fix: fix cli not exiting on invalid input

refactor: skip all checks when disable continue is enabled
refactor: make totp pending expiry time fixed
2025-10-28 12:45:47 +00:00 · 2025-03-09 18:38:39 +02:00 · 2025-03-09 18:31:11 +02:00 · 2025-03-09 18:20:54 +02:00 · 2025-03-06 19:22:12 +02:00 · 2025-03-06 17:30:35 +02:00
35 changed files with 965 additions and 1242 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,30 +0,0 @@
-PORT=3000
-ADDRESS=0.0.0.0
-SECRET=app_secret
-SECRET_FILE=app_secret_file
-APP_URL=http://localhost:3000
-USERS=your_user_password_hash
-USERS_FILE=users_file
-COOKIE_SECURE=false
-GITHUB_CLIENT_ID=github_client_id
-GITHUB_CLIENT_SECRET=github_client_secret
-GITHUB_CLIENT_SECRET_FILE=github_client_secret_file
-GOOGLE_CLIENT_ID=google_client_id
-GOOGLE_CLIENT_SECRET=google_client_secret
-GOOGLE_CLIENT_SECRET_FILE=google_client_secret_file
-TAILSCALE_CLIENT_ID=tailscale_client_id
-TAILSCALE_CLIENT_SECRET=tailscale_client_secret
-TAILSCALE_CLIENT_SECRET_FILE=tailscale__client_secret_file
-GENERIC_CLIENT_ID=generic_client_id
-GENERIC_CLIENT_SECRET=generic_client_secret
-GENERIC_CLIENT_SECRET_FILE=generic_client_secret_file
-GENERIC_SCOPES=generic_scopes
-GENERIC_AUTH_URL=generic_auth_url
-GENERIC_TOKEN_URL=generic_token_url
-GENERIC_USER_URL=generic_user_url
-DISABLE_CONTINUE=false
-OAUTH_WHITELIST=
-GENERIC_NAME=My OAuth
-SESSION_EXPIRY=7200
-LOG_LEVEL=0
-APP_TITLE=Tinyauth SSO
--- a/.github/workflows/alpha-release.yml
+++ b/.github/workflows/alpha-release.yml
@@ -0,0 +1,58 @@
+name: Alpha Release
+on:
+  workflow_dispatch:
+    inputs:
+      alpha:
+        description: "Alpha version (e.g. 1, 2, 3)"
+        required: true
+
+jobs:
+  get-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.name }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get tag
+        id: tag
+        run: echo "name=$(cat internal/assets/version)-alpha.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
+
+  build-docker:
+    needs: get-tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/arm64, linux/amd64
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
+
+  alpha-release:
+    needs: [get-tag, build-docker]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create alpha release
+        uses: softprops/action-gh-release@v2
+        with:
+          prerelease: true
+          tag_name: ${{ needs.get-tag.outputs.tag }}
--- a/.github/workflows/beta-release.yml
+++ b/.github/workflows/beta-release.yml
@@ -0,0 +1,58 @@
+name: Beta Release
+on:
+  workflow_dispatch:
+    inputs:
+      alpha:
+        description: "Beta version (e.g. 1, 2, 3)"
+        required: true
+
+jobs:
+  get-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.name }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get tag
+        id: tag
+        run: echo "name=$(cat internal/assets/version)-beta.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
+
+  build-docker:
+    needs: get-tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/arm64, linux/amd64
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
+
+  beta-release:
+    needs: [get-tag, build-docker]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create beta release
+        uses: softprops/action-gh-release@v2
+        with:
+          prerelease: true
+          tag_name: ${{ needs.get-tag.outputs.tag }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,22 +1,32 @@
 name: Release
 on:
  workflow_dispatch:
-  push:
-    tags:
-      - "v*"

 jobs:
-  build:
+  get-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.name }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get tag
+        id: tag
+        run: echo "name=$(cat internal/assets/version)" >> $GITHUB_OUTPUT
+
+  build-docker:
+    needs: get-tag
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
@@ -25,112 +35,21 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
      - name: Build and push
        uses: docker/build-push-action@v6
-        id: build
        with:
-          platforms: linux/amd64
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
-          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          context: .
+          push: true
+          platforms: linux/arm64, linux/amd64
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}, ghcr.io/${{ github.repository_owner }}/tinyauth:latest

-      - name: Export digest
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-linux-amd64
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  build-arm:
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/tinyauth
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        id: build
-        with:
-          platforms: linux/arm64
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
-          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-
-      - name: Export digest
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-linux-arm64
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  merge:
+  release:
+    needs: [get-tag, build-docker]
    runs-on: ubuntu-latest
-    needs:
-      - build
-      - build-arm
    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4
+      - name: Create release
+        uses: softprops/action-gh-release@v2
        with:
-          path: ${{ runner.temp }}/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository_owner }}/tinyauth
-          tags: |
-            type=semver,pattern={{version}},prefix=v
-            type=semver,pattern={{major}},prefix=v
-            type=semver,pattern={{major}}.{{minor}},prefix=v
-
-      - name: Create manifest list and push
-        working-directory: ${{ runner.temp }}/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
+          prerelease: false
+          make_latest: false
+          tag_name: ${{ needs.get-tag.outputs.tag }}
--- a/.gitignore
+++ b/.gitignore
@@ -18,10 +18,4 @@ secret_oauth.txt
 .vscode

 # apple stuff
-.DS_Store
-
-# env
-.env
-
-# tmp directory
-tmp
+.DS_Store
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # Contributing

-Contributing is relatively easy, you just need to follow the steps carefully and you will be up and running with a development server in less than 5 minutes.
+Contributing is relatively easy.

 ## Requirements

@@ -20,37 +20,62 @@ cd tinyauth

 ## Install requirements

-Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have errors, to install the go requirements, run:
+Now it's time to install the requirements, firstly the Go ones:

 ```sh
-go mod tidy
+go mod download
 ```

-You also need to download the frontend requirements, this can be done like so:
+And now the site ones:

 ```sh
-cd site/
-bun install
+cd site
+bun i
 ```

-## Create your `.env` file
+## Developing locally

-In order to ocnfigure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables inside to suit your needs.
+In order to develop the app locally you need to build the frontend and copy it to the assets folder in order for Go to embed it and host it. In order to build the frontend run:

-## Developing
-
-I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
-
-```
-*.dev.example.com -> 127.0.0.1
-dev.example.com -> 127.0.0.1
+```sh
+cd site
+bun run build
+cd ..
 ```

-Then you can just make sure the domains are correct in the example docker compose file and run:
+Copy it to the assets folder:
+
+```sh
+rm -rf internal/assets/dist
+cp -r site/dist internal/assets/dist
+```
+
+Finally either run the app with:
+
+```sh
+go run main.go
+```
+
+Or build it with:
+
+```sh
+go build
+```
+
+> [!WARNING]
+> Make sure you have set the environment variables when running outside of docker else the app will fail.
+
+## Developing in docker
+
+My recommended development method is docker so I can test that both my image works and that the app responds correctly to traefik. In my setup I have set these two DNS records in my DNS server:
+
+```
+*.dev.local -> 127.0.0.1
+dev.local -> 127.0.0.1
+```
+
+Then I can just make sure the domains are correct in the example docker compose file and do:

 ```sh
 docker compose -f docker-compose.dev.yml up --build
 ```
-
-> [!NOTE]
-> I would recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,22 +0,0 @@
-FROM golang:1.23-alpine3.21
-
-WORKDIR /tinyauth
-
-COPY go.mod ./
-COPY go.sum ./
-
-RUN go mod download
-
-COPY ./cmd ./cmd
-COPY ./internal ./internal
-COPY ./main.go ./
-COPY ./air.toml ./
-
-RUN mkdir -p ./internal/assets/dist && \
-    echo "app running" > ./internal/assets/dist/index.html
-
-RUN go install github.com/air-verse/air@v1.61.7
-
-EXPOSE 3000
-
-ENTRYPOINT ["air", "-c", "air.toml"]
--- a/FUNDING.yml
+++ b/FUNDING.yml
@@ -1,2 +0,0 @@
-github: steveiliop56
-buy_me_a_coffee: steveiliop56
--- a/25
+++ b/25
@@ -0,0 +1,25 @@
+# Build website
+web:
+	cd site; bun run build
+
+# Copy site assets
+assets: web
+	rm -rf internal/assets/dist
+	mkdir -p internal/assets/dist
+	cp -r site/dist/* internal/assets/dist
+
+# Run development binary
+run: assets
+	go run main.go
+
+# Test
+test:
+	go test ./...
+
+# Build
+build: assets
+	go build -o tinyauth
+
+# Build no site
+build-skip-web:
+	go build -o tinyauth
--- a/README.md
+++ b/README.md
@@ -28,11 +28,11 @@ I just made a Discord server for Tinyauth! It is not only for Tinyauth but gener

 ## Getting Started

-You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
+You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.doesmycode.work/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.

 ## Documentation

-You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.app).
+You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.doesmycode.work).

 ## Contributing

@@ -42,14 +42,6 @@ All contributions to the codebase are welcome! If you have any recommendations o

 Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.

-## Sponsors
-
-Thanks a lot to the following people for providing me with more coffee:
-
-| <img height="64" src="https://avatars.githubusercontent.com/u/47644445?v=4" alt="Nicolas"> | <img height="64" src="https://avatars.githubusercontent.com/u/4255748?v=4" alt="Erwin"> |
-| ------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
-| <div align="center"><a href="https://github.com/nicotsx">Nicolas</a></div>                 | <div align="center"><a href="https://github.com/erwinkramer">Erwin</a></div>            |
-
 ## Acknowledgements

 Credits for the logo of this app go to:
--- a/air.toml
+++ b/air.toml
@@ -1,24 +0,0 @@
-root = "/tinyauth"
-tmp_dir = "tmp"
-
-[build]
-pre_cmd = ["go mod tidy"]
-cmd = "go build -o ./tmp/tinyauth ."
-bin = "tmp/tinyauth"
-include_ext = ["go"]
-exclude_dir = ["internal/assets/dist"]
-exclude_regex = [".*_test\\.go"]
-stop_on_error = true
-
-[color]
-main = "magenta"
-watcher = "cyan"
-build = "yellow"
-runner = "green"
-
-[misc]
-clean_on_exit = true
-
-[screen]
-clear_on_rebuild = false
-keep_scroll = true
--- a/assets/discohook.json
+++ b/assets/discohook.json
@@ -3,8 +3,8 @@
  "embeds": [
    {
      "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
-      "url": "https://tinyauth.app",
+      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.doesmycode.work>",
+      "url": "https://tinyauth.doesmycode.work",
      "color": 7002085,
      "author": {
        "name": "Tinyauth"
@@ -12,11 +12,11 @@
      "footer": {
        "text": "Updated at"
      },
-      "timestamp": "2025-03-10T19:00:00.000Z",
+      "timestamp": "2025-02-06T22:00:00.000Z",
      "thumbnail": {
        "url": "https://github.com/steveiliop56/tinyauth/blob/main/site/public/logo.png?raw=true"
      }
    }
  ],
  "attachments": []
-}
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -2,7 +2,6 @@ package cmd

 import (
 	"errors"
-	"fmt"
 	"os"
 	"strings"
 	"time"
@@ -12,7 +11,6 @@ import (
 	"tinyauth/internal/assets"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/docker"
-	"tinyauth/internal/handlers"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
@@ -35,8 +33,8 @@ var rootCmd = &cobra.Command{

 		// Get config
 		var config types.Config
-		err := viper.Unmarshal(&config)
-		HandleError(err, "Failed to parse config")
+		parseErr := viper.Unmarshal(&config)
+		HandleError(parseErr, "Failed to parse config")

 		// Secrets
 		config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
@@ -47,8 +45,8 @@ var rootCmd = &cobra.Command{

 		// Validate config
 		validator := validator.New()
-		err = validator.Struct(config)
-		HandleError(err, "Failed to validate config")
+		validateErr := validator.Struct(config)
+		HandleError(validateErr, "Failed to validate config")

 		// Logger
 		log.Logger = log.Level(zerolog.Level(config.LogLevel))
@@ -56,8 +54,9 @@ var rootCmd = &cobra.Command{

 		// Users
 		log.Info().Msg("Parsing users")
-		users, err := utils.GetUsers(config.Users, config.UsersFile)
-		HandleError(err, "Failed to parse users")
+		users, usersErr := utils.GetUsers(config.Users, config.UsersFile)
+
+		HandleError(usersErr, "Failed to parse users")

 		if len(users) == 0 && !utils.OAuthConfigured(config) {
 			HandleError(errors.New("no users or OAuth configured"), "No users or OAuth configured")
@@ -67,15 +66,8 @@ var rootCmd = &cobra.Command{
 		oauthWhitelist := utils.Filter(strings.Split(config.OAuthWhitelist, ","), func(val string) bool {
 			return val != ""
 		})
-
 		log.Debug().Msg("Parsed OAuth whitelist")

-		// Get domain
-		log.Debug().Msg("Getting domain")
-		domain, err := utils.GetUpperDomain(config.AppURL)
-		HandleError(err, "Failed to get upper domain")
-		log.Info().Str("domain", domain).Msg("Using domain for cookie store")
-
 		// Create OAuth config
 		oauthConfig := types.OAuthConfig{
 			GithubClientId:        config.GithubClientId,
@@ -93,25 +85,7 @@ var rootCmd = &cobra.Command{
 			AppURL:                config.AppURL,
 		}

-		// Create handlers config
-		serverConfig := types.HandlersConfig{
-			AppURL:          config.AppURL,
-			Domain:          fmt.Sprintf(".%s", domain),
-			CookieSecure:    config.CookieSecure,
-			DisableContinue: config.DisableContinue,
-			Title:           config.Title,
-			GenericName:     config.GenericName,
-		}
-
-		// Create api config
-		apiConfig := types.APIConfig{
-			Port:          config.Port,
-			Address:       config.Address,
-			Secret:        config.Secret,
-			CookieSecure:  config.CookieSecure,
-			SessionExpiry: config.SessionExpiry,
-			Domain:        domain,
-		}
+		log.Debug().Msg("Parsed OAuth config")

 		// Create docker service
 		docker := docker.NewDocker()
@@ -132,11 +106,18 @@ var rootCmd = &cobra.Command{
 		// Create hooks service
 		hooks := hooks.NewHooks(auth, providers)

-		// Create handlers
-		handlers := handlers.NewHandlers(serverConfig, auth, hooks, providers)
-
 		// Create API
-		api := api.NewAPI(apiConfig, handlers)
+		api := api.NewAPI(types.APIConfig{
+			Port:            config.Port,
+			Address:         config.Address,
+			Secret:          config.Secret,
+			AppURL:          config.AppURL,
+			CookieSecure:    config.CookieSecure,
+			DisableContinue: config.DisableContinue,
+			SessionExpiry:   config.SessionExpiry,
+			Title:           config.Title,
+			GenericName:     config.GenericName,
+		}, hooks, auth, providers)

 		// Setup routes
 		api.Init()
@@ -153,7 +134,7 @@ func Execute() {
 }

 func HandleError(err error, msg string) {
-	// If error, log it and exit
+	// If error log it and exit
 	if err != nil {
 		log.Fatal().Err(err).Msg(msg)
 	}
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -8,41 +8,27 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

-  whoami:
-    container_name: whoami
-    image: traefik/whoami:latest
+  nginx:
+    container_name: nginx
+    image: nginx:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
+      traefik.http.routers.nginx.rule: Host(`nginx.dev.local`)
      traefik.http.services.nginx.loadbalancer.server.port: 80
      traefik.http.routers.nginx.middlewares: tinyauth

-  tinyauth-frontend:
-    container_name: tinyauth-frontend
+  tinyauth:
+    container_name: tinyauth
    build:
      context: .
-      dockerfile: site/Dockerfile.dev
-    volumes:
-      - ./site/src:/site/src
-    ports:
-      - 5173:5173
+      dockerfile: Dockerfile
+    environment:
+      - SECRET=some-random-32-chars-string
+      - APP_URL=http://tinyauth.dev.local
+      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
    labels:
      traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
-      traefik.http.services.tinyauth.loadbalancer.server.port: 5173
-
-  tinyauth-backend:
-    container_name: tinyauth-backend
-    build:
-      context: .
-      dockerfile: Dockerfile.dev
-    env_file: .env
-    volumes:
-      - ./internal:/tinyauth/internal
-      - ./cmd:/tinyauth/cmd
-      - ./main.go:/tinyauth/main.go
-    ports:
-      - 3000:3000
-    labels:
-      traefik.enable: true
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth-backend:3000/api/auth/traefik
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.dev.local`)
+      traefik.http.services.tinyauth.loadbalancer.server.port: 3000
+      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
+      traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: X-Tinyauth-User
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -8,18 +8,18 @@ services:
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

-  whoami:
-    container_name: whoami
-    image: traefik/whoami:latest
+  nginx:
+    container_name: nginx
+    image: nginx:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
+      traefik.http.routers.nginx.rule: Host(`nginx.example.com`)
      traefik.http.services.nginx.loadbalancer.server.port: 80
      traefik.http.routers.nginx.middlewares: tinyauth

  tinyauth:
    container_name: tinyauth
-    image: ghcr.io/steveiliop56/tinyauth:v3
+    image: ghcr.io/steveiliop56/tinyauth:latest
    environment:
      - SECRET=some-random-32-chars-string
      - APP_URL=https://tinyauth.example.com
@@ -29,3 +29,4 @@ services:
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
      traefik.http.services.tinyauth.loadbalancer.server.port: 3000
      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
+      traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: X-Tinyauth-User
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,6 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-playground/validator/v10 v10.24.0
 	github.com/google/go-querystring v1.1.0
-	github.com/mdp/qrterminal/v3 v3.2.0
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
@@ -16,6 +15,7 @@ require (

 require (
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/mdp/qrterminal/v3 v3.2.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -3,30 +3,42 @@ package api
 import (
 	"fmt"
 	"io/fs"
+	"math/rand/v2"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 	"tinyauth/internal/assets"
-	"tinyauth/internal/handlers"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/hooks"
+	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/cookie"
 	"github.com/gin-gonic/gin"
+	"github.com/google/go-querystring/query"
+	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog/log"
 )

-func NewAPI(config types.APIConfig, handlers *handlers.Handlers) *API {
+func NewAPI(config types.APIConfig, hooks *hooks.Hooks, auth *auth.Auth, providers *providers.Providers) *API {
 	return &API{
-		Config:   config,
-		Handlers: handlers,
+		Config:    config,
+		Hooks:     hooks,
+		Auth:      auth,
+		Providers: providers,
 	}
 }

 type API struct {
-	Config   types.APIConfig
-	Router   *gin.Engine
-	Handlers *handlers.Handlers
+	Config    types.APIConfig
+	Router    *gin.Engine
+	Hooks     *hooks.Hooks
+	Auth      *auth.Auth
+	Providers *providers.Providers
+	Domain    string
 }

 func (api *API) Init() {
@@ -40,10 +52,10 @@ func (api *API) Init() {

 	// Read UI assets
 	log.Debug().Msg("Setting up assets")
-	dist, err := fs.Sub(assets.Assets, "dist")
+	dist, distErr := fs.Sub(assets.Assets, "dist")

-	if err != nil {
-		log.Fatal().Err(err).Msg("Failed to get UI assets")
+	if distErr != nil {
+		log.Fatal().Err(distErr).Msg("Failed to get UI assets")
 	}

 	// Create file server
@@ -54,9 +66,22 @@ func (api *API) Init() {
 	log.Debug().Msg("Setting up cookie store")
 	store := cookie.NewStore([]byte(api.Config.Secret))

+	// Get domain to use for session cookies
+	log.Debug().Msg("Getting domain")
+	domain, domainErr := utils.GetRootURL(api.Config.AppURL)
+
+	if domainErr != nil {
+		log.Fatal().Err(domainErr).Msg("Failed to get domain")
+		os.Exit(1)
+	}
+
+	log.Info().Str("domain", domain).Msg("Using domain for cookies")
+
+	api.Domain = fmt.Sprintf(".%s", domain)
+
 	// Use session middleware
 	store.Options(sessions.Options{
-		Domain:   api.Config.Domain,
+		Domain:   api.Domain,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   api.Config.CookieSecure,
@@ -69,7 +94,17 @@ func (api *API) Init() {
 	router.Use(func(c *gin.Context) {
 		// If not an API request, serve the UI
 		if !strings.HasPrefix(c.Request.URL.Path, "/api") {
+			_, err := fs.Stat(dist, strings.TrimPrefix(c.Request.URL.Path, "/"))
+
+			// If the file doesn't exist, serve the index.html
+			if os.IsNotExist(err) {
+				c.Request.URL.Path = "/"
+			}
+
+			// Serve the file
 			fileServer.ServeHTTP(c.Writer, c.Request)
+
+			// Stop further processing
 			c.Abort()
 		}
 	})
@@ -79,36 +114,604 @@ func (api *API) Init() {
 }

 func (api *API) SetupRoutes() {
-	// Proxy
-	api.Router.GET("/api/auth/:proxy", api.Handlers.AuthHandler)
+	api.Router.GET("/api/auth/:proxy", func(c *gin.Context) {
+		// Create struct for proxy
+		var proxy types.Proxy

-	// Auth
-	api.Router.POST("/api/login", api.Handlers.LoginHandler)
-	api.Router.POST("/api/totp", api.Handlers.TotpHandler)
-	api.Router.POST("/api/logout", api.Handlers.LogoutHandler)
+		// Bind URI
+		bindErr := c.BindUri(&proxy)

-	// Context
-	api.Router.GET("/api/app", api.Handlers.AppHandler)
-	api.Router.GET("/api/user", api.Handlers.UserHandler)
+		// Handle error
+		if bindErr != nil {
+			log.Error().Err(bindErr).Msg("Failed to bind URI")
+			c.JSON(400, gin.H{
+				"status":  400,
+				"message": "Bad Request",
+			})
+			return
+		}

-	// OAuth
-	api.Router.GET("/api/oauth/url/:provider", api.Handlers.OauthUrlHandler)
-	api.Router.GET("/api/oauth/callback/:provider", api.Handlers.OauthCallbackHandler)
+		log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")

-	// App
-	api.Router.GET("/api/healthcheck", api.Handlers.HealthcheckHandler)
+		// Check if using basic auth
+		_, _, basicAuth := c.Request.BasicAuth()
+
+		// Check if auth is enabled
+		authEnabled, authEnabledErr := api.Auth.AuthEnabled(c)
+
+		// Handle error
+		if authEnabledErr != nil {
+			// Return 500 if nginx is the proxy or if the request is using basic auth
+			if proxy.Proxy == "nginx" || basicAuth {
+				log.Error().Err(authEnabledErr).Msg("Failed to check if auth is enabled")
+				c.JSON(500, gin.H{
+					"status":  500,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+
+			// Return the internal server error page
+			if api.handleError(c, "Failed to check if auth is enabled", authEnabledErr) {
+				return
+			}
+		}
+
+		// If auth is not enabled, return 200
+		if !authEnabled {
+			// The user is allowed to access the app
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Authenticated",
+			})
+
+			// Stop further processing
+			return
+		}
+
+		// Get user context
+		userContext := api.Hooks.UseUserContext(c)
+
+		// Get headers
+		uri := c.Request.Header.Get("X-Forwarded-Uri")
+		proto := c.Request.Header.Get("X-Forwarded-Proto")
+		host := c.Request.Header.Get("X-Forwarded-Host")
+
+		// Check if user is logged in
+		if userContext.IsLoggedIn {
+			log.Debug().Msg("Authenticated")
+
+			// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
+			appAllowed, appAllowedErr := api.Auth.ResourceAllowed(c, userContext)
+
+			// Check if there was an error
+			if appAllowedErr != nil {
+				// Return 500 if nginx is the proxy or if the request is using basic auth
+				if proxy.Proxy == "nginx" || basicAuth {
+					log.Error().Err(appAllowedErr).Msg("Failed to check if app is allowed")
+					c.JSON(500, gin.H{
+						"status":  500,
+						"message": "Internal Server Error",
+					})
+					return
+				}
+
+				// Return the internal server error page
+				if api.handleError(c, "Failed to check if app is allowed", appAllowedErr) {
+					return
+				}
+			}
+
+			log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
+
+			// The user is not allowed to access the app
+			if !appAllowed {
+				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+
+				// Return 401 if nginx is the proxy or if the request is using an Authorization header
+				if proxy.Proxy == "nginx" || basicAuth {
+					c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+					c.JSON(401, gin.H{
+						"status":  401,
+						"message": "Unauthorized",
+					})
+					return
+				}
+
+				// Build query
+				queries, queryErr := query.Values(types.UnauthorizedQuery{
+					Username: userContext.Username,
+					Resource: strings.Split(host, ".")[0],
+				})
+
+				// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+				if api.handleError(c, "Failed to build query", queryErr) {
+					return
+				}
+
+				// We are using caddy/traefik so redirect
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, queries.Encode()))
+
+				// Stop further processing
+				return
+			}
+
+			// Set the user header
+			c.Header("X-Tinyauth-User", userContext.Username)
+
+			// The user is allowed to access the app
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Authenticated",
+			})
+
+			// Stop further processing
+			return
+		}
+
+		// The user is not logged in
+		log.Debug().Msg("Unauthorized")
+
+		// Return 401 if nginx is the proxy or if the request is using an Authorization header
+		if proxy.Proxy == "nginx" || basicAuth {
+			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		// Build query
+		queries, queryErr := query.Values(types.LoginQuery{
+			RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
+		})
+
+		// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+		if api.handleError(c, "Failed to build query", queryErr) {
+			return
+		}
+
+		log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
+
+		// Redirect to login
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", api.Config.AppURL, queries.Encode()))
+	})
+
+	api.Router.POST("/api/login", func(c *gin.Context) {
+		// Create login struct
+		var login types.LoginRequest
+
+		// Bind JSON
+		err := c.BindJSON(&login)
+
+		// Handle error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to bind JSON")
+			c.JSON(400, gin.H{
+				"status":  400,
+				"message": "Bad Request",
+			})
+			return
+		}
+
+		log.Debug().Msg("Got login request")
+
+		// Get user based on username
+		user := api.Auth.GetUser(login.Username)
+
+		// User does not exist
+		if user == nil {
+			log.Debug().Str("username", login.Username).Msg("User not found")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		log.Debug().Msg("Got user")
+
+		// Check if password is correct
+		if !api.Auth.CheckPassword(*user, login.Password) {
+			log.Debug().Str("username", login.Username).Msg("Password incorrect")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		log.Debug().Msg("Password correct, checking totp")
+
+		// Check if user has totp enabled
+		if user.TotpSecret != "" {
+			log.Debug().Msg("Totp enabled")
+
+			// Set totp pending cookie
+			api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+				Username:    login.Username,
+				Provider:    "username",
+				TotpPending: true,
+			})
+
+			// Return totp required
+			c.JSON(200, gin.H{
+				"status":      200,
+				"message":     "Waiting for totp",
+				"totpPending": true,
+			})
+
+			// Stop further processing
+			return
+		}
+
+		// Create session cookie with username as provider
+		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username: login.Username,
+			Provider: "username",
+		})
+
+		// Return logged in
+		c.JSON(200, gin.H{
+			"status":      200,
+			"message":     "Logged in",
+			"totpPending": false,
+		})
+	})
+
+	api.Router.POST("/api/totp", func(c *gin.Context) {
+		// Create totp struct
+		var totpReq types.Totp
+
+		// Bind JSON
+		err := c.BindJSON(&totpReq)
+
+		// Handle error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to bind JSON")
+			c.JSON(400, gin.H{
+				"status":  400,
+				"message": "Bad Request",
+			})
+			return
+		}
+
+		log.Debug().Msg("Checking totp")
+
+		// Get user context
+		userContext := api.Hooks.UseUserContext(c)
+
+		// Check if we have a user
+		if userContext.Username == "" {
+			log.Debug().Msg("No user context")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		// Get user
+		user := api.Auth.GetUser(userContext.Username)
+
+		// Check if user exists
+		if user == nil {
+			log.Debug().Msg("User not found")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		// Check if totp is correct
+		totpOk := totp.Validate(totpReq.Code, user.TotpSecret)
+
+		// TOTP is incorrect
+		if !totpOk {
+			log.Debug().Msg("Totp incorrect")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+
+		log.Debug().Msg("Totp correct")
+
+		// Create session cookie with username as provider
+		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username: user.Username,
+			Provider: "username",
+		})
+
+		// Return logged in
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Logged in",
+		})
+	})
+
+	api.Router.POST("/api/logout", func(c *gin.Context) {
+		log.Debug().Msg("Logging out")
+
+		// Delete session cookie
+		api.Auth.DeleteSessionCookie(c)
+
+		log.Debug().Msg("Cleaning up redirect cookie")
+
+		// Clean up redirect cookie if it exists
+		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
+
+		// Return logged out
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Logged out",
+		})
+	})
+
+	api.Router.GET("/api/status", func(c *gin.Context) {
+		log.Debug().Msg("Checking status")
+
+		// Get user context
+		userContext := api.Hooks.UseUserContext(c)
+
+		// Get configured providers
+		configuredProviders := api.Providers.GetConfiguredProviders()
+
+		// We have username/password configured so add it to our providers
+		if api.Auth.UserAuthConfigured() {
+			configuredProviders = append(configuredProviders, "username")
+		}
+
+		// Fill status struct with data from user context and api config
+		status := types.Status{
+			Username:            userContext.Username,
+			IsLoggedIn:          userContext.IsLoggedIn,
+			Oauth:               userContext.OAuth,
+			Provider:            userContext.Provider,
+			ConfiguredProviders: configuredProviders,
+			DisableContinue:     api.Config.DisableContinue,
+			Title:               api.Config.Title,
+			GenericName:         api.Config.GenericName,
+			TotpPending:         userContext.TotpPending,
+		}
+
+		// If we are not logged in we set the status to 401 and add the WWW-Authenticate header else we set it to 200
+		if !userContext.IsLoggedIn {
+			log.Debug().Msg("Unauthorized")
+			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+			status.Status = 401
+			status.Message = "Unauthorized"
+		} else {
+			log.Debug().Interface("userContext", userContext).Strs("configuredProviders", configuredProviders).Bool("disableContinue", api.Config.DisableContinue).Msg("Authenticated")
+			status.Status = 200
+			status.Message = "Authenticated"
+		}
+
+		// Return data
+		c.JSON(200, status)
+	})
+
+	api.Router.GET("/api/oauth/url/:provider", func(c *gin.Context) {
+		// Create struct for OAuth request
+		var request types.OAuthRequest
+
+		// Bind URI
+		bindErr := c.BindUri(&request)
+
+		// Handle error
+		if bindErr != nil {
+			log.Error().Err(bindErr).Msg("Failed to bind URI")
+			c.JSON(400, gin.H{
+				"status":  400,
+				"message": "Bad Request",
+			})
+			return
+		}
+
+		log.Debug().Msg("Got OAuth request")
+
+		// Check if provider exists
+		provider := api.Providers.GetProvider(request.Provider)
+
+		// Provider does not exist
+		if provider == nil {
+			c.JSON(404, gin.H{
+				"status":  404,
+				"message": "Not Found",
+			})
+			return
+		}
+
+		log.Debug().Str("provider", request.Provider).Msg("Got provider")
+
+		// Get auth URL
+		authURL := provider.GetAuthURL()
+
+		log.Debug().Msg("Got auth URL")
+
+		// Get redirect URI
+		redirectURI := c.Query("redirect_uri")
+
+		// Set redirect cookie if redirect URI is provided
+		if redirectURI != "" {
+			log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
+			c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", api.Domain, api.Config.CookieSecure, true)
+		}
+
+		// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
+		if request.Provider == "tailscale" {
+			// Build tailscale query
+			tailscaleQuery, tailscaleQueryErr := query.Values(types.TailscaleQuery{
+				Code: (1000 + rand.IntN(9000)),
+			})
+
+			// Handle error
+			if tailscaleQueryErr != nil {
+				log.Error().Err(tailscaleQueryErr).Msg("Failed to build query")
+				c.JSON(500, gin.H{
+					"status":  500,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+
+			// Return tailscale URL (immidiately redirects to the callback)
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Ok",
+				"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", api.Config.AppURL, tailscaleQuery.Encode()),
+			})
+			return
+		}
+
+		// Return auth URL
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Ok",
+			"url":     authURL,
+		})
+	})
+
+	api.Router.GET("/api/oauth/callback/:provider", func(c *gin.Context) {
+		// Create struct for OAuth request
+		var providerName types.OAuthRequest
+
+		// Bind URI
+		bindErr := c.BindUri(&providerName)
+
+		// Handle error
+		if api.handleError(c, "Failed to bind URI", bindErr) {
+			return
+		}
+
+		log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
+
+		// Get code
+		code := c.Query("code")
+
+		// Code empty so redirect to error
+		if code == "" {
+			log.Error().Msg("No code provided")
+			c.Redirect(http.StatusPermanentRedirect, "/error")
+			return
+		}
+
+		log.Debug().Msg("Got code")
+
+		// Get provider
+		provider := api.Providers.GetProvider(providerName.Provider)
+
+		log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
+
+		// Provider does not exist
+		if provider == nil {
+			c.Redirect(http.StatusPermanentRedirect, "/not-found")
+			return
+		}
+
+		// Exchange token (authenticates user)
+		_, tokenErr := provider.ExchangeToken(code)
+
+		log.Debug().Msg("Got token")
+
+		// Handle error
+		if api.handleError(c, "Failed to exchange token", tokenErr) {
+			return
+		}
+
+		// Get email
+		email, emailErr := api.Providers.GetUser(providerName.Provider)
+
+		log.Debug().Str("email", email).Msg("Got email")
+
+		// Handle error
+		if api.handleError(c, "Failed to get user", emailErr) {
+			return
+		}
+
+		// Email is not whitelisted
+		if !api.Auth.EmailWhitelisted(email) {
+			log.Warn().Str("email", email).Msg("Email not whitelisted")
+
+			// Build query
+			unauthorizedQuery, unauthorizedQueryErr := query.Values(types.UnauthorizedQuery{
+				Username: email,
+			})
+
+			// Handle error
+			if api.handleError(c, "Failed to build query", unauthorizedQueryErr) {
+				return
+			}
+
+			// Redirect to unauthorized
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, unauthorizedQuery.Encode()))
+		}
+
+		log.Debug().Msg("Email whitelisted")
+
+		// Create session cookie
+		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username: email,
+			Provider: providerName.Provider,
+		})
+
+		// Get redirect URI
+		redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
+
+		// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
+		if redirectURIErr != nil {
+			c.Redirect(http.StatusPermanentRedirect, api.Config.AppURL)
+		}
+
+		log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
+
+		// Clean up redirect cookie since we already have the value
+		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
+
+		// Build query
+		redirectQuery, redirectQueryErr := query.Values(types.LoginQuery{
+			RedirectURI: redirectURI,
+		})
+
+		log.Debug().Msg("Got redirect query")
+
+		// Handle error
+		if api.handleError(c, "Failed to build query", redirectQueryErr) {
+			return
+		}
+
+		// Redirect to continue with the redirect URI
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", api.Config.AppURL, redirectQuery.Encode()))
+	})
+
+	// Simple healthcheck
+	api.Router.GET("/api/healthcheck", func(c *gin.Context) {
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "OK",
+		})
+	})
 }

 func (api *API) Run() {
 	log.Info().Str("address", api.Config.Address).Int("port", api.Config.Port).Msg("Starting server")

 	// Run server
-	err := api.Router.Run(fmt.Sprintf("%s:%d", api.Config.Address, api.Config.Port))
+	api.Router.Run(fmt.Sprintf("%s:%d", api.Config.Address, api.Config.Port))
+}

-	// Check for errors
+// handleError logs the error and redirects to the error page (only meant for stuff the user may access does not apply for login paths)
+func (api *API) handleError(c *gin.Context, msg string, err error) bool {
+	// If error is not nil log it and redirect to error page also return true so we can stop further processing
 	if err != nil {
-		log.Fatal().Err(err).Msg("Failed to start server")
+		log.Error().Err(err).Msg(msg)
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", api.Config.AppURL))
+		return true
 	}
+	return false
 }

 // zerolog is a middleware for gin that logs requests using zerolog
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@@ -2,16 +2,13 @@ package api_test

 import (
 	"encoding/json"
-	"io"
 	"net/http"
 	"net/http/httptest"
-	"reflect"
 	"strings"
 	"testing"
 	"tinyauth/internal/api"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/docker"
-	"tinyauth/internal/handlers"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
@@ -21,21 +18,13 @@ import (

 // Simple API config for tests
 var apiConfig = types.APIConfig{
-	Port:          8080,
-	Address:       "0.0.0.0",
-	Secret:        "super-secret-api-thing-for-tests", // It is 32 chars long
-	CookieSecure:  false,
-	SessionExpiry: 3600,
-}
-
-// Simple handlers config for tests
-var handlersConfig = types.HandlersConfig{
-	AppURL:          "http://localhost:8080",
-	Domain:          ".localhost",
+	Port:            8080,
+	Address:         "0.0.0.0",
+	Secret:          "super-secret-api-thing-for-tests", // It is 32 chars long
+	AppURL:          "http://tinyauth.localhost",
 	CookieSecure:    false,
+	SessionExpiry:   3600,
 	DisableContinue: false,
-	Title:           "Tinyauth",
-	GenericName:     "Generic",
 }

 // Cookie
@@ -77,11 +66,8 @@ func getAPI(t *testing.T) *api.API {
 	// Create hooks service
 	hooks := hooks.NewHooks(auth, providers)

-	// Create handlers service
-	handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers)
-
 	// Create API
-	api := api.NewAPI(apiConfig, handlers)
+	api := api.NewAPI(apiConfig, hooks, auth, providers)

 	// Setup routes
 	api.Init()
@@ -136,9 +122,9 @@ func TestLogin(t *testing.T) {
 	}
 }

-// Test app context
-func TestAppContext(t *testing.T) {
-	t.Log("Testing app context")
+// Test status
+func TestStatus(t *testing.T) {
+	t.Log("Testing status")

 	// Get API
 	api := getAPI(t)
@@ -147,7 +133,7 @@ func TestAppContext(t *testing.T) {
 	recorder := httptest.NewRecorder()

 	// Create request
-	req, err := http.NewRequest("GET", "/api/app", nil)
+	req, err := http.NewRequest("GET", "/api/status", nil)

 	// Check if there was an error
 	if err != nil {
@@ -166,95 +152,11 @@ func TestAppContext(t *testing.T) {
 	// Assert
 	assert.Equal(t, recorder.Code, http.StatusOK)

-	// Read the body of the response
-	body, bodyErr := io.ReadAll(recorder.Body)
+	// Parse the body
+	body := recorder.Body.String()

-	// Check if there was an error
-	if bodyErr != nil {
-		t.Fatalf("Error getting body: %v", bodyErr)
-	}
-
-	// Unmarshal the body into the user struct
-	var app types.AppContext
-
-	jsonErr := json.Unmarshal(body, &app)
-
-	// Check if there was an error
-	if jsonErr != nil {
-		t.Fatalf("Error unmarshalling body: %v", jsonErr)
-	}
-
-	// Create tests values
-	expected := types.AppContext{
-		Status:              200,
-		Message:             "OK",
-		ConfiguredProviders: []string{"username"},
-		DisableContinue:     false,
-		Title:               "Tinyauth",
-		GenericName:         "Generic",
-	}
-
-	// We should get the username back
-	if !reflect.DeepEqual(app, expected) {
-		t.Fatalf("Expected %v, got %v", expected, app)
-	}
-}
-
-// Test user context
-func TestUserContext(t *testing.T) {
-	t.Log("Testing user context")
-
-	// Get API
-	api := getAPI(t)
-
-	// Create recorder
-	recorder := httptest.NewRecorder()
-
-	// Create request
-	req, err := http.NewRequest("GET", "/api/user", nil)
-
-	// Check if there was an error
-	if err != nil {
-		t.Fatalf("Error creating request: %v", err)
-	}
-
-	// Set the cookie
-	req.AddCookie(&http.Cookie{
-		Name:  "tinyauth",
-		Value: cookie,
-	})
-
-	// Serve the request
-	api.Router.ServeHTTP(recorder, req)
-
-	// Assert
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Read the body of the response
-	body, bodyErr := io.ReadAll(recorder.Body)
-
-	// Check if there was an error
-	if bodyErr != nil {
-		t.Fatalf("Error getting body: %v", bodyErr)
-	}
-
-	// Unmarshal the body into the user struct
-	type User struct {
-		Username string `json:"username"`
-	}
-
-	var user User
-
-	jsonErr := json.Unmarshal(body, &user)
-
-	// Check if there was an error
-	if jsonErr != nil {
-		t.Fatalf("Error unmarshalling body: %v", jsonErr)
-	}
-
-	// We should get the username back
-	if user.Username != "user" {
-		t.Fatalf("Expected user, got %s", user.Username)
+	if !strings.Contains(body, "user") {
+		t.Fatalf("Expected user in body")
 	}
 }

--- a/internal/assets/version
+++ b/internal/assets/version
@@ -1 +1 @@
-v3.1.0
+v3.0.1
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -162,10 +162,7 @@ func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext) (bo
 	// Check if resource is allowed
 	allowed, allowedErr := auth.Docker.ContainerAction(appId, func(labels types.TinyauthLabels) (bool, error) {
 		// If the container has an oauth whitelist, check if the user is in it
-		if context.OAuth {
-			if len(labels.OAuthWhitelist) == 0 {
-				return true, nil
-			}
+		if context.OAuth && len(labels.OAuthWhitelist) != 0 {
 			log.Debug().Msg("Checking OAuth whitelist")
 			if slices.Contains(labels.OAuthWhitelist, context.Username) {
 				return true, nil
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -1,634 +0,0 @@
-package handlers
-
-import (
-	"fmt"
-	"math/rand/v2"
-	"net/http"
-	"strings"
-	"tinyauth/internal/auth"
-	"tinyauth/internal/hooks"
-	"tinyauth/internal/providers"
-	"tinyauth/internal/types"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/go-querystring/query"
-	"github.com/pquerna/otp/totp"
-	"github.com/rs/zerolog/log"
-)
-
-func NewHandlers(config types.HandlersConfig, auth *auth.Auth, hooks *hooks.Hooks, providers *providers.Providers) *Handlers {
-	return &Handlers{
-		Config:    config,
-		Auth:      auth,
-		Hooks:     hooks,
-		Providers: providers,
-	}
-}
-
-type Handlers struct {
-	Config    types.HandlersConfig
-	Auth      *auth.Auth
-	Hooks     *hooks.Hooks
-	Providers *providers.Providers
-}
-
-func (h *Handlers) AuthHandler(c *gin.Context) {
-	// Create struct for proxy
-	var proxy types.Proxy
-
-	// Bind URI
-	err := c.BindUri(&proxy)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind URI")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
-	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
-
-	if isBrowser {
-		log.Debug().Msg("Request is most likely coming from a browser")
-	} else {
-		log.Debug().Msg("Request is most likely not coming from a browser")
-	}
-
-	log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
-
-	// Check if auth is enabled
-	authEnabled, err := h.Auth.AuthEnabled(c)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to check if auth is enabled")
-
-		if proxy.Proxy == "nginx" || !isBrowser {
-			c.JSON(500, gin.H{
-				"status":  500,
-				"message": "Internal Server Error",
-			})
-			return
-		}
-
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	// If auth is not enabled, return 200
-	if !authEnabled {
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "Authenticated",
-		})
-		return
-	}
-
-	// Get user context
-	userContext := h.Hooks.UseUserContext(c)
-
-	// Get headers
-	uri := c.Request.Header.Get("X-Forwarded-Uri")
-	proto := c.Request.Header.Get("X-Forwarded-Proto")
-	host := c.Request.Header.Get("X-Forwarded-Host")
-
-	// Check if user is logged in
-	if userContext.IsLoggedIn {
-		log.Debug().Msg("Authenticated")
-
-		// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
-		appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
-
-		// Check if there was an error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to check if app is allowed")
-
-			if proxy.Proxy == "nginx" || !isBrowser {
-				c.JSON(500, gin.H{
-					"status":  500,
-					"message": "Internal Server Error",
-				})
-				return
-			}
-
-			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-			return
-		}
-
-		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
-
-		// The user is not allowed to access the app
-		if !appAllowed {
-			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
-
-			// Set WWW-Authenticate header
-			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-
-			if proxy.Proxy == "nginx" || !isBrowser {
-				c.JSON(401, gin.H{
-					"status":  401,
-					"message": "Unauthorized",
-				})
-				return
-			}
-
-			// Build query
-			queries, err := query.Values(types.UnauthorizedQuery{
-				Username: userContext.Username,
-				Resource: strings.Split(host, ".")[0],
-			})
-
-			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
-			if err != nil {
-				log.Error().Err(err).Msg("Failed to build query")
-				c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-				return
-			}
-
-			// We are using caddy/traefik so redirect
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
-			return
-		}
-
-		// Set the user header
-		c.Header("Remote-User", userContext.Username)
-
-		// The user is allowed to access the app
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "Authenticated",
-		})
-		return
-	}
-
-	// The user is not logged in
-	log.Debug().Msg("Unauthorized")
-
-	// Set www-authenticate header
-	c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-
-	if proxy.Proxy == "nginx" || !isBrowser {
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	queries, err := query.Values(types.LoginQuery{
-		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
-	})
-
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to build query")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
-
-	// Redirect to login
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", h.Config.AppURL, queries.Encode()))
-}
-
-func (h *Handlers) LoginHandler(c *gin.Context) {
-	// Create login struct
-	var login types.LoginRequest
-
-	// Bind JSON
-	err := c.BindJSON(&login)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind JSON")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	log.Debug().Msg("Got login request")
-
-	// Get user based on username
-	user := h.Auth.GetUser(login.Username)
-
-	// User does not exist
-	if user == nil {
-		log.Debug().Str("username", login.Username).Msg("User not found")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	log.Debug().Msg("Got user")
-
-	// Check if password is correct
-	if !h.Auth.CheckPassword(*user, login.Password) {
-		log.Debug().Str("username", login.Username).Msg("Password incorrect")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	log.Debug().Msg("Password correct, checking totp")
-
-	// Check if user has totp enabled
-	if user.TotpSecret != "" {
-		log.Debug().Msg("Totp enabled")
-
-		// Set totp pending cookie
-		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-			Username:    login.Username,
-			Provider:    "username",
-			TotpPending: true,
-		})
-
-		// Return totp required
-		c.JSON(200, gin.H{
-			"status":      200,
-			"message":     "Waiting for totp",
-			"totpPending": true,
-		})
-
-		// Stop further processing
-		return
-	}
-
-	// Create session cookie with username as provider
-	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: login.Username,
-		Provider: "username",
-	})
-
-	// Return logged in
-	c.JSON(200, gin.H{
-		"status":      200,
-		"message":     "Logged in",
-		"totpPending": false,
-	})
-}
-
-func (h *Handlers) TotpHandler(c *gin.Context) {
-	// Create totp struct
-	var totpReq types.TotpRequest
-
-	// Bind JSON
-	err := c.BindJSON(&totpReq)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind JSON")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	log.Debug().Msg("Checking totp")
-
-	// Get user context
-	userContext := h.Hooks.UseUserContext(c)
-
-	// Check if we have a user
-	if userContext.Username == "" {
-		log.Debug().Msg("No user context")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	// Get user
-	user := h.Auth.GetUser(userContext.Username)
-
-	// Check if user exists
-	if user == nil {
-		log.Debug().Msg("User not found")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	// Check if totp is correct
-	totpOk := totp.Validate(totpReq.Code, user.TotpSecret)
-
-	// TOTP is incorrect
-	if !totpOk {
-		log.Debug().Msg("Totp incorrect")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	log.Debug().Msg("Totp correct")
-
-	// Create session cookie with username as provider
-	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: user.Username,
-		Provider: "username",
-	})
-
-	// Return logged in
-	c.JSON(200, gin.H{
-		"status":  200,
-		"message": "Logged in",
-	})
-}
-
-func (h *Handlers) LogoutHandler(c *gin.Context) {
-	log.Debug().Msg("Logging out")
-
-	// Delete session cookie
-	h.Auth.DeleteSessionCookie(c)
-
-	log.Debug().Msg("Cleaning up redirect cookie")
-
-	// Clean up redirect cookie if it exists
-	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
-
-	// Return logged out
-	c.JSON(200, gin.H{
-		"status":  200,
-		"message": "Logged out",
-	})
-}
-
-func (h *Handlers) AppHandler(c *gin.Context) {
-	log.Debug().Msg("Getting app context")
-
-	// Get configured providers
-	configuredProviders := h.Providers.GetConfiguredProviders()
-
-	// We have username/password configured so add it to our providers
-	if h.Auth.UserAuthConfigured() {
-		configuredProviders = append(configuredProviders, "username")
-	}
-
-	// Create app context struct
-	appContext := types.AppContext{
-		Status:              200,
-		Message:             "OK",
-		ConfiguredProviders: configuredProviders,
-		DisableContinue:     h.Config.DisableContinue,
-		Title:               h.Config.Title,
-		GenericName:         h.Config.GenericName,
-	}
-
-	// Return app context
-	c.JSON(200, appContext)
-}
-
-func (h *Handlers) UserHandler(c *gin.Context) {
-	log.Debug().Msg("Getting user context")
-
-	// Get user context
-	userContext := h.Hooks.UseUserContext(c)
-
-	// Create user context response
-	userContextResponse := types.UserContextResponse{
-		Status:      200,
-		IsLoggedIn:  userContext.IsLoggedIn,
-		Username:    userContext.Username,
-		Provider:    userContext.Provider,
-		Oauth:       userContext.OAuth,
-		TotpPending: userContext.TotpPending,
-	}
-
-	// If we are not logged in we set the status to 401 and add the WWW-Authenticate header else we set it to 200
-	if !userContext.IsLoggedIn {
-		log.Debug().Msg("Unauthorized")
-		c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-		userContextResponse.Message = "Unauthorized"
-	} else {
-		log.Debug().Interface("userContext", userContext).Msg("Authenticated")
-		userContextResponse.Message = "Authenticated"
-	}
-
-	// Return user context
-	c.JSON(200, userContextResponse)
-}
-
-func (h *Handlers) OauthUrlHandler(c *gin.Context) {
-	// Create struct for OAuth request
-	var request types.OAuthRequest
-
-	// Bind URI
-	err := c.BindUri(&request)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind URI")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	log.Debug().Msg("Got OAuth request")
-
-	// Check if provider exists
-	provider := h.Providers.GetProvider(request.Provider)
-
-	// Provider does not exist
-	if provider == nil {
-		c.JSON(404, gin.H{
-			"status":  404,
-			"message": "Not Found",
-		})
-		return
-	}
-
-	log.Debug().Str("provider", request.Provider).Msg("Got provider")
-
-	// Get auth URL
-	authURL := provider.GetAuthURL()
-
-	log.Debug().Msg("Got auth URL")
-
-	// Get redirect URI
-	redirectURI := c.Query("redirect_uri")
-
-	// Set redirect cookie if redirect URI is provided
-	if redirectURI != "" {
-		log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
-		c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", h.Config.Domain, h.Config.CookieSecure, true)
-	}
-
-	// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
-	if request.Provider == "tailscale" {
-		// Build tailscale query
-		tailscaleQuery, err := query.Values(types.TailscaleQuery{
-			Code: (1000 + rand.IntN(9000)),
-		})
-
-		// Handle error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to build query")
-			c.JSON(500, gin.H{
-				"status":  500,
-				"message": "Internal Server Error",
-			})
-			return
-		}
-
-		// Return tailscale URL (immidiately redirects to the callback)
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "OK",
-			"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", h.Config.AppURL, tailscaleQuery.Encode()),
-		})
-		return
-	}
-
-	// Return auth URL
-	c.JSON(200, gin.H{
-		"status":  200,
-		"message": "OK",
-		"url":     authURL,
-	})
-}
-
-func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
-	// Create struct for OAuth request
-	var providerName types.OAuthRequest
-
-	// Bind URI
-	err := c.BindUri(&providerName)
-
-	// Handle error
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind URI")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
-
-	// Get code
-	code := c.Query("code")
-
-	// Code empty so redirect to error
-	if code == "" {
-		log.Error().Msg("No code provided")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	log.Debug().Msg("Got code")
-
-	// Get provider
-	provider := h.Providers.GetProvider(providerName.Provider)
-
-	log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
-
-	// Provider does not exist
-	if provider == nil {
-		c.Redirect(http.StatusPermanentRedirect, "/not-found")
-		return
-	}
-
-	// Exchange token (authenticates user)
-	_, err = provider.ExchangeToken(code)
-
-	log.Debug().Msg("Got token")
-
-	// Handle error
-	if err != nil {
-		log.Error().Msg("Failed to exchange token")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	// Get email
-	email, err := h.Providers.GetUser(providerName.Provider)
-
-	log.Debug().Str("email", email).Msg("Got email")
-
-	// Handle error
-	if err != nil {
-		log.Error().Msg("Failed to get email")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	// Email is not whitelisted
-	if !h.Auth.EmailWhitelisted(email) {
-		log.Warn().Str("email", email).Msg("Email not whitelisted")
-
-		// Build query
-		unauthorizedQuery, err := query.Values(types.UnauthorizedQuery{
-			Username: email,
-		})
-
-		// Handle error
-		if err != nil {
-			log.Error().Msg("Failed to build query")
-			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-			return
-		}
-
-		// Redirect to unauthorized
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, unauthorizedQuery.Encode()))
-	}
-
-	log.Debug().Msg("Email whitelisted")
-
-	// Create session cookie
-	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: email,
-		Provider: providerName.Provider,
-	})
-
-	// Get redirect URI
-	redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
-
-	// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
-	if redirectURIErr != nil {
-		c.Redirect(http.StatusPermanentRedirect, h.Config.AppURL)
-	}
-
-	log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
-
-	// Clean up redirect cookie since we already have the value
-	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
-
-	// Build query
-	redirectQuery, err := query.Values(types.LoginQuery{
-		RedirectURI: redirectURI,
-	})
-
-	log.Debug().Msg("Got redirect query")
-
-	// Handle error
-	if err != nil {
-		log.Error().Msg("Failed to build query")
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-		return
-	}
-
-	// Redirect to continue with the redirect URI
-	c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, redirectQuery.Encode()))
-}
-
-func (h *Handlers) HealthcheckHandler(c *gin.Context) {
-	c.JSON(200, gin.H{
-		"status":  200,
-		"message": "OK",
-	})
-}
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -55,7 +55,6 @@ type Config struct {
 	SessionExpiry             int    `mapstructure:"session-expiry"`
 	LogLevel                  int8   `mapstructure:"log-level" validate:"min=-1,max=5"`
 	Title                     string `mapstructure:"app-title"`
-	EnvFile                   string `mapstructure:"env-file"`
 }

 // UserContext is the context for the user
@@ -69,12 +68,15 @@ type UserContext struct {

 // APIConfig is the configuration for the API
 type APIConfig struct {
-	Port          int
-	Address       string
-	Secret        string
-	CookieSecure  bool
-	SessionExpiry int
-	Domain        string
+	Port            int
+	Address         string
+	Secret          string
+	AppURL          string
+	CookieSecure    bool
+	SessionExpiry   int
+	DisableContinue bool
+	GenericName     string
+	Title           string
 }

 // OAuthConfig is the configuration for the providers
@@ -136,38 +138,22 @@ type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }

-// User Context response is the response for the user context endpoint
-type UserContextResponse struct {
-	Status      int    `json:"status"`
-	Message     string `json:"message"`
-	IsLoggedIn  bool   `json:"isLoggedIn"`
-	Username    string `json:"username"`
-	Provider    string `json:"provider"`
-	Oauth       bool   `json:"oauth"`
-	TotpPending bool   `json:"totpPending"`
-}
-
-// App Context is the response for the app context endpoint
-type AppContext struct {
+// Status response
+type Status struct {
 	Status              int      `json:"status"`
 	Message             string   `json:"message"`
+	IsLoggedIn          bool     `json:"isLoggedIn"`
+	Username            string   `json:"username"`
+	Provider            string   `json:"provider"`
+	Oauth               bool     `json:"oauth"`
 	ConfiguredProviders []string `json:"configuredProviders"`
 	DisableContinue     bool     `json:"disableContinue"`
 	Title               string   `json:"title"`
 	GenericName         string   `json:"genericName"`
+	TotpPending         bool     `json:"totpPending"`
 }

-// Totp request is the request for the totp endpoint
-type TotpRequest struct {
+// Totp request
+type Totp struct {
 	Code string `json:"code"`
 }
-
-// Server configuration
-type HandlersConfig struct {
-	AppURL          string
-	Domain          string
-	CookieSecure    bool
-	DisableContinue bool
-	GenericName     string
-	Title           string
-}
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -46,14 +46,14 @@ func ParseUsers(users string) (types.Users, error) {
 	return usersParsed, nil
 }

-// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetUpperDomain(urlSrc string) (string, error) {
+// Root url parses parses a hostname and returns the root domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+func GetRootURL(urlSrc string) (string, error) {
 	// Make sure the url is valid
-	urlParsed, err := url.Parse(urlSrc)
+	urlParsed, parseErr := url.Parse(urlSrc)

 	// Check if there was an error
-	if err != nil {
-		return "", err
+	if parseErr != nil {
+		return "", parseErr
 	}

 	// Split the hostname by period
--- a/internal/utils/utils_test.go
+++ b/internal/utils/utils_test.go
@@ -38,15 +38,15 @@ func TestParseUsers(t *testing.T) {
 	}
 }

-// Test the get upper domain function
-func TestGetUpperDomain(t *testing.T) {
-	t.Log("Testing get upper domain with a valid url")
+// Test the get root url function
+func TestGetRootURL(t *testing.T) {
+	t.Log("Testing get root url with a valid url")

-	// Test the get upper domain function with a valid url
+	// Test the get root url function with a valid url
 	url := "https://sub1.sub2.domain.com:8080"
 	expected := "sub2.domain.com"

-	result, err := utils.GetUpperDomain(url)
+	result, err := utils.GetRootURL(url)

 	// Check if there was an error
 	if err != nil {
--- a/site/Dockerfile.dev
+++ b/site/Dockerfile.dev
@@ -1,23 +0,0 @@
-FROM oven/bun:1.1.45-alpine
-
-WORKDIR /site
-
-COPY ./site/package.json ./
-COPY ./site/bun.lockb ./
-
-RUN bun install
-
-COPY ./site/public ./public
-COPY ./site/src ./src
-
-COPY ./site/eslint.config.js ./
-COPY ./site/index.html ./
-COPY ./site/tsconfig.json ./
-COPY ./site/tsconfig.app.json ./
-COPY ./site/tsconfig.node.json ./
-COPY ./site/vite.config.ts ./
-COPY ./site/postcss.config.cjs ./
-
-EXPOSE 5173
-
-ENTRYPOINT ["bun", "run", "dev"]
--- a/site/src/context/app-context.tsx
+++ b/site/src/context/app-context.tsx
@@ -1,42 +0,0 @@
-import { useQuery } from "@tanstack/react-query";
-import React, { createContext, useContext } from "react";
-import axios from "axios";
-import { AppContextSchemaType } from "../schemas/app-context-schema";
-
-const AppContext = createContext<AppContextSchemaType | null>(null);
-
-export const AppContextProvider = ({
-  children,
-}: {
-  children: React.ReactNode;
-}) => {
-  const {
-    data: userContext,
-    isLoading,
-    error,
-  } = useQuery({
-    queryKey: ["appContext"],
-    queryFn: async () => {
-      const res = await axios.get("/api/app");
-      return res.data;
-    },
-  });
-
-  if (error && !isLoading) {
-    throw error;
-  }
-
-  return (
-    <AppContext.Provider value={userContext}>{children}</AppContext.Provider>
-  );
-};
-
-export const useAppContext = () => {
-  const context = useContext(AppContext);
-
-  if (context === null) {
-    throw new Error("useAppContext must be used within an AppContextProvider");
-  }
-
-  return context;
-};
--- a/site/src/context/user-context.tsx
+++ b/site/src/context/user-context.tsx
@@ -17,7 +17,7 @@ export const UserContextProvider = ({
  } = useQuery({
    queryKey: ["userContext"],
    queryFn: async () => {
-      const res = await axios.get("/api/user");
+      const res = await axios.get("/api/status");
      return res.data;
    },
  });
--- a/site/src/main.tsx
+++ b/site/src/main.tsx
@@ -16,7 +16,6 @@ import { NotFoundPage } from "./pages/not-found-page.tsx";
 import { UnauthorizedPage } from "./pages/unauthorized-page.tsx";
 import { InternalServerError } from "./pages/internal-server-error.tsx";
 import { TotpPage } from "./pages/totp-page.tsx";
-import { AppContextProvider } from "./context/app-context.tsx";

 const queryClient = new QueryClient({
  defaultOptions: {
@@ -31,22 +30,20 @@ createRoot(document.getElementById("root")!).render(
    <MantineProvider forceColorScheme="dark">
      <QueryClientProvider client={queryClient}>
        <Notifications />
-        <AppContextProvider>
-          <UserContextProvider>
-            <BrowserRouter>
-              <Routes>
-                <Route path="/" element={<App />} />
-                <Route path="/login" element={<LoginPage />} />
-                <Route path="/totp" element={<TotpPage />} />
-                <Route path="/logout" element={<LogoutPage />} />
-                <Route path="/continue" element={<ContinuePage />} />
-                <Route path="/unauthorized" element={<UnauthorizedPage />} />
-                <Route path="/error" element={<InternalServerError />} />
-                <Route path="*" element={<NotFoundPage />} />
-              </Routes>
-            </BrowserRouter>
-          </UserContextProvider>
-        </AppContextProvider>
+        <UserContextProvider>
+          <BrowserRouter>
+            <Routes>
+              <Route path="/" element={<App />} />
+              <Route path="/login" element={<LoginPage />} />
+              <Route path="/totp" element={<TotpPage />} />
+              <Route path="/logout" element={<LogoutPage />} />
+              <Route path="/continue" element={<ContinuePage />} />
+              <Route path="/unauthorized" element={<UnauthorizedPage />} />
+              <Route path="/error" element={<InternalServerError />} />
+              <Route path="*" element={<NotFoundPage />} />
+            </Routes>
+          </BrowserRouter>
+        </UserContextProvider>
      </QueryClientProvider>
    </MantineProvider>
  </StrictMode>,
--- a/site/src/pages/continue-page.tsx
+++ b/site/src/pages/continue-page.tsx
@@ -5,15 +5,13 @@ import { useUserContext } from "../context/user-context";
 import { Layout } from "../components/layouts/layout";
 import { ReactNode } from "react";
 import { isQueryValid } from "../utils/utils";
-import { useAppContext } from "../context/app-context";

 export const ContinuePage = () => {
  const queryString = window.location.search;
  const params = new URLSearchParams(queryString);
  const redirectUri = params.get("redirect_uri") ?? "";

-  const { isLoggedIn } = useUserContext();
-  const { disableContinue } = useAppContext();
+  const { isLoggedIn, disableContinue } = useUserContext();

  if (!isLoggedIn) {
    return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
--- a/site/src/pages/login-page.tsx
+++ b/site/src/pages/login-page.tsx
@@ -9,15 +9,14 @@ import { OAuthButtons } from "../components/auth/oauth-buttons";
 import { LoginFormValues } from "../schemas/login-schema";
 import { LoginForm } from "../components/auth/login-forn";
 import { isQueryValid } from "../utils/utils";
-import { useAppContext } from "../context/app-context";

 export const LoginPage = () => {
  const queryString = window.location.search;
  const params = new URLSearchParams(queryString);
  const redirectUri = params.get("redirect_uri") ?? "";

-  const { isLoggedIn } = useUserContext();
-  const { configuredProviders, title, genericName } = useAppContext();
+  const { isLoggedIn, configuredProviders, title, genericName } =
+    useUserContext();

  const oauthProviders = configuredProviders.filter(
    (value) => value !== "username",
--- a/site/src/pages/logout-page.tsx
+++ b/site/src/pages/logout-page.tsx
@@ -6,11 +6,9 @@ import { useUserContext } from "../context/user-context";
 import { Navigate } from "react-router";
 import { Layout } from "../components/layouts/layout";
 import { capitalize } from "../utils/utils";
-import { useAppContext } from "../context/app-context";

 export const LogoutPage = () => {
-  const { isLoggedIn, username, oauth, provider } = useUserContext();
-  const { genericName } = useAppContext();
+  const { isLoggedIn, username, oauth, provider, genericName } = useUserContext();

  if (!isLoggedIn) {
    return <Navigate to="/login" />;
@@ -47,9 +45,8 @@ export const LogoutPage = () => {
        </Text>
        <Text>
          You are currently logged in as <Code>{username}</Code>
-          {oauth &&
-            ` using ${capitalize(provider === "generic" ? genericName : provider)} OAuth`}
-          . Click the button below to log out.
+          {oauth && ` using ${capitalize(provider === "generic" ? genericName : provider)} OAuth`}. Click the button
+          below to log out.
        </Text>
        <Button
          fullWidth
--- a/site/src/pages/totp-page.tsx
+++ b/site/src/pages/totp-page.tsx
@@ -6,15 +6,13 @@ import { TotpForm } from "../components/auth/totp-form";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { notifications } from "@mantine/notifications";
-import { useAppContext } from "../context/app-context";

 export const TotpPage = () => {
  const queryString = window.location.search;
  const params = new URLSearchParams(queryString);
  const redirectUri = params.get("redirect_uri") ?? "";

-  const { totpPending, isLoggedIn } = useUserContext();
-  const { title } = useAppContext();
+  const { totpPending, isLoggedIn, title } = useUserContext();

  if (isLoggedIn) {
    return <Navigate to={`/logout`} />;
--- a/site/src/schemas/app-context-schema.ts
+++ b/site/src/schemas/app-context-schema.ts
@@ -1,10 +0,0 @@
-import { z } from "zod";
-
-export const appContextSchema = z.object({
-  configuredProviders: z.array(z.string()),
-  disableContinue: z.boolean(),
-  title: z.string(),
-  genericName: z.string(),
-});
-
-export type AppContextSchemaType = z.infer<typeof appContextSchema>;
--- a/site/src/schemas/user-context-schema.ts
+++ b/site/src/schemas/user-context-schema.ts
@@ -5,6 +5,10 @@ export const userContextSchema = z.object({
  username: z.string(),
  oauth: z.boolean(),
  provider: z.string(),
+  configuredProviders: z.array(z.string()),
+  disableContinue: z.boolean(),
+  title: z.string(),
+  genericName: z.string(),
  totpPending: z.boolean(),
 });

--- a/site/vite.config.ts
+++ b/site/vite.config.ts
@@ -4,14 +4,4 @@ import react from "@vitejs/plugin-react-swc";
 // https://vite.dev/config/
 export default defineConfig({
  plugins: [react()],
-  server: {
-    host: "0.0.0.0",
-    proxy: {
-      "/api": {
-        target: "http://tinyauth-backend:3000/api",
-        changeOrigin: true,
-        rewrite: (path) => path.replace(/^\/api/, ""),
-      },
-    }
-  }
 });
Author	SHA1	Message	Date
Stavros	ad46624bff	fix: fix cli not exiting on invalid input	2025-03-09 18:38:39 +02:00
Stavros	f1c33d90cd	refactor: skip all checks when disable continue is enabled	2025-03-09 18:31:11 +02:00
Stavros	10877e6f41	refactor: make totp pending expiry time fixed	2025-03-09 18:20:54 +02:00
Stavros	bd7a140676	feat: add totp logic and ui	2025-03-06 19:22:12 +02:00
Stavros	61f4848f20	refactor: split login screen and forms	2025-03-06 17:30:35 +02:00
Stavros	9f5f4adddb	feat: finalize totp gen code	2025-03-06 16:41:57 +02:00
Stavros	746ce016cb	wip	2025-03-04 17:51:47 +02:00