Remove is-email-allowed check
In favor of more advanced version based on filtering coming later
rijkvanzanten committed Oct 21, 2021
1 parent 9e09e50 commit 33dd4b3
Showing 4 changed files with 15 additions and 21 deletions.
6 changes: 2 additions & 4 deletions api/src/auth/drivers/oauth2.ts
Expand Up @@ -98,7 +98,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
throw handleError(e);
}

const { emailKey, identifierKey, allowPublicRegistration, allowedEmailDomains } = this.config;
const { emailKey, identifierKey, allowPublicRegistration } = this.config;

const email = userInfo[emailKey ?? 'email'] as string | undefined;
// Fallback to email if explicit identifier not found
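Review bot: `allowedEmailDomains` is dropped from the destructuring here, but no hunk in this diff removes the option from the driver's config type or from the env parsing, so an existing `AUTH_<PROVIDER>_ALLOWED_EMAIL_DOMAINS` setting will now be read and silently ignored rather than rejected. Until the filter-based replacement mentioned in the commit message lands, consider logging a warning (or failing at startup) when that key is still set, so operators notice that the domain restriction no longer applies.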
Expand All @@ -121,10 +121,8 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
return userId;
}

const isAllowedEmail = !allowedEmailDomains || (email && isEmailAllowed(email, allowedEmailDomains));

// Is public registration allowed?
if (!allowPublicRegistration || !isAllowedEmail) {
if (!allowPublicRegistration) {
throw new InvalidCredentialsException();
}

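Review bot: with `isAllowedEmail` removed, the only remaining gate on self-registration in this branch is `allowPublicRegistration`, so any account the OAuth2 provider authenticates can create a Directus user once that flag is `true`. The commit message defers the replacement to a later filtering feature; in the meantime the docs should state explicitly that enabling public registration now admits every identity the provider accepts. Also check that the `isEmailAllowed` import at the top of this file is removed, since no hunk here touches it and it is now unused.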
5 changes: 2 additions & 3 deletions api/src/auth/drivers/openid.ts
Expand Up @@ -99,7 +99,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
throw handleError(e);
}

const { identifierKey, allowPublicRegistration, allowedEmailDomains, requireVerifiedEmail } = this.config;
const { identifierKey, allowPublicRegistration, requireVerifiedEmail } = this.config;

const email = userInfo.email as string;
// Fallback to email if explicit identifier not found
Expand All @@ -122,11 +122,10 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
return userId;
}

const isAllowedEmail = !allowedEmailDomains || (email && isEmailAllowed(email, allowedEmailDomains));
const isEmailVerified = !requireVerifiedEmail || userInfo.email_verified;

// Is public registration allowed?
if (!allowPublicRegistration || !isAllowedEmail || !isEmailVerified) {
if (!allowPublicRegistration || !isEmailVerified) {
throw new InvalidCredentialsException();
}

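Review bot: after this change the OpenID path keeps only `isEmailVerified` as a check beyond `allowPublicRegistration`, and per the environment-variables table in this same commit `AUTH_<PROVIDER>_REQUIRE_VERIFIED_EMAIL` defaults to `false`. With default settings, an OpenID provider with public registration enabled therefore admits any subject, even one whose `email_verified` claim is false or absent. Consider flipping that default, or at least calling this out in the docs alongside the removal. Same point as in `oauth2.ts`: verify the `isEmailAllowed` import in this file is removed.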
1 change: 0 additions & 1 deletion docs/guides/api-config.md
Expand Up @@ -79,7 +79,6 @@ AUTH_ADOBE_AUTHORIZE_URL="https://ims-na1.adobelogin.com/ims/authorize/v2"
AUTH_ADOBE_ACCESS_URL="https://ims-na1.adobelogin.com/ims/token/v3"
AUTH_ADOBE_PROFILE_URL="https://ims-na1.adobelogin.com/ims/userinfo/v2"
AUTH_ADOBE_ALLOW_PUBLIC_REGISTRATION="true"
AUTH_ADOBE_ALLOWED_EMAIL_DOMAINS="monospace.io,directus.io"
AUTH_ADOBE_DEFAULT_ROLE_ID="<directus_role_id>"
AUTH_ADOBE_ICON="adobe"
```
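Review bot: the Adobe example still sets `AUTH_ADOBE_ALLOW_PUBLIC_REGISTRATION="true"` but now has no domain restriction beneath it, so a reader who copies this block lets any Adobe account self-register. Add a sentence under the example noting that public registration is no longer scoped to an email domain, or change the example value to `"false"`.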
24 changes: 11 additions & 13 deletions docs/reference/environment-variables.md
Expand Up @@ -299,7 +299,6 @@ No additional configuration required.
| `AUTH_<PROVIDER>_EMAIL_KEY` | OAuth profile email key used to verify the user. | `email` |
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | OAuth profile identifier key used to verify the user. Can be used in place of `EMAIL_KEY`. | -- |
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Whether to allow public registration of authenticating users. | `false` |
| `AUTH_<PROVIDER>_ALLOWED_EMAIL_DOMAINS` | CSV of email domains which can register publicly. Ignored if empty. | -- |
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | Directus role ID to assign to users. | -- |
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. | `account_circle` |
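Review bot: removing a documented variable is a breaking change for operators who set it, and this hunk deletes the row without any mention that the option was removed. Add a short removal note (and ideally a changelog entry) stating that `AUTH_<PROVIDER>_ALLOWED_EMAIL_DOMAINS` is no longer honoured and what to use instead once the filtering-based replacement exists.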

Expand All @@ -308,18 +307,17 @@ allowing more complete user registrations.

### OpenID (`openid`)

| Variable | Description | Default Value |
| ------------------------------------------- | ------------------------------------------------------------------- | ---------------------- |
| `AUTH_<PROVIDER>_CLIENT_ID` | OpenID identifier for the external service. | -- |
| `AUTH_<PROVIDER>_CLIENT_SECRET` | OpenID secret for the external service. | -- |
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of privileges Directus will request. | `openid profile email` |
| `AUTH_<PROVIDER>_ISSUER_URL` | The OpenID `.well-known` Discovery Document URL. | -- |
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | OpenID profile identifier key used to verify the user. | `sub` |
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Whether to allow public registration of authenticating users. | `false` |
| `AUTH_<PROVIDER>_ALLOWED_EMAIL_DOMAINS` | CSV of email domains which can register publicly. Ignored if empty. | -- |
| `AUTH_<PROVIDER>_REQUIRE_VERIFIED_EMAIL` | Require users to have a verified email address. | `false` |
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | Directus role ID to assign to users. | -- |
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. | `account_circle` |
| Variable | Description | Default Value |
| ------------------------------------------- | ----------------------------------------------------------------- | ---------------------- |
| `AUTH_<PROVIDER>_CLIENT_ID` | OpenID identifier for the external service. | -- |
| `AUTH_<PROVIDER>_CLIENT_SECRET` | OpenID secret for the external service. | -- |
| `AUTH_<PROVIDER>_SCOPE` | A white-space separated list of privileges Directus will request. | `openid profile email` |
| `AUTH_<PROVIDER>_ISSUER_URL` | The OpenID `.well-known` Discovery Document URL. | -- |
| `AUTH_<PROVIDER>_IDENTIFIER_KEY` | OpenID profile identifier key used to verify the user. | `sub` |
| `AUTH_<PROVIDER>_ALLOW_PUBLIC_REGISTRATION` | Whether to allow public registration of authenticating users. | `false` |
| `AUTH_<PROVIDER>_REQUIRE_VERIFIED_EMAIL` | Require users to have a verified email address. | `false` |
| `AUTH_<PROVIDER>_DEFAULT_ROLE_ID` | Directus role ID to assign to users. | -- |
| `AUTH_<PROVIDER>_ICON` | SVG icon to display with the login link. | `account_circle` |

## Extensions

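Review bot: most of the lines in this hunk are whitespace realignment of the table columns after the `ALLOWED_EMAIL_DOMAINS` row was dropped; the only substantive change is the missing row. Keeping the previous column widths would leave a one-line diff and make the removal easier to spot in review and in blame.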
