wip

fix: validate client id on oidc token endpoint
fix: ensure user context has is logged in set to true
2026-04-19 03:58:15 +00:00 · 2026-03-12 16:17:16 +02:00 · 2026-03-11 16:48:04 +02:00 · 2026-03-11 15:57:50 +02:00 · 2026-03-11 15:53:39 +02:00 · 2026-03-11 15:47:22 +02:00
11 changed files with 268 additions and 183 deletions
@@ -1,6 +1,5 @@
 services:
  traefik:
-    container_name: traefik
    image: traefik:v3.6
    command: --api.insecure=true --providers.docker
    ports:
@@ -9,7 +8,6 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
-    container_name: whoami
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
@@ -17,7 +15,6 @@ services:
      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth-frontend:
-    container_name: tinyauth-frontend
    build:
      context: .
      dockerfile: frontend/Dockerfile.dev
@@ -30,7 +27,6 @@ services:
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)

  tinyauth-backend:
-    container_name: tinyauth-backend
    build:
      context: .
      dockerfile: Dockerfile.dev
@@ -1,6 +1,5 @@
 services:
  traefik:
-    container_name: traefik
    image: traefik:v3.6
    command: --api.insecure=true --providers.docker
    ports:
@@ -9,7 +8,6 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
-    container_name: whoami
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
@@ -17,8 +15,7 @@ services:
      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth:
-    container_name: tinyauth
-    image: ghcr.io/steveiliop56/tinyauth:v3
+    image: ghcr.io/steveiliop56/tinyauth:v5
    environment:
      - TINYAUTH_APPURL=https://tinyauth.example.com
      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
@@ -2,77 +2,77 @@ package controller_test

 import (
 	"encoding/json"
-	"net/http/httptest"
+	"io"
+	"net/http"
 	"testing"

-	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/steveiliop56/tinyauth/internal/controller"
-	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
-
 	"github.com/gin-gonic/gin"
+	"github.com/steveiliop56/tinyauth/internal/controller"
 	"gotest.tools/v3/assert"
 )

-var contextControllerCfg = controller.ContextControllerConfig{
-	Providers: []controller.Provider{
-		{
-			Name:  "Local",
-			ID:    "local",
-			OAuth: false,
+func TestUserContextController(t *testing.T) {
+	// Controller setup
+	suite := NewControllerTest(func(router *gin.RouterGroup) *controller.ContextController {
+		ctrl := controller.NewContextController(contextControllerCfg, router)
+		ctrl.SetupRoutes()
+		return ctrl
+	})
+
+	// Test user context
+	req, err := http.NewRequest("GET", "/api/context/user", nil)
+	assert.NilError(t, err)
+
+	ctx := testContext
+	ctx.IsLoggedIn = true
+	ctx.Provider = "local"
+
+	expected, err := json.Marshal(controller.UserContextResponse{
+		Status:      200,
+		Message:     "Success",
+		IsLoggedIn:  ctx.IsLoggedIn,
+		Username:    ctx.Username,
+		Name:        ctx.Name,
+		Email:       ctx.Email,
+		Provider:    ctx.Provider,
+		OAuth:       ctx.OAuth,
+		TotpPending: ctx.TotpPending,
+		OAuthName:   ctx.OAuthName,
+	})
+	assert.NilError(t, err)
+
+	resp := suite.RequestWithMiddleware(req, []gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &ctx)
 		},
-		{
-			Name:  "Google",
-			ID:    "google",
-			OAuth: true,
-		},
-	},
-	Title:                 "Test App",
-	AppURL:                "http://localhost:8080",
-	CookieDomain:          "localhost",
-	ForgotPasswordMessage: "Contact admin to reset your password.",
-	BackgroundImage:       "/assets/bg.jpg",
-	OAuthAutoRedirect:     "google",
-	WarningsEnabled:       true,
-}
+	})

-var contextCtrlTestContext = config.UserContext{
-	Username:    "testuser",
-	Name:        "testuser",
-	Email:       "test@example.com",
-	IsLoggedIn:  true,
-	IsBasicAuth: false,
-	OAuth:       false,
-	Provider:    "local",
-	TotpPending: false,
-	OAuthGroups: "",
-	TotpEnabled: false,
-	OAuthSub:    "",
-}
+	assert.Equal(t, http.StatusOK, resp.Code)
+	bytes, err := io.ReadAll(resp.Body)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, bytes)

-func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
-	tlog.NewSimpleLogger().Init()
+	// Ensure user context is not available when not logged in
+	req, err = http.NewRequest("GET", "/api/context/user", nil)
+	assert.NilError(t, err)

-	// Setup
-	gin.SetMode(gin.TestMode)
-	router := gin.Default()
-	recorder := httptest.NewRecorder()
+	expected, err = json.Marshal(controller.UserContextResponse{
+		Status:  http.StatusUnauthorized,
+		Message: "Unauthorized",
+	})
+	assert.NilError(t, err)

-	if middlewares != nil {
-		for _, m := range *middlewares {
-			router.Use(m)
-		}
-	}
+	resp = suite.RequestWithMiddleware(req, nil)
+	assert.Equal(t, 200, resp.Code)
+	bytes, err = io.ReadAll(resp.Body)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, bytes)

-	group := router.Group("/api")
+	// Test app context
+	req, err = http.NewRequest("GET", "/api/context/app", nil)
+	assert.NilError(t, err)

-	ctrl := controller.NewContextController(contextControllerCfg, group)
-	ctrl.SetupRoutes()
-
-	return router, recorder
-}
-
-func TestAppContextHandler(t *testing.T) {
-	expectedRes := controller.AppContextResponse{
+	expected, err = json.Marshal(controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
 		Providers:             contextControllerCfg.Providers,
@@ -83,71 +83,13 @@ func TestAppContextHandler(t *testing.T) {
 		BackgroundImage:       contextControllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
 		WarningsEnabled:       contextControllerCfg.WarningsEnabled,
-	}
-
-	router, recorder := setupContextController(nil)
-	req := httptest.NewRequest("GET", "/api/context/app", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	var ctrlRes controller.AppContextResponse
-
-	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
-
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)
-}
-
-func TestUserContextHandler(t *testing.T) {
-	expectedRes := controller.UserContextResponse{
-		Status:      200,
-		Message:     "Success",
-		IsLoggedIn:  contextCtrlTestContext.IsLoggedIn,
-		Username:    contextCtrlTestContext.Username,
-		Name:        contextCtrlTestContext.Name,
-		Email:       contextCtrlTestContext.Email,
-		Provider:    contextCtrlTestContext.Provider,
-		OAuth:       contextCtrlTestContext.OAuth,
-		TotpPending: contextCtrlTestContext.TotpPending,
-		OAuthName:   contextCtrlTestContext.OAuthName,
-	}
-
-	// Test with context
-	router, recorder := setupContextController(&[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &contextCtrlTestContext)
-			c.Next()
-		},
 	})
-
-	req := httptest.NewRequest("GET", "/api/context/user", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	var ctrlRes controller.UserContextResponse
-
-	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
-
 	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)

-	// Test no context
-	expectedRes = controller.UserContextResponse{
-		Status:     401,
-		Message:    "Unauthorized",
-		IsLoggedIn: false,
-	}
-
-	router, recorder = setupContextController(nil)
-	req = httptest.NewRequest("GET", "/api/context/user", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+	resp = suite.RequestWithMiddleware(req, nil)

+	assert.Equal(t, http.StatusOK, resp.Code)
+	bytes, err = io.ReadAll(resp.Body)
 	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)
+	assert.DeepEqual(t, expected, bytes)
 }
@@ -0,0 +1,89 @@
+package controller_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+
+	"github.com/gin-gonic/gin"
+	"github.com/steveiliop56/tinyauth/internal/config"
+	"github.com/steveiliop56/tinyauth/internal/controller"
+)
+
+// Testing suite
+
+type ControllerTest[T any] struct {
+	ctrlSetup func(router *gin.RouterGroup) T
+}
+
+func NewControllerTest[T any](setup func(router *gin.RouterGroup) T) *ControllerTest[T] {
+	return &ControllerTest[T]{ctrlSetup: setup}
+}
+
+func (ctrlt *ControllerTest[T]) newEngine(middlewares []gin.HandlerFunc) *gin.Engine {
+	gin.SetMode(gin.TestMode)
+
+	engine := gin.New()
+
+	for _, mw := range middlewares {
+		engine.Use(mw)
+	}
+
+	return engine
+}
+
+func (ctrlrt *ControllerTest[T]) newControllerInstance(engine *gin.Engine) T {
+	ctrl := ctrlrt.ctrlSetup(engine.Group("/api"))
+	return ctrl
+}
+
+func (ctrlt *ControllerTest[T]) RequestWithMiddleware(http *http.Request, middlewares []gin.HandlerFunc) *httptest.ResponseRecorder {
+	engine := ctrlt.newEngine(middlewares)
+	ctrlt.newControllerInstance(engine)
+	recorder := httptest.NewRecorder()
+	engine.ServeHTTP(recorder, http)
+	return recorder
+}
+
+func (ctrlt *ControllerTest[T]) Request(http *http.Request) *httptest.ResponseRecorder {
+	return ctrlt.RequestWithMiddleware(http, nil)
+}
+
+// Controller configs
+
+var contextControllerCfg = controller.ContextControllerConfig{
+	Providers: []controller.Provider{
+		{
+			Name:  "Local",
+			ID:    "local",
+			OAuth: false,
+		},
+		{
+			Name:  "Google",
+			ID:    "google",
+			OAuth: true,
+		},
+	},
+	Title:                 "Tinyauth Testing",
+	AppURL:                "http://tinyauth.example.com:3000",
+	CookieDomain:          "example.com",
+	ForgotPasswordMessage: "Foo bar",
+	BackgroundImage:       "/background.jpg",
+	OAuthAutoRedirect:     "google",
+	WarningsEnabled:       true,
+}
+
+var testContext = config.UserContext{
+	Username:    "user",
+	Name:        "User",
+	Email:       "user@example.com",
+	IsLoggedIn:  false,
+	IsBasicAuth: false,
+	OAuth:       false,
+	Provider:    "",
+	TotpPending: false,
+	OAuthGroups: "group1,group2",
+	TotpEnabled: false,
+	OAuthName:   "test",
+	OAuthSub:    "test",
+	LdapGroups:  "group1,group2",
+}
@@ -19,7 +19,7 @@ func (controller *HealthController) SetupRoutes() {

 func (controller *HealthController) healthHandler(c *gin.Context) {
 	c.JSON(200, gin.H{
-		"status":  "ok",
+		"status":  200,
 		"message": "Healthy",
 	})
 }
@@ -0,0 +1,49 @@
+package controller_test
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/steveiliop56/tinyauth/internal/controller"
+	"gotest.tools/v3/assert"
+)
+
+func TestHealthController(t *testing.T) {
+	// Controller setup
+	suite := NewControllerTest(func(router *gin.RouterGroup) *controller.HealthController {
+		ctrl := controller.NewHealthController(router)
+		ctrl.SetupRoutes()
+		return ctrl
+	})
+
+	expected, err := json.Marshal(map[string]any{
+		"status":  200,
+		"message": "Healthy",
+	})
+	assert.NilError(t, err)
+
+	// Test we are healthy with GET
+	req, err := http.NewRequest("GET", "/api/healthz", nil)
+	assert.NilError(t, err)
+
+	resp := suite.Request(req)
+
+	assert.Equal(t, http.StatusOK, resp.Code)
+	bytes, err := io.ReadAll(resp.Body)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, bytes, expected)
+
+	// Test we are healthy with HEAD
+	req, err = http.NewRequest("HEAD", "/api/healthz", nil)
+	assert.NilError(t, err)
+
+	resp = suite.Request(req)
+
+	assert.Equal(t, http.StatusOK, resp.Code)
+	bytes, err = io.ReadAll(resp.Body)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, bytes)
+}
@@ -115,6 +115,11 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}

+	if !userContext.IsLoggedIn {
+		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
+		return
+	}
+
 	var req service.AuthorizeRequest

 	err = c.BindJSON(&req)
@@ -265,7 +270,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	switch req.GrantType {
 	case "authorization_code":
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
+		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
@@ -281,6 +286,13 @@ func (controller *OIDCController) Token(c *gin.Context) {
 				})
 				return
 			}
+			if errors.Is(err, service.ErrInvalidClient) {
+				tlog.App.Warn().Msg("Invalid client ID")
+				c.JSON(400, gin.H{
+					"error": "invalid_client",
+				})
+				return
+			}
 			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
@@ -90,9 +90,21 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
 	}

-	uri := c.Request.Header.Get("X-Forwarded-Uri")
-	proto := c.Request.Header.Get("X-Forwarded-Proto")
-	host := c.Request.Header.Get("X-Forwarded-Host")
+	uri, ok := controller.requireHeader(c, "x-forwarded-uri")
+
+	if !ok {
+		return
+	}
+
+	host, ok := controller.requireHeader(c, "x-forwarded-host")
+	if !ok {
+		return
+	}
+
+	proto, ok := controller.requireHeader(c, "x-forwarded-proto")
+	if !ok {
+		return
+	}

 	// Get acls
 	acls, err := controller.acls.GetAccessControls(host)
@@ -173,11 +185,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {

 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")

-	if userContext.IsBasicAuth && userContext.TotpEnabled {
-		tlog.App.Debug().Msg("User has TOTP enabled, denying basic auth access")
-		userContext.IsLoggedIn = false
-	}
-
 	if userContext.IsLoggedIn {
 		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)

@@ -325,3 +332,16 @@ func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrow

 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 }
+
+func (controller *ProxyController) requireHeader(c *gin.Context, header string) (string, bool) {
+	val := c.Request.Header.Get(header)
+	if strings.TrimSpace(val) == "" {
+		tlog.App.Error().Str("header", header).Msg("Header not found")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return "", false
+	}
+	return val, true
+}
@@ -59,6 +59,11 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 				Username: "testuser",
 				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
 			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.",
+				TotpSecret: "foo",
+			},
 		},
 		OauthWhitelist:     []string{},
 		SessionExpiry:      3600,
@@ -79,9 +84,11 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	return router, recorder, authService
 }

+// TODO: Needs tests for context middleware
+
 func TestProxyHandler(t *testing.T) {
 	// Setup
-	router, recorder, authService := setupProxyController(t, nil)
+	router, recorder, _ := setupProxyController(t, nil)

 	// Test invalid proxy
 	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
@@ -136,26 +143,14 @@ func TestProxyHandler(t *testing.T) {
 	// Test logged out user (nginx)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
 	router.ServeHTTP(recorder, req)

 	assert.Equal(t, 401, recorder.Code)

 	// Test logged in user
-	c := gin.CreateTestContextOnly(recorder, router)
-
-	err := authService.CreateSessionCookie(c, &repository.Session{
-		Username:    "testuser",
-		Name:        "testuser",
-		Email:       "testuser@example.com",
-		Provider:    "local",
-		TotpPending: false,
-		OAuthGroups: "",
-	})
-
-	assert.NilError(t, err)
-
-	cookie := c.Writer.Header().Get("Set-Cookie")
-
 	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
 		func(c *gin.Context) {
 			c.Set("context", &config.UserContext{
@@ -174,38 +169,15 @@ func TestProxyHandler(t *testing.T) {
 	})

 	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("Cookie", cookie)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
 	req.Header.Set("Accept", "text/html")
-	router.ServeHTTP(recorder, req)

+	router.ServeHTTP(recorder, req)
 	assert.Equal(t, 200, recorder.Code)

 	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
 	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
 	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
-
-	// Ensure basic auth is disabled for TOTP enabled users
-	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "testuser",
-				Name:        "testuser",
-				Email:       "testuser@example.com",
-				IsLoggedIn:  true,
-				IsBasicAuth: true,
-				OAuth:       false,
-				Provider:    "local",
-				TotpPending: false,
-				OAuthGroups: "",
-				TotpEnabled: true,
-			})
-			c.Next()
-		},
-	})
-
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.SetBasicAuth("testuser", "test")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
 }
@@ -182,13 +182,17 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {

 			user := m.auth.GetLocalUser(basic.Username)

+			if user.TotpSecret != "" {
+				tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
+				return
+			}
+
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
 				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
-				TotpEnabled: user.TotpSecret != "",
 				IsBasicAuth: true,
 			})
 			c.Next()
@@ -352,7 +352,7 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }

-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
 	oidcCode, err := service.queries.GetOidcCode(c, codeHash)

 	if err != nil {
@@ -374,6 +374,10 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
 		return repository.OidcCode{}, ErrCodeExpired
 	}

+	if oidcCode.ClientID != clientId {
+		return repository.OidcCode{}, ErrInvalidClient
+	}
+
 	return oidcCode, nil
 }
Author	SHA1	Message	Date
Stavros	8c8a9e93ff	wip	2026-03-12 16:17:16 +02:00
Stavros	b2a1bfb1f5	fix: validate client id on oidc token endpoint	2026-03-11 16:48:04 +02:00
Stavros	f1e869a920	fix: ensure user context has is logged in set to true	2026-03-11 15:57:50 +02:00
Stavros	cc5a6d73cf	tests: ensure all forwarded headers are set on tests	2026-03-11 15:53:39 +02:00
Stavros	b2e3a85f42	chore: update version in example compose	2026-03-11 15:47:22 +02:00
Stavros	2e03eb9612	fix: do not continue auth on empty x-forwarded headers	2026-03-11 15:46:09 +02:00