Add support to white list GitHub accounts that belong to a particular organisation

[jaredhanson]

That would be authorization related, not authentication related, correct? I consider this out of scope of passport.

[aruizca]

I'd like to disallow authentication for GitHub users that are not public members of a particular organisation. So prior to perform authentication I'd check if the user belongs to that organization via API:

https://api.github.com/users/:username/orgs

The org name would be provided as an optional parameter:

new passportGithub({
      clientID: auth.github.clientId,
      clientSecret: auth.github.clientSecret,
      callbackURL: app.locals.baseUrl + '/auth/github/callback'
      organisation: 'whatever'
    }

I could provide PR

[aruizca]

The use case is the following: we have a WIKI engine called Jingo that we would like to use for our organisation. this WIKI has GitHub authentication and we would like to leverage that. This wiki is using this passport module. The problem is that anyone with a GitHub account would be able to edit the WIKI and we don't want that. Only public members of our GitHub organisation should be able to do that.

[jaredhanson]

Authorization can be done in separate middleware, after authentication.

app.get('/login/github/callback',
  passport.authenticate('github'),
  function authorizeOnlyWhitelistOrgs(req, res, next) {
     if (req.user.organization !== 'whatever') {
       return res.send('Unauthorized');
     }
     next();
  },
  ...

[aruizca]

I think you are right. That way the organization members can be public or private. Thanks heaps!