
Commit fe240ad

authored
fix(coderd): userOIDC: ignore leading @ of EmailDomain (coder#13568)
1 parent d04959c commit fe240ad


2 files changed

+26
-0
lines changed


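--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -960,6 +960,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		}
 		userEmailDomain := emailSp[len(emailSp)-1]
 		for _, domain := range api.OIDCConfig.EmailDomain {
+			// Folks sometimes enter EmailDomain with a leading '@'.
+			domain = strings.TrimPrefix(domain, "@")
 			if strings.EqualFold(userEmailDomain, domain) {
 				ok = true
 				break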
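Review bot: The leading `@` is stripped on every login for every configured entry, which normalizes configuration at the wrong layer; doing it once where `OIDCConfig.EmailDomain` is populated would keep this loop a pure comparison and could also cover surrounding whitespace, which `TrimPrefix` alone does not catch if the values come from a comma-separated list. If the config is only assembled outside this file, a local normalization is still cheap: `domain = strings.TrimPrefix(strings.TrimSpace(domain), "@")`. The acceptance check remains a full-string `strings.EqualFold` against the last `@`-separated part of the email, so the change does not widen which domains are accepted; it only tolerates the `@` form. userOIDC starts and ends outside the hunk, so whatever validates `emailSp` before line 961 is not visible here.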

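--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -941,6 +941,30 @@ func TestUserOIDC(t *testing.T) {
 			},
 			StatusCode: http.StatusForbidden,
 		},
+		{
+			Name: "EmailDomainWithLeadingAt",
+			IDTokenClaims: jwt.MapClaims{
+				"email": "cian@coder.com",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			EmailDomain: []string{
+				"@coder.com",
+			},
+			StatusCode: http.StatusOK,
+		},
+		{
+			Name: "EmailDomainForbiddenWithLeadingAt",
+			IDTokenClaims: jwt.MapClaims{
+				"email": "kyle@kwc.io",
+				"email_verified": true,
+			},
+			AllowSignups: true,
+			EmailDomain: []string{
+				"@coder.com",
+			},
+			StatusCode: http.StatusForbidden,
+		},
 		{
 			Name: "EmailDomainCaseInsensitive",
 			IDTokenClaims: jwt.MapClaims{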
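Review bot: The negative case `EmailDomainForbiddenWithLeadingAt` rejects an address on an unrelated domain (`kyle@kwc.io`), so it would still pass if the `@`-stripped entry were ever matched by suffix rather than by whole string; a rejected address that shares the allowed domain as a suffix, for example `"email": "kyle@notcoder.com"` with `EmailDomain: []string{"@coder.com"}`, would pin the exact-match semantics the trimmed comparison relies on. The two added cases otherwise cover the accept and reject paths for the `@` form. TestUserOIDC and the table literal these entries belong to start and end outside the hunk.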
