Add restrict signup based on domain

Infisical · Feb 10, 2024 · 5cf1ec2 · 5cf1ec2
1 parent 6c1489a
commit 5cf1ec2
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 39 deletions.
diff --git a/backend/src/db/migrations/20240205200732_invite-only.ts b/backend/src/db/migrations/20240205200732_invite-only.ts
@@ -7,6 +7,7 @@ export async function up(knex: Knex): Promise<void> {
   if (isTablePresent) {
     await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
       t.boolean("inviteOnlySignUp").defaultTo(false);
+      t.string("allowSpecificDomainSignUp");
     });
   }
 }
@@ -17,4 +18,10 @@ export async function down(knex: Knex): Promise<void> {
       t.dropColumn("inviteOnlySignUp");
     });
   }
+
+  if (await knex.schema.hasColumn(TableName.SuperAdmin, "allowSpecificDomainSignUp")) {
+    await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+      t.dropColumn("allowSpecificDomainSignUp");
+    });
+  }
 }
diff --git a/backend/src/db/schemas/super-admin.ts b/backend/src/db/schemas/super-admin.ts
@@ -12,6 +12,7 @@ export const SuperAdminSchema = z.object({
   initialized: z.boolean().default(false).nullable().optional(),
   allowSignUp: z.boolean().default(true).nullable().optional(),
   inviteOnlySignUp: z.boolean().default(false).nullable().optional(),
+  allowSpecificDomainSignUp: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date()
 });

diff --git a/backend/src/server/routes/v1/admin-router.ts b/backend/src/server/routes/v1/admin-router.ts
@@ -32,7 +32,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
     schema: {
       body: z.object({
         allowSignUp: z.boolean().optional(),
-        inviteOnlySignUp: z.boolean().optional()
+        inviteOnlySignUp: z.boolean().optional(),
+        allowSpecificDomainSignUp: z.string().optional()
       }),
       response: {
         200: z.object({

diff --git a/backend/src/server/routes/v1/sso-router.ts b/backend/src/server/routes/v1/sso-router.ts
@@ -55,7 +55,7 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
               lastName: profile?.name?.familyName || "",
               authMethod: AuthMethod.GOOGLE,
               callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              serverCfg
             });
             cb(null, { isUserCompleted, providerAuthToken });
           } catch (error) {
@@ -91,7 +91,8 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
               lastName: "",
               authMethod: AuthMethod.GITHUB,
               callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              serverCfg
+              // isSignupAllowed: Boolean(serverCfg.allowSignUp)
             });
             return cb(null, { isUserCompleted, providerAuthToken });
           } catch (error) {
@@ -127,7 +128,8 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
               lastName: "",
               authMethod: AuthMethod.GITLAB,
               callbackPort: req.query.state as string,
-              isSignupAllowed: Boolean(serverCfg.allowSignUp)
+              serverCfg
+              // isSignupAllowed: Boolean(serverCfg.allowSignUp)
             });
 
             return cb(null, { isUserCompleted, providerAuthToken });

diff --git a/backend/src/server/routes/v3/signup-router.ts b/backend/src/server/routes/v3/signup-router.ts
@@ -23,8 +23,16 @@ export const registerSignupRouter = async (server: FastifyZodProvider) => {
       }
     },
     handler: async (req) => {
-      await server.services.signup.beginEmailSignupProcess(req.body.email);
-      return { message: `Sent an email verification code to ${req.body.email}` };
+      const { email } = req.body;
+      const config = await server.services.superAdmin.initServerCfg();
+
+      if (config?.allowSpecificDomainSignUp) {
+        const domain = email.split("@")[1];
+
+        if (domain !== config.allowSpecificDomainSignUp) throw new Error(`Unsupported email domain (${domain}).`);
+      }
+      await server.services.signup.beginEmailSignupProcess(email);
+      return { message: `Sent an email verification code to ${email}` };
     }
   });
 

diff --git a/backend/src/services/auth/auth-login-service.ts b/backend/src/services/auth/auth-login-service.ts
@@ -261,20 +261,25 @@ export const authLoginServiceFactory = ({ userDAL, tokenService, smtpService }:
   /*
    * OAuth2 login for google,github, and other oauth2 provider
    * */
-  const oauth2Login = async ({
-    email,
-    firstName,
-    lastName,
-    authMethod,
-    callbackPort,
-    isSignupAllowed
-  }: TOauthLoginDTO) => {
+  const oauth2Login = async ({ email, firstName, lastName, authMethod, callbackPort, serverCfg }: TOauthLoginDTO) => {
     let user = await userDAL.findUserByEmail(email);
     const appCfg = getConfig();
-    const isOauthSignUpDisabled = !isSignupAllowed && !user;
-    if (isOauthSignUpDisabled) throw new BadRequestError({ message: "User signup disabled", name: "Oauth 2 login" });
 
     if (!user) {
+      // Create a new user based on oAuth
+      if (!serverCfg?.allowSignUp)
+        throw new BadRequestError({ message: "User signup disabled", name: "Oauth 2 login" });
+
+      if (serverCfg?.allowSpecificDomainSignUp) {
+        const domain = email.split("@")[1];
+
+        if (domain !== serverCfg.allowSpecificDomainSignUp)
+          throw new BadRequestError({
+            message: `User email domain (${domain}) is not supported`,
+            name: "Oauth 2 login"
+          });
+      }
+
       user = await userDAL.create({ email, firstName, lastName, authMethods: [authMethod] });
     }
     const isLinkingRequired = !user?.authMethods?.includes(authMethod);

diff --git a/backend/src/services/auth/auth-login-type.ts b/backend/src/services/auth/auth-login-type.ts
@@ -1,3 +1,5 @@
+import { TSuperAdmin } from "@app/db/schemas/super-admin";
+
 import { AuthMethod } from "./auth-type";
 
 export type TLoginGenServerPublicKeyDTO = {
@@ -29,4 +31,5 @@ export type TOauthLoginDTO = {
   authMethod: AuthMethod;
   callbackPort?: string;
   isSignupAllowed?: boolean;
+  serverCfg?: TSuperAdmin;
 };
diff --git a/frontend/src/hooks/api/admin/types.ts b/frontend/src/hooks/api/admin/types.ts
@@ -2,6 +2,7 @@ export type TServerConfig = {
   initialized: boolean;
   allowSignUp: boolean;
   inviteOnlySignUp: boolean;
+  allowSpecificDomainSignUp?: string;
   isMigrationModeOn?: boolean;
 };
 

diff --git a/frontend/src/views/admin/DashboardPage/DashboardPage.tsx b/frontend/src/views/admin/DashboardPage/DashboardPage.tsx
@@ -1,9 +1,14 @@
-import { useEffect, useState } from "react";
+import { FormEvent, useEffect, useState } from "react";
 import { useRouter } from "next/router";
+import { faAt } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
 import { useNotificationContext } from "@app/components/context/Notifications/NotificationProvider";
 import {
+  Button,
   ContentLoader,
+  FormControl,
+  Input,
   Select,
   SelectItem,
   Tab,
@@ -24,11 +29,13 @@ export const AdminDashboardPage = () => {
   const router = useRouter();
   const data = useServerConfig();
   const [signUpMode, setSignUpMode] = useState<SignUpMode>("invite-only");
+  const [allowSpecificDomain, setAllowSpecificDomain] = useState<string | undefined>();
 
   const { config } = data;
   const { user, isLoading: isUserLoading } = useUser();
   const { orgs } = useOrganization();
   const { mutate: updateServerConfig } = useUpdateServerConfig();
+
   const { createNotification } = useNotificationContext();
 
   const isNotAllowed = !user?.superAdmin;
@@ -49,22 +56,28 @@ export const AdminDashboardPage = () => {
     }
     if (config.inviteOnlySignUp) {
       setSignUpMode("invite-only");
-      return;
+    } else {
+      setSignUpMode("anyone");
+    }
+
+    if (config.allowSpecificDomainSignUp) {
+      setAllowSpecificDomain(config.allowSpecificDomainSignUp);
     }
-    setSignUpMode("anyone");
   }, [config]);
 
-  function handleSignUpModeChange(newSignUpMode: SignUpMode) {
-    config.allowSignUp = newSignUpMode !== "disabled";
-    config.inviteOnlySignUp = newSignUpMode === "invite-only";
+  async function handleSubmit(e: FormEvent) {
+    e.preventDefault();
+
+    config.allowSignUp = signUpMode !== "disabled";
+    config.inviteOnlySignUp = signUpMode === "invite-only";
+    config.allowSpecificDomainSignUp = signUpMode === "anyone" ? allowSpecificDomain : "";
+
+    await updateServerConfig(config);
 
     createNotification({
       text: "Successfully changed sign up mode.",
       type: "success"
     });
-
-    updateServerConfig(config);
-    setSignUpMode(newSignUpMode);
   }
 
   return (
@@ -86,20 +99,49 @@ export const AdminDashboardPage = () => {
               </div>
             </TabList>
             <TabPanel value={TabSections.Settings}>
-              <div className="flex items-center justify-between space-x-4">
-                <div className="label"> Allow user to Sign Up </div>
-                <Select
-                  className="w-36 bg-mineshaft-700"
-                  dropdownContainerClassName="bg-mineshaft-700"
-                  onValueChange={(state) => handleSignUpModeChange(state as SignUpMode)}
-                  value={signUpMode}
-                  isDisabled={isNotAllowed}
-                >
-                  <SelectItem value="disabled">Disabled</SelectItem>
-                  <SelectItem value="invite-only">Invite Only</SelectItem>
-                  <SelectItem value="anyone">Anyone</SelectItem>
-                </Select>
-              </div>
+              <form
+                onSubmit={handleSubmit}
+                className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+              >
+                <div className="flex justify-between">
+                  <div className="mb-4 text-xl font-semibold text-mineshaft-100">
+                    Allow user to Sign Up
+                  </div>
+                  <Select
+                    className="w-60 bg-mineshaft-700"
+                    dropdownContainerClassName="bg-mineshaft-700"
+                    onValueChange={(state) => setSignUpMode(state as SignUpMode)}
+                    value={signUpMode}
+                    isDisabled={isNotAllowed}
+                  >
+                    <SelectItem value="disabled">Disabled</SelectItem>
+                    <SelectItem value="invite-only">Invite Only</SelectItem>
+                    <SelectItem value="anyone">Anyone</SelectItem>
+                  </Select>
+                </div>
+
+                {signUpMode === "anyone" && (
+                  <div className="mt-4 flex items-center justify-between">
+                    <div className="mb-4 flex text-mineshaft-100">
+                      Allow email with only specific domain
+                    </div>
+                    <FormControl label="Leave blank to allow any domain handle">
+                      <div className="w-60">
+                        <Input
+                          placeholder="domain.com"
+                          leftIcon={<FontAwesomeIcon icon={faAt} />}
+                          value={allowSpecificDomain}
+                          onChange={(ev) => setAllowSpecificDomain(ev.target.value)}
+                        />
+                      </div>
+                    </FormControl>
+                  </div>
+                )}
+
+                <Button colorSchema="primary" variant="outline_bg" type="submit">
+                  Save
+                </Button>
+              </form>
             </TabPanel>
           </Tabs>
         </div>