Make the registration webhook be a blocker for undesired emails

Signed-off-by: Federico Busetti <[email protected]>

Author: febus982

auth_volumes/kratos/kratos.yml

@@ -81,26 +81,18 @@ selfservice:
     registration:
       lifespan: 10m
       ui_url: http://127.0.0.1:8080/registration
+
       after:
         password:
           hooks:
-            - hook: session
             - hook: web_hook
               config:
                 url: http://dev:8000/user_registered/
                 method: "POST"
-#                headers: { }
-                # https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#jsonnet-templating
                 body: file:///etc/config/kratos/user_registered.jsonnet
-                can_interrupt: false
-                emit_analytics_event: false
-#                auth:
-#                  type: api_key
-#                  config:
-#                    name: ""
-#                    value: ""
-#                    in: header
-#            - hook: show_verification_ui
+                can_interrupt: true
+                emit_analytics_event: true
+            - hook: session
 
 log:
   level: info

auth_volumes/kratos/user_registered.jsonnet

@@ -1,7 +1,4 @@
 function(ctx) {
     user_id: ctx.identity.id,
-    traits: {
     email: ctx.identity.traits.email,
-    name: ctx.identity.traits.name,
-  }
 }

src/http_app/routes/user_registered_hook.py

@@ -1,12 +1,64 @@
 import logging
 
-from fastapi import APIRouter, Request
+from fastapi import APIRouter, status
+from fastapi.responses import JSONResponse, Response
+from pydantic import BaseModel
 
 router = APIRouter(prefix="/user_registered")
 
 
+class UserRegisteredWebhook(BaseModel):
+    user_id: str
+    email: str
+
+
 @router.post("/")
-async def user_registered(request: Request):  # pragma: no cover
-    # Here we could check the email and add staff metadata to the identity
-    logging.info("User registered", extra={"body": await request.json()})
-    return {"user_registered": "OK"}
+async def user_registered(user: UserRegisteredWebhook):  # pragma: no cover
+    """
+    Handles the user registration webhook.
+
+    This function is triggered when a user registration webhook is received.
+    It logs the event details, evaluates the email validity, and returns an
+    appropriate HTTP response based on the validation. If the user's email
+    is invalid, it returns an error response along with a structured error
+    message. Otherwise, it confirms successful processing with no additional
+    content.
+
+    Args:
+        user (UserRegisteredWebhook): The webhook payload received when a user
+            registers, containing user details such as email and traits.
+
+    Returns:
+        Response: An HTTP response with a 403 Forbidden status and structured
+            error message if the user email is invalid.
+            Otherwise, an HTTP 204 No Content response to confirm successful
+            processing.
+    """
+    logging.info("User registered", extra={"user": user.model_dump()})
+
+    error_message = {
+        "messages": [
+            {
+                "instance_ptr": "#/traits/email",
+                "messages": [
+                    {
+                        "id": 123,  # Error id to be evaluated in frontend
+                        "text": "You are not allowed to register.",
+                        "type": "error",
+                        "context": {  # Additional context we can send to the Frontend
+                            "value": "short value",
+                            "any": "additional information",
+                        },
+                    }
+                ],
+            }
+        ]
+    }
+
+    if user.email == "[email protected]":
+        return JSONResponse(
+            error_message,
+            status.HTTP_403_FORBIDDEN,
+        )
+    else:
+        return Response(status_code=status.HTTP_204_NO_CONTENT)