Merge pull request #128 from Mintplex-Labs/domain-restriction-bypass-…

…security-patch [FIX] perform more strict domain check when domain restriction is enabled
Mintplex-Labs · Jan 24, 2024 · 63501d3 · 63501d3
2 parents 8dc0c29 + a581b81
commit 63501d3
Showing 1 changed file with 11 additions and 12 deletions.
diff --git a/backend/endpoints/auth.js b/backend/endpoints/auth.js
@@ -160,18 +160,17 @@ function authenticationEndpoints(app) {
       const domainRestriction = await SystemSettings.get({
         label: "account_creation_domain_scope",
       });
-      if (
-        !!domainRestriction &&
-        domainRestriction.value !== null &&
-        !email.includes(domainRestriction.value)
-      ) {
-        response.status(200).json({
-          user: null,
-          valid: false,
-          token: null,
-          message: "[003] Invalid account creation values.",
-        });
-        return;
+      if (domainRestriction && domainRestriction.value) {
+        const emailDomain = email.substring(email.lastIndexOf("@") + 1);
+        if (emailDomain !== domainRestriction.value) {
+          response.status(200).json({
+            user: null,
+            valid: false,
+            token: null,
+            message: "[003] Invalid account creation values.",
+          });
+          return;
+        }
       }
 
       const { user, message } = await User.create({ email, password });