fix(coderd): userOIDC: ignore leading @ of EmailDomain (#13568)

2025-07-06 15:41:45 +00:00 · 2024-06-14 09:29:07 +01:00
parent d04959cea8
commit fe240add86
2 changed files with 26 additions and 0 deletions
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -960,6 +960,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		}
 		userEmailDomain := emailSp[len(emailSp)-1]
 		for _, domain := range api.OIDCConfig.EmailDomain {
+			// Folks sometimes enter EmailDomain with a leading '@'.
+			domain = strings.TrimPrefix(domain, "@")
 			if strings.EqualFold(userEmailDomain, domain) {
 				ok = true
 				break
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -941,6 +941,30 @@ func TestUserOIDC(t *testing.T) {
 			},
 			StatusCode: http.StatusForbidden,
 		},
+		{
+			Name: "EmailDomainWithLeadingAt",
+			IDTokenClaims: jwt.MapClaims{
+				"email":          "cian@coder.com",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			EmailDomain: []string{
+				"@coder.com",
+			},
+			StatusCode: http.StatusOK,
+		},
+		{
+			Name: "EmailDomainForbiddenWithLeadingAt",
+			IDTokenClaims: jwt.MapClaims{
+				"email":          "kyle@kwc.io",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			EmailDomain: []string{
+				"@coder.com",
+			},
+			StatusCode: http.StatusForbidden,
+		},
 		{
 			Name: "EmailDomainCaseInsensitive",
 			IDTokenClaims: jwt.MapClaims{