From 1832672f5e9178394d7e24627f7341d23cbe21b5 Mon Sep 17 00:00:00 2001
From: Thom Seddon
Date: Tue, 6 Nov 2018 14:01:06 +0000
Subject: [PATCH] Modify whitelist implementation + expand docs Closes #4
---
 README.md | 11 ++++++++++-
 forwardauth.go | 24 ++++++++++--------------
 2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 2d5f680..0154bbb 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ The following configuration is supported:
 |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
 |-direct|bool|Run in direct mode (use own hostname as oppose to
X-Forwarded-Host, used for testing/development)
 |-domain|string|Comma separated list of email domains to allow|
-|-whitelist|string|Comma separated list of email addresses to allow (Omit -domain)|
+|-whitelist|string|Comma separated list of email addresses to allow|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
 |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
@@ -50,6 +50,15 @@ Create a new project then search for and select "Credentials" in the search bar.
 Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
+## User Restriction
+
+You can restrict who can login with the following parameters:
+
+* `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
+* `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
+
+Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
+
 ## Cookie Domains
 You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.
diff --git a/forwardauth.go b/forwardauth.go
index 975e305..ecd8ae2 100644
--- a/forwardauth.go
+++ b/forwardauth.go
@@ -88,7 +88,13 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str
 // Validate email
 func (f *ForwardAuth) ValidateEmail(email string) bool {
 found := false
- if len(f.Domain) > 0 {
+ if len(f.Whitelist) > 0 {
+ for _, whitelist := range f.Whitelist {
+ if email == whitelist {
+ found = true
+ }
+ }
+ } else if len(f.Domain) > 0 {
 parts := strings.Split(email, "@")
 if len(parts) < 2 {
 return false
@@ -98,21 +104,11 @@ func (f *ForwardAuth) ValidateEmail(email string) bool {
 found = true
 }
 }
- if !found {
- return false
- }
- } else if len(f.Whitelist) > 0 {
- for _, wlEmail := range f.Whitelist {
- if wlEmail == email {
- found = true
- }
- }
- if !found {
- return false
- }
+ } else {
+ return true
 }
- return true
+ return found
 }
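Review bot: In the first forwardauth.go hunk (`@@ -88,7 +88,13 @@`), the whitelist branch decides access with `email == whitelist`, a byte-exact, case-sensitive comparison, and nothing at the branch says so. Because a non-empty whitelist is now the only check applied, an entry whose case or surrounding whitespace differs from the address the provider returns fails closed without any hint to the operator. I would add `// Exact, case-sensitive match: entries must equal the address returned by the provider.` above the loop, and, if the flag parsing (outside this hunk) does not already trim entries, normalise them there. ValidateEmail's body continues past the end of this hunk.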
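Review bot: In the second forwardauth.go hunk (`@@ -98,21 +104,11 @@`), the new `else { return true }` branch is the fail-open case: with neither `-whitelist` nor `-domain` set, every account the provider authenticates is accepted. That matches the old trailing `return true`, but it deserves a comment at the branch, e.g. `// No whitelist or domain configured: any authenticated user is allowed`, and arguably a startup warning where the flags are parsed, which is not visible here. The diffstat lists only README.md and forwardauth.go, so the precedence change (whitelist now overrides domain) appears to ship without a test; a table-driven case with both fields set would pin it. As a style point, the `found` flag could go entirely by returning `true` from inside each loop and `false` after it.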