From 9839dc795b9d281d65201b41773298f8c95b4587 Mon Sep 17 00:00:00 2001
From: Panam Shah <67643848+Shah-Panam@users.noreply.github.com>
Date: Tue, 14 May 2024 11:40:53 +0000
Subject: [PATCH] Added OAuth Allowed Groups Option
---
 packages/api/src/controllers/auth.js | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/packages/api/src/controllers/auth.js b/packages/api/src/controllers/auth.js
index 0171f3ae0..1d1b127ab 100644
--- a/packages/api/src/controllers/auth.js
+++ b/packages/api/src/controllers/auth.js
@@ -90,6 +90,24 @@ module.exports = {
 ) {
 return { error: `Username ${login} not allowed to log in` };
 }
+
+ const groups =
+ process.env.OAUTH_GROUP_FIELD && payload && payload[process.env.OAUTH_GROUP_FIELD]
+ ? payload[process.env.OAUTH_GROUP_FIELD]
+ : [];
+
+ const allowedGroups =
+ process.env.OAUTH_ALLOWED_GROUPS
+ ? process.env.OAUTH_ALLOWED_GROUPS.split(',').map(group => group.toLowerCase().trim())
+ : [];
+
+ if (
+ process.env.OAUTH_ALLOWED_GROUPS &&
+ !groups.some(group => allowedGroups.includes(group.toLowerCase().trim()))
+ ) {
+ return { error: `Username ${login} does not belong to an allowed group` };
+ }
+
 if (access_token) {
 return {
 accessToken: jwt.sign({ login }, tokenSecret, { expiresIn: getTokenLifetime() }),
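Review bot: The `groups.some(...)` check assumes the claim read from `payload[process.env.OAUTH_GROUP_FIELD]` is an array of strings; if the identity provider emits a single string or non-string entries, `.some` or `group.toLowerCase()` throws instead of returning the explicit `does not belong to an allowed group` error. Normalising first, e.g. `const groupList = (Array.isArray(groups) ? groups : [groups]).map(String);`, keeps the denial path deliberate. Adding `.filter(Boolean)` after the `.map(...)` on `allowedGroups` would stop a trailing comma in `OAUTH_ALLOWED_GROUPS` from admitting an empty group name. Where `payload` is produced is outside the hunk, so it is worth confirming it comes from a signature-verified token before its claims gate login. The enclosing function starts and ends outside the hunk.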