Fix: consistently check allowed domains (#2985)

* fix: ensure consistency of checking allowed domain

* chore: update comment to match the logic

server/commands/teamCreator.ts

@@ -1,7 +1,7 @@
 import invariant from "invariant";
 import Logger from "@server/logging/logger";
 import { Team, AuthenticationProvider } from "@server/models";
-import { getAllowedDomains } from "@server/utils/authentication";
+import { isDomainAllowed } from "@server/utils/authentication";
 import { generateAvatarUrl } from "@server/utils/avatars";
 import { MaximumTeamsError } from "../errors";
 
@@ -57,9 +57,9 @@ export default async function teamCreator({
     const teamCount = await Team.count();
 
     // If the self-hosted installation has a single team and the domain for the
-    // new team matches one in the allowed domains env variable then assign the
+    // new team is allowed then assign the authentication provider to the
-    // authentication provider to the existing team
+    // existing team
-    if (teamCount === 1 && domain && getAllowedDomains().includes(domain)) {
+    if (teamCount === 1 && domain && isDomainAllowed(domain)) {
       const team = await Team.findOne();
       invariant(team, "Team should exist");
 

server/routes/auth/providers/google.ts

@@ -10,14 +10,13 @@ import {
   GoogleWorkspaceInvalidError,
 } from "@server/errors";
 import passportMiddleware from "@server/middlewares/passport";
-import { getAllowedDomains } from "@server/utils/authentication";
+import { isDomainAllowed } from "@server/utils/authentication";
 import { StateStore } from "@server/utils/passport";
 
 const router = new Router();
 const providerName = "google";
 const GOOGLE_CLIENT_ID = process.env.GOOGLE_CLIENT_ID;
 const GOOGLE_CLIENT_SECRET = process.env.GOOGLE_CLIENT_SECRET;
-const allowedDomains = getAllowedDomains();
 const scopes = [
   "https://www.googleapis.com/auth/userinfo.profile",
   "https://www.googleapis.com/auth/userinfo.email",
@@ -48,7 +47,7 @@ if (GOOGLE_CLIENT_ID) {
             throw GoogleWorkspaceRequiredError();
           }
 
-          if (allowedDomains.length && !allowedDomains.includes(domain)) {
+          if (!isDomainAllowed(domain)) {
             throw GoogleWorkspaceInvalidError();
           }
 

server/routes/auth/providers/oidc.ts

@@ -9,7 +9,7 @@ import {
   AuthenticationError,
 } from "@server/errors";
 import passportMiddleware from "@server/middlewares/passport";
-import { getAllowedDomains } from "@server/utils/authentication";
+import { isDomainAllowed } from "@server/utils/authentication";
 import { StateStore, request } from "@server/utils/passport";
 
 const router = new Router();
@@ -23,7 +23,6 @@ const OIDC_USERINFO_URI = process.env.OIDC_USERINFO_URI || "";
 const OIDC_SCOPES = process.env.OIDC_SCOPES || "";
 const OIDC_USERNAME_CLAIM =
   process.env.OIDC_USERNAME_CLAIM || "preferred_username";
-const allowedDomains = getAllowedDomains();
 
 export const config = {
   name: OIDC_DISPLAY_NAME,
@@ -84,7 +83,7 @@ if (OIDC_CLIENT_ID) {
             throw OIDCMalformedUserInfoError();
           }
 
-          if (allowedDomains.length && !allowedDomains.includes(domain)) {
+          if (!isDomainAllowed(domain)) {
             throw AuthenticationError(
               `Domain ${domain} is not on the whitelist`
             );

server/utils/authentication.ts

@@ -12,6 +12,11 @@ export function getAllowedDomains(): string[] {
   return env ? env.split(",") : [];
 }
 
+export function isDomainAllowed(domain: string): boolean {
+  const allowedDomains = getAllowedDomains();
+  return allowedDomains.includes(domain) || allowedDomains.length === 0;
+}
+
 export async function signIn(
   ctx: Context,
   user: User,