Skip to content

Commit

Permalink
Merge pull request #128 from Mintplex-Labs/domain-restriction-bypass-…
Browse files Browse the repository at this point in the history
…security-patch

[FIX] perform more strict domain check when domain restriction is enabled
  • Loading branch information
timothycarambat authored Jan 24, 2024
2 parents 8dc0c29 + a581b81 commit 63501d3
Showing 1 changed file with 11 additions and 12 deletions.
23 changes: 11 additions & 12 deletions backend/endpoints/auth.js
Original file line number Diff line number Diff line change
Expand Up @@ -160,18 +160,17 @@ function authenticationEndpoints(app) {
const domainRestriction = await SystemSettings.get({
label: "account_creation_domain_scope",
});
if (
!!domainRestriction &&
domainRestriction.value !== null &&
!email.includes(domainRestriction.value)
) {
response.status(200).json({
user: null,
valid: false,
token: null,
message: "[003] Invalid account creation values.",
});
return;
if (domainRestriction && domainRestriction.value) {
const emailDomain = email.substring(email.lastIndexOf("@") + 1);
if (emailDomain !== domainRestriction.value) {
response.status(200).json({
user: null,
valid: false,
token: null,
message: "[003] Invalid account creation values.",
});
return;
}
}

const { user, message } = await User.create({ email, password });
Expand Down

0 comments on commit 63501d3

Please sign in to comment.