diff --git a/internal/cli/data/rule-template-simple-domain-allow-list.js b/internal/cli/data/rule-template-simple-domain-allow-list.js
new file mode 100644
index 000000000..b2c3f29ae
--- /dev/null
+++ b/internal/cli/data/rule-template-simple-domain-allow-list.js
@@ -0,0 +1,28 @@
+/**
+ * @title Email domain allow list
+ * @overview Only allow access to users with specific allow list email domains.
+ * @gallery true
+ * @category access control
+ *
+ * This rule will only allow access to users with specific email domains.
+ *
+ */
+
+function emailDomainAllowList(user, context, callback) {
+ // Access should only be granted to verified users.
+ if (!user.email || !user.email_verified) {
+ return callback(new UnauthorizedError('Access denied.'));
+ }
+
+ const allowList = ['example.com', 'example.org']; //authorized domains
+ const userHasAccess = allowList.some(function (domain) {
+ const emailSplit = user.email.split('@');
+ return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
+ });
+
+ if (!userHasAccess) {
+ return callback(new UnauthorizedError('Access denied.'));
+ }
+
+ return callback(null, user, context);
+}
diff --git a/internal/cli/rules.go b/internal/cli/rules.go
index dd647ac7c..e1713c858
--- a/internal/cli/rules.go
+++ b/internal/cli/rules.go
@@ -43,6 +43,7 @@ var (
 {"Empty rule", ruleTemplateEmptyRule},
 {"Add email to access token", ruleTemplateAddEmailToAccessToken},
 {"Check last password reset", ruleTemplateCheckLastPasswordReset},
+ {"Simple domain allow list", ruleTemplateSimpleDomainAllowList},
 {"IP address allow list", ruleTemplateIPAddressAllowList},
 {"IP address deny list", ruleTemplateIPAddressDenyList},
 }
diff --git a/internal/cli/rules_embed.go b/internal/cli/rules_embed.go
index 14fc553b0..45c20f120
--- a/internal/cli/rules_embed.go
+++ b/internal/cli/rules_embed.go
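Review bot: The case-insensitive match in emailDomainAllowList only lowercases the user's side, so an entry written as `Example.com` in `allowList` can never match; the list line should say so, e.g. `const allowList = ['example.com', 'example.org']; // authorized domains, lower case (compared against the lowercased domain of user.email)`. The `split('@')` is also repeated inside the `some` callback once per listed domain; deriving the domain once reads better and makes the contract plain: `const emailDomain = user.email.split('@').pop().toLowerCase();` followed by `const userHasAccess = allowList.includes(emailDomain);`. Taking the segment after the last `@` is the right choice, since a quoted local part may itself contain `@`, and the `email_verified` guard before the domain check is what keeps an unverified claim of an allowed domain from granting access, so it should stay in front of any future refactor.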
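Review bot: The label on the added line, `"Simple domain allow list"`, does not match the `@title Email domain allow list` declared at the top of rule-template-simple-domain-allow-list.js in the same commit, so the CLI menu and the template's own metadata will name the same rule differently. If the other entries follow their templates' titles (I can only see the labels here, not the sibling files), the entry should read `{"Email domain allow list", ruleTemplateSimpleDomainAllowList},`; otherwise the JS `@title` is the one to change. The enclosing `var (` block starts before this hunk.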
@@ -19,4 +19,7 @@ var (
 //go:embed data/rule-template-ip-address-deny-list.js
 ruleTemplateIPAddressDenyList string
+
+ //go:embed data/rule-template-simple-domain-allow-list.js
+ ruleTemplateSimpleDomainAllowList string
 )