refactor: make error handling simpler

* wip

* refactor: use prefix instead of patern in docker meta

* tests: fix tests

.env.example

@@ -0,0 +1,30 @@
+PORT=3000
+ADDRESS=0.0.0.0
+SECRET=app_secret
+SECRET_FILE=app_secret_file
+APP_URL=http://localhost:3000
+USERS=your_user_password_hash
+USERS_FILE=users_file
+COOKIE_SECURE=false
+GITHUB_CLIENT_ID=github_client_id
+GITHUB_CLIENT_SECRET=github_client_secret
+GITHUB_CLIENT_SECRET_FILE=github_client_secret_file
+GOOGLE_CLIENT_ID=google_client_id
+GOOGLE_CLIENT_SECRET=google_client_secret
+GOOGLE_CLIENT_SECRET_FILE=google_client_secret_file
+TAILSCALE_CLIENT_ID=tailscale_client_id
+TAILSCALE_CLIENT_SECRET=tailscale_client_secret
+TAILSCALE_CLIENT_SECRET_FILE=tailscale__client_secret_file
+GENERIC_CLIENT_ID=generic_client_id
+GENERIC_CLIENT_SECRET=generic_client_secret
+GENERIC_CLIENT_SECRET_FILE=generic_client_secret_file
+GENERIC_SCOPES=generic_scopes
+GENERIC_AUTH_URL=generic_auth_url
+GENERIC_TOKEN_URL=generic_token_url
+GENERIC_USER_URL=generic_user_url
+DISABLE_CONTINUE=false
+OAUTH_WHITELIST=
+GENERIC_NAME=My OAuth
+SESSION_EXPIRY=7200
+LOG_LEVEL=0
+APP_TITLE=Tinyauth SSO

.github/workflows/alpha-release.yml

@@ -1,58 +0,0 @@
-name: Alpha Release
-on:
-  workflow_dispatch:
-    inputs:
-      alpha:
-        description: "Alpha version (e.g. 1, 2, 3)"
-        required: true
-
-jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)-alpha.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
-
-  alpha-release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create alpha release
-        uses: softprops/action-gh-release@v2
-        with:
-          prerelease: true
-          tag_name: ${{ needs.get-tag.outputs.tag }}

.github/workflows/beta-release.yml

@@ -1,58 +0,0 @@
-name: Beta Release
-on:
-  workflow_dispatch:
-    inputs:
-      alpha:
-        description: "Beta version (e.g. 1, 2, 3)"
-        required: true
-
-jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)-beta.${{ github.event.inputs.alpha }}" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}
-
-  beta-release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create beta release
-        uses: softprops/action-gh-release@v2
-        with:
-          prerelease: true
-          tag_name: ${{ needs.get-tag.outputs.tag }}

.github/workflows/release.yml

@@ -1,32 +1,22 @@
 name: Release
 on:
   workflow_dispatch:
+  push:
+    tags:
+      - "v*"
 
 jobs:
-  get-tag:
-    runs-on: ubuntu-latest
-    outputs:
-      tag: ${{ steps.tag.outputs.name }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get tag
-        id: tag
-        run: echo "name=$(cat internal/assets/version)" >> $GITHUB_OUTPUT
-
-  build-docker:
-    needs: get-tag
+  build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -35,21 +25,112 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build and push
         uses: docker/build-push-action@v6
+        id: build
         with:
-          context: .
-          push: true
-          platforms: linux/arm64, linux/amd64
-          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.get-tag.outputs.tag }}, ghcr.io/${{ github.repository_owner }}/tinyauth:latest
+          platforms: linux/amd64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
 
-  release:
-    needs: [get-tag, build-docker]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create release
-        uses: softprops/action-gh-release@v2
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
         with:
-          prerelease: false
-          make_latest: false
-          tag_name: ${{ needs.get-tag.outputs.tag }}
+          name: digests-linux-amd64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  build-arm:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-linux-arm64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - build-arm
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)

.gitignore

@@ -18,4 +18,10 @@ secret_oauth.txt
 .vscode
 
 # apple stuff
-.DS_Store
+.DS_Store
+
+# env
+.env
+
+# tmp directory
+tmp

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing
 
-Contributing is relatively easy.
+Contributing is relatively easy, you just need to follow the steps carefully and you will be up and running with a development server in less than 5 minutes.
 
 ## Requirements
 
@@ -20,62 +20,37 @@ cd tinyauth
 
 ## Install requirements
 
-Now it's time to install the requirements, firstly the Go ones:
+Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have errors, to install the go requirements, run:
 
 ```sh
-go mod download
+go mod tidy
 ```
 
-And now the site ones:
+You also need to download the frontend requirements, this can be done like so:
 
 ```sh
-cd site
-bun i
+cd site/
+bun install
 ```
 
-## Developing locally
+## Create your `.env` file
 
-In order to develop the app locally you need to build the frontend and copy it to the assets folder in order for Go to embed it and host it. In order to build the frontend run:
+In order to ocnfigure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables inside to suit your needs.
 
-```sh
-cd site
-bun run build
-cd ..
-```
+## Developing
 
-Copy it to the assets folder:
-
-```sh
-rm -rf internal/assets/dist
-cp -r site/dist internal/assets/dist
-```
-
-Finally either run the app with:
-
-```sh
-go run main.go
-```
-
-Or build it with:
-
-```sh
-go build
-```
-
-> [!WARNING]
-> Make sure you have set the environment variables when running outside of docker else the app will fail.
-
-## Developing in docker
-
-My recommended development method is docker so I can test that both my image works and that the app responds correctly to traefik. In my setup I have set these two DNS records in my DNS server:
+I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 
 ```
-*.dev.local -> 127.0.0.1
-dev.local -> 127.0.0.1
+*.dev.example.com -> 127.0.0.1
+dev.example.com -> 127.0.0.1
 ```
 
-Then I can just make sure the domains are correct in the example docker compose file and do:
+Then you can just make sure the domains are correct in the example docker compose file and run:
 
 ```sh
 docker compose -f docker-compose.dev.yml up --build
 ```
+
+> [!NOTE]
+> I would recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.

Dockerfile.dev

@@ -0,0 +1,22 @@
+FROM golang:1.23-alpine3.21
+
+WORKDIR /tinyauth
+
+COPY go.mod ./
+COPY go.sum ./
+
+RUN go mod download
+
+COPY ./cmd ./cmd
+COPY ./internal ./internal
+COPY ./main.go ./
+COPY ./air.toml ./
+
+RUN mkdir -p ./internal/assets/dist && \
+    echo "app running" > ./internal/assets/dist/index.html
+
+RUN go install github.com/air-verse/air@v1.61.7
+
+EXPOSE 3000
+
+ENTRYPOINT ["air", "-c", "air.toml"]

FUNDING.yml

@@ -0,0 +1,2 @@
+github: steveiliop56
+buy_me_a_coffee: steveiliop56

README.md

@@ -24,15 +24,15 @@ Tinyauth is a simple authentication middleware that adds simple username/passwor
 
 ## Discord
 
-I just made a Discord server for Tinyauth! It is not only for Tinyauth but general self-hosting because I just like chatting with people! The link is [here](https://discord.gg/gWpzrksk), see you there!
+I just made a Discord server for Tinyauth! It is not only for Tinyauth but general self-hosting because I just like chatting with people! The link is [here](https://discord.gg/eHzVaCzRRd), see you there!
 
 ## Getting Started
 
-You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.doesmycode.work/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
+You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
 
 ## Documentation
 
-You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.doesmycode.work).
+You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.app).
 
 ## Contributing
 
@@ -42,9 +42,17 @@ All contributions to the codebase are welcome! If you have any recommendations o
 
 Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.
 
+## Sponsors
+
+Thanks a lot to the following people for providing me with more coffee:
+
+| <img height="64" src="https://avatars.githubusercontent.com/u/47644445?v=4" alt="Nicolas"> | <img height="64" src="https://avatars.githubusercontent.com/u/4255748?v=4" alt="Erwin"> |
+| ------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
+| <div align="center"><a href="https://github.com/nicotsx">Nicolas</a></div>                 | <div align="center"><a href="https://github.com/erwinkramer">Erwin</a></div>            |
+
 ## Acknowledgements
 
 Credits for the logo of this app go to:
 
-- **Freepik** for providing the police hat and logo.
+- **Freepik** for providing the police hat and badge.
 - **Renee French** for the original gopher logo.

air.toml

@@ -0,0 +1,24 @@
+root = "/tinyauth"
+tmp_dir = "tmp"
+
+[build]
+pre_cmd = ["go mod tidy"]
+cmd = "go build -o ./tmp/tinyauth ."
+bin = "tmp/tinyauth"
+include_ext = ["go"]
+exclude_dir = ["internal/assets/dist"]
+exclude_regex = [".*_test\\.go"]
+stop_on_error = true
+
+[color]
+main = "magenta"
+watcher = "cyan"
+build = "yellow"
+runner = "green"
+
+[misc]
+clean_on_exit = true
+
+[screen]
+clear_on_rebuild = false
+keep_scroll = true

assets/discohook.json

@@ -3,8 +3,8 @@
   "embeds": [
     {
       "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.doesmycode.work>",
-      "url": "https://tinyauth.doesmycode.work",
+      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
+      "url": "https://tinyauth.app",
       "color": 7002085,
       "author": {
         "name": "Tinyauth"
@@ -12,11 +12,11 @@
       "footer": {
         "text": "Updated at"
       },
-      "timestamp": "2025-02-06T22:00:00.000Z",
+      "timestamp": "2025-03-10T19:00:00.000Z",
       "thumbnail": {
         "url": "https://github.com/steveiliop56/tinyauth/blob/main/site/public/logo.png?raw=true"
       }
     }
   ],
   "attachments": []
-}
+}

cmd/root.go

@@ -2,14 +2,17 @@ package cmd
 
 import (
 	"errors"
+	"fmt"
 	"os"
 	"strings"
 	"time"
-	cmd "tinyauth/cmd/user"
+	totpCmd "tinyauth/cmd/totp"
+	userCmd "tinyauth/cmd/user"
 	"tinyauth/internal/api"
 	"tinyauth/internal/assets"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/docker"
+	"tinyauth/internal/handlers"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
@@ -32,8 +35,8 @@ var rootCmd = &cobra.Command{
 
 		// Get config
 		var config types.Config
-		parseErr := viper.Unmarshal(&config)
-		HandleError(parseErr, "Failed to parse config")
+		err := viper.Unmarshal(&config)
+		HandleError(err, "Failed to parse config")
 
 		// Secrets
 		config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
@@ -44,8 +47,8 @@ var rootCmd = &cobra.Command{
 
 		// Validate config
 		validator := validator.New()
-		validateErr := validator.Struct(config)
-		HandleError(validateErr, "Failed to validate config")
+		err = validator.Struct(config)
+		HandleError(err, "Failed to validate config")
 
 		// Logger
 		log.Logger = log.Level(zerolog.Level(config.LogLevel))
@@ -53,18 +56,26 @@ var rootCmd = &cobra.Command{
 
 		// Users
 		log.Info().Msg("Parsing users")
-		users, usersErr := utils.GetUsers(config.Users, config.UsersFile)
-
-		HandleError(usersErr, "Failed to parse users")
+		users, err := utils.GetUsers(config.Users, config.UsersFile)
+		HandleError(err, "Failed to parse users")
 
 		if len(users) == 0 && !utils.OAuthConfigured(config) {
 			HandleError(errors.New("no users or OAuth configured"), "No users or OAuth configured")
 		}
 
 		// Create oauth whitelist
-		oauthWhitelist := strings.Split(config.OAuthWhitelist, ",")
+		oauthWhitelist := utils.Filter(strings.Split(config.OAuthWhitelist, ","), func(val string) bool {
+			return val != ""
+		})
+
 		log.Debug().Msg("Parsed OAuth whitelist")
 
+		// Get domain
+		log.Debug().Msg("Getting domain")
+		domain, err := utils.GetUpperDomain(config.AppURL)
+		HandleError(err, "Failed to get upper domain")
+		log.Info().Str("domain", domain).Msg("Using domain for cookie store")
+
 		// Create OAuth config
 		oauthConfig := types.OAuthConfig{
 			GithubClientId:        config.GithubClientId,
@@ -82,14 +93,32 @@ var rootCmd = &cobra.Command{
 			AppURL:                config.AppURL,
 		}
 
-		log.Debug().Msg("Parsed OAuth config")
+		// Create handlers config
+		serverConfig := types.HandlersConfig{
+			AppURL:          config.AppURL,
+			Domain:          fmt.Sprintf(".%s", domain),
+			CookieSecure:    config.CookieSecure,
+			DisableContinue: config.DisableContinue,
+			Title:           config.Title,
+			GenericName:     config.GenericName,
+		}
+
+		// Create api config
+		apiConfig := types.APIConfig{
+			Port:          config.Port,
+			Address:       config.Address,
+			Secret:        config.Secret,
+			CookieSecure:  config.CookieSecure,
+			SessionExpiry: config.SessionExpiry,
+			Domain:        domain,
+		}
 
 		// Create docker service
 		docker := docker.NewDocker()
 
 		// Initialize docker
-		dockerErr := docker.Init()
-		HandleError(dockerErr, "Failed to initialize docker")
+		err = docker.Init()
+		HandleError(err, "Failed to initialize docker")
 
 		// Create auth service
 		auth := auth.NewAuth(docker, users, oauthWhitelist, config.SessionExpiry)
@@ -103,16 +132,11 @@ var rootCmd = &cobra.Command{
 		// Create hooks service
 		hooks := hooks.NewHooks(auth, providers)
 
+		// Create handlers
+		handlers := handlers.NewHandlers(serverConfig, auth, hooks, providers)
+
 		// Create API
-		api := api.NewAPI(types.APIConfig{
-			Port:            config.Port,
-			Address:         config.Address,
-			Secret:          config.Secret,
-			AppURL:          config.AppURL,
-			CookieSecure:    config.CookieSecure,
-			DisableContinue: config.DisableContinue,
-			CookieExpiry:    config.SessionExpiry,
-		}, hooks, auth, providers)
+		api := api.NewAPI(apiConfig, handlers)
 
 		// Setup routes
 		api.Init()
@@ -129,7 +153,7 @@ func Execute() {
 }
 
 func HandleError(err error, msg string) {
-	// If error log it and exit
+	// If error, log it and exit
 	if err != nil {
 		log.Fatal().Err(err).Msg(msg)
 	}
@@ -137,7 +161,10 @@ func HandleError(err error, msg string) {
 
 func init() {
 	// Add user command
-	rootCmd.AddCommand(cmd.UserCmd())
+	rootCmd.AddCommand(userCmd.UserCmd())
+
+	// Add totp command
+	rootCmd.AddCommand(totpCmd.TotpCmd())
 
 	// Read environment variables
 	viper.AutomaticEnv()
@@ -167,10 +194,12 @@ func init() {
 	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
 	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
 	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
+	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
 	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
 	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
 	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
 	rootCmd.Flags().Int("log-level", 1, "Log level.")
+	rootCmd.Flags().String("app-title", "Tinyauth", "Title of the app.")
 
 	// Bind flags to environment
 	viper.BindEnv("port", "PORT")
@@ -197,10 +226,12 @@ func init() {
 	viper.BindEnv("generic-auth-url", "GENERIC_AUTH_URL")
 	viper.BindEnv("generic-token-url", "GENERIC_TOKEN_URL")
 	viper.BindEnv("generic-user-url", "GENERIC_USER_URL")
+	viper.BindEnv("generic-name", "GENERIC_NAME")
 	viper.BindEnv("disable-continue", "DISABLE_CONTINUE")
 	viper.BindEnv("oauth-whitelist", "OAUTH_WHITELIST")
 	viper.BindEnv("session-expiry", "SESSION_EXPIRY")
 	viper.BindEnv("log-level", "LOG_LEVEL")
+	viper.BindEnv("app-title", "APP_TITLE")
 
 	// Bind flags to viper
 	viper.BindPFlags(rootCmd.Flags())

cmd/totp/generate/generate.go

@@ -0,0 +1,121 @@
+package generate
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"tinyauth/internal/utils"
+
+	"github.com/charmbracelet/huh"
+	"github.com/mdp/qrterminal/v3"
+	"github.com/pquerna/otp/totp"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+// Interactive flag
+var interactive bool
+
+// Input user
+var iUser string
+
+var GenerateCmd = &cobra.Command{
+	Use:   "generate",
+	Short: "Generate a totp secret",
+	Run: func(cmd *cobra.Command, args []string) {
+		// Setup logger
+		log.Logger = log.Level(zerolog.InfoLevel)
+
+		// Use simple theme
+		var baseTheme *huh.Theme = huh.ThemeBase()
+
+		// Interactive
+		if interactive {
+			// Create huh form
+			form := huh.NewForm(
+				huh.NewGroup(
+					huh.NewInput().Title("Current username:hash").Value(&iUser).Validate((func(s string) error {
+						if s == "" {
+							return errors.New("user cannot be empty")
+						}
+						return nil
+					})),
+				),
+			)
+
+			// Run form
+			err := form.WithTheme(baseTheme).Run()
+
+			if err != nil {
+				log.Fatal().Err(err).Msg("Form failed")
+			}
+		}
+
+		// Parse user
+		user, err := utils.ParseUser(iUser)
+
+		if err != nil {
+			log.Fatal().Err(err).Msg("Failed to parse user")
+		}
+
+		// Check if user was using docker escape
+		dockerEscape := false
+
+		if strings.Contains(iUser, "$$") {
+			dockerEscape = true
+		}
+
+		// Check it has totp
+		if user.TotpSecret != "" {
+			log.Fatal().Msg("User already has a totp secret")
+		}
+
+		// Generate totp secret
+		key, err := totp.Generate(totp.GenerateOpts{
+			Issuer:      "Tinyauth",
+			AccountName: user.Username,
+		})
+
+		if err != nil {
+			log.Fatal().Err(err).Msg("Failed to generate totp secret")
+		}
+
+		// Create secret
+		secret := key.Secret()
+
+		// Print secret and image
+		log.Info().Str("secret", secret).Msg("Generated totp secret")
+
+		// Print QR code
+		log.Info().Msg("Generated QR code")
+
+		config := qrterminal.Config{
+			Level:     qrterminal.L,
+			Writer:    os.Stdout,
+			BlackChar: qrterminal.BLACK,
+			WhiteChar: qrterminal.WHITE,
+			QuietZone: 2,
+		}
+
+		qrterminal.GenerateWithConfig(key.URL(), config)
+
+		// Add the secret to the user
+		user.TotpSecret = secret
+
+		// If using docker escape re-escape it
+		if dockerEscape {
+			user.Password = strings.ReplaceAll(user.Password, "$", "$$")
+		}
+
+		// Print success
+		log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+	},
+}
+
+func init() {
+	// Add interactive flag
+	GenerateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Run in interactive mode")
+	GenerateCmd.Flags().StringVar(&iUser, "user", "", "Your current username:hash")
+}

cmd/totp/totp.go

@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"tinyauth/cmd/totp/generate"
+
+	"github.com/spf13/cobra"
+)
+
+func TotpCmd() *cobra.Command {
+	// Create the totp command
+	totpCmd := &cobra.Command{
+		Use:   "totp",
+		Short: "Totp utilities",
+		Long:  `Utilities for creating and verifying totp codes.`,
+	}
+
+	// Add the generate command
+	totpCmd.AddCommand(generate.GenerateCmd)
+
+	// Return the totp command
+	return totpCmd
+}

cmd/user/create/create.go

@@ -12,7 +12,10 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+// Interactive flag
 var interactive bool
+
+// Docker flag
 var docker bool
 
 // i stands for input
@@ -51,25 +54,25 @@ var CreateCmd = &cobra.Command{
 			// Use simple theme
 			var baseTheme *huh.Theme = huh.ThemeBase()
 
-			formErr := form.WithTheme(baseTheme).Run()
+			err := form.WithTheme(baseTheme).Run()
 
-			if formErr != nil {
-				log.Fatal().Err(formErr).Msg("Form failed")
+			if err != nil {
+				log.Fatal().Err(err).Msg("Form failed")
 			}
 		}
 
 		// Do we have username and password?
 		if iUsername == "" || iPassword == "" {
-			log.Error().Msg("Username and password cannot be empty")
+			log.Fatal().Err(errors.New("error invalid input")).Msg("Username and password cannot be empty")
 		}
 
 		log.Info().Str("username", iUsername).Str("password", iPassword).Bool("docker", docker).Msg("Creating user")
 
 		// Hash password
-		password, passwordErr := bcrypt.GenerateFromPassword([]byte(iPassword), bcrypt.DefaultCost)
+		password, err := bcrypt.GenerateFromPassword([]byte(iPassword), bcrypt.DefaultCost)
 
-		if passwordErr != nil {
-			log.Fatal().Err(passwordErr).Msg("Failed to hash password")
+		if err != nil {
+			log.Fatal().Err(err).Msg("Failed to hash password")
 		}
 
 		// Convert password to string

cmd/user/verify/verify.go

@@ -2,37 +2,45 @@ package verify
 
 import (
 	"errors"
-	"strings"
+	"tinyauth/internal/utils"
 
 	"github.com/charmbracelet/huh"
+	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
 )
 
+// Interactive flag
 var interactive bool
+
+// Docker flag
 var docker bool
 
 // i stands for input
 var iUsername string
 var iPassword string
+var iTotp string
 var iUser string
 
 var VerifyCmd = &cobra.Command{
 	Use:   "verify",
 	Short: "Verify a user is set up correctly",
-	Long:  `Verify a user is set up correctly meaning that it has a correct username and password.`,
+	Long:  `Verify a user is set up correctly meaning that it has a correct username, password and totp code.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		// Setup logger
 		log.Logger = log.Level(zerolog.InfoLevel)
 
+		// Use simple theme
+		var baseTheme *huh.Theme = huh.ThemeBase()
+
 		// Check if interactive
 		if interactive {
 			// Create huh form
 			form := huh.NewForm(
 				huh.NewGroup(
-					huh.NewInput().Title("User (username:hash)").Value(&iUser).Validate((func(s string) error {
+					huh.NewInput().Title("User (username:hash:totp)").Value(&iUser).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("user cannot be empty")
 						}
@@ -50,47 +58,56 @@ var VerifyCmd = &cobra.Command{
 						}
 						return nil
 					})),
-					huh.NewSelect[bool]().Title("Is the user formatted for docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&docker),
+					huh.NewInput().Title("Totp Code (if setup)").Value(&iTotp),
 				),
 			)
 
-			// Use simple theme
-			var baseTheme *huh.Theme = huh.ThemeBase()
+			// Run form
+			err := form.WithTheme(baseTheme).Run()
 
-			formErr := form.WithTheme(baseTheme).Run()
-
-			if formErr != nil {
-				log.Fatal().Err(formErr).Msg("Form failed")
+			if err != nil {
+				log.Fatal().Err(err).Msg("Form failed")
 			}
 		}
 
-		// Do we have username, password and user?
-		if iUsername == "" || iPassword == "" || iUser == "" {
-			log.Fatal().Msg("Username, password and user cannot be empty")
+		// Parse user
+		user, err := utils.ParseUser(iUser)
+
+		if err != nil {
+			log.Fatal().Err(err).Msg("Failed to parse user")
 		}
 
-		log.Info().Str("user", iUser).Str("username", iUsername).Str("password", iPassword).Bool("docker", docker).Msg("Verifying user")
+		// Compare username
+		if user.Username != iUsername {
+			log.Fatal().Msg("Username is incorrect")
+		}
 
-		// Split username and password hash
-		username, hash, ok := strings.Cut(iUser, ":")
+		// Compare password
+		err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(iPassword))
+
+		if err != nil {
+			log.Fatal().Msg("Ppassword is incorrect")
+		}
+
+		// Check if user has 2fa code
+		if user.TotpSecret == "" {
+			if iTotp != "" {
+				log.Warn().Msg("User does not have 2fa secret")
+			}
+			log.Info().Msg("User verified")
+			return
+		}
+
+		// Check totp code
+		ok := totp.Validate(iTotp, user.TotpSecret)
 
 		if !ok {
-			log.Fatal().Msg("User is not formatted correctly")
+			log.Fatal().Msg("Totp code incorrect")
+
 		}
 
-		// Replace $$ with $ if formatted for docker
-		if docker {
-			hash = strings.ReplaceAll(hash, "$$", "$")
-		}
-
-		// Compare username and password
-		verifyErr := bcrypt.CompareHashAndPassword([]byte(hash), []byte(iPassword))
-
-		if verifyErr != nil || username != iUsername {
-			log.Fatal().Msg("Username or password incorrect")
-		} else {
-			log.Info().Msg("Verification successful")
-		}
+		// Done
+		log.Info().Msg("User verified")
 	},
 }
 
@@ -100,5 +117,6 @@ func init() {
 	VerifyCmd.Flags().BoolVar(&docker, "docker", false, "Is the user formatted for docker?")
 	VerifyCmd.Flags().StringVar(&iUsername, "username", "", "Username")
 	VerifyCmd.Flags().StringVar(&iPassword, "password", "", "Password")
-	VerifyCmd.Flags().StringVar(&iUser, "user", "", "Hash (username:hash combination)")
+	VerifyCmd.Flags().StringVar(&iTotp, "totp", "", "Totp code")
+	VerifyCmd.Flags().StringVar(&iUser, "user", "", "Hash (username:hash:totp combination)")
 }

docker-compose.dev.yml

@@ -8,26 +8,41 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
-  nginx:
-    container_name: nginx
-    image: nginx:latest
+  whoami:
+    container_name: whoami
+    image: traefik/whoami:latest
     labels:
       traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`nginx.dev.local`)
+      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
       traefik.http.services.nginx.loadbalancer.server.port: 80
       traefik.http.routers.nginx.middlewares: tinyauth
 
-  tinyauth:
-    container_name: tinyauth
+  tinyauth-frontend:
+    container_name: tinyauth-frontend
     build:
       context: .
-      dockerfile: Dockerfile
-    environment:
-      - SECRET=some-random-32-chars-string
-      - APP_URL=http://tinyauth.dev.local
-      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+      dockerfile: site/Dockerfile.dev
+    volumes:
+      - ./site/src:/site/src
+    ports:
+      - 5173:5173
     labels:
       traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.dev.local`)
-      traefik.http.services.tinyauth.loadbalancer.server.port: 3000
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
+      traefik.http.services.tinyauth.loadbalancer.server.port: 5173
+
+  tinyauth-backend:
+    container_name: tinyauth-backend
+    build:
+      context: .
+      dockerfile: Dockerfile.dev
+    env_file: .env
+    volumes:
+      - ./internal:/tinyauth/internal
+      - ./cmd:/tinyauth/cmd
+      - ./main.go:/tinyauth/main.go
+    ports:
+      - 3000:3000
+    labels:
+      traefik.enable: true
+      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth-backend:3000/api/auth/traefik

docker-compose.example.yml

@@ -8,18 +8,18 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
-  nginx:
-    container_name: nginx
-    image: nginx:latest
+  whoami:
+    container_name: whoami
+    image: traefik/whoami:latest
     labels:
       traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`nginx.example.com`)
+      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
       traefik.http.services.nginx.loadbalancer.server.port: 80
       traefik.http.routers.nginx.middlewares: tinyauth
 
   tinyauth:
     container_name: tinyauth
-    image: ghcr.io/steveiliop56/tinyauth:latest
+    image: ghcr.io/steveiliop56/tinyauth:v3
     environment:
       - SECRET=some-random-32-chars-string
       - APP_URL=https://tinyauth.example.com
@@ -28,4 +28,4 @@ services:
       traefik.enable: true
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
       traefik.http.services.tinyauth.loadbalancer.server.port: 3000
-      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth
+      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

go.mod

@@ -7,29 +7,43 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-playground/validator/v10 v10.24.0
 	github.com/google/go-querystring v1.1.0
+	github.com/mdp/qrterminal/v3 v3.2.0
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
 	golang.org/x/crypto v0.32.0
 )
 
+require (
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	gotest.tools/v3 v3.5.2 // indirect
+	rsc.io/qr v0.2.0 // indirect
+)
+
 require (
 	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/sonic v1.12.7 // indirect
 	github.com/bytedance/sonic/loader v0.2.3 // indirect
 	github.com/catppuccin/go v0.2.0 // indirect
 	github.com/charmbracelet/bubbles v0.20.0 // indirect
 	github.com/charmbracelet/bubbletea v1.1.0 // indirect
-	github.com/charmbracelet/huh v0.6.0 // indirect
+	github.com/charmbracelet/huh v0.6.0
 	github.com/charmbracelet/lipgloss v0.13.0 // indirect
 	github.com/charmbracelet/x/ansi v0.2.3 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.0 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v27.5.1+incompatible // indirect
+	github.com/docker/docker v27.5.1+incompatible
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
@@ -38,7 +52,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/gin-contrib/sse v1.0.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
@@ -53,7 +67,7 @@ require (
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.7
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
@@ -70,6 +84,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pquerna/otp v1.4.0
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -81,15 +96,15 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.34.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect

go.sum

@@ -1,9 +1,16 @@
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
+github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bytedance/sonic v1.12.7 h1:CQU8pxOy9HToxhndH0Kx/S1qU/CuS9GnKYrGioDcU1Q=
 github.com/bytedance/sonic v1.12.7/go.mod h1:tnbal4mxOMju17EGfknm2XyYcpyCnIROYOEYuemj13I=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
@@ -11,6 +18,8 @@ github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wio
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/catppuccin/go v0.2.0 h1:ktBeIrIP42b/8FGiScP9sgrWOss3lw0Z5SktRoithGA=
 github.com/catppuccin/go v0.2.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
 github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
 github.com/charmbracelet/bubbletea v1.1.0 h1:FjAl9eAL3HBCHenhz/ZPjkKdScmaS5SK69JAK2YJK9c=
@@ -28,6 +37,8 @@ github.com/charmbracelet/x/term v0.2.0/go.mod h1:GVxgxAbjUrmpvIINHIQnJJKpMlHiZ4c
 github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
 github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -61,8 +72,8 @@ github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9S
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -79,19 +90,23 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/context v1.1.2 h1:WRkNAv2uoa03QNIc1A6u4O7DAGMUVoopZhkiXWA2V1o=
 github.com/gorilla/context v1.1.2/go.mod h1:KDPwT9i/MeWHiLl90fuTgrt4/wPcv75vFAZLaOOcbxM=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
 github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -126,17 +141,23 @@ github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2J
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mdp/qrterminal/v3 v3.2.0 h1:qteQMXO3oyTK4IHwj2mWsKYYRBOp1Pj2WRYFYYNTCdk=
+github.com/mdp/qrterminal/v3 v3.2.0/go.mod h1:XGGuua4Lefrl7TLEsSONiD+UEjQXJZ4mPzF+gWYIJkk=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -155,11 +176,13 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -169,6 +192,8 @@ github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgY
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
@@ -203,14 +228,24 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
-go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
-go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
-go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
-go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
-go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
-go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 h1:BEj3SPM81McUZHYjRS5pEgNgnmzGJ5tRpU5krWnV8Bs=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0/go.mod h1:9cKLGBDzI/F3NoHLQGm4ZrYdIHsvGt6ej6hUowxY0J4=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
@@ -250,10 +285,14 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -262,14 +301,25 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
+google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f h1:gap6+3Gk41EItBuyi4XX/bp4oqJ3UwuIMl25yGinuAA=
+google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:Ic02D47M+zbarjYYUlK57y316f2MoN0gjAwI3f2S95o=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
+google.golang.org/grpc v1.69.4 h1:MF5TftSMkd8GLw/m0KM6V8CMOCY6NZ1NQDPGFgbTt4A=
+google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
 google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
+rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=

internal/api/api.go

@@ -3,41 +3,30 @@ package api
 import (
 	"fmt"
 	"io/fs"
-	"math/rand/v2"
 	"net/http"
-	"os"
 	"strings"
 	"time"
 	"tinyauth/internal/assets"
-	"tinyauth/internal/auth"
-	"tinyauth/internal/hooks"
-	"tinyauth/internal/providers"
+	"tinyauth/internal/handlers"
 	"tinyauth/internal/types"
-	"tinyauth/internal/utils"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/cookie"
 	"github.com/gin-gonic/gin"
-	"github.com/google/go-querystring/query"
 	"github.com/rs/zerolog/log"
 )
 
-func NewAPI(config types.APIConfig, hooks *hooks.Hooks, auth *auth.Auth, providers *providers.Providers) *API {
+func NewAPI(config types.APIConfig, handlers *handlers.Handlers) *API {
 	return &API{
-		Config:    config,
-		Hooks:     hooks,
-		Auth:      auth,
-		Providers: providers,
+		Config:   config,
+		Handlers: handlers,
 	}
 }
 
 type API struct {
-	Config    types.APIConfig
-	Router    *gin.Engine
-	Hooks     *hooks.Hooks
-	Auth      *auth.Auth
-	Providers *providers.Providers
-	Domain    string
+	Config   types.APIConfig
+	Router   *gin.Engine
+	Handlers *handlers.Handlers
 }
 
 func (api *API) Init() {
@@ -51,10 +40,10 @@ func (api *API) Init() {
 
 	// Read UI assets
 	log.Debug().Msg("Setting up assets")
-	dist, distErr := fs.Sub(assets.Assets, "dist")
+	dist, err := fs.Sub(assets.Assets, "dist")
 
-	if distErr != nil {
-		log.Fatal().Err(distErr).Msg("Failed to get UI assets")
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to get UI assets")
 	}
 
 	// Create file server
@@ -65,26 +54,13 @@ func (api *API) Init() {
 	log.Debug().Msg("Setting up cookie store")
 	store := cookie.NewStore([]byte(api.Config.Secret))
 
-	// Get domain to use for session cookies
-	log.Debug().Msg("Getting domain")
-	domain, domainErr := utils.GetRootURL(api.Config.AppURL)
-
-	if domainErr != nil {
-		log.Fatal().Err(domainErr).Msg("Failed to get domain")
-		os.Exit(1)
-	}
-
-	log.Info().Str("domain", domain).Msg("Using domain for cookies")
-
-	api.Domain = fmt.Sprintf(".%s", domain)
-
 	// Use session middleware
 	store.Options(sessions.Options{
-		Domain:   api.Domain,
+		Domain:   api.Config.Domain,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   api.Config.CookieSecure,
-		MaxAge:   api.Config.CookieExpiry,
+		MaxAge:   api.Config.SessionExpiry,
 	})
 
 	router.Use(sessions.Sessions("tinyauth", store))
@@ -93,17 +69,7 @@ func (api *API) Init() {
 	router.Use(func(c *gin.Context) {
 		// If not an API request, serve the UI
 		if !strings.HasPrefix(c.Request.URL.Path, "/api") {
-			_, err := fs.Stat(dist, strings.TrimPrefix(c.Request.URL.Path, "/"))
-
-			// If the file doesn't exist, serve the index.html
-			if os.IsNotExist(err) {
-				c.Request.URL.Path = "/"
-			}
-
-			// Serve the file
 			fileServer.ServeHTTP(c.Writer, c.Request)
-
-			// Stop further processing
 			c.Abort()
 		}
 	})
@@ -113,478 +79,36 @@ func (api *API) Init() {
 }
 
 func (api *API) SetupRoutes() {
-	api.Router.GET("/api/auth/:proxy", func(c *gin.Context) {
-		// Create struct for proxy
-		var proxy types.Proxy
+	// Proxy
+	api.Router.GET("/api/auth/:proxy", api.Handlers.AuthHandler)
 
-		// Bind URI
-		bindErr := c.BindUri(&proxy)
+	// Auth
+	api.Router.POST("/api/login", api.Handlers.LoginHandler)
+	api.Router.POST("/api/totp", api.Handlers.TotpHandler)
+	api.Router.POST("/api/logout", api.Handlers.LogoutHandler)
 
-		// Handle error
-		if bindErr != nil {
-			log.Error().Err(bindErr).Msg("Failed to bind URI")
-			c.JSON(400, gin.H{
-				"status":  400,
-				"message": "Bad Request",
-			})
-			return
-		}
+	// Context
+	api.Router.GET("/api/app", api.Handlers.AppHandler)
+	api.Router.GET("/api/user", api.Handlers.UserHandler)
 
-		log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
+	// OAuth
+	api.Router.GET("/api/oauth/url/:provider", api.Handlers.OauthUrlHandler)
+	api.Router.GET("/api/oauth/callback/:provider", api.Handlers.OauthCallbackHandler)
 
-		// Get user context
-		userContext := api.Hooks.UseUserContext(c)
-
-		// Check if using basic auth
-		_, _, basicAuth := c.Request.BasicAuth()
-
-		// Get headers
-		uri := c.Request.Header.Get("X-Forwarded-Uri")
-		proto := c.Request.Header.Get("X-Forwarded-Proto")
-		host := c.Request.Header.Get("X-Forwarded-Host")
-
-		// Check if user is logged in
-		if userContext.IsLoggedIn {
-			log.Debug().Msg("Authenticated")
-
-			// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
-			appAllowed, appAllowedErr := api.Auth.ResourceAllowed(userContext, host)
-
-			// Check if there was an error
-			if appAllowedErr != nil {
-				// Return 501 if nginx is the proxy or if the request is using basic auth
-				if proxy.Proxy == "nginx" || basicAuth {
-					log.Error().Err(appAllowedErr).Msg("Failed to check if app is allowed")
-					c.JSON(501, gin.H{
-						"status":  501,
-						"message": "Internal Server Error",
-					})
-					return
-				}
-
-				// Return the internal server error page
-				if api.handleError(c, "Failed to check if app is allowed", appAllowedErr) {
-					return
-				}
-			}
-
-			log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
-
-			// The user is not allowed to access the app
-			if !appAllowed {
-				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
-
-				// Return 401 if nginx is the proxy or if the request is using an Authorization header
-				if proxy.Proxy == "nginx" || basicAuth {
-					c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-					c.JSON(401, gin.H{
-						"status":  401,
-						"message": "Unauthorized",
-					})
-					return
-				}
-
-				// Build query
-				queries, queryErr := query.Values(types.UnauthorizedQuery{
-					Username: userContext.Username,
-					Resource: strings.Split(host, ".")[0],
-				})
-
-				// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
-				if api.handleError(c, "Failed to build query", queryErr) {
-					return
-				}
-
-				// We are using caddy/traefik so redirect
-				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, queries.Encode()))
-
-				// Stop further processing
-				return
-			}
-
-			// The user is allowed to access the app
-			c.JSON(200, gin.H{
-				"status":  200,
-				"message": "Authenticated",
-			})
-
-			// Stop further processing
-			return
-		}
-
-		// The user is not logged in
-		log.Debug().Msg("Unauthorized")
-
-		// Return 401 if nginx is the proxy or if the request is using an Authorization header
-		if proxy.Proxy == "nginx" || basicAuth {
-			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-
-		// Build query
-		queries, queryErr := query.Values(types.LoginQuery{
-			RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
-		})
-
-		// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
-		if api.handleError(c, "Failed to build query", queryErr) {
-			return
-		}
-
-		log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
-
-		// Redirect to login
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", api.Config.AppURL, queries.Encode()))
-	})
-
-	api.Router.POST("/api/login", func(c *gin.Context) {
-		// Create login struct
-		var login types.LoginRequest
-
-		// Bind JSON
-		err := c.BindJSON(&login)
-
-		// Handle error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to bind JSON")
-			c.JSON(400, gin.H{
-				"status":  400,
-				"message": "Bad Request",
-			})
-			return
-		}
-
-		log.Debug().Msg("Got login request")
-
-		// Get user based on username
-		user := api.Auth.GetUser(login.Username)
-
-		// User does not exist
-		if user == nil {
-			log.Debug().Str("username", login.Username).Msg("User not found")
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-
-		log.Debug().Msg("Got user")
-
-		// Check if password is correct
-		if !api.Auth.CheckPassword(*user, login.Password) {
-			log.Debug().Str("username", login.Username).Msg("Password incorrect")
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-
-		log.Debug().Msg("Password correct, logging in")
-
-		// Create session cookie with username as provider
-		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
-			Username: login.Username,
-			Provider: "username",
-		})
-
-		// Return logged in
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "Logged in",
-		})
-	})
-
-	api.Router.POST("/api/logout", func(c *gin.Context) {
-		log.Debug().Msg("Logging out")
-
-		// Delete session cookie
-		api.Auth.DeleteSessionCookie(c)
-
-		log.Debug().Msg("Cleaning up redirect cookie")
-
-		// Clean up redirect cookie if it exists
-		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
-
-		// Return logged out
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "Logged out",
-		})
-	})
-
-	api.Router.GET("/api/status", func(c *gin.Context) {
-		log.Debug().Msg("Checking status")
-
-		// Get user context
-		userContext := api.Hooks.UseUserContext(c)
-
-		// Get configured providers
-		configuredProviders := api.Providers.GetConfiguredProviders()
-
-		// We have username/password configured so add it to our providers
-		if api.Auth.UserAuthConfigured() {
-			configuredProviders = append(configuredProviders, "username")
-		}
-
-		// We are not logged in so return unauthorized
-		if !userContext.IsLoggedIn {
-			log.Debug().Msg("Unauthorized")
-			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
-			c.JSON(200, gin.H{
-				"status":              200,
-				"message":             "Unauthorized",
-				"username":            "",
-				"isLoggedIn":          false,
-				"oauth":               false,
-				"provider":            "",
-				"configuredProviders": configuredProviders,
-				"disableContinue":     api.Config.DisableContinue,
-			})
-			return
-		}
-
-		log.Debug().Interface("userContext", userContext).Strs("configuredProviders", configuredProviders).Bool("disableContinue", api.Config.DisableContinue).Msg("Authenticated")
-
-		// We are logged in so return our user context
-		c.JSON(200, gin.H{
-			"status":              200,
-			"message":             "Authenticated",
-			"username":            userContext.Username,
-			"isLoggedIn":          userContext.IsLoggedIn,
-			"oauth":               userContext.OAuth,
-			"provider":            userContext.Provider,
-			"configuredProviders": configuredProviders,
-			"disableContinue":     api.Config.DisableContinue,
-		})
-	})
-
-	api.Router.GET("/api/oauth/url/:provider", func(c *gin.Context) {
-		// Create struct for OAuth request
-		var request types.OAuthRequest
-
-		// Bind URI
-		bindErr := c.BindUri(&request)
-
-		// Handle error
-		if bindErr != nil {
-			log.Error().Err(bindErr).Msg("Failed to bind URI")
-			c.JSON(400, gin.H{
-				"status":  400,
-				"message": "Bad Request",
-			})
-			return
-		}
-
-		log.Debug().Msg("Got OAuth request")
-
-		// Check if provider exists
-		provider := api.Providers.GetProvider(request.Provider)
-
-		// Provider does not exist
-		if provider == nil {
-			c.JSON(404, gin.H{
-				"status":  404,
-				"message": "Not Found",
-			})
-			return
-		}
-
-		log.Debug().Str("provider", request.Provider).Msg("Got provider")
-
-		// Get auth URL
-		authURL := provider.GetAuthURL()
-
-		log.Debug().Msg("Got auth URL")
-
-		// Get redirect URI
-		redirectURI := c.Query("redirect_uri")
-
-		// Set redirect cookie if redirect URI is provided
-		if redirectURI != "" {
-			log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
-			c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", api.Domain, api.Config.CookieSecure, true)
-		}
-
-		// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
-		if request.Provider == "tailscale" {
-			// Build tailscale query
-			tailscaleQuery, tailscaleQueryErr := query.Values(types.TailscaleQuery{
-				Code: (1000 + rand.IntN(9000)),
-			})
-
-			// Handle error
-			if tailscaleQueryErr != nil {
-				log.Error().Err(tailscaleQueryErr).Msg("Failed to build query")
-				c.JSON(500, gin.H{
-					"status":  500,
-					"message": "Internal Server Error",
-				})
-				return
-			}
-
-			// Return tailscale URL (immidiately redirects to the callback)
-			c.JSON(200, gin.H{
-				"status":  200,
-				"message": "Ok",
-				"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", api.Config.AppURL, tailscaleQuery.Encode()),
-			})
-			return
-		}
-
-		// Return auth URL
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "Ok",
-			"url":     authURL,
-		})
-	})
-
-	api.Router.GET("/api/oauth/callback/:provider", func(c *gin.Context) {
-		// Create struct for OAuth request
-		var providerName types.OAuthRequest
-
-		// Bind URI
-		bindErr := c.BindUri(&providerName)
-
-		// Handle error
-		if api.handleError(c, "Failed to bind URI", bindErr) {
-			return
-		}
-
-		log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
-
-		// Get code
-		code := c.Query("code")
-
-		// Code empty so redirect to error
-		if code == "" {
-			log.Error().Msg("No code provided")
-			c.Redirect(http.StatusPermanentRedirect, "/error")
-			return
-		}
-
-		log.Debug().Msg("Got code")
-
-		// Get provider
-		provider := api.Providers.GetProvider(providerName.Provider)
-
-		log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
-
-		// Provider does not exist
-		if provider == nil {
-			c.Redirect(http.StatusPermanentRedirect, "/not-found")
-			return
-		}
-
-		// Exchange token (authenticates user)
-		_, tokenErr := provider.ExchangeToken(code)
-
-		log.Debug().Msg("Got token")
-
-		// Handle error
-		if api.handleError(c, "Failed to exchange token", tokenErr) {
-			return
-		}
-
-		// Get email
-		email, emailErr := api.Providers.GetUser(providerName.Provider)
-
-		log.Debug().Str("email", email).Msg("Got email")
-
-		// Handle error
-		if api.handleError(c, "Failed to get user", emailErr) {
-			return
-		}
-
-		// Email is not whitelisted
-		if !api.Auth.EmailWhitelisted(email) {
-			log.Warn().Str("email", email).Msg("Email not whitelisted")
-
-			// Build query
-			unauthorizedQuery, unauthorizedQueryErr := query.Values(types.UnauthorizedQuery{
-				Username: email,
-			})
-
-			// Handle error
-			if api.handleError(c, "Failed to build query", unauthorizedQueryErr) {
-				return
-			}
-
-			// Redirect to unauthorized
-			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, unauthorizedQuery.Encode()))
-		}
-
-		log.Debug().Msg("Email whitelisted")
-
-		// Create session cookie
-		api.Auth.CreateSessionCookie(c, &types.SessionCookie{
-			Username: email,
-			Provider: providerName.Provider,
-		})
-
-		// Get redirect URI
-		redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
-
-		// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
-		if redirectURIErr != nil {
-			c.JSON(200, gin.H{
-				"status":  200,
-				"message": "Logged in",
-			})
-		}
-
-		log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
-
-		// Clean up redirect cookie since we already have the value
-		c.SetCookie("tinyauth_redirect_uri", "", -1, "/", api.Domain, api.Config.CookieSecure, true)
-
-		// Build query
-		redirectQuery, redirectQueryErr := query.Values(types.LoginQuery{
-			RedirectURI: redirectURI,
-		})
-
-		log.Debug().Msg("Got redirect query")
-
-		// Handle error
-		if api.handleError(c, "Failed to build query", redirectQueryErr) {
-			return
-		}
-
-		// Redirect to continue with the redirect URI
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", api.Config.AppURL, redirectQuery.Encode()))
-	})
-
-	// Simple healthcheck
-	api.Router.GET("/api/healthcheck", func(c *gin.Context) {
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "OK",
-		})
-	})
+	// App
+	api.Router.GET("/api/healthcheck", api.Handlers.HealthcheckHandler)
 }
 
 func (api *API) Run() {
 	log.Info().Str("address", api.Config.Address).Int("port", api.Config.Port).Msg("Starting server")
 
 	// Run server
-	api.Router.Run(fmt.Sprintf("%s:%d", api.Config.Address, api.Config.Port))
-}
+	err := api.Router.Run(fmt.Sprintf("%s:%d", api.Config.Address, api.Config.Port))
 
-// handleError logs the error and redirects to the error page (only meant for stuff the user may access does not apply for login paths)
-func (api *API) handleError(c *gin.Context, msg string, err error) bool {
-	// If error is not nil log it and redirect to error page also return true so we can stop further processing
+	// Check for errors
 	if err != nil {
-		log.Error().Err(err).Msg(msg)
-		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", api.Config.AppURL))
-		return true
+		log.Fatal().Err(err).Msg("Failed to start server")
 	}
-	return false
 }
 
 // zerolog is a middleware for gin that logs requests using zerolog

internal/api/api_test.go

@@ -2,13 +2,16 @@ package api_test
 
 import (
 	"encoding/json"
+	"io"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
 	"strings"
 	"testing"
 	"tinyauth/internal/api"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/docker"
+	"tinyauth/internal/handlers"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
@@ -18,13 +21,21 @@ import (
 
 // Simple API config for tests
 var apiConfig = types.APIConfig{
-	Port:            8080,
-	Address:         "0.0.0.0",
-	Secret:          "super-secret-api-thing-for-tests", // It is 32 chars long
-	AppURL:          "http://tinyauth.localhost",
+	Port:          8080,
+	Address:       "0.0.0.0",
+	Secret:        "super-secret-api-thing-for-tests", // It is 32 chars long
+	CookieSecure:  false,
+	SessionExpiry: 3600,
+}
+
+// Simple handlers config for tests
+var handlersConfig = types.HandlersConfig{
+	AppURL:          "http://localhost:8080",
+	Domain:          ".localhost",
 	CookieSecure:    false,
-	CookieExpiry:    3600,
 	DisableContinue: false,
+	Title:           "Tinyauth",
+	GenericName:     "Generic",
 }
 
 // Cookie
@@ -42,11 +53,11 @@ func getAPI(t *testing.T) *api.API {
 	docker := docker.NewDocker()
 
 	// Initialize docker
-	dockerErr := docker.Init()
+	err := docker.Init()
 
 	// Check if there was an error
-	if dockerErr != nil {
-		t.Fatalf("Failed to initialize docker: %v", dockerErr)
+	if err != nil {
+		t.Fatalf("Failed to initialize docker: %v", err)
 	}
 
 	// Create auth service
@@ -55,7 +66,7 @@ func getAPI(t *testing.T) *api.API {
 			Username: user.Username,
 			Password: user.Password,
 		},
-	}, nil, apiConfig.CookieExpiry)
+	}, nil, apiConfig.SessionExpiry)
 
 	// Create providers service
 	providers := providers.NewProviders(types.OAuthConfig{})
@@ -66,8 +77,11 @@ func getAPI(t *testing.T) *api.API {
 	// Create hooks service
 	hooks := hooks.NewHooks(auth, providers)
 
+	// Create handlers service
+	handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers)
+
 	// Create API
-	api := api.NewAPI(apiConfig, hooks, auth, providers)
+	api := api.NewAPI(apiConfig, handlers)
 
 	// Setup routes
 	api.Init()
@@ -122,9 +136,9 @@ func TestLogin(t *testing.T) {
 	}
 }
 
-// Test status
-func TestStatus(t *testing.T) {
-	t.Log("Testing status")
+// Test app context
+func TestAppContext(t *testing.T) {
+	t.Log("Testing app context")
 
 	// Get API
 	api := getAPI(t)
@@ -133,7 +147,7 @@ func TestStatus(t *testing.T) {
 	recorder := httptest.NewRecorder()
 
 	// Create request
-	req, err := http.NewRequest("GET", "/api/status", nil)
+	req, err := http.NewRequest("GET", "/api/app", nil)
 
 	// Check if there was an error
 	if err != nil {
@@ -152,11 +166,95 @@ func TestStatus(t *testing.T) {
 	// Assert
 	assert.Equal(t, recorder.Code, http.StatusOK)
 
-	// Parse the body
-	body := recorder.Body.String()
+	// Read the body of the response
+	body, err := io.ReadAll(recorder.Body)
 
-	if !strings.Contains(body, "user") {
-		t.Fatalf("Expected user in body")
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error getting body: %v", err)
+	}
+
+	// Unmarshal the body into the user struct
+	var app types.AppContext
+
+	err = json.Unmarshal(body, &app)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error unmarshalling body: %v", err)
+	}
+
+	// Create tests values
+	expected := types.AppContext{
+		Status:              200,
+		Message:             "OK",
+		ConfiguredProviders: []string{"username"},
+		DisableContinue:     false,
+		Title:               "Tinyauth",
+		GenericName:         "Generic",
+	}
+
+	// We should get the username back
+	if !reflect.DeepEqual(app, expected) {
+		t.Fatalf("Expected %v, got %v", expected, app)
+	}
+}
+
+// Test user context
+func TestUserContext(t *testing.T) {
+	t.Log("Testing user context")
+
+	// Get API
+	api := getAPI(t)
+
+	// Create recorder
+	recorder := httptest.NewRecorder()
+
+	// Create request
+	req, err := http.NewRequest("GET", "/api/user", nil)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error creating request: %v", err)
+	}
+
+	// Set the cookie
+	req.AddCookie(&http.Cookie{
+		Name:  "tinyauth",
+		Value: cookie,
+	})
+
+	// Serve the request
+	api.Router.ServeHTTP(recorder, req)
+
+	// Assert
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Read the body of the response
+	body, err := io.ReadAll(recorder.Body)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error getting body: %v", err)
+	}
+
+	// Unmarshal the body into the user struct
+	type User struct {
+		Username string `json:"username"`
+	}
+
+	var user User
+
+	err = json.Unmarshal(body, &user)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error unmarshalling body: %v", err)
+	}
+
+	// We should get the username back
+	if user.Username != "user" {
+		t.Fatalf("Expected user, got %s", user.Username)
 	}
 }
 

internal/assets/version

@@ -1 +1 @@
-v3.0.0
+v3.1.0

internal/auth/auth.go

@@ -1,12 +1,12 @@
 package auth
 
 import (
+	"regexp"
 	"slices"
 	"strings"
 	"time"
 	"tinyauth/internal/docker"
 	"tinyauth/internal/types"
-	"tinyauth/internal/utils"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
@@ -70,10 +70,20 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
 
 	log.Debug().Msg("Setting session cookie")
 
+	// Calculate expiry
+	var sessionExpiry int
+
+	if data.TotpPending {
+		sessionExpiry = 3600
+	} else {
+		sessionExpiry = auth.SessionExpiry
+	}
+
 	// Set data
 	sessions.Set("username", data.Username)
 	sessions.Set("provider", data.Provider)
-	sessions.Set("expiry", time.Now().Add(time.Duration(auth.SessionExpiry)*time.Second).Unix())
+	sessions.Set("expiry", time.Now().Add(time.Duration(sessionExpiry)*time.Second).Unix())
+	sessions.Set("totpPending", data.TotpPending)
 
 	// Save session
 	sessions.Save()
@@ -102,14 +112,16 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) types.SessionCookie {
 	cookieUsername := sessions.Get("username")
 	cookieProvider := sessions.Get("provider")
 	cookieExpiry := sessions.Get("expiry")
+	cookieTotpPending := sessions.Get("totpPending")
 
 	// Convert interfaces to correct types
 	username, usernameOk := cookieUsername.(string)
 	provider, providerOk := cookieProvider.(string)
 	expiry, expiryOk := cookieExpiry.(int64)
+	totpPending, totpPendingOk := cookieTotpPending.(bool)
 
 	// Check if the cookie is invalid
-	if !usernameOk || !providerOk || !expiryOk {
+	if !usernameOk || !providerOk || !expiryOk || !totpPendingOk {
 		log.Warn().Msg("Session cookie invalid")
 		return types.SessionCookie{}
 	}
@@ -125,12 +137,13 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) types.SessionCookie {
 		return types.SessionCookie{}
 	}
 
-	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Msg("Parsed cookie")
+	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Msg("Parsed cookie")
 
 	// Return the cookie
 	return types.SessionCookie{
-		Username: username,
-		Provider: provider,
+		Username:    username,
+		Provider:    provider,
+		TotpPending: totpPending,
 	}
 }
 
@@ -139,76 +152,92 @@ func (auth *Auth) UserAuthConfigured() bool {
 	return len(auth.Users) > 0
 }
 
-func (auth *Auth) ResourceAllowed(context types.UserContext, host string) (bool, error) {
-	// Check if we have access to the Docker API
-	isConnected := auth.Docker.DockerConnected()
+func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext) (bool, error) {
+	// Get headers
+	host := c.Request.Header.Get("X-Forwarded-Host")
 
-	// If we don't have access, it is assumed that the user has access
-	if !isConnected {
-		log.Debug().Msg("Docker not connected, allowing access")
-		return true, nil
-	}
-
-	// Get the app ID from the host
+	// Get app id
 	appId := strings.Split(host, ".")[0]
 
-	// Get the containers
-	containers, containersErr := auth.Docker.GetContainers()
+	// Check if resource is allowed
+	allowed, err := auth.Docker.ContainerAction(appId, func(labels types.TinyauthLabels) (bool, error) {
+		// If the container has an oauth whitelist, check if the user is in it
+		if context.OAuth {
+			if len(labels.OAuthWhitelist) == 0 {
+				return true, nil
+			}
+			log.Debug().Msg("Checking OAuth whitelist")
+			if slices.Contains(labels.OAuthWhitelist, context.Username) {
+				return true, nil
+			}
+			return false, nil
+		}
+
+		// If the container has users, check if the user is in it
+		if len(labels.Users) != 0 {
+			log.Debug().Msg("Checking users")
+			if slices.Contains(labels.Users, context.Username) {
+				return true, nil
+			}
+			return false, nil
+		}
+
+		// Allowed
+		return true, nil
+	})
 
 	// If there is an error, return false
-	if containersErr != nil {
-		return false, containersErr
+	if err != nil {
+		log.Error().Err(err).Msg("Error checking if resource is allowed")
+		return false, err
 	}
 
-	log.Debug().Msg("Got containers")
+	// Return if the resource is allowed
+	return allowed, nil
+}
 
-	// Loop through the containers
-	for _, container := range containers {
-		// Inspect the container
-		inspect, inspectErr := auth.Docker.InspectContainer(container.ID)
+func (auth *Auth) AuthEnabled(c *gin.Context) (bool, error) {
+	// Get headers
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	host := c.Request.Header.Get("X-Forwarded-Host")
 
-		// If there is an error, return false
-		if inspectErr != nil {
-			return false, inspectErr
+	// Get app id
+	appId := strings.Split(host, ".")[0]
+
+	// Check if auth is enabled
+	enabled, err := auth.Docker.ContainerAction(appId, func(labels types.TinyauthLabels) (bool, error) {
+		// Check if the allowed label is empty
+		if labels.Allowed == "" {
+			// Auth enabled
+			return true, nil
 		}
 
-		// Get the container name (for some reason it is /name)
-		containerName := strings.Split(inspect.Name, "/")[1]
+		// Compile regex
+		regex, err := regexp.Compile(labels.Allowed)
 
-		// There is a container with the same name as the app ID
-		if containerName == appId {
-			log.Debug().Str("container", containerName).Msg("Found container")
-
-			// Get only the tinyauth labels in a struct
-			labels := utils.GetTinyauthLabels(inspect.Config.Labels)
-
-			log.Debug().Msg("Got labels")
-
-			// If the container has an oauth whitelist, check if the user is in it
-			if context.OAuth && len(labels.OAuthWhitelist) != 0 {
-				log.Debug().Msg("Checking OAuth whitelist")
-				if slices.Contains(labels.OAuthWhitelist, context.Username) {
-					return true, nil
-				}
-				return false, nil
-			}
-
-			// If the container has users, check if the user is in it
-			if len(labels.Users) != 0 {
-				log.Debug().Msg("Checking users")
-				if slices.Contains(labels.Users, context.Username) {
-					return true, nil
-				}
-				return false, nil
-			}
+		// If there is an error, invalid regex, auth enabled
+		if err != nil {
+			log.Warn().Err(err).Msg("Invalid regex")
+			return true, err
 		}
 
+		// Check if the uri matches the regex
+		if regex.MatchString(uri) {
+			// Auth disabled
+			return false, nil
+		}
+
+		// Auth enabled
+		return true, nil
+	})
+
+	// If there is an error, auth enabled
+	if err != nil {
+		log.Error().Err(err).Msg("Error checking if auth is enabled")
+		return true, err
 	}
 
-	log.Debug().Msg("No matching container found, allowing access")
-
-	// If no matching container is found, allow access
-	return true, nil
+	return enabled, nil
 }
 
 func (auth *Auth) GetBasicAuth(c *gin.Context) *types.User {

internal/constants/constants.go

@@ -4,4 +4,5 @@ package constants
 var TinyauthLabels = []string{
 	"tinyauth.oauth.whitelist",
 	"tinyauth.users",
+	"tinyauth.allowed",
 }

internal/docker/docker.go

@@ -2,10 +2,14 @@ package docker
 
 import (
 	"context"
+	"strings"
+	appTypes "tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
+	apiTypes "github.com/docker/docker/api/types"
+	containerTypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
+	"github.com/rs/zerolog/log"
 )
 
 func NewDocker() *Docker {
@@ -19,7 +23,7 @@ type Docker struct {
 
 func (docker *Docker) Init() error {
 	// Create a new docker client
-	apiClient, err := client.NewClientWithOpts(client.FromEnv)
+	client, err := client.NewClientWithOpts(client.FromEnv)
 
 	// Check if there was an error
 	if err != nil {
@@ -28,15 +32,15 @@ func (docker *Docker) Init() error {
 
 	// Set the context and api client
 	docker.Context = context.Background()
-	docker.Client = apiClient
+	docker.Client = client
 
 	// Done
 	return nil
 }
 
-func (docker *Docker) GetContainers() ([]types.Container, error) {
+func (docker *Docker) GetContainers() ([]apiTypes.Container, error) {
 	// Get the list of containers
-	containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
+	containers, err := docker.Client.ContainerList(docker.Context, containerTypes.ListOptions{})
 
 	// Check if there was an error
 	if err != nil {
@@ -47,13 +51,13 @@ func (docker *Docker) GetContainers() ([]types.Container, error) {
 	return containers, nil
 }
 
-func (docker *Docker) InspectContainer(containerId string) (types.ContainerJSON, error) {
+func (docker *Docker) InspectContainer(containerId string) (apiTypes.ContainerJSON, error) {
 	// Inspect the container
 	inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
 
 	// Check if there was an error
 	if err != nil {
-		return types.ContainerJSON{}, err
+		return apiTypes.ContainerJSON{}, err
 	}
 
 	// Return the inspect
@@ -65,3 +69,57 @@ func (docker *Docker) DockerConnected() bool {
 	_, err := docker.Client.Ping(docker.Context)
 	return err == nil
 }
+
+func (docker *Docker) ContainerAction(appId string, runCheck func(labels appTypes.TinyauthLabels) (bool, error)) (bool, error) {
+	// Check if we have access to the Docker API
+	isConnected := docker.DockerConnected()
+
+	// If we don't have access, it is assumed that the check passed
+	if !isConnected {
+		log.Debug().Msg("Docker not connected, passing check")
+		return true, nil
+	}
+
+	// Get the containers
+	containers, err := docker.GetContainers()
+
+	// If there is an error, return false
+	if err != nil {
+		return false, err
+	}
+
+	log.Debug().Msg("Got containers")
+
+	// Loop through the containers
+	for _, container := range containers {
+		// Inspect the container
+		inspect, err := docker.InspectContainer(container.ID)
+
+		// If there is an error, return false
+		if err != nil {
+			return false, err
+		}
+
+		// Get the container name (for some reason it is /name)
+		containerName := strings.Split(inspect.Name, "/")[1]
+
+		// There is a container with the same name as the app ID
+		if containerName == appId {
+			log.Debug().Str("container", containerName).Msg("Found container")
+
+			// Get only the tinyauth labels in a struct
+			labels := utils.GetTinyauthLabels(inspect.Config.Labels)
+
+			log.Debug().Msg("Got labels")
+
+			// Run the check
+			return runCheck(labels)
+		}
+
+	}
+
+	log.Debug().Msg("No matching container found, passing check")
+
+	// If no matching container is found, pass check
+	return true, nil
+}

internal/handlers/handlers.go

@@ -0,0 +1,634 @@
+package handlers
+
+import (
+	"fmt"
+	"math/rand/v2"
+	"net/http"
+	"strings"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/hooks"
+	"tinyauth/internal/providers"
+	"tinyauth/internal/types"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-querystring/query"
+	"github.com/pquerna/otp/totp"
+	"github.com/rs/zerolog/log"
+)
+
+func NewHandlers(config types.HandlersConfig, auth *auth.Auth, hooks *hooks.Hooks, providers *providers.Providers) *Handlers {
+	return &Handlers{
+		Config:    config,
+		Auth:      auth,
+		Hooks:     hooks,
+		Providers: providers,
+	}
+}
+
+type Handlers struct {
+	Config    types.HandlersConfig
+	Auth      *auth.Auth
+	Hooks     *hooks.Hooks
+	Providers *providers.Providers
+}
+
+func (h *Handlers) AuthHandler(c *gin.Context) {
+	// Create struct for proxy
+	var proxy types.Proxy
+
+	// Bind URI
+	err := c.BindUri(&proxy)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
+	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
+
+	if isBrowser {
+		log.Debug().Msg("Request is most likely coming from a browser")
+	} else {
+		log.Debug().Msg("Request is most likely not coming from a browser")
+	}
+
+	log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
+
+	// Check if auth is enabled
+	authEnabled, err := h.Auth.AuthEnabled(c)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to check if auth is enabled")
+
+		if proxy.Proxy == "nginx" || !isBrowser {
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// If auth is not enabled, return 200
+	if !authEnabled {
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Get headers
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	proto := c.Request.Header.Get("X-Forwarded-Proto")
+	host := c.Request.Header.Get("X-Forwarded-Host")
+
+	// Check if user is logged in
+	if userContext.IsLoggedIn {
+		log.Debug().Msg("Authenticated")
+
+		// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
+		appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
+
+		// Check if there was an error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to check if app is allowed")
+
+			if proxy.Proxy == "nginx" || !isBrowser {
+				c.JSON(500, gin.H{
+					"status":  500,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			return
+		}
+
+		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
+
+		// The user is not allowed to access the app
+		if !appAllowed {
+			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+
+			// Set WWW-Authenticate header
+			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+			if proxy.Proxy == "nginx" || !isBrowser {
+				c.JSON(401, gin.H{
+					"status":  401,
+					"message": "Unauthorized",
+				})
+				return
+			}
+
+			// Build query
+			queries, err := query.Values(types.UnauthorizedQuery{
+				Username: userContext.Username,
+				Resource: strings.Split(host, ".")[0],
+			})
+
+			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to build queries")
+				c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+				return
+			}
+
+			// We are using caddy/traefik so redirect
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
+			return
+		}
+
+		// Set the user header
+		c.Header("Remote-User", userContext.Username)
+
+		// The user is allowed to access the app
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	// The user is not logged in
+	log.Debug().Msg("Unauthorized")
+
+	// Set www-authenticate header
+	c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+	if proxy.Proxy == "nginx" || !isBrowser {
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	queries, err := query.Values(types.LoginQuery{
+		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
+	})
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to build queries")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
+
+	// Redirect to login
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", h.Config.AppURL, queries.Encode()))
+}
+
+func (h *Handlers) LoginHandler(c *gin.Context) {
+	// Create login struct
+	var login types.LoginRequest
+
+	// Bind JSON
+	err := c.BindJSON(&login)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind JSON")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got login request")
+
+	// Get user based on username
+	user := h.Auth.GetUser(login.Username)
+
+	// User does not exist
+	if user == nil {
+		log.Debug().Str("username", login.Username).Msg("User not found")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got user")
+
+	// Check if password is correct
+	if !h.Auth.CheckPassword(*user, login.Password) {
+		log.Debug().Str("username", login.Username).Msg("Password incorrect")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Password correct, checking totp")
+
+	// Check if user has totp enabled
+	if user.TotpSecret != "" {
+		log.Debug().Msg("Totp enabled")
+
+		// Set totp pending cookie
+		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username:    login.Username,
+			Provider:    "username",
+			TotpPending: true,
+		})
+
+		// Return totp required
+		c.JSON(200, gin.H{
+			"status":      200,
+			"message":     "Waiting for totp",
+			"totpPending": true,
+		})
+
+		// Stop further processing
+		return
+	}
+
+	// Create session cookie with username as provider
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: login.Username,
+		Provider: "username",
+	})
+
+	// Return logged in
+	c.JSON(200, gin.H{
+		"status":      200,
+		"message":     "Logged in",
+		"totpPending": false,
+	})
+}
+
+func (h *Handlers) TotpHandler(c *gin.Context) {
+	// Create totp struct
+	var totpReq types.TotpRequest
+
+	// Bind JSON
+	err := c.BindJSON(&totpReq)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind JSON")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Checking totp")
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Check if we have a user
+	if userContext.Username == "" {
+		log.Debug().Msg("No user context")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	// Get user
+	user := h.Auth.GetUser(userContext.Username)
+
+	// Check if user exists
+	if user == nil {
+		log.Debug().Msg("User not found")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	// Check if totp is correct
+	ok := totp.Validate(totpReq.Code, user.TotpSecret)
+
+	// TOTP is incorrect
+	if !ok {
+		log.Debug().Msg("Totp incorrect")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Totp correct")
+
+	// Create session cookie with username as provider
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: user.Username,
+		Provider: "username",
+	})
+
+	// Return logged in
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Logged in",
+	})
+}
+
+func (h *Handlers) LogoutHandler(c *gin.Context) {
+	log.Debug().Msg("Logging out")
+
+	// Delete session cookie
+	h.Auth.DeleteSessionCookie(c)
+
+	log.Debug().Msg("Cleaning up redirect cookie")
+
+	// Clean up redirect cookie if it exists
+	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
+
+	// Return logged out
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Logged out",
+	})
+}
+
+func (h *Handlers) AppHandler(c *gin.Context) {
+	log.Debug().Msg("Getting app context")
+
+	// Get configured providers
+	configuredProviders := h.Providers.GetConfiguredProviders()
+
+	// We have username/password configured so add it to our providers
+	if h.Auth.UserAuthConfigured() {
+		configuredProviders = append(configuredProviders, "username")
+	}
+
+	// Create app context struct
+	appContext := types.AppContext{
+		Status:              200,
+		Message:             "OK",
+		ConfiguredProviders: configuredProviders,
+		DisableContinue:     h.Config.DisableContinue,
+		Title:               h.Config.Title,
+		GenericName:         h.Config.GenericName,
+	}
+
+	// Return app context
+	c.JSON(200, appContext)
+}
+
+func (h *Handlers) UserHandler(c *gin.Context) {
+	log.Debug().Msg("Getting user context")
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Create user context response
+	userContextResponse := types.UserContextResponse{
+		Status:      200,
+		IsLoggedIn:  userContext.IsLoggedIn,
+		Username:    userContext.Username,
+		Provider:    userContext.Provider,
+		Oauth:       userContext.OAuth,
+		TotpPending: userContext.TotpPending,
+	}
+
+	// If we are not logged in we set the status to 401 and add the WWW-Authenticate header else we set it to 200
+	if !userContext.IsLoggedIn {
+		log.Debug().Msg("Unauthorized")
+		c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+		userContextResponse.Message = "Unauthorized"
+	} else {
+		log.Debug().Interface("userContext", userContext).Msg("Authenticated")
+		userContextResponse.Message = "Authenticated"
+	}
+
+	// Return user context
+	c.JSON(200, userContextResponse)
+}
+
+func (h *Handlers) OauthUrlHandler(c *gin.Context) {
+	// Create struct for OAuth request
+	var request types.OAuthRequest
+
+	// Bind URI
+	err := c.BindUri(&request)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got OAuth request")
+
+	// Check if provider exists
+	provider := h.Providers.GetProvider(request.Provider)
+
+	// Provider does not exist
+	if provider == nil {
+		c.JSON(404, gin.H{
+			"status":  404,
+			"message": "Not Found",
+		})
+		return
+	}
+
+	log.Debug().Str("provider", request.Provider).Msg("Got provider")
+
+	// Get auth URL
+	authURL := provider.GetAuthURL()
+
+	log.Debug().Msg("Got auth URL")
+
+	// Get redirect URI
+	redirectURI := c.Query("redirect_uri")
+
+	// Set redirect cookie if redirect URI is provided
+	if redirectURI != "" {
+		log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
+		c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", h.Config.Domain, h.Config.CookieSecure, true)
+	}
+
+	// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
+	if request.Provider == "tailscale" {
+		// Build tailscale query
+		queries, err := query.Values(types.TailscaleQuery{
+			Code: (1000 + rand.IntN(9000)),
+		})
+
+		// Handle error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to build queries")
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		// Return tailscale URL (immidiately redirects to the callback)
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "OK",
+			"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", h.Config.AppURL, queries.Encode()),
+		})
+		return
+	}
+
+	// Return auth URL
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "OK",
+		"url":     authURL,
+	})
+}
+
+func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
+	// Create struct for OAuth request
+	var providerName types.OAuthRequest
+
+	// Bind URI
+	err := c.BindUri(&providerName)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
+
+	// Get code
+	code := c.Query("code")
+
+	// Code empty so redirect to error
+	if code == "" {
+		log.Error().Msg("No code provided")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Msg("Got code")
+
+	// Get provider
+	provider := h.Providers.GetProvider(providerName.Provider)
+
+	log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
+
+	// Provider does not exist
+	if provider == nil {
+		c.Redirect(http.StatusPermanentRedirect, "/not-found")
+		return
+	}
+
+	// Exchange token (authenticates user)
+	_, err = provider.ExchangeToken(code)
+
+	log.Debug().Msg("Got token")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to exchange token")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Get email
+	email, err := h.Providers.GetUser(providerName.Provider)
+
+	log.Debug().Str("email", email).Msg("Got email")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to get email")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Email is not whitelisted
+	if !h.Auth.EmailWhitelisted(email) {
+		log.Warn().Str("email", email).Msg("Email not whitelisted")
+
+		// Build query
+		queries, err := query.Values(types.UnauthorizedQuery{
+			Username: email,
+		})
+
+		// Handle error
+		if err != nil {
+			log.Error().Msg("Failed to build queries")
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			return
+		}
+
+		// Redirect to unauthorized
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
+	}
+
+	log.Debug().Msg("Email whitelisted")
+
+	// Create session cookie
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: email,
+		Provider: providerName.Provider,
+	})
+
+	// Get redirect URI
+	redirectURI, err := c.Cookie("tinyauth_redirect_uri")
+
+	// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
+	if err != nil {
+		c.Redirect(http.StatusPermanentRedirect, h.Config.AppURL)
+	}
+
+	log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
+
+	// Clean up redirect cookie since we already have the value
+	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
+
+	// Build query
+	queries, err := query.Values(types.LoginQuery{
+		RedirectURI: redirectURI,
+	})
+
+	log.Debug().Msg("Got redirect query")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to build queries")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Redirect to continue with the redirect URI
+	c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, queries.Encode()))
+}
+
+func (h *Handlers) HealthcheckHandler(c *gin.Context) {
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "OK",
+	})
+}

internal/hooks/hooks.go

@@ -36,15 +36,29 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
-				Username:   basic.Username,
-				IsLoggedIn: true,
-				OAuth:      false,
-				Provider:   "basic",
+				Username:    basic.Username,
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "basic",
+				TotpPending: false,
 			}
 		}
 
 	}
 
+	// Check if session cookie has totp pending
+	if cookie.TotpPending {
+		log.Debug().Msg("Totp pending")
+		// Return empty context since we are pending totp
+		return types.UserContext{
+			Username:    cookie.Username,
+			IsLoggedIn:  false,
+			OAuth:       false,
+			Provider:    cookie.Provider,
+			TotpPending: true,
+		}
+	}
+
 	// Check if session cookie is username/password auth
 	if cookie.Provider == "username" {
 		log.Debug().Msg("Provider is username")
@@ -55,10 +69,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 			// It exists so we are logged in
 			return types.UserContext{
-				Username:   cookie.Username,
-				IsLoggedIn: true,
-				OAuth:      false,
-				Provider:   "username",
+				Username:    cookie.Username,
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "username",
+				TotpPending: false,
 			}
 		}
 	}
@@ -81,10 +96,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 			// Return empty context
 			return types.UserContext{
-				Username:   "",
-				IsLoggedIn: false,
-				OAuth:      false,
-				Provider:   "",
+				Username:    "",
+				IsLoggedIn:  false,
+				OAuth:       false,
+				Provider:    "",
+				TotpPending: false,
 			}
 		}
 
@@ -92,18 +108,20 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 		// Return user context since we are logged in with oauth
 		return types.UserContext{
-			Username:   cookie.Username,
-			IsLoggedIn: true,
-			OAuth:      true,
-			Provider:   cookie.Provider,
+			Username:    cookie.Username,
+			IsLoggedIn:  true,
+			OAuth:       true,
+			Provider:    cookie.Provider,
+			TotpPending: false,
 		}
 	}
 
 	// Neither basic auth or oauth is set so we return an empty context
 	return types.UserContext{
-		Username:   "",
-		IsLoggedIn: false,
-		OAuth:      false,
-		Provider:   "",
+		Username:    "",
+		IsLoggedIn:  false,
+		OAuth:       false,
+		Provider:    "",
+		TotpPending: false,
 	}
 }

internal/providers/generic.go

@@ -15,21 +15,21 @@ type GenericUserInfoResponse struct {
 
 func GetGenericEmail(client *http.Client, url string) (string, error) {
 	// Using the oauth client get the user info url
-	res, resErr := client.Get(url)
+	res, err := client.Get(url)
 
 	// Check if there was an error
-	if resErr != nil {
-		return "", resErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Got response from generic provider")
 
 	// Read the body of the response
-	body, bodyErr := io.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 
 	// Check if there was an error
-	if bodyErr != nil {
-		return "", bodyErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Read body from generic provider")
@@ -38,11 +38,11 @@ func GetGenericEmail(client *http.Client, url string) (string, error) {
 	var user GenericUserInfoResponse
 
 	// Unmarshal the body into the user struct
-	jsonErr := json.Unmarshal(body, &user)
+	err = json.Unmarshal(body, &user)
 
 	// Check if there was an error
-	if jsonErr != nil {
-		return "", jsonErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Parsed user from generic provider")

internal/providers/github.go

@@ -22,21 +22,21 @@ func GithubScopes() []string {
 
 func GetGithubEmail(client *http.Client) (string, error) {
 	// Get the user emails from github using the oauth http client
-	res, resErr := client.Get("https://api.github.com/user/emails")
+	res, err := client.Get("https://api.github.com/user/emails")
 
 	// Check if there was an error
-	if resErr != nil {
-		return "", resErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Got response from github")
 
 	// Read the body of the response
-	body, bodyErr := io.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 
 	// Check if there was an error
-	if bodyErr != nil {
-		return "", bodyErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Read body from github")
@@ -45,11 +45,11 @@ func GetGithubEmail(client *http.Client) (string, error) {
 	var emails GithubUserInfoResponse
 
 	// Unmarshal the body into the user struct
-	jsonErr := json.Unmarshal(body, &emails)
+	err = json.Unmarshal(body, &emails)
 
 	// Check if there was an error
-	if jsonErr != nil {
-		return "", jsonErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Parsed emails from github")

internal/providers/google.go

@@ -20,21 +20,21 @@ func GoogleScopes() []string {
 
 func GetGoogleEmail(client *http.Client) (string, error) {
 	// Get the user info from google using the oauth http client
-	res, resErr := client.Get("https://www.googleapis.com/userinfo/v2/me")
+	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
 
 	// Check if there was an error
-	if resErr != nil {
-		return "", resErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Got response from google")
 
 	// Read the body of the response
-	body, bodyErr := io.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 
 	// Check if there was an error
-	if bodyErr != nil {
-		return "", bodyErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Read body from google")
@@ -43,11 +43,11 @@ func GetGoogleEmail(client *http.Client) (string, error) {
 	var user GoogleUserInfoResponse
 
 	// Unmarshal the body into the user struct
-	jsonErr := json.Unmarshal(body, &user)
+	err = json.Unmarshal(body, &user)
 
 	// Check if there was an error
-	if jsonErr != nil {
-		return "", jsonErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Parsed user from google")

internal/providers/providers.go

@@ -128,11 +128,11 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 		log.Debug().Msg("Got client from github")
 
 		// Get the email from the github provider
-		email, emailErr := GetGithubEmail(client)
+		email, err := GetGithubEmail(client)
 
 		// Check if there was an error
-		if emailErr != nil {
-			return "", emailErr
+		if err != nil {
+			return "", err
 		}
 
 		log.Debug().Msg("Got email from github")
@@ -152,11 +152,11 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 		log.Debug().Msg("Got client from google")
 
 		// Get the email from the google provider
-		email, emailErr := GetGoogleEmail(client)
+		email, err := GetGoogleEmail(client)
 
 		// Check if there was an error
-		if emailErr != nil {
-			return "", emailErr
+		if err != nil {
+			return "", err
 		}
 
 		log.Debug().Msg("Got email from google")
@@ -176,11 +176,11 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 		log.Debug().Msg("Got client from tailscale")
 
 		// Get the email from the tailscale provider
-		email, emailErr := GetTailscaleEmail(client)
+		email, err := GetTailscaleEmail(client)
 
 		// Check if there was an error
-		if emailErr != nil {
-			return "", emailErr
+		if err != nil {
+			return "", err
 		}
 
 		log.Debug().Msg("Got email from tailscale")
@@ -200,11 +200,11 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 		log.Debug().Msg("Got client from generic")
 
 		// Get the email from the generic provider
-		email, emailErr := GetGenericEmail(client, providers.Config.GenericUserURL)
+		email, err := GetGenericEmail(client, providers.Config.GenericUserURL)
 
 		// Check if there was an error
-		if emailErr != nil {
-			return "", emailErr
+		if err != nil {
+			return "", err
 		}
 
 		log.Debug().Msg("Got email from generic")

internal/providers/tailscale.go

@@ -31,21 +31,21 @@ var TailscaleEndpoint = oauth2.Endpoint{
 
 func GetTailscaleEmail(client *http.Client) (string, error) {
 	// Get the user info from tailscale using the oauth http client
-	res, resErr := client.Get("https://api.tailscale.com/api/v2/tailnet/-/users")
+	res, err := client.Get("https://api.tailscale.com/api/v2/tailnet/-/users")
 
 	// Check if there was an error
-	if resErr != nil {
-		return "", resErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Got response from tailscale")
 
 	// Read the body of the response
-	body, bodyErr := io.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 
 	// Check if there was an error
-	if bodyErr != nil {
-		return "", bodyErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Read body from tailscale")
@@ -54,11 +54,11 @@ func GetTailscaleEmail(client *http.Client) (string, error) {
 	var users TailscaleUserInfoResponse
 
 	// Unmarshal the body into the user struct
-	jsonErr := json.Unmarshal(body, &users)
+	err = json.Unmarshal(body, &users)
 
 	// Check if there was an error
-	if jsonErr != nil {
-		return "", jsonErr
+	if err != nil {
+		return "", err
 	}
 
 	log.Debug().Msg("Parsed users from tailscale")

internal/types/types.go

@@ -15,8 +15,9 @@ type LoginRequest struct {
 
 // User is the struct for a user
 type User struct {
-	Username string
-	Password string
+	Username   string
+	Password   string
+	TotpSecret string
 }
 
 // Users is a list of users
@@ -48,29 +49,32 @@ type Config struct {
 	GenericAuthURL            string `mapstructure:"generic-auth-url"`
 	GenericTokenURL           string `mapstructure:"generic-token-url"`
 	GenericUserURL            string `mapstructure:"generic-user-url"`
+	GenericName               string `mapstructure:"generic-name"`
 	DisableContinue           bool   `mapstructure:"disable-continue"`
 	OAuthWhitelist            string `mapstructure:"oauth-whitelist"`
 	SessionExpiry             int    `mapstructure:"session-expiry"`
 	LogLevel                  int8   `mapstructure:"log-level" validate:"min=-1,max=5"`
+	Title                     string `mapstructure:"app-title"`
+	EnvFile                   string `mapstructure:"env-file"`
 }
 
 // UserContext is the context for the user
 type UserContext struct {
-	Username   string
-	IsLoggedIn bool
-	OAuth      bool
-	Provider   string
+	Username    string
+	IsLoggedIn  bool
+	OAuth       bool
+	Provider    string
+	TotpPending bool
 }
 
 // APIConfig is the configuration for the API
 type APIConfig struct {
-	Port            int
-	Address         string
-	Secret          string
-	AppURL          string
-	CookieSecure    bool
-	CookieExpiry    int
-	DisableContinue bool
+	Port          int
+	Address       string
+	Secret        string
+	CookieSecure  bool
+	SessionExpiry int
+	Domain        string
 }
 
 // OAuthConfig is the configuration for the providers
@@ -110,14 +114,16 @@ type UnauthorizedQuery struct {
 
 // SessionCookie is the cookie for the session (exculding the expiry)
 type SessionCookie struct {
-	Username string
-	Provider string
+	Username    string
+	Provider    string
+	TotpPending bool
 }
 
 // TinyauthLabels is the labels for the tinyauth container
 type TinyauthLabels struct {
 	OAuthWhitelist []string
 	Users          []string
+	Allowed        string
 }
 
 // TailscaleQuery is the query parameters for the tailscale endpoint
@@ -129,3 +135,39 @@ type TailscaleQuery struct {
 type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }
+
+// User Context response is the response for the user context endpoint
+type UserContextResponse struct {
+	Status      int    `json:"status"`
+	Message     string `json:"message"`
+	IsLoggedIn  bool   `json:"isLoggedIn"`
+	Username    string `json:"username"`
+	Provider    string `json:"provider"`
+	Oauth       bool   `json:"oauth"`
+	TotpPending bool   `json:"totpPending"`
+}
+
+// App Context is the response for the app context endpoint
+type AppContext struct {
+	Status              int      `json:"status"`
+	Message             string   `json:"message"`
+	ConfiguredProviders []string `json:"configuredProviders"`
+	DisableContinue     bool     `json:"disableContinue"`
+	Title               string   `json:"title"`
+	GenericName         string   `json:"genericName"`
+}
+
+// Totp request is the request for the totp endpoint
+type TotpRequest struct {
+	Code string `json:"code"`
+}
+
+// Server configuration
+type HandlersConfig struct {
+	AppURL          string
+	Domain          string
+	CookieSecure    bool
+	DisableContinue bool
+	GenericName     string
+	Title           string
+}

internal/utils/utils.go

@@ -29,19 +29,15 @@ func ParseUsers(users string) (types.Users, error) {
 
 	// Loop through the users and split them by colon
 	for _, user := range userList {
-		// Split the user by colon
-		userSplit := strings.Split(user, ":")
+		parsed, err := ParseUser(user)
 
-		// Check if the user is in the correct format
-		if len(userSplit) != 2 {
-			return types.Users{}, errors.New("invalid user format")
+		// Check if there was an error
+		if err != nil {
+			return types.Users{}, err
 		}
 
 		// Append the user to the users struct
-		usersParsed = append(usersParsed, types.User{
-			Username: userSplit[0],
-			Password: userSplit[1],
-		})
+		usersParsed = append(usersParsed, parsed)
 	}
 
 	log.Debug().Msg("Parsed users")
@@ -50,14 +46,14 @@ func ParseUsers(users string) (types.Users, error) {
 	return usersParsed, nil
 }
 
-// Root url parses parses a hostname and returns the root domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetRootURL(urlSrc string) (string, error) {
+// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+func GetUpperDomain(urlSrc string) (string, error) {
 	// Make sure the url is valid
-	urlParsed, parseErr := url.Parse(urlSrc)
+	urlParsed, err := url.Parse(urlSrc)
 
 	// Check if there was an error
-	if parseErr != nil {
-		return "", parseErr
+	if err != nil {
+		return "", err
 	}
 
 	// Split the hostname by period
@@ -73,19 +69,19 @@ func GetRootURL(urlSrc string) (string, error) {
 // Reads a file and returns the contents
 func ReadFile(file string) (string, error) {
 	// Check if the file exists
-	_, statErr := os.Stat(file)
+	_, err := os.Stat(file)
 
 	// Check if there was an error
-	if statErr != nil {
-		return "", statErr
+	if err != nil {
+		return "", err
 	}
 
 	// Read the file
-	data, readErr := os.ReadFile(file)
+	data, err := os.ReadFile(file)
 
 	// Check if there was an error
-	if readErr != nil {
-		return "", readErr
+	if err != nil {
+		return "", err
 	}
 
 	// Return the file contents
@@ -156,10 +152,10 @@ func GetUsers(conf string, file string) (types.Users, error) {
 	// If the file is set, read the file and append the users to the users string
 	if file != "" {
 		// Read the file
-		fileContents, fileErr := ReadFile(file)
+		contents, err := ReadFile(file)
 
 		// If there isn't an error we can append the users to the users string
-		if fileErr == nil {
+		if err == nil {
 			log.Debug().Msg("Using users from file")
 
 			// Append the users to the users string
@@ -168,7 +164,7 @@ func GetUsers(conf string, file string) (types.Users, error) {
 			}
 
 			// Parse the file contents into a comma separated list of users
-			users += ParseFileToLine(fileContents)
+			users += ParseFileToLine(contents)
 		}
 	}
 
@@ -195,6 +191,8 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 				tinyauthLabels.OAuthWhitelist = strings.Split(value, ",")
 			case "tinyauth.users":
 				tinyauthLabels.Users = strings.Split(value, ",")
+			case "tinyauth.allowed":
+				tinyauthLabels.Allowed = value
 			}
 		}
 	}
@@ -207,3 +205,53 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 func OAuthConfigured(config types.Config) bool {
 	return (config.GithubClientId != "" && config.GithubClientSecret != "") || (config.GoogleClientId != "" && config.GoogleClientSecret != "") || (config.GenericClientId != "" && config.GenericClientSecret != "") || (config.TailscaleClientId != "" && config.TailscaleClientSecret != "")
 }
+
+// Filter helper function
+func Filter[T any](slice []T, test func(T) bool) (res []T) {
+	for _, value := range slice {
+		if test(value) {
+			res = append(res, value)
+		}
+	}
+	return res
+}
+
+// Parse user
+func ParseUser(user string) (types.User, error) {
+	// Check if the user is escaped
+	if strings.Contains(user, "$$") {
+		user = strings.ReplaceAll(user, "$$", "$")
+	}
+
+	// Split the user by colon
+	userSplit := strings.Split(user, ":")
+
+	// Check if the user is in the correct format
+	if len(userSplit) < 2 || len(userSplit) > 3 {
+		return types.User{}, errors.New("invalid user format")
+	}
+
+	// Check if the user has a totp secret
+	if len(userSplit) == 2 {
+		// Check for empty username or password
+		if userSplit[1] == "" || userSplit[0] == "" {
+			return types.User{}, errors.New("invalid user format")
+		}
+		return types.User{
+			Username: userSplit[0],
+			Password: userSplit[1],
+		}, nil
+	}
+
+	// Check for empty username, password or totp secret
+	if userSplit[2] == "" || userSplit[1] == "" || userSplit[0] == "" {
+		return types.User{}, errors.New("invalid user format")
+	}
+
+	// Return the user struct
+	return types.User{
+		Username:   userSplit[0],
+		Password:   userSplit[1],
+		TotpSecret: userSplit[2],
+	}, nil
+}

internal/utils/utils_test.go

@@ -36,29 +36,17 @@ func TestParseUsers(t *testing.T) {
 	if !reflect.DeepEqual(expected, result) {
 		t.Fatalf("Expected %v, got %v", expected, result)
 	}
-
-	t.Log("Testing parse users with an invalid string")
-
-	// Test the parse users function with an invalid string
-	users = "user1:pass1,user2"
-
-	_, err = utils.ParseUsers(users)
-
-	// There should be an error
-	if err == nil {
-		t.Fatalf("Expected error parsing users")
-	}
 }
 
-// Test the get root url function
-func TestGetRootURL(t *testing.T) {
-	t.Log("Testing get root url with a valid url")
+// Test the get upper domain function
+func TestGetUpperDomain(t *testing.T) {
+	t.Log("Testing get upper domain with a valid url")
 
-	// Test the get root url function with a valid url
+	// Test the get upper domain function with a valid url
 	url := "https://sub1.sub2.domain.com:8080"
 	expected := "sub2.domain.com"
 
-	result, err := utils.GetRootURL(url)
+	result, err := utils.GetUpperDomain(url)
 
 	// Check if there was an error
 	if err != nil {
@@ -114,7 +102,7 @@ func TestParseFileToLine(t *testing.T) {
 	t.Log("Testing parse file to line with a valid string")
 
 	// Test the parse file to line function with a valid string
-	content := "user1:pass1\nuser2:pass2"
+	content := "\nuser1:pass1\nuser2:pass2\n"
 	expected := "user1:pass1,user2:pass2"
 
 	result := utils.ParseFileToLine(content)
@@ -298,12 +286,14 @@ func TestGetTinyauthLabels(t *testing.T) {
 	labels := map[string]string{
 		"tinyauth.users":           "user1,user2",
 		"tinyauth.oauth.whitelist": "user1,user2",
+		"tinyauth.allowed":         "random",
 		"random":                   "random",
 	}
 
 	expected := types.TinyauthLabels{
 		Users:          []string{"user1", "user2"},
 		OAuthWhitelist: []string{"user1", "user2"},
+		Allowed:        "random",
 	}
 
 	result := utils.GetTinyauthLabels(labels)
@@ -313,3 +303,84 @@ func TestGetTinyauthLabels(t *testing.T) {
 		t.Fatalf("Expected %v, got %v", expected, result)
 	}
 }
+
+// Test the filter function
+func TestFilter(t *testing.T) {
+	t.Log("Testing filter helper")
+
+	// Create variables
+	data := []string{"", "val1", "", "val2", "", "val3", ""}
+	expected := []string{"val1", "val2", "val3"}
+
+	// Test the filter function
+	result := utils.Filter(data, func(val string) bool {
+		return val != ""
+	})
+
+	// Check if the result is equal to the expected
+	if !reflect.DeepEqual(expected, result) {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}
+
+// Test parse user
+func TestParseUser(t *testing.T) {
+	t.Log("Testing parse user with a valid user")
+
+	// Create variables
+	user := "user:pass:secret"
+	expected := types.User{
+		Username:   "user",
+		Password:   "pass",
+		TotpSecret: "secret",
+	}
+
+	// Test the parse user function
+	result, err := utils.ParseUser(user)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error parsing user: %v", err)
+	}
+
+	// Check if the result is equal to the expected
+	if !reflect.DeepEqual(expected, result) {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing parse user with an escaped user")
+
+	// Create variables
+	user = "user:p$$ass$$:secret"
+	expected = types.User{
+		Username:   "user",
+		Password:   "p$ass$",
+		TotpSecret: "secret",
+	}
+
+	// Test the parse user function
+	result, err = utils.ParseUser(user)
+
+	// Check if there was an error
+	if err != nil {
+		t.Fatalf("Error parsing user: %v", err)
+	}
+
+	// Check if the result is equal to the expected
+	if !reflect.DeepEqual(expected, result) {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing parse user with an invalid user")
+
+	// Create variables
+	user = "user::pass"
+
+	// Test the parse user function
+	_, err = utils.ParseUser(user)
+
+	// Check if there was an error
+	if err == nil {
+		t.Fatalf("Expected error parsing user")
+	}
+}

site/Dockerfile.dev

@@ -0,0 +1,23 @@
+FROM oven/bun:1.1.45-alpine
+
+WORKDIR /site
+
+COPY ./site/package.json ./
+COPY ./site/bun.lockb ./
+
+RUN bun install
+
+COPY ./site/public ./public
+COPY ./site/src ./src
+
+COPY ./site/eslint.config.js ./
+COPY ./site/index.html ./
+COPY ./site/tsconfig.json ./
+COPY ./site/tsconfig.app.json ./
+COPY ./site/tsconfig.node.json ./
+COPY ./site/vite.config.ts ./
+COPY ./site/postcss.config.cjs ./
+
+EXPOSE 5173
+
+ENTRYPOINT ["bun", "run", "dev"]

site/src/components/auth/login-forn.tsx

@@ -0,0 +1,46 @@
+import { TextInput, PasswordInput, Button } from "@mantine/core";
+import { useForm, zodResolver } from "@mantine/form";
+import { LoginFormValues, loginSchema } from "../../schemas/login-schema";
+
+interface LoginFormProps {
+  isLoading: boolean;
+  onSubmit: (values: LoginFormValues) => void;
+}
+
+export const LoginForm = (props: LoginFormProps) => {
+  const { isLoading, onSubmit } = props;
+
+  const form = useForm({
+    mode: "uncontrolled",
+    initialValues: {
+      username: "",
+      password: "",
+    },
+    validate: zodResolver(loginSchema),
+  });
+
+  return (
+    <form onSubmit={form.onSubmit(onSubmit)}>
+      <TextInput
+        label="Username"
+        placeholder="user@example.com"
+        required
+        disabled={isLoading}
+        key={form.key("username")}
+        {...form.getInputProps("username")}
+      />
+      <PasswordInput
+        label="Password"
+        placeholder="password"
+        required
+        mt="md"
+        disabled={isLoading}
+        key={form.key("password")}
+        {...form.getInputProps("password")}
+      />
+      <Button fullWidth mt="xl" type="submit" loading={isLoading}>
+        Login
+      </Button>
+    </form>
+  );
+};

site/src/components/auth/oauth-buttons.tsx

@@ -0,0 +1,72 @@
+import { Grid, Button } from "@mantine/core";
+import { GithubIcon } from "../../icons/github";
+import { GoogleIcon } from "../../icons/google";
+import { OAuthIcon } from "../../icons/oauth";
+import { TailscaleIcon } from "../../icons/tailscale";
+
+interface OAuthButtonsProps {
+  oauthProviders: string[];
+  isLoading: boolean;
+  mutate: (provider: string) => void;
+  genericName: string;
+}
+
+export const OAuthButtons = (props: OAuthButtonsProps) => {
+  const { oauthProviders, isLoading, genericName, mutate } = props;
+  return (
+    <Grid mb="md" mt="md" align="center" justify="center">
+      {oauthProviders.includes("google") && (
+        <Grid.Col span="content">
+          <Button
+            radius="xl"
+            leftSection={<GoogleIcon style={{ width: 14, height: 14 }} />}
+            variant="default"
+            onClick={() => mutate("google")}
+            loading={isLoading}
+          >
+            Google
+          </Button>
+        </Grid.Col>
+      )}
+      {oauthProviders.includes("github") && (
+        <Grid.Col span="content">
+          <Button
+            radius="xl"
+            leftSection={<GithubIcon style={{ width: 14, height: 14 }} />}
+            variant="default"
+            onClick={() => mutate("github")}
+            loading={isLoading}
+          >
+            Github
+          </Button>
+        </Grid.Col>
+      )}
+      {oauthProviders.includes("tailscale") && (
+        <Grid.Col span="content">
+          <Button
+            radius="xl"
+            leftSection={<TailscaleIcon style={{ width: 14, height: 14 }} />}
+            variant="default"
+            onClick={() => mutate("tailscale")}
+            loading={isLoading}
+          >
+            Tailscale
+          </Button>
+        </Grid.Col>
+      )}
+      {oauthProviders.includes("generic") && (
+        <Grid.Col span="content">
+          <Button
+            radius="xl"
+            leftSection={<OAuthIcon style={{ width: 14, height: 14 }} />}
+            variant="default"
+            onClick={() => mutate("generic")}
+            loading={isLoading}
+          >
+            {genericName}
+          </Button>
+        </Grid.Col>
+      )}
+    </Grid>
+  );
+};

site/src/components/auth/totp-form.tsx

@@ -0,0 +1,40 @@
+import { Button, PinInput } from "@mantine/core";
+import { useForm, zodResolver } from "@mantine/form";
+import { z } from "zod";
+
+const schema = z.object({
+  code: z.string(),
+});
+
+type FormValues = z.infer<typeof schema>;
+
+interface TotpFormProps {
+  onSubmit: (values: FormValues) => void;
+  isLoading: boolean;
+}
+
+export const TotpForm = (props: TotpFormProps) => {
+  const { onSubmit, isLoading } = props;
+
+  const form = useForm({
+    mode: "uncontrolled",
+    initialValues: {
+      code: "",
+    },
+    validate: zodResolver(schema),
+  });
+
+  return (
+    <form onSubmit={form.onSubmit(onSubmit)}>
+      <PinInput
+        length={6}
+        type={"number"}
+        placeholder=""
+        {...form.getInputProps("code")}
+      />
+      <Button type="submit" mt="xl" loading={isLoading} fullWidth>
+        Verify
+      </Button>
+    </form>
+  );
+};

site/src/context/app-context.tsx

@@ -0,0 +1,42 @@
+import { useQuery } from "@tanstack/react-query";
+import React, { createContext, useContext } from "react";
+import axios from "axios";
+import { AppContextSchemaType } from "../schemas/app-context-schema";
+
+const AppContext = createContext<AppContextSchemaType | null>(null);
+
+export const AppContextProvider = ({
+  children,
+}: {
+  children: React.ReactNode;
+}) => {
+  const {
+    data: userContext,
+    isLoading,
+    error,
+  } = useQuery({
+    queryKey: ["appContext"],
+    queryFn: async () => {
+      const res = await axios.get("/api/app");
+      return res.data;
+    },
+  });
+
+  if (error && !isLoading) {
+    throw error;
+  }
+
+  return (
+    <AppContext.Provider value={userContext}>{children}</AppContext.Provider>
+  );
+};
+
+export const useAppContext = () => {
+  const context = useContext(AppContext);
+
+  if (context === null) {
+    throw new Error("useAppContext must be used within an AppContextProvider");
+  }
+
+  return context;
+};

site/src/context/user-context.tsx

@@ -1,7 +1,7 @@
 import { useQuery } from "@tanstack/react-query";
 import React, { createContext, useContext } from "react";
-import { UserContextSchemaType } from "../schemas/user-context-schema";
 import axios from "axios";
+import { UserContextSchemaType } from "../schemas/user-context-schema";
 
 const UserContext = createContext<UserContextSchemaType | null>(null);
 
@@ -15,9 +15,9 @@ export const UserContextProvider = ({
     isLoading,
     error,
   } = useQuery({
-    queryKey: ["isLoggedIn"],
+    queryKey: ["userContext"],
     queryFn: async () => {
-      const res = await axios.get("/api/status");
+      const res = await axios.get("/api/user");
       return res.data;
     },
   });

site/src/main.tsx

@@ -15,6 +15,8 @@ import { ContinuePage } from "./pages/continue-page.tsx";
 import { NotFoundPage } from "./pages/not-found-page.tsx";
 import { UnauthorizedPage } from "./pages/unauthorized-page.tsx";
 import { InternalServerError } from "./pages/internal-server-error.tsx";
+import { TotpPage } from "./pages/totp-page.tsx";
+import { AppContextProvider } from "./context/app-context.tsx";
 
 const queryClient = new QueryClient({
   defaultOptions: {
@@ -29,19 +31,22 @@ createRoot(document.getElementById("root")!).render(
     <MantineProvider forceColorScheme="dark">
       <QueryClientProvider client={queryClient}>
         <Notifications />
-        <UserContextProvider>
-          <BrowserRouter>
-            <Routes>
-              <Route path="/" element={<App />} />
-              <Route path="/login" element={<LoginPage />} />
-              <Route path="/logout" element={<LogoutPage />} />
-              <Route path="/continue" element={<ContinuePage />} />
-              <Route path="/unauthorized" element={<UnauthorizedPage />} />
-              <Route path="/error" element={<InternalServerError />} />
-              <Route path="*" element={<NotFoundPage />} />
-            </Routes>
-          </BrowserRouter>
-        </UserContextProvider>
+        <AppContextProvider>
+          <UserContextProvider>
+            <BrowserRouter>
+              <Routes>
+                <Route path="/" element={<App />} />
+                <Route path="/login" element={<LoginPage />} />
+                <Route path="/totp" element={<TotpPage />} />
+                <Route path="/logout" element={<LogoutPage />} />
+                <Route path="/continue" element={<ContinuePage />} />
+                <Route path="/unauthorized" element={<UnauthorizedPage />} />
+                <Route path="/error" element={<InternalServerError />} />
+                <Route path="*" element={<NotFoundPage />} />
+              </Routes>
+            </BrowserRouter>
+          </UserContextProvider>
+        </AppContextProvider>
       </QueryClientProvider>
     </MantineProvider>
   </StrictMode>,

site/src/pages/continue-page.tsx

@@ -4,19 +4,22 @@ import { Navigate } from "react-router";
 import { useUserContext } from "../context/user-context";
 import { Layout } from "../components/layouts/layout";
 import { ReactNode } from "react";
+import { isQueryValid } from "../utils/utils";
+import { useAppContext } from "../context/app-context";
 
 export const ContinuePage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const redirectUri = params.get("redirect_uri") ?? "";
 
-  const { isLoggedIn, disableContinue } = useUserContext();
+  const { isLoggedIn } = useUserContext();
+  const { disableContinue } = useAppContext();
 
   if (!isLoggedIn) {
     return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
   }
 
-  if (redirectUri === "null" || redirectUri === "") {
+  if (!isQueryValid(redirectUri)) {
     return <Navigate to="/" />;
   }
 
@@ -31,9 +34,11 @@ export const ContinuePage = () => {
     }, 500);
   };
 
-  const urlParsed = URL.parse(redirectUri);
+  let uri;
 
-  if (urlParsed === null) {
+  try {
+    uri = new URL(redirectUri);
+  } catch {
     return (
       <ContinuePageLayout>
         <Text size="xl" fw={700}>
@@ -47,26 +52,6 @@ export const ContinuePage = () => {
     );
   }
 
-  if (
-    window.location.protocol === "https:" &&
-    urlParsed.protocol === "http:"
-  ) {
-    return (
-      <ContinuePageLayout>
-        <Text size="xl" fw={700}>
-          Insecure Redirect
-        </Text>
-        <Text>
-          Your are logged in but trying to redirect from <Code>https</Code> to{" "}
-          <Code>http</Code>, please click the button to redirect.
-        </Text>
-        <Button fullWidth mt="xl" onClick={redirect}>
-          Continue
-        </Button>
-      </ContinuePageLayout>
-    );
-  }
-
   if (disableContinue) {
     window.location.href = redirectUri;
     return (
@@ -79,6 +64,23 @@ export const ContinuePage = () => {
     );
   }
 
+  if (window.location.protocol === "https:" && uri.protocol === "http:") {
+    return (
+      <ContinuePageLayout>
+        <Text size="xl" fw={700}>
+          Insecure Redirect
+        </Text>
+        <Text>
+          Your are trying to redirect from <Code>https</Code> to{" "}
+          <Code>http</Code>, are you sure you want to continue?
+        </Text>
+        <Button fullWidth mt="xl" color="yellow" onClick={redirect}>
+          Continue
+        </Button>
+      </ContinuePageLayout>
+    );
+  }
+
   return (
     <ContinuePageLayout>
       <Text size="xl" fw={700}>

site/src/pages/login-page.tsx

@@ -1,32 +1,23 @@
-import {
-  Button,
-  Paper,
-  PasswordInput,
-  TextInput,
-  Title,
-  Text,
-  Divider,
-  Grid,
-} from "@mantine/core";
-import { useForm, zodResolver } from "@mantine/form";
+import { Paper, Title, Text, Divider } from "@mantine/core";
 import { notifications } from "@mantine/notifications";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
-import { z } from "zod";
 import { useUserContext } from "../context/user-context";
 import { Navigate } from "react-router";
 import { Layout } from "../components/layouts/layout";
-import { GoogleIcon } from "../icons/google";
-import { GithubIcon } from "../icons/github";
-import { OAuthIcon } from "../icons/oauth";
-import { TailscaleIcon } from "../icons/tailscale";
+import { OAuthButtons } from "../components/auth/oauth-buttons";
+import { LoginFormValues } from "../schemas/login-schema";
+import { LoginForm } from "../components/auth/login-forn";
+import { isQueryValid } from "../utils/utils";
+import { useAppContext } from "../context/app-context";
 
 export const LoginPage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const redirectUri = params.get("redirect_uri") ?? "";
 
-  const { isLoggedIn, configuredProviders } = useUserContext();
+  const { isLoggedIn } = useUserContext();
+  const { configuredProviders, title, genericName } = useAppContext();
 
   const oauthProviders = configuredProviders.filter(
     (value) => value !== "username",
@@ -36,24 +27,8 @@ export const LoginPage = () => {
     return <Navigate to="/logout" />;
   }
 
-  const schema = z.object({
-    username: z.string(),
-    password: z.string(),
-  });
-
-  type FormValues = z.infer<typeof schema>;
-
-  const form = useForm({
-    mode: "uncontrolled",
-    initialValues: {
-      username: "",
-      password: "",
-    },
-    validate: zodResolver(schema),
-  });
-
   const loginMutation = useMutation({
-    mutationFn: (login: FormValues) => {
+    mutationFn: (login: LoginFormValues) => {
       return axios.post("/api/login", login);
     },
     onError: () => {
@@ -63,18 +38,25 @@ export const LoginPage = () => {
         color: "red",
       });
     },
-    onSuccess: () => {
+    onSuccess: async (data) => {
+      if (data.data.totpPending) {
+        window.location.replace(`/totp?redirect_uri=${redirectUri}`);
+        return;
+      }
+
       notifications.show({
         title: "Logged in",
         message: "Welcome back!",
         color: "green",
       });
+
       setTimeout(() => {
-        if (redirectUri === "null" || redirectUri === "") {
+        if (!isQueryValid(redirectUri)) {
           window.location.replace("/");
-        } else {
-          window.location.replace(`/continue?redirect_uri=${redirectUri}`);
+          return;
         }
+
+        window.location.replace(`/continue?redirect_uri=${redirectUri}`);
       }, 500);
     },
   });
@@ -104,81 +86,25 @@ export const LoginPage = () => {
     },
   });
 
-  const handleSubmit = (values: FormValues) => {
+  const handleSubmit = (values: LoginFormValues) => {
     loginMutation.mutate(values);
   };
 
   return (
     <Layout>
-      <Title ta="center">Tinyauth</Title>
+      <Title ta="center">{title}</Title>
       <Paper shadow="md" p="xl" mt={30} radius="md" withBorder>
         {oauthProviders.length > 0 && (
           <>
             <Text size="lg" fw={500} ta="center">
               Welcome back, login with
             </Text>
-            <Grid mb="md" mt="md" align="center" justify="center">
-              {oauthProviders.includes("google") && (
-                <Grid.Col span="content">
-                  <Button
-                    radius="xl"
-                    leftSection={
-                      <GoogleIcon style={{ width: 14, height: 14 }} />
-                    }
-                    variant="default"
-                    onClick={() => loginOAuthMutation.mutate("google")}
-                    loading={loginOAuthMutation.isLoading}
-                  >
-                    Google
-                  </Button>
-                </Grid.Col>
-              )}
-              {oauthProviders.includes("github") && (
-                <Grid.Col span="content">
-                  <Button
-                    radius="xl"
-                    leftSection={
-                      <GithubIcon style={{ width: 14, height: 14 }} />
-                    }
-                    variant="default"
-                    onClick={() => loginOAuthMutation.mutate("github")}
-                    loading={loginOAuthMutation.isLoading}
-                  >
-                    Github
-                  </Button>
-                </Grid.Col>
-              )}
-              {oauthProviders.includes("tailscale") && (
-                <Grid.Col span="content">
-                  <Button
-                    radius="xl"
-                    leftSection={
-                      <TailscaleIcon style={{ width: 14, height: 14 }} />
-                    }
-                    variant="default"
-                    onClick={() => loginOAuthMutation.mutate("tailscale")}
-                    loading={loginOAuthMutation.isLoading}
-                  >
-                    Tailscale
-                  </Button>
-                </Grid.Col>
-              )}
-              {oauthProviders.includes("generic") && (
-                <Grid.Col span="content">
-                  <Button
-                    radius="xl"
-                    leftSection={
-                      <OAuthIcon style={{ width: 14, height: 14 }} />
-                    }
-                    variant="default"
-                    onClick={() => loginOAuthMutation.mutate("generic")}
-                    loading={loginOAuthMutation.isLoading}
-                  >
-                    Generic
-                  </Button>
-                </Grid.Col>
-              )}
-            </Grid>
+            <OAuthButtons
+              oauthProviders={oauthProviders}
+              isLoading={loginOAuthMutation.isLoading}
+              mutate={loginOAuthMutation.mutate}
+              genericName={genericName}
+            />
             {configuredProviders.includes("username") && (
               <Divider
                 label="Or continue with password"
@@ -189,33 +115,10 @@ export const LoginPage = () => {
           </>
         )}
         {configuredProviders.includes("username") && (
-          <form onSubmit={form.onSubmit(handleSubmit)}>
-            <TextInput
-              label="Username"
-              placeholder="user@example.com"
-              required
-              disabled={loginMutation.isLoading}
-              key={form.key("username")}
-              {...form.getInputProps("username")}
-            />
-            <PasswordInput
-              label="Password"
-              placeholder="password"
-              required
-              mt="md"
-              disabled={loginMutation.isLoading}
-              key={form.key("password")}
-              {...form.getInputProps("password")}
-            />
-            <Button
-              fullWidth
-              mt="xl"
-              type="submit"
-              loading={loginMutation.isLoading}
-            >
-              Login
-            </Button>
-          </form>
+          <LoginForm
+            isLoading={loginMutation.isLoading}
+            onSubmit={handleSubmit}
+          />
         )}
       </Paper>
     </Layout>

site/src/pages/logout-page.tsx

@@ -6,9 +6,11 @@ import { useUserContext } from "../context/user-context";
 import { Navigate } from "react-router";
 import { Layout } from "../components/layouts/layout";
 import { capitalize } from "../utils/utils";
+import { useAppContext } from "../context/app-context";
 
 export const LogoutPage = () => {
   const { isLoggedIn, username, oauth, provider } = useUserContext();
+  const { genericName } = useAppContext();
 
   if (!isLoggedIn) {
     return <Navigate to="/login" />;
@@ -45,8 +47,9 @@ export const LogoutPage = () => {
         </Text>
         <Text>
           You are currently logged in as <Code>{username}</Code>
-          {oauth && ` using ${capitalize(provider)} OAuth`}. Click the button
-          below to log out.
+          {oauth &&
+            ` using ${capitalize(provider === "generic" ? genericName : provider)} OAuth`}
+          . Click the button below to log out.
         </Text>
         <Button
           fullWidth

site/src/pages/totp-page.tsx

@@ -0,0 +1,64 @@
+import { Navigate } from "react-router";
+import { useUserContext } from "../context/user-context";
+import { Title, Paper, Text } from "@mantine/core";
+import { Layout } from "../components/layouts/layout";
+import { TotpForm } from "../components/auth/totp-form";
+import { useMutation } from "@tanstack/react-query";
+import axios from "axios";
+import { notifications } from "@mantine/notifications";
+import { useAppContext } from "../context/app-context";
+
+export const TotpPage = () => {
+  const queryString = window.location.search;
+  const params = new URLSearchParams(queryString);
+  const redirectUri = params.get("redirect_uri") ?? "";
+
+  const { totpPending, isLoggedIn } = useUserContext();
+  const { title } = useAppContext();
+
+  if (isLoggedIn) {
+    return <Navigate to={`/logout`} />;
+  }
+
+  if (!totpPending) {
+    return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
+  }
+
+  const totpMutation = useMutation({
+    mutationFn: async (totp: { code: string }) => {
+      await axios.post("/api/totp", totp);
+    },
+    onError: () => {
+      notifications.show({
+        title: "Failed to verify code",
+        message: "Please try again",
+        color: "red",
+      });
+    },
+    onSuccess: () => {
+      notifications.show({
+        title: "Verified",
+        message: "Redirecting to your app",
+        color: "green",
+      });
+      setTimeout(() => {
+        window.location.replace(`/continue?redirect_uri=${redirectUri}`);
+      }, 500);
+    },
+  });
+
+  return (
+    <Layout>
+      <Title ta="center">{title}</Title>
+      <Paper shadow="md" p="xl" mt={30} radius="md" withBorder>
+        <Text size="lg" fw={500} mb="md" ta="center">
+          Enter your TOTP code
+        </Text>
+        <TotpForm
+          isLoading={totpMutation.isLoading}
+          onSubmit={(values) => totpMutation.mutate(values)}
+        />
+      </Paper>
+    </Layout>
+  );
+};

site/src/pages/unauthorized-page.tsx

@@ -1,6 +1,7 @@
 import { Button, Code, Paper, Text } from "@mantine/core";
 import { Layout } from "../components/layouts/layout";
 import { Navigate } from "react-router";
+import { isQueryValid } from "../utils/utils";
 
 export const UnauthorizedPage = () => {
   const queryString = window.location.search;
@@ -8,7 +9,7 @@ export const UnauthorizedPage = () => {
   const username = params.get("username") ?? "";
   const resource = params.get("resource") ?? "";
 
-  if (username === "null" || username === "") {
+  if (!isQueryValid(username)) {
     return <Navigate to="/" />;
   }
 
@@ -20,7 +21,7 @@ export const UnauthorizedPage = () => {
         </Text>
         <Text>
           The user with username <Code>{username}</Code> is not authorized to{" "}
-          {resource !== "null" && resource !== "" ? (
+          {isQueryValid(resource) ? (
             <span>
               access the <Code>{resource}</Code> resource.
             </span>

site/src/schemas/app-context-schema.ts

@@ -0,0 +1,10 @@
+import { z } from "zod";
+
+export const appContextSchema = z.object({
+  configuredProviders: z.array(z.string()),
+  disableContinue: z.boolean(),
+  title: z.string(),
+  genericName: z.string(),
+});
+
+export type AppContextSchemaType = z.infer<typeof appContextSchema>;

site/src/schemas/login-schema.ts

@@ -0,0 +1,8 @@
+import { z } from "zod";
+
+export const loginSchema = z.object({
+  username: z.string(),
+  password: z.string(),
+});
+
+export type LoginFormValues = z.infer<typeof loginSchema>;

site/src/schemas/user-context-schema.ts

@@ -5,8 +5,7 @@ export const userContextSchema = z.object({
   username: z.string(),
   oauth: z.boolean(),
   provider: z.string(),
-  configuredProviders: z.array(z.string()),
-  disableContinue: z.boolean(),
+  totpPending: z.boolean(),
 });
 
 export type UserContextSchemaType = z.infer<typeof userContextSchema>;

site/src/utils/utils.ts

@@ -1 +1,2 @@
-export const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);
+export const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);
+export const isQueryValid = (value: string) => value.trim() !== "" && value !== "null";

site/vite.config.ts

@@ -4,4 +4,14 @@ import react from "@vitejs/plugin-react-swc";
 // https://vite.dev/config/
 export default defineConfig({
   plugins: [react()],
+  server: {
+    host: "0.0.0.0",
+    proxy: {
+      "/api": {
+        target: "http://tinyauth-backend:3000/api",
+        changeOrigin: true,
+        rewrite: (path) => path.replace(/^\/api/, ""),
+      },
+    }
+  }
 });