🔒 fix: Email Domain Validation Order and Coverage (#9566)

2026-01-24 11:16:12 +01:00 · 2025-09-10 23:13:39 -04:00 · 2025-09-10 23:13:39 -04:00 · 5676976564
commit 5676976564
parent 85aa3e7d9c
6 changed files with 69 additions and 15 deletions
--- a/api/server/middleware/checkDomainAllowed.js
+++ b/api/server/middleware/checkDomainAllowed.js
@ -11,18 +11,25 @@ const { getAppConfig } = require('~/server/services/Config');
 * @param {Object} res - Express response object.
 * @param {Function} next - Next middleware function.
 *
- * @returns {Promise<function|Object>} - Returns a Promise which when resolved calls next middleware if the domain's email is allowed
+ * @returns {Promise<void>} - Calls next middleware if the domain's email is allowed, otherwise redirects to login
 */
-const checkDomainAllowed = async (req, res, next = () => {}) => {
-  const email = req?.user?.email;
-  const appConfig = await getAppConfig({
-    role: req?.user?.role,
-  });
-  if (email && !isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
-    logger.error(`[Social Login] [Social Login not allowed] [Email: ${email}]`);
-    return res.redirect('/login');
-  } else {
-    return next();
+const checkDomainAllowed = async (req, res, next) => {
+  try {
+    const email = req?.user?.email;
+    const appConfig = await getAppConfig({
+      role: req?.user?.role,
+    });
+
+    if (email && !isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
+      logger.error(`[Social Login] [Social Login not allowed] [Email: ${email}]`);
+      res.redirect('/login');
+      return;
+    }
+
+    next();
+  } catch (error) {
+    logger.error('[checkDomainAllowed] Error checking domain:', error);
+    res.redirect('/login');
  }
 };

--- a/api/server/routes/oauth.js
+++ b/api/server/routes/oauth.js
@ -26,9 +26,12 @@ const domains = {
 router.use(logHeaders);
 router.use(loginLimiter);

-const oauthHandler = async (req, res) => {
+const oauthHandler = async (req, res, next) => {
  try {
-    await checkDomainAllowed(req, res);
+    if (res.headersSent) {
+      return;
+    }
+
    await checkBan(req, res);
    if (req.banned) {
      return;
@ -46,6 +49,7 @@ const oauthHandler = async (req, res) => {
    res.redirect(domains.client);
  } catch (err) {
    logger.error('Error in setting authentication tokens:', err);
+    next(err);
  }
 };

@ -79,6 +83,7 @@ router.get(
    scope: ['openid', 'profile', 'email'],
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );

@ -104,6 +109,7 @@ router.get(
    profileFields: ['id', 'email', 'name'],
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );

@ -125,6 +131,7 @@ router.get(
    session: false,
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );

@ -148,6 +155,7 @@ router.get(
    scope: ['user:email', 'read:user'],
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );

@ -171,6 +179,7 @@ router.get(
    scope: ['identify', 'email'],
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );

@ -192,6 +201,7 @@ router.post(
    session: false,
  }),
  setBalanceConfig,
+  checkDomainAllowed,
  oauthHandler,
 );