chore(deps): bump golang.org/x/oauth2 in the minor-patch group

Bumps the minor-patch group with 1 update: [golang.org/x/oauth2](https://github.com/golang/oauth2).


Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](https://github.com/golang/oauth2/compare/v0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

docker-compose.dev.yml

@@ -1,5 +1,6 @@
 services:
   traefik:
+    container_name: traefik
     image: traefik:v3.6
     command: --api.insecure=true --providers.docker
     ports:
@@ -8,6 +9,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 
   whoami:
+    container_name: whoami
     image: traefik/whoami:latest
     labels:
       traefik.enable: true
@@ -15,6 +17,7 @@ services:
       traefik.http.routers.whoami.middlewares: tinyauth
 
   tinyauth-frontend:
+    container_name: tinyauth-frontend
     build:
       context: .
       dockerfile: frontend/Dockerfile.dev
@@ -27,6 +30,7 @@ services:
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
 
   tinyauth-backend:
+    container_name: tinyauth-backend
     build:
       context: .
       dockerfile: Dockerfile.dev

docker-compose.example.yml

@@ -1,5 +1,6 @@
 services:
   traefik:
+    container_name: traefik
     image: traefik:v3.6
     command: --api.insecure=true --providers.docker
     ports:
@@ -8,6 +9,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 
   whoami:
+    container_name: whoami
     image: traefik/whoami:latest
     labels:
       traefik.enable: true
@@ -15,7 +17,8 @@ services:
       traefik.http.routers.whoami.middlewares: tinyauth
 
   tinyauth:
-    image: ghcr.io/steveiliop56/tinyauth:v5
+    container_name: tinyauth
+    image: ghcr.io/steveiliop56/tinyauth:v3
     environment:
       - TINYAUTH_APPURL=https://tinyauth.example.com
       - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	golang.org/x/oauth2 v0.35.0
+	golang.org/x/oauth2 v0.36.0
 	gotest.tools/v3 v3.5.2
 	modernc.org/sqlite v1.46.1
 )

go.sum

@@ -322,8 +322,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
 golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=

internal/controller/context_controller_test.go

@@ -2,77 +2,77 @@ package controller_test
 
 import (
 	"encoding/json"
-	"io"
-	"net/http"
+	"net/http/httptest"
 	"testing"
 
-	"github.com/gin-gonic/gin"
+	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
+
+	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
 
-func TestUserContextController(t *testing.T) {
-	// Controller setup
-	suite := NewControllerTest(func(router *gin.RouterGroup) *controller.ContextController {
-		ctrl := controller.NewContextController(contextControllerCfg, router)
-		ctrl.SetupRoutes()
-		return ctrl
-	})
-
-	// Test user context
-	req, err := http.NewRequest("GET", "/api/context/user", nil)
-	assert.NilError(t, err)
-
-	ctx := testContext
-	ctx.IsLoggedIn = true
-	ctx.Provider = "local"
-
-	expected, err := json.Marshal(controller.UserContextResponse{
-		Status:      200,
-		Message:     "Success",
-		IsLoggedIn:  ctx.IsLoggedIn,
-		Username:    ctx.Username,
-		Name:        ctx.Name,
-		Email:       ctx.Email,
-		Provider:    ctx.Provider,
-		OAuth:       ctx.OAuth,
-		TotpPending: ctx.TotpPending,
-		OAuthName:   ctx.OAuthName,
-	})
-	assert.NilError(t, err)
-
-	resp := suite.RequestWithMiddleware(req, []gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &ctx)
+var contextControllerCfg = controller.ContextControllerConfig{
+	Providers: []controller.Provider{
+		{
+			Name:  "Local",
+			ID:    "local",
+			OAuth: false,
 		},
-	})
+		{
+			Name:  "Google",
+			ID:    "google",
+			OAuth: true,
+		},
+	},
+	Title:                 "Test App",
+	AppURL:                "http://localhost:8080",
+	CookieDomain:          "localhost",
+	ForgotPasswordMessage: "Contact admin to reset your password.",
+	BackgroundImage:       "/assets/bg.jpg",
+	OAuthAutoRedirect:     "google",
+	WarningsEnabled:       true,
+}
 
-	assert.Equal(t, http.StatusOK, resp.Code)
-	bytes, err := io.ReadAll(resp.Body)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, bytes)
+var contextCtrlTestContext = config.UserContext{
+	Username:    "testuser",
+	Name:        "testuser",
+	Email:       "test@example.com",
+	IsLoggedIn:  true,
+	IsBasicAuth: false,
+	OAuth:       false,
+	Provider:    "local",
+	TotpPending: false,
+	OAuthGroups: "",
+	TotpEnabled: false,
+	OAuthSub:    "",
+}
 
-	// Ensure user context is not available when not logged in
-	req, err = http.NewRequest("GET", "/api/context/user", nil)
-	assert.NilError(t, err)
+func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
+	tlog.NewSimpleLogger().Init()
 
-	expected, err = json.Marshal(controller.UserContextResponse{
-		Status:  http.StatusUnauthorized,
-		Message: "Unauthorized",
-	})
-	assert.NilError(t, err)
+	// Setup
+	gin.SetMode(gin.TestMode)
+	router := gin.Default()
+	recorder := httptest.NewRecorder()
 
-	resp = suite.RequestWithMiddleware(req, nil)
-	assert.Equal(t, 200, resp.Code)
-	bytes, err = io.ReadAll(resp.Body)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, bytes)
+	if middlewares != nil {
+		for _, m := range *middlewares {
+			router.Use(m)
+		}
+	}
 
-	// Test app context
-	req, err = http.NewRequest("GET", "/api/context/app", nil)
-	assert.NilError(t, err)
+	group := router.Group("/api")
 
-	expected, err = json.Marshal(controller.AppContextResponse{
+	ctrl := controller.NewContextController(contextControllerCfg, group)
+	ctrl.SetupRoutes()
+
+	return router, recorder
+}
+
+func TestAppContextHandler(t *testing.T) {
+	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
 		Providers:             contextControllerCfg.Providers,
@@ -83,13 +83,71 @@ func TestUserContextController(t *testing.T) {
 		BackgroundImage:       contextControllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
 		WarningsEnabled:       contextControllerCfg.WarningsEnabled,
-	})
-	assert.NilError(t, err)
+	}
 
-	resp = suite.RequestWithMiddleware(req, nil)
+	router, recorder := setupContextController(nil)
+	req := httptest.NewRequest("GET", "/api/context/app", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	var ctrlRes controller.AppContextResponse
+
+	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
 
-	assert.Equal(t, http.StatusOK, resp.Code)
-	bytes, err = io.ReadAll(resp.Body)
 	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, bytes)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
+}
+
+func TestUserContextHandler(t *testing.T) {
+	expectedRes := controller.UserContextResponse{
+		Status:      200,
+		Message:     "Success",
+		IsLoggedIn:  contextCtrlTestContext.IsLoggedIn,
+		Username:    contextCtrlTestContext.Username,
+		Name:        contextCtrlTestContext.Name,
+		Email:       contextCtrlTestContext.Email,
+		Provider:    contextCtrlTestContext.Provider,
+		OAuth:       contextCtrlTestContext.OAuth,
+		TotpPending: contextCtrlTestContext.TotpPending,
+		OAuthName:   contextCtrlTestContext.OAuthName,
+	}
+
+	// Test with context
+	router, recorder := setupContextController(&[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &contextCtrlTestContext)
+			c.Next()
+		},
+	})
+
+	req := httptest.NewRequest("GET", "/api/context/user", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	var ctrlRes controller.UserContextResponse
+
+	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
+
+	// Test no context
+	expectedRes = controller.UserContextResponse{
+		Status:     401,
+		Message:    "Unauthorized",
+		IsLoggedIn: false,
+	}
+
+	router, recorder = setupContextController(nil)
+	req = httptest.NewRequest("GET", "/api/context/user", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 200, recorder.Code)
+
+	err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expectedRes, ctrlRes)
 }

internal/controller/controller_test.go

@@ -1,89 +0,0 @@
-package controller_test
-
-import (
-	"net/http"
-	"net/http/httptest"
-
-	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/steveiliop56/tinyauth/internal/controller"
-)
-
-// Testing suite
-
-type ControllerTest[T any] struct {
-	ctrlSetup func(router *gin.RouterGroup) T
-}
-
-func NewControllerTest[T any](setup func(router *gin.RouterGroup) T) *ControllerTest[T] {
-	return &ControllerTest[T]{ctrlSetup: setup}
-}
-
-func (ctrlt *ControllerTest[T]) newEngine(middlewares []gin.HandlerFunc) *gin.Engine {
-	gin.SetMode(gin.TestMode)
-
-	engine := gin.New()
-
-	for _, mw := range middlewares {
-		engine.Use(mw)
-	}
-
-	return engine
-}
-
-func (ctrlrt *ControllerTest[T]) newControllerInstance(engine *gin.Engine) T {
-	ctrl := ctrlrt.ctrlSetup(engine.Group("/api"))
-	return ctrl
-}
-
-func (ctrlt *ControllerTest[T]) RequestWithMiddleware(http *http.Request, middlewares []gin.HandlerFunc) *httptest.ResponseRecorder {
-	engine := ctrlt.newEngine(middlewares)
-	ctrlt.newControllerInstance(engine)
-	recorder := httptest.NewRecorder()
-	engine.ServeHTTP(recorder, http)
-	return recorder
-}
-
-func (ctrlt *ControllerTest[T]) Request(http *http.Request) *httptest.ResponseRecorder {
-	return ctrlt.RequestWithMiddleware(http, nil)
-}
-
-// Controller configs
-
-var contextControllerCfg = controller.ContextControllerConfig{
-	Providers: []controller.Provider{
-		{
-			Name:  "Local",
-			ID:    "local",
-			OAuth: false,
-		},
-		{
-			Name:  "Google",
-			ID:    "google",
-			OAuth: true,
-		},
-	},
-	Title:                 "Tinyauth Testing",
-	AppURL:                "http://tinyauth.example.com:3000",
-	CookieDomain:          "example.com",
-	ForgotPasswordMessage: "Foo bar",
-	BackgroundImage:       "/background.jpg",
-	OAuthAutoRedirect:     "google",
-	WarningsEnabled:       true,
-}
-
-var testContext = config.UserContext{
-	Username:    "user",
-	Name:        "User",
-	Email:       "user@example.com",
-	IsLoggedIn:  false,
-	IsBasicAuth: false,
-	OAuth:       false,
-	Provider:    "",
-	TotpPending: false,
-	OAuthGroups: "group1,group2",
-	TotpEnabled: false,
-	OAuthName:   "test",
-	OAuthSub:    "test",
-	LdapGroups:  "group1,group2",
-}

internal/controller/health_controller.go

@@ -19,7 +19,7 @@ func (controller *HealthController) SetupRoutes() {
 
 func (controller *HealthController) healthHandler(c *gin.Context) {
 	c.JSON(200, gin.H{
-		"status":  200,
+		"status":  "ok",
 		"message": "Healthy",
 	})
 }

internal/controller/health_controller_test.go

@@ -1,49 +0,0 @@
-package controller_test
-
-import (
-	"encoding/json"
-	"io"
-	"net/http"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/tinyauth/internal/controller"
-	"gotest.tools/v3/assert"
-)
-
-func TestHealthController(t *testing.T) {
-	// Controller setup
-	suite := NewControllerTest(func(router *gin.RouterGroup) *controller.HealthController {
-		ctrl := controller.NewHealthController(router)
-		ctrl.SetupRoutes()
-		return ctrl
-	})
-
-	expected, err := json.Marshal(map[string]any{
-		"status":  200,
-		"message": "Healthy",
-	})
-	assert.NilError(t, err)
-
-	// Test we are healthy with GET
-	req, err := http.NewRequest("GET", "/api/healthz", nil)
-	assert.NilError(t, err)
-
-	resp := suite.Request(req)
-
-	assert.Equal(t, http.StatusOK, resp.Code)
-	bytes, err := io.ReadAll(resp.Body)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, bytes, expected)
-
-	// Test we are healthy with HEAD
-	req, err = http.NewRequest("HEAD", "/api/healthz", nil)
-	assert.NilError(t, err)
-
-	resp = suite.Request(req)
-
-	assert.Equal(t, http.StatusOK, resp.Code)
-	bytes, err = io.ReadAll(resp.Body)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, bytes)
-}

internal/controller/oidc_controller.go

@@ -115,11 +115,6 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
 
-	if !userContext.IsLoggedIn {
-		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
-		return
-	}
-
 	var req service.AuthorizeRequest
 
 	err = c.BindJSON(&req)
@@ -270,7 +265,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	switch req.GrantType {
 	case "authorization_code":
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
+		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
 		if err != nil {
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
@@ -286,13 +281,6 @@ func (controller *OIDCController) Token(c *gin.Context) {
 				})
 				return
 			}
-			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Warn().Msg("Invalid client ID")
-				c.JSON(400, gin.H{
-					"error": "invalid_client",
-				})
-				return
-			}
 			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",

internal/controller/proxy_controller.go

@@ -90,21 +90,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
 	}
 
-	uri, ok := controller.requireHeader(c, "x-forwarded-uri")
-
-	if !ok {
-		return
-	}
-
-	host, ok := controller.requireHeader(c, "x-forwarded-host")
-	if !ok {
-		return
-	}
-
-	proto, ok := controller.requireHeader(c, "x-forwarded-proto")
-	if !ok {
-		return
-	}
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	proto := c.Request.Header.Get("X-Forwarded-Proto")
+	host := c.Request.Header.Get("X-Forwarded-Host")
 
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(host)
@@ -185,6 +173,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
+	if userContext.IsBasicAuth && userContext.TotpEnabled {
+		tlog.App.Debug().Msg("User has TOTP enabled, denying basic auth access")
+		userContext.IsLoggedIn = false
+	}
+
 	if userContext.IsLoggedIn {
 		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
 
@@ -332,16 +325,3 @@ func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrow
 
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 }
-
-func (controller *ProxyController) requireHeader(c *gin.Context, header string) (string, bool) {
-	val := c.Request.Header.Get(header)
-	if strings.TrimSpace(val) == "" {
-		tlog.App.Error().Str("header", header).Msg("Header not found")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return "", false
-	}
-	return val, true
-}

internal/controller/proxy_controller_test.go

@@ -59,11 +59,6 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 				Username: "testuser",
 				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
 			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.",
-				TotpSecret: "foo",
-			},
 		},
 		OauthWhitelist:     []string{},
 		SessionExpiry:      3600,
@@ -84,11 +79,9 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	return router, recorder, authService
 }
 
-// TODO: Needs tests for context middleware
-
 func TestProxyHandler(t *testing.T) {
 	// Setup
-	router, recorder, _ := setupProxyController(t, nil)
+	router, recorder, authService := setupProxyController(t, nil)
 
 	// Test invalid proxy
 	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
@@ -143,14 +136,26 @@ func TestProxyHandler(t *testing.T) {
 	// Test logged out user (nginx)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
 	router.ServeHTTP(recorder, req)
 
 	assert.Equal(t, 401, recorder.Code)
 
 	// Test logged in user
+	c := gin.CreateTestContextOnly(recorder, router)
+
+	err := authService.CreateSessionCookie(c, &repository.Session{
+		Username:    "testuser",
+		Name:        "testuser",
+		Email:       "testuser@example.com",
+		Provider:    "local",
+		TotpPending: false,
+		OAuthGroups: "",
+	})
+
+	assert.NilError(t, err)
+
+	cookie := c.Writer.Header().Get("Set-Cookie")
+
 	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
 		func(c *gin.Context) {
 			c.Set("context", &config.UserContext{
@@ -169,15 +174,38 @@ func TestProxyHandler(t *testing.T) {
 	})
 
 	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Cookie", cookie)
 	req.Header.Set("Accept", "text/html")
-
 	router.ServeHTTP(recorder, req)
+
 	assert.Equal(t, 200, recorder.Code)
 
 	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
 	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
 	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
+
+	// Ensure basic auth is disabled for TOTP enabled users
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				IsBasicAuth: true,
+				OAuth:       false,
+				Provider:    "local",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: true,
+			})
+			c.Next()
+		},
+	})
+
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.SetBasicAuth("testuser", "test")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
 }

internal/middleware/context_middleware.go

@@ -182,17 +182,13 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 
 			user := m.auth.GetLocalUser(basic.Username)
 
-			if user.TotpSecret != "" {
-				tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
-				return
-			}
-
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
 				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
+				TotpEnabled: user.TotpSecret != "",
 				IsBasicAuth: true,
 			})
 			c.Next()

internal/service/oidc_service.go

@@ -352,7 +352,7 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }
 
-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repository.OidcCode, error) {
 	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
 
 	if err != nil {
@@ -374,10 +374,6 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client
 		return repository.OidcCode{}, ErrCodeExpired
 	}
 
-	if oidcCode.ClientID != clientId {
-		return repository.OidcCode{}, ErrInvalidClient
-	}
-
 	return oidcCode, nil
 }