feat: Add sample RegistrationGuard for domain-restricted registration

devondragon · devondragon · commit 5ba86c4a1a40 · 2026-03-12T09:29:53.000-06:00
Add a profile-gated DomainRegistrationGuard that restricts form/passwordless registration to @example.com emails while allowing all OAuth2/OIDC registrations. Activated only with the `registration-guard` Spring profile. Also bump library dependency to 4.2.3-SNAPSHOT and fix UserServiceTest for the new SessionInvalidationService constructor parameter. Closes #61 Ref: devondragon/SpringUserFramework#271
diff --git a/build.gradle b/build.gradle
@@ -39,7 +39,7 @@ repositories {
 
 dependencies {
     // DigitalSanctuary Spring User Framework
-    implementation 'com.digitalsanctuary:ds-spring-user-framework:4.2.1'
+    implementation 'com.digitalsanctuary:ds-spring-user-framework:4.2.3-SNAPSHOT'
 
     // WebAuthn support (Passkey authentication)
     implementation 'org.springframework.security:spring-security-webauthn'
diff --git a/src/main/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuard.java b/src/main/java/com/digitalsanctuary/spring/demo/registration/DomainRegistrationGuard.java
@@ -0,0 +1,61 @@
+package com.digitalsanctuary.spring.demo.registration;
+
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Component;
+
+import com.digitalsanctuary.spring.user.registration.RegistrationContext;
+import com.digitalsanctuary.spring.user.registration.RegistrationDecision;
+import com.digitalsanctuary.spring.user.registration.RegistrationGuard;
+import com.digitalsanctuary.spring.user.registration.RegistrationSource;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Sample {@link RegistrationGuard} that restricts form and passwordless registration to
+ * {@code @example.com} email addresses while allowing all OAuth2/OIDC registrations.
+ *
+ * <p>This guard is only active when the {@code registration-guard} Spring profile is enabled.
+ * To try it out, add {@code registration-guard} to your active profiles:</p>
+ *
+ * <pre>
+ * ./gradlew bootRun --args='--spring.profiles.active=local,registration-guard'
+ * </pre>
+ *
+ * <p>See the
+ * <a href="https://github.com/devondragon/SpringUserFramework/blob/main/REGISTRATION-GUARD.md">
+ * Registration Guard documentation</a> for the full SPI reference.</p>
+ *
+ * @see RegistrationGuard
+ * @see RegistrationContext
+ * @see RegistrationDecision
+ */
+@Slf4j
+@Component
+@Profile("registration-guard")
+public class DomainRegistrationGuard implements RegistrationGuard {
+
+    private static final String ALLOWED_DOMAIN = "@example.com";
+
+    @Override
+    public RegistrationDecision evaluate(RegistrationContext context) {
+        log.debug("Evaluating registration for email: {}, source: {}, provider: {}",
+                context.email(), context.source(), context.providerName());
+
+        // Allow all OAuth2/OIDC registrations regardless of email domain
+        if (context.source() == RegistrationSource.OAUTH2
+                || context.source() == RegistrationSource.OIDC) {
+            log.debug("Allowing {} registration for: {}", context.source(), context.email());
+            return RegistrationDecision.allow();
+        }
+
+        // For form/passwordless, restrict to the allowed domain
+        if (context.email() != null && context.email().toLowerCase().endsWith(ALLOWED_DOMAIN)) {
+            log.debug("Allowing registration for approved domain: {}", context.email());
+            return RegistrationDecision.allow();
+        }
+
+        log.info("Denied registration for: {} (domain not allowed)", context.email());
+        return RegistrationDecision.deny(
+                "Registration is restricted to " + ALLOWED_DOMAIN + " email addresses.");
+    }
+}
diff --git a/src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java b/src/test/java/com/digitalsanctuary/spring/user/service/UserServiceTest.java
@@ -55,6 +55,9 @@ public class UserServiceTest {
     @Mock
     private PasswordHistoryRepository passwordHistoryRepository;
 
+    @Mock
+    private SessionInvalidationService sessionInvalidationService;
+
     private UserService userService;
     private User testUser;
     private UserDto testUserDto;
@@ -78,7 +81,7 @@ void setUp() {
 
         userService = new UserService(userRepository, tokenRepository, passwordTokenRepository, passwordEncoder,
                 roleRepository, sessionRegistry, userEmailService, userVerificationService, authorityService,
-                dsUserDetailsService, eventPublisher, passwordHistoryRepository);
+                dsUserDetailsService, eventPublisher, passwordHistoryRepository, sessionInvalidationService);
     }
 
     @Test
