@lobehub/lobehub 2.0.0-next.355 → 2.0.0-next.357

package/src/envs/auth.ts

@@ -6,23 +6,15 @@ declare global {
   // eslint-disable-next-line @typescript-eslint/no-namespace
   namespace NodeJS {
     interface ProcessEnv {
-      // ===== Auth (shared by Better Auth / Next Auth) ===== //
+      // ===== Better Auth ===== //
       AUTH_SECRET?: string;
       AUTH_EMAIL_VERIFICATION?: string;
       ENABLE_MAGIC_LINK?: string;
       AUTH_SSO_PROVIDERS?: string;
       AUTH_TRUSTED_ORIGINS?: string;
+      AUTH_ALLOWED_EMAILS?: string;
 
-      // ===== Next Auth ===== //
-      NEXT_AUTH_SECRET?: string;
-
-      NEXT_AUTH_SSO_PROVIDERS?: string;
-
-      NEXT_AUTH_DEBUG?: string;
-
-      NEXT_AUTH_SSO_SESSION_STRATEGY?: string;
-
-      // ===== Next Auth Provider Credentials ===== //
+      // ===== Auth Provider Credentials ===== //
       AUTH_GOOGLE_ID?: string;
       AUTH_GOOGLE_SECRET?: string;
 
@@ -130,26 +122,14 @@ declare global {
 
 export const getAuthConfig = () => {
   return createEnv({
-    client: {
-      // ---------------------------------- better auth ----------------------------------
-      NEXT_PUBLIC_ENABLE_BETTER_AUTH: z.boolean().optional(),
-
-      // ---------------------------------- next auth ----------------------------------
-      NEXT_PUBLIC_ENABLE_NEXT_AUTH: z.boolean().optional(),
-    },
+    client: {},
     server: {
-      // ---------------------------------- better auth ----------------------------------
       AUTH_SECRET: z.string().optional(),
       AUTH_SSO_PROVIDERS: z.string().optional().default(''),
       AUTH_TRUSTED_ORIGINS: z.string().optional(),
       AUTH_EMAIL_VERIFICATION: z.boolean().optional().default(false),
       ENABLE_MAGIC_LINK: z.boolean().optional().default(false),
-
-      // ---------------------------------- next auth ----------------------------------
-      NEXT_AUTH_SECRET: z.string().optional(),
-      NEXT_AUTH_SSO_PROVIDERS: z.string().optional().default('auth0'),
-      NEXT_AUTH_DEBUG: z.boolean().optional().default(false),
-      NEXT_AUTH_SSO_SESSION_STRATEGY: z.enum(['jwt', 'database']).optional().default('jwt'),
+      AUTH_ALLOWED_EMAILS: z.string().optional(),
 
       AUTH_GOOGLE_ID: z.string().optional(),
       AUTH_GOOGLE_SECRET: z.string().optional(),
@@ -248,33 +228,19 @@ export const getAuthConfig = () => {
     },
 
     runtimeEnv: {
-      // ---------------------------------- better auth ----------------------------------
-      NEXT_PUBLIC_ENABLE_BETTER_AUTH: process.env.NEXT_PUBLIC_ENABLE_BETTER_AUTH === '1',
-      // Fallback to NEXT_PUBLIC_* for seamless migration
-      AUTH_EMAIL_VERIFICATION:
-        process.env.AUTH_EMAIL_VERIFICATION === '1' ||
-        process.env.NEXT_PUBLIC_AUTH_EMAIL_VERIFICATION === '1',
-      ENABLE_MAGIC_LINK:
-        process.env.ENABLE_MAGIC_LINK === '1' || process.env.NEXT_PUBLIC_ENABLE_MAGIC_LINK === '1',
-      // Fallback to NEXT_AUTH_SECRET for seamless migration from next-auth
-      AUTH_SECRET: process.env.AUTH_SECRET || process.env.NEXT_AUTH_SECRET,
-      // Fallback to NEXT_AUTH_SSO_PROVIDERS for seamless migration from next-auth
-      AUTH_SSO_PROVIDERS: process.env.AUTH_SSO_PROVIDERS || process.env.NEXT_AUTH_SSO_PROVIDERS,
+      AUTH_EMAIL_VERIFICATION: process.env.AUTH_EMAIL_VERIFICATION === '1',
+      ENABLE_MAGIC_LINK: process.env.ENABLE_MAGIC_LINK === '1',
+      AUTH_SECRET: process.env.AUTH_SECRET,
+      AUTH_SSO_PROVIDERS: process.env.AUTH_SSO_PROVIDERS,
       AUTH_TRUSTED_ORIGINS: process.env.AUTH_TRUSTED_ORIGINS,
+      AUTH_ALLOWED_EMAILS: process.env.AUTH_ALLOWED_EMAILS,
 
-      // better-auth env for Cognito provider is different from next-auth's one
+      // Cognito provider specific env vars
       AUTH_COGNITO_DOMAIN: process.env.AUTH_COGNITO_DOMAIN,
       AUTH_COGNITO_REGION: process.env.AUTH_COGNITO_REGION,
       AUTH_COGNITO_USERPOOL_ID: process.env.AUTH_COGNITO_USERPOOL_ID,
 
-      // ---------------------------------- next auth ----------------------------------
-      NEXT_PUBLIC_ENABLE_NEXT_AUTH: process.env.NEXT_PUBLIC_ENABLE_NEXT_AUTH === '1',
-      NEXT_AUTH_SSO_PROVIDERS: process.env.NEXT_AUTH_SSO_PROVIDERS,
-      NEXT_AUTH_SECRET: process.env.NEXT_AUTH_SECRET,
-      NEXT_AUTH_DEBUG: !!process.env.NEXT_AUTH_DEBUG,
-      NEXT_AUTH_SSO_SESSION_STRATEGY: process.env.NEXT_AUTH_SSO_SESSION_STRATEGY || 'jwt',
-
-      // Next Auth Provider Credentials
+      // Auth Provider Credentials
       AUTH_GOOGLE_ID: process.env.AUTH_GOOGLE_ID,
       AUTH_GOOGLE_SECRET: process.env.AUTH_GOOGLE_SECRET,
 
@@ -374,11 +340,6 @@ export const getAuthConfig = () => {
 
 export const authEnv = getAuthConfig();
 
-// Auth flags - use process.env directly for build-time dead code elimination
-// Better Auth is the default auth solution when NextAuth is not explicitly enabled
-export const enableNextAuth = process.env.NEXT_PUBLIC_ENABLE_NEXT_AUTH === '1';
-export const enableBetterAuth = !enableNextAuth;
-
 // Auth headers and constants
 export const LOBE_CHAT_AUTH_HEADER = 'X-lobe-chat-auth';
 export const LOBE_CHAT_OIDC_AUTH_HEADER = 'Oidc-Auth';

package/src/envs/email.ts

@@ -9,6 +9,7 @@ declare global {
       EMAIL_SERVICE_PROVIDER?: string;
       RESEND_API_KEY?: string;
       RESEND_FROM?: string;
+      SMTP_FROM?: string;
       SMTP_HOST?: string;
       SMTP_PASS?: string;
       SMTP_PORT?: string;
@@ -24,6 +25,7 @@ export const getEmailConfig = () => {
       EMAIL_SERVICE_PROVIDER: z.enum(['nodemailer', 'resend']).optional(),
       RESEND_API_KEY: z.string().optional(),
       RESEND_FROM: z.string().optional(),
+      SMTP_FROM: z.string().optional(),
       SMTP_HOST: z.string().optional(),
       SMTP_PORT: z.coerce.number().optional(),
       SMTP_SECURE: z.boolean().optional(),
@@ -31,6 +33,7 @@ export const getEmailConfig = () => {
       SMTP_PASS: z.string().optional(),
     },
     runtimeEnv: {
+      SMTP_FROM: process.env.SMTP_FROM,
       SMTP_HOST: process.env.SMTP_HOST,
       SMTP_PORT: process.env.SMTP_PORT ? Number(process.env.SMTP_PORT) : undefined,
       SMTP_SECURE: process.env.SMTP_SECURE === 'true',

package/src/envs/redis.ts

@@ -4,8 +4,6 @@ import { z } from 'zod';
 
 import type { RedisConfig } from '@/libs/redis';
 
-type UpstashRedisConfig = { token: string; url: string };
-
 const parseNumber = (value?: string) => {
   const parsed = Number.parseInt(value ?? '', 10);
 
@@ -30,8 +28,6 @@ export const getRedisEnv = () => {
       REDIS_TLS: parseRedisTls(process.env.REDIS_TLS),
       REDIS_URL: process.env.REDIS_URL,
       REDIS_USERNAME: process.env.REDIS_USERNAME,
-      UPSTASH_REDIS_REST_TOKEN: process.env.UPSTASH_REDIS_REST_TOKEN,
-      UPSTASH_REDIS_REST_URL: process.env.UPSTASH_REDIS_REST_URL,
     },
     server: {
       REDIS_DATABASE: z.number().int().optional(),
@@ -40,67 +36,29 @@ export const getRedisEnv = () => {
       REDIS_TLS: z.boolean().default(false),
       REDIS_URL: z.string().url().optional(),
       REDIS_USERNAME: z.string().optional(),
-      UPSTASH_REDIS_REST_TOKEN: z.string().optional(),
-      UPSTASH_REDIS_REST_URL: z.string().url().optional(),
     },
   });
 };
 
 export const redisEnv = getRedisEnv();
 
-export const getUpstashRedisConfig = (): UpstashRedisConfig | null => {
-  const upstashConfigSchema = z.union([
-    z.object({
-      token: z.string(),
-      url: z.string().url(),
-    }),
-    z.object({
-      token: z.undefined().optional(),
-      url: z.undefined().optional(),
-    }),
-  ]);
-
-  const parsed = upstashConfigSchema.safeParse({
-    token: redisEnv.UPSTASH_REDIS_REST_TOKEN,
-    url: redisEnv.UPSTASH_REDIS_REST_URL,
-  });
-
-  if (!parsed.success) throw parsed.error;
-  if (!parsed.data.token || !parsed.data.url) return null;
-
-  return parsed.data;
-};
-
 export const getRedisConfig = (): RedisConfig => {
-  const prefix = redisEnv.REDIS_PREFIX;
-
-  if (redisEnv.REDIS_URL) {
-    return {
-      database: redisEnv.REDIS_DATABASE,
-      enabled: true,
-      password: redisEnv.REDIS_PASSWORD,
-      prefix,
-      provider: 'redis',
-      tls: redisEnv.REDIS_TLS,
-      url: redisEnv.REDIS_URL,
-      username: redisEnv.REDIS_USERNAME,
-    };
-  }
-
-  const upstashConfig = getUpstashRedisConfig();
-  if (upstashConfig) {
+  if (!redisEnv.REDIS_URL) {
     return {
-      enabled: true,
-      prefix,
-      provider: 'upstash',
-      token: upstashConfig.token,
-      url: upstashConfig.url,
+      enabled: false,
+      prefix: redisEnv.REDIS_PREFIX,
+      tls: false,
+      url: '',
     };
   }
 
   return {
-    enabled: false,
-    prefix,
-    provider: false,
+    database: redisEnv.REDIS_DATABASE,
+    enabled: true,
+    password: redisEnv.REDIS_PASSWORD,
+    prefix: redisEnv.REDIS_PREFIX,
+    tls: redisEnv.REDIS_TLS,
+    url: redisEnv.REDIS_URL,
+    username: redisEnv.REDIS_USERNAME,
   };
 };

package/src/features/ChatInput/ChatInputProvider.tsx

@@ -1,5 +1,8 @@
 import { useEditor } from '@lobehub/editor/react';
-import { type ReactNode, memo, useRef } from 'react';
+import { type MutableRefObject, type ReactNode, memo, useRef } from 'react';
+
+import { useUserStore } from '@/store/user';
+import { labPreferSelectors } from '@/store/user/selectors';
 
 import StoreUpdater, { type StoreUpdaterProps } from './StoreUpdater';
 import { Provider, createStore } from './store';
@@ -8,10 +11,16 @@ interface ChatInputProviderProps extends StoreUpdaterProps {
   children: ReactNode;
 }
 
-export const ChatInputProvider = memo<ChatInputProviderProps>(
+interface ChatInputProviderInnerProps extends StoreUpdaterProps {
+  children: ReactNode;
+  contentRef: MutableRefObject<string>;
+}
+
+const ChatInputProviderInner = memo<ChatInputProviderInnerProps>(
   ({
     agentId,
     children,
+    contentRef,
     leftActions,
     rightActions,
     mobile,
@@ -31,6 +40,7 @@ export const ChatInputProvider = memo<ChatInputProviderProps>(
         createStore={() =>
           createStore({
             allowExpand,
+            contentRef,
             editor,
             leftActions,
             mentionItems,
@@ -60,3 +70,13 @@ export const ChatInputProvider = memo<ChatInputProviderProps>(
     );
   },
 );
+
+export const ChatInputProvider = (props: ChatInputProviderProps) => {
+  const enableRichRender = useUserStore(labPreferSelectors.enableInputMarkdown);
+  // Ref to persist content across re-mounts when enableRichRender changes
+  const contentRef = useRef<string>('');
+
+  return (
+    <ChatInputProviderInner contentRef={contentRef} key={`editor-${enableRichRender}`} {...props} />
+  );
+};

package/src/features/ChatInput/InputEditor/index.tsx

@@ -37,7 +37,7 @@ const className = cx(css`
 `);
 
 const InputEditor = memo<{ defaultRows?: number }>(({ defaultRows = 2 }) => {
-  const [editor, slashMenuRef, send, updateMarkdownContent, expand, mentionItems] =
+  const [editor, slashMenuRef, send, updateMarkdownContent, expand, mentionItems, contentRef] =
     useChatInputStore((s) => [
       s.editor,
       s.slashMenuRef,
@@ -45,6 +45,7 @@ const InputEditor = memo<{ defaultRows?: number }>(({ defaultRows = 2 }) => {
       s.updateMarkdownContent,
       s.expand,
       s.mentionItems,
+      s.contentRef,
     ]);
 
   const storeApi = useStoreApi();
@@ -151,7 +152,11 @@ const InputEditor = memo<{ defaultRows?: number }>(({ defaultRows = 2 }) => {
       onBlur={() => {
         disableScope(HotkeyEnum.AddUserMessage);
       }}
-      onChange={() => {
+      onChange={(e) => {
+        // Save content to parent ref for restoration when enableRichRender changes
+        if (contentRef) {
+          contentRef.current = e.getDocument('markdown') as unknown as string;
+        }
         updateMarkdownContent();
       }}
       onCompositionEnd={() => {
@@ -177,7 +182,13 @@ const InputEditor = memo<{ defaultRows?: number }>(({ defaultRows = 2 }) => {
       onFocus={() => {
         enableScope(HotkeyEnum.AddUserMessage);
       }}
-      onInit={(editor) => storeApi.setState({ editor })}
+      onInit={(editor) => {
+        storeApi.setState({ editor });
+        // Restore content from parent ref when editor re-initializes
+        if (contentRef?.current) {
+          editor.setDocument('markdown', contentRef.current);
+        }
+      }}
       onPressEnter={({ event: e }) => {
         if (e.shiftKey || isChineseInput.current) return;
         // when user like alt + enter to add ai message

package/src/features/ChatInput/store/initialState.ts

@@ -1,6 +1,7 @@
 import { type IEditor, type SlashOptions } from '@lobehub/editor';
 import type { ChatInputProps } from '@lobehub/editor/react';
 import type { MenuProps } from '@lobehub/ui';
+import type { MutableRefObject } from 'react';
 
 import { type ActionKeys } from '@/features/ChatInput';
 
@@ -39,6 +40,7 @@ export interface PublicState {
 }
 
 export interface State extends PublicState {
+  contentRef?: MutableRefObject<string>;
   editor?: IEditor;
   isContentEmpty: boolean;
   markdownContent: string;

package/src/features/EditorCanvas/DiffAllToolbar.tsx

@@ -42,7 +42,6 @@ const useIsEditorInit = (editor: IEditor) => {
     if (!editor) return;
 
     const onInit = () => {
-      console.log('init: id', editor.getLexicalEditor()?._key);
       setEditInit(true);
     };
     editor.on('initialized', onInit);
@@ -103,13 +102,13 @@ interface DiffAllToolbarProps {
 const DiffAllToolbar = memo<DiffAllToolbarProps>(({ documentId }) => {
   const { t } = useTranslation('editor');
   const isDarkMode = useIsDark();
-  const [editor, performSave, markDirty] = useDocumentStore((s) => [
+  const [storeEditor, performSave, markDirty] = useDocumentStore((s) => [
     s.editor!,
     s.performSave,
     s.markDirty,
   ]);
 
-  const hasPendingDiffs = useEditorHasPendingDiffs(editor);
+  const hasPendingDiffs = useEditorHasPendingDiffs(storeEditor);
 
   if (!hasPendingDiffs) return null;
 
@@ -131,7 +130,7 @@ const DiffAllToolbar = memo<DiffAllToolbarProps>(({ documentId }) => {
         <Space>
           <Button
             onClick={async () => {
-              editor?.dispatchCommand(LITEXML_DIFFNODE_ALL_COMMAND, {
+              storeEditor?.dispatchCommand(LITEXML_DIFFNODE_ALL_COMMAND, {
                 action: DiffAction.Reject,
               });
               await handleSave();
@@ -145,7 +144,7 @@ const DiffAllToolbar = memo<DiffAllToolbarProps>(({ documentId }) => {
           <Button
             color={'default'}
             onClick={async () => {
-              editor?.dispatchCommand(LITEXML_DIFFNODE_ALL_COMMAND, {
+              storeEditor?.dispatchCommand(LITEXML_DIFFNODE_ALL_COMMAND, {
                 action: DiffAction.Accept,
               });
               await handleSave();

package/src/features/EditorCanvas/DocumentIdMode.tsx

@@ -2,7 +2,7 @@
 
 import { type IEditor } from '@lobehub/editor';
 import { Alert, Skeleton } from '@lobehub/ui';
-import { memo } from 'react';
+import { memo, useEffect, useRef } from 'react';
 import { useTranslation } from 'react-i18next';
 import { createStoreUpdater } from 'zustand-utils';
 
@@ -82,6 +82,26 @@ const DocumentIdMode = memo<DocumentIdModeProps>(
       onContentChange?.();
     };
 
+    const isEditorInitialized = !!editor?.getLexicalEditor();
+
+    // 追踪已经为哪个 documentId 调用过 onEditorInit
+    const initializedDocIdRef = useRef<string | null>(null);
+
+    // 关键修复：如果 editor 已经初始化，需要主动调用 onEditorInit
+    // 因为 onInit 回调只在 editor 首次初始化时触发
+    useEffect(() => {
+      // 避免重复调用：只在 documentId 变化且 editor 已初始化时调用
+      if (
+        editor &&
+        isEditorInitialized &&
+        !isLoading &&
+        initializedDocIdRef.current !== documentId
+      ) {
+        initializedDocIdRef.current = documentId;
+        onEditorInit(editor);
+      }
+    }, [documentId, editor, isEditorInitialized, isLoading, onEditorInit]);
+
     // Show loading state
     if (isLoading) {
       return <EditorSkeleton />;

package/src/features/User/__tests__/PanelContent.test.tsx

@@ -67,17 +67,6 @@ vi.mock('@/const/version', () => ({
   isDesktop: false,
 }));
 
-// Use vi.hoisted to ensure variables exist before vi.mock factory executes
-const { enableNextAuth } = vi.hoisted(() => ({
-  enableNextAuth: { value: false },
-}));
-
-vi.mock('@/envs/auth', () => ({
-  get enableNextAuth() {
-    return enableNextAuth.value;
-  },
-}));
-
 describe('PanelContent', () => {
   const closePopover = vi.fn();
 

package/src/features/User/__tests__/UserAvatar.test.tsx

@@ -1,6 +1,6 @@
 import { BRANDING_NAME } from '@lobechat/business-const';
 import { act, render, screen } from '@testing-library/react';
-import { afterEach, describe, expect, it, vi } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
 
 import { DEFAULT_USER_AVATAR_URL } from '@/const/meta';
 import { useUserStore } from '@/store/user';
@@ -9,21 +9,6 @@ import UserAvatar from '../UserAvatar';
 
 vi.mock('zustand/traditional');
 
-// Use vi.hoisted to ensure variables exist before vi.mock factory executes
-const { enableNextAuth } = vi.hoisted(() => ({
-  enableNextAuth: { value: false },
-}));
-
-vi.mock('@/envs/auth', () => ({
-  get enableNextAuth() {
-    return enableNextAuth.value;
-  },
-}));
-
-afterEach(() => {
-  enableNextAuth.value = false;
-});
-
 describe('UserAvatar', () => {
   it('should show the username and avatar are displayed when the user is logged in', async () => {
     const mockAvatar = 'https://example.com/avatar.png';

package/src/layout/AuthProvider/index.tsx

@@ -5,7 +5,6 @@ import { authEnv } from '@/envs/auth';
 
 import BetterAuth from './BetterAuth';
 import Desktop from './Desktop';
-import NextAuth from './NextAuth';
 import NoAuth from './NoAuth';
 
 const AuthProvider = ({ children }: PropsWithChildren) => {
@@ -13,14 +12,10 @@ const AuthProvider = ({ children }: PropsWithChildren) => {
     return <Desktop>{children}</Desktop>;
   }
 
-  if (authEnv.NEXT_PUBLIC_ENABLE_BETTER_AUTH) {
+  if (authEnv.AUTH_SECRET) {
     return <BetterAuth>{children}</BetterAuth>;
   }
 
-  if (authEnv.NEXT_PUBLIC_ENABLE_NEXT_AUTH) {
-    return <NextAuth>{children}</NextAuth>;
-  }
-
   return <NoAuth>{children}</NoAuth>;
 };
 

package/src/layout/GlobalProvider/StoreInitialization.tsx

@@ -6,7 +6,6 @@ import { useTranslation } from 'react-i18next';
 import { createStoreUpdater } from 'zustand-utils';
 
 import { isDesktop } from '@/const/version';
-import { enableNextAuth } from '@/envs/auth';
 import { useIsMobile } from '@/hooks/useIsMobile';
 import { useAgentStore } from '@/store/agent';
 import { useAiInfraStore } from '@/store/aiInfra';
@@ -25,9 +24,8 @@ const StoreInitialization = memo(() => {
   // prefetch error ns to avoid don't show error content correctly
   useTranslation('error');
 
-  const [isLogin, isSignedIn, useInitUserState] = useUserStore((s) => [
+  const [isLogin, useInitUserState] = useUserStore((s) => [
     authSelectors.isLogin(s),
-    s.isSignedIn,
     s.useInitUserState,
   ]);
 
@@ -65,7 +63,7 @@ const StoreInitialization = memo(() => {
    * IMPORTANT: Explicitly convert to boolean to avoid passing null/undefined downstream,
    * which would cause unnecessary API requests with invalid login state.
    */
-  const isLoginOnInit = Boolean(enableNextAuth ? isSignedIn : isLogin);
+  const isLoginOnInit = Boolean(isLogin);
 
   // init inbox agent via builtin agent mechanism
   useInitBuiltinAgent(INBOX_SESSION_ID, { isLogin: isLoginOnInit });

package/src/libs/better-auth/define-config.ts

@@ -23,6 +23,7 @@ import {
   getVerificationOTPEmailTemplate,
 } from '@/libs/better-auth/email-templates';
 import { initBetterAuthSSOProviders } from '@/libs/better-auth/sso';
+import { emailWhitelist } from '@/libs/better-auth/plugins/email-whitelist';
 import { createSecondaryStorage, getTrustedOrigins } from '@/libs/better-auth/utils/config';
 import { parseSSOProviders } from '@/libs/better-auth/utils/server';
 import { EmailService } from '@/server/services/email';
@@ -222,6 +223,7 @@ export function defineConfig(customOptions: CustomBetterAuthOptions) {
     },
     plugins: [
       ...customOptions.plugins,
+      emailWhitelist(),
       expo(),
       emailHarmony({ allowNormalizedSignin: false, validator: customEmailValidator }),
       admin(),

package/src/libs/better-auth/plugins/email-whitelist.test.ts

@@ -0,0 +1,120 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+// Get mocked module
+import { authEnv } from '@/envs/auth';
+
+import { isEmailAllowed } from './email-whitelist';
+
+// Mock authEnv
+vi.mock('@/envs/auth', () => ({
+  authEnv: {
+    AUTH_ALLOWED_EMAILS: undefined as string | undefined,
+  },
+}));
+
+describe('isEmailAllowed', () => {
+  beforeEach(() => {
+    // Reset to undefined before each test
+    (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = undefined;
+  });
+
+  describe('when whitelist is empty', () => {
+    it('should allow all emails when AUTH_ALLOWED_EMAILS is undefined', () => {
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+
+    it('should allow all emails when AUTH_ALLOWED_EMAILS is empty string', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = '';
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+  });
+
+  describe('domain matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,company.org';
+    });
+
+    it('should allow email from whitelisted domain', () => {
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('admin@company.org')).toBe(true);
+    });
+
+    it('should reject email from non-whitelisted domain', () => {
+      expect(isEmailAllowed('user@other.com')).toBe(false);
+    });
+
+    it('should be case-sensitive for domain', () => {
+      expect(isEmailAllowed('user@Example.com')).toBe(false);
+      expect(isEmailAllowed('user@EXAMPLE.COM')).toBe(false);
+    });
+  });
+
+  describe('exact email matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'admin@special.com,vip@other.com';
+    });
+
+    it('should allow exact email match', () => {
+      expect(isEmailAllowed('admin@special.com')).toBe(true);
+      expect(isEmailAllowed('vip@other.com')).toBe(true);
+    });
+
+    it('should reject different email at same domain', () => {
+      expect(isEmailAllowed('user@special.com')).toBe(false);
+    });
+
+    it('should be case-sensitive for email', () => {
+      expect(isEmailAllowed('Admin@special.com')).toBe(false);
+    });
+  });
+
+  describe('mixed domain and email matching', () => {
+    beforeEach(() => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,admin@other.com';
+    });
+
+    it('should allow any email from whitelisted domain', () => {
+      expect(isEmailAllowed('anyone@example.com')).toBe(true);
+    });
+
+    it('should allow specific whitelisted email', () => {
+      expect(isEmailAllowed('admin@other.com')).toBe(true);
+    });
+
+    it('should reject non-whitelisted email from non-whitelisted domain', () => {
+      expect(isEmailAllowed('user@other.com')).toBe(false);
+    });
+  });
+
+  describe('whitespace handling', () => {
+    it('should trim whitespace from whitelist entries', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        ' example.com , admin@other.com ';
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('admin@other.com')).toBe(true);
+    });
+
+    it('should filter empty entries', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS =
+        'example.com,,other.com';
+      expect(isEmailAllowed('user@example.com')).toBe(true);
+      expect(isEmailAllowed('user@other.com')).toBe(true);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should reject malformed email without @', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = 'example.com';
+      expect(isEmailAllowed('invalid-email')).toBe(false);
+    });
+
+    it('should handle email with multiple @ symbols', () => {
+      (authEnv as { AUTH_ALLOWED_EMAILS: string | undefined }).AUTH_ALLOWED_EMAILS = 'example.com';
+      // split('@')[1] returns 'middle@example.com', which won't match 'example.com'
+      expect(isEmailAllowed('user@middle@example.com')).toBe(false);
+    });
+  });
+});