refactor: use proper module name

.github/workflows/ci.yml

@@ -18,16 +18,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
+          go-version: "^1.23.2"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |

.github/workflows/nightly.yml

@@ -61,16 +61,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
+          go-version: "^1.23.2"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -116,16 +107,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
+          go-version: "^1.23.2"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -165,15 +147,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -232,15 +205,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -299,15 +263,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -366,15 +321,6 @@ jobs:
         with:
           ref: nightly
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.github/workflows/release.yml

@@ -39,16 +39,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
+          go-version: "^1.23.2"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -91,16 +82,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@v5
         with:
-          go-version: "^1.24.0"
+          go-version: "^1.23.2"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
 
       - name: Install frontend dependencies
         run: |
@@ -137,15 +119,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -201,15 +174,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -265,15 +229,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -329,15 +284,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

.gitignore

@@ -33,7 +33,4 @@
 
 # binary out
 /tinyauth.db
-/resources
+/resources
-
-# debug files
-__debug_*

.gitmodules

@@ -1,4 +0,0 @@
-[submodule "paerser"]
-	path = paerser
-	url = https://github.com/traefik/paerser
-	ignore = all

CONTRIBUTING.md

@@ -5,7 +5,7 @@ Contributing is relatively easy, you just need to follow the steps below and you
 ## Requirements
 
 - Bun
-- Golang 1.24.0+
+- Golang v1.23.2 and above
 - Git
 - Docker
 
@@ -18,21 +18,12 @@ git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
 
-## Initialize submodules
-
-The project uses Git submodules for some dependencies, so you need to initialize them with:
-
-```sh
-git submodule init
-git submodule update
-```
-
 ## Install requirements
 
-Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
+Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:
 
 ```sh
-go mod download
+go mod tidy
 ```
 
 You also need to download the frontend dependencies, this can be done like so:
@@ -42,21 +33,13 @@ cd frontend/
 bun install
 ```
 
-## Apply patches
-
-Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
-
-```sh
-git apply --directory paerser/ patches/nested_maps.diff
-```
-
 ## Create your `.env` file
 
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 
 ## Developing
 
-I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 
 ```
 *.dev.example.com -> 127.0.0.1
@@ -66,7 +49,7 @@ dev.example.com -> 127.0.0.1
 > [!TIP]
 > You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
 
-Then you can just make sure the domains are correct in the development Docker compose file and run:
+Then you can just make sure the domains are correct in the development docker compose file and run:
 
 ```sh
 docker compose -f docker-compose.dev.yml up --build

Dockerfile

@@ -28,8 +28,6 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -40,7 +38,7 @@ COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
-
+ 
 # Runner
 FROM alpine:3.23 AS runner
 
@@ -64,4 +62,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

Dockerfile.dev

@@ -2,8 +2,6 @@ FROM golang:1.25-alpine3.21
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -22,4 +20,4 @@ ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 
-ENTRYPOINT ["air", "-c", "air.toml"]
+ENTRYPOINT ["air", "-c", "air.toml"]

Dockerfile.distroless

@@ -28,8 +28,6 @@ ARG BUILD_TIMESTAMP
 
 WORKDIR /tinyauth
 
-COPY ./paerser ./paerser
-
 COPY go.mod ./
 COPY go.sum ./
 
@@ -42,7 +40,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
-
+ 
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
 
@@ -67,4 +65,4 @@ ENV PATH=$PATH:/tinyauth
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]

cmd/tinyauth/tinyauth.go

@@ -34,10 +34,6 @@ func NewTinyauthCmdConfiguration() *config.Config {
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
-		Ldap: config.LdapConfig{
-			Insecure:     false,
-			SearchFilter: "(uid=%s)",
-		},
 		Experimental: config.ExperimentalConfig{
 			ConfigFile: "",
 		},

docker-compose.dev.yml

@@ -42,6 +42,7 @@ services:
     volumes:
       - ./internal:/tinyauth/internal
       - ./cmd:/tinyauth/cmd
+      - ./main.go:/tinyauth/main.go
       - /var/run/docker.sock:/var/run/docker.sock
       - ./data:/data
     ports:

go.mod

@@ -4,8 +4,6 @@ go 1.24.0
 
 toolchain go1.24.3
 
-replace github.com/traefik/paerser v0.2.2 => ./paerser
-
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/huh v0.8.0

go.sum

@@ -271,6 +271,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
+github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=

internal/assets/migrations/000003_oauth_sub.down.sql

@@ -1 +0,0 @@
-ALTER TABLE "sessions" DROP COLUMN "oauth_sub";

internal/assets/migrations/000003_oauth_sub.up.sql

@@ -1 +0,0 @@
-ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;

internal/bootstrap/service_bootstrap.go

@@ -57,7 +57,7 @@ func (app *BootstrapApp) initServices() (Services, error) {
 
 	services.dockerService = dockerService
 
-	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
+	accessControlsService := service.NewAccessControlsService(dockerService)
 
 	err = accessControlsService.Init()
 

internal/config/config.go

@@ -25,7 +25,6 @@ type Config struct {
 	LogJSON           bool               `description:"Enable JSON formatted logs." yaml:"logJSON"`
 	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
 	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
 	UI                UIConfig           `description:"UI customization." yaml:"ui"`
 	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
@@ -80,7 +79,6 @@ const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 
 type Claims struct {
-	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
@@ -127,7 +125,6 @@ type SessionCookie struct {
 	TotpPending bool
 	OAuthGroups string
 	OAuthName   string
-	OAuthSub    string
 }
 
 type UserContext struct {
@@ -141,7 +138,6 @@ type UserContext struct {
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
-	OAuthSub    string
 }
 
 // API responses and queries
@@ -157,55 +153,61 @@ type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
 
-// ACLs
+// Labels
 
 type Apps struct {
-	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
+	Apps map[string]App
 }
 
 type App struct {
-	Config   AppConfig   `description:"App configuration." yaml:"config"`
+	Config   AppConfig
-	Users    AppUsers    `description:"User access configuration." yaml:"users"`
+	Users    AppUsers
-	OAuth    AppOAuth    `description:"OAuth access configuration." yaml:"oauth"`
+	OAuth    AppOAuth
-	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
+	IP       AppIP
-	Response AppResponse `description:"Response customization." yaml:"response"`
+	Response AppResponse
-	Path     AppPath     `description:"Path access configuration." yaml:"path"`
+	Path     AppPath
 }
 
 type AppConfig struct {
-	Domain string `description:"The domain of the app." yaml:"domain"`
+	Domain string
 }
 
 type AppUsers struct {
-	Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
+	Allow string
-	Block string `description:"Comma-separated list of blocked users." yaml:"block"`
+	Block string
 }
 
 type AppOAuth struct {
-	Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
+	Whitelist string
-	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
+	Groups    string
 }
 
 type AppIP struct {
-	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
+	Allow  []string
-	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
+	Block  []string
-	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
+	Bypass []string
 }
 
 type AppResponse struct {
-	Headers   []string     `description:"Custom headers to add to the response." yaml:"headers"`
+	Headers   []string
-	BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
+	BasicAuth AppBasicAuth
 }
 
 type AppBasicAuth struct {
-	Username     string `description:"Basic auth username." yaml:"username"`
+	Username     string
-	Password     string `description:"Basic auth password." yaml:"password"`
+	Password     string
-	PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
+	PasswordFile string
 }
 
 type AppPath struct {
-	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
+	Allow string
-	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
+	Block string
+}
+
+// Flags
+
+type Providers struct {
+	Providers map[string]OAuthServiceConfig
 }
 
 // API server

internal/controller/context_controller.go

@@ -21,7 +21,6 @@ type UserContextResponse struct {
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
-	OAuthSub    string `json:"oauthSub"`
 }
 
 type AppContextResponse struct {
@@ -90,7 +89,6 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
-		OAuthSub:    context.OAuthSub,
 	}
 
 	if err != nil {

internal/controller/context_controller_test.go

@@ -44,7 +44,6 @@ var userContext = config.UserContext{
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
-	OAuthSub:    "",
 }
 
 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {

internal/controller/oauth_controller.go

@@ -197,7 +197,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
-		OAuthSub:    user.Sub,
 	}
 
 	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")

internal/controller/proxy_controller.go

@@ -43,8 +43,7 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a
 
 func (controller *ProxyController) SetupRoutes() {
 	proxyGroup := controller.router.Group("/auth")
-	proxyGroup.GET("/:proxy", controller.proxyHandler)
+	proxyGroup.Any("/:proxy", controller.proxyHandler)
-	proxyGroup.POST("/:proxy", controller.proxyHandler)
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -69,6 +68,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
+	if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
+		log.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
+		c.JSON(405, gin.H{
+			"status":  405,
+			"message": "Method Not Allowed",
+		})
+		return
+	}
+
 	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
 
 	if isBrowser {
@@ -239,7 +247,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
-		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
 
 		controller.setHeaders(c, acls)
 

internal/controller/proxy_controller_test.go

@@ -41,7 +41,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
+	accessControlsService := service.NewAccessControlsService(dockerService)
 
 	assert.NilError(t, accessControlsService.Init())
 
@@ -81,6 +81,13 @@ func TestProxyHandler(t *testing.T) {
 
 	assert.Equal(t, 400, recorder.Code)
 
+	// Test invalid method
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 405, recorder.Code)
+
 	// Test logged out user (traefik/caddy)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)

internal/middleware/context_middleware.go

@@ -66,7 +66,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				goto basic
 			}
 
-			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
 				Name:       cookie.Name,
@@ -91,7 +90,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				goto basic
 			}
 
-			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:    cookie.Username,
 				Name:        cookie.Name,
@@ -99,7 +97,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
 				OAuthName:   cookie.OAuthName,
-				OAuthSub:    cookie.OAuthSub,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})

internal/model/session_model.go

@@ -10,5 +10,4 @@ type Session struct {
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
 	OAuthName   string `gorm:"column:oauth_name"`
-	OAuthSub    string `gorm:"column:oauth_sub"`
 }

internal/service/access_controls_service.go

@@ -1,54 +1,122 @@
 package service
 
 import (
-	"errors"
-	"strings"
-
-	"github.com/rs/zerolog/log"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 
+/*
+Environment variable/flag based ACLs are disabled until v5 due to a technical challenge
+with the current parsing logic.
+
+The current parser works for simple OAuth provider configs like:
+- PROVIDERS_MY_AMAZING_PROVIDER_CLIENT_ID
+
+However, it breaks down when handling nested structs required for ACLs. The custom parsing
+solution that worked for v4 OAuth providers is incompatible with the ACL parsing logic,
+making the codebase unmaintainable and fragile.
+
+A solution is being considered for v5 that would standardize the format to something like:
+- TINYAUTH_PROVIDERS_GOOGLE_CLIENTSECRET
+- TINYAUTH_APPS_MYAPP_CONFIG_DOMAIN
+
+This would allow the Traefik parser to handle everything consistently, but requires a
+config migration. Until this is resolved, environment-based ACLs are disabled and only
+Docker label-based ACLs are supported.
+
+See: https://discord.com/channels/1337450123600465984/1337459086270271538/1434986689935179838 for more information
+*/
+
 type AccessControlsService struct {
 	docker *DockerService
-	static map[string]config.App
+	// envACLs config.Apps
 }
 
-func NewAccessControlsService(docker *DockerService, static map[string]config.App) *AccessControlsService {
+func NewAccessControlsService(docker *DockerService) *AccessControlsService {
 	return &AccessControlsService{
 		docker: docker,
-		static: static,
 	}
 }
 
 func (acls *AccessControlsService) Init() error {
-	return nil // No initialization needed
+	// acls.envACLs = config.Apps{}
+	// env := os.Environ()
+	// appEnvVars := []string{}
+
+	// for _, e := range env {
+	// 	if strings.HasPrefix(e, "TINYAUTH_APPS_") {
+	// 		appEnvVars = append(appEnvVars, e)
+	// 	}
+	// }
+
+	// err := acls.loadEnvACLs(appEnvVars)
+
+	// if err != nil {
+	// 	return err
+	// }
+
+	// return nil
+
+	return nil
+
 }
 
-func (acls *AccessControlsService) lookupStaticACLs(domain string) (config.App, error) {
+// func (acls *AccessControlsService) loadEnvACLs(appEnvVars []string) error {
-	for app, config := range acls.static {
+// 	if len(appEnvVars) == 0 {
-		if config.Config.Domain == domain {
+// 		return nil
-			log.Debug().Str("name", app).Msg("Found matching container by domain")
+// 	}
-			return config, nil
-		}
 
-		if strings.SplitN(domain, ".", 2)[0] == app {
+// 	envAcls := map[string]string{}
-			log.Debug().Str("name", app).Msg("Found matching container by app name")
-			return config, nil
-		}
-	}
-	return config.App{}, errors.New("no results")
-}
 
-func (acls *AccessControlsService) GetAccessControls(domain string) (config.App, error) {
+// 	for _, e := range appEnvVars {
-	// First check in the static config
+// 		parts := strings.SplitN(e, "=", 2)
-	app, err := acls.lookupStaticACLs(domain)
+// 		if len(parts) != 2 {
+// 			continue
+// 		}
 
-	if err == nil {
+// 		key := parts[0]
-		log.Debug().Msg("Using ACls from static configuration")
+// 		key = strings.ToLower(key)
-		return app, nil
+// 		key = strings.ReplaceAll(key, "_", ".")
-	}
+// 		value := parts[1]
+// 		envAcls[key] = value
+// 	}
+
+// 	apps, err := decoders.DecodeLabels(envAcls)
+
+// 	if err != nil {
+// 		return err
+// 	}
+
+// 	acls.envACLs = apps
+// 	return nil
+// }
+
+// func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App {
+// 	if len(acls.envACLs.Apps) == 0 {
+// 		return nil
+// 	}
+
+// 	for appName, appACLs := range acls.envACLs.Apps {
+// 		if appACLs.Config.Domain == appDomain {
+// 			return &appACLs
+// 		}
+
+// 		if strings.SplitN(appDomain, ".", 2)[0] == appName {
+// 			return &appACLs
+// 		}
+// 	}
+
+// 	return nil
+// }
+
+func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) {
+	// First check environment variables
+	// envACLs := acls.lookupEnvACLs(appDomain)
+
+	// if envACLs != nil {
+	// 	log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables")
+	// 	return *envACLs, nil
+	// }
 
 	// Fallback to Docker labels
-	log.Debug().Msg("Falling back to Docker labels for ACLs")
+	return acls.docker.GetLabels(appDomain)
-	return acls.docker.GetLabels(domain)
 }

internal/service/auth_service.go

@@ -1,6 +1,7 @@
 package service
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"regexp"
@@ -43,6 +44,7 @@ type AuthService struct {
 	loginMutex    sync.RWMutex
 	ldap          *LdapService
 	database      *gorm.DB
+	ctx           context.Context
 }
 
 func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, database *gorm.DB) *AuthService {
@@ -56,6 +58,7 @@ func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapS
 }
 
 func (auth *AuthService) Init() error {
+	auth.ctx = context.Background()
 	return nil
 }
 
@@ -213,10 +216,9 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
 		OAuthName:   data.OAuthName,
-		OAuthSub:    data.OAuthSub,
 	}
 
-	err = gorm.G[model.Session](auth.database).Create(c, &session)
+	err = gorm.G[model.Session](auth.database).Create(auth.ctx, &session)
 
 	if err != nil {
 		return err
@@ -227,40 +229,6 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 	return nil
 }
 
-func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
-	cookie, err := c.Cookie(auth.config.SessionCookieName)
-
-	if err != nil {
-		return err
-	}
-
-	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(c)
-
-	if err != nil {
-		return err
-	}
-
-	currentTime := time.Now().Unix()
-
-	if session.Expiry-currentTime > int64(time.Hour.Seconds()) {
-		return nil
-	}
-
-	newExpiry := currentTime + int64(time.Hour.Seconds())
-
-	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Updates(c, model.Session{
-		Expiry: newExpiry,
-	})
-
-	if err != nil {
-		return err
-	}
-
-	c.SetCookie(auth.config.SessionCookieName, cookie, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
-
-	return nil
-}
-
 func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 	cookie, err := c.Cookie(auth.config.SessionCookieName)
 
@@ -268,7 +236,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return err
 	}
 
-	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(c)
+	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(auth.ctx)
 
 	if err != nil {
 		return err
@@ -286,7 +254,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		return config.SessionCookie{}, err
 	}
 
-	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(c)
+	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(auth.ctx)
 
 	if err != nil {
 		return config.SessionCookie{}, err
@@ -299,7 +267,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 	currentTime := time.Now().Unix()
 
 	if currentTime > session.Expiry {
-		_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(c)
+		_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(auth.ctx)
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to delete expired session")
 		}
@@ -315,7 +283,6 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
 		OAuthName:   session.OAuthName,
-		OAuthSub:    session.OAuthSub,
 	}, nil
 }
 

internal/service/github_oauth_service.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"strconv"
 	"time"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -28,7 +27,6 @@ type GithubEmailResponse []struct {
 type GithubUserInfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
-	ID    int    `json:"id"`
 }
 
 type GithubOAuthService struct {
@@ -174,7 +172,6 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
 
 	user.PreferredUsername = userInfo.Login
 	user.Name = userInfo.Name
-	user.Sub = strconv.Itoa(userInfo.ID)
 
 	return user, nil
 }

internal/service/google_oauth_service.go

@@ -17,7 +17,12 @@ import (
 	"golang.org/x/oauth2/endpoints"
 )
 
-var GoogleOAuthScopes = []string{"openid", "email", "profile"}
+var GoogleOAuthScopes = []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
+
+type GoogleUserInfoResponse struct {
+	Email string `json:"email"`
+	Name  string `json:"name"`
+}
 
 type GoogleOAuthService struct {
 	config   oauth2.Config
@@ -86,7 +91,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 
 	client := google.config.Client(google.context, google.token)
 
-	res, err := client.Get("https://openidconnect.googleapis.com/v1/userinfo")
+	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
 	if err != nil {
 		return config.Claims{}, err
 	}
@@ -101,12 +106,16 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 		return config.Claims{}, err
 	}
 
-	err = json.Unmarshal(body, &user)
+	var userInfo GoogleUserInfoResponse
+
+	err = json.Unmarshal(body, &userInfo)
 	if err != nil {
 		return config.Claims{}, err
 	}
 
-	user.PreferredUsername = strings.SplitN(user.Email, "@", 2)[0]
+	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
+	user.Name = userInfo.Name
+	user.Email = userInfo.Email
 
 	return user, nil
 }

patches/nested_maps.diff

@@ -1,95 +0,0 @@
-diff --git a/env/env_test.go b/env/env_test.go
-index 7045569..365dc00 100644
---- a/env/env_test.go
-+++ b/env/env_test.go
-@@ -166,6 +166,38 @@ func TestDecode(t *testing.T) {
- 				Foo: &struct{ Field string }{},
- 			},
- 		},
-+		{
-+			desc:    "map under the root key",
-+			environ: []string{"TRAEFIK_FOO_BAR_FOOBAR_BARFOO=foo"},
-+			element: &struct {
-+				Foo map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}
-+			}{},
-+			expected: &struct {
-+				Foo map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}
-+			}{
-+				Foo: map[string]struct {
-+					Foobar struct {
-+						Barfoo string
-+					}
-+				}{
-+					"bar": {
-+						Foobar: struct {
-+							Barfoo string
-+						}{
-+							Barfoo: "foo",
-+						},
-+					},
-+				},
-+			},
-+		},
- 	}
- 
- 	for _, test := range testCases {
-diff --git a/parser/nodes_metadata.go b/parser/nodes_metadata.go
-index 36946c1..0279705 100644
---- a/parser/nodes_metadata.go
-+++ b/parser/nodes_metadata.go
-@@ -75,8 +75,13 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 	node.Kind = fType.Kind()
- 	node.Tag = field.Tag
- 
--	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
--		fType.Kind() == reflect.Map {
-+	if node.Kind == reflect.String && len(node.Children) > 0 {
-+		fType = reflect.TypeOf(struct{}{})
-+		node.Kind = reflect.Struct
-+	}
-+
-+	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct ||
-+		node.Kind == reflect.Map {
- 		if len(node.Children) == 0 && !(field.Tag.Get(m.TagName) == TagLabelAllowEmpty || field.Tag.Get(m.TagName) == "-") {
- 			return fmt.Errorf("%s cannot be a standalone element (type %s)", node.Name, fType)
- 		}
-@@ -90,11 +95,11 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	if fType.Kind() == reflect.Struct || fType.Kind() == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
-+	if node.Kind == reflect.Struct || node.Kind == reflect.Pointer && fType.Elem().Kind() == reflect.Struct {
- 		return m.browseChildren(fType, node)
- 	}
- 
--	if fType.Kind() == reflect.Map {
-+	if node.Kind == reflect.Map {
- 		if fType.Elem().Kind() == reflect.Interface {
- 			addRawValue(node)
- 			return nil
-@@ -115,7 +120,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	if fType.Kind() == reflect.Slice {
-+	if node.Kind == reflect.Slice {
- 		if m.AllowSliceAsStruct && field.Tag.Get(TagLabelSliceAsStruct) != "" {
- 			return m.browseChildren(fType.Elem(), node)
- 		}
-@@ -129,7 +134,7 @@ func (m metadata) add(rootType reflect.Type, node *Node) error {
- 		return nil
- 	}
- 
--	return fmt.Errorf("invalid node %s: %v", node.Name, fType.Kind())
-+	return fmt.Errorf("invalid node %s: %v", node.Name, node.Kind)
- }
- 
- func (m metadata) findTypedField(rType reflect.Type, node *Node) (reflect.StructField, error) {