diff --git a/src/api/identity.rs b/src/api/identity.rs
index 985841bd..6da7d3f2 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -285,7 +285,7 @@ async fn sso_login(
 // Will trigger 2FA flow if needed
 let (user, mut device, twofactor_token, sso_user) = match user_with_sso {
 None => {
- if !CONFIG.sso_signups_allowed() {
+ if !CONFIG.is_sso_signup_allowed(&user_infos.email) {
 if CONFIG.signups_domains_whitelist().is_empty() {
 err!(
 "Signups are disabled. You will need an invitation",
@@ -293,14 +293,13 @@ async fn sso_login(
 event: EventType::UserFailedLogIn
 }
 );
- } else if !CONFIG.is_email_domain_allowed(&user_infos.email) {
- err!(
- "Email domain not allowed",
- ErrorEvent {
- event: EventType::UserFailedLogIn
- }
- );
 }
+ err!(
+ "Email domain not allowed",
+ ErrorEvent {
+ event: EventType::UserFailedLogIn
+ }
+ );
 }
 
 match user_infos.email_verified {
diff --git a/src/config.rs b/src/config.rs
index d37043e6..c4075c4d 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1517,6 +1517,17 @@ impl Config {
 }
 }
 
+ /// Tests whether SSO signup is allowed for an email address, taking into
+ /// account the sso_signups_allowed and signups_domains_whitelist settings.
+ pub fn is_sso_signup_allowed(&self, email: &str) -> bool {
+ if self.signups_domains_whitelist().is_empty() {
+ self.sso_signups_allowed()
+ } else {
+ // The whitelist setting overrides the signups_allowed setting.
+ self.is_email_domain_allowed(email)
+ }
+ }
+
 // The registration link should be hidden if
 // - Signup is not allowed and email whitelist is empty unless mail is disabled and invitations are allowed
 // - The SSO is activated and password login is disabled.
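Review bot: The replaced guard `!CONFIG.sso_signups_allowed()` refused every new SSO user once that setting was false, whereas the new `is_sso_signup_allowed(&user_infos.email)` (added in the src/config.rs hunk) returns the domain check alone whenever `signups_domains_whitelist` is non-empty, so a user from a listed domain is now created even with `sso_signups_allowed` disabled. That may well mirror the existing non-SSO signup rule, but it is an authorization decision that is no longer visible at the point where the account gets created, and an operator reading `sso_login` would not expect it. I would state it at the call site: `// A non-empty signups_domains_whitelist admits listed domains via SSO even when sso_signups_allowed is false.` above the `if`. `sso_login` begins and ends outside this hunk.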
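Review bot: The trailing `err!("Email domain not allowed", …)` is now reached on every path where `is_sso_signup_allowed` returned false, so the "Signups are disabled" branch is only distinct if the `err!` inside the preceding `if` returns from `sso_login` rather than merely evaluating an expression; the removed `else if` did not depend on that property. That is presumably how `err!` behaves, but the dependence is invisible at the call site, so I would add `// err! returns early: reaching this point means the whitelist is non-empty and rejected the domain` above the second `err!`. The domain rejection also fires before `user_infos.email_verified` is examined in the context line below, so unverified addresses from non-listed domains produce a `UserFailedLogIn` event; worth confirming that is the intended audit signal. `sso_login` begins and ends outside this hunk.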
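Review bot: The inline comment `// The whitelist setting overrides the signups_allowed setting.` names a setting this method never reads; the branch it annotates bypasses `sso_signups_allowed`, which is the value an operator will look for when asking why an SSO account was created. I would make the comment match the code and the consequence: `// A non-empty whitelist takes precedence: sso_signups_allowed is not consulted and only the domain check decides.` The `///` doc should state the same precedence rule rather than "taking into account" both settings, since the two are never combined. This note assumes `is_email_domain_allowed` handles addresses without an `@` and compares domains case-insensitively for an IdP-supplied email — confirm, as neither is visible here.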