feat: login email whitelist (#197)

* feat: parse domain whitelist in next-auth signin callback

* feat: add domain whitelist env var to example envs

Author: rohan-chaturvedi

.env.dev.example

@@ -20,6 +20,10 @@
 HOST=localhost
 HTTP_PROTOCOL=https://
 
+# Whitelist email domains that users are allowed to sign-in with, as a comma separated list. 
+# Leave commented to allow all email domains
+#USER_EMAIL_DOMAIN_WHITELIST=mydomain.com,subdomain.mydomain.com
+
 # Frontend dev
 NEXTAUTH_URL=https://localhost
 OAUTH_REDIRECT_URI=https://localhost

.env.example

@@ -21,6 +21,10 @@
 HOST=localhost
 HTTP_PROTOCOL=https://
 
+# Whitelist email domains that users are allowed to sign-in with, as a comma separated list. 
+# Leave commented to allow all email domains
+#USER_EMAIL_DOMAIN_WHITELIST=mydomain.com,subdomain.mydomain.com
+
 # WARNING: Replace these with a cryptographically strong random values. You can use `openssl rand -hex 32` to generate these.
 NEXTAUTH_SECRET=82031b3760ac58352bb2d48fd9f32e9f72a0614343b669038139f18652ed1447
 SECRET_KEY=92d44efc4f9a4c0556cc67d2d033d3217829c263d5ab7d1954cf4b5bfd533e58

frontend/pages/api/auth/[...nextauth].ts

@@ -52,6 +52,23 @@ export const authOptions: NextAuthOptionsCallback = (_req, res) => {
     },
     providers,
     callbacks: {
+      async signIn({ user }) {
+        const domainWhitelist = process.env.USER_EMAIL_DOMAIN_WHITELIST?.split(',') || []
+
+        if (domainWhitelist.length) {
+          let userEmail = user.email!
+
+          // Extract domain from email
+          const domain = userEmail?.split('@')[1]
+
+          if (domainWhitelist.includes(domain)) {
+            return true // Sign-in allowed
+          } else {
+            return false // Sign-in denied
+          }
+        }
+        return true
+      },
       async jwt({ token, user, account, profile }) {
         if (user) {
           if (account?.provider) {