
feat: implement authentication, user management endpoints, and automated disposable email blocklist synchronization#59

Merged

Atanu2k4 merged 2 commits into sanks011:master from Atanu2k4:master on May 30, 2026

Conversation

@Atanu2k4 Atanu2k4 (Collaborator) commented May 30, 2026

Summary

This PR introduces a robust, three-layer defense to block temporary and disposable email addresses from registering on the platform. It replaces the basic syntax check with a fast, offline verification against a comprehensive 72,000+ domain blocklist. Additionally, it resolves several Mongoose deprecation warnings (new: true replaced with returnDocument: 'after') across multiple API routes.

Related issue

Fixes #58

Changes

  • Added lib/emailGuard.ts to handle disposable email validation using a multi-layer approach (local blocklist + hardcoded recent bypassers + DNS MX fallback).
  • Added lib/disposable-domains.json containing a merged list of 72,266 known disposable domains pulled from community GitHub repositories.
  • Added an admin-only API route (/api/admin/refresh-email-blocklist) protected by ADMIN_SECRET to fetch fresh blocklists and hot-reload them into memory without a server restart.
  • Updated /api/auth/signup/route.ts to intercept and reject signups using temporary emails before generating or sending OTPs.
  • Updated .env to include the ADMIN_SECRET variable.
  • Fixed Mongoose new: true deprecation warnings in the following routes by updating them to use returnDocument: 'after':
    • app/api/auth/login/route.ts
    • app/api/auth/signup/route.ts
    • app/api/auth/otp/send/route.ts
    • app/api/users/approve/route.ts
    • app/api/users/update/route.ts
    • app/api/users/keybinds/route.ts

Testing

  • Verified that known temporary email domains (e.g., mailinator.com, guerrillamail.com) are instantly blocked with a 400 status and user-friendly message.
  • Verified that newer, Cloudflare-routed disposable domains (e.g., minitts.net, 123mails.org, ruutukf.com) are correctly identified and blocked.
  • Verified that legitimate email providers (e.g., gmail.com, outlook.com, yahoo.com) successfully pass the validation and proceed to OTP generation.
  • Verified that hitting the /api/admin/refresh-email-blocklist endpoint with the correct x-admin-secret successfully fetches and hot-reloads the latest blocklist.
  • Verified terminal logs are clear of Mongoose deprecation warnings during local development.

Checklist

  • Title follows the repository PR format
  • The issue is linked with Fixes #58
  • Testing notes are included

@github-actions


PR Validation Passed

Your PR title and description meet all requirements:


@Atanu2k4 Atanu2k4 merged commit 17685d2 into sanks011:master May 30, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

Bug: Signup flow allows registration with disposable/temporary email addresses

1 participant