124 lines
3.1 KiB
Go
124 lines
3.1 KiB
Go
package service
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
)
|
|
|
|
var registrationEmailDomainPattern = regexp.MustCompile(
|
|
`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$`,
|
|
)
|
|
|
|
// RegistrationEmailSuffix extracts normalized suffix in "@domain" form.
|
|
func RegistrationEmailSuffix(email string) string {
|
|
_, domain, ok := splitEmailForPolicy(email)
|
|
if !ok {
|
|
return ""
|
|
}
|
|
return "@" + domain
|
|
}
|
|
|
|
// IsRegistrationEmailSuffixAllowed checks whether an email is allowed by suffix whitelist.
|
|
// Empty whitelist means allow all.
|
|
func IsRegistrationEmailSuffixAllowed(email string, whitelist []string) bool {
|
|
if len(whitelist) == 0 {
|
|
return true
|
|
}
|
|
suffix := RegistrationEmailSuffix(email)
|
|
if suffix == "" {
|
|
return false
|
|
}
|
|
for _, allowed := range whitelist {
|
|
if suffix == allowed {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// NormalizeRegistrationEmailSuffixWhitelist normalizes and validates suffix whitelist items.
|
|
func NormalizeRegistrationEmailSuffixWhitelist(raw []string) ([]string, error) {
|
|
return normalizeRegistrationEmailSuffixWhitelist(raw, true)
|
|
}
|
|
|
|
// ParseRegistrationEmailSuffixWhitelist parses persisted JSON into normalized suffixes.
|
|
// Invalid entries are ignored to keep old misconfigurations from breaking runtime reads.
|
|
func ParseRegistrationEmailSuffixWhitelist(raw string) []string {
|
|
raw = strings.TrimSpace(raw)
|
|
if raw == "" {
|
|
return []string{}
|
|
}
|
|
var items []string
|
|
if err := json.Unmarshal([]byte(raw), &items); err != nil {
|
|
return []string{}
|
|
}
|
|
normalized, _ := normalizeRegistrationEmailSuffixWhitelist(items, false)
|
|
if len(normalized) == 0 {
|
|
return []string{}
|
|
}
|
|
return normalized
|
|
}
|
|
|
|
func normalizeRegistrationEmailSuffixWhitelist(raw []string, strict bool) ([]string, error) {
|
|
if len(raw) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
seen := make(map[string]struct{}, len(raw))
|
|
out := make([]string, 0, len(raw))
|
|
for _, item := range raw {
|
|
normalized, err := normalizeRegistrationEmailSuffix(item)
|
|
if err != nil {
|
|
if strict {
|
|
return nil, err
|
|
}
|
|
continue
|
|
}
|
|
if normalized == "" {
|
|
continue
|
|
}
|
|
if _, ok := seen[normalized]; ok {
|
|
continue
|
|
}
|
|
seen[normalized] = struct{}{}
|
|
out = append(out, normalized)
|
|
}
|
|
|
|
if len(out) == 0 {
|
|
return nil, nil
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
func normalizeRegistrationEmailSuffix(raw string) (string, error) {
|
|
value := strings.ToLower(strings.TrimSpace(raw))
|
|
if value == "" {
|
|
return "", nil
|
|
}
|
|
|
|
domain := value
|
|
if strings.Contains(value, "@") {
|
|
if !strings.HasPrefix(value, "@") || strings.Count(value, "@") != 1 {
|
|
return "", fmt.Errorf("invalid email suffix: %q", raw)
|
|
}
|
|
domain = strings.TrimPrefix(value, "@")
|
|
}
|
|
|
|
if domain == "" || strings.Contains(domain, "@") || !registrationEmailDomainPattern.MatchString(domain) {
|
|
return "", fmt.Errorf("invalid email suffix: %q", raw)
|
|
}
|
|
|
|
return "@" + domain, nil
|
|
}
|
|
|
|
func splitEmailForPolicy(raw string) (local string, domain string, ok bool) {
|
|
email := strings.ToLower(strings.TrimSpace(raw))
|
|
local, domain, found := strings.Cut(email, "@")
|
|
if !found || local == "" || domain == "" || strings.Contains(domain, "@") {
|
|
return "", "", false
|
|
}
|
|
return local, domain, true
|
|
}
|