Allow a whitelist of email addresses

2018-08-26 15:19:16 +02:00 · 2018-08-26 15:19:16 +02:00 · eaad0a9054
commit eaad0a9054
parent 36fffd2382
4 changed files with 32 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -33,6 +33,7 @@ The following configuration is supported:
 |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
 |-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development)
 |-domain|string|Comma separated list of email domains to allow|
+|-whitelist|string|Comma separated list of email addresses to allow (Omit -domain)|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
 |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
--- a/forwardauth.go
+++ b/forwardauth.go
@ -38,6 +38,7 @@ type ForwardAuth struct {
  CookieSecure bool

  Domain []string
+  Whitelist []string

  Direct bool

@ -86,12 +87,12 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str

 // Validate email
 func (f *ForwardAuth) ValidateEmail(email string) bool {
+  found := false
  if len(f.Domain) > 0 {
    parts := strings.Split(email, "@")
    if len(parts) < 2 {
      return false
    }
-    found := false
    for _, domain := range f.Domain {
      if domain == parts[1] {
        found = true
@ -100,6 +101,15 @@ func (f *ForwardAuth) ValidateEmail(email string) bool {
    if !found {
      return false
    }
+  } else if len(f.Whitelist) > 0 {
+    for _, wlEmail := range f.Whitelist {
+      if wlEmail == email {
+        found = true
+      }
+    }
+    if !found {
+      return false
+    }
  }

  return true
--- a/forwardauth_test.go
+++ b/forwardauth_test.go
@ -81,6 +81,20 @@ func TestValidateEmail(t *testing.T) {
  if !fw.ValidateEmail("test@test.com") {
    t.Error("Should allow user from allowed domain")
  }
+
+  // Should block non whitelisted email address
+  fw.Domain = []string{}
+  fw.Whitelist = []string{"test@test.com"}
+  if fw.ValidateEmail("one@two.com") {
+    t.Error("Should not allow user not in whitelist.")
+  }
+
+  // Should allow matching whitelisted email address
+  fw.Domain = []string{}
+  fw.Whitelist = []string{"test@test.com"}
+  if !fw.ValidateEmail("test@test.com") {
+    t.Error("Should allow user in whitelist.")
+  }
 }

 func TestGetLoginURL(t *testing.T) {
--- a/main.go
+++ b/main.go
@ -141,6 +141,7 @@ func main() {
  cookieSecret := flag.String("cookie-secret", "", "depreciated")
  cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies")
  domainList := flag.String("domain", "", "Comma separated list of email domains to allow")
+  emailWhitelist := flag.String("whitelist", "", "Comma separated list of emails to allow")
  direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)")
  prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options")

@ -182,6 +183,10 @@ func main() {
  if *domainList != "" {
    domain = strings.Split(*domainList, ",")
  }
+  var whitelist []string
+  if *emailWhitelist != "" {
+    whitelist = strings.Split(*emailWhitelist, ",")
+  }

  // Setup
  fw = &ForwardAuth{
@ -215,6 +220,7 @@ func main() {
    CookieSecure: *cookieSecure,

    Domain: domain,
+    Whitelist: whitelist,

    Direct: *direct,