From e223e030ac165f063a24fe0855eea9720ade3b24 Mon Sep 17 00:00:00 2001
From: Marco Piovanello <35533749+marcopiovanello@users.noreply.github.com>
Date: Mon, 17 Mar 2025 11:13:20 +0100
Subject: [PATCH] restrict user with a whitelist (#282)
---
server/config/config.go | 43 ++++++++++++++++++++--------------------
server/openid/handler.go | 17 ++++++++++++++++
2 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/server/config/config.go b/server/config/config.go
index 1a60407..5693d13 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -9,27 +9,28 @@ import (
 )
 type Config struct {
- LogPath string `yaml:"log_path"`
- EnableFileLogging bool `yaml:"enable_file_logging"`
- BaseURL string `yaml:"base_url"`
- Host string `yaml:"host"`
- Port int `yaml:"port"`
- DownloadPath string `yaml:"downloadPath"`
- DownloaderPath string `yaml:"downloaderPath"`
- RequireAuth bool `yaml:"require_auth"`
- Username string `yaml:"username"`
- Password string `yaml:"password"`
- QueueSize int `yaml:"queue_size"`
- LocalDatabasePath string `yaml:"local_database_path"`
- SessionFilePath string `yaml:"session_file_path"`
- path string // private
- UseOpenId bool `yaml:"use_openid"`
- OpenIdProviderURL string `yaml:"openid_provider_url"`
- OpenIdClientId string `yaml:"openid_client_id"`
- OpenIdClientSecret string `yaml:"openid_client_secret"`
- OpenIdRedirectURL string `yaml:"openid_redirect_url"`
- FrontendPath string `yaml:"frontend_path"`
- AutoArchive bool `yaml:"auto_archive"`
+ LogPath string `yaml:"log_path"`
+ EnableFileLogging bool `yaml:"enable_file_logging"`
+ BaseURL string `yaml:"base_url"`
+ Host string `yaml:"host"`
+ Port int `yaml:"port"`
+ DownloadPath string `yaml:"downloadPath"`
+ DownloaderPath string `yaml:"downloaderPath"`
+ RequireAuth bool `yaml:"require_auth"`
+ Username string `yaml:"username"`
+ Password string `yaml:"password"`
+ QueueSize int `yaml:"queue_size"`
+ LocalDatabasePath string `yaml:"local_database_path"`
+ SessionFilePath string `yaml:"session_file_path"`
+ path string // private
+ UseOpenId bool `yaml:"use_openid"`
+ OpenIdProviderURL string `yaml:"openid_provider_url"`
+ OpenIdClientId string `yaml:"openid_client_id"`
+ OpenIdClientSecret string `yaml:"openid_client_secret"`
+ OpenIdRedirectURL string `yaml:"openid_redirect_url"`
+ OpenIdEmailWhitelist []string `yaml:"openid_email_whitelist"`
+ FrontendPath string `yaml:"frontend_path"`
+ AutoArchive bool `yaml:"auto_archive"`
 }
 var (
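Review bot: The new `OpenIdEmailWhitelist` field carries no doc comment, and its most consequential property is invisible from the struct: an empty list disables the restriction entirely (the handler guards the check with `len(whitelist) > 0`), so a deployment that sets `use_openid` but omits the list admits every account the provider authenticates. A field comment would make that explicit, for example `// OpenIdEmailWhitelist lists the email addresses allowed to log in via OpenID; an empty list admits any authenticated account.` Since the handler compares entries with plain string equality, the comment should also say that each entry must match the provider's `email` claim exactly.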
diff --git a/server/openid/handler.go b/server/openid/handler.go
index 7e30aee..2b906b2 100644
--- a/server/openid/handler.go
+++ b/server/openid/handler.go
@@ -6,10 +6,12 @@ import (
 "encoding/json"
 "errors"
 "net/http"
+ "slices"
 "time"
 "github.com/coreos/go-oidc/v3/oidc"
 "github.com/google/uuid"
+ "github.com/marcopiovanello/yt-dlp-web-ui/v3/server/config"
 "golang.org/x/oauth2"
 )
@@ -76,6 +78,21 @@ func doAuthentification(r *http.Request, setCookieCallback func(t *oauth2.Token)
 return nil, err
 }
+ var claims struct {
+ Email string `json:"email"`
+ Verified bool `json:"email_verified"`
+ }
+
+ if err := idToken.Claims(&claims); err != nil {
+ return nil, err
+ }
+
+ whitelist := config.Instance().OpenIdEmailWhitelist
+
+ if len(whitelist) > 0 && !slices.Contains(whitelist, claims.Email) {
+ return nil, errors.New("email address not found in ACL")
+ }
+
 nonce, err := r.Cookie("nonce")
 if err != nil {
 return nil, err
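Review bot: `claims.Verified` is decoded from the ID token in the second hunk but never consulted, so an account whose provider has not verified the `email` claim still passes the allow-list test on the `slices.Contains` line; the whitelist is only as trustworthy as the claim it is compared against. Require verification whenever a whitelist is configured, e.g. `if len(whitelist) > 0 && (!claims.Verified || !slices.Contains(whitelist, claims.Email)) {`. The comparison is also exact-case, so an operator who writes an address in a different case than the provider returns will lock that user out; if tolerance is intended, `slices.ContainsFunc` with `strings.EqualFold` is the matching form. The enclosing `doAuthentification` starts and ends outside the hunk, so where `idToken` is validated before this point is not visible here.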