fix(oauth2): Allow to specify to show only Google Workspace accounts …

…on OAuth2 login screen
postalsys · Oct 21, 2024 · a3b2412 · a3b2412
1 parent 2ff26e3
commit a3b2412
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 4 deletions.
diff --git a/lib/oauth/gmail.js b/lib/oauth/gmail.js
@@ -146,6 +146,8 @@ class GmailOauth {
         this.serviceClientEmail = opts.serviceClientEmail;
         this.serviceKey = opts.serviceKey;
 
+        this.workspaceAccounts = !!opts.workspaceAccounts;
+
         this.clientId = opts.clientId;
         this.clientSecret = opts.clientSecret;
         this.redirectUrl = opts.redirectUrl;
@@ -171,6 +173,10 @@ class GmailOauth {
         url.searchParams.set('scope', this.scopes.join(' '));
         url.searchParams.set('access_type', 'offline');
 
+        if (this.workspaceAccounts) {
+            url.searchParams.set('hd', '*');
+        }
+
         if (opts.email) {
             url.searchParams.set('login_hint', opts.email);
         }

diff --git a/lib/oauth2-apps.js b/lib/oauth2-apps.js
@@ -1064,6 +1064,9 @@ class OAuth2AppsHandler {
                 let redirectUrl = appData.redirectUrl;
                 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
 
+                let googleProjectId = appData.projectIdv;
+                let workspaceAccounts = appData.googleWorkspaceAccounts;
+
                 if (!clientId || !clientSecret || !redirectUrl) {
                     let error = Boom.boomify(new Error('OAuth2 credentials not set up for Gmail'), { statusCode: 400 });
                     throw error;
@@ -1076,6 +1079,8 @@ class OAuth2AppsHandler {
                             clientSecret,
                             redirectUrl,
                             scopes,
+                            googleProjectId,
+                            workspaceAccounts,
                             setFlag: async flag => {
                                 try {
                                     if (appData.legacy) {
@@ -1095,12 +1100,15 @@ class OAuth2AppsHandler {
 
             case 'gmailService': {
                 let serviceClient = appData.serviceClient;
-                let googleProjectId = appData.projectIdv;
+
                 let serviceClientEmail = appData.serviceClientEmail;
                 let serviceKey = appData.serviceKey ? await decrypt(appData.serviceKey) : null;
 
                 let scopes = formatExtraScopes(appData.extraScopes, appData.baseScopes, GMAIL_SCOPES, appData.skipScopes);
 
+                let googleProjectId = appData.projectIdv;
+                let workspaceAccounts = appData.googleWorkspaceAccounts;
+
                 if (!serviceClient || !serviceKey) {
                     let error = Boom.boomify(new Error('OAuth2 credentials not set up for Gmail'), { statusCode: 400 });
                     throw error;
@@ -1114,6 +1122,7 @@ class OAuth2AppsHandler {
                             googleProjectId,
                             serviceClientEmail,
                             scopes,
+                            workspaceAccounts,
                             setFlag: async flag => {
                                 try {
                                     if (appData.legacy) {

diff --git a/lib/routes-ui.js b/lib/routes-ui.js
@@ -43,7 +43,8 @@ const {
     oauthCreateSchema,
     accountIdSchema,
     defaultAccountTypeSchema,
-    googleProjectIdSchema
+    googleProjectIdSchema,
+    googleWorkspaceAccountsSchema
 } = require('./schemas');
 const fs = require('fs');
 const pathlib = require('path');
@@ -421,6 +422,11 @@ const oauthUpdateSchema = {
 
     googleProjectId: googleProjectIdSchema,
 
+    googleWorkspaceAccounts: googleWorkspaceAccountsSchema.when('provider', {
+        is: 'gmail',
+        then: Joi.optional().default(false)
+    }),
+
     serviceClientEmail: Joi.string()
         .trim()
         .allow('')

diff --git a/lib/schemas.js b/lib/schemas.js
@@ -1205,6 +1205,11 @@ const accountSchemas = {
 };
 
 const googleProjectIdSchema = Joi.string().trim().allow('', false, null).max(256).example('project-name-425411').description('Google Cloud Project ID');
+const googleWorkspaceAccountsSchema = Joi.boolean()
+    .truthy('Y', 'true', '1', 'on')
+    .falsy('N', 'false', 0, '')
+    .example(false)
+    .description('Show only Google Workspace accounts on the OAuth2 login page');
 
 const oauthCreateSchema = {
     name: Joi.string().trim().empty('').max(256).example('My Gmail App').required().description('Application name'),
@@ -1298,6 +1303,7 @@ const oauthCreateSchema = {
         .description('Service client ID for 2-legged OAuth2 applications'),
 
     googleProjectId: googleProjectIdSchema,
+    googleWorkspaceAccounts: googleWorkspaceAccountsSchema,
 
     serviceClientEmail: Joi.string()
         .trim()
@@ -1506,7 +1512,8 @@ module.exports = {
     defaultAccountTypeSchema,
     fromAddressSchema,
     outboxEntrySchema,
-    googleProjectIdSchema
+    googleProjectIdSchema,
+    googleWorkspaceAccountsSchema
 };
 
 /*

diff --git a/views/partials/oauth_form.hbs b/views/partials/oauth_form.hbs
@@ -65,6 +65,23 @@
         </div>
         {{/unless}}
 
+
+        {{#if activeGmail}}
+        <div class="form-group form-check">
+
+            <input type="checkbox" class="form-check-input {{#if errors.googleWorkspaceAccounts}}is-invalid{{/if}}"
+                id="googleWorkspaceAccounts" name="googleWorkspaceAccounts" {{#if
+                values.googleWorkspaceAccounts}}checked{{/if}} />
+            <label class="form-check-label" for="googleWorkspaceAccounts">Show only Google Workspace accounts on the
+                OAuth2 login page</label>
+            {{#if errors.googleWorkspaceAccounts}}
+            <span class="invalid-feedback">{{errors.googleWorkspaceAccounts}}</span>
+            {{/if}}
+            <small class="form-text text-muted">When enabled, only Google Workspace accounts will be available on the
+                Gmail OAuth2 login screen.</small>
+        </div>
+        {{/if}}
+
         {{#unless activeGmailService}}
         <div class="form-group form-check">
 

diff --git a/workers/api.js b/workers/api.js
@@ -162,7 +162,8 @@ const {
     defaultAccountTypeSchema,
     fromAddressSchema,
     outboxEntrySchema,
-    googleProjectIdSchema
+    googleProjectIdSchema,
+    googleWorkspaceAccountsSchema
 } = require('../lib/schemas');
 
 const listMessageFolderPathDescription =
@@ -6852,6 +6853,7 @@ const init = async () => {
                                 serviceClient: Joi.string().example('9103965568215821627203').description('Service client ID for 2-legged OAuth2 applications'),
 
                                 googleProjectId: googleProjectIdSchema,
+                                googleWorkspaceAccounts: googleWorkspaceAccountsSchema,
 
                                 serviceClientEmail: Joi.string()
                                     .email()
@@ -6980,6 +6982,7 @@ const init = async () => {
                         .description('Redirect URL for 3-legged OAuth2 applications'),
 
                     googleProjectId: googleProjectIdSchema,
+                    googleWorkspaceAccounts: googleWorkspaceAccountsSchema,
 
                     serviceClientEmail: Joi.string()
                         .email()
@@ -7154,6 +7157,7 @@ const init = async () => {
                         .description('Service client ID for 2-legged OAuth2 applications'),
 
                     googleProjectId: googleProjectIdSchema,
+                    googleWorkspaceAccounts: googleWorkspaceAccountsSchema,
 
                     serviceClientEmail: Joi.string()
                         .email()