fix: ensure safe redirect check only accepts actual domains

Bumps the minor-patch group with 1 update: [modernc.org/sqlite](https://gitlab.com/cznic/sqlite).


Updates `modernc.org/sqlite` from 1.44.0 to 1.44.1
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.0...v1.44.1)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-version: 1.44.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/nightly.yml

@@ -89,7 +89,7 @@ jobs:
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 
@@ -144,7 +144,7 @@ jobs:
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 

.github/workflows/release.yml

@@ -67,7 +67,7 @@ jobs:
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 
@@ -119,7 +119,7 @@ jobs:
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 

.zed/debug.json

@@ -0,0 +1,13 @@
+[
+  {
+    "label": "Attach to remote Delve",
+    "adapter": "Delve",
+    "mode": "remote",
+    "remotePath": "/tinyauth",
+    "request": "attach",
+    "tcp_connection": {
+      "host": "127.0.0.1",
+      "port": 4000,
+    },
+  },
+]

Dockerfile

@@ -39,7 +39,10 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
-RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
 FROM alpine:3.23 AS runner
@@ -54,11 +57,9 @@ EXPOSE 3000
 
 VOLUME ["/data"]
 
-ENV DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 
-ENV RESOURCESDIR=/data/resources
-
-ENV GIN_MODE=release
+ENV TINYAUTH_RESOURCESDIR=/data/resources
 
 ENV PATH=$PATH:/tinyauth
 

Dockerfile.distroless

@@ -41,7 +41,10 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
 RUN mkdir -p data
 
-RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
@@ -61,8 +64,6 @@ ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 
-ENV GIN_MODE=release
-
 ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]

Makefile

@@ -31,9 +31,9 @@ webui: clean-webui
 # Build the binary
 binary: webui
 	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
-	-X tinyauth/internal/config.Version=${TAG_NAME} \
-	-X tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-	-X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
+	-X github.com/steveiliop56/tinyauth/internal/config.Version=${TAG_NAME} \
+	-X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+	-X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth
 
 # Build for amd64
@@ -62,3 +62,8 @@ develop:
 # Production
 prod:
 	docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
+
+# SQL
+.PHONY: sql
+sql:
+	sqlc generate

cmd/tinyauth/tinyauth.go

@@ -21,9 +21,9 @@ func NewTinyauthCmdConfiguration() *config.Config {
 			Address: "0.0.0.0",
 		},
 		Auth: config.AuthConfig{
-			SessionExpiry:      3600,
-			SessionMaxLifetime: 0,
-			LoginTimeout:       300,
+			SessionExpiry:      86400, // 1 day
+			SessionMaxLifetime: 0,     // disabled
+			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
 		},
 		UI: config.UIConfig{
@@ -34,6 +34,7 @@ func NewTinyauthCmdConfiguration() *config.Config {
 		Ldap: config.LdapConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
+			GroupCacheTTL: 900, // 15 minutes
 		},
 		Log: config.LogConfig{
 			Level: "info",

frontend/bun.lock

@@ -36,7 +36,7 @@
       "devDependencies": {
         "@eslint/js": "^9.39.2",
         "@tanstack/eslint-plugin-query": "^5.91.2",
-        "@types/node": "^25.0.8",
+        "@types/node": "^25.0.9",
         "@types/react": "^19.2.8",
         "@types/react-dom": "^19.2.3",
         "@vitejs/plugin-react": "^5.1.2",
@@ -365,7 +365,7 @@
 
     "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
 
-    "@types/node": ["@types/node@25.0.8", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-powIePYMmC3ibL0UJ2i2s0WIbq6cg6UyVFQxSCpaPxxzAaziRfimGivjdF943sSGV6RADVbk0Nvlm5P/FB44Zg=="],
+    "@types/node": ["@types/node@25.0.9", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-/rpCXHlCWeqClNBwUhDcusJxXYDjZTyE8v5oTO7WbL8eij2nKhUeU89/6xgjU7N4/Vh3He0BtyhJdQbDyhiXAw=="],
 
     "@types/react": ["@types/react@19.2.8", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-3MbSL37jEchWZz2p2mjntRZtPt837ij10ApxKfgmXCTuHWagYg7iA5bqPw6C8BMPfwidlvfPI/fxOc42HLhcyg=="],
 

frontend/package.json

@@ -42,7 +42,7 @@
   "devDependencies": {
     "@eslint/js": "^9.39.2",
     "@tanstack/eslint-plugin-query": "^5.91.2",
-    "@types/node": "^25.0.8",
+    "@types/node": "^25.0.9",
     "@types/react": "^19.2.8",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.2",

frontend/src/pages/login-page.tsx

@@ -50,10 +50,12 @@ export const LoginPage = () => {
   const redirectUri = searchParams.get("redirect_uri");
 
   const oauthProviders = providers.filter(
-    (provider) => provider.id !== "username",
+    (provider) => provider.id !== "local" && provider.id !== "ldap",
   );
   const userAuthConfigured =
-    providers.find((provider) => provider.id === "username") !== undefined;
+    providers.find(
+      (provider) => provider.id === "local" || provider.id === "ldap",
+    ) !== undefined;
 
   const oauthMutation = useMutation({
     mutationFn: (provider: string) =>

go.mod

@@ -24,7 +24,7 @@ require (
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.34.0
 	gotest.tools/v3 v3.5.2
-	modernc.org/sqlite v1.44.0
+	modernc.org/sqlite v1.44.1
 )
 
 require (
@@ -119,7 +119,7 @@ require (
 	golang.org/x/text v0.33.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.67.4 // indirect
+	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect

go.sum

@@ -383,8 +383,8 @@ modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
 modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.67.4 h1:zZGmCMUVPORtKv95c2ReQN5VDjvkoRm9GWPTEPuvlWg=
-modernc.org/libc v1.67.4/go.mod h1:QvvnnJ5P7aitu0ReNpVIEyesuhmDLQ8kaEoyMjIFZJA=
+modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
+modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -393,8 +393,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.44.0 h1:YjCKJnzZde2mLVy0cMKTSL4PxCmbIguOq9lGp8ZvGOc=
-modernc.org/sqlite v1.44.0/go.mod h1:2Dq41ir5/qri7QJJJKNZcP4UF7TsX/KNeykYgPDtGhE=
+modernc.org/sqlite v1.44.1 h1:qybx/rNpfQipX/t47OxbHmkkJuv2JWifCMH8SVUiDas=
+modernc.org/sqlite v1.44.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/bootstrap/app_bootstrap.go

@@ -144,10 +144,18 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
 
-	if services.authService.UserAuthConfigured() {
+	if services.authService.LocalAuthConfigured() {
 		configuredProviders = append(configuredProviders, controller.Provider{
-			Name:  "Username",
-			ID:    "username",
+			Name:  "Local",
+			ID:    "local",
+			OAuth: false,
+		})
+	}
+
+	if services.authService.LdapAuthConfigured() {
+		configuredProviders = append(configuredProviders, controller.Provider{
+			Name:  "LDAP",
+			ID:    "ldap",
 			OAuth: false,
 		})
 	}

internal/bootstrap/router_bootstrap.go

@@ -2,14 +2,22 @@ package bootstrap
 
 import (
 	"fmt"
+	"slices"
 
+	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/middleware"
 
 	"github.com/gin-gonic/gin"
 )
 
+var DEV_MODES = []string{"main", "test", "development"}
+
 func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
+	if !slices.Contains(DEV_MODES, config.Version) {
+		gin.SetMode(gin.ReleaseMode)
+	}
+
 	engine := gin.New()
 	engine.Use(gin.Recovery())
 

internal/bootstrap/service_bootstrap.go

@@ -67,6 +67,7 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
 		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
 		SessionCookieName:  app.context.sessionCookieName,
 		IP:                 app.config.Auth.IP,
+		LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
 	}, dockerService, services.ldapService, queries)
 
 	err = authService.Init()

internal/config/config.go

@@ -75,6 +75,7 @@ type LdapConfig struct {
 	SearchFilter  string `description:"LDAP search filter." yaml:"searchFilter"`
 	AuthCert      string `description:"Certificate for mTLS authentication." yaml:"authCert"`
 	AuthKey       string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
+	GroupCacheTTL int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 
 type LogConfig struct {
@@ -138,28 +139,22 @@ type User struct {
 	TotpSecret string
 }
 
+type LdapUser struct {
+	DN     string
+	Groups []string
+}
+
 type UserSearch struct {
 	Username string
 	Type     string // local, ldap or unknown
 }
 
-type SessionCookie struct {
-	UUID        string
-	Username    string
-	Name        string
-	Email       string
-	Provider    string
-	TotpPending bool
-	OAuthGroups string
-	OAuthName   string
-	OAuthSub    string
-}
-
 type UserContext struct {
 	Username    string
 	Name        string
 	Email       string
 	IsLoggedIn  bool
+	IsBasicAuth bool
 	OAuth       bool
 	Provider    string
 	TotpPending bool
@@ -167,6 +162,7 @@ type UserContext struct {
 	TotpEnabled bool
 	OAuthName   string
 	OAuthSub    string
+	LdapGroups  string
 }
 
 // API responses and queries
@@ -195,6 +191,7 @@ type App struct {
 	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
 	Response AppResponse `description:"Response customization." yaml:"response"`
 	Path     AppPath     `description:"Path access configuration." yaml:"path"`
+	LDAP     AppLDAP     `description:"LDAP access configuration." yaml:"ldap"`
 }
 
 type AppConfig struct {
@@ -211,6 +208,10 @@ type AppOAuth struct {
 	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
 }
 
+type AppLDAP struct {
+	Groups string `description:"Comma-separated list of required LDAP groups." yaml:"groups"`
+}
+
 type AppIP struct {
 	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
 	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`

internal/controller/context_controller.go

@@ -21,7 +21,6 @@ type UserContextResponse struct {
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
-	OAuthSub    string `json:"oauthSub"`
 }
 
 type AppContextResponse struct {
@@ -90,7 +89,6 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
-		OAuthSub:    context.OAuthSub,
 	}
 
 	if err != nil {

internal/controller/context_controller_test.go

@@ -16,8 +16,8 @@ import (
 var controllerCfg = controller.ContextControllerConfig{
 	Providers: []controller.Provider{
 		{
-			Name:  "Username",
-			ID:    "username",
+			Name:  "Local",
+			ID:    "local",
 			OAuth: false,
 		},
 		{
@@ -40,8 +40,9 @@ var userContext = config.UserContext{
 	Name:        "testuser",
 	Email:       "test@example.com",
 	IsLoggedIn:  true,
+	IsBasicAuth: false,
 	OAuth:       false,
-	Provider:    "username",
+	Provider:    "local",
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,

internal/controller/oauth_controller.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
+	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
@@ -188,10 +189,10 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = user.PreferredUsername
 	} else {
 		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
-		username = strings.Replace(user.Email, "@", "_", -1)
+		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
-	sessionCookie := config.SessionCookie{
+	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,
 		Email:       user.Email,

internal/controller/proxy_controller.go

@@ -173,7 +173,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
-	if userContext.Provider == "basic" && userContext.TotpEnabled {
+	if userContext.IsBasicAuth && userContext.TotpEnabled {
 		tlog.App.Debug().Msg("User has TOTP enabled, denying basic auth access")
 		userContext.IsLoggedIn = false
 	}
@@ -212,11 +212,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}
 
+		if userContext.OAuth || userContext.Provider == "ldap" {
+			var groupOK bool
+
 			if userContext.OAuth {
-			groupOK := controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+				groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+			} else {
+				groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
+			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
+				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User groups do not match resource requirements")
 
 				if req.Proxy == "nginx" || !isBrowser {
 					c.JSON(403, gin.H{
@@ -251,7 +257,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+
+		if userContext.Provider == "ldap" {
+			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
+		} else if userContext.Provider != "local" {
 			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		}
+
 		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
 
 		controller.setHeaders(c, acls)

internal/controller/proxy_controller_test.go

@@ -143,11 +143,11 @@ func TestProxyHandler(t *testing.T) {
 	// Test logged in user
 	c := gin.CreateTestContextOnly(recorder, router)
 
-	err := authService.CreateSessionCookie(c, &config.SessionCookie{
+	err := authService.CreateSessionCookie(c, &repository.Session{
 		Username:    "testuser",
 		Name:        "testuser",
 		Email:       "testuser@example.com",
-		Provider:    "username",
+		Provider:    "local",
 		TotpPending: false,
 		OAuthGroups: "",
 	})
@@ -164,7 +164,7 @@ func TestProxyHandler(t *testing.T) {
 				Email:       "testuser@example.com",
 				IsLoggedIn:  true,
 				OAuth:       false,
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: false,
 				OAuthGroups: "",
 				TotpEnabled: false,
@@ -192,8 +192,9 @@ func TestProxyHandler(t *testing.T) {
 				Name:        "testuser",
 				Email:       "testuser@example.com",
 				IsLoggedIn:  true,
+				IsBasicAuth: true,
 				OAuth:       false,
-				Provider:    "basic",
+				Provider:    "local",
 				TotpPending: false,
 				OAuthGroups: "",
 				TotpEnabled: true,

internal/controller/user_controller.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/steveiliop56/tinyauth/internal/config"
+	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
@@ -112,11 +112,11 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		if user.TotpSecret != "" {
 			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
 
-			err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
+			err := controller.auth.CreateSessionCookie(c, &repository.Session{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
 				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: true,
 			})
 
@@ -138,11 +138,15 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	sessionCookie := config.SessionCookie{
+	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
 		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
-		Provider: "username",
+		Provider: "local",
+	}
+
+	if userSearch.Type == "ldap" {
+		sessionCookie.Provider = "ldap"
 	}
 
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
@@ -248,11 +252,11 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	controller.auth.RecordLoginAttempt(context.Username, true)
 
-	sessionCookie := config.SessionCookie{
+	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
 		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
-		Provider: "username",
+		Provider: "local",
 	}
 
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")

internal/controller/user_controller_test.go

@@ -204,7 +204,7 @@ func TestTotpHandler(t *testing.T) {
 				Email:       "totpuser@example.com",
 				IsLoggedIn:  false,
 				OAuth:       false,
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: true,
 				OAuthGroups: "",
 				TotpEnabled: true,
@@ -267,7 +267,7 @@ func TestTotpHandler(t *testing.T) {
 				Email:       "totpuser@example.com",
 				IsLoggedIn:  false,
 				OAuth:       false,
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: true,
 				OAuthGroups: "",
 				TotpEnabled: true,
@@ -290,7 +290,7 @@ func TestTotpHandler(t *testing.T) {
 				Email:       "totpuser@example.com",
 				IsLoggedIn:  false,
 				OAuth:       false,
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: false,
 				OAuthGroups: "",
 				TotpEnabled: false,

internal/middleware/context_middleware.go

@@ -49,7 +49,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Username:    cookie.Username,
 				Name:        cookie.Name,
 				Email:       cookie.Email,
-				Provider:    "username",
+				Provider:    "local",
 				TotpPending: true,
 				TotpEnabled: true,
 			})
@@ -58,22 +58,44 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 		}
 
 		switch cookie.Provider {
-		case "username":
+		case "local", "ldap":
 			userSearch := m.auth.SearchUser(cookie.Username)
 
-			if userSearch.Type == "unknown" || userSearch.Type == "error" {
+			if userSearch.Type == "unknown" {
 				tlog.App.Debug().Msg("User from session cookie not found")
 				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 
+			if userSearch.Type != cookie.Provider {
+				tlog.App.Warn().Msg("User type from session cookie does not match user search type")
+				m.auth.DeleteSessionCookie(c)
+				c.Next()
+				return
+			}
+
+			var ldapGroups []string
+
+			if cookie.Provider == "ldap" {
+				ldapUser, err := m.auth.GetLdapUser(userSearch.Username)
+
+				if err != nil {
+					tlog.App.Error().Err(err).Msg("Error retrieving LDAP user details")
+					c.Next()
+					return
+				}
+
+				ldapGroups = ldapUser.Groups
+			}
+
 			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
 				Name:       cookie.Name,
 				Email:      cookie.Email,
-				Provider:   "username",
+				Provider:   cookie.Provider,
 				IsLoggedIn: true,
+				LdapGroups: strings.Join(ldapGroups, ","),
 			})
 			c.Next()
 			return
@@ -155,20 +177,32 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
 				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
-				Provider:    "basic",
+				Provider:    "local",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
+				IsBasicAuth: true,
 			})
 			c.Next()
 			return
 		case "ldap":
 			tlog.App.Debug().Msg("Basic auth user is LDAP")
+
+			ldapUser, err := m.auth.GetLdapUser(basic.Username)
+
+			if err != nil {
+				tlog.App.Debug().Err(err).Msg("Error retrieving LDAP user details")
+				c.Next()
+				return
+			}
+
 			c.Set("context", &config.UserContext{
 				Username:    basic.Username,
 				Name:        utils.Capitalize(basic.Username),
 				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
-				Provider:   "basic",
+				Provider:    "ldap",
 				IsLoggedIn:  true,
+				LdapGroups:  strings.Join(ldapUser.Groups, ","),
+				IsBasicAuth: true,
 			})
 			c.Next()
 			return

internal/service/auth_service.go

@@ -19,6 +19,11 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+type LdapGroupsCache struct {
+	Groups  []string
+	Expires time.Time
+}
+
 type LoginAttempt struct {
 	FailedAttempts int
 	LastAttempt    time.Time
@@ -36,13 +41,16 @@ type AuthServiceConfig struct {
 	LoginMaxRetries    int
 	SessionCookieName  string
 	IP                 config.IPConfig
+	LDAPGroupsCacheTTL int
 }
 
 type AuthService struct {
 	config          AuthServiceConfig
 	docker          *DockerService
 	loginAttempts   map[string]*LoginAttempt
+	ldapGroupsCache map[string]*LdapGroupsCache
 	loginMutex      sync.RWMutex
+	ldapGroupsMutex sync.RWMutex
 	ldap            *LdapService
 	queries         *repository.Queries
 }
@@ -52,6 +60,7 @@ func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapS
 		config:          config,
 		docker:          docker,
 		loginAttempts:   make(map[string]*LoginAttempt),
+		ldapGroupsCache: make(map[string]*LdapGroupsCache),
 		ldap:            ldap,
 		queries:         queries,
 	}
@@ -70,12 +79,12 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
 	}
 
 	if auth.ldap != nil {
-		userDN, err := auth.ldap.Search(username)
+		userDN, err := auth.ldap.GetUserDN(username)
 
 		if err != nil {
 			tlog.App.Warn().Err(err).Str("username", username).Msg("Failed to search for user in LDAP")
 			return config.UserSearch{
-				Type: "error",
+				Type: "unknown",
 			}
 		}
 
@@ -131,6 +140,41 @@ func (auth *AuthService) GetLocalUser(username string) config.User {
 	return config.User{}
 }
 
+func (auth *AuthService) GetLdapUser(userDN string) (config.LdapUser, error) {
+	if auth.ldap == nil {
+		return config.LdapUser{}, errors.New("LDAP service not initialized")
+	}
+
+	auth.ldapGroupsMutex.RLock()
+	entry, exists := auth.ldapGroupsCache[userDN]
+	auth.ldapGroupsMutex.RUnlock()
+
+	if exists && time.Now().Before(entry.Expires) {
+		return config.LdapUser{
+			DN:     userDN,
+			Groups: entry.Groups,
+		}, nil
+	}
+
+	groups, err := auth.ldap.GetUserGroups(userDN)
+
+	if err != nil {
+		return config.LdapUser{}, err
+	}
+
+	auth.ldapGroupsMutex.Lock()
+	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
+		Groups:  groups,
+		Expires: time.Now().Add(time.Duration(auth.config.LDAPGroupsCacheTTL) * time.Second),
+	}
+	auth.ldapGroupsMutex.Unlock()
+
+	return config.LdapUser{
+		DN:     userDN,
+		Groups: groups,
+	}, nil
+}
+
 func (auth *AuthService) CheckPassword(user config.User, password string) bool {
 	return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) == nil
 }
@@ -190,7 +234,7 @@ func (auth *AuthService) IsEmailWhitelisted(email string) bool {
 	return utils.CheckFilter(strings.Join(auth.config.OauthWhitelist, ","), email)
 }
 
-func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.SessionCookie) error {
+func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *repository.Session) error {
 	uuid, err := uuid.NewRandom()
 
 	if err != nil {
@@ -300,20 +344,20 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 	return nil
 }
 
-func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie, error) {
+func (auth *AuthService) GetSessionCookie(c *gin.Context) (repository.Session, error) {
 	cookie, err := c.Cookie(auth.config.SessionCookieName)
 
 	if err != nil {
-		return config.SessionCookie{}, err
+		return repository.Session{}, err
 	}
 
 	session, err := auth.queries.GetSession(c, cookie)
 
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
-			return config.SessionCookie{}, fmt.Errorf("session not found")
+			return repository.Session{}, fmt.Errorf("session not found")
 		}
-		return config.SessionCookie{}, err
+		return repository.Session{}, err
 	}
 
 	currentTime := time.Now().Unix()
@@ -324,7 +368,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 			if err != nil {
 				tlog.App.Error().Err(err).Msg("Failed to delete session exceeding max lifetime")
 			}
-			return config.SessionCookie{}, fmt.Errorf("session expired due to max lifetime exceeded")
+			return repository.Session{}, fmt.Errorf("session expired due to max lifetime exceeded")
 		}
 	}
 
@@ -333,10 +377,10 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to delete expired session")
 		}
-		return config.SessionCookie{}, fmt.Errorf("session expired")
+		return repository.Session{}, fmt.Errorf("session expired")
 	}
 
-	return config.SessionCookie{
+	return repository.Session{
 		UUID:        session.UUID,
 		Username:    session.Username,
 		Email:       session.Email,
@@ -349,8 +393,12 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 	}, nil
 }
 
-func (auth *AuthService) UserAuthConfigured() bool {
-	return len(auth.config.Users) > 0 || auth.ldap != nil
+func (auth *AuthService) LocalAuthConfigured() bool {
+	return len(auth.config.Users) > 0
+}
+
+func (auth *AuthService) LdapAuthConfigured() bool {
+	return auth.ldap != nil
 }
 
 func (auth *AuthService) IsUserAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {
@@ -393,6 +441,22 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
 	return false
 }
 
+func (auth *AuthService) IsInLdapGroup(c *gin.Context, context config.UserContext, requiredGroups string) bool {
+	if requiredGroups == "" {
+		return true
+	}
+
+	for userGroup := range strings.SplitSeq(context.LdapGroups, ",") {
+		if utils.CheckFilter(requiredGroups, strings.TrimSpace(userGroup)) {
+			tlog.App.Trace().Str("group", userGroup).Str("required", requiredGroups).Msg("User group matched")
+			return true
+		}
+	}
+
+	tlog.App.Debug().Msg("No groups matched")
+	return false
+}
+
 func (auth *AuthService) IsAuthEnabled(uri string, path config.AppPath) (bool, error) {
 	// Check for block list
 	if path.Block != "" {

internal/service/ldap_service.go

@@ -116,7 +116,7 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	return ldap.conn, nil
 }
 
-func (ldap *LdapService) Search(username string) (string, error) {
+func (ldap *LdapService) GetUserDN(username string) (string, error) {
 	// Escape the username to prevent LDAP injection
 	escapedUsername := ldapgo.EscapeFilter(username)
 	filter := fmt.Sprintf(ldap.config.SearchFilter, escapedUsername)
@@ -145,6 +145,48 @@ func (ldap *LdapService) Search(username string) (string, error) {
 	return userDN, nil
 }
 
+func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
+	escapedUserDN := ldapgo.EscapeFilter(userDN)
+
+	searchRequest := ldapgo.NewSearchRequest(
+		ldap.config.BaseDN,
+		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectclass=groupOfUniqueNames)(uniquemember=%s))", escapedUserDN),
+		[]string{"dn"},
+		nil,
+	)
+
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
+	searchResult, err := ldap.conn.Search(searchRequest)
+	if err != nil {
+		return []string{}, err
+	}
+
+	groupDNs := []string{}
+
+	for _, entry := range searchResult.Entries {
+		groupDNs = append(groupDNs, entry.DN)
+	}
+
+	groups := []string{}
+
+	// I guess it should work for most ldap providers
+	for _, dn := range groupDNs {
+		rdnParts, err := ldapgo.ParseDN(dn)
+		if err != nil {
+			return []string{}, err
+		}
+		if len(rdnParts.RDNs) == 0 || len(rdnParts.RDNs[0].Attributes) == 0 {
+			return []string{}, fmt.Errorf("invalid DN format: %s", dn)
+		}
+		groups = append(groups, rdnParts.RDNs[0].Attributes[0].Value)
+	}
+
+	return groups, nil
+}
+
 func (ldap *LdapService) BindService(rebind bool) error {
 	// Locks must not be used for initial binding attempt
 	if rebind {

internal/utils/app_utils.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -95,7 +96,7 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 
 	hostname := parsed.Hostname()
 
-	if strings.HasSuffix(hostname, domain) {
+	if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
 		return true
 	}
 

internal/utils/app_utils_test.go

@@ -205,4 +205,9 @@ func TestIsRedirectSafe(t *testing.T) {
 	redirectURL = "http://example.org/page"
 	result = utils.IsRedirectSafe(redirectURL, domain)
 	assert.Equal(t, false, result)
+
+	// Case with malicious domain
+	redirectURL = "https://malicious-example.com/yoyo"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.Equal(t, false, result)
 }

sqlc.yml

@@ -19,3 +19,5 @@ sql:
             go_type: "string"
           - column: "sessions.oauth_sub"
             go_type: "string"
+          - column: "sessions.ldap_groups"
+            go_type: "string"