chore(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 (#925)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stavros <steveiliop56@gmail.com>

.env.example

@@ -32,8 +32,6 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
-# Enable listening on both TCP and Unix socket at the same time.
-TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 
 # auth config
 
@@ -99,6 +97,8 @@ TINYAUTH_AUTH_SESSIONMAXLIFETIME=0
 TINYAUTH_AUTH_LOGINTIMEOUT=300
 # Maximum login retries.
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
+# Enable lockdown mode after maximum login retries. Lockdown mode limit is calculated automatically.
+TINYAUTH_AUTH_LOCKDOWNENABLED=true
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
 # ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
@@ -206,6 +206,8 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
+# Path to the Bind password.
+TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
@@ -252,3 +254,7 @@ TINYAUTH_TAILSCALE_HOSTNAME=
 TINYAUTH_TAILSCALE_AUTHKEY=
 # Use ephemeral Tailscale node.
 TINYAUTH_TAILSCALE_EPHEMERAL=false
+# Enable Tailscale Funnel.
+TINYAUTH_TAILSCALE_FUNNEL=false
+# Listen on the Tailscale address instead of standard address.
+TINYAUTH_TAILSCALE_LISTEN=false

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
@@ -62,6 +62,6 @@ jobs:
         run: go test -coverprofile=coverage.txt -v ./...
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/nightly.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Delete old release
         run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -23,7 +23,7 @@ jobs:
           REPO: ${{ github.event.repository.name }}
 
       - name: Create release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
         with:
           prerelease: true
           tag_name: nightly
@@ -37,7 +37,7 @@ jobs:
       BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -55,7 +55,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -100,7 +100,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -145,7 +145,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -203,7 +203,7 @@ jobs:
       - image-build
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -261,7 +261,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -319,7 +319,7 @@ jobs:
       - image-build-arm
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: nightly
 
@@ -461,7 +461,7 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
         with:
           files: binaries/*
           tag_name: nightly

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
       BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Generate metadata
         id: metadata
@@ -33,7 +33,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
@@ -75,7 +75,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
@@ -117,7 +117,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Docker meta
         id: meta
@@ -173,7 +173,7 @@ jobs:
       - image-build
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Docker meta
         id: meta
@@ -229,7 +229,7 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Docker meta
         id: meta
@@ -285,7 +285,7 @@ jobs:
       - image-build-arm
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Docker meta
         id: meta
@@ -432,6 +432,6 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3
         with:
           files: binaries/*

.github/workflows/scorecard.yml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
         with:
           persist-credentials: false
 

.github/workflows/sponsors.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Generate Sponsors
         uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1

frontend/src/components/layout/layout.tsx

@@ -3,6 +3,7 @@ import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
 import { QuickActions } from "../quick-actions/quick-actions";
+import { isTrustedDomain } from "@/lib/hooks/redirect-uri";
 
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
   const { ui } = useAppContext();
@@ -40,11 +41,18 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (
+  const isTrusted = (() => {
-    !ignoreDomainWarning &&
+    try {
-    ui.warningsEnabled &&
+      const appUrlObj = new URL(app.appUrl);
-    !app.trustedDomains.includes(currentUrl)
+      const currentUrlObj = new URL(currentUrl);
-  ) {
+
+      return isTrustedDomain(currentUrlObj, appUrlObj, "", false);
+    } catch {
+      return false;
+    }
+  })();
+
+  if (!ignoreDomainWarning && ui.warningsEnabled && !isTrusted) {
     return (
       <BaseLayout>
         <DomainWarning

frontend/src/lib/hooks/redirect-uri.ts

@@ -9,12 +9,27 @@ type IuseRedirectUri = {
 export const useRedirectUri = (
   redirect_uri: string | undefined,
   cookieDomain: string,
+  appUrl: string,
+  subdomainsEnabled: boolean,
 ): IuseRedirectUri => {
   let isValid = false;
   let isTrusted = false;
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
+  let appUrlObj: URL;
+
+  try {
+    appUrlObj = new URL(appUrl);
+  } catch {
+    return {
+      valid: isValid,
+      trusted: isTrusted,
+      allowedProto: isAllowedProto,
+      httpsDowngrade: isHttpsDowngrade,
+    };
+  }
+
   if (!redirect_uri) {
     return {
       valid: isValid,
@@ -39,10 +54,7 @@ export const useRedirectUri = (
 
   isValid = true;
 
-  if (
+  if (isTrustedDomain(url, appUrlObj, cookieDomain, subdomainsEnabled)) {
-    url.hostname == cookieDomain ||
-    url.hostname.endsWith(`.${cookieDomain}`)
-  ) {
     isTrusted = true;
   }
 
@@ -62,3 +74,45 @@ export const useRedirectUri = (
     httpsDowngrade: isHttpsDowngrade,
   };
 };
+
+// ported from internal/controller/oauth_controller.go
+const getEffectivePort = (url: URL): string => {
+  if (url.port) {
+    return url.port;
+  }
+
+  if (url.protocol == "https:") {
+    return "443";
+  }
+
+  return "80";
+};
+
+export const isTrustedDomain = (
+  url: URL,
+  appUrl: URL,
+  cookieDomain: string,
+  subdomainsEnabled: boolean,
+): boolean => {
+  if (url.protocol != appUrl.protocol) {
+    return false;
+  }
+
+  if (getEffectivePort(url) != getEffectivePort(appUrl)) {
+    return false;
+  }
+
+  if (url.hostname == appUrl.hostname) {
+    return true;
+  }
+
+  if (!subdomainsEnabled) {
+    return false;
+  }
+
+  if (url.hostname.endsWith("." + cookieDomain.toLowerCase())) {
+    return true;
+  }
+
+  return false;
+};

frontend/src/pages/continue-page.tsx

@@ -37,6 +37,8 @@ export const ContinuePage = () => {
   const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
     redirectUri,
     app.cookieDomain,
+    app.appUrl,
+    app.subdomainsEnabled,
   );
 
   const urlHref = url?.href;
@@ -108,7 +110,11 @@ export const ContinuePage = () => {
               components={{
                 code: <code />,
               }}
-              values={{ cookieDomain: app.cookieDomain }}
+              values={{
+                cookieDomain: app.subdomainsEnabled
+                  ? `.${app.cookieDomain}`
+                  : app.cookieDomain,
+              }}
               shouldUnescape={true}
             />
           </CardDescription>

frontend/src/schemas/app-context-schema.ts

@@ -24,7 +24,7 @@ const uiSchema = z.object({
 const appSchema = z.object({
   appUrl: z.string(),
   cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
+  subdomainsEnabled: z.boolean(),
 });
 
 export const appContextSchema = z.object({

go.mod

@@ -27,7 +27,7 @@ require (
 	golang.org/x/tools v0.46.0
 	k8s.io/apimachinery v0.36.2
 	k8s.io/client-go v0.36.2
-	modernc.org/sqlite v1.53.0
+	modernc.org/sqlite v1.52.0
 	tailscale.com v1.100.0
 )
 
@@ -175,7 +175,7 @@ require (
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
-	modernc.org/libc v1.73.4 // indirect
+	modernc.org/libc v1.72.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect

go.sum

@@ -571,20 +571,20 @@ k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hk
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
-modernc.org/cc/v4 v4.28.4 h1:Hd/4Es+MBj+/7hSdZaisNyu6bv3V0Dp2MdllyfqaH+c=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.28.4/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.34.4 h1:OVnSOWQjVKOYkFxoHYB+qQmSHK5gqMqARM+K9DpR/Ws=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.34.4/go.mod h1:qdKqE8FNIYyysougB1RX9MxCzp5oJOcQXSobANJ4TuE=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/gc/v3 v3.1.3 h1:6QAplYyVO+KdPW3pGnqmJDUxtkec8ooEWvks/hhU3lc=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
-modernc.org/gc/v3 v3.1.3/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.73.4 h1:+ra4Ui8ngyt8HDcO1FTDPWlkAh6yOdaO2yAoh8MddQA=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.73.4/go.mod h1:DXZ3eO8qMCNn2SnmTNCiC71nJ9Rcq3PsnpU6Vc4rWK8=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -593,8 +593,8 @@ modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
 modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.53.0 h1:20WG8N9q4ji/dEqGk4uiI0c6OPjSeLTNYGFCc3+7c1M=
+modernc.org/sqlite v1.52.0 h1:p4dhYh2tXZCiyaqHwRVJDjIGKWyXayiQpThxgDzJaxo=
-modernc.org/sqlite v1.53.0/go.mod h1:xoEpOIpGrgT48H5iiyt/YXPCZPEzlfmfFwtk8Lklw8s=
+modernc.org/sqlite v1.52.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/bootstrap/app_bootstrap.go

@@ -46,18 +46,17 @@ type Services struct {
 }
 
 type BootstrapApp struct {
-	config    model.Config
+	config   model.Config
-	runtime   model.RuntimeConfig
+	runtime  model.RuntimeConfig
-	services  Services
+	services Services
-	log       *logger.Logger
+	log      *logger.Logger
-	ctx       context.Context
+	ctx      context.Context
-	cancel    context.CancelFunc
+	cancel   context.CancelFunc
-	queries   repository.Store
+	queries  repository.Store
-	router    *gin.Engine
+	router   *gin.Engine
-	db        *sql.DB
+	db       *sql.DB
-	ding      *ding.Ding
+	ding     *ding.Ding
-	listeners []Listener
+	dig      *dig.Container
-	dig       *dig.Container
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -98,8 +97,7 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to parse app url: %w", err)
 	}
 
-	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
+	app.runtime.AppURL = strings.ToLower(appUrl.Scheme + "://" + appUrl.Host)
-	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
@@ -144,15 +142,6 @@ func (app *BootstrapApp) Setup() error {
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 
-		if provider.RedirectURL == "" {
-			provider.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + id
-		}
-
-		app.runtime.OAuthProviders[id] = provider
-	}
-
-	// set presets for built-in providers
-	for id, provider := range app.runtime.OAuthProviders {
 		if provider.Name == "" {
 			if name, ok := model.OverrideProviders[id]; ok {
 				provider.Name = name
@@ -160,18 +149,16 @@ func (app *BootstrapApp) Setup() error {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
+
 		app.runtime.OAuthProviders[id] = provider
 	}
 
 	// cookie domain
-	cookieDomainResolver := utils.GetCookieDomain
-
 	if !app.config.Auth.SubdomainsEnabled {
-		app.log.App.Warn().Msg("Subdomains are disabled, using standalone cookie domain resolver which will not work with subdomains")
+		app.log.App.Warn().Msg("Subdomains are disabled, cookies will be set for the current domain only")
-		cookieDomainResolver = utils.GetStandaloneCookieDomain
 	}
 
-	cookieDomain, err := cookieDomainResolver(app.runtime.AppURL)
+	cookieDomain, err := utils.GetCookieDomain(app.runtime.AppURL, app.config.Auth.SubdomainsEnabled)
 
 	if err != nil {
 		return fmt.Errorf("failed to get cookie domain: %w", err)
@@ -286,9 +273,43 @@ func (app *BootstrapApp) Setup() error {
 
 	app.runtime.ConfiguredProviders = configuredProviders
 
-	// throw in tailscale if it's configured just before setting up the controllers
+	// if tailscale is enabled and listening, replace the app url with the tailscale hostname
-	if app.services.tailscaleService != nil {
+	if app.services.tailscaleService != nil && app.config.Tailscale.Listen {
-		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
+		tailscaleUrl := "https://" + app.services.tailscaleService.GetHostname()
+
+		// if the tailscale url is different from the app url, replace it
+		if tailscaleUrl != app.runtime.AppURL {
+			app.log.App.Info().Msg("Listening on tailscale, replacing app url with tailscale hostname")
+
+			app.runtime.AppURL = tailscaleUrl
+
+			// also update cookie domain
+			cookieDomain, err := utils.GetCookieDomain(tailscaleUrl, app.config.Auth.SubdomainsEnabled)
+
+			if err != nil {
+				return fmt.Errorf("failed to get cookie domain: %w", err)
+			}
+
+			app.runtime.CookieDomain = cookieDomain
+		}
+	}
+
+	// force an update of the redirect urls for all oauth providers, if they are empty
+	services := app.services.oauthBrokerService.GetConfiguredServices()
+
+	for _, service := range services {
+		oauthService, ok := app.services.oauthBrokerService.GetService(service)
+
+		if !ok {
+			return fmt.Errorf("failed to get oauth service for provider %s", service)
+		}
+
+		providerConfig := oauthService.GetConfig()
+
+		if providerConfig.RedirectURL == "" {
+			providerConfig.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + service
+			oauthService.UpdateConfig(providerConfig)
+		}
 	}
 
 	// setup router
@@ -308,20 +329,20 @@ func (app *BootstrapApp) Setup() error {
 		app.ding.Go(app.heartbeatRoutine, ding.RingMinor)
 	}
 
-	// setup listeners
+	// get listener
-	app.listeners = app.calculateListenerPolicy()
+	listenerFunc, err := app.getListenerFunc()
-
-	if app.config.Server.ConcurrentListenersEnabled {
-		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
-	}
-
-	// run listeners
-	lec, err := app.runListeners()
 
 	if err != nil {
-		return fmt.Errorf("failed to run listeners: %w", err)
+		return fmt.Errorf("failed to get listener function: %w", err)
 	}
 
+	// run listener
+	lec := make(chan error, 1)
+
+	app.ding.Go(func(ctx context.Context) {
+		lec <- listenerFunc(ctx)
+	}, ding.RingNormal)
+
 	// monitor cancellation and server errors
 	for {
 		select {

internal/bootstrap/router_bootstrap.go

@@ -9,7 +9,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -18,14 +17,6 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-type Listener int
-
-const (
-	ListenerHTTP Listener = iota
-	ListenerUnix
-	ListenerTailscale
-)
-
 func (app *BootstrapApp) setupRouter() error {
 	// we don't want gin debug mode
 	gin.SetMode(gin.ReleaseMode)
@@ -134,79 +125,29 @@ func (app *BootstrapApp) setupRouter() error {
 	return nil
 }
 
-func (app *BootstrapApp) runListeners() (chan error, error) {
+// Top down
-	// lec -> listener error channel
+// 1. Tailscale (if tailscale.listen)
-	lec := make(chan error, len(app.listeners))
+// 2. Unix socket (if server.socketPath)
-
+// 3. HTTP - default
-	for _, listenerType := range app.listeners {
+func (app *BootstrapApp) getListenerFunc() (func(ctx context.Context) error, error) {
-		listenerFunc, err := app.listenerFromType(listenerType)
+	if app.config.Tailscale.Listen {
-
+		if app.services.tailscaleService == nil {
-		if err != nil {
+			return nil, fmt.Errorf("tailscale.listen is enabled but tailscale service is not initialized")
-			return nil, fmt.Errorf("failed to get listener function: %w", err)
 		}
-
+		return app.serveTailscale, nil
-		app.ding.Go(func(ctx context.Context) {
-			lec <- listenerFunc(ctx)
-		}, ding.RingNormal)
-	}
-
-	return lec, nil
-}
-
-// The way we calculate listeners is as follows:
-// If concurrent listeners are disabled, we pick the first available listener, so:
-// 1. If tailscale is enabled, we use tailscale
-// 2. If socket path is configured, we use unix socket
-// 3. Finally if none is configured we use http
-// If concurrent listeners are enabled, we add all available listeners in the following order
-func (app *BootstrapApp) calculateListenerPolicy() []Listener {
-	l := []Listener{}
-
-	if !app.config.Server.ConcurrentListenersEnabled {
-		if app.services.tailscaleService != nil {
-			l = append(l, ListenerTailscale)
-			return l
-		}
-
-		if app.config.Server.SocketPath != "" {
-			l = append(l, ListenerUnix)
-			return l
-		}
-
-		l = append(l, ListenerHTTP)
-		return l
 	}
 
 	if app.config.Server.SocketPath != "" {
-		l = append(l, ListenerUnix)
-	}
-
-	if app.services.tailscaleService != nil {
-		l = append(l, ListenerTailscale)
-	}
-
-	l = append(l, ListenerHTTP)
-
-	return l
-}
-
-func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx context.Context) error, error) {
-	switch listenerType {
-	case ListenerHTTP:
-		return app.serveHTTP, nil
-	case ListenerUnix:
 		return app.serveUnix, nil
-	case ListenerTailscale:
-		return app.serveTailscale, nil
-	default:
-		return nil, fmt.Errorf("invalid listener type: %d", listenerType)
 	}
+
+	return app.serveHTTP, nil
 }
 
 func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 
-	app.log.App.Info().Msgf("Starting server on %s", address)
+	app.log.App.Info().Msgf("Starting server on http://%s", address)
 
 	listener, err := net.Listen("tcp", address)
 

internal/controller/context_controller.go

@@ -1,6 +1,8 @@
 package controller
 
 import (
+	"errors"
+
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"go.uber.org/dig"
@@ -58,9 +60,9 @@ type ACRUI struct {
 }
 
 type ACRApp struct {
-	AppURL         string   `json:"appUrl"`
+	AppURL            string `json:"appUrl"`
-	CookieDomain   string   `json:"cookieDomain"`
+	CookieDomain      string `json:"cookieDomain"`
-	TrustedDomains []string `json:"trustedDomains"`
+	SubdomainsEnabled bool   `json:"subdomainsEnabled"`
 }
 
 type AppContextResponse struct {
@@ -109,7 +111,9 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		if !errors.Is(err, model.ErrUserContextNotFound) {
+			controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		}
 		c.JSON(200, UserContextResponse{
 			Status:  401,
 			Message: "Unauthorized",
@@ -160,9 +164,9 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 			WarningsEnabled:       controller.config.UI.WarningsEnabled,
 		},
 		App: ACRApp{
-			AppURL:         controller.runtime.AppURL,
+			AppURL:            controller.runtime.AppURL,
-			CookieDomain:   controller.runtime.CookieDomain,
+			CookieDomain:      controller.runtime.CookieDomain,
-			TrustedDomains: controller.runtime.TrustedDomains,
+			SubdomainsEnabled: controller.config.Auth.SubdomainsEnabled,
 		},
 	})
 }

internal/controller/context_controller_test.go

@@ -48,9 +48,9 @@ func TestContextController(t *testing.T) {
 						WarningsEnabled:       cfg.UI.WarningsEnabled,
 					},
 					App: ACRApp{
-						AppURL:         runtime.AppURL,
+						AppURL:            runtime.AppURL,
-						CookieDomain:   runtime.CookieDomain,
+						CookieDomain:      runtime.CookieDomain,
-						TrustedDomains: runtime.TrustedDomains,
+						SubdomainsEnabled: cfg.Auth.SubdomainsEnabled,
 					},
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)

internal/controller/oauth_controller.go

@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
@@ -305,8 +304,8 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackPar
 }
 
 func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
+	if !controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
+		return ""
 	}
 	return controller.runtime.CookieDomain
 }
@@ -314,51 +313,53 @@ func (controller *OAuthController) getCookieDomain() string {
 func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 	u, err := url.Parse(redirectURI)
 
-	if err != nil || u.Host == "" || u.Scheme == "" {
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to parse redirect URI")
 		return false
 	}
 
-	for _, allowed := range controller.runtime.TrustedDomains {
+	if u.Scheme == "" || u.Host == "" {
-		tu, err := url.Parse(allowed)
+		controller.log.App.Warn().Msg("Redirect URI has invalid scheme or host")
-		if err != nil {
+		return false
-			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
+	}
-			continue
+
+	au, err := url.Parse(controller.runtime.AppURL)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
+		return false
+	}
+
+	if u.Scheme != au.Scheme {
+		controller.log.App.Warn().Msg("Redirect URI scheme does not match app URL scheme")
+		return false
+	}
+
+	getEffectivePort := func(u *url.URL) string {
+		if u.Port() != "" {
+			return u.Port()
 		}
-
+		if u.Scheme == "https" {
-		if tu.Scheme != u.Scheme {
+			return "443"
-			continue
 		}
+		return "80"
+	}
 
-		// exact match
+	if getEffectivePort(u) != getEffectivePort(au) {
-		if strings.EqualFold(u.Host, tu.Host) {
+		controller.log.App.Warn().Msg("Redirect URI port does not match app URL port")
-			return true
+		return false
-		}
+	}
 
-		// if subdomains are disabled, end here
+	if strings.EqualFold(u.Hostname(), au.Hostname()) {
-		if !controller.config.Auth.SubdomainsEnabled {
+		return true
-			continue
+	}
-		}
 
-		// get the root domain (e.g. tinyauth.example.com -> example.com or
+	if !controller.config.Auth.SubdomainsEnabled {
-		// tinyauth.sub.example.com -> sub.example.com)
+		return false
-		_, root, ok := strings.Cut(tu.Host, ".")
+	}
-		if !ok {
-			continue
-		}
 
-		root = strings.ToLower(root)
+	if strings.HasSuffix(strings.ToLower(u.Hostname()), "."+strings.ToLower(controller.runtime.CookieDomain)) {
-
+		return true
-		// check if the root domain is in the psl
-		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
-
-		if err != nil {
-			continue
-		}
-
-		// subdomain match
-		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
-			return true
-		}
 	}
 
 	return false

internal/controller/oauth_controller_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-func TestOAuthController(t *testing.T) {
+func TestOAuthControllerIsRedirectSafe(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 
@@ -17,145 +17,171 @@ func TestOAuthController(t *testing.T) {
 
 	type testCase struct {
 		description       string
-		run               func(ctrl *OAuthController)
+		appURL            string
-		trustedDomains    []string
+		cookieDomain      string
 		subdomainsEnabled bool
+		redirectURI       string
+		expected          bool
 	}
 
 	tests := []testCase{
 		{
-			description:       "Test exact match of redirect URI",
+			description:       "Exact host match returns true",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://tinyauth.example.com",
-				redirectUri := "https://tinyauth.example.com"
+			expected:          true,
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test subdomain match of redirect URI",
+			description:       "Exact host match is case insensitive",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://TinyAuth.Example.com",
-				redirectUri := "https://sub.example.com"
+			expected:          true,
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test different trusted domain",
+			description:       "Exact host match with subdomains disabled returns true",
-			trustedDomains:    []string{"https://tinyauth.example.com", "https://tinyauth.foo.com"},
+			appURL:            "https://tinyauth.example.com",
-			subdomainsEnabled: true,
+			cookieDomain:      "example.com",
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://app.foo.com"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description: "Test invalid redirect URI",
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https:/malicious"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description: "Test empty redirect URI",
-			run: func(ctrl *OAuthController) {
-				redirectUri := ""
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test redirect URI with different scheme",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "http://tinyauth.example.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test redirect URI with different port",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://tinyauth.example.com:8080"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			// weird case, subdomains enabled and domain without subdomain can't happen
-			description:    "Test with trusted domain that's in PSL when split",
-			trustedDomains: []string{"https://example.com"}, // will become .com which we
-			// obviously don't want to allow
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sub.example.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test subdomain redirect URI when subdomains are disabled",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
 			subdomainsEnabled: false,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://tinyauth.example.com",
-				redirectUri := "https://sub.tinyauth.example.com"
+			expected:          true,
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test domain like the .co.uk",
+			description:       "Subdomain of cookie domain returns true when subdomains enabled",
-			trustedDomains:    []string{"https://example.co.uk"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://sub.example.com",
-				redirectUri := "https://sub.example.co.uk"
+			expected:          true,
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test domain like the .co.uk with subdomains disabled",
+			description:       "Subdomain of cookie domain is case insensitive",
-			trustedDomains:    []string{"https://example.co.uk"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "Example.COM",
+			subdomainsEnabled: true,
+			redirectURI:       "https://SUB.example.com",
+			expected:          true,
+		},
+		{
+			description:       "Subdomain not matching cookie domain returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https://sub.evil.com",
+			expected:          false,
+		},
+		{
+			description:       "Subdomain returns false when subdomains disabled",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: false,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://sub.example.com",
-				redirectUri := "https://example.co.uk"
+			expected:          false,
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test caps domain",
+			description:       "Cookie domain itself is not a subdomain match",
-			trustedDomains:    []string{"https://TINYAUTH.ExAmpLe.com"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "https://example.com",
-				redirectUri := "https://sUb.ExAmPle.com"
+			expected:          false,
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
 		},
 		{
-			description:       "Test edge case with @",
+			description:       "Different scheme returns false",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
 			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
+			redirectURI:       "http://tinyauth.example.com",
-				redirectUri := "https://malicious.example.com@evil.com"
+			expected:          false,
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+		},
-			},
+		{
+			description:       "Different port returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https://tinyauth.example.com:8080",
+			expected:          false,
+		},
+		{
+			description:       "Empty redirect URI returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "",
+			expected:          false,
+		},
+		{
+			description:       "Redirect URI without host returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https:/malicious",
+			expected:          false,
+		},
+		{
+			description:       "Redirect URI without scheme returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "tinyauth.example.com",
+			expected:          false,
+		},
+		{
+			description:       "Relative redirect URI returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "/some/path",
+			expected:          false,
+		},
+		{
+			description:       "Userinfo trick with malicious host returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https://malicious.example.com@evil.com",
+			expected:          false,
+		},
+		{
+			description:       "Unparseable redirect URI returns false",
+			appURL:            "https://tinyauth.example.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https://exa\x7fmple.com",
+			expected:          false,
+		},
+		{
+			description:       "Unparseable app URL returns false",
+			appURL:            "https://tinyauth.\x7fexample.com",
+			cookieDomain:      "example.com",
+			subdomainsEnabled: true,
+			redirectURI:       "https://tinyauth.example.com",
+			expected:          false,
 		},
 	}
 
-	// TODO: add auth service
 	for _, tc := range tests {
 		t.Run(tc.description, func(t *testing.T) {
 			router := gin.Default()
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
-			// overwrite the trusted domains and subdomain setting for each test case
+
-			runtime.TrustedDomains = tc.trustedDomains
+			// Overwrite the app URL, cookie domain and subdomain setting for each test case
+			runtime.AppURL = tc.appURL
+			runtime.CookieDomain = tc.cookieDomain
 			cfg.Auth.SubdomainsEnabled = tc.subdomainsEnabled
+
 			ctrl := NewOAuthController(OAuthControllerInput{
 				Log:           log,
 				Config:        &cfg,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,
 			})
-			tc.run(ctrl)
+
+			assert.Equal(t, tc.expected, ctrl.isRedirectSafe(tc.redirectURI))
 		})
 	}
 }

internal/controller/user_controller.go

@@ -295,6 +295,14 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
+		if errors.Is(err, model.ErrUserContextNotFound) {
+			controller.log.App.Warn().Msg("TOTP verification attempt without user context")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
 		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
@@ -405,6 +413,14 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
+		if errors.Is(err, model.ErrUserContextNotFound) {
+			controller.log.App.Warn().Msg("Tailscale login attempt without user context")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
 		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
 		c.JSON(401, gin.H{
 			"status":  401,

internal/model/config.go

@@ -15,9 +15,8 @@ func NewDefaultConfiguration() *Config {
 			Path:    "./resources",
 		},
 		Server: ServerConfig{
-			Port:                       3000,
+			Port:    3000,
-			Address:                    "0.0.0.0",
+			Address: "0.0.0.0",
-			ConcurrentListenersEnabled: false,
 		},
 		Auth: AuthConfig{
 			SubdomainsEnabled:  true,
@@ -104,10 +103,9 @@ type ResourcesConfig struct {
 }
 
 type ServerConfig struct {
-	Port                       int    `description:"The port on which the server listens." yaml:"port"`
+	Port       int    `description:"The port on which the server listens." yaml:"port"`
-	Address                    string `description:"The address on which the server listens." yaml:"address"`
+	Address    string `description:"The address on which the server listens." yaml:"address"`
-	SocketPath                 string `description:"The path to the Unix socket." yaml:"socketPath"`
+	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
-	ConcurrentListenersEnabled bool   `description:"Enable listening on both TCP and Unix socket at the same time." yaml:"concurrentListenersEnabled"`
 }
 
 type AuthConfig struct {
@@ -218,6 +216,8 @@ type TailscaleConfig struct {
 	Hostname  string `description:"Tailscale hostname." yaml:"hostname"`
 	AuthKey   string `description:"Tailscale auth key." yaml:"authKey"`
 	Ephemeral bool   `description:"Use ephemeral Tailscale node." yaml:"ephemeral"`
+	Funnel    bool   `description:"Enable Tailscale Funnel." yaml:"funnel"`
+	Listen    bool   `description:"Listen on the Tailscale address instead of standard address." yaml:"listen"`
 }
 
 // OAuth/OIDC config

internal/model/runtime.go

@@ -12,7 +12,6 @@ type RuntimeConfig struct {
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
-	TrustedDomains         []string
 }
 
 type Provider struct {

internal/service/auth_service.go

@@ -46,7 +46,7 @@ type OAuthPendingSession struct {
 	State          string
 	Verifier       string
 	Token          *oauth2.Token
-	Service        *OAuthServiceImpl
+	Service        IOAuthService
 	ExpiresAt      time.Time
 	CallbackParams OAuthCallbackParams
 }
@@ -380,33 +380,11 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
-	if data.Provider == "tailscale" {
-		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
-
-		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
-
-		if err != nil {
-			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
-		}
-
-		return &http.Cookie{
-			Name:     auth.runtime.SessionCookieName,
-			Value:    session.UUID,
-			Path:     "/",
-			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
-			Expires:  expiresAt,
-			MaxAge:   int(time.Until(expiresAt).Seconds()),
-			Secure:   auth.config.Auth.SecureCookie,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		}, nil
-	}
-
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   auth.getCookieDomain(),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -459,7 +437,7 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   auth.getCookieDomain(),
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -480,7 +458,7 @@ func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   auth.getCookieDomain(),
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,
@@ -549,7 +527,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbac
 	session := OAuthPendingSession{
 		State:          state,
 		Verifier:       verifier,
-		Service:        &service,
+		Service:        service,
 		ExpiresAt:      time.Now().Add(1 * time.Hour),
 		CallbackParams: params,
 	}
@@ -566,7 +544,7 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
 		return "", err
 	}
 
-	return (*session.Service).GetAuthURL(session.State, session.Verifier), nil
+	return session.Service.GetAuthURL(session.State, session.Verifier), nil
 }
 
 func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
@@ -576,7 +554,7 @@ func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.T
 		return nil, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
 
-	token, err := (*session.Service).GetToken(code, session.Verifier)
+	token, err := session.Service.GetToken(code, session.Verifier)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
@@ -605,7 +583,7 @@ func (auth *AuthService) GetOAuthUserinfo(sessionId string) (*model.Claims, erro
 		return nil, fmt.Errorf("oauth token not found for session: %s", sessionId)
 	}
 
-	userinfo, err := (*session.Service).GetUserinfo(session.Token)
+	userinfo, err := session.Service.GetUserinfo(session.Token)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to get userinfo: %w", err)
@@ -614,14 +592,14 @@ func (auth *AuthService) GetOAuthUserinfo(sessionId string) (*model.Claims, erro
 	return userinfo, nil
 }
 
-func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, error) {
+func (auth *AuthService) GetOAuthService(sessionId string) (IOAuthService, error) {
 	session, err := auth.GetOAuthPendingSession(sessionId)
 
 	if err != nil {
 		return nil, err
 	}
 
-	return *session.Service, nil
+	return session.Service, nil
 }
 
 func (auth *AuthService) EndOAuthSession(sessionId string) {
@@ -726,3 +704,10 @@ func (auth *AuthService) calculateLockdownLimit() int {
 
 	return limit
 }
+
+func (auth *AuthService) getCookieDomain() string {
+	if !auth.config.Auth.SubdomainsEnabled {
+		return ""
+	}
+	return auth.runtime.CookieDomain
+}

internal/service/oauth_broker_service.go

@@ -12,19 +12,21 @@ import (
 	"golang.org/x/oauth2"
 )
 
-type OAuthServiceImpl interface {
+type IOAuthService interface {
 	Name() string
 	ID() string
 	NewRandom() string
-	GetAuthURL(state string, verifier string) string
+	GetAuthURL(state, verifier string) string
-	GetToken(code string, verifier string) (*oauth2.Token, error)
+	GetToken(code, verifier string) (*oauth2.Token, error)
 	GetUserinfo(token *oauth2.Token) (*model.Claims, error)
+	GetConfig() model.OAuthServiceConfig
+	UpdateConfig(config model.OAuthServiceConfig)
 }
 
 type OAuthBrokerService struct {
 	log *logger.Logger
 
-	services map[string]OAuthServiceImpl
+	services map[string]IOAuthService
 	configs  map[string]model.OAuthServiceConfig
 }
 
@@ -44,7 +46,7 @@ type OAuthBrokerServiceInput struct {
 func NewOAuthBrokerService(i OAuthBrokerServiceInput) *OAuthBrokerService {
 	service := &OAuthBrokerService{
 		log:      i.Log,
-		services: make(map[string]OAuthServiceImpl),
+		services: make(map[string]IOAuthService),
 		configs:  i.Runtime.OAuthProviders,
 	}
 
@@ -70,7 +72,7 @@ func (broker *OAuthBrokerService) GetConfiguredServices() []string {
 	return services
 }
 
-func (broker *OAuthBrokerService) GetService(name string) (OAuthServiceImpl, bool) {
+func (broker *OAuthBrokerService) GetService(name string) (IOAuthService, bool) {
 	service, exists := broker.services[name]
 	return service, exists
 }

internal/service/oauth_service.go

@@ -70,7 +70,7 @@ func (s *OAuthService) NewRandom() string {
 	return random
 }
 
-func (s *OAuthService) GetAuthURL(state string, verifier string) string {
+func (s *OAuthService) GetAuthURL(state, verifier string) string {
 	return s.config.AuthCodeURL(state, oauth2.AccessTypeOnline, oauth2.S256ChallengeOption(verifier))
 }
 
@@ -82,3 +82,17 @@ func (s *OAuthService) GetUserinfo(token *oauth2.Token) (*model.Claims, error) {
 	client := oauth2.NewClient(s.ctx, oauth2.StaticTokenSource(token))
 	return s.userinfoExtractor(client, s.serviceCfg.UserinfoURL)
 }
+
+func (s *OAuthService) GetConfig() model.OAuthServiceConfig {
+	return s.serviceCfg
+}
+
+func (s *OAuthService) UpdateConfig(config model.OAuthServiceConfig) {
+	s.serviceCfg = config
+	s.config.ClientID = config.ClientID
+	s.config.ClientSecret = config.ClientSecret
+	s.config.Scopes = config.Scopes
+	s.config.Endpoint.AuthURL = config.AuthURL
+	s.config.Endpoint.TokenURL = config.TokenURL
+	s.config.RedirectURL = config.RedirectURL
+}

internal/service/tailscale_service.go

@@ -94,6 +94,10 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 
 	i.Ding.Go(service.watchAndClose, ding.RingMajor)
 
+	if i.Config.Tailscale.Funnel && !i.Config.Tailscale.Listen {
+		service.log.App.Warn().Msg("Tailscale Funnel is enabled but listen is disabled. Funnel will not work without listen enabled.")
+	}
+
 	return service, nil
 }
 
@@ -148,6 +152,16 @@ func (ts *TailscaleService) CreateListener() (net.Listener, error) {
 	if ts.ln != nil {
 		return *ts.ln, nil
 	}
+
+	if ts.config.Tailscale.Funnel {
+		ln, err := ts.srv.ListenFunnel("tcp", ":443")
+		if err != nil {
+			return nil, err
+		}
+		ts.ln = &ln
+		return ln, nil
+	}
+
 	ln, err := ts.srv.ListenTLS("tcp", ":443")
 	if err != nil {
 		return nil, err

internal/test/test.go

@@ -43,6 +43,7 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 			ACLs: model.ACLsConfig{
 				Policy: "allow",
 			},
+			SubdomainsEnabled: true,
 		},
 		Database: model.DatabaseConfig{
 			Path: filepath.Join(tempDir, "test.db"),
@@ -165,10 +166,6 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 		CookieDomain:      "example.com",
 		AppURL:            "https://tinyauth.example.com",
 		SessionCookieName: "tinyauth-session",
-		TrustedDomains: []string{
-			"https://tinyauth.example.com",
-			"https://tinyauth.foo.com",
-		},
 	}
 
 	return config, runtime

internal/utils/app_utils.go

@@ -1,7 +1,7 @@
 package utils
 
 import (
-	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -9,27 +9,36 @@ import (
 	"github.com/weppos/publicsuffix-go/publicsuffix"
 )
 
-// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+// GetCookieDomain parses the app url and returns the domain value to use for cookies.
-func GetCookieDomain(u string) (string, error) {
+// When auth for subdomains is enabled, it strips the leftmost label
-	parsed, err := url.Parse(u)
+// (e.g. sub1.sub2.domain.com -> sub2.domain.com), otherwise it returns the full hostname.
+func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
+	u, err := url.Parse(appUrl)
+
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("invalid app url: %w", err)
 	}
 
-	host := parsed.Hostname()
+	hostname := strings.ToLower(u.Hostname())
 
-	if netIP := net.ParseIP(host); netIP != nil {
+	if netIP := net.ParseIP(hostname); netIP != nil {
-		return "", errors.New("ip addresses not allowed")
+		return "", fmt.Errorf("ip addresses not allowed")
 	}
 
-	parts := strings.Split(host, ".")
+	parts := strings.Split(hostname, ".")
 
-	if len(parts) == 2 {
+	if len(parts) < 2 {
-		return host, nil
+		return "", fmt.Errorf("invalid app url, must be in format subdomain.domain.tld or domain.tld")
 	}
 
-	if len(parts) < 3 {
+	if !subdomainsEnabled || len(parts) == 2 {
-		return "", errors.New("invalid app url, must be at least second level domain")
+		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, hostname, nil)
+
+		if err != nil {
+			return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err)
+		}
+
+		return hostname, nil
 	}
 
 	domain := strings.Join(parts[1:], ".")
@@ -37,33 +46,12 @@ func GetCookieDomain(u string) (string, error) {
 	_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
 
 	if err != nil {
-		return "", errors.New("domain in public suffix list, cannot set cookies")
+		return "", fmt.Errorf("domain in public suffix list, cannot set cookies: %w", err)
 	}
 
 	return domain, nil
 }
 
-func GetStandaloneCookieDomain(u string) (string, error) {
-	parsed, err := url.Parse(u)
-	if err != nil {
-		return "", err
-	}
-
-	host := parsed.Hostname()
-
-	if netIP := net.ParseIP(host); netIP != nil {
-		return "", errors.New("ip addresses not allowed")
-	}
-
-	parts := strings.Split(host, ".")
-
-	if len(parts) < 2 {
-		return "", errors.New("invalid app url")
-	}
-
-	return host, nil
-}
-
 func ParseFileToLine(content string) string {
 	lines := strings.Split(content, "\n")
 	users := make([]string, 0)

internal/utils/app_utils_test.go

@@ -11,50 +11,71 @@ func TestGetRootDomain(t *testing.T) {
 	// Normal case
 	domain := "http://sub.tinyauth.app"
 	expected := "tinyauth.app"
-	result, err := utils.GetCookieDomain(domain)
+	result, err := utils.GetCookieDomain(domain, true)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)
 
 	// Domain with multiple subdomains
 	domain = "http://b.c.tinyauth.app"
 	expected = "c.tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
+	result, err = utils.GetCookieDomain(domain, true)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)
 
 	// Invalid domain (only TLD)
 	domain = "com"
-	_, err = utils.GetCookieDomain(domain)
+	_, err = utils.GetCookieDomain(domain, true)
-	assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")
+	assert.EqualError(t, err, "invalid app url, must be in format subdomain.domain.tld or domain.tld")
 
 	// IP address
 	domain = "http://10.10.10.10"
-	_, err = utils.GetCookieDomain(domain)
+	_, err = utils.GetCookieDomain(domain, true)
 	assert.ErrorContains(t, err, "ip addresses not allowed")
 
 	// Invalid URL
 	domain = "http://[::1]:namedport"
-	_, err = utils.GetCookieDomain(domain)
+	_, err = utils.GetCookieDomain(domain, true)
 	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
 
 	// URL with scheme and path
 	domain = "https://sub.tinyauth.app/path"
 	expected = "tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
+	result, err = utils.GetCookieDomain(domain, true)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)
 
 	// URL with port
 	domain = "http://sub.tinyauth.app:8080"
 	expected = "tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
+	result, err = utils.GetCookieDomain(domain, true)
 	assert.NoError(t, err)
 	assert.Equal(t, expected, result)
 
 	// Domain managed by ICANN
 	domain = "http://example.co.uk"
-	_, err = utils.GetCookieDomain(domain)
+	_, err = utils.GetCookieDomain(domain, true)
-	assert.Error(t, err, "domain in public suffix list, cannot set cookies")
+	assert.ErrorContains(t, err, "domain in public suffix list, cannot set cookies")
+
+	// Domain without subdomain
+	domain = "http://tinyauth.app"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain, true)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, result)
+
+	// Case insensitivity
+	domain = "http://Sub.Tinyauth.App"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain, true)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, result)
+
+	// Subdomains disabled
+	domain = "http://sub.tinyauth.app"
+	expected = "sub.tinyauth.app"
+	result, err = utils.GetCookieDomain(domain, false)
+	assert.NoError(t, err)
+	assert.Equal(t, expected, result)
 }
 
 func TestParseFileToLine(t *testing.T) {
@@ -125,48 +146,3 @@ func TestFilter(t *testing.T) {
 	resultStr := utils.Filter(sliceStr, testFuncStr)
 	assert.Equal(t, expectedStr, resultStr)
 }
-
-func TestGetStandaloneCookieDomain(t *testing.T) {
-	// Normal case
-	domain := "http://tinyauth.app"
-	expected := "tinyauth.app"
-	result, err := utils.GetStandaloneCookieDomain(domain)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, result)
-
-	// URL with subdomain (full hostname is returned, no subdomain stripping)
-	domain = "http://sub.tinyauth.app"
-	expected = "sub.tinyauth.app"
-	result, err = utils.GetStandaloneCookieDomain(domain)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, result)
-
-	// URL with port (port should be stripped)
-	domain = "http://tinyauth.app:8080"
-	expected = "tinyauth.app"
-	result, err = utils.GetStandaloneCookieDomain(domain)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, result)
-
-	// URL with path
-	domain = "https://tinyauth.app/some/path"
-	expected = "tinyauth.app"
-	result, err = utils.GetStandaloneCookieDomain(domain)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, result)
-
-	// IP address
-	domain = "http://10.10.10.10"
-	_, err = utils.GetStandaloneCookieDomain(domain)
-	assert.ErrorContains(t, err, "ip addresses not allowed")
-
-	// Invalid domain (only TLD)
-	domain = "com"
-	_, err = utils.GetStandaloneCookieDomain(domain)
-	assert.ErrorContains(t, err, "invalid app url")
-
-	// Invalid URL
-	domain = "http://[::1]:namedport"
-	_, err = utils.GetStandaloneCookieDomain(domain)
-	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
-}