chore(deps): bump the minor-patch group across 1 directory with 5 updates

Bumps the minor-patch group with 5 updates in the /frontend directory:

| Package | From | To |
| --- | --- | --- |
| [i18next](https://github.com/i18next/i18next) | `25.8.14` | `25.8.17` |
| [react-i18next](https://github.com/i18next/react-i18next) | `16.5.5` | `16.5.6` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.3.5` | `25.4.0` |
| [eslint](https://github.com/eslint/eslint) | `10.0.2` | `10.0.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.56.1` | `8.57.0` |



Updates `i18next` from 25.8.14 to 25.8.17
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/i18next/compare/v25.8.14...v25.8.17)

Updates `react-i18next` from 16.5.5 to 16.5.6
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/react-i18next/compare/v16.5.5...v16.5.6)

Updates `@types/node` from 25.3.5 to 25.4.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint` from 10.0.2 to 10.0.3
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v10.0.2...v10.0.3)

Updates `typescript-eslint` from 8.56.1 to 8.57.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: i18next
  dependency-version: 25.8.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: react-i18next
  dependency-version: 16.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: "@types/node"
  dependency-version: 25.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: eslint
  dependency-version: 10.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: typescript-eslint
  dependency-version: 8.57.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/integration.yml

@@ -1,82 +0,0 @@
-name: Proxy Integration Tests
-
-on:
-  workflow_dispatch:
-    inputs:
-      build:
-        type: boolean
-        description: Build from current tag before running tests
-
-permissions:
-  contents: read
-
-jobs:
-  determine-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.metadata.outputs.VERSION }}
-      commit_hash: ${{ steps.metadata.outputs.COMMIT_HASH }}
-      build_timestamp: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Determine metadata
-        id: metadata
-        run: |
-          # Generate static metadata
-          echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-          echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
-
-          # Determine version
-          if [ "${{ inputs.build }}" == "true" ]; then
-            echo "VERSION=development" >> "$GITHUB_OUTPUT"
-          else
-            echo "VERSION=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
-          fi
-
-  integration:
-    runs-on: ubuntu-latest
-    needs: determine-tag
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        if: ${{ inputs.build == 'true' }}
-
-      - name: Build
-        uses: docker/build-push-action@v6
-        if: ${{ inputs.build == 'true' }}
-        with:
-          platforms: linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.determine-tag.outputs.version }}
-          outputs: type=image,push=false
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            VERSION=${{ needs.determine-tag.outputs.version }}
-            COMMIT_HASH=${{ needs.determine-tag.outputs.commit_hash }}
-            BUILD_TIMESTAMP=${{ needs.determine-tag.outputs.build_timestamp }}
-
-      - name: Set tinyauth version
-        run: |
-          sed -i "s/TINYAUTH_VERSION=.*/TINYAUTH_VERSION=${{ needs.determine-tag.outputs.version }}/" integration/.env
-
-      - name: Test
-        run: make integration

.github/workflows/release.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: nightly
 
       - name: Generate metadata
         id: metadata

Makefile

@@ -81,11 +81,5 @@ sql:
 	sqlc generate
 
 # Go gen
-.PHONY: generate
 generate:
 	go run ./gen
-
-# Proxy integration tests
-.PHONY: integration
-integration:
-	go run ./integration -- --log=false

docker-compose.dev.yml

@@ -1,5 +1,6 @@
 services:
   traefik:
+    container_name: traefik
     image: traefik:v3.6
     command: --api.insecure=true --providers.docker
     ports:
@@ -8,6 +9,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 
   whoami:
+    container_name: whoami
     image: traefik/whoami:latest
     labels:
       traefik.enable: true
@@ -15,6 +17,7 @@ services:
       traefik.http.routers.whoami.middlewares: tinyauth
 
   tinyauth-frontend:
+    container_name: tinyauth-frontend
     build:
       context: .
       dockerfile: frontend/Dockerfile.dev
@@ -27,6 +30,7 @@ services:
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
 
   tinyauth-backend:
+    container_name: tinyauth-backend
     build:
       context: .
       dockerfile: Dockerfile.dev

docker-compose.example.yml

@@ -1,5 +1,6 @@
 services:
   traefik:
+    container_name: traefik
     image: traefik:v3.6
     command: --api.insecure=true --providers.docker
     ports:
@@ -8,6 +9,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 
   whoami:
+    container_name: whoami
     image: traefik/whoami:latest
     labels:
       traefik.enable: true
@@ -15,7 +17,8 @@ services:
       traefik.http.routers.whoami.middlewares: tinyauth
 
   tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:v5
+    container_name: tinyauth
+    image: ghcr.io/steveiliop56/tinyauth:v3
     environment:
       - TINYAUTH_APPURL=https://tinyauth.example.com
       - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password

frontend/bun.lock

@@ -16,7 +16,7 @@
         "axios": "^1.13.6",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
-        "i18next": "^25.8.18",
+        "i18next": "^25.8.17",
         "i18next-browser-languagedetector": "^8.2.1",
         "i18next-resources-to-backend": "^1.2.1",
         "input-otp": "^1.4.2",
@@ -26,7 +26,7 @@
         "react": "^19.2.4",
         "react-dom": "^19.2.4",
         "react-hook-form": "^7.71.2",
-        "react-i18next": "^16.5.8",
+        "react-i18next": "^16.5.6",
         "react-markdown": "^10.1.0",
         "react-router": "^7.13.1",
         "sonner": "^2.0.7",
@@ -637,7 +637,7 @@
 
     "html-url-attributes": ["html-url-attributes@3.0.1", "", {}, "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ=="],
 
-    "i18next": ["i18next@25.8.18", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-lzY5X83BiL5AP77+9DydbrqkQHFN9hUzWGjqjLpPcp5ZOzuu1aSoKaU3xbBLSjWx9dAzW431y+d+aogxOZaKRA=="],
+    "i18next": ["i18next@25.8.17", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-vWtCttyn5bpOK4hWbRAe1ZXkA+Yzcn2OcACT+WJavtfGMcxzkfvXTLMeOU8MUhRmAySKjU4VVuKlo0sSGeBokA=="],
 
     "i18next-browser-languagedetector": ["i18next-browser-languagedetector@8.2.1", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-bZg8+4bdmaOiApD7N7BPT9W8MLZG+nPTOFlLiJiT8uzKXFjhxw4v2ierCXOwB5sFDMtuA5G4kgYZ0AznZxQ/cw=="],
 
@@ -843,7 +843,7 @@
 
     "react-hook-form": ["react-hook-form@7.71.2", "", { "peerDependencies": { "react": "^16.8.0 || ^17 || ^18 || ^19" } }, "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA=="],
 
-    "react-i18next": ["react-i18next@16.5.8", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg=="],
+    "react-i18next": ["react-i18next@16.5.6", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-Ua7V2/efA88ido7KyK51fb8Ki8M/sRfW8LR/rZ/9ZKr2luhuTI7kwYZN5agT1rWG7aYm5G0RYE/6JR8KJoCMDw=="],
 
     "react-markdown": ["react-markdown@10.1.0", "", { "dependencies": { "@types/hast": "^3.0.0", "@types/mdast": "^4.0.0", "devlop": "^1.0.0", "hast-util-to-jsx-runtime": "^2.0.0", "html-url-attributes": "^3.0.0", "mdast-util-to-hast": "^13.0.0", "remark-parse": "^11.0.0", "remark-rehype": "^11.0.0", "unified": "^11.0.0", "unist-util-visit": "^5.0.0", "vfile": "^6.0.0" }, "peerDependencies": { "@types/react": ">=18", "react": ">=18" } }, "sha512-qKxVopLT/TyA6BX3Ue5NwabOsAzm0Q7kAPwq6L+wWDwisYs7R8vZ0nRXqq6rkueboxpkjvLGU9fWifiX/ZZFxQ=="],
 

frontend/package.json

@@ -22,7 +22,7 @@
     "axios": "^1.13.6",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "i18next": "^25.8.18",
+    "i18next": "^25.8.17",
     "i18next-browser-languagedetector": "^8.2.1",
     "i18next-resources-to-backend": "^1.2.1",
     "input-otp": "^1.4.2",
@@ -32,7 +32,7 @@
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-hook-form": "^7.71.2",
-    "react-i18next": "^16.5.8",
+    "react-i18next": "^16.5.6",
     "react-markdown": "^10.1.0",
     "react-router": "^7.13.1",
     "sonner": "^2.0.7",

frontend/src/lib/i18n/locales/fr-FR.json

@@ -58,8 +58,8 @@
     "invalidInput": "Saisie non valide",
     "domainWarningTitle": "Domaine invalide",
     "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
-    "domainWarningCurrent": "Actuellement :",
+    "domainWarningCurrent": "Current:",
-    "domainWarningExpected": "Attendu :",
+    "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignorer",
     "goToCorrectDomainTitle": "Aller au bon domaine",
     "authorizeTitle": "Autoriser",

go.mod

@@ -19,9 +19,9 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
 	github.com/weppos/publicsuffix-go v0.50.3
-	golang.org/x/crypto v0.49.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/oauth2 v0.36.0
+	golang.org/x/oauth2 v0.35.0
 	gotest.tools/v3 v3.5.2
 	modernc.org/sqlite v1.46.1
 )
@@ -114,10 +114,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/net v0.51.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect

go.sum

@@ -309,25 +309,25 @@ golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
 golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -338,26 +338,26 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=

integration/.env

@@ -1,16 +0,0 @@
-# Nginx configuration
-NGINX_VERSION=1.29
-
-# Whoami configuration
-WHOAMI_VERSION=latest
-
-# Traefik configuration
-TRAEFIK_VERSION=v3.6
-TINYAUTH_HOST=tinyauth.127.0.0.1.sslip.io
-WHOAMI_HOST=whoami.127.0.0.1.sslip.io
-
-# Envoy configuration
-ENVOY_VERSION=v1.33-latest
-
-# Tinyauth configuration
-TINYAUTH_VERSION=latest

integration/config.yml

@@ -1,15 +0,0 @@
-appUrl: http://tinyauth.127.0.0.1.sslip.io
-
-auth:
-  users: test:$2a$10$eG88kFow83l5YRSlTSL2o.sZimjxFHrpiKdaSUZqpLBGX7Y2.4PZG
-
-log:
-  json: true
-  level: trace
-
-apps:
-  whoami:
-    config:
-      domain: whoami.127.0.0.1.sslip.io
-    path:
-      allow: /allow

integration/docker-compose.envoy.yml

@@ -1,16 +0,0 @@
-services:
-  envoy:
-    image: envoyproxy/envoy:${ENVOY_VERSION}
-    ports:
-      - 80:80
-    volumes:
-      - ./envoy.yml:/etc/envoy/envoy.yaml:ro
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro

integration/docker-compose.nginx.yml

@@ -1,16 +0,0 @@
-services:
-  nginx:
-    image: nginx:${NGINX_VERSION}
-    ports:
-      - 80:80
-    volumes:
-      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro

integration/docker-compose.traefik.yml

@@ -1,28 +0,0 @@
-services:
-  traefik:
-    image: traefik:${TRAEFIK_VERSION}
-    command: |
-      --api.insecure=true
-      --providers.docker
-      --entryPoints.web.address=:80
-    ports:
-      - 80:80
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-    labels:
-      traefik.enable: true
-      traefik.http.routers.whoami.rule: Host(`${WHOAMI_HOST}`)
-      traefik.http.routers.whoami.middlewares: tinyauth
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro
-    labels:
-      traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`${TINYAUTH_HOST}`)
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

integration/envoy.yml

@@ -1,105 +0,0 @@
-static_resources:
-  listeners:
-    - name: "listener_http"
-      address:
-        socket_address:
-          address: "0.0.0.0"
-          port_value: 80
-      filter_chains:
-        - filters:
-            - name: "envoy.filters.network.http_connection_manager"
-              typed_config:
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
-                stat_prefix: "ingress_http"
-                use_remote_address: true
-                skip_xff_append: false
-                route_config:
-                  name: "local_route"
-                  virtual_hosts:
-                    - name: "whoami_service"
-                      domains: ["whoami.127.0.0.1.sslip.io"]
-                      routes:
-                        - match:
-                            prefix: "/"
-                          route:
-                            cluster: "whoami"
-                    - name: "tinyauth_service"
-                      domains: ["tinyauth.127.0.0.1.sslip.io"]
-                      typed_per_filter_config:
-                        envoy.filters.http.ext_authz:
-                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
-                          disabled: true
-                      routes:
-                        - match:
-                            prefix: "/"
-                          route:
-                            cluster: "tinyauth"
-                http_filters:
-                  - name: "envoy.filters.http.ext_authz"
-                    typed_config:
-                      "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
-                      transport_api_version: "v3"
-                      http_service:
-                        path_prefix: "/api/auth/envoy?path="
-                        server_uri:
-                          uri: "tinyauth:3000"
-                          cluster: "tinyauth"
-                          timeout: "0.25s"
-                        authorization_request:
-                          allowed_headers:
-                            patterns:
-                              - exact: "authorization"
-                              - exact: "accept"
-                              - exact: "cookie"
-                          headers_to_add:
-                            - key: "x-forwarded-proto"
-                              value: "%REQ(:SCHEME)%"
-                            - key: "x-forwarded-host"
-                              value: "%REQ(:AUTHORITY)%"
-                            - key: "x-forwarded-uri"
-                              value: "%REQ(:PATH)%"
-                        authorization_response:
-                          allowed_upstream_headers:
-                            patterns:
-                              - prefix: "remote-"
-                          allowed_client_headers:
-                            patterns:
-                              - exact: "set-cookie"
-                              - exact: "location"
-                          allowed_client_headers_on_success:
-                            patterns:
-                              - exact: "set-cookie"
-                              - exact: "location"
-                      failure_mode_allow: false
-                  - name: "envoy.filters.http.router"
-                    typed_config:
-                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-  clusters:
-    - name: "whoami"
-      connect_timeout: "0.25s"
-      type: "logical_dns"
-      dns_lookup_family: "v4_only"
-      lb_policy: "round_robin"
-      load_assignment:
-        cluster_name: "whoami"
-        endpoints:
-          - lb_endpoints:
-              - endpoint:
-                  address:
-                    socket_address:
-                      address: "whoami"
-                      port_value: 80
-    - name: "tinyauth"
-      connect_timeout: "0.25s"
-      type: "logical_dns"
-      dns_lookup_family: "v4_only"
-      lb_policy: "round_robin"
-      load_assignment:
-        cluster_name: "tinyauth"
-        endpoints:
-          - lb_endpoints:
-              - endpoint:
-                  address:
-                    socket_address:
-                      address: "tinyauth"
-                      port_value: 3000

integration/integrarion_tests.go

@@ -1,62 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-)
-
-func testUnauthorized(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	// nginx and envoy will throw us at the frontend
-	if resp.StatusCode != http.StatusUnauthorized && !strings.Contains(string(body), "<div id=\"root\"></div>") {
-		return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
-	}
-	return nil
-}
-
-func testLoggedIn(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL, nil)
-	if err != nil {
-		return err
-	}
-	req.SetBasicAuth(DefaultUsername, DefaultPassword)
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
-	}
-	return nil
-}
-
-func testACLAllowed(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL+"/allow", nil)
-	if err != nil {
-		return err
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
-	}
-	return nil
-}

integration/integration.go

@@ -1,191 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log/slog"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"time"
-)
-
-var ProxiesToTest = []string{"traefik", "nginx", "envoy"}
-
-const (
-	EnvFile    = ".env"
-	ConfigFile = "config.yml"
-)
-
-const (
-	TinyauthURL = "http://tinyauth.127.0.0.1.sslip.io"
-	WhoamiURL   = "http://whoami.127.0.0.1.sslip.io"
-)
-
-const (
-	DefaultUsername = "test"
-	DefaultPassword = "password"
-)
-
-func main() {
-	logFlag := flag.Bool("log", false, "enable stack logging")
-	flag.Parse()
-
-	rootFolder, err := os.Getwd()
-
-	if err != nil {
-		slog.Error("fail", "error", err)
-		os.Exit(1)
-	}
-
-	slog.Info("root folder", "folder", rootFolder)
-
-	integrationRoot := rootFolder
-
-	if _, err := os.Stat(path.Join(rootFolder, ".git")); err != nil {
-		if !errors.Is(err, os.ErrNotExist) {
-			slog.Error("fail", "error", err)
-			os.Exit(1)
-		}
-	} else {
-		integrationRoot = path.Join(rootFolder, "integration")
-	}
-
-	slog.Info("integration root", "folder", integrationRoot)
-
-	for _, proxy := range ProxiesToTest {
-		slog.Info("begin", "proxy", proxy)
-		compose := fmt.Sprintf("docker-compose.%s.yml", proxy)
-		if _, err := os.Stat(path.Join(integrationRoot, compose)); err != nil {
-			slog.Error("fail", "proxy", proxy, "error", err)
-			os.Exit(1)
-		}
-		if err := createInstanceAndRunTests(compose, *logFlag, proxy, integrationRoot); err != nil {
-			slog.Error("fail", "proxy", proxy, "error", err)
-			os.Exit(1)
-		}
-		slog.Info("end", "proxy", proxy)
-	}
-}
-
-func runTests(client *http.Client, name string) error {
-	if err := testUnauthorized(client); err != nil {
-		slog.Error("fail unauthorized test", "name", name)
-		return err
-	}
-
-	slog.Info("unauthorized test passed", "name", name)
-
-	if err := testLoggedIn(client); err != nil {
-		slog.Error("fail logged in test", "name", name)
-		return err
-	}
-
-	slog.Info("logged in test passed", "name", name)
-
-	if err := testACLAllowed(client); err != nil {
-		slog.Error("fail acl test", "name", name)
-		return err
-	}
-
-	slog.Info("acl test passed", "name", name)
-
-	return nil
-}
-
-func createInstanceAndRunTests(compose string, log bool, name string, integrationDir string) error {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	composeFile := path.Join(integrationDir, compose)
-	envFile := path.Join(integrationDir, EnvFile)
-	cmdArgs := []string{"compose", "-f", composeFile, "--env-file", envFile, "up", "--build", "--force-recreate", "--remove-orphans"}
-	cmd := exec.CommandContext(ctx, "docker", cmdArgs...)
-
-	if log {
-		setupCmdLogging(cmd)
-	}
-
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-
-	defer func() {
-		cmd.Process.Signal(os.Interrupt)
-		cmd.Wait()
-	}()
-
-	slog.Info("instance created", "name", name)
-
-	if err := waitForHealthy(); err != nil {
-		return err
-	}
-
-	slog.Info("instance healthy", "name", name)
-
-	client := &http.Client{}
-
-	if err := runTests(client, name); err != nil {
-		return err
-	}
-
-	slog.Info("tests passed", "name", name)
-
-	cmd.Process.Signal(os.Interrupt)
-
-	if err := cmd.Wait(); cmd.ProcessState.ExitCode() != 130 && err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func setupCmdLogging(cmd *exec.Cmd) {
-	stdout, _ := cmd.StdoutPipe()
-	stderr, _ := cmd.StderrPipe()
-
-	go func() {
-		scanner := bufio.NewScanner(stdout)
-		for scanner.Scan() {
-			slog.Info("docker out", "stdout", scanner.Text())
-		}
-	}()
-
-	go func() {
-		scanner := bufio.NewScanner(stderr)
-		for scanner.Scan() {
-			slog.Error("docker out", "stderr", scanner.Text())
-		}
-	}()
-}
-
-func waitForHealthy() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
-	defer cancel()
-
-	ticker := time.NewTicker(10 * time.Second)
-	client := http.Client{}
-
-	for {
-		select {
-		case <-ctx.Done():
-			return errors.New("tinyauth not healthy after 5 minutes")
-		case <-ticker.C:
-			req, err := http.NewRequestWithContext(ctx, "GET", TinyauthURL+"/api/healthz", nil)
-			if err != nil {
-				return err
-			}
-			res, err := client.Do(req)
-			if err != nil {
-				continue
-			}
-			if res.StatusCode == http.StatusOK {
-				return nil
-			}
-		}
-	}
-}

integration/nginx.conf

@@ -1,36 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name tinyauth.127.0.0.1.sslip.io;
-
-    location / {
-        proxy_pass http://tinyauth:3000;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name whoami.127.0.0.1.sslip.io;
-
-    location / {
-        proxy_pass http://whoami;
-        auth_request /tinyauth;
-        error_page 401 = @tinyauth_login;
-    }
-
-    location /tinyauth {
-        internal;
-        proxy_pass http://tinyauth:3000/api/auth/nginx;
-        proxy_set_header x-original-url $scheme://$http_host$request_uri;
-        proxy_set_header x-forwarded-proto $scheme;
-        proxy_set_header x-forwarded-host $host;
-        proxy_set_header x-forwarded-uri $request_uri;
-    }
-
-    location @tinyauth_login {
-      return 302 http://tinyauth.127.0.0.1.sslip.io/login?redirect_uri=$scheme://$http_host$request_uri;
-    }
-}

internal/controller/oidc_controller.go

@@ -115,11 +115,6 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
 
-	if !userContext.IsLoggedIn {
-		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
-		return
-	}
-
 	var req service.AuthorizeRequest
 
 	err = c.BindJSON(&req)
@@ -270,7 +265,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	switch req.GrantType {
 	case "authorization_code":
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
+		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
 		if err != nil {
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
@@ -286,13 +281,6 @@ func (controller *OIDCController) Token(c *gin.Context) {
 				})
 				return
 			}
-			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Warn().Msg("Invalid client ID")
-				c.JSON(400, gin.H{
-					"error": "invalid_client",
-				})
-				return
-			}
 			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",

internal/controller/proxy_controller.go

@@ -1,11 +1,9 @@
 package controller
 
 import (
-	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
+	"slices"
-	"regexp"
 	"strings"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -17,29 +15,12 @@ import (
 	"github.com/google/go-querystring/query"
 )
 
-type AuthModuleType int
+var SupportedProxies = []string{"nginx", "traefik", "caddy", "envoy"}
-
-const (
-	AuthRequest AuthModuleType = iota
-	ExtAuthz
-	ForwardAuth
-)
-
-var BrowserUserAgentRegex = regexp.MustCompile("Chrome|Gecko|AppleWebKit|Opera|Edge")
 
 type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }
 
-type ProxyContext struct {
-	Host      string
-	Proto     string
-	Path      string
-	Method    string
-	Type      AuthModuleType
-	IsBrowser bool
-}
-
 type ProxyControllerConfig struct {
 	AppURL string
 }
@@ -62,30 +43,63 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a
 
 func (controller *ProxyController) SetupRoutes() {
 	proxyGroup := controller.router.Group("/auth")
+	// There is a later check to control allowed methods per proxy
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
-	// Load proxy context based on the request type
+	var req Proxy
-	proxyCtx, err := controller.getProxyContext(c)
 
+	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
-			"message": "Bad request",
+			"message": "Bad Request",
 		})
 		return
 	}
 
-	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
+	if !slices.Contains(SupportedProxies, req.Proxy) {
+		tlog.App.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	// Only allow GET for non-envoy proxies.
+	// Envoy uses the original client method for the external auth request
+	// so we allow Any standard HTTP method for /api/auth/envoy
+	if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
+		tlog.App.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
+		c.Header("Allow", "GET")
+		c.JSON(405, gin.H{
+			"status":  405,
+			"message": "Method Not Allowed",
+		})
+		return
+	}
+
+	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
+
+	if isBrowser {
+		tlog.App.Debug().Msg("Request identified as (most likely) coming from a browser")
+	} else {
+		tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
+	}
+
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	proto := c.Request.Header.Get("X-Forwarded-Proto")
+	host := c.Request.Header.Get("X-Forwarded-Host")
 
 	// Get acls
-	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
+	acls, err := controller.acls.GetAccessControls(host)
 
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
-		controller.handleError(c, proxyCtx)
+		controller.handleError(c, req, isBrowser)
 		return
 	}
 
@@ -102,11 +116,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(uri, acls.Path)
 
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
-		controller.handleError(c, proxyCtx)
+		controller.handleError(c, req, isBrowser)
 		return
 	}
 
@@ -121,7 +135,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		if !controller.useFriendlyError(proxyCtx) {
+		if req.Proxy == "nginx" || !isBrowser {
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -130,7 +144,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		}
 
 		queries, err := query.Values(config.UnauthorizedQuery{
-			Resource: strings.Split(proxyCtx.Host, ".")[0],
+			Resource: strings.Split(host, ".")[0],
 			IP:       clientIP,
 		})
 
@@ -159,13 +173,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
+	if userContext.IsBasicAuth && userContext.TotpEnabled {
+		tlog.App.Debug().Msg("User has TOTP enabled, denying basic auth access")
+		userContext.IsLoggedIn = false
+	}
+
 	if userContext.IsLoggedIn {
 		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
 
 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
 
-			if !controller.useFriendlyError(proxyCtx) {
+			if req.Proxy == "nginx" || !isBrowser {
 				c.JSON(403, gin.H{
 					"status":  403,
 					"message": "Forbidden",
@@ -174,7 +193,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 
 			queries, err := query.Values(config.UnauthorizedQuery{
-				Resource: strings.Split(proxyCtx.Host, ".")[0],
+				Resource: strings.Split(host, ".")[0],
 			})
 
 			if err != nil {
@@ -203,9 +222,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User groups do not match resource requirements")
 
-				if !controller.useFriendlyError(proxyCtx) {
+				if req.Proxy == "nginx" || !isBrowser {
 					c.JSON(403, gin.H{
 						"status":  403,
 						"message": "Forbidden",
@@ -214,7 +233,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				}
 
 				queries, err := query.Values(config.UnauthorizedQuery{
-					Resource: strings.Split(proxyCtx.Host, ".")[0],
+					Resource: strings.Split(host, ".")[0],
 					GroupErr: true,
 				})
 
@@ -256,7 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.useFriendlyError(proxyCtx) {
+	if req.Proxy == "nginx" || !isBrowser {
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -265,7 +284,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	queries, err := query.Values(config.RedirectQuery{
-		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
+		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
 	})
 
 	if err != nil {
@@ -295,8 +314,8 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
 	}
 }
 
-func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
+func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrowser bool) {
-	if !controller.useFriendlyError(proxyCtx) {
+	if req.Proxy == "nginx" || !isBrowser {
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -306,196 +325,3 @@ func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyCon
 
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 }
-
-func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {
-	val := c.Request.Header.Get(header)
-	return val, strings.TrimSpace(val) != ""
-}
-
-func (controller *ProxyController) useFriendlyError(proxyCtx ProxyContext) bool {
-	return (proxyCtx.Type == ForwardAuth || proxyCtx.Type == ExtAuthz) && proxyCtx.IsBrowser
-}
-
-// Code below is inspired from https://github.com/authelia/authelia/blob/master/internal/handlers/handler_authz.go
-// and thus it may be subject to Apache 2.0 License
-func (controller *ProxyController) getForwardAuthContext(c *gin.Context) (ProxyContext, error) {
-	host, ok := controller.getHeader(c, "x-forwarded-host")
-
-	if !ok {
-		return ProxyContext{}, errors.New("x-forwarded-host not found")
-	}
-
-	uri, ok := controller.getHeader(c, "x-forwarded-uri")
-
-	if !ok {
-		return ProxyContext{}, errors.New("x-forwarded-uri not found")
-	}
-
-	proto, ok := controller.getHeader(c, "x-forwarded-proto")
-
-	if !ok {
-		return ProxyContext{}, errors.New("x-forwarded-proto not found")
-	}
-
-	// Normally we should only allow GET for forward auth but since it's a fallback
-	// for envoy we should allow everything, not a big deal
-	method := c.Request.Method
-
-	return ProxyContext{
-		Host:   host,
-		Proto:  proto,
-		Path:   uri,
-		Method: method,
-		Type:   ForwardAuth,
-	}, nil
-}
-
-func (controller *ProxyController) getAuthRequestContext(c *gin.Context) (ProxyContext, error) {
-	xOriginalUrl, ok := controller.getHeader(c, "x-original-url")
-
-	if !ok {
-		return ProxyContext{}, errors.New("x-original-url not found")
-	}
-
-	url, err := url.Parse(xOriginalUrl)
-
-	if err != nil {
-		return ProxyContext{}, err
-	}
-
-	host := url.Host
-
-	if strings.TrimSpace(host) == "" {
-		return ProxyContext{}, errors.New("host not found")
-	}
-
-	proto := url.Scheme
-
-	if strings.TrimSpace(proto) == "" {
-		return ProxyContext{}, errors.New("proto not found")
-	}
-
-	path := url.Path
-	method := c.Request.Method
-
-	return ProxyContext{
-		Host:   host,
-		Proto:  proto,
-		Path:   path,
-		Method: method,
-		Type:   AuthRequest,
-	}, nil
-}
-
-func (controller *ProxyController) getExtAuthzContext(c *gin.Context) (ProxyContext, error) {
-	// We hope for the someone to set the x-forwarded-proto header
-	proto, ok := controller.getHeader(c, "x-forwarded-proto")
-
-	if !ok {
-		return ProxyContext{}, errors.New("x-forwarded-proto not found")
-	}
-
-	// It sets the host to the original host, not the forwarded host
-	host := c.Request.Host
-
-	if strings.TrimSpace(host) == "" {
-		return ProxyContext{}, errors.New("host not found")
-	}
-
-	// We get the path from the query string
-	path := c.Query("path")
-
-	// For envoy we need to support every method
-	method := c.Request.Method
-
-	return ProxyContext{
-		Host:   host,
-		Proto:  proto,
-		Path:   path,
-		Method: method,
-		Type:   ExtAuthz,
-	}, nil
-}
-
-func (controller *ProxyController) determineAuthModules(proxy string) []AuthModuleType {
-	switch proxy {
-	case "traefik", "caddy":
-		return []AuthModuleType{ForwardAuth}
-	case "envoy":
-		return []AuthModuleType{ExtAuthz, ForwardAuth}
-	case "nginx":
-		return []AuthModuleType{AuthRequest, ForwardAuth}
-	default:
-		return []AuthModuleType{}
-	}
-}
-
-func (controller *ProxyController) getContextFromAuthModule(c *gin.Context, module AuthModuleType) (ProxyContext, error) {
-	switch module {
-	case ForwardAuth:
-		ctx, err := controller.getForwardAuthContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	case ExtAuthz:
-		ctx, err := controller.getExtAuthzContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	case AuthRequest:
-		ctx, err := controller.getAuthRequestContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	}
-	return ProxyContext{}, fmt.Errorf("unsupported auth module: %v", module)
-}
-
-func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext, error) {
-	var req Proxy
-
-	err := c.BindUri(&req)
-	if err != nil {
-		return ProxyContext{}, err
-	}
-
-	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
-
-	authModules := controller.determineAuthModules(req.Proxy)
-
-	if len(authModules) == 0 {
-		return ProxyContext{}, fmt.Errorf("no auth modules supported for proxy: %v", req.Proxy)
-	}
-
-	var ctx ProxyContext
-
-	for _, module := range authModules {
-		tlog.App.Debug().Msgf("Trying auth module: %v", module)
-		ctx, err = controller.getContextFromAuthModule(c, module)
-		if err == nil {
-			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
-			break
-		}
-		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
-	}
-
-	if err != nil {
-		return ProxyContext{}, err
-	}
-
-	// We don't care if the header is empty, we will just assume it's not a browser
-	userAgent, _ := controller.getHeader(c, "user-agent")
-	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
-
-	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as coming from a browser")
-	} else {
-		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
-	}
-
-	ctx.IsBrowser = isBrowser
-	return ctx, nil
-}

internal/controller/proxy_controller_test.go

@@ -1,7 +1,6 @@
 package controller_test
 
 import (
-	"net/http"
 	"net/http/httptest"
 	"testing"
 
@@ -10,26 +9,21 @@ import (
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
 
-var loggedInCtx = config.UserContext{
+func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
-	Username:   "test",
+	tlog.NewSimpleLogger().Init()
-	Name:       "Test",
-	Email:      "test@example.com",
-	IsLoggedIn: true,
-	Provider:   "local",
-}
 
-func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
 	// Setup
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 
-	if len(middlewares) > 0 {
+	if middlewares != nil {
-		for _, m := range middlewares {
+		for _, m := range *middlewares {
 			router.Use(m)
 		}
 	}
@@ -54,13 +48,7 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{
+	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
-		"whoami": {
-			Path: config.AppPath{
-				Allow: "/allow",
-			},
-		},
-	})
 
 	assert.NilError(t, accessControlsService.Init())
 
@@ -71,11 +59,6 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
 				Username: "testuser",
 				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
 			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.",
-				TotpSecret: "foo",
-			},
 		},
 		OauthWhitelist:     []string{},
 		SessionExpiry:      3600,
@@ -89,214 +72,140 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
 
 	// Controller
 	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: "http://tinyauth.example.com",
+		AppURL: "http://localhost:8080",
 	}, group, accessControlsService, authService)
 	ctrl.SetupRoutes()
 
-	return router, recorder
+	return router, recorder, authService
 }
 
-// TODO: Needs tests for context middleware
-
 func TestProxyHandler(t *testing.T) {
-	// Test logged out user traefik/caddy (forward_auth)
+	// Setup
-	router, recorder := setupProxyController(t, nil)
+	router, recorder, authService := setupProxyController(t, nil)
+
+	// Test invalid proxy
+	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 400, recorder.Code)
+
+	// Test invalid method for non-envoy proxy
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 405, recorder.Code)
+	assert.Equal(t, "GET", recorder.Header().Get("Allow"))
+
+	// Test logged out user (traefik/caddy)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (envoy - POST method)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/envoy", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (envoy - DELETE method)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("DELETE", "/api/auth/envoy", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (nginx)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+
+	// Test logged in user
+	c := gin.CreateTestContextOnly(recorder, router)
+
+	err := authService.CreateSessionCookie(c, &repository.Session{
+		Username:    "testuser",
+		Name:        "testuser",
+		Email:       "testuser@example.com",
+		Provider:    "local",
+		TotpPending: false,
+		OAuthGroups: "",
+	})
 
-	req, err := http.NewRequest("GET", "/api/auth/traefik", nil)
 	assert.NilError(t, err)
 
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	cookie := c.Writer.Header().Get("Set-Cookie")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/")
 
-	router.ServeHTTP(recorder, req)
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
-
-	// Test logged out user nginx (auth_request)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
-
-	// Test logged out user envoy (ext_authz)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
-
-	// Test logged in user traefik/caddy (forward_auth)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "local",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: false,
+			})
 			c.Next()
 		},
 	})
 
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
+	req.Header.Set("Cookie", cookie)
-
+	req.Header.Set("Accept", "text/html")
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/")
-
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
 
-	// Test logged in user nginx (auth_request)
+	assert.Equal(t, 200, recorder.Code)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
+
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
+	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
+
+	// Ensure basic auth is disabled for TOTP enabled users
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				IsBasicAuth: true,
+				OAuth:       false,
+				Provider:    "local",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: true,
+			})
 			c.Next()
 		},
 	})
 
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
+	req.SetBasicAuth("testuser", "test")
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/")
-
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
 
-	// Test logged in user envoy (ext_authz)
+	assert.Equal(t, 401, recorder.Code)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
-			c.Next()
-		},
-	})
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow caddy/traefik (forward_auth)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow nginx
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow envoy
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/allow", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test traefik/caddy (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test nginx (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test envoy (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test nginx (auth_request) with forward_auth fallback with ACLs
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test envoy (ext_authz) with forward_auth fallback with ACLs
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test envoy (ext_authz) with empty path
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
-
-	// Ensure forward_auth fallback works with path (should ignore)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik?path=/allow", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
 }

internal/middleware/context_middleware.go

@@ -182,17 +182,13 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 
 			user := m.auth.GetLocalUser(basic.Username)
 
-			if user.TotpSecret != "" {
-				tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
-				return
-			}
-
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
 				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
+				TotpEnabled: user.TotpSecret != "",
 				IsBasicAuth: true,
 			})
 			c.Next()

internal/service/oidc_service.go

@@ -352,7 +352,7 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }
 
-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repository.OidcCode, error) {
 	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
 
 	if err != nil {
@@ -374,10 +374,6 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client
 		return repository.OidcCode{}, ErrCodeExpired
 	}
 
-	if oidcCode.ClientID != clientId {
-		return repository.OidcCode{}, ErrInvalidClient
-	}
-
 	return oidcCode, nil
 }