limiting oauth to specific emails

[ananis25]

question

Enabling say, Google OAuth for an app backed by Supabase would mean everyone with a google account will be able to authenticate. Is is possible to limit auth to users from @yourcompany.com? That is only people with a gmail business account from my company.

possible solutions

• Only allowing invite based auth. But then I have to invite everyone individually.
• Serving the OAuth redirect url page only after checking the email of the authentication user, by filtering out uesrs I don't want to access the app. However, this still lets them sign in.

Is it possible to configure the GoTrue component in Supabase directly to achieve this? Thank you.

[GaryAustin1]

This should work but I've not done it.

You can create a trigger function on "before" for the auth.users table on insert/update. In the trigger function check the domain part of the email against the valid domain string and if not valid, return null else return new.
(New is the record passed in to the trigger function and must be returned in order for the insert/update to complete when using the before option on trigger.)
You might still want to do a user friendly check in the app signup screen, but this insures they don't get to sign in if they bypass your code.

[ananis25]

Thank you, this should do it!

[faisalsayed10]

Hey @GaryAustin1, can you please provide a code example for this trigger function? I was looking to have a similar functionality in my app and I can't find any other answers

[faisalsayed10]

I tried doing this, but it throws a syntax error (I'm not familiar with plpgsql)

begin
  if (new.email.domain != "example.com") then
    return null;
  else
    return new;
end;

[GaryAustin1]

@faisalsayed10 Something like this:

begin
if (split_part(new.email, '@', 2) = 'mydomain.com')
  then return new;
  else return null;
end if;
end;

[faisalsayed10]

thanks!

[wnats]

Hey!

~4 years late but now you could also use a "before user created" auth hook:
https://supabase.com/docs/guides/auth/auth-hooks/before-user-created-hook?queryGroups=language&language=sql#examples

The Postgres function attached to the hook will be called by a principal with the role of supabase_auth_admin which neither bypasses RLS nor is a superuser, so make sure it has enough privileges to the function and any entity it may refer