feat: oauth email whitelist

internal/api/api.go

@@ -319,6 +319,33 @@ func (api *API) SetupRoutes() {
 			return
 		}
 
+		email, emailErr := api.Providers.GetUser(providerName.Provider)
+
+		if emailErr != nil {
+			log.Error().Err(emailErr).Msg("Failed to get user")
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		if !api.Auth.EmailWhitelisted(email) {
+			log.Warn().Str("email", email).Msg("Email not whitelisted")
+			unauthorizedQuery, unauthorizedQueryErr := query.Values(types.UnauthorizedQuery{
+				Email: email,
+			})
+			if unauthorizedQueryErr != nil {
+				log.Error().Err(unauthorizedQueryErr).Msg("Failed to build query")
+				c.JSON(501, gin.H{
+					"status":  501,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, unauthorizedQuery.Encode()))
+		}
+
 		session := sessions.Default(c)
 		session.Set("tinyauth_sid", fmt.Sprintf("%s:%s", providerName.Provider, token))
 		session.Save()
@@ -334,12 +361,12 @@ func (api *API) SetupRoutes() {
 
 		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
 
-		queries, queryErr := query.Values(types.LoginQuery{
+		redirectQuery, redirectQueryErr := query.Values(types.LoginQuery{
 			RedirectURI: redirectURI,
 		})
 
-		if queryErr != nil {
-			log.Error().Err(queryErr).Msg("Failed to build query")
+		if redirectQueryErr != nil {
+			log.Error().Err(redirectQueryErr).Msg("Failed to build query")
 			c.JSON(501, gin.H{
 				"status":  501,
 				"message": "Internal Server Error",
@@ -347,7 +374,7 @@ func (api *API) SetupRoutes() {
 			return
 		}
 
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", api.Config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", api.Config.AppURL, redirectQuery.Encode()))
 	})
 }
 

internal/auth/auth.go

@@ -6,14 +6,16 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-func NewAuth(userList types.Users) *Auth {
+func NewAuth(userList types.Users, whitelist []string) *Auth {
 	return &Auth{
-		Users: userList,
+		Users:     userList,
+		Whitelist: whitelist,
 	}
 }
 
 type Auth struct {
-	Users types.Users
+	Users     types.Users
+	Whitelist []string
 }
 
 func (auth *Auth) GetUser(email string) *types.User {
@@ -28,4 +30,16 @@ func (auth *Auth) GetUser(email string) *types.User {
 func (auth *Auth) CheckPassword(user types.User, password string) bool {
 	hashedPasswordErr := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
 	return hashedPasswordErr == nil
-}
+}
+
+func (auth *Auth) EmailWhitelisted(emailSrc string) bool {
+	if len(auth.Whitelist) == 0 {
+		return true
+	}
+	for _, email := range auth.Whitelist {
+		if email == emailSrc {
+			return true
+		}
+	}
+	return false
+}

internal/hooks/hooks.go

@@ -105,6 +105,17 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext, error) {
 		}, nil
 	}
 
+	if !hooks.Auth.EmailWhitelisted(email) {
+		session.Delete("tinyauth_sid")
+		session.Save()
+		return types.UserContext{
+			Email:      "",
+			IsLoggedIn: false,
+			OAuth:      false,
+			Provider:   "",
+		}, nil
+	}
+
 	return types.UserContext{
 		Email:      email,
 		IsLoggedIn: true,

internal/types/types.go

@@ -37,6 +37,7 @@ type Config struct {
 	GenericTokenURL     string `mapstructure:"generic-token-url"`
 	GenericUserURL      string `mapstructure:"generic-user-info-url"`
 	DisableContinue     bool   `mapstructure:"disable-continue"`
+	Whitelist           string `mapstructure:"whitelist"`
 }
 
 type UserContext struct {
@@ -78,3 +79,7 @@ type OAuthProviders struct {
 	Google    *oauth.OAuth
 	Microsoft *oauth.OAuth
 }
+
+type UnauthorizedQuery struct {
+	Email string `url:"email"`
+}

internal/utils/utils.go

@@ -74,3 +74,10 @@ func ParseFileToLine(content string) string {
 
 	return strings.Join(users, ",")
 }
+
+func ParseWhitelist(whitelist string) []string {
+	if whitelist == "" {
+		return []string{}
+	}
+	return strings.Split(whitelist, ",")
+}