Merge pull request #17 from defer/ft-allowed-domains

Google: Add an AllowedDomains config clause
qor · Jun 3, 2019 · 709ba0c · 709ba0c
2 parents 46aae9f + 12da3be
commit 709ba0c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -62,6 +62,7 @@ func init() {
   Auth.RegisterProvider(google.New(&google.Config{
     ClientID:     "google client id",
     ClientSecret: "google client secret",
+    AllowedDomains: []string{}, // Accept all domains, instead you can pass a whitelist of acceptable domains
   }))
 
   // Allow use Facebook

diff --git a/providers/google/google.go b/providers/google/google.go
@@ -3,9 +3,11 @@ package google
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"reflect"
+	"strings"
 
 	"github.com/qor/auth"
 	"github.com/qor/auth/auth_identity"
@@ -30,6 +32,7 @@ type Config struct {
 	TokenURL         string
 	RedirectURL      string
 	Scopes           []string
+	AllowedDomains   []string
 	AuthorizeHandler func(context *auth.Context) (*claims.Claims, error)
 }
 
@@ -106,6 +109,10 @@ func New(config *Config) *GoogleProvider {
 					schema.RawInfo = userInfo
 				}
 
+				if !isDomainAllowed(schema.Email, config.AllowedDomains) {
+					return nil, auth.ErrUnauthorized
+				}
+
 				authInfo.Provider = provider.GetName()
 				authInfo.UID = schema.UID
 
@@ -132,6 +139,19 @@ func New(config *Config) *GoogleProvider {
 	return provider
 }
 
+func isDomainAllowed(email string, domains []string) bool {
+	if len(domains) == 0 {
+		return true
+	}
+
+	for _, domain := range domains {
+		if strings.HasSuffix(email, fmt.Sprintf("@%s", domain)) {
+			return true
+		}
+	}
+	return false
+}
+
 // GetName return provider name
 func (GoogleProvider) GetName() string {
 	return "google"