Enhance email allowlist to support domain patterns and wildcards #424

@whusterj

Problem

The current email allowlist implementation only supports exact email matches, which is too restrictive for testing environments. Users must explicitly list every single email address that's allowed to sign up.

Current Behavior

  • USE_EMAIL_ALLOWLIST when set to True requires exact email matches
  • The check is: email not in settings.EMAIL_ALLOWLIST
  • Example: ["admin@thinknimble.com", "william@thinknimble.com"] only allows those exact two emails

Desired Behavior

Support more flexible patterns for testing while maintaining security:

  1. Domain allowlisting: Allow entire domains

    • ["*@thinknimble.com"] would allow any thinknimble.com email
    • ["@thinknimble.com"] alternative syntax
  2. Pattern matching: Support wildcards or regex patterns

  3. Mixed mode: Support both exact emails and patterns in the same list

    • ["admin@thinknimble.com", "*@trusted-domain.com", "test-*@example.com"]

Implementation Suggestions

Update validate_email in core/serializers.py to check:

  1. First check for exact match (current behavior)
  2. Then check if any pattern in the allowlist matches the email
  3. Use fnmatch or re module for pattern matching

Use Cases

  • Review Apps: Allow all emails from a trusted domain for testing
  • QA Testing: Allow emails matching a pattern like qa-*@company.com
  • Development: More flexible allowlists without listing every developer

Current Workaround

We've set USE_EMAIL_ALLOWLIST=False by default in app.json for review apps, but ideally we want it enabled with more flexible patterns for better security even in testing environments.
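A sketch of the matching logic the issue asks for, as an added example that is not code from the issue or from the project. The function names `compile_entry` and `email_allowed`, the lowercasing of addresses, and the choice to allow `*` only in the local part are assumptions; it uses `re` so that a wildcard cannot span the `@` and the domain is always compared literally.

```python
import re

def compile_entry(entry: str) -> re.Pattern:
    """Compile one allowlist entry into a regex for use with fullmatch().

    Supported forms: exact address, "*@domain", "@domain", and a local part
    containing "*" (for example "test-*@example.com").
    """
    entry = entry.strip().lower()
    local, sep, domain = entry.rpartition("@")
    # The domain is always literal: a wildcard there would widen the list
    # to domains nobody reviewed, so such entries are rejected outright.
    if not sep or not domain or "*" in domain:
        raise ValueError(f"unsupported allowlist entry: {entry!r}")
    if local in ("", "*"):
        local_re = "[^@]+"  # whole-domain entry: any non-empty local part
    else:
        # "*" matches any run of characters except "@", so it can never
        # extend past the local part into the domain.
        local_re = "[^@]*".join(re.escape(part) for part in local.split("*"))
    return re.compile(f"{local_re}@{re.escape(domain)}")

def email_allowed(email: str, allowlist: list[str]) -> bool:
    """Return True if email matches any exact or pattern entry."""
    email = email.strip().lower()  # assumption: case-insensitive comparison
    if email.count("@") != 1 or email.startswith("@"):
        return False
    return any(compile_entry(e).fullmatch(email) for e in allowlist)

# Constructed sample list, mirroring the mixed-mode example in the issue.
SAMPLE_ALLOWLIST = ["admin@thinknimble.com", "*@trusted-domain.com", "test-*@example.com"]

if __name__ == "__main__":
    for addr in ("admin@thinknimble.com", "qa@trusted-domain.com",
                 "qa@evil-trusted-domain.com", "test-42@example.com"):
        print(addr, email_allowed(addr, SAMPLE_ALLOWLIST))
```

An entry without `*` compiles to a literal, so exact addresses keep their current behavior and no separate exact-match pass is needed.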
