From ea1f9d7debfb760924680657edbf94fb49cbd445 Mon Sep 17 00:00:00 2001
From: Jori Lallo
Date: Wed, 21 Sep 2016 23:02:29 -0700
Subject: [PATCH] Use Slack's domain for whitelisting
---
 server/api/auth.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/server/api/auth.js b/server/api/auth.js
index 5a7545b0..8aa84e72 100644
--- a/server/api/auth.js
+++ b/server/api/auth.js
@@ -84,8 +84,10 @@ router.post('auth.slack', async (ctx) => {
 if (!data.ok) throw httpErrors.BadRequest(data.error);
 // Temp to block
- const allowedSlackIds = process.env.ALLOWED_SLACK_IDS.split(',');
- if (!allowedSlackIds.includes(data.team.id)) throw httpErrors.BadRequest('Invalid Slack team');
+ const allowedSlackDomains = process.env.ALLOWED_SLACK_DOMAINS.split(',');
+ if (!allowedSlackDomains.includes(data.team.domain)) {
+ throw httpErrors.BadRequest('Invalid Slack team');
+ }
 // User
 let user = await User.findOne({ where: { slackId: data.user.id } });
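Review bot: The allowlist check now keys the authorization decision on `data.team.domain`, a workspace-chosen name that can be changed, whereas the `data.team.id` it replaces is a stable identifier. If an allowed workspace renames itself and the old name is later taken by another workspace, that workspace would pass this check, so prefer keeping the ID as the authoritative key (or checking both) and say next to `// Temp to block` why the domain is used. Separately, `process.env.ALLOWED_SLACK_DOMAINS.split(',')` throws a TypeError on every login when the variable is unset, which is likely for deployments still configured with `ALLOWED_SLACK_IDS`, and entries are not trimmed; `const allowedSlackDomains = (process.env.ALLOWED_SLACK_DOMAINS || '').split(',').map((d) => d.trim()).filter(Boolean);` rejects with the intended 400 instead. The `auth.slack` handler starts and ends outside the hunk, so where `data` comes from is not visible here.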