barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2026-04-11 00:07:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
742 Commits 23 Branches 122 Tags
ba8dc42578614f9770919425c158fe0ca22a21df
Commit Graph

71 Commits

Author SHA1 Message Date
Stavros
ba8dc42578 feat: add x-tinyauth-location to nginx response 
Solves #773. Normally you let Nginx handle the login URL creation but with this "hack"
we can set an arbitary header with where Tinyauth wants the user to go to. Later the
Nginx error page can get this header and redirect accordingly.
 2026-04-10 18:21:33 +03:00
Stavros
b44dc75f54 fix: return 307 redirects for envoy proxy instead of 401 (#782) 
* fix: return 307 redirects for envoy proxy instead of 401

* tests: extend testing for non browser detection in all proxies
 2026-04-10 18:11:10 +03:00
Stavros
2c1b62f464 feat: preserve oidc params in oauth flow (#772) 2026-04-10 15:58:31 +03:00
Scott McKendry
646e24d98c feat(oidc): support access token in body for user info post (#769) 2026-04-08 09:54:54 +01:00
Scott McKendry
0d286d1864 feat(oidc): add post route for /userinfo (#767) 
easy two-liner to pass `oidcc-userinfo-post-header` test in conformance
suite.
 2026-04-07 23:28:38 +01:00
Stavros
165197e472 feat: add pkce support to oidc server (#766) 
* feat: add pkce support to oidc server

* tests: add test cases for pkce

* fix: review comments

* chore: remove debug line

* chore: remove simple logger from testing

* tests: add test for invalid challenge method

* chore: fix typo
 2026-04-07 19:04:20 +03:00
Stavros
3373dcc412 test: extend traefik browser tests 2026-04-02 18:46:38 +03:00
Stavros
9d666dc108 fix: skip browser detection for nginx and envoy 2026-04-02 18:24:38 +03:00
Stavros
892097dc4d fix: account for proxy type in browser response 2026-04-02 15:35:55 +03:00
Stavros
da247f8552 fix: handle oauth provider id mismatch correctly 2026-03-30 23:02:20 +03:00
Stavros
5811218dbf refactor: tests (#731) 
* tests: rework tests for context controller

* tests: add tests for health controller

* tests: add tests for oidc controller

* tests: use testify assert in context and health controller

* tests: add tests for user controller

* tests: add tests for resources controller

* tests: add well known controller tests

* test: add proxy controller tests

* chore: review comments

* chore: more review comments

* chore: cancel lockdown in testing

* tests: fix get cookie domain tests

* chore: add comment for testing passwords
 2026-03-30 15:31:34 +03:00
Stavros
f26c217161 refactor: oauth flow (#726) 
* wip

* feat: add oauth session impl in auth service

* feat: move oauth logic into auth service and handle multiple sessions

* tests: fix tests

* fix: review comments

* fix: prevent ddos attacks in oauth rate limit
 2026-03-22 21:03:32 +02:00
Stavros
dc3fa58d21 refactor: refactor proxy controller to handle proxy auth modules better (#714) 
* wip

* fix: add extauthz to friendly error messages

* refactor: better module handling per proxy

* fix: get envoy host from the gin request

* tests: rework tests for proxy controller

* fix: review comments
 2026-03-14 19:56:15 +02:00
Stavros
b3de69e5d6 chore: add comment explaining uri header 2026-03-12 16:36:13 +02:00
Stavros
016a954963 fix: make a x forwarded uri an non required header 2026-03-12 16:26:42 +02:00
Stavros
b2a1bfb1f5 fix: validate client id on oidc token endpoint 2026-03-11 16:48:04 +02:00
Stavros
f1e869a920 fix: ensure user context has is logged in set to true 2026-03-11 15:57:50 +02:00
Stavros
cc5a6d73cf tests: ensure all forwarded headers are set on tests 2026-03-11 15:53:39 +02:00
Stavros
2e03eb9612 fix: do not continue auth on empty x-forwarded headers 2026-03-11 15:46:09 +02:00
Stavros
d7d540000f fix: state should not be a required field in oidc 2026-03-08 11:17:44 +02:00
Stavros
69c6c0ba1d fix: add cache control header to token response 2026-03-04 19:38:52 +02:00
Stavros
a71f61df8d feat: add email verified claim 2026-03-04 15:52:31 +02:00
Stavros
6bf444010b feat: add nonce claim support to oidc server (#686) 
* feat: add nonce claim support to oidc server

* fix: review feedback
 2026-03-04 15:34:11 +02:00
Stavros
cd410b6cdf refactor: categorize leftover config options (#682) 
* refactor: categorize leftover config options

* chore: update config description
 2026-03-02 19:49:59 +02:00
Stavros
43e0f3e713 chore: add correct oidc service documetation url 2026-02-26 17:37:47 +02:00
Stavros
4a1889c20b feat: oidc client create command (#672) 
* feat: add oidc client create command

* refactor: use own utility for creating random strings (more flexible
than stdlib)

* feat: validate client name to avoid config errors

* refactor: limit to only alphanumeric characters and hyphens

* refactor: remove the need of the logger in the create oidc client cmd
 2026-02-26 17:28:58 +02:00
Stavros
22c4c262ea feat: add support for client secret post auth to oidc token endpoint 2026-02-07 21:04:58 +02:00
Stavros
51d95fa455 fix: do not append domains to users that have an email as the username 2026-02-02 16:25:49 +02:00
Stavros
fd16f91011 fix: ensure oidc service is configured before performing any actions 2026-02-02 16:25:49 +02:00
Stavros
671343f677 feat: oidc (#605) 
* chore: add oidc base config

* wip: authorize page

* feat: implement basic oidc functionality

* refactor: implement oidc following tinyauth patterns

* feat: adapt frontend to oidc flow

* fix: review comments

* fix: oidc review comments

* feat: refresh token grant type support

* feat: cleanup expired oidc sessions

* feat: frontend i18n

* fix: fix typo in error screen

* tests: add basic testing

* fix: more review comments

* refactor: rework oidc error messages

* feat: openid discovery endpoint

* feat: jwk endpoint

* i18n: fix typo

* fix: more rabbit nitpicks

* fix: final review comments

* i18n: authorize page error messages
 2026-02-01 19:00:59 +02:00
Stavros
4926e53409 feat: ldap group acls (#590) 
* wip

* refactor: remove useless session struct abstraction

* feat: retrieve and store groups from ldap provider

* chore: fix merge issue

* refactor: rework ldap group fetching logic

* feat: store ldap group results in cache

* fix: review nitpicks

* fix: review feedback
 2026-01-17 20:03:29 +02:00
Pushpinder Singh
53bd413046 feat: configurable component-level logging (#575) 
* Refactor logging to use centralized logger utility

- Removed direct usage of zerolog in multiple files and replaced it with a centralized logging utility in the `utils` package.
- Introduced `Loggers` struct to manage different loggers (Audit, HTTP, App) with configurable levels and outputs.
- Updated all relevant files to utilize the new logging structure, ensuring consistent logging practices across the application.
- Enhanced error handling and logging messages for better traceability and debugging.

* refactor: update logging implementation to use new logger structure

* Refactor logging to use tlog package

- Replaced instances of utils logging with tlog in various controllers, services, and middleware.
- Introduced audit logging for login success, login failure, and logout events.
- Created tlog package with structured logging capabilities using zerolog.
- Added tests for the new tlog logger functionality.

* refactor: update logging configuration in environment files

* fix: adding coderabbit suggestions

* fix: ensure correct audit caller

* fix: include reason in audit login failure logs
 2026-01-15 15:57:19 +02:00
Stavros
e3f92ce4fc refactor: simplify user parsing (#571) 2026-01-08 16:03:37 +02:00
Stavros
1ffb838c0f feat: add support for global ip filters (#567) 2026-01-08 15:26:53 +02:00
Pushpinder Singh
e7bd64d7a3 feat: add session max lifetime and fix refresh logic (#559) 
* feat: allow any HTTP method for /api/auth/envoy and restrict methods for non-envoy proxies

* feat: add Allow header for invalid methods in proxyHandler

* feat: add session max lifetime and fix refresh logic

* fix: set default value for created_at column and improve session expiration logic

---------

Co-authored-by: Stavros <steveiliop56@gmail.com>
 2026-01-07 13:37:23 +02:00
Stavros
f1e2b55cd1 fix: add rate limiting in the forward auth endpoint (#555) 2025-12-31 21:04:08 +02:00
Stavros
7e17a4ad86 refactor: replace gorm with vanilla sql and sqlc (#541) 
* refactor: replace gorm with vanilla sql and sqlc

* chore: go mod tidy

* refactor: rebase for main

* tests: fix tests

* fix: review comments
 2025-12-31 17:59:21 +02:00
Pushpinder Singh
974f2a67f0 fix: allow any HTTP method for /api/auth/envoy (#551) 
* feat: allow any HTTP method for /api/auth/envoy and restrict methods for non-envoy proxies

* feat: add Allow header for invalid methods in proxyHandler
 2025-12-31 11:34:25 +02:00
Stavros
9a3fecd565 feat: non-docker acls (#549) 
* wip

* feat: add paerser as submodule and apply patch for nested maps

* refactor: update release workflows to include submodule and patches

* chore: update contributing instructions
 2025-12-30 18:26:57 +02:00
Stavros
43487d44f7 feat: forward sub from oidc providers (#543) 
* feat: forward sub from oidc providers

* fix: review comments
 2025-12-26 19:02:51 +02:00
Stavros
2d8af0510e feat: refresh session cookie when session is active (#540) 
* feat: refresh session cookie when session is active

* refactor: use current time to set new expiry
 2025-12-26 17:55:54 +02:00
Stavros
a1c3e416b6 refactor: use proper module name (#542) 
* chore: reorganize go mod

* refactor: use proper module name
 2025-12-26 17:53:24 +02:00
Stavros
ef25872fc3 feat: add support for Envoy proxy (#538) 
* feat: add support for 'envoy' proxy in proxyHandler validation

* refactor: simplify proxy route setup by consolidating envoy handling

* feat(proxy): add method validation for proxy authentication

* fix(proxy): reorder method validation for proxy authentication

* refactor: use a slice to check for supported proxies

---------

Co-authored-by: pushpinderbal <me@s1ngh.ca>
Co-authored-by: Pushpinder Singh <53684951+pushpinderbal@users.noreply.github.com>
Co-authored-by: Pushpinder Singh <pushpinder.singh@arcticwolf.com>
 2025-12-22 22:28:34 +02:00
Stavros
641b9aa531 feat: log unsafe redirect uri in oauth controller 2025-11-23 14:06:35 +02:00
Stavros
6c90046343 feat: add option to disable ui warnings 2025-11-21 17:37:08 +02:00
Stavros
2af036b38e feat: add logging for session creation 2025-11-06 16:18:01 +02:00
Stavros
60dada86a6 feat: add support for listening on unix sockets 2025-11-04 18:42:04 +02:00
Chris Ellrich
c5bb389258 feat: ACL labels from environment variables (#422) 
* feat: add LabelService to retrieve application labels from environment variables

* feat: allow usage of labels from docker and env variables simultaneously

Prioritize labels from environment variables over labels from docker
labels

* fix: handle error returned by label_serive.go/LoadLabels

see https://github.com/steveiliop56/tinyauth/pull/422#discussion_r2443443032

* refactor(label_service): use simple loop instead of slices.ContainsFunc to avoid experimental slices package
see https://github.com/steveiliop56/tinyauth/pull/422#pullrequestreview-3354632045

* refactor: merge acl logic into one service

---------

Co-authored-by: Stavros <steveiliop56@gmail.com>
 2025-10-21 16:02:31 +03:00
Stavros
5482430907 refactor: generate a verifier on every oauth auth session 2025-10-19 19:03:38 +03:00
Stavros
9b76a84ee2 feat: add trace logging 2025-10-11 15:27:01 +03:00