fix(TRI-1444): Allow only logins from WHITELISTED_EMAILS regex (fixes triggerdotdev#685) (triggerdotdev#721)

abelghalem · web-flow · commit 10e935b864f0 · 2023-11-06T09:06:54.000Z
diff --git a/.env.example b/.env.example
@@ -13,6 +13,8 @@ APP_ORIGIN=http://localhost:3030
 NODE_ENV=development
 
 # OPTIONAL VARIABLES
+# This is used for validating emails that are allowed to log in. Every email that do not match this regex will be rejected.
+# WHITELISTED_EMAILS="authorized@yahoo\.com|authorized@gmail\.com"
 # This is used for logging in via GitHub. You can leave these commented out if you don't want to use GitHub for authentication.
 # AUTH_GITHUB_CLIENT_ID=
 # AUTH_GITHUB_CLIENT_SECRET=
diff --git a/apps/webapp/app/env.server.ts b/apps/webapp/app/env.server.ts
@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { SecretStoreOptionsSchema } from "./services/secrets/secretStore.server";
+import { isValidRegex } from "./utils/regex";
 
 const EnvironmentSchema = z.object({
   NODE_ENV: z.union([z.literal("development"), z.literal("production"), z.literal("test")]),
@@ -10,6 +11,7 @@ const EnvironmentSchema = z.object({
   SESSION_SECRET: z.string(),
   MAGIC_LINK_SECRET: z.string(),
   ENCRYPTION_KEY: z.string(),
+  WHITELISTED_EMAILS: z.string().refine(isValidRegex, "WHITELISTED_EMAILS must be a valid regex.").optional(),
   REMIX_APP_PORT: z.string().optional(),
   LOGIN_ORIGIN: z.string().default("http://localhost:3030"),
   APP_ORIGIN: z.string().default("http://localhost:3030"),
diff --git a/apps/webapp/app/models/user.server.ts b/apps/webapp/app/models/user.server.ts
@@ -1,6 +1,7 @@
 import type { Prisma, User } from "@trigger.dev/database";
 import type { GitHubProfile } from "remix-auth-github";
 import { prisma } from "~/db.server";
+import { env } from "~/env.server";
 export type { User } from "@trigger.dev/database";
 
 type FindOrCreateMagicLink = {
@@ -36,6 +37,10 @@ export async function findOrCreateUser(input: FindOrCreateUser): Promise<LoggedI
 export async function findOrCreateMagicLinkUser(
   input: FindOrCreateMagicLink
 ): Promise<LoggedInUser> {
+  if (env.WHITELISTED_EMAILS && !new RegExp(env.WHITELISTED_EMAILS).test(input.email)) {
+    throw new Error("This email is unauthorized");
+  }
+
   const existingUser = await prisma.user.findFirst({
     where: {
       email: input.email,
diff --git a/apps/webapp/app/routes/magic.tsx b/apps/webapp/app/routes/magic.tsx
@@ -7,6 +7,6 @@ export async function loader({ request }: LoaderFunctionArgs) {
 
   await authenticator.authenticate("email-link", request, {
     successRedirect: redirectTo ?? "/",
-    failureRedirect: "/login",
+    failureRedirect: "/login/magic",
   });
 }
diff --git a/apps/webapp/app/utils/regex.ts b/apps/webapp/app/utils/regex.ts
@@ -0,0 +1,8 @@
+export function isValidRegex(regex: string) {
+  try {
+    new RegExp(regex);
+    return true;
+  } catch (err) {
+    return false;
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,6 @@ export async function loader({ request }: LoaderFunctionArgs) {`
`7`	`7`
`8`	`8`	`await authenticator.authenticate("email-link", request, {`
`9`	`9`	`successRedirect: redirectTo ?? "/",`
`10`		`- failureRedirect: "/login",`
	`10`	`+ failureRedirect: "/login/magic",`
`11`	`11`	`});`
`12`	`12`	`}`