refactor: use controller approach in handlers

2025-10-30 13:45:47 +00:00 · 2025-08-25 16:40:06 +03:00
parent e1d8ce3cb5
commit dfdc656145
23 changed files with 910 additions and 1428 deletions
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -0,0 +1,102 @@
+package controller
+
+import (
+	"tinyauth/internal/utils"
+
+	"github.com/gin-gonic/gin"
+)
+
+type UserContextResponse struct {
+	Status      int    `json:"status"`
+	Message     string `json:"message"`
+	IsLoggedIn  bool   `json:"isLoggedIn"`
+	Username    string `json:"username"`
+	Name        string `json:"name"`
+	Email       string `json:"email"`
+	Provider    string `json:"provider"`
+	Oauth       bool   `json:"oauth"`
+	TotpPending bool   `json:"totpPending"`
+}
+
+type AppContextResponse struct {
+	Status                int      `json:"status"`
+	Message               string   `json:"message"`
+	ConfiguredProviders   []string `json:"configuredProviders"`
+	DisableContinue       bool     `json:"disableContinue"`
+	Title                 string   `json:"title"`
+	GenericName           string   `json:"genericName"`
+	Domain                string   `json:"domain"`
+	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
+	BackgroundImage       string   `json:"backgroundImage"`
+	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
+}
+
+type ContextControllerConfig struct {
+	ConfiguredProviders   []string
+	DisableContinue       bool
+	Title                 string
+	GenericName           string
+	Domain                string
+	ForgotPasswordMessage string
+	BackgroundImage       string
+	OAuthAutoRedirect     string
+}
+
+type ContextController struct {
+	Config ContextControllerConfig
+	Router *gin.RouterGroup
+}
+
+func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
+	return &ContextController{
+		Config: config,
+		Router: router,
+	}
+}
+
+func (controller *ContextController) SetupRoutes() {
+	contextGroup := controller.Router.Group("/context")
+	contextGroup.GET("/user", controller.userContextHandler)
+	contextGroup.GET("/app", controller.appContextHandler)
+}
+
+func (controller *ContextController) userContextHandler(c *gin.Context) {
+	context, err := utils.GetContext(c)
+
+	userContext := UserContextResponse{
+		Status:      200,
+		Message:     "Success",
+		IsLoggedIn:  context.IsLoggedIn,
+		Username:    context.Username,
+		Name:        context.Name,
+		Email:       context.Email,
+		Provider:    context.Provider,
+		Oauth:       context.OAuth,
+		TotpPending: context.TotpPending,
+	}
+
+	if err != nil {
+		userContext.Status = 401
+		userContext.Message = "Unauthorized"
+		userContext.IsLoggedIn = false
+		c.JSON(200, userContext)
+		return
+	}
+
+	c.JSON(200, userContext)
+}
+
+func (controller *ContextController) appContextHandler(c *gin.Context) {
+	c.JSON(200, AppContextResponse{
+		Status:                200,
+		Message:               "Success",
+		ConfiguredProviders:   controller.Config.ConfiguredProviders,
+		DisableContinue:       controller.Config.DisableContinue,
+		Title:                 controller.Config.Title,
+		GenericName:           controller.Config.GenericName,
+		Domain:                controller.Config.Domain,
+		ForgotPasswordMessage: controller.Config.ForgotPasswordMessage,
+		BackgroundImage:       controller.Config.BackgroundImage,
+		OAuthAutoRedirect:     controller.Config.OAuthAutoRedirect,
+	})
+}
--- a/internal/controller/health_controller.go
+++ b/internal/controller/health_controller.go
@@ -0,0 +1,24 @@
+package controller
+
+import "github.com/gin-gonic/gin"
+
+type HealthController struct {
+	Router *gin.RouterGroup
+}
+
+func NewHealthController(router *gin.RouterGroup) *HealthController {
+	return &HealthController{
+		Router: router,
+	}
+}
+
+func (controller *HealthController) SetupRoutes() {
+	controller.Router.GET("/health", controller.healthHandler)
+}
+
+func (controller *HealthController) healthHandler(c *gin.Context) {
+	c.JSON(200, gin.H{
+		"status":  "ok",
+		"message": "Healthy",
+	})
+}
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -0,0 +1,185 @@
+package controller
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/providers"
+	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-querystring/query"
+)
+
+type OAuthRequest struct {
+	Provider string `uri:"provider" binding:"required"`
+}
+
+type OAuthControllerConfig struct {
+	CSRFCookieName     string
+	RedirectCookieName string
+	SecureCookie       bool
+	AppURL             string
+}
+
+type OAuthController struct {
+	Config    OAuthControllerConfig
+	Router    *gin.RouterGroup
+	Auth      *auth.Auth
+	Providers *providers.Providers
+}
+
+func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *auth.Auth, providers *providers.Providers) *OAuthController {
+	return &OAuthController{
+		Config:    config,
+		Router:    router,
+		Auth:      auth,
+		Providers: providers,
+	}
+}
+
+func (controller *OAuthController) SetupRoutes() {
+	oauthGroup := controller.Router.Group("/oauth")
+	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
+	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
+}
+
+func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
+	var req OAuthRequest
+
+	err := c.BindUri(&req)
+	if err != nil {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	provider := controller.Providers.GetProvider(req.Provider)
+
+	if provider == nil {
+		c.JSON(404, gin.H{
+			"status":  404,
+			"message": "Not Found",
+		})
+		return
+	}
+
+	state := provider.GenerateState()
+	authURL := provider.GetAuthURL(state)
+	c.SetCookie(controller.Config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", "", controller.Config.SecureCookie, true)
+
+	redirectURI := c.Query("redirect_uri")
+
+	if redirectURI != "" {
+		c.SetCookie(controller.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", "", controller.Config.SecureCookie, true)
+	}
+
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "OK",
+		"url":     authURL,
+	})
+}
+
+func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
+	var req OAuthRequest
+
+	err := c.BindUri(&req)
+	if err != nil {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	state := c.Query("state")
+	csrfCookie, err := c.Cookie(controller.Config.CSRFCookieName)
+
+	if err != nil || state != csrfCookie {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.Config.CSRFCookieName, "", -1, "/", "", controller.Config.SecureCookie, true)
+
+	code := c.Query("code")
+	provider := controller.Providers.GetProvider(req.Provider)
+
+	if provider == nil {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	_, err = provider.ExchangeToken(code)
+	if err != nil {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	user, err := controller.Providers.GetUser(req.Provider)
+
+	if err != nil {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	if user.Email == "" {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	if !controller.Auth.EmailWhitelisted(user.Email) {
+		queries, err := query.Values(types.UnauthorizedQuery{
+			Username: user.Email,
+		})
+
+		if err != nil {
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+			return
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+		return
+	}
+
+	var name string
+
+	if user.Name != "" {
+		name = user.Name
+	} else {
+		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+	}
+
+	controller.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username:    user.Email,
+		Name:        name,
+		Email:       user.Email,
+		Provider:    req.Provider,
+		OAuthGroups: utils.CoalesceToString(user.Groups),
+	})
+
+	redirectURI, err := c.Cookie(controller.Config.RedirectCookieName)
+
+	if err != nil {
+		c.Redirect(http.StatusTemporaryRedirect, controller.Config.AppURL)
+		return
+	}
+
+	queries, err := query.Values(types.RedirectQuery{
+		RedirectURI: redirectURI,
+	})
+
+	if err != nil {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.Config.RedirectCookieName, "", -1, "/", "", controller.Config.SecureCookie, true)
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.Config.AppURL, queries.Encode()))
+}
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -0,0 +1,281 @@
+package controller
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/docker"
+	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-querystring/query"
+)
+
+type Proxy struct {
+	Proxy string `uri:"proxy" binding:"required"`
+}
+
+type ProxyControllerConfig struct {
+	AppURL string
+}
+
+type ProxyController struct {
+	Config ProxyControllerConfig
+	Router *gin.RouterGroup
+	Docker *docker.Docker
+	Auth   *auth.Auth
+}
+
+func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, docker *docker.Docker, auth *auth.Auth) *ProxyController {
+	return &ProxyController{
+		Config: config,
+		Router: router,
+		Docker: docker,
+		Auth:   auth,
+	}
+}
+
+func (controller *ProxyController) SetupRoutes() {
+	proxyGroup := controller.Router.Group("/api/auth")
+	proxyGroup.GET("/:proxy", controller.proxyHandler)
+}
+
+func (controller *ProxyController) proxyHandler(c *gin.Context) {
+	var req Proxy
+
+	err := c.BindUri(&req)
+	if err != nil {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
+
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	proto := c.Request.Header.Get("X-Forwarded-Proto")
+	host := c.Request.Header.Get("X-Forwarded-Host")
+
+	hostWithoutPort := strings.Split(host, ":")[0]
+	id := strings.Split(hostWithoutPort, ".")[0]
+
+	labels, err := controller.Docker.GetLabels(id, hostWithoutPort)
+
+	if err != nil {
+		if req.Proxy == "nginx" || !isBrowser {
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	clientIP := c.ClientIP()
+
+	if controller.Auth.BypassedIP(labels, clientIP) {
+		c.Header("Authorization", c.Request.Header.Get("Authorization"))
+
+		headers := utils.ParseHeaders(labels.Headers)
+
+		for key, value := range headers {
+			c.Header(key, value)
+		}
+
+		if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
+			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
+		}
+
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	if !controller.Auth.CheckIP(labels, clientIP) {
+		if req.Proxy == "nginx" || !isBrowser {
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		queries, err := query.Values(types.UnauthorizedQuery{
+			Resource: strings.Split(host, ".")[0],
+			IP:       clientIP,
+		})
+
+		if err != nil {
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+		return
+	}
+
+	authEnabled, err := controller.Auth.AuthEnabled(uri, labels)
+
+	if err != nil {
+		if req.Proxy == "nginx" || !isBrowser {
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	if !authEnabled {
+		c.Header("Authorization", c.Request.Header.Get("Authorization"))
+
+		headers := utils.ParseHeaders(labels.Headers)
+
+		for key, value := range headers {
+			c.Header(key, value)
+		}
+
+		if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
+			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
+		}
+
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	var userContext types.UserContext
+
+	context, err := utils.GetContext(c)
+
+	if err != nil {
+		userContext = types.UserContext{
+			IsLoggedIn: false,
+		}
+	} else {
+		userContext = context
+	}
+
+	if userContext.Provider == "basic" && userContext.TotpEnabled {
+		userContext.IsLoggedIn = false
+	}
+
+	if userContext.IsLoggedIn {
+		appAllowed := controller.Auth.ResourceAllowed(c, userContext, labels)
+
+		if !appAllowed {
+			if req.Proxy == "nginx" || !isBrowser {
+				c.JSON(403, gin.H{
+					"status":  403,
+					"message": "Forbidden",
+				})
+				return
+			}
+
+			queries, err := query.Values(types.UnauthorizedQuery{
+				Resource: strings.Split(host, ".")[0],
+			})
+
+			if userContext.OAuth {
+				queries.Set("username", userContext.Username)
+			} else {
+				queries.Set("username", userContext.Email)
+			}
+
+			if err != nil {
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+				return
+			}
+
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+			return
+		}
+
+		if userContext.OAuth {
+			groupOK := controller.Auth.OAuthGroup(c, userContext, labels)
+
+			if !groupOK {
+				if req.Proxy == "nginx" || !isBrowser {
+					c.JSON(403, gin.H{
+						"status":  403,
+						"message": "Forbidden",
+					})
+					return
+				}
+
+				queries, err := query.Values(types.UnauthorizedQuery{
+					Resource: strings.Split(host, ".")[0],
+					GroupErr: true,
+				})
+
+				if userContext.OAuth {
+					queries.Set("username", userContext.Username)
+				} else {
+					queries.Set("username", userContext.Email)
+				}
+
+				if err != nil {
+					c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+					return
+				}
+
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+				return
+			}
+		}
+
+		c.Header("Authorization", c.Request.Header.Get("Authorization"))
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+
+		headers := utils.ParseHeaders(labels.Headers)
+
+		for key, value := range headers {
+			c.Header(key, value)
+		}
+
+		if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
+			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
+		}
+
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	if req.Proxy == "nginx" || !isBrowser {
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	queries, err := query.Values(types.RedirectQuery{
+		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
+	})
+
+	if err != nil {
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		return
+	}
+
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.Config.AppURL, queries.Encode()))
+}
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -0,0 +1,216 @@
+package controller
+
+import (
+	"fmt"
+	"strings"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pquerna/otp/totp"
+)
+
+type LoginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type TotpRequest struct {
+	Code string `json:"code"`
+}
+
+type UserControllerConfig struct {
+	Domain string
+}
+
+type UserController struct {
+	Config UserControllerConfig
+	Router *gin.RouterGroup
+	Auth   *auth.Auth
+}
+
+func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *auth.Auth) *UserController {
+	return &UserController{
+		Config: config,
+		Router: router,
+		Auth:   auth,
+	}
+}
+
+func (controller *UserController) SetupRoutes() {
+	userGroup := controller.Router.Group("/user")
+	userGroup.POST("/login", controller.loginHandler)
+	userGroup.POST("/logout", controller.logoutHandler)
+	userGroup.POST("/totp", controller.totpHandler)
+}
+
+func (controller *UserController) loginHandler(c *gin.Context) {
+	var req LoginRequest
+
+	err := c.BindJSON(&req)
+	if err != nil {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	clientIP := c.ClientIP()
+
+	rateIdentifier := req.Username
+
+	if rateIdentifier == "" {
+		rateIdentifier = clientIP
+	}
+
+	isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
+
+	if isLocked {
+		c.JSON(429, gin.H{
+			"status":  429,
+			"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
+		})
+		return
+	}
+
+	userSearch := controller.Auth.SearchUser(req.Username)
+
+	if userSearch.Type == "" {
+		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	if !controller.Auth.VerifyUser(userSearch, req.Password) {
+		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	controller.Auth.RecordLoginAttempt(rateIdentifier, true)
+
+	if userSearch.Type == "local" {
+		user := controller.Auth.GetLocalUser(userSearch.Username)
+
+		if user.TotpSecret != "" {
+			controller.Auth.CreateSessionCookie(c, &types.SessionCookie{
+				Username:    user.Username,
+				Name:        utils.Capitalize(req.Username),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
+				Provider:    "username",
+				TotpPending: true,
+			})
+
+			c.JSON(200, gin.H{
+				"status":      200,
+				"message":     "TOTP required",
+				"totpPending": true,
+			})
+			return
+		}
+	}
+
+	controller.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: req.Username,
+		Name:     utils.Capitalize(req.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
+		Provider: "username",
+	})
+
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Login successful",
+	})
+}
+
+func (controller *UserController) logoutHandler(c *gin.Context) {
+	controller.Auth.DeleteSessionCookie(c)
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Logout successful",
+	})
+}
+
+func (controller *UserController) totpHandler(c *gin.Context) {
+	var req TotpRequest
+
+	err := c.BindJSON(&req)
+	if err != nil {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	context, err := utils.GetContext(c)
+
+	if err != nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	if !context.IsLoggedIn {
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	clientIP := c.ClientIP()
+
+	rateIdentifier := context.Username
+
+	if rateIdentifier == "" {
+		rateIdentifier = clientIP
+	}
+
+	isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
+
+	if isLocked {
+		c.JSON(429, gin.H{
+			"status":  429,
+			"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
+		})
+		return
+	}
+
+	user := controller.Auth.GetLocalUser(context.Username)
+
+	ok := totp.Validate(req.Code, user.TotpSecret)
+
+	if !ok {
+		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	controller.Auth.RecordLoginAttempt(rateIdentifier, true)
+
+	controller.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: user.Username,
+		Name:     utils.Capitalize(user.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.Config.Domain),
+		Provider: "username",
+	})
+
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Login successful",
+	})
+}