feat: add flag decoder (candidate)

This reverts commit f0d2da281a.

cmd/root.go

@@ -95,7 +95,6 @@ func init() {
 		{"generic-user-url", "", "Generic OAuth user info URL."},
 		{"generic-name", "Generic", "Generic OAuth provider name."},
 		{"generic-skip-ssl", false, "Skip SSL verification for the generic OAuth provider."},
-		{"disable-continue", false, "Disable continue screen and redirect to app directly."},
 		{"oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth."},
 		{"oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)"},
 		{"session-expiry", 86400, "Session (cookie) expiration time in seconds."},
@@ -113,6 +112,7 @@ func init() {
 		{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
 		{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
 		{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file."},
+		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses) for correct client IP detection and for header ACLs."},
 	}
 
 	for _, opt := range configOptions {

frontend/bun.lock

@@ -14,7 +14,6 @@
         "axios": "^1.11.0",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
-        "dompurify": "^3.2.6",
         "i18next": "^25.4.2",
         "i18next-browser-languagedetector": "^8.2.0",
         "i18next-resources-to-backend": "^1.2.1",
@@ -364,8 +363,6 @@
 
     "@types/react-dom": ["@types/react-dom@19.1.8", "", { "peerDependencies": { "@types/react": "^19.0.0" } }, "sha512-xG7xaBMJCpcK0RpN8jDbAACQo54ycO6h4dSSmgv8+fu6ZIAdANkx/WsawASUjVXYfy+J9AbUpRMNNEsXCDfDBQ=="],
 
-    "@types/trusted-types": ["@types/trusted-types@2.0.7", "", {}, "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw=="],
-
     "@types/unist": ["@types/unist@3.0.3", "", {}, "sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q=="],
 
     "@typescript-eslint/eslint-plugin": ["@typescript-eslint/eslint-plugin@8.41.0", "", { "dependencies": { "@eslint-community/regexpp": "^4.10.0", "@typescript-eslint/scope-manager": "8.41.0", "@typescript-eslint/type-utils": "8.41.0", "@typescript-eslint/utils": "8.41.0", "@typescript-eslint/visitor-keys": "8.41.0", "graphemer": "^1.4.0", "ignore": "^7.0.0", "natural-compare": "^1.4.0", "ts-api-utils": "^2.1.0" }, "peerDependencies": { "@typescript-eslint/parser": "^8.41.0", "eslint": "^8.57.0 || ^9.0.0", "typescript": ">=4.8.4 <6.0.0" } }, "sha512-8fz6oa6wEKZrhXWro/S3n2eRJqlRcIa6SlDh59FXJ5Wp5XRZ8B9ixpJDcjadHq47hMx0u+HW6SNa6LjJQ6NLtw=="],
@@ -476,8 +473,6 @@
 
     "devlop": ["devlop@1.1.0", "", { "dependencies": { "dequal": "^2.0.0" } }, "sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA=="],
 
-    "dompurify": ["dompurify@3.2.6", "", { "optionalDependencies": { "@types/trusted-types": "^2.0.7" } }, "sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ=="],
-
     "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="],
 
     "electron-to-chromium": ["electron-to-chromium@1.5.151", "", {}, "sha512-Rl6uugut2l9sLojjS4H4SAr3A4IgACMLgpuEMPYCVcKydzfyPrn5absNRju38IhQOf/NwjJY8OGWjlteqYeBCA=="],

frontend/package.json

@@ -20,7 +20,6 @@
     "axios": "^1.11.0",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "dompurify": "^3.2.6",
     "i18next": "^25.4.2",
     "i18next-browser-languagedetector": "^8.2.0",
     "i18next-resources-to-backend": "^1.2.1",

frontend/src/App.tsx

@@ -5,8 +5,8 @@ export const App = () => {
   const { isLoggedIn } = useUserContext();
 
   if (isLoggedIn) {
-    return <Navigate to="/logout" />;
+    return <Navigate to="/logout" replace />;
   }
 
-  return <Navigate to="/login" />;
+  return <Navigate to="/login" replace />;
 };

frontend/src/components/domain-warning/domain-warning.tsx

@@ -0,0 +1,56 @@
+import {
+  Card,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from "../ui/card";
+import { Button } from "../ui/button";
+import { Trans, useTranslation } from "react-i18next";
+import { useLocation } from "react-router";
+
+interface Props {
+  onClick: () => void;
+  appUrl: string;
+  currentUrl: string;
+}
+
+export const DomainWarning = (props: Props) => {
+  const { onClick, appUrl, currentUrl } = props;
+  const { t } = useTranslation();
+  const { search } = useLocation();
+
+  const searchParams = new URLSearchParams(search);
+  const redirectUri = searchParams.get("redirect_uri");
+
+  return (
+    <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
+      <CardHeader>
+        <CardTitle className="text-3xl">{t("domainWarningTitle")}</CardTitle>
+        <CardDescription>
+          <Trans
+            t={t}
+            i18nKey="domainWarningSubtitle"
+            values={{ appUrl, currentUrl }}
+            components={{ code: <code /> }}
+          />
+        </CardDescription>
+      </CardHeader>
+      <CardFooter className="flex flex-col items-stretch gap-2">
+        <Button onClick={onClick} variant="warning">
+          {t("ignoreTitle")}
+        </Button>
+        <Button
+          onClick={() =>
+            window.location.assign(
+              `${appUrl}/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`,
+            )
+          }
+          variant="outline"
+        >
+          {t("goToCorrectDomainTitle")}
+        </Button>
+      </CardFooter>
+    </Card>
+  );
+};

frontend/src/components/layout/layout.tsx

@@ -1,8 +1,10 @@
 import { useAppContext } from "@/context/app-context";
 import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
+import { useCallback, useState } from "react";
+import { DomainWarning } from "../domain-warning/domain-warning";
 
-export const Layout = () => {
+const BaseLayout = ({ children }: { children: React.ReactNode }) => {
   const { backgroundImage } = useAppContext();
 
   return (
@@ -15,7 +17,38 @@ export const Layout = () => {
       }}
     >
       <LanguageSelector />
-      <Outlet />
+      {children}
     </div>
   );
 };
+
+export const Layout = () => {
+  const { appUrl } = useAppContext();
+  const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
+    return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
+  });
+  const currentUrl = window.location.origin;
+
+  const handleIgnore = useCallback(() => {
+    window.sessionStorage.setItem("ignoreDomainWarning", "true");
+    setIgnoreDomainWarning(true);
+  }, [setIgnoreDomainWarning]);
+
+  if (!ignoreDomainWarning && appUrl !== currentUrl) {
+    return (
+      <BaseLayout>
+        <DomainWarning
+          appUrl={appUrl}
+          currentUrl={currentUrl}
+          onClick={() => handleIgnore()}
+        />
+      </BaseLayout>
+    );
+  }
+
+  return (
+    <BaseLayout>
+      <Outlet />
+    </BaseLayout>
+  );
+};

frontend/src/components/ui/button.tsx

@@ -22,7 +22,7 @@ const buttonVariants = cva(
           "hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50",
         link: "text-primary underline-offset-4 hover:underline",
         warning:
-          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40 dark:bg-amber-600",
+          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40",
       },
       size: {
         default: "h-9 px-4 py-2 has-[>svg]:px-3",

frontend/src/index.css

@@ -156,7 +156,7 @@ ul {
 }
 
 code {
-  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold;
+  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
 }
 
 .lead {

frontend/src/lib/i18n/locales/en-US.json

@@ -14,14 +14,14 @@
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
     "loginOauthSuccessTitle": "Redirecting",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "continueTitle": "Continue",
     "continueRedirectingTitle": "Redirecting...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
+    "continueRedirectManually": "Redirect me manually",
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
     "logoutFailTitle": "Failed to log out",
     "logoutFailSubtitle": "Please try again",
     "logoutSuccessTitle": "Logged out",
@@ -44,8 +44,6 @@
     "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
     "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedButton": "Try again",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
     "cancelTitle": "Cancel",
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
@@ -53,5 +51,9 @@
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input"
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }

frontend/src/lib/i18n/locales/en.json

@@ -14,14 +14,14 @@
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
     "loginOauthSuccessTitle": "Redirecting",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "continueTitle": "Continue",
     "continueRedirectingTitle": "Redirecting...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
+    "continueRedirectManually": "Redirect me manually",
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
     "logoutFailTitle": "Failed to log out",
     "logoutFailSubtitle": "Please try again",
     "logoutSuccessTitle": "Logged out",
@@ -44,8 +44,6 @@
     "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
     "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedButton": "Try again",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
     "cancelTitle": "Cancel",
     "forgotPasswordTitle": "Forgot your password?",
     "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
@@ -53,5 +51,9 @@
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
     "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input"
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }

frontend/src/pages/continue-page.tsx

@@ -11,60 +11,101 @@ import { useUserContext } from "@/context/user-context";
 import { isValidUrl } from "@/lib/utils";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
-import DOMPurify from "dompurify";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 
 export const ContinuePage = () => {
+  const { cookieDomain } = useAppContext();
   const { isLoggedIn } = useUserContext();
-
-  if (!isLoggedIn) {
-    return <Navigate to="/login" />;
-  }
-
-  const { domain, disableContinue } = useAppContext();
   const { search } = useLocation();
-  const [loading, setLoading] = useState(false);
-
-  const searchParams = new URLSearchParams(search);
-  const redirectURI = searchParams.get("redirect_uri");
-
-  if (!redirectURI) {
-    return <Navigate to="/logout" />;
-  }
-
-  if (!isValidUrl(DOMPurify.sanitize(redirectURI))) {
-    return <Navigate to="/logout" />;
-  }
-
-  const handleRedirect = () => {
-    setLoading(true);
-    window.location.href = DOMPurify.sanitize(redirectURI);
-  }
-
-  if (disableContinue) {
-    handleRedirect();
-  }
-
   const { t } = useTranslation();
   const navigate = useNavigate();
 
-  const url = new URL(redirectURI);
+  const [loading, setLoading] = useState(false);
+  const [showRedirectButton, setShowRedirectButton] = useState(false);
 
-  if (!(url.hostname == domain) && !url.hostname.endsWith(`.${domain}`)) {
+  const searchParams = new URLSearchParams(search);
+  const redirectUri = searchParams.get("redirect_uri");
+
+  const isValidRedirectUri =
+    redirectUri !== null ? isValidUrl(redirectUri) : false;
+  const redirectUriObj = isValidRedirectUri
+    ? new URL(redirectUri as string)
+    : null;
+  const isTrustedRedirectUri =
+    redirectUriObj !== null
+      ? redirectUriObj.hostname === cookieDomain ||
+        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
+      : false;
+  const isAllowedRedirectProto =
+    redirectUriObj !== null
+      ? redirectUriObj.protocol === "https:" ||
+        redirectUriObj.protocol === "http:"
+      : false;
+  const isHttpsDowngrade =
+    redirectUriObj !== null
+      ? redirectUriObj.protocol === "http:" &&
+        window.location.protocol === "https:"
+      : false;
+
+  const handleRedirect = () => {
+    setLoading(true);
+    window.location.assign(redirectUriObj!.toString());
+  };
+
+  useEffect(() => {
+    if (
+      !isLoggedIn ||
+      !isValidRedirectUri ||
+      !isTrustedRedirectUri ||
+      !isAllowedRedirectProto ||
+      isHttpsDowngrade
+    ) {
+      return;
+    }
+
+    const auto = setTimeout(() => {
+      handleRedirect();
+    }, 100);
+
+    const reveal = setTimeout(() => {
+      setLoading(false);
+      setShowRedirectButton(true);
+    }, 1000);
+
+    return () => {
+      clearTimeout(auto);
+      clearTimeout(reveal);
+    };
+  }, []);
+
+  if (!isLoggedIn) {
     return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Navigate
+        to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
+        replace
+      />
+    );
+  }
+
+  if (!isValidRedirectUri || !isAllowedRedirectProto) {
+    return <Navigate to="/logout" replace />;
+  }
+
+  if (!isTrustedRedirectUri) {
+    return (
+      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
         <CardHeader>
           <CardTitle className="text-3xl">
-            {t("untrustedRedirectTitle")}
+            {t("continueUntrustedRedirectTitle")}
           </CardTitle>
           <CardDescription>
             <Trans
-              i18nKey="untrustedRedirectSubtitle"
+              i18nKey="continueUntrustedRedirectSubtitle"
               t={t}
               components={{
                 code: <code />,
               }}
-              values={{ domain }}
+              values={{ cookieDomain }}
             />
           </CardDescription>
         </CardHeader>
@@ -76,7 +117,11 @@ export const ContinuePage = () => {
           >
             {t("continueTitle")}
           </Button>
-          <Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
+          <Button
+            onClick={() => navigate("/logout")}
+            variant="outline"
+            disabled={loading}
+          >
             {t("cancelTitle")}
           </Button>
         </CardFooter>
@@ -84,9 +129,9 @@ export const ContinuePage = () => {
     );
   }
 
-  if (url.protocol === "http:" && window.location.protocol === "https:") {
+  if (isHttpsDowngrade) {
     return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
         <CardHeader>
           <CardTitle className="text-3xl">
             {t("continueInsecureRedirectTitle")}
@@ -102,14 +147,14 @@ export const ContinuePage = () => {
           </CardDescription>
         </CardHeader>
         <CardFooter className="flex flex-col items-stretch gap-2">
-          <Button
-            onClick={handleRedirect}
-            loading={loading}
-            variant="warning"
-          >
+          <Button onClick={handleRedirect} loading={loading} variant="warning">
             {t("continueTitle")}
           </Button>
-          <Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
+          <Button
+            onClick={() => navigate("/logout")}
+            variant="outline"
+            disabled={loading}
+          >
             {t("cancelTitle")}
           </Button>
         </CardFooter>
@@ -120,17 +165,18 @@ export const ContinuePage = () => {
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>
-        <CardTitle className="text-3xl">{t("continueTitle")}</CardTitle>
-        <CardDescription>{t("continueSubtitle")}</CardDescription>
+        <CardTitle className="text-3xl">
+          {t("continueRedirectingTitle")}
+        </CardTitle>
+        <CardDescription>{t("continueRedirectingSubtitle")}</CardDescription>
       </CardHeader>
-      <CardFooter className="flex flex-col items-stretch">
-        <Button
-          onClick={handleRedirect}
-          loading={loading}
-        >
-          {t("continueTitle")}
-        </Button>
-      </CardFooter>
+      {showRedirectButton && (
+        <CardFooter className="flex flex-col items-stretch">
+          <Button onClick={handleRedirect}>
+            {t("continueRedirectManually")}
+          </Button>
+        </CardFooter>
+      )}
     </Card>
   );
 };

frontend/src/pages/login-page.tsx

@@ -17,23 +17,21 @@ import { useIsMounted } from "@/lib/hooks/use-is-mounted";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect } from "react";
+import { useEffect, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 
 export const LoginPage = () => {
   const { isLoggedIn } = useUserContext();
-
-  if (isLoggedIn) {
-    return <Navigate to="/logout" />;
-  }
-
-  const { configuredProviders, title, oauthAutoRedirect, genericName } = useAppContext();
+  const { configuredProviders, title, oauthAutoRedirect, genericName } =
+    useAppContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const isMounted = useIsMounted();
 
+  const redirectTimer = useRef<number | null>(null);
+
   const searchParams = new URLSearchParams(search);
   const redirectUri = searchParams.get("redirect_uri");
 
@@ -53,8 +51,8 @@ export const LoginPage = () => {
         description: t("loginOauthSuccessSubtitle"),
       });
 
-      setTimeout(() => {
-        window.location.href = data.data.url;
+      redirectTimer.current = window.setTimeout(() => {
+        window.location.replace(data.data.url);
       }, 500);
     },
     onError: () => {
@@ -79,7 +77,7 @@ export const LoginPage = () => {
         description: t("loginSuccessSubtitle"),
       });
 
-      setTimeout(() => {
+      redirectTimer.current = window.setTimeout(() => {
         window.location.replace(
           `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
         );
@@ -100,6 +98,7 @@ export const LoginPage = () => {
       if (
         oauthConfigured &&
         configuredProviders.includes(oauthAutoRedirect) &&
+        !isLoggedIn &&
         redirectUri
       ) {
         oauthMutation.mutate(oauthAutoRedirect);
@@ -107,6 +106,26 @@ export const LoginPage = () => {
     }
   }, []);
 
+  useEffect(
+    () => () => {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+    },
+    [],
+  );
+
+  if (isLoggedIn && redirectUri) {
+    return (
+      <Navigate
+        to={`/continue?redirect_uri=${encodeURIComponent(redirectUri)}`}
+        replace
+      />
+    );
+  }
+
+  if (isLoggedIn) {
+    return <Navigate to="/logout" replace />;
+  }
+
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>
@@ -126,7 +145,10 @@ export const LoginPage = () => {
                 icon={<GoogleIcon />}
                 className="w-full"
                 onClick={() => oauthMutation.mutate("google")}
-                loading={oauthMutation.isPending && oauthMutation.variables === "google"}
+                loading={
+                  oauthMutation.isPending &&
+                  oauthMutation.variables === "google"
+                }
                 disabled={oauthMutation.isPending || loginMutation.isPending}
               />
             )}
@@ -136,7 +158,10 @@ export const LoginPage = () => {
                 icon={<GithubIcon />}
                 className="w-full"
                 onClick={() => oauthMutation.mutate("github")}
-                loading={oauthMutation.isPending && oauthMutation.variables === "github"}
+                loading={
+                  oauthMutation.isPending &&
+                  oauthMutation.variables === "github"
+                }
                 disabled={oauthMutation.isPending || loginMutation.isPending}
               />
             )}
@@ -146,7 +171,10 @@ export const LoginPage = () => {
                 icon={<GenericIcon />}
                 className="w-full"
                 onClick={() => oauthMutation.mutate("generic")}
-                loading={oauthMutation.isPending && oauthMutation.variables === "generic"}
+                loading={
+                  oauthMutation.isPending &&
+                  oauthMutation.variables === "generic"
+                }
                 disabled={oauthMutation.isPending || loginMutation.isPending}
               />
             )}

frontend/src/pages/logout-page.tsx

@@ -11,20 +11,18 @@ import { useUserContext } from "@/context/user-context";
 import { capitalize } from "@/lib/utils";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
+import { useEffect, useRef } from "react";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate } from "react-router";
 import { toast } from "sonner";
 
 export const LogoutPage = () => {
   const { provider, username, isLoggedIn, email } = useUserContext();
-
-  if (!isLoggedIn) {
-    return <Navigate to="/login" />;
-  }
-
   const { genericName } = useAppContext();
   const { t } = useTranslation();
 
+  const redirectTimer = useRef<number | null>(null);
+
   const logoutMutation = useMutation({
     mutationFn: () => axios.post("/api/user/logout"),
     mutationKey: ["logout"],
@@ -33,8 +31,8 @@ export const LogoutPage = () => {
         description: t("logoutSuccessSubtitle"),
       });
 
-      setTimeout(async () => {
-        window.location.replace("/login");
+      redirectTimer.current = window.setTimeout(() => {
+        window.location.assign("/login");
       }, 500);
     },
     onError: () => {
@@ -44,6 +42,17 @@ export const LogoutPage = () => {
     },
   });
 
+  useEffect(
+    () => () => {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+    },
+    [],
+  );
+
+  if (!isLoggedIn) {
+    return <Navigate to="/login" replace />;
+  }
+
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>

frontend/src/pages/totp-page.tsx

@@ -12,22 +12,19 @@ import { useUserContext } from "@/context/user-context";
 import { TotpSchema } from "@/schemas/totp-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
-import { useId } from "react";
+import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 
 export const TotpPage = () => {
   const { totpPending } = useUserContext();
-
-  if (!totpPending) {
-    return <Navigate to="/" />;
-  }
-
   const { t } = useTranslation();
   const { search } = useLocation();
   const formId = useId();
 
+  const redirectTimer = useRef<number | null>(null);
+
   const searchParams = new URLSearchParams(search);
   const redirectUri = searchParams.get("redirect_uri");
 
@@ -39,7 +36,7 @@ export const TotpPage = () => {
         description: t("totpSuccessSubtitle"),
       });
 
-      setTimeout(() => {
+      redirectTimer.current = window.setTimeout(() => {
         window.location.replace(
           `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
         );
@@ -52,6 +49,17 @@ export const TotpPage = () => {
     },
   });
 
+  useEffect(
+    () => () => {
+      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+    },
+    [],
+  );
+
+  if (!totpPending) {
+    return <Navigate to="/" replace />;
+  }
+
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>

frontend/src/pages/unauthorized-page.tsx

@@ -12,6 +12,10 @@ import { Navigate, useLocation, useNavigate } from "react-router";
 
 export const UnauthorizedPage = () => {
   const { search } = useLocation();
+  const { t } = useTranslation();
+  const navigate = useNavigate();
+
+  const [loading, setLoading] = useState(false);
 
   const searchParams = new URLSearchParams(search);
   const username = searchParams.get("username");
@@ -19,19 +23,15 @@ export const UnauthorizedPage = () => {
   const groupErr = searchParams.get("groupErr");
   const ip = searchParams.get("ip");
 
-  if (!username && !ip) {
-    return <Navigate to="/" />;
-  }
-
-  const { t } = useTranslation();
-  const navigate = useNavigate();
-  const [loading, setLoading] = useState(false);
-
   const handleRedirect = () => {
     setLoading(true);
     navigate("/login");
   };
 
+  if (!username && !ip) {
+    return <Navigate to="/" />;
+  }
+
   let i18nKey = "unauthorizedLoginSubtitle";
 
   if (resource) {

frontend/src/schemas/app-context-schema.ts

@@ -2,10 +2,10 @@ import { z } from "zod";
 
 export const appContextSchema = z.object({
   configuredProviders: z.array(z.string()),
-  disableContinue: z.boolean(),
   title: z.string(),
   genericName: z.string(),
-  domain: z.string(),
+  appUrl: z.string(),
+  cookieDomain: z.string(),
   forgotPasswordMessage: z.string(),
   oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
   backgroundImage: z.string(),

go.mod

@@ -1,10 +1,13 @@
 module tinyauth
 
-go 1.23.2
+go 1.24.0
+
+toolchain go1.24.3
 
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/gin-gonic/gin v1.10.1
+	github.com/glebarez/sqlite v1.11.0
 	github.com/go-playground/validator/v10 v10.27.0
 	github.com/golang-migrate/migrate/v4 v4.18.3
 	github.com/google/go-querystring v1.1.0
@@ -14,10 +17,11 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/traefik/paerser v0.2.2
-	golang.org/x/crypto v0.41.0
-	gorm.io/driver/sqlite v1.6.0
+	github.com/weppos/publicsuffix-go v0.50.0
+	golang.org/x/crypto v0.42.0
+	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	gorm.io/gorm v1.30.1
-	modernc.org/sqlite v1.38.2
+	gotest.tools/v3 v3.5.2
 )
 
 require (
@@ -28,9 +32,9 @@ require (
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
-	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
@@ -44,12 +48,11 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/term v0.34.0 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
+	golang.org/x/term v0.35.0 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.38.2 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
 
@@ -86,8 +89,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/gorilla/sessions v1.4.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
@@ -125,11 +126,11 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
-	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/net v0.44.0 // indirect
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -132,16 +132,10 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
-github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
-github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -286,6 +280,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/weppos/publicsuffix-go v0.50.0 h1:M178k6l8cnh9T1c1cStkhytVxdk5zPd6gGZf8ySIuVo=
+github.com/weppos/publicsuffix-go v0.50.0/go.mod h1:VXhClBYMlDrUsome4pOTpe68Ui0p6iQRAbyHQD1yKoU=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -317,27 +313,27 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
+golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -345,22 +341,22 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
 golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -380,8 +376,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
-gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
 gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
 gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=

internal/bootstrap/app_bootstrap.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"fmt"
+	"net/url"
 	"strings"
 	"tinyauth/internal/config"
 	"tinyauth/internal/controller"
@@ -44,15 +45,16 @@ func (app *BootstrapApp) Setup() error {
 		return err
 	}
 
-	// Get domain
-	domain, err := utils.GetUpperDomain(app.Config.AppURL)
+	// Get cookie domain
+	cookieDomain, err := utils.GetCookieDomain(app.Config.AppURL)
 
 	if err != nil {
 		return err
 	}
 
 	// Cookie names
-	cookieId := utils.GenerateIdentifier(strings.Split(domain, ".")[0])
+	appUrl, _ := url.Parse(app.Config.AppURL) // Already validated
+	cookieId := utils.GenerateIdentifier(appUrl.Hostname())
 	sessionCookieName := fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
 	csrfCookieName := fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
 	redirectCookieName := fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
@@ -63,7 +65,7 @@ func (app *BootstrapApp) Setup() error {
 		OauthWhitelist:    app.Config.OAuthWhitelist,
 		SessionExpiry:     app.Config.SessionExpiry,
 		SecureCookie:      app.Config.SecureCookie,
-		Domain:            domain,
+		CookieDomain:      cookieDomain,
 		LoginTimeout:      app.Config.LoginTimeout,
 		LoginMaxRetries:   app.Config.LoginMaxRetries,
 		SessionCookieName: sessionCookieName,
@@ -144,6 +146,7 @@ func (app *BootstrapApp) Setup() error {
 
 	// Create engine
 	engine := gin.New()
+	engine.SetTrustedProxies(strings.Split(app.Config.TrustedProxies, ","))
 
 	if config.Version != "development" {
 		gin.SetMode(gin.ReleaseMode)
@@ -153,7 +156,7 @@ func (app *BootstrapApp) Setup() error {
 	var middlewares []Middleware
 
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		Domain: domain,
+		CookieDomain: cookieDomain,
 	}, authService, oauthBrokerService)
 
 	uiMiddleware := middleware.NewUIMiddleware()
@@ -177,10 +180,10 @@ func (app *BootstrapApp) Setup() error {
 	// Create controllers
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
 		ConfiguredProviders:   configuredProviders,
-		DisableContinue:       app.Config.DisableContinue,
 		Title:                 app.Config.Title,
 		GenericName:           app.Config.GenericName,
-		Domain:                domain,
+		AppURL:                app.Config.AppURL,
+		CookieDomain:          cookieDomain,
 		ForgotPasswordMessage: app.Config.ForgotPasswordMessage,
 		BackgroundImage:       app.Config.BackgroundImage,
 		OAuthAutoRedirect:     app.Config.OAuthAutoRedirect,
@@ -191,7 +194,7 @@ func (app *BootstrapApp) Setup() error {
 		SecureCookie:       app.Config.SecureCookie,
 		CSRFCookieName:     csrfCookieName,
 		RedirectCookieName: redirectCookieName,
-		Domain:             domain,
+		CookieDomain:       cookieDomain,
 	}, apiRouter, authService, oauthBrokerService)
 
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
@@ -199,7 +202,7 @@ func (app *BootstrapApp) Setup() error {
 	}, apiRouter, dockerService, authService)
 
 	userController := controller.NewUserController(controller.UserControllerConfig{
-		Domain: domain,
+		CookieDomain: cookieDomain,
 	}, apiRouter, authService)
 
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{

internal/config/config.go

@@ -36,7 +36,6 @@ type Config struct {
 	GenericUserURL          string `mapstructure:"generic-user-url"`
 	GenericName             string `mapstructure:"generic-name"`
 	GenericSkipSSL          bool   `mapstructure:"generic-skip-ssl"`
-	DisableContinue         bool   `mapstructure:"disable-continue"`
 	OAuthWhitelist          string `mapstructure:"oauth-whitelist"`
 	OAuthAutoRedirect       string `mapstructure:"oauth-auto-redirect" validate:"oneof=none github google generic"`
 	SessionExpiry           int    `mapstructure:"session-expiry"`
@@ -54,6 +53,7 @@ type Config struct {
 	LdapSearchFilter        string `mapstructure:"ldap-search-filter"`
 	ResourcesDir            string `mapstructure:"resources-dir"`
 	DatabasePath            string `mapstructure:"database-path" validate:"required"`
+	TrustedProxies          string `mapstructure:"trusted-proxies"`
 }
 
 // OAuth/OIDC config
@@ -126,51 +126,61 @@ type RedirectQuery struct {
 
 // Labels
 
-type Labels struct {
-	Apps map[string]AppLabels
+type Apps struct {
+	Apps map[string]App
 }
 
-type AppLabels struct {
-	Config   ConfigLabels
-	Users    UsersLabels
-	OAuth    OAuthLabels
-	IP       IPLabels
-	Response ResponseLabels
-	Path     PathLabels
+type App struct {
+	Config   AppConfig
+	Users    AppUsers
+	OAuth    AppOAuth
+	IP       AppIP
+	Response AppResponse
+	Path     AppPath
 }
 
-type ConfigLabels struct {
+type AppConfig struct {
 	Domain string
 }
 
-type UsersLabels struct {
+type AppUsers struct {
 	Allow string
 	Block string
 }
 
-type OAuthLabels struct {
+type AppOAuth struct {
 	Whitelist string
 	Groups    string
 }
 
-type IPLabels struct {
+type AppIP struct {
 	Allow  []string
 	Block  []string
 	Bypass []string
 }
 
-type ResponseLabels struct {
+type AppResponse struct {
 	Headers   []string
-	BasicAuth BasicAuthLabels
+	BasicAuth AppBasicAuth
 }
 
-type BasicAuthLabels struct {
+type AppBasicAuth struct {
 	Username     string
 	Password     string
 	PasswordFile string
 }
 
-type PathLabels struct {
+type AppPath struct {
 	Allow string
 	Block string
 }
+
+// Flags
+
+type Providers struct {
+	Providers map[string]ProviderConfig
+}
+
+type ProviderConfig struct {
+	Config OAuthServiceConfig
+}

internal/controller/context_controller.go

@@ -1,6 +1,8 @@
 package controller
 
 import (
+	"fmt"
+	"net/url"
 	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
@@ -15,7 +17,7 @@ type UserContextResponse struct {
 	Name        string `json:"name"`
 	Email       string `json:"email"`
 	Provider    string `json:"provider"`
-	Oauth       bool   `json:"oauth"`
+	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 }
 
@@ -23,10 +25,10 @@ type AppContextResponse struct {
 	Status                int      `json:"status"`
 	Message               string   `json:"message"`
 	ConfiguredProviders   []string `json:"configuredProviders"`
-	DisableContinue       bool     `json:"disableContinue"`
 	Title                 string   `json:"title"`
 	GenericName           string   `json:"genericName"`
-	Domain                string   `json:"domain"`
+	AppURL                string   `json:"appUrl"`
+	CookieDomain          string   `json:"cookieDomain"`
 	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
 	BackgroundImage       string   `json:"backgroundImage"`
 	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
@@ -34,29 +36,29 @@ type AppContextResponse struct {
 
 type ContextControllerConfig struct {
 	ConfiguredProviders   []string
-	DisableContinue       bool
 	Title                 string
 	GenericName           string
-	Domain                string
+	AppURL                string
+	CookieDomain          string
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
 }
 
 type ContextController struct {
-	Config ContextControllerConfig
-	Router *gin.RouterGroup
+	config ContextControllerConfig
+	router *gin.RouterGroup
 }
 
 func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
 	return &ContextController{
-		Config: config,
-		Router: router,
+		config: config,
+		router: router,
 	}
 }
 
 func (controller *ContextController) SetupRoutes() {
-	contextGroup := controller.Router.Group("/context")
+	contextGroup := controller.router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
 }
@@ -72,7 +74,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		Name:        context.Name,
 		Email:       context.Email,
 		Provider:    context.Provider,
-		Oauth:       context.OAuth,
+		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 	}
 
@@ -89,16 +91,18 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 }
 
 func (controller *ContextController) appContextHandler(c *gin.Context) {
+	appUrl, _ := url.Parse(controller.config.AppURL) // no need to check error, validated on startup
+
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		ConfiguredProviders:   controller.Config.ConfiguredProviders,
-		DisableContinue:       controller.Config.DisableContinue,
-		Title:                 controller.Config.Title,
-		GenericName:           controller.Config.GenericName,
-		Domain:                controller.Config.Domain,
-		ForgotPasswordMessage: controller.Config.ForgotPasswordMessage,
-		BackgroundImage:       controller.Config.BackgroundImage,
-		OAuthAutoRedirect:     controller.Config.OAuthAutoRedirect,
+		ConfiguredProviders:   controller.config.ConfiguredProviders,
+		Title:                 controller.config.Title,
+		GenericName:           controller.config.GenericName,
+		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
+		CookieDomain:          controller.config.CookieDomain,
+		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
+		BackgroundImage:       controller.config.BackgroundImage,
+		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
 	})
 }

internal/controller/context_controller_test.go

@@ -0,0 +1,135 @@
+package controller_test
+
+import (
+	"encoding/json"
+	"net/http/httptest"
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/controller"
+
+	"github.com/gin-gonic/gin"
+	"gotest.tools/v3/assert"
+)
+
+var controllerCfg = controller.ContextControllerConfig{
+	ConfiguredProviders:   []string{"github", "google", "generic"},
+	Title:                 "Test App",
+	GenericName:           "Generic",
+	AppURL:                "http://localhost:8080",
+	CookieDomain:          "localhost",
+	ForgotPasswordMessage: "Contact admin to reset your password.",
+	BackgroundImage:       "/assets/bg.jpg",
+	OAuthAutoRedirect:     "google",
+}
+
+var userContext = config.UserContext{
+	Username:    "testuser",
+	Name:        "testuser",
+	Email:       "test@example.com",
+	IsLoggedIn:  true,
+	OAuth:       false,
+	Provider:    "username",
+	TotpPending: false,
+	OAuthGroups: "",
+	TotpEnabled: false,
+}
+
+func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
+	// Setup
+	gin.SetMode(gin.TestMode)
+	router := gin.Default()
+	recorder := httptest.NewRecorder()
+
+	if middlewares != nil {
+		for _, m := range *middlewares {
+			router.Use(m)
+		}
+	}
+
+	group := router.Group("/api")
+
+	ctrl := controller.NewContextController(controllerCfg, group)
+	ctrl.SetupRoutes()
+
+	return router, recorder
+}
+
+func TestAppContextHandler(t *testing.T) {
+	expectedRes := controller.AppContextResponse{
+		Status:                200,
+		Message:               "Success",
+		ConfiguredProviders:   controllerCfg.ConfiguredProviders,
+		Title:                 controllerCfg.Title,
+		GenericName:           controllerCfg.GenericName,
+		AppURL:                controllerCfg.AppURL,
+		CookieDomain:          controllerCfg.CookieDomain,
+		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
+		BackgroundImage:       controllerCfg.BackgroundImage,
+		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
+	}
+
+	router, recorder := setupContextController(nil)
+	req := httptest.NewRequest("GET", "/api/context/app", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	var ctrlRes controller.AppContextResponse
+
+	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
+}
+
+func TestUserContextHandler(t *testing.T) {
+	expectedRes := controller.UserContextResponse{
+		Status:      200,
+		Message:     "Success",
+		IsLoggedIn:  userContext.IsLoggedIn,
+		Username:    userContext.Username,
+		Name:        userContext.Name,
+		Email:       userContext.Email,
+		Provider:    userContext.Provider,
+		OAuth:       userContext.OAuth,
+		TotpPending: userContext.TotpPending,
+	}
+
+	// Test with context
+	router, recorder := setupContextController(&[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &userContext)
+			c.Next()
+		},
+	})
+
+	req := httptest.NewRequest("GET", "/api/context/user", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	var ctrlRes controller.UserContextResponse
+
+	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
+
+	// Test no context
+	expectedRes = controller.UserContextResponse{
+		Status:     401,
+		Message:    "Unauthorized",
+		IsLoggedIn: false,
+	}
+
+	router, recorder = setupContextController(nil)
+	req = httptest.NewRequest("GET", "/api/context/user", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
+}

internal/controller/health_controller.go

@@ -3,18 +3,18 @@ package controller
 import "github.com/gin-gonic/gin"
 
 type HealthController struct {
-	Router *gin.RouterGroup
+	router *gin.RouterGroup
 }
 
 func NewHealthController(router *gin.RouterGroup) *HealthController {
 	return &HealthController{
-		Router: router,
+		router: router,
 	}
 }
 
 func (controller *HealthController) SetupRoutes() {
-	controller.Router.GET("/health", controller.healthHandler)
-	controller.Router.HEAD("/health", controller.healthHandler)
+	controller.router.GET("/health", controller.healthHandler)
+	controller.router.HEAD("/health", controller.healthHandler)
 }
 
 func (controller *HealthController) healthHandler(c *gin.Context) {

internal/controller/oauth_controller.go

@@ -23,27 +23,27 @@ type OAuthControllerConfig struct {
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
-	Domain             string
+	CookieDomain       string
 }
 
 type OAuthController struct {
-	Config OAuthControllerConfig
-	Router *gin.RouterGroup
-	Auth   *service.AuthService
-	Broker *service.OAuthBrokerService
+	config OAuthControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
+	broker *service.OAuthBrokerService
 }
 
 func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService, broker *service.OAuthBrokerService) *OAuthController {
 	return &OAuthController{
-		Config: config,
-		Router: router,
-		Auth:   auth,
-		Broker: broker,
+		config: config,
+		router: router,
+		auth:   auth,
+		broker: broker,
 	}
 }
 
 func (controller *OAuthController) SetupRoutes() {
-	oauthGroup := controller.Router.Group("/oauth")
+	oauthGroup := controller.router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
 }
@@ -61,7 +61,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	service, exists := controller.Broker.GetService(req.Provider)
+	service, exists := controller.broker.GetService(req.Provider)
 
 	if !exists {
 		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 
 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
-	c.SetCookie(controller.Config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 
 	redirectURI := c.Query("redirect_uri")
 
-	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
+	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("Setting redirect URI cookie")
-		c.SetCookie(controller.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
+		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	}
 
 	c.JSON(200, gin.H{
@@ -104,58 +104,59 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	}
 
 	state := c.Query("state")
-	csrfCookie, err := c.Cookie(controller.Config.CSRFCookieName)
+	csrfCookie, err := c.Cookie(controller.config.CSRFCookieName)
 
 	if err != nil || state != csrfCookie {
 		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.Config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 
 	code := c.Query("code")
-	service, exists := controller.Broker.GetService(req.Provider)
+	service, exists := controller.broker.GetService(req.Provider)
 
 	if !exists {
 		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	err = service.VerifyCode(code)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to verify OAuth code")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	user, err := controller.Broker.GetUser(req.Provider)
+	user, err := controller.broker.GetUser(req.Provider)
 
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get user from OAuth provider")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	if user.Email == "" {
 		log.Error().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	if !controller.Auth.IsEmailWhitelisted(user.Email) {
+	if !controller.auth.IsEmailWhitelisted(user.Email) {
 		queries, err := query.Values(config.UnauthorizedQuery{
 			Username: user.Email,
 		})
 
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 
@@ -169,29 +170,35 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}
 
-	var usename string
+	var username string
 
 	if user.PreferredUsername != "" {
 		log.Debug().Msg("Using preferred username from OAuth provider")
-		usename = user.PreferredUsername
+		username = user.PreferredUsername
 	} else {
 		log.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
-		usename = strings.Replace(user.Email, "@", "_", -1)
+		username = strings.Replace(user.Email, "@", "_", -1)
 	}
 
-	controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
-		Username:    usename,
+	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
+		Username:    username,
 		Name:        name,
 		Email:       user.Email,
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 	})
 
-	redirectURI, err := c.Cookie(controller.Config.RedirectCookieName)
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		return
+	}
 
-	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
+	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
+
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
-		c.Redirect(http.StatusTemporaryRedirect, controller.Config.AppURL)
+		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
 	}
 
@@ -201,10 +208,10 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to encode redirect URI query")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.Config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.Config.Domain), controller.Config.SecureCookie, true)
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.Config.AppURL, queries.Encode()))
+	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 }

internal/controller/proxy_controller.go

@@ -22,23 +22,23 @@ type ProxyControllerConfig struct {
 }
 
 type ProxyController struct {
-	Config ProxyControllerConfig
-	Router *gin.RouterGroup
-	Docker *service.DockerService
-	Auth   *service.AuthService
+	config ProxyControllerConfig
+	router *gin.RouterGroup
+	docker *service.DockerService
+	auth   *service.AuthService
 }
 
 func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, docker *service.DockerService, auth *service.AuthService) *ProxyController {
 	return &ProxyController{
-		Config: config,
-		Router: router,
-		Docker: docker,
-		Auth:   auth,
+		config: config,
+		router: router,
+		docker: docker,
+		auth:   auth,
 	}
 }
 
 func (controller *ProxyController) SetupRoutes() {
-	proxyGroup := controller.Router.Group("/auth")
+	proxyGroup := controller.router.Group("/auth")
 	proxyGroup.GET("/:proxy", controller.proxyHandler)
 }
 
@@ -55,6 +55,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
+	if req.Proxy != "nginx" && req.Proxy != "traefik" && req.Proxy != "caddy" {
+		log.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
 	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
 
 	if isBrowser {
@@ -67,44 +76,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proto := c.Request.Header.Get("X-Forwarded-Proto")
 	host := c.Request.Header.Get("X-Forwarded-Host")
 
-	hostWithoutPort := strings.Split(host, ":")[0]
-	id := strings.Split(hostWithoutPort, ".")[0]
-
-	labels, err := controller.Docker.GetLabels(id, hostWithoutPort)
+	labels, err := controller.docker.GetLabels(host)
 
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get labels from Docker")
-
-		if req.Proxy == "nginx" || !isBrowser {
-			c.JSON(500, gin.H{
-				"status":  500,
-				"message": "Internal Server Error",
-			})
-			return
-		}
-
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		controller.handleError(c, req, isBrowser)
 		return
 	}
 
 	clientIP := c.ClientIP()
 
-	if controller.Auth.IsBypassedIP(labels.IP, clientIP) {
-		c.Header("Authorization", c.Request.Header.Get("Authorization"))
-
-		headers := utils.ParseHeaders(labels.Response.Headers)
-
-		for key, value := range headers {
-			log.Debug().Str("header", key).Msg("Setting header")
-			c.Header(key, value)
-		}
-
-		basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
-		if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
-			log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
-			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
-		}
-
+	if controller.auth.IsBypassedIP(labels.IP, clientIP) {
+		controller.setHeaders(c, labels)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -112,41 +95,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.Auth.IsAuthEnabled(uri, labels.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(uri, labels.Path)
 
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
-
-		if req.Proxy == "nginx" || !isBrowser {
-			c.JSON(500, gin.H{
-				"status":  500,
-				"message": "Internal Server Error",
-			})
-			return
-		}
-
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		controller.handleError(c, req, isBrowser)
 		return
 	}
 
 	if !authEnabled {
 		log.Debug().Msg("Authentication disabled for resource, allowing access")
-
-		c.Header("Authorization", c.Request.Header.Get("Authorization"))
-
-		headers := utils.ParseHeaders(labels.Response.Headers)
-
-		for key, value := range headers {
-			log.Debug().Str("header", key).Msg("Setting header")
-			c.Header(key, value)
-		}
-
-		basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
-		if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
-			log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
-			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
-		}
-
+		controller.setHeaders(c, labels)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -154,7 +113,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.Auth.CheckIP(labels.IP, clientIP) {
+	if !controller.auth.CheckIP(labels.IP, clientIP) {
 		if req.Proxy == "nginx" || !isBrowser {
 			c.JSON(401, gin.H{
 				"status":  401,
@@ -170,11 +129,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 
@@ -197,7 +156,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if userContext.IsLoggedIn {
-		appAllowed := controller.Auth.IsResourceAllowed(c, userContext, labels)
+		appAllowed := controller.auth.IsResourceAllowed(c, userContext, labels)
 
 		if !appAllowed {
 			log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
@@ -214,24 +173,24 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				Resource: strings.Split(host, ".")[0],
 			})
 
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to encode unauthorized query")
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+				return
+			}
+
 			if userContext.OAuth {
 				queries.Set("username", userContext.Email)
 			} else {
 				queries.Set("username", userContext.Username)
 			}
 
-			if err != nil {
-				log.Error().Err(err).Msg("Failed to encode unauthorized query")
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
-				return
-			}
-
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 			return
 		}
 
 		if userContext.OAuth {
-			groupOK := controller.Auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
+			groupOK := controller.auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
 
 			if !groupOK {
 				log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -249,41 +208,29 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					GroupErr: true,
 				})
 
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to encode unauthorized query")
+					c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+					return
+				}
+
 				if userContext.OAuth {
 					queries.Set("username", userContext.Email)
 				} else {
 					queries.Set("username", userContext.Username)
 				}
 
-				if err != nil {
-					log.Error().Err(err).Msg("Failed to encode unauthorized query")
-					c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
-					return
-				}
-
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 				return
 			}
 		}
 
-		c.Header("Authorization", c.Request.Header.Get("Authorization"))
 		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
 
-		headers := utils.ParseHeaders(labels.Response.Headers)
-
-		for key, value := range headers {
-			log.Debug().Str("header", key).Msg("Setting header")
-			c.Header(key, value)
-		}
-
-		basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
-		if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
-			log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
-			c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
-		}
+		controller.setHeaders(c, labels)
 
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -306,9 +253,39 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to encode redirect URI query")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.Config.AppURL, queries.Encode()))
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode()))
+}
+
+func (controller *ProxyController) setHeaders(c *gin.Context, labels config.App) {
+	c.Header("Authorization", c.Request.Header.Get("Authorization"))
+
+	headers := utils.ParseHeaders(labels.Response.Headers)
+
+	for key, value := range headers {
+		log.Debug().Str("header", key).Msg("Setting header")
+		c.Header(key, value)
+	}
+
+	basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
+
+	if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
+		log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
+		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
+	}
+}
+
+func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrowser bool) {
+	if req.Proxy == "nginx" || !isBrowser {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 }

internal/controller/proxy_controller_test.go

@@ -0,0 +1,164 @@
+package controller_test
+
+import (
+	"net/http/httptest"
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/controller"
+	"tinyauth/internal/service"
+
+	"github.com/gin-gonic/gin"
+	"gotest.tools/v3/assert"
+)
+
+func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
+	// Setup
+	gin.SetMode(gin.TestMode)
+	router := gin.Default()
+
+	if middlewares != nil {
+		for _, m := range *middlewares {
+			router.Use(m)
+		}
+	}
+
+	group := router.Group("/api")
+	recorder := httptest.NewRecorder()
+
+	// Database
+	databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
+		DatabasePath: "/tmp/tinyauth_test.db",
+	})
+
+	assert.NilError(t, databaseService.Init())
+
+	database := databaseService.GetDatabase()
+
+	// Docker
+	dockerService := service.NewDockerService()
+
+	assert.NilError(t, dockerService.Init())
+
+	// Auth service
+	authService := service.NewAuthService(service.AuthServiceConfig{
+		Users: []config.User{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
+			},
+		},
+		OauthWhitelist:    "",
+		SessionExpiry:     3600,
+		SecureCookie:      false,
+		CookieDomain:      "localhost",
+		LoginTimeout:      300,
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}, dockerService, nil, database)
+
+	// Controller
+	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
+		AppURL: "http://localhost:8080",
+	}, group, dockerService, authService)
+	ctrl.SetupRoutes()
+
+	return router, recorder, authService
+}
+
+func TestProxyHandler(t *testing.T) {
+	// Setup
+	router, recorder, authService := setupProxyController(t, nil)
+
+	// Test invalid proxy
+	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 400, recorder.Code)
+
+	// Test logged out user (traefik/caddy)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (nginx)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+
+	// Test logged in user
+	c := gin.CreateTestContextOnly(recorder, router)
+
+	err := authService.CreateSessionCookie(c, &config.SessionCookie{
+		Username:    "testuser",
+		Name:        "testuser",
+		Email:       "testuser@example.com",
+		Provider:    "username",
+		TotpPending: false,
+		OAuthGroups: "",
+	})
+
+	assert.NilError(t, err)
+
+	cookie := c.Writer.Header().Get("Set-Cookie")
+
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "username",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: false,
+			})
+			c.Next()
+		},
+	})
+
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.Header.Set("Cookie", cookie)
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
+	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
+
+	// Ensure basic auth is disabled for TOTP enabled users
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "basic",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: true,
+			})
+			c.Next()
+		},
+	})
+
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.SetBasicAuth("testuser", "test")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+}

internal/controller/resources_controller.go

@@ -11,32 +11,32 @@ type ResourcesControllerConfig struct {
 }
 
 type ResourcesController struct {
-	Config     ResourcesControllerConfig
-	Router     *gin.RouterGroup
-	FileServer http.Handler
+	config     ResourcesControllerConfig
+	router     *gin.RouterGroup
+	fileServer http.Handler
 }
 
 func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
 	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.ResourcesDir)))
 
 	return &ResourcesController{
-		Config:     config,
-		Router:     router,
-		FileServer: fileServer,
+		config:     config,
+		router:     router,
+		fileServer: fileServer,
 	}
 }
 
 func (controller *ResourcesController) SetupRoutes() {
-	controller.Router.GET("/resources/*resource", controller.resourcesHandler)
+	controller.router.GET("/resources/*resource", controller.resourcesHandler)
 }
 
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.Config.ResourcesDir == "" {
+	if controller.config.ResourcesDir == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	controller.FileServer.ServeHTTP(c.Writer, c.Request)
+	controller.fileServer.ServeHTTP(c.Writer, c.Request)
 }

internal/controller/resources_controller_test.go

@@ -0,0 +1,57 @@
+package controller_test
+
+import (
+	"net/http/httptest"
+	"os"
+	"testing"
+	"tinyauth/internal/controller"
+
+	"github.com/gin-gonic/gin"
+	"gotest.tools/v3/assert"
+)
+
+func TestResourcesHandler(t *testing.T) {
+	// Setup
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	group := router.Group("/")
+
+	ctrl := controller.NewResourcesController(controller.ResourcesControllerConfig{
+		ResourcesDir: "/tmp/tinyauth",
+	}, group)
+	ctrl.SetupRoutes()
+
+	// Create test data
+	err := os.Mkdir("/tmp/tinyauth", 0755)
+	assert.NilError(t, err)
+	defer os.RemoveAll("/tmp/tinyauth")
+
+	file, err := os.Create("/tmp/tinyauth/test.txt")
+	assert.NilError(t, err)
+
+	_, err = file.WriteString("This is a test file.")
+	assert.NilError(t, err)
+	file.Close()
+
+	// Test existing file
+	req := httptest.NewRequest("GET", "/resources/test.txt", nil)
+	recorder := httptest.NewRecorder()
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+	assert.Equal(t, "This is a test file.", recorder.Body.String())
+
+	// Test non-existing file
+	req = httptest.NewRequest("GET", "/resources/nonexistent.txt", nil)
+	recorder = httptest.NewRecorder()
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 404, recorder.Code)
+
+	// Test directory traversal attack
+	req = httptest.NewRequest("GET", "/resources/../etc/passwd", nil)
+	recorder = httptest.NewRecorder()
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 404, recorder.Code)
+}

internal/controller/user_controller.go

@@ -22,25 +22,25 @@ type TotpRequest struct {
 }
 
 type UserControllerConfig struct {
-	Domain string
+	CookieDomain string
 }
 
 type UserController struct {
-	Config UserControllerConfig
-	Router *gin.RouterGroup
-	Auth   *service.AuthService
+	config UserControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
 }
 
 func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
 	return &UserController{
-		Config: config,
-		Router: router,
-		Auth:   auth,
+		config: config,
+		router: router,
+		auth:   auth,
 	}
 }
 
 func (controller *UserController) SetupRoutes() {
-	userGroup := controller.Router.Group("/user")
+	userGroup := controller.router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
@@ -69,7 +69,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	log.Debug().Str("username", req.Username).Str("ip", clientIP).Msg("Login attempt")
 
-	isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
+	isLocked, remainingTime := controller.auth.IsAccountLocked(rateIdentifier)
 
 	if isLocked {
 		log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("Account is locked due to too many failed login attempts")
@@ -80,11 +80,11 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	userSearch := controller.Auth.SearchUser(req.Username)
+	userSearch := controller.auth.SearchUser(req.Username)
 
-	if userSearch.Type == "" {
+	if userSearch.Type == "unknown" {
 		log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("User not found")
-		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		controller.auth.RecordLoginAttempt(rateIdentifier, false)
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -92,9 +92,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.Auth.VerifyUser(userSearch, req.Password) {
+	if !controller.auth.VerifyUser(userSearch, req.Password) {
 		log.Warn().Str("username", req.Username).Str("ip", clientIP).Msg("Invalid password")
-		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		controller.auth.RecordLoginAttempt(rateIdentifier, false)
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -104,18 +104,18 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	log.Info().Str("username", req.Username).Str("ip", clientIP).Msg("Login successful")
 
-	controller.Auth.RecordLoginAttempt(rateIdentifier, true)
+	controller.auth.RecordLoginAttempt(rateIdentifier, true)
 
 	if userSearch.Type == "local" {
-		user := controller.Auth.GetLocalUser(userSearch.Username)
+		user := controller.auth.GetLocalUser(userSearch.Username)
 
 		if user.TotpSecret != "" {
 			log.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
 
-			err := controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+			err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 				Provider:    "username",
 				TotpPending: true,
 			})
@@ -138,10 +138,10 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})
 
@@ -163,7 +163,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 func (controller *UserController) logoutHandler(c *gin.Context) {
 	log.Debug().Msg("Logout request received")
 
-	controller.Auth.DeleteSessionCookie(c)
+	controller.auth.DeleteSessionCookie(c)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -214,24 +214,24 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	log.Debug().Str("username", context.Username).Str("ip", clientIP).Msg("TOTP verification attempt")
 
-	isLocked, remainingTime := controller.Auth.IsAccountLocked(rateIdentifier)
+	isLocked, remainingTime := controller.auth.IsAccountLocked(rateIdentifier)
 
 	if isLocked {
 		log.Warn().Str("username", context.Username).Str("ip", clientIP).Msg("Account is locked due to too many failed TOTP attempts")
 		c.JSON(429, gin.H{
 			"status":  429,
-			"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
+			"message": fmt.Sprintf("Too many failed TOTP attempts. Try again in %d seconds", remainingTime),
 		})
 		return
 	}
 
-	user := controller.Auth.GetLocalUser(context.Username)
+	user := controller.auth.GetLocalUser(context.Username)
 
 	ok := totp.Validate(req.Code, user.TotpSecret)
 
 	if !ok {
 		log.Warn().Str("username", context.Username).Str("ip", clientIP).Msg("Invalid TOTP code")
-		controller.Auth.RecordLoginAttempt(rateIdentifier, false)
+		controller.auth.RecordLoginAttempt(rateIdentifier, false)
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -241,12 +241,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	log.Info().Str("username", context.Username).Str("ip", clientIP).Msg("TOTP verification successful")
 
-	controller.Auth.RecordLoginAttempt(rateIdentifier, true)
+	controller.auth.RecordLoginAttempt(rateIdentifier, true)
 
-	err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.Config.Domain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
 		Provider: "username",
 	})
 

internal/controller/user_controller_test.go

@@ -0,0 +1,297 @@
+package controller_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+	"tinyauth/internal/config"
+	"tinyauth/internal/controller"
+	"tinyauth/internal/service"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pquerna/otp/totp"
+	"gotest.tools/v3/assert"
+)
+
+var cookieValue string
+var totpSecret = "6WFZXPEZRK5MZHHYAFW4DAOUYQMCASBJ"
+
+func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
+	// Setup
+	gin.SetMode(gin.TestMode)
+	router := gin.Default()
+
+	if middlewares != nil {
+		for _, m := range *middlewares {
+			router.Use(m)
+		}
+	}
+
+	group := router.Group("/api")
+	recorder := httptest.NewRecorder()
+
+	// Database
+	databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
+		DatabasePath: "/tmp/tinyauth_test.db",
+	})
+
+	assert.NilError(t, databaseService.Init())
+
+	database := databaseService.GetDatabase()
+
+	// Auth service
+	authService := service.NewAuthService(service.AuthServiceConfig{
+		Users: []config.User{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
+				TotpSecret: totpSecret,
+			},
+		},
+		OauthWhitelist:    "",
+		SessionExpiry:     3600,
+		SecureCookie:      false,
+		CookieDomain:      "localhost",
+		LoginTimeout:      300,
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}, nil, nil, database)
+
+	// Controller
+	ctrl := controller.NewUserController(controller.UserControllerConfig{
+		CookieDomain: "localhost",
+	}, group, authService)
+	ctrl.SetupRoutes()
+
+	return router, recorder
+}
+
+func TestLoginHandler(t *testing.T) {
+	// Setup
+	router, recorder := setupUserController(t, nil)
+
+	loginReq := controller.LoginRequest{
+		Username: "testuser",
+		Password: "test",
+	}
+
+	loginReqJson, err := json.Marshal(loginReq)
+	assert.NilError(t, err)
+
+	// Test
+	req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	cookie := recorder.Result().Cookies()[0]
+
+	assert.Equal(t, "tinyauth-session", cookie.Name)
+	assert.Assert(t, cookie.Value != "")
+
+	cookieValue = cookie.Value
+
+	// Test invalid credentials
+	loginReq = controller.LoginRequest{
+		Username: "testuser",
+		Password: "invalid",
+	}
+
+	loginReqJson, err = json.Marshal(loginReq)
+	assert.NilError(t, err)
+
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+
+	// Test totp required
+	loginReq = controller.LoginRequest{
+		Username: "totpuser",
+		Password: "test",
+	}
+
+	loginReqJson, err = json.Marshal(loginReq)
+	assert.NilError(t, err)
+
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	loginResJson, err := json.Marshal(map[string]any{
+		"message":     "TOTP required",
+		"status":      200,
+		"totpPending": true,
+	})
+
+	assert.NilError(t, err)
+	assert.Equal(t, string(loginResJson), recorder.Body.String())
+
+	// Test invalid json
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader("{invalid json}"))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 400, recorder.Code)
+
+	// Test rate limiting
+	loginReq = controller.LoginRequest{
+		Username: "testuser",
+		Password: "invalid",
+	}
+
+	loginReqJson, err = json.Marshal(loginReq)
+	assert.NilError(t, err)
+
+	for range 5 {
+		recorder = httptest.NewRecorder()
+		req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
+		router.ServeHTTP(recorder, req)
+	}
+
+	assert.Equal(t, 429, recorder.Code)
+}
+
+func TestLogoutHandler(t *testing.T) {
+	// Setup
+	router, recorder := setupUserController(t, nil)
+
+	// Test
+	req := httptest.NewRequest("POST", "/api/user/logout", nil)
+
+	req.AddCookie(&http.Cookie{
+		Name:  "tinyauth-session",
+		Value: cookieValue,
+	})
+
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	cookie := recorder.Result().Cookies()[0]
+
+	assert.Equal(t, "tinyauth-session", cookie.Name)
+	assert.Equal(t, "", cookie.Value)
+	assert.Equal(t, -1, cookie.MaxAge)
+}
+
+func TestTotpHandler(t *testing.T) {
+	// Setup
+	router, recorder := setupUserController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "totpuser",
+				Name:        "totpuser",
+				Email:       "totpuser@example.com",
+				IsLoggedIn:  false,
+				OAuth:       false,
+				Provider:    "username",
+				TotpPending: true,
+				OAuthGroups: "",
+				TotpEnabled: true,
+			})
+			c.Next()
+		},
+	})
+
+	// Test
+	code, err := totp.GenerateCode(totpSecret, time.Now())
+
+	assert.NilError(t, err)
+
+	totpReq := controller.TotpRequest{
+		Code: code,
+	}
+
+	totpReqJson, err := json.Marshal(totpReq)
+	assert.NilError(t, err)
+
+	req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	cookie := recorder.Result().Cookies()[0]
+
+	assert.Equal(t, "tinyauth-session", cookie.Name)
+	assert.Assert(t, cookie.Value != "")
+
+	// Test invalid json
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader("{invalid json}"))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 400, recorder.Code)
+
+	// Test rate limiting
+	totpReq = controller.TotpRequest{
+		Code: "000000",
+	}
+
+	totpReqJson, err = json.Marshal(totpReq)
+	assert.NilError(t, err)
+
+	for range 5 {
+		recorder = httptest.NewRecorder()
+		req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
+		router.ServeHTTP(recorder, req)
+	}
+
+	assert.Equal(t, 429, recorder.Code)
+
+	// Test invalid code
+	router, recorder = setupUserController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "totpuser",
+				Name:        "totpuser",
+				Email:       "totpuser@example.com",
+				IsLoggedIn:  false,
+				OAuth:       false,
+				Provider:    "username",
+				TotpPending: true,
+				OAuthGroups: "",
+				TotpEnabled: true,
+			})
+			c.Next()
+		},
+	})
+
+	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+
+	// Test no totp pending
+	router, recorder = setupUserController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "totpuser",
+				Name:        "totpuser",
+				Email:       "totpuser@example.com",
+				IsLoggedIn:  false,
+				OAuth:       false,
+				Provider:    "username",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: false,
+			})
+			c.Next()
+		},
+	})
+
+	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+}

internal/middleware/context_middleware.go

@@ -12,20 +12,20 @@ import (
 )
 
 type ContextMiddlewareConfig struct {
-	Domain string
+	CookieDomain string
 }
 
 type ContextMiddleware struct {
-	Config ContextMiddlewareConfig
-	Auth   *service.AuthService
-	Broker *service.OAuthBrokerService
+	config ContextMiddlewareConfig
+	auth   *service.AuthService
+	broker *service.OAuthBrokerService
 }
 
 func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
 	return &ContextMiddleware{
-		Config: config,
-		Auth:   auth,
-		Broker: broker,
+		config: config,
+		auth:   auth,
+		broker: broker,
 	}
 }
 
@@ -35,7 +35,7 @@ func (m *ContextMiddleware) Init() error {
 
 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		cookie, err := m.Auth.GetSessionCookie(c)
+		cookie, err := m.auth.GetSessionCookie(c)
 
 		if err != nil {
 			log.Debug().Err(err).Msg("No valid session cookie found")
@@ -57,11 +57,11 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 
 		switch cookie.Provider {
 		case "username":
-			userSearch := m.Auth.SearchUser(cookie.Username)
+			userSearch := m.auth.SearchUser(cookie.Username)
 
-			if userSearch.Type == "unknown" {
+			if userSearch.Type == "unknown" || userSearch.Type == "error" {
 				log.Debug().Msg("User from session cookie not found")
-				m.Auth.DeleteSessionCookie(c)
+				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 
@@ -75,17 +75,17 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Next()
 			return
 		default:
-			_, exists := m.Broker.GetService(cookie.Provider)
+			_, exists := m.broker.GetService(cookie.Provider)
 
 			if !exists {
 				log.Debug().Msg("OAuth provider from session cookie not found")
-				m.Auth.DeleteSessionCookie(c)
+				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 
-			if !m.Auth.IsEmailWhitelisted(cookie.Email) {
+			if !m.auth.IsEmailWhitelisted(cookie.Email) {
 				log.Debug().Msg("Email from session cookie not whitelisted")
-				m.Auth.DeleteSessionCookie(c)
+				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 
@@ -103,7 +103,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 		}
 
 	basic:
-		basic := m.Auth.GetBasicAuth(c)
+		basic := m.auth.GetBasicAuth(c)
 
 		if basic == nil {
 			log.Debug().Msg("No basic auth provided")
@@ -111,15 +111,15 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
-		userSearch := m.Auth.SearchUser(basic.Username)
+		userSearch := m.auth.SearchUser(basic.Username)
 
-		if userSearch.Type == "unknown" {
+		if userSearch.Type == "unknown" || userSearch.Type == "error" {
 			log.Debug().Msg("User from basic auth not found")
 			c.Next()
 			return
 		}
 
-		if !m.Auth.VerifyUser(userSearch, basic.Password) {
+		if !m.auth.VerifyUser(userSearch, basic.Password) {
 			log.Debug().Msg("Invalid password for basic auth user")
 			c.Next()
 			return
@@ -129,12 +129,12 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 		case "local":
 			log.Debug().Msg("Basic auth user is local")
 
-			user := m.Auth.GetLocalUser(basic.Username)
+			user := m.auth.GetLocalUser(basic.Username)
 
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.Config.Domain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
 				Provider:    "basic",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -146,7 +146,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:   basic.Username,
 				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.Config.Domain),
+				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
 				Provider:   "basic",
 				IsLoggedIn: true,
 			})

internal/middleware/ui_middleware.go

@@ -11,8 +11,8 @@ import (
 )
 
 type UIMiddleware struct {
-	UIFS         fs.FS
-	UIFileServer http.Handler
+	uiFs         fs.FS
+	uiFileServer http.Handler
 }
 
 func NewUIMiddleware() *UIMiddleware {
@@ -26,8 +26,8 @@ func (m *UIMiddleware) Init() error {
 		return err
 	}
 
-	m.UIFS = ui
-	m.UIFileServer = http.FileServer(http.FS(ui))
+	m.uiFs = ui
+	m.uiFileServer = http.FileServer(http.FS(ui))
 
 	return nil
 }
@@ -42,13 +42,13 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 			c.Next()
 			return
 		default:
-			_, err := fs.Stat(m.UIFS, strings.TrimPrefix(c.Request.URL.Path, "/"))
+			_, err := fs.Stat(m.uiFs, strings.TrimPrefix(c.Request.URL.Path, "/"))
 
 			if os.IsNotExist(err) {
 				c.Request.URL.Path = "/"
 			}
 
-			m.UIFileServer.ServeHTTP(c.Writer, c.Request)
+			m.uiFileServer.ServeHTTP(c.Writer, c.Request)
 			c.Abort()
 			return
 		}

internal/service/auth_service.go

@@ -28,28 +28,28 @@ type AuthServiceConfig struct {
 	OauthWhitelist    string
 	SessionExpiry     int
 	SecureCookie      bool
-	Domain            string
+	CookieDomain      string
 	LoginTimeout      int
 	LoginMaxRetries   int
 	SessionCookieName string
 }
 
 type AuthService struct {
-	Config        AuthServiceConfig
-	Docker        *DockerService
-	LoginAttempts map[string]*LoginAttempt
-	LoginMutex    sync.RWMutex
-	LDAP          *LdapService
-	Database      *gorm.DB
+	config        AuthServiceConfig
+	docker        *DockerService
+	loginAttempts map[string]*LoginAttempt
+	loginMutex    sync.RWMutex
+	ldap          *LdapService
+	database      *gorm.DB
 }
 
 func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, database *gorm.DB) *AuthService {
 	return &AuthService{
-		Config:        config,
-		Docker:        docker,
-		LoginAttempts: make(map[string]*LoginAttempt),
-		LDAP:          ldap,
-		Database:      database,
+		config:        config,
+		docker:        docker,
+		loginAttempts: make(map[string]*LoginAttempt),
+		ldap:          ldap,
+		database:      database,
 	}
 }
 
@@ -65,12 +65,14 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
 		}
 	}
 
-	if auth.LDAP != nil {
-		userDN, err := auth.LDAP.Search(username)
+	if auth.ldap != nil {
+		userDN, err := auth.ldap.Search(username)
 
 		if err != nil {
 			log.Warn().Err(err).Str("username", username).Msg("Failed to search for user in LDAP")
-			return config.UserSearch{}
+			return config.UserSearch{
+				Type: "error",
+			}
 		}
 
 		return config.UserSearch{
@@ -90,14 +92,14 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 		user := auth.GetLocalUser(search.Username)
 		return auth.CheckPassword(user, password)
 	case "ldap":
-		if auth.LDAP != nil {
-			err := auth.LDAP.Bind(search.Username, password)
+		if auth.ldap != nil {
+			err := auth.ldap.Bind(search.Username, password)
 			if err != nil {
 				log.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
 				return false
 			}
 
-			err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
+			err = auth.ldap.Bind(auth.ldap.Config.BindDN, auth.ldap.Config.BindPassword)
 			if err != nil {
 				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
 				return false
@@ -115,7 +117,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 }
 
 func (auth *AuthService) GetLocalUser(username string) config.User {
-	for _, user := range auth.Config.Users {
+	for _, user := range auth.config.Users {
 		if user.Username == username {
 			return user
 		}
@@ -130,14 +132,14 @@ func (auth *AuthService) CheckPassword(user config.User, password string) bool {
 }
 
 func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
-	auth.LoginMutex.RLock()
-	defer auth.LoginMutex.RUnlock()
+	auth.loginMutex.RLock()
+	defer auth.loginMutex.RUnlock()
 
-	if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
+	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
 		return false, 0
 	}
 
-	attempt, exists := auth.LoginAttempts[identifier]
+	attempt, exists := auth.loginAttempts[identifier]
 	if !exists {
 		return false, 0
 	}
@@ -151,17 +153,17 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 }
 
 func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
-	if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
+	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
 		return
 	}
 
-	auth.LoginMutex.Lock()
-	defer auth.LoginMutex.Unlock()
+	auth.loginMutex.Lock()
+	defer auth.loginMutex.Unlock()
 
-	attempt, exists := auth.LoginAttempts[identifier]
+	attempt, exists := auth.loginAttempts[identifier]
 	if !exists {
 		attempt = &LoginAttempt{}
-		auth.LoginAttempts[identifier] = attempt
+		auth.loginAttempts[identifier] = attempt
 	}
 
 	attempt.LastAttempt = time.Now()
@@ -174,14 +176,14 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 
 	attempt.FailedAttempts++
 
-	if attempt.FailedAttempts >= auth.Config.LoginMaxRetries {
-		attempt.LockedUntil = time.Now().Add(time.Duration(auth.Config.LoginTimeout) * time.Second)
-		log.Warn().Str("identifier", identifier).Int("timeout", auth.Config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
+	if attempt.FailedAttempts >= auth.config.LoginMaxRetries {
+		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second)
+		log.Warn().Str("identifier", identifier).Int("timeout", auth.config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
 	}
 }
 
 func (auth *AuthService) IsEmailWhitelisted(email string) bool {
-	return utils.CheckFilter(auth.Config.OauthWhitelist, email)
+	return utils.CheckFilter(auth.config.OauthWhitelist, email)
 }
 
 func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.SessionCookie) error {
@@ -196,7 +198,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 	if data.TotpPending {
 		expiry = 3600
 	} else {
-		expiry = auth.Config.SessionExpiry
+		expiry = auth.config.SessionExpiry
 	}
 
 	session := model.Session{
@@ -210,37 +212,37 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
 	}
 
-	err = auth.Database.Create(&session).Error
+	err = auth.database.Create(&session).Error
 
 	if err != nil {
 		return err
 	}
 
-	c.SetCookie(auth.Config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
 
 	return nil
 }
 
 func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
-	cookie, err := c.Cookie(auth.Config.SessionCookieName)
+	cookie, err := c.Cookie(auth.config.SessionCookieName)
 
 	if err != nil {
 		return err
 	}
 
-	res := auth.Database.Unscoped().Where("uuid = ?", cookie).Delete(&model.Session{})
+	res := auth.database.Unscoped().Where("uuid = ?", cookie).Delete(&model.Session{})
 
 	if res.Error != nil {
 		return res.Error
 	}
 
-	c.SetCookie(auth.Config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
 
 	return nil
 }
 
 func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie, error) {
-	cookie, err := c.Cookie(auth.Config.SessionCookieName)
+	cookie, err := c.Cookie(auth.config.SessionCookieName)
 
 	if err != nil {
 		return config.SessionCookie{}, err
@@ -248,7 +250,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 
 	var session model.Session
 
-	res := auth.Database.Unscoped().Where("uuid = ?", cookie).First(&session)
+	res := auth.database.Unscoped().Where("uuid = ?", cookie).First(&session)
 
 	if res.Error != nil {
 		return config.SessionCookie{}, res.Error
@@ -261,7 +263,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 	currentTime := time.Now().Unix()
 
 	if currentTime > session.Expiry {
-		res := auth.Database.Unscoped().Where("uuid = ?", session.UUID).Delete(&model.Session{})
+		res := auth.database.Unscoped().Where("uuid = ?", session.UUID).Delete(&model.Session{})
 		if res.Error != nil {
 			log.Error().Err(res.Error).Msg("Failed to delete expired session")
 		}
@@ -280,10 +282,10 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 }
 
 func (auth *AuthService) UserAuthConfigured() bool {
-	return len(auth.Config.Users) > 0 || auth.LDAP != nil
+	return len(auth.config.Users) > 0 || auth.ldap != nil
 }
 
-func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.AppLabels) bool {
+func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.App) bool {
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
 		return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
@@ -320,7 +322,7 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
 	return false
 }
 
-func (auth *AuthService) IsAuthEnabled(uri string, path config.PathLabels) (bool, error) {
+func (auth *AuthService) IsAuthEnabled(uri string, path config.AppPath) (bool, error) {
 	// Check for block list
 	if path.Block != "" {
 		regex, err := regexp.Compile(path.Block)
@@ -362,7 +364,7 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
 	}
 }
 
-func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
+func (auth *AuthService) CheckIP(labels config.AppIP, ip string) bool {
 	for _, blocked := range labels.Block {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
@@ -396,7 +398,7 @@ func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
 	return true
 }
 
-func (auth *AuthService) IsBypassedIP(labels config.IPLabels, ip string) bool {
+func (auth *AuthService) IsBypassedIP(labels config.AppIP, ip string) bool {
 	for _, bypassed := range labels.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {

internal/service/database_service.go

@@ -16,18 +16,18 @@ type DatabaseServiceConfig struct {
 }
 
 type DatabaseService struct {
-	Config   DatabaseServiceConfig
-	Database *gorm.DB
+	config   DatabaseServiceConfig
+	database *gorm.DB
 }
 
 func NewDatabaseService(config DatabaseServiceConfig) *DatabaseService {
 	return &DatabaseService{
-		Config: config,
+		config: config,
 	}
 }
 
 func (ds *DatabaseService) Init() error {
-	gormDB, err := gorm.Open(sqlite.Open(ds.Config.DatabasePath), &gorm.Config{})
+	gormDB, err := gorm.Open(sqlite.Open(ds.config.DatabasePath), &gorm.Config{})
 
 	if err != nil {
 		return err
@@ -47,7 +47,7 @@ func (ds *DatabaseService) Init() error {
 		return err
 	}
 
-	ds.Database = gormDB
+	ds.database = gormDB
 	return nil
 }
 
@@ -74,5 +74,5 @@ func (ds *DatabaseService) migrateDatabase(sqlDB *sql.DB) error {
 }
 
 func (ds *DatabaseService) GetDatabase() *gorm.DB {
-	return ds.Database
+	return ds.database
 }

internal/service/docker_service.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"strings"
 	"tinyauth/internal/config"
-	"tinyauth/internal/utils"
+	"tinyauth/internal/utils/decoders"
 
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -12,8 +12,8 @@ import (
 )
 
 type DockerService struct {
-	Client  *client.Client
-	Context context.Context
+	client  *client.Client
+	context context.Context
 }
 
 func NewDockerService() *DockerService {
@@ -29,13 +29,13 @@ func (docker *DockerService) Init() error {
 	ctx := context.Background()
 	client.NegotiateAPIVersion(ctx)
 
-	docker.Client = client
-	docker.Context = ctx
+	docker.client = client
+	docker.context = ctx
 	return nil
 }
 
 func (docker *DockerService) GetContainers() ([]container.Summary, error) {
-	containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
+	containers, err := docker.client.ContainerList(docker.context, container.ListOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -43,7 +43,7 @@ func (docker *DockerService) GetContainers() ([]container.Summary, error) {
 }
 
 func (docker *DockerService) InspectContainer(containerId string) (container.InspectResponse, error) {
-	inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
+	inspect, err := docker.client.ContainerInspect(docker.context, containerId)
 	if err != nil {
 		return container.InspectResponse{}, err
 	}
@@ -51,38 +51,38 @@ func (docker *DockerService) InspectContainer(containerId string) (container.Ins
 }
 
 func (docker *DockerService) DockerConnected() bool {
-	_, err := docker.Client.Ping(docker.Context)
+	_, err := docker.client.Ping(docker.context)
 	return err == nil
 }
 
-func (docker *DockerService) GetLabels(app string, domain string) (config.AppLabels, error) {
+func (docker *DockerService) GetLabels(appDomain string) (config.App, error) {
 	isConnected := docker.DockerConnected()
 
 	if !isConnected {
 		log.Debug().Msg("Docker not connected, returning empty labels")
-		return config.AppLabels{}, nil
+		return config.App{}, nil
 	}
 
 	containers, err := docker.GetContainers()
 	if err != nil {
-		return config.AppLabels{}, err
+		return config.App{}, err
 	}
 
-	for _, container := range containers {
-		inspect, err := docker.InspectContainer(container.ID)
+	for _, ctr := range containers {
+		inspect, err := docker.InspectContainer(ctr.ID)
 		if err != nil {
-			log.Warn().Str("id", container.ID).Err(err).Msg("Error inspecting container, skipping")
+			log.Warn().Str("id", ctr.ID).Err(err).Msg("Error inspecting container, skipping")
 			continue
 		}
 
-		labels, err := utils.GetLabels(inspect.Config.Labels)
+		labels, err := decoders.DecodeLabels(inspect.Config.Labels)
 		if err != nil {
-			log.Warn().Str("id", container.ID).Err(err).Msg("Error getting container labels, skipping")
+			log.Warn().Str("id", ctr.ID).Err(err).Msg("Error getting container labels, skipping")
 			continue
 		}
 
 		for appName, appLabels := range labels.Apps {
-			if appLabels.Config.Domain == domain {
+			if appLabels.Config.Domain == appDomain {
 				log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain")
 				return appLabels, nil
 			}
@@ -95,5 +95,5 @@ func (docker *DockerService) GetLabels(app string, domain string) (config.AppLab
 	}
 
 	log.Debug().Msg("No matching container found, returning empty labels")
-	return config.AppLabels{}, nil
+	return config.App{}, nil
 }

internal/service/generic_oauth_service.go

@@ -16,17 +16,17 @@ import (
 )
 
 type GenericOAuthService struct {
-	Config             oauth2.Config
-	Context            context.Context
-	Token              *oauth2.Token
-	Verifier           string
-	InsecureSkipVerify bool
-	UserinfoURL        string
+	config             oauth2.Config
+	context            context.Context
+	token              *oauth2.Token
+	verifier           string
+	insecureSkipVerify bool
+	userinfoUrl        string
 }
 
 func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthService {
 	return &GenericOAuthService{
-		Config: oauth2.Config{
+		config: oauth2.Config{
 			ClientID:     config.ClientID,
 			ClientSecret: config.ClientSecret,
 			RedirectURL:  config.RedirectURL,
@@ -36,15 +36,15 @@ func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthServi
 				TokenURL: config.TokenURL,
 			},
 		},
-		InsecureSkipVerify: config.InsecureSkipVerify,
-		UserinfoURL:        config.UserinfoURL,
+		insecureSkipVerify: config.InsecureSkipVerify,
+		userinfoUrl:        config.UserinfoURL,
 	}
 }
 
 func (generic *GenericOAuthService) Init() error {
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: generic.InsecureSkipVerify,
+			InsecureSkipVerify: generic.insecureSkipVerify,
 			MinVersion:         tls.VersionTLS12,
 		},
 	}
@@ -58,8 +58,8 @@ func (generic *GenericOAuthService) Init() error {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 
-	generic.Context = ctx
-	generic.Verifier = verifier
+	generic.context = ctx
+	generic.verifier = verifier
 	return nil
 }
 
@@ -74,26 +74,26 @@ func (generic *GenericOAuthService) GenerateState() string {
 }
 
 func (generic *GenericOAuthService) GetAuthURL(state string) string {
-	return generic.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(generic.Verifier))
+	return generic.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(generic.verifier))
 }
 
 func (generic *GenericOAuthService) VerifyCode(code string) error {
-	token, err := generic.Config.Exchange(generic.Context, code, oauth2.VerifierOption(generic.Verifier))
+	token, err := generic.config.Exchange(generic.context, code, oauth2.VerifierOption(generic.verifier))
 
 	if err != nil {
 		return err
 	}
 
-	generic.Token = token
+	generic.token = token
 	return nil
 }
 
 func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {
 	var user config.Claims
 
-	client := generic.Config.Client(generic.Context, generic.Token)
+	client := generic.config.Client(generic.context, generic.token)
 
-	res, err := client.Get(generic.UserinfoURL)
+	res, err := client.Get(generic.userinfoUrl)
 	if err != nil {
 		return user, err
 	}

internal/service/github_oauth_service.go

@@ -29,15 +29,15 @@ type GithubUserInfoResponse struct {
 }
 
 type GithubOAuthService struct {
-	Config   oauth2.Config
-	Context  context.Context
-	Token    *oauth2.Token
-	Verifier string
+	config   oauth2.Config
+	context  context.Context
+	token    *oauth2.Token
+	verifier string
 }
 
 func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService {
 	return &GithubOAuthService{
-		Config: oauth2.Config{
+		config: oauth2.Config{
 			ClientID:     config.ClientID,
 			ClientSecret: config.ClientSecret,
 			RedirectURL:  config.RedirectURL,
@@ -53,8 +53,8 @@ func (github *GithubOAuthService) Init() error {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 
-	github.Context = ctx
-	github.Verifier = verifier
+	github.context = ctx
+	github.verifier = verifier
 	return nil
 }
 
@@ -69,24 +69,24 @@ func (github *GithubOAuthService) GenerateState() string {
 }
 
 func (github *GithubOAuthService) GetAuthURL(state string) string {
-	return github.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(github.Verifier))
+	return github.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(github.verifier))
 }
 
 func (github *GithubOAuthService) VerifyCode(code string) error {
-	token, err := github.Config.Exchange(github.Context, code, oauth2.VerifierOption(github.Verifier))
+	token, err := github.config.Exchange(github.context, code, oauth2.VerifierOption(github.verifier))
 
 	if err != nil {
 		return err
 	}
 
-	github.Token = token
+	github.token = token
 	return nil
 }
 
 func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
 	var user config.Claims
 
-	client := github.Config.Client(github.Context, github.Token)
+	client := github.config.Client(github.context, github.token)
 
 	req, err := http.NewRequest("GET", "https://api.github.com/user", nil)
 	if err != nil {

internal/service/google_oauth_service.go

@@ -24,15 +24,15 @@ type GoogleUserInfoResponse struct {
 }
 
 type GoogleOAuthService struct {
-	Config   oauth2.Config
-	Context  context.Context
-	Token    *oauth2.Token
-	Verifier string
+	config   oauth2.Config
+	context  context.Context
+	token    *oauth2.Token
+	verifier string
 }
 
 func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService {
 	return &GoogleOAuthService{
-		Config: oauth2.Config{
+		config: oauth2.Config{
 			ClientID:     config.ClientID,
 			ClientSecret: config.ClientSecret,
 			RedirectURL:  config.RedirectURL,
@@ -48,8 +48,8 @@ func (google *GoogleOAuthService) Init() error {
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 
-	google.Context = ctx
-	google.Verifier = verifier
+	google.context = ctx
+	google.verifier = verifier
 	return nil
 }
 
@@ -64,24 +64,24 @@ func (oauth *GoogleOAuthService) GenerateState() string {
 }
 
 func (google *GoogleOAuthService) GetAuthURL(state string) string {
-	return google.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(google.Verifier))
+	return google.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(google.verifier))
 }
 
 func (google *GoogleOAuthService) VerifyCode(code string) error {
-	token, err := google.Config.Exchange(google.Context, code, oauth2.VerifierOption(google.Verifier))
+	token, err := google.config.Exchange(google.context, code, oauth2.VerifierOption(google.verifier))
 
 	if err != nil {
 		return err
 	}
 
-	google.Token = token
+	google.token = token
 	return nil
 }
 
 func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 	var user config.Claims
 
-	client := google.Config.Client(google.Context, google.Token)
+	client := google.config.Client(google.context, google.token)
 
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
 	if err != nil {

internal/service/ldap_service.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/cenkalti/backoff/v5"
@@ -21,8 +22,9 @@ type LdapServiceConfig struct {
 }
 
 type LdapService struct {
-	Config LdapServiceConfig
-	Conn   *ldapgo.Conn
+	Config LdapServiceConfig // exported so as the auth service can use it
+	conn   *ldapgo.Conn
+	mutex  sync.RWMutex
 }
 
 func NewLdapService(config LdapServiceConfig) *LdapService {
@@ -55,6 +57,9 @@ func (ldap *LdapService) Init() error {
 }
 
 func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
 	conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 		InsecureSkipVerify: ldap.Config.Insecure,
 		MinVersion:         tls.VersionTLS12,
@@ -69,7 +74,7 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	}
 
 	// Set and return the connection
-	ldap.Conn = conn
+	ldap.conn = conn
 	return conn, nil
 }
 
@@ -86,7 +91,10 @@ func (ldap *LdapService) Search(username string) (string, error) {
 		nil,
 	)
 
-	searchResult, err := ldap.Conn.Search(searchRequest)
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
+	searchResult, err := ldap.conn.Search(searchRequest)
 	if err != nil {
 		return "", err
 	}
@@ -100,7 +108,9 @@ func (ldap *LdapService) Search(username string) (string, error) {
 }
 
 func (ldap *LdapService) Bind(userDN string, password string) error {
-	err := ldap.Conn.Bind(userDN, password)
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+	err := ldap.conn.Bind(userDN, password)
 	if err != nil {
 		return err
 	}
@@ -118,7 +128,9 @@ func (ldap *LdapService) heartbeat() error {
 		nil,
 	)
 
-	_, err := ldap.Conn.Search(searchRequest)
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+	_, err := ldap.conn.Search(searchRequest)
 	if err != nil {
 		return err
 	}
@@ -137,7 +149,7 @@ func (ldap *LdapService) reconnect() error {
 	exp.Reset()
 
 	operation := func() (*ldapgo.Conn, error) {
-		ldap.Conn.Close()
+		ldap.conn.Close()
 		conn, err := ldap.connect()
 		if err != nil {
 			return nil, err

internal/service/oauth_broker_service.go

@@ -5,6 +5,7 @@ import (
 	"tinyauth/internal/config"
 
 	"github.com/rs/zerolog/log"
+	"golang.org/x/exp/slices"
 )
 
 type OAuthService interface {
@@ -16,59 +17,60 @@ type OAuthService interface {
 }
 
 type OAuthBrokerService struct {
-	Services map[string]OAuthService
-	Configs  map[string]config.OAuthServiceConfig
+	services map[string]OAuthService
+	configs  map[string]config.OAuthServiceConfig
 }
 
 func NewOAuthBrokerService(configs map[string]config.OAuthServiceConfig) *OAuthBrokerService {
 	return &OAuthBrokerService{
-		Services: make(map[string]OAuthService),
-		Configs:  configs,
+		services: make(map[string]OAuthService),
+		configs:  configs,
 	}
 }
 
 func (broker *OAuthBrokerService) Init() error {
-	for name, cfg := range broker.Configs {
+	for name, cfg := range broker.configs {
 		switch name {
 		case "github":
 			service := NewGithubOAuthService(cfg)
-			broker.Services[name] = service
+			broker.services[name] = service
 		case "google":
 			service := NewGoogleOAuthService(cfg)
-			broker.Services[name] = service
+			broker.services[name] = service
 		default:
 			service := NewGenericOAuthService(cfg)
-			broker.Services[name] = service
+			broker.services[name] = service
 		}
 	}
 
-	for name, service := range broker.Services {
+	for name, service := range broker.services {
 		err := service.Init()
 		if err != nil {
-			log.Error().Err(err).Msgf("Failed to initialize OAuth service: %s", name)
+			log.Error().Err(err).Msgf("Failed to initialize OAuth service: %T", name)
 			return err
 		}
-		log.Info().Msgf("Initialized OAuth service: %s", name)
+		log.Info().Msgf("Initialized OAuth service: %T", name)
 	}
 
 	return nil
 }
 
 func (broker *OAuthBrokerService) GetConfiguredServices() []string {
-	services := make([]string, 0, len(broker.Services))
-	for name := range broker.Services {
+	services := make([]string, 0, len(broker.services))
+	for name := range broker.services {
 		services = append(services, name)
 	}
+	slices.Sort(services)
 	return services
 }
 
 func (broker *OAuthBrokerService) GetService(name string) (OAuthService, bool) {
-	service, exists := broker.Services[name]
+	service, exists := broker.services[name]
 	return service, exists
 }
 
 func (broker *OAuthBrokerService) GetUser(service string) (config.Claims, error) {
-	oauthService, exists := broker.Services[service]
+	oauthService, exists := broker.services[service]
 	if !exists {
 		return config.Claims{}, errors.New("oauth service not found")
 	}

internal/utils/app_utils.go

@@ -8,30 +8,38 @@ import (
 	"tinyauth/internal/config"
 
 	"github.com/gin-gonic/gin"
-
 	"github.com/rs/zerolog"
+	"github.com/weppos/publicsuffix-go/publicsuffix"
 )
 
-// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetUpperDomain(appUrl string) (string, error) {
-	appUrlParsed, err := url.Parse(appUrl)
+// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+func GetCookieDomain(u string) (string, error) {
+	parsed, err := url.Parse(u)
 	if err != nil {
 		return "", err
 	}
 
-	host := appUrlParsed.Hostname()
+	host := parsed.Hostname()
 
 	if netIP := net.ParseIP(host); netIP != nil {
-		return "", errors.New("IP addresses are not allowed")
+		return "", errors.New("IP addresses not allowed")
 	}
 
-	urlParts := strings.Split(host, ".")
+	parts := strings.Split(host, ".")
 
-	if len(urlParts) < 2 {
-		return "", errors.New("invalid domain, must be at least second level domain")
+	if len(parts) < 3 {
+		return "", errors.New("invalid app url, must be at least second level domain")
 	}
 
-	return strings.Join(urlParts[1:], "."), nil
+	domain := strings.Join(parts[1:], ".")
+
+	_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
+
+	if err != nil {
+		return "", errors.New("domain in public suffix list, cannot set cookies")
+	}
+
+	return domain, nil
 }
 
 func ParseFileToLine(content string) string {
@@ -49,6 +57,7 @@ func ParseFileToLine(content string) string {
 }
 
 func Filter[T any](slice []T, test func(T) bool) (res []T) {
+	res = make([]T, 0)
 	for _, value := range slice {
 		if test(value) {
 			res = append(res, value)
@@ -88,13 +97,13 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 		return false
 	}
 
-	upper, err := GetUpperDomain(redirectURL)
+	cookieDomain, err := GetCookieDomain(redirectURL)
 
 	if err != nil {
 		return false
 	}
 
-	if upper != domain {
+	if cookieDomain != domain {
 		return false
 	}
 

internal/utils/app_utils_test.go

@@ -0,0 +1,202 @@
+package utils_test
+
+import (
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"gotest.tools/v3/assert"
+)
+
+func TestGetRootDomain(t *testing.T) {
+	// Normal case
+	domain := "http://sub.tinyauth.app"
+	expected := "tinyauth.app"
+	result, err := utils.GetCookieDomain(domain)
+	assert.NilError(t, err)
+	assert.Equal(t, expected, result)
+
+	// Domain with multiple subdomains
+	domain = "http://b.c.tinyauth.app"
+	expected = "c.tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
+	assert.NilError(t, err)
+	assert.Equal(t, expected, result)
+
+	// Domain with no subdomain
+	domain = "http://tinyauth.app"
+	expected = "tinyauth.app"
+	_, err = utils.GetCookieDomain(domain)
+	assert.Error(t, err, "invalid app url, must be at least second level domain")
+
+	// Invalid domain (only TLD)
+	domain = "com"
+	_, err = utils.GetCookieDomain(domain)
+	assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")
+
+	// IP address
+	domain = "http://10.10.10.10"
+	_, err = utils.GetCookieDomain(domain)
+	assert.ErrorContains(t, err, "IP addresses not allowed")
+
+	// Invalid URL
+	domain = "http://[::1]:namedport"
+	_, err = utils.GetCookieDomain(domain)
+	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
+
+	// URL with scheme and path
+	domain = "https://sub.tinyauth.app/path"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
+	assert.NilError(t, err)
+	assert.Equal(t, expected, result)
+
+	// URL with port
+	domain = "http://sub.tinyauth.app:8080"
+	expected = "tinyauth.app"
+	result, err = utils.GetCookieDomain(domain)
+	assert.NilError(t, err)
+	assert.Equal(t, expected, result)
+
+	// Domain managed by ICANN
+	domain = "http://example.co.uk"
+	_, err = utils.GetCookieDomain(domain)
+	assert.Error(t, err, "domain in public suffix list, cannot set cookies")
+}
+
+func TestParseFileToLine(t *testing.T) {
+	// Normal case
+	content := "user1\nuser2\nuser3"
+	expected := "user1,user2,user3"
+	result := utils.ParseFileToLine(content)
+	assert.Equal(t, expected, result)
+
+	// Case with empty lines and spaces
+	content = " user1 \n\n user2 \n user3 \n"
+	expected = "user1,user2,user3"
+	result = utils.ParseFileToLine(content)
+	assert.Equal(t, expected, result)
+
+	// Case with only empty lines
+	content = "\n\n\n"
+	expected = ""
+	result = utils.ParseFileToLine(content)
+	assert.Equal(t, expected, result)
+
+	// Case with single user
+	content = "singleuser"
+	expected = "singleuser"
+	result = utils.ParseFileToLine(content)
+	assert.Equal(t, expected, result)
+
+	// Case with trailing newline
+	content = "user1\nuser2\n"
+	expected = "user1,user2"
+	result = utils.ParseFileToLine(content)
+	assert.Equal(t, expected, result)
+}
+
+func TestFilter(t *testing.T) {
+	// Normal case
+	slice := []int{1, 2, 3, 4, 5}
+	testFunc := func(n int) bool { return n%2 == 0 }
+	expected := []int{2, 4}
+	result := utils.Filter(slice, testFunc)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with no matches
+	slice = []int{1, 3, 5}
+	testFunc = func(n int) bool { return n%2 == 0 }
+	expected = []int{}
+	result = utils.Filter(slice, testFunc)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with all matches
+	slice = []int{2, 4, 6}
+	testFunc = func(n int) bool { return n%2 == 0 }
+	expected = []int{2, 4, 6}
+	result = utils.Filter(slice, testFunc)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with empty slice
+	slice = []int{}
+	testFunc = func(n int) bool { return n%2 == 0 }
+	expected = []int{}
+	result = utils.Filter(slice, testFunc)
+	assert.DeepEqual(t, expected, result)
+
+	// Case with different type (string)
+	sliceStr := []string{"apple", "banana", "cherry"}
+	testFuncStr := func(s string) bool { return len(s) > 5 }
+	expectedStr := []string{"banana", "cherry"}
+	resultStr := utils.Filter(sliceStr, testFuncStr)
+	assert.DeepEqual(t, expectedStr, resultStr)
+}
+
+func TestGetContext(t *testing.T) {
+	// Setup
+	gin.SetMode(gin.TestMode)
+	c, _ := gin.CreateTestContext(nil)
+
+	// Normal case
+	c.Set("context", &config.UserContext{Username: "testuser"})
+	result, err := utils.GetContext(c)
+	assert.NilError(t, err)
+	assert.Equal(t, "testuser", result.Username)
+
+	// Case with no context
+	c.Set("context", nil)
+	_, err = utils.GetContext(c)
+	assert.Error(t, err, "invalid user context in request")
+
+	// Case with invalid context type
+	c.Set("context", "invalid type")
+	_, err = utils.GetContext(c)
+	assert.Error(t, err, "invalid user context in request")
+}
+
+func TestIsRedirectSafe(t *testing.T) {
+	// Setup
+	domain := "example.com"
+
+	// Case with no subdomain
+	redirectURL := "http://example.com/welcome"
+	result := utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
+
+	// Case with different domain
+	redirectURL = "http://malicious.com/phishing"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
+
+	// Case with subdomain
+	redirectURL = "http://sub.example.com/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, true, result)
+
+	// Case with empty redirect URL
+	redirectURL = ""
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
+
+	// Case with invalid URL
+	redirectURL = "http://[::1]:namedport"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
+
+	// Case with URL having port
+	redirectURL = "http://sub.example.com:8080/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, true, result)
+
+	// Case with URL having different subdomain
+	redirectURL = "http://another.example.com/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, true, result)
+
+	// Case with URL having different TLD
+	redirectURL = "http://example.org/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
+}

internal/utils/decoders/flags_decoder.go

@@ -0,0 +1,55 @@
+package decoders
+
+import (
+	"strings"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils"
+
+	"github.com/traefik/paerser/parser"
+)
+
+func DecodeFlags(flags map[string]string) (config.Providers, error) {
+	// Normalize flags (sorry to whoever has to read this)
+	// --providers-client1-client-id -> tinyauth.providers.client1.clientId
+	normalized := make(map[string]string)
+	for k, v := range flags {
+		newKey := ""
+
+		nk := strings.TrimPrefix(k, "--")
+		parts := strings.SplitN(nk, "-", 4)
+
+		for i, part := range parts {
+			if i == 3 {
+				subParts := strings.Split(part, "-")
+				for j, subPart := range subParts {
+					if j == 0 {
+						newKey += "." + subPart
+					} else {
+						newKey += utils.Capitalize(subPart)
+					}
+				}
+				continue
+			}
+			if i == 0 {
+				newKey += part
+				continue
+			}
+			newKey += "." + part
+		}
+
+		newKey = "tinyauth." + newKey
+		normalized[newKey] = v
+
+	}
+
+	// Decode
+	var providers config.Providers
+
+	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
+
+	if err != nil {
+		return config.Providers{}, err
+	}
+
+	return providers, nil
+}

internal/utils/decoders/flags_decoder_test.go

@@ -0,0 +1,60 @@
+package decoders_test
+
+import (
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestDecodeFlags(t *testing.T) {
+	// Variables
+	expected := config.Providers{
+		Providers: map[string]config.ProviderConfig{
+			"client1": {
+				Config: config.OAuthServiceConfig{
+					ClientID:           "client1-id",
+					ClientSecret:       "client1-secret",
+					Scopes:             []string{"client1-scope1", "client1-scope2"},
+					RedirectURL:        "client1-redirect-url",
+					AuthURL:            "client1-auth-url",
+					UserinfoURL:        "client1-user-info-url",
+					InsecureSkipVerify: false,
+				},
+			},
+			"client2": {
+				Config: config.OAuthServiceConfig{
+					ClientID:           "client2-id",
+					ClientSecret:       "client2-secret",
+					Scopes:             []string{"client2-scope1", "client2-scope2"},
+					RedirectURL:        "client2-redirect-url",
+					AuthURL:            "client2-auth-url",
+					UserinfoURL:        "client2-user-info-url",
+					InsecureSkipVerify: false,
+				},
+			},
+		},
+	}
+	test := map[string]string{
+		"--providers-client1-config-client-id":            "client1-id",
+		"--providers-client1-config-client-secret":        "client1-secret",
+		"--providers-client1-config-scopes":               "client1-scope1,client1-scope2",
+		"--providers-client1-config-redirect-url":         "client1-redirect-url",
+		"--providers-client1-config-auth-url":             "client1-auth-url",
+		"--providers-client1-config-user-info-url":        "client1-user-info-url",
+		"--providers-client1-config-insecure-skip-verify": "false",
+		"--providers-client2-config-client-id":            "client2-id",
+		"--providers-client2-config-client-secret":        "client2-secret",
+		"--providers-client2-config-scopes":               "client2-scope1,client2-scope2",
+		"--providers-client2-config-redirect-url":         "client2-redirect-url",
+		"--providers-client2-config-auth-url":             "client2-auth-url",
+		"--providers-client2-config-user-info-url":        "client2-user-info-url",
+		"--providers-client2-config-insecure-skip-verify": "false",
+	}
+
+	// Test
+	res, err := decoders.DecodeFlags(test)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, res)
+}

internal/utils/decoders/label_decoder.go

@@ -0,0 +1,19 @@
+package decoders
+
+import (
+	"tinyauth/internal/config"
+
+	"github.com/traefik/paerser/parser"
+)
+
+func DecodeLabels(labels map[string]string) (config.Apps, error) {
+	var appLabels config.Apps
+
+	err := parser.Decode(labels, &appLabels, "tinyauth", "tinyauth.apps")
+
+	if err != nil {
+		return config.Apps{}, err
+	}
+
+	return appLabels, nil
+}

internal/utils/decoders/label_decoder_test.go

@@ -0,0 +1,68 @@
+package decoders_test
+
+import (
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestDecodeLabels(t *testing.T) {
+	// Variables
+	expected := config.Apps{
+		Apps: map[string]config.App{
+			"foo": {
+				Config: config.AppConfig{
+					Domain: "example.com",
+				},
+				Users: config.AppUsers{
+					Allow: "user1,user2",
+					Block: "user3",
+				},
+				OAuth: config.AppOAuth{
+					Whitelist: "somebody@example.com",
+					Groups:    "group3",
+				},
+				IP: config.AppIP{
+					Allow:  []string{"10.71.0.1/24", "10.71.0.2"},
+					Block:  []string{"10.10.10.10", "10.0.0.0/24"},
+					Bypass: []string{"192.168.1.1"},
+				},
+				Response: config.AppResponse{
+					Headers: []string{"X-Foo=Bar", "X-Baz=Qux"},
+					BasicAuth: config.AppBasicAuth{
+						Username:     "admin",
+						Password:     "password",
+						PasswordFile: "/path/to/passwordfile",
+					},
+				},
+				Path: config.AppPath{
+					Allow: "/public",
+					Block: "/private",
+				},
+			},
+		},
+	}
+	test := map[string]string{
+		"tinyauth.apps.foo.config.domain":                   "example.com",
+		"tinyauth.apps.foo.users.allow":                     "user1,user2",
+		"tinyauth.apps.foo.users.block":                     "user3",
+		"tinyauth.apps.foo.oauth.whitelist":                 "somebody@example.com",
+		"tinyauth.apps.foo.oauth.groups":                    "group3",
+		"tinyauth.apps.foo.ip.allow":                        "10.71.0.1/24,10.71.0.2",
+		"tinyauth.apps.foo.ip.block":                        "10.10.10.10,10.0.0.0/24",
+		"tinyauth.apps.foo.ip.bypass":                       "192.168.1.1",
+		"tinyauth.apps.foo.response.headers":                "X-Foo=Bar,X-Baz=Qux",
+		"tinyauth.apps.foo.response.basicauth.username":     "admin",
+		"tinyauth.apps.foo.response.basicauth.password":     "password",
+		"tinyauth.apps.foo.response.basicauth.passwordfile": "/path/to/passwordfile",
+		"tinyauth.apps.foo.path.allow":                      "/public",
+		"tinyauth.apps.foo.path.block":                      "/private",
+	}
+
+	// Test
+	result, err := decoders.DecodeLabels(test)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, result)
+}

internal/utils/fs_utils_test.go

@@ -0,0 +1,31 @@
+package utils
+
+import (
+	"os"
+	"testing"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestReadFile(t *testing.T) {
+	// Setup
+	file, err := os.Create("/tmp/tinyauth_test_file")
+	assert.NilError(t, err)
+
+	_, err = file.WriteString("file content\n")
+	assert.NilError(t, err)
+
+	err = file.Close()
+	assert.NilError(t, err)
+	defer os.Remove("/tmp/tinyauth_test_file")
+
+	// Normal case
+	content, err := ReadFile("/tmp/tinyauth_test_file")
+	assert.NilError(t, err)
+	assert.Equal(t, "file content\n", content)
+
+	// Non-existing file
+	content, err = ReadFile("/tmp/non_existing_file")
+	assert.ErrorContains(t, err, "no such file or directory")
+	assert.Equal(t, "", content)
+}

internal/utils/label_utils.go

@@ -3,22 +3,8 @@ package utils
 import (
 	"net/http"
 	"strings"
-	"tinyauth/internal/config"
-
-	"github.com/traefik/paerser/parser"
 )
 
-func GetLabels(labels map[string]string) (config.Labels, error) {
-	var labelsParsed config.Labels
-
-	err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.apps")
-	if err != nil {
-		return config.Labels{}, err
-	}
-
-	return labelsParsed, nil
-}
-
 func ParseHeaders(headers []string) map[string]string {
 	headerMap := make(map[string]string)
 	for _, header := range headers {

internal/utils/label_utils_test.go

@@ -0,0 +1,87 @@
+package utils_test
+
+import (
+	"testing"
+	"tinyauth/internal/utils"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestParseHeaders(t *testing.T) {
+	// Normal case
+	headers := []string{
+		"X-Custom-Header=Value",
+		"Another-Header=AnotherValue",
+	}
+	expected := map[string]string{
+		"X-Custom-Header": "Value",
+		"Another-Header":  "AnotherValue",
+	}
+	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
+
+	// Case insensitivity and trimming
+	headers = []string{
+		"  x-custom-header =  Value  ",
+		"ANOTHER-HEADER=AnotherValue",
+	}
+	expected = map[string]string{
+		"X-Custom-Header": "Value",
+		"Another-Header":  "AnotherValue",
+	}
+	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
+
+	// Invalid headers (missing '=', empty key/value)
+	headers = []string{
+		"InvalidHeader",
+		"=NoKey",
+		"NoValue=",
+		"   =   ",
+	}
+	expected = map[string]string{}
+	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
+
+	// Headers with unsafe characters
+	headers = []string{
+		"X-Custom-Header=Val\x00ue",       // Null byte
+		"Another-Header=Anoth\x7FerValue", // DEL character
+		"Good-Header=GoodValue",
+	}
+	expected = map[string]string{
+		"X-Custom-Header": "Value",
+		"Another-Header":  "AnotherValue",
+		"Good-Header":     "GoodValue",
+	}
+	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
+
+	// Header with spaces in key (should be ignored)
+	headers = []string{
+		"X Custom Header=Value",
+		"Valid-Header=ValidValue",
+	}
+	expected = map[string]string{
+		"Valid-Header": "ValidValue",
+	}
+	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
+}
+
+func TestSanitizeHeader(t *testing.T) {
+	// Normal case
+	header := "X-Custom-Header"
+	expected := "X-Custom-Header"
+	assert.Equal(t, expected, utils.SanitizeHeader(header))
+
+	// Header with unsafe characters
+	header = "X-Cust\x00om-Hea\x7Fder" // Null byte and DEL character
+	expected = "X-Custom-Header"
+	assert.Equal(t, expected, utils.SanitizeHeader(header))
+
+	// Header with only unsafe characters
+	header = "\x00\x01\x02\x7F"
+	expected = ""
+	assert.Equal(t, expected, utils.SanitizeHeader(header))
+
+	// Header with spaces and tabs (should be preserved)
+	header = "X Custom\tHeader"
+	expected = "X Custom\tHeader"
+	assert.Equal(t, expected, utils.SanitizeHeader(header))
+}

internal/utils/security_utils.go

@@ -48,6 +48,12 @@ func GetBasicAuth(username string, password string) string {
 func FilterIP(filter string, ip string) (bool, error) {
 	ipAddr := net.ParseIP(ip)
 
+	if ipAddr == nil {
+		return false, errors.New("invalid IP address")
+	}
+
+	filter = strings.Replace(filter, "-", "/", -1)
+
 	if strings.Contains(filter, "/") {
 		_, cidr, err := net.ParseCIDR(filter)
 		if err != nil {

internal/utils/security_utils_test.go

@@ -0,0 +1,151 @@
+package utils_test
+
+import (
+	"os"
+	"testing"
+	"tinyauth/internal/utils"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestGetSecret(t *testing.T) {
+	// Setup
+	file, err := os.Create("/tmp/tinyauth_test_secret")
+	assert.NilError(t, err)
+
+	_, err = file.WriteString("       secret       \n")
+	assert.NilError(t, err)
+
+	err = file.Close()
+	assert.NilError(t, err)
+	defer os.Remove("/tmp/tinyauth_test_secret")
+
+	// Get from config
+	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", ""))
+
+	// Get from file
+	assert.Equal(t, "secret", utils.GetSecret("", "/tmp/tinyauth_test_secret"))
+
+	// Get from both (config should take precedence)
+	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", "/tmp/tinyauth_test_secret"))
+
+	// Get from none
+	assert.Equal(t, "", utils.GetSecret("", ""))
+
+	// Get from non-existing file
+	assert.Equal(t, "", utils.GetSecret("", "/tmp/non_existing_file"))
+}
+
+func TestParseSecretFile(t *testing.T) {
+	// Normal case
+	content := "   mysecret   \n"
+	assert.Equal(t, "mysecret", utils.ParseSecretFile(content))
+
+	// Multiple lines (should take the first non-empty line)
+	content = "\n\n   firstsecret   \nsecondsecret\n"
+	assert.Equal(t, "firstsecret", utils.ParseSecretFile(content))
+
+	// All empty lines
+	content = "\n   \n  \n"
+	assert.Equal(t, "", utils.ParseSecretFile(content))
+
+	// Empty content
+	content = ""
+	assert.Equal(t, "", utils.ParseSecretFile(content))
+}
+
+func TestGetBasicAuth(t *testing.T) {
+	// Normal case
+	username := "user"
+	password := "pass"
+	expected := "dXNlcjpwYXNz" // base64 of "user:pass"
+	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
+
+	// Empty username
+	username = ""
+	password = "pass"
+	expected = "OnBhc3M=" // base64 of ":pass"
+	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
+
+	// Empty password
+	username = "user"
+	password = ""
+	expected = "dXNlcjo=" // base64 of "user:"
+	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
+}
+
+func TestFilterIP(t *testing.T) {
+	// Exact match IPv4
+	ok, err := utils.FilterIP("10.10.0.1", "10.10.0.1")
+	assert.NilError(t, err)
+	assert.Equal(t, true, ok)
+
+	// Non-match IPv4
+	ok, err = utils.FilterIP("10.10.0.1", "10.10.0.2")
+	assert.NilError(t, err)
+	assert.Equal(t, false, ok)
+
+	// CIDR match IPv4
+	ok, err = utils.FilterIP("10.10.0.0/24", "10.10.0.2")
+	assert.NilError(t, err)
+	assert.Equal(t, true, ok)
+
+	// CIDR match IPv4 with '-' instead of '/'
+	ok, err = utils.FilterIP("10.10.10.0-24", "10.10.10.5")
+	assert.NilError(t, err)
+	assert.Equal(t, true, ok)
+
+	// CIDR non-match IPv4
+	ok, err = utils.FilterIP("10.10.0.0/24", "10.5.0.1")
+	assert.NilError(t, err)
+	assert.Equal(t, false, ok)
+
+	// Invalid CIDR
+	ok, err = utils.FilterIP("10.10.0.0/222", "10.0.0.1")
+	assert.ErrorContains(t, err, "invalid CIDR address")
+	assert.Equal(t, false, ok)
+
+	// Invalid IP in filter
+	ok, err = utils.FilterIP("invalid_ip", "10.5.5.5")
+	assert.ErrorContains(t, err, "invalid IP address in filter")
+	assert.Equal(t, false, ok)
+
+	// Invalid IP to check
+	ok, err = utils.FilterIP("10.10.10.10", "invalid_ip")
+	assert.ErrorContains(t, err, "invalid IP address")
+	assert.Equal(t, false, ok)
+}
+
+func TestCheckFilter(t *testing.T) {
+	// Empty filter
+	assert.Equal(t, true, utils.CheckFilter("", "anystring"))
+
+	// Exact match
+	assert.Equal(t, true, utils.CheckFilter("hello", "hello"))
+
+	// Regex match
+	assert.Equal(t, true, utils.CheckFilter("/^h.*o$/", "hello"))
+
+	// Invalid regex
+	assert.Equal(t, false, utils.CheckFilter("/[unclosed", "test"))
+
+	// Comma-separated values
+	assert.Equal(t, true, utils.CheckFilter("apple, banana, cherry", "banana"))
+
+	// No match
+	assert.Equal(t, false, utils.CheckFilter("apple, banana, cherry", "grape"))
+}
+
+func TestGenerateIdentifier(t *testing.T) {
+	// Consistent output for same input
+	id1 := utils.GenerateIdentifier("teststring")
+	id2 := utils.GenerateIdentifier("teststring")
+	assert.Equal(t, id1, id2)
+
+	// Different output for different input
+	id3 := utils.GenerateIdentifier("differentstring")
+	assert.Assert(t, id1 != id3)
+
+	// Check length (should be 8 characters from first segment of UUID)
+	assert.Equal(t, 8, len(id1))
+}

internal/utils/string_utils_test.go

@@ -0,0 +1,50 @@
+package utils_test
+
+import (
+	"testing"
+	"tinyauth/internal/utils"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestCapitalize(t *testing.T) {
+	// Test empty string
+	assert.Equal(t, "", utils.Capitalize(""))
+
+	// Test single character
+	assert.Equal(t, "A", utils.Capitalize("a"))
+
+	// Test multiple characters
+	assert.Equal(t, "Hello", utils.Capitalize("hello"))
+
+	// Test already capitalized
+	assert.Equal(t, "World", utils.Capitalize("World"))
+
+	// Test non-alphabetic first character
+	assert.Equal(t, "1number", utils.Capitalize("1number"))
+
+	// Test Unicode characters
+	assert.Equal(t, "Γειά", utils.Capitalize("γειά"))
+	assert.Equal(t, "Привет", utils.Capitalize("привет"))
+
+}
+
+func TestCoalesceToString(t *testing.T) {
+	// Test with []any containing strings
+	assert.Equal(t, "a,b,c", utils.CoalesceToString([]any{"a", "b", "c"}))
+
+	// Test with []any containing mixed types
+	assert.Equal(t, "a,c", utils.CoalesceToString([]any{"a", 1, "c", true}))
+
+	// Test with []any containing no strings
+	assert.Equal(t, "", utils.CoalesceToString([]any{1, 2, 3}))
+
+	// Test with string input
+	assert.Equal(t, "hello", utils.CoalesceToString("hello"))
+
+	// Test with non-string, non-[]any input
+	assert.Equal(t, "", utils.CoalesceToString(123))
+
+	// Test with nil input
+	assert.Equal(t, "", utils.CoalesceToString(nil))
+}

internal/utils/user_utils_test.go

@@ -0,0 +1,163 @@
+package utils_test
+
+import (
+	"os"
+	"testing"
+	"tinyauth/internal/utils"
+
+	"gotest.tools/v3/assert"
+)
+
+func TestGetUsers(t *testing.T) {
+	// Setup
+	file, err := os.Create("/tmp/tinyauth_users_test.txt")
+	assert.NilError(t, err)
+
+	_, err = file.WriteString("      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        \n         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G                    ") // Spacing is on purpose
+	assert.NilError(t, err)
+
+	err = file.Close()
+	assert.NilError(t, err)
+	defer os.Remove("/tmp/tinyauth_users_test.txt")
+
+	// Test file
+	users, err := utils.GetUsers("", "/tmp/tinyauth_users_test.txt")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user1", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "user2", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+
+	// Test config
+	users, err = utils.GetUsers("user3:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user4:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user3", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "user4", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+
+	// Test both
+	users, err = utils.GetUsers("user5:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "/tmp/tinyauth_users_test.txt")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, 3, len(users))
+
+	assert.Equal(t, "user5", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "user1", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+	assert.Equal(t, "user2", users[2].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[2].Password)
+
+	// Test empty
+	users, err = utils.GetUsers("", "")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, 0, len(users))
+
+	// Test non-existent file
+	users, err = utils.GetUsers("", "/tmp/non_existent_file.txt")
+
+	assert.ErrorContains(t, err, "no such file or directory")
+
+	assert.Equal(t, 0, len(users))
+}
+
+func TestParseUsers(t *testing.T) {
+	// Valid users
+	users, err := utils.ParseUsers("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF") // user2 has TOTP
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user1", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "", users[0].TotpSecret)
+	assert.Equal(t, "user2", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
+
+	// Valid weirdly spaced users
+	users, err = utils.ParseUsers("      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        ,         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF                    ") // Spacing is on purpose
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user1", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "", users[0].TotpSecret)
+	assert.Equal(t, "user2", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
+}
+
+func TestParseUser(t *testing.T) {
+	// Valid user without TOTP
+	user, err := utils.ParseUser("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, "user1", user.Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
+	assert.Equal(t, "", user.TotpSecret)
+
+	// Valid user with TOTP
+	user, err = utils.ParseUser("user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, "user2", user.Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
+	assert.Equal(t, "ABCDEF", user.TotpSecret)
+
+	// Valid user with $$ in password
+	user, err = utils.ParseUser("user3:pa$$word123")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, "user3", user.Username)
+	assert.Equal(t, "pa$word123", user.Password)
+	assert.Equal(t, "", user.TotpSecret)
+
+	// User with spaces
+	user, err = utils.ParseUser("   user4   :   password123   :   TOTPSECRET   ")
+
+	assert.NilError(t, err)
+
+	assert.Equal(t, "user4", user.Username)
+	assert.Equal(t, "password123", user.Password)
+	assert.Equal(t, "TOTPSECRET", user.TotpSecret)
+
+	// Invalid users
+	_, err = utils.ParseUser("user1") // Missing password
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser("user1:")
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser(":password123")
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser("user1:password123:ABC:EXTRA") // Too many parts
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser("user1::ABC")
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser(":password123:ABC")
+	assert.ErrorContains(t, err, "invalid user format")
+
+	_, err = utils.ParseUser("   :   :   ")
+	assert.ErrorContains(t, err, "invalid user format")
+}