synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-15 22:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(coderd): userOIDC: ignore leading @ of EmailDomain (#13568)

Browse Source
This commit is contained in:
Cian Johnston
2024-06-14 09:29:07 +01:00
committed by GitHub
parent d04959cea8
commit fe240add86
2 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
coderd/userauth.go
View File

@ -960,6 +960,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
} }
userEmailDomain := emailSp[len(emailSp)-1] userEmailDomain := emailSp[len(emailSp)-1]
for _, domain := range api.OIDCConfig.EmailDomain { for _, domain := range api.OIDCConfig.EmailDomain {
// Folks sometimes enter EmailDomain with a leading '@'.
domain = strings.TrimPrefix(domain, "@")
if strings.EqualFold(userEmailDomain, domain) { if strings.EqualFold(userEmailDomain, domain) {
ok = true ok = true
break break

24
coderd/userauth_test.go
View File

@ -941,6 +941,30 @@ func TestUserOIDC(t *testing.T) {
}, },
StatusCode: http.StatusForbidden, StatusCode: http.StatusForbidden,
}, },
{
Name: "EmailDomainWithLeadingAt",
IDTokenClaims: jwt.MapClaims{
"email": "cian@coder.com",
"email_verified": true,
},
AllowSignups: true,
EmailDomain: []string{
"@coder.com",
},
StatusCode: http.StatusOK,
},
{
Name: "EmailDomainForbiddenWithLeadingAt",
IDTokenClaims: jwt.MapClaims{
"email": "kyle@kwc.io",
"email_verified": true,
},
AllowSignups: true,
EmailDomain: []string{
"@coder.com",
},
StatusCode: http.StatusForbidden,
},
{ {
Name: "EmailDomainCaseInsensitive", Name: "EmailDomainCaseInsensitive",
IDTokenClaims: jwt.MapClaims{ IDTokenClaims: jwt.MapClaims{