🐛 Fix possible bug in domain whitelisting checking.

2025-05-10 12:16:38 +02:00 · 2021-05-25 21:19:13 +02:00 · 2021-05-25 21:19:13 +02:00 · 08dce3bcdc
commit 08dce3bcdc
parent e5d4755619
4 changed files with 39 additions and 33 deletions
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@ -84,7 +84,6 @@

   :allow-demo-users true
   :registration-enabled true
-   :registration-domain-whitelist ""

   :telemetry-enabled false
   :telemetry-uri "https://telemetry.penpot.app/"
@ -161,7 +160,7 @@
 (s/def ::profile-complaint-threshold ::us/integer)
 (s/def ::public-uri ::us/string)
 (s/def ::redis-uri ::us/string)
-(s/def ::registration-domain-whitelist ::us/string)
+(s/def ::registration-domain-whitelist ::us/set-of-str)
 (s/def ::registration-enabled ::us/boolean)
 (s/def ::rlimits-image ::us/integer)
 (s/def ::rlimits-password ::us/integer)
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@ -60,9 +60,10 @@
    (ex/raise :type :restriction
              :code :registration-disabled))

-  (when-not (email-domain-in-whitelist? (cfg/get :registration-domain-whitelist) (:email params))
-    (ex/raise :type :validation
-              :code :email-domain-is-not-allowed))
+  (when-let [domains (cfg/get :registration-domain-whitelist)]
+    (when-not (email-domain-in-whitelist? domains (:email params))
+      (ex/raise :type :validation
+                :code :email-domain-is-not-allowed)))

  (when-not (:terms-privacy params)
    (ex/raise :type :validation
@ -137,14 +138,15 @@
           ::audit/profile-id (:id profile)})))))

 (defn email-domain-in-whitelist?
-  "Returns true if email's domain is in the given whitelist or if given
-  whitelist is an empty string."
-  [whitelist email]
-  (if (str/empty-or-nil? whitelist)
+  "Returns true if email's domain is in the given whitelist or if
+  given whitelist is an empty string."
+  [domains email]
+  (if (or (empty? domains)
+          (nil? domains))
    true
-    (let [domains (str/split whitelist #",\s*")
-          domain  (second (str/split email #"@" 2))]
-      (contains? (set domains) domain))))
+    (let [[_ candidate] (-> (str/lower email)
+                            (str/split #"@" 2))]
+      (contains? domains candidate))))

 (def ^:private sql:profile-existence
  "select exists (select * from profile