From 50bc4d9b627c9e8927f71f36a56ff7476ac91987 Mon Sep 17 00:00:00 2001
From: Rafael da Fonseca
Date: Wed, 10 Apr 2024 15:53:24 +0100
Subject: [PATCH 1/2] Allow external email domains when explicitly defined

---
 oauth2/google.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/oauth2/google.go b/oauth2/google.go
index 00e1a4e..7031b56 100644
--- a/oauth2/google.go
+++ b/oauth2/google.go
@@ -88,7 +88,9 @@ func (g *Google) ExchangeCode(code string) (*models.AuthResult, error) {
 if err != nil {
 return nil, err
 }
- allowed := g.checkHostedDomain(userInfo.HostedDomain)
+ emailDomainSplit := strings.Split(userInfo.Email, "@")
+ emailDomain := emailDomainSplit[len(emailDomainSplit)-1]
+ allowed := g.checkHostedDomain(userInfo.HostedDomain, emailDomain)
 if !allowed {
 return nil, errors.NewNonAllowedEmailDomainError(userInfo.HostedDomain)
 }
@@ -196,12 +198,12 @@ func (g *Google) getUserInfo(accessToken string) (*userInfo, error) {
 return ui, nil
 }
 
-func (g *Google) checkHostedDomain(hd string) bool {
+func (g *Google) checkHostedDomain(hd string, emailDomain string) bool {
 if !g.config.CheckHostedDomain || g.config.HostedDomains == nil || len(g.config.HostedDomains) == 0 {
 return true
 }
 for _, allowed := range g.config.HostedDomains {
- if hd == allowed {
+ if hd == allowed || emailDomain == allowed {
 return true
 }
 }

From 02795d05da13509a655c0c92e846a1ba1a27f4aa Mon Sep 17 00:00:00 2001
From: Rafael da Fonseca
Date: Wed, 10 Apr 2024 15:57:34 +0100
Subject: [PATCH 2/2] Log the actual email domain, even if it isn't present on hd property

---
 oauth2/google.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth2/google.go b/oauth2/google.go
index 7031b56..3425b84 100644
--- a/oauth2/google.go
+++ b/oauth2/google.go
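Review bot: The new `emailDomain` path in the first hunk lets an account through on nothing more than the domain part of the userinfo `email`, even when Google did not assert Workspace membership via `hd` — for accounts without `hd`, that email is the only evidence, so the fallback should at least be gated on Google's `email_verified` flag, e.g. `if userInfo.HostedDomain == "" && !userInfo.EmailVerified { return nil, errors.NewNonAllowedEmailDomainError(emailDomain) }` (if `userInfo` does not yet decode `email_verified`, it needs to). The `strings.Split` form also turns an `email` without an `@` into a "domain" equal to the whole string; `_, emailDomain, ok := strings.Cut(userInfo.Email, "@")` with a rejection on `!ok` is tighter. ExchangeCode continues before and after this hunk, so any existing verification there is not visible here.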
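Review bot: In the second hunk, `emailDomain == allowed` is applied to every entry of `HostedDomains`, so despite the commit title every domain an operator previously listed to mean "Workspace account with this `hd`" now also admits any account whose email merely ends in that domain; if the intent is an opt-in for specific external domains, a separate list (say `AllowedEmailDomains`) checked only against `emailDomain` would preserve the old contract for existing configs. Both comparisons are also byte-exact while DNS names are case-insensitive, so `if strings.EqualFold(hd, allowed) || strings.EqualFold(emailDomain, allowed) {` avoids a silent mismatch between a mixed-case config entry and the value Google returns. checkHostedDomain's final `return false` lies past the end of the hunk.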
@@ -92,7 +92,7 @@ func (g *Google) ExchangeCode(code string) (*models.AuthResult, error) {
 emailDomain := emailDomainSplit[len(emailDomainSplit)-1]
 allowed := g.checkHostedDomain(userInfo.HostedDomain, emailDomain)
 if !allowed {
- return nil, errors.NewNonAllowedEmailDomainError(userInfo.HostedDomain)
+ return nil, errors.NewNonAllowedEmailDomainError(emailDomain)
 }
 t.Email = userInfo.Email
 // TODO: don't return sso_access_token to user, return 2 tokens to sso
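Review bot: The rejection error now reports only `emailDomain` and drops `hd`, which is the more authoritative of the two claims when both were checked; since this message is an operator's main diagnostic for a denied login, it is worth carrying both, for example `errors.NewNonAllowedEmailDomainError(fmt.Sprintf("%s (hd=%q)", emailDomain, userInfo.HostedDomain))` if the constructor takes a free-form string. Note also that `emailDomain` comes from whatever Google account the caller chose to sign in with, so wherever this error is logged or rendered it should be treated as untrusted text.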