barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2026-06-22 11:20:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
859 Commits 30 Branches 127 Tags
474e297d9d7ab9e48f401296758efd11a4402f2b
Commit Graph

340 Commits

Author SHA1 Message Date
Stavros 474e297d9d feat: inject runtime helpers to controllers and services 2026-06-21 13:00:36 +03:00
Stavros 23af559f2f Merge branch 'main' into feat/oidc-preserve-consent 2026-06-21 12:53:07 +03:00
Stavros efe373084f feat: support for oidc max age (#949) 2026-06-20 00:21:22 +03:00
Stavros 7f18b45e21 feat: support for the prompt parameter in the oidc flow (#948) 2026-06-20 00:04:41 +03:00
Stavros 6ccc894570 tests: improve test coverage for controllers (#946) 2026-06-19 11:59:16 +03:00
Stavros 53af1b99c0 tests: don't use _test suffix in service and controller tests (#944) 2026-06-17 17:03:30 +03:00
Stavros 654b5cc436 fix: use better limits in lockdown to limit dos attack window (#943) 2026-06-17 13:10:58 +03:00
Stavros f7d7f1c4f0 feat: add psl checks to the oauth controller is safe redirect check 2026-06-17 13:05:42 +03:00
Stavros e7d26f497d fix: use runtime trusted uris in oauth controller 2026-06-17 12:33:09 +03:00
Stavros a9face749d chore: remove leftover debug log line from tailscale service 2026-06-17 12:15:51 +03:00
Stavros c825d81b2d feat: add support for webfinger (#941) 2026-06-16 15:05:11 +03:00
Stavros f404c2ef16 feat: use dig for di in services and controllers (#936) 2026-06-16 13:00:48 +03:00
Stavros a0e74cd5f2 refactor: move oidc handling to backend and add support for oidc post (#923) 
Co-authored-by: Claude <noreply@anthropic.com>
 2026-06-13 16:45:12 +03:00
Stavros cd51263428 feat: add frontend 2026-06-11 18:40:56 +03:00
Stavros 24f166551e feat: add backend for oidc consent 2026-06-11 18:18:47 +03:00
Stavros e4c5f14d8c chore: init db migrations 2026-06-11 18:18:39 +03:00
Stavros ed97021c19 chore: merge oidc-authorize branch 2026-06-11 18:18:21 +03:00
Ryc O'Chet 49105ce5ff feat: add ldap bind password file (#929) 2026-06-11 13:25:22 +03:00
Stavros 426eac2d0b refactor: rework oidc session storage (#913) 2026-06-06 16:26:08 +03:00
Stavros dac844595d refactor: use new cache store in services (#912) 2026-05-31 18:55:06 +03:00
Stavros 940ba6dff7 fix: don't allow tagged devices in tailscale integration 2026-05-31 12:42:00 +03:00
Stavros faee58ca8e feat: use ding for ordered go routine shutdown order (#896) 2026-05-27 12:46:28 +03:00
Stavros e9b8ca3cf8 fix: cleanup acl logic to match stable one 2026-05-27 12:11:17 +03:00
Stavros 4538922caf refactor: simplify error handling in oidc authorize handler (#907) 2026-05-27 11:27:10 +03:00
Stavros 672db84200 feat: make config file a stable feature (#897) 2026-05-27 11:26:09 +03:00
Scott McKendry 359000f731 feat(db): add postgresql support (#892) 2026-05-26 00:08:59 +03:00
Stavros 0a3e7bf265 fix: use policy engine in oauth whitelist check (#904) 2026-05-26 00:07:46 +03:00
Puneet Dixit c3461131f5 feat: support provider-specific OAuth whitelists (#882) 
Co-authored-by: Puneet Dixit <236133619+puneetdixit200@users.noreply.github.com>
 2026-05-24 20:18:33 +03:00
Scott McKendry e532cde2b6 fix: potential nil pointer dereferences (#893) 2026-05-24 17:23:48 +03:00
Stavros 2737a25227 fix: don't point to nil local users in bootstrap app 2026-05-23 20:24:54 +03:00
Scott McKendry 7aa25210f5 feat(config): allow global bypass by ip (#889) 2026-05-23 19:58:48 +03:00
Stavros 55bef72639 fix: ensure domain defined in acls is included in host rules (#884) 2026-05-23 17:13:41 +03:00
Stavros ae17bd3b66 fix: do not log user context not found errors in proxy controller 2026-05-23 16:43:03 +03:00
Stavros 3194f4b987 chore: remove stale error from tailscale service 2026-05-20 23:04:38 +03:00
Stavros 9b50670925 fix: handle panics in tailscale service 2026-05-20 23:01:14 +03:00
Stavros 1166a15aa7 feat: tailscale integration (#847) 2026-05-20 20:10:38 +03:00
Stavros c855f9b8ac feat: add support for deny by default access controls (#852) 2026-05-19 18:07:55 +03:00
Scott McKendry a56c349525 refactor(db): use new store interface (#831) 2026-05-18 22:33:09 +03:00
Stavros 8932f2ad46 feat: ensure public key pairs with private key in oidc service 2026-05-16 20:43:50 +03:00
Stavros 5349f21212 fix: use loaded public key in oidc service, fixes #860 2026-05-16 17:09:21 +03:00
Dreddy e8071a9d80 fix: bug fixes for issues #859, 860, 861, 862, 863, 864, 865, 866 (#867) 
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
 2026-05-16 17:04:01 +03:00
Stavros ca06099466 tests: fix tests for proxy controller 2026-05-15 18:43:18 +03:00
Stavros d4b4245017 chore: revert 4c741a5 and use 403 for acl errors 2026-05-15 18:39:12 +03:00
Stavros 4c741a5990 fix: use 401 errors instead of 403 for nginx responses 2026-05-15 18:12:15 +03:00
Dreddy f9fff24ca5 fix: oidc open redirect (#854) 2026-05-13 17:34:39 +03:00
Ilyas a9eac7edd2 fix(ldap): pass through LDAP mail attribute instead of crafting email (#834) 
* fix(ldap): pass through LDAP mail attribute instead of crafting email

TinyAuth was constructing LDAP user emails as username@CookieDomain
instead of using the mail attribute stored in the directory. This caused
OIDC clients like Grafana to receive a synthetic email rather than the
real one.

Rename GetUserDN to GetUserInfo and extend it to also fetch the mail
attribute in the same LDAP query. Thread the result through UserSearch
and use it in both the login flow and the basic auth middleware, falling
back to the crafted email only when LDAP returns no mail value.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: add ldap email logic back after main merge

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Stavros <steveiliop56@gmail.com>
 2026-05-11 15:40:15 +03:00
Stavros 4f7335ed73 refactor: rework app logging, dependency injection and cancellation (#844) 
* feat: add new logger

* refactor: use one struct for context handling and cancellation

* refactor: rework logging and config in controllers

* refactor: rework logging and config in middlewares

* refactor: rework logging and cancellation in services

* refactor: rework cli logging

* fix: improve logging in routines

* feat: use sync groups for better cancellation

* refactor: simplify middleware, controller and service init

* tests: fix controller tests

* tests: use require instead of assert where previous step is required

* tests: fix middleware tests

* tests: fix service tests

* tests: fix context tests

* fix: fix typos

* feat: add option to enable or disable concurrent listeners

* fix: assign public key correctly in oidc server

* tests: fix don't try to test logger with char size

* fix: coderabbit comments

* tests: use filepath join instead of path join

* fix: ensure unix socket shutdown doesn't run twice

* chore: remove temp lint file
 2026-05-10 16:10:36 +03:00
djedditt 6602b52f85 feat: add support for oauth whitelist file (#817) (#826) 
* feat: add support for oauth whitelist file (#817)

* Merge branch 'main' into feat/oauth-whitelist-file

* fix: fix conflicts

* tests: use testify for testing

---------

Co-authored-by: Stavros <steveiliop56@gmail.com>
 2026-05-07 16:35:38 +03:00
Jacek Kowalski ca6a7fa551 feat: add option to run tinyauth on a top-level domain (#710) 
* Add TINYAUTH_AUTH_SUBDOMAINSENABLED option

Setting it to false allows to use Tinyauth on top-level domain only,
but forbids automatic cross-app authentication using Traefik/Nginx.

* fix: inform services and controllers if subdomain cookie domain is enabled

* chore: rabbit feedback

* fix: deny ip addresses for standalone domain

---------

Co-authored-by: Stavros <steveiliop56@gmail.com>
 2026-05-07 16:12:24 +03:00
Stavros 1382ab41e7 refactor: rework user context handling throughout tinyauth (#829) 
* wip

* fix: fix util imports

* fix: fix bootstrap import issues

* fix: fix cli imports

* fix: context controller

* fix: use new context in user controller

* fix: fix imports and context in proxy controller

* fix: fix oauth and oidc controller imports and context

* feat: finalize context functionality

* refactor: simplify acls checking logic by passing the entire acl struct

* chore: rename get basic auth to encode basic auth for clarity

* fix: fix controller tests

* tests: fix service tests

* tests: fix utils tests

* tests: move to testify for testing in utils

* fix: fix config reference generator

* tests: add tests for context parsing

* tests: add tests for context middleware

* tests: remove error wrapper from context tests

* tests: fix log wrapper tests

* fix: fix verion setting in cd and dockerfiles

* fix: review comments batch 1

* fix: review comments batch 2

* fix: review comments batch 3

* fix: delete totp pending session cookie on totp success

* tests: fix user controller tests

* fix: don't audit login too early

* fix: own comments
 2026-05-07 15:41:07 +03:00