chore: bump version

Feat/docker labels

.gitignore

@@ -8,4 +8,8 @@ tinyauth
 docker-compose.test.yml
 
 # users file
-users.txt
+users.txt
+
+# secret test file
+secret.txt
+secret_oauth.txt

Dockerfile

@@ -35,10 +35,10 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=site-builder /site/dist ./internal/assets/dist
 
-RUN go build
+RUN CGO_ENABLED=0 go build
 
 # Runner
-FROM busybox:1.37-musl AS runner
+FROM alpine:3.21 AS runner
 
 WORKDIR /tinyauth
 
@@ -46,4 +46,4 @@ COPY --from=builder /tinyauth/tinyauth ./
 
 EXPOSE 3000
 
-CMD ["./tinyauth"]
+ENTRYPOINT ["./tinyauth"]

README.md

@@ -1,36 +1,46 @@
-# Tinyauth - The simplest way to protect your apps with a login screen
+<div align="center">
+    <img alt="Tinyauth" title="Tinyauth" width="256" src="site/public/logo.png">
+    <h1>Tinyauth</h1>
+    <p>The easiest way to secure your apps with a login screen.</p>
+</div>
 
-Tinyauth is an extremely simple traefik middleware that adds a login screen to all of your apps that are using the traefik reverse proxy. Tinyauth is configurable through environment variables and it is only 20MB in size.
+<div align="center">
+    <img alt="License" src="https://img.shields.io/github/license/steveiliop56/tinyauth">
+    <img alt="Release" src="https://img.shields.io/github/v/release/steveiliop56/tinyauth">
+    <img alt="Commit activity" src="https://img.shields.io/github/commit-activity/w/steveiliop56/tinyauth">
+    <img alt="Actions Workflow Status" src="https://img.shields.io/github/actions/workflow/status/steveiliop56/tinyauth/release.yml">
+    <img alt="Issues" src="https://img.shields.io/github/issues/steveiliop56/tinyauth">
+</div>
 
-## Getting started
+<br />
 
-Tinyauth is extremely easy to run since it's shipped as a docker container. The guide on how to get started is available on the website [here](https://tinyauth.doesmycode.work/).
+Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps. It is made for traefik but it can be extended to work with all reverse proxies like caddy and nginx.
 
-## FAQ
+> [!WARNING]
+> Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.
 
-### Why?
+> [!NOTE]
+> Tinyauth is intended for homelab use and it is not made for production use cases. If you are looking for something production ready please use [authentik](https://goauthentik.io).
 
-Why make this project? Well, we all know that more powerful alternatives like authentik and authelia exist, but when I tried to use them, I felt overwhelmed with all the configration options and environment variables I had to configure in order for them to work. So, I decided to make a small alternative in Go to both test my skills and cover my simple login screen needs.
+## Getting Started
 
-### Is this secure?
+You can easily get started with tinyauth by following the guide on the documentation [here](https://tinyauth.doesmycode.work/docs/getting-started.html). There is also an available docker compose file [here](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
 
-Probably, the sessions are managed with the gin sessions package so it should be very secure. It is definitely not made for production but it could easily serve as a simple login screen to all of your homelab apps.
+## Documentation
 
-### Do I need to login every time?
-
-No, when you login, tinyauth sets a `tinyauth` cookie in your browser that applies to all of the subdomains of your domain.
-
-## License
-
-Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions.
+You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.doesmycode.work).
 
 ## Contributing
 
-Any contributions to the codebase are welcome! I am not a cybersecurity person so my code may have a security issue, if you find something that could be used to exploit and bypass tinyauth please let me know as soon as possible so I can fix it.
+All contributions to the codebase are welcome! If you have any recommendations on how to improve security or find a security issue in tinyauth please open an issue or pull request so it can be fixed as soon as possible!
+
+## License
+
+Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.
 
 ## Acknowledgements
 
-Credits for the logo go to:
+Credits for the logo of this app go to:
 
-- Freepik for providing the hat and police badge.
-- Renee French for making the gopher logo.
+- **Freepik** for providing the police hat and logo.
+- **Renee French** for the original gopher logo.

cmd/root.go

@@ -3,14 +3,19 @@ package cmd
 import (
 	"os"
 	"strings"
+	"time"
 	cmd "tinyauth/cmd/user"
 	"tinyauth/internal/api"
+	"tinyauth/internal/assets"
 	"tinyauth/internal/auth"
+	"tinyauth/internal/docker"
 	"tinyauth/internal/hooks"
+	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 
 	"github.com/go-playground/validator/v10"
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -18,60 +23,93 @@ import (
 
 var rootCmd = &cobra.Command{
 	Use:   "tinyauth",
-	Short: "An extremely simple traefik forward auth proxy.",
-	Long: `Tinyauth is an extremely simple traefik forward-auth login screen that makes securing your apps easy.`,
+	Short: "The simplest way to protect your apps with a login screen.",
+	Long:  `Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.`,
 	Run: func(cmd *cobra.Command, args []string) {
+		// Logger
+		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger().Level(zerolog.FatalLevel)
+
 		// Get config
-		log.Info().Msg("Parsing config")
 		var config types.Config
 		parseErr := viper.Unmarshal(&config)
 		HandleError(parseErr, "Failed to parse config")
 
+		// Secrets
+		config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
+		config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile)
+		config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile)
+		config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile)
+		config.TailscaleClientSecret = utils.GetSecret(config.TailscaleClientSecret, config.TailscaleClientSecretFile)
+
 		// Validate config
-		log.Info().Msg("Validating config")
 		validator := validator.New()
 		validateErr := validator.Struct(config)
-		HandleError(validateErr, "Invalid config")
+		HandleError(validateErr, "Failed to validate config")
 
-		// Parse users
+		// Logger
+		log.Logger = log.Level(zerolog.Level(config.LogLevel))
+		log.Info().Str("version", assets.Version).Msg("Starting tinyauth")
+
+		// Users
 		log.Info().Msg("Parsing users")
+		users, usersErr := utils.GetUsers(config.Users, config.UsersFile)
 
-		if config.UsersFile == "" && config.Users == "" {
-			log.Fatal().Msg("No users provided")
-			os.Exit(1)
+		if (len(users) == 0 || usersErr != nil) && !utils.OAuthConfigured(config) {
+			log.Fatal().Err(usersErr).Msg("Failed to parse users")
 		}
 
-		usersString := config.Users
+		// Create oauth whitelist
+		oauthWhitelist := strings.Split(config.OAuthWhitelist, ",")
+		log.Debug().Msg("Parsed OAuth whitelist")
 
-		if config.UsersFile != "" {
-			log.Info().Msg("Reading users from file")
-			usersFromFile, readErr := utils.GetUsersFromFile(config.UsersFile)
-			HandleError(readErr, "Failed to read users from file")
-			usersFromFileParsed := strings.Join(strings.Split(usersFromFile, "\n"), ",")
-			if usersString != "" {
-				usersString = usersString + "," + usersFromFileParsed
-			} else {
-				usersString = usersFromFileParsed
-			}
+		// Create OAuth config
+		oauthConfig := types.OAuthConfig{
+			GithubClientId:        config.GithubClientId,
+			GithubClientSecret:    config.GithubClientSecret,
+			GoogleClientId:        config.GoogleClientId,
+			GoogleClientSecret:    config.GoogleClientSecret,
+			TailscaleClientId:     config.TailscaleClientId,
+			TailscaleClientSecret: config.TailscaleClientSecret,
+			GenericClientId:       config.GenericClientId,
+			GenericClientSecret:   config.GenericClientSecret,
+			GenericScopes:         strings.Split(config.GenericScopes, ","),
+			GenericAuthURL:        config.GenericAuthURL,
+			GenericTokenURL:       config.GenericTokenURL,
+			GenericUserURL:        config.GenericUserURL,
+			AppURL:                config.AppURL,
 		}
 
-		users, parseErr := utils.ParseUsers(usersString)
-		HandleError(parseErr, "Failed to parse users")
+		log.Debug().Msg("Parsed OAuth config")
+
+		// Create docker service
+		docker := docker.NewDocker()
+
+		// Initialize docker
+		dockerErr := docker.Init()
+		HandleError(dockerErr, "Failed to initialize docker")
 
 		// Create auth service
-		auth := auth.NewAuth(users)
-		
+		auth := auth.NewAuth(docker, users, oauthWhitelist)
+
+		// Create OAuth providers service
+		providers := providers.NewProviders(oauthConfig)
+
+		// Initialize providers
+		providers.Init()
+
 		// Create hooks service
-		hooks := hooks.NewHooks(auth)
-		
+		hooks := hooks.NewHooks(auth, providers)
+
 		// Create API
 		api := api.NewAPI(types.APIConfig{
-			Port: config.Port,
-			Address: config.Address,
-			Secret: config.Secret,
-			AppURL: config.AppURL,
-			CookieSecure: config.CookieSecure,
-		}, hooks, auth)
+			Port:            config.Port,
+			Address:         config.Address,
+			Secret:          config.Secret,
+			AppURL:          config.AppURL,
+			CookieSecure:    config.CookieSecure,
+			DisableContinue: config.DisableContinue,
+			CookieExpiry:    config.CookieExpiry,
+		}, hooks, auth, providers)
 
 		// Setup routes
 		api.Init()
@@ -86,31 +124,73 @@ func Execute() {
 	err := rootCmd.Execute()
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute command")
-		os.Exit(1)
 	}
 }
 
 func HandleError(err error, msg string) {
 	if err != nil {
 		log.Fatal().Err(err).Msg(msg)
-		os.Exit(1)
 	}
 }
 
 func init() {
 	rootCmd.AddCommand(cmd.UserCmd())
 	viper.AutomaticEnv()
-	rootCmd.Flags().IntP("port", "p", 3000, "Port to run the server on.")
+	rootCmd.Flags().Int("port", 3000, "Port to run the server on.")
 	rootCmd.Flags().String("address", "0.0.0.0", "Address to bind the server to.")
 	rootCmd.Flags().String("secret", "", "Secret to use for the cookie.")
+	rootCmd.Flags().String("secret-file", "", "Path to a file containing the secret.")
 	rootCmd.Flags().String("app-url", "", "The tinyauth URL.")
-	rootCmd.Flags().String("users", "", "Comma separated list of users in the format username:bcrypt-hashed-password.")
-	rootCmd.Flags().String("users-file", "", "Path to a file containing users in the format username:bcrypt-hashed-password.")
+	rootCmd.Flags().String("users", "", "Comma separated list of users in the format username:hash.")
+	rootCmd.Flags().String("users-file", "", "Path to a file containing users in the format username:hash.")
+	rootCmd.Flags().Bool("cookie-secure", false, "Send cookie over secure connection only.")
+	rootCmd.Flags().String("github-client-id", "", "Github OAuth client ID.")
+	rootCmd.Flags().String("github-client-secret", "", "Github OAuth client secret.")
+	rootCmd.Flags().String("github-client-secret-file", "", "Github OAuth client secret file.")
+	rootCmd.Flags().String("google-client-id", "", "Google OAuth client ID.")
+	rootCmd.Flags().String("google-client-secret", "", "Google OAuth client secret.")
+	rootCmd.Flags().String("google-client-secret-file", "", "Google OAuth client secret file.")
+	rootCmd.Flags().String("tailscale-client-id", "", "Tailscale OAuth client ID.")
+	rootCmd.Flags().String("tailscale-client-secret", "", "Tailscale OAuth client secret.")
+	rootCmd.Flags().String("tailscale-client-secret-file", "", "Tailscale OAuth client secret file.")
+	rootCmd.Flags().String("generic-client-id", "", "Generic OAuth client ID.")
+	rootCmd.Flags().String("generic-client-secret", "", "Generic OAuth client secret.")
+	rootCmd.Flags().String("generic-client-secret-file", "", "Generic OAuth client secret file.")
+	rootCmd.Flags().String("generic-scopes", "", "Generic OAuth scopes.")
+	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
+	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
+	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
+	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
+	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
+	rootCmd.Flags().Int("cookie-expiry", 86400, "Cookie expiration time in seconds.")
+	rootCmd.Flags().Int("log-level", 1, "Log level.")
 	viper.BindEnv("port", "PORT")
 	viper.BindEnv("address", "ADDRESS")
 	viper.BindEnv("secret", "SECRET")
+	viper.BindEnv("secret-file", "SECRET_FILE")
 	viper.BindEnv("app-url", "APP_URL")
 	viper.BindEnv("users", "USERS")
 	viper.BindEnv("users-file", "USERS_FILE")
+	viper.BindEnv("cookie-secure", "COOKIE_SECURE")
+	viper.BindEnv("github-client-id", "GITHUB_CLIENT_ID")
+	viper.BindEnv("github-client-secret", "GITHUB_CLIENT_SECRET")
+	viper.BindEnv("github-client-secret-file", "GITHUB_CLIENT_SECRET_FILE")
+	viper.BindEnv("google-client-id", "GOOGLE_CLIENT_ID")
+	viper.BindEnv("google-client-secret", "GOOGLE_CLIENT_SECRET")
+	viper.BindEnv("google-client-secret-file", "GOOGLE_CLIENT_SECRET_FILE")
+	viper.BindEnv("tailscale-client-id", "TAILSCALE_CLIENT_ID")
+	viper.BindEnv("tailscale-client-secret", "TAILSCALE_CLIENT_SECRET")
+	viper.BindEnv("tailscale-client-secret-file", "TAILSCALE_CLIENT_SECRET_FILE")
+	viper.BindEnv("generic-client-id", "GENERIC_CLIENT_ID")
+	viper.BindEnv("generic-client-secret", "GENERIC_CLIENT_SECRET")
+	viper.BindEnv("generic-client-secret-file", "GENERIC_CLIENT_SECRET_FILE")
+	viper.BindEnv("generic-scopes", "GENERIC_SCOPES")
+	viper.BindEnv("generic-auth-url", "GENERIC_AUTH_URL")
+	viper.BindEnv("generic-token-url", "GENERIC_TOKEN_URL")
+	viper.BindEnv("generic-user-url", "GENERIC_USER_URL")
+	viper.BindEnv("disable-continue", "DISABLE_CONTINUE")
+	viper.BindEnv("oauth-whitelist", "OAUTH_WHITELIST")
+	viper.BindEnv("cookie-expiry", "COOKIE_EXPIRY")
+	viper.BindEnv("log-level", "LOG_LEVEL")
 	viper.BindPFlags(rootCmd.Flags())
 }

cmd/user/create/create.go

@@ -3,10 +3,10 @@ package create
 import (
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/charmbracelet/huh"
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
@@ -18,10 +18,12 @@ var password string
 var docker bool
 
 var CreateCmd = &cobra.Command{
-	Use:  "create",
+	Use:   "create",
 	Short: "Create a user",
-	Long: `Create a user either interactively or by passing flags.`,
+	Long:  `Create a user either interactively or by passing flags.`,
 	Run: func(cmd *cobra.Command, args []string) {
+		log.Logger = log.Level(zerolog.InfoLevel)
+
 		if interactive {
 			form := huh.NewForm(
 				huh.NewGroup(
@@ -47,13 +49,11 @@ var CreateCmd = &cobra.Command{
 
 			if formErr != nil {
 				log.Fatal().Err(formErr).Msg("Form failed")
-				os.Exit(1)
 			}
 		}
 
 		if username == "" || password == "" {
 			log.Error().Msg("Username and password cannot be empty")
-			os.Exit(1)
 		}
 
 		log.Info().Str("username", username).Str("password", password).Bool("docker", docker).Msg("Creating user")
@@ -62,7 +62,6 @@ var CreateCmd = &cobra.Command{
 
 		if passwordErr != nil {
 			log.Fatal().Err(passwordErr).Msg("Failed to hash password")
-			os.Exit(1)
 		}
 
 		passwordString := string(passwordByte)
@@ -76,8 +75,8 @@ var CreateCmd = &cobra.Command{
 }
 
 func init() {
-	CreateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
-	CreateCmd.Flags().BoolVarP(&docker, "docker", "d", false, "Format output for docker")
-	CreateCmd.Flags().StringVarP(&username, "username", "u", "", "Username")
-	CreateCmd.Flags().StringVarP(&password, "password", "p", "", "Password")
-}
+	CreateCmd.Flags().BoolVar(&interactive, "interactive", false, "Create a user interactively")
+	CreateCmd.Flags().BoolVar(&docker, "docker", false, "Format output for docker")
+	CreateCmd.Flags().StringVar(&username, "username", "", "Username")
+	CreateCmd.Flags().StringVar(&password, "password", "", "Password")
+}

cmd/user/user.go

@@ -8,12 +8,17 @@ import (
 )
 
 func UserCmd() *cobra.Command {
+	// Create the user command
 	userCmd := &cobra.Command{
-		Use:  "user",
+		Use:   "user",
 		Short: "User utilities",
-		Long: `Utilities for creating and verifying tinyauth compatible users.`,
+		Long:  `Utilities for creating and verifying tinyauth compatible users.`,
 	}
+
+	// Add subcommands
 	userCmd.AddCommand(create.CreateCmd)
 	userCmd.AddCommand(verify.VerifyCmd)
+
+	// Return the user command
 	return userCmd
-}	
+}

cmd/user/verify/verify.go

@@ -2,10 +2,10 @@ package verify
 
 import (
 	"errors"
-	"os"
 	"strings"
 
 	"github.com/charmbracelet/huh"
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
@@ -18,14 +18,16 @@ var docker bool
 var user string
 
 var VerifyCmd = &cobra.Command{
-	Use: "verify",
+	Use:   "verify",
 	Short: "Verify a user is set up correctly",
-	Long: `Verify a user is set up correctly meaning that it has a correct password.`,
+	Long:  `Verify a user is set up correctly meaning that it has a correct username and password.`,
 	Run: func(cmd *cobra.Command, args []string) {
+		log.Logger = log.Level(zerolog.InfoLevel)
+
 		if interactive {
 			form := huh.NewForm(
 				huh.NewGroup(
-					huh.NewInput().Title("User (user:hash)").Value(&user).Validate((func(s string) error {
+					huh.NewInput().Title("User (username:hash)").Value(&user).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("user cannot be empty")
 						}
@@ -53,34 +55,29 @@ var VerifyCmd = &cobra.Command{
 
 			if formErr != nil {
 				log.Fatal().Err(formErr).Msg("Form failed")
-				os.Exit(1)
 			}
 		}
 
-		if username == "" || password == "" || user == "" { 
-			log.Error().Msg("Username, password and user cannot be empty")
-			os.Exit(1)
+		if username == "" || password == "" || user == "" {
+			log.Fatal().Msg("Username, password and user cannot be empty")
 		}
 
-
 		log.Info().Str("user", user).Str("username", username).Str("password", password).Bool("docker", docker).Msg("Verifying user")
 
 		userSplit := strings.Split(user, ":")
 
 		if userSplit[1] == "" {
-			log.Error().Msg("User is not formatted correctly")
-			os.Exit(1)
+			log.Fatal().Msg("User is not formatted correctly")
 		}
 
 		if docker {
-			userSplit[1] = strings.ReplaceAll(password, "$$", "$")
+			userSplit[1] = strings.ReplaceAll(userSplit[1], "$$", "$")
 		}
 
 		verifyErr := bcrypt.CompareHashAndPassword([]byte(userSplit[1]), []byte(password))
 
 		if verifyErr != nil || username != userSplit[0] {
-			log.Error().Msg("Username or password incorrect")
-			os.Exit(1)
+			log.Fatal().Msg("Username or password incorrect")
 		} else {
 			log.Info().Msg("Verification successful")
 		}
@@ -92,5 +89,5 @@ func init() {
 	VerifyCmd.Flags().BoolVar(&docker, "docker", false, "Is the user formatted for docker?")
 	VerifyCmd.Flags().StringVar(&username, "username", "", "Username")
 	VerifyCmd.Flags().StringVar(&password, "password", "", "Password")
-	VerifyCmd.Flags().StringVar(&user, "user", "", "Hash (user:hash combination)")
-}
+	VerifyCmd.Flags().StringVar(&user, "user", "", "Hash (username:hash combination)")
+}

go.mod

@@ -14,6 +14,7 @@ require (
 )
 
 require (
+	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/bytedance/sonic v1.12.7 // indirect
@@ -27,14 +28,22 @@ require (
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.0 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/docker v27.5.1+incompatible // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/gin-contrib/sse v1.0.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/gorilla/sessions v1.2.2 // indirect
@@ -51,12 +60,16 @@ require (
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -67,11 +80,16 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
@@ -32,10 +34,20 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
+github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
@@ -48,6 +60,11 @@ github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E
 github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -59,6 +76,8 @@ github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -79,10 +98,13 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
 github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -108,6 +130,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -119,8 +143,14 @@ github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELU
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a h1:2MaM6YC3mGu54x+RKAA6JiFFHlHDY1UbkxqppT7wYOg=
 github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a/go.mod h1:hxSnBBYLK21Vtq/PHd0S2FYCxBXzBua8ov5s1RobyRQ=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@@ -138,6 +168,7 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke
 github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
@@ -151,9 +182,11 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
 github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -168,29 +201,67 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
 go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
 golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
 google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/api/api.go

@@ -3,6 +3,7 @@ package api
 import (
 	"fmt"
 	"io/fs"
+	"math/rand/v2"
 	"net/http"
 	"os"
 	"strings"
@@ -10,6 +11,7 @@ import (
 	"tinyauth/internal/assets"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/hooks"
+	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 
@@ -20,64 +22,65 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-func NewAPI(config types.APIConfig, hooks *hooks.Hooks, auth *auth.Auth) (*API) {
+func NewAPI(config types.APIConfig, hooks *hooks.Hooks, auth *auth.Auth, providers *providers.Providers) *API {
 	return &API{
-		Config: config,
-		Hooks: hooks,
-		Auth: auth,
-		Router: nil,
+		Config:    config,
+		Hooks:     hooks,
+		Auth:      auth,
+		Providers: providers,
 	}
 }
 
 type API struct {
-	Config types.APIConfig
-	Router *gin.Engine
-	Hooks *hooks.Hooks
-	Auth *auth.Auth
+	Config    types.APIConfig
+	Router    *gin.Engine
+	Hooks     *hooks.Hooks
+	Auth      *auth.Auth
+	Providers *providers.Providers
+	Domain    string
 }
 
 func (api *API) Init() {
 	gin.SetMode(gin.ReleaseMode)
-	
+
+	log.Debug().Msg("Setting up router")
 	router := gin.New()
 	router.Use(zerolog())
+	log.Debug().Msg("Setting up assets")
 	dist, distErr := fs.Sub(assets.Assets, "dist")
 
 	if distErr != nil {
 		log.Fatal().Err(distErr).Msg("Failed to get UI assets")
-		os.Exit(1)
 	}
 
+	log.Debug().Msg("Setting up file server")
 	fileServer := http.FileServer(http.FS(dist))
+	log.Debug().Msg("Setting up cookie store")
 	store := cookie.NewStore([]byte(api.Config.Secret))
 
+	log.Debug().Msg("Getting domain")
 	domain, domainErr := utils.GetRootURL(api.Config.AppURL)
 
-	log.Info().Str("domain", domain).Msg("Using domain for cookies")
-
 	if domainErr != nil {
 		log.Fatal().Err(domainErr).Msg("Failed to get domain")
 		os.Exit(1)
 	}
 
-	var isSecure bool
+	log.Info().Str("domain", domain).Msg("Using domain for cookies")
+
+	api.Domain = fmt.Sprintf(".%s", domain)
 
-	if api.Config.CookieSecure {
-		isSecure = true
-	} else {
-		isSecure = false
-	}
-	
 	store.Options(sessions.Options{
-		Domain: fmt.Sprintf(".%s", domain),
-		Path: "/",
+		Domain:   api.Domain,
+		Path:     "/",
 		HttpOnly: true,
-		Secure: isSecure,
+		Secure:   api.Config.CookieSecure,
+		MaxAge:   api.Config.CookieExpiry,
 	})
-	
-  	router.Use(sessions.Sessions("tinyauth", store))
 
-	  router.Use(func(c *gin.Context) {
+	router.Use(sessions.Sessions("tinyauth", store))
+
+	router.Use(func(c *gin.Context) {
 		if !strings.HasPrefix(c.Request.URL.Path, "/api") {
 			_, err := fs.Stat(dist, strings.TrimPrefix(c.Request.URL.Path, "/"))
 			if os.IsNotExist(err) {
@@ -92,27 +95,51 @@ func (api *API) Init() {
 }
 
 func (api *API) SetupRoutes() {
-	api.Router.GET("/api/auth", func (c *gin.Context) {
+	api.Router.GET("/api/auth", func(c *gin.Context) {
+		log.Debug().Msg("Checking auth")
 		userContext := api.Hooks.UseUserContext(c)
 
+		uri := c.Request.Header.Get("X-Forwarded-Uri")
+		proto := c.Request.Header.Get("X-Forwarded-Proto")
+		host := c.Request.Header.Get("X-Forwarded-Host")
+
 		if userContext.IsLoggedIn {
+			log.Debug().Msg("Authenticated")
+
+			appAllowed, appAllowedErr := api.Auth.ResourceAllowed(userContext, host)
+			if handleApiError(c, "Failed to check if resource is allowed", appAllowedErr) {
+				return
+			}
+
+			if !appAllowed {
+				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+				queries, queryErr := query.Values(types.UnauthorizedQuery{
+					Username: userContext.Username,
+					Resource: strings.Split(host, ".")[0],
+				})
+				if handleApiError(c, "Failed to build query", queryErr) {
+					return
+				}
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, queries.Encode()))
+			}
+
 			c.JSON(200, gin.H{
-				"status": 200,
+				"status":  200,
 				"message": "Authenticated",
 			})
 			return
 		}
 
-		uri := c.Request.Header.Get("X-Forwarded-Uri")
-		proto := c.Request.Header.Get("X-Forwarded-Proto")
-		host := c.Request.Header.Get("X-Forwarded-Host")
 		queries, queryErr := query.Values(types.LoginQuery{
 			RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
 		})
 
+		log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
+
 		if queryErr != nil {
+			log.Error().Err(queryErr).Msg("Failed to build query")
 			c.JSON(501, gin.H{
-				"status": 501,
+				"status":  501,
 				"message": "Internal Server Error",
 			})
 			return
@@ -121,87 +148,265 @@ func (api *API) SetupRoutes() {
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", api.Config.AppURL, queries.Encode()))
 	})
 
-	api.Router.POST("/api/login", func (c *gin.Context) {
+	api.Router.POST("/api/login", func(c *gin.Context) {
 		var login types.LoginRequest
 
 		err := c.BindJSON(&login)
 
 		if err != nil {
+			log.Error().Err(err).Msg("Failed to bind JSON")
 			c.JSON(400, gin.H{
-				"status": 400,
+				"status":  400,
 				"message": "Bad Request",
 			})
 			return
 		}
 
+		log.Debug().Msg("Got login request")
+
 		user := api.Auth.GetUser(login.Username)
 
 		if user == nil {
+			log.Debug().Str("username", login.Username).Msg("User not found")
 			c.JSON(401, gin.H{
-				"status": 401,
+				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
 
 		if !api.Auth.CheckPassword(*user, login.Password) {
+			log.Debug().Str("username", login.Username).Msg("Password incorrect")
 			c.JSON(401, gin.H{
-				"status": 401,
+				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
 
-		session := sessions.Default(c)
-		session.Set("tinyauth", user.Username)
-		session.Save()
+		log.Debug().Msg("Password correct, logging in")
+
+		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username: login.Username,
+			Provider: "username",
+		})
 
 		c.JSON(200, gin.H{
-			"status": 200,
+			"status":  200,
 			"message": "Logged in",
 		})
 	})
 
-	api.Router.POST("/api/logout", func (c *gin.Context) {
-		session := sessions.Default(c)
-		session.Delete("tinyauth")
-		session.Save()
+	api.Router.POST("/api/logout", func(c *gin.Context) {
+		api.Auth.DeleteSessionCookie(c)
+
+		log.Debug().Msg("Cleaning up redirect cookie")
+
+		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
 
 		c.JSON(200, gin.H{
-			"status": 200,
+			"status":  200,
 			"message": "Logged out",
 		})
 	})
 
-	api.Router.GET("/api/status", func (c *gin.Context) {
+	api.Router.GET("/api/status", func(c *gin.Context) {
+		log.Debug().Msg("Checking status")
 		userContext := api.Hooks.UseUserContext(c)
 
+		configuredProviders := api.Providers.GetConfiguredProviders()
+
+		if api.Auth.UserAuthConfigured() {
+			configuredProviders = append(configuredProviders, "username")
+		}
+
 		if !userContext.IsLoggedIn {
+			log.Debug().Msg("Unauthenticated")
 			c.JSON(200, gin.H{
-				"status": 200,
-				"message": "Unauthenticated",
-				"username": "",
-				"isLoggedIn": false,
+				"status":              200,
+				"message":             "Unauthenticated",
+				"username":            "",
+				"isLoggedIn":          false,
+				"oauth":               false,
+				"provider":            "",
+				"configuredProviders": configuredProviders,
+				"disableContinue":     api.Config.DisableContinue,
 			})
 			return
-		} 
+		}
+
+		log.Debug().Interface("userContext", userContext).Strs("configuredProviders", configuredProviders).Bool("disableContinue", api.Config.DisableContinue).Msg("Authenticated")
 
 		c.JSON(200, gin.H{
-			"status": 200,
-			"message": "Authenticated",
-			"username": userContext.Username,
-			"isLoggedIn": true,
+			"status":              200,
+			"message":             "Authenticated",
+			"username":            userContext.Username,
+			"isLoggedIn":          userContext.IsLoggedIn,
+			"oauth":               userContext.OAuth,
+			"provider":            userContext.Provider,
+			"configuredProviders": configuredProviders,
+			"disableContinue":     api.Config.DisableContinue,
 		})
 	})
 
-	api.Router.GET("/api/healthcheck", func (c *gin.Context) {
+	api.Router.GET("/api/healthcheck", func(c *gin.Context) {
 		c.JSON(200, gin.H{
-			"status": 200,
+			"status":  200,
 			"message": "OK",
 		})
 	})
-}
 
+	api.Router.GET("/api/oauth/url/:provider", func(c *gin.Context) {
+		var request types.OAuthRequest
+
+		bindErr := c.BindUri(&request)
+
+		if bindErr != nil {
+			log.Error().Err(bindErr).Msg("Failed to bind URI")
+			c.JSON(400, gin.H{
+				"status":  400,
+				"message": "Bad Request",
+			})
+			return
+		}
+
+		log.Debug().Msg("Got OAuth request")
+
+		provider := api.Providers.GetProvider(request.Provider)
+
+		if provider == nil {
+			c.JSON(404, gin.H{
+				"status":  404,
+				"message": "Not Found",
+			})
+			return
+		}
+
+		log.Debug().Str("provider", request.Provider).Msg("Got provider")
+
+		authURL := provider.GetAuthURL()
+
+		log.Debug().Msg("Got auth URL")
+
+		redirectURI := c.Query("redirect_uri")
+
+		if redirectURI != "" {
+			log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
+			c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", api.Domain, api.Config.CookieSecure, true)
+		}
+
+		if request.Provider == "tailscale" {
+			tailscaleQuery, tailscaleQueryErr := query.Values(types.TailscaleQuery{
+				Code: (1000 + rand.IntN(9000)), // doesn't need to be secure, just there to avoid caching
+			})
+			if handleApiError(c, "Failed to build query", tailscaleQueryErr) {
+				return
+			}
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Ok",
+				"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", api.Config.AppURL, tailscaleQuery.Encode()),
+			})
+			return
+		}
+
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Ok",
+			"url":     authURL,
+		})
+	})
+
+	api.Router.GET("/api/oauth/callback/:provider", func(c *gin.Context) {
+		var providerName types.OAuthRequest
+
+		bindErr := c.BindUri(&providerName)
+
+		if handleApiError(c, "Failed to bind URI", bindErr) {
+			return
+		}
+
+		log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
+
+		code := c.Query("code")
+
+		if code == "" {
+			log.Error().Msg("No code provided")
+			c.Redirect(http.StatusPermanentRedirect, "/error")
+			return
+		}
+
+		log.Debug().Msg("Got code")
+
+		provider := api.Providers.GetProvider(providerName.Provider)
+
+		log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
+
+		if provider == nil {
+			c.Redirect(http.StatusPermanentRedirect, "/not-found")
+			return
+		}
+
+		_, tokenErr := provider.ExchangeToken(code)
+
+		log.Debug().Msg("Got token")
+
+		if handleApiError(c, "Failed to exchange token", tokenErr) {
+			return
+		}
+
+		email, emailErr := api.Providers.GetUser(providerName.Provider)
+
+		log.Debug().Str("email", email).Msg("Got email")
+
+		if handleApiError(c, "Failed to get user", emailErr) {
+			return
+		}
+
+		if !api.Auth.EmailWhitelisted(email) {
+			log.Warn().Str("email", email).Msg("Email not whitelisted")
+			unauthorizedQuery, unauthorizedQueryErr := query.Values(types.UnauthorizedQuery{
+				Username: email,
+			})
+			if handleApiError(c, "Failed to build query", unauthorizedQueryErr) {
+				return
+			}
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, unauthorizedQuery.Encode()))
+		}
+
+		log.Debug().Msg("Email whitelisted")
+
+		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username: email,
+			Provider: providerName.Provider,
+		})
+
+		redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
+
+		if redirectURIErr != nil {
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Logged in",
+			})
+		}
+
+		log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
+
+		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
+
+		redirectQuery, redirectQueryErr := query.Values(types.LoginQuery{
+			RedirectURI: redirectURI,
+		})
+
+		log.Debug().Msg("Got redirect query")
+
+		if handleApiError(c, "Failed to build query", redirectQueryErr) {
+			return
+		}
+
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", api.Config.AppURL, redirectQuery.Encode()))
+	})
+}
 
 func (api *API) Run() {
 	log.Info().Str("address", api.Config.Address).Int("port", api.Config.Port).Msg("Starting server")
@@ -218,16 +423,25 @@ func zerolog() gin.HandlerFunc {
 		address := c.Request.RemoteAddr
 		method := c.Request.Method
 		path := c.Request.URL.Path
-		
+
 		latency := time.Since(tStart).String()
 
 		switch {
-			case code >= 200 && code < 300:
-				log.Info().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
-			case code >= 300 && code < 400:
-				log.Warn().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
-			case code >= 400:
-				log.Error().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
+		case code >= 200 && code < 300:
+			log.Info().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
+		case code >= 300 && code < 400:
+			log.Warn().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
+		case code >= 400:
+			log.Error().Str("method", method).Str("path", path).Str("address", address).Int("status", code).Str("latency", latency).Msg("Request")
 		}
 	}
-}
+}
+
+func handleApiError(c *gin.Context, msg string, err error) bool {
+	if err != nil {
+		log.Error().Err(err).Msg(msg)
+		c.Redirect(http.StatusPermanentRedirect, "/error")
+		return true
+	}
+	return false
+}

internal/assets/version

@@ -1 +1 @@
-v0.3.0
+v2.1.0

internal/auth/auth.go

@@ -1,19 +1,30 @@
 package auth
 
 import (
+	"slices"
+	"strings"
+	"tinyauth/internal/docker"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/bcrypt"
 )
 
-func NewAuth(userList types.Users) *Auth {
+func NewAuth(docker *docker.Docker, userList types.Users, oauthWhitelist []string) *Auth {
 	return &Auth{
-		Users: userList,
+		Docker:         docker,
+		Users:          userList,
+		OAuthWhitelist: oauthWhitelist,
 	}
 }
 
 type Auth struct {
-	Users types.Users
+	Users          types.Users
+	Docker         *docker.Docker
+	OAuthWhitelist []string
 }
 
 func (auth *Auth) GetUser(username string) *types.User {
@@ -28,4 +39,109 @@ func (auth *Auth) GetUser(username string) *types.User {
 func (auth *Auth) CheckPassword(user types.User, password string) bool {
 	hashedPasswordErr := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
 	return hashedPasswordErr == nil
-}
+}
+
+func (auth *Auth) EmailWhitelisted(emailSrc string) bool {
+	if len(auth.OAuthWhitelist) == 0 {
+		return true
+	}
+	for _, email := range auth.OAuthWhitelist {
+		if email == emailSrc {
+			return true
+		}
+	}
+	return false
+}
+
+func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie) {
+	log.Debug().Msg("Creating session cookie")
+	sessions := sessions.Default(c)
+	log.Debug().Msg("Setting session cookie")
+	sessions.Set("username", data.Username)
+	sessions.Set("provider", data.Provider)
+	sessions.Save()
+}
+
+func (auth *Auth) DeleteSessionCookie(c *gin.Context) {
+	log.Debug().Msg("Deleting session cookie")
+	sessions := sessions.Default(c)
+	sessions.Clear()
+	sessions.Save()
+}
+
+func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error) {
+	log.Debug().Msg("Getting session cookie")
+	sessions := sessions.Default(c)
+
+	cookieUsername := sessions.Get("username")
+	cookieProvider := sessions.Get("provider")
+
+	username, usernameOk := cookieUsername.(string)
+	provider, providerOk := cookieProvider.(string)
+
+	log.Debug().Str("username", username).Str("provider", provider).Msg("Parsed cookie")
+
+	if !usernameOk || !providerOk {
+		log.Warn().Msg("Session cookie invalid")
+		return types.SessionCookie{}, nil
+	}
+
+	return types.SessionCookie{
+		Username: username,
+		Provider: provider,
+	}, nil
+}
+
+func (auth *Auth) UserAuthConfigured() bool {
+	return len(auth.Users) > 0
+}
+
+func (auth *Auth) ResourceAllowed(context types.UserContext, host string) (bool, error) {
+	appId := strings.Split(host, ".")[0]
+	containers, containersErr := auth.Docker.GetContainers()
+
+	if containersErr != nil {
+		return false, containersErr
+	}
+
+	log.Debug().Msg("Got containers")
+
+	for _, container := range containers {
+		inspect, inspectErr := auth.Docker.InspectContainer(container.ID)
+
+		if inspectErr != nil {
+			return false, inspectErr
+		}
+
+		containerName := strings.Split(inspect.Name, "/")[1]
+
+		if containerName == appId {
+			log.Debug().Str("container", containerName).Msg("Found container")
+
+			labels := utils.GetTinyauthLabels(inspect.Config.Labels)
+
+			log.Debug().Msg("Got labels")
+
+			if context.OAuth && len(labels.OAuthWhitelist) != 0 {
+				log.Debug().Msg("Checking OAuth whitelist")
+				if slices.Contains(labels.OAuthWhitelist, context.Username) {
+					return true, nil
+				}
+				return false, nil
+			}
+
+			if len(labels.Users) != 0 {
+				log.Debug().Msg("Checking users")
+				if slices.Contains(labels.Users, context.Username) {
+					return true, nil
+				}
+				return false, nil
+			}
+		}
+
+	}
+
+	log.Debug().Msg("No matching container found, allowing access")
+
+	return true, nil
+}

internal/constants/constants.go

@@ -0,0 +1,6 @@
+package constants
+
+var TinyauthLabels = []string{
+	"tinyauth.oauth.whitelist",
+	"tinyauth.users",
+}

internal/docker/docker.go

@@ -0,0 +1,51 @@
+package docker
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+)
+
+func NewDocker() *Docker {
+	return &Docker{}
+}
+
+type Docker struct {
+	Client  *client.Client
+	Context context.Context
+}
+
+func (docker *Docker) Init() error {
+	apiClient, err := client.NewClientWithOpts(client.FromEnv)
+
+	if err != nil {
+		return err
+	}
+
+	docker.Context = context.Background()
+	docker.Client = apiClient
+
+	return nil
+}
+
+func (docker *Docker) GetContainers() ([]types.Container, error) {
+	containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return containers, nil
+}
+
+func (docker *Docker) InspectContainer(containerId string) (types.ContainerJSON, error) {
+	inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
+
+	if err != nil {
+		return types.ContainerJSON{}, err
+	}
+
+	return inspect, nil
+}

internal/hooks/hooks.go

@@ -2,53 +2,79 @@ package hooks
 
 import (
 	"tinyauth/internal/auth"
+	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
 
-	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
 )
 
-func NewHooks(auth *auth.Auth) *Hooks {
+func NewHooks(auth *auth.Auth, providers *providers.Providers) *Hooks {
 	return &Hooks{
-		Auth: auth,
+		Auth:      auth,
+		Providers: providers,
 	}
 }
 
 type Hooks struct {
-	Auth *auth.Auth
+	Auth      *auth.Auth
+	Providers *providers.Providers
 }
 
-func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext) {
-	session := sessions.Default(c)
-	cookie := session.Get("tinyauth")
+func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
+	cookie, cookiErr := hooks.Auth.GetSessionCookie(c)
 
-	if cookie == nil {
+	if cookiErr != nil {
+		log.Error().Err(cookiErr).Msg("Failed to get session cookie")
 		return types.UserContext{
-			Username: "",
+			Username:   "",
 			IsLoggedIn: false,
+			OAuth:      false,
+			Provider:   "",
 		}
 	}
 
-	username, ok := cookie.(string)
-
-	if !ok {
-		return types.UserContext{
-			Username: "",
-			IsLoggedIn: false,
+	if cookie.Provider == "username" {
+		log.Debug().Msg("Provider is username")
+		if hooks.Auth.GetUser(cookie.Username) != nil {
+			log.Debug().Msg("User exists")
+			return types.UserContext{
+				Username:   cookie.Username,
+				IsLoggedIn: true,
+				OAuth:      false,
+				Provider:   "",
+			}
 		}
 	}
 
-	user := hooks.Auth.GetUser(username)
+	log.Debug().Msg("Provider is not username")
+	provider := hooks.Providers.GetProvider(cookie.Provider)
 
-	if user == nil {
+	if provider != nil {
+		log.Debug().Msg("Provider exists")
+		if !hooks.Auth.EmailWhitelisted(cookie.Username) {
+			log.Error().Str("email", cookie.Username).Msg("Email is not whitelisted")
+			hooks.Auth.DeleteSessionCookie(c)
+			return types.UserContext{
+				Username:   "",
+				IsLoggedIn: false,
+				OAuth:      false,
+				Provider:   "",
+			}
+		}
+		log.Debug().Msg("Email is whitelisted")
 		return types.UserContext{
-			Username: "",
-			IsLoggedIn: false,
+			Username:   cookie.Username,
+			IsLoggedIn: true,
+			OAuth:      true,
+			Provider:   cookie.Provider,
 		}
 	}
 
 	return types.UserContext{
-		Username: username,
-		IsLoggedIn: true,
+		Username:   "",
+		IsLoggedIn: false,
+		OAuth:      false,
+		Provider:   "",
 	}
-}
+}

internal/oauth/oauth.go

@@ -0,0 +1,43 @@
+package oauth
+
+import (
+	"context"
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
+
+func NewOAuth(config oauth2.Config) *OAuth {
+	return &OAuth{
+		Config: config,
+	}
+}
+
+type OAuth struct {
+	Config   oauth2.Config
+	Context  context.Context
+	Token    *oauth2.Token
+	Verifier string
+}
+
+func (oauth *OAuth) Init() {
+	oauth.Context = context.Background()
+	oauth.Verifier = oauth2.GenerateVerifier()
+}
+
+func (oauth *OAuth) GetAuthURL() string {
+	return oauth.Config.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oauth.Verifier))
+}
+
+func (oauth *OAuth) ExchangeToken(code string) (string, error) {
+	token, err := oauth.Config.Exchange(oauth.Context, code, oauth2.VerifierOption(oauth.Verifier))
+	if err != nil {
+		return "", err
+	}
+	oauth.Token = token
+	return oauth.Token.AccessToken, nil
+}
+
+func (oauth *OAuth) GetClient() *http.Client {
+	return oauth.Config.Client(oauth.Context, oauth.Token)
+}

internal/providers/generic.go

@@ -0,0 +1,43 @@
+package providers
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+)
+
+type GenericUserInfoResponse struct {
+	Email string `json:"email"`
+}
+
+func GetGenericEmail(client *http.Client, url string) (string, error) {
+	res, resErr := client.Get(url)
+
+	if resErr != nil {
+		return "", resErr
+	}
+
+	log.Debug().Msg("Got response from generic provider")
+
+	body, bodyErr := io.ReadAll(res.Body)
+
+	if bodyErr != nil {
+		return "", bodyErr
+	}
+
+	log.Debug().Msg("Read body from generic provider")
+
+	var user GenericUserInfoResponse
+
+	jsonErr := json.Unmarshal(body, &user)
+
+	if jsonErr != nil {
+		return "", jsonErr
+	}
+
+	log.Debug().Msg("Parsed user from generic provider")
+
+	return user.Email, nil
+}

internal/providers/github.go

@@ -0,0 +1,55 @@
+package providers
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+)
+
+type GithubUserInfoResponse []struct {
+	Email   string `json:"email"`
+	Primary bool   `json:"primary"`
+}
+
+func GithubScopes() []string {
+	return []string{"user:email"}
+}
+
+func GetGithubEmail(client *http.Client) (string, error) {
+	res, resErr := client.Get("https://api.github.com/user/emails")
+
+	if resErr != nil {
+		return "", resErr
+	}
+
+	log.Debug().Msg("Got response from github")
+
+	body, bodyErr := io.ReadAll(res.Body)
+
+	if bodyErr != nil {
+		return "", bodyErr
+	}
+
+	log.Debug().Msg("Read body from github")
+
+	var emails GithubUserInfoResponse
+
+	jsonErr := json.Unmarshal(body, &emails)
+
+	if jsonErr != nil {
+		return "", jsonErr
+	}
+
+	log.Debug().Msg("Parsed emails from github")
+
+	for _, email := range emails {
+		if email.Primary {
+			return email.Email, nil
+		}
+	}
+
+	return "", errors.New("no primary email found")
+}

internal/providers/google.go

@@ -0,0 +1,47 @@
+package providers
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+)
+
+type GoogleUserInfoResponse struct {
+	Email string `json:"email"`
+}
+
+func GoogleScopes() []string {
+	return []string{"https://www.googleapis.com/auth/userinfo.email"}
+}
+
+func GetGoogleEmail(client *http.Client) (string, error) {
+	res, resErr := client.Get("https://www.googleapis.com/userinfo/v2/me")
+
+	if resErr != nil {
+		return "", resErr
+	}
+
+	log.Debug().Msg("Got response from google")
+
+	body, bodyErr := io.ReadAll(res.Body)
+
+	if bodyErr != nil {
+		return "", bodyErr
+	}
+
+	log.Debug().Msg("Read body from google")
+
+	var user GoogleUserInfoResponse
+
+	jsonErr := json.Unmarshal(body, &user)
+
+	if jsonErr != nil {
+		return "", jsonErr
+	}
+
+	log.Debug().Msg("Parsed user from google")
+
+	return user.Email, nil
+}

internal/providers/providers.go

@@ -0,0 +1,166 @@
+package providers
+
+import (
+	"fmt"
+	"tinyauth/internal/oauth"
+	"tinyauth/internal/types"
+
+	"github.com/rs/zerolog/log"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/endpoints"
+)
+
+func NewProviders(config types.OAuthConfig) *Providers {
+	return &Providers{
+		Config: config,
+	}
+}
+
+type Providers struct {
+	Config    types.OAuthConfig
+	Github    *oauth.OAuth
+	Google    *oauth.OAuth
+	Tailscale *oauth.OAuth
+	Generic   *oauth.OAuth
+}
+
+func (providers *Providers) Init() {
+	if providers.Config.GithubClientId != "" && providers.Config.GithubClientSecret != "" {
+		log.Info().Msg("Initializing Github OAuth")
+		providers.Github = oauth.NewOAuth(oauth2.Config{
+			ClientID:     providers.Config.GithubClientId,
+			ClientSecret: providers.Config.GithubClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/github", providers.Config.AppURL),
+			Scopes:       GithubScopes(),
+			Endpoint:     endpoints.GitHub,
+		})
+		providers.Github.Init()
+	}
+	if providers.Config.GoogleClientId != "" && providers.Config.GoogleClientSecret != "" {
+		log.Info().Msg("Initializing Google OAuth")
+		providers.Google = oauth.NewOAuth(oauth2.Config{
+			ClientID:     providers.Config.GoogleClientId,
+			ClientSecret: providers.Config.GoogleClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/google", providers.Config.AppURL),
+			Scopes:       GoogleScopes(),
+			Endpoint:     endpoints.Google,
+		})
+		providers.Google.Init()
+	}
+	if providers.Config.TailscaleClientId != "" && providers.Config.TailscaleClientSecret != "" {
+		log.Info().Msg("Initializing Tailscale OAuth")
+		providers.Tailscale = oauth.NewOAuth(oauth2.Config{
+			ClientID:     providers.Config.TailscaleClientId,
+			ClientSecret: providers.Config.TailscaleClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/tailscale", providers.Config.AppURL),
+			Scopes:       TailscaleScopes(),
+			Endpoint:     TailscaleEndpoint,
+		})
+		providers.Tailscale.Init()
+	}
+	if providers.Config.GenericClientId != "" && providers.Config.GenericClientSecret != "" {
+		log.Info().Msg("Initializing Generic OAuth")
+		providers.Generic = oauth.NewOAuth(oauth2.Config{
+			ClientID:     providers.Config.GenericClientId,
+			ClientSecret: providers.Config.GenericClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/generic", providers.Config.AppURL),
+			Scopes:       providers.Config.GenericScopes,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  providers.Config.GenericAuthURL,
+				TokenURL: providers.Config.GenericTokenURL,
+			},
+		})
+		providers.Generic.Init()
+	}
+}
+
+func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
+	switch provider {
+	case "github":
+		return providers.Github
+	case "google":
+		return providers.Google
+	case "tailscale":
+		return providers.Tailscale
+	case "generic":
+		return providers.Generic
+	default:
+		return nil
+	}
+}
+
+func (providers *Providers) GetUser(provider string) (string, error) {
+	switch provider {
+	case "github":
+		if providers.Github == nil {
+			log.Debug().Msg("Github provider not configured")
+			return "", nil
+		}
+		client := providers.Github.GetClient()
+		log.Debug().Msg("Got client from github")
+		email, emailErr := GetGithubEmail(client)
+		if emailErr != nil {
+			return "", emailErr
+		}
+		log.Debug().Msg("Got email from github")
+		return email, nil
+	case "google":
+		if providers.Google == nil {
+			log.Debug().Msg("Google provider not configured")
+			return "", nil
+		}
+		client := providers.Google.GetClient()
+		log.Debug().Msg("Got client from google")
+		email, emailErr := GetGoogleEmail(client)
+		if emailErr != nil {
+			return "", emailErr
+		}
+		log.Debug().Msg("Got email from google")
+		return email, nil
+	case "tailscale":
+		if providers.Tailscale == nil {
+			log.Debug().Msg("Tailscale provider not configured")
+			return "", nil
+		}
+		client := providers.Tailscale.GetClient()
+		log.Debug().Msg("Got client from tailscale")
+		email, emailErr := GetTailscaleEmail(client)
+		if emailErr != nil {
+			return "", emailErr
+		}
+		log.Debug().Msg("Got email from tailscale")
+		return email, nil
+	case "generic":
+		if providers.Generic == nil {
+			log.Debug().Msg("Generic provider not configured")
+			return "", nil
+		}
+		client := providers.Generic.GetClient()
+		log.Debug().Msg("Got client from generic")
+		email, emailErr := GetGenericEmail(client, providers.Config.GenericUserURL)
+		if emailErr != nil {
+			return "", emailErr
+		}
+		log.Debug().Msg("Got email from generic")
+		return email, nil
+	default:
+		return "", nil
+	}
+}
+
+func (provider *Providers) GetConfiguredProviders() []string {
+	providers := []string{}
+	if provider.Github != nil {
+		providers = append(providers, "github")
+	}
+	if provider.Google != nil {
+		providers = append(providers, "google")
+	}
+	if provider.Tailscale != nil {
+		providers = append(providers, "tailscale")
+	}
+	if provider.Generic != nil {
+		providers = append(providers, "generic")
+	}
+	return providers
+}

internal/providers/tailscale.go

@@ -0,0 +1,56 @@
+package providers
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+	"golang.org/x/oauth2"
+)
+
+type TailscaleUser struct {
+	LoginName string `json:"loginName"`
+}
+
+type TailscaleUserInfoResponse struct {
+	Users []TailscaleUser `json:"users"`
+}
+
+func TailscaleScopes() []string {
+	return []string{"users:read"}
+}
+
+var TailscaleEndpoint = oauth2.Endpoint{
+	TokenURL: "https://api.tailscale.com/api/v2/oauth/token",
+}
+
+func GetTailscaleEmail(client *http.Client) (string, error) {
+	res, resErr := client.Get("https://api.tailscale.com/api/v2/tailnet/-/users")
+
+	if resErr != nil {
+		return "", resErr
+	}
+
+	log.Debug().Msg("Got response from tailscale")
+
+	body, bodyErr := io.ReadAll(res.Body)
+
+	if bodyErr != nil {
+		return "", bodyErr
+	}
+
+	log.Debug().Msg("Read body from tailscale")
+
+	var users TailscaleUserInfoResponse
+
+	jsonErr := json.Unmarshal(body, &users)
+
+	if jsonErr != nil {
+		return "", jsonErr
+	}
+
+	log.Debug().Msg("Parsed users from tailscale")
+
+	return users.Users[0].LoginName, nil
+}

internal/types/types.go

@@ -1,5 +1,7 @@
 package types
 
+import "tinyauth/internal/oauth"
+
 type LoginQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
@@ -17,24 +19,94 @@ type User struct {
 type Users []User
 
 type Config struct {
-	Port int `validate:"number" mapstructure:"port"`
-	Address string `mapstructure:"address, ip4_addr"`
-	Secret string `validate:"required,len=32" mapstructure:"secret"`
-	AppURL string `validate:"required,url" mapstructure:"app-url"`
-	Users string `mapstructure:"users"`
-	UsersFile string `mapstructure:"users-file"`
-	CookieSecure bool `mapstructure:"cookie-secure"`
+	Port                      int    `mapstructure:"port" validate:"required"`
+	Address                   string `validate:"required,ip4_addr" mapstructure:"address"`
+	Secret                    string `validate:"required,len=32" mapstructure:"secret"`
+	SecretFile                string `mapstructure:"secret-file"`
+	AppURL                    string `validate:"required,url" mapstructure:"app-url"`
+	Users                     string `mapstructure:"users"`
+	UsersFile                 string `mapstructure:"users-file"`
+	CookieSecure              bool   `mapstructure:"cookie-secure"`
+	GithubClientId            string `mapstructure:"github-client-id"`
+	GithubClientSecret        string `mapstructure:"github-client-secret"`
+	GithubClientSecretFile    string `mapstructure:"github-client-secret-file"`
+	GoogleClientId            string `mapstructure:"google-client-id"`
+	GoogleClientSecret        string `mapstructure:"google-client-secret"`
+	GoogleClientSecretFile    string `mapstructure:"google-client-secret-file"`
+	TailscaleClientId         string `mapstructure:"tailscale-client-id"`
+	TailscaleClientSecret     string `mapstructure:"tailscale-client-secret"`
+	TailscaleClientSecretFile string `mapstructure:"tailscale-client-secret-file"`
+	GenericClientId           string `mapstructure:"generic-client-id"`
+	GenericClientSecret       string `mapstructure:"generic-client-secret"`
+	GenericClientSecretFile   string `mapstructure:"generic-client-secret-file"`
+	GenericScopes             string `mapstructure:"generic-scopes"`
+	GenericAuthURL            string `mapstructure:"generic-auth-url"`
+	GenericTokenURL           string `mapstructure:"generic-token-url"`
+	GenericUserURL            string `mapstructure:"generic-user-url"`
+	DisableContinue           bool   `mapstructure:"disable-continue"`
+	OAuthWhitelist            string `mapstructure:"oauth-whitelist"`
+	CookieExpiry              int    `mapstructure:"cookie-expiry"`
+	LogLevel                  int8   `mapstructure:"log-level" validate:"min=-1,max=5"`
 }
 
 type UserContext struct {
-	Username string
+	Username   string
 	IsLoggedIn bool
+	OAuth      bool
+	Provider   string
 }
 
 type APIConfig struct {
-	Port int
-	Address string
-	Secret string
-	AppURL string
-	CookieSecure bool
-}
+	Port            int
+	Address         string
+	Secret          string
+	AppURL          string
+	CookieSecure    bool
+	CookieExpiry    int
+	DisableContinue bool
+}
+
+type OAuthConfig struct {
+	GithubClientId        string
+	GithubClientSecret    string
+	GoogleClientId        string
+	GoogleClientSecret    string
+	TailscaleClientId     string
+	TailscaleClientSecret string
+	GenericClientId       string
+	GenericClientSecret   string
+	GenericScopes         []string
+	GenericAuthURL        string
+	GenericTokenURL       string
+	GenericUserURL        string
+	AppURL                string
+}
+
+type OAuthRequest struct {
+	Provider string `uri:"provider" binding:"required"`
+}
+
+type OAuthProviders struct {
+	Github    *oauth.OAuth
+	Google    *oauth.OAuth
+	Microsoft *oauth.OAuth
+}
+
+type UnauthorizedQuery struct {
+	Username string `url:"username"`
+	Resource string `url:"resource"`
+}
+
+type SessionCookie struct {
+	Username string
+	Provider string
+}
+
+type TinyauthLabels struct {
+	OAuthWhitelist []string
+	Users          []string
+}
+
+type TailscaleQuery struct {
+	Code int `url:"code"`
+}

internal/utils/utils.go

@@ -4,11 +4,16 @@ import (
 	"errors"
 	"net/url"
 	"os"
+	"slices"
 	"strings"
+	"tinyauth/internal/constants"
 	"tinyauth/internal/types"
+
+	"github.com/rs/zerolog/log"
 )
 
 func ParseUsers(users string) (types.Users, error) {
+	log.Debug().Msg("Parsing users")
 	var usersParsed types.Users
 	userList := strings.Split(users, ",")
 
@@ -27,6 +32,8 @@ func ParseUsers(users string) (types.Users, error) {
 		})
 	}
 
+	log.Debug().Msg("Parsed users")
+
 	return usersParsed, nil
 }
 
@@ -37,21 +44,21 @@ func GetRootURL(urlSrc string) (string, error) {
 		return "", parseErr
 	}
 
-	urlSplitted := strings.Split(urlParsed.Host, ".")
+	urlSplitted := strings.Split(urlParsed.Hostname(), ".")
 
 	urlFinal := strings.Join(urlSplitted[1:], ".")
 
 	return urlFinal, nil
 }
 
-func GetUsersFromFile(usersFile string) (string, error) {
-	_, statErr := os.Stat(usersFile)
+func ReadFile(file string) (string, error) {
+	_, statErr := os.Stat(file)
 
 	if statErr != nil {
 		return "", statErr
 	}
 
-	data, readErr := os.ReadFile(usersFile)
+	data, readErr := os.ReadFile(file)
 
 	if readErr != nil {
 		return "", readErr
@@ -59,3 +66,83 @@ func GetUsersFromFile(usersFile string) (string, error) {
 
 	return string(data), nil
 }
+
+func ParseFileToLine(content string) string {
+	lines := strings.Split(content, "\n")
+	users := make([]string, 0)
+
+	for _, line := range lines {
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+
+		users = append(users, strings.TrimSpace(line))
+	}
+
+	return strings.Join(users, ",")
+}
+
+func GetSecret(conf string, file string) string {
+	if conf == "" && file == "" {
+		return ""
+	}
+
+	if conf != "" {
+		return conf
+	}
+
+	contents, err := ReadFile(file)
+
+	if err != nil {
+		return ""
+	}
+
+	return contents
+}
+
+func GetUsers(conf string, file string) (types.Users, error) {
+	var users string
+
+	if conf == "" && file == "" {
+		return types.Users{}, errors.New("no users provided")
+	}
+
+	if conf != "" {
+		log.Debug().Msg("Using users from config")
+		users += conf
+	}
+
+	if file != "" {
+		fileContents, fileErr := ReadFile(file)
+
+		if fileErr == nil {
+			log.Debug().Msg("Using users from file")
+			if users != "" {
+				users += ","
+			}
+			users += ParseFileToLine(fileContents)
+		}
+	}
+
+	return ParseUsers(users)
+}
+
+func OAuthConfigured(config types.Config) bool {
+	return (config.GithubClientId != "" && config.GithubClientSecret != "") || (config.GoogleClientId != "" && config.GoogleClientSecret != "") || (config.GenericClientId != "" && config.GenericClientSecret != "")
+}
+
+func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
+	var tinyauthLabels types.TinyauthLabels
+	for label, value := range labels {
+		if slices.Contains(constants.TinyauthLabels, label) {
+			log.Debug().Str("label", label).Msg("Found label")
+			switch label {
+			case "tinyauth.oauth.whitelist":
+				tinyauthLabels.OAuthWhitelist = strings.Split(value, ",")
+			case "tinyauth.users":
+				tinyauthLabels.Users = strings.Split(value, ",")
+			}
+		}
+	}
+	return tinyauthLabels
+}

main.go

@@ -4,7 +4,6 @@ import (
 	"os"
 	"time"
 	"tinyauth/cmd"
-	"tinyauth/internal/assets"
 
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
@@ -12,9 +11,8 @@ import (
 
 func main() {
 	// Logger
-	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger()
-	log.Info().Str("version", assets.Version).Msg("Starting tinyauth")
-	
+	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger().Level(zerolog.FatalLevel)
+
 	// Run cmd
 	cmd.Execute()
 }

site/src/icons/github.tsx

@@ -0,0 +1,18 @@
+import type { SVGProps } from "react";
+
+export function GithubIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width={24}
+      height={24}
+      viewBox="0 0 24 24"
+      {...props}
+    >
+      <path
+        fill="currentColor"
+        d="M12 2A10 10 0 0 0 2 12c0 4.42 2.87 8.17 6.84 9.5c.5.08.66-.23.66-.5v-1.69c-2.77.6-3.36-1.34-3.36-1.34c-.46-1.16-1.11-1.47-1.11-1.47c-.91-.62.07-.6.07-.6c1 .07 1.53 1.03 1.53 1.03c.87 1.52 2.34 1.07 2.91.83c.09-.65.35-1.09.63-1.34c-2.22-.25-4.55-1.11-4.55-4.92c0-1.11.38-2 1.03-2.71c-.1-.25-.45-1.29.1-2.64c0 0 .84-.27 2.75 1.02c.79-.22 1.65-.33 2.5-.33s1.71.11 2.5.33c1.91-1.29 2.75-1.02 2.75-1.02c.55 1.35.2 2.39.1 2.64c.65.71 1.03 1.6 1.03 2.71c0 3.82-2.34 4.66-4.57 4.91c.36.31.69.92.69 1.85V21c0 .27.16.59.67.5C19.14 20.16 22 16.42 22 12A10 10 0 0 0 12 2"
+      ></path>
+    </svg>
+  );
+}

site/src/icons/google.tsx

@@ -0,0 +1,30 @@
+import type { SVGProps } from "react";
+
+export function GoogleIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width={48}
+      height={48}
+      viewBox="0 0 48 48"
+      {...props}
+    >
+      <path
+        fill="#ffc107"
+        d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8c-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4C12.955 4 4 12.955 4 24s8.955 20 20 20s20-8.955 20-20c0-1.341-.138-2.65-.389-3.917"
+      ></path>
+      <path
+        fill="#ff3d00"
+        d="m6.306 14.691l6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4C16.318 4 9.656 8.337 6.306 14.691"
+      ></path>
+      <path
+        fill="#4caf50"
+        d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.9 11.9 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44"
+      ></path>
+      <path
+        fill="#1976d2"
+        d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002l6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917"
+      ></path>
+    </svg>
+  );
+}

site/src/icons/oauth.tsx

@@ -0,0 +1,24 @@
+import type { SVGProps } from "react";
+
+export function OAuthIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width={24}
+      height={24}
+      viewBox="0 0 24 24"
+      {...props}
+    >
+      <g
+        fill="none"
+        stroke="currentColor"
+        strokeLinecap="round"
+        strokeLinejoin="round"
+        strokeWidth={2}
+      >
+        <path d="M2 12a10 10 0 1 0 20 0a10 10 0 1 0-20 0"></path>
+        <path d="M12.556 6c.65 0 1.235.373 1.508.947l2.839 7.848a1.646 1.646 0 0 1-1.01 2.108a1.673 1.673 0 0 1-2.068-.851L13.365 15h-2.73l-.398.905A1.67 1.67 0 0 1 8.26 16.95l-.153-.047a1.647 1.647 0 0 1-1.056-1.956l2.824-7.852a1.66 1.66 0 0 1 1.409-1.087z"></path>
+      </g>
+    </svg>
+  );
+}

site/src/icons/tailscale.tsx

@@ -0,0 +1,55 @@
+import type { SVGProps } from "react";
+
+export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      viewBox="0 0 512 512"
+      width={24}
+      height={24}
+      {...props}
+    >
+      <style>{".st0{opacity:0.2;fill:#CCCAC9;}.st1{fill:#FFFFFF;}"}</style>
+      <g>
+        <g>
+          <path
+            className="st0"
+            d="M65.6,127.7c35.3,0,63.9-28.6,63.9-63.9S100.9,0,65.6,0S1.8,28.6,1.8,63.9S30.4,127.7,65.6,127.7z"
+          />
+          <path
+            className="st1"
+            d="M65.6,318.1c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9S1.8,219,1.8,254.2S30.4,318.1,65.6,318.1z"
+          />
+          <path
+            className="st0"
+            d="M65.6,512c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9S1.8,412.9,1.8,448.1S30.4,512,65.6,512z"
+          />
+          <path
+            className="st1"
+            d="M257.2,318.1c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9s-63.9,28.6-63.9,63.9S221.9,318.1,257.2,318.1z"
+          />
+          <path
+            className="st1"
+            d="M257.2,512c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9s-63.9,28.6-63.9,63.9S221.9,512,257.2,512z"
+          />
+          <path
+            className="st0"
+            d="M257.2,127.7c35.3,0,63.9-28.6,63.9-63.9S292.5,0,257.2,0s-63.9,28.6-63.9,63.9S221.9,127.7,257.2,127.7z"
+          />
+          <path
+            className="st0"
+            d="M446.4,127.7c35.3,0,63.9-28.6,63.9-63.9S481.6,0,446.4,0c-35.3,0-63.9,28.6-63.9,63.9S411.1,127.7,446.4,127.7z"
+          />
+          <path
+            className="st1"
+            d="M446.4,318.1c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9s-63.9,28.6-63.9,63.9S411.1,318.1,446.4,318.1z"
+          />
+          <path
+            className="st0"
+            d="M446.4,512c35.3,0,63.9-28.6,63.9-63.9s-28.6-63.9-63.9-63.9s-63.9,28.6-63.9,63.9S411.1,512,446.4,512z"
+          />
+        </g>
+      </g>
+    </svg>
+  );
+}

site/src/main.tsx

@@ -13,6 +13,8 @@ import { LoginPage } from "./pages/login-page.tsx";
 import { LogoutPage } from "./pages/logout-page.tsx";
 import { ContinuePage } from "./pages/continue-page.tsx";
 import { NotFoundPage } from "./pages/not-found-page.tsx";
+import { UnauthorizedPage } from "./pages/unauthorized-page.tsx";
+import { InternalServerError } from "./pages/internal-server-error.tsx";
 
 const queryClient = new QueryClient({
   defaultOptions: {
@@ -34,6 +36,8 @@ createRoot(document.getElementById("root")!).render(
               <Route path="/login" element={<LoginPage />} />
               <Route path="/logout" element={<LogoutPage />} />
               <Route path="/continue" element={<ContinuePage />} />
+              <Route path="/unauthorized" element={<UnauthorizedPage />} />
+              <Route path="/error" element={<InternalServerError />} />
               <Route path="*" element={<NotFoundPage />} />
             </Routes>
           </BrowserRouter>

site/src/pages/continue-page.tsx

@@ -1,18 +1,23 @@
-import { Button, Paper, Text } from "@mantine/core";
+import { Button, Code, Paper, Text } from "@mantine/core";
 import { notifications } from "@mantine/notifications";
 import { Navigate } from "react-router";
 import { useUserContext } from "../context/user-context";
 import { Layout } from "../components/layouts/layout";
+import { ReactNode } from "react";
 
 export const ContinuePage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const redirectUri = params.get("redirect_uri");
 
-  const { isLoggedIn } = useUserContext();
+  const { isLoggedIn, disableContinue } = useUserContext();
 
   if (!isLoggedIn) {
-    return <Navigate to="/login" />;
+    return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
+  }
+
+  if (redirectUri === "null") {
+    return <Navigate to="/" />;
   }
 
   const redirect = () => {
@@ -22,31 +27,62 @@ export const ContinuePage = () => {
       color: "blue",
     });
     setTimeout(() => {
-      window.location.replace(redirectUri!);
+      window.location.href = redirectUri!;
     }, 500);
   };
 
+  const urlParsed = URL.parse(redirectUri!);
+
+  if (
+    window.location.protocol === "https:" &&
+    urlParsed!.protocol === "http:"
+  ) {
+    return (
+      <ContinuePageLayout>
+        <Text size="xl" fw={700}>
+          Insecure Redirect
+        </Text>
+        <Text>
+          Your are logged in but trying to redirect from <Code>https</Code> to{" "}
+          <Code>http</Code>, please click the button to redirect.
+        </Text>
+        <Button fullWidth mt="xl" onClick={redirect}>
+          Continue
+        </Button>
+      </ContinuePageLayout>
+    );
+  }
+
+  if (disableContinue) {
+    window.location.href = redirectUri!;
+    return (
+      <ContinuePageLayout>
+        <Text size="xl" fw={700}>
+          Redirecting
+        </Text>
+        <Text>You should be redirected to your app soon.</Text>
+      </ContinuePageLayout>
+    );
+  }
+
+  return (
+    <ContinuePageLayout>
+      <Text size="xl" fw={700}>
+        Continue
+      </Text>
+      <Text>Click the button to continue to your app.</Text>
+      <Button fullWidth mt="xl" onClick={redirect}>
+        Continue
+      </Button>
+    </ContinuePageLayout>
+  );
+};
+
+export const ContinuePageLayout = ({ children }: { children: ReactNode }) => {
   return (
     <Layout>
       <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
-        {redirectUri !== "null" ? (
-          <>
-            <Text size="xl" fw={700}>
-              Continue
-            </Text>
-            <Text>Click the button to continue to your app.</Text>
-            <Button fullWidth mt="xl" onClick={redirect}>
-              Continue
-            </Button>
-          </>
-        ) : (
-          <>
-            <Text size="xl" fw={700}>
-              Logged in
-            </Text>
-            <Text>You are now signed in and can use your apps.</Text>
-          </>
-        )}
+        {children}
       </Paper>
     </Layout>
   );

site/src/pages/internal-server-error.tsx

@@ -0,0 +1,21 @@
+import { Button, Paper, Text } from "@mantine/core";
+import { Layout } from "../components/layouts/layout";
+
+export const InternalServerError = () => {
+  return (
+    <Layout>
+      <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
+        <Text size="xl" fw={700}>
+          Internal Server Error
+        </Text>
+        <Text>
+          An error occured on the server and it currently cannot serve your
+          request.
+        </Text>
+        <Button fullWidth mt="xl" onClick={() => window.location.replace("/")}>
+          Try again
+        </Button>
+      </Paper>
+    </Layout>
+  );
+};

site/src/pages/login-page.tsx

@@ -1,4 +1,13 @@
-import { Button, Paper, PasswordInput, TextInput, Title } from "@mantine/core";
+import {
+  Button,
+  Paper,
+  PasswordInput,
+  TextInput,
+  Title,
+  Text,
+  Divider,
+  Grid,
+} from "@mantine/core";
 import { useForm, zodResolver } from "@mantine/form";
 import { notifications } from "@mantine/notifications";
 import { useMutation } from "@tanstack/react-query";
@@ -7,13 +16,20 @@ import { z } from "zod";
 import { useUserContext } from "../context/user-context";
 import { Navigate } from "react-router";
 import { Layout } from "../components/layouts/layout";
+import { GoogleIcon } from "../icons/google";
+import { GithubIcon } from "../icons/github";
+import { OAuthIcon } from "../icons/oauth";
+import { TailscaleIcon } from "../icons/tailscale";
 
 export const LoginPage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const redirectUri = params.get("redirect_uri");
 
-  const { isLoggedIn } = useUserContext();
+  const { isLoggedIn, configuredProviders } = useUserContext();
+  const oauthProviders = configuredProviders.filter(
+    (value) => value !== "username",
+  );
 
   if (isLoggedIn) {
     return <Navigate to="/logout" />;
@@ -53,9 +69,38 @@ export const LoginPage = () => {
         color: "green",
       });
       setTimeout(() => {
-        window.location.replace(`/continue?redirect_uri=${redirectUri}`);
+        if (redirectUri === "null") {
+          window.location.replace("/");
+        } else {
+          window.location.replace(`/continue?redirect_uri=${redirectUri}`);
+        }
+      }, 500);
+    },
+  });
+
+  const loginOAuthMutation = useMutation({
+    mutationFn: (provider: string) => {
+      return axios.get(
+        `/api/oauth/url/${provider}?redirect_uri=${redirectUri}`,
+      );
+    },
+    onError: () => {
+      notifications.show({
+        title: "Internal error",
+        message: "Failed to get OAuth URL",
+        color: "red",
       });
     },
+    onSuccess: (data) => {
+      notifications.show({
+        title: "Redirecting",
+        message: "Redirecting to your OAuth provider",
+        color: "blue",
+      });
+      setTimeout(() => {
+        window.location.href = data.data.url;
+      }, 500);
+    },
   });
 
   const handleSubmit = (values: FormValues) => {
@@ -64,35 +109,113 @@ export const LoginPage = () => {
 
   return (
     <Layout>
-      <Title ta="center">Welcome back!</Title>
-      <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
-        <form onSubmit={form.onSubmit(handleSubmit)}>
-          <TextInput
-            label="Username"
-            placeholder="tinyauth"
-            required
-            disabled={loginMutation.isLoading}
-            key={form.key("username")}
-            {...form.getInputProps("username")}
-          />
-          <PasswordInput
-            label="Password"
-            placeholder="password"
-            required
-            mt="md"
-            disabled={loginMutation.isLoading}
-            key={form.key("password")}
-            {...form.getInputProps("password")}
-          />
-          <Button
-            fullWidth
-            mt="xl"
-            type="submit"
-            loading={loginMutation.isLoading}
-          >
-            Sign in
-          </Button>
-        </form>
+      <Title ta="center">Tinyauth</Title>
+      <Paper shadow="md" p="xl" mt={30} radius="md" withBorder>
+        {oauthProviders.length > 0 && (
+          <>
+            <Text size="lg" fw={500} ta="center">
+              Welcome back, login with
+            </Text>
+            <Grid mb="md" mt="md" align="center" justify="center">
+              {oauthProviders.includes("google") && (
+                <Grid.Col span="content">
+                  <Button
+                    radius="xl"
+                    leftSection={
+                      <GoogleIcon style={{ width: 14, height: 14 }} />
+                    }
+                    variant="default"
+                    onClick={() => loginOAuthMutation.mutate("google")}
+                    loading={loginOAuthMutation.isLoading}
+                  >
+                    Google
+                  </Button>
+                </Grid.Col>
+              )}
+              {oauthProviders.includes("github") && (
+                <Grid.Col span="content">
+                  <Button
+                    radius="xl"
+                    leftSection={
+                      <GithubIcon style={{ width: 14, height: 14 }} />
+                    }
+                    variant="default"
+                    onClick={() => loginOAuthMutation.mutate("github")}
+                    loading={loginOAuthMutation.isLoading}
+                  >
+                    Github
+                  </Button>
+                </Grid.Col>
+              )}
+              {oauthProviders.includes("tailscale") && (
+                <Grid.Col span="content">
+                  <Button
+                    radius="xl"
+                    leftSection={
+                      <TailscaleIcon style={{ width: 14, height: 14 }} />
+                    }
+                    variant="default"
+                    onClick={() => loginOAuthMutation.mutate("tailscale")}
+                    loading={loginOAuthMutation.isLoading}
+                  >
+                    Tailscale
+                  </Button>
+                </Grid.Col>
+              )}
+              {oauthProviders.includes("generic") && (
+                <Grid.Col span="content">
+                  <Button
+                    radius="xl"
+                    leftSection={
+                      <OAuthIcon style={{ width: 14, height: 14 }} />
+                    }
+                    variant="default"
+                    onClick={() => loginOAuthMutation.mutate("generic")}
+                    loading={loginOAuthMutation.isLoading}
+                  >
+                    Generic
+                  </Button>
+                </Grid.Col>
+              )}
+            </Grid>
+            {configuredProviders.includes("username") && (
+              <Divider
+                label="Or continue with password"
+                labelPosition="center"
+                my="lg"
+              />
+            )}
+          </>
+        )}
+        {configuredProviders.includes("username") && (
+          <form onSubmit={form.onSubmit(handleSubmit)}>
+            <TextInput
+              label="Username"
+              placeholder="user@example.com"
+              required
+              disabled={loginMutation.isLoading}
+              key={form.key("username")}
+              {...form.getInputProps("username")}
+            />
+            <PasswordInput
+              label="Password"
+              placeholder="password"
+              required
+              mt="md"
+              disabled={loginMutation.isLoading}
+              key={form.key("password")}
+              {...form.getInputProps("password")}
+            />
+            <Button
+              fullWidth
+              mt="xl"
+              type="submit"
+              loading={loginMutation.isLoading}
+            >
+              Login
+            </Button>
+          </form>
+        )}
       </Paper>
     </Layout>
   );

site/src/pages/logout-page.tsx

@@ -5,9 +5,10 @@ import axios from "axios";
 import { useUserContext } from "../context/user-context";
 import { Navigate } from "react-router";
 import { Layout } from "../components/layouts/layout";
+import { capitalize } from "../utils/utils";
 
 export const LogoutPage = () => {
-  const { isLoggedIn, username } = useUserContext();
+  const { isLoggedIn, username, oauth, provider } = useUserContext();
 
   if (!isLoggedIn) {
     return <Navigate to="/login" />;
@@ -31,7 +32,7 @@ export const LogoutPage = () => {
         color: "green",
       });
       setTimeout(() => {
-        window.location.reload();
+        window.location.replace("/login");
       }, 500);
     },
   });
@@ -43,8 +44,9 @@ export const LogoutPage = () => {
           Logout
         </Text>
         <Text>
-          You are currently logged in as <Code>{username}</Code>, click the
-          button below to log out.
+          You are currently logged in as <Code>{username}</Code>
+          {oauth && ` using ${capitalize(provider)} OAuth`}. Click the button
+          below to log out.
         </Text>
         <Button
           fullWidth

site/src/pages/unauthorized-page.tsx

@@ -0,0 +1,41 @@
+import { Button, Code, Paper, Text } from "@mantine/core";
+import { Layout } from "../components/layouts/layout";
+import { Navigate } from "react-router";
+
+export const UnauthorizedPage = () => {
+  const queryString = window.location.search;
+  const params = new URLSearchParams(queryString);
+  const username = params.get("username");
+  const resource = params.get("resource");
+
+  if (username === "null") {
+    return <Navigate to="/" />;
+  }
+
+  return (
+    <Layout>
+      <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
+        <Text size="xl" fw={700}>
+          Unauthorized
+        </Text>
+        <Text>
+          The user with username <Code>{username}</Code> is not authorized to{" "}
+          {resource !== "null" ? (
+            <span>
+              access the <Code>{resource}</Code> resource.
+            </span>
+          ) : (
+            "login."
+          )}
+        </Text>
+        <Button
+          fullWidth
+          mt="xl"
+          onClick={() => window.location.replace("/login")}
+        >
+          Try again
+        </Button>
+      </Paper>
+    </Layout>
+  );
+};

site/src/schemas/user-context-schema.ts

@@ -3,6 +3,10 @@ import { z } from "zod";
 export const userContextSchema = z.object({
   isLoggedIn: z.boolean(),
   username: z.string(),
+  oauth: z.boolean(),
+  provider: z.string(),
+  configuredProviders: z.array(z.string()),
+  disableContinue: z.boolean(),
 });
 
 export type UserContextSchemaType = z.infer<typeof userContextSchema>;

site/src/utils/utils.ts

@@ -0,0 +1 @@
+export const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);