diff options
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | server/auth/github/github.go | 7 | ||||
-rw-r--r-- | server/auth/google/google.go | 18 |
3 files changed, 20 insertions, 7 deletions
@@ -86,7 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and ` - `oauth_client_secret` : string. Oauth secret. - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source. - `provider_opts` : object. Additional options for the provider. -- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. +- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. For Google auth a user is an email address. For GitHub auth a user is a GitHub username. #### Provider-specific options diff --git a/server/auth/github/github.go b/server/auth/github/github.go index 912caae..24a4bbf 100644 --- a/server/auth/github/github.go +++ b/server/auth/github/github.go @@ -62,12 +62,17 @@ func (c *Config) Name() string { // Valid validates the oauth token. func (c *Config) Valid(token *oauth2.Token) bool { - if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] { + if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] { return false } if !token.Valid() { return false } + if c.organization == "" { + // There's no organization and the token is valid. Can only reach here + // if there's a user whitelist set and the user is in the whitelist. + return true + } client := githubapi.NewClient(c.newClient(token)) member, _, err := client.Organizations.IsMember(c.organization, c.Username(token)) if err != nil { diff --git a/server/auth/google/google.go b/server/auth/google/google.go index 3a833ab..08a4083 100644 --- a/server/auth/google/google.go +++ b/server/auth/google/google.go @@ -62,7 +62,7 @@ func (c *Config) Name() string { // Valid validates the oauth token. func (c *Config) Valid(token *oauth2.Token) bool { - if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] { + if len(c.whitelist) > 0 && !c.whitelist[c.Email(token)] { return false } if !token.Valid() { @@ -78,11 +78,14 @@ func (c *Config) Valid(token *oauth2.Token) bool { if err != nil { return false } + if ti.Audience != c.config.ClientID { + return false + } ui, err := svc.Userinfo.Get().Do() if err != nil { return false } - if ti.Audience != c.config.ClientID || ui.Hd != c.domain { + if c.domain != "" && ui.Hd != c.domain { return false } return true @@ -107,8 +110,8 @@ func (c *Config) Exchange(code string) (*oauth2.Token, error) { return c.config.Exchange(oauth2.NoContext, code) } -// Username retrieves the username portion of the user's email address. -func (c *Config) Username(token *oauth2.Token) string { +// Email retrieves the email address of the user. +func (c *Config) Email(token *oauth2.Token) string { svc, err := googleapi.New(c.newClient(token)) if err != nil { return "" @@ -117,5 +120,10 @@ func (c *Config) Username(token *oauth2.Token) string { if err != nil { return "" } - return strings.Split(ui.Email, "@")[0] + return ui.Email +} + +// Username retrieves the username portion of the user's email address. +func (c *Config) Username(token *oauth2.Token) string { + return strings.Split(c.Email(token), "@")[0] } |