From d586bbeabb9b05a3248ad30d3c55fca044d17a71 Mon Sep 17 00:00:00 2001
From: shanshanzhong <shanshanzhong147@gmail.com>
Date: Fri, 3 Apr 2026 06:44:33 -0700
Subject: [PATCH] fix: OAuth registration missing email domain whitelist check
 for trial gifting

**Problem**: OAuth registration path (Google, Apple, Telegram) was missing the
email domain whitelist validation, causing trial subscriptions to be granted to
all users regardless of the whitelist configuration.

**Root Cause**: The previous commit (3417da2a) that implemented trial domain
whitelist only updated device/phone/email direct registration paths, but
missed the OAuth registration path in oAuthLoginGetTokenLogic.go.

**Solution**:
- Added email domain whitelist check to OAuth register() method
- Added isEmailDomainWhitelisted() helper function matching the pattern
  used in other auth logic files
- Only activate trial if EnableTrial=true AND
  (whitelist disabled OR email domain matches whitelist)
- Added email logging to trial subscription activation log

Affected flows:
- OAuth Google login with new user
- OAuth Apple login with new user
- OAuth Telegram login with new user

Co-Authored-By: claude-flow <ruv@ruv.net>
---
 .../auth/oauth/oAuthLoginGetTokenLogic.go     | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/internal/logic/auth/oauth/oAuthLoginGetTokenLogic.go b/internal/logic/auth/oauth/oAuthLoginGetTokenLogic.go
index a1dc2a4..58b75f4 100644
--- a/internal/logic/auth/oauth/oAuthLoginGetTokenLogic.go
+++ b/internal/logic/auth/oauth/oAuthLoginGetTokenLogic.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/perfect-panel/server/internal/config"
@@ -393,10 +394,15 @@ func (l *OAuthLoginGetTokenLogic) register(email, avatar, method, openid, reques
 			}
 		}
 
-		if l.svcCtx.Config.Register.EnableTrial {
+		rc := l.svcCtx.Config.Register
+		// Only activate trial if whitelist is not enabled, or email domain matches whitelist
+		shouldActivateTrial := rc.EnableTrial && (!rc.EnableTrialEmailWhitelist || (email != "" && l.isEmailDomainWhitelisted(email, rc.TrialEmailDomainWhitelist)))
+
+		if shouldActivateTrial {
 			l.Debugw("activating trial subscription",
 				logger.Field("request_id", requestID),
 				logger.Field("user_id", userInfo.Id),
+				logger.Field("email", email),
 			)
 			var trialErr error
 			trialSubscribe, trialErr = l.activeTrial(userInfo.Id, requestID)
@@ -882,3 +888,22 @@ func (l *OAuthLoginGetTokenLogic) activeTrial(uid int64, requestID string) (*use
 	)
 	return userSub, nil
 }
+
+// isEmailDomainWhitelisted checks if the email's domain is in the comma-separated whitelist.
+// Returns false if the email format is invalid.
+func (l *OAuthLoginGetTokenLogic) isEmailDomainWhitelisted(email, whitelistCSV string) bool {
+	if whitelistCSV == "" {
+		return false
+	}
+	parts := strings.SplitN(email, "@", 2)
+	if len(parts) != 2 {
+		return false
+	}
+	domain := strings.ToLower(strings.TrimSpace(parts[1]))
+	for _, d := range strings.Split(whitelistCSV, ",") {
+		if strings.ToLower(strings.TrimSpace(d)) == domain {
+			return true
+		}
+	}
+	return false
+}