({ user, email, credentials })
| 145 | }, |
| 146 | callbacks: { |
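/**
 * Sign-in gate that enforces the signup domain allow-list.
 *
 * When CAP_ALLOWED_SIGNUP_DOMAINS is unset every sign-in is allowed. Otherwise
 * the address is taken from `user.email`, then `email`, then
 * `credentials.email`, lower-cased, and looked up in `users`. An address with
 * no existing row must pass `isEmailAllowedForSignup` or the sign-in is refused.
 *
 * @param {object} params
 * @param {object} [params.user] - `user.email` is the preferred address source.
 * @param {*} [params.email] - used only when it is a string.
 * @param {object} [params.credentials] - `credentials.email` is the last fallback.
 * @returns {Promise<boolean>} `false` only for a new address outside the allow-list.
 */
async signIn({ user, email, credentials }) {
  const allowedDomains = serverEnv().CAP_ALLOWED_SIGNUP_DOMAINS;
  // No allow-list configured: signup is unrestricted.
  if (!allowedDomains) return true;

  const rawEmail =
    user?.email ||
    (typeof email === "string"
      ? email
      : typeof credentials?.email === "string"
        ? credentials.email
        : null);
  // NOTE(review): this fails open. With an allow-list configured, a sign-in
  // that carries no usable address skips the domain check entirely. Confirm
  // that no configured provider can reach this branch for a new account, or
  // deny here instead.
  if (!rawEmail || typeof rawEmail !== "string") return true;
  const userEmail = rawEmail.toLowerCase();

  // NOTE(review): the lookup compares against the lower-cased address, so it
  // presumably relies on stored addresses being lower-cased too. Verify
  // against the code that writes `users.email`.
  const [existingUser] = await db()
    .select()
    .from(users)
    .where(eq(users.email, userEmail))
    .limit(1);

  // Only apply domain restrictions for new users, existing ones can always sign in
  if (!existingUser && !isEmailAllowedForSignup(userEmail, allowedDomains)) {
    // Log the domain only, JSON-escaped. The address is caller-supplied, so
    // the full value is personal data and may carry control characters that
    // would forge log lines.
    const atIndex = userEmail.lastIndexOf("@");
    const domain = atIndex === -1 ? "(no domain)" : userEmail.slice(atIndex + 1);
    console.warn(`Signup blocked for email domain: ${JSON.stringify(domain)}`);
    return false;
  }

  return true;
},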
| 178 | async session({ token, session }) { |
| 179 | if (!session.user) return session; |
| 180 |
nothing calls this directly
no test coverage detected