
Domain restriction in combo with Social Connection


#1

Please fill out the following to the best of your ability. Doing so will help out the troubleshooting process.

  • What are you trying to achieve? What is the use case or idea behind it?

In my application, I have sign-in with Google since our company’s email provider is Google. Though, I want to restrict the app to the domains ending with @weissmaler.de. I have created a pre-registration hook and/or rule to specify allowed domains. Though, I am still able to log in with Google using my personal @gmail.com email. Is there a way to implement such logic?

  • If this is caused by an SDK please mention the SDK along with the specific version number.

  • Is this easily reproducible? If not, please explain.

Yes, as explained in the question

  • If this is related to Lock / any SDK please share the SDK as well as lock initialization code or any code that is relevant.

  • If this is an issue with an API please mention the endpoint you are trying to hit. Relevant code, and or a network trace, is really helpful when debugging such issues.

  • Environment-specific information (Which OS, Language Runtime + Version, Browser etc).


#2

:wave: @mohamad.bitar

You say you created a pre-registration hook and/or rule to specify allowed domains, but which one did you try implementing?

You can implement this as a rule. We can use the email domain whitelist to accomplish this.

Code example here:

function (user, context, callback) {
    var whitelist = ['weissmaler.de']; // authorized domains

    // Some identity providers return no email at all; deny instead of
    // letting user.email.split() throw inside the rule.
    if (typeof user.email !== 'string') {
      return callback(new UnauthorizedError('Access denied.'));
    }

    // Compare the part after the last '@' with each authorized domain.
    var userHasAccess = whitelist.some(
      function (domain) {
        var emailSplit = user.email.split('@');
        return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
      });

    if (!userHasAccess) {
      return callback(new UnauthorizedError('Access denied.'));
    }

    return callback(null, user, context);
}

Please let me know if this solves your problem! If not, can you share the code where you specify allowed domains? More than happy to work through it with you.


#3

Thank you for replying, I have this rule already but with no effect. I also tried a pre-registration hook as the following:

/**
 * @param {object} user - The user being created
 * @param {string} user.tenant - Auth0 tenant name
 * @param {string} user.username - user name
 * @param {string} user.password - user's password
 * @param {string} user.email - email
 * @param {boolean} user.emailVerified - is e-mail verified?
 * @param {string} user.phoneNumber - phone number
 * @param {boolean} user.phoneNumberVerified - is phone number verified?
 * @param {object} context - Auth0 connection and other context info
 * @param {string} context.requestLanguage - language of the client agent
 * @param {object} context.connection - information about the Auth0 connection
 * @param {object} context.connection.id - connection id
 * @param {object} context.connection.name - connection name
 * @param {object} context.connection.tenant - connection tenant
 * @param {object} context.webtask - webtask context
 * @param {function} cb - function (error, response)
 */
module.exports = function (user, context, cb) {
  var response = {};
  var domain = '@weissmaler.de';

  // Require the address to end with the company domain. indexOf() alone
  // would also accept something like user@weissmaler.de.example.org.
  var email = (user.email || '').toLowerCase();
  var okDomain = email.length > domain.length &&
                 email.slice(-domain.length) === domain;

  // Only addresses on the company domain may register.
  if (okDomain) {
    response.user = user;
    return cb(null, response);
  }

  var error = new Error("E-Mail-Address did not match requirements.");
  error.statusCode = 400;
  return cb(error);
};

Still, after choosing to login using google, it bypasses those rules/hooks and registers the new user (user@gmail.com still goes through). Am I doing something wrong or missing something?
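The domain check from the rule in #2 and the hook in #3, pulled together as an added example that is not code from this thread: a rule (which Auth0 evaluates on every login, for social connections as well as database ones, unlike a pre-registration hook) that denies the login unless the email is present, marked verified by the provider, and has exactly an allowed domain. `UnauthorizedError` is supplied by the Auth0 rule sandbox; the fallback class, the helper names and the `ALLOWED_DOMAINS` constant are this example's own.

```javascript
// Added example, not the thread's code. In the Auth0 rule editor the three
// functions below would be inlined into the single rule function.
// UnauthorizedError exists in the rule sandbox; the fallback only makes the
// file run stand-alone in Node.
const UnauthorizedErrorCtor = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class UnauthorizedError extends Error {};

const ALLOWED_DOMAINS = ['weissmaler.de']; // authorized domains

// Pure check, kept separate so it can be unit-tested. True only when
// `email` is a string with exactly one '@' and its domain part, compared
// case-insensitively, is in the allowlist. A substring test such as
// indexOf('@weissmaler.de') > -1 would also accept
// 'x@weissmaler.de.attacker.example'; an exact comparison does not.
function emailDomainAllowed(email, allowed) {
  if (typeof email !== 'string') return false;
  const parts = email.split('@');
  if (parts.length !== 2 || parts[1].length === 0) return false;
  const domain = parts[1].toLowerCase();
  return allowed.some((d) => d.toLowerCase() === domain);
}

// Decide whether a login may proceed and say why not when it may not.
// In rules the verified flag is user.email_verified (hooks use emailVerified).
function loginDecision(user) {
  if (!user || !user.email) return { ok: false, reason: 'no email on profile' };
  if (!user.email_verified) return { ok: false, reason: 'email not verified' };
  if (!emailDomainAllowed(user.email, ALLOWED_DOMAINS)) {
    return { ok: false, reason: 'domain not allowed' };
  }
  return { ok: true };
}

// The rule itself, in the (user, context, callback) shape Auth0 expects.
function domainRestrictionRule(user, context, callback) {
  const decision = loginDecision(user);
  if (!decision.ok) {
    return callback(new UnauthorizedErrorCtor('Access denied: ' + decision.reason));
  }
  return callback(null, user, context);
}
```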


#4

@mohamad.bitar were you able to solve your issue for allowed domains? Please let me know if you still require assistance.