
fix: New user is created on SAML login even if attribute-based login control failure (#4422)

- verifySAMLResponseByABLCRule() should be executed before getOrCreateUser()
Akihiro Nakashima 4 лет назад
Родитель
Сommit
c827944dc0
1 измененных файлов с 5 добавлено и 5 удалено
  1. 5 5
      packages/app/src/server/routes/login-passport.js

+ 5 - 5
packages/app/src/server/routes/login-passport.js

@@ -467,6 +467,11 @@ module.exports = function(crowi, app) {
       userInfo.name = `${response[attrMapFirstName]} ${response[attrMapLastName]}`.trim();
     }
 
+    // Attribute-based Login Control
+    if (!crowi.passportService.verifySAMLResponseByABLCRule(response)) {
+      return loginFailureHandler(req, res, 'Sign in failure due to insufficient privileges.');
+    }
+
     const externalAccount = await getOrCreateUser(req, res, userInfo, providerId);
     if (!externalAccount) {
       return loginFailureHandler(req, res);
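Review bot: The comment `// Attribute-based Login Control` on the moved block does not record why the check has to sit at this position, and the ordering is the whole security property: placed after `getOrCreateUser()`, a SAML response that fails the rule still gets an account provisioned before it is rejected. I would extend the comment to something like `// Attribute-based Login Control: must run before getOrCreateUser() so a rejected SAML response never provisions an account`. A regression test asserting that no user record exists after a response that fails the rule would keep a later refactor from moving the check back. The denial goes through `loginFailureHandler` with only a message; whether that path writes a log entry is not visible here, so it is worth confirming that rejected ABLC attempts are recorded. The enclosing handler starts and ends outside this hunk.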
@@ -474,11 +479,6 @@ module.exports = function(crowi, app) {
 
     const user = await externalAccount.getPopulatedUser();
 
-    // Attribute-based Login Control
-    if (!crowi.passportService.verifySAMLResponseByABLCRule(response)) {
-      return loginFailureHandler(req, res, 'Sign in failure due to insufficient privileges.');
-    }
-
     // login
     req.logIn(user, (err) => {
       if (err != null) {