thomseddon · LennardSchwarz · Nov 30, 2021 · Sep 12, 2024 · Sep 12, 2024 · Sep 12, 2024
diff --git a/README.md b/README.md
@@ -303,6 +303,12 @@ All options can be supplied in any of the following ways, in the following prece
 
    Please note that when using the default [Overlay Mode](#overlay-mode) requests to this exact path will be intercepted by this service and not forwarded to your application. Use this option (or [Auth Host Mode](#auth-host-mode)) if the default `/_oauth` path will collide with an existing route in your application.
 
+- `logout-if-invalid-email`
+
+   When enabled, logs out users if their email address isn't found on the allow list, allowing them to retry with another email address.
+
+   Default: `false`
+
 - `secret`
 
    Used to sign cookies authentication, should be a random (e.g. `openssl rand -hex 16`)

diff --git a/internal/config.go b/internal/config.go
@@ -40,6 +40,7 @@ type Config struct {
 	SecretString           string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
 	Whitelist              CommaSeparatedList   `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given email addresses, can be set multiple times"`
 	Port                   int                  `long:"port" env:"PORT" default:"4181" description:"Port to listen on"`
+	LogoutIfInvalidEmail   bool                 `long:"logout-if-invalid-email" env:"LOGOUT_IF_INVALID_EMAIL" description:"Allow user to retry another email address if their email address isn't found on the allow list"`
 
 	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
 	Rules     map[string]*Rule   `long:"rule.<name>.<param>" description:"Rule definitions, param can be: \"action\", \"rule\" or \"provider\""`

diff --git a/internal/config_test.go b/internal/config_test.go
@@ -38,6 +38,7 @@ func TestConfigDefaults(t *testing.T) {
 	assert.Equal("/_oauth", c.Path)
 	assert.Len(c.Whitelist, 0)
 	assert.Equal(c.Port, 4181)
+	assert.Equal(false, c.LogoutIfInvalidEmail)
 
 	assert.Equal("select_account", c.Providers.Google.Prompt)
 }

diff --git a/internal/server.go b/internal/server.go
@@ -108,7 +108,15 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 		valid := ValidateEmail(email, rule)
 		if !valid {
 			logger.WithField("email", email).Warn("Invalid email")
-			http.Error(w, "Not authorized", 401)
+
+			if config.LogoutIfInvalidEmail {
+				// The email address isn't valid so display an error and clear the cookie
+				// Clearing the cookie will allow the user to try another email address and avoid being trapped on 'Not authorized'
+				http.SetCookie(w, ClearCookie(r))
+				http.Error(w, "Not authorized (refresh to try again with a different email address)", 401)
+			} else {
+				http.Error(w, "Not authorized", 401)
+			}
 			return
 		}