From 1e281e692f935b0e1cff1f55c4b03732e5d9b34b Mon Sep 17 00:00:00 2001 From: Nivedita Priyadarshini Date: Tue, 10 Oct 2023 16:46:07 +0530 Subject: [PATCH] Restrict uninvited signups from configured domains --- .env.development | 1 + app/models/accounts/user.rb | 16 ++++++++++++++++ config/locales/en.yml | 1 + 3 files changed, 18 insertions(+) diff --git a/.env.development b/.env.development index 52a948071..7548b3d22 100644 --- a/.env.development +++ b/.env.development @@ -15,3 +15,4 @@ BILLING_URL=https://billing.stripe.com/p/login SENTRY_SECURITY_HEADER_ENDPOINT= SESSION_TIMEOUT_IN_MINUTES=7200 JUNE_ANALYTICS_KEY= +DISALLOWED_SIGN_UP_DOMAINS= diff --git a/app/models/accounts/user.rb b/app/models/accounts/user.rb index ce82867f7..887219191 100644 --- a/app/models/accounts/user.rb +++ b/app/models/accounts/user.rb @@ -52,12 +52,28 @@ class Accounts::User < ApplicationRecord accepts_nested_attributes_for :organizations + def self.valid_email_domain?(user) + return false if user.email.blank? + begin + disallowed_domains = ENV["DISALLOWED_SIGN_UP_DOMAINS"].split(",") + parsed_email = Mail::Address.new(user.email) + disallowed_domains.include?(parsed_email.domain) + rescue + false + end + end + def self.onboard(user) if find_by(email: user.email) user.errors.add(:account_exists, "you already have an account with tramline!") return user end + if valid_email_domain?(user) + user.errors.add(:email, :invalid_domain) + return + end + new_organization = user.organizations.first new_membership = user.memberships.first new_organization.status = Accounts::Organization.statuses[:active] diff --git a/config/locales/en.yml b/config/locales/en.yml index db4456d70..0f150ceda 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
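Review bot: The domain check in `valid_email_domain?` compares with an exact `include?`, so a domain typed in a different case, or a list entry written with a space after the comma, does not match and the signup is accepted; unless the email is normalised before `onboard` runs (not visible here), both sides should be stripped and downcased. The bare `rescue` also makes the check fail open, because an unset `DISALLOWED_SIGN_UP_DOMAINS` (`nil.split`), an address the parser rejects, and any unrelated error all become "not disallowed" without a trace. The predicate returns true for a disallowed domain, the opposite of what its name says, so a name such as `disallowed_email_domain?` would read correctly at the call site. In `onboard` the new branch ends in a bare `return` while the branch above it returns `user`; `return user` keeps the result consistent for callers, and the rest of `onboard` lies outside this hunk.

```ruby
  def self.disallowed_email_domain?(user)
    return false if user.email.blank?

    # An unset variable means "no restriction", stated explicitly instead of via rescue.
    disallowed_domains = ENV.fetch("DISALLOWED_SIGN_UP_DOMAINS", "").split(",").map { |d| d.strip.downcase }
    domain = Mail::Address.new(user.email).domain
    domain.present? && disallowed_domains.include?(domain.downcase)
  rescue Mail::Field::ParseError
    # Unparseable address is not matched here; confirm format validation rejects it elsewhere.
    false
  end

  # … unchanged: existing-account check at the top of onboard …

    if disallowed_email_domain?(user)
      user.errors.add(:email, :invalid_domain)
      return user
    end
```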
@@ -108,6 +108,7 @@ en:
 not_blank: "The email can't be blank"
 already_taken: "This email has already been taken"
 too_long: "The email is too long (maximum is 105 characters)"
+ invalid_domain: "This email domain is invite-only. Please use a different address or contact support!"
 accounts/invite:
 attributes:
 role: