Ability to restrict authentication to GitHub Org

.env.sample

@@ -1,2 +1,3 @@
 export GITHUB_KEY=[key]
 export GITHUB_SECRET=[secret]
+export GITHUB_TEAM_ID=[team_id]

app/controllers/sessions_controller.rb

@@ -1,11 +1,19 @@
 class SessionsController < ApplicationController
   def create
+    if org.nil? || in_organization?(org)
+      session[:token] = auth.credentials.token
       user = User.find_or_create_from_auth(auth)
       session[:current_user_id] = user.id
       redirect_to root_path
+    else
+      flash[:error] = "You must be in the #{org} organization "\
+                      "to access that page"
+      redirect_to new_session_path
+    end
   end
 
   def destroy
+    session[:token] = nil
     session[:current_user_id] = nil
     @current_user = nil
     redirect_to root_path
@@ -13,6 +21,30 @@ class SessionsController < ApplicationController
 
   private
 
+  def org
+    ENV["GITHUB_ORG"]
+  end
+
+  def in_organization?(org_name)
+    organizations.select do |organization|
+      organization["login"] == org_name
+    end.any?
+  end
+
+  def organizations
+    JSON.parse(get_organizations.body)
+  end
+
+  def get_organizations
+    HTTP.
+      auth("token #{auth.credentials.token}").
+      get(organizations_url)
+  end
+
+  def organizations_url
+    "https://api.github.com/user/orgs"
+  end
+
   def auth
     request.env["omniauth.auth"]
   end

app/views/layouts/application.html.erb

@@ -20,6 +20,10 @@
 
   <main>
     <div class="container">
+      <% flash.each do |name, msg| %>
+        <%= content_tag :div, msg, class: "alert alert-info" %>
+      <% end %>
+
       <%= yield %>
     </div>
   </main>

config/initializers/omniauth.rb

@@ -1,3 +1,6 @@
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :github, ENV["GITHUB_KEY"], ENV["GITHUB_SECRET"]
+  provider :github,
+    ENV["GITHUB_KEY"],
+    ENV["GITHUB_SECRET"],
+    scope: "read:org"
 end