
feat: add support for oauth whitelist file (#817) #826

Open
djedditt wants to merge 1 commit into tinyauthapp:main from djedditt:feat/oauth-whitelist-file


@djedditt djedditt commented Apr 29, 2026

Fixes #817.

Added TINYAUTH_OAUTH_WHITELISTFILE support for loading whitelist entries from a file, merged with the existing inline whitelist config. This follows the same pattern as auth users/usersfile. Extracted shared inline/file parsing into reusable string utils.

Summary by CodeRabbit

Release Notes

  • New Features
    • OAuth domain whitelist can now be loaded from an external file path, providing a flexible alternative to inline configuration for easier management and updates of authorized OAuth domains.

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Apr 29, 2026

coderabbitai Bot commented Apr 29, 2026

📝 Walkthrough

This change introduces file-based OAuth whitelist support, enabling whitelists to be loaded from a filesystem path (TINYAUTH_OAUTH_WHITELISTFILE) as an alternative to inline comma-separated values. A new utility function consolidates values from both sources during bootstrap initialization, and the auth service consumes the consolidated result from application context.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Utilities: internal/config/config.go, internal/utils/string_utils.go, internal/utils/string_utils_test.go | Added WhitelistFile field to OAuthConfig struct. Introduced ParseNonEmptyLines and GetStringList utility functions to parse multi-line text and merge inline config values with file-based entries; includes comprehensive test coverage. |
| Bootstrap Integration: internal/bootstrap/app_bootstrap.go, internal/bootstrap/service_bootstrap.go | Modified app bootstrap to load consolidated OAuth whitelist during Setup via GetStringList, storing result in context. Updated service bootstrap to consume whitelist from context instead of raw config. |
| Refactoring: internal/utils/user_utils.go | Simplified GetUsers to delegate string aggregation and file handling to the new GetStringList utility, reducing manual parsing logic. |
| Documentation: .env.example | Added environment variable documentation for TINYAUTH_OAUTH_WHITELISTFILE. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 OAuth whitelists now take flight,
From files instead of comma-delimited sight!
No more string truncation woes and pain,
Configuration's hopping down a cleaner lane.
Parse those lines, trim that space—
Bootstrap loads with newfound grace! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding support for OAuth whitelist file configuration, matching the PR's core objective. |
| Linked Issues check | ✅ Passed | The PR successfully implements the requested OAuth whitelist file support following the USERS/USERSFILE pattern, reading from file or inline config. |
| Out of Scope Changes check | ✅ Passed | All changes are in scope: new config field, utility functions for parsing, OAuth whitelist file loading, and refactored user utilities to use shared helpers. |



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
internal/utils/string_utils_test.go (1)

4-4: Harden temp-file test setup to avoid collisions and OS-specific assertions.

Line 69 and Line 87 use fixed /tmp/... paths, and Line 88 asserts an OS-specific error string. Prefer t.TempDir() + errors.Is(err, os.ErrNotExist) for stable tests.

Proposed test hardening diff
 import (
+	"errors"
 	"os"
+	"path/filepath"
 	"testing"
@@
 func TestGetStringList(t *testing.T) {
-	file, err := os.Create("/tmp/tinyauth_list_test_file")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString(" third@example.com \n\n fourth@example.com \n")
-	assert.NilError(t, err)
-
-	err = file.Close()
-	assert.NilError(t, err)
-	defer os.Remove("/tmp/tinyauth_list_test_file")
+	tmpDir := t.TempDir()
+	filePath := filepath.Join(tmpDir, "tinyauth_list_test_file")
+	err := os.WriteFile(filePath, []byte(" third@example.com \n\n fourth@example.com \n"), 0o600)
+	assert.NilError(t, err)
 
-	values, err := utils.GetStringList([]string{" first@example.com ", "", "second@example.com"}, "/tmp/tinyauth_list_test_file")
+	values, err := utils.GetStringList([]string{" first@example.com ", "", "second@example.com"}, filePath)
 	assert.NilError(t, err)
 	assert.DeepEqual(t, []string{"first@example.com", "second@example.com", "third@example.com", "fourth@example.com"}, values)
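Review bot: The fixture in TestGetStringList uses four distinct addresses, so nothing here pins down what GetStringList returns when the same entry appears both inline and in the file. Because the result feeds the OAuth whitelist, add a case with one overlapping entry and assert the expected slice, so the duplicate handling of the merge is fixed by a test rather than left implicit.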
@@
-	values, err = utils.GetStringList(nil, "/tmp/non_existing_list_file")
-	assert.ErrorContains(t, err, "no such file or directory")
+	values, err = utils.GetStringList(nil, filepath.Join(tmpDir, "non_existing_list_file"))
+	assert.Assert(t, errors.Is(err, os.ErrNotExist))
 	assert.DeepEqual(t, []string{}, values)
 }
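Review bot: The `errors.Is(err, os.ErrNotExist)` assertion on the missing-file case only passes if GetStringList returns the os error itself or wraps it with `%w`; confirm that before dropping `ErrorContains`. If the assert package here is gotest.tools, `assert.ErrorIs(t, err, os.ErrNotExist)` gives a clearer failure message than `assert.Assert`. The next line expects an empty slice alongside the non-nil error, so it is worth checking that the bootstrap caller treats the error as fatal rather than continuing with the empty list.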

Also applies to: 69-90

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@internal/utils/string_utils_test.go` at line 4, Tests in
internal/utils/string_utils_test.go use hard-coded /tmp/... paths and assert
OS-specific error text; update the failing test setup to use t.TempDir() to
create unique temp directories and files, construct expected paths relative to
that temp dir instead of using fixed /tmp paths, and replace string equality on
the error with errors.Is(err, os.ErrNotExist) (importing "errors" and "os" as
needed). Locate the test function(s) that reference the fixed paths and the
error assertion (search for the hard-coded "/tmp/" literals and the assertion
comparing err.Error()) and modify them to use t.TempDir(), build paths with
filepath.Join, and use errors.Is for the non-existence check.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between d51e3ef and 6b5a6bd.

📒 Files selected for processing (7)
  • .env.example
  • internal/bootstrap/app_bootstrap.go
  • internal/bootstrap/service_bootstrap.go
  • internal/config/config.go
  • internal/utils/string_utils.go
  • internal/utils/string_utils_test.go
  • internal/utils/user_utils.go
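
The merge of inline and file-based whitelist entries that the walkthrough describes and the proposed test exercises, as an added example that is not tinyauth's code. `mergeWhitelist` is a hypothetical helper; its de-duplication and its nil list on error are assumptions, not behaviour confirmed by this PR, and the addresses are constructed sample data.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// mergeWhitelist is a hypothetical helper (not tinyauth's GetStringList).
// It merges inline entries with the lines of an optional file, trims
// whitespace, drops blanks and duplicates, and keeps first-seen order.
func mergeWhitelist(inline []string, path string) ([]string, error) {
	candidates := append([]string{}, inline...)
	if path != "" {
		data, err := os.ReadFile(filepath.Clean(path))
		if err != nil {
			// %w keeps os.ErrNotExist testable with errors.Is; the nil
			// list means a partial whitelist is never used by mistake.
			return nil, fmt.Errorf("read whitelist file %q: %w", path, err)
		}
		candidates = append(candidates, strings.Split(string(data), "\n")...)
	}
	seen := make(map[string]bool)
	merged := []string{}
	for _, c := range candidates {
		entry := strings.TrimSpace(c) // also strips the \r of CRLF files
		if entry == "" || seen[entry] {
			continue
		}
		seen[entry] = true
		merged = append(merged, entry)
	}
	return merged, nil
}

func main() {
	dir, err := os.MkdirTemp("", "whitelist-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	file := filepath.Join(dir, "oauth_whitelist") // constructed sample file
	os.WriteFile(file, []byte(" third@example.com \r\n\n first@example.com\n"), 0o600)
	fmt.Println(mergeWhitelist([]string{" first@example.com ", "", "second@example.com"}, file))
	fmt.Println(mergeWhitelist(nil, filepath.Join(dir, "missing")))
}
```
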


Development

Successfully merging this pull request may close these issues.

[FEATURE] add OAUTH_WHITELISTFILE support (file-based alternative to OAUTH_WHITELIST env var)
