From 2b4ed248b1738ba57293934eb1fcdd59a0c85189 Mon Sep 17 00:00:00 2001
From: Paul Gschwendtner
Date: Mon, 22 Aug 2022 09:19:55 +0000
Subject: [PATCH] fix(apps): ensure credential service login only works with `@google.com` mail

Currently we just test if @google.com is part of the email. With custom domains it looks like this could be abused to something like: `paul@google.com.my-domain.net`
---
 apps/account-functions/before-create.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/account-functions/before-create.ts b/apps/account-functions/before-create.ts
index a4b55614d..a922d0f4a 100644
--- a/apps/account-functions/before-create.ts
+++ b/apps/account-functions/before-create.ts
@@ -1,8 +1,11 @@
 import {Auth, https, UserRecord} from 'gcip-cloud-functions';
-/** Validate accounts before their creation using google cloud before create syncronous function. */
+/**
+ * Validate accounts before their creation using google cloud before create
+ * synchronous function.
+ */
 export const beforeCreate = new Auth().functions().beforeCreateHandler((user: UserRecord) => {
- if (user.email && user.email.indexOf('@google.com') === -1) {
+ if (user.email && !user.email.endsWith('@google.com')) {
 throw new https.HttpsError('invalid-argument', `Unauthorized email "${user.email}"`);
 }
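Review bot: The domain check on the new `if` line is still guarded by `user.email &&`, so a record that arrives without an email skips the check and is not rejected by this branch; if the service is meant to admit only `@google.com` accounts, fail closed with `if (!user.email || !user.email.endsWith('@google.com')) {`. The suffix match also only proves what the address string looks like, not that the address was verified, so unless sign-up is restricted to a provider that asserts the email (not visible in this hunk), consider also requiring `user.emailVerified`. The handler's body continues past the last line shown here, so any later checks are outside this review.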