Allowed domains env variable for Google Auth (#682)

* Allowed domains env variable for Google Auth * Fixing lint errors * PR comments. Use includes instead of indexOf
2018-06-17 01:06:02 +05:30
parent 19c5cafa51
commit fad5976dd2
3 changed files with 18 additions and 1 deletions
--- a/server/auth/google.js
+++ b/server/auth/google.js
@@ -12,6 +12,7 @@ const client = new OAuth2Client(
  process.env.GOOGLE_CLIENT_SECRET,
  `${process.env.URL}/auth/google.callback`
 );
+const allowedDomainsEnv = process.env.GOOGLE_ALLOWED_DOMAINS;

 // start the oauth process and redirect user to Google
 router.get('google', async ctx => {
@@ -43,6 +44,13 @@ router.get('google.callback', async ctx => {
    return;
  }

+  // allow all domains by default if the env is not set
+  const allowedDomains = allowedDomainsEnv && allowedDomainsEnv.split(',');
+  if (allowedDomains && !allowedDomains.includes(profile.data.hd)) {
+    ctx.redirect('/?notice=hd-not-allowed');
+    return;
+  }
+
  const googleId = profile.data.hd;
  const teamName = capitalize(profile.data.hd.split('.')[0]);