Initial thoughts

2026-04-13 09:18:10 +00:00 · 2026-04-12 21:42:43 +01:00
5 changed files with 137 additions and 0 deletions
--- a/e2e/README.md
+++ b/e2e/README.md
@@ -0,0 +1,28 @@
+# E2E Framework
+
+[Project link](https://github.com/orgs/tinyauthapp/projects/1/views/1)
+
+This is designed as an E2E framework to be able to test for changes in common proxy and application apps that tinyauth users are likely to use.
+
+This is **not** designed to test functionality, it is a [Canary](https://en.wikipedia.org/wiki/Sentinel_species#Canaries). All functionailty testing is already done by Unit tests within the standard tinyauth PR / release workflows.
+
+## Design
+
+Primary testing is via Docker, although a minimal Kubernetes stack is also planned.
+
+Initially this is being created to test the proxy connection, and ability to login.
+
+Testing of endpoints and providers will be done via `traefik`.
+
+It requires at least two endpoints, one will be `whoami` as an easy "is this working", but it also later requires an OIDC test (TBD), and a nested HTTP Auth (TBD).
+
+It should test against all "known" Oauth providers (ie, the ones that are specifically mentioned in the documentation, including community supplied if possible).
+
+> [!NOTE]
+> This requires having both Google and Github logins for the built-in providers, so security for those on a public E2E setup must be taken into account.
+
+## Running
+
+Run the <./test.sh> script, this handles everything for all tests.
+
+TODO: Implement options to limit testing to specific proxies and auth services.
--- a/e2e/compose.base.yaml
+++ b/e2e/compose.base.yaml
@@ -0,0 +1,10 @@
+# This contains base apps without any proxy information
+
+services:
+  tinyauth:
+    image: ${TINYAUTH_IMAGE:-ghcr.io/steveiliop56/tinyauth}:${TINYAUTH_IMAGE_TAG:-v5}
+    environment:
+      TINYAUTH_ANALYTICS_ENABLED: "false"
+      TINYAUTH_APPURL: "https://tinyauth.${DOMAIN:-local}"
+    volumes:
+      - "./config:/data"
--- a/e2e/compose.traefik.yaml
+++ b/e2e/compose.traefik.yaml
@@ -0,0 +1,44 @@
+# This contains Traefik proxy versions
+# All apps must be prefixed by `traefik-`
+
+services:
+  traefik:
+    container_name: traefik
+    image: ${TRAEFIK_IMAGE:-traefik}:${TRAEFIK_IMAGE_TAG:-v3}
+    networks:
+      - e2e
+    environment:
+      TZ: "${TZ:-Europe/London}"
+      PUID: "${PUID:-1000}"
+      PGID: "${PGID:-1000}"
+      UMASK: "000"
+    command:
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entryPoints.websecure.address=:443"
+      - "--providers.docker=true"
+      - "--providers.docker.endpoint=/var/run/docker.sock"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./.ssl/key.pem:/run/secrets/key.pem:ro"
+      - "./.ssl/cert.pem:/run/secrets/cert.pem:ro"
+      - "./config:/etc/traefik"
+
+  traefik-tinyauth:
+    container_name: traefik-tinyauth
+    extends:
+      file: ../compose.base.yaml
+      service: tinyauth
+    networks:
+      e2e-external:
+      e2e:
+        aliases:
+          - "traefik-tinyauth.$DOMAIN"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.tinyauth.rule=Host(`tinyauth.$DOMAIN`)"
+      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
+      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
+      - "traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.middlewares.tinyauth.forwardauth.maxResponseBodySize=32768"
--- a/e2e/compose.yaml
+++ b/e2e/compose.yaml
@@ -0,0 +1,53 @@
+name: tinyauth-e2e
+
+services:
+  traefik-tinyauth:
+    container_name: traefik-tinyauth
+    extends:
+      file: ../compose.base.yaml
+      service: tinyauth
+    networks:
+      e2e-external:
+      e2e:
+        aliases:
+          - "traefik-tinyauth.$DOMAIN"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.tinyauth.rule=Host(`tinyauth.$DOMAIN`)"
+      - "traefik.http.services.tinyauth.loadbalancer.server.port=3000"
+      - "traefik.http.middlewares.tinyauth.forwardauth.address=http://tinyauth:3000/api/auth/traefik"
+      - "traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders=X-Forwarded-User"
+      - "traefik.http.middlewares.tinyauth.forwardauth.maxResponseBodySize=32768"
+
+  traefik-tinyauth-google:
+    container_name: traefik-tinyauth-google
+    secrets:
+      - google_client_secret
+    environment:
+      TINYAUTH_OAUTH_PROVIDERS_GOOGLE_CLIENTID: "$GOOGLE_CLIENT_ID"
+      TINYAUTH_OAUTH_PROVIDERS_GOOGLE_CLIENTSECRETFILE: "/run/secrets/google_client_secret"
+      TINYAUTH_OAUTH_WHITELIST: "${WHITELIST:?Set the WHITELIST to your google email address!}"
+
+  whoami:
+    image: traefik/whoami:latest
+    networks:
+      e2e:
+        aliases:
+          - "whoami.$DOMAIN"
+    labels:
+      traefik.enable: true
+      traefik.http.routers.whoami.rule: Host(`whoami.$DOMAIN`)
+      traefik.http.routers.whoami.middlewares: tinyauth
+
+networks:
+  e2e-external:
+    name: "e2e-external"
+    driver: bridge
+    enable_ipv4: true
+    enable_ipv6: true
+  e2e:
+    name: "e2e"
+    driver: bridge
+    internal: true
+    enable_ipv4: true
+    enable_ipv6: false
--- a/e2e/test.sh
+++ b/e2e/test.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+