feat: support provider-specific OAuth whitelists (#882)

Co-authored-by: Puneet Dixit <236133619+puneetdixit200@users.noreply.github.com>

.env.example

@@ -101,6 +101,10 @@ TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
+# Comma-separated list of allowed OAuth domains for this provider.
+TINYAUTH_OAUTH_PROVIDERS_name_WHITELIST=
+# Path to the OAuth whitelist file for this provider.
+TINYAUTH_OAUTH_PROVIDERS_name_WHITELISTFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.

go.mod

@@ -15,7 +15,6 @@ require (
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.35.1
-	github.com/steveiliop56/ding v0.1.0
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3

go.sum

@@ -390,8 +390,6 @@ github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/steveiliop56/ding v0.1.0 h1:LpbcHqgBniRxXsZdfT12izDZsOjFfbhGLTz2lt8H4kc=
-github.com/steveiliop56/ding v0.1.0/go.mod h1:bE2u2XH7CjhPzbb/0Ems+D8YZlf2Ae+eKhj00UR1iAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=

internal/bootstrap/app_bootstrap.go

@@ -13,11 +13,11 @@ import (
 	"os/signal"
 	"sort"
 	"strings"
+	"sync"
 	"syscall"
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -26,12 +26,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-// Shutdown order for go routines
-// 1. Lifecycle routines (e.g. database cleanup, heartbeat) - ding.RingMinor
-// 2. HTTP server listeners - ding.RingNormal
-// 3. Services (e.g. auth service, ldap service, tailscale service) - ding.RingMajor
-// 4. Database connection - ding.RingCritical
-
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
@@ -54,7 +48,7 @@ type BootstrapApp struct {
 	queries   repository.Store
 	router    *gin.Engine
 	db        *sql.DB
-	ding      *ding.Ding
+	wg        sync.WaitGroup
 	listeners []Listener
 }
 
@@ -70,10 +64,6 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
 
-	// Create a ding instance
-	dg := ding.New(ctx)
-	app.ding = dg
-
 	// setup logger
 	log := logger.NewLogger().WithConfig(app.config.Log)
 	log.Init()
@@ -127,6 +117,13 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.OAuthProviders = app.config.OAuth.Providers
 
 	for id, provider := range app.runtime.OAuthProviders {
+		providerWhitelist, err := utils.GetStringList(provider.Whitelist, provider.WhitelistFile)
+		if err != nil {
+			return fmt.Errorf("failed to load oauth whitelist for provider %s: %w", id, err)
+		}
+
+		provider.Whitelist = providerWhitelist
+
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
@@ -189,17 +186,15 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 
-	app.ding.Go(func(ctx context.Context) {
+	// after this point, we start initializing dependencies so it's a good time to setup a defer
-		<-ctx.Done()
+	// to ensure that resources are cleaned up properly in case of an error during initialization
-		app.log.App.Debug().Msg("Shutting down database connection")
+	defer func() {
-		if app.db == nil {
+		app.cancel()
-			// using memory store, no db instance
+		app.wg.Wait()
-			return
+		if app.db != nil {
+			app.db.Close()
 		}
-		if err := app.db.Close(); err != nil {
+	}()
-			app.log.App.Error().Err(err).Msg("Failed to close database connection")
-		}
-	}, ding.RingCritical)
 
 	// store
 	app.queries = store
@@ -266,12 +261,12 @@ func (app *BootstrapApp) Setup() error {
 
 	// start db cleanup routine
 	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.ding.Go(app.dbCleanupRoutine, ding.RingMinor)
+	app.wg.Go(app.dbCleanupRoutine)
 
 	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
 		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.ding.Go(app.heartbeatRoutine, ding.RingMinor)
+		app.wg.Go(app.heartbeatRoutine)
 	}
 
 	// setup listeners
@@ -292,7 +287,6 @@ func (app *BootstrapApp) Setup() error {
 	for {
 		select {
 		case <-app.ctx.Done():
-			app.ding.Wait()
 			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
 			return nil
 		case err := <-lec:
@@ -303,7 +297,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 }
 
-func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
+func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
 
@@ -356,7 +350,7 @@ func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 			if res.StatusCode != 200 && res.StatusCode != 201 {
 				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 			}
-		case <-ctx.Done():
+		case <-app.ctx.Done():
 			app.log.App.Debug().Msg("Stopping heartbeat routine")
 			ticker.Stop()
 			return
@@ -364,7 +358,7 @@ func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 	}
 }
 
-func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
+func (app *BootstrapApp) dbCleanupRoutine() {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 
@@ -373,14 +367,14 @@ func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
 		case <-ticker.C:
 			app.log.App.Debug().Msg("Running database cleanup")
 
-			err := app.queries.DeleteExpiredSessions(ctx, time.Now().Unix())
+			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
 
 			if err != nil {
 				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
 			}
 
 			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-ctx.Done():
+		case <-app.ctx.Done():
 			app.log.App.Debug().Msg("Stopping database cleanup routine")
 			ticker.Stop()
 			return

internal/bootstrap/router_bootstrap.go

@@ -9,7 +9,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -81,9 +80,9 @@ func (app *BootstrapApp) runListeners() (chan error, error) {
 			return nil, fmt.Errorf("failed to get listener function: %w", err)
 		}
 
-		app.ding.Go(func(ctx context.Context) {
+		app.wg.Go(func() {
-			lec <- listenerFunc(ctx)
+			lec <- listenerFunc()
-		}, ding.RingNormal)
+		})
 	}
 
 	return lec, nil
@@ -126,7 +125,7 @@ func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 	return l
 }
 
-func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx context.Context) error, error) {
+func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error, error) {
 	switch listenerType {
 	case ListenerHTTP:
 		return app.serveHTTP, nil
@@ -139,7 +138,7 @@ func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx conte
 	}
 }
 
-func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
+func (app *BootstrapApp) serveHTTP() error {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 
 	app.log.App.Info().Msgf("Starting server on %s", address)
@@ -155,10 +154,10 @@ func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}
 
-	return app.serve(listener, server, ctx, "http")
+	return app.serve(listener, server, "http")
 }
 
-func (app *BootstrapApp) serveUnix(ctx context.Context) error {
+func (app *BootstrapApp) serveUnix() error {
 	_, err := os.Stat(app.config.Server.SocketPath)
 
 	if err == nil {
@@ -182,10 +181,10 @@ func (app *BootstrapApp) serveUnix(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}
 
-	return app.serve(listener, server, ctx, "unix socket")
+	return app.serve(listener, server, "unix socket")
 }
 
-func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
+func (app *BootstrapApp) serveTailscale() error {
 	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
 
 	listener, err := app.services.tailscaleService.CreateListener()
@@ -198,23 +197,27 @@ func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}
 
-	return app.serve(listener, server, ctx, "tailscale")
+	return app.serve(listener, server, "tailscale")
 }
 
-func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, ctx context.Context, name string) error {
+func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, name string) error {
 	shutdown := func() {
-		// we use a new context for the shutdown since the main one is cancelled
+		ctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
-		sctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
 		defer cancel()
-		err := server.Shutdown(sctx)
+		err := server.Shutdown(ctx)
-		if err != nil {
+		if err != nil &&
+			// With tailscale, the goroutine for shutting down the tailscale connection
+			// runs first and causes the connection the tailscale listener is running on to close
+			// first so, the shutdown fails
+			// TODO: add priority to the goroutine shutdowns
+			!errors.Is(err, net.ErrClosed) {
 			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
 		}
 		listener.Close()
 	}
 
 	go func() {
-		<-ctx.Done()
+		<-app.ctx.Done()
 		app.log.App.Debug().Msgf("Shutting down %s listener", name)
 		shutdown()
 	}()

internal/bootstrap/service_bootstrap.go

@@ -8,7 +8,7 @@ import (
 )
 
 func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
 
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
@@ -22,7 +22,7 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
 
-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
 
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
@@ -42,10 +42,10 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
 	app.services.authService = authService
 
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
 
 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
@@ -69,7 +69,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
 
-			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
 
 			if err != nil {
 				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
@@ -81,7 +81,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 
 		app.log.App.Debug().Msg("Using Docker label provider")
 
-		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
 
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize docker service: %w", err)

internal/controller/oauth_controller.go

@@ -183,9 +183,23 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.IsEmailWhitelisted(user.Email) {
+	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if svc.ID() != req.Provider {
+		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if !controller.auth.IsEmailWhitelisted(svc.ID(), user.Email) {
 		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		controller.log.AuditLoginFailure(user.Email, svc.ID(), c.ClientIP(), "email not whitelisted")
 
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
@@ -226,20 +240,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
-	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
-	if svc.ID() != req.Provider {
-		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
 	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,

internal/controller/oidc_controller_test.go

@@ -8,11 +8,11 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"strings"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -840,9 +840,9 @@ func TestOIDCController(t *testing.T) {
 
 	store := memory.New()
 
-	dg := ding.New(context.TODO())
+	wg := &sync.WaitGroup{}
 
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, context.TODO(), wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {

internal/controller/proxy_controller_test.go

@@ -3,10 +3,10 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -353,11 +353,11 @@ func TestProxyController(t *testing.T) {
 
 	store := memory.New()
 
+	wg := &sync.WaitGroup{}
 	ctx := context.TODO()
-	dg := ding.New(ctx)
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 	aclsService := service.NewAccessControlsService(log, cfg, nil)
 
 	policyEngine, err := service.NewPolicyEngine(cfg, log)

internal/controller/user_controller_test.go

@@ -6,12 +6,12 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -412,10 +412,10 @@ func TestUserController(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test

internal/controller/well_known_controller_test.go

@@ -5,10 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -89,11 +89,11 @@ func TestWellKnownController(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}
 
 	store := memory.New()
 
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, ctx, wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {

internal/middleware/context_middleware.go

@@ -205,7 +205,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
 
-		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
+		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
 			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}

internal/middleware/context_middleware_test.go

@@ -5,11 +5,11 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
+	"sync"
 	"testing"
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
@@ -250,12 +250,12 @@ func TestContextMiddleware(t *testing.T) {
 	}
 
 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}
 
 	store := memory.New()
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 

internal/model/config.go

@@ -226,6 +226,8 @@ type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
 	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
+	Whitelist        []string `description:"Comma-separated list of allowed OAuth domains for this provider." yaml:"whitelist"`
+	WhitelistFile    string   `description:"Path to the OAuth whitelist file for this provider." yaml:"whitelistFile"`
 	Scopes           []string `description:"OAuth scopes." yaml:"scopes"`
 	RedirectURL      string   `description:"OAuth redirect URL." yaml:"redirectUrl"`
 	AuthURL          string   `description:"OAuth authorization URL." yaml:"authUrl"`

internal/service/auth_service.go

@@ -9,7 +9,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -97,7 +96,7 @@ func NewAuthService(
 	config model.Config,
 	runtime model.RuntimeConfig,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 	ldap *LdapService,
 	queries repository.Store,
 	oauthBroker *OAuthBrokerService,
@@ -117,7 +116,7 @@ func NewAuthService(
 		tailscale:            tailscale,
 	}
 
-	dg.Go(service.cleanupOAuthSessions, ding.RingMinor)
+	wg.Go(service.CleanupOAuthSessionsRoutine)
 
 	return service
 }
@@ -286,10 +285,15 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 	}
 }
 
-func (auth *AuthService) IsEmailWhitelisted(email string) bool {
+func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
-	match, err := utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+	whitelist := auth.runtime.OAuthWhitelist
+	if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
+		whitelist = providerConfig.Whitelist
+	}
+
+	match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
 	if err != nil {
-		auth.log.App.Warn().Err(err).Str("email", email).Msg("Invalid email filter pattern")
+		auth.log.App.Warn().Err(err).Str("provider", provider).Str("email", email).Msg("Invalid email filter pattern")
 		return false
 	}
 	return match
@@ -585,7 +589,7 @@ func (auth *AuthService) EndOAuthSession(sessionId string) {
 	auth.oauthMutex.Unlock()
 }
 
-func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {
+func (auth *AuthService) CleanupOAuthSessionsRoutine() {
 	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
 
 	ticker := time.NewTicker(30 * time.Minute)
@@ -608,7 +612,7 @@ func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {
 
 			auth.oauthMutex.Unlock()
 			auth.log.App.Debug().Msg("OAuth session cleanup completed")
-		case <-ctx.Done():
+		case <-auth.context.Done():
 			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
 			return
 		}

internal/service/auth_service_test.go

@@ -0,0 +1,39 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	auth := &AuthService{
+		log: log,
+		runtime: model.RuntimeConfig{
+			OAuthWhitelist: []string{"global@example.com"},
+			OAuthProviders: map[string]model.OAuthServiceConfig{
+				"github": {
+					Whitelist: []string{"github@example.com"},
+				},
+				"pocketid": {
+					Whitelist: []string{"pocket@example.com"},
+				},
+				"gitlab": {
+					Whitelist: []string{},
+				},
+			},
+		},
+	}
+
+	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
+	assert.False(t, auth.IsEmailWhitelisted("github", "pocket@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("pocketid", "pocket@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("google", "global@example.com"))
+	assert.True(t, auth.IsEmailWhitelisted("gitlab", "global@example.com"))
+	assert.False(t, auth.IsEmailWhitelisted("gitlab", "unknown@example.com"))
+}

internal/service/docker_service.go

@@ -3,8 +3,8 @@ package service
 import (
 	"context"
 	"strings"
+	"sync"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -24,7 +24,7 @@ type DockerService struct {
 func NewDockerService(
 	log *logger.Logger,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 ) (*DockerService, error) {
 
 	client, err := client.NewClientWithOpts(client.FromEnv)
@@ -50,7 +50,7 @@ func NewDockerService(
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
 
-	dg.Go(service.watchAndClose, ding.RingMajor)
+	wg.Go(service.watchAndClose)
 
 	return service, nil
 }
@@ -108,8 +108,8 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 	return nil, nil
 }
 
-func (docker *DockerService) watchAndClose(ctx context.Context) {
+func (docker *DockerService) watchAndClose() {
-	<-ctx.Done()
+	<-docker.context.Done()
 	docker.log.App.Debug().Msg("Closing Docker client")
 	if docker.client != nil {
 		err := docker.client.Close()

internal/service/kubernetes_service.go

@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -39,6 +38,7 @@ type ingressApp struct {
 
 type KubernetesService struct {
 	log *logger.Logger
+	ctx context.Context
 
 	client       dynamic.Interface
 	started      bool
@@ -51,7 +51,7 @@ type KubernetesService struct {
 func NewKubernetesService(
 	log *logger.Logger,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 ) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
@@ -82,15 +82,16 @@ func NewKubernetesService(
 
 	service := &KubernetesService{
 		log:          log,
+		ctx:          ctx,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
 
-	dg.Go(func(ctx context.Context) {
+	wg.Go(func() {
-		service.watchGVR(gvr, ctx)
+		service.watchGVR(gvr)
-	}, ding.RingMajor)
+	})
 
 	service.started = true
 	log.App.Debug().Msg("Kubernetes label provider started successfully")
@@ -270,8 +271,8 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	}
 }
 
-func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource, ctx context.Context) error {
+func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	ctx, cancel := context.WithTimeout(k.ctx, 30*time.Second)
 	defer cancel()
 
 	list, err := k.client.Resource(gvr).List(ctx, metav1.ListOptions{})
@@ -288,10 +289,10 @@ func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource, ctx conte
 
 // runWatcher drains events from an active watcher until it closes or the context is done.
 // Returns true if the caller should restart the watcher, false if it should exit.
-func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker, ctx context.Context) bool {
+func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker) bool {
 	for {
 		select {
-		case <-ctx.Done():
+		case <-k.ctx.Done():
 			w.Stop()
 			return false
 		case event, ok := <-w.ResultChan():
@@ -313,33 +314,33 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 				k.removeIngress(item.GetNamespace(), item.GetName())
 			}
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr, ctx); err != nil {
+			if err := k.resyncGVR(gvr); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed during watcher run")
 			}
 		}
 	}
 }
 
-func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource, ctx context.Context) {
+func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	resyncTicker := time.NewTicker(5 * time.Minute)
 	defer resyncTicker.Stop()
 
-	if err := k.resyncGVR(gvr, ctx); err != nil {
+	if err := k.resyncGVR(gvr); err != nil {
 		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, will retry")
 		time.Sleep(30 * time.Second)
 	}
 
 	for {
 		select {
-		case <-ctx.Done():
+		case <-k.ctx.Done():
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Shutting down kubernetes watcher")
 			return
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr, ctx); err != nil {
+			if err := k.resyncGVR(gvr); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed, will retry")
 			}
 		default:
-			ctx, cancel := context.WithCancel(ctx)
+			ctx, cancel := context.WithCancel(k.ctx)
 			watcher, err := k.client.Resource(gvr).Watch(ctx, metav1.ListOptions{})
 			if err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher, will retry")
@@ -348,7 +349,7 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource, ctx contex
 				continue
 			}
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started successfully")
-			if !k.runWatcher(gvr, watcher, resyncTicker, ctx) {
+			if !k.runWatcher(gvr, watcher, resyncTicker) {
 				cancel()
 				return
 			}

internal/service/ldap_service.go

@@ -9,14 +9,14 @@ import (
 
 	"github.com/cenkalti/backoff/v5"
 	ldapgo "github.com/go-ldap/ldap/v3"
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 type LdapService struct {
-	log    *logger.Logger
+	log     *logger.Logger
-	config model.Config
+	config  model.Config
+	context context.Context
 
 	conn  *ldapgo.Conn
 	mutex sync.RWMutex
@@ -26,15 +26,17 @@ type LdapService struct {
 func NewLdapService(
 	log *logger.Logger,
 	config model.Config,
-	dg *ding.Ding,
+	ctx context.Context,
+	wg *sync.WaitGroup,
 ) (*LdapService, error) {
 	if config.LDAP.Address == "" {
 		return nil, nil
 	}
 
 	ldap := &LdapService{
-		log:    log,
+		log:     log,
-		config: config,
+		config:  config,
+		context: ctx,
 	}
 
 	// Check whether authentication with client certificate is possible
@@ -67,7 +69,7 @@ func NewLdapService(
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
 
-	dg.Go(func(ctx context.Context) {
+	wg.Go(func() {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 
 		ticker := time.NewTicker(5 * time.Minute)
@@ -85,12 +87,12 @@ func NewLdapService(
 					}
 					ldap.log.App.Info().Msg("Successfully reconnected to LDAP server")
 				}
-			case <-ctx.Done():
+			case <-ldap.context.Done():
 				ldap.log.App.Debug().Msg("LDAP service context cancelled, stopping heartbeat")
 				return
 			}
 		}
-	}, ding.RingMajor)
+	})
 
 	return ldap, nil
 }

internal/service/oidc_service.go

@@ -15,13 +15,13 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"sync"
 	"time"
 
 	"slices"
 
 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -116,6 +116,7 @@ type OIDCService struct {
 	config  model.Config
 	runtime model.RuntimeConfig
 	queries repository.Store
+	context context.Context
 
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
@@ -128,7 +129,8 @@ func NewOIDCService(
 	config model.Config,
 	runtime model.RuntimeConfig,
 	queries repository.Store,
-	dg *ding.Ding) (*OIDCService, error) {
+	ctx context.Context,
+	wg *sync.WaitGroup) (*OIDCService, error) {
 	// If not configured, skip init
 	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
@@ -274,6 +276,7 @@ func NewOIDCService(
 		config:  config,
 		runtime: runtime,
 		queries: queries,
+		context: ctx,
 
 		clients:    clients,
 		privateKey: privateKey,
@@ -282,7 +285,7 @@ func NewOIDCService(
 	}
 
 	// Start cleanup routine
-	dg.Go(service.cleanupRoutine, ding.RingMinor)
+	wg.Go(service.cleanupRoutine)
 
 	return service, nil
 }
@@ -756,7 +759,7 @@ func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) er
 }
 
 // Cleanup routine - Resource heavy due to the linked tables
-func (service *OIDCService) cleanupRoutine(ctx context.Context) {
+func (service *OIDCService) cleanupRoutine() {
 	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
@@ -769,7 +772,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			currentTime := time.Now().Unix()
 
 			// For the OIDC tokens, if they are expired we delete the userinfo and codes
-			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(service.context, repository.DeleteExpiredOidcTokensParams{
 				TokenExpiresAt:        currentTime,
 				RefreshTokenExpiresAt: currentTime,
 			})
@@ -779,21 +782,21 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			}
 
 			for _, expiredToken := range expiredTokens {
-				err := service.DeleteOldSession(ctx, expiredToken.Sub)
+				err := service.DeleteOldSession(service.context, expiredToken.Sub)
 				if err != nil {
 					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
 				}
 			}
 
 			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
-			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
+			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(service.context, currentTime)
 
 			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
+			service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
 			}
 
 			for _, expiredCode := range expiredCodes {
-				token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
+				token, err := service.queries.GetOidcTokenBySub(service.context, expiredCode.Sub)
 
 				if err != nil {
 					if !errors.Is(err, repository.ErrNotFound) {
@@ -803,7 +806,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 				}
 
 				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
-					err := service.DeleteOldSession(ctx, expiredCode.Sub)
+					err := service.DeleteOldSession(service.context, expiredCode.Sub)
 					if err != nil {
 						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
 					}
@@ -811,7 +814,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			}
 
 			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
-		case <-ctx.Done():
+		case <-service.context.Done():
 			service.log.App.Debug().Msg("Stopping OIDC cleanup routine")
 			return
 		}

internal/service/oidc_service_test.go

@@ -3,9 +3,9 @@ package service_test
 import (
 	"context"
 	"encoding/json"
+	"sync"
 	"testing"
 
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -70,9 +70,9 @@ func TestCompileUserinfo(t *testing.T) {
 	log.Init()
 
 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}
 
-	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, ctx, wg)
 	require.NoError(t, err)
 
 	type testCase struct {

internal/service/tailscale_service.go

@@ -9,7 +9,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"tailscale.com/client/local"
@@ -26,6 +25,7 @@ type TailscaleWhoisResponse struct {
 
 type TailscaleService struct {
 	log    *logger.Logger
+	wg     *sync.WaitGroup
 	config model.Config
 	ctx    context.Context
 
@@ -35,7 +35,7 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
 
-func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, wg *sync.WaitGroup) (*TailscaleService, error) {
 	if !config.Tailscale.Enabled {
 		return nil, nil
 	}
@@ -67,6 +67,7 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 
 	service := &TailscaleService{
 		log:    log,
+		wg:     wg,
 		config: config,
 		ctx:    ctx,
 		srv:    srv,
@@ -83,13 +84,13 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
 
-	dg.Go(service.watchAndClose, ding.RingMajor)
+	wg.Go(service.watchAndClose)
 
 	return service, nil
 }
 
-func (ts *TailscaleService) watchAndClose(ctx context.Context) {
+func (ts *TailscaleService) watchAndClose() {
-	<-ctx.Done()
+	<-ts.ctx.Done()
 	ts.log.App.Debug().Msg("Shutting down Tailscale service")
 	ts.mu.Lock()
 	srv := ts.srv