Merge pull request #409 from gaepdit/388-filter-account-authenticatio…

…n-by-domain

388 filter account authentication by domain

FMS.Domain/Entities/Users/ApplicationUser.cs

@@ -29,6 +29,8 @@ public class ApplicationUser : IdentityUser<Guid>
         /// In ASP.NET Core, the OpenID Connect middleware converts some of the claim types when it populates the
         /// Claims collection for the user principal:
         /// oid -> http://schemas.microsoft.com/identity/claims/objectidentifier
+        ///
+        /// <para>ID token claims reference: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#use-claims-to-reliably-identify-a-user</para>
         /// </summary>
         [PersonalData]
         public string ObjectId { get; set; }

FMS/Pages/Account/ExternalLogin.cshtml.cs

@@ -113,6 +113,12 @@ public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, str
                 return RedirectToLoginPageWithError("Error loading detailed work account information.");
             }
 
+            if (!preferredUserName.IsValidEmailDomain())
+            {
+                _logger.LogWarning("User {UserName} with invalid email domain attempted signin", preferredUserName);
+                return RedirectToPage("./Unavailable");
+            }
+
             // Determine if a user account already exists.
             var user = await _userManager.FindByNameAsync(preferredUserName);
 

FMS/Pages/Users/UserDomainValidation.cs

@@ -0,0 +1,8 @@
+namespace FMS.Domain.Entities.Users
+{
+    public static class UserDomainValidation
+    {
+        public static bool IsValidEmailDomain(this string email) =>
+            email.EndsWith("@dnr.ga.gov", System.StringComparison.CurrentCultureIgnoreCase);
+    }
+}