🔒 refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Logins (#9567)

* refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Login Strategies - Implemented email domain validation for user authentication in OpenID and SAML strategies, ensuring only allowed domains are processed. - Adjusted error messages for clarity and consistency across authentication methods. - Refactored social login to validate email domains before checking for existing users, improving registration flow. * refactor: Email Domain Validation in LDAP and Social Login Strategies
2025-12-17 00:40:14 +01:00 · 2025-09-11 01:01:58 -04:00 · 2025-09-11 01:01:58 -04:00 · d91f34dd42
commit d91f34dd42
parent 5676976564
5 changed files with 78 additions and 60 deletions
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@ -340,6 +340,19 @@ async function setupOpenId() {
      async (tokenset, done) => {
        try {
          const claims = tokenset.claims();
+          const userinfo = {
+            ...claims,
+            ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
+          };
+
+          const appConfig = await getAppConfig();
+          if (!isEmailDomainAllowed(userinfo.email, appConfig?.registration?.allowedDomains)) {
+            logger.error(
+              `[OpenID Strategy] Authentication blocked - email domain not allowed [Email: ${userinfo.email}]`,
+            );
+            return done(null, false, { message: 'Email domain not allowed' });
+          }
+
          const result = await findOpenIDUser({
            openidId: claims.sub,
            email: claims.email,
@ -354,10 +367,7 @@ async function setupOpenId() {
              message: ErrorTypes.AUTH_FAILED,
            });
          }
-          const userinfo = {
-            ...claims,
-            ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
-          };
+
          const fullName = getFullName(userinfo);

          if (requiredRole) {
@ -399,15 +409,7 @@ async function setupOpenId() {
            );
          }

-          const appConfig = await getAppConfig();
          if (!user) {
-            if (!isEmailDomainAllowed(userinfo.email, appConfig?.registration?.allowedDomains)) {
-              logger.error(
-                `[OpenID Strategy] Registration blocked - email domain not allowed [Email: ${userinfo.email}]`,
-              );
-              return done(null, false, { message: 'Email domain not allowed for registration' });
-            }
-
            user = {
              provider: 'openid',
              openidId: userinfo.sub,