I have been working on something similar for blacklisting domains. You can use a rule eg.
function (user, context, callback) {
var whitelist = 'example.com', 'example.edu']; //authorized domains
var userHasAccess = whitelist.some(
function (domain) {
var emailSplit = user.email.split('@');
return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
});
if (!userHasAccess) {
return callback(new UnauthorizedError('Access denied.'));
}
return callback(null, user, context);
}
to whitelist domains. But this for some reason does not work until after the user signs up! Trying to create a workaround that automatically deletes the blacklisted email user and does not send a verification email on signup, but I am not having much luck.