feat: add support of `hd` auth parameter to work with G Suite domains (#4010)

server/modules/authentication/google/authentication.js

@@ -9,14 +9,16 @@ const _ = require('lodash')
 
 module.exports = {
   init (passport, conf) {
-    passport.use('google',
-      new GoogleStrategy({
+    const strategy = new GoogleStrategy({
       clientID: conf.clientId,
       clientSecret: conf.clientSecret,
       callbackURL: conf.callbackURL,
       passReqToCallback: true
     }, async (req, accessToken, refreshToken, profile, cb) => {
       try {
+        if (conf.hostedDomain && conf.hostedDomain != profile._json.hd) {
+          throw new Error('Google authentication should have been performed with domain ' + conf.hostedDomain)
+        }
         const user = await WIKI.models.users.processProfile({
           providerKey: req.params.strategy,
           profile: {
@@ -29,7 +31,16 @@ module.exports = {
         cb(err, null)
       }
     })
-    )
+
+    if (conf.hostedDomain) {
+      strategy.authorizationParams = function(options) {
+        return {
+          hd: conf.hostedDomain
+        }
+      }
+    }
+
+    passport.use('google', strategy)
   },
   logout (conf) {
     return '/'

server/modules/authentication/google/definition.yml

@@ -22,3 +22,8 @@ props:
     title: Client Secret
     hint: Application Client Secret
     order: 2
+  hostedDomain:
+    type: String
+    title: Hosted Domain
+    hint: (optional) Only for G Suite hosted domain. Leave empty otherwise.
+    order: 3