Fixed whitelisted emails.

Author: AndrewG828

src/api/middlewares/FirebaseAuth.ts

@@ -7,7 +7,10 @@ import {
 import { firebaseAdmin } from "../../firebase";
 import { getManager } from "typeorm";
 import { UserModel } from "../../models/UserModel";
-import { isAllowedLoginEmail } from "../../utils/allowlistedEmail";
+import {
+  buildForbiddenEmailMessage,
+  isAllowedLoginEmail,
+} from "../../utils/allowlistedEmail";
 
 export const FirebaseCurrentUserChecker = async (
   action: Action,
@@ -27,9 +30,7 @@ export const FirebaseCurrentUserChecker = async (
     const userId = decodedToken.uid;
     const email = decodedToken.email;
     if (!isAllowedLoginEmail(email)) {
-      throw new ForbiddenError(
-        "Only Cornell email addresses or allowlisted emails are allowed",
-      );
+      throw new ForbiddenError(buildForbiddenEmailMessage(email));
     }
     // Fetch and return the user from the database
     const user = await getManager().findOne(UserModel, {
@@ -40,6 +41,9 @@ export const FirebaseCurrentUserChecker = async (
     }
     return user;
   } catch (error) {
+    if (error instanceof ForbiddenError || error instanceof NotFoundError) {
+      throw error;
+    }
     throw new UnauthorizedError("Invalid or expired authorization token");
   }
 };

src/app.ts

@@ -26,7 +26,10 @@ import resellConnection from './utils/DB';
 import { ReportService } from './services/ReportService';
 import { reportToString } from './utils/Requests';
 import { startTransactionConfirmationCron } from './cron/transactionCron';
-import { isAllowedLoginEmail } from './utils/allowlistedEmail';
+import {
+  buildForbiddenEmailMessage,
+  isAllowedLoginEmail,
+} from './utils/allowlistedEmail';
 
 // Setup dependency injection containers
 routingUseContainer(Container);
@@ -62,9 +65,7 @@ async function main() {
         action.request.email = email;
         action.request.firebaseUid = userId;
         if (!isAllowedLoginEmail(email)) {
-          throw new ForbiddenError(
-            "Only Cornell email addresses or allowlisted emails are allowed",
-          );
+          throw new ForbiddenError(buildForbiddenEmailMessage(email));
         }
         // Find or create user in your database using Firebase UID
         const manager = getManager();

src/utils/allowlistedEmail.ts

@@ -34,3 +34,46 @@ export function isAllowedLoginEmail(
   }
   return whitelist.has(e);
 }
+
+function isProdEnv(): boolean {
+  return process.env.IS_PROD?.toLowerCase() === "true";
+}
+
+/**
+ * Human-readable token email for logs / dev error text (never throws).
+ */
+export function normalizedTokenEmailForDebug(
+  email: string | undefined,
+): string {
+  if (!email || !email.trim()) {
+    return "(no email claim on ID token)";
+  }
+  return normalizeEmail(email);
+}
+
+/**
+ * 403 message for disallowed emails. In non-prod, includes normalized token
+ * email and parsed EMAIL_WHITELIST for debugging. Prod stays generic.
+ * Always logs a line to stderr when called.
+ */
+export function buildForbiddenEmailMessage(email: string | undefined): string {
+  const base =
+    "Only Cornell email addresses or whitelisted emails are allowed.";
+  const normalizedFromToken = normalizedTokenEmailForDebug(email);
+  const whitelistEntries = Array.from(getEmailWhitelist()).sort();
+  const listText =
+    whitelistEntries.length > 0
+      ? whitelistEntries.join(", ")
+      : "(EMAIL_WHITELIST is empty)";
+
+  console.warn("[email-auth] rejected", {
+    normalizedFromToken,
+    whitelistEntryCount: whitelistEntries.length,
+    whitelistEntries: isProdEnv() ? "[redacted in prod logs]" : whitelistEntries,
+  });
+
+  if (isProdEnv()) {
+    return base;
+  }
+  return `${base} Token email (normalized): "${normalizedFromToken}". Whitelist: ${listText}.`;
+}