chore: update contributing instructions

* feat: forward sub from oidc providers

* fix: review comments

.github/workflows/ci.yml

@@ -18,7 +18,16 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |

.github/workflows/nightly.yml

@@ -61,7 +61,16 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -107,7 +116,16 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -147,6 +165,15 @@ jobs:
         with:
           ref: nightly
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -205,6 +232,15 @@ jobs:
         with:
           ref: nightly
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -263,6 +299,15 @@ jobs:
         with:
           ref: nightly
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -321,6 +366,15 @@ jobs:
         with:
           ref: nightly
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.github/workflows/release.yml

@@ -39,7 +39,16 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -82,7 +91,16 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -119,6 +137,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -174,6 +201,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -229,6 +265,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -284,6 +329,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "paerser"]
+	path = paerser
+	url = https://github.com/traefik/paerser
+	ignore = all

CONTRIBUTING.md

@@ -5,7 +5,7 @@ Contributing is relatively easy, you just need to follow the steps below and you
 ## Requirements
 
 - Bun
-- Golang v1.23.2 and above
+- Golang 1.24.0+
 - Git
 - Docker
 
@@ -18,12 +18,21 @@ git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
 
-## Install requirements
+## Initialize submodules
 
-Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:
+The project uses Git submodules for some dependencies, so you need to initialize them with:
 
 ```sh
-go mod tidy
+git submodule init
+git submodule update
+```
+
+## Install requirements
+
+Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
+
+```sh
+go mod download
 ```
 
 You also need to download the frontend dependencies, this can be done like so:
@@ -33,13 +42,21 @@ cd frontend/
 bun install
 ```
 
+## Apply patches
+
+Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
+
+```sh
+git apply --directory paerser/ patches/nested_maps.diff
+```
+
 ## Create your `.env` file
 
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 
 ## Developing
 
-I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 
 ```
 *.dev.example.com -> 127.0.0.1
@@ -49,7 +66,7 @@ dev.example.com -> 127.0.0.1
 > [!TIP]
 > You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
 
-Then you can just make sure the domains are correct in the development docker compose file and run:
+Then you can just make sure the domains are correct in the development Docker compose file and run:
 
 ```sh
 docker compose -f docker-compose.dev.yml up --build

Dockerfile

@@ -28,6 +28,8 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./
 
@@ -38,7 +40,7 @@ COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
- 
+
 # Runner
 FROM alpine:3.23 AS runner
 
@@ -62,4 +64,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

Dockerfile.dev

@@ -2,6 +2,8 @@ FROM golang:1.25-alpine3.21
 
 WORKDIR /tinyauth
 
+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./
 
@@ -20,4 +22,4 @@ ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 
-ENTRYPOINT ["air", "-c", "air.toml"]
+ENTRYPOINT ["air", "-c", "air.toml"]

Dockerfile.distroless

@@ -28,6 +28,8 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./
 
@@ -40,7 +42,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
- 
+
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
 
@@ -65,4 +67,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

cmd/tinyauth/tinyauth.go

@@ -34,6 +34,10 @@ func NewTinyauthCmdConfiguration() *config.Config {
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
+		Ldap: config.LdapConfig{
+			Insecure:     false,
+			SearchFilter: "(uid=%s)",
+		},
 		Experimental: config.ExperimentalConfig{
 			ConfigFile: "",
 		},

docker-compose.dev.yml

@@ -42,7 +42,6 @@ services:
     volumes:
       - ./internal:/tinyauth/internal
       - ./cmd:/tinyauth/cmd
-      - ./main.go:/tinyauth/main.go
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/data
     ports:

go.mod

@@ -4,6 +4,8 @@ go 1.24.0
 
 toolchain go1.24.3
 
+replace github.com/traefik/paerser v0.2.2 => ./paerser
+
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/huh v0.8.0

go.sum

@@ -271,8 +271,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
-github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=

internal/assets/migrations/000003_oauth_sub.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "sessions" DROP COLUMN "oauth_sub";

internal/assets/migrations/000003_oauth_sub.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;

internal/bootstrap/service_bootstrap.go

@@ -57,7 +57,7 @@ func (app *BootstrapApp) initServices() (Services, error) {
 
 	services.dockerService = dockerService
 
-	accessControlsService := service.NewAccessControlsService(dockerService)
+	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
 
 	err = accessControlsService.Init()
 

internal/config/config.go

@@ -25,6 +25,7 @@ type Config struct {
 	LogJSON           bool               `description:"Enable JSON formatted logs." yaml:"logJSON"`
 	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
+	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
 	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
 	UI                UIConfig           `description:"UI customization." yaml:"ui"`
 	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
@@ -79,6 +80,7 @@ const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 
 type Claims struct {
+	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
@@ -125,6 +127,7 @@ type SessionCookie struct {
 	TotpPending bool
 	OAuthGroups string
 	OAuthName   string
+	OAuthSub    string
 }
 
 type UserContext struct {
@@ -138,6 +141,7 @@ type UserContext struct {
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
+	OAuthSub    string
 }
 
 // API responses and queries
@@ -153,61 +157,55 @@ type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
 
-// Labels
+// ACLs
 
 type Apps struct {
-	Apps map[string]App
+	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
 }
 
 type App struct {
-	Config   AppConfig
-	Users    AppUsers
-	OAuth    AppOAuth
-	IP       AppIP
-	Response AppResponse
-	Path     AppPath
+	Config   AppConfig   `description:"App configuration." yaml:"config"`
+	Users    AppUsers    `description:"User access configuration." yaml:"users"`
+	OAuth    AppOAuth    `description:"OAuth access configuration." yaml:"oauth"`
+	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
+	Response AppResponse `description:"Response customization." yaml:"response"`
+	Path     AppPath     `description:"Path access configuration." yaml:"path"`
 }
 
 type AppConfig struct {
-	Domain string
+	Domain string `description:"The domain of the app." yaml:"domain"`
 }
 
 type AppUsers struct {
-	Allow string
-	Block string
+	Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
+	Block string `description:"Comma-separated list of blocked users." yaml:"block"`
 }
 
 type AppOAuth struct {
-	Whitelist string
-	Groups    string
+	Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
+	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
 }
 
 type AppIP struct {
-	Allow  []string
-	Block  []string
-	Bypass []string
+	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
+	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
+	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
 }
 
 type AppResponse struct {
-	Headers   []string
-	BasicAuth AppBasicAuth
+	Headers   []string     `description:"Custom headers to add to the response." yaml:"headers"`
+	BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
 }
 
 type AppBasicAuth struct {
-	Username     string
-	Password     string
-	PasswordFile string
+	Username     string `description:"Basic auth username." yaml:"username"`
+	Password     string `description:"Basic auth password." yaml:"password"`
+	PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
 }
 
 type AppPath struct {
-	Allow string
-	Block string
-}
-
-// Flags
-
-type Providers struct {
-	Providers map[string]OAuthServiceConfig
+	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
+	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
 }
 
 // API server

internal/controller/context_controller.go

@@ -21,6 +21,7 @@ type UserContextResponse struct {
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
+	OAuthSub    string `json:"oauthSub"`
 }
 
 type AppContextResponse struct {
@@ -89,6 +90,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
+		OAuthSub:    context.OAuthSub,
 	}
 
 	if err != nil {

internal/controller/context_controller_test.go

@@ -44,6 +44,7 @@ var userContext = config.UserContext{
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
+	OAuthSub:    "",
 }
 
 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {

internal/controller/oauth_controller.go

@@ -197,6 +197,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
+		OAuthSub:    user.Sub,
 	}
 
 	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")

internal/controller/proxy_controller.go

@@ -239,6 +239,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
 
 		controller.setHeaders(c, acls)
 

internal/controller/proxy_controller_test.go

@@ -41,7 +41,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService)
+	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
 
 	assert.NilError(t, accessControlsService.Init())
 

internal/middleware/context_middleware.go

@@ -99,6 +99,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
 				OAuthName:   cookie.OAuthName,
+				OAuthSub:    cookie.OAuthSub,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})

internal/model/session_model.go

@@ -10,4 +10,5 @@ type Session struct {
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
 	OAuthName   string `gorm:"column:oauth_name"`
+	OAuthSub    string `gorm:"column:oauth_sub"`
 }

internal/service/access_controls_service.go

@@ -1,122 +1,54 @@
 package service
 
 import (
+	"errors"
+	"strings"
+
+	"github.com/rs/zerolog/log"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 
-/*
-Environment variable/flag based ACLs are disabled until v5 due to a technical challenge
-with the current parsing logic.
-
-The current parser works for simple OAuth provider configs like:
-- PROVIDERS_MY_AMAZING_PROVIDER_CLIENT_ID
-
-However, it breaks down when handling nested structs required for ACLs. The custom parsing
-solution that worked for v4 OAuth providers is incompatible with the ACL parsing logic,
-making the codebase unmaintainable and fragile.
-
-A solution is being considered for v5 that would standardize the format to something like:
-- TINYAUTH_PROVIDERS_GOOGLE_CLIENTSECRET
-- TINYAUTH_APPS_MYAPP_CONFIG_DOMAIN
-
-This would allow the Traefik parser to handle everything consistently, but requires a
-config migration. Until this is resolved, environment-based ACLs are disabled and only
-Docker label-based ACLs are supported.
-
-See: https://discord.com/channels/1337450123600465984/1337459086270271538/1434986689935179838 for more information
-*/
-
 type AccessControlsService struct {
 	docker *DockerService
-	// envACLs config.Apps
+	static map[string]config.App
 }
 
-func NewAccessControlsService(docker *DockerService) *AccessControlsService {
+func NewAccessControlsService(docker *DockerService, static map[string]config.App) *AccessControlsService {
 	return &AccessControlsService{
 		docker: docker,
+		static: static,
 	}
 }
 
 func (acls *AccessControlsService) Init() error {
-	// acls.envACLs = config.Apps{}
-	// env := os.Environ()
-	// appEnvVars := []string{}
-
-	// for _, e := range env {
-	// 	if strings.HasPrefix(e, "TINYAUTH_APPS_") {
-	// 		appEnvVars = append(appEnvVars, e)
-	// 	}
-	// }
-
-	// err := acls.loadEnvACLs(appEnvVars)
-
-	// if err != nil {
-	// 	return err
-	// }
-
-	// return nil
-
-	return nil
-
+	return nil // No initialization needed
 }
 
-// func (acls *AccessControlsService) loadEnvACLs(appEnvVars []string) error {
-// 	if len(appEnvVars) == 0 {
-// 		return nil
-// 	}
+func (acls *AccessControlsService) lookupStaticACLs(domain string) (config.App, error) {
+	for app, config := range acls.static {
+		if config.Config.Domain == domain {
+			log.Debug().Str("name", app).Msg("Found matching container by domain")
+			return config, nil
+		}
 
-// 	envAcls := map[string]string{}
+		if strings.SplitN(domain, ".", 2)[0] == app {
+			log.Debug().Str("name", app).Msg("Found matching container by app name")
+			return config, nil
+		}
+	}
+	return config.App{}, errors.New("no results")
+}
 
-// 	for _, e := range appEnvVars {
-// 		parts := strings.SplitN(e, "=", 2)
-// 		if len(parts) != 2 {
-// 			continue
-// 		}
+func (acls *AccessControlsService) GetAccessControls(domain string) (config.App, error) {
+	// First check in the static config
+	app, err := acls.lookupStaticACLs(domain)
 
-// 		key := parts[0]
-// 		key = strings.ToLower(key)
-// 		key = strings.ReplaceAll(key, "_", ".")
-// 		value := parts[1]
-// 		envAcls[key] = value
-// 	}
-
-// 	apps, err := decoders.DecodeLabels(envAcls)
-
-// 	if err != nil {
-// 		return err
-// 	}
-
-// 	acls.envACLs = apps
-// 	return nil
-// }
-
-// func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App {
-// 	if len(acls.envACLs.Apps) == 0 {
-// 		return nil
-// 	}
-
-// 	for appName, appACLs := range acls.envACLs.Apps {
-// 		if appACLs.Config.Domain == appDomain {
-// 			return &appACLs
-// 		}
-
-// 		if strings.SplitN(appDomain, ".", 2)[0] == appName {
-// 			return &appACLs
-// 		}
-// 	}
-
-// 	return nil
-// }
-
-func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) {
-	// First check environment variables
-	// envACLs := acls.lookupEnvACLs(appDomain)
-
-	// if envACLs != nil {
-	// 	log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables")
-	// 	return *envACLs, nil
-	// }
+	if err == nil {
+		log.Debug().Msg("Using ACls from static configuration")
+		return app, nil
+	}
 
 	// Fallback to Docker labels
-	return acls.docker.GetLabels(appDomain)
+	log.Debug().Msg("Falling back to Docker labels for ACLs")
+	return acls.docker.GetLabels(domain)
 }

internal/service/auth_service.go

@@ -213,6 +213,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
 		OAuthName:   data.OAuthName,
+		OAuthSub:    data.OAuthSub,
 	}
 
 	err = gorm.G[model.Session](auth.database).Create(c, &session)
@@ -314,6 +315,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
 		OAuthName:   session.OAuthName,
+		OAuthSub:    session.OAuthSub,
 	}, nil
 }
 

internal/service/github_oauth_service.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -27,6 +28,7 @@ type GithubEmailResponse []struct {
 type GithubUserInfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
+	ID    int    `json:"id"`
 }
 
 type GithubOAuthService struct {
@@ -172,6 +174,7 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
 
 	user.PreferredUsername = userInfo.Login
 	user.Name = userInfo.Name
+	user.Sub = strconv.Itoa(userInfo.ID)
 
 	return user, nil
 }

internal/service/google_oauth_service.go

@@ -17,12 +17,7 @@ import (
 	"golang.org/x/oauth2/endpoints"
 )
 
-var GoogleOAuthScopes = []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
-
-type GoogleUserInfoResponse struct {
-	Email string `json:"email"`
-	Name  string `json:"name"`
-}
+var GoogleOAuthScopes = []string{"openid", "email", "profile"}
 
 type GoogleOAuthService struct {
 	config   oauth2.Config
@@ -91,7 +86,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 
 	client := google.config.Client(google.context, google.token)
 
-	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
+	res, err := client.Get("https://openidconnect.googleapis.com/v1/userinfo")
 	if err != nil {
 		return config.Claims{}, err
 	}
@@ -106,16 +101,12 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 		return config.Claims{}, err
 	}
 
-	var userInfo GoogleUserInfoResponse
-
-	err = json.Unmarshal(body, &userInfo)
+	err = json.Unmarshal(body, &user)
 	if err != nil {
 		return config.Claims{}, err
 	}
 
-	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
-	user.Name = userInfo.Name
-	user.Email = userInfo.Email
+	user.PreferredUsername = strings.SplitN(user.Email, "@", 2)[0]
 
 	return user, nil
 }

patches/nested_maps.diff

@@ -0,0 +1,95 @@
+diff --git a/env/env_test.go b/env/env_test.go
+index 7045569..365dc00 100644
+--- a/env/env_test.go
++++ b/env/env_test.go
+@@ -166,6 +166,38 @@ func TestDecode(t *testing.T) {
+ 				Foo: &struct{ Field string }{},
+ 			},
+ 		},
++		{
++			desc:    "map under the root key",
++			environ: []string{"TRAEFIK_FOO_BAR_FOOBAR_BARFOO=foo"},
++			element: &struct {
++				Foo map[string]struct {
++					Foobar struct {
++						Barfoo string
++					}
++				}
++			}{},
++			expected: &struct {
++				Foo map[string]struct {
++					Foobar struct {
++						Barfoo string
++					}
++				}
++			}{
++				Foo: map[string]struct {
++					Foobar struct {
++						Barfoo string
++					}
++				}{
++					"bar": {
++						Foobar: struct {
++							Barfoo string
++						}{
++							Barfoo: "foo",
++						},
++					},
++				},
++			},
++		},
+ 	}
+ 
+ 	for _, test := range testCases {
+diff --git a/parser/nodes_metadata.go b/parser/nodes_metadata.go
+index 36946c1..0279705 100644
+--- a/parser/nodes_metadata.go
++++ b/parser/nodes_metadata.go
+@@ -75,8 +75,13 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
+ 	node.Kind = fType.Kind()
+ 	node.Tag = field.Tag
+ 
+-	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
+-		fType.Kind() == reflect.Map {
++	if node.Kind == reflect.String && len(node.Children) > 0 {
++		fType = reflect.TypeOf(struct{}{})
++		node.Kind = reflect.Struct
++	}
++
++	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
++		node.Kind == reflect.Map {
+ 		if len(node.Children) == 0 && !(field.Tag.Get(m.TagName) == TagLabelAllowEmpty || field.Tag.Get(m.TagName) == "-") {
+ 			return fmt.Errorf("%s cannot be a standalone element (type %s)", node.Name, fType)
+ 		}
+@@ -90,11 +95,11 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
+ 		return nil
+ 	}
+ 
+-	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
++	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
+ 		return m.browseChildren(fType, node)
+ 	}
+ 
+-	if fType.Kind() == reflect.Map {
++	if node.Kind == reflect.Map {
+ 		if fType.Elem().Kind() == reflect.Interface {
+ 			addRawValue(node)
+ 			return nil
+@@ -115,7 +120,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
+ 		return nil
+ 	}
+ 
+-	if fType.Kind() == reflect.Slice {
++	if node.Kind == reflect.Slice {
+ 		if m.AllowSliceAsStruct && field.Tag.Get(TagLabelSliceAsStruct) != "" {
+ 			return m.browseChildren(fType.Elem(), node)
+ 		}
+@@ -129,7 +134,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
+ 		return nil
+ 	}
+ 
+-	return fmt.Errorf("invalid node %s: %v", node.Name, fType.Kind())
++	return fmt.Errorf("invalid node %s: %v", node.Name, node.Kind)
+ }
+ 
+ func (m metadata) findTypedField(rType reflect.Type, node *Node) (reflect.StructField, error) {