Adding documentation around blocking a domain

[jeremyf]

Explain the changes

Addressing the following issue: Allow admins to set a list of disallowed emails for sign up. · Issue #281 · forem/rfcs

The following pull requests introduced changes to complete the issue:

• Guarding against spam from OAuth Sources by jeremyf · Pull Request #15404 · forem/forem
• Adding ability to block domains from registration by jeremyf · Pull Request #15397 · forem/forem
• Moving blocked registration domains up by jeremyf · Pull Request #15403 · forem/forem

Suggested changes

This change impacts the administrative settings, by introducing a new field. When you fill out a comma separate list of domains, and save the change, future attempts to register via that OAuth provider will fail if their associated email is from any of the blocked domains.

Additional context

Note: There is an edge case around whether or not they've stated "Only allow emails from this domain." If that is set, the OAuth2 authentication and email checks will also honor that.

[ellativity]

@jeremyf thanks for this issue! I'm just wanting to clarify one small thing:

Note: There is an edge case around whether or not they've stated "Only allow emails from this domain." If that is set, the OAuth2 authentication and email checks will also honor that.

This means that "only allow" overrides "never allow" if both fields contain the same domains?

[jeremyf]

I mis-explained.

There is the logic of is it an acceptable domain:

https://github.com/forem/forem/blob/7ba0b49ea8ee7b64481ef55351f847574018a846/app/models/settings/authentication.rb#L45-L54

That logic is used for both OAuth email checks and enabled email checks. And if the domain is blocked, that takes precedence.

The edge case is when we have both Email Enabled registration and OAuth enabled registration, and someone fills in a blocked domain of "gmail.com" and an allowed domain of "yahoo.com". From that point forward the logic will block anyone with "gmail.com" and then only allow someone from "yahoo.com". The end result being only emails, via email registration or OAuth, that are "yahoo.com" will be allowed.

I think it's a super edge case but one that might help in trouble shooting. (And if we need to, it's a quick change to rework that logic for the two different registration vectors)

[FounderCasey]

Documentation has been updated here: https://admin.forem.com/docs/advanced-customization/config/authentication#block-email-domains