📧 fix: Case-Insensitive Domain Matching (#9868)

* chore: move domain related functions to `packages/api`

* fix: isEmailDomainAllowed for case-insensitive domain matching

- Added tests to validate case-insensitive matching for email domains in various scenarios.
- Updated isEmailDomainAllowed function to convert email domains to lowercase for consistent comparison.
- Improved handling of null/undefined entries in allowedDomains.

* ci: Mock isEmailDomainAllowed in samlStrategy tests

- Added a mock implementation for isEmailDomainAllowed to return true in samlStrategy tests, ensuring consistent behavior during test execution.

* ci: Update import of isEmailDomainAllowed in ldapStrategy tests

- Changed the import of isEmailDomainAllowed from the domains service to the api package for consistency and to reflect recent refactoring.

packages/api/src/auth/domain.spec.ts

@@ -0,0 +1,203 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
+import { isEmailDomainAllowed, isActionDomainAllowed } from './domain';
+
+describe('isEmailDomainAllowed', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('should return false if email is falsy', async () => {
+    const email = '';
+    const result = isEmailDomainAllowed(email);
+    expect(result).toBe(false);
+  });
+
+  it('should return false if domain is not present in the email', async () => {
+    const email = 'test';
+    const result = isEmailDomainAllowed(email);
+    expect(result).toBe(false);
+  });
+
+  it('should return true if customConfig is not available', async () => {
+    const email = 'test@domain1.com';
+    const result = isEmailDomainAllowed(email, null);
+    expect(result).toBe(true);
+  });
+
+  it('should return true if allowedDomains is not defined in customConfig', async () => {
+    const email = 'test@domain1.com';
+    const result = isEmailDomainAllowed(email, undefined);
+    expect(result).toBe(true);
+  });
+
+  it('should return true if domain is included in the allowedDomains', async () => {
+    const email = 'user@domain1.com';
+    const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
+    expect(result).toBe(true);
+  });
+
+  it('should return false if domain is not included in the allowedDomains', async () => {
+    const email = 'user@domain3.com';
+    const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
+    expect(result).toBe(false);
+  });
+
+  describe('case-insensitive domain matching', () => {
+    it('should match domains case-insensitively when email has uppercase domain', () => {
+      const email = 'user@DOMAIN1.COM';
+      const result = isEmailDomainAllowed(email, ['domain1.com', 'domain2.com']);
+      expect(result).toBe(true);
+    });
+
+    it('should match domains case-insensitively when allowedDomains has uppercase', () => {
+      const email = 'user@domain1.com';
+      const result = isEmailDomainAllowed(email, ['DOMAIN1.COM', 'DOMAIN2.COM']);
+      expect(result).toBe(true);
+    });
+
+    it('should match domains with mixed case in email', () => {
+      const email = 'user@Example.Com';
+      const result = isEmailDomainAllowed(email, ['example.com', 'domain2.com']);
+      expect(result).toBe(true);
+    });
+
+    it('should match domains with mixed case in allowedDomains', () => {
+      const email = 'user@example.com';
+      const result = isEmailDomainAllowed(email, ['Example.Com', 'Domain2.Com']);
+      expect(result).toBe(true);
+    });
+
+    it('should match when both email and allowedDomains have different mixed cases', () => {
+      const email = 'user@ExAmPlE.cOm';
+      const result = isEmailDomainAllowed(email, ['eXaMpLe.CoM', 'domain2.com']);
+      expect(result).toBe(true);
+    });
+
+    it('should still return false for non-matching domains regardless of case', () => {
+      const email = 'user@DOMAIN3.COM';
+      const result = isEmailDomainAllowed(email, ['domain1.com', 'DOMAIN2.COM']);
+      expect(result).toBe(false);
+    });
+
+    it('should handle null/undefined entries in allowedDomains gracefully', () => {
+      const email = 'user@domain1.com';
+      // @ts-expect-error Testing invalid input
+      const result = isEmailDomainAllowed(email, [null, 'DOMAIN1.COM', undefined]);
+      expect(result).toBe(true);
+    });
+  });
+});
+
+describe('isActionDomainAllowed', () => {
+  afterEach(() => {
+    jest.clearAllMocks();
+  });
+
+  // Basic Input Validation Tests
+  describe('input validation', () => {
+    it('should return false for falsy values', async () => {
+      expect(await isActionDomainAllowed()).toBe(false);
+      expect(await isActionDomainAllowed(null)).toBe(false);
+      expect(await isActionDomainAllowed('')).toBe(false);
+      expect(await isActionDomainAllowed(undefined)).toBe(false);
+    });
+
+    it('should return false for non-string inputs', async () => {
+      /** @ts-expect-error */
+      expect(await isActionDomainAllowed(123)).toBe(false);
+      /** @ts-expect-error */
+      expect(await isActionDomainAllowed({})).toBe(false);
+      /** @ts-expect-error */
+      expect(await isActionDomainAllowed([])).toBe(false);
+    });
+
+    it('should return false for invalid domain formats', async () => {
+      expect(await isActionDomainAllowed('http://', ['http://', 'https://'])).toBe(false);
+      expect(await isActionDomainAllowed('https://', ['http://', 'https://'])).toBe(false);
+    });
+  });
+
+  // Configuration Tests
+  describe('configuration handling', () => {
+    it('should return true if customConfig is null', async () => {
+      expect(await isActionDomainAllowed('example.com', null)).toBe(true);
+    });
+
+    it('should return true if actions.allowedDomains is not defined', async () => {
+      expect(await isActionDomainAllowed('example.com', undefined)).toBe(true);
+    });
+
+    it('should return true if allowedDomains is empty array', async () => {
+      expect(await isActionDomainAllowed('example.com', [])).toBe(true);
+    });
+  });
+
+  // Domain Matching Tests
+  describe('domain matching', () => {
+    const allowedDomains = [
+      'example.com',
+      '*.subdomain.com',
+      'specific.domain.com',
+      'www.withprefix.com',
+      'swapi.dev',
+    ];
+
+    it('should match exact domains', async () => {
+      expect(await isActionDomainAllowed('example.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('other.com', allowedDomains)).toBe(false);
+      expect(await isActionDomainAllowed('swapi.dev', allowedDomains)).toBe(true);
+    });
+
+    it('should handle domains with www prefix', async () => {
+      expect(await isActionDomainAllowed('www.example.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('www.withprefix.com', allowedDomains)).toBe(true);
+    });
+
+    it('should handle full URLs', async () => {
+      expect(await isActionDomainAllowed('https://example.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('http://example.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('https://example.com/path', allowedDomains)).toBe(true);
+    });
+
+    it('should handle wildcard subdomains', async () => {
+      expect(await isActionDomainAllowed('test.subdomain.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('any.subdomain.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('subdomain.com', allowedDomains)).toBe(true);
+    });
+
+    it('should handle specific subdomains', async () => {
+      expect(await isActionDomainAllowed('specific.domain.com', allowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('other.domain.com', allowedDomains)).toBe(false);
+    });
+  });
+
+  // Edge Cases
+  describe('edge cases', () => {
+    const edgeAllowedDomains = ['example.com', '*.test.com'];
+
+    it('should handle domains with query parameters', async () => {
+      expect(await isActionDomainAllowed('example.com?param=value', edgeAllowedDomains)).toBe(true);
+    });
+
+    it('should handle domains with ports', async () => {
+      expect(await isActionDomainAllowed('example.com:8080', edgeAllowedDomains)).toBe(true);
+    });
+
+    it('should handle domains with trailing slashes', async () => {
+      expect(await isActionDomainAllowed('example.com/', edgeAllowedDomains)).toBe(true);
+    });
+
+    it('should handle case insensitivity', async () => {
+      expect(await isActionDomainAllowed('EXAMPLE.COM', edgeAllowedDomains)).toBe(true);
+      expect(await isActionDomainAllowed('Example.Com', edgeAllowedDomains)).toBe(true);
+    });
+
+    it('should handle invalid entries in allowedDomains', async () => {
+      const invalidAllowedDomains = ['example.com', null, undefined, '', 'test.com'];
+      /** @ts-expect-error */
+      expect(await isActionDomainAllowed('example.com', invalidAllowedDomains)).toBe(true);
+      /** @ts-expect-error */
+      expect(await isActionDomainAllowed('test.com', invalidAllowedDomains)).toBe(true);
+    });
+  });
+});

packages/api/src/auth/domain.ts

@@ -0,0 +1,98 @@
+/**
+ * @param email
+ * @param allowedDomains
+ */
+export function isEmailDomainAllowed(email: string, allowedDomains?: string[] | null): boolean {
+  if (!email) {
+    return false;
+  }
+
+  const domain = email.split('@')[1]?.toLowerCase();
+
+  if (!domain) {
+    return false;
+  }
+
+  if (!allowedDomains) {
+    return true;
+  } else if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
+    return true;
+  }
+
+  return allowedDomains.some((allowedDomain) => allowedDomain?.toLowerCase() === domain);
+}
+
+/**
+ * Normalizes a domain string. If the domain is invalid, returns null.
+ * Normalized === lowercase, trimmed, and protocol added if missing.
+ * @param domain
+ */
+function normalizeDomain(domain: string): string | null {
+  try {
+    let normalizedDomain = domain.toLowerCase().trim();
+
+    // Early return for obviously invalid formats
+    if (normalizedDomain === 'http://' || normalizedDomain === 'https://') {
+      return null;
+    }
+
+    // If it's not already a URL, make it one
+    if (!normalizedDomain.startsWith('http://') && !normalizedDomain.startsWith('https://')) {
+      normalizedDomain = `https://${normalizedDomain}`;
+    }
+
+    const url = new URL(normalizedDomain);
+    // Additional validation that hostname isn't just protocol
+    if (!url.hostname || url.hostname === 'http:' || url.hostname === 'https:') {
+      return null;
+    }
+
+    return url.hostname.replace(/^www\./i, '');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Checks if the given domain is allowed. If no restrictions are set, allows all domains.
+ * @param domain
+ * @param allowedDomains
+ */
+export async function isActionDomainAllowed(
+  domain?: string | null,
+  allowedDomains?: string[] | null,
+): Promise<boolean> {
+  if (!domain || typeof domain !== 'string') {
+    return false;
+  }
+
+  if (!Array.isArray(allowedDomains) || !allowedDomains.length) {
+    return true;
+  }
+
+  const normalizedInputDomain = normalizeDomain(domain);
+  if (!normalizedInputDomain) {
+    return false;
+  }
+
+  for (const allowedDomain of allowedDomains) {
+    const normalizedAllowedDomain = normalizeDomain(allowedDomain);
+    if (!normalizedAllowedDomain) {
+      continue;
+    }
+
+    if (normalizedAllowedDomain.startsWith('*.')) {
+      const baseDomain = normalizedAllowedDomain.slice(2);
+      if (
+        normalizedInputDomain === baseDomain ||
+        normalizedInputDomain.endsWith(`.${baseDomain}`)
+      ) {
+        return true;
+      }
+    } else if (normalizedInputDomain === normalizedAllowedDomain) {
+      return true;
+    }
+  }
+
+  return false;
+}

packages/api/src/auth/index.ts

@@ -1 +1,2 @@
+export * from './domain';
 export * from './openid';