fix: better logic for multiple restricted domains (#860)

api/v1/server/handlers/users/github_oauth_callback.go

@@ -38,6 +38,10 @@ func (u *UserService) UserUpdateGithubOauthCallback(ctx echo.Context, _ gen.User
 	user, err := u.upsertGithubUserFromToken(u.config, token)
 
 	if err != nil {
+		if errors.Is(err, ErrNotInRestrictedDomain) {
+			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Email is not in the restricted domain group.")
+		}
+
 		if errors.Is(err, ErrGithubNotVerified) {
 			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Please verify your email on Github.")
 		}

api/v1/server/handlers/users/google_oauth_callback.go

@@ -3,6 +3,7 @@ package users
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -39,6 +40,10 @@ func (u *UserService) UserUpdateGoogleOauthCallback(ctx echo.Context, _ gen.User
 	user, err := u.upsertGoogleUserFromToken(u.config, token)
 
 	if err != nil {
+		if errors.Is(err, ErrNotInRestrictedDomain) {
+			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Email is not in the restricted domain group.")
+		}
+
 		return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Internal error.")
 	}
 

api/v1/server/handlers/users/service.go

@@ -2,7 +2,6 @@ package users
 
 import (
 	"errors"
-	"fmt"
 	"strings"
 
 	"github.com/hatchet-dev/hatchet/pkg/config/server"
@@ -19,7 +18,7 @@ func NewUserService(config *server.ServerConfig) *UserService {
 }
 
 func (u *UserService) checkUserRestrictionsForEmail(conf *server.ServerConfig, email string) error {
-	if len(conf.Auth.ConfigFile.RestrictedEmailDomains) == 0 {
+	if len(conf.Auth.RestrictedEmailDomains) == 0 {
 		return nil
 	}
 
@@ -34,16 +33,18 @@ func (u *UserService) checkUserRestrictionsForEmail(conf *server.ServerConfig, e
 	return u.checkUserRestrictions(conf, domain)
 }
 
+var ErrNotInRestrictedDomain = errors.New("email is not in the restricted domain group")
+
 func (u *UserService) checkUserRestrictions(conf *server.ServerConfig, emailDomain string) error {
 	if len(conf.Auth.ConfigFile.RestrictedEmailDomains) == 0 {
 		return nil
 	}
 
-	for _, domain := range conf.Auth.ConfigFile.RestrictedEmailDomains {
+	for _, domain := range conf.Auth.RestrictedEmailDomains {
 		if domain == emailDomain {
 			return nil
 		}
 	}
 
-	return fmt.Errorf("email is not in the restricted domain group")
+	return ErrNotInRestrictedDomain
 }

api/v1/server/handlers/users/update_login.go

@@ -29,6 +29,12 @@ func (u *UserService) UserUpdateLogin(ctx echo.Context, request gen.UserUpdateLo
 		return gen.UserUpdateLogin400JSONResponse(*apiErrors), nil
 	}
 
+	if err := u.checkUserRestrictionsForEmail(u.config, string(request.Body.Email)); err != nil {
+		return gen.UserUpdateLogin401JSONResponse(
+			apierrors.NewAPIErrors("Email is not in the restricted domain group."),
+		), nil
+	}
+
 	// determine if the user exists before attempting to write the user
 	existingUser, err := u.config.APIRepository.User().GetUserByEmail(string(request.Body.Email))
 	if err != nil {

pkg/config/loader/loader.go

@@ -331,7 +331,8 @@ func GetServerConfigFromConfigfile(dc *database.Config, cf *server.ServerConfigF
 	}
 
 	auth := server.AuthConfig{
-		ConfigFile: cf.Auth,
+		RestrictedEmailDomains: getStrArr(cf.Auth.RestrictedEmailDomains),
+		ConfigFile:             cf.Auth,
 	}
 
 	if cf.Auth.Google.Enabled {

pkg/config/server/server.go

@@ -223,7 +223,8 @@ type EncryptionConfigFileCloudKMS struct {
 
 type ConfigFileAuth struct {
 	// RestrictedEmailDomains sets the restricted email domains for the instance.
-	RestrictedEmailDomains []string `mapstructure:"restrictedEmailDomains" json:"restrictedEmailDomains,omitempty"`
+	// NOTE: do not use this on the server from the config file.
+	RestrictedEmailDomains string `mapstructure:"restrictedEmailDomains" json:"restrictedEmailDomains,omitempty"`
 
 	// BasedAuthEnabled controls whether email and password-based login is enabled for this
 	// Hatchet instance
@@ -302,6 +303,8 @@ type PostmarkConfigFile struct {
 }
 
 type AuthConfig struct {
+	RestrictedEmailDomains []string
+
 	ConfigFile ConfigFileAuth
 
 	GoogleOAuthConfig *oauth2.Config