restrict user with a whitelist

server/config/config.go

@@ -28,6 +28,7 @@ type Config struct {
 	OpenIdClientId       string   `yaml:"openid_client_id"`
 	OpenIdClientSecret   string   `yaml:"openid_client_secret"`
 	OpenIdRedirectURL    string   `yaml:"openid_redirect_url"`
+	OpenIdEmailWhitelist []string `yaml:"openid_email_whitelist"`
 	FrontendPath         string   `yaml:"frontend_path"`
 	AutoArchive          bool     `yaml:"auto_archive"`
 }

server/openid/handler.go

@@ -6,10 +6,12 @@ import (
 	"encoding/json"
 	"errors"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/uuid"
+	"github.com/marcopiovanello/yt-dlp-web-ui/v3/server/config"
 	"golang.org/x/oauth2"
 )
 
@@ -76,6 +78,21 @@ func doAuthentification(r *http.Request, setCookieCallback func(t *oauth2.Token)
 		return nil, err
 	}
 
+	var claims struct {
+		Email    string `json:"email"`
+		Verified bool   `json:"email_verified"`
+	}
+
+	if err := idToken.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	whitelist := config.Instance().OpenIdEmailWhitelist
+
+	if len(whitelist) > 0 && !slices.Contains(whitelist, claims.Email) {
+		return nil, errors.New("email address not found in ACL")
+	}
+
 	nonce, err := r.Cookie("nonce")
 	if err != nil {
 		return nil, err