feat(infra): Add WAF implementation (#5213) (#5217)

justin-tahara · web-flow · commit 32f20f2e2efd · 2025-08-19T13:01:40.000-07:00
* feat(infra): Add WAF implementation

* Addressing greptile comments

* Additional removal of unnecessary code
diff --git a/backend/onyx/auth/users.py b/backend/onyx/auth/users.py
@@ -241,7 +241,7 @@ def verify_email_domain(email: str) -> None:
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail="Email is not valid",
             )
-        domain = email.split("@")[-1]
+        domain = email.split("@")[-1].lower()
         if domain not in VALID_EMAIL_DOMAINS:
             raise HTTPException(
                 status_code=status.HTTP_400_BAD_REQUEST,
diff --git a/backend/onyx/configs/app_configs.py b/backend/onyx/configs/app_configs.py
@@ -108,7 +108,11 @@
     os.environ.get("VALID_EMAIL_DOMAINS", "") or _VALID_EMAIL_DOMAIN
 )
 VALID_EMAIL_DOMAINS = (
-    [domain.strip() for domain in _VALID_EMAIL_DOMAINS_STR.split(",")]
+    [
+        domain.strip().lower()
+        for domain in _VALID_EMAIL_DOMAINS_STR.split(",")
+        if domain.strip()
+    ]
     if _VALID_EMAIL_DOMAINS_STR
     else []
 )
diff --git a/backend/tests/unit/onyx/auth/test_verify_email_domain.py b/backend/tests/unit/onyx/auth/test_verify_email_domain.py
@@ -0,0 +1,37 @@
+import pytest
+from fastapi import HTTPException
+
+import onyx.auth.users as users
+from onyx.auth.users import verify_email_domain
+
+
+def test_verify_email_domain_allows_case_insensitive_match(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    # Configure whitelist to lowercase while email has uppercase domain
+    monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+    # Should not raise
+    verify_email_domain("User@EXAMPLE.COM")
+
+
+def test_verify_email_domain_rejects_non_whitelisted_domain(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+    with pytest.raises(HTTPException) as exc:
+        verify_email_domain("user@another.com")
+    assert exc.value.status_code == 400
+    assert "Email domain is not valid" in exc.value.detail
+
+
+def test_verify_email_domain_invalid_email_format(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+    with pytest.raises(HTTPException) as exc:
+        verify_email_domain("userexample.com")  # missing '@'
+    assert exc.value.status_code == 400
+    assert "Email is not valid" in exc.value.detail

Original file line number	Diff line number	Diff line change
`@@ -241,7 +241,7 @@ def verify_email_domain(email: str) -> None:`
`241`	`241`	`status_code=status.HTTP_400_BAD_REQUEST,`
`242`	`242`	`detail="Email is not valid",`
`243`	`243`	`)`
`244`		`- domain = email.split("@")[-1]`
	`244`	`+ domain = email.split("@")[-1].lower()`
`245`	`245`	`if domain not in VALID_EMAIL_DOMAINS:`
`246`	`246`	`raise HTTPException(`
`247`	`247`	`status_code=status.HTTP_400_BAD_REQUEST,`
Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,11 @@`
`108`	`108`	`os.environ.get("VALID_EMAIL_DOMAINS", "") or _VALID_EMAIL_DOMAIN`
`109`	`109`	`)`
`110`	`110`	`VALID_EMAIL_DOMAINS = (`
`111`		`- [domain.strip() for domain in _VALID_EMAIL_DOMAINS_STR.split(",")]`
	`111`	`+ [`
	`112`	`+ domain.strip().lower()`
	`113`	`+ for domain in _VALID_EMAIL_DOMAINS_STR.split(",")`
	`114`	`+ if domain.strip()`
	`115`	`+ ]`
`112`	`116`	`if _VALID_EMAIL_DOMAINS_STR`
`113`	`117`	`else []`
`114`	`118`	`)`