barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-10-29 21:25:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: barbercollie:feat/domain-warning
Branches Tags
barbercollie:main barbercollie:refactor/acl-decoder barbercollie:dependabot/bun/frontend/minor-patch-b39938bc8c barbercollie:refactor/decoders barbercollie:dependabot/docker/oven/bun-1.3.1-alpine barbercollie:l10n_main barbercollie:docs/update-readme barbercollie:refactor/cli barbercollie:feat/analytics barbercollie:feat/multi-oauth barbercollie:revert-337-feat/header-acls barbercollie:feat/header-acls barbercollie:refactor/exports barbercollie:feat/domain-warning barbercollie:refactor/labels barbercollie:feat/sqlite barbercollie:refactor/file-structure barbercollie:feat/login-screen-version barbercollie:feat/ldap barbercollie:refactor/remove-init barbercollie:fix/sessions barbercollie:feat/ip-allow-block barbercollie:feat/app-basic-auth barbercollie:feat/app-label-domain barbercollie:refactor/paerser barbercollie:feat/untrusted-ssl-generic barbercollie:feat/cookie-uuid barbercollie:feat/new-ui barbercollie:feat/oauth-info barbercollie:feat/multiple-app-urls barbercollie:refactor/error-handling barbercollie:refactor/handlers barbercollie:feat/swagger barbercollie:refactor/app-context barbercollie:feat/totp barbercollie:chore/comments
barbercollie:nightly barbercollie:v4.0.1 barbercollie:v4.0.1-beta.2 barbercollie:v4.0.1-beta.1 barbercollie:v4.0.0 barbercollie:v4.0.0-rc.1 barbercollie:v4.0.0-beta.3 barbercollie:v4.0.0-beta.2 barbercollie:v4.0.0-beta.1 barbercollie:v4.0.0-alpha.2 barbercollie:v4.0.0-alpha.1 barbercollie:v3.6.2 barbercollie:v3.6.2-beta.4 barbercollie:v3.6.2-beta.3 barbercollie:v3.6.2-beta.2 barbercollie:v3.6.2-beta.1 barbercollie:v3.6.1 barbercollie:v3.6.1-beta.3 barbercollie:v3.6.1-beta.2 barbercollie:v3.6.1-beta.1 barbercollie:v3.6.0 barbercollie:v3.6.0-beta.2 barbercollie:v3.6.0-beta.1 barbercollie:v3.5.0 barbercollie:v3.5.0-alpha.2 barbercollie:v3.5.0-alpha.1 barbercollie:v3.4.1 barbercollie:v3.4.1-beta.1 barbercollie:v3.4.0 barbercollie:v3.4.0-beta.2 barbercollie:v3.4.0-beta.1 barbercollie:v3.4.0-alpha.1 barbercollie:v3.3.1 barbercollie:v3.3.1-beta.1 barbercollie:v3.3.0 barbercollie:v3.3.0-alpha.3 barbercollie:v3.3.0-alpha.2 barbercollie:v3.3.0-alpha.1 barbercollie:v3.2.1 barbercollie:v3.2.1-beta.1 barbercollie:v3.2.0 barbercollie:v3.2.0-beta.6 barbercollie:v3.2.0-beta.5 barbercollie:v3.2.0-beta.4 barbercollie:v3.2.0-beta.3 barbercollie:v3.2.0-beta.2 barbercollie:v3.2.0-beta.1 barbercollie:v3.2.0-alpha.1 barbercollie:v3.1.0 barbercollie:v3.1.0-beta.2 barbercollie:v3.1.0-beta.1 barbercollie:v3.1.0-alpha.1 barbercollie:v3.1.0-exp.3 barbercollie:v3.1.0-exp.2 barbercollie:v3.1.0-exp.1 barbercollie:v3.0.1 barbercollie:v3.0.1-beta.1 barbercollie:v3.0.0 barbercollie:v3.0.0-beta.2 barbercollie:v3.0.0-beta.1 barbercollie:v3.0.0-alpha.4 barbercollie:v3.0.0-alpha.3 barbercollie:v3.0.0-alpha.2 barbercollie:v3.0.0-alpha.1 barbercollie:v2.1.1 barbercollie:v2.1.1-beta.1 barbercollie:v2.1.0 barbercollie:v2.1.0-alpha.2 barbercollie:v2.1.0-alpha.1 barbercollie:v2.0.2 barbercollie:v2.0.2-beta.2 barbercollie:v2.0.2-beta.1 barbercollie:v2.0.1 barbercollie:v2.0.0 barbercollie:v2.0.0-beta.1 barbercollie:v2.0.0-alpha.1 barbercollie:v1.0.0 barbercollie:v1.0.0-beta.3 barbercollie:v1.0.0-beta.2 barbercollie:v1.0.0-beta.1 barbercollie:v1.0.0-alpha.1 barbercollie:v0.3.0 barbercollie:v0.3.0-beta.3 barbercollie:v0.3.0-beta.2 barbercollie:v0.3.0-beta.1 barbercollie:v0.2.0 barbercollie:v0.2.0-beta.1 barbercollie:v0.1.0 barbercollie:v0.1.0-beta.1
...
compare: barbercollie:060e20e578cfa94c27e1de2bfd809f5ce0b9288d
Branches Tags
barbercollie:refactor/acl-decoder barbercollie:dependabot/bun/frontend/minor-patch-b39938bc8c barbercollie:main barbercollie:refactor/decoders barbercollie:dependabot/docker/oven/bun-1.3.1-alpine barbercollie:l10n_main barbercollie:docs/update-readme barbercollie:refactor/cli barbercollie:feat/analytics barbercollie:feat/multi-oauth barbercollie:revert-337-feat/header-acls barbercollie:feat/header-acls barbercollie:refactor/exports barbercollie:feat/domain-warning barbercollie:refactor/labels barbercollie:feat/sqlite barbercollie:refactor/file-structure barbercollie:feat/login-screen-version barbercollie:feat/ldap barbercollie:refactor/remove-init barbercollie:fix/sessions barbercollie:feat/ip-allow-block barbercollie:feat/app-basic-auth barbercollie:feat/app-label-domain barbercollie:refactor/paerser barbercollie:feat/untrusted-ssl-generic barbercollie:feat/cookie-uuid barbercollie:feat/new-ui barbercollie:feat/oauth-info barbercollie:feat/multiple-app-urls barbercollie:refactor/error-handling barbercollie:refactor/handlers barbercollie:feat/swagger barbercollie:refactor/app-context barbercollie:feat/totp barbercollie:chore/comments
barbercollie:nightly barbercollie:v4.0.1 barbercollie:v4.0.1-beta.2 barbercollie:v4.0.1-beta.1 barbercollie:v4.0.0 barbercollie:v4.0.0-rc.1 barbercollie:v4.0.0-beta.3 barbercollie:v4.0.0-beta.2 barbercollie:v4.0.0-beta.1 barbercollie:v4.0.0-alpha.2 barbercollie:v4.0.0-alpha.1 barbercollie:v3.6.2 barbercollie:v3.6.2-beta.4 barbercollie:v3.6.2-beta.3 barbercollie:v3.6.2-beta.2 barbercollie:v3.6.2-beta.1 barbercollie:v3.6.1 barbercollie:v3.6.1-beta.3 barbercollie:v3.6.1-beta.2 barbercollie:v3.6.1-beta.1 barbercollie:v3.6.0 barbercollie:v3.6.0-beta.2 barbercollie:v3.6.0-beta.1 barbercollie:v3.5.0 barbercollie:v3.5.0-alpha.2 barbercollie:v3.5.0-alpha.1 barbercollie:v3.4.1 barbercollie:v3.4.1-beta.1 barbercollie:v3.4.0 barbercollie:v3.4.0-beta.2 barbercollie:v3.4.0-beta.1 barbercollie:v3.4.0-alpha.1 barbercollie:v3.3.1 barbercollie:v3.3.1-beta.1 barbercollie:v3.3.0 barbercollie:v3.3.0-alpha.3 barbercollie:v3.3.0-alpha.2 barbercollie:v3.3.0-alpha.1 barbercollie:v3.2.1 barbercollie:v3.2.1-beta.1 barbercollie:v3.2.0 barbercollie:v3.2.0-beta.6 barbercollie:v3.2.0-beta.5 barbercollie:v3.2.0-beta.4 barbercollie:v3.2.0-beta.3 barbercollie:v3.2.0-beta.2 barbercollie:v3.2.0-beta.1 barbercollie:v3.2.0-alpha.1 barbercollie:v3.1.0 barbercollie:v3.1.0-beta.2 barbercollie:v3.1.0-beta.1 barbercollie:v3.1.0-alpha.1 barbercollie:v3.1.0-exp.3 barbercollie:v3.1.0-exp.2 barbercollie:v3.1.0-exp.1 barbercollie:v3.0.1 barbercollie:v3.0.1-beta.1 barbercollie:v3.0.0 barbercollie:v3.0.0-beta.2 barbercollie:v3.0.0-beta.1 barbercollie:v3.0.0-alpha.4 barbercollie:v3.0.0-alpha.3 barbercollie:v3.0.0-alpha.2 barbercollie:v3.0.0-alpha.1 barbercollie:v2.1.1 barbercollie:v2.1.1-beta.1 barbercollie:v2.1.0 barbercollie:v2.1.0-alpha.2 barbercollie:v2.1.0-alpha.1 barbercollie:v2.0.2 barbercollie:v2.0.2-beta.2 barbercollie:v2.0.2-beta.1 barbercollie:v2.0.1 barbercollie:v2.0.0 barbercollie:v2.0.0-beta.1 barbercollie:v2.0.0-alpha.1 barbercollie:v1.0.0 barbercollie:v1.0.0-beta.3 barbercollie:v1.0.0-beta.2 barbercollie:v1.0.0-beta.1 barbercollie:v1.0.0-alpha.1 barbercollie:v0.3.0 barbercollie:v0.3.0-beta.3 barbercollie:v0.3.0-beta.2 barbercollie:v0.3.0-beta.1 barbercollie:v0.2.0 barbercollie:v0.2.0-beta.1 barbercollie:v0.1.0 barbercollie:v0.1.0-beta.1

27 Commits
feat/domai ... 060e20e578

Author SHA1 Message Date
Stavros
060e20e578 feat: style oauth auto redirect screen 2025-09-12 17:30:30 +03:00
Stavros
e001f63eb5 chore: add credits for parser 2025-09-12 15:11:40 +03:00
Stavros
9f97a4ddd5 feat: add some default icons 2025-09-12 14:57:26 +03:00
Stavros
e5ecf6336f feat: implement multiple oauth providers in the frontend 2025-09-12 14:38:06 +03:00
Stavros
fbf5843592 feat: implement backend logic for multiple oauth providers 2025-09-12 13:46:07 +03:00
Stavros
5fcc50d5fd feat: add oauth config parsing logic 2025-09-12 13:16:45 +03:00
Stavros
68fd5ac24c feat: add env decoder 2025-09-12 12:54:44 +03:00
Stavros
b30b908de3 refactor: finalize flags decoder 2025-09-12 12:47:58 +03:00
Stavros
91048c16f8 feat: add flag decoder (candidate) 2025-09-11 23:10:36 +03:00
Stavros
2d78e6b598 feat: add cookie domain back to context controller 2025-09-10 13:47:48 +03:00
Stavros
e03eaf4f08 feat: add psl check in cookie domain 2025-09-10 13:43:08 +03:00
Stavros
74cb8067a8 tests: add util tests 2025-09-03 17:52:51 +03:00
Stavros
ba46493a7b tests: add proxy controller tests 2025-09-03 15:30:24 +03:00
Stavros
bb0373758a tests: add resources controller test 2025-09-03 14:58:24 +03:00
Stavros
f8836fc964 tests: test user context handler with no context 2025-09-03 13:36:11 +03:00
Stavros
53856e0a70 tests: test invalid json in user controller 2025-09-03 13:31:45 +03:00
Stavros
9b7dcfd86f tests: add user controller tests 2025-09-03 13:28:27 +03:00
Stavros
7afea8b3fc tests: add tests for context controller 2025-09-03 12:45:23 +03:00
Stavros
f5ac7eff99 refactor: mode label decoder to separate package 2025-09-03 12:23:21 +03:00
Stavros
b024d5ffda feat: allow for dash substitute in ip filters for environments like kubernetes 2025-09-03 12:16:06 +03:00
Stavros
773cd6d171 feat: add trusted proxies config value 2025-09-03 12:14:13 +03:00
Stavros
f3eb7f69b4 Revert "feat: header based acls (#337)" (#340) 
This reverts commit f0d2da281a.
 2025-09-03 12:12:18 +03:00
Stavros
f0d2da281a feat: header based acls (#337) 
* feat: add header decoder

* feat: allow for dash substitute over slash for environments like kubernetes

* feat: use decoded headers in proxy controller

* refactor: simplify decode header to node function

* refactor: use stdlib prefix check in header decoder

* fix: lowercase key and filter before comparing
 2025-09-02 19:06:52 +03:00
Stavros
9ce16c9652 fix: expire csrf cookie if it's invalid 2025-09-02 18:38:11 +03:00
Stavros
ad4fc7ef5f refactor: don't export non-needed fields (#336) 
* refactor: don't export non-needed fields

* feat: coderabbit suggestions

* fix: avoid queries panic
 2025-09-02 01:27:55 +03:00
Stavros
5184c96e85 feat: add mutex to ldap service 2025-09-02 00:08:19 +03:00
Stavros
b9e35716ac feat: invalid domain warning (#332) 
* wip

* refactor: update domain warning layout

* i18n: add domain warning translations

* refactor: rework hooks usage

* feat: clear timeouts

* fix: use useeffect to cleanup timeout

* refactor: rework redirects and history storage

* refactor: rename domain to root domain
 2025-09-01 18:22:42 +03:00
63 changed files with 2974 additions and 713 deletions
Expand all files Collapse all files

23
cmd/root.go
View File

@@ -27,11 +27,6 @@ var rootCmd = &cobra.Command{
log.Fatal().Err(err).Msg("Failed to parse config")
}
// Check if secrets have a file associated with them
conf.GithubClientSecret = utils.GetSecret(conf.GithubClientSecret, conf.GithubClientSecretFile)
conf.GoogleClientSecret = utils.GetSecret(conf.GoogleClientSecret, conf.GoogleClientSecretFile)
conf.GenericClientSecret = utils.GetSecret(conf.GenericClientSecret, conf.GenericClientSecretFile)
// Validate config
v := validator.New()
@@ -57,6 +52,7 @@ var rootCmd = &cobra.Command{
}
func Execute() {
rootCmd.FParseErrWhitelist.UnknownFlags = true
err := rootCmd.Execute()
if err != nil {
log.Fatal().Err(err).Msg("Failed to execute command")
@@ -80,22 +76,6 @@ func init() {
{"users", "", "Comma separated list of users in the format username:hash."},
{"users-file", "", "Path to a file containing users in the format username:hash."},
{"secure-cookie", false, "Send cookie over secure connection only."},
{"github-client-id", "", "Github OAuth client ID."},
{"github-client-secret", "", "Github OAuth client secret."},
{"github-client-secret-file", "", "Github OAuth client secret file."},
{"google-client-id", "", "Google OAuth client ID."},
{"google-client-secret", "", "Google OAuth client secret."},
{"google-client-secret-file", "", "Google OAuth client secret file."},
{"generic-client-id", "", "Generic OAuth client ID."},
{"generic-client-secret", "", "Generic OAuth client secret."},
{"generic-client-secret-file", "", "Generic OAuth client secret file."},
{"generic-scopes", "", "Generic OAuth scopes."},
{"generic-auth-url", "", "Generic OAuth auth URL."},
{"generic-token-url", "", "Generic OAuth token URL."},
{"generic-user-url", "", "Generic OAuth user info URL."},
{"generic-name", "Generic", "Generic OAuth provider name."},
{"generic-skip-ssl", false, "Skip SSL verification for the generic OAuth provider."},
{"disable-continue", false, "Disable continue screen and redirect to app directly."},
{"oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth."},
{"oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)"},
{"session-expiry", 86400, "Session (cookie) expiration time in seconds."},
@@ -113,6 +93,7 @@ func init() {
{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file."},
{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses or CIDRs) for correct client IP detection."},
}
for _, opt := range configOptions {

5
frontend/bun.lock
View File

@@ -14,7 +14,6 @@
"axios": "^1.11.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dompurify": "^3.2.6",
"i18next": "^25.4.2",
"i18next-browser-languagedetector": "^8.2.0",
"i18next-resources-to-backend": "^1.2.1",
@@ -364,8 +363,6 @@
"@types/react-dom": ["@types/react-dom@19.1.8", "", { "peerDependencies": { "@types/react": "^19.0.0" } }, "sha512-xG7xaBMJCpcK0RpN8jDbAACQo54ycO6h4dSSmgv8+fu6ZIAdANkx/WsawASUjVXYfy+J9AbUpRMNNEsXCDfDBQ=="],
"@types/trusted-types": ["@types/trusted-types@2.0.7", "", {}, "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw=="],
"@types/unist": ["@types/unist@3.0.3", "", {}, "sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q=="],
"@typescript-eslint/eslint-plugin": ["@typescript-eslint/eslint-plugin@8.41.0", "", { "dependencies": { "@eslint-community/regexpp": "^4.10.0", "@typescript-eslint/scope-manager": "8.41.0", "@typescript-eslint/type-utils": "8.41.0", "@typescript-eslint/utils": "8.41.0", "@typescript-eslint/visitor-keys": "8.41.0", "graphemer": "^1.4.0", "ignore": "^7.0.0", "natural-compare": "^1.4.0", "ts-api-utils": "^2.1.0" }, "peerDependencies": { "@typescript-eslint/parser": "^8.41.0", "eslint": "^8.57.0 || ^9.0.0", "typescript": ">=4.8.4 <6.0.0" } }, "sha512-8fz6oa6wEKZrhXWro/S3n2eRJqlRcIa6SlDh59FXJ5Wp5XRZ8B9ixpJDcjadHq47hMx0u+HW6SNa6LjJQ6NLtw=="],
@@ -476,8 +473,6 @@
"devlop": ["devlop@1.1.0", "", { "dependencies": { "dequal": "^2.0.0" } }, "sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA=="],
"dompurify": ["dompurify@3.2.6", "", { "optionalDependencies": { "@types/trusted-types": "^2.0.7" } }, "sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ=="],
"dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
"electron-to-chromium": ["electron-to-chromium@1.5.151", "", {}, "sha512-Rl6uugut2l9sLojjS4H4SAr3A4IgACMLgpuEMPYCVcKydzfyPrn5absNRju38IhQOf/NwjJY8OGWjlteqYeBCA=="],

1
frontend/package.json
View File

@@ -20,7 +20,6 @@
"axios": "^1.11.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dompurify": "^3.2.6",
"i18next": "^25.4.2",
"i18next-browser-languagedetector": "^8.2.0",
"i18next-resources-to-backend": "^1.2.1",

4
frontend/src/App.tsx
View File

@@ -5,8 +5,8 @@ export const App = () => {
const { isLoggedIn } = useUserContext();
if (isLoggedIn) {
return <Navigate to="/logout" />;
return <Navigate to="/logout" replace />;
}
return <Navigate to="/login" />;
return <Navigate to="/login" replace />;
};

56
frontend/src/components/domain-warning/domain-warning.tsx Normal file
View File

@@ -0,0 +1,56 @@
import {
Card,
CardDescription,
CardFooter,
CardHeader,
CardTitle,
} from "../ui/card";
import { Button } from "../ui/button";
import { Trans, useTranslation } from "react-i18next";
import { useLocation } from "react-router";
interface Props {
onClick: () => void;
appUrl: string;
currentUrl: string;
}
export const DomainWarning = (props: Props) => {
const { onClick, appUrl, currentUrl } = props;
const { t } = useTranslation();
const { search } = useLocation();
const searchParams = new URLSearchParams(search);
const redirectUri = searchParams.get("redirect_uri");
return (
<Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-3xl">{t("domainWarningTitle")}</CardTitle>
<CardDescription>
<Trans
t={t}
i18nKey="domainWarningSubtitle"
values={{ appUrl, currentUrl }}
components={{ code: <code /> }}
/>
</CardDescription>
</CardHeader>
<CardFooter className="flex flex-col items-stretch gap-2">
<Button onClick={onClick} variant="warning">
{t("ignoreTitle")}
</Button>
<Button
onClick={() =>
window.location.assign(
`${appUrl}/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`,
)
}
variant="outline"
>
{t("goToCorrectDomainTitle")}
</Button>
</CardFooter>
</Card>
);
};

18
frontend/src/components/icons/microsoft.tsx Normal file
View File

@@ -0,0 +1,18 @@
import type { SVGProps } from "react";
export function MicrosoftIcon(props: SVGProps<SVGSVGElement>) {
return (
<svg
xmlns="http://www.w3.org/2000/svg"
width="2em"
height="2em"
viewBox="0 0 256 256"
{...props}
>
<path fill="#f1511b" d="M121.666 121.666H0V0h121.666z"></path>
<path fill="#80cc28" d="M256 121.666H134.335V0H256z"></path>
<path fill="#00adef" d="M121.663 256.002H0V134.336h121.663z"></path>
<path fill="#fbbc09" d="M256 256.002H134.335V134.336H256z"></path>
</svg>
);
}

2
frontend/src/components/icons/generic.tsx → frontend/src/components/icons/oauth.tsx
View File

@@ -1,6 +1,6 @@
import type { SVGProps } from "react";
export function GenericIcon(props: SVGProps<SVGSVGElement>) {
export function OAuthIcon(props: SVGProps<SVGSVGElement>) {
return (
<svg
xmlns="http://www.w3.org/2000/svg"

20
frontend/src/components/icons/pocket-id.tsx Normal file
View File

@@ -0,0 +1,20 @@
import type { SVGProps } from "react";
export function PocketIDIcon(props: SVGProps<SVGSVGElement>) {
return (
<svg
xmlns="http://www.w3.org/2000/svg"
xmlSpace="preserve"
width={512}
height={512}
viewBox="0 0 512 512"
{...props}
>
<circle cx="256" cy="256" r="256" />
<path
d="M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z"
className="fill-white"
/>
</svg>
);
}

24
frontend/src/components/icons/tailscale.tsx Normal file
View File

@@ -0,0 +1,24 @@
import type { SVGProps } from "react";
export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
return (
<svg
xmlns="http://www.w3.org/2000/svg"
xmlSpace="preserve"
width={512}
height={512}
viewBox="0 0 512 512"
{...props}
>
<path
className="opacity-80 fill-white"
d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
/>
<path
d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
className="opacity-20 fill-white"
/>
</svg>
);
}

37
frontend/src/components/layout/layout.tsx
View File

@@ -1,8 +1,10 @@
import { useAppContext } from "@/context/app-context";
import { LanguageSelector } from "../language/language";
import { Outlet } from "react-router";
import { useCallback, useState } from "react";
import { DomainWarning } from "../domain-warning/domain-warning";
export const Layout = () => {
const BaseLayout = ({ children }: { children: React.ReactNode }) => {
const { backgroundImage } = useAppContext();
return (
@@ -15,7 +17,38 @@ export const Layout = () => {
}}
>
<LanguageSelector />
<Outlet />
{children}
</div>
);
};
export const Layout = () => {
const { appUrl } = useAppContext();
const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
});
const currentUrl = window.location.origin;
const handleIgnore = useCallback(() => {
window.sessionStorage.setItem("ignoreDomainWarning", "true");
setIgnoreDomainWarning(true);
}, [setIgnoreDomainWarning]);
if (!ignoreDomainWarning && appUrl !== currentUrl) {
return (
<BaseLayout>
<DomainWarning
appUrl={appUrl}
currentUrl={currentUrl}
onClick={() => handleIgnore()}
/>
</BaseLayout>
);
}
return (
<BaseLayout>
<Outlet />
</BaseLayout>
);
};

2
frontend/src/components/ui/button.tsx
View File

@@ -22,7 +22,7 @@ const buttonVariants = cva(
"hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50",
link: "text-primary underline-offset-4 hover:underline",
warning:
"bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40 dark:bg-amber-600",
"bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40",
},
size: {
default: "h-9 px-4 py-2 has-[>svg]:px-3",

2
frontend/src/index.css
View File

@@ -156,7 +156,7 @@ ul {
}
code {
@apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold;
@apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
}
.lead {

19
frontend/src/lib/i18n/locales/en-US.json
View File

@@ -14,14 +14,17 @@
"loginOauthFailSubtitle": "Failed to get OAuth URL",
"loginOauthSuccessTitle": "Redirecting",
"loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
"loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
"loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
"loginOauthAutoRedirectButton": "Redirect now",
"continueTitle": "Continue",
"continueRedirectingTitle": "Redirecting...",
"continueRedirectingSubtitle": "You should be redirected to the app soon",
"continueInvalidRedirectTitle": "Invalid redirect",
"continueInvalidRedirectSubtitle": "The redirect URL is invalid",
"continueRedirectManually": "Redirect me manually",
"continueInsecureRedirectTitle": "Insecure redirect",
"continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
"continueTitle": "Continue",
"continueSubtitle": "Click the button to continue to your app.",
"continueUntrustedRedirectTitle": "Untrusted redirect",
"continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
"logoutFailTitle": "Failed to log out",
"logoutFailSubtitle": "Please try again",
"logoutSuccessTitle": "Logged out",
@@ -44,8 +47,6 @@
"unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedButton": "Try again",
"untrustedRedirectTitle": "Untrusted redirect",
"untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
"cancelTitle": "Cancel",
"forgotPasswordTitle": "Forgot your password?",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
@@ -53,5 +54,9 @@
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
"fieldRequired": "This field is required",
"invalidInput": "Invalid input"
"invalidInput": "Invalid input",
"domainWarningTitle": "Invalid Domain",
"domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
"ignoreTitle": "Ignore",
"goToCorrectDomainTitle": "Go to correct domain"
}

19
frontend/src/lib/i18n/locales/en.json
View File

@@ -14,14 +14,17 @@
"loginOauthFailSubtitle": "Failed to get OAuth URL",
"loginOauthSuccessTitle": "Redirecting",
"loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
"loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
"loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
"loginOauthAutoRedirectButton": "Redirect now",
"continueTitle": "Continue",
"continueRedirectingTitle": "Redirecting...",
"continueRedirectingSubtitle": "You should be redirected to the app soon",
"continueInvalidRedirectTitle": "Invalid redirect",
"continueInvalidRedirectSubtitle": "The redirect URL is invalid",
"continueRedirectManually": "Redirect me manually",
"continueInsecureRedirectTitle": "Insecure redirect",
"continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
"continueTitle": "Continue",
"continueSubtitle": "Click the button to continue to your app.",
"continueUntrustedRedirectTitle": "Untrusted redirect",
"continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
"logoutFailTitle": "Failed to log out",
"logoutFailSubtitle": "Please try again",
"logoutSuccessTitle": "Logged out",
@@ -44,8 +47,6 @@
"unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedButton": "Try again",
"untrustedRedirectTitle": "Untrusted redirect",
"untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
"cancelTitle": "Cancel",
"forgotPasswordTitle": "Forgot your password?",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
@@ -53,5 +54,9 @@
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
"fieldRequired": "This field is required",
"invalidInput": "Invalid input"
"invalidInput": "Invalid input",
"domainWarningTitle": "Invalid Domain",
"domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
"ignoreTitle": "Ignore",
"goToCorrectDomainTitle": "Go to correct domain"
}

156
frontend/src/pages/continue-page.tsx
View File

@@ -11,60 +11,101 @@ import { useUserContext } from "@/context/user-context";
import { isValidUrl } from "@/lib/utils";
import { Trans, useTranslation } from "react-i18next";
import { Navigate, useLocation, useNavigate } from "react-router";
import DOMPurify from "dompurify";
import { useState } from "react";
import { useEffect, useState } from "react";
export const ContinuePage = () => {
const { cookieDomain } = useAppContext();
const { isLoggedIn } = useUserContext();
if (!isLoggedIn) {
return <Navigate to="/login" />;
}
const { domain, disableContinue } = useAppContext();
const { search } = useLocation();
const [loading, setLoading] = useState(false);
const searchParams = new URLSearchParams(search);
const redirectURI = searchParams.get("redirect_uri");
if (!redirectURI) {
return <Navigate to="/logout" />;
}
if (!isValidUrl(DOMPurify.sanitize(redirectURI))) {
return <Navigate to="/logout" />;
}
const handleRedirect = () => {
setLoading(true);
window.location.href = DOMPurify.sanitize(redirectURI);
}
if (disableContinue) {
handleRedirect();
}
const { t } = useTranslation();
const navigate = useNavigate();
const url = new URL(redirectURI);
const [loading, setLoading] = useState(false);
const [showRedirectButton, setShowRedirectButton] = useState(false);
if (!(url.hostname == domain) && !url.hostname.endsWith(`.${domain}`)) {
const searchParams = new URLSearchParams(search);
const redirectUri = searchParams.get("redirect_uri");
const isValidRedirectUri =
redirectUri !== null ? isValidUrl(redirectUri) : false;
const redirectUriObj = isValidRedirectUri
? new URL(redirectUri as string)
: null;
const isTrustedRedirectUri =
redirectUriObj !== null
? redirectUriObj.hostname === cookieDomain ||
redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
: false;
const isAllowedRedirectProto =
redirectUriObj !== null
? redirectUriObj.protocol === "https:" ||
redirectUriObj.protocol === "http:"
: false;
const isHttpsDowngrade =
redirectUriObj !== null
? redirectUriObj.protocol === "http:" &&
window.location.protocol === "https:"
: false;
const handleRedirect = () => {
setLoading(true);
window.location.assign(redirectUriObj!.toString());
};
useEffect(() => {
if (
!isLoggedIn ||
!isValidRedirectUri ||
!isTrustedRedirectUri ||
!isAllowedRedirectProto ||
isHttpsDowngrade
) {
return;
}
const auto = setTimeout(() => {
handleRedirect();
}, 100);
const reveal = setTimeout(() => {
setLoading(false);
setShowRedirectButton(true);
}, 5000);
return () => {
clearTimeout(auto);
clearTimeout(reveal);
};
}, []);
if (!isLoggedIn) {
return (
<Card className="min-w-xs sm:min-w-sm">
<Navigate
to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
replace
/>
);
}
if (!isValidRedirectUri || !isAllowedRedirectProto) {
return <Navigate to="/logout" replace />;
}
if (!isTrustedRedirectUri) {
return (
<Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-3xl">
{t("untrustedRedirectTitle")}
{t("continueUntrustedRedirectTitle")}
</CardTitle>
<CardDescription>
<Trans
i18nKey="untrustedRedirectSubtitle"
i18nKey="continueUntrustedRedirectSubtitle"
t={t}
components={{
code: <code />,
}}
values={{ domain }}
values={{ cookieDomain }}
/>
</CardDescription>
</CardHeader>
@@ -76,7 +117,11 @@ export const ContinuePage = () => {
>
{t("continueTitle")}
</Button>
<Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
<Button
onClick={() => navigate("/logout")}
variant="outline"
disabled={loading}
>
{t("cancelTitle")}
</Button>
</CardFooter>
@@ -84,9 +129,9 @@ export const ContinuePage = () => {
);
}
if (url.protocol === "http:" && window.location.protocol === "https:") {
if (isHttpsDowngrade) {
return (
<Card className="min-w-xs sm:min-w-sm">
<Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-3xl">
{t("continueInsecureRedirectTitle")}
@@ -102,14 +147,14 @@ export const ContinuePage = () => {
</CardDescription>
</CardHeader>
<CardFooter className="flex flex-col items-stretch gap-2">
<Button
onClick={handleRedirect}
loading={loading}
variant="warning"
>
<Button onClick={handleRedirect} loading={loading} variant="warning">
{t("continueTitle")}
</Button>
<Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
<Button
onClick={() => navigate("/logout")}
variant="outline"
disabled={loading}
>
{t("cancelTitle")}
</Button>
</CardFooter>
@@ -120,17 +165,18 @@ export const ContinuePage = () => {
return (
<Card className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-3xl">{t("continueTitle")}</CardTitle>
<CardDescription>{t("continueSubtitle")}</CardDescription>
<CardTitle className="text-3xl">
{t("continueRedirectingTitle")}
</CardTitle>
<CardDescription>{t("continueRedirectingSubtitle")}</CardDescription>
</CardHeader>
<CardFooter className="flex flex-col items-stretch">
<Button
onClick={handleRedirect}
loading={loading}
>
{t("continueTitle")}
</Button>
</CardFooter>
{showRedirectButton && (
<CardFooter className="flex flex-col items-stretch">
<Button onClick={handleRedirect}>
{t("continueRedirectManually")}
</Button>
</CardFooter>
)}
</Card>
);
};

150
frontend/src/pages/login-page.tsx
View File

@@ -1,13 +1,18 @@
import { LoginForm } from "@/components/auth/login-form";
import { GenericIcon } from "@/components/icons/generic";
import { GithubIcon } from "@/components/icons/github";
import { GoogleIcon } from "@/components/icons/google";
import { MicrosoftIcon } from "@/components/icons/microsoft";
import { OAuthIcon } from "@/components/icons/oauth";
import { PocketIDIcon } from "@/components/icons/pocket-id";
import { TailscaleIcon } from "@/components/icons/tailscale";
import { Button } from "@/components/ui/button";
import {
Card,
CardHeader,
CardTitle,
CardDescription,
CardContent,
CardFooter,
} from "@/components/ui/card";
import { OAuthButton } from "@/components/ui/oauth-button";
import { SeperatorWithChildren } from "@/components/ui/separator";
@@ -17,30 +22,40 @@ import { useIsMounted } from "@/lib/hooks/use-is-mounted";
import { LoginSchema } from "@/schemas/login-schema";
import { useMutation } from "@tanstack/react-query";
import axios, { AxiosError } from "axios";
import { useEffect } from "react";
import { useEffect, useRef, useState } from "react";
import { useTranslation } from "react-i18next";
import { Navigate, useLocation } from "react-router";
import { toast } from "sonner";
const iconMap: Record<string, React.ReactNode> = {
google: <GoogleIcon />,
github: <GithubIcon />,
tailscale: <TailscaleIcon />,
microsoft: <MicrosoftIcon />,
pocketid: <PocketIDIcon />,
};
export const LoginPage = () => {
const { isLoggedIn } = useUserContext();
if (isLoggedIn) {
return <Navigate to="/logout" />;
}
const { configuredProviders, title, oauthAutoRedirect, genericName } = useAppContext();
const { providers, title, oauthAutoRedirect } = useAppContext();
const { search } = useLocation();
const { t } = useTranslation();
const isMounted = useIsMounted();
const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
useState(false);
const [showRedirectButton, setShowRedirectButton] = useState(false);
const redirectTimer = useRef<number | null>(null);
const redirectButtonTimer = useRef<number | null>(null);
const searchParams = new URLSearchParams(search);
const redirectUri = searchParams.get("redirect_uri");
const oauthConfigured =
configuredProviders.filter((provider) => provider !== "username").length >
0;
const userAuthConfigured = configuredProviders.includes("username");
const oauthProviders = providers.filter(
(provider) => provider.id !== "username",
);
const userAuthConfigured =
providers.find((provider) => provider.id === "username") !== undefined;
const oauthMutation = useMutation({
mutationFn: (provider: string) =>
@@ -53,11 +68,12 @@ export const LoginPage = () => {
description: t("loginOauthSuccessSubtitle"),
});
setTimeout(() => {
window.location.href = data.data.url;
redirectTimer.current = window.setTimeout(() => {
window.location.replace(data.data.url);
}, 500);
},
onError: () => {
setOauthAutoRedirectHandover(false);
toast.error(t("loginOauthFailTitle"), {
description: t("loginOauthFailSubtitle"),
});
@@ -79,7 +95,7 @@ export const LoginPage = () => {
description: t("loginSuccessSubtitle"),
});
setTimeout(() => {
redirectTimer.current = window.setTimeout(() => {
window.location.replace(
`/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
);
@@ -98,61 +114,99 @@ export const LoginPage = () => {
useEffect(() => {
if (isMounted()) {
if (
oauthConfigured &&
configuredProviders.includes(oauthAutoRedirect) &&
oauthProviders.length !== 0 &&
providers.find((provider) => provider.id === oauthAutoRedirect) &&
!isLoggedIn &&
redirectUri
) {
setOauthAutoRedirectHandover(true);
oauthMutation.mutate(oauthAutoRedirect);
redirectButtonTimer.current = window.setTimeout(() => {
setShowRedirectButton(true);
}, 5000);
}
}
}, []);
useEffect(
() => () => {
if (redirectTimer.current) clearTimeout(redirectTimer.current);
if (redirectButtonTimer.current)
clearTimeout(redirectButtonTimer.current);
},
[],
);
if (isLoggedIn && redirectUri) {
return (
<Navigate
to={`/continue?redirect_uri=${encodeURIComponent(redirectUri)}`}
replace
/>
);
}
if (isLoggedIn) {
return <Navigate to="/logout" replace />;
}
if (oauthAutoRedirectHandover) {
return (
<Card className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-3xl">
{t("loginOauthAutoRedirectTitle")}
</CardTitle>
<CardDescription>
{t("loginOauthAutoRedirectSubtitle")}
</CardDescription>
</CardHeader>
{showRedirectButton && (
<CardFooter className="flex flex-col items-stretch">
<Button
onClick={() => {
window.location.replace(oauthMutation.data?.data.url);
}}
>
{t("loginOauthAutoRedirectButton")}
</Button>
</CardFooter>
)}
</Card>
);
}
return (
<Card className="min-w-xs sm:min-w-sm">
<CardHeader>
<CardTitle className="text-center text-3xl">{title}</CardTitle>
{configuredProviders.length > 0 && (
{providers.length > 0 && (
<CardDescription className="text-center">
{oauthConfigured ? t("loginTitle") : t("loginTitleSimple")}
{oauthProviders.length !== 0
? t("loginTitle")
: t("loginTitleSimple")}
</CardDescription>
)}
</CardHeader>
<CardContent className="flex flex-col gap-4">
{oauthConfigured && (
{oauthProviders.length !== 0 && (
<div className="flex flex-col gap-2 items-center justify-center">
{configuredProviders.includes("google") && (
{oauthProviders.map((provider) => (
<OAuthButton
title="Google"
icon={<GoogleIcon />}
key={provider.id}
title={provider.name}
icon={iconMap[provider.id] ?? <OAuthIcon />}
className="w-full"
onClick={() => oauthMutation.mutate("google")}
loading={oauthMutation.isPending && oauthMutation.variables === "google"}
onClick={() => oauthMutation.mutate(provider.id)}
loading={
oauthMutation.isPending &&
oauthMutation.variables === provider.id
}
disabled={oauthMutation.isPending || loginMutation.isPending}
/>
)}
{configuredProviders.includes("github") && (
<OAuthButton
title="Github"
icon={<GithubIcon />}
className="w-full"
onClick={() => oauthMutation.mutate("github")}
loading={oauthMutation.isPending && oauthMutation.variables === "github"}
disabled={oauthMutation.isPending || loginMutation.isPending}
/>
)}
{configuredProviders.includes("generic") && (
<OAuthButton
title={genericName}
icon={<GenericIcon />}
className="w-full"
onClick={() => oauthMutation.mutate("generic")}
loading={oauthMutation.isPending && oauthMutation.variables === "generic"}
disabled={oauthMutation.isPending || loginMutation.isPending}
/>
)}
))}
</div>
)}
{userAuthConfigured && oauthConfigured && (
{userAuthConfigured && oauthProviders.length !== 0 && (
<SeperatorWithChildren>{t("loginDivider")}</SeperatorWithChildren>
)}
{userAuthConfigured && (
@@ -161,7 +215,7 @@ export const LoginPage = () => {
loading={loginMutation.isPending || oauthMutation.isPending}
/>
)}
{configuredProviders.length == 0 && (
{providers.length == 0 && (
<p className="text-center text-red-600 max-w-sm">
{t("failedToFetchProvidersTitle")}
</p>

31
frontend/src/pages/logout-page.tsx
View File

@@ -6,25 +6,20 @@ import {
CardHeader,
CardTitle,
} from "@/components/ui/card";
import { useAppContext } from "@/context/app-context";
import { useUserContext } from "@/context/user-context";
import { capitalize } from "@/lib/utils";
import { useMutation } from "@tanstack/react-query";
import axios from "axios";
import { useEffect, useRef } from "react";
import { Trans, useTranslation } from "react-i18next";
import { Navigate } from "react-router";
import { toast } from "sonner";
export const LogoutPage = () => {
const { provider, username, isLoggedIn, email } = useUserContext();
if (!isLoggedIn) {
return <Navigate to="/login" />;
}
const { genericName } = useAppContext();
const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
const { t } = useTranslation();
const redirectTimer = useRef<number | null>(null);
const logoutMutation = useMutation({
mutationFn: () => axios.post("/api/user/logout"),
mutationKey: ["logout"],
@@ -33,8 +28,8 @@ export const LogoutPage = () => {
description: t("logoutSuccessSubtitle"),
});
setTimeout(async () => {
window.location.replace("/login");
redirectTimer.current = window.setTimeout(() => {
window.location.assign("/login");
}, 500);
},
onError: () => {
@@ -44,6 +39,17 @@ export const LogoutPage = () => {
},
});
useEffect(
() => () => {
if (redirectTimer.current) clearTimeout(redirectTimer.current);
},
[],
);
if (!isLoggedIn) {
return <Navigate to="/login" replace />;
}
return (
<Card className="min-w-xs sm:min-w-sm">
<CardHeader>
@@ -58,8 +64,7 @@ export const LogoutPage = () => {
}}
values={{
username: email,
provider:
provider === "generic" ? genericName : capitalize(provider),
provider: oauthName,
}}
/>
) : (

22
frontend/src/pages/totp-page.tsx
View File

@@ -12,22 +12,19 @@ import { useUserContext } from "@/context/user-context";
import { TotpSchema } from "@/schemas/totp-schema";
import { useMutation } from "@tanstack/react-query";
import axios from "axios";
import { useId } from "react";
import { useEffect, useId, useRef } from "react";
import { useTranslation } from "react-i18next";
import { Navigate, useLocation } from "react-router";
import { toast } from "sonner";
export const TotpPage = () => {
const { totpPending } = useUserContext();
if (!totpPending) {
return <Navigate to="/" />;
}
const { t } = useTranslation();
const { search } = useLocation();
const formId = useId();
const redirectTimer = useRef<number | null>(null);
const searchParams = new URLSearchParams(search);
const redirectUri = searchParams.get("redirect_uri");
@@ -39,7 +36,7 @@ export const TotpPage = () => {
description: t("totpSuccessSubtitle"),
});
setTimeout(() => {
redirectTimer.current = window.setTimeout(() => {
window.location.replace(
`/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
);
@@ -52,6 +49,17 @@ export const TotpPage = () => {
},
});
useEffect(
() => () => {
if (redirectTimer.current) clearTimeout(redirectTimer.current);
},
[],
);
if (!totpPending) {
return <Navigate to="/" replace />;
}
return (
<Card className="min-w-xs sm:min-w-sm">
<CardHeader>

16
frontend/src/pages/unauthorized-page.tsx
View File

@@ -12,6 +12,10 @@ import { Navigate, useLocation, useNavigate } from "react-router";
export const UnauthorizedPage = () => {
const { search } = useLocation();
const { t } = useTranslation();
const navigate = useNavigate();
const [loading, setLoading] = useState(false);
const searchParams = new URLSearchParams(search);
const username = searchParams.get("username");
@@ -19,19 +23,15 @@ export const UnauthorizedPage = () => {
const groupErr = searchParams.get("groupErr");
const ip = searchParams.get("ip");
if (!username && !ip) {
return <Navigate to="/" />;
}
const { t } = useTranslation();
const navigate = useNavigate();
const [loading, setLoading] = useState(false);
const handleRedirect = () => {
setLoading(true);
navigate("/login");
};
if (!username && !ip) {
return <Navigate to="/" />;
}
let i18nKey = "unauthorizedLoginSubtitle";
if (resource) {

15
frontend/src/schemas/app-context-schema.ts
View File

@@ -1,14 +1,19 @@
import { z } from "zod";
export const providerSchema = z.object({
id: z.string(),
name: z.string(),
oauth: z.boolean(),
});
export const appContextSchema = z.object({
configuredProviders: z.array(z.string()),
disableContinue: z.boolean(),
providers: z.array(providerSchema),
title: z.string(),
genericName: z.string(),
domain: z.string(),
appUrl: z.string(),
cookieDomain: z.string(),
forgotPasswordMessage: z.string(),
oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
backgroundImage: z.string(),
oauthAutoRedirect: z.string(),
});
export type AppContextSchema = z.infer<typeof appContextSchema>;

1
frontend/src/schemas/user-context-schema.ts
View File

@@ -8,6 +8,7 @@ export const userContextSchema = z.object({
provider: z.string(),
oauth: z.boolean(),
totpPending: z.boolean(),
oauthName: z.string(),
});
export type UserContextSchema = z.infer<typeof userContextSchema>;

29
go.mod
View File

@@ -1,10 +1,13 @@
module tinyauth
go 1.23.2
go 1.24.0
toolchain go1.24.3
require (
github.com/cenkalti/backoff/v5 v5.0.3
github.com/gin-gonic/gin v1.10.1
github.com/glebarez/sqlite v1.11.0
github.com/go-playground/validator/v10 v10.27.0
github.com/golang-migrate/migrate/v4 v4.18.3
github.com/google/go-querystring v1.1.0
@@ -14,10 +17,11 @@ require (
github.com/spf13/cobra v1.9.1
github.com/spf13/viper v1.20.1
github.com/traefik/paerser v0.2.2
golang.org/x/crypto v0.41.0
gorm.io/driver/sqlite v1.6.0
github.com/weppos/publicsuffix-go v0.50.0
golang.org/x/crypto v0.42.0
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
gorm.io/gorm v1.30.1
modernc.org/sqlite v1.38.2
gotest.tools/v3 v3.5.2
)
require (
@@ -28,9 +32,9 @@ require (
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/glebarez/go-sqlite v1.21.2 // indirect
github.com/glebarez/sqlite v1.11.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
@@ -44,12 +48,11 @@ require (
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/term v0.34.0 // indirect
gotest.tools/v3 v3.5.2 // indirect
golang.org/x/term v0.35.0 // indirect
modernc.org/libc v1.66.3 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.11.0 // indirect
modernc.org/sqlite v1.38.2 // indirect
rsc.io/qr v0.2.0 // indirect
)
@@ -86,8 +89,6 @@ require (
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/goccy/go-json v0.10.4 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/gorilla/securecookie v1.1.2 // indirect
github.com/gorilla/sessions v1.4.0
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/cpuid/v2 v2.2.9 // indirect
@@ -125,11 +126,11 @@ require (
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
golang.org/x/arch v0.13.0 // indirect
golang.org/x/net v0.42.0 // indirect
golang.org/x/net v0.44.0 // indirect
golang.org/x/oauth2 v0.30.0
golang.org/x/sync v0.16.0 // indirect
golang.org/x/sys v0.35.0 // indirect
golang.org/x/text v0.28.0 // indirect
golang.org/x/sync v0.17.0 // indirect
golang.org/x/sys v0.36.0 // indirect
golang.org/x/text v0.29.0 // indirect
google.golang.org/protobuf v1.36.3 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

42
go.sum
View File

@@ -132,16 +132,10 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -286,6 +280,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
github.com/weppos/publicsuffix-go v0.50.0 h1:M178k6l8cnh9T1c1cStkhytVxdk5zPd6gGZf8ySIuVo=
github.com/weppos/publicsuffix-go v0.50.0/go.mod h1:VXhClBYMlDrUsome4pOTpe68Ui0p6iQRAbyHQD1yKoU=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -317,27 +313,27 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -345,22 +341,22 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -380,8 +376,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=

1
internal/assets/migrations/000002_oauth_name.down.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE "sessions" DROP COLUMN "oauth_name";

8
internal/assets/migrations/000002_oauth_name.up.sql Normal file
View File

@@ -0,0 +1,8 @@
ALTER TABLE "sessions" ADD COLUMN "oauth_name" TEXT;
UPDATE
"sessions"
SET
"oauth_name" = "Generic"
WHERE
"oauth_name" IS NULL AND "provider" IS NOT NULL;

97
internal/bootstrap/app_bootstrap.go
View File

@@ -2,6 +2,8 @@ package bootstrap
import (
"fmt"
"net/url"
"os"
"strings"
"tinyauth/internal/config"
"tinyauth/internal/controller"
@@ -44,15 +46,23 @@ func (app *BootstrapApp) Setup() error {
return err
}
// Get domain
domain, err := utils.GetUpperDomain(app.Config.AppURL)
// Get OAuth configs
oauthProviders, err := utils.GetOAuthProvidersConfig(os.Environ(), os.Args, app.Config.AppURL)
if err != nil {
return err
}
// Get cookie domain
cookieDomain, err := utils.GetCookieDomain(app.Config.AppURL)
if err != nil {
return err
}
// Cookie names
cookieId := utils.GenerateIdentifier(strings.Split(domain, ".")[0])
appUrl, _ := url.Parse(app.Config.AppURL) // Already validated
cookieId := utils.GenerateIdentifier(appUrl.Hostname())
sessionCookieName := fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
csrfCookieName := fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
redirectCookieName := fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
@@ -63,7 +73,7 @@ func (app *BootstrapApp) Setup() error {
OauthWhitelist: app.Config.OAuthWhitelist,
SessionExpiry: app.Config.SessionExpiry,
SecureCookie: app.Config.SecureCookie,
Domain: domain,
CookieDomain: cookieDomain,
LoginTimeout: app.Config.LoginTimeout,
LoginMaxRetries: app.Config.LoginMaxRetries,
SessionCookieName: sessionCookieName,
@@ -110,7 +120,7 @@ func (app *BootstrapApp) Setup() error {
// Create services
dockerService := service.NewDockerService()
authService := service.NewAuthService(authConfig, dockerService, ldapService, database)
oauthBrokerService := service.NewOAuthBrokerService(app.getOAuthBrokerConfig())
oauthBrokerService := service.NewOAuthBrokerService(oauthProviders)
// Initialize services
services := []Service{
@@ -130,13 +140,41 @@ func (app *BootstrapApp) Setup() error {
}
// Configured providers
var configuredProviders []string
babysit := map[string]string{
"google": "Google",
"github": "GitHub",
}
configuredProviders := make([]controller.Provider, 0)
if authService.UserAuthConfigured() || ldapService != nil {
configuredProviders = append(configuredProviders, "username")
for id, provider := range oauthProviders {
if id == "" {
continue
}
if provider.Name == "" {
if name, ok := babysit[id]; ok {
provider.Name = name
} else {
provider.Name = utils.Capitalize(id)
}
}
configuredProviders = append(configuredProviders, controller.Provider{
Name: provider.Name,
ID: id,
OAuth: true,
})
}
configuredProviders = append(configuredProviders, oauthBrokerService.GetConfiguredServices()...)
if authService.UserAuthConfigured() || ldapService != nil {
configuredProviders = append(configuredProviders, controller.Provider{
Name: "Username",
ID: "username",
OAuth: false,
})
}
log.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
if len(configuredProviders) == 0 {
return fmt.Errorf("no authentication providers configured")
@@ -144,6 +182,7 @@ func (app *BootstrapApp) Setup() error {
// Create engine
engine := gin.New()
engine.SetTrustedProxies(strings.Split(app.Config.TrustedProxies, ","))
if config.Version != "development" {
gin.SetMode(gin.ReleaseMode)
@@ -153,7 +192,7 @@ func (app *BootstrapApp) Setup() error {
var middlewares []Middleware
contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
Domain: domain,
CookieDomain: cookieDomain,
}, authService, oauthBrokerService)
uiMiddleware := middleware.NewUIMiddleware()
@@ -176,11 +215,10 @@ func (app *BootstrapApp) Setup() error {
// Create controllers
contextController := controller.NewContextController(controller.ContextControllerConfig{
ConfiguredProviders: configuredProviders,
DisableContinue: app.Config.DisableContinue,
Providers: configuredProviders,
Title: app.Config.Title,
GenericName: app.Config.GenericName,
Domain: domain,
AppURL: app.Config.AppURL,
CookieDomain: cookieDomain,
ForgotPasswordMessage: app.Config.ForgotPasswordMessage,
BackgroundImage: app.Config.BackgroundImage,
OAuthAutoRedirect: app.Config.OAuthAutoRedirect,
@@ -191,7 +229,7 @@ func (app *BootstrapApp) Setup() error {
SecureCookie: app.Config.SecureCookie,
CSRFCookieName: csrfCookieName,
RedirectCookieName: redirectCookieName,
Domain: domain,
CookieDomain: cookieDomain,
}, apiRouter, authService, oauthBrokerService)
proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
@@ -199,7 +237,7 @@ func (app *BootstrapApp) Setup() error {
}, apiRouter, dockerService, authService)
userController := controller.NewUserController(controller.UserControllerConfig{
Domain: domain,
CookieDomain: cookieDomain,
}, apiRouter, authService)
resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
@@ -232,30 +270,3 @@ func (app *BootstrapApp) Setup() error {
return nil
}
// Temporary
func (app *BootstrapApp) getOAuthBrokerConfig() map[string]config.OAuthServiceConfig {
return map[string]config.OAuthServiceConfig{
"google": {
ClientID: app.Config.GoogleClientId,
ClientSecret: app.Config.GoogleClientSecret,
RedirectURL: fmt.Sprintf("%s/api/oauth/callback/google", app.Config.AppURL),
},
"github": {
ClientID: app.Config.GithubClientId,
ClientSecret: app.Config.GithubClientSecret,
RedirectURL: fmt.Sprintf("%s/api/oauth/callback/github", app.Config.AppURL),
},
"generic": {
ClientID: app.Config.GenericClientId,
ClientSecret: app.Config.GenericClientSecret,
RedirectURL: fmt.Sprintf("%s/api/oauth/callback/generic", app.Config.AppURL),
Scopes: strings.Split(app.Config.GenericScopes, ","),
AuthURL: app.Config.GenericAuthURL,
TokenURL: app.Config.GenericTokenURL,
UserinfoURL: app.Config.GenericUserURL,
InsecureSkipVerify: app.Config.GenericSkipSSL,
},
}
}

107
internal/config/config.go
View File

@@ -15,45 +15,30 @@ var RedirectCookieName = "tinyauth-redirect"
// Main app config
type Config struct {
Port int `mapstructure:"port" validate:"required"`
Address string `validate:"required,ip4_addr" mapstructure:"address"`
AppURL string `validate:"required,url" mapstructure:"app-url"`
Users string `mapstructure:"users"`
UsersFile string `mapstructure:"users-file"`
SecureCookie bool `mapstructure:"secure-cookie"`
GithubClientId string `mapstructure:"github-client-id"`
GithubClientSecret string `mapstructure:"github-client-secret"`
GithubClientSecretFile string `mapstructure:"github-client-secret-file"`
GoogleClientId string `mapstructure:"google-client-id"`
GoogleClientSecret string `mapstructure:"google-client-secret"`
GoogleClientSecretFile string `mapstructure:"google-client-secret-file"`
GenericClientId string `mapstructure:"generic-client-id"`
GenericClientSecret string `mapstructure:"generic-client-secret"`
GenericClientSecretFile string `mapstructure:"generic-client-secret-file"`
GenericScopes string `mapstructure:"generic-scopes"`
GenericAuthURL string `mapstructure:"generic-auth-url"`
GenericTokenURL string `mapstructure:"generic-token-url"`
GenericUserURL string `mapstructure:"generic-user-url"`
GenericName string `mapstructure:"generic-name"`
GenericSkipSSL bool `mapstructure:"generic-skip-ssl"`
DisableContinue bool `mapstructure:"disable-continue"`
OAuthWhitelist string `mapstructure:"oauth-whitelist"`
OAuthAutoRedirect string `mapstructure:"oauth-auto-redirect" validate:"oneof=none github google generic"`
SessionExpiry int `mapstructure:"session-expiry"`
LogLevel string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
Title string `mapstructure:"app-title"`
LoginTimeout int `mapstructure:"login-timeout"`
LoginMaxRetries int `mapstructure:"login-max-retries"`
ForgotPasswordMessage string `mapstructure:"forgot-password-message"`
BackgroundImage string `mapstructure:"background-image" validate:"required"`
LdapAddress string `mapstructure:"ldap-address"`
LdapBindDN string `mapstructure:"ldap-bind-dn"`
LdapBindPassword string `mapstructure:"ldap-bind-password"`
LdapBaseDN string `mapstructure:"ldap-base-dn"`
LdapInsecure bool `mapstructure:"ldap-insecure"`
LdapSearchFilter string `mapstructure:"ldap-search-filter"`
ResourcesDir string `mapstructure:"resources-dir"`
DatabasePath string `mapstructure:"database-path" validate:"required"`
Port int `mapstructure:"port" validate:"required"`
Address string `validate:"required,ip4_addr" mapstructure:"address"`
AppURL string `validate:"required,url" mapstructure:"app-url"`
Users string `mapstructure:"users"`
UsersFile string `mapstructure:"users-file"`
SecureCookie bool `mapstructure:"secure-cookie"`
OAuthWhitelist string `mapstructure:"oauth-whitelist"`
OAuthAutoRedirect string `mapstructure:"oauth-auto-redirect"`
SessionExpiry int `mapstructure:"session-expiry"`
LogLevel string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
Title string `mapstructure:"app-title"`
LoginTimeout int `mapstructure:"login-timeout"`
LoginMaxRetries int `mapstructure:"login-max-retries"`
ForgotPasswordMessage string `mapstructure:"forgot-password-message"`
BackgroundImage string `mapstructure:"background-image" validate:"required"`
LdapAddress string `mapstructure:"ldap-address"`
LdapBindDN string `mapstructure:"ldap-bind-dn"`
LdapBindPassword string `mapstructure:"ldap-bind-password"`
LdapBaseDN string `mapstructure:"ldap-base-dn"`
LdapInsecure bool `mapstructure:"ldap-insecure"`
LdapSearchFilter string `mapstructure:"ldap-search-filter"`
ResourcesDir string `mapstructure:"resources-dir"`
DatabasePath string `mapstructure:"database-path" validate:"required"`
TrustedProxies string `mapstructure:"trusted-proxies"`
}
// OAuth/OIDC config
@@ -68,12 +53,14 @@ type Claims struct {
type OAuthServiceConfig struct {
ClientID string
ClientSecret string
ClientSecretFile string
Scopes []string
RedirectURL string
AuthURL string
TokenURL string
UserinfoURL string
InsecureSkipVerify bool
Name string
}
// User/session related stuff
@@ -97,6 +84,7 @@ type SessionCookie struct {
Provider string
TotpPending bool
OAuthGroups string
OAuthName string
}
type UserContext struct {
@@ -109,6 +97,7 @@ type UserContext struct {
TotpPending bool
OAuthGroups string
TotpEnabled bool
OAuthName string
}
// API responses and queries
@@ -126,51 +115,57 @@ type RedirectQuery struct {
// Labels
type Labels struct {
Apps map[string]AppLabels
type Apps struct {
Apps map[string]App
}
type AppLabels struct {
Config ConfigLabels
Users UsersLabels
OAuth OAuthLabels
IP IPLabels
Response ResponseLabels
Path PathLabels
type App struct {
Config AppConfig
Users AppUsers
OAuth AppOAuth
IP AppIP
Response AppResponse
Path AppPath
}
type ConfigLabels struct {
type AppConfig struct {
Domain string
}
type UsersLabels struct {
type AppUsers struct {
Allow string
Block string
}
type OAuthLabels struct {
type AppOAuth struct {
Whitelist string
Groups string
}
type IPLabels struct {
type AppIP struct {
Allow []string
Block []string
Bypass []string
}
type ResponseLabels struct {
type AppResponse struct {
Headers []string
BasicAuth BasicAuthLabels
BasicAuth AppBasicAuth
}
type BasicAuthLabels struct {
type AppBasicAuth struct {
Username string
Password string
PasswordFile string
}
type PathLabels struct {
type AppPath struct {
Allow string
Block string
}
// Flags
type Providers struct {
Providers map[string]OAuthServiceConfig
}

67
internal/controller/context_controller.go
View File

@@ -1,6 +1,8 @@
package controller
import (
"fmt"
"net/url"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
@@ -15,48 +17,53 @@ type UserContextResponse struct {
Name string `json:"name"`
Email string `json:"email"`
Provider string `json:"provider"`
Oauth bool `json:"oauth"`
OAuth bool `json:"oauth"`
TotpPending bool `json:"totpPending"`
OAuthName string `json:"oauthName"`
}
type AppContextResponse struct {
Status int `json:"status"`
Message string `json:"message"`
ConfiguredProviders []string `json:"configuredProviders"`
DisableContinue bool `json:"disableContinue"`
Title string `json:"title"`
GenericName string `json:"genericName"`
Domain string `json:"domain"`
ForgotPasswordMessage string `json:"forgotPasswordMessage"`
BackgroundImage string `json:"backgroundImage"`
OAuthAutoRedirect string `json:"oauthAutoRedirect"`
Status int `json:"status"`
Message string `json:"message"`
Providers []Provider `json:"providers"`
Title string `json:"title"`
AppURL string `json:"appUrl"`
CookieDomain string `json:"cookieDomain"`
ForgotPasswordMessage string `json:"forgotPasswordMessage"`
BackgroundImage string `json:"backgroundImage"`
OAuthAutoRedirect string `json:"oauthAutoRedirect"`
}
type Provider struct {
Name string `json:"name"`
ID string `json:"id"`
OAuth bool `json:"oauth"`
}
type ContextControllerConfig struct {
ConfiguredProviders []string
DisableContinue bool
Providers []Provider
Title string
GenericName string
Domain string
AppURL string
CookieDomain string
ForgotPasswordMessage string
BackgroundImage string
OAuthAutoRedirect string
}
type ContextController struct {
Config ContextControllerConfig
Router *gin.RouterGroup
config ContextControllerConfig
router *gin.RouterGroup
}
func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
return &ContextController{
Config: config,
Router: router,
config: config,
router: router,
}
}
func (controller *ContextController) SetupRoutes() {
contextGroup := controller.Router.Group("/context")
contextGroup := controller.router.Group("/context")
contextGroup.GET("/user", controller.userContextHandler)
contextGroup.GET("/app", controller.appContextHandler)
}
@@ -72,8 +79,9 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
Name: context.Name,
Email: context.Email,
Provider: context.Provider,
Oauth: context.OAuth,
OAuth: context.OAuth,
TotpPending: context.TotpPending,
OAuthName: context.OAuthName,
}
if err != nil {
@@ -89,16 +97,17 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
}
func (controller *ContextController) appContextHandler(c *gin.Context) {
appUrl, _ := url.Parse(controller.config.AppURL) // no need to check error, validated on startup
c.JSON(200, AppContextResponse{
Status: 200,
Message: "Success",
ConfiguredProviders: controller.Config.ConfiguredProviders,
DisableContinue: controller.Config.DisableContinue,
Title: controller.Config.Title,
GenericName: controller.Config.GenericName,
Domain: controller.Config.Domain,
ForgotPasswordMessage: controller.Config.ForgotPasswordMessage,
BackgroundImage: controller.Config.BackgroundImage,
OAuthAutoRedirect: controller.Config.OAuthAutoRedirect,
Providers: controller.config.Providers,
Title: controller.config.Title,
AppURL: fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
CookieDomain: controller.config.CookieDomain,
ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
BackgroundImage: controller.config.BackgroundImage,
OAuthAutoRedirect: controller.config.OAuthAutoRedirect,
})
}

144
internal/controller/context_controller_test.go Normal file
View File

@@ -0,0 +1,144 @@
package controller_test
import (
"encoding/json"
"net/http/httptest"
"testing"
"tinyauth/internal/config"
"tinyauth/internal/controller"
"github.com/gin-gonic/gin"
"gotest.tools/v3/assert"
)
var controllerCfg = controller.ContextControllerConfig{
Providers: []controller.Provider{
{
Name: "Username",
ID: "username",
OAuth: false,
},
{
Name: "Google",
ID: "google",
OAuth: true,
},
},
Title: "Test App",
AppURL: "http://localhost:8080",
CookieDomain: "localhost",
ForgotPasswordMessage: "Contact admin to reset your password.",
BackgroundImage: "/assets/bg.jpg",
OAuthAutoRedirect: "google",
}
var userContext = config.UserContext{
Username: "testuser",
Name: "testuser",
Email: "test@example.com",
IsLoggedIn: true,
OAuth: false,
Provider: "username",
TotpPending: false,
OAuthGroups: "",
TotpEnabled: false,
}
func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
// Setup
gin.SetMode(gin.TestMode)
router := gin.Default()
recorder := httptest.NewRecorder()
if middlewares != nil {
for _, m := range *middlewares {
router.Use(m)
}
}
group := router.Group("/api")
ctrl := controller.NewContextController(controllerCfg, group)
ctrl.SetupRoutes()
return router, recorder
}
func TestAppContextHandler(t *testing.T) {
expectedRes := controller.AppContextResponse{
Status: 200,
Message: "Success",
Providers: controllerCfg.Providers,
Title: controllerCfg.Title,
AppURL: controllerCfg.AppURL,
CookieDomain: controllerCfg.CookieDomain,
ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
BackgroundImage: controllerCfg.BackgroundImage,
OAuthAutoRedirect: controllerCfg.OAuthAutoRedirect,
}
router, recorder := setupContextController(nil)
req := httptest.NewRequest("GET", "/api/context/app", nil)
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
var ctrlRes controller.AppContextResponse
err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
assert.NilError(t, err)
assert.DeepEqual(t, expectedRes, ctrlRes)
}
func TestUserContextHandler(t *testing.T) {
expectedRes := controller.UserContextResponse{
Status: 200,
Message: "Success",
IsLoggedIn: userContext.IsLoggedIn,
Username: userContext.Username,
Name: userContext.Name,
Email: userContext.Email,
Provider: userContext.Provider,
OAuth: userContext.OAuth,
TotpPending: userContext.TotpPending,
}
// Test with context
router, recorder := setupContextController(&[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &userContext)
c.Next()
},
})
req := httptest.NewRequest("GET", "/api/context/user", nil)
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
var ctrlRes controller.UserContextResponse
err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
assert.NilError(t, err)
assert.DeepEqual(t, expectedRes, ctrlRes)
// Test no context
expectedRes = controller.UserContextResponse{
Status: 401,
Message: "Unauthorized",
IsLoggedIn: false,
}
router, recorder = setupContextController(nil)
req = httptest.NewRequest("GET", "/api/context/user", nil)
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
assert.NilError(t, err)
assert.DeepEqual(t, expectedRes, ctrlRes)
}

8
internal/controller/health_controller.go
View File

@@ -3,18 +3,18 @@ package controller
import "github.com/gin-gonic/gin"
type HealthController struct {
Router *gin.RouterGroup
router *gin.RouterGroup
}
func NewHealthController(router *gin.RouterGroup) *HealthController {
return &HealthController{
Router: router,
router: router,
}
}
func (controller *HealthController) SetupRoutes() {
controller.Router.GET("/health", controller.healthHandler)
controller.Router.HEAD("/health", controller.healthHandler)
controller.router.GET("/health", controller.healthHandler)
controller.router.HEAD("/health", controller.healthHandler)
}
func (controller *HealthController) healthHandler(c *gin.Context) {

82
internal/controller/oauth_controller.go
View File

@@ -23,27 +23,27 @@ type OAuthControllerConfig struct {
RedirectCookieName string
SecureCookie bool
AppURL string
Domain string
CookieDomain string
}
type OAuthController struct {
Config OAuthControllerConfig
Router *gin.RouterGroup
Auth *service.AuthService
Broker *service.OAuthBrokerService
config OAuthControllerConfig
router *gin.RouterGroup
auth *service.AuthService
broker *service.OAuthBrokerService
}
func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService, broker *service.OAuthBrokerService) *OAuthController {
return &OAuthController{
Config: config,
Router: router,
Auth: auth,
Broker: broker,
config: config,
router: router,
auth: auth,
broker: broker,
}
}
func (controller *OAuthController) SetupRoutes() {
oauthGroup := controller.Router.Group("/oauth")
oauthGroup := controller.router.Group("/oauth")
oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
}
@@ -61,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
return
}
service, exists := controller.Broker.GetService(req.Provider)
service, exists := controller.broker.GetService(req.Provider)
if !exists {
log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
state := service.GenerateState()
authURL := service.GetAuthURL(state)
c.SetCookie(controller.Config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
redirectURI := c.Query("redirect_uri")
if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
log.Debug().Msg("Setting redirect URI cookie")
c.SetCookie(controller.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
}
c.JSON(200, gin.H{
@@ -104,58 +104,59 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
}
state := c.Query("state")
csrfCookie, err := c.Cookie(controller.Config.CSRFCookieName)
csrfCookie, err := c.Cookie(controller.config.CSRFCookieName)
if err != nil || state != csrfCookie {
log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
c.SetCookie(controller.Config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
code := c.Query("code")
service, exists := controller.Broker.GetService(req.Provider)
service, exists := controller.broker.GetService(req.Provider)
if !exists {
log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
err = service.VerifyCode(code)
if err != nil {
log.Error().Err(err).Msg("Failed to verify OAuth code")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
user, err := controller.Broker.GetUser(req.Provider)
user, err := controller.broker.GetUser(req.Provider)
if err != nil {
log.Error().Err(err).Msg("Failed to get user from OAuth provider")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
if user.Email == "" {
log.Error().Msg("OAuth provider did not return an email")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
if !controller.Auth.IsEmailWhitelisted(user.Email) {
if !controller.auth.IsEmailWhitelisted(user.Email) {
queries, err := query.Values(config.UnauthorizedQuery{
Username: user.Email,
})
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
return
}
@@ -169,29 +170,36 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
}
var usename string
var username string
if user.PreferredUsername != "" {
log.Debug().Msg("Using preferred username from OAuth provider")
usename = user.PreferredUsername
username = user.PreferredUsername
} else {
log.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
usename = strings.Replace(user.Email, "@", "_", -1)
username = strings.Replace(user.Email, "@", "_", -1)
}
controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
Username: usename,
err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
Username: username,
Name: name,
Email: user.Email,
Provider: req.Provider,
OAuthGroups: utils.CoalesceToString(user.Groups),
OAuthName: service.GetName(),
})
redirectURI, err := c.Cookie(controller.Config.RedirectCookieName)
if err != nil {
log.Error().Err(err).Msg("Failed to create session cookie")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
if err != nil || !utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
c.Redirect(http.StatusTemporaryRedirect, controller.Config.AppURL)
c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
return
}
@@ -201,10 +209,10 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
if err != nil {
log.Error().Err(err).Msg("Failed to encode redirect URI query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
c.SetCookie(controller.Config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.Config.AppURL, queries.Encode()))
c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
}

177
internal/controller/proxy_controller.go
View File

@@ -22,23 +22,23 @@ type ProxyControllerConfig struct {
}
type ProxyController struct {
Config ProxyControllerConfig
Router *gin.RouterGroup
Docker *service.DockerService
Auth *service.AuthService
config ProxyControllerConfig
router *gin.RouterGroup
docker *service.DockerService
auth *service.AuthService
}
func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, docker *service.DockerService, auth *service.AuthService) *ProxyController {
return &ProxyController{
Config: config,
Router: router,
Docker: docker,
Auth: auth,
config: config,
router: router,
docker: docker,
auth: auth,
}
}
func (controller *ProxyController) SetupRoutes() {
proxyGroup := controller.Router.Group("/auth")
proxyGroup := controller.router.Group("/auth")
proxyGroup.GET("/:proxy", controller.proxyHandler)
}
@@ -55,6 +55,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
if req.Proxy != "nginx" && req.Proxy != "traefik" && req.Proxy != "caddy" {
log.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
if isBrowser {
@@ -67,44 +76,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
hostWithoutPort := strings.Split(host, ":")[0]
id := strings.Split(hostWithoutPort, ".")[0]
labels, err := controller.Docker.GetLabels(id, hostWithoutPort)
labels, err := controller.docker.GetLabels(host)
if err != nil {
log.Error().Err(err).Msg("Failed to get labels from Docker")
if req.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
controller.handleError(c, req, isBrowser)
return
}
clientIP := c.ClientIP()
if controller.Auth.IsBypassedIP(labels.IP, clientIP) {
c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value)
}
basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
}
if controller.auth.IsBypassedIP(labels.IP, clientIP) {
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
@@ -112,41 +95,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
authEnabled, err := controller.Auth.IsAuthEnabled(uri, labels.Path)
authEnabled, err := controller.auth.IsAuthEnabled(uri, labels.Path)
if err != nil {
log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
if req.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
controller.handleError(c, req, isBrowser)
return
}
if !authEnabled {
log.Debug().Msg("Authentication disabled for resource, allowing access")
c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value)
}
basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
}
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
@@ -154,7 +113,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
if !controller.Auth.CheckIP(labels.IP, clientIP) {
if !controller.auth.CheckIP(labels.IP, clientIP) {
if req.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
@@ -170,11 +129,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
return
}
@@ -197,7 +156,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
}
if userContext.IsLoggedIn {
appAllowed := controller.Auth.IsResourceAllowed(c, userContext, labels)
appAllowed := controller.auth.IsResourceAllowed(c, userContext, labels)
if !appAllowed {
log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
@@ -214,24 +173,24 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
Resource: strings.Split(host, ".")[0],
})
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
if userContext.OAuth {
queries.Set("username", userContext.Email)
} else {
queries.Set("username", userContext.Username)
}
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
return
}
if userContext.OAuth {
groupOK := controller.Auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
groupOK := controller.auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
if !groupOK {
log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -249,41 +208,29 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
GroupErr: true,
})
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
if userContext.OAuth {
queries.Set("username", userContext.Email)
} else {
queries.Set("username", userContext.Username)
}
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
return
}
}
c.Header("Authorization", c.Request.Header.Get("Authorization"))
c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value)
}
basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
}
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
@@ -306,9 +253,39 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
if err != nil {
log.Error().Err(err).Msg("Failed to encode redirect URI query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.Config.AppURL, queries.Encode()))
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode()))
}
func (controller *ProxyController) setHeaders(c *gin.Context, labels config.App) {
c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value)
}
basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
}
}
func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrowser bool) {
if req.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
}

164
internal/controller/proxy_controller_test.go Normal file
View File

@@ -0,0 +1,164 @@
package controller_test
import (
"net/http/httptest"
"testing"
"tinyauth/internal/config"
"tinyauth/internal/controller"
"tinyauth/internal/service"
"github.com/gin-gonic/gin"
"gotest.tools/v3/assert"
)
func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
// Setup
gin.SetMode(gin.TestMode)
router := gin.Default()
if middlewares != nil {
for _, m := range *middlewares {
router.Use(m)
}
}
group := router.Group("/api")
recorder := httptest.NewRecorder()
// Database
databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
DatabasePath: "/tmp/tinyauth_test.db",
})
assert.NilError(t, databaseService.Init())
database := databaseService.GetDatabase()
// Docker
dockerService := service.NewDockerService()
assert.NilError(t, dockerService.Init())
// Auth service
authService := service.NewAuthService(service.AuthServiceConfig{
Users: []config.User{
{
Username: "testuser",
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
},
},
OauthWhitelist: "",
SessionExpiry: 3600,
SecureCookie: false,
CookieDomain: "localhost",
LoginTimeout: 300,
LoginMaxRetries: 3,
SessionCookieName: "tinyauth-session",
}, dockerService, nil, database)
// Controller
ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
AppURL: "http://localhost:8080",
}, group, dockerService, authService)
ctrl.SetupRoutes()
return router, recorder, authService
}
func TestProxyHandler(t *testing.T) {
// Setup
router, recorder, authService := setupProxyController(t, nil)
// Test invalid proxy
req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
router.ServeHTTP(recorder, req)
assert.Equal(t, 400, recorder.Code)
// Test logged out user (traefik/caddy)
recorder = httptest.NewRecorder()
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("X-Forwarded-Proto", "https")
req.Header.Set("X-Forwarded-Host", "example.com")
req.Header.Set("X-Forwarded-Uri", "/somepath")
req.Header.Set("Accept", "text/html")
router.ServeHTTP(recorder, req)
assert.Equal(t, 307, recorder.Code)
assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
// Test logged out user (nginx)
recorder = httptest.NewRecorder()
req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
// Test logged in user
c := gin.CreateTestContextOnly(recorder, router)
err := authService.CreateSessionCookie(c, &config.SessionCookie{
Username: "testuser",
Name: "testuser",
Email: "testuser@example.com",
Provider: "username",
TotpPending: false,
OAuthGroups: "",
})
assert.NilError(t, err)
cookie := c.Writer.Header().Get("Set-Cookie")
router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &config.UserContext{
Username: "testuser",
Name: "testuser",
Email: "testuser@example.com",
IsLoggedIn: true,
OAuth: false,
Provider: "username",
TotpPending: false,
OAuthGroups: "",
TotpEnabled: false,
})
c.Next()
},
})
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.Header.Set("Cookie", cookie)
req.Header.Set("Accept", "text/html")
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
// Ensure basic auth is disabled for TOTP enabled users
router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &config.UserContext{
Username: "testuser",
Name: "testuser",
Email: "testuser@example.com",
IsLoggedIn: true,
OAuth: false,
Provider: "basic",
TotpPending: false,
OAuthGroups: "",
TotpEnabled: true,
})
c.Next()
},
})
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
req.SetBasicAuth("testuser", "test")
router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
}

18
internal/controller/resources_controller.go
View File

@@ -11,32 +11,32 @@ type ResourcesControllerConfig struct {
}
type ResourcesController struct {
Config ResourcesControllerConfig
Router *gin.RouterGroup
FileServer http.Handler
config ResourcesControllerConfig
router *gin.RouterGroup
fileServer http.Handler
}
func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.ResourcesDir)))
return &ResourcesController{
Config: config,
Router: router,
FileServer: fileServer,
config: config,
router: router,
fileServer: fileServer,
}
}
func (controller *ResourcesController) SetupRoutes() {
controller.Router.GET("/resources/*resource", controller.resourcesHandler)
controller.router.GET("/resources/*resource", controller.resourcesHandler)
}
func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
if controller.Config.ResourcesDir == "" {
if controller.config.ResourcesDir == "" {
c.JSON(404, gin.H{
"status": 404,
"message": "Resources not found",
})
return
}
controller.FileServer.ServeHTTP(c.Writer, c.Request)
controller.fileServer.ServeHTTP(c.Writer, c.Request)
}

57
internal/controller/resources_controller_test.go Normal file
View File

@@ -0,0 +1,57 @@
package controller_test
import (
"net/http/httptest"
"os"
"testing"
"tinyauth/internal/controller"
"github.com/gin-gonic/gin"
"gotest.tools/v3/assert"
)
func TestResourcesHandler(t *testing.T) {
// Setup
gin.SetMode(gin.TestMode)
router := gin.New()
group := router.Group("/")
ctrl := controller.NewResourcesController(controller.ResourcesControllerConfig{
ResourcesDir: "/tmp/tinyauth",
}, group)
ctrl.SetupRoutes()
// Create test data
err := os.Mkdir("/tmp/tinyauth", 0755)
assert.NilError(t, err)
defer os.RemoveAll("/tmp/tinyauth")
file, err := os.Create("/tmp/tinyauth/test.txt")
assert.NilError(t, err)
_, err = file.WriteString("This is a test file.")
assert.NilError(t, err)
file.Close()
// Test existing file
req := httptest.NewRequest("GET", "/resources/test.txt", nil)
recorder := httptest.NewRecorder()
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
assert.Equal(t, "This is a test file.", recorder.Body.String())
// Test non-existing file
req = httptest.NewRequest("GET", "/resources/nonexistent.txt", nil)
recorder = httptest.NewRecorder()
router.ServeHTTP(recorder, req)
assert.Equal(t, 404, recorder.Code)
// Test directory traversal attack
req = httptest.NewRequest("GET", "/resources/../etc/passwd", nil)
recorder = httptest.NewRecorder()
router.ServeHTTP(recorder, req)
assert.Equal(t, 404, recorder.Code)
}

56
internal/controller/user_controller.go
View File

@@ -22,25 +22,25 @@ type TotpRequest struct {
}
type UserControllerConfig struct {
Domain string
CookieDomain string
}
type UserController struct {
Config UserControllerConfig
Router *gin.RouterGroup
Auth *service.AuthService
config UserControllerConfig
router *gin.RouterGroup
auth *service.AuthService
}
func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
return &UserController{
Config: config,
Router: router,
Auth: auth,
config: config,
router: router,
auth: auth,
}
}
func (controller *UserController) SetupRoutes() {
userGroup := controller.Router.Group("/user")
userGroup := controller.router.Group("/user")
userGroup.POST("/login", controller.loginHandler)
userGroup.POST("/logout", controller.logoutHandler)
userGroup.POST("/totp", controller.totpHandler)
@@ -69,7 +69,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
log.Debug().Str("username", req.Username).Str("ip", clientIP).Msg("Login attempt")
isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
isLocked, remainingTime := controller.auth.IsAccountLocked(rateIdentifier)
if isLocked {
log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("Account is locked due to too many failed login attempts")
@@ -80,11 +80,11 @@ func (controller *UserController) loginHandler(c *gin.Context) {
return
}
userSearch := controller.Auth.SearchUser(req.Username)
userSearch := controller.auth.SearchUser(req.Username)
if userSearch.Type == "" {
if userSearch.Type == "unknown" {
log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("User not found")
controller.Auth.RecordLoginAttempt(rateIdentifier, false)
controller.auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
@@ -92,9 +92,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {
return
}
if !controller.Auth.VerifyUser(userSearch, req.Password) {
if !controller.auth.VerifyUser(userSearch, req.Password) {
log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("Invalid password")
controller.Auth.RecordLoginAttempt(rateIdentifier, false)
controller.auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
@@ -104,18 +104,18 @@ func (controller *UserController) loginHandler(c *gin.Context) {
log.Info().Str("username", req.Username).Str("ip", clientIP).Msg("Login successful")
controller.Auth.RecordLoginAttempt(rateIdentifier, true)
controller.auth.RecordLoginAttempt(rateIdentifier, true)
if userSearch.Type == "local" {
user := controller.Auth.GetLocalUser(userSearch.Username)
user := controller.auth.GetLocalUser(userSearch.Username)
if user.TotpSecret != "" {
log.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
err := controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
Username: user.Username,
Name: utils.Capitalize(req.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
Provider: "username",
TotpPending: true,
})
@@ -138,10 +138,10 @@ func (controller *UserController) loginHandler(c *gin.Context) {
}
}
err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
Username: req.Username,
Name: utils.Capitalize(req.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
Email: fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
Provider: "username",
})
@@ -163,7 +163,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
func (controller *UserController) logoutHandler(c *gin.Context) {
log.Debug().Msg("Logout request received")
controller.Auth.DeleteSessionCookie(c)
controller.auth.DeleteSessionCookie(c)
c.JSON(200, gin.H{
"status": 200,
@@ -214,24 +214,24 @@ func (controller *UserController) totpHandler(c *gin.Context) {
log.Debug().Str("username", context.Username).Str("ip", clientIP).Msg("TOTP verification attempt")
isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
isLocked, remainingTime := controller.auth.IsAccountLocked(rateIdentifier)
if isLocked {
log.Warn().Str("username", context.Username).Str("ip", clientIP).Msg("Account is locked due to too many failed TOTP attempts")
c.JSON(429, gin.H{
"status": 429,
"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
"message": fmt.Sprintf("Too many failed TOTP attempts. Try again in %d seconds", remainingTime),
})
return
}
user := controller.Auth.GetLocalUser(context.Username)
user := controller.auth.GetLocalUser(context.Username)
ok := totp.Validate(req.Code, user.TotpSecret)
if !ok {
log.Warn().Str("username", context.Username).Str("ip", clientIP).Msg("Invalid TOTP code")
controller.Auth.RecordLoginAttempt(rateIdentifier, false)
controller.auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
@@ -241,12 +241,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
log.Info().Str("username", context.Username).Str("ip", clientIP).Msg("TOTP verification successful")
controller.Auth.RecordLoginAttempt(rateIdentifier, true)
controller.auth.RecordLoginAttempt(rateIdentifier, true)
err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
Username: user.Username,
Name: utils.Capitalize(user.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.Config.Domain),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
Provider: "username",
})

297
internal/controller/user_controller_test.go Normal file
View File

@@ -0,0 +1,297 @@
package controller_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
"tinyauth/internal/config"
"tinyauth/internal/controller"
"tinyauth/internal/service"
"github.com/gin-gonic/gin"
"github.com/pquerna/otp/totp"
"gotest.tools/v3/assert"
)
var cookieValue string
var totpSecret = "6WFZXPEZRK5MZHHYAFW4DAOUYQMCASBJ"
func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
// Setup
gin.SetMode(gin.TestMode)
router := gin.Default()
if middlewares != nil {
for _, m := range *middlewares {
router.Use(m)
}
}
group := router.Group("/api")
recorder := httptest.NewRecorder()
// Database
databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
DatabasePath: "/tmp/tinyauth_test.db",
})
assert.NilError(t, databaseService.Init())
database := databaseService.GetDatabase()
// Auth service
authService := service.NewAuthService(service.AuthServiceConfig{
Users: []config.User{
{
Username: "testuser",
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
},
{
Username: "totpuser",
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
TotpSecret: totpSecret,
},
},
OauthWhitelist: "",
SessionExpiry: 3600,
SecureCookie: false,
CookieDomain: "localhost",
LoginTimeout: 300,
LoginMaxRetries: 3,
SessionCookieName: "tinyauth-session",
}, nil, nil, database)
// Controller
ctrl := controller.NewUserController(controller.UserControllerConfig{
CookieDomain: "localhost",
}, group, authService)
ctrl.SetupRoutes()
return router, recorder
}
func TestLoginHandler(t *testing.T) {
// Setup
router, recorder := setupUserController(t, nil)
loginReq := controller.LoginRequest{
Username: "testuser",
Password: "test",
}
loginReqJson, err := json.Marshal(loginReq)
assert.NilError(t, err)
// Test
req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
cookie := recorder.Result().Cookies()[0]
assert.Equal(t, "tinyauth-session", cookie.Name)
assert.Assert(t, cookie.Value != "")
cookieValue = cookie.Value
// Test invalid credentials
loginReq = controller.LoginRequest{
Username: "testuser",
Password: "invalid",
}
loginReqJson, err = json.Marshal(loginReq)
assert.NilError(t, err)
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
// Test totp required
loginReq = controller.LoginRequest{
Username: "totpuser",
Password: "test",
}
loginReqJson, err = json.Marshal(loginReq)
assert.NilError(t, err)
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
loginResJson, err := json.Marshal(map[string]any{
"message": "TOTP required",
"status": 200,
"totpPending": true,
})
assert.NilError(t, err)
assert.Equal(t, string(loginResJson), recorder.Body.String())
// Test invalid json
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader("{invalid json}"))
router.ServeHTTP(recorder, req)
assert.Equal(t, 400, recorder.Code)
// Test rate limiting
loginReq = controller.LoginRequest{
Username: "testuser",
Password: "invalid",
}
loginReqJson, err = json.Marshal(loginReq)
assert.NilError(t, err)
for range 5 {
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
router.ServeHTTP(recorder, req)
}
assert.Equal(t, 429, recorder.Code)
}
func TestLogoutHandler(t *testing.T) {
// Setup
router, recorder := setupUserController(t, nil)
// Test
req := httptest.NewRequest("POST", "/api/user/logout", nil)
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookieValue,
})
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
cookie := recorder.Result().Cookies()[0]
assert.Equal(t, "tinyauth-session", cookie.Name)
assert.Equal(t, "", cookie.Value)
assert.Equal(t, -1, cookie.MaxAge)
}
func TestTotpHandler(t *testing.T) {
// Setup
router, recorder := setupUserController(t, &[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &config.UserContext{
Username: "totpuser",
Name: "totpuser",
Email: "totpuser@example.com",
IsLoggedIn: false,
OAuth: false,
Provider: "username",
TotpPending: true,
OAuthGroups: "",
TotpEnabled: true,
})
c.Next()
},
})
// Test
code, err := totp.GenerateCode(totpSecret, time.Now())
assert.NilError(t, err)
totpReq := controller.TotpRequest{
Code: code,
}
totpReqJson, err := json.Marshal(totpReq)
assert.NilError(t, err)
req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 200, recorder.Code)
cookie := recorder.Result().Cookies()[0]
assert.Equal(t, "tinyauth-session", cookie.Name)
assert.Assert(t, cookie.Value != "")
// Test invalid json
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader("{invalid json}"))
router.ServeHTTP(recorder, req)
assert.Equal(t, 400, recorder.Code)
// Test rate limiting
totpReq = controller.TotpRequest{
Code: "000000",
}
totpReqJson, err = json.Marshal(totpReq)
assert.NilError(t, err)
for range 5 {
recorder = httptest.NewRecorder()
req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
router.ServeHTTP(recorder, req)
}
assert.Equal(t, 429, recorder.Code)
// Test invalid code
router, recorder = setupUserController(t, &[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &config.UserContext{
Username: "totpuser",
Name: "totpuser",
Email: "totpuser@example.com",
IsLoggedIn: false,
OAuth: false,
Provider: "username",
TotpPending: true,
OAuthGroups: "",
TotpEnabled: true,
})
c.Next()
},
})
req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
// Test no totp pending
router, recorder = setupUserController(t, &[]gin.HandlerFunc{
func(c *gin.Context) {
c.Set("context", &config.UserContext{
Username: "totpuser",
Name: "totpuser",
Email: "totpuser@example.com",
IsLoggedIn: false,
OAuth: false,
Provider: "username",
TotpPending: false,
OAuthGroups: "",
TotpEnabled: false,
})
c.Next()
},
})
req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
router.ServeHTTP(recorder, req)
assert.Equal(t, 401, recorder.Code)
}

45
internal/middleware/context_middleware.go
View File

@@ -12,20 +12,20 @@ import (
)
type ContextMiddlewareConfig struct {
Domain string
CookieDomain string
}
type ContextMiddleware struct {
Config ContextMiddlewareConfig
Auth *service.AuthService
Broker *service.OAuthBrokerService
config ContextMiddlewareConfig
auth *service.AuthService
broker *service.OAuthBrokerService
}
func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
return &ContextMiddleware{
Config: config,
Auth: auth,
Broker: broker,
config: config,
auth: auth,
broker: broker,
}
}
@@ -35,7 +35,7 @@ func (m *ContextMiddleware) Init() error {
func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
return func(c *gin.Context) {
cookie, err := m.Auth.GetSessionCookie(c)
cookie, err := m.auth.GetSessionCookie(c)
if err != nil {
log.Debug().Err(err).Msg("No valid session cookie found")
@@ -57,11 +57,11 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
switch cookie.Provider {
case "username":
userSearch := m.Auth.SearchUser(cookie.Username)
userSearch := m.auth.SearchUser(cookie.Username)
if userSearch.Type == "unknown" {
if userSearch.Type == "unknown" || userSearch.Type == "error" {
log.Debug().Msg("User from session cookie not found")
m.Auth.DeleteSessionCookie(c)
m.auth.DeleteSessionCookie(c)
goto basic
}
@@ -75,17 +75,17 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
c.Next()
return
default:
_, exists := m.Broker.GetService(cookie.Provider)
_, exists := m.broker.GetService(cookie.Provider)
if !exists {
log.Debug().Msg("OAuth provider from session cookie not found")
m.Auth.DeleteSessionCookie(c)
m.auth.DeleteSessionCookie(c)
goto basic
}
if !m.Auth.IsEmailWhitelisted(cookie.Email) {
if !m.auth.IsEmailWhitelisted(cookie.Email) {
log.Debug().Msg("Email from session cookie not whitelisted")
m.Auth.DeleteSessionCookie(c)
m.auth.DeleteSessionCookie(c)
goto basic
}
@@ -95,6 +95,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
Email: cookie.Email,
Provider: cookie.Provider,
OAuthGroups: cookie.OAuthGroups,
OAuthName: cookie.OAuthName,
IsLoggedIn: true,
OAuth: true,
})
@@ -103,7 +104,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
}
basic:
basic := m.Auth.GetBasicAuth(c)
basic := m.auth.GetBasicAuth(c)
if basic == nil {
log.Debug().Msg("No basic auth provided")
@@ -111,15 +112,15 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
return
}
userSearch := m.Auth.SearchUser(basic.Username)
userSearch := m.auth.SearchUser(basic.Username)
if userSearch.Type == "unknown" {
if userSearch.Type == "unknown" || userSearch.Type == "error" {
log.Debug().Msg("User from basic auth not found")
c.Next()
return
}
if !m.Auth.VerifyUser(userSearch, basic.Password) {
if !m.auth.VerifyUser(userSearch, basic.Password) {
log.Debug().Msg("Invalid password for basic auth user")
c.Next()
return
@@ -129,12 +130,12 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
case "local":
log.Debug().Msg("Basic auth user is local")
user := m.Auth.GetLocalUser(basic.Username)
user := m.auth.GetLocalUser(basic.Username)
c.Set("context", &config.UserContext{
Username: user.Username,
Name: utils.Capitalize(user.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.Config.Domain),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
Provider: "basic",
IsLoggedIn: true,
TotpEnabled: user.TotpSecret != "",
@@ -146,7 +147,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
c.Set("context", &config.UserContext{
Username: basic.Username,
Name: utils.Capitalize(basic.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.Config.Domain),
Email: fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
Provider: "basic",
IsLoggedIn: true,
})

12
internal/middleware/ui_middleware.go
View File

@@ -11,8 +11,8 @@ import (
)
type UIMiddleware struct {
UIFS fs.FS
UIFileServer http.Handler
uiFs fs.FS
uiFileServer http.Handler
}
func NewUIMiddleware() *UIMiddleware {
@@ -26,8 +26,8 @@ func (m *UIMiddleware) Init() error {
return err
}
m.UIFS = ui
m.UIFileServer = http.FileServer(http.FS(ui))
m.uiFs = ui
m.uiFileServer = http.FileServer(http.FS(ui))
return nil
}
@@ -42,13 +42,13 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
c.Next()
return
default:
_, err := fs.Stat(m.UIFS, strings.TrimPrefix(c.Request.URL.Path, "/"))
_, err := fs.Stat(m.uiFs, strings.TrimPrefix(c.Request.URL.Path, "/"))
if os.IsNotExist(err) {
c.Request.URL.Path = "/"
}
m.UIFileServer.ServeHTTP(c.Writer, c.Request)
m.uiFileServer.ServeHTTP(c.Writer, c.Request)
c.Abort()
return
}

1
internal/model/session_model.go
View File

@@ -9,4 +9,5 @@ type Session struct {
TOTPPending bool `gorm:"column:totp_pending"`
OAuthGroups string `gorm:"column:oauth_groups"`
Expiry int64 `gorm:"column:expiry"`
OAuthName string `gorm:"column:oauth_name"`
}

96
internal/service/auth_service.go
View File

@@ -28,28 +28,28 @@ type AuthServiceConfig struct {
OauthWhitelist string
SessionExpiry int
SecureCookie bool
Domain string
CookieDomain string
LoginTimeout int
LoginMaxRetries int
SessionCookieName string
}
type AuthService struct {
Config AuthServiceConfig
Docker *DockerService
LoginAttempts map[string]*LoginAttempt
LoginMutex sync.RWMutex
LDAP *LdapService
Database *gorm.DB
config AuthServiceConfig
docker *DockerService
loginAttempts map[string]*LoginAttempt
loginMutex sync.RWMutex
ldap *LdapService
database *gorm.DB
}
func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, database *gorm.DB) *AuthService {
return &AuthService{
Config: config,
Docker: docker,
LoginAttempts: make(map[string]*LoginAttempt),
LDAP: ldap,
Database: database,
config: config,
docker: docker,
loginAttempts: make(map[string]*LoginAttempt),
ldap: ldap,
database: database,
}
}
@@ -65,12 +65,14 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
}
}
if auth.LDAP != nil {
userDN, err := auth.LDAP.Search(username)
if auth.ldap != nil {
userDN, err := auth.ldap.Search(username)
if err != nil {
log.Warn().Err(err).Str("username", username).Msg("Failed to search for user in LDAP")
return config.UserSearch{}
return config.UserSearch{
Type: "error",
}
}
return config.UserSearch{
@@ -90,14 +92,14 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
user := auth.GetLocalUser(search.Username)
return auth.CheckPassword(user, password)
case "ldap":
if auth.LDAP != nil {
err := auth.LDAP.Bind(search.Username, password)
if auth.ldap != nil {
err := auth.ldap.Bind(search.Username, password)
if err != nil {
log.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
return false
}
err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
err = auth.ldap.Bind(auth.ldap.Config.BindDN, auth.ldap.Config.BindPassword)
if err != nil {
log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
return false
@@ -115,7 +117,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
}
func (auth *AuthService) GetLocalUser(username string) config.User {
for _, user := range auth.Config.Users {
for _, user := range auth.config.Users {
if user.Username == username {
return user
}
@@ -130,14 +132,14 @@ func (auth *AuthService) CheckPassword(user config.User, password string) bool {
}
func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
auth.LoginMutex.RLock()
defer auth.LoginMutex.RUnlock()
auth.loginMutex.RLock()
defer auth.loginMutex.RUnlock()
if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
return false, 0
}
attempt, exists := auth.LoginAttempts[identifier]
attempt, exists := auth.loginAttempts[identifier]
if !exists {
return false, 0
}
@@ -151,17 +153,17 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
}
func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
return
}
auth.LoginMutex.Lock()
defer auth.LoginMutex.Unlock()
auth.loginMutex.Lock()
defer auth.loginMutex.Unlock()
attempt, exists := auth.LoginAttempts[identifier]
attempt, exists := auth.loginAttempts[identifier]
if !exists {
attempt = &LoginAttempt{}
auth.LoginAttempts[identifier] = attempt
auth.loginAttempts[identifier] = attempt
}
attempt.LastAttempt = time.Now()
@@ -174,14 +176,14 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
attempt.FailedAttempts++
if attempt.FailedAttempts >= auth.Config.LoginMaxRetries {
attempt.LockedUntil = time.Now().Add(time.Duration(auth.Config.LoginTimeout) * time.Second)
log.Warn().Str("identifier", identifier).Int("timeout", auth.Config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
if attempt.FailedAttempts >= auth.config.LoginMaxRetries {
attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second)
log.Warn().Str("identifier", identifier).Int("timeout", auth.config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
}
}
func (auth *AuthService) IsEmailWhitelisted(email string) bool {
return utils.CheckFilter(auth.Config.OauthWhitelist, email)
return utils.CheckFilter(auth.config.OauthWhitelist, email)
}
func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.SessionCookie) error {
@@ -196,7 +198,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
if data.TotpPending {
expiry = 3600
} else {
expiry = auth.Config.SessionExpiry
expiry = auth.config.SessionExpiry
}
session := model.Session{
@@ -208,39 +210,40 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
TOTPPending: data.TotpPending,
OAuthGroups: data.OAuthGroups,
Expiry: time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
OAuthName: data.OAuthName,
}
err = auth.Database.Create(&session).Error
err = auth.database.Create(&session).Error
if err != nil {
return err
}
c.SetCookie(auth.Config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.SecureCookie, true)
c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
return nil
}
func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
cookie, err := c.Cookie(auth.Config.SessionCookieName)
cookie, err := c.Cookie(auth.config.SessionCookieName)
if err != nil {
return err
}
res := auth.Database.Unscoped().Where("uuid = ?", cookie).Delete(&model.Session{})
res := auth.database.Unscoped().Where("uuid = ?", cookie).Delete(&model.Session{})
if res.Error != nil {
return res.Error
}
c.SetCookie(auth.Config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.SecureCookie, true)
c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
return nil
}
func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie, error) {
cookie, err := c.Cookie(auth.Config.SessionCookieName)
cookie, err := c.Cookie(auth.config.SessionCookieName)
if err != nil {
return config.SessionCookie{}, err
@@ -248,7 +251,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
var session model.Session
res := auth.Database.Unscoped().Where("uuid = ?", cookie).First(&session)
res := auth.database.Unscoped().Where("uuid = ?", cookie).First(&session)
if res.Error != nil {
return config.SessionCookie{}, res.Error
@@ -261,7 +264,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
currentTime := time.Now().Unix()
if currentTime > session.Expiry {
res := auth.Database.Unscoped().Where("uuid = ?", session.UUID).Delete(&model.Session{})
res := auth.database.Unscoped().Where("uuid = ?", session.UUID).Delete(&model.Session{})
if res.Error != nil {
log.Error().Err(res.Error).Msg("Failed to delete expired session")
}
@@ -276,14 +279,15 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
Provider: session.Provider,
TotpPending: session.TOTPPending,
OAuthGroups: session.OAuthGroups,
OAuthName: session.OAuthName,
}, nil
}
func (auth *AuthService) UserAuthConfigured() bool {
return len(auth.Config.Users) > 0 || auth.LDAP != nil
return len(auth.config.Users) > 0 || auth.ldap != nil
}
func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.AppLabels) bool {
func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.App) bool {
if context.OAuth {
log.Debug().Msg("Checking OAuth whitelist")
return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
@@ -320,7 +324,7 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
return false
}
func (auth *AuthService) IsAuthEnabled(uri string, path config.PathLabels) (bool, error) {
func (auth *AuthService) IsAuthEnabled(uri string, path config.AppPath) (bool, error) {
// Check for block list
if path.Block != "" {
regex, err := regexp.Compile(path.Block)
@@ -362,7 +366,7 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
}
}
func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
func (auth *AuthService) CheckIP(labels config.AppIP, ip string) bool {
for _, blocked := range labels.Block {
res, err := utils.FilterIP(blocked, ip)
if err != nil {
@@ -396,7 +400,7 @@ func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
return true
}
func (auth *AuthService) IsBypassedIP(labels config.IPLabels, ip string) bool {
func (auth *AuthService) IsBypassedIP(labels config.AppIP, ip string) bool {
for _, bypassed := range labels.Bypass {
res, err := utils.FilterIP(bypassed, ip)
if err != nil {

12
internal/service/database_service.go
View File

@@ -16,18 +16,18 @@ type DatabaseServiceConfig struct {
}
type DatabaseService struct {
Config DatabaseServiceConfig
Database *gorm.DB
config DatabaseServiceConfig
database *gorm.DB
}
func NewDatabaseService(config DatabaseServiceConfig) *DatabaseService {
return &DatabaseService{
Config: config,
config: config,
}
}
func (ds *DatabaseService) Init() error {
gormDB, err := gorm.Open(sqlite.Open(ds.Config.DatabasePath), &gorm.Config{})
gormDB, err := gorm.Open(sqlite.Open(ds.config.DatabasePath), &gorm.Config{})
if err != nil {
return err
@@ -47,7 +47,7 @@ func (ds *DatabaseService) Init() error {
return err
}
ds.Database = gormDB
ds.database = gormDB
return nil
}
@@ -74,5 +74,5 @@ func (ds *DatabaseService) migrateDatabase(sqlDB *sql.DB) error {
}
func (ds *DatabaseService) GetDatabase() *gorm.DB {
return ds.Database
return ds.database
}

36
internal/service/docker_service.go
View File

@@ -4,7 +4,7 @@ import (
"context"
"strings"
"tinyauth/internal/config"
"tinyauth/internal/utils"
"tinyauth/internal/utils/decoders"
container "github.com/docker/docker/api/types/container"
"github.com/docker/docker/client"
@@ -12,8 +12,8 @@ import (
)
type DockerService struct {
Client *client.Client
Context context.Context
client *client.Client
context context.Context
}
func NewDockerService() *DockerService {
@@ -29,13 +29,13 @@ func (docker *DockerService) Init() error {
ctx := context.Background()
client.NegotiateAPIVersion(ctx)
docker.Client = client
docker.Context = ctx
docker.client = client
docker.context = ctx
return nil
}
func (docker *DockerService) GetContainers() ([]container.Summary, error) {
containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
containers, err := docker.client.ContainerList(docker.context, container.ListOptions{})
if err != nil {
return nil, err
}
@@ -43,7 +43,7 @@ func (docker *DockerService) GetContainers() ([]container.Summary, error) {
}
func (docker *DockerService) InspectContainer(containerId string) (container.InspectResponse, error) {
inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
inspect, err := docker.client.ContainerInspect(docker.context, containerId)
if err != nil {
return container.InspectResponse{}, err
}
@@ -51,38 +51,38 @@ func (docker *DockerService) InspectContainer(containerId string) (container.Ins
}
func (docker *DockerService) DockerConnected() bool {
_, err := docker.Client.Ping(docker.Context)
_, err := docker.client.Ping(docker.context)
return err == nil
}
func (docker *DockerService) GetLabels(app string, domain string) (config.AppLabels, error) {
func (docker *DockerService) GetLabels(appDomain string) (config.App, error) {
isConnected := docker.DockerConnected()
if !isConnected {
log.Debug().Msg("Docker not connected, returning empty labels")
return config.AppLabels{}, nil
return config.App{}, nil
}
containers, err := docker.GetContainers()
if err != nil {
return config.AppLabels{}, err
return config.App{}, err
}
for _, container := range containers {
inspect, err := docker.InspectContainer(container.ID)
for _, ctr := range containers {
inspect, err := docker.InspectContainer(ctr.ID)
if err != nil {
log.Warn().Str("id", container.ID).Err(err).Msg("Error inspecting container, skipping")
log.Warn().Str("id", ctr.ID).Err(err).Msg("Error inspecting container, skipping")
continue
}
labels, err := utils.GetLabels(inspect.Config.Labels)
labels, err := decoders.DecodeLabels(inspect.Config.Labels)
if err != nil {
log.Warn().Str("id", container.ID).Err(err).Msg("Error getting container labels, skipping")
log.Warn().Str("id", ctr.ID).Err(err).Msg("Error getting container labels, skipping")
continue
}
for appName, appLabels := range labels.Apps {
if appLabels.Config.Domain == domain {
if appLabels.Config.Domain == appDomain {
log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain")
return appLabels, nil
}
@@ -95,5 +95,5 @@ func (docker *DockerService) GetLabels(app string, domain string) (config.AppLab
}
log.Debug().Msg("No matching container found, returning empty labels")
return config.AppLabels{}, nil
return config.App{}, nil
}

40
internal/service/generic_oauth_service.go
View File

@@ -16,17 +16,18 @@ import (
)
type GenericOAuthService struct {
Config oauth2.Config
Context context.Context
Token *oauth2.Token
Verifier string
InsecureSkipVerify bool
UserinfoURL string
config oauth2.Config
context context.Context
token *oauth2.Token
verifier string
insecureSkipVerify bool
userinfoUrl string
name string
}
func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthService {
return &GenericOAuthService{
Config: oauth2.Config{
config: oauth2.Config{
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectURL: config.RedirectURL,
@@ -36,15 +37,16 @@ func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthServi
TokenURL: config.TokenURL,
},
},
InsecureSkipVerify: config.InsecureSkipVerify,
UserinfoURL: config.UserinfoURL,
insecureSkipVerify: config.InsecureSkipVerify,
userinfoUrl: config.UserinfoURL,
name: config.Name,
}
}
func (generic *GenericOAuthService) Init() error {
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: generic.InsecureSkipVerify,
InsecureSkipVerify: generic.insecureSkipVerify,
MinVersion: tls.VersionTLS12,
},
}
@@ -58,8 +60,8 @@ func (generic *GenericOAuthService) Init() error {
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
verifier := oauth2.GenerateVerifier()
generic.Context = ctx
generic.Verifier = verifier
generic.context = ctx
generic.verifier = verifier
return nil
}
@@ -74,26 +76,26 @@ func (generic *GenericOAuthService) GenerateState() string {
}
func (generic *GenericOAuthService) GetAuthURL(state string) string {
return generic.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(generic.Verifier))
return generic.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(generic.verifier))
}
func (generic *GenericOAuthService) VerifyCode(code string) error {
token, err := generic.Config.Exchange(generic.Context, code, oauth2.VerifierOption(generic.Verifier))
token, err := generic.config.Exchange(generic.context, code, oauth2.VerifierOption(generic.verifier))
if err != nil {
return err
}
generic.Token = token
generic.token = token
return nil
}
func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {
var user config.Claims
client := generic.Config.Client(generic.Context, generic.Token)
client := generic.config.Client(generic.context, generic.token)
res, err := client.Get(generic.UserinfoURL)
res, err := client.Get(generic.userinfoUrl)
if err != nil {
return user, err
}
@@ -115,3 +117,7 @@ func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {
return user, nil
}
func (generic *GenericOAuthService) GetName() string {
return generic.name
}

28
internal/service/github_oauth_service.go
View File

@@ -29,21 +29,23 @@ type GithubUserInfoResponse struct {
}
type GithubOAuthService struct {
Config oauth2.Config
Context context.Context
Token *oauth2.Token
Verifier string
config oauth2.Config
context context.Context
token *oauth2.Token
verifier string
name string
}
func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService {
return &GithubOAuthService{
Config: oauth2.Config{
config: oauth2.Config{
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectURL: config.RedirectURL,
Scopes: GithubOAuthScopes,
Endpoint: endpoints.GitHub,
},
name: config.Name,
}
}
@@ -53,8 +55,8 @@ func (github *GithubOAuthService) Init() error {
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
verifier := oauth2.GenerateVerifier()
github.Context = ctx
github.Verifier = verifier
github.context = ctx
github.verifier = verifier
return nil
}
@@ -69,24 +71,24 @@ func (github *GithubOAuthService) GenerateState() string {
}
func (github *GithubOAuthService) GetAuthURL(state string) string {
return github.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(github.Verifier))
return github.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(github.verifier))
}
func (github *GithubOAuthService) VerifyCode(code string) error {
token, err := github.Config.Exchange(github.Context, code, oauth2.VerifierOption(github.Verifier))
token, err := github.config.Exchange(github.context, code, oauth2.VerifierOption(github.verifier))
if err != nil {
return err
}
github.Token = token
github.token = token
return nil
}
func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
var user config.Claims
client := github.Config.Client(github.Context, github.Token)
client := github.config.Client(github.context, github.token)
req, err := http.NewRequest("GET", "https://api.github.com/user", nil)
if err != nil {
@@ -167,3 +169,7 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
return user, nil
}
func (github *GithubOAuthService) GetName() string {
return github.name
}

28
internal/service/google_oauth_service.go
View File

@@ -24,21 +24,23 @@ type GoogleUserInfoResponse struct {
}
type GoogleOAuthService struct {
Config oauth2.Config
Context context.Context
Token *oauth2.Token
Verifier string
config oauth2.Config
context context.Context
token *oauth2.Token
verifier string
name string
}
func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService {
return &GoogleOAuthService{
Config: oauth2.Config{
config: oauth2.Config{
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectURL: config.RedirectURL,
Scopes: GoogleOAuthScopes,
Endpoint: endpoints.Google,
},
name: config.Name,
}
}
@@ -48,8 +50,8 @@ func (google *GoogleOAuthService) Init() error {
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
verifier := oauth2.GenerateVerifier()
google.Context = ctx
google.Verifier = verifier
google.context = ctx
google.verifier = verifier
return nil
}
@@ -64,24 +66,24 @@ func (oauth *GoogleOAuthService) GenerateState() string {
}
func (google *GoogleOAuthService) GetAuthURL(state string) string {
return google.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(google.Verifier))
return google.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(google.verifier))
}
func (google *GoogleOAuthService) VerifyCode(code string) error {
token, err := google.Config.Exchange(google.Context, code, oauth2.VerifierOption(google.Verifier))
token, err := google.config.Exchange(google.context, code, oauth2.VerifierOption(google.verifier))
if err != nil {
return err
}
google.Token = token
google.token = token
return nil
}
func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
var user config.Claims
client := google.Config.Client(google.Context, google.Token)
client := google.config.Client(google.context, google.token)
res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
if err != nil {
@@ -111,3 +113,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
return user, nil
}
func (google *GoogleOAuthService) GetName() string {
return google.name
}

26
internal/service/ldap_service.go
View File

@@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"fmt"
"sync"
"time"
"github.com/cenkalti/backoff/v5"
@@ -21,8 +22,9 @@ type LdapServiceConfig struct {
}
type LdapService struct {
Config LdapServiceConfig
Conn *ldapgo.Conn
Config LdapServiceConfig // exported so as the auth service can use it
conn *ldapgo.Conn
mutex sync.RWMutex
}
func NewLdapService(config LdapServiceConfig) *LdapService {
@@ -55,6 +57,9 @@ func (ldap *LdapService) Init() error {
}
func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
ldap.mutex.Lock()
defer ldap.mutex.Unlock()
conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
InsecureSkipVerify: ldap.Config.Insecure,
MinVersion: tls.VersionTLS12,
@@ -69,7 +74,7 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
}
// Set and return the connection
ldap.Conn = conn
ldap.conn = conn
return conn, nil
}
@@ -86,7 +91,10 @@ func (ldap *LdapService) Search(username string) (string, error) {
nil,
)
searchResult, err := ldap.Conn.Search(searchRequest)
ldap.mutex.Lock()
defer ldap.mutex.Unlock()
searchResult, err := ldap.conn.Search(searchRequest)
if err != nil {
return "", err
}
@@ -100,7 +108,9 @@ func (ldap *LdapService) Search(username string) (string, error) {
}
func (ldap *LdapService) Bind(userDN string, password string) error {
err := ldap.Conn.Bind(userDN, password)
ldap.mutex.Lock()
defer ldap.mutex.Unlock()
err := ldap.conn.Bind(userDN, password)
if err != nil {
return err
}
@@ -118,7 +128,9 @@ func (ldap *LdapService) heartbeat() error {
nil,
)
_, err := ldap.Conn.Search(searchRequest)
ldap.mutex.Lock()
defer ldap.mutex.Unlock()
_, err := ldap.conn.Search(searchRequest)
if err != nil {
return err
}
@@ -137,7 +149,7 @@ func (ldap *LdapService) reconnect() error {
exp.Reset()
operation := func() (*ldapgo.Conn, error) {
ldap.Conn.Close()
ldap.conn.Close()
conn, err := ldap.connect()
if err != nil {
return nil, err

33
internal/service/oauth_broker_service.go
View File

@@ -5,6 +5,7 @@ import (
"tinyauth/internal/config"
"github.com/rs/zerolog/log"
"golang.org/x/exp/slices"
)
type OAuthService interface {
@@ -13,62 +14,64 @@ type OAuthService interface {
GetAuthURL(state string) string
VerifyCode(code string) error
Userinfo() (config.Claims, error)
GetName() string
}
type OAuthBrokerService struct {
Services map[string]OAuthService
Configs map[string]config.OAuthServiceConfig
services map[string]OAuthService
configs map[string]config.OAuthServiceConfig
}
func NewOAuthBrokerService(configs map[string]config.OAuthServiceConfig) *OAuthBrokerService {
return &OAuthBrokerService{
Services: make(map[string]OAuthService),
Configs: configs,
services: make(map[string]OAuthService),
configs: configs,
}
}
func (broker *OAuthBrokerService) Init() error {
for name, cfg := range broker.Configs {
for name, cfg := range broker.configs {
switch name {
case "github":
service := NewGithubOAuthService(cfg)
broker.Services[name] = service
broker.services[name] = service
case "google":
service := NewGoogleOAuthService(cfg)
broker.Services[name] = service
broker.services[name] = service
default:
service := NewGenericOAuthService(cfg)
broker.Services[name] = service
broker.services[name] = service
}
}
for name, service := range broker.Services {
for name, service := range broker.services {
err := service.Init()
if err != nil {
log.Error().Err(err).Msgf("Failed to initialize OAuth service: %s", name)
log.Error().Err(err).Msgf("Failed to initialize OAuth service: %T", name)
return err
}
log.Info().Msgf("Initialized OAuth service: %s", name)
log.Info().Msgf("Initialized OAuth service: %T", name)
}
return nil
}
func (broker *OAuthBrokerService) GetConfiguredServices() []string {
services := make([]string, 0, len(broker.Services))
for name := range broker.Services {
services := make([]string, 0, len(broker.services))
for name := range broker.services {
services = append(services, name)
}
slices.Sort(services)
return services
}
func (broker *OAuthBrokerService) GetService(name string) (OAuthService, bool) {
service, exists := broker.Services[name]
service, exists := broker.services[name]
return service, exists
}
func (broker *OAuthBrokerService) GetUser(service string) (config.Claims, error) {
oauthService, exists := broker.Services[service]
oauthService, exists := broker.services[service]
if !exists {
return config.Claims{}, errors.New("oauth service not found")
}

99
internal/utils/app_utils.go
View File

@@ -6,32 +6,43 @@ import (
"net/url"
"strings"
"tinyauth/internal/config"
"tinyauth/internal/utils/decoders"
"maps"
"github.com/gin-gonic/gin"
"github.com/rs/zerolog"
"github.com/weppos/publicsuffix-go/publicsuffix"
)
// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
func GetUpperDomain(appUrl string) (string, error) {
appUrlParsed, err := url.Parse(appUrl)
// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
func GetCookieDomain(u string) (string, error) {
parsed, err := url.Parse(u)
if err != nil {
return "", err
}
host := appUrlParsed.Hostname()
host := parsed.Hostname()
if netIP := net.ParseIP(host); netIP != nil {
return "", errors.New("IP addresses are not allowed")
return "", errors.New("IP addresses not allowed")
}
urlParts := strings.Split(host, ".")
parts := strings.Split(host, ".")
if len(urlParts) < 2 {
return "", errors.New("invalid domain, must be at least second level domain")
if len(parts) < 3 {
return "", errors.New("invalid app url, must be at least second level domain")
}
return strings.Join(urlParts[1:], "."), nil
domain := strings.Join(parts[1:], ".")
_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
if err != nil {
return "", errors.New("domain in public suffix list, cannot set cookies")
}
return domain, nil
}
func ParseFileToLine(content string) string {
@@ -49,6 +60,7 @@ func ParseFileToLine(content string) string {
}
func Filter[T any](slice []T, test func(T) bool) (res []T) {
res = make([]T, 0)
for _, value := range slice {
if test(value) {
res = append(res, value)
@@ -88,13 +100,13 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
return false
}
upper, err := GetUpperDomain(redirectURL)
cookieDomain, err := GetCookieDomain(redirectURL)
if err != nil {
return false
}
if upper != domain {
if cookieDomain != domain {
return false
}
@@ -121,3 +133,66 @@ func GetLogLevel(level string) zerolog.Level {
return zerolog.InfoLevel
}
}
func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[string]config.OAuthServiceConfig, error) {
providers := make(map[string]config.OAuthServiceConfig)
// Get from environment variables
envMap := make(map[string]string)
for _, e := range env {
pair := strings.SplitN(e, "=", 2)
envMap[pair[0]] = pair[1]
}
envProviders, err := decoders.DecodeEnv(envMap)
if err != nil {
return nil, err
}
maps.Copy(providers, envProviders.Providers)
// Get from flags
flagsMap := make(map[string]string)
for _, arg := range args[1:] {
if strings.HasPrefix(arg, "--") {
pair := strings.SplitN(arg[2:], "=", 2)
if len(pair) == 2 {
flagsMap[pair[0]] = pair[1]
}
}
}
flagProviders, err := decoders.DecodeFlags(flagsMap)
if err != nil {
return nil, err
}
maps.Copy(providers, flagProviders.Providers)
// For every provider get correct secret from file if set
for name, provider := range providers {
secret := GetSecret(provider.ClientSecret, provider.ClientSecretFile)
provider.ClientSecret = secret
provider.ClientSecretFile = ""
providers[name] = provider
}
// If we have google/github providers and no redirect URL babysit them
babysitProviders := []string{"google", "github"}
for _, name := range babysitProviders {
if provider, exists := providers[name]; exists {
if provider.RedirectURL == "" {
provider.RedirectURL = appUrl + "/api/oauth/callback/" + name
providers[name] = provider
}
}
}
// Return combined providers
return providers, nil
}

271
internal/utils/app_utils_test.go Normal file
View File

@@ -0,0 +1,271 @@
package utils_test
import (
"os"
"testing"
"tinyauth/internal/config"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
"gotest.tools/v3/assert"
)
func TestGetRootDomain(t *testing.T) {
// Normal case
domain := "http://sub.tinyauth.app"
expected := "tinyauth.app"
result, err := utils.GetCookieDomain(domain)
assert.NilError(t, err)
assert.Equal(t, expected, result)
// Domain with multiple subdomains
domain = "http://b.c.tinyauth.app"
expected = "c.tinyauth.app"
result, err = utils.GetCookieDomain(domain)
assert.NilError(t, err)
assert.Equal(t, expected, result)
// Domain with no subdomain
domain = "http://tinyauth.app"
expected = "tinyauth.app"
_, err = utils.GetCookieDomain(domain)
assert.Error(t, err, "invalid app url, must be at least second level domain")
// Invalid domain (only TLD)
domain = "com"
_, err = utils.GetCookieDomain(domain)
assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")
// IP address
domain = "http://10.10.10.10"
_, err = utils.GetCookieDomain(domain)
assert.ErrorContains(t, err, "IP addresses not allowed")
// Invalid URL
domain = "http://[::1]:namedport"
_, err = utils.GetCookieDomain(domain)
assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
// URL with scheme and path
domain = "https://sub.tinyauth.app/path"
expected = "tinyauth.app"
result, err = utils.GetCookieDomain(domain)
assert.NilError(t, err)
assert.Equal(t, expected, result)
// URL with port
domain = "http://sub.tinyauth.app:8080"
expected = "tinyauth.app"
result, err = utils.GetCookieDomain(domain)
assert.NilError(t, err)
assert.Equal(t, expected, result)
// Domain managed by ICANN
domain = "http://example.co.uk"
_, err = utils.GetCookieDomain(domain)
assert.Error(t, err, "domain in public suffix list, cannot set cookies")
}
func TestParseFileToLine(t *testing.T) {
// Normal case
content := "user1\nuser2\nuser3"
expected := "user1,user2,user3"
result := utils.ParseFileToLine(content)
assert.Equal(t, expected, result)
// Case with empty lines and spaces
content = " user1 \n\n user2 \n user3 \n"
expected = "user1,user2,user3"
result = utils.ParseFileToLine(content)
assert.Equal(t, expected, result)
// Case with only empty lines
content = "\n\n\n"
expected = ""
result = utils.ParseFileToLine(content)
assert.Equal(t, expected, result)
// Case with single user
content = "singleuser"
expected = "singleuser"
result = utils.ParseFileToLine(content)
assert.Equal(t, expected, result)
// Case with trailing newline
content = "user1\nuser2\n"
expected = "user1,user2"
result = utils.ParseFileToLine(content)
assert.Equal(t, expected, result)
}
func TestFilter(t *testing.T) {
// Normal case
slice := []int{1, 2, 3, 4, 5}
testFunc := func(n int) bool { return n%2 == 0 }
expected := []int{2, 4}
result := utils.Filter(slice, testFunc)
assert.DeepEqual(t, expected, result)
// Case with no matches
slice = []int{1, 3, 5}
testFunc = func(n int) bool { return n%2 == 0 }
expected = []int{}
result = utils.Filter(slice, testFunc)
assert.DeepEqual(t, expected, result)
// Case with all matches
slice = []int{2, 4, 6}
testFunc = func(n int) bool { return n%2 == 0 }
expected = []int{2, 4, 6}
result = utils.Filter(slice, testFunc)
assert.DeepEqual(t, expected, result)
// Case with empty slice
slice = []int{}
testFunc = func(n int) bool { return n%2 == 0 }
expected = []int{}
result = utils.Filter(slice, testFunc)
assert.DeepEqual(t, expected, result)
// Case with different type (string)
sliceStr := []string{"apple", "banana", "cherry"}
testFuncStr := func(s string) bool { return len(s) > 5 }
expectedStr := []string{"banana", "cherry"}
resultStr := utils.Filter(sliceStr, testFuncStr)
assert.DeepEqual(t, expectedStr, resultStr)
}
func TestGetContext(t *testing.T) {
// Setup
gin.SetMode(gin.TestMode)
c, _ := gin.CreateTestContext(nil)
// Normal case
c.Set("context", &config.UserContext{Username: "testuser"})
result, err := utils.GetContext(c)
assert.NilError(t, err)
assert.Equal(t, "testuser", result.Username)
// Case with no context
c.Set("context", nil)
_, err = utils.GetContext(c)
assert.Error(t, err, "invalid user context in request")
// Case with invalid context type
c.Set("context", "invalid type")
_, err = utils.GetContext(c)
assert.Error(t, err, "invalid user context in request")
}
func TestIsRedirectSafe(t *testing.T) {
// Setup
domain := "example.com"
// Case with no subdomain
redirectURL := "http://example.com/welcome"
result := utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
// Case with different domain
redirectURL = "http://malicious.com/phishing"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
// Case with subdomain
redirectURL = "http://sub.example.com/page"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, true, result)
// Case with empty redirect URL
redirectURL = ""
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
// Case with invalid URL
redirectURL = "http://[::1]:namedport"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
// Case with URL having port
redirectURL = "http://sub.example.com:8080/page"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, true, result)
// Case with URL having different subdomain
redirectURL = "http://another.example.com/page"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, true, result)
// Case with URL having different TLD
redirectURL = "http://example.org/page"
result = utils.IsRedirectSafe(redirectURL, domain)
assert.Equal(t, false, result)
}
func TestGetOAuthProvidersConfig(t *testing.T) {
env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"}
args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"}
expected := map[string]config.OAuthServiceConfig{
"client1": {
ClientID: "client1-id",
ClientSecret: "client1-secret",
},
"client2": {
ClientID: "client2-id",
ClientSecret: "client2-secret",
},
}
result, err := utils.GetOAuthProvidersConfig(env, args, "")
assert.NilError(t, err)
assert.DeepEqual(t, expected, result)
// Case with no providers
env = []string{}
args = []string{"/tinyauth/tinyauth"}
expected = map[string]config.OAuthServiceConfig{}
result, err = utils.GetOAuthProvidersConfig(env, args, "")
assert.NilError(t, err)
assert.DeepEqual(t, expected, result)
// Case with secret from file
file, err := os.Create("/tmp/tinyauth_test_file")
assert.NilError(t, err)
_, err = file.WriteString("file content\n")
assert.NilError(t, err)
err = file.Close()
assert.NilError(t, err)
defer os.Remove("/tmp/tinyauth_test_file")
env = []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET_FILE=/tmp/tinyauth_test_file"}
args = []string{"/tinyauth/tinyauth"}
expected = map[string]config.OAuthServiceConfig{
"client1": {
ClientID: "client1-id",
ClientSecret: "file content",
},
}
result, err = utils.GetOAuthProvidersConfig(env, args, "")
assert.NilError(t, err)
assert.DeepEqual(t, expected, result)
// Case with google provider and no redirect URL
env = []string{"PROVIDERS_GOOGLE_CLIENT_ID=google-id", "PROVIDERS_GOOGLE_CLIENT_SECRET=google-secret"}
args = []string{"/tinyauth/tinyauth"}
expected = map[string]config.OAuthServiceConfig{
"google": {
ClientID: "google-id",
ClientSecret: "google-secret",
RedirectURL: "http://app.url/api/oauth/callback/google",
},
}
result, err = utils.GetOAuthProvidersConfig(env, args, "http://app.url")
assert.NilError(t, err)
assert.DeepEqual(t, expected, result)
}

137
internal/utils/decoders/env_decoder.go Normal file
View File

@@ -0,0 +1,137 @@
package decoders
import (
"fmt"
"slices"
"sort"
"strings"
"tinyauth/internal/config"
"github.com/traefik/paerser/parser"
)
// Based on https://github.com/traefik/paerser/blob/master/parser/labels_decode.go
func DecodeEnv(env map[string]string) (config.Providers, error) {
normalized := normalizeEnv(env, "tinyauth")
node, err := decodeEnvsToNode(normalized, "tinyauth", "tinyauth_providers")
if err != nil {
return config.Providers{}, err
}
var providers config.Providers
metaOpts := parser.MetadataOpts{TagName: "env", AllowSliceAsStruct: true}
err = parser.AddMetadata(&providers, node, metaOpts)
if err != nil {
return config.Providers{}, err
}
err = parser.Fill(&providers, node, parser.FillerOpts{AllowSliceAsStruct: true})
if err != nil {
return config.Providers{}, err
}
return providers, nil
}
func decodeEnvsToNode(env map[string]string, rootName string, filters ...string) (*parser.Node, error) {
sorted := sortEnvKeys(env, filters)
var node *parser.Node
for i, k := range sorted {
split := strings.SplitN(k, "_", 4) // Something like PROVIDERS_MY_AWESOME_CLIENT is not supported because it will confuse the parser
if split[0] != rootName {
return nil, fmt.Errorf("invalid env root %s", split[0])
}
if slices.Contains(split, "") {
return nil, fmt.Errorf("invalid element: %s", k)
}
if i == 0 {
node = &parser.Node{}
}
decodeEnvToNode(node, split, env[k])
}
return node, nil
}
func decodeEnvToNode(root *parser.Node, path []string, value string) {
if len(root.Name) == 0 {
root.Name = path[0]
}
if len(path) <= 1 {
root.Value = value
return
}
if n := containsEnvNode(root.Children, path[1]); n != nil {
decodeEnvToNode(n, path[1:], value)
return
}
child := &parser.Node{Name: path[1]}
decodeEnvToNode(child, path[1:], value)
root.Children = append(root.Children, child)
}
func containsEnvNode(node []*parser.Node, name string) *parser.Node {
for _, n := range node {
if strings.EqualFold(n.Name, name) {
return n
}
}
return nil
}
func sortEnvKeys(env map[string]string, filters []string) []string {
var sorted []string
for k := range env {
if len(filters) == 0 {
sorted = append(sorted, k)
continue
}
for _, f := range filters {
if strings.HasPrefix(k, f) {
sorted = append(sorted, k)
break
}
}
}
sort.Strings(sorted)
return sorted
}
// normalizeEnv converts env vars from PROVIDERS_CLIENT1_CLIENT_ID to tinyauth_providers_client_clientId
func normalizeEnv(env map[string]string, rootName string) map[string]string {
n := make(map[string]string)
for k, v := range env {
fk := strings.ToLower(k)
fks := strings.SplitN(fk, "_", 3)
fkb := ""
for i, s := range strings.Split(fks[len(fks)-1], "_") {
if i == 0 {
fkb += s
continue
}
fkb += strings.ToUpper(string([]rune(s)[0])) + string([]rune(s)[1:])
}
fk = rootName + "_" + strings.Join(fks[:len(fks)-1], "_") + "_" + fkb
n[fk] = v
}
return n
}

60
internal/utils/decoders/env_decoder_test.go Normal file
View File

@@ -0,0 +1,60 @@
package decoders_test
import (
"testing"
"tinyauth/internal/config"
"tinyauth/internal/utils/decoders"
"gotest.tools/v3/assert"
)
func TestDecodeEnv(t *testing.T) {
// Variables
expected := config.Providers{
Providers: map[string]config.OAuthServiceConfig{
"client1": {
ClientID: "client1-id",
ClientSecret: "client1-secret",
Scopes: []string{"client1-scope1", "client1-scope2"},
RedirectURL: "client1-redirect-url",
AuthURL: "client1-auth-url",
UserinfoURL: "client1-user-info-url",
Name: "Client1",
InsecureSkipVerify: false,
},
"client2": {
ClientID: "client2-id",
ClientSecret: "client2-secret",
Scopes: []string{"client2-scope1", "client2-scope2"},
RedirectURL: "client2-redirect-url",
AuthURL: "client2-auth-url",
UserinfoURL: "client2-user-info-url",
Name: "My Awesome Client2",
InsecureSkipVerify: false,
},
},
}
test := map[string]string{
"PROVIDERS_CLIENT1_CLIENT_ID": "client1-id",
"PROVIDERS_CLIENT1_CLIENT_SECRET": "client1-secret",
"PROVIDERS_CLIENT1_SCOPES": "client1-scope1,client1-scope2",
"PROVIDERS_CLIENT1_REDIRECT_URL": "client1-redirect-url",
"PROVIDERS_CLIENT1_AUTH_URL": "client1-auth-url",
"PROVIDERS_CLIENT1_USER_INFO_URL": "client1-user-info-url",
"PROVIDERS_CLIENT1_NAME": "Client1",
"PROVIDERS_CLIENT1_INSECURE_SKIP_VERIFY": "false",
"PROVIDERS_CLIENT2_CLIENT_ID": "client2-id",
"PROVIDERS_CLIENT2_CLIENT_SECRET": "client2-secret",
"PROVIDERS_CLIENT2_SCOPES": "client2-scope1,client2-scope2",
"PROVIDERS_CLIENT2_REDIRECT_URL": "client2-redirect-url",
"PROVIDERS_CLIENT2_AUTH_URL": "client2-auth-url",
"PROVIDERS_CLIENT2_USER_INFO_URL": "client2-user-info-url",
"PROVIDERS_CLIENT2_NAME": "My Awesome Client2",
"PROVIDERS_CLIENT2_INSECURE_SKIP_VERIFY": "false",
}
// Test
res, err := decoders.DecodeEnv(test)
assert.NilError(t, err)
assert.DeepEqual(t, expected, res)
}

137
internal/utils/decoders/flags_decoder.go Normal file
View File

@@ -0,0 +1,137 @@
package decoders
import (
"fmt"
"slices"
"sort"
"strings"
"tinyauth/internal/config"
"github.com/traefik/paerser/parser"
)
// Based on https://github.com/traefik/paerser/blob/master/parser/labels_decode.go
func DecodeFlags(flags map[string]string) (config.Providers, error) {
normalized := normalizeFlags(flags, "tinyauth")
node, err := decodeFlagsToNode(normalized, "tinyauth", "tinyauth_providers")
if err != nil {
return config.Providers{}, err
}
var providers config.Providers
metaOpts := parser.MetadataOpts{TagName: "flag", AllowSliceAsStruct: true}
err = parser.AddMetadata(&providers, node, metaOpts)
if err != nil {
return config.Providers{}, err
}
err = parser.Fill(&providers, node, parser.FillerOpts{AllowSliceAsStruct: true})
if err != nil {
return config.Providers{}, err
}
return providers, nil
}
func decodeFlagsToNode(flags map[string]string, rootName string, filters ...string) (*parser.Node, error) {
sorted := sortFlagKeys(flags, filters)
var node *parser.Node
for i, k := range sorted {
split := strings.SplitN(k, "_", 4) // Something like --providers-my-awesome-client is not supported because it will confuse the parser
if split[0] != rootName {
return nil, fmt.Errorf("invalid flag root %s", split[0])
}
if slices.Contains(split, "") {
return nil, fmt.Errorf("invalid element: %s", k)
}
if i == 0 {
node = &parser.Node{}
}
decodeFlagToNode(node, split, flags[k])
}
return node, nil
}
func decodeFlagToNode(root *parser.Node, path []string, value string) {
if len(root.Name) == 0 {
root.Name = path[0]
}
if len(path) <= 1 {
root.Value = value
return
}
if n := containsFlagNode(root.Children, path[1]); n != nil {
decodeFlagToNode(n, path[1:], value)
return
}
child := &parser.Node{Name: path[1]}
decodeFlagToNode(child, path[1:], value)
root.Children = append(root.Children, child)
}
func containsFlagNode(node []*parser.Node, name string) *parser.Node {
for _, n := range node {
if strings.EqualFold(n.Name, name) {
return n
}
}
return nil
}
func sortFlagKeys(flags map[string]string, filters []string) []string {
var sorted []string
for k := range flags {
if len(filters) == 0 {
sorted = append(sorted, k)
continue
}
for _, f := range filters {
if strings.HasPrefix(k, f) {
sorted = append(sorted, k)
break
}
}
}
sort.Strings(sorted)
return sorted
}
// normalizeFlags converts flags from --providers-client-client-id to tinyauth_providers_client_clientId
func normalizeFlags(flags map[string]string, rootName string) map[string]string {
n := make(map[string]string)
for k, v := range flags {
fk := strings.TrimPrefix(k, "--")
fks := strings.SplitN(fk, "-", 3)
fkb := ""
for i, s := range strings.Split(fks[len(fks)-1], "-") {
if i == 0 {
fkb += s
continue
}
fkb += strings.ToUpper(string([]rune(s)[0])) + string([]rune(s)[1:])
}
fk = rootName + "_" + strings.Join(fks[:len(fks)-1], "_") + "_" + fkb
n[fk] = v
}
return n
}

60
internal/utils/decoders/flags_decoder_test.go Normal file
View File

@@ -0,0 +1,60 @@
package decoders_test
import (
"testing"
"tinyauth/internal/config"
"tinyauth/internal/utils/decoders"
"gotest.tools/v3/assert"
)
func TestDecodeFlags(t *testing.T) {
// Variables
expected := config.Providers{
Providers: map[string]config.OAuthServiceConfig{
"client1": {
ClientID: "client1-id",
ClientSecret: "client1-secret",
Scopes: []string{"client1-scope1", "client1-scope2"},
RedirectURL: "client1-redirect-url",
AuthURL: "client1-auth-url",
UserinfoURL: "client1-user-info-url",
Name: "Client1",
InsecureSkipVerify: false,
},
"client2": {
ClientID: "client2-id",
ClientSecret: "client2-secret",
Scopes: []string{"client2-scope1", "client2-scope2"},
RedirectURL: "client2-redirect-url",
AuthURL: "client2-auth-url",
UserinfoURL: "client2-user-info-url",
Name: "My Awesome Client2",
InsecureSkipVerify: false,
},
},
}
test := map[string]string{
"--providers-client1-client-id": "client1-id",
"--providers-client1-client-secret": "client1-secret",
"--providers-client1-scopes": "client1-scope1,client1-scope2",
"--providers-client1-redirect-url": "client1-redirect-url",
"--providers-client1-auth-url": "client1-auth-url",
"--providers-client1-user-info-url": "client1-user-info-url",
"--providers-client1-name": "Client1",
"--providers-client1-insecure-skip-verify": "false",
"--providers-client2-client-id": "client2-id",
"--providers-client2-client-secret": "client2-secret",
"--providers-client2-scopes": "client2-scope1,client2-scope2",
"--providers-client2-redirect-url": "client2-redirect-url",
"--providers-client2-auth-url": "client2-auth-url",
"--providers-client2-user-info-url": "client2-user-info-url",
"--providers-client2-name": "My Awesome Client2",
"--providers-client2-insecure-skip-verify": "false",
}
// Test
res, err := decoders.DecodeFlags(test)
assert.NilError(t, err)
assert.DeepEqual(t, expected, res)
}

19
internal/utils/decoders/label_decoder.go Normal file
View File

@@ -0,0 +1,19 @@
package decoders
import (
"tinyauth/internal/config"
"github.com/traefik/paerser/parser"
)
func DecodeLabels(labels map[string]string) (config.Apps, error) {
var appLabels config.Apps
err := parser.Decode(labels, &appLabels, "tinyauth", "tinyauth.apps")
if err != nil {
return config.Apps{}, err
}
return appLabels, nil
}

68
internal/utils/decoders/label_decoder_test.go Normal file
View File

@@ -0,0 +1,68 @@
package decoders_test
import (
"testing"
"tinyauth/internal/config"
"tinyauth/internal/utils/decoders"
"gotest.tools/v3/assert"
)
func TestDecodeLabels(t *testing.T) {
// Variables
expected := config.Apps{
Apps: map[string]config.App{
"foo": {
Config: config.AppConfig{
Domain: "example.com",
},
Users: config.AppUsers{
Allow: "user1,user2",
Block: "user3",
},
OAuth: config.AppOAuth{
Whitelist: "somebody@example.com",
Groups: "group3",
},
IP: config.AppIP{
Allow: []string{"10.71.0.1/24", "10.71.0.2"},
Block: []string{"10.10.10.10", "10.0.0.0/24"},
Bypass: []string{"192.168.1.1"},
},
Response: config.AppResponse{
Headers: []string{"X-Foo=Bar", "X-Baz=Qux"},
BasicAuth: config.AppBasicAuth{
Username: "admin",
Password: "password",
PasswordFile: "/path/to/passwordfile",
},
},
Path: config.AppPath{
Allow: "/public",
Block: "/private",
},
},
},
}
test := map[string]string{
"tinyauth.apps.foo.config.domain": "example.com",
"tinyauth.apps.foo.users.allow": "user1,user2",
"tinyauth.apps.foo.users.block": "user3",
"tinyauth.apps.foo.oauth.whitelist": "somebody@example.com",
"tinyauth.apps.foo.oauth.groups": "group3",
"tinyauth.apps.foo.ip.allow": "10.71.0.1/24,10.71.0.2",
"tinyauth.apps.foo.ip.block": "10.10.10.10,10.0.0.0/24",
"tinyauth.apps.foo.ip.bypass": "192.168.1.1",
"tinyauth.apps.foo.response.headers": "X-Foo=Bar,X-Baz=Qux",
"tinyauth.apps.foo.response.basicauth.username": "admin",
"tinyauth.apps.foo.response.basicauth.password": "password",
"tinyauth.apps.foo.response.basicauth.passwordfile": "/path/to/passwordfile",
"tinyauth.apps.foo.path.allow": "/public",
"tinyauth.apps.foo.path.block": "/private",
}
// Test
result, err := decoders.DecodeLabels(test)
assert.NilError(t, err)
assert.DeepEqual(t, expected, result)
}

31
internal/utils/fs_utils_test.go Normal file
View File

@@ -0,0 +1,31 @@
package utils
import (
"os"
"testing"
"gotest.tools/v3/assert"
)
func TestReadFile(t *testing.T) {
// Setup
file, err := os.Create("/tmp/tinyauth_test_file")
assert.NilError(t, err)
_, err = file.WriteString("file content\n")
assert.NilError(t, err)
err = file.Close()
assert.NilError(t, err)
defer os.Remove("/tmp/tinyauth_test_file")
// Normal case
content, err := ReadFile("/tmp/tinyauth_test_file")
assert.NilError(t, err)
assert.Equal(t, "file content\n", content)
// Non-existing file
content, err = ReadFile("/tmp/non_existing_file")
assert.ErrorContains(t, err, "no such file or directory")
assert.Equal(t, "", content)
}

14
internal/utils/label_utils.go
View File

@@ -3,22 +3,8 @@ package utils
import (
"net/http"
"strings"
"tinyauth/internal/config"
"github.com/traefik/paerser/parser"
)
func GetLabels(labels map[string]string) (config.Labels, error) {
var labelsParsed config.Labels
err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.apps")
if err != nil {
return config.Labels{}, err
}
return labelsParsed, nil
}
func ParseHeaders(headers []string) map[string]string {
headerMap := make(map[string]string)
for _, header := range headers {

87
internal/utils/label_utils_test.go Normal file
View File

@@ -0,0 +1,87 @@
package utils_test
import (
"testing"
"tinyauth/internal/utils"
"gotest.tools/v3/assert"
)
func TestParseHeaders(t *testing.T) {
// Normal case
headers := []string{
"X-Custom-Header=Value",
"Another-Header=AnotherValue",
}
expected := map[string]string{
"X-Custom-Header": "Value",
"Another-Header": "AnotherValue",
}
assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
// Case insensitivity and trimming
headers = []string{
" x-custom-header = Value ",
"ANOTHER-HEADER=AnotherValue",
}
expected = map[string]string{
"X-Custom-Header": "Value",
"Another-Header": "AnotherValue",
}
assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
// Invalid headers (missing '=', empty key/value)
headers = []string{
"InvalidHeader",
"=NoKey",
"NoValue=",
" = ",
}
expected = map[string]string{}
assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
// Headers with unsafe characters
headers = []string{
"X-Custom-Header=Val\x00ue", // Null byte
"Another-Header=Anoth\x7FerValue", // DEL character
"Good-Header=GoodValue",
}
expected = map[string]string{
"X-Custom-Header": "Value",
"Another-Header": "AnotherValue",
"Good-Header": "GoodValue",
}
assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
// Header with spaces in key (should be ignored)
headers = []string{
"X Custom Header=Value",
"Valid-Header=ValidValue",
}
expected = map[string]string{
"Valid-Header": "ValidValue",
}
assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
}
func TestSanitizeHeader(t *testing.T) {
// Normal case
header := "X-Custom-Header"
expected := "X-Custom-Header"
assert.Equal(t, expected, utils.SanitizeHeader(header))
// Header with unsafe characters
header = "X-Cust\x00om-Hea\x7Fder" // Null byte and DEL character
expected = "X-Custom-Header"
assert.Equal(t, expected, utils.SanitizeHeader(header))
// Header with only unsafe characters
header = "\x00\x01\x02\x7F"
expected = ""
assert.Equal(t, expected, utils.SanitizeHeader(header))
// Header with spaces and tabs (should be preserved)
header = "X Custom\tHeader"
expected = "X Custom\tHeader"
assert.Equal(t, expected, utils.SanitizeHeader(header))
}

6
internal/utils/security_utils.go
View File

@@ -48,6 +48,12 @@ func GetBasicAuth(username string, password string) string {
func FilterIP(filter string, ip string) (bool, error) {
ipAddr := net.ParseIP(ip)
if ipAddr == nil {
return false, errors.New("invalid IP address")
}
filter = strings.Replace(filter, "-", "/", -1)
if strings.Contains(filter, "/") {
_, cidr, err := net.ParseCIDR(filter)
if err != nil {

151
internal/utils/security_utils_test.go Normal file
View File

@@ -0,0 +1,151 @@
package utils_test
import (
"os"
"testing"
"tinyauth/internal/utils"
"gotest.tools/v3/assert"
)
func TestGetSecret(t *testing.T) {
// Setup
file, err := os.Create("/tmp/tinyauth_test_secret")
assert.NilError(t, err)
_, err = file.WriteString(" secret \n")
assert.NilError(t, err)
err = file.Close()
assert.NilError(t, err)
defer os.Remove("/tmp/tinyauth_test_secret")
// Get from config
assert.Equal(t, "mysecret", utils.GetSecret("mysecret", ""))
// Get from file
assert.Equal(t, "secret", utils.GetSecret("", "/tmp/tinyauth_test_secret"))
// Get from both (config should take precedence)
assert.Equal(t, "mysecret", utils.GetSecret("mysecret", "/tmp/tinyauth_test_secret"))
// Get from none
assert.Equal(t, "", utils.GetSecret("", ""))
// Get from non-existing file
assert.Equal(t, "", utils.GetSecret("", "/tmp/non_existing_file"))
}
func TestParseSecretFile(t *testing.T) {
// Normal case
content := " mysecret \n"
assert.Equal(t, "mysecret", utils.ParseSecretFile(content))
// Multiple lines (should take the first non-empty line)
content = "\n\n firstsecret \nsecondsecret\n"
assert.Equal(t, "firstsecret", utils.ParseSecretFile(content))
// All empty lines
content = "\n \n \n"
assert.Equal(t, "", utils.ParseSecretFile(content))
// Empty content
content = ""
assert.Equal(t, "", utils.ParseSecretFile(content))
}
func TestGetBasicAuth(t *testing.T) {
// Normal case
username := "user"
password := "pass"
expected := "dXNlcjpwYXNz" // base64 of "user:pass"
assert.Equal(t, expected, utils.GetBasicAuth(username, password))
// Empty username
username = ""
password = "pass"
expected = "OnBhc3M=" // base64 of ":pass"
assert.Equal(t, expected, utils.GetBasicAuth(username, password))
// Empty password
username = "user"
password = ""
expected = "dXNlcjo=" // base64 of "user:"
assert.Equal(t, expected, utils.GetBasicAuth(username, password))
}
func TestFilterIP(t *testing.T) {
// Exact match IPv4
ok, err := utils.FilterIP("10.10.0.1", "10.10.0.1")
assert.NilError(t, err)
assert.Equal(t, true, ok)
// Non-match IPv4
ok, err = utils.FilterIP("10.10.0.1", "10.10.0.2")
assert.NilError(t, err)
assert.Equal(t, false, ok)
// CIDR match IPv4
ok, err = utils.FilterIP("10.10.0.0/24", "10.10.0.2")
assert.NilError(t, err)
assert.Equal(t, true, ok)
// CIDR match IPv4 with '-' instead of '/'
ok, err = utils.FilterIP("10.10.10.0-24", "10.10.10.5")
assert.NilError(t, err)
assert.Equal(t, true, ok)
// CIDR non-match IPv4
ok, err = utils.FilterIP("10.10.0.0/24", "10.5.0.1")
assert.NilError(t, err)
assert.Equal(t, false, ok)
// Invalid CIDR
ok, err = utils.FilterIP("10.10.0.0/222", "10.0.0.1")
assert.ErrorContains(t, err, "invalid CIDR address")
assert.Equal(t, false, ok)
// Invalid IP in filter
ok, err = utils.FilterIP("invalid_ip", "10.5.5.5")
assert.ErrorContains(t, err, "invalid IP address in filter")
assert.Equal(t, false, ok)
// Invalid IP to check
ok, err = utils.FilterIP("10.10.10.10", "invalid_ip")
assert.ErrorContains(t, err, "invalid IP address")
assert.Equal(t, false, ok)
}
func TestCheckFilter(t *testing.T) {
// Empty filter
assert.Equal(t, true, utils.CheckFilter("", "anystring"))
// Exact match
assert.Equal(t, true, utils.CheckFilter("hello", "hello"))
// Regex match
assert.Equal(t, true, utils.CheckFilter("/^h.*o$/", "hello"))
// Invalid regex
assert.Equal(t, false, utils.CheckFilter("/[unclosed", "test"))
// Comma-separated values
assert.Equal(t, true, utils.CheckFilter("apple, banana, cherry", "banana"))
// No match
assert.Equal(t, false, utils.CheckFilter("apple, banana, cherry", "grape"))
}
func TestGenerateIdentifier(t *testing.T) {
// Consistent output for same input
id1 := utils.GenerateIdentifier("teststring")
id2 := utils.GenerateIdentifier("teststring")
assert.Equal(t, id1, id2)
// Different output for different input
id3 := utils.GenerateIdentifier("differentstring")
assert.Assert(t, id1 != id3)
// Check length (should be 8 characters from first segment of UUID)
assert.Equal(t, 8, len(id1))
}

50
internal/utils/string_utils_test.go Normal file
View File

@@ -0,0 +1,50 @@
package utils_test
import (
"testing"
"tinyauth/internal/utils"
"gotest.tools/v3/assert"
)
func TestCapitalize(t *testing.T) {
// Test empty string
assert.Equal(t, "", utils.Capitalize(""))
// Test single character
assert.Equal(t, "A", utils.Capitalize("a"))
// Test multiple characters
assert.Equal(t, "Hello", utils.Capitalize("hello"))
// Test already capitalized
assert.Equal(t, "World", utils.Capitalize("World"))
// Test non-alphabetic first character
assert.Equal(t, "1number", utils.Capitalize("1number"))
// Test Unicode characters
assert.Equal(t, "Γειά", utils.Capitalize("γειά"))
assert.Equal(t, "Привет", utils.Capitalize("привет"))
}
func TestCoalesceToString(t *testing.T) {
// Test with []any containing strings
assert.Equal(t, "a,b,c", utils.CoalesceToString([]any{"a", "b", "c"}))
// Test with []any containing mixed types
assert.Equal(t, "a,c", utils.CoalesceToString([]any{"a", 1, "c", true}))
// Test with []any containing no strings
assert.Equal(t, "", utils.CoalesceToString([]any{1, 2, 3}))
// Test with string input
assert.Equal(t, "hello", utils.CoalesceToString("hello"))
// Test with non-string, non-[]any input
assert.Equal(t, "", utils.CoalesceToString(123))
// Test with nil input
assert.Equal(t, "", utils.CoalesceToString(nil))
}

163
internal/utils/user_utils_test.go Normal file
View File

@@ -0,0 +1,163 @@
package utils_test
import (
"os"
"testing"
"tinyauth/internal/utils"
"gotest.tools/v3/assert"
)
func TestGetUsers(t *testing.T) {
// Setup
file, err := os.Create("/tmp/tinyauth_users_test.txt")
assert.NilError(t, err)
_, err = file.WriteString(" user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G \n user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G ") // Spacing is on purpose
assert.NilError(t, err)
err = file.Close()
assert.NilError(t, err)
defer os.Remove("/tmp/tinyauth_users_test.txt")
// Test file
users, err := utils.GetUsers("", "/tmp/tinyauth_users_test.txt")
assert.NilError(t, err)
assert.Equal(t, 2, len(users))
assert.Equal(t, "user1", users[0].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
assert.Equal(t, "user2", users[1].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
// Test config
users, err = utils.GetUsers("user3:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user4:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "")
assert.NilError(t, err)
assert.Equal(t, 2, len(users))
assert.Equal(t, "user3", users[0].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
assert.Equal(t, "user4", users[1].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
// Test both
users, err = utils.GetUsers("user5:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "/tmp/tinyauth_users_test.txt")
assert.NilError(t, err)
assert.Equal(t, 3, len(users))
assert.Equal(t, "user5", users[0].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
assert.Equal(t, "user1", users[1].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
assert.Equal(t, "user2", users[2].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[2].Password)
// Test empty
users, err = utils.GetUsers("", "")
assert.NilError(t, err)
assert.Equal(t, 0, len(users))
// Test non-existent file
users, err = utils.GetUsers("", "/tmp/non_existent_file.txt")
assert.ErrorContains(t, err, "no such file or directory")
assert.Equal(t, 0, len(users))
}
func TestParseUsers(t *testing.T) {
// Valid users
users, err := utils.ParseUsers("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF") // user2 has TOTP
assert.NilError(t, err)
assert.Equal(t, 2, len(users))
assert.Equal(t, "user1", users[0].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
assert.Equal(t, "", users[0].TotpSecret)
assert.Equal(t, "user2", users[1].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
assert.Equal(t, "ABCDEF", users[1].TotpSecret)
// Valid weirdly spaced users
users, err = utils.ParseUsers(" user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G , user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF ") // Spacing is on purpose
assert.NilError(t, err)
assert.Equal(t, 2, len(users))
assert.Equal(t, "user1", users[0].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
assert.Equal(t, "", users[0].TotpSecret)
assert.Equal(t, "user2", users[1].Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
assert.Equal(t, "ABCDEF", users[1].TotpSecret)
}
func TestParseUser(t *testing.T) {
// Valid user without TOTP
user, err := utils.ParseUser("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G")
assert.NilError(t, err)
assert.Equal(t, "user1", user.Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
assert.Equal(t, "", user.TotpSecret)
// Valid user with TOTP
user, err = utils.ParseUser("user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF")
assert.NilError(t, err)
assert.Equal(t, "user2", user.Username)
assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
assert.Equal(t, "ABCDEF", user.TotpSecret)
// Valid user with $$ in password
user, err = utils.ParseUser("user3:pa$$word123")
assert.NilError(t, err)
assert.Equal(t, "user3", user.Username)
assert.Equal(t, "pa$word123", user.Password)
assert.Equal(t, "", user.TotpSecret)
// User with spaces
user, err = utils.ParseUser(" user4 : password123 : TOTPSECRET ")
assert.NilError(t, err)
assert.Equal(t, "user4", user.Username)
assert.Equal(t, "password123", user.Password)
assert.Equal(t, "TOTPSECRET", user.TotpSecret)
// Invalid users
_, err = utils.ParseUser("user1") // Missing password
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser("user1:")
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser(":password123")
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser("user1:password123:ABC:EXTRA") // Too many parts
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser("user1::ABC")
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser(":password123:ABC")
assert.ErrorContains(t, err, "invalid user format")
_, err = utils.ParseUser(" : : ")
assert.ErrorContains(t, err, "invalid user format")
}