From 4360cd039730ec627c948ed1d8b651661216290c Mon Sep 17 00:00:00 2001
From: Prashant Shahi
Date: Sat, 27 Jul 2024 09:52:53 +0530
Subject: [PATCH] fix(saml): handle invalid email domain (#5580)
### Summary
Handle the scenario when email with domain is used for SSO Login which does not match authenticated domains.
Signed-off-by: Prashant Shahi
---
 ee/query-service/dao/sqlite/auth.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ee/query-service/dao/sqlite/auth.go b/ee/query-service/dao/sqlite/auth.go
index 4418b04cbf..b8bc5e0fa0 100644
--- a/ee/query-service/dao/sqlite/auth.go
+++ b/ee/query-service/dao/sqlite/auth.go
@@ -20,11 +20,14 @@ import (
 func (m *modelDao) createUserForSAMLRequest(ctx context.Context, email string) (*basemodel.User, basemodel.BaseApiError) {
 // get auth domain from email domain
 domain, apierr := m.GetDomainByEmail(ctx, email)
-
 if apierr != nil {
 zap.L().Error("failed to get domain from email", zap.Error(apierr))
 return nil, model.InternalErrorStr("failed to get domain from email")
 }
+ if domain == nil {
+ zap.L().Error("email domain does not match any authenticated domain", zap.String("email", email))
+ return nil, model.InternalErrorStr("email domain does not match any authenticated domain")
+ }
 hash, err := baseauth.PasswordHash(utils.GeneratePassowrd())
 if err != nil {
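Review bot: The new `domain == nil` branch logs the full address with `zap.String("email", email)` at error level on a path that runs while the SSO login is still being resolved, so any caller-supplied address lands in the logs and every mistyped or probing login raises an error-level event. Consider dropping the field or logging only the domain part, at warn level, e.g. `zap.L().Warn("email domain does not match any authenticated domain")`. The branch also returns `model.InternalErrorStr(...)`, which classifies a rejected login as a server fault; if the model package offers a client-error or forbidden constructor, that would presumably map to a more accurate status and keep these rejections out of 5xx alerting. createUserForSAMLRequest continues past the end of the hunk, so how `domain` is used afterwards is not visible here.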