chore: review comments

internal/bootstrap/app_bootstrap.go

@@ -316,7 +316,11 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// get listener
-	listenerFunc := app.getListenerFunc()
+	listenerFunc, err := app.getListenerFunc()
+
+	if err != nil {
+		return fmt.Errorf("failed to get listener function: %w", err)
+	}
 
 	// run listener
 	lec := make(chan error, 1)

internal/bootstrap/router_bootstrap.go

@@ -129,16 +129,19 @@ func (app *BootstrapApp) setupRouter() error {
 // 1. Tailscale (if tailscale.listen)
 // 2. Unix socket (if server.socketPath)
 // 3. HTTP - default
-func (app *BootstrapApp) getListenerFunc() func(ctx context.Context) error {
+func (app *BootstrapApp) getListenerFunc() (func(ctx context.Context) error, error) {
-	if app.services.tailscaleService != nil && app.config.Tailscale.Listen {
+	if app.config.Tailscale.Listen {
-		return app.serveTailscale
+		if app.services.tailscaleService == nil {
+			return nil, fmt.Errorf("tailscale.listen is enabled but tailscale service is not initialized")
+		}
+		return app.serveTailscale, nil
 	}
 
 	if app.config.Server.SocketPath != "" {
-		return app.serveUnix
+		return app.serveUnix, nil
 	}
 
-	return app.serveHTTP
+	return app.serveHTTP, nil
 }
 
 func (app *BootstrapApp) serveHTTP(ctx context.Context) error {

internal/controller/oauth_controller.go

@@ -304,8 +304,8 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackPar
 }
 
 func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
+	if !controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
+		return ""
 	}
 	return controller.runtime.CookieDomain
 }
@@ -314,29 +314,29 @@ func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 	u, err := url.Parse(redirectURI)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Str("redirectUri", redirectURI).Msg("Failed to parse redirect URI")
+		controller.log.App.Error().Err(err).Msg("Failed to parse redirect URI")
 		return false
 	}
 
 	if u.Scheme == "" || u.Host == "" {
-		controller.log.App.Warn().Str("redirectUri", redirectURI).Msg("Redirect URI has invalid scheme or host")
+		controller.log.App.Warn().Msg("Redirect URI has invalid scheme or host")
 		return false
 	}
 
 	au, err := url.Parse(controller.runtime.AppURL)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Str("appUrl", controller.runtime.AppURL).Msg("Failed to parse app URL")
+		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
 		return false
 	}
 
 	if u.Scheme != au.Scheme {
-		controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI scheme does not match app URL scheme")
+		controller.log.App.Warn().Msg("Redirect URI scheme does not match app URL scheme")
 		return false
 	}
 
 	if u.Port() != au.Port() {
-		controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI port does not match app URL port")
+		controller.log.App.Warn().Msg("Redirect URI port does not match app URL port")
 		return false
 	}
 

internal/service/auth_service.go

@@ -706,8 +706,8 @@ func (auth *AuthService) calculateLockdownLimit() int {
 }
 
 func (auth *AuthService) getCookieDomain() string {
-	if auth.config.Auth.SubdomainsEnabled {
+	if !auth.config.Auth.SubdomainsEnabled {
-		return "." + auth.runtime.CookieDomain
+		return ""
 	}
 	return auth.runtime.CookieDomain
 }

internal/service/tailscale_service.go

@@ -94,6 +94,10 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 
 	i.Ding.Go(service.watchAndClose, ding.RingMajor)
 
+	if i.Config.Tailscale.Funnel && !i.Config.Tailscale.Listen {
+		service.log.App.Warn().Msg("Tailscale Funnel is enabled but listen is disabled. Funnel will not work without listen enabled.")
+	}
+
 	return service, nil
 }