Remove OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION in favor of OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS

services/web/app/src/infrastructure/Features.mjs

@@ -53,7 +53,7 @@ const Features = {
       case 'registration-page':
         return (
           !Features.externalAuthenticationSystemUsed() ||
-          Boolean(Settings.overleaf) || Settings.oidc?.disableJITAccountCreation
+          Boolean(Settings.overleaf) || Settings.oidc?.allowedOIDCEmailDomains
         )
       case 'registration':
         return Boolean(Settings.overleaf)

services/web/modules/authentication/oidc/app/src/OIDCAuthenticationController.mjs

@@ -103,7 +103,7 @@ const OIDCAuthenticationController = {
     if (user) {
       return { user, info: undefined }
     } else { // user account is not created
-      logger.debug({ email : profile.emails[0].value }, 'OIDC users JIT account creation is off')
+      logger.debug({ email : profile.emails[0].value }, 'OIDC JIT account creation is not allowed for this email')
       return {
         user: false,
         info: {

services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs

@@ -31,20 +31,24 @@ const OIDCAuthenticationManager = {
       user = await ThirdPartyIdentityManager.promises.login(providerId, oidcUserId, oidcUserData)
     } catch {
 // A user with the specified OIDC ID and provider ID is not found. Search for a user with the given email.
-// If no user exists with this email, create a new user and link the OIDC account to it.
+// If no user exists with this email, create a new user and link the OIDC account to it (provided this is allowed by allowedOIDCEmailDomains).
 // If a user exists but no account from the specified OIDC provider is linked to this user, link the OIDC account to this user.
 // If an account from the specified provider is already linked to this user, unlink it, and link the OIDC account to this user.
 // (Is it safe? Concider: If an account from the specified provider is already linked to this user, throw an error)
       user = await User.findOne({ 'email': email }).exec()
       if (!user) {
-        let allowedDomains = Settings.oidc.allowedOIDCEmailDomains;
-          allowedDomains = allowedDomains.split(',').map(d => d.trim()); // Make sure it's an array
-          const domain = email.split('@')[1];
-
-          if (!allowedDomains.includes(domain)) {
-            return null;
-          }
-        if (Settings.oidc.disableJITAccountCreation) {
+        const allowedDomains = Settings.oidc.allowedOIDCEmailDomains
+        if (
+          allowedDomains &&
+          !allowedDomains.some(pattern => {
+            const domain = email.split('@')[1]
+            if (pattern.startsWith('*.')) {
+              const base = pattern.slice(2)
+              return domain.endsWith(`.${base}`)
+            }
+            return domain === pattern
+          })
+        ) {
           return null
         }
         user = await UserCreator.promises.createNewUser(

services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs

@@ -16,9 +16,10 @@ const OIDCModuleManager = {
       attUserId:    process.env.OVERLEAF_OIDC_USER_ID_FIELD || 'id',
       attAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD,
       valAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD_VALUE,
-      allowedOIDCEmailDomains:     process.env.OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS,
       updateUserDetailsOnLogin: boolFromEnv(process.env.OVERLEAF_OIDC_UPDATE_USER_DETAILS_ON_LOGIN),
-      disableJITAccountCreation: boolFromEnv(process.env.OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION),
+      allowedOIDCEmailDomains: process.env.OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS === undefined
+        ? null
+        : process.env.OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS.split(',').map(s => s.trim()).filter(Boolean),
     }
   },
   passportSetup(passport, callback) {