Don't allow wide-open Google or Github configs

Fail loudly if either the google_opts domain value or github_opts organization values are not set in the configuration. The lack of these values means that a) in the Google case any @gmail.com address will be allowed b) the Github case any Github user will be allowed. This was previously documented but left as a foot-gun in the code. Future commits will allow for explicit wildcards to be set.
author: Patrick O'Doherty <p@trickod.com> 2016-05-23 17:56:15 +0100
committer: Patrick O'Doherty <p@trickod.com> 2016-05-24 12:25:15 +0100
commit: 6f86efb594721bc577c56b284f5f2499e563c45c (patch)
tree: d5e98834090b6f800893b7ff3708f0ff419f106c /server/auth/google/google.go
parent: 7f6b342de26e16e197f69c7576bb687aac03e527 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index cf780f3..0328d42 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -1,6 +1,7 @@
 package google
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -26,7 +27,11 @@ type Config struct {
 }
 
 // New creates a new Google provider from a configuration.
-func New(c *config.Auth) auth.Provider {
+func New(c *config.Auth) (auth.Provider, error) {
+	if c.ProviderOpts["domain"] == "" {
+		return nil, errors.New("google_opts domain must not be empty")
+	}
+
 	return &Config{
 		config: &oauth2.Config{
 			ClientID:     c.OauthClientID,
@@ -36,7 +41,7 @@ func New(c *config.Auth) auth.Provider {
 			Scopes:       []string{googleapi.UserinfoEmailScope, googleapi.UserinfoProfileScope},
 		},
 		domain: c.ProviderOpts["domain"],
-	}
+	}, nil
 }
 
 // A new oauth2 http client.
author	Patrick O'Doherty <p@trickod.com>	2016-05-23 17:56:15 +0100
committer	Patrick O'Doherty <p@trickod.com>	2016-05-24 12:25:15 +0100
commit	6f86efb594721bc577c56b284f5f2499e563c45c (patch)
tree	d5e98834090b6f800893b7ff3708f0ff419f106c /server/auth/google/google.go
parent	7f6b342de26e16e197f69c7576bb687aac03e527 (diff)