feat: add support for logging in to a basic auth protected app

.github/workflows/nightly.yml

@@ -1,8 +1,6 @@
 name: Nightly Release
 on:
   workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *"
 
 jobs:
   create-release:

frontend/bun.lock

@@ -35,7 +35,7 @@
       "devDependencies": {
         "@eslint/js": "^9.29.0",
         "@tanstack/eslint-plugin-query": "^5.78.0",
-        "@types/node": "^24.0.3",
+        "@types/node": "^22.15.29",
         "@types/react": "^19.1.8",
         "@types/react-dom": "^19.1.6",
         "@vitejs/plugin-react": "^4.5.2",
@@ -354,7 +354,7 @@
 
     "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
 
-    "@types/node": ["@types/node@24.0.3", "", { "dependencies": { "undici-types": "~7.8.0" } }, "sha512-R4I/kzCYAdRLzfiCabn9hxWfbuHS573x+r0dJMkkzThEa7pbrcDWK+9zu3e7aBOouf+rQAciqPFMnxwr0aWgKg=="],
+    "@types/node": ["@types/node@22.15.29", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ=="],
 
     "@types/react": ["@types/react@19.1.8", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-AwAfQ2Wa5bCx9WP8nZL2uMZWod7J7/JSplxbTmBQ5ms6QpqNYm672H0Vu9ZVKVngQ+ii4R/byguVEUZQyeg44g=="],
 
@@ -874,7 +874,7 @@
 
     "typescript-eslint": ["typescript-eslint@8.34.1", "", { "dependencies": { "@typescript-eslint/eslint-plugin": "8.34.1", "@typescript-eslint/parser": "8.34.1", "@typescript-eslint/utils": "8.34.1" }, "peerDependencies": { "eslint": "^8.57.0 || ^9.0.0", "typescript": ">=4.8.4 <5.9.0" } }, "sha512-XjS+b6Vg9oT1BaIUfkW3M3LvqZE++rbzAMEHuccCfO/YkP43ha6w3jTEMilQxMF92nVOYCcdjv1ZUhAa1D/0ow=="],
 
-    "undici-types": ["undici-types@7.8.0", "", {}, "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw=="],
+    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
 
     "unified": ["unified@11.0.5", "", { "dependencies": { "@types/unist": "^3.0.0", "bail": "^2.0.0", "devlop": "^1.0.0", "extend": "^3.0.0", "is-plain-obj": "^4.0.0", "trough": "^2.0.0", "vfile": "^6.0.0" } }, "sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA=="],
 

frontend/package.json

@@ -41,7 +41,7 @@
   "devDependencies": {
     "@eslint/js": "^9.29.0",
     "@tanstack/eslint-plugin-query": "^5.78.0",
-    "@types/node": "^24.0.3",
+    "@types/node": "^22.15.29",
     "@types/react": "^19.1.8",
     "@types/react-dom": "^19.1.6",
     "@vitejs/plugin-react": "^4.5.2",

frontend/src/lib/i18n/locales/en-US.json

@@ -42,7 +42,6 @@
     "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
     "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
     "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",

frontend/src/lib/i18n/locales/en.json

@@ -42,7 +42,6 @@
     "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
     "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
     "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",

frontend/src/pages/unauthorized-page.tsx

@@ -17,9 +17,8 @@ export const UnauthorizedPage = () => {
   const username = searchParams.get("username");
   const resource = searchParams.get("resource");
   const groupErr = searchParams.get("groupErr");
-  const ip = searchParams.get("ip");
 
-  if (!username && !ip) {
+  if (!username) {
     return <Navigate to="/" />;
   }
 
@@ -42,10 +41,6 @@ export const UnauthorizedPage = () => {
     i18nKey = "unauthorizedGroupsSubtitle";
   }
 
-  if (ip) {
-    i18nKey = "unauthorizedIpSubtitle";
-  }
-
   return (
     <Card className="min-w-xs sm:min-w-sm">
       <CardHeader>
@@ -60,7 +55,6 @@ export const UnauthorizedPage = () => {
             values={{
               username,
               resource,
-              ip,
             }}
           />
         </CardDescription>

internal/auth/auth.go

@@ -351,44 +351,3 @@ func (auth *Auth) GetBasicAuth(c *gin.Context) *types.User {
 		Password: password,
 	}
 }
-
-func (auth *Auth) CheckIP(c *gin.Context, labels types.Labels) bool {
-	// Get the IP address from the request
-	ip := c.ClientIP()
-
-	// Check if the IP is in block list
-	for _, blocked := range labels.IP.Block {
-		res, err := utils.FilterIP(blocked, ip)
-		if err != nil {
-			log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
-			continue
-		}
-		if res {
-			log.Warn().Str("ip", ip).Str("item", blocked).Msg("IP is in blocked list, denying access")
-			return false
-		}
-	}
-
-	// For every IP in the allow list, check if the IP matches
-	for _, allowed := range labels.IP.Allow {
-		res, err := utils.FilterIP(allowed, ip)
-		if err != nil {
-			log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
-			continue
-		}
-		if res {
-			log.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allowed list, allowing access")
-			return true
-		}
-	}
-
-	// If not in allowed range and allowed range is not empty, deny access
-	if len(labels.IP.Allow) > 0 {
-		log.Warn().Str("ip", ip).Msg("IP not in allow list, denying access")
-		return false
-	}
-
-	log.Debug().Str("ip", ip).Msg("IP not in allow or block list, allowing by default")
-
-	return true
-}

internal/handlers/handlers.go

@@ -96,38 +96,6 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		return
 	}
 
-	// Check if the IP is allowed/blocked
-	ip := c.ClientIP()
-	if !h.Auth.CheckIP(c, labels) {
-		log.Warn().Str("ip", ip).Msg("IP not allowed")
-
-		if proxy.Proxy == "nginx" || !isBrowser {
-			c.JSON(403, gin.H{
-				"status":  403,
-				"message": "Forbidden",
-			})
-			return
-		}
-
-		values := types.UnauthorizedQuery{
-			Resource: strings.Split(host, ".")[0],
-			IP:       ip,
-		}
-
-		// Build query
-		queries, err := query.Values(values)
-
-		// Handle error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to build queries")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-			return
-		}
-
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
-		return
-	}
-
 	// Check if auth is enabled
 	authEnabled, err := h.Auth.AuthEnabled(c, labels)
 

internal/types/api.go

@@ -21,7 +21,6 @@ type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
 	GroupErr bool   `url:"groupErr"`
-	IP       string `url:"ip"`
 }
 
 // Proxy is the uri parameters for the proxy endpoint

internal/types/config.go

@@ -105,12 +105,6 @@ type BasicLabels struct {
 	Password string
 }
 
-// IP labels for a tinyauth protected container
-type IPLabels struct {
-	Allow []string
-	Block []string
-}
-
 // Labels is a struct that contains the labels for a tinyauth protected container
 type Labels struct {
 	Users   string
@@ -119,5 +113,4 @@ type Labels struct {
 	Domain  string
 	Basic   BasicLabels
 	OAuth   OAuthLabels
-	IP      IPLabels
 }

internal/utils/utils.go

@@ -3,7 +3,6 @@ package utils
 import (
 	"encoding/base64"
 	"errors"
-	"net"
 	"net/url"
 	"os"
 	"regexp"
@@ -203,7 +202,7 @@ func GetLabels(labels map[string]string) (types.Labels, error) {
 	var labelsParsed types.Labels
 
 	// Decode the labels into the labels struct
-	err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.users", "tinyauth.allowed", "tinyauth.headers", "tinyauth.domain", "tinyauth.basic", "tinyauth.oauth", "tinyauth.ip")
+	err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.users", "tinyauth.allowed", "tinyauth.headers", "tinyauth.domain", "tinyauth.basic", "tinyauth.oauth")
 
 	// Check if there was an error
 	if err != nil {
@@ -369,39 +368,3 @@ func GetBasicAuth(username string, password string) string {
 	// Encode the auth string to base64
 	return base64.StdEncoding.EncodeToString([]byte(auth))
 }
-
-// Check if an IP is contained in a CIDR range/matches a single IP
-func FilterIP(filter string, ip string) (bool, error) {
-	// Convert the check IP to an IP instance
-	ipAddr := net.ParseIP(ip)
-
-	// Check if the filter is a CIDR range
-	if strings.Contains(filter, "/") {
-		// Parse the CIDR range
-		_, cidr, err := net.ParseCIDR(filter)
-
-		// Check if there was an error
-		if err != nil {
-			return false, err
-		}
-
-		// Check if the IP is in the CIDR range
-		return cidr.Contains(ipAddr), nil
-	}
-
-	// Parse the filter as a single IP
-	ipFilter := net.ParseIP(filter)
-
-	// Check if the IP is valid
-	if ipFilter == nil {
-		return false, errors.New("invalid IP address in filter")
-	}
-
-	// Check if the IP matches the filter
-	if ipFilter.Equal(ipAddr) {
-		return true, nil
-	}
-
-	// If the filter is not a CIDR range or a single IP, return false
-	return false, nil
-}