🔒 refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Logins (#9567)

* refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Login Strategies - Implemented email domain validation for user authentication in OpenID and SAML strategies, ensuring only allowed domains are processed. - Adjusted error messages for clarity and consistency across authentication methods. - Refactored social login to validate email domains before checking for existing users, improving registration flow. * refactor: Email Domain Validation in LDAP and Social Login Strategies
2025-12-20 10:20:15 +01:00 · 2025-09-11 01:01:58 -04:00 · 2025-09-11 01:01:58 -04:00 · d91f34dd42
commit d91f34dd42
parent 5676976564
5 changed files with 78 additions and 60 deletions
--- a/api/strategies/samlStrategy.js
+++ b/api/strategies/samlStrategy.js
@ -193,16 +193,25 @@ async function setupSaml() {
          logger.info(`[samlStrategy] SAML authentication received for NameID: ${profile.nameID}`);
          logger.debug('[samlStrategy] SAML profile:', profile);

+          const userEmail = getEmail(profile) || '';
+          const appConfig = await getAppConfig();
+
+          if (!isEmailDomainAllowed(userEmail, appConfig?.registration?.allowedDomains)) {
+            logger.error(
+              `[SAML Strategy] Authentication blocked - email domain not allowed [Email: ${userEmail}]`,
+            );
+            return done(null, false, { message: 'Email domain not allowed' });
+          }
+
          let user = await findUser({ samlId: profile.nameID });
          logger.info(
            `[samlStrategy] User ${user ? 'found' : 'not found'} with SAML ID: ${profile.nameID}`,
          );

          if (!user) {
-            const email = getEmail(profile) || '';
-            user = await findUser({ email });
+            user = await findUser({ email: userEmail });
            logger.info(
-              `[samlStrategy] User ${user ? 'found' : 'not found'} with email: ${profile.email}`,
+              `[samlStrategy] User ${user ? 'found' : 'not found'} with email: ${userEmail}`,
            );
          }

@ -221,16 +230,7 @@ async function setupSaml() {
            getUserName(profile) || getGivenName(profile) || getEmail(profile),
          );

-          const appConfig = await getAppConfig();
          if (!user) {
-            const userEmail = getEmail(profile) || '';
-            if (!isEmailDomainAllowed(userEmail, appConfig?.registration?.allowedDomains)) {
-              logger.error(
-                `[SAML Strategy] Registration blocked - email domain not allowed [Email: ${userEmail}]`,
-              );
-              return done(null, false, { message: 'Email domain not allowed for registration' });
-            }
-
            user = {
              provider: 'saml',
              samlId: profile.nameID,