diff --git a/app/controllers/devise_overrides/omniauth_callbacks_controller.rb b/app/controllers/devise_overrides/omniauth_callbacks_controller.rb index e1cf76d6b..2b3ea9067 100644 --- a/app/controllers/devise_overrides/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_overrides/omniauth_callbacks_controller.rb @@ -55,7 +55,7 @@ class DeviseOverrides::OmniauthCallbacksController < DeviseTokenAuth::OmniauthCa def validate_business_account? # return true if the user is a business account, false if it is a gmail account - auth_hash['info']['email'].exclude?('@gmail.com') + auth_hash['info']['email'].downcase.exclude?('@gmail.com') end def create_account_for_user diff --git a/spec/controllers/devise/omniauth_callbacks_controller_spec.rb b/spec/controllers/devise/omniauth_callbacks_controller_spec.rb index b6c5cd781..3513b9c34 100644 --- a/spec/controllers/devise/omniauth_callbacks_controller_spec.rb +++ b/spec/controllers/devise/omniauth_callbacks_controller_spec.rb @@ -56,6 +56,23 @@ RSpec.describe 'DeviseOverrides::OmniauthCallbacksController', type: :request do end end + it 'blocks personal accounts signup with different Gmail case variations' do + with_modified_env ENABLE_ACCOUNT_SIGNUP: 'true' do + # Test different case variations of Gmail + ['personal@Gmail.com', 'personal@GMAIL.com', 'personal@Gmail.COM'].each do |email| + set_omniauth_config(email) + get '/omniauth/google_oauth2/callback' + + # expect a 302 redirect to auth/google_oauth2/callback + expect(response).to redirect_to('http://www.example.com/auth/google_oauth2/callback') + follow_redirect! + + # expect a 302 redirect to app/login with error disallowing personal accounts + expect(response).to redirect_to(%r{/app/login\?error=business-account-only$}) + end + end + end + # This test does not affect line coverage, but it is important to ensure that the logic # does not allow any signup if the ENV explicitly disables it it 'blocks signup if ENV disabled' do
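Review bot: `exclude?('@gmail.com')` on the lowercased address is still a substring test rather than a domain test, so `downcase` closes the case gap but the predicate continues to reason about where `@gmail.com` appears instead of what the domain actually is (e.g. a `googlemail.com` address, which is the same personal Gmail service, is accepted as a business account, while any legitimate domain that merely contains `gmail.com` as a label is rejected). Comparing the domain part explicitly is both stricter and easier to read: `email = auth_hash['info']['email'].to_s.downcase`, `domain = email.split('@', 2)[1]`, `domain.present? && !%w[gmail.com googlemail.com].include?(domain)` — include `googlemail.com` only if the product intends to treat it as personal, which the hunk does not say. Note that a missing email currently raises `NoMethodError` on `downcase` (as it did before on `exclude?`), i.e. the failure is a 500 rather than a bypass; the suggested form keeps that fail-closed by returning `false` for an empty domain rather than letting `nil` slip through as "business". The enclosing class continues outside this hunk, so whether the caller also checks that the provider marked the email as verified cannot be seen here.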
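Review bot: The new example only asserts the two redirects; it never asserts that no account or user was persisted, so a regression in which the login redirect is still issued but the account-creation path also runs would pass this test. Wrapping the callback in `expect { get '/omniauth/google_oauth2/callback' }.not_to change(User, :count)` (or the account model this app creates in `create_account_for_user`, which is outside the hunk) would make "blocks signup" an actual claim about state. Because the three addresses are iterated inside a single `it`, a failure on the second or third variant reports only the redirect mismatch, not which email triggered it; passing a message such as `expect(response).to redirect_to(%r{/app/login\?error=business-account-only$}), "expected #{email} to be rejected"` (or using `each` at `describe` level to generate one example per address) fixes that. `set_omniauth_config` and the surrounding `describe` block are defined outside this hunk, so I am assuming the helper sets `auth_hash['info']['email']` verbatim without normalizing case itself.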