fix: review comments

feat: forward sub from oidc providers
feat: refresh session cookie when session is active (#540 )
2025-12-27 18:42:30 +00:00 · 2025-12-26 18:55:08 +02:00 · 2025-12-26 18:28:53 +02:00 · 2025-12-26 17:55:54 +02:00 · 2025-12-26 17:53:24 +02:00
14 changed files with 67 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -33,4 +33,7 @@

 # binary out
 /tinyauth.db
-/resources
+/resources
+
+# debug files
+__debug_*
--- a/internal/assets/migrations/000003_oauth_sub.down.sql
+++ b/internal/assets/migrations/000003_oauth_sub.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "sessions" DROP COLUMN "oauth_sub";
--- a/internal/assets/migrations/000003_oauth_sub.up.sql
+++ b/internal/assets/migrations/000003_oauth_sub.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -79,6 +79,7 @@ const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config

 type Claims struct {
+	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
@@ -125,6 +126,7 @@ type SessionCookie struct {
 	TotpPending bool
 	OAuthGroups string
 	OAuthName   string
+	OAuthSub    string
 }

 type UserContext struct {
@@ -138,6 +140,7 @@ type UserContext struct {
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
+	OAuthSub    string
 }

 // API responses and queries
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -21,6 +21,7 @@ type UserContextResponse struct {
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
+	OAuthSub    string `json:"oauthSub"`
 }

 type AppContextResponse struct {
@@ -89,6 +90,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
+		OAuthSub:    context.OAuthSub,
 	}

 	if err != nil {
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -44,6 +44,7 @@ var userContext = config.UserContext{
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
+	OAuthSub:    "",
 }

 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -197,6 +197,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
+		OAuthSub:    user.Sub,
 	}

 	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -43,7 +43,8 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a

 func (controller *ProxyController) SetupRoutes() {
 	proxyGroup := controller.router.Group("/auth")
-	proxyGroup.Any("/:proxy", controller.proxyHandler)
+	proxyGroup.GET("/:proxy", controller.proxyHandler)
+	proxyGroup.POST("/:proxy", controller.proxyHandler)
 }

 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -68,15 +69,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
-		log.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
-		c.JSON(405, gin.H{
-			"status":  405,
-			"message": "Method Not Allowed",
-		})
-		return
-	}
-
 	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")

 	if isBrowser {
@@ -247,6 +239,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))

 		controller.setHeaders(c, acls)

--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -81,13 +81,6 @@ func TestProxyHandler(t *testing.T) {

 	assert.Equal(t, 400, recorder.Code)

-	// Test invalid method
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 405, recorder.Code)
-
 	// Test logged out user (traefik/caddy)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -66,6 +66,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				goto basic
 			}

+			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
 				Name:       cookie.Name,
@@ -90,6 +91,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				goto basic
 			}

+			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:    cookie.Username,
 				Name:        cookie.Name,
@@ -97,6 +99,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
 				OAuthName:   cookie.OAuthName,
+				OAuthSub:    cookie.OAuthSub,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})
--- a/internal/model/session_model.go
+++ b/internal/model/session_model.go
@@ -10,4 +10,5 @@ type Session struct {
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
 	OAuthName   string `gorm:"column:oauth_name"`
+	OAuthSub    string `gorm:"column:oauth_sub"`
 }
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -1,7 +1,6 @@
 package service

 import (
-	"context"
 	"errors"
 	"fmt"
 	"regexp"
@@ -44,7 +43,6 @@ type AuthService struct {
 	loginMutex    sync.RWMutex
 	ldap          *LdapService
 	database      *gorm.DB
-	ctx           context.Context
 }

 func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, database *gorm.DB) *AuthService {
@@ -58,7 +56,6 @@ func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapS
 }

 func (auth *AuthService) Init() error {
-	auth.ctx = context.Background()
 	return nil
 }

@@ -216,9 +213,10 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
 		OAuthName:   data.OAuthName,
+		OAuthSub:    data.OAuthSub,
 	}

-	err = gorm.G[model.Session](auth.database).Create(auth.ctx, &session)
+	err = gorm.G[model.Session](auth.database).Create(c, &session)

 	if err != nil {
 		return err
@@ -229,6 +227,40 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 	return nil
 }

+func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
+	cookie, err := c.Cookie(auth.config.SessionCookieName)
+
+	if err != nil {
+		return err
+	}
+
+	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(c)
+
+	if err != nil {
+		return err
+	}
+
+	currentTime := time.Now().Unix()
+
+	if session.Expiry-currentTime > int64(time.Hour.Seconds()) {
+		return nil
+	}
+
+	newExpiry := currentTime + int64(time.Hour.Seconds())
+
+	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Updates(c, model.Session{
+		Expiry: newExpiry,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	c.SetCookie(auth.config.SessionCookieName, cookie, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+
+	return nil
+}
+
 func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 	cookie, err := c.Cookie(auth.config.SessionCookieName)

@@ -236,7 +268,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return err
 	}

-	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(auth.ctx)
+	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(c)

 	if err != nil {
 		return err
@@ -254,7 +286,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		return config.SessionCookie{}, err
 	}

-	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(auth.ctx)
+	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(c)

 	if err != nil {
 		return config.SessionCookie{}, err
@@ -267,7 +299,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 	currentTime := time.Now().Unix()

 	if currentTime > session.Expiry {
-		_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(auth.ctx)
+		_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(c)
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to delete expired session")
 		}
@@ -283,6 +315,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
 		OAuthName:   session.OAuthName,
+		OAuthSub:    session.OAuthSub,
 	}, nil
 }

--- a/internal/service/github_oauth_service.go
+++ b/internal/service/github_oauth_service.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"
 	"time"

 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -27,6 +28,7 @@ type GithubEmailResponse []struct {
 type GithubUserInfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
+	ID    int    `json:"id"`
 }

 type GithubOAuthService struct {
@@ -172,6 +174,7 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {

 	user.PreferredUsername = userInfo.Login
 	user.Name = userInfo.Name
+	user.Sub = strconv.Itoa(userInfo.ID)

 	return user, nil
 }
--- a/internal/service/google_oauth_service.go
+++ b/internal/service/google_oauth_service.go
@@ -17,12 +17,7 @@ import (
 	"golang.org/x/oauth2/endpoints"
 )

-var GoogleOAuthScopes = []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
-
-type GoogleUserInfoResponse struct {
-	Email string `json:"email"`
-	Name  string `json:"name"`
-}
+var GoogleOAuthScopes = []string{"openid", "email", "profile"}

 type GoogleOAuthService struct {
 	config   oauth2.Config
@@ -91,7 +86,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {

 	client := google.config.Client(google.context, google.token)

-	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
+	res, err := client.Get("https://openidconnect.googleapis.com/v1/userinfo")
 	if err != nil {
 		return config.Claims{}, err
 	}
@@ -106,16 +101,12 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 		return config.Claims{}, err
 	}

-	var userInfo GoogleUserInfoResponse
-
-	err = json.Unmarshal(body, &userInfo)
+	err = json.Unmarshal(body, &user)
 	if err != nil {
 		return config.Claims{}, err
 	}

-	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
-	user.Name = userInfo.Name
-	user.Email = userInfo.Email
+	user.PreferredUsername = strings.SplitN(user.Email, "@", 2)[0]

 	return user, nil
 }
Author	SHA1	Message	Date
Stavros	80121f2a36	fix: review comments	2025-12-26 18:55:08 +02:00
Stavros	eef674a4e6	feat: forward sub from oidc providers	2025-12-26 18:28:53 +02:00
Stavros	2d8af0510e	feat: refresh session cookie when session is active (#540 ) * feat: refresh session cookie when session is active * refactor: use current time to set new expiry	2025-12-26 17:55:54 +02:00
Stavros	a1c3e416b6	refactor: use proper module name (#542 ) * chore: reorganize go mod * refactor: use proper module name	2025-12-26 17:53:24 +02:00
				`@@ -0,0 +1 @@`
				`ALTER TABLE "sessions" DROP COLUMN "oauth_sub";`
				`@@ -0,0 +1 @@`
				`ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;`