From 494c3c3b82463d63c3aecc7a86c758fa6b7467c0 Mon Sep 17 00:00:00 2001
From: Justin Tahara <105671973+justin-tahara@users.noreply.github.com>
Date: Mon, 18 Aug 2025 17:45:50 -0700
Subject: [PATCH] feat(infra): Add WAF implementation (#5213)
* feat(infra): Add WAF implementation
* Addressing greptile comments
* Additional removal of unnecessary code
---
 backend/onyx/auth/users.py | 2 +-
 backend/onyx/configs/app_configs.py | 6 ++-
 .../onyx/auth/test_verify_email_domain.py | 37 +++++++++++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 backend/tests/unit/onyx/auth/test_verify_email_domain.py
diff --git a/backend/onyx/auth/users.py b/backend/onyx/auth/users.py
index 977b99cdb8..5838501757 100644
--- a/backend/onyx/auth/users.py
+++ b/backend/onyx/auth/users.py
@@ -241,7 +241,7 @@ def verify_email_domain(email: str) -> None:
 status_code=status.HTTP_400_BAD_REQUEST,
 detail="Email is not valid",
 )
- domain = email.split("@")[-1]
+ domain = email.split("@")[-1].lower()
 if domain not in VALID_EMAIL_DOMAINS:
 raise HTTPException(
 status_code=status.HTTP_400_BAD_REQUEST,
diff --git a/backend/onyx/configs/app_configs.py b/backend/onyx/configs/app_configs.py
index 61b7530e07..cbc33d1f6c 100644
--- a/backend/onyx/configs/app_configs.py
+++ b/backend/onyx/configs/app_configs.py
@@ -108,7 +108,11 @@
 os.environ.get("VALID_EMAIL_DOMAINS", "") or _VALID_EMAIL_DOMAIN
 )
 VALID_EMAIL_DOMAINS = (
- [domain.strip() for domain in _VALID_EMAIL_DOMAINS_STR.split(",")]
+ [
+ domain.strip().lower()
+ for domain in _VALID_EMAIL_DOMAINS_STR.split(",")
+ if domain.strip()
+ ]
 if _VALID_EMAIL_DOMAINS_STR
 else []
 )
diff --git a/backend/tests/unit/onyx/auth/test_verify_email_domain.py b/backend/tests/unit/onyx/auth/test_verify_email_domain.py
new file mode 100644
index 0000000000..ee21f85aa5
--- /dev/null
+++ b/backend/tests/unit/onyx/auth/test_verify_email_domain.py
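Review bot: `str.lower()` on the new `domain = email.split("@")[-1].lower()` line is a full Unicode case mapping, not an ASCII one, so a domain containing a lookalike such as U+212A KELVIN SIGN (`"\u212a".lower() == "k"`) satisfies the whitelist while the caller keeps the original, un-normalised address (the function returns `None`, so only the check sees the lowered form) — unless the validity check just above the hunk already rejects non-ASCII input, which is not visible here. Since the allow-list is compared as plain hostnames, restrict the comparison to ASCII before membership: `if not domain.isascii() or domain not in VALID_EMAIL_DOMAINS:` (or IDNA-encode both sides if internationalised domains are expected). `split("@")[-1]` deliberately takes the text after the last `@`, which is the right choice for quoted local parts but deserves a one-line comment saying so. `verify_email_domain` begins before and ends after this hunk.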
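Review bot: The new `if domain.strip()` filter changes what a whitespace- or comma-only `VALID_EMAIL_DOMAINS` value yields: `" , "` used to produce `["", ""]`, which makes `verify_email_domain` reject every address, and now produces `[]`. If any caller treats an empty list as "no restriction" (not visible in this hunk), a mistyped value would silently disable the whitelist instead of failing closed, so it is worth a startup warning when the raw string is non-empty but no domains survive the filter. With the filter in place the outer `if _VALID_EMAIL_DOMAINS_STR ... else []` is redundant, because `"".split(",")` gives `[""]` which the `if domain.strip()` clause already drops; the comprehension alone suffices. The `_VALID_EMAIL_DOMAINS_STR` assignment that feeds this starts above the hunk.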
@@ -0,0 +1,37 @@
+import pytest
+from fastapi import HTTPException
+
+import onyx.auth.users as users
+from onyx.auth.users import verify_email_domain
+
+
+def test_verify_email_domain_allows_case_insensitive_match(
+ monkeypatch: pytest.MonkeyPatch,
+) -> None:
+ # Configure whitelist to lowercase while email has uppercase domain
+ monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+ # Should not raise
+ verify_email_domain("User@EXAMPLE.COM")
+
+
+def test_verify_email_domain_rejects_non_whitelisted_domain(
+ monkeypatch: pytest.MonkeyPatch,
+) -> None:
+ monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+ with pytest.raises(HTTPException) as exc:
+ verify_email_domain("user@another.com")
+ assert exc.value.status_code == 400
+ assert "Email domain is not valid" in exc.value.detail
+
+
+def test_verify_email_domain_invalid_email_format(
+ monkeypatch: pytest.MonkeyPatch,
+) -> None:
+ monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"], raising=False)
+
+ with pytest.raises(HTTPException) as exc:
+ verify_email_domain("userexample.com") # missing '@'
+ assert exc.value.status_code == 400
+ assert "Email is not valid" in exc.value.detail
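Review bot: `raising=False` on every `monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ...)` call means that if the name is ever renamed or imported differently in `users`, the patch silently creates a dead attribute and all three tests run against the real, environment-derived whitelist instead of failing loudly; drop it and use `monkeypatch.setattr(users, "VALID_EMAIL_DOMAINS", ["example.com"])`. The tests also only exercise the `.lower()` on the email side — the config-side normalisation added in `app_configs.py` (lowercasing entries and dropping blank ones) has no coverage, so a whitelist set to `" Example.COM , ,"` is never shown to become `["example.com"]`; a test that sets the env var via `monkeypatch.setenv` and reloads `onyx.configs.app_configs` would pin that. The first test's comment `# Configure whitelist to lowercase while email has uppercase domain` reads as if it were the whitelist being lowercased; `# Whitelist is lowercase; the email's domain is uppercase and must still match` says what is actually asserted.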