6d6b53270d
token cleanup consistency
2026-05-17 18:42:07 +12:00
225041126e
refactor memeory_test.go
2026-05-17 18:27:18 +12:00
ac1ff0a07f
nil check on db close
2026-05-17 18:12:29 +12:00
ea15206906
add sqlc to ci diff check
2026-05-17 18:12:28 +12:00
169fd8e903
more wrapper cleanup
2026-05-17 18:12:28 +12:00
91856cc56c
test(db): add memory driver tests
2026-05-17 18:12:28 +12:00
36a3c3fbc6
refactor(db): cleanup sqlc-wrapper gen
2026-05-17 18:12:28 +12:00
71b97040d3
feat(db): add memory storage driver
...
removes the sqlite dependency for tests, also brings back the option for
users to run zero persistence instances of tinyauth.
adds new mapErr fn for sqlc wrapper gen to prevent sql errors from
leaking out of the store implementation.
2026-05-17 18:12:28 +12:00
8be53e5866
feat(db): add code gen to build sqlc-compatible wrappers
2026-05-17 18:12:28 +12:00
7927a977ec
refactor(db): use new store interface
2026-05-17 18:12:28 +12:00
8932f2ad46
feat: ensure public key pairs with private key in oidc service
2026-05-16 20:43:50 +03:00
482ba9d99f
fix: use yml instead of yaml files for issue templates
2026-05-16 20:27:48 +03:00
1bcd1bb59a
fix: fix feature request template and allow blank issues
2026-05-16 20:24:11 +03:00
5349f21212
fix: use loaded public key in oidc service, fixes #860
2026-05-16 17:09:21 +03:00
e8071a9d80
fix: bug fixes for issues #859 , 860, 861, 862, 863, 864, 865, 866 ( #867 )
...
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-05-16 17:04:01 +03:00
1f67797605
Update templates to use forms ( #872 )
2026-05-16 17:01:18 +03:00
ca06099466
tests: fix tests for proxy controller
2026-05-15 18:43:18 +03:00
d4b4245017
chore: revert 4c741a5 and use 403 for acl errors
2026-05-15 18:39:12 +03:00
4c741a5990
fix: use 401 errors instead of 403 for nginx responses
2026-05-15 18:12:15 +03:00
def539a40f
refactor: replace bun with pnpm ( #870 )
2026-05-15 14:43:51 +03:00
e6b291d21c
docs: enhance security policy with reporting guidelines ( #868 )
2026-05-14 00:08:48 +03:00
086e3af4e2
chore: add deepsec to gitignore
2026-05-13 19:11:39 +03:00
f9fff24ca5
fix: oidc open redirect ( #854 )
2026-05-13 17:34:39 +03:00
a9eac7edd2
fix(ldap): pass through LDAP mail attribute instead of crafting email ( #834 )
...
* fix(ldap): pass through LDAP mail attribute instead of crafting email
TinyAuth was constructing LDAP user emails as username@CookieDomain
instead of using the mail attribute stored in the directory. This caused
OIDC clients like Grafana to receive a synthetic email rather than the
real one.
Rename GetUserDN to GetUserInfo and extend it to also fetch the mail
attribute in the same LDAP query. Thread the result through UserSearch
and use it in both the login flow and the basic auth middleware, falling
back to the crafted email only when LDAP returns no mail value.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
* chore: add ldap email logic back after main merge
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
Co-authored-by: Stavros <steveiliop56@gmail.com >
2026-05-11 15:40:15 +03:00
a6351790c3
chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 ( #842 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.35.3 to 4.35.4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...68bde559dea0fdcac2102bfdf6230c5f70eb485e )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.35.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-10 16:36:01 +03:00
4f7335ed73
refactor: rework app logging, dependency injection and cancellation ( #844 )
...
* feat: add new logger
* refactor: use one struct for context handling and cancellation
* refactor: rework logging and config in controllers
* refactor: rework logging and config in middlewares
* refactor: rework logging and cancellation in services
* refactor: rework cli logging
* fix: improve logging in routines
* feat: use sync groups for better cancellation
* refactor: simplify middleware, controller and service init
* tests: fix controller tests
* tests: use require instead of assert where previous step is required
* tests: fix middleware tests
* tests: fix service tests
* tests: fix context tests
* fix: fix typos
* feat: add option to enable or disable concurrent listeners
* fix: assign public key correctly in oidc server
* tests: fix don't try to test logger with char size
* fix: coderabbit comments
* tests: use filepath join instead of path join
* fix: ensure unix socket shutdown doesn't run twice
* chore: remove temp lint file
2026-05-10 16:10:36 +03:00
1b18e68ce0
docs: regenerate readme sponsors list ( #841 )
...
Co-authored-by: GitHub <noreply@github.com >
2026-05-07 16:53:07 +03:00
6602b52f85
feat: add support for oauth whitelist file ( #817 ) ( #826 )
...
* feat: add support for oauth whitelist file (#817 )
* Merge branch 'main' into feat/oauth-whitelist-file
* fix: fix conflicts
* tests: use testify for testing
---------
Co-authored-by: Stavros <steveiliop56@gmail.com >
2026-05-07 16:35:38 +03:00
a8a98bd8d5
chore(deps): bump the minor-patch group across 1 directory with 3 updates ( #827 )
...
Bumps the minor-patch group with 3 updates in the / directory: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery ), [k8s.io/client-go](https://github.com/kubernetes/client-go ) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ).
Updates `k8s.io/apimachinery` from 0.32.2 to 0.36.0
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.2...v0.36.0 )
Updates `k8s.io/client-go` from 0.32.2 to 0.36.0
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md )
- [Commits](https://github.com/kubernetes/client-go/compare/v0.32.2...v0.36.0 )
Updates `modernc.org/sqlite` from 1.49.1 to 1.50.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.49.1...v1.50.0 )
---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-patch
- dependency-name: k8s.io/client-go
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-07 16:13:04 +03:00
ca6a7fa551
feat: add option to run tinyauth on a top-level domain ( #710 )
...
* Add TINYAUTH_AUTH_SUBDOMAINSENABLED option
Setting it to false allows to use Tinyauth on top-level domain only,
but forbids automatic cross-app authentication using Traefik/Nginx.
* fix: inform services and controllers if subdomain cookie domain is enabled
* chore: rabbit feedback
* fix: deny ip addresses for standalone domain
---------
Co-authored-by: Stavros <steveiliop56@gmail.com >
2026-05-07 16:12:24 +03:00
1382ab41e7
refactor: rework user context handling throughout tinyauth ( #829 )
...
* wip
* fix: fix util imports
* fix: fix bootstrap import issues
* fix: fix cli imports
* fix: context controller
* fix: use new context in user controller
* fix: fix imports and context in proxy controller
* fix: fix oauth and oidc controller imports and context
* feat: finalize context functionality
* refactor: simplify acls checking logic by passing the entire acl struct
* chore: rename get basic auth to encode basic auth for clarity
* fix: fix controller tests
* tests: fix service tests
* tests: fix utils tests
* tests: move to testify for testing in utils
* fix: fix config reference generator
* tests: add tests for context parsing
* tests: add tests for context middleware
* tests: remove error wrapper from context tests
* tests: fix log wrapper tests
* fix: fix verion setting in cd and dockerfiles
* fix: review comments batch 1
* fix: review comments batch 2
* fix: review comments batch 3
* fix: delete totp pending session cookie on totp success
* tests: fix user controller tests
* fix: don't audit login too early
* fix: own comments
2026-05-07 15:41:07 +03:00
24f2da4e58
chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 ( #837 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.35.2 to 4.35.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...e46ed2cbd01164d986452f91f178727624ae40d7 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.35.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-06 18:49:37 +03:00
956d2f55c3
feat(access-control): Add support for Kubernetes Label ( #627 )
...
* feat(access-control): Add support for Kubernetes Label
* feat(access-control): Defaults to Docker
* feat(access-control): Remove kubeconfig fallback
* feat(watcher): Watcher for kubernetes service
* feat(watcher): Merge with main + remove nightly fix redirect
* fix(go): Go mod + Go sum after sync with main
* fix(config): Ser default value for LabelProvider to Docker
* feat(go): go mod tidy
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): (Watcher) -> Wait 5s before breaking to outer loop again
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove logic for deprecated Ingress k8s v1.22
* feat(k8s_service): Remove
var _ = unstructured.Unstructured{} + comments + msg edits
* feat(bootstrap): Remove dockerService from bootstrap svc
* feat(auth_svc): Remove dockerService from authservice
* feat(test): Add tests for kubernetes_services
* feat(test): Remove docker serivce form proxy/user test
* fix(refactor): Remove update logic from watcher and resync
* fix(refactor): Split watchGVR to make it more readable
* fix(refactor): Remove discovery + drop K 1.22 completely
* fix(refactor): Move interface to acess_controls_service
* feat: Autodetect labelprovider if TINYAUTH_LABELPROVIDER not set
* fix(test): Match testing scheme to the controllers
* fix: service bootstrap import after merge
* fix: service bootstrap import after merge
2026-04-29 16:16:21 +03:00
5e822d99e1
chore: fix typos in oidc service
2026-04-29 16:08:21 +03:00
373ee8806e
chore: prefer errors.is instead of comparison
2026-04-29 16:04:27 +03:00
a14d64c8ba
chore: remove exp slices package and use stdlib
2026-04-29 15:56:35 +03:00
d51e3efe32
fix: use pinned step versions and set workflow permissions ( #825 )
...
* fix: use pinned step versions and set workflow permissions
* fix: use contents write in sponsors list action
2026-04-28 15:52:02 +03:00
d73cc628fb
chore: add openssf baseline badge to readme
2026-04-28 15:46:40 +03:00
a8737ab0bd
fix: use frozen lockfile in makefile bun install
2026-04-28 15:31:07 +03:00
11793c9869
fix: use frozen lockfile in all bun installs
2026-04-28 15:30:21 +03:00
c68a022ed0
docs: add ai policy ( #821 )
...
* docs: add ai policy
* docs: rework ai policy for more clear rules and expectations
* chore: review comments
* chore: rabbit feedback
* chore: update contributing guide to reference ai policy
2026-04-27 20:44:44 +03:00
5d95123dcb
feat(oidc): support for all in-spec attributes and scopes ( #777 )
...
* feat(oidc): support for all in-spec attributes and scopes
* add tests
* assert phone/email verified when either is set
* update tests
* add claims back to userinfo
* remove redundant column drop in migration
* fix duplicate migration id
* fix clobbered imports post-rebase
2026-04-27 19:25:52 +03:00
c364b8682c
feat: preserve login params in forgot password screen ( #819 )
2026-04-26 18:03:25 +03:00
ab7c81f63b
chore(deps): bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1 ( #814 )
...
Bumps [github.com/Azure/go-ntlmssp](https://github.com/Azure/go-ntlmssp ) from 0.1.0 to 0.1.1.
- [Release notes](https://github.com/Azure/go-ntlmssp/releases )
- [Commits](https://github.com/Azure/go-ntlmssp/compare/v0.1.0...v0.1.1 )
---
updated-dependencies:
- dependency-name: github.com/Azure/go-ntlmssp
dependency-version: 0.1.1
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:16:39 +03:00
a9a782a9e4
chore(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 ( #812 )
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](https://github.com/ossf/scorecard-action/compare/f49aabe0b5af0936a0987cfb85d86b75731b0186...4eaacf0543bb3f2c246792bd56e8cdeffafb205a )
---
updated-dependencies:
- dependency-name: ossf/scorecard-action
dependency-version: 2.4.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:16:15 +03:00
399dee2ee5
chore(deps): bump actions/upload-artifact from 4.6.1 to 7.0.1 ( #811 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.6.1 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4.6.1...v7.0.1 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:15:57 +03:00
6422d5e491
chore(deps): bump github/codeql-action from 3 to 4 ( #810 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](https://github.com/github/codeql-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:15:28 +03:00
a96ee13876
chore(deps): bump actions/checkout from 4.2.2 to 6.0.2 ( #809 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...v6.0.2 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:15:05 +03:00
92b435d8cb
chore(deps): bump the minor-patch group across 1 directory with 2 updates ( #807 )
...
Bumps the minor-patch group with 2 updates in the / directory: [github.com/rs/zerolog](https://github.com/rs/zerolog ) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ).
Updates `github.com/rs/zerolog` from 1.35.0 to 1.35.1
- [Commits](https://github.com/rs/zerolog/compare/v1.35.0...v1.35.1 )
Updates `modernc.org/sqlite` from 1.48.2 to 1.49.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.48.2...v1.49.1 )
---
updated-dependencies:
- dependency-name: github.com/rs/zerolog
dependency-version: 1.35.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.49.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:14:40 +03:00
03164f6c97
chore(deps): bump oven/bun from 1.3.12-alpine to 1.3.13-alpine ( #804 )
...
Bumps oven/bun from 1.3.12-alpine to 1.3.13-alpine.
---
updated-dependencies:
- dependency-name: oven/bun
dependency-version: 1.3.13-alpine
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-26 17:14:21 +03:00
Scott McKendry