Introduce an environment variable to allow JIT OIDC users creation based on their email address domain.

services/web/modules/authentication/oidc/app/src/OIDCAuthenticationManager.mjs

@@ -37,6 +37,13 @@ const OIDCAuthenticationManager = {
 // (Is it safe? Concider: If an account from the specified provider is already linked to this user, throw an error)
       user = await User.findOne({ 'email': email }).exec()
       if (!user) {
+        let allowedDomains = Settings.oidc.allowedOIDCEmailDomains;
+          allowedDomains = allowedDomains.split(',').map(d => d.trim()); // Make sure it's an array
+          const domain = email.split('@')[1];
+
+          if (!allowedDomains.includes(domain)) {
+            return null;
+          }
         if (Settings.oidc.disableJITAccountCreation) {
           return null
         }

services/web/modules/authentication/oidc/app/src/OIDCModuleManager.mjs

@@ -16,6 +16,7 @@ const OIDCModuleManager = {
       attUserId:    process.env.OVERLEAF_OIDC_USER_ID_FIELD || 'id',
       attAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD,
       valAdmin:     process.env.OVERLEAF_OIDC_IS_ADMIN_FIELD_VALUE,
+      allowedOIDCEmailDomains:     process.env.OVERLEAF_OIDC_ALLOWED_EMAIL_DOMAINS,
       updateUserDetailsOnLogin: boolFromEnv(process.env.OVERLEAF_OIDC_UPDATE_USER_DETAILS_ON_LOGIN),
       disableJITAccountCreation: boolFromEnv(process.env.OVERLEAF_OIDC_DISABLE_JIT_ACCOUNT_CREATION),
     }