chore(deps): bump golang.org/x/tools in the minor-patch group

Bumps the minor-patch group with 1 update: [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.env.example

@@ -7,9 +7,7 @@ TINYAUTH_APPURL=
 
 # database config
 
-# The database driver to use. Valid values: sqlite, memory.
-TINYAUTH_DATABASE_DRIVER="sqlite"
-# The path to the SQLite database, including file name. Only used when driver is sqlite.
+# The path to the database, including file name.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 
 # analytics config
@@ -32,8 +30,6 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
-# Enable listening on both TCP and Unix socket at the same time.
-TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 
 # auth config
 
@@ -41,52 +37,8 @@ TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
-# List of IPs or CIDR ranges that bypass authentication entirely.
-TINYAUTH_AUTH_IP_BYPASS=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
-# Enable subdomains support.
-TINYAUTH_AUTH_SUBDOMAINSENABLED=true
-# Full name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NAME=
-# Given (first) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GIVENNAME=
-# Family (last) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_FAMILYNAME=
-# Middle name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_MIDDLENAME=
-# Nickname of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NICKNAME=
-# URL of the user's profile page.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PROFILE=
-# URL of the user's profile picture.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PICTURE=
-# URL of the user's website.
-TINYAUTH_AUTH_USERATTRIBUTES_name_WEBSITE=
-# Email address of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_EMAIL=
-# Gender of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GENDER=
-# Birthdate of the user (YYYY-MM-DD).
-TINYAUTH_AUTH_USERATTRIBUTES_name_BIRTHDATE=
-# Time zone of the user (e.g. Europe/Athens).
-TINYAUTH_AUTH_USERATTRIBUTES_name_ZONEINFO=
-# Locale of the user (e.g. en-US).
-TINYAUTH_AUTH_USERATTRIBUTES_name_LOCALE=
-# Phone number of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PHONENUMBER=
-# Full mailing address, formatted for display.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_FORMATTED=
-# Street address.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_STREETADDRESS=
-# City or locality.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_LOCALITY=
-# State, province, or region.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_REGION=
-# Zip or postal code.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_POSTALCODE=
-# Country.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_COUNTRY=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
@@ -101,8 +53,6 @@ TINYAUTH_AUTH_LOGINTIMEOUT=300
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
-# ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
-TINYAUTH_AUTH_ACLS_POLICY="allow"
 
 # apps config
 
@@ -151,6 +101,10 @@ TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
+# Comma-separated list of allowed OAuth domains for this provider.
+TINYAUTH_OAUTH_PROVIDERS_name_WHITELIST=
+# Path to the OAuth whitelist file for this provider.
+TINYAUTH_OAUTH_PROVIDERS_name_WHITELISTFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
@@ -214,8 +168,6 @@ TINYAUTH_LDAP_AUTHCERT=
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
-# Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment.
-TINYAUTH_LABELPROVIDER="auto"
 
 # log config
 
@@ -235,16 +187,3 @@ TINYAUTH_LOG_STREAMS_APP_LEVEL=
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
-
-# tailscale config
-
-# Enable Tailscale integration.
-TINYAUTH_TAILSCALE_ENABLED=false
-# Tailscale state directory.
-TINYAUTH_TAILSCALE_DIR="./tailscale_state"
-# Tailscale hostname.
-TINYAUTH_TAILSCALE_HOSTNAME=
-# Tailscale auth key.
-TINYAUTH_TAILSCALE_AUTHKEY=
-# Use ephemeral Tailscale node.
-TINYAUTH_TAILSCALE_EPHEMERAL=false

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/tools v0.44.0
+	golang.org/x/tools v0.45.0
 	k8s.io/apimachinery v0.36.1
 	k8s.io/client-go v0.36.1
 	modernc.org/sqlite v1.50.1
@@ -150,7 +150,7 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.45.0 // indirect

go.sum

@@ -486,8 +486,8 @@ golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
 golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
@@ -505,8 +505,8 @@ golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
 golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=

internal/bootstrap/app_bootstrap.go

@@ -117,6 +117,13 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.OAuthProviders = app.config.OAuth.Providers
 
 	for id, provider := range app.runtime.OAuthProviders {
+		providerWhitelist, err := utils.GetStringList(provider.Whitelist, provider.WhitelistFile)
+		if err != nil {
+			return fmt.Errorf("failed to load oauth whitelist for provider %s: %w", id, err)
+		}
+
+		provider.Whitelist = providerWhitelist
+
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""

internal/controller/oauth_controller.go

@@ -183,9 +183,23 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.IsEmailWhitelisted(user.Email) {
+	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if svc.ID() != req.Provider {
+		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if !controller.auth.IsEmailWhitelisted(svc.ID(), user.Email) {
 		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		controller.log.AuditLoginFailure(user.Email, svc.ID(), c.ClientIP(), "email not whitelisted")
 
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
@@ -226,20 +240,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
-	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
-	if svc.ID() != req.Provider {
-		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
 	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,

internal/middleware/context_middleware.go

@@ -205,7 +205,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
 
-		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
+		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
 			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}

internal/model/config.go

@@ -62,6 +62,9 @@ func NewDefaultConfiguration() *Config {
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
+		Experimental: ExperimentalConfig{
+			ConfigFile: "",
+		},
 		Tailscale: TailscaleConfig{
 			Dir: "./tailscale_state",
 		},
@@ -85,7 +88,6 @@ type Config struct {
 	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
-	ConfigFile    string             `description:"Path to config file." yaml:"-"`
 }
 
 type DatabaseConfig struct {
@@ -206,8 +208,9 @@ type LogStreamConfig struct {
 	Level   string `description:"Log level for this stream. Use global if empty." yaml:"level"`
 }
 
-// no experimental features
-type ExperimentalConfig struct{}
+type ExperimentalConfig struct {
+	ConfigFile string `description:"Path to config file." yaml:"-"`
+}
 
 type TailscaleConfig struct {
 	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
@@ -223,6 +226,8 @@ type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
 	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
+	Whitelist        []string `description:"Comma-separated list of allowed OAuth domains for this provider." yaml:"whitelist"`
+	WhitelistFile    string   `description:"Path to the OAuth whitelist file for this provider." yaml:"whitelistFile"`
 	Scopes           []string `description:"OAuth scopes." yaml:"scopes"`
 	RedirectURL      string   `description:"OAuth redirect URL." yaml:"redirectUrl"`
 	AuthURL          string   `description:"OAuth authorization URL." yaml:"authUrl"`

internal/service/auth_service.go

@@ -285,10 +285,15 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 	}
 }
 
-func (auth *AuthService) IsEmailWhitelisted(email string) bool {
-	match, err := utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
+	whitelist := auth.runtime.OAuthWhitelist
+	if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
+		whitelist = providerConfig.Whitelist
+	}
+
+	match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
 	if err != nil {
-		auth.log.App.Warn().Err(err).Str("email", email).Msg("Invalid email filter pattern")
+		auth.log.App.Warn().Err(err).Str("provider", provider).Str("email", email).Msg("Invalid email filter pattern")
 		return false
 	}
 	return match

internal/service/auth_service_test.go

@@ -0,0 +1,39 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	auth := &AuthService{
+		log: log,
+		runtime: model.RuntimeConfig{
+			OAuthWhitelist: []string{"global@example.com"},
+			OAuthProviders: map[string]model.OAuthServiceConfig{
+				"github": {
+					Whitelist: []string{"github@example.com"},
+				},
+				"pocketid": {
+					Whitelist: []string{"pocket@example.com"},
+				},
+				"gitlab": {
+					Whitelist: []string{},
+				},
+			},
+		},
+	}
+
+	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
+	assert.False(t, auth.IsEmailWhitelisted("github", "pocket@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("pocketid", "pocket@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("google", "global@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("gitlab", "global@example.com"))
+	assert.False(t, auth.IsEmailWhitelisted("gitlab", "unknown@example.com"))
+}

internal/utils/loaders/loader_file.go

@@ -3,6 +3,7 @@ package loaders
 import (
 	"os"
 
+	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
 	"github.com/tinyauthapp/paerser/file"
 	"github.com/tinyauthapp/paerser/flag"
@@ -18,8 +19,8 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 	}
 
 	// I guess we are using traefik as the root name (we can't change it)
-	configFileFlag := "traefik.configfile"
-	envVar := "TINYAUTH_CONFIGFILE"
+	configFileFlag := "traefik.experimental.configfile"
+	envVar := "TINYAUTH_EXPERIMENTAL_CONFIGFILE"
 
 	if _, ok := flags[configFileFlag]; !ok {
 		if value := os.Getenv(envVar); value != "" {
@@ -29,6 +30,8 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 		}
 	}
 
+	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")
+
 	err = file.Decode(flags[configFileFlag], cmd.Configuration)
 
 	if err != nil {