Hey! My use case is set webapps/tools for a developer/user community, into which I want to use auth0 to manage identity and access.
I am trying to use the Auth0 Github social integration for this. Got it working nicely so, that any github user can authenticate to my apps via auth0. Now I would like so, that only members of specific github organizations can get through. How to?
I already tried actions like so:
/**
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => {
const request = require('request');
console.log('Executing post-login action');
// Ensure this action is run only for GitHub login
if (event.connection.name !== 'github') {
console.log('Not a GitHub login');
return;
}
const accessToken = event.user.identities[0].access_token;
const requiredOrgs = event.secrets.REQUIRED_GITHUB_ORGS.split(',');
console.log('Required organizations:', requiredOrgs);
console.log('Access token:', accessToken);
const options = {
url: 'https://api.github.com/user/orgs',
headers: {
'User-Agent': 'Auth0',
'Authorization': `token ${accessToken}`
}
};
request(options, (error, response, body) => {
if (error) {
console.error('Error fetching GitHub orgs:', error);
return api.access.deny('Access denied. Error verifying GitHub organization membership.');
}
if (response.statusCode !== 200) {
console.error('Error fetching GitHub orgs:', response.statusCode, response.statusMessage);
return api.access.deny('Access denied. Error verifying GitHub organization membership.');
}
const orgs = JSON.parse(body).map(org => org.login);
console.log('User organizations:', orgs);
const isMemberOfAllRequiredOrgs = requiredOrgs.every(org => orgs.includes(org));
console.log('Is member of all required orgs:', isMemberOfAllRequiredOrgs);
if (!isMemberOfAllRequiredOrgs) {
return api.access.deny('Access denied. User is not a member of all required GitHub organizations.');
}
// Update user app_metadata with GitHub orgs
api.user.setAppMetadata('github_orgs', orgs);
});
};
Log output:
{
“action_name”: “restrict to github org members”,
“response”: {
“logs”: “Executing post-login action\nRequired organizations: [ ‘myorghere’ ]\nAccess token: undefined\n”,
“stats”: {
“total_request_duration_ms”: 419,
“total_runtime_execution_duration_ms”: 415,
“runtime_processing_duration_ms”: 4,
“action_duration_ms”: 352,
“runtime_external_call_duration_ms”: 59,
“boot_duration_ms”: 63,
“network_duration_ms”: 4
}
},
So question, what would be the ideal way for this use case?