feat: support provider-specific OAuth whitelists #882

Open
puneetdixit200 wants to merge 1 commit into tinyauthapp:main from puneetdixit200:feature/622-provider-oauth-whitelist

@puneetdixit200 puneetdixit200 commented May 20, 2026

Summary

  • Add per-provider OAuth whitelist and whitelist file config fields.
  • Use a provider-specific whitelist during OAuth callbacks and session validation when one is configured; otherwise keep the existing global OAuth whitelist behavior.
  • Document the new provider-level env vars in .env.example.

Closes #622

Validation

  • go test ./internal/service -run TestIsEmailWhitelistedUsesProviderSpecificList -count=1
  • go test ./internal/service ./internal/controller ./internal/model ./internal/utils ./internal/utils/decoders
  • go test ./... (with a temporary internal/assets/dist/index.html placeholder so the Go embed target exists in a fresh checkout; removed before commit)
  • git diff HEAD^ --check

AI assistance

OpenAI GPT-5 assisted with repository navigation, drafting the focused regression test, and summarizing validation. I reviewed the change and take responsibility for the submitted code.

Summary by CodeRabbit

  • New Features

    • Added support for per-OAuth-provider email whitelists. Configure separate allowlists for each provider using TINYAUTH_OAUTH_PROVIDERS_<name>_WHITELIST and TINYAUTH_OAUTH_PROVIDERS_<name>_WHITELISTFILE environment variables. Provider-specific whitelists override the global whitelist when configured.
  • Tests

    • Added unit test for provider-specific whitelist functionality.

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label May 20, 2026

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b2929020-9c67-468c-8c1e-aa64c580e8c1

📥 Commits

Reviewing files that changed from the base of the PR and between 3194f4b and 4852cfd.

📒 Files selected for processing (7)
  • .env.example
  • internal/bootstrap/app_bootstrap.go
  • internal/controller/oauth_controller.go
  • internal/middleware/context_middleware.go
  • internal/model/config.go
  • internal/service/auth_service.go
  • internal/service/auth_service_test.go

Walkthrough

The PR enables per-provider OAuth email whitelisting by extending the configuration model with provider-specific allowlists, loading them during bootstrap, updating the auth service to accept and evaluate provider context, and integrating these changes into OAuth callback and session middleware paths.

Changes

Provider-specific OAuth whitelists

| Layer / File(s) | Summary |
|---|---|
| Config contract and environment variables (.env.example, internal/model/config.go) | Environment template and OAuthServiceConfig struct now define per-provider Whitelist and WhitelistFile fields with YAML bindings. |
| Bootstrap provider whitelist loading (internal/bootstrap/app_bootstrap.go) | Application setup loads each provider's whitelist from configuration or file using utils.GetStringList(), assigning the resolved list to the provider and failing fast on load errors. |
| Auth service provider-specific evaluation (internal/service/auth_service.go, internal/service/auth_service_test.go) | IsEmailWhitelisted signature expanded to accept provider argument; method selects provider-specific whitelist when available, otherwise falls back to global whitelist; new unit test validates fallback and provider-matching behavior. |
| OAuth callback and session middleware integration (internal/controller/oauth_controller.go, internal/middleware/context_middleware.go) | OAuth callback handler and session cookie authentication both updated to pass provider ID alongside email to IsEmailWhitelisted, enabling provider-scoped access control. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • tinyauthapp/tinyauth#826: Shares the utils.GetStringList() file-backed whitelist loading mechanism and config structure pattern; this PR extends that infrastructure to provider-specific contexts.

Suggested labels

size:M, lgtm

Suggested reviewers

  • steveiliop56
  • Rycochet

Poem

A whitelist per provider, the feature now shines, ✨
GitHub sees one list, while PocketID defines,
Bootstrap loads them all, with fallback so grand,
OAuth now tailors each email across the land! 🐰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: support provider-specific OAuth whitelists' clearly summarizes the main change: adding provider-specific whitelist support to OAuth configuration. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #622 by implementing provider-specific OAuth whitelists with fallback to global whitelist, allowing different emails per OAuth provider. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing provider-specific OAuth whitelists: config model updates, bootstrap loading, auth service logic, controller/middleware callbacks, environment documentation, and unit tests. |

Development

Successfully merging this pull request may close these issues.

[FEATURE] OAuth whitelist provider specific
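
The lookup order described in the PR summary and walkthrough above (a provider's own whitelist when one is configured, otherwise the global OAuth whitelist), as an added Go sketch that is not code from this PR or from tinyauth. The `Policy` type, `listFor`, `samplePolicy`, the sample addresses, exact case-insensitive matching, and "an empty effective list matches nobody" are all assumptions of the sketch; it shows that a provider list replaces the global list rather than extending it.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a hypothetical model: one global list plus one list per provider ID.
type Policy struct {
	Global    []string
	Providers map[string][]string
}

// listFor returns the provider's own whitelist when it is non-empty,
// otherwise the global whitelist (the fallback the PR describes).
func (p Policy) listFor(provider string) []string {
	if list := p.Providers[provider]; len(list) > 0 {
		return list
	}
	return p.Global
}

// IsEmailWhitelisted checks email against the list that applies to provider.
// Assumption: exact, case-insensitive match; an empty list matches nobody.
func (p Policy) IsEmailWhitelisted(provider, email string) bool {
	for _, entry := range p.listFor(provider) {
		if strings.EqualFold(strings.TrimSpace(entry), email) {
			return true
		}
	}
	return false
}

// samplePolicy is constructed sample data, not taken from the PR.
func samplePolicy() Policy {
	return Policy{
		Global: []string{"alice@example.com"},
		Providers: map[string][]string{
			"github":   {"bob@example.com"},
			"pocketid": nil, // provider present, no list configured
		},
	}
}

func main() {
	p := samplePolicy()
	for _, c := range [][2]string{{"github", "alice@example.com"}, {"google", "alice@example.com"}} {
		fmt.Printf("%s via %s: %v\n", c[1], c[0], p.IsEmailWhitelisted(c[0], c[1]))
	}
}
```

The same provider ID has to be supplied at session validation as at the OAuth callback, otherwise a session created under one provider's list would be re-checked against a different list.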
