🔒 refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Logins (#9567)

* refactor: Optimize Email Domain Validation in OpenID, SAML, and Social Login Strategies - Implemented email domain validation for user authentication in OpenID and SAML strategies, ensuring only allowed domains are processed. - Adjusted error messages for clarity and consistency across authentication methods. - Refactored social login to validate email domains before checking for existing users, improving registration flow. * refactor: Email Domain Validation in LDAP and Social Login Strategies
2025-12-27 21:58:51 +01:00 · 2025-09-11 01:01:58 -04:00 · 2025-09-11 01:01:58 -04:00 · d91f34dd42
commit d91f34dd42
parent 5676976564
5 changed files with 78 additions and 60 deletions
--- a/api/strategies/socialLogin.js
+++ b/api/strategies/socialLogin.js
@ -15,19 +15,19 @@ const socialLogin =
      });

      const appConfig = await getAppConfig();
-      const existingUser = await findUser({ email: email.trim() });
-      const ALLOW_SOCIAL_REGISTRATION = isEnabled(process.env.ALLOW_SOCIAL_REGISTRATION);

-      if (!existingUser && !isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
+      if (!isEmailDomainAllowed(email, appConfig?.registration?.allowedDomains)) {
        logger.error(
-          `[${provider}Login] Registration blocked - email domain not allowed [Email: ${email}]`,
+          `[${provider}Login] Authentication blocked - email domain not allowed [Email: ${email}]`,
        );
        const error = new Error(ErrorTypes.AUTH_FAILED);
        error.code = ErrorTypes.AUTH_FAILED;
-        error.message = 'Email domain not allowed for registration';
+        error.message = 'Email domain not allowed';
        return cb(error);
      }

+      const existingUser = await findUser({ email: email.trim() });
+
      if (existingUser?.provider === provider) {
        await handleExistingUser(existingUser, avatarUrl, appConfig);
        return cb(null, existingUser);
@ -41,20 +41,29 @@ const socialLogin =
        return cb(error);
      }

-      if (ALLOW_SOCIAL_REGISTRATION) {
-        const newUser = await createSocialUser({
-          email,
-          avatarUrl,
-          provider,
-          providerKey: `${provider}Id`,
-          providerId: id,
-          username,
-          name,
-          emailVerified,
-          appConfig,
-        });
-        return cb(null, newUser);
+      const ALLOW_SOCIAL_REGISTRATION = isEnabled(process.env.ALLOW_SOCIAL_REGISTRATION);
+      if (!ALLOW_SOCIAL_REGISTRATION) {
+        logger.error(
+          `[${provider}Login] Registration blocked - social registration is disabled [Email: ${email}]`,
+        );
+        const error = new Error(ErrorTypes.AUTH_FAILED);
+        error.code = ErrorTypes.AUTH_FAILED;
+        error.message = 'Social registration is disabled';
+        return cb(error);
      }
+
+      const newUser = await createSocialUser({
+        email,
+        avatarUrl,
+        provider,
+        providerKey: `${provider}Id`,
+        providerId: id,
+        username,
+        name,
+        emailVerified,
+        appConfig,
+      });
+      return cb(null, newUser);
    } catch (err) {
      logger.error(`[${provider}Login]`, err);
      return cb(err);