SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Is there a way to restrict google sign-ins only to a single domain? for organisations or school mails. I am using supertoken with NestJs and Vue.

Hey <@610188897980383287> it is possible. I’ll get back in 30 mins or so

You can do that by:
- overriding the signinup recipe function in your recipe (I am assuming you are using ThirdParty recipe) to check the email's domain.
- If the email domain doesn't match, you would return a FIELD_ERROR with custom message. Then on the frontend, you can check for this output and display the message

i can show you some code if you tell me which recipe

I blindly followed to docs. will check the recipe and get back to you in a minute

I am using a ThirdPartyEmailPassword.Google recipe if that's what you are asking

it would be great if you could show some code

```
ThirdPartyEmailPassword.init({
    override: {
        functions: (oI) => {
            return {
                ...oI,
                thirdPartySignInUp: async function (input) {
                    let email = input.email;
                    if (!isEmailAllowed(email)) { // your custom email check
                        return {
                            status: "FIELD_ERROR",
                            message: "Email not allowed to sign up / in"
                        }
                    }
                    return oI.thirdPartySignInUp(input);
                }
            }
        }
    }
})
```

```js

export class SupertokensService {
  constructor(@Inject(ConfigInjectionToken) private config: AuthModuleConfig) {
    supertokens.init({
      appInfo: config.appInfo,
      supertokens: {
        connectionURI:
          'fooBar',
        apiKey: 'fooBar',
      },
      recipeList: [
        ThirdPartyEmailPassword.init({
            override: {
                functions: (oI) => {
                    return {
                        ...oI,
                        thirdPartySignInUp: async function (input) {
                            let email = input.email;
                            if (!isEmailAllowed(email)) { // your custom email check
                                return {
                                    status: "FIELD_ERROR",
                                    message: "Email not allowed to sign up / in"
                                }
                            }
                            return oI.thirdPartySignInUp(input);
                        }
                    }
                }
            },
          providers: [
            ThirdPartyEmailPassword.Google({
              clientId:
                'fooBar',
              clientSecret: 'fooBar',
            })
          ],
        }),
        Session.init(),
      ],
    });
  }
}
```
Hey <@498057949541826571> will it look something like this then?

unknown

this `email` stores the userId and if he is verified or not, for `isEmailAllowed` I would be needing the email itself right?

email.id is the email ID. Not the user Id

<@498057949541826571> this works, thanks man!

just a nitpick its `error: "Email not allowed to sign up / in"` right?