Merge branch 'main' into release

Author: AndrewG828

.env_template

@@ -9,3 +9,5 @@ PORT=
 IMAGE_UPLOAD_URL=
 UPLOAD_BUCKET_NAME=
 UPLOAD_SIZE_LIMIT=
+# Comma-separated full email addresses allowed in addition to @cornell.edu (case-insensitive)
+EMAIL_WHITELIST=

src/api/middlewares/FirebaseAuth.ts

@@ -7,6 +7,10 @@ import {
 import { firebaseAdmin } from "../../firebase";
 import { getManager } from "typeorm";
 import { UserModel } from "../../models/UserModel";
+import {
+  buildForbiddenEmailMessage,
+  isAllowedLoginEmail,
+} from "../../utils/allowlistedEmail";
 
 export const FirebaseCurrentUserChecker = async (
   action: Action,
@@ -25,9 +29,8 @@ export const FirebaseCurrentUserChecker = async (
     const decodedToken = await firebaseAdmin.auth().verifyIdToken(token);
     const userId = decodedToken.uid;
     const email = decodedToken.email;
-    // Enforce Cornell email domain restriction
-    if (email && !email.endsWith("@cornell.edu")) {
-      throw new ForbiddenError("Only Cornell email addresses are allowed");
+    if (!isAllowedLoginEmail(email)) {
+      throw new ForbiddenError(buildForbiddenEmailMessage(email));
     }
     // Fetch and return the user from the database
     const user = await getManager().findOne(UserModel, {
@@ -38,6 +41,9 @@ export const FirebaseCurrentUserChecker = async (
     }
     return user;
   } catch (error) {
+    if (error instanceof ForbiddenError || error instanceof NotFoundError) {
+      throw error;
+    }
     throw new UnauthorizedError("Invalid or expired authorization token");
   }
 };

src/app.ts

@@ -26,6 +26,10 @@ import resellConnection from './utils/DB';
 import { ReportService } from './services/ReportService';
 import { reportToString } from './utils/Requests';
 import { startTransactionConfirmationCron } from './cron/transactionCron';
+import {
+  buildForbiddenEmailMessage,
+  isAllowedLoginEmail,
+} from './utils/allowlistedEmail';
 
 // Setup dependency injection containers
 routingUseContainer(Container);
@@ -56,13 +60,12 @@ async function main() {
       try {
         // Verify the token using Firebase Admin SDK
         const decodedToken = await admin.auth().verifyIdToken(token);
-        // Check if the email is a Cornell email
         const email = decodedToken.email;
         const userId = decodedToken.uid;
         action.request.email = email;
         action.request.firebaseUid = userId;
-        if (!email || !email.endsWith("@cornell.edu")) {
-          throw new ForbiddenError("Only Cornell email addresses are allowed");
+        if (!isAllowedLoginEmail(email)) {
+          throw new ForbiddenError(buildForbiddenEmailMessage(email));
         }
         // Find or create user in your database using Firebase UID
         const manager = getManager();

src/utils/allowlistedEmail.ts

@@ -0,0 +1,79 @@
+const CORNELL_SUFFIX = "@cornell.edu";
+
+function normalizeEmail(email: string): string {
+  return email.trim().toLowerCase();
+}
+
+/** Full addresses from EMAIL_WHITELIST (comma-separated), lowercased. */
+export function getEmailWhitelist(): Set<string> {
+  const raw = process.env.EMAIL_WHITELIST ?? "";
+  const set = new Set<string>();
+  for (const part of raw.split(",")) {
+    const normalized = normalizeEmail(part);
+    if (normalized.length > 0) {
+      set.add(normalized);
+    }
+  }
+  return set;
+}
+
+/**
+ * True if the Firebase user email may use the API: @cornell.edu or listed in EMAIL_WHITELIST.
+ * When true, `email` is a non-empty string.
+ */
+export function isAllowedLoginEmail(
+  email: string | undefined,
+  whitelist: Set<string> = getEmailWhitelist(),
+): email is string {
+  if (!email) {
+    return false;
+  }
+  const e = normalizeEmail(email);
+  if (e.endsWith(CORNELL_SUFFIX)) {
+    return true;
+  }
+  return whitelist.has(e);
+}
+
+function isProdEnv(): boolean {
+  return process.env.IS_PROD?.toLowerCase() === "true";
+}
+
+/**
+ * Human-readable token email for logs / dev error text (never throws).
+ */
+export function normalizedTokenEmailForDebug(
+  email: string | undefined,
+): string {
+  if (!email || !email.trim()) {
+    return "(no email claim on ID token)";
+  }
+  return normalizeEmail(email);
+}
+
+/**
+ * 403 message for disallowed emails. In non-prod, includes normalized token
+ * email and parsed EMAIL_WHITELIST for debugging. Prod stays generic.
+ * Always logs a line to stderr when called.
+ */
+export function buildForbiddenEmailMessage(email: string | undefined): string {
+  const base =
+    "Only Cornell email addresses or whitelisted emails are allowed.";
+  const normalizedFromToken = normalizedTokenEmailForDebug(email);
+  const whitelistEntries = Array.from(getEmailWhitelist()).sort();
+  const listText =
+    whitelistEntries.length > 0
+      ? whitelistEntries.join(", ")
+      : "(EMAIL_WHITELIST is empty)";
+
+  console.warn("[email-auth] rejected", {
+    normalizedFromToken,
+    whitelistEntryCount: whitelistEntries.length,
+    whitelistEntries: isProdEnv() ? "[redacted in prod logs]" : whitelistEntries,
+  });
+
+  if (isProdEnv()) {
+    return base;
+  }
+  return `${base} Token email (normalized): "${normalizedFromToken}". Whitelist: ${listText}.`;
+}