feat: add ALLOWED_USERS allowlist for OAuth login

.env.example

@@ -4,5 +4,9 @@ HF_TOKEN=your_hf_token_here
 # Optional: Override the default HF dataset repo
 # HF_DATASET_REPO=rafmacalaba/wbg_annotation_data
 
-# Optional: Number of documents to scan on initial load (default: 5)
-# MAX_DOCS_TO_SCAN=5
+# Optional: Number of documents to scan on initial load (default: 50)
+# MAX_DOCS_TO_SCAN=50
+
+# Optional: Comma-separated list of allowed HF usernames for OAuth login
+# If not set, any HF user can sign in
+# ALLOWED_USERS=rafmacalaba,rafamacalaba

app/api/auth/callback/route.js

@@ -67,6 +67,18 @@ export async function GET(request) {
         const userInfo = await userRes.json();
         const username = userInfo.preferred_username || userInfo.name || 'user';
 
+        // Check allowlist (if ALLOWED_USERS is set)
+        const allowedUsers = process.env.ALLOWED_USERS;
+        if (allowedUsers) {
+            const allowlist = allowedUsers.split(',').map(u => u.trim().toLowerCase());
+            if (!allowlist.includes(username.toLowerCase())) {
+                return NextResponse.json(
+                    { error: `Access denied. User "${username}" is not in the allowed list.` },
+                    { status: 403 }
+                );
+            }
+        }
+
         // Set session cookie with username
         const response = NextResponse.redirect(host);
         response.cookies.set('hf_user', JSON.stringify({