🐛 Add proper validation of registration domain whitelist on oidc

Fixes #3348
2025-05-21 07:56:10 +02:00 · 2023-06-26 18:10:43 +02:00 · 2023-06-26 18:10:43 +02:00 · f166fe1926
commit f166fe1926
parent f60d09eb8f
5 changed files with 60 additions and 38 deletions
--- a/backend/src/app/auth.clj
+++ b/backend/src/app/auth.clj
@ -6,7 +6,9 @@

 (ns app.auth
  (:require
+   [app.config :as cf]
   [buddy.hashers :as hashers]
+   [cuerdas.core :as str]
   [promesa.exec :as px]))

 (def default-params
@ -27,3 +29,16 @@
      {:update false
       :valid false})))

+(defn email-domain-in-whitelist?
+  "Returns true if email's domain is in the given whitelist or if
+  given whitelist is an empty string."
+  ([email]
+   (let [domains (cf/get :registration-domain-whitelist)]
+     (email-domain-in-whitelist? domains email)))
+  ([domains email]
+   (if (or (nil? domains) (empty? domains))
+     true
+     (let [[_ candidate] (-> (str/lower email)
+                             (str/split #"@" 2))]
+       (contains? domains candidate)))))
+
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -7,6 +7,7 @@
 (ns app.auth.oidc
  "OIDC client implementation."
  (:require
+   [app.auth :as auth]
   [app.auth.oidc.providers :as-alias providers]
   [app.common.data :as d]
   [app.common.data.macros :as dm]
@ -430,10 +431,24 @@
   ::yrs/headers {"location" (str uri)}})

 (defn- generate-error-redirect
-  [_ error]
-  (let [uri (-> (u/uri (cf/get :public-uri))
-                (assoc :path "/#/auth/login")
-                (assoc :query (u/map->query-string {:error "unable-to-auth" :hint (ex-message error)})))]
+  [_ cause]
+  (let [data   (if (ex/error? cause) (ex-data cause) nil)
+        code   (or (:code data) :unexpected)
+        type   (or (:type data) :internal)
+        hint   (or (:hint data)
+                   (if (ex/exception? cause)
+                     (ex-message cause)
+                     (str cause)))
+
+        params {:error "unable-to-auth"
+                :hint hint
+                :type type
+                :code code}
+
+        uri    (-> (u/uri (cf/get :public-uri))
+                   (assoc :path "/#/auth/login")
+                   (assoc :query (u/map->query-string params)))]
+
    (redirect-response uri)))

 (defn- generate-redirect
@ -463,19 +478,23 @@
      (->> (redirect-response uri)
           (sxf request)))

-    (let [info   (assoc info
-                        :iss :prepared-register
-                        :is-active true
-                        :exp (dt/in-future {:hours 48}))
-          token  (tokens/generate (::main/props cfg) info)
-          params (d/without-nils
-                  {:token token
-                   :fullname (:fullname info)})
-          uri    (-> (u/uri (cf/get :public-uri))
-                     (assoc :path "/#/auth/register/validate")
-                     (assoc :query (u/map->query-string params)))]

-      (redirect-response uri))))
+    (if (auth/email-domain-in-whitelist? (:email info))
+      (let [info   (assoc info
+                          :iss :prepared-register
+                          :is-active true
+                          :exp (dt/in-future {:hours 48}))
+            token  (tokens/generate (::main/props cfg) info)
+            params (d/without-nils
+                    {:token token
+                     :fullname (:fullname info)})
+            uri    (-> (u/uri (cf/get :public-uri))
+                       (assoc :path "/#/auth/register/validate")
+                       (assoc :query (u/map->query-string params)))]
+
+        (redirect-response uri))
+      (generate-error-redirect cfg "email-domain-not-allowed"))))
+

 (defn- auth-handler
  [cfg {:keys [params] :as request}]
--- a/backend/src/app/rpc/commands/auth.clj
+++ b/backend/src/app/rpc/commands/auth.clj
@ -6,6 +6,7 @@

 (ns app.rpc.commands.auth
  (:require
+   [app.auth :as auth]
   [app.common.data :as d]
   [app.common.exceptions :as ex]
   [app.common.logging :as l]
@ -38,19 +39,6 @@
 (s/def ::invitation-token ::us/not-empty-string)
 (s/def ::token ::us/not-empty-string)

-;; ---- HELPERS
-
-(defn email-domain-in-whitelist?
-  "Returns true if email's domain is in the given whitelist or if
-  given whitelist is an empty string."
-  [domains email]
-  (if (or (empty? domains)
-          (nil? domains))
-    true
-    (let [[_ candidate] (-> (str/lower email)
-                            (str/split #"@" 2))]
-      (contains? domains candidate))))
-
 ;; ---- COMMAND: login with password

 (defn login-with-password
@ -180,10 +168,9 @@
                  :code :email-does-not-match-invitation
                  :hint "email should match the invitation"))))

-  (when-let [domains (cf/get :registration-domain-whitelist)]
-    (when-not (email-domain-in-whitelist? domains (:email params))
-      (ex/raise :type :validation
-                :code :email-domain-is-not-allowed)))
+  (when-not (auth/email-domain-in-whitelist? (:email params))
+    (ex/raise :type :validation
+              :code :email-domain-is-not-allowed))

  ;; Don't allow proceed in preparing registration if the profile is
  ;; already reported as spammer.