Merge pull request #22 from nsheridan/whitelist

Update whitelisting

Merge pull request #22 from nsheridan/whitelist
bbbe873e · Niall Sheridan · GitHub · 77c2a946 · cd138ddf · bbbe873e
Commit bbbe873e authored Jun 15, 2016 by Niall Sheridan Committed by GitHub Jun 15, 2016
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
 - `oauth_client_secret` : string. Oauth secret.
 - `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
 - `provider_opts` : object. Additional options for the provider.
- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd.
+- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. For Google auth a user is an email address. For GitHub auth a user is a GitHub username.
 #### Provider-specific options

--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -62,12 +62,17 @@ func (c *Config) Name() string {
 // Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
-	if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+	if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
 		return false
 	}
 	if !token.Valid() {
 		return false
 	}
+	if c.organization == "" {
+		// There's no organization and the token is valid. Can only reach here
+		// if there's a user whitelist set and the user is in the whitelist.
+		return true
+	}
 	client := githubapi.NewClient(c.newClient(token))
 	member, _, err := client.Organizations.IsMember(c.organization, c.Username(token))
 	if err != nil {

--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -62,7 +62,7 @@ func (c *Config) Name() string {
 // Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
-	if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+	if len(c.whitelist) > 0 && !c.whitelist[c.Email(token)] {
 		return false
 	}
 	if !token.Valid() {
@@ -78,11 +78,14 @@ func (c *Config) Valid(token *oauth2.Token) bool {
 	if err != nil {
 		return false
 	}
+	if ti.Audience != c.config.ClientID {
+		return false
+	}
 	ui, err := svc.Userinfo.Get().Do()
 	if err != nil {
 		return false
 	}
-	if ti.Audience != c.config.ClientID || ui.Hd != c.domain {
+	if c.domain != "" && ui.Hd != c.domain {
 		return false
 	}
 	return true
@@ -107,8 +110,8 @@ func (c *Config) Exchange(code string) (*oauth2.Token, error) {
 	return c.config.Exchange(oauth2.NoContext, code)
 }
-// Username retrieves the username portion of the user's email address.
+// Email retrieves the email address of the user.
-func (c *Config) Username(token *oauth2.Token) string {
+func (c *Config) Email(token *oauth2.Token) string {
 	svc, err := googleapi.New(c.newClient(token))
 	if err != nil {
 		return ""
@@ -117,5 +120,10 @@ func (c *Config) Username(token *oauth2.Token) string {
 	if err != nil {
 		return ""
 	}
-	return strings.Split(ui.Email, "@")[0]
+	return ui.Email
+}
+// Username retrieves the username portion of the user's email address.
+func (c *Config) Username(token *oauth2.Token) string {
+	return strings.Split(c.Email(token), "@")[0]
 }