Email domain restriction added for OAuth2 authorization.

lib/cli/auth-oauth2/index.js

@@ -54,6 +54,12 @@ module.exports.builder = function(yargs) {
     , default: process.env.OAUTH_SCOPE
     , demand: true
     })
+    .option('oauth-domain', {
+      describe: 'Optional email domain to allow authentication for.'
+    , type: 'string'
+    , default: process.env.OAUTH_DOMAIN
+    , demand: false
+    })
     .option('port', {
       alias: 'p'
     , describe: 'The port to bind to.'
@@ -89,6 +95,7 @@ module.exports.handler = function(argv) {
   , secret: argv.secret
   , ssid: argv.ssid
   , appUrl: argv.appUrl
+  , domain: argv.oauthDomain
   , oauth: {
       authorizationURL: argv.oauthAuthorizationUrl
     , tokenURL: argv.oauthTokenUrl

lib/units/auth/oauth2/index.js

@@ -28,10 +28,20 @@ module.exports = function(options) {
   , session: false
   }))
 
+  function isEmailAllowed(email) {
+    if (email) {
+      if (options.domain) {
+        return email.endsWith(options.domain)
+      }
+      return true
+    }
+    return false
+  }
+
   app.get(
     '/auth/oauth/callback'
   , function(req, res) {
-      if (req.user.email) {
+      if (isEmailAllowed(req.user.email)) {
         res.redirect(urlutil.addParams(options.appUrl, {
           jwt: jwtutil.encode({
             payload: {
@@ -46,8 +56,9 @@ module.exports = function(options) {
         }))
       }
       else {
-        log.warn('Missing email in profile', req.user)
+        log.warn('Missing or disallowed email in profile', req.user)
-        res.redirect('/auth/oauth/')
+        res.send('<html><body>Missing or rejected email address ' +
+                 '<a href="/auth/oauth/">Retry</a></body></html>')
       }
     }
   )