tests: fix tests for proxy controller

chore: revert 4c741a5 and use 403 for acl errors
fix: use 401 errors instead of 403 for nginx responses
2026-05-16 01:00:14 +00:00 · 2026-05-15 18:43:18 +03:00 · 2026-05-15 18:39:12 +03:00 · 2026-05-15 18:12:15 +03:00 · 2026-05-15 14:43:51 +03:00 · 2026-05-14 00:08:48 +03:00
21 changed files with 5213 additions and 1200 deletions
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "bun"
+  - package-ecosystem: "npm"
    directory: "/frontend"
    groups:
      minor-patch:
@@ -15,8 +15,10 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -27,27 +29,22 @@ jobs:
        run: go mod download
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Set version
-        run: |
+        run: echo testing > internal/assets/version
          echo testing > internal/assets/version
      - name: Lint frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run lint
          bun run lint
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Copy frontend
-        run: |
+        run: cp -r frontend/dist internal/assets/dist
          cp -r frontend/dist internal/assets/dist
      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...
@@ -59,8 +59,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -68,18 +70,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -105,8 +104,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -114,18 +115,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -35,8 +35,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -44,18 +46,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -78,8 +77,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -87,18 +88,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -48,3 +48,6 @@ __debug_*
 # testing config
 config.certify.yml
 # deepsec
 /.deepsec
@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 ## Requirements
- Bun
+- pnpm
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 ```sh
 cd frontend/
-bun install
+pnpm ci
 ```
 ## Create the `.env` file
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
 COPY ./cmd ./cmd
 COPY ./internal ./internal
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	cd frontend && pnpm ci
 	go mod download
 # Clean data
@@ -31,7 +31,7 @@ clean-webui:
 # Build the web UI
 webui: clean-webui
-	bun run --cwd frontend build
+	cd frontend && pnpm run build
 	cp -r frontend/dist internal/assets
 # Build the binary
@@ -2,8 +2,56 @@
 ## Supported Versions
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 ## Reporting a Vulnerability
-Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
+Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
 Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
 Or send us an email at <security@tinyauth.app>.
 ### A note on AI-assisted reports
 If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
 When submitting a report, please use the structure below so it can be triaged quickly.
 ---
 ### 1. Summary
 A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
 ### 2. Steps to Reproduce / Proof of Concept
 Provide a minimal, reliable reproduction:
 1. Step one
 2. Step two
 3. Step three
 Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
 ### 3. Expected vs. Actual Behaviour
 - **Expected:** what *should* happen
 - **Actual:** what *does* happen, and why it's a security issue
 ### 4. Suggested Fix or Mitigation *(optional)*
 If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
 - **Have you tested this fix?** Yes / No
 - **If yes,** briefly describe how it was tested and what was verified.
 ---
 ## What to Expect
 - **Acknowledgement** within a reasonable timeframe after receiving your report
 - **Updates** as the issue is investigated and addressed
 - **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
 We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
@@ -1,6 +0,0 @@
 # Ignore artifacts:
 dist
 node_modules
 bun.lock
 package.json
 src/lib/i18n/locales
@@ -1 +0,0 @@
 {}
@@ -1,11 +1,13 @@
-FROM oven/bun:1.2.16-alpine
+FROM node:26.1-alpine3.23
 RUN npm install -g pnpm@11.1.2
 WORKDIR /frontend
 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+COPY ./frontend/pnpm-lock.yaml ./
-RUN bun install --frozen-lockfile
+RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,4 +21,4 @@ COPY ./frontend/vite.config.ts ./
 EXPOSE 5173
-ENTRYPOINT ["bun", "run", "dev"]
+ENTRYPOINT ["pnpm", "run", "dev"]
@@ -10,6 +10,7 @@
    "preview": "vite preview",
    "tsc": "tsc -b"
  },
  "packageManager": "pnpm@11.1.2",
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -0,0 +1,4 @@
 dangerouslyAllowAllBuilds: false
 blockExoticSubdeps: true
 minimumReleaseAge: 1440 # 1 day
 trustPolicy: no-downgrade
@@ -144,9 +144,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
+			c.JSON(403, gin.H{
-				"status":  401,
+				"status":  403,
-				"message": "Unauthorized",
+				"message": "Forbidden",
 			})
 			return
 		}
@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}
@@ -297,6 +297,11 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("access_denied")
 	}
 	// Redirect URI to verify that it's trusted
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
 	}
 	// Scopes
 	scopes := strings.Split(req.Scope, " ")
@@ -318,11 +323,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("unsupported_response_type")
 	}
 	// Redirect URI
 	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
 		return errors.New("invalid_request_uri")
 	}
 	// PKCE code challenge method if set
 	if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
 		if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
Author	SHA1	Message	Date
Stavros	ca06099466	tests: fix tests for proxy controller	2026-05-15 18:43:18 +03:00
Stavros	d4b4245017	chore: revert `4c741a5` and use 403 for acl errors	2026-05-15 18:39:12 +03:00
Stavros	4c741a5990	fix: use 401 errors instead of 403 for nginx responses	2026-05-15 18:12:15 +03:00
Stavros	def539a40f	refactor: replace bun with pnpm (#870 )	2026-05-15 14:43:51 +03:00
Dreddy	e6b291d21c	docs: enhance security policy with reporting guidelines (#868 )	2026-05-14 00:08:48 +03:00
Stavros	086e3af4e2	chore: add deepsec to gitignore	2026-05-13 19:11:39 +03:00
Dreddy	f9fff24ca5	fix: oidc open redirect (#854 )	2026-05-13 17:34:39 +03:00