fix: review comments

.github/workflows/ci.yml

@@ -18,16 +18,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
+          go-version: "^1.23.2"
 
       - name: Install frontend dependencies
         run: |

.github/workflows/nightly.yml

@@ -61,16 +61,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
+          go-version: "^1.23.2"
 
       - name: Install frontend dependencies
         run: |
@@ -116,16 +107,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
+          go-version: "^1.23.2"
 
       - name: Install frontend dependencies
         run: |
@@ -165,15 +147,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -232,15 +205,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -299,15 +263,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -366,15 +321,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.github/workflows/release.yml

@@ -39,16 +39,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
+          go-version: "^1.23.2"
 
       - name: Install frontend dependencies
         run: |
@@ -91,16 +82,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
+          go-version: "^1.23.2"
 
       - name: Install frontend dependencies
         run: |
@@ -137,15 +119,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -201,15 +174,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -265,15 +229,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -329,15 +284,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.gitmodules

@@ -1,4 +0,0 @@
-[submodule "paerser"]
-	path = paerser
-	url = https://github.com/traefik/paerser
-	ignore = all

CONTRIBUTING.md

@@ -5,7 +5,7 @@ Contributing is relatively easy, you just need to follow the steps below and you
 ## Requirements
 
 - Bun
-- Golang 1.24.0+
+- Golang v1.23.2 and above
 - Git
 - Docker
 
@@ -18,21 +18,12 @@ git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
 
-## Initialize submodules
-
-The project uses Git submodules for some dependencies, so you need to initialize them with:
-
-```sh
-git submodule init
-git submodule update
-```
-
 ## Install requirements
 
-Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
+Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:
 
 ```sh
-go mod download
+go mod tidy
 ```
 
 You also need to download the frontend dependencies, this can be done like so:
@@ -42,21 +33,13 @@ cd frontend/
 bun install
 ```
 
-## Apply patches
-
-Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
-
-```sh
-git apply --directory paerser/ patches/nested_maps.diff
-```
-
 ## Create your `.env` file
 
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 
 ## Developing
 
-I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 
 ```
 *.dev.example.com -> 127.0.0.1
@@ -66,7 +49,7 @@ dev.example.com -> 127.0.0.1
 > [!TIP]
 > You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
 
-Then you can just make sure the domains are correct in the development Docker compose file and run:
+Then you can just make sure the domains are correct in the development docker compose file and run:
 
 ```sh
 docker compose -f docker-compose.dev.yml up --build

Dockerfile

@@ -28,8 +28,6 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -40,7 +38,7 @@ COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
-
+ 
 # Runner
 FROM alpine:3.23 AS runner
 
@@ -64,4 +62,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

Dockerfile.dev

@@ -2,8 +2,6 @@ FROM golang:1.25-alpine3.21
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -22,4 +20,4 @@ ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 
-ENTRYPOINT ["air", "-c", "air.toml"]
+ENTRYPOINT ["air", "-c", "air.toml"]

Dockerfile.distroless

@@ -28,8 +28,6 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -42,7 +40,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
-
+ 
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
 
@@ -67,4 +65,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

cmd/tinyauth/tinyauth.go

@@ -34,10 +34,6 @@ func NewTinyauthCmdConfiguration() *config.Config {
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
-		Ldap: config.LdapConfig{
-			Insecure:     false,
-			SearchFilter: "(uid=%s)",
-		},
 		Experimental: config.ExperimentalConfig{
 			ConfigFile: "",
 		},

docker-compose.dev.yml

@@ -42,6 +42,7 @@ services:
     volumes:
       - ./internal:/tinyauth/internal
       - ./cmd:/tinyauth/cmd
+      - ./main.go:/tinyauth/main.go
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/data
     ports:

go.mod

@@ -4,8 +4,6 @@ go 1.24.0
 
 toolchain go1.24.3
 
-replace github.com/traefik/paerser v0.2.2 => ./paerser
-
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/huh v0.8.0

go.sum

@@ -271,6 +271,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
+github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=

internal/bootstrap/service_bootstrap.go

@@ -57,7 +57,7 @@ func (app *BootstrapApp) initServices() (Services, error) {
 
 	services.dockerService = dockerService
 
-	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
+	accessControlsService := service.NewAccessControlsService(dockerService)
 
 	err = accessControlsService.Init()
 

internal/config/config.go

@@ -25,7 +25,6 @@ type Config struct {
 	LogJSON           bool               `description:"Enable JSON formatted logs." yaml:"logJSON"`
 	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
 	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
 	UI                UIConfig           `description:"UI customization." yaml:"ui"`
 	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
@@ -157,55 +156,61 @@ type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
 
-// ACLs
+// Labels
 
 type Apps struct {
-	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
+	Apps map[string]App
 }
 
 type App struct {
-	Config   AppConfig   `description:"App configuration." yaml:"config"`
-	Users    AppUsers    `description:"User access configuration." yaml:"users"`
-	OAuth    AppOAuth    `description:"OAuth access configuration." yaml:"oauth"`
-	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
-	Response AppResponse `description:"Response customization." yaml:"response"`
-	Path     AppPath     `description:"Path access configuration." yaml:"path"`
+	Config   AppConfig
+	Users    AppUsers
+	OAuth    AppOAuth
+	IP       AppIP
+	Response AppResponse
+	Path     AppPath
 }
 
 type AppConfig struct {
-	Domain string `description:"The domain of the app." yaml:"domain"`
+	Domain string
 }
 
 type AppUsers struct {
-	Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
-	Block string `description:"Comma-separated list of blocked users." yaml:"block"`
+	Allow string
+	Block string
 }
 
 type AppOAuth struct {
-	Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
-	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
+	Whitelist string
+	Groups    string
 }
 
 type AppIP struct {
-	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
-	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
-	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
+	Allow  []string
+	Block  []string
+	Bypass []string
 }
 
 type AppResponse struct {
-	Headers   []string     `description:"Custom headers to add to the response." yaml:"headers"`
-	BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
+	Headers   []string
+	BasicAuth AppBasicAuth
 }
 
 type AppBasicAuth struct {
-	Username     string `description:"Basic auth username." yaml:"username"`
-	Password     string `description:"Basic auth password." yaml:"password"`
-	PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
+	Username     string
+	Password     string
+	PasswordFile string
 }
 
 type AppPath struct {
-	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
-	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
+	Allow string
+	Block string
+}
+
+// Flags
+
+type Providers struct {
+	Providers map[string]OAuthServiceConfig
 }
 
 // API server

internal/controller/proxy_controller_test.go

@@ -41,7 +41,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
+	accessControlsService := service.NewAccessControlsService(dockerService)
 
 	assert.NilError(t, accessControlsService.Init())
 

internal/service/access_controls_service.go

@@ -1,54 +1,122 @@
 package service
 
 import (
-	"errors"
-	"strings"
-
-	"github.com/rs/zerolog/log"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 
+/*
+Environment variable/flag based ACLs are disabled until v5 due to a technical challenge
+with the current parsing logic.
+
+The current parser works for simple OAuth provider configs like:
+- PROVIDERS_MY_AMAZING_PROVIDER_CLIENT_ID
+
+However, it breaks down when handling nested structs required for ACLs. The custom parsing
+solution that worked for v4 OAuth providers is incompatible with the ACL parsing logic,
+making the codebase unmaintainable and fragile.
+
+A solution is being considered for v5 that would standardize the format to something like:
+- TINYAUTH_PROVIDERS_GOOGLE_CLIENTSECRET
+- TINYAUTH_APPS_MYAPP_CONFIG_DOMAIN
+
+This would allow the Traefik parser to handle everything consistently, but requires a
+config migration. Until this is resolved, environment-based ACLs are disabled and only
+Docker label-based ACLs are supported.
+
+See: https://discord.com/channels/1337450123600465984/1337459086270271538/1434986689935179838 for more information
+*/
+
 type AccessControlsService struct {
 	docker *DockerService
-	static map[string]config.App
+	// envACLs config.Apps
 }
 
-func NewAccessControlsService(docker *DockerService, static map[string]config.App) *AccessControlsService {
+func NewAccessControlsService(docker *DockerService) *AccessControlsService {
 	return &AccessControlsService{
 		docker: docker,
-		static: static,
 	}
 }
 
 func (acls *AccessControlsService) Init() error {
-	return nil // No initialization needed
+	// acls.envACLs = config.Apps{}
+	// env := os.Environ()
+	// appEnvVars := []string{}
+
+	// for _, e := range env {
+	// 	if strings.HasPrefix(e, "TINYAUTH_APPS_") {
+	// 		appEnvVars = append(appEnvVars, e)
+	// 	}
+	// }
+
+	// err := acls.loadEnvACLs(appEnvVars)
+
+	// if err != nil {
+	// 	return err
+	// }
+
+	// return nil
+
+	return nil
+
 }
 
-func (acls *AccessControlsService) lookupStaticACLs(domain string) (config.App, error) {
-	for app, config := range acls.static {
-		if config.Config.Domain == domain {
-			log.Debug().Str("name", app).Msg("Found matching container by domain")
-			return config, nil
-		}
+// func (acls *AccessControlsService) loadEnvACLs(appEnvVars []string) error {
+// 	if len(appEnvVars) == 0 {
+// 		return nil
+// 	}
 
-		if strings.SplitN(domain, ".", 2)[0] == app {
-			log.Debug().Str("name", app).Msg("Found matching container by app name")
-			return config, nil
-		}
-	}
-	return config.App{}, errors.New("no results")
-}
+// 	envAcls := map[string]string{}
 
-func (acls *AccessControlsService) GetAccessControls(domain string) (config.App, error) {
-	// First check in the static config
-	app, err := acls.lookupStaticACLs(domain)
+// 	for _, e := range appEnvVars {
+// 		parts := strings.SplitN(e, "=", 2)
+// 		if len(parts) != 2 {
+// 			continue
+// 		}
 
-	if err == nil {
-		log.Debug().Msg("Using ACls from static configuration")
-		return app, nil
-	}
+// 		key := parts[0]
+// 		key = strings.ToLower(key)
+// 		key = strings.ReplaceAll(key, "_", ".")
+// 		value := parts[1]
+// 		envAcls[key] = value
+// 	}
+
+// 	apps, err := decoders.DecodeLabels(envAcls)
+
+// 	if err != nil {
+// 		return err
+// 	}
+
+// 	acls.envACLs = apps
+// 	return nil
+// }
+
+// func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App {
+// 	if len(acls.envACLs.Apps) == 0 {
+// 		return nil
+// 	}
+
+// 	for appName, appACLs := range acls.envACLs.Apps {
+// 		if appACLs.Config.Domain == appDomain {
+// 			return &appACLs
+// 		}
+
+// 		if strings.SplitN(appDomain, ".", 2)[0] == appName {
+// 			return &appACLs
+// 		}
+// 	}
+
+// 	return nil
+// }
+
+func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) {
+	// First check environment variables
+	// envACLs := acls.lookupEnvACLs(appDomain)
+
+	// if envACLs != nil {
+	// 	log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables")
+	// 	return *envACLs, nil
+	// }
 
 	// Fallback to Docker labels
-	log.Debug().Msg("Falling back to Docker labels for ACLs")
-	return acls.docker.GetLabels(domain)
+	return acls.docker.GetLabels(appDomain)
 }

patches/nested_maps.diff

@@ -1,95 +0,0 @@
-diff --git a/env/env_test.go b/env/env_test.go
-index 7045569..365dc00 100644
---- a/env/env_test.go
-+++ b/env/env_test.go
-@@ -166,6 +166,38 @@ func TestDecode(t *testing.T) {
- 				Foo: &struct{ Field string }{},
- 			},
- 		},
-+		{
-+			desc:    "map under the root key",
-+			environ: []string{"TRAEFIK_FOO_BAR_FOOBAR_BARFOO=foo"},
-+			element: &struct {
-+				Foo map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}
-+			}{},
-+			expected: &struct {
-+				Foo map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}
-+			}{
-+				Foo: map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}{
-+					"bar": {
-+						Foobar: struct {
-+							Barfoo string
-+						}{
-+							Barfoo: "foo",
-+						},
-+					},
-+				},
-+			},
-+		},
- 	}
- 
- 	for _, test := range testCases {
-diff --git a/parser/nodes_metadata.go b/parser/nodes_metadata.go
-index 36946c1..0279705 100644
---- a/parser/nodes_metadata.go
-+++ b/parser/nodes_metadata.go
-@@ -75,8 +75,13 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 	node.Kind = fType.Kind()
- 	node.Tag = field.Tag
- 
--	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
--		fType.Kind() == reflect.Map {
-+	if node.Kind == reflect.String && len(node.Children) > 0 {
-+		fType = reflect.TypeOf(struct{}{})
-+		node.Kind = reflect.Struct
-+	}
-+
-+	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
-+		node.Kind == reflect.Map {
- 		if len(node.Children) == 0 && !(field.Tag.Get(m.TagName) == TagLabelAllowEmpty || field.Tag.Get(m.TagName) == "-") {
- 			return fmt.Errorf("%s cannot be a standalone element (type %s)", node.Name, fType)
- 		}
-@@ -90,11 +95,11 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
-+	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
- 		return m.browseChildren(fType, node)
- 	}
- 
--	if fType.Kind() == reflect.Map {
-+	if node.Kind == reflect.Map {
- 		if fType.Elem().Kind() == reflect.Interface {
- 			addRawValue(node)
- 			return nil
-@@ -115,7 +120,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	if fType.Kind() == reflect.Slice {
-+	if node.Kind == reflect.Slice {
- 		if m.AllowSliceAsStruct && field.Tag.Get(TagLabelSliceAsStruct) != "" {
- 			return m.browseChildren(fType.Elem(), node)
- 		}
-@@ -129,7 +134,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	return fmt.Errorf("invalid node %s: %v", node.Name, fType.Kind())
-+	return fmt.Errorf("invalid node %s: %v", node.Name, node.Kind)
- }
- 
- func (m metadata) findTypedField(rType reflect.Type, node *Node) (reflect.StructField, error) {