rules: add simple domain allow list (#192)

auth0 · Mar 25, 2021 · cee090b · cee090b
1 parent 993837a
commit cee090b
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/internal/cli/data/rule-template-simple-domain-allow-list.js b/internal/cli/data/rule-template-simple-domain-allow-list.js
@@ -0,0 +1,28 @@
+/**
+ * @title Email domain allow list
+ * @overview Only allow access to users with specific allow list email domains.
+ * @gallery true
+ * @category access control
+ *
+ * This rule will only allow access to users with specific email domains.
+ *
+ */
+
+function emailDomainAllowList(user, context, callback) {
+  // Access should only be granted to verified users.
+  if (!user.email || !user.email_verified) {
+    return callback(new UnauthorizedError('Access denied.'));
+  }
+
+  const allowList = ['example.com', 'example.org']; //authorized domains
+  const userHasAccess = allowList.some(function (domain) {
+    const emailSplit = user.email.split('@');
+    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
+  });
+
+  if (!userHasAccess) {
+    return callback(new UnauthorizedError('Access denied.'));
+  }
+
+  return callback(null, user, context);
+}
diff --git a/internal/cli/rules.go b/internal/cli/rules.go
@@ -43,6 +43,7 @@ var (
 		{"Empty rule", ruleTemplateEmptyRule},
 		{"Add email to access token", ruleTemplateAddEmailToAccessToken},
 		{"Check last password reset", ruleTemplateCheckLastPasswordReset},
+		{"Simple domain allow list", ruleTemplateSimpleDomainAllowList},
 		{"IP address allow list", ruleTemplateIPAddressAllowList},
 		{"IP address deny list", ruleTemplateIPAddressDenyList},
 	}

diff --git a/internal/cli/rules_embed.go b/internal/cli/rules_embed.go
@@ -19,4 +19,7 @@ var (
 
 	//go:embed data/rule-template-ip-address-deny-list.js
 	ruleTemplateIPAddressDenyList string
+
+	//go:embed data/rule-template-simple-domain-allow-list.js
+	ruleTemplateSimpleDomainAllowList string
 )