From f2868409641fc0ce28ac140c7f0fb94d10d61d0a Mon Sep 17 00:00:00 2001
From: h44z
Date: Sun, 29 Jun 2025 20:00:15 +0200
Subject: [PATCH] fix oauth domain check (#474) (#476)

---
 internal/app/auth/auth.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/app/auth/auth.go b/internal/app/auth/auth.go
index 380fe81..0ff8d9e 100644
--- a/internal/app/auth/auth.go
+++ b/internal/app/auth/auth.go
@@ -434,6 +434,10 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 		return nil, fmt.Errorf("unable to parse user information: %w", err)
 	}
 
+	if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains()) {
+		return nil, fmt.Errorf("user %s is not in allowed domains", userInfo.Email)
+	}
+
 	ctx = domain.SetUserInfo(ctx, domain.SystemAdminContextUserInfo()) // switch to admin user context to check if user exists
 	user, err := a.processUserInfo(ctx, userInfo, domain.UserSourceOauth, oauthProvider.GetName(),
@@ -450,10 +454,6 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 		return nil, fmt.Errorf("unable to process user information: %w", err)
 	}
 
-	if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains()) {
-		return nil, fmt.Errorf("user is not in allowed domains: %w", err)
-	}
-
 	if user.IsLocked() || user.IsDisabled() {
 		a.bus.Publish(app.TopicAuditLoginFailed, domain.AuditEventWrapper[audit.AuthEvent]{
 			Ctx: ctx,
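Review bot: The new rejection at `if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains())` in the first hunk returns before any `a.bus.Publish(app.TopicAuditLoginFailed, ...)` call, unlike the locked/disabled branch visible in the second hunk, so a login refused for a disallowed domain leaves no audit event even though it is a failed login. Consider publishing the same `TopicAuditLoginFailed` event (with the provider name and the rejected email) before returning, so repeated attempts from outside the allowed domains are visible to operators. Since `userInfo.Email` comes from the provider's userinfo response, `%q` is safer than `%s` in the error string and also makes an empty email visible: `return nil, fmt.Errorf("user %q is not in allowed domains", userInfo.Email)`. Whether `isDomainAllowed` treats an empty email or an empty allow-list as a match is outside this hunk and worth confirming, because the check now runs before `processUserInfo` and is the only gate. `OauthLoginStep2` starts and ends outside both hunks.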