Merge pull request #504 from bheesham/deny-email-registration-for-matrix

bheesham · web-flow · commit bc87db6b72ee · 2025-04-15T08:59:45.000-04:00
Deny email registration for Matrix
diff --git a/tf/.terraform.lock.hcl b/tf/.terraform.lock.hcl
diff --git a/tf/actions-pre-user-registration.tf b/tf/actions-pre-user-registration.tf
@@ -0,0 +1,18 @@
+resource "auth0_trigger_actions" "pre_user_registration_flow" {
+  trigger = "pre-user-registration"
+  actions {
+    id           = auth0_action.deny_registration.id
+    display_name = auth0_action.deny_registration.name
+  }
+}
+
+resource "auth0_action" "deny_registration" {
+  name    = "denyRegistration"
+  runtime = "node22"
+  deploy  = true
+  code    = file("${path.module}/actions/denyRegistration.js")
+  supported_triggers {
+    id      = "pre-user-registration"
+    version = "v2"
+  }
+}
diff --git a/tf/actions/denyRegistration.js b/tf/actions/denyRegistration.js
@@ -0,0 +1,32 @@
+// Reject users from registering for an application (by client id) using a
+// specific connection.
+//
+// This is a workaround for disabling a connection entirely for an application,
+// since we may have allowed registrations already.
+//
+// If we instead disabled the connection then we'd break logins for users who
+// only have that connection available.
+//
+// DEBT(bhee): LDAP's connection name is
+// * `Mozilla-LDAP` on prod;
+// * `Mozilla-LDAP-Dev` on dev.
+//
+// If we need to deny registrations on those, for some reason, we'll need to
+// think of a better way. Connection Ids are not stable across tenants either.
+
+exports.onExecutePreUserRegistration = async (event, api) => {
+  const CLIENT_CONNECTIONS_DENYLIST = {
+    // Matrix, IAM-1617
+    pFf6sBIfp4n3Wcs3F9Q7a9ry8MTrbi2F: ["email"],
+  };
+
+  const denylist = CLIENT_CONNECTIONS_DENYLIST[event.client.client_id] ?? [];
+
+  if (denylist.includes(event.connection.name)) {
+    return api.access.deny(
+      `Not allowed to register for ${event.client.name} using ${event.connection.name}.`
+    );
+  }
+
+  return;
+};
diff --git a/tf/providers.tf b/tf/providers.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     auth0 = {
       source  = "auth0/auth0"
-      version = "1.2.0"
+      version = "1.15.0"
     }
   }
   backend "gcs" {
diff --git a/tf/tests/denyRegistration.test.js b/tf/tests/denyRegistration.test.js
@@ -0,0 +1,26 @@
+const _ = require("lodash");
+const eventObj = require("./modules/event.json");
+const {
+  onExecutePreUserRegistration,
+} = require("../actions/denyRegistration.js");
+
+beforeEach(() => {
+  _event = _.cloneDeep(eventObj);
+  api = {
+    access: {
+      deny: jest.fn(),
+    },
+  };
+});
+
+test("Should not deny registration an app we haven't specified", async () => {
+  await onExecutePreUserRegistration(_event, api);
+  expect(api.access.deny).not.toHaveBeenCalled();
+});
+
+test("Should deny registration for Matrix", async () => {
+  _event.connection.name = "email";
+  _event.client.client_id = "pFf6sBIfp4n3Wcs3F9Q7a9ry8MTrbi2F";
+  await onExecutePreUserRegistration(_event, api);
+  expect(api.access.deny).toHaveBeenCalled();
+});

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`auth0 = {`
`4`	`4`	`source = "auth0/auth0"`
`5`		`- version = "1.2.0"`
	`5`	`+ version = "1.15.0"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`backend "gcs" {`