Add option to restrict from which e-mail domain users can sign up through OIDC. #2332
Open
lsde
wants to merge 2 commits from
lsde/vikunja:feature/oidc-email-domain-restriction
into main
This merge request adds an option to restrict the sign-up process for users using OpenID Connect (OIDC) to specific email domains. This feature will allow administrators to limit the type of accounts that can be created on their instance, ensuring a more secure environment for their users.
Hi lsde!
Thank you for creating a PR!
I've deployed the frontend changes of this PR on a preview environment under this URL: https://2332-feature-oidc-email-domain-restri--vikunja-frontend-preview.netlify.app
You can use this url to view the changes live and test them out.
You will need to manually connect this to an api running somewhere. The easiest to use is https://try.vikunja.io/.
This preview does not contain any changes made to the api, only the frontend.
Have a nice day!
@ -53,6 +53,7 @@ type Provider struct {
OriginalAuthURL string `json:"-"`
AuthURL string `json:"auth_url"`
LogoutURL string `json:"logout_url"`
Domain string `json:"domain"`
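Review bot: the new `Domain` field on +56 carries a `json:"domain"` tag, so it is serialised to clients alongside `auth_url` and `logout_url`; unless the frontend needs it to hint users, tag it `json:"-"` like `OriginalAuthURL` so the list of permitted domains is not disclosed to unauthenticated callers, and since one provider will usually admit several domains, a `[]string` would avoid a second config change later.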
Can you make this a string slice so that it's possible to add multiple domains?
done (the slicing is done at L44 though).
@ -192,2 +193,4 @@
}
//Check is the email address is at the domain configured for the provider, and return the error if not
if provider.Domain != "" && !strings.HasSuffix(cl.Email, provider.Domain) {
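Review bot: `strings.HasSuffix(cl.Email, provider.Domain)` on +195 is a bare suffix match, so with `example.com` configured an address at `notexample.com` is accepted; compare the part after the last `@` for equality (case-insensitively, since mail domains are not case-sensitive) rather than as a suffix, and fix the comment typo `Check is` to `Check if`.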
The comparison should include the `@`, otherwise it would be possible for a malicious attacker to use malicious-example.com when you only allowed example.com.
done here
@ -427,4 +427,2 @@
}
// ErrNoOpenIDEmailProvided represents a "NoEmailProvided" kind of error.
type ErrOpenIDCustomScopeMalformed struct {
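Review bot: the block removed at -428 pairs a doc comment naming `ErrNoOpenIDEmailProvided` with the type `ErrOpenIDCustomScopeMalformed`, so on its own the hunk reads as the deletion of an error type; state in the commit message that the type is moved and renumbered, and make sure the relocated copy gets a comment naming the right type.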
Why did you remove this error?
This error was just moved further down the code to be in the ascending order by error code. The error code for this was also fixed, as the code number was duplicate.
Ah makes sense, good catch!
@ -534,1 +508,4 @@
}
// ErrOpenIDCustomScopeMalformed represents a "ErrOpenIDCustomScopeMalformed" kind of error.
type ErrOpenIDCustomScopeMalformed struct {
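Review bot: the relocated doc comment on +509 says `represents a "ErrOpenIDCustomScopeMalformed" kind of error`, putting the Go type name inside the quotes where the neighbouring comment uses the bare name (`"NoEmailProvided"`); use `"OpenIDCustomScopeMalformed"` for consistency with the rest of the file, and add the renumbered code to the error documentation.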
Please add this error to the docs.
I'm not the author of this, I guess you meant ErrCodeOpenIDEmailBadDomain.
Yeah, the new error you added.
done here
6e747e19a8 to 9202e035ae
Updated the PR with the requested changes and rebased.
@ -194,0 +197,4 @@
splitEmail := strings.Split(cl.Email, "@")
foundGoodDomain := false
for domain, _ := range provider.Domains {
if strings.HasSuffix(splitEmail[len(splitEmail) -1], provider.Domains[domain]) {
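Review bot: `for domain, _ := range provider.Domains` on +199 ranges over indices with a redundant blank identifier, which linters flag, and the `HasSuffix` on the last element of the split on +200 still accepts `sub.example.com` or `notexample.com` when `example.com` is configured; range over the values (`for _, domain := range provider.Domains`) and test the domain part for equality, not for a suffix.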
Why the split instead of something like `strings.HasSuffix(cl.Email, "@"+domain)`?
no particular reason, fixed.
@ -125,6 +125,11 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
logoutURL = ""
}
domains, ok := pi["domains"].(string)
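Review bot: the assertion `pi["domains"].(string)` on +128 fails for a YAML list such as the `domains:` entry in the sample config, leaving `ok` false and the restriction silently unset; assert the slice type the config loader yields for a list and convert each element, returning an error for a non-string entry rather than ignoring it.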
This should be a list, not a string split by spaces.
fixed.
@ -535,0 +534,4 @@
}
// ErrOpenIDEmailBadDomain represents a "OpenIDEmailBadDomain" kind of error.
type ErrOpenIDEmailBadDomain struct {
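Review bot: `ErrOpenIDEmailBadDomain` on +536 has no fields, so its message cannot say which domain was rejected; add a `Domain string` field holding only the domain part, which lets operators debug a misconfigured list without putting a full, user-identifying address into logs.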
Can you include the wrong email domain in the error?
done
298e12bc32 to 538653c363
538653c363 to dc47c1dc9e
Updated the PR with the requested changes and rebased. (again)
b0164e891f to 6a35cb9239
6a35cb9239 to 07a4eabe78
07a4eabe78 to a244a9506c
@ -325,0 +325,4 @@
# The list of e-mail domains that will be allowed to authenticate using OpenID Connect. If empty, any domain is allowed.
# Use this only if you want to restrict which users are allowed to authenticate using OpenID Connect.
domains:
- example.com
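Review bot: since config.yml.sample becomes the default config file, the active `- example.com` entry on +328 means a fresh install rejects every OIDC login from any other domain; keep the list empty and show the entry commented out (`# - example.com`) so the default matches the "If empty, any domain is allowed" statement on +325.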
The `.sample` file will be copied as the default config file, that means by default, it will be restricted to @example.com emails. I think it's enough to leave it at that and expect people to read the config file, but worth keeping in mind.
@ -194,0 +196,4 @@
if len(provider.Domains) > 0 {
foundGoodDomain := false
for domain := range provider.Domains {
if strings.HasSuffix(cl.Email, "@"+provider.Domains[domain]) {
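Review bot: the loop on +198 ranges over indices and then indexes `provider.Domains[domain]`; `for _, domain := range provider.Domains` is the idiomatic form. The `HasSuffix` with `"@"+...` on +199 now matches the domain exactly, but it is case-sensitive, so `alice@Example.com` is rejected when `example.com` is configured; lower-case the address's domain part (or use `strings.EqualFold`) and trim whitespace from configured entries.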
Please change the loop to
@ -535,0 +535,4 @@
// ErrOpenIDEmailBadDomain represents a "OpenIDEmailBadDomain" kind of error.
type ErrOpenIDEmailBadDomain struct {
Email string
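Review bot: the `Email string` field on +537 stores the full address in the error, which then reaches logs and API responses; keep only the domain part, which is what an operator needs to see and is not user-identifying on its own.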
This should only include the domain, not the full email. We should not log emails as they are user-identifiable information.
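The three points raised in this review (the bare suffix match accepting `malicious-example.com` for `example.com`, case handling of the domain part, and an error that carries only the domain) are shown side by side in the following Go program. It is an added example, not code from the Vikunja PR; `ErrEmailBadDomain`, `naiveAllowed` and `checkEmailDomain` are hypothetical names standing in for the PR's types and functions.

```go
package main

import (
	"fmt"
	"strings"
)

// ErrEmailBadDomain is a hypothetical stand-in for the PR's ErrOpenIDEmailBadDomain:
// it carries only the rejected domain, never the full address.
type ErrEmailBadDomain struct{ Domain string }

func (e *ErrEmailBadDomain) Error() string {
	return fmt.Sprintf("email domain %q is not allowed for this OpenID provider", e.Domain)
}

// emailDomain returns the part after the last "@", lower-cased, or "" if missing.
func emailDomain(email string) string {
	i := strings.LastIndex(email, "@")
	if i < 0 || i == len(email)-1 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(email[i+1:]))
}

// naiveAllowed reproduces the PR's first version: a bare suffix match on the
// whole address, which also accepts "alice@malicious-example.com".
func naiveAllowed(email, domain string) bool {
	return domain == "" || strings.HasSuffix(email, domain)
}

// checkEmailDomain is the hardened check: the domain part must equal one of the
// configured domains (case-insensitively); an empty list allows any domain.
func checkEmailDomain(email string, allowed []string) error {
	if len(allowed) == 0 {
		return nil
	}
	got := emailDomain(email)
	for _, d := range allowed {
		if got != "" && strings.EqualFold(got, strings.TrimSpace(d)) {
			return nil
		}
	}
	return &ErrEmailBadDomain{Domain: got}
}

func main() {
	for _, email := range []string{"alice@example.com", "mallory@malicious-example.com"} {
		fmt.Printf("%-32s naive=%v hardened=%v\n", email, naiveAllowed(email, "example.com"), checkEmailDomain(email, []string{"example.com"}))
	}
}
```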
a244a9506c to 686569a368
Thanks for the code review, done requested changes, squashed and rebased.
Looks good, will test it properly when I'm back at my computer.
Please fix the lint issues.