Add support for multiple allowed email domains + make slack bot logs go to stdout

2025-09-19 12:03:54 +02:00 · 2023-08-30 13:37:20 -07:00
parent 038f646c09
commit cea3e1f3d5
5 changed files with 43 additions and 17 deletions
--- a/backend/danswer/auth/users.py
+++ b/backend/danswer/auth/users.py
@@ -40,7 +40,7 @@ from danswer.configs.app_configs import SMTP_PASS
 from danswer.configs.app_configs import SMTP_PORT
 from danswer.configs.app_configs import SMTP_SERVER
 from danswer.configs.app_configs import SMTP_USER
-from danswer.configs.app_configs import VALID_EMAIL_DOMAIN
+from danswer.configs.app_configs import VALID_EMAIL_DOMAINS
 from danswer.configs.app_configs import WEB_DOMAIN
 from danswer.db.auth import get_access_token_db
 from danswer.db.auth import get_user_count
@@ -77,6 +77,21 @@ def verify_email_in_whitelist(email: str) -> None:
        raise PermissionError("User not on allowed user whitelist")


+def verify_email_domain(email: str) -> None:
+    if VALID_EMAIL_DOMAINS:
+        if email.count("@") != 1:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email is not valid",
+            )
+        domain = email.split("@")[-1]
+        if domain not in VALID_EMAIL_DOMAINS:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email domain is not valid",
+            )
+
+
 def send_user_verification_email(user_email: str, token: str) -> None:
    msg = MIMEMultipart()
    msg["Subject"] = "Danswer Email Verification"
@@ -107,6 +122,7 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
        request: Optional[Request] = None,
    ) -> models.UP:
        verify_email_in_whitelist(user_create.email)
+        verify_email_domain(user_create.email)
        if hasattr(user_create, "role"):
            user_count = await get_user_count()
            if user_count == 0:
@@ -129,6 +145,7 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
        is_verified_by_default: bool = False,
    ) -> models.UOAP:
        verify_email_in_whitelist(account_email)
+        verify_email_domain(account_email)

        return await super().oauth_callback(  # type: ignore
            oauth_name=oauth_name,
@@ -155,18 +172,7 @@ class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
    async def on_after_request_verify(
        self, user: User, token: str, request: Optional[Request] = None
    ) -> None:
-        if VALID_EMAIL_DOMAIN:
-            if user.email.count("@") != 1:
-                raise HTTPException(
-                    status_code=status.HTTP_400_BAD_REQUEST,
-                    detail="Email is not valid",
-                )
-            domain = user.email.split("@")[-1]
-            if domain != VALID_EMAIL_DOMAIN:
-                raise HTTPException(
-                    status_code=status.HTTP_400_BAD_REQUEST,
-                    detail="Email domain is not valid",
-                )
+        verify_email_domain(user.email)

        logger.info(
            f"Verification requested for user {user.id}. Verification token: {token}"
--- a/backend/danswer/configs/app_configs.py
+++ b/backend/danswer/configs/app_configs.py
@@ -45,7 +45,22 @@ SECRET = os.environ.get("SECRET", "")
 SESSION_EXPIRE_TIME_SECONDS = int(
    os.environ.get("SESSION_EXPIRE_TIME_SECONDS", 86400)
 )  # 1 day
-VALID_EMAIL_DOMAIN = os.environ.get("VALID_EMAIL_DOMAIN", "")
+
+# set `VALID_EMAIL_DOMAINS` to a comma seperated list of domains in order to
+# restrict access to Danswer to only users with emails from those domains.
+# E.g. `VALID_EMAIL_DOMAINS=example.com,example.org` will restrict Danswer
+# signups to users with either an @example.com or an @example.org email.
+# NOTE: maintaining `VALID_EMAIL_DOMAIN` to keep backwards compatibility
+_VALID_EMAIL_DOMAIN = os.environ.get("VALID_EMAIL_DOMAIN", "")
+_VALID_EMAIL_DOMAINS_STR = (
+    os.environ.get("VALID_EMAIL_DOMAINS", "") or _VALID_EMAIL_DOMAIN
+)
+VALID_EMAIL_DOMAINS = (
+    [domain.strip() for domain in _VALID_EMAIL_DOMAINS_STR.split(",")]
+    if _VALID_EMAIL_DOMAINS_STR
+    else []
+)
+
 # OAuth Login Flow
 ENABLE_OAUTH = os.environ.get("ENABLE_OAUTH", "").lower() != "false"
 OAUTH_TYPE = os.environ.get("OAUTH_TYPE", "google").lower()
--- a/backend/supervisord.conf
+++ b/backend/supervisord.conf
@@ -39,7 +39,7 @@ startsecs=60

 # pushes all logs from the above programs to stdout
 [program:log-redirect-handler]
-command=tail -qF /var/log/update.log /var/log/connector_deletion.log /var/log/file_deletion.log
+command=tail -qF /var/log/update.log /var/log/connector_deletion.log /var/log/file_deletion.log /var/log/slack_bot_listener.log
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 redirect_stderr=true