fix(security): enforce domain allowlist for email alias creation

Add ALIAS_ALLOWED_DOMAINS env var (comma-separated) that restricts which
domains users may create aliases under. Alias creation is disabled when
the env var is not set. Prevents users from creating aliases with arbitrary
domains (e.g. for phishing/spoofing).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

addy.go

@@ -129,6 +129,23 @@ func addyAliasAPI(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Validate domain against allowlist
+	if len(allowedAliasDomains) == 0 {
+		http.Error(w, "Alias creation is not configured", http.StatusServiceUnavailable)
+		return
+	}
+	domainAllowed := false
+	for _, d := range allowedAliasDomains {
+		if body.Domain == d {
+			domainAllowed = true
+			break
+		}
+	}
+	if !domainAllowed {
+		http.Error(w, "Domain not allowed", http.StatusBadRequest)
+		return
+	}
+
 	if len(body.Alias) == 0 {
 		body.Alias = generateRandomString(10)
 	}

main.go

@@ -23,6 +23,10 @@ var myPublicURL = "https://ldap.nemunai.re"
 // If empty, the feature is disabled.
 var dockerRegistrySecret string
 
+// allowedAliasDomains is the allowlist of domains users may create aliases under.
+// If empty, alias creation is disabled.
+var allowedAliasDomains []string
+
 var myLDAP = LDAP{
 	Host:     "localhost",
 	Port:     389,
@@ -171,6 +175,9 @@ func main() {
 	if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
 		dockerRegistrySecret = val
 	}
+	if val, ok := os.LookupEnv("ALIAS_ALLOWED_DOMAINS"); ok && val != "" {
+		allowedAliasDomains = strings.Split(val, ",")
+	}
 
 	if flag.NArg() > 0 {
 		switch flag.Arg(0) {