Authentication bypass in vector-admin domain restriction

An attacker can register an account on a vector-admin server that has "domain restriction" enabled without owning an authorized email address. The original check used `email.includes(domainRestriction.value)`, which only verified that the restricted domain string appeared anywhere in the email address. An attacker could bypass this by registering with an email like `attacker@evil.com` when the restriction is set to `evil.com`, or even `attacker@allowed.com.evil.com` since `includes` would match a substring. [ref_id=1]

The vulnerability resides in the authentication endpoint of vector-admin, specifically in the domain restriction check during user registration. The patch modifies the logic in `function authenticationEndpoints(app)` where the `email.includes(domainRestriction.value)` check was replaced with a proper domain extraction and comparison using `email.substring(email.lastIndexOf("@") + 1)` and `emailDomain !== domainRestriction.value`.

The patch replaces the loose `email.includes(domainRestriction.value)` check with a precise domain extraction and strict equality comparison. The new code extracts the domain portion after the last `@` symbol using `email.substring(email.lastIndexOf("@") + 1)` and then checks `emailDomain !== domainRestriction.value`. This ensures only email addresses whose domain exactly matches the configured restriction are accepted, preventing registration with unauthorized domains. [ref_id=1]