From fcdae2bac7211eac4960a8112b0114d0d7660381 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Thu, 13 Jun 2024 14:27:16 +0100
Subject: [PATCH] fix(coderd): userOIDC: ignore leading @ of EmailDomain

---
 coderd/userauth.go | 2 ++
 coderd/userauth_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index b9d163a6afdac..bb7f0ee64c293 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -960,6 +960,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 userEmailDomain := emailSp[len(emailSp)-1]
 for _, domain := range api.OIDCConfig.EmailDomain {
+ // Folks sometimes enter EmailDomain with a leading '@'.
+ domain = strings.TrimPrefix(domain, "@")
 if strings.EqualFold(userEmailDomain, domain) {
 ok = true
 break
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index ef62005b9e1f4..bc556fe604ebe 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -941,6 +941,30 @@ func TestUserOIDC(t *testing.T) {
 },
 StatusCode: http.StatusForbidden,
 },
+ {
+ Name: "EmailDomainWithLeadingAt",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "cian@coder.com",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "@coder.com",
+ },
+ StatusCode: http.StatusOK,
+ },
+ {
+ Name: "EmailDomainForbiddenWithLeadingAt",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "kyle@kwc.io",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "@coder.com",
+ },
+ StatusCode: http.StatusForbidden,
+ },
 {
 Name: "EmailDomainCaseInsensitive",
 IDTokenClaims: jwt.MapClaims{
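Review bot: After the added TrimPrefix line, a configured EmailDomain entry of "@" (or an already-empty string) normalizes to "" and is still passed to strings.EqualFold against userEmailDomain; if userEmailDomain can itself be empty for a malformed email claim such as "user@" (the split and whatever validation precedes it sit above the hunk, so this is unconfirmed), that comparison succeeds and the allow-list check passes on an empty domain. A guard right after the trim closes that path, `if domain == "" { continue }`. TrimPrefix also strips exactly one '@' and leaves surrounding whitespace in place, so an entry like " @coder.com" still never matches; normalizing the configured list once at config load (TrimSpace, then TrimPrefix) rather than on every request would make the accepted forms explicit and keep this loop a plain comparison. userOIDC continues outside the hunk in both directions.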
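Review bot: The two new table cases exercise only the well-formed "@coder.com" entry, so the edge where the trim actually changes the outcome — an entry that becomes empty, or one carrying surrounding whitespace — remains untested; a case with `EmailDomain: []string{"@"}` and `StatusCode: http.StatusForbidden` would pin that an empty normalized domain never admits a sign-in. A companion case using `"@Coder.com"` would confirm the trim composes with the existing case-insensitive comparison the neighbouring EmailDomainCaseInsensitive case covers. The table lives inside TestUserOIDC, whose body continues outside the hunk.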