fix: review comments

.github/workflows/integration.yml

@@ -1,82 +0,0 @@
-name: Proxy Integration Tests
-
-on:
-  workflow_dispatch:
-    inputs:
-      build:
-        type: boolean
-        description: Build from current tag before running tests
-
-permissions:
-  contents: read
-
-jobs:
-  determine-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      version: ${{ steps.metadata.outputs.VERSION }}
-      commit_hash: ${{ steps.metadata.outputs.COMMIT_HASH }}
-      build_timestamp: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Determine metadata
-        id: metadata
-        run: |
-          # Generate static metadata
-          echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
-          echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
-
-          # Determine version
-          if [ "${{ inputs.build }}" == "true" ]; then
-            echo "VERSION=development" >> "$GITHUB_OUTPUT"
-          else
-            echo "VERSION=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
-          fi
-
-  integration:
-    runs-on: ubuntu-latest
-    needs: determine-tag
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v6
-        with:
-          go-version: "1.25.0"
-
-      - name: Initialize submodules
-        run: |
-          git submodule init
-          git submodule update
-
-      - name: Apply patches
-        run: |
-          git apply --directory paerser/ patches/nested_maps.diff
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        if: ${{ inputs.build == 'true' }}
-
-      - name: Build
-        uses: docker/build-push-action@v6
-        if: ${{ inputs.build == 'true' }}
-        with:
-          platforms: linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.determine-tag.outputs.version }}
-          outputs: type=image,push=false
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            VERSION=${{ needs.determine-tag.outputs.version }}
-            COMMIT_HASH=${{ needs.determine-tag.outputs.commit_hash }}
-            BUILD_TIMESTAMP=${{ needs.determine-tag.outputs.build_timestamp }}
-
-      - name: Set tinyauth version
-        run: |
-          sed -i "s/TINYAUTH_VERSION=.*/TINYAUTH_VERSION=${{ needs.determine-tag.outputs.version }}/" integration/.env
-
-      - name: Test
-        run: make integration

.github/workflows/release.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: nightly
 
       - name: Generate metadata
         id: metadata

Makefile

@@ -81,11 +81,5 @@ sql:
 	sqlc generate
 
 # Go gen
-.PHONY: generate
 generate:
 	go run ./gen
-
-# Proxy integration tests
-.PHONY: integration
-integration:
-	go run ./integration -- --log=false

integration/.env

@@ -1,16 +0,0 @@
-# Nginx configuration
-NGINX_VERSION=1.29
-
-# Whoami configuration
-WHOAMI_VERSION=latest
-
-# Traefik configuration
-TRAEFIK_VERSION=v3.6
-TINYAUTH_HOST=tinyauth.127.0.0.1.sslip.io
-WHOAMI_HOST=whoami.127.0.0.1.sslip.io
-
-# Envoy configuration
-ENVOY_VERSION=v1.33-latest
-
-# Tinyauth configuration
-TINYAUTH_VERSION=latest

integration/config.yml

@@ -1,15 +0,0 @@
-appUrl: http://tinyauth.127.0.0.1.sslip.io
-
-auth:
-  users: test:$2a$10$eG88kFow83l5YRSlTSL2o.sZimjxFHrpiKdaSUZqpLBGX7Y2.4PZG
-
-log:
-  json: true
-  level: trace
-
-apps:
-  whoami:
-    config:
-      domain: whoami.127.0.0.1.sslip.io
-    path:
-      allow: /allow

integration/docker-compose.envoy.yml

@@ -1,16 +0,0 @@
-services:
-  envoy:
-    image: envoyproxy/envoy:${ENVOY_VERSION}
-    ports:
-      - 80:80
-    volumes:
-      - ./envoy.yml:/etc/envoy/envoy.yaml:ro
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro

integration/docker-compose.nginx.yml

@@ -1,16 +0,0 @@
-services:
-  nginx:
-    image: nginx:${NGINX_VERSION}
-    ports:
-      - 80:80
-    volumes:
-      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro

integration/docker-compose.traefik.yml

@@ -1,28 +0,0 @@
-services:
-  traefik:
-    image: traefik:${TRAEFIK_VERSION}
-    command: |
-      --api.insecure=true
-      --providers.docker
-      --entryPoints.web.address=:80
-    ports:
-      - 80:80
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-
-  whoami:
-    image: traefik/whoami:${WHOAMI_VERSION}
-    labels:
-      traefik.enable: true
-      traefik.http.routers.whoami.rule: Host(`${WHOAMI_HOST}`)
-      traefik.http.routers.whoami.middlewares: tinyauth
-
-  tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
-    command: --experimental.configfile=/data/config.yml
-    volumes:
-      - ./config.yml:/data/config.yml:ro
-    labels:
-      traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`${TINYAUTH_HOST}`)
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

integration/envoy.yml

@@ -1,105 +0,0 @@
-static_resources:
-  listeners:
-    - name: "listener_http"
-      address:
-        socket_address:
-          address: "0.0.0.0"
-          port_value: 80
-      filter_chains:
-        - filters:
-            - name: "envoy.filters.network.http_connection_manager"
-              typed_config:
-                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
-                stat_prefix: "ingress_http"
-                use_remote_address: true
-                skip_xff_append: false
-                route_config:
-                  name: "local_route"
-                  virtual_hosts:
-                    - name: "whoami_service"
-                      domains: ["whoami.127.0.0.1.sslip.io"]
-                      routes:
-                        - match:
-                            prefix: "/"
-                          route:
-                            cluster: "whoami"
-                    - name: "tinyauth_service"
-                      domains: ["tinyauth.127.0.0.1.sslip.io"]
-                      typed_per_filter_config:
-                        envoy.filters.http.ext_authz:
-                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
-                          disabled: true
-                      routes:
-                        - match:
-                            prefix: "/"
-                          route:
-                            cluster: "tinyauth"
-                http_filters:
-                  - name: "envoy.filters.http.ext_authz"
-                    typed_config:
-                      "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
-                      transport_api_version: "v3"
-                      http_service:
-                        path_prefix: "/api/auth/envoy?path="
-                        server_uri:
-                          uri: "tinyauth:3000"
-                          cluster: "tinyauth"
-                          timeout: "0.25s"
-                        authorization_request:
-                          allowed_headers:
-                            patterns:
-                              - exact: "authorization"
-                              - exact: "accept"
-                              - exact: "cookie"
-                          headers_to_add:
-                            - key: "x-forwarded-proto"
-                              value: "%REQ(:SCHEME)%"
-                            - key: "x-forwarded-host"
-                              value: "%REQ(:AUTHORITY)%"
-                            - key: "x-forwarded-uri"
-                              value: "%REQ(:PATH)%"
-                        authorization_response:
-                          allowed_upstream_headers:
-                            patterns:
-                              - prefix: "remote-"
-                          allowed_client_headers:
-                            patterns:
-                              - exact: "set-cookie"
-                              - exact: "location"
-                          allowed_client_headers_on_success:
-                            patterns:
-                              - exact: "set-cookie"
-                              - exact: "location"
-                      failure_mode_allow: false
-                  - name: "envoy.filters.http.router"
-                    typed_config:
-                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
-  clusters:
-    - name: "whoami"
-      connect_timeout: "0.25s"
-      type: "logical_dns"
-      dns_lookup_family: "v4_only"
-      lb_policy: "round_robin"
-      load_assignment:
-        cluster_name: "whoami"
-        endpoints:
-          - lb_endpoints:
-              - endpoint:
-                  address:
-                    socket_address:
-                      address: "whoami"
-                      port_value: 80
-    - name: "tinyauth"
-      connect_timeout: "0.25s"
-      type: "logical_dns"
-      dns_lookup_family: "v4_only"
-      lb_policy: "round_robin"
-      load_assignment:
-        cluster_name: "tinyauth"
-        endpoints:
-          - lb_endpoints:
-              - endpoint:
-                  address:
-                    socket_address:
-                      address: "tinyauth"
-                      port_value: 3000

integration/integrarion_tests.go

@@ -1,62 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"net/http"
-	"strings"
-)
-
-func testUnauthorized(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL, nil)
-	if err != nil {
-		return err
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	// nginx and envoy will throw us at the frontend
-	if resp.StatusCode != http.StatusUnauthorized && !strings.Contains(string(body), "<div id=\"root\"></div>") {
-		return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
-	}
-	return nil
-}
-
-func testLoggedIn(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL, nil)
-	if err != nil {
-		return err
-	}
-	req.SetBasicAuth(DefaultUsername, DefaultPassword)
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
-	}
-	return nil
-}
-
-func testACLAllowed(client *http.Client) error {
-	req, err := http.NewRequest("GET", WhoamiURL+"/allow", nil)
-	if err != nil {
-		return err
-	}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
-	}
-	return nil
-}

integration/integration.go

@@ -1,191 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log/slog"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"time"
-)
-
-var ProxiesToTest = []string{"traefik", "nginx", "envoy"}
-
-const (
-	EnvFile    = ".env"
-	ConfigFile = "config.yml"
-)
-
-const (
-	TinyauthURL = "http://tinyauth.127.0.0.1.sslip.io"
-	WhoamiURL   = "http://whoami.127.0.0.1.sslip.io"
-)
-
-const (
-	DefaultUsername = "test"
-	DefaultPassword = "password"
-)
-
-func main() {
-	logFlag := flag.Bool("log", false, "enable stack logging")
-	flag.Parse()
-
-	rootFolder, err := os.Getwd()
-
-	if err != nil {
-		slog.Error("fail", "error", err)
-		os.Exit(1)
-	}
-
-	slog.Info("root folder", "folder", rootFolder)
-
-	integrationRoot := rootFolder
-
-	if _, err := os.Stat(path.Join(rootFolder, ".git")); err != nil {
-		if !errors.Is(err, os.ErrNotExist) {
-			slog.Error("fail", "error", err)
-			os.Exit(1)
-		}
-	} else {
-		integrationRoot = path.Join(rootFolder, "integration")
-	}
-
-	slog.Info("integration root", "folder", integrationRoot)
-
-	for _, proxy := range ProxiesToTest {
-		slog.Info("begin", "proxy", proxy)
-		compose := fmt.Sprintf("docker-compose.%s.yml", proxy)
-		if _, err := os.Stat(path.Join(integrationRoot, compose)); err != nil {
-			slog.Error("fail", "proxy", proxy, "error", err)
-			os.Exit(1)
-		}
-		if err := createInstanceAndRunTests(compose, *logFlag, proxy, integrationRoot); err != nil {
-			slog.Error("fail", "proxy", proxy, "error", err)
-			os.Exit(1)
-		}
-		slog.Info("end", "proxy", proxy)
-	}
-}
-
-func runTests(client *http.Client, name string) error {
-	if err := testUnauthorized(client); err != nil {
-		slog.Error("fail unauthorized test", "name", name)
-		return err
-	}
-
-	slog.Info("unauthorized test passed", "name", name)
-
-	if err := testLoggedIn(client); err != nil {
-		slog.Error("fail logged in test", "name", name)
-		return err
-	}
-
-	slog.Info("logged in test passed", "name", name)
-
-	if err := testACLAllowed(client); err != nil {
-		slog.Error("fail acl test", "name", name)
-		return err
-	}
-
-	slog.Info("acl test passed", "name", name)
-
-	return nil
-}
-
-func createInstanceAndRunTests(compose string, log bool, name string, integrationDir string) error {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	composeFile := path.Join(integrationDir, compose)
-	envFile := path.Join(integrationDir, EnvFile)
-	cmdArgs := []string{"compose", "-f", composeFile, "--env-file", envFile, "up", "--build", "--force-recreate", "--remove-orphans"}
-	cmd := exec.CommandContext(ctx, "docker", cmdArgs...)
-
-	if log {
-		setupCmdLogging(cmd)
-	}
-
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-
-	defer func() {
-		cmd.Process.Signal(os.Interrupt)
-		cmd.Wait()
-	}()
-
-	slog.Info("instance created", "name", name)
-
-	if err := waitForHealthy(); err != nil {
-		return err
-	}
-
-	slog.Info("instance healthy", "name", name)
-
-	client := &http.Client{}
-
-	if err := runTests(client, name); err != nil {
-		return err
-	}
-
-	slog.Info("tests passed", "name", name)
-
-	cmd.Process.Signal(os.Interrupt)
-
-	if err := cmd.Wait(); cmd.ProcessState.ExitCode() != 130 && err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func setupCmdLogging(cmd *exec.Cmd) {
-	stdout, _ := cmd.StdoutPipe()
-	stderr, _ := cmd.StderrPipe()
-
-	go func() {
-		scanner := bufio.NewScanner(stdout)
-		for scanner.Scan() {
-			slog.Info("docker out", "stdout", scanner.Text())
-		}
-	}()
-
-	go func() {
-		scanner := bufio.NewScanner(stderr)
-		for scanner.Scan() {
-			slog.Error("docker out", "stderr", scanner.Text())
-		}
-	}()
-}
-
-func waitForHealthy() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
-	defer cancel()
-
-	ticker := time.NewTicker(10 * time.Second)
-	client := http.Client{}
-
-	for {
-		select {
-		case <-ctx.Done():
-			return errors.New("tinyauth not healthy after 5 minutes")
-		case <-ticker.C:
-			req, err := http.NewRequestWithContext(ctx, "GET", TinyauthURL+"/api/healthz", nil)
-			if err != nil {
-				return err
-			}
-			res, err := client.Do(req)
-			if err != nil {
-				continue
-			}
-			if res.StatusCode == http.StatusOK {
-				return nil
-			}
-		}
-	}
-}

integration/nginx.conf

@@ -1,36 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name tinyauth.127.0.0.1.sslip.io;
-
-    location / {
-        proxy_pass http://tinyauth:3000;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name whoami.127.0.0.1.sslip.io;
-
-    location / {
-        proxy_pass http://whoami;
-        auth_request /tinyauth;
-        error_page 401 = @tinyauth_login;
-    }
-
-    location /tinyauth {
-        internal;
-        proxy_pass http://tinyauth:3000/api/auth/nginx;
-        proxy_set_header x-original-url $scheme://$http_host$request_uri;
-        proxy_set_header x-forwarded-proto $scheme;
-        proxy_set_header x-forwarded-host $host;
-        proxy_set_header x-forwarded-uri $request_uri;
-    }
-
-    location @tinyauth_login {
-      return 302 http://tinyauth.127.0.0.1.sslip.io/login?redirect_uri=$scheme://$http_host$request_uri;
-    }
-}