Fix regression with domain_allowed in SSO onboarding

2 weeks ago · 17eb54e0c5
2 changed files with 18 additions and 8 deletions
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -285,7 +285,7 @@ async fn sso_login(
    // Will trigger 2FA flow if needed
    let (user, mut device, twofactor_token, sso_user) = match user_with_sso {
        None => {
-            if !CONFIG.sso_signups_allowed() {
+            if !CONFIG.is_sso_signup_allowed(&user_infos.email) {
                if CONFIG.signups_domains_whitelist().is_empty() {
                    err!(
                        "Signups are disabled. You will need an invitation",
@ -293,14 +293,13 @@ async fn sso_login(
                            event: EventType::UserFailedLogIn
                        }
                    );
-                } else if !CONFIG.is_email_domain_allowed(&user_infos.email) {
-                    err!(
-                        "Email domain not allowed",
-                        ErrorEvent {
-                            event: EventType::UserFailedLogIn
-                        }
-                    );
                }
+                err!(
+                    "Email domain not allowed",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                );
            }

            match user_infos.email_verified {
--- a/src/config.rs
+++ b/src/config.rs
@ -1517,6 +1517,17 @@ impl Config {
        }
    }

+    /// Tests whether SSO signup is allowed for an email address, taking into
+    /// account the sso_signups_allowed and signups_domains_whitelist settings.
+    pub fn is_sso_signup_allowed(&self, email: &str) -> bool {
+        if self.signups_domains_whitelist().is_empty() {
+            self.sso_signups_allowed()
+        } else {
+            // The whitelist setting overrides the signups_allowed setting.
+            self.is_email_domain_allowed(email)
+        }
+    }
+
    // The registration link should be hidden if
    //  - Signup is not allowed and email whitelist is empty unless mail is disabled and invitations are allowed
    //  - The SSO is activated and password login is disabled.