chore: remove auth response headers from example compose since it's an advanced feature

* wip

* feat: finalize totp gen code

* refactor: split login screen and forms

* feat: add totp logic and ui

* refactor: make totp pending expiry time fixed

* refactor: skip all checks when disable continue is enabled

* fix: fix cli not exiting on invalid input

.github/workflows/alpha-release.yml

@@ -1,58 +0,0 @@
-name: Alpha Release
-on:
-  workflow_dispatch:
-    inputs:
-      alpha:
-        description: "Alpha version (e.g. 1, 2, 3)"
-        required: true
-
-jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)-alpha.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
-
-  alpha-release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create alpha release
-        uses: softprops/action-gh-release@v2
-        with:
-          prerelease: true
-          tag_name: ${{ needs.get-tag.outputs.tag }}

.github/workflows/beta-release.yml

@@ -1,58 +0,0 @@
-name: Beta Release
-on:
-  workflow_dispatch:
-    inputs:
-      alpha:
-        description: "Beta version (e.g. 1, 2, 3)"
-        required: true
-
-jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)-beta.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
-
-  beta-release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create beta release
-        uses: softprops/action-gh-release@v2
-        with:
-          prerelease: true
-          tag_name: ${{ needs.get-tag.outputs.tag }}

.github/workflows/release.yml

@@ -1,32 +1,22 @@
 name: Release
 on:
   workflow_dispatch:
+  push:
+    tags:
+      - "v*"
 
 jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
+  build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -35,21 +25,112 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build and push
         uses: docker/build-push-action@v6
+        id: build
         with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}, ghcr.io/${{ github.repository_owner }}/tinyauth:latest
+          platforms: linux/amd64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
 
-  release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create release
-        uses: softprops/action-gh-release@v2
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
         with:
-          prerelease: false
-          make_latest: false
-          tag_name: ${{ needs.get-tag.outputs.tag }}
+          name: digests-linux-amd64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  build-arm:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-linux-arm64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - build-arm
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          tags: |
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}
+            type=semver,pattern=v{{major}}.{{minor}}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing
 
-Contributing is relatively easy.
+Contributing is relatively easy, you just need to follow the steps carefully and you will be up and running with a development server in less than 5 minutes.
 
 ## Requirements
 
@@ -8,6 +8,7 @@ Contributing is relatively easy.
 - Golang v1.23.2 and above
 - Git
 - Docker
+- Make (not required but it will make your life easier)
 
 ## Cloning the repository
 
@@ -20,48 +21,42 @@ cd tinyauth
 
 ## Install requirements
 
-Now it's time to install the requirements, firstly the Go ones:
+To install the requirements simply run:
 
 ```sh
-go mod download
+make requirements
 ```
 
-And now the site ones:
-
-```sh
-cd site
-bun i
-```
+It will download all the node packages required by the frontend as well as all the go requirements.
 
 ## Developing locally
 
-In order to develop the app locally you need to build the frontend and copy it to the assets folder in order for Go to embed it and host it. In order to build the frontend run:
+In order to develop the app you need to firstly compile the frontend and then the go app. To avoid running the same commands over and over again you can just run:
 
 ```sh
-cd site
-bun run build
-cd ..
+make run
 ```
 
-Copy it to the assets folder:
+This is the equivalent of `go run main.go`, if you would like to build a binary run:
 
 ```sh
-rm -rf internal/assets/dist
-cp -r site/dist internal/assets/dist
+make build
 ```
 
-Finally either run the app with:
+To avoid rebuilding the frontend every time you can run:
 
 ```sh
-go run main.go
+make run-no-web
 ```
 
-Or build it with:
+And:
 
 ```sh
-go build
+make build-no-web
 ```
 
+For these commands to succeed you must have built the frontend at least once.
+
 > [!WARNING]
 > Make sure you have set the environment variables when running outside of docker else the app will fail.
 
@@ -70,8 +65,8 @@ go build
 My recommended development method is docker so I can test that both my image works and that the app responds correctly to traefik. In my setup I have set these two DNS records in my DNS server:
 
 ```
-*.dev.local -> 127.0.0.1
-dev.local -> 127.0.0.1
+*.dev.example.com -> 127.0.0.1
+dev.example.com -> 127.0.0.1
 ```
 
 Then I can just make sure the domains are correct in the example docker compose file and do:
@@ -79,3 +74,6 @@ Then I can just make sure the domains are correct in the example docker compose
 ```sh
 docker compose -f docker-compose.dev.yml up --build
 ```
+
+> [!NOTE]
+> I would recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.

FUNDING.yml

@@ -0,0 +1,2 @@
+github: steveiliop56
+buy_me_a_coffee: steveiliop56

Makefile

@@ -2,6 +2,11 @@
 web:
 	cd site; bun run build
 
+# Requirements
+requirements:
+	cd site; bun install
+	go mod tidy
+
 # Copy site assets
 assets: web
 	rm -rf internal/assets/dist
@@ -12,6 +17,10 @@ assets: web
 run: assets
 	go run main.go
 
+# Run development binary without compiling the frontend
+run-skip-web:
+	go run main.go
+
 # Test
 test:
 	go test ./...
@@ -20,6 +29,6 @@ test:
 build: assets
 	go build -o tinyauth
 
-# Build no site
+# Build the binary without compiling the frontend
 build-skip-web:
 	go build -o tinyauth

README.md

@@ -28,11 +28,11 @@ I just made a Discord server for Tinyauth! It is not only for Tinyauth but gener
 
 ## Getting Started
 
-You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.doesmycode.work/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
+You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
 
 ## Documentation
 
-You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.doesmycode.work).
+You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.app).
 
 ## Contributing
 
@@ -42,6 +42,14 @@ All contributions to the codebase are welcome! If you have any recommendations o
 
 Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.
 
+## Sponsors
+
+Thanks a lot to the following people for providing me with more coffee:
+
+| <img height="64" src="https://avatars.githubusercontent.com/u/47644445?v=4" alt="Nicolas"> | <img height="64" src="https://avatars.githubusercontent.com/u/4255748?v=4" alt="Erwin"> |
+| ------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
+| <div align="center"><a href="https://github.com/nicotsx">Nicolas</a></div>                 | <div align="center"><a href="https://github.com/erwinkramer">Erwin</a></div>            |
+
 ## Acknowledgements
 
 Credits for the logo of this app go to:

assets/discohook.json

@@ -3,8 +3,8 @@
   "embeds": [
     {
       "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.doesmycode.work>",
-      "url": "https://tinyauth.doesmycode.work",
+      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
+      "url": "https://tinyauth.app",
       "color": 7002085,
       "author": {
         "name": "Tinyauth"
@@ -12,11 +12,11 @@
       "footer": {
         "text": "Updated at"
       },
-      "timestamp": "2025-02-06T22:00:00.000Z",
+      "timestamp": "2025-03-10T19:00:00.000Z",
       "thumbnail": {
         "url": "https://github.com/steveiliop56/tinyauth/blob/main/site/public/logo.png?raw=true"
       }
     }
   ],
   "attachments": []
-}
+}

docker-compose.dev.yml

@@ -8,12 +8,12 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
-  nginx:
-    container_name: nginx
-    image: nginx:latest
+  whoami:
+    container_name: whoami
+    image: traefik/whoami:latest
     labels:
       traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`nginx.dev.local`)
+      traefik.http.routers.nginx.rule: Host(`whoami.dev.example.com`)
       traefik.http.services.nginx.loadbalancer.server.port: 80
       traefik.http.routers.nginx.middlewares: tinyauth
 
@@ -24,11 +24,10 @@ services:
       dockerfile: Dockerfile
     environment:
       - SECRET=some-random-32-chars-string
-      - APP_URL=http://tinyauth.dev.local
+      - APP_URL=http://tinyauth.dev.example.com
       - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
     labels:
       traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.dev.local`)
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.dev.example.com`)
       traefik.http.services.tinyauth.loadbalancer.server.port: 3000
       traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
-      traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: X-Tinyauth-User

docker-compose.example.yml

@@ -8,12 +8,12 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
-  nginx:
-    container_name: nginx
-    image: nginx:latest
+  whoami:
+    container_name: whoami
+    image: traefik/whoami:latest
     labels:
       traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`nginx.example.com`)
+      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
       traefik.http.services.nginx.loadbalancer.server.port: 80
       traefik.http.routers.nginx.middlewares: tinyauth
 
@@ -29,4 +29,3 @@ services:
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
       traefik.http.services.tinyauth.loadbalancer.server.port: 3000
       traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
-      traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: X-Tinyauth-User

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-playground/validator/v10 v10.24.0
 	github.com/google/go-querystring v1.1.0
+	github.com/mdp/qrterminal/v3 v3.2.0
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
@@ -15,7 +16,6 @@ require (
 
 require (
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/mdp/qrterminal/v3 v3.2.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect

internal/api/api.go

@@ -131,18 +131,24 @@ func (api *API) SetupRoutes() {
 			return
 		}
 
-		log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
+		// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
+		isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
 
-		// Check if using basic auth
-		_, _, basicAuth := c.Request.BasicAuth()
+		if isBrowser {
+			log.Debug().Msg("Request is most likely coming from a browser")
+		} else {
+			log.Debug().Msg("Request is most likely not coming from a browser")
+		}
+
+		log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
 
 		// Check if auth is enabled
 		authEnabled, authEnabledErr := api.Auth.AuthEnabled(c)
 
 		// Handle error
 		if authEnabledErr != nil {
-			// Return 500 if nginx is the proxy or if the request is using basic auth
-			if proxy.Proxy == "nginx" || basicAuth {
+			// Return 500 if nginx is the proxy or if the request is not coming from a browser
+			if proxy.Proxy == "nginx" || !isBrowser {
 				log.Error().Err(authEnabledErr).Msg("Failed to check if auth is enabled")
 				c.JSON(500, gin.H{
 					"status":  500,
@@ -186,8 +192,8 @@ func (api *API) SetupRoutes() {
 
 			// Check if there was an error
 			if appAllowedErr != nil {
-				// Return 500 if nginx is the proxy or if the request is using basic auth
-				if proxy.Proxy == "nginx" || basicAuth {
+				// Return 500 if nginx is the proxy or if the request is not coming from a browser
+				if proxy.Proxy == "nginx" || !isBrowser {
 					log.Error().Err(appAllowedErr).Msg("Failed to check if app is allowed")
 					c.JSON(500, gin.H{
 						"status":  500,
@@ -208,9 +214,11 @@ func (api *API) SetupRoutes() {
 			if !appAllowed {
 				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
 
-				// Return 401 if nginx is the proxy or if the request is using an Authorization header
-				if proxy.Proxy == "nginx" || basicAuth {
-					c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+				// Set WWW-Authenticate header
+				c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+				// Return 401 if nginx is the proxy or if the request is not coming from a browser
+				if proxy.Proxy == "nginx" || !isBrowser {
 					c.JSON(401, gin.H{
 						"status":  401,
 						"message": "Unauthorized",
@@ -237,7 +245,7 @@ func (api *API) SetupRoutes() {
 			}
 
 			// Set the user header
-			c.Header("X-Tinyauth-User", userContext.Username)
+			c.Header("Remote-User", userContext.Username)
 
 			// The user is allowed to access the app
 			c.JSON(200, gin.H{
@@ -252,9 +260,11 @@ func (api *API) SetupRoutes() {
 		// The user is not logged in
 		log.Debug().Msg("Unauthorized")
 
-		// Return 401 if nginx is the proxy or if the request is using an Authorization header
-		if proxy.Proxy == "nginx" || basicAuth {
-			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+		// Set www-authenticate header
+		c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+		// Return 401 if nginx is the proxy or if the request is not coming from a browser
+		if proxy.Proxy == "nginx" || !isBrowser {
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",

internal/assets/version

@@ -1 +1 @@
-v3.0.1
+v3.1.0

internal/auth/auth.go

@@ -162,7 +162,10 @@ func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext) (bo
 	// Check if resource is allowed
 	allowed, allowedErr := auth.Docker.ContainerAction(appId, func(labels types.TinyauthLabels) (bool, error) {
 		// If the container has an oauth whitelist, check if the user is in it
-		if context.OAuth && len(labels.OAuthWhitelist) != 0 {
+		if context.OAuth {
+			if len(labels.OAuthWhitelist) == 0 {
+				return true, nil
+			}
 			log.Debug().Msg("Checking OAuth whitelist")
 			if slices.Contains(labels.OAuthWhitelist, context.Username) {
 				return true, nil