Added the optional oauth allowed roles environment variable

- Setting this prevents users without the specified roles from accessing the Fider instance

Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

Author: JimKnoxx

.example.env

@@ -23,6 +23,8 @@ OAUTH_GOOGLE_SECRET=
 OAUTH_GITHUB_CLIENTID=
 OAUTH_GITHUB_SECRET=
 
+OAUTH_ALLOWED_ROLES=
+
 EMAIL_NOREPLY=noreply@yourdomain.com
 
 #EMAIL_MAILGUN_API=

app/actions/oauth.go

@@ -33,6 +33,7 @@ type CreateEditOAuthConfig struct {
 	JSONUserIDPath    string           `json:"jsonUserIDPath"`
 	JSONUserNamePath  string           `json:"jsonUserNamePath"`
 	JSONUserEmailPath string           `json:"jsonUserEmailPath"`
+	JSONUserRolesPath string           `json:"jsonUserRolesPath"`
 }
 
 func NewCreateEditOAuthConfig() *CreateEditOAuthConfig {
@@ -184,5 +185,9 @@ func (action *CreateEditOAuthConfig) Validate(ctx context.Context, user *entity.
 		result.AddFieldFailure("jsonUserEmailPath", "JSON User Email Path must have less than 100 characters.")
 	}
 
+	if len(action.JSONUserRolesPath) > 100 {
+		result.AddFieldFailure("jsonUserRolesPath", "JSON User Roles Path must have less than 100 characters.")
+	}
+
 	return result
 }

app/cmd/routes.go

@@ -120,6 +120,7 @@ func routes(r *web.Engine) *web.Engine {
 	r.Get("/signin/complete", handlers.CompleteSignInProfilePage())
 	r.Get("/loginemailsent", handlers.LoginEmailSentPage())
 	r.Get("/not-invited", handlers.NotInvitedPage())
+	r.Get("/access-denied", handlers.AccessDeniedPage())
 	r.Get("/signin/verify", handlers.VerifySignInKey(enum.EmailVerificationKindSignIn))
 	r.Get("/invite/verify", handlers.VerifySignInKey(enum.EmailVerificationKindUserInvitation))
 	r.Post("/_api/signin/complete", handlers.CompleteSignInProfile())

app/handlers/admin.go

@@ -242,6 +242,7 @@ func SaveOAuthConfig() web.HandlerFunc {
 				JSONUserIDPath:    action.JSONUserIDPath,
 				JSONUserNamePath:  action.JSONUserNamePath,
 				JSONUserEmailPath: action.JSONUserEmailPath,
+				JSONUserRolesPath: action.JSONUserRolesPath,
 			},
 		); err != nil {
 			return c.Failure(err)

app/handlers/oauth.go

@@ -17,6 +17,7 @@ import (
 	"github.com/getfider/fider/app/pkg/bus"
 
 	"github.com/getfider/fider/app"
+	"github.com/getfider/fider/app/pkg/env"
 	"github.com/getfider/fider/app/pkg/errors"
 	"github.com/getfider/fider/app/pkg/jwt"
 	"github.com/getfider/fider/app/pkg/log"
@@ -91,6 +92,17 @@ func OAuthToken() web.HandlerFunc {
 			return c.Failure(err)
 		}
 
+		// Check if user has required roles (if OAUTH_ALLOWED_ROLES is configured)
+		if !hasAllowedRole(oauthUser.Result.Roles) {
+			log.Warnf(c, "User @{UserID} attempted OAuth login but does not have required role. User roles: @{UserRoles}, Allowed roles: @{AllowedRoles}",
+				dto.Props{
+					"UserID":       oauthUser.Result.ID,
+					"UserRoles":    oauthUser.Result.Roles,
+					"AllowedRoles": env.Config.OAuth.AllowedRoles,
+				})
+			return c.Redirect("/access-denied")
+		}
+
 		var user *entity.User
 
 		userByProvider := &query.GetUserByProvider{Provider: provider, UID: oauthUser.Result.ID}
@@ -264,3 +276,42 @@ func SignInByOAuth() web.HandlerFunc {
 		return c.Redirect(authURL.Result)
 	}
 }
+
+// hasAllowedRole checks if the user has any of the allowed roles configured in OAUTH_ALLOWED_ROLES
+// If OAUTH_ALLOWED_ROLES is not set or empty, all users are allowed (returns true)
+// If set, user must have at least one of the specified roles
+func hasAllowedRole(userRoles []string) bool {
+	allowedRolesConfig := strings.TrimSpace(env.Config.OAuth.AllowedRoles)
+
+	// If no roles restriction is configured, allow all users
+	if allowedRolesConfig == "" {
+		return true
+	}
+
+	// Parse allowed roles from config (semicolon-separated)
+	allowedRoles := strings.Split(allowedRolesConfig, ";")
+	allowedRolesMap := make(map[string]bool)
+	for _, role := range allowedRoles {
+		role = strings.TrimSpace(role)
+		if role != "" {
+			allowedRolesMap[role] = true
+		}
+	}
+
+	// If no valid roles in config, allow all
+	if len(allowedRolesMap) == 0 {
+		return true
+	}
+
+	// Check if user has any of the allowed roles
+	for _, userRole := range userRoles {
+		userRole = strings.TrimSpace(userRole)
+		if allowedRolesMap[userRole] {
+			return true
+		}
+	}
+
+	// User doesn't have any of the required roles
+	return false
+}
+

app/handlers/signin.go

@@ -71,6 +71,17 @@ func NotInvitedPage() web.HandlerFunc {
 	}
 }
 
+// AccessDeniedPage renders the access denied page for OAuth role mismatches
+func AccessDeniedPage() web.HandlerFunc {
+	return func(c *web.Context) error {
+		return c.Page(http.StatusForbidden, web.Props{
+			Page:        "Error/AccessDenied.page",
+			Title:       "Access Denied",
+			Description: "You do not have the required permissions to access this site.",
+		})
+	}
+}
+
 // SignInByEmail checks if user exists and sends code only for existing users
 func SignInByEmail() web.HandlerFunc {
 	return func(c *web.Context) error {

app/models/cmd/oauth.go

@@ -20,6 +20,7 @@ type SaveCustomOAuthConfig struct {
 	JSONUserIDPath    string
 	JSONUserNamePath  string
 	JSONUserEmailPath string
+	JSONUserRolesPath string
 }
 
 type ParseOAuthRawProfile struct {

app/models/dto/oauth.go

@@ -2,9 +2,10 @@ package dto
 
 //OAuthUserProfile represents an OAuth user profile
 type OAuthUserProfile struct {
-	ID    string `json:"id"`
-	Name  string `json:"name"`
-	Email string `json:"email"`
+	ID    string   `json:"id"`
+	Name  string   `json:"name"`
+	Email string   `json:"email"`
+	Roles []string `json:"roles"`
 }
 
 //OAuthProviderOption represents an OAuth provider that can be used to authenticate

app/models/entity/oauth.go

@@ -27,6 +27,7 @@ type OAuthConfig struct {
 	JSONUserIDPath    string
 	JSONUserNamePath  string
 	JSONUserEmailPath string
+	JSONUserRolesPath string
 }
 
 // MarshalJSON returns the JSON encoding of OAuthConfig
@@ -51,5 +52,6 @@ func (o OAuthConfig) MarshalJSON() ([]byte, error) {
 		"jsonUserIDPath":    o.JSONUserIDPath,
 		"jsonUserNamePath":  o.JSONUserNamePath,
 		"jsonUserEmailPath": o.JSONUserEmailPath,
+		"jsonUserRolesPath": o.JSONUserRolesPath,
 	})
 }

app/pkg/env/env.go

@@ -99,6 +99,7 @@ type config struct {
 			ClientID string `env:"OAUTH_GITHUB_CLIENTID"`
 			Secret   string `env:"OAUTH_GITHUB_SECRET"`
 		}
+		AllowedRoles string `env:"OAUTH_ALLOWED_ROLES"`
 	}
 	Email struct {
 		Type      string `env:"EMAIL"` // possible values: smtp, mailgun, awsses