Merge pull request #488 from sebadob/user-reg-domain-blacklisting

featu: open user registration domain blacklisting
sebadob · Jun 20, 2024 · 824b109 · 824b109
2 parents 8320891 + 77494a9
commit 824b109
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 2 deletions.
diff --git a/book/src/config/config.md b/book/src/config/config.md
@@ -36,6 +36,14 @@ extract these values, create Kubernetes Secrets and provide them as environment
 # registrations with 'user@gmail.com' (default: '')
 #USER_REG_DOMAIN_RESTRICTION=some-domain.com
 
+# If `OPEN_USER_REG=true`, you can blacklist certain domains
+# on the open registration endpoint.
+# Provide the domains as a `\n` separated list.
+#USER_REG_DOMAIN_BLACKLIST="
+#example.com
+#evil.net
+#"
+
 # If set to true, a violation inside the CSRF protection middleware based
 # on Sec-* headers will block invalid requests. Usually you always want this
 # enabled. You may only set it to false during the first testing phase if you
@@ -951,6 +959,15 @@ PUB_URL=localhost:8080
 # default: false
 PROXY_MODE=false
 
+# A `\n` separated list of trusted proxy CIDRs.
+# When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set,
+# these are mandatory to be able to extract the real client
+# IP properly and safely to prevent IP header spoofing.
+# All requests with a different source will be blocked.
+#TRUSTED_PROXIES="
+#192.168.14.0/24
+#"
+
 # To enable or disable the additional HTTP server to expose the /metrics endpoint
 # default: true
 #METRICS_ENABLE=true

diff --git a/rauthy.cfg b/rauthy.cfg
@@ -50,6 +50,14 @@ USERINFO_STRICT=true
 # default: ''
 #USER_REG_DOMAIN_RESTRICTION=@some-mail-domain.com
 
+# If `OPEN_USER_REG=true`, you can blacklist certain domains
+# on the open registration endpoint.
+# Provide the domains as a `\n` separated list.
+USER_REG_DOMAIN_BLACKLIST="
+example.com
+evil.net
+"
+
 # If set to true, a violation inside the CSRF protection middleware based
 # on Sec-* headers will block invalid requests. Usually you always want this
 # enabled. You may only set it to false during the first testing phase if you

diff --git a/src/api/src/users.rs b/src/api/src/users.rs
@@ -15,7 +15,8 @@ use rauthy_api_types::users::{
 };
 use rauthy_common::constants::{
     COOKIE_MFA, ENABLE_WEB_ID, HEADER_ALLOW_ALL_ORIGINS, HEADER_HTML, HEADER_JSON, OPEN_USER_REG,
-    PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_RESTRICTION,
+    PWD_RESET_COOKIE, SSP_THRESHOLD, TEXT_TURTLE, USER_REG_DOMAIN_BLACKLIST,
+    USER_REG_DOMAIN_RESTRICTION,
 };
 use rauthy_common::utils::real_ip_from_req;
 use rauthy_error::{ErrorResponse, ErrorResponseType};
@@ -327,6 +328,15 @@ pub async fn post_users_register(
                 ),
             ));
         }
+    } else if let Some(blacklist) = &*USER_REG_DOMAIN_BLACKLIST {
+        for blacklisted in blacklist {
+            if req_data.email.ends_with(blacklisted) {
+                return Err(ErrorResponse::new(
+                    ErrorResponseType::BadRequest,
+                    "Domain is blacklisted",
+                ));
+            }
+        }
     }
 
     // validate the PoW

diff --git a/src/common/src/constants.rs b/src/common/src/constants.rs
@@ -4,6 +4,7 @@ use actix_web::http::Uri;
 use lazy_static::lazy_static;
 use regex::Regex;
 use std::env;
+use std::ops::Not;
 use std::str::FromStr;
 use std::string::ToString;
 
@@ -348,6 +349,15 @@ lazy_static! {
             Ok(domain) => Some(domain)
         }
     };
+    pub static ref USER_REG_DOMAIN_BLACKLIST: Option<Vec<String>> = env::var("USER_REG_DOMAIN_BLACKLIST")
+        .ok()
+        .map(|blacklist| blacklist.lines()
+            .filter_map(|line| {
+                let trimmed = line.trim();
+                trimmed.is_empty().not().then_some(trimmed.to_string())
+            })
+            .collect()
+        );
 
     pub static ref PEER_IP_HEADER_NAME: Option<String> = env::var("PEER_IP_HEADER_NAME").ok();
 

diff --git a/src/middlewares/src/logging.rs b/src/middlewares/src/logging.rs
@@ -1,5 +1,5 @@
 use actix_web::http::header::HeaderValue;
-use actix_web::http::{Method, Uri};
+use actix_web::http::Method;
 use actix_web::{
     dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
     Error,