fix: use policy engine in oauth whitelist check

[steveiliop56]

Summary by CodeRabbit

• Refactor
  • Enhanced authentication service to integrate with the policy engine for more consistent access control decisions across the system.
  • Updated email whitelist evaluation to use the centralized policy engine instead of isolated logic.
  • Improved service initialization to ensure the policy engine is properly available during authentication setup.

[coderabbitai]

📝 Walkthrough

Walkthrough

PolicyEngine becomes an explicit dependency of AuthService. A new EvaluateFunc helper method converts effect callbacks to access decisions. Email whitelist evaluation now delegates to PolicyEngine instead of direct filtering, with ErrFilterEmpty sentinel error consolidating filter validation. Service bootstrap and tests wire the policyEngine dependency into AuthService construction.

Changes

PolicyEngine Dependency and AuthService Integration

Layer / File(s)	Summary
PolicyEngine Helper and Filter Error Handling internal/service/policy_engine.go, internal/utils/security_utils.go	PolicyEngine gains EvaluateFunc to convert effect callbacks to access decisions. ErrFilterEmpty sentinel error replaces inline error construction in filter validation.
AuthService PolicyEngine Dependency and Whitelist Refactoring internal/service/auth_service.go	AuthService stores policyEngine and NewAuthService accepts it as a parameter. IsEmailWhitelisted refactored to evaluate decisions via policyEngine.EvaluateFunc with special handling for ErrFilterEmpty.
Service Initialization with PolicyEngine Wiring internal/bootstrap/service_bootstrap.go, internal/controller/proxy_controller_test.go, internal/controller/user_controller_test.go, internal/middleware/context_middleware_test.go	Service bootstrap and test harnesses construct policyEngine and wire it into NewAuthService. Proxy controller test reorders initialization so policyEngine is available when authService is created.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• tinyauthapp/tinyauth#518: Both PRs touch internal/bootstrap/service_bootstrap.go's AuthService wiring and initialization, with this PR adding policyEngine as an explicit dependency during construction.

Suggested reviewers

• Rycochet

Poem

🐰 A policy engine whispers soft and true,
Decisions flowing through each path anew,
AuthService listens, trusts its guiding light,
Whitelists dancing in the email's flight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: integrating the policy engine into OAuth whitelist validation by wiring it through AuthService.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/oauth-whitelist

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 61.11111% with 7 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/service/auth_service.go	57.14%	5 Missing and 1 partial ⚠️
internal/bootstrap/service_bootstrap.go	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/service/auth_service.go`:
- Around line 105-106: The AuthService constructor accepts a policy parameter
but does not validate it, which allows auth.policyEngine to be nil and causes a
panic when auth.policyEngine.EvaluateFunc (and related calls like IsWhitelisted)
are invoked; fix by validating the incoming policy in the constructor that
builds AuthService: if policy is nil assign a safe default/no-op PolicyEngine
implementation (or return an error from the constructor if your API permits) so
that auth.policyEngine is never nil, and also add a defensive nil-check before
calling auth.policyEngine.EvaluateFunc (and any whitelist checks) to avoid
dereferencing a nil pointer at runtime.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: db842da7-2c75-4e7b-9e8d-09bc31b362aa

📥 Commits

Reviewing files that changed from the base of the PR and between c346113 and a40c08f.

📒 Files selected for processing (7)

• internal/bootstrap/service_bootstrap.go
• internal/controller/proxy_controller_test.go
• internal/controller/user_controller_test.go
• internal/middleware/context_middleware_test.go
• internal/service/auth_service.go
• internal/service/policy_engine.go
• internal/utils/security_utils.go