federation with allow lists (#5393)

## Description

This addresses Issue #5379.
The email validation was extended.
Additionally to checking whether the email domain is in the block list or in the allow list now we also check if the email domain is the servers own FQDN.
Tests have been written for the correct function of the allow list and if the local FQDN is admitted as email domain.

Edit: Clarifications, Typos

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.

### Documentation

- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] I want the title to show in the release notes with a link to this pull request.

Co-authored-by: Michael Jerger <michael.jerger@meissa-gmbh.de>
Co-authored-by: patdyn <erik.seiert@meissa-gmbh.de>
Co-authored-by: Mirco <mirco.zachmann@meissa.de>
Co-authored-by: jerger <jerger@noreply.codeberg.org>
Co-authored-by: zam <mirco.zachmann@meissa.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5393
Reviewed-by: jerger <jerger@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: patdyn <patdyn@noreply.codeberg.org>
Co-committed-by: patdyn <patdyn@noreply.codeberg.org>

modules/setting/service.go

@@ -1,9 +1,11 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package setting
 
 import (
+	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@@ -145,6 +147,20 @@ func LoadServiceSetting() {
 	loadServiceFrom(CfgProvider)
 }
 
+func appURLAsGlob(fqdn string) (glob.Glob, error) {
+	localFqdn, err := url.ParseRequestURI(fqdn)
+	if err != nil {
+		log.Error("Error in EmailDomainAllowList: %v", err)
+		return nil, err
+	}
+	appFqdn, err := glob.Compile(localFqdn.Hostname(), ',')
+	if err != nil {
+		log.Error("Error in EmailDomainAllowList: %v", err)
+		return nil, err
+	}
+	return appFqdn, nil
+}
+
 func loadServiceFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("service")
 	Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
@@ -164,7 +180,15 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 	if sec.HasKey("EMAIL_DOMAIN_WHITELIST") {
 		deprecatedSetting(rootCfg, "service", "EMAIL_DOMAIN_WHITELIST", "service", "EMAIL_DOMAIN_ALLOWLIST", "1.21")
 	}
-	Service.EmailDomainAllowList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_WHITELIST", "EMAIL_DOMAIN_ALLOWLIST")
+	emailDomainAllowList := CompileEmailGlobList(sec, "EMAIL_DOMAIN_WHITELIST", "EMAIL_DOMAIN_ALLOWLIST")
+
+	if len(emailDomainAllowList) > 0 && Federation.Enabled {
+		appURL, err := appURLAsGlob(AppURL)
+		if err == nil {
+			emailDomainAllowList = append(emailDomainAllowList, appURL)
+		}
+	}
+	Service.EmailDomainAllowList = emailDomainAllowList
 	Service.EmailDomainBlockList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_BLOCKLIST")
 	Service.EmailDomainBlockDisposable = sec.Key("EMAIL_DOMAIN_BLOCK_DISPOSABLE").MustBool(false)
 	if Service.EmailDomainBlockDisposable {