How to block log in for specific providers based on email domain?

My scenario: I have Google and Microsoft social providers, and I also have some genericOAuth plugin providers for Microsoft OAuth for specific tenants so the authorisation screen can be skipped when they log in.

My issue: for users who have a genericOAuth provider, they should only be able to log in using this. I have created a function which checks the email address domain to see if there are any restrictions on which provider they can use. This is to prevent a user creating a Google account using their work email address and then using the Google account to sign in.

I have tried to implement this using the before and after hooks, but for the social logins, the email address is not available as the user has not selected which email to use. When the after hook is run, the session has already been created so I can't block it. I have also tried to use the customSession plugin to do something in there, but when using customSession(async ({ user, session }, ctx) the provider is not exposed anywhere.

The only method I have found is to use customSession and the user.id to make a DB call to get the account which has the providerId. Then I have the provider and the email, so I can run my check and if they don't meet the criteria, I can block them from doing anything and show a helpful error. Am I missing something? Thanks
0 Replies
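As an added example (not code from the original post or from the better-auth project), here is a domain-to-provider policy check of the kind the post describes. The domains and provider IDs in `SAMPLE_POLICY` are constructed sample values; `enforceProviderPolicy` takes the account lookup as an injected function because, as the post says, the `providerId` lives on the account row rather than on the session, so how that row is fetched and where the check is wired in (the post's `customSession` callback) are assumptions, not shown here.

```typescript
// Added example: email-domain -> allowed-provider policy, fail-closed.
// Not from the original post or the better-auth project.

/** Which provider IDs an email domain may sign in with. Constructed sample values. */
type ProviderPolicy = Record<string, readonly string[]>;

const SAMPLE_POLICY: ProviderPolicy = {
  // Constructed: this tenant must use its dedicated genericOAuth provider only.
  "contoso.example": ["contoso-entra"],
  // Constructed: this tenant may use its tenant provider or the plain Microsoft one.
  "fabrikam.example": ["fabrikam-entra", "microsoft"],
};

interface ProviderCheck {
  allowed: boolean;
  reason: string;
}

/** Lower-cased domain of an email address, or null if the address is malformed. */
function emailDomain(email: string): string | null {
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  // Need a non-empty local part and a non-empty domain; lastIndexOf guarantees no later "@".
  if (at <= 0 || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1).toLowerCase();
  if (/\s/.test(domain) || domain.startsWith(".") || domain.endsWith(".")) return null;
  return domain;
}

/**
 * Find the policy entry for a domain, matching the exact domain or any parent
 * domain with at least two labels (so mail.contoso.example falls under contoso.example).
 */
function policyFor(
  domain: string,
  policy: ProviderPolicy,
): { matched: string; providers: readonly string[] } | null {
  const labels = domain.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    // hasOwnProperty avoids matching prototype keys such as "constructor".
    if (Object.prototype.hasOwnProperty.call(policy, candidate)) {
      return { matched: candidate, providers: policy[candidate] };
    }
  }
  return null;
}

/** Decide whether an account created via `providerId` may sign in with `email`. */
function checkProvider(
  email: string,
  providerId: string,
  policy: ProviderPolicy = SAMPLE_POLICY,
): ProviderCheck {
  const domain = emailDomain(email);
  if (domain === null) {
    // Fail closed: an unparsable address never satisfies a tenant policy.
    return { allowed: false, reason: "malformed email address" };
  }
  const entry = policyFor(domain, policy);
  if (entry === null) {
    return { allowed: true, reason: `no restriction for ${domain}` };
  }
  if (entry.providers.includes(providerId)) {
    return { allowed: true, reason: `${providerId} is permitted for ${entry.matched}` };
  }
  return {
    allowed: false,
    reason: `accounts for ${entry.matched} must sign in with ${entry.providers.join(" or ")}, not ${providerId}`,
  };
}

/**
 * Assumed integration point: given the session user and a lookup that returns the
 * providerId of the user's linked account (a DB call in the post), throw if the
 * combination violates the policy so the caller can reject the session.
 */
async function enforceProviderPolicy(
  user: { id: string; email: string },
  findProviderId: (userId: string) => Promise<string | null>,
  policy: ProviderPolicy = SAMPLE_POLICY,
): Promise<void> {
  const providerId = await findProviderId(user.id);
  if (providerId === null) throw new Error("no linked account for user");
  const result = checkProvider(user.email, providerId, policy);
  if (!result.allowed) throw new Error(`sign-in blocked: ${result.reason}`);
}
```

The check is evaluated on the pair (email, providerId) rather than on the email alone, which is the combination the post is missing from the hooks: a work address reached through the generic Google provider is rejected, while the same address through its tenant provider passes. Unrestricted domains are allowed so the policy only constrains the tenants you list.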
