fix: use email in oauth whitelist check

Co-authored-by: GitHub <noreply@github.com>

.env.example

@@ -12,9 +12,6 @@ GITHUB_CLIENT_SECRET_FILE=github_client_secret_file
 GOOGLE_CLIENT_ID=google_client_id
 GOOGLE_CLIENT_SECRET=google_client_secret
 GOOGLE_CLIENT_SECRET_FILE=google_client_secret_file
-TAILSCALE_CLIENT_ID=tailscale_client_id
-TAILSCALE_CLIENT_SECRET=tailscale_client_secret
-TAILSCALE_CLIENT_SECRET_FILE=tailscale__client_secret_file
 GENERIC_CLIENT_ID=generic_client_id
 GENERIC_CLIENT_SECRET=generic_client_secret
 GENERIC_CLIENT_SECRET_FILE=generic_client_secret_file
@@ -29,4 +26,6 @@ SESSION_EXPIRY=7200
 LOGIN_TIMEOUT=300
 LOGIN_MAX_RETRIES=5
 LOG_LEVEL=0
-APP_TITLE=Tinyauth SSO
+APP_TITLE=Tinyauth SSO
+FORGOT_PASSWORD_MESSAGE=Some message about resetting the password
+OAUTH_AUTO_REDIRECT=none

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "bun"
+    directory: "/frontend"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/ci.yml

@@ -4,11 +4,9 @@ on:
     branches:
       - main
   pull_request:
-    branches:
-      - main
 
 jobs:
-  test:
+  ci:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

.github/workflows/release.yml

@@ -46,7 +46,7 @@ jobs:
           path: tinyauth-amd64
 
   binary-build-arm:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -221,7 +221,9 @@ jobs:
     steps:
       - uses: actions/download-artifact@v4
         with:
+          pattern: tinyauth-*
           path: binaries
+          merge-multiple: true
 
       - name: Release
         uses: softprops/action-gh-release@v2

.github/workflows/sponsors.yml

@@ -0,0 +1,31 @@
+name: Generate Sponsors List
+on:
+  workflow_dispatch:
+
+jobs:
+  generate-sponsors:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Generate Sponsors
+        uses: JamesIves/github-sponsors-readme-action@v1
+        with:
+          token: ${{ secrets.SPONSORS_GENERATOR_PAT }}
+          active-only: false
+          file: "README.md"
+          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="64px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: |
+            docs: regenerate readme sponsors list
+          committer: GitHub <noreply@github.com>
+          author: GitHub <noreply@github.com>
+          branch: docs/update-readme
+          title: |
+            docs: regenerate readme sponsors list
+          labels: bot

.github/workflows/stale.yml

@@ -0,0 +1,20 @@
+name: Close stale issues and PRs
+on:
+  schedule:
+    - cron: 0 10 * * *
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 30
+          stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.
+          stale-issue-message: This issue has been inactive for 30 days and will be marked as stale.
+          close-issue-message: Closed for inactivity.
+          close-pr-message: Closed for inactivity.
+          stale-issue-label: stale
+          stale-pr-label: stale
+          exempt-issue-labels: pinned
+          exempt-pr-labels: pinned

Dockerfile

@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.1.45-alpine AS frontend-builder
+FROM oven/bun:1.2.11-alpine AS frontend-builder
 
 WORKDIR /frontend
 
@@ -21,7 +21,7 @@ COPY ./frontend/postcss.config.cjs ./
 RUN bun run build
 
 # Builder
-FROM golang:1.23-alpine3.21 AS builder
+FROM golang:1.24-alpine3.21 AS builder
 
 WORKDIR /tinyauth
 

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM golang:1.23-alpine3.21
+FROM golang:1.24-alpine3.21
 
 WORKDIR /tinyauth
 
@@ -12,9 +12,6 @@ COPY ./internal ./internal
 COPY ./main.go ./
 COPY ./air.toml ./
 
-RUN mkdir -p ./internal/assets/dist && \
-    echo "app running" > ./internal/assets/dist/index.html
-
 RUN go install github.com/air-verse/air@v1.61.7
 
 EXPOSE 3000

README.md

@@ -1,5 +1,5 @@
 <div align="center">
-    <img alt="Tinyauth" title="Tinyauth" width="256" src="frontend/public/logo.png">
+    <img alt="Tinyauth" title="Tinyauth" height="256" src="frontend/public/logo.png">
     <h1>Tinyauth</h1>
     <p>The easiest way to secure your apps with a login screen.</p>
 </div>
@@ -15,9 +15,9 @@
 
 <br />
 
-Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps. It is made for traefik but it can be extended to work with all reverse proxies like caddy and nginx.
+Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic provider to all of your docker apps. It is designed for traefik but it can be extended to work with all reverse proxies like caddy and nginx.
 
-![Login](assets/login.png)
+![Login](assets/screenshot.png)
 
 > [!WARNING]
 > Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.
@@ -31,11 +31,11 @@ I just made a Discord server for Tinyauth! It is not only for Tinyauth but gener
 
 ## Getting Started
 
-You can easily get started with tinyauth by following the guide on the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, nginx and tinyauth to demonstrate its capabilities.
+You can easily get started with tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, whoami and tinyauth to demonstrate its capabilities.
 
 ## Documentation
 
-You can find documentation and guides on all available configuration of tinyauth [here](https://tinyauth.app).
+You can find documentation and guides on all of the available configuration of tinyauth [here](https://tinyauth.app).
 
 ## Contributing
 
@@ -53,9 +53,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
 
 Thanks a lot to the following people for providing me with more coffee:
 
-| <img height="64" src="https://avatars.githubusercontent.com/u/47644445?v=4" alt="Nicolas"> | <img height="64" src="https://avatars.githubusercontent.com/u/4255748?v=4" alt="Erwin"> |
-| ------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------- |
-| <div align="center"><a href="https://github.com/nicotsx">Nicolas</a></div>                 | <div align="center"><a href="https://github.com/erwinkramer">Erwin</a></div>            |
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<!-- sponsors -->
 
 ## Acknowledgements
 

air.toml

@@ -2,6 +2,7 @@ root = "/tinyauth"
 tmp_dir = "tmp"
 
 [build]
+pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html"]
 cmd = "go build -o ./tmp/tinyauth ."
 bin = "tmp/tinyauth"
 include_ext = ["go"]

cmd/root.go

@@ -42,7 +42,6 @@ var rootCmd = &cobra.Command{
 		config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile)
 		config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile)
 		config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile)
-		config.TailscaleClientSecret = utils.GetSecret(config.TailscaleClientSecret, config.TailscaleClientSecretFile)
 
 		// Validate config
 		validator := validator.New()
@@ -62,13 +61,6 @@ var rootCmd = &cobra.Command{
 			HandleError(errors.New("no users or OAuth configured"), "No users or OAuth configured")
 		}
 
-		// Create oauth whitelist
-		oauthWhitelist := utils.Filter(strings.Split(config.OAuthWhitelist, ","), func(val string) bool {
-			return val != ""
-		})
-
-		log.Debug().Msg("Parsed OAuth whitelist")
-
 		// Get domain
 		log.Debug().Msg("Getting domain")
 		domain, err := utils.GetUpperDomain(config.AppURL)
@@ -77,27 +69,29 @@ var rootCmd = &cobra.Command{
 
 		// Create OAuth config
 		oauthConfig := types.OAuthConfig{
-			GithubClientId:        config.GithubClientId,
-			GithubClientSecret:    config.GithubClientSecret,
-			GoogleClientId:        config.GoogleClientId,
-			GoogleClientSecret:    config.GoogleClientSecret,
-			TailscaleClientId:     config.TailscaleClientId,
-			TailscaleClientSecret: config.TailscaleClientSecret,
-			GenericClientId:       config.GenericClientId,
-			GenericClientSecret:   config.GenericClientSecret,
-			GenericScopes:         strings.Split(config.GenericScopes, ","),
-			GenericAuthURL:        config.GenericAuthURL,
-			GenericTokenURL:       config.GenericTokenURL,
-			GenericUserURL:        config.GenericUserURL,
-			AppURL:                config.AppURL,
+			GithubClientId:      config.GithubClientId,
+			GithubClientSecret:  config.GithubClientSecret,
+			GoogleClientId:      config.GoogleClientId,
+			GoogleClientSecret:  config.GoogleClientSecret,
+			GenericClientId:     config.GenericClientId,
+			GenericClientSecret: config.GenericClientSecret,
+			GenericScopes:       strings.Split(config.GenericScopes, ","),
+			GenericAuthURL:      config.GenericAuthURL,
+			GenericTokenURL:     config.GenericTokenURL,
+			GenericUserURL:      config.GenericUserURL,
+			AppURL:              config.AppURL,
 		}
 
 		// Create handlers config
 		handlersConfig := types.HandlersConfig{
-			AppURL:          config.AppURL,
-			DisableContinue: config.DisableContinue,
-			Title:           config.Title,
-			GenericName:     config.GenericName,
+			AppURL:                config.AppURL,
+			DisableContinue:       config.DisableContinue,
+			Title:                 config.Title,
+			GenericName:           config.GenericName,
+			CookieSecure:          config.CookieSecure,
+			Domain:                domain,
+			ForgotPasswordMessage: config.FogotPasswordMessage,
+			OAuthAutoRedirect:     config.OAuthAutoRedirect,
 		}
 
 		// Create api config
@@ -109,7 +103,7 @@ var rootCmd = &cobra.Command{
 		// Create auth config
 		authConfig := types.AuthConfig{
 			Users:           users,
-			OauthWhitelist:  oauthWhitelist,
+			OauthWhitelist:  config.OAuthWhitelist,
 			Secret:          config.Secret,
 			CookieSecure:    config.CookieSecure,
 			SessionExpiry:   config.SessionExpiry,
@@ -118,6 +112,11 @@ var rootCmd = &cobra.Command{
 			LoginMaxRetries: config.LoginMaxRetries,
 		}
 
+		// Create hooks config
+		hooksConfig := types.HooksConfig{
+			Domain: domain,
+		}
+
 		// Create docker service
 		docker := docker.NewDocker()
 
@@ -135,7 +134,7 @@ var rootCmd = &cobra.Command{
 		providers.Init()
 
 		// Create hooks service
-		hooks := hooks.NewHooks(auth, providers)
+		hooks := hooks.NewHooks(hooksConfig, auth, providers)
 
 		// Create handlers
 		handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
@@ -189,9 +188,6 @@ func init() {
 	rootCmd.Flags().String("google-client-id", "", "Google OAuth client ID.")
 	rootCmd.Flags().String("google-client-secret", "", "Google OAuth client secret.")
 	rootCmd.Flags().String("google-client-secret-file", "", "Google OAuth client secret file.")
-	rootCmd.Flags().String("tailscale-client-id", "", "Tailscale OAuth client ID.")
-	rootCmd.Flags().String("tailscale-client-secret", "", "Tailscale OAuth client secret.")
-	rootCmd.Flags().String("tailscale-client-secret-file", "", "Tailscale OAuth client secret file.")
 	rootCmd.Flags().String("generic-client-id", "", "Generic OAuth client ID.")
 	rootCmd.Flags().String("generic-client-secret", "", "Generic OAuth client secret.")
 	rootCmd.Flags().String("generic-client-secret-file", "", "Generic OAuth client secret file.")
@@ -202,11 +198,13 @@ func init() {
 	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
 	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
 	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
+	rootCmd.Flags().String("oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)")
 	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
 	rootCmd.Flags().Int("login-timeout", 300, "Login timeout in seconds after max retries reached (0 to disable).")
 	rootCmd.Flags().Int("login-max-retries", 5, "Maximum login attempts before timeout (0 to disable).")
 	rootCmd.Flags().Int("log-level", 1, "Log level.")
 	rootCmd.Flags().String("app-title", "Tinyauth", "Title of the app.")
+	rootCmd.Flags().String("forgot-password-message", "You can reset your password by changing the `USERS` environment variable.", "Message to show on the forgot password page.")
 
 	// Bind flags to environment
 	viper.BindEnv("port", "PORT")
@@ -223,9 +221,6 @@ func init() {
 	viper.BindEnv("google-client-id", "GOOGLE_CLIENT_ID")
 	viper.BindEnv("google-client-secret", "GOOGLE_CLIENT_SECRET")
 	viper.BindEnv("google-client-secret-file", "GOOGLE_CLIENT_SECRET_FILE")
-	viper.BindEnv("tailscale-client-id", "TAILSCALE_CLIENT_ID")
-	viper.BindEnv("tailscale-client-secret", "TAILSCALE_CLIENT_SECRET")
-	viper.BindEnv("tailscale-client-secret-file", "TAILSCALE_CLIENT_SECRET_FILE")
 	viper.BindEnv("generic-client-id", "GENERIC_CLIENT_ID")
 	viper.BindEnv("generic-client-secret", "GENERIC_CLIENT_SECRET")
 	viper.BindEnv("generic-client-secret-file", "GENERIC_CLIENT_SECRET_FILE")
@@ -236,11 +231,13 @@ func init() {
 	viper.BindEnv("generic-name", "GENERIC_NAME")
 	viper.BindEnv("disable-continue", "DISABLE_CONTINUE")
 	viper.BindEnv("oauth-whitelist", "OAUTH_WHITELIST")
+	viper.BindEnv("oauth-auto-redirect", "OAUTH_AUTO_REDIRECT")
 	viper.BindEnv("session-expiry", "SESSION_EXPIRY")
 	viper.BindEnv("log-level", "LOG_LEVEL")
 	viper.BindEnv("app-title", "APP_TITLE")
 	viper.BindEnv("login-timeout", "LOGIN_TIMEOUT")
 	viper.BindEnv("login-max-retries", "LOGIN_MAX_RETRIES")
+	viper.BindEnv("forgot-password-message", "FORGOT_PASSWORD_MESSAGE")
 
 	// Bind flags to viper
 	viper.BindPFlags(rootCmd.Flags())

frontend/package.json

@@ -14,34 +14,35 @@
     "@mantine/form": "^7.16.0",
     "@mantine/hooks": "^7.16.0",
     "@mantine/notifications": "^7.16.0",
-    "@tanstack/react-query": "4",
+    "@tanstack/react-query": "5",
     "axios": "^1.7.9",
-    "i18next": "^24.2.3",
+    "i18next": "^25.0.0",
     "i18next-browser-languagedetector": "^8.0.4",
     "i18next-chained-backend": "^4.6.2",
     "i18next-http-backend": "^3.0.2",
     "i18next-resources-to-backend": "^1.2.1",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
+    "react": "^19.1.0",
+    "react-dom": "^19.1.0",
     "react-i18next": "^15.4.1",
-    "react-router": "^7.1.3",
+    "react-markdown": "^10.1.0",
+    "react-router": "^7.5.2",
     "zod": "^3.24.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.17.0",
-    "@types/react": "^18.3.18",
-    "@types/react-dom": "^18.3.5",
+    "@types/react": "^19.1.1",
+    "@types/react-dom": "^19.1.2",
     "@vitejs/plugin-react-swc": "^3.5.0",
     "eslint": "^9.17.0",
     "eslint-plugin-react-hooks": "^5.0.0",
     "eslint-plugin-react-refresh": "^0.4.16",
-    "globals": "^15.14.0",
+    "globals": "^16.0.0",
     "postcss": "^8.5.1",
     "postcss-preset-mantine": "^1.17.0",
     "postcss-simple-vars": "^7.0.1",
-    "prettier": "3.4.2",
-    "typescript": "~5.6.2",
+    "prettier": "3.5.3",
+    "typescript": "~5.8.3",
     "typescript-eslint": "^8.18.2",
-    "vite": "^6.0.5"
+    "vite": "^6.3.4"
   }
 }

frontend/src/components/auth/login-forn.tsx

@@ -1,15 +1,15 @@
-import { TextInput, PasswordInput, Button } from "@mantine/core";
+import { TextInput, PasswordInput, Button, Anchor, Group, Text } from "@mantine/core";
 import { useForm, zodResolver } from "@mantine/form";
 import { LoginFormValues, loginSchema } from "../../schemas/login-schema";
 import { useTranslation } from "react-i18next";
 
 interface LoginFormProps {
-  isLoading: boolean;
+  isPending: boolean;
   onSubmit: (values: LoginFormValues) => void;
 }
 
 export const LoginForm = (props: LoginFormProps) => {
-  const { isLoading, onSubmit } = props;
+  const { isPending, onSubmit } = props;
   const { t } = useTranslation();
 
   const form = useForm({
@@ -25,22 +25,31 @@ export const LoginForm = (props: LoginFormProps) => {
     <form onSubmit={form.onSubmit(onSubmit)}>
       <TextInput
         label={t("loginUsername")}
-        placeholder="username"
+        placeholder="Username"
+        disabled={isPending}
         required
-        disabled={isLoading}
+        withAsterisk={false}
         key={form.key("username")}
         {...form.getInputProps("username")}
       />
+      <Group justify="space-between" mb={5} mt="md">
+        <Text component="label" htmlFor=".password-input" size="sm" fw={500}>
+        {t("loginPassword")}
+        </Text>
+
+        <Anchor href="#" onClick={() => window.location.replace("/forgot-password")} pt={2} fw={500} fz="xs">
+          {t('forgotPasswordTitle')}
+        </Anchor>
+      </Group>
       <PasswordInput
-        label={t("loginPassword")}
-        placeholder="password"
+        className="password-input"
+        placeholder="Password"
         required
-        mt="md"
-        disabled={isLoading}
+        disabled={isPending}
         key={form.key("password")}
         {...form.getInputProps("password")}
       />
-      <Button fullWidth mt="xl" type="submit" loading={isLoading}>
+      <Button fullWidth mt="xl" type="submit" loading={isPending}>
         {t("loginSubmit")}
       </Button>
     </form>

frontend/src/components/auth/oauth-buttons.tsx

@@ -2,17 +2,16 @@ import { Grid, Button } from "@mantine/core";
 import { GithubIcon } from "../../icons/github";
 import { GoogleIcon } from "../../icons/google";
 import { OAuthIcon } from "../../icons/oauth";
-import { TailscaleIcon } from "../../icons/tailscale";
 
 interface OAuthButtonsProps {
   oauthProviders: string[];
-  isLoading: boolean;
+  isPending: boolean;
   mutate: (provider: string) => void;
   genericName: string;
 }
 
 export const OAuthButtons = (props: OAuthButtonsProps) => {
-  const { oauthProviders, isLoading, genericName, mutate } = props;
+  const { oauthProviders, isPending, genericName, mutate } = props;
   return (
     <Grid mb="md" mt="md" align="center" justify="center">
       {oauthProviders.includes("google") && (
@@ -22,7 +21,7 @@ export const OAuthButtons = (props: OAuthButtonsProps) => {
             leftSection={<GoogleIcon style={{ width: 14, height: 14 }} />}
             variant="default"
             onClick={() => mutate("google")}
-            loading={isLoading}
+            loading={isPending}
           >
             Google
           </Button>
@@ -35,25 +34,12 @@ export const OAuthButtons = (props: OAuthButtonsProps) => {
             leftSection={<GithubIcon style={{ width: 14, height: 14 }} />}
             variant="default"
             onClick={() => mutate("github")}
-            loading={isLoading}
+            loading={isPending}
           >
             Github
           </Button>
         </Grid.Col>
       )}
-      {oauthProviders.includes("tailscale") && (
-        <Grid.Col span="content">
-          <Button
-            radius="xl"
-            leftSection={<TailscaleIcon style={{ width: 14, height: 14 }} />}
-            variant="default"
-            onClick={() => mutate("tailscale")}
-            loading={isLoading}
-          >
-            Tailscale
-          </Button>
-        </Grid.Col>
-      )}
       {oauthProviders.includes("generic") && (
         <Grid.Col span="content">
           <Button
@@ -61,7 +47,7 @@ export const OAuthButtons = (props: OAuthButtonsProps) => {
             leftSection={<OAuthIcon style={{ width: 14, height: 14 }} />}
             variant="default"
             onClick={() => mutate("generic")}
-            loading={isLoading}
+            loading={isPending}
           >
             {genericName}
           </Button>

frontend/src/components/auth/totp-form.tsx

@@ -10,11 +10,11 @@ type FormValues = z.infer<typeof schema>;
 
 interface TotpFormProps {
   onSubmit: (values: FormValues) => void;
-  isLoading: boolean;
+  isPending: boolean;
 }
 
 export const TotpForm = (props: TotpFormProps) => {
-  const { onSubmit, isLoading } = props;
+  const { onSubmit, isPending } = props;
 
   const form = useForm({
     mode: "uncontrolled",
@@ -32,7 +32,7 @@ export const TotpForm = (props: TotpFormProps) => {
         placeholder=""
         {...form.getInputProps("code")}
       />
-      <Button type="submit" mt="xl" loading={isLoading} fullWidth>
+      <Button type="submit" mt="xl" loading={isPending} fullWidth>
         Verify
       </Button>
     </form>

frontend/src/context/app-context.tsx

@@ -1,4 +1,4 @@
-import { useQuery } from "@tanstack/react-query";
+import { useSuspenseQuery } from "@tanstack/react-query";
 import React, { createContext, useContext } from "react";
 import axios from "axios";
 import { AppContextSchemaType } from "../schemas/app-context-schema";
@@ -14,7 +14,7 @@ export const AppContextProvider = ({
     data: userContext,
     isLoading,
     error,
-  } = useQuery({
+  } = useSuspenseQuery({
     queryKey: ["appContext"],
     queryFn: async () => {
       const res = await axios.get("/api/app");

frontend/src/context/user-context.tsx

@@ -1,4 +1,4 @@
-import { useQuery } from "@tanstack/react-query";
+import { useSuspenseQuery } from "@tanstack/react-query";
 import React, { createContext, useContext } from "react";
 import axios from "axios";
 import { UserContextSchemaType } from "../schemas/user-context-schema";
@@ -14,7 +14,7 @@ export const UserContextProvider = ({
     data: userContext,
     isLoading,
     error,
-  } = useQuery({
+  } = useSuspenseQuery({
     queryKey: ["userContext"],
     queryFn: async () => {
       const res = await axios.get("/api/user");

frontend/src/icons/tailscale.tsx

@@ -1,27 +0,0 @@
-import { useMantineColorScheme } from "@mantine/core";
-import type { SVGProps } from "react";
-
-export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
-  const { colorScheme } = useMantineColorScheme();
-  return (
-    <svg
-      xmlns="http://www.w3.org/2000/svg"
-      viewBox="0 0 512 512"
-      width={24}
-      height={24}
-      {...props}
-    >
-      {colorScheme === "dark" ? (
-        <>
-          <path xmlns="http://www.w3.org/2000/svg" d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9" fill="#ffffff"/>
-          <path xmlns="http://www.w3.org/2000/svg" d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9" fill="#CCCAC9" opacity="0.2"/>
-        </>
-      ) : (
-        <>
-          <path xmlns="http://www.w3.org/2000/svg" d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"/>
-          <path xmlns="http://www.w3.org/2000/svg" d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9" opacity=".2"/>
-        </>
-      )}
-    </svg>
-  );
-}

frontend/src/index.css

@@ -0,0 +1,4 @@
+span,
+p {
+  word-break: break-word;
+}

frontend/src/lib/hooks/use-is-mounted.ts

@@ -0,0 +1,26 @@
+import { useCallback, useEffect, useRef } from 'react'
+
+/**
+ * Custom hook that determines if the component is currently mounted.
+ * @returns {() => boolean} A function that returns a boolean value indicating whether the component is mounted.
+ * @public
+ * @see [Documentation](https://usehooks-ts.com/react-hook/use-is-mounted)
+ * @example
+ * ```tsx
+ * const isComponentMounted = useIsMounted();
+ * // Use isComponentMounted() to check if the component is currently mounted before performing certain actions.
+ * ```
+ */
+export function useIsMounted(): () => boolean {
+  const isMounted = useRef(false)
+
+  useEffect(() => {
+    isMounted.current = true
+
+    return () => {
+      isMounted.current = false
+    }
+  }, [])
+
+  return useCallback(() => isMounted.current, [])
+}

frontend/src/lib/i18n/i18n.ts

@@ -5,6 +5,20 @@ import ChainedBackend from "i18next-chained-backend";
 import resourcesToBackend from "i18next-resources-to-backend";
 import HttpBackend from "i18next-http-backend";
 
+const backends = [
+  HttpBackend,
+  resourcesToBackend(
+    (language: string) => import(`./locales/${language}.json`),
+  ),
+]
+
+const backendOptions =  [
+  {
+    loadPath: "https://cdn.tinyauth.app/i18n/v1/{{lng}}.json",
+  },
+  {}
+]
+
 i18n
   .use(ChainedBackend)
   .use(LanguageDetector)
@@ -20,17 +34,8 @@ i18n
     load: "currentOnly",
 
     backend: {
-      backends: [
-        HttpBackend,
-        resourcesToBackend(
-          (language: string) => import(`./locales/${language}.json`),
-        ),
-      ],
-      backendOptions: [
-        {
-          loadPath: "https://cdn.tinyauth.app/i18n/v1/{{lng}}.json",
-        },
-      ],
+      backends: import.meta.env.MODE !== "development" ? backends : backends.reverse(),
+      backendOptions: import.meta.env.MODE !== "development" ? backendOptions : backendOptions.reverse()
     },
   });
 

frontend/src/lib/i18n/locales/af-ZA.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ar-SA.json

@@ -1,46 +1,51 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "loginTitle": "مرحبا بعودتك، قم بتسجيل الدخول باستخدام",
+    "loginDivider": "أو المتابعة بكلمة المرور",
+    "loginUsername": "اسم المستخدم",
+    "loginPassword": "كلمة المرور",
+    "loginSubmit": "تسجيل الدخول",
+    "loginFailTitle": "فشل تسجيل الدخول",
+    "loginFailSubtitle": "الرجاء التحقق من اسم المستخدم وكلمة المرور",
+    "loginFailRateLimit": "فشلت في تسجيل الدخول عدة مرات، الرجاء المحاولة مرة أخرى لاحقا",
+    "loginSuccessTitle": "تم تسجيل الدخول",
+    "loginSuccessSubtitle": "مرحبا بعودتك!",
+    "loginOauthFailTitle": "خطأ داخلي",
+    "loginOauthFailSubtitle": "فشل في الحصول على رابط OAuth",
+    "loginOauthSuccessTitle": "إعادة توجيه",
+    "loginOauthSuccessSubtitle": "إعادة توجيه إلى مزود OAuth الخاص بك",
+    "continueRedirectingTitle": "إعادة توجيه...",
+    "continueRedirectingSubtitle": "يجب إعادة توجيهك إلى التطبيق قريبا",
+    "continueInvalidRedirectTitle": "إعادة توجيه غير صالحة",
+    "continueInvalidRedirectSubtitle": "رابط إعادة التوجيه غير صالح",
+    "continueInsecureRedirectTitle": "إعادة توجيه غير آمنة",
+    "continueInsecureRedirectSubtitle": "أنت تحاول إعادة التوجيه من <Code>https</Code> إلى <Code>http</Code>، هل أنت متأكد أنك تريد المتابعة؟",
+    "continueTitle": "متابعة",
+    "continueSubtitle": "انقر الزر للمتابعة إلى التطبيق الخاص بك.",
+    "internalErrorTitle": "خطأ داخلي في الخادم",
+    "internalErrorSubtitle": "حدث خطأ على الخادم ولا يمكن حاليا تلبية طلبك.",
+    "internalErrorButton": "حاول مجددا",
+    "logoutFailTitle": "فشل تسجيل الخروج",
+    "logoutFailSubtitle": "يرجى إعادة المحاولة",
+    "logoutSuccessTitle": "تم تسجيل الخروج",
+    "logoutSuccessSubtitle": "تم تسجيل خروجك",
+    "logoutTitle": "تسجيل الخروج",
+    "logoutUsernameSubtitle": "أنت حاليا مسجل الدخول ك <Code>{{username}}</Code>، انقر الزر أدناه لتسجيل الخروج.",
+    "logoutOauthSubtitle": "أنت حاليا مسجل الدخول ك <Code>{{username}}</Code> باستخدام مزود OAuth {{provider}} ، انقر الزر أدناه لتسجيل الخروج.",
+    "notFoundTitle": "الصفحة غير موجودة",
+    "notFoundSubtitle": "الصفحة التي تبحث عنها غير موجودة.",
+    "notFoundButton": "انتقل إلى الرئيسية",
+    "totpFailTitle": "فشل في التحقق من الرمز",
+    "totpFailSubtitle": "الرجاء التحقق من الرمز الخاص بك وحاول مرة أخرى",
+    "totpSuccessTitle": "تم التحقق",
+    "totpSuccessSubtitle": "إعادة توجيه إلى تطبيقك",
+    "totpTitle": "أدخل رمز TOTP الخاص بك",
+    "unauthorizedTitle": "غير مرخص",
+    "unauthorizedResourceSubtitle": "المستخدم الذي يحمل اسم المستخدم <Code>{{username}}</Code> غير مصرح له بالوصول إلى المورد <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "حاول مجددا",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "إلغاء",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ca-ES.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/cs-CZ.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/da-DK.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/de-DE.json

@@ -7,40 +7,45 @@
     "loginFailTitle": "Login fehlgeschlagen",
     "loginFailSubtitle": "Bitte überprüfe deinen Benutzernamen und Passwort",
     "loginFailRateLimit": "Sie konnten sich zu oft nicht einloggen, bitte versuchen Sie es später erneut",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "loginSuccessTitle": "Angemeldet",
+    "loginSuccessSubtitle": "Willkommen zurück!",
+    "loginOauthFailTitle": "Interner Fehler",
+    "loginOauthFailSubtitle": "Fehler beim Abrufen der OAuth-URL",
+    "loginOauthSuccessTitle": "Leite weiter",
+    "loginOauthSuccessSubtitle": "Weiterleitung zu Ihrem OAuth-Provider",
+    "continueRedirectingTitle": "Leite weiter...",
+    "continueRedirectingSubtitle": "Sie sollten in Kürze zur App weitergeleitet werden",
+    "continueInvalidRedirectTitle": "Ungültige Weiterleitung",
+    "continueInvalidRedirectSubtitle": "Die Weiterleitungs-URL ist ungültig",
+    "continueInsecureRedirectTitle": "Unsichere Weiterleitung",
+    "continueInsecureRedirectSubtitle": "Sie versuchen von <Code>https</Code> auf <Code>http</Code>weiterzuleiten. Sind Sie sicher, dass Sie fortfahren möchten?",
+    "continueTitle": "Weiter",
+    "continueSubtitle": "Klicken Sie auf den Button, um zur App zu gelangen.",
+    "internalErrorTitle": "Interner Serverfehler",
+    "internalErrorSubtitle": "Ein Error ist auf dem Server aufgetreten, weshalb ihre Anfrage derzeit nicht bearbeitet werden kann.",
+    "internalErrorButton": "Erneut versuchen",
+    "logoutFailTitle": "Abmelden fehlgeschlagen",
+    "logoutFailSubtitle": "Bitte versuchen Sie es erneut",
+    "logoutSuccessTitle": "Abgemeldet",
+    "logoutSuccessSubtitle": "Sie wurden abgemeldet",
+    "logoutTitle": "Abmelden",
+    "logoutUsernameSubtitle": "Sie sind derzeit als <Code>{{username}}</Code>angemeldet. Klicken Sie auf den Button unten, um sich abzumelden.",
+    "logoutOauthSubtitle": "Sie sind derzeit als <Code>{{username}}</Code> mit dem {{provider}} OAuth-Anbieter angemeldet. Klicken Sie auf den Button unten, um sich abzumelden.",
+    "notFoundTitle": "Seite nicht gefunden",
+    "notFoundSubtitle": "Die gesuchte Seite existiert nicht.",
+    "notFoundButton": "Nach Hause",
+    "totpFailTitle": "Fehler beim Verifizieren des Codes",
+    "totpFailSubtitle": "Bitte überprüfen Sie Ihren Code und versuchen Sie es erneut",
+    "totpSuccessTitle": "Verifiziert",
+    "totpSuccessSubtitle": "Leite zur App weiter",
+    "totpTitle": "Geben Sie Ihren TOTP Code ein",
+    "unauthorizedTitle": "Unautorisiert",
+    "unauthorizedResourceSubtitle": "Der Benutzer mit Benutzername <Code>{{username}}</Code> ist nicht berechtigt auf die Ressource <Code>{{resource}}</Code> zuzugreifen.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Erneut versuchen",
+    "untrustedRedirectTitle": "Nicht vertrauenswürdige Weiterleitung",
+    "untrustedRedirectSubtitle": "Sie versuchen auf eine Domain umzuleiten, die nicht mit Ihrer konfigurierten Domain übereinstimmt (<Code>{{domain}}</Code>). Sind Sie sicher, dass Sie fortfahren möchten?",
+    "cancelTitle": "Abbrechen",
+    "forgotPasswordTitle": "Passwort vergessen?"
 }

frontend/src/lib/i18n/locales/el-GR.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Ανακατεύθυνση στην εφαρμογή σας",
     "totpTitle": "Εισάγετε τον κωδικό TOTP",
     "unauthorizedTitle": "Μη εξουσιοδοτημένο",
-    "unauthorizedResourceSubtitle": "Ο χρήστης με όνομα χρήστη <Code>{{username}}<Code/> δεν έχει άδεια πρόσβασης στον πόρο <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "Ο χρήστης με όνομα χρήστη <Code>{{username}}<Code/> δεν είναι εξουσιοδοτημένος να συνδεθεί.",
-    "unauthorizedButton": "Προσπαθήστε ξανά"
+    "unauthorizedResourceSubtitle": "Ο χρήστης με όνομα χρήστη <Code>{{username}}</Code> δεν έχει άδεια πρόσβασης στον πόρο <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "Ο χρήστης με όνομα χρήστη <Code>{{username}}</Code> δεν είναι εξουσιοδοτημένος να συνδεθεί.",
+    "unauthorizedGroupsSubtitle": "Ο χρήστης με όνομα χρήστη <Code>{{username}}</Code> δεν είναι στις ομάδες που απαιτούνται από τον πόρο <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Προσπαθήστε ξανά",
+    "untrustedRedirectTitle": "Μη έμπιστη ανακατεύθυνση",
+    "untrustedRedirectSubtitle": "Προσπαθείτε να ανακατευθύνετε σε έναν τομέα που δεν ταιριάζει με τον ρυθμισμένο τομέα σας (<Code>{{domain}}</Code>). Είστε βέβαιοι ότι θέλετε να συνεχίσετε;",
+    "cancelTitle": "Ακύρωση",
+    "forgotPasswordTitle": "Ξεχάσατε το συνθηματικό σας;"
 }

frontend/src/lib/i18n/locales/en-US.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/en.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/es-ES.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/fi-FI.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/fr-FR.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirection vers votre application",
     "totpTitle": "Saisissez votre code TOTP",
     "unauthorizedTitle": "Non autorisé",
-    "unauthorizedResourceSubtitle": "L'utilisateur avec le nom d'utilisateur <Code>{{username}}<Code/> n'est pas autorisé à accéder à la ressource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "L'utilisateur avec le nom d'utilisateur <Code>{{username}}<Code/> n'est pas autorisé à se connecter.",
-    "unauthorizedButton": "Réessayer"
+    "unauthorizedResourceSubtitle": "L'utilisateur avec le nom d'utilisateur <Code>{{username}}</Code> n'est pas autorisé à accéder à la ressource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Réessayer",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/he-IL.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/hu-HU.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/it-IT.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ja-JP.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ko-KR.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/nl-NL.json

@@ -5,42 +5,47 @@
     "loginPassword": "Wachtwoord",
     "loginSubmit": "Log in",
     "loginFailTitle": "Mislukt om in te loggen",
-    "loginFailSubtitle": "Gelieve uw gebruikersnaam en wachtwoord te controleren",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "loginFailSubtitle": "Controleer je gebruikersnaam en wachtwoord",
+    "loginFailRateLimit": "Inloggen te vaak mislukt, probeer het later opnieuw",
+    "loginSuccessTitle": "Ingelogd",
+    "loginSuccessSubtitle": "Welkom terug!",
+    "loginOauthFailTitle": "Interne fout",
+    "loginOauthFailSubtitle": "Fout bij het ophalen van OAuth URL",
+    "loginOauthSuccessTitle": "Omleiden",
+    "loginOauthSuccessSubtitle": "Omleiden naar je OAuth provider",
+    "continueRedirectingTitle": "Omleiden...",
+    "continueRedirectingSubtitle": "Je wordt naar de app doorgestuurd",
+    "continueInvalidRedirectTitle": "Ongeldige omleiding",
+    "continueInvalidRedirectSubtitle": "De omleidings-URL is ongeldig",
+    "continueInsecureRedirectTitle": "Onveilige doorverwijzing",
+    "continueInsecureRedirectSubtitle": "Je probeert door te verwijzen van <Code>https</Code> naar <Code>http</Code>, weet je zeker dat je wilt doorgaan?",
+    "continueTitle": "Ga verder",
+    "continueSubtitle": "Klik op de knop om door te gaan naar de app.",
+    "internalErrorTitle": "Interne server fout",
+    "internalErrorSubtitle": "Er is een fout opgetreden op de server en het kan momenteel niet voldoen aan je verzoek.",
+    "internalErrorButton": "Opnieuw proberen",
+    "logoutFailTitle": "Afmelden mislukt",
+    "logoutFailSubtitle": "Probeer het opnieuw",
+    "logoutSuccessTitle": "Afgemeld",
+    "logoutSuccessSubtitle": "Je bent afgemeld",
+    "logoutTitle": "Afmelden",
+    "logoutUsernameSubtitle": "Je bent momenteel ingelogd als <Code>{{username}}</Code>, klik op de knop hieronder om uit te loggen.",
+    "logoutOauthSubtitle": "Je bent momenteel ingelogd als <Code>{{username}}</Code> met behulp van de {{provider}} OAuth provider, klik op de knop hieronder om uit te loggen.",
+    "notFoundTitle": "Pagina niet gevonden",
+    "notFoundSubtitle": "De pagina die je zoekt bestaat niet.",
+    "notFoundButton": "Naar startpagina",
+    "totpFailTitle": "Verifiëren van code mislukt",
+    "totpFailSubtitle": "Controleer je code en probeer het opnieuw",
+    "totpSuccessTitle": "Geverifiëerd",
+    "totpSuccessSubtitle": "Omleiden naar je app",
+    "totpTitle": "Voer je TOTP-code in",
+    "unauthorizedTitle": "Ongeautoriseerd",
+    "unauthorizedResourceSubtitle": "De gebruiker met gebruikersnaam <Code>{{username}}</Code> heeft geen toegang tot de bron <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Opnieuw proberen",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/no-NO.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/pl-PL.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Przekierowywanie do aplikacji",
     "totpTitle": "Wprowadź kod TOTP",
     "unauthorizedTitle": "Nieautoryzowany",
-    "unauthorizedResourceSubtitle": "Użytkownik o nazwie <Code>{{username}}<Code/> nie jest upoważniony do uzyskania dostępu do zasobu <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "Użytkownik o nazwie <Code>{{username}}<Code/> nie jest upoważniony do logowania.",
-    "unauthorizedButton": "Spróbuj ponownie"
+    "unauthorizedResourceSubtitle": "Użytkownik o nazwie <Code>{{username}}</Code> nie jest upoważniony do uzyskania dostępu do zasobu <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Spróbuj ponownie",
+    "untrustedRedirectTitle": "Niezaufane przekierowanie",
+    "untrustedRedirectSubtitle": "Próbujesz przekierować do domeny, która nie pasuje do skonfigurowanej przez Ciebie domeny (<Code>{{domain}}</Code>). Czy na pewno chcesz kontynuować?",
+    "cancelTitle": "Anuluj",
+    "forgotPasswordTitle": "Nie pamiętasz hasła?"
 }

frontend/src/lib/i18n/locales/pt-BR.json

@@ -1,46 +1,51 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "loginTitle": "Bem-vindo de volta, acesse com",
+    "loginDivider": "Ou continuar com uma senha",
+    "loginUsername": "Nome de usuário",
+    "loginPassword": "Senha",
+    "loginSubmit": "Entrar",
+    "loginFailTitle": "Falha ao iniciar sessão",
+    "loginFailSubtitle": "Por favor, verifique seu usuário e senha",
+    "loginFailRateLimit": "Você falhou em iniciar sessão muitas vezes, por favor tente novamente mais tarde",
+    "loginSuccessTitle": "Sessão Iniciada",
+    "loginSuccessSubtitle": "Bem-vindo de volta!",
+    "loginOauthFailTitle": "Erro interno",
+    "loginOauthFailSubtitle": "Falha ao obter URL de OAuth",
+    "loginOauthSuccessTitle": "Redirecionando",
+    "loginOauthSuccessSubtitle": "Redirecionando para seu provedor OAuth",
+    "continueRedirectingTitle": "Redirecionando...",
+    "continueRedirectingSubtitle": "Você deve ser redirecionado para o aplicativo em breve",
+    "continueInvalidRedirectTitle": "Redirecionamento inválido",
+    "continueInvalidRedirectSubtitle": "O endereço de redirecionamento é inválido",
+    "continueInsecureRedirectTitle": "Redirecionamento inseguro",
+    "continueInsecureRedirectSubtitle": "Você está tentando redirecionar de <Code>https</Code> para <Code>http</Code>, você tem certeza que deseja continuar?",
+    "continueTitle": "Continuar",
+    "continueSubtitle": "Clique no botão para continuar para o seu aplicativo.",
+    "internalErrorTitle": "Erro interno do servidor",
+    "internalErrorSubtitle": "Ocorreu um erro no servidor e atualmente não pode servir sua solicitação.",
+    "internalErrorButton": "Tentar novamente",
+    "logoutFailTitle": "Falha ao encerrar sessão",
+    "logoutFailSubtitle": "Por favor, tente novamente",
+    "logoutSuccessTitle": "Sessão encerrada",
+    "logoutSuccessSubtitle": "Você foi desconectado",
+    "logoutTitle": "Sair",
+    "logoutUsernameSubtitle": "Você está atualmente logado como <Code>{{username}}</Code>, clique no botão abaixo para sair.",
+    "logoutOauthSubtitle": "Você está atualmente logado como <Code>{{username}}</Code> usando o provedor {{provider}} OAuth, clique no botão abaixo para sair.",
+    "notFoundTitle": "Página não encontrada",
+    "notFoundSubtitle": "A página que você está procurando não existe.",
+    "notFoundButton": "Voltar para a tela inicial",
+    "totpFailTitle": "Falha ao verificar código",
+    "totpFailSubtitle": "Por favor, verifique seu código e tente novamente",
+    "totpSuccessTitle": "Verificado",
+    "totpSuccessSubtitle": "Redirecionando para o seu aplicativo",
+    "totpTitle": "Insira o seu código TOTP",
+    "unauthorizedTitle": "Não autorizado",
+    "unauthorizedResourceSubtitle": "O usuário com nome de usuário <Code>{{username}}</Code> não está autorizado a acessar o recurso <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Tentar novamente",
+    "untrustedRedirectTitle": "Redirecionamento não confiável",
+    "untrustedRedirectSubtitle": "Você está tentando redirecionar para um domínio que não corresponde ao seu domínio configurado (<Code>{{domain}}</Code>). Tem certeza que deseja continuar?",
+    "cancelTitle": "Cancelar",
+    "forgotPasswordTitle": "Esqueceu sua senha?"
 }

frontend/src/lib/i18n/locales/pt-PT.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ro-RO.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/ru-RU.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/sr-SP.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/sv-SE.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/tr-TR.json

@@ -1,46 +1,51 @@
 {
     "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
+    "loginDivider": "Ya da şifre ile devam edin",
+    "loginUsername": "Kullanıcı Adı",
+    "loginPassword": "Şifre",
+    "loginSubmit": "Giriş Yap",
+    "loginFailTitle": "Giriş yapılamadı",
     "loginFailSubtitle": "Please check your username and password",
     "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessTitle": "Giriş yapıldı",
+    "loginSuccessSubtitle": "Tekrar hoş geldiniz!",
     "loginOauthFailTitle": "Internal error",
     "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Yönlendiriliyor",
     "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Yönlendiriliyor...",
     "continueRedirectingSubtitle": "You should be redirected to the app soon",
     "continueInvalidRedirectTitle": "Invalid redirect",
     "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
     "continueInsecureRedirectTitle": "Insecure redirect",
     "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
+    "continueTitle": "Devam et",
     "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
+    "internalErrorTitle": "İç Sunucu Hatası",
     "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
+    "internalErrorButton": "Tekrar deneyin",
     "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
+    "logoutFailSubtitle": "Lütfen tekrar deneyin",
+    "logoutSuccessTitle": "Çıkış yapıldı",
     "logoutSuccessSubtitle": "You have been logged out",
     "logoutTitle": "Logout",
     "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
     "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
+    "notFoundTitle": "Sayfa bulunamadı",
+    "notFoundSubtitle": "Aradığınız sayfa mevcut değil.",
+    "notFoundButton": "Ana sayfaya git",
+    "totpFailTitle": "Kod doğrulanamadı",
     "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Doğrulandı",
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "İptal",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/uk-UA.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/vi-VN.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/zh-CN.json

@@ -1,46 +1,51 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "loginTitle": "欢迎回来，请登录",
+    "loginDivider": "或者继续使用密码",
+    "loginUsername": "用户名",
+    "loginPassword": "密码",
+    "loginSubmit": "登录",
+    "loginFailTitle": "登录失败",
+    "loginFailSubtitle": "请检查您的用户名和密码",
+    "loginFailRateLimit": "您登录次数过多，请稍后再试",
+    "loginSuccessTitle": "已登录",
+    "loginSuccessSubtitle": "欢迎回来！",
+    "loginOauthFailTitle": "内部错误",
+    "loginOauthFailSubtitle": "获取 OAuth URL 失败",
+    "loginOauthSuccessTitle": "重定向中",
+    "loginOauthSuccessSubtitle": "重定向到您的 OAuth 提供商",
+    "continueRedirectingTitle": "正在重定向……",
+    "continueRedirectingSubtitle": "您应该很快被重定向到应用",
+    "continueInvalidRedirectTitle": "无效的重定向",
+    "continueInvalidRedirectSubtitle": "重定向URL无效",
+    "continueInsecureRedirectTitle": "不安全的重定向",
+    "continueInsecureRedirectSubtitle": "您正在尝试将 <Code>https</Code> 重定向到 <Code>http</Code>，您确定要继续吗？",
+    "continueTitle": "继续",
+    "continueSubtitle": "点击按钮以继续您的应用。",
+    "internalErrorTitle": "服务器内部错误",
+    "internalErrorSubtitle": "服务器上发生错误，当前无法满足您的请求。",
+    "internalErrorButton": "重试",
+    "logoutFailTitle": "注销失败",
+    "logoutFailSubtitle": "请重试",
+    "logoutSuccessTitle": "已登出",
+    "logoutSuccessSubtitle": "您已登出",
+    "logoutTitle": "登出",
+    "logoutUsernameSubtitle": "您当前以 <Code>{{username}}</Code> 的身份登录，点击下方按钮退出登录。",
+    "logoutOauthSubtitle": "您当前以 <Code>{{username}}</Code> 的身份登录，使用的是 {{provider}} OAuth 提供商，点击下方按钮退出登录。",
+    "notFoundTitle": "无法找到页面",
+    "notFoundSubtitle": "您正在查找的页面不存在。",
+    "notFoundButton": "回到主页",
+    "totpFailTitle": "无法验证代码",
+    "totpFailSubtitle": "请检查您的代码并重试",
+    "totpSuccessTitle": "已验证",
+    "totpSuccessSubtitle": "重定向到您的应用",
+    "totpTitle": "输入您的 TOTP 代码",
+    "unauthorizedTitle": "未授权",
+    "unauthorizedResourceSubtitle": "用户 <Code>{{username}}</Code> 无权访问资源 <Code>{{resource}}</Code>。",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "重试",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/lib/i18n/locales/zh-TW.json

@@ -40,7 +40,12 @@
     "totpSuccessSubtitle": "Redirecting to your app",
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}<Code/> is not authorized to login.",
-    "unauthorizedButton": "Try again"
+    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedButton": "Try again",
+    "untrustedRedirectTitle": "Untrusted redirect",
+    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?"
 }

frontend/src/main.tsx

@@ -18,14 +18,10 @@ import { InternalServerError } from "./pages/internal-server-error.tsx";
 import { TotpPage } from "./pages/totp-page.tsx";
 import { AppContextProvider } from "./context/app-context.tsx";
 import "./lib/i18n/i18n.ts";
+import { ForgotPasswordPage } from "./pages/forgot-password-page.tsx";
+import "./index.css";
 
-const queryClient = new QueryClient({
-  defaultOptions: {
-    queries: {
-      suspense: true,
-    },
-  },
-});
+const queryClient = new QueryClient();
 
 createRoot(document.getElementById("root")!).render(
   <StrictMode>
@@ -43,6 +39,10 @@ createRoot(document.getElementById("root")!).render(
                 <Route path="/continue" element={<ContinuePage />} />
                 <Route path="/unauthorized" element={<UnauthorizedPage />} />
                 <Route path="/error" element={<InternalServerError />} />
+                <Route
+                  path="/forgot-password"
+                  element={<ForgotPasswordPage />}
+                />
                 <Route path="*" element={<NotFoundPage />} />
               </Routes>
             </BrowserRouter>

frontend/src/pages/continue-page.tsx

@@ -4,7 +4,7 @@ import { Navigate } from "react-router";
 import { useUserContext } from "../context/user-context";
 import { Layout } from "../components/layouts/layout";
 import { ReactNode } from "react";
-import { isQueryValid } from "../utils/utils";
+import { escapeRegex, isValidRedirectUri } from "../utils/utils";
 import { useAppContext } from "../context/app-context";
 import { Trans, useTranslation } from "react-i18next";
 
@@ -14,14 +14,14 @@ export const ContinuePage = () => {
   const redirectUri = params.get("redirect_uri") ?? "";
 
   const { isLoggedIn } = useUserContext();
-  const { disableContinue } = useAppContext();
+  const { disableContinue, domain } = useAppContext();
   const { t } = useTranslation();
 
   if (!isLoggedIn) {
     return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
   }
 
-  if (!isQueryValid(redirectUri)) {
+  if (!isValidRedirectUri(redirectUri)) {
     return <Navigate to="/" />;
   }
 
@@ -51,6 +51,35 @@ export const ContinuePage = () => {
     );
   }
 
+  const regex = new RegExp(`^.*${escapeRegex(domain)}$`);
+
+  if (!regex.test(uri.hostname)) {
+    return (
+      <ContinuePageLayout>
+        <Text size="xl" fw={700}>
+          {t("untrustedRedirectTitle")}
+        </Text>
+        <Trans
+          i18nKey="untrustedRedirectSubtitle"
+          t={t}
+          components={{ Code: <Code /> }}
+          values={{ domain: domain }}
+        />
+        <Button fullWidth mt="xl" color="red" onClick={redirect}>
+          {t("continueTitle")}
+        </Button>
+        <Button
+          fullWidth
+          mt="xs"
+          color="gray"
+          onClick={() => (window.location.href = "/")}
+        >
+          {t("cancelTitle")}
+        </Button>
+      </ContinuePageLayout>
+    );
+  }
+
   if (disableContinue) {
     window.location.href = redirectUri;
     return (
@@ -79,6 +108,14 @@ export const ContinuePage = () => {
         <Button fullWidth mt="xl" color="yellow" onClick={redirect}>
           {t("continueTitle")}
         </Button>
+        <Button
+          fullWidth
+          mt="xs"
+          color="gray"
+          onClick={() => (window.location.href = "/")}
+        >
+          {t("cancelTitle")}
+        </Button>
       </ContinuePageLayout>
     );
   }

frontend/src/pages/forgot-password-page.tsx

@@ -0,0 +1,25 @@
+import { Paper, Text, TypographyStylesProvider } from "@mantine/core";
+import { Layout } from "../components/layouts/layout";
+import { useTranslation } from "react-i18next";
+import { useAppContext } from "../context/app-context";
+import Markdown from 'react-markdown'
+
+export const ForgotPasswordPage = () => {
+  const { t } = useTranslation();
+  const { forgotPasswordMessage } = useAppContext();
+
+  return (
+    <Layout>
+      <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
+        <Text size="xl" fw={700}>
+          {t("forgotPasswordTitle")}
+        </Text>
+        <TypographyStylesProvider>
+            <Markdown>
+                {forgotPasswordMessage}
+            </Markdown>
+        </TypographyStylesProvider>
+      </Paper>
+    </Layout>
+  );
+};

frontend/src/pages/login-page.tsx

@@ -8,9 +8,11 @@ import { Layout } from "../components/layouts/layout";
 import { OAuthButtons } from "../components/auth/oauth-buttons";
 import { LoginFormValues } from "../schemas/login-schema";
 import { LoginForm } from "../components/auth/login-forn";
-import { isQueryValid } from "../utils/utils";
 import { useAppContext } from "../context/app-context";
 import { useTranslation } from "react-i18next";
+import { useEffect, useState } from "react";
+import { useIsMounted } from "../lib/hooks/use-is-mounted";
+import { isValidRedirectUri } from "../utils/utils";
 
 export const LoginPage = () => {
   const queryString = window.location.search;
@@ -18,16 +20,29 @@ export const LoginPage = () => {
   const redirectUri = params.get("redirect_uri") ?? "";
 
   const { isLoggedIn } = useUserContext();
-  const { configuredProviders, title, genericName } = useAppContext();
+
+  if (isLoggedIn) {
+    return <Navigate to="/logout" />;
+  }
+
+  const {
+    configuredProviders,
+    title,
+    genericName,
+    oauthAutoRedirect: oauthAutoRedirectContext,
+  } = useAppContext();
+
   const { t } = useTranslation();
 
+  const [oauthAutoRedirect, setOAuthAutoRedirect] = useState(
+    oauthAutoRedirectContext,
+  );
+
   const oauthProviders = configuredProviders.filter(
     (value) => value !== "username",
   );
 
-  if (isLoggedIn) {
-    return <Navigate to="/logout" />;
-  }
+  const isMounted = useIsMounted();
 
   const loginMutation = useMutation({
     mutationFn: (login: LoginFormValues) => {
@@ -63,7 +78,7 @@ export const LoginPage = () => {
       });
 
       setTimeout(() => {
-        if (!isQueryValid(redirectUri)) {
+        if (!isValidRedirectUri(redirectUri)) {
           window.location.replace("/");
           return;
         }
@@ -85,6 +100,7 @@ export const LoginPage = () => {
         message: t("loginOauthFailSubtitle"),
         color: "red",
       });
+      setOAuthAutoRedirect("none");
     },
     onSuccess: (data) => {
       notifications.show({
@@ -102,6 +118,33 @@ export const LoginPage = () => {
     loginMutation.mutate(values);
   };
 
+  useEffect(() => {
+    if (isMounted()) {
+      if (
+        oauthProviders.includes(oauthAutoRedirect) &&
+        isValidRedirectUri(redirectUri)
+      ) {
+        loginOAuthMutation.mutate(oauthAutoRedirect);
+      }
+    }
+  }, []);
+
+  if (
+    oauthProviders.includes(oauthAutoRedirect) &&
+    isValidRedirectUri(redirectUri)
+  ) {
+    return (
+      <Layout>
+        <Paper shadow="md" p="xl" mt={30} radius="md" withBorder>
+          <Text size="xl" fw={700}>
+            {t("continueRedirectingTitle")}
+          </Text>
+          <Text>{t("loginOauthSuccessSubtitle")}</Text>
+        </Paper>
+      </Layout>
+    );
+  }
+
   return (
     <Layout>
       <Title ta="center">{title}</Title>
@@ -113,7 +156,7 @@ export const LoginPage = () => {
             </Text>
             <OAuthButtons
               oauthProviders={oauthProviders}
-              isLoading={loginOAuthMutation.isLoading}
+              isPending={loginOAuthMutation.isPending}
               mutate={loginOAuthMutation.mutate}
               genericName={genericName}
             />
@@ -128,7 +171,7 @@ export const LoginPage = () => {
         )}
         {configuredProviders.includes("username") && (
           <LoginForm
-            isLoading={loginMutation.isLoading}
+            isPending={loginMutation.isPending}
             onSubmit={handleSubmit}
           />
         )}

frontend/src/pages/logout-page.tsx

@@ -10,7 +10,7 @@ import { useAppContext } from "../context/app-context";
 import { Trans, useTranslation } from "react-i18next";
 
 export const LogoutPage = () => {
-  const { isLoggedIn, username, oauth, provider } = useUserContext();
+  const { isLoggedIn, oauth, provider, email, username } = useUserContext();
   const { genericName } = useAppContext();
   const { t } = useTranslation();
 
@@ -56,7 +56,7 @@ export const LogoutPage = () => {
               values={{
                 provider:
                   provider === "generic" ? genericName : capitalize(provider),
-                username: username,
+                username: email,
               }}
             />
           ) : (
@@ -74,7 +74,7 @@ export const LogoutPage = () => {
           fullWidth
           mt="xl"
           onClick={() => logoutMutation.mutate()}
-          loading={logoutMutation.isLoading}
+          loading={logoutMutation.isPending}
         >
           {t("logoutTitle")}
         </Button>

frontend/src/pages/totp-page.tsx

@@ -57,7 +57,7 @@ export const TotpPage = () => {
           {t("totpTitle")}
         </Text>
         <TotpForm
-          isLoading={totpMutation.isLoading}
+          isPending={totpMutation.isPending}
           onSubmit={(values) => totpMutation.mutate(values)}
         />
       </Paper>

frontend/src/pages/unauthorized-page.tsx

@@ -1,48 +1,90 @@
 import { Button, Code, Paper, Text } from "@mantine/core";
 import { Layout } from "../components/layouts/layout";
 import { Navigate } from "react-router";
-import { isQueryValid } from "../utils/utils";
 import { Trans, useTranslation } from "react-i18next";
+import React, { useEffect } from "react";
+import { isValidQuery } from "../utils/utils";
+import { useIsMounted } from "../lib/hooks/use-is-mounted";
 
 export const UnauthorizedPage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const username = params.get("username") ?? "";
+  const groupErr = params.get("groupErr") ?? "";
   const resource = params.get("resource") ?? "";
 
+  const [isGroupErr, setIsGroupErr] = React.useState(false);
+
+  const useMounted = useIsMounted();
+
+  useEffect(() => {
+    if (useMounted()) {
+      if (isValidQuery(groupErr)) {
+        if (groupErr === "true") {
+          setIsGroupErr(true);
+          return;
+        }
+        setIsGroupErr(false);
+        return;
+      }
+      setIsGroupErr(false);
+    }
+  }, []);
+
   const { t } = useTranslation();
 
-  if (!isQueryValid(username)) {
+  if (!isValidQuery(username)) {
     return <Navigate to="/" />;
   }
 
+  if (isValidQuery(resource) && !isGroupErr) {
+    return (
+      <UnauthorizedLayout>
+        <Trans
+          i18nKey="unauthorizedResourceSubtitle"
+          t={t}
+          components={{ Code: <Code /> }}
+          values={{ resource, username }}
+        />
+      </UnauthorizedLayout>
+    );
+  }
+
+  if (isGroupErr && isValidQuery(resource)) {
+    return (
+      <UnauthorizedLayout>
+        <Trans
+          i18nKey="unauthorizedGroupsSubtitle"
+          t={t}
+          components={{ Code: <Code /> }}
+          values={{ username, resource }}
+        />
+      </UnauthorizedLayout>
+    );
+  }
+
+  return (
+    <UnauthorizedLayout>
+      <Trans
+        i18nKey="unauthorizedLoginSubtitle"
+        t={t}
+        components={{ Code: <Code /> }}
+        values={{ username }}
+      />
+    </UnauthorizedLayout>
+  );
+};
+
+const UnauthorizedLayout = ({ children }: { children: React.ReactNode }) => {
+  const { t } = useTranslation();
+
   return (
     <Layout>
       <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
         <Text size="xl" fw={700}>
           {t("Unauthorized")}
         </Text>
-        <Text>
-          {isQueryValid(resource) ? (
-            <Text>
-              <Trans
-                i18nKey="unauthorizedResourceSubtitle"
-                t={t}
-                components={{ Code: <Code /> }}
-                values={{ resource, username }}
-              />
-            </Text>
-          ) : (
-            <Text>
-              <Trans
-                i18nKey="unauthorizedLoginSubtitle"
-                t={t}
-                components={{ Code: <Code /> }}
-                values={{ username }}
-              />
-            </Text>
-          )}
-        </Text>
+        <Text>{children}</Text>
         <Button
           fullWidth
           mt="xl"

frontend/src/schemas/app-context-schema.ts

@@ -5,6 +5,9 @@ export const appContextSchema = z.object({
   disableContinue: z.boolean(),
   title: z.string(),
   genericName: z.string(),
+  domain: z.string(),
+  forgotPasswordMessage: z.string(),
+  oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
 });
 
 export type AppContextSchemaType = z.infer<typeof appContextSchema>;

frontend/src/schemas/user-context-schema.ts

@@ -3,6 +3,8 @@ import { z } from "zod";
 export const userContextSchema = z.object({
   isLoggedIn: z.boolean(),
   username: z.string(),
+  name: z.string(),
+  email: z.string(),
   oauth: z.boolean(),
   provider: z.string(),
   totpPending: z.boolean(),

frontend/src/utils/utils.ts

@@ -1,2 +1,17 @@
 export const capitalize = (s: string) => s.charAt(0).toUpperCase() + s.slice(1);
-export const isQueryValid = (value: string) => value.trim() !== "" && value !== "null";
+export const escapeRegex = (value: string) => value.replace(/[-\/\\^$.*+?()[\]{}|]/g, "\\$&");
+export const isValidQuery = (query: string) => query && query.trim() !== "";
+
+export const isValidRedirectUri = (value: string) => {
+    if (!isValidQuery(value)) {
+        return false;
+    }
+
+    try {
+        new URL(value);
+    } catch {
+        return false;
+    }
+
+    return true;
+}

frontend/vite.config.ts

@@ -12,6 +12,7 @@ export default defineConfig({
         changeOrigin: true,
         rewrite: (path) => path.replace(/^\/api/, ""),
       },
-    }
+    },
+    allowedHosts: true,
   }
 });

go.mod

@@ -4,23 +4,28 @@ go 1.23.2
 
 require (
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-playground/validator/v10 v10.24.0
+	github.com/go-playground/validator/v10 v10.26.0
 	github.com/google/go-querystring v1.1.0
-	github.com/mdp/qrterminal/v3 v3.2.0
-	github.com/rs/zerolog v1.33.0
-	github.com/spf13/cobra v1.8.1
-	github.com/spf13/viper v1.19.0
-	golang.org/x/crypto v0.32.0
+	github.com/mdp/qrterminal/v3 v3.2.1
+	github.com/rs/zerolog v1.34.0
+	github.com/spf13/cobra v1.9.1
+	github.com/spf13/viper v1.20.1
+	golang.org/x/crypto v0.37.0
 )
 
 require (
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
@@ -32,23 +37,23 @@ require (
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/sonic v1.12.7 // indirect
 	github.com/bytedance/sonic/loader v0.2.3 // indirect
-	github.com/catppuccin/go v0.2.0 // indirect
-	github.com/charmbracelet/bubbles v0.20.0 // indirect
-	github.com/charmbracelet/bubbletea v1.1.0 // indirect
-	github.com/charmbracelet/huh v0.6.0
-	github.com/charmbracelet/lipgloss v0.13.0 // indirect
-	github.com/charmbracelet/x/ansi v0.2.3 // indirect
+	github.com/catppuccin/go v0.3.0 // indirect
+	github.com/charmbracelet/bubbles v0.21.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.4 // indirect
+	github.com/charmbracelet/huh v0.7.0
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
-	github.com/charmbracelet/x/term v0.2.0 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v27.5.1+incompatible
+	github.com/docker/docker v28.1.1+incompatible
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
@@ -58,55 +63,50 @@ require (
 	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
-	github.com/gorilla/sessions v1.2.2
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/gorilla/sessions v1.4.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/magiconair/properties v1.8.7
+	github.com/magiconair/properties v1.8.10
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
-	github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pquerna/otp v1.4.0
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
 	go.opentelemetry.io/otel v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/trace v1.34.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/net v0.34.0 // indirect
-	golang.org/x/oauth2 v0.25.0
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.29.0
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -8,6 +8,8 @@ github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/aymanbagabas/go-udiff v0.2.0 h1:TK0fH4MteXUDspT88n8CKzvK0X9O2xu9yQjWpi6yML8=
+github.com/aymanbagabas/go-udiff v0.2.0/go.mod h1:RE4Ex0qsGkTAJoQdQQCA0uG+nAzJO/pI/QwceO5fgrA=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
 github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -16,39 +18,54 @@ github.com/bytedance/sonic v1.12.7/go.mod h1:tnbal4mxOMju17EGfknm2XyYcpyCnIROYOE
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
-github.com/catppuccin/go v0.2.0 h1:ktBeIrIP42b/8FGiScP9sgrWOss3lw0Z5SktRoithGA=
-github.com/catppuccin/go v0.2.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
+github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
+github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
-github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
-github.com/charmbracelet/bubbletea v1.1.0 h1:FjAl9eAL3HBCHenhz/ZPjkKdScmaS5SK69JAK2YJK9c=
-github.com/charmbracelet/bubbletea v1.1.0/go.mod h1:9Ogk0HrdbHolIKHdjfFpyXJmiCzGwy+FesYkZr7hYU4=
-github.com/charmbracelet/huh v0.6.0 h1:mZM8VvZGuE0hoDXq6XLxRtgfWyTI3b2jZNKh0xWmax8=
-github.com/charmbracelet/huh v0.6.0/go.mod h1:GGNKeWCeNzKpEOh/OJD8WBwTQjV3prFAtQPpLv+AVwU=
-github.com/charmbracelet/lipgloss v0.13.0 h1:4X3PPeoWEDCMvzDvGmTajSyYPcZM4+y8sCA/SsA3cjw=
-github.com/charmbracelet/lipgloss v0.13.0/go.mod h1:nw4zy0SBX/F/eAO1cWdcvy6qnkDUxr8Lw7dvFrAIbbY=
-github.com/charmbracelet/x/ansi v0.2.3 h1:VfFN0NUpcjBRd4DnKfRaIRo53KRgey/nhOoEqosGDEY=
-github.com/charmbracelet/x/ansi v0.2.3/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw=
+github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
+github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
+github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
+github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
+github.com/charmbracelet/huh v0.7.0 h1:W8S1uyGETgj9Tuda3/JdVkc3x7DBLZYPZc4c+/rnRdc=
+github.com/charmbracelet/huh v0.7.0/go.mod h1:UGC3DZHlgOKHvHC07a5vHag41zzhpPFj34U92sOmyuk=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
+github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
+github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
+github.com/charmbracelet/x/conpty v0.1.0/go.mod h1:rMFsDJoDwVmiYM10aD4bH2XiRgwI7NYJtQgl5yskjEQ=
+github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86 h1:JSt3B+U9iqk37QUU2Rvb6DSBYRLtWqFqfxf8l5hOZUA=
+github.com/charmbracelet/x/errors v0.0.0-20240508181413-e8d8b6e2de86/go.mod h1:2P0UgXMEa6TsToMSuFqKFQR+fZTO9CNGUNokkPatT/0=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
+github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 h1:qko3AQ4gK1MTS/de7F5hPGx6/k1u0w4TeYmBFwzYVP4=
 github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0/go.mod h1:pBhA0ybfXv6hDjQUZ7hk1lVxBiUbupdw5R31yPUViVQ=
-github.com/charmbracelet/x/term v0.2.0 h1:cNB9Ot9q8I711MyZ7myUR5HFWL/lc3OpU8jZ4hwm0x0=
-github.com/charmbracelet/x/term v0.2.0/go.mod h1:GVxgxAbjUrmpvIINHIQnJJKpMlHiZ4cktEQCN6GWyF0=
+github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
+github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=
+github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
+github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
+github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
 github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
 github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
-github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.1.1+incompatible h1:49M11BFLsVO1gxY9UX9p/zwkE/rswggs8AdFmXQw51I=
+github.com/docker/docker v28.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -61,8 +78,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
@@ -80,8 +97,10 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
-github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.26.0 h1:SP05Nqhjcvz81uJaRfEV0YBSSSGMc/iMaVtFbr3Sw2k=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -99,12 +118,10 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
-github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -124,8 +141,8 @@ github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
+github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -137,14 +154,16 @@ github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2J
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mdp/qrterminal/v3 v3.2.0 h1:qteQMXO3oyTK4IHwj2mWsKYYRBOp1Pj2WRYFYYNTCdk=
-github.com/mdp/qrterminal/v3 v3.2.0/go.mod h1:XGGuua4Lefrl7TLEsSONiD+UEjQXJZ4mPzF+gWYIJkk=
+github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
+github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
 github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
 github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -158,8 +177,8 @@ github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
-github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a h1:2MaM6YC3mGu54x+RKAA6JiFFHlHDY1UbkxqppT7wYOg=
-github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a/go.mod h1:hxSnBBYLK21Vtq/PHd0S2FYCxBXzBua8ov5s1RobyRQ=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -169,9 +188,8 @@ github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xl
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
 github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -179,29 +197,27 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
-github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
-github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
-github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
-github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
-github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
+github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
+github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -222,12 +238,14 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
 go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
 go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
@@ -251,25 +269,25 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -279,16 +297,16 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -297,7 +315,7 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
+google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
 google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f h1:gap6+3Gk41EItBuyi4XX/bp4oqJ3UwuIMl25yGinuAA=
 google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:Ic02D47M+zbarjYYUlK57y316f2MoN0gjAwI3f2S95o=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
@@ -309,8 +327,6 @@ google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojt
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/api/api_test.go

@@ -27,16 +27,17 @@ var apiConfig = types.APIConfig{
 
 // Simple handlers config for tests
 var handlersConfig = types.HandlersConfig{
-	AppURL:          "http://localhost:8080",
-	DisableContinue: false,
-	Title:           "Tinyauth",
-	GenericName:     "Generic",
+	AppURL:                "http://localhost:8080",
+	DisableContinue:       false,
+	Title:                 "Tinyauth",
+	GenericName:           "Generic",
+	ForgotPasswordMessage: "Some message",
 }
 
 // Simple auth config for tests
 var authConfig = types.AuthConfig{
 	Users:           types.Users{},
-	OauthWhitelist:  []string{},
+	OauthWhitelist:  "",
 	Secret:          "super-secret-api-thing-for-tests", // It is 32 chars long
 	CookieSecure:    false,
 	SessionExpiry:   3600,
@@ -44,6 +45,11 @@ var authConfig = types.AuthConfig{
 	LoginMaxRetries: 0,
 }
 
+// Simple hooks config for tests
+var hooksConfig = types.HooksConfig{
+	Domain: "localhost",
+}
+
 // Cookie
 var cookie string
 
@@ -82,7 +88,7 @@ func getAPI(t *testing.T) *api.API {
 	providers.Init()
 
 	// Create hooks service
-	hooks := hooks.NewHooks(auth, providers)
+	hooks := hooks.NewHooks(hooksConfig, auth, providers)
 
 	// Create handlers service
 	handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
@@ -193,12 +199,13 @@ func TestAppContext(t *testing.T) {
 
 	// Create tests values
 	expected := types.AppContext{
-		Status:              200,
-		Message:             "OK",
-		ConfiguredProviders: []string{"username"},
-		DisableContinue:     false,
-		Title:               "Tinyauth",
-		GenericName:         "Generic",
+		Status:                200,
+		Message:               "OK",
+		ConfiguredProviders:   []string{"username"},
+		DisableContinue:       false,
+		Title:                 "Tinyauth",
+		GenericName:           "Generic",
+		ForgotPasswordMessage: "Some message",
 	}
 
 	// We should get the username back

internal/assets/version

@@ -1 +1 @@
-v3.2.0
+v3.3.0

internal/auth/auth.go

@@ -2,14 +2,13 @@ package auth
 
 import (
 	"fmt"
-	"net/http"
 	"regexp"
-	"slices"
 	"strings"
 	"sync"
 	"time"
 	"tinyauth/internal/docker"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/sessions"
@@ -42,7 +41,6 @@ func (auth *Auth) GetSession(c *gin.Context) (*sessions.Session, error) {
 		MaxAge:   auth.Config.SessionExpiry,
 		Secure:   auth.Config.CookieSecure,
 		HttpOnly: true,
-		SameSite: http.SameSiteDefaultMode,
 		Domain:   fmt.Sprintf(".%s", auth.Config.Domain),
 	}
 
@@ -136,20 +134,7 @@ func (auth *Auth) RecordLoginAttempt(identifier string, success bool) {
 }
 
 func (auth *Auth) EmailWhitelisted(emailSrc string) bool {
-	// If the whitelist is empty, allow all emails
-	if len(auth.Config.OauthWhitelist) == 0 {
-		return true
-	}
-
-	// Loop through the whitelist and return true if the email matches
-	for _, email := range auth.Config.OauthWhitelist {
-		if email == emailSrc {
-			return true
-		}
-	}
-
-	// If no emails match, return false
-	return false
+	return utils.CheckWhitelist(auth.Config.OauthWhitelist, emailSrc)
 }
 
 func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie) error {
@@ -175,10 +160,12 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
 
 	// Set data
 	session.Values["username"] = data.Username
+	session.Values["name"] = data.Name
+	session.Values["email"] = data.Email
 	session.Values["provider"] = data.Provider
 	session.Values["expiry"] = time.Now().Add(time.Duration(sessionExpiry) * time.Second).Unix()
 	session.Values["totpPending"] = data.TotpPending
-	session.Values["redirectURI"] = data.RedirectURI
+	session.Values["oauthGroups"] = data.OAuthGroups
 
 	// Save session
 	err = session.Save(c.Request, c.Writer)
@@ -227,15 +214,24 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, err
 	}
 
+	log.Debug().Msg("Got session")
+
 	// Get data from session
 	username, usernameOk := session.Values["username"].(string)
+	email, emailOk := session.Values["email"].(string)
+	name, nameOk := session.Values["name"].(string)
 	provider, providerOK := session.Values["provider"].(string)
-	redirectURI, redirectOK := session.Values["redirectURI"].(string)
 	expiry, expiryOk := session.Values["expiry"].(int64)
 	totpPending, totpPendingOk := session.Values["totpPending"].(bool)
+	oauthGroups, oauthGroupsOk := session.Values["oauthGroups"].(string)
 
-	if !usernameOk || !providerOK || !expiryOk || !redirectOK || !totpPendingOk {
-		log.Warn().Msg("Session cookie is missing data")
+	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk || !oauthGroupsOk {
+		log.Warn().Msg("Session cookie is invalid")
+
+		// If any data is missing, delete the session cookie
+		auth.DeleteSessionCookie(c)
+
+		// Return empty cookie
 		return types.SessionCookie{}, nil
 	}
 
@@ -250,14 +246,16 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, nil
 	}
 
-	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Msg("Parsed cookie")
+	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Str("oauthGroups", oauthGroups).Msg("Parsed cookie")
 
 	// Return the cookie
 	return types.SessionCookie{
 		Username:    username,
+		Name:        name,
+		Email:       email,
 		Provider:    provider,
 		TotpPending: totpPending,
-		RedirectURI: redirectURI,
+		OAuthGroups: oauthGroups,
 	}, nil
 }
 
@@ -266,62 +264,52 @@ func (auth *Auth) UserAuthConfigured() bool {
 	return len(auth.Config.Users) > 0
 }
 
-func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext) (bool, error) {
-	// Get headers
-	host := c.Request.Header.Get("X-Forwarded-Host")
-
-	// Get app id
-	appId := strings.Split(host, ".")[0]
-
-	// Get the container labels
-	labels, err := auth.Docker.GetLabels(appId)
-
-	// If there is an error, return false
-	if err != nil {
-		return false, err
-	}
-
+func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext, labels types.TinyauthLabels) bool {
 	// Check if oauth is allowed
 	if context.OAuth {
-		if len(labels.OAuthWhitelist) == 0 {
-			return true, nil
-		}
 		log.Debug().Msg("Checking OAuth whitelist")
-		if slices.Contains(labels.OAuthWhitelist, context.Username) {
-			return true, nil
-		}
+		return utils.CheckWhitelist(labels.OAuthWhitelist, context.Email)
 	}
 
-	// Check if user is allowed
-	if len(labels.Users) != 0 {
-		log.Debug().Msg("Checking users")
-		if len(labels.Users) == 0 {
-			return true, nil
-		}
-		if slices.Contains(labels.Users, context.Username) {
-			return true, nil
-		}
-	}
+	// Check users
+	log.Debug().Msg("Checking users")
 
-	// Not allowed
-	return false, nil
+	return utils.CheckWhitelist(labels.Users, context.Username)
 }
 
-func (auth *Auth) AuthEnabled(c *gin.Context) (bool, error) {
+func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels types.TinyauthLabels) bool {
+	// Check if groups are required
+	if labels.OAuthGroups == "" {
+		return true
+	}
+
+	// Check if we are using the generic oauth provider
+	if context.Provider != "generic" {
+		log.Debug().Msg("Not using generic provider, skipping group check")
+		return true
+	}
+
+	// Split the groups by comma (no need to parse since they are from the API response)
+	oauthGroups := strings.Split(context.OAuthGroups, ",")
+
+	// For every group check if it is in the required groups
+	for _, group := range oauthGroups {
+		if utils.CheckWhitelist(labels.OAuthGroups, group) {
+			log.Debug().Str("group", group).Msg("Group is in required groups")
+			return true
+		}
+	}
+
+	// No groups matched
+	log.Debug().Msg("No groups matched")
+
+	// Return false
+	return false
+}
+
+func (auth *Auth) AuthEnabled(c *gin.Context, labels types.TinyauthLabels) (bool, error) {
 	// Get headers
 	uri := c.Request.Header.Get("X-Forwarded-Uri")
-	host := c.Request.Header.Get("X-Forwarded-Host")
-
-	// Get app id
-	appId := strings.Split(host, ".")[0]
-
-	// Get the container labels
-	labels, err := auth.Docker.GetLabels(appId)
-
-	// If there is an error, auth enabled
-	if err != nil {
-		return true, err
-	}
 
 	// Check if the allowed label is empty
 	if labels.Allowed == "" {

internal/auth/auth_test.go

@@ -10,7 +10,7 @@ import (
 
 var config = types.AuthConfig{
 	Users:          types.Users{},
-	OauthWhitelist: []string{},
+	OauthWhitelist: "",
 	SessionExpiry:  3600,
 }
 

internal/constants/constants.go

@@ -6,4 +6,13 @@ var TinyauthLabels = []string{
 	"tinyauth.users",
 	"tinyauth.allowed",
 	"tinyauth.headers",
+	"tinyauth.oauth.groups",
+}
+
+// Claims are the OIDC supported claims (including preferd username for some reason)
+type Claims struct {
+	Name              string   `json:"name"`
+	Email             string   `json:"email"`
+	PreferredUsername string   `json:"preferred_username"`
+	Groups            []string `json:"groups"`
 }

internal/docker/docker.go

@@ -6,8 +6,7 @@ import (
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 
-	apiTypes "github.com/docker/docker/api/types"
-	containerTypes "github.com/docker/docker/api/types/container"
+	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/rs/zerolog/log"
 )
@@ -38,9 +37,9 @@ func (docker *Docker) Init() error {
 	return nil
 }
 
-func (docker *Docker) GetContainers() ([]apiTypes.Container, error) {
+func (docker *Docker) GetContainers() ([]container.Summary, error) {
 	// Get the list of containers
-	containers, err := docker.Client.ContainerList(docker.Context, containerTypes.ListOptions{})
+	containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
 
 	// Check if there was an error
 	if err != nil {
@@ -51,13 +50,13 @@ func (docker *Docker) GetContainers() ([]apiTypes.Container, error) {
 	return containers, nil
 }
 
-func (docker *Docker) InspectContainer(containerId string) (apiTypes.ContainerJSON, error) {
+func (docker *Docker) InspectContainer(containerId string) (container.InspectResponse, error) {
 	// Inspect the container
 	inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
 
 	// Check if there was an error
 	if err != nil {
-		return apiTypes.ContainerJSON{}, err
+		return container.InspectResponse{}, err
 	}
 
 	// Return the inspect

internal/handlers/handlers.go

@@ -2,14 +2,15 @@ package handlers
 
 import (
 	"fmt"
-	"math/rand/v2"
 	"net/http"
 	"strings"
+	"time"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/docker"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -68,12 +69,17 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	proto := c.Request.Header.Get("X-Forwarded-Proto")
 	host := c.Request.Header.Get("X-Forwarded-Host")
 
-	// Check if auth is enabled
-	authEnabled, err := h.Auth.AuthEnabled(c)
+	// Get the app id
+	appId := strings.Split(host, ".")[0]
+
+	// Get the container labels
+	labels, err := h.Docker.GetLabels(appId)
+
+	log.Debug().Interface("labels", labels).Msg("Got labels")
 
 	// Check if there was an error
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to check if app is allowed")
+		log.Error().Err(err).Msg("Failed to get container labels")
 
 		if proxy.Proxy == "nginx" || !isBrowser {
 			c.JSON(500, gin.H{
@@ -87,11 +93,8 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		return
 	}
 
-	// Get the app id
-	appId := strings.Split(host, ".")[0]
-
-	// Get the container labels
-	labels, err := h.Docker.GetLabels(appId)
+	// Check if auth is enabled
+	authEnabled, err := h.Auth.AuthEnabled(c, labels)
 
 	// Check if there was an error
 	if err != nil {
@@ -113,7 +116,7 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	if !authEnabled {
 		for key, value := range labels.Headers {
 			log.Debug().Str("key", key).Str("value", value).Msg("Setting header")
-			c.Header(key, value)
+			c.Header(key, utils.SanitizeHeader(value))
 		}
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -125,28 +128,18 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	// Get user context
 	userContext := h.Hooks.UseUserContext(c)
 
+	// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
+	if userContext.Provider == "basic" && userContext.TotpEnabled {
+		log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
+		userContext.IsLoggedIn = false
+	}
+
 	// Check if user is logged in
 	if userContext.IsLoggedIn {
 		log.Debug().Msg("Authenticated")
 
 		// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
-		appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
-
-		// Check if there was an error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to check if app is allowed")
-
-			if proxy.Proxy == "nginx" || !isBrowser {
-				c.JSON(500, gin.H{
-					"status":  500,
-					"message": "Internal Server Error",
-				})
-				return
-			}
-
-			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
-			return
-		}
+		appAllowed := h.Auth.ResourceAllowed(c, userContext, labels)
 
 		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
 
@@ -165,11 +158,20 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 				return
 			}
 
-			// Build query
-			queries, err := query.Values(types.UnauthorizedQuery{
-				Username: userContext.Username,
+			// Values
+			values := types.UnauthorizedQuery{
 				Resource: strings.Split(host, ".")[0],
-			})
+			}
+
+			// Use either username or email
+			if userContext.OAuth {
+				values.Username = userContext.Email
+			} else {
+				values.Username = userContext.Username
+			}
+
+			// Build query
+			queries, err := query.Values(values)
 
 			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
 			if err != nil {
@@ -183,13 +185,66 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 			return
 		}
 
-		// Set the user header
-		c.Header("Remote-User", userContext.Username)
+		// Check groups if using OAuth
+		if userContext.OAuth {
+			// Check if user is in required groups
+			groupOk := h.Auth.OAuthGroup(c, userContext, labels)
+
+			log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")
+
+			// The user is not allowed to access the app
+			if !groupOk {
+				log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")
+
+				// Set WWW-Authenticate header
+				c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+				if proxy.Proxy == "nginx" || !isBrowser {
+					c.JSON(401, gin.H{
+						"status":  401,
+						"message": "Unauthorized",
+					})
+					return
+				}
+
+				// Values
+				values := types.UnauthorizedQuery{
+					Resource: strings.Split(host, ".")[0],
+					GroupErr: true,
+				}
+
+				// Use either username or email
+				if userContext.OAuth {
+					values.Username = userContext.Email
+				} else {
+					values.Username = userContext.Username
+				}
+
+				// Build query
+				queries, err := query.Values(values)
+
+				// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to build queries")
+					c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+					return
+				}
+
+				// We are using caddy/traefik so redirect
+				c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
+				return
+			}
+		}
+
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
 
 		// Set the rest of the headers
 		for key, value := range labels.Headers {
 			log.Debug().Str("key", key).Str("value", value).Msg("Setting header")
-			c.Header(key, value)
+			c.Header(key, utils.SanitizeHeader(value))
 		}
 
 		// The user is allowed to access the app
@@ -310,6 +365,8 @@ func (h *Handlers) LoginHandler(c *gin.Context) {
 		// Set totp pending cookie
 		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 			Username:    login.Username,
+			Name:        utils.Capitalize(login.Username),
+			Email:       fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
 			Provider:    "username",
 			TotpPending: true,
 		})
@@ -328,6 +385,8 @@ func (h *Handlers) LoginHandler(c *gin.Context) {
 	// Create session cookie with username as provider
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 		Username: login.Username,
+		Name:     utils.Capitalize(login.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
 		Provider: "username",
 	})
 
@@ -402,6 +461,8 @@ func (h *Handlers) TotpHandler(c *gin.Context) {
 	// Create session cookie with username as provider
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 		Username: user.Username,
+		Name:     utils.Capitalize(user.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), h.Config.Domain),
 		Provider: "username",
 	})
 
@@ -440,12 +501,15 @@ func (h *Handlers) AppHandler(c *gin.Context) {
 
 	// Create app context struct
 	appContext := types.AppContext{
-		Status:              200,
-		Message:             "OK",
-		ConfiguredProviders: configuredProviders,
-		DisableContinue:     h.Config.DisableContinue,
-		Title:               h.Config.Title,
-		GenericName:         h.Config.GenericName,
+		Status:                200,
+		Message:               "OK",
+		ConfiguredProviders:   configuredProviders,
+		DisableContinue:       h.Config.DisableContinue,
+		Title:                 h.Config.Title,
+		GenericName:           h.Config.GenericName,
+		Domain:                h.Config.Domain,
+		ForgotPasswordMessage: h.Config.ForgotPasswordMessage,
+		OAuthAutoRedirect:     h.Config.OAuthAutoRedirect,
 	}
 
 	// Return app context
@@ -463,6 +527,8 @@ func (h *Handlers) UserHandler(c *gin.Context) {
 		Status:      200,
 		IsLoggedIn:  userContext.IsLoggedIn,
 		Username:    userContext.Username,
+		Name:        userContext.Name,
+		Email:       userContext.Email,
 		Provider:    userContext.Provider,
 		Oauth:       userContext.OAuth,
 		TotpPending: userContext.TotpPending,
@@ -515,46 +581,24 @@ func (h *Handlers) OauthUrlHandler(c *gin.Context) {
 
 	log.Debug().Str("provider", request.Provider).Msg("Got provider")
 
+	// Create state
+	state := provider.GenerateState()
+
 	// Get auth URL
-	authURL := provider.GetAuthURL()
+	authURL := provider.GetAuthURL(state)
 
 	log.Debug().Msg("Got auth URL")
 
+	// Set CSRF cookie
+	c.SetCookie("tinyauth-csrf", state, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
+
 	// Get redirect URI
 	redirectURI := c.Query("redirect_uri")
 
 	// Set redirect cookie if redirect URI is provided
 	if redirectURI != "" {
 		log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
-		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-			RedirectURI: redirectURI,
-		})
-	}
-
-	// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
-	if request.Provider == "tailscale" {
-		// Build tailscale query
-		queries, err := query.Values(types.TailscaleQuery{
-			Code: (1000 + rand.IntN(9000)),
-		})
-
-		// Handle error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to build queries")
-			c.JSON(500, gin.H{
-				"status":  500,
-				"message": "Internal Server Error",
-			})
-			return
-		}
-
-		// Return tailscale URL (immidiately redirects to the callback)
-		c.JSON(200, gin.H{
-			"status":  200,
-			"message": "OK",
-			"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", h.Config.AppURL, queries.Encode()),
-		})
-		return
+		c.SetCookie("tinyauth-redirect", redirectURI, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
 	}
 
 	// Return auth URL
@@ -581,16 +625,33 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
 
-	// Get code
-	code := c.Query("code")
+	// Get state
+	state := c.Query("state")
 
-	// Code empty so redirect to error
-	if code == "" {
-		log.Error().Msg("No code provided")
+	// Get CSRF cookie
+	csrfCookie, err := c.Cookie("tinyauth-csrf")
+
+	if err != nil {
+		log.Debug().Msg("No CSRF cookie")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
+	log.Debug().Str("csrfCookie", csrfCookie).Msg("Got CSRF cookie")
+
+	// Check if CSRF cookie is valid
+	if csrfCookie != state {
+		log.Warn().Msg("Invalid CSRF cookie or CSRF cookie does not match with the state")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Clean up CSRF cookie
+	c.SetCookie("tinyauth-csrf", "", -1, "/", "", h.Config.CookieSecure, true)
+
+	// Get code
+	code := c.Query("code")
+
 	log.Debug().Msg("Got code")
 
 	// Get provider
@@ -611,35 +672,42 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	// Handle error
 	if err != nil {
-		log.Error().Msg("Failed to exchange token")
+		log.Error().Err(err).Msg("Failed to exchange token")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
-	// Get email
-	email, err := h.Providers.GetUser(providerName.Provider)
-
-	log.Debug().Str("email", email).Msg("Got email")
+	// Get user
+	user, err := h.Providers.GetUser(providerName.Provider)
 
 	// Handle error
 	if err != nil {
-		log.Error().Msg("Failed to get email")
+		log.Error().Msg("Failed to get user")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Msg("Got user")
+
+	// Check that email is not empty
+	if user.Email == "" {
+		log.Error().Msg("Email is empty")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
 	// Email is not whitelisted
-	if !h.Auth.EmailWhitelisted(email) {
-		log.Warn().Str("email", email).Msg("Email not whitelisted")
+	if !h.Auth.EmailWhitelisted(user.Email) {
+		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 
 		// Build query
 		queries, err := query.Values(types.UnauthorizedQuery{
-			Username: email,
+			Username: user.Email,
 		})
 
 		// Handle error
 		if err != nil {
-			log.Error().Msg("Failed to build queries")
+			log.Error().Err(err).Msg("Failed to build queries")
 			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 			return
 		}
@@ -650,36 +718,61 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	log.Debug().Msg("Email whitelisted")
 
-	// Get redirect URI
-	cookie, err := h.Auth.GetSessionCookie(c)
+	// Get username
+	var username string
+
+	if user.PreferredUsername != "" {
+		username = user.PreferredUsername
+	} else {
+		username = fmt.Sprintf("%s_%s", strings.Split(user.Email, "@")[0], strings.Split(user.Email, "@")[1])
+	}
+
+	// Get name
+	var name string
+
+	if user.Name != "" {
+		name = user.Name
+	} else {
+		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+	}
 
 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: email,
-		Provider: providerName.Provider,
+		Username:    username,
+		Name:        name,
+		Email:       user.Email,
+		Provider:    providerName.Provider,
+		OAuthGroups: strings.Join(user.Groups, ","),
 	})
 
-	// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
+	// Check if we have a redirect URI
+	redirectCookie, err := c.Cookie("tinyauth-redirect")
+
 	if err != nil {
+		log.Debug().Msg("No redirect cookie")
 		c.Redirect(http.StatusPermanentRedirect, h.Config.AppURL)
+		return
 	}
 
-	log.Debug().Str("redirectURI", cookie.RedirectURI).Msg("Got redirect URI")
+	log.Debug().Str("redirectURI", redirectCookie).Msg("Got redirect URI")
 
 	// Build query
 	queries, err := query.Values(types.LoginQuery{
-		RedirectURI: cookie.RedirectURI,
+		RedirectURI: redirectCookie,
 	})
 
 	log.Debug().Msg("Got redirect query")
 
 	// Handle error
 	if err != nil {
-		log.Error().Msg("Failed to build queries")
+		log.Error().Err(err).Msg("Failed to build queries")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
+	// Clean up redirect cookie
+	c.SetCookie("tinyauth-redirect", "", -1, "/", "", h.Config.CookieSecure, true)
+
 	// Redirect to continue with the redirect URI
 	c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, queries.Encode()))
 }

internal/hooks/hooks.go

@@ -1,22 +1,27 @@
 package hooks
 
 import (
+	"fmt"
+	"strings"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )
 
-func NewHooks(auth *auth.Auth, providers *providers.Providers) *Hooks {
+func NewHooks(config types.HooksConfig, auth *auth.Auth, providers *providers.Providers) *Hooks {
 	return &Hooks{
+		Config:    config,
 		Auth:      auth,
 		Providers: providers,
 	}
 }
 
 type Hooks struct {
+	Config    types.HooksConfig
 	Auth      *auth.Auth
 	Providers *providers.Providers
 }
@@ -30,17 +35,27 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if basic != nil {
 		log.Debug().Msg("Got basic auth")
 
-		// Check if user exists and password is correct
+		// Get user
 		user := hooks.Auth.GetUser(basic.Username)
 
-		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
+		// Check we have a user
+		if user == nil {
+			log.Error().Str("username", basic.Username).Msg("User does not exist")
+
+			// Return empty context
+			return types.UserContext{}
+		}
+
+		// Check if the user has a correct password
+		if hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
 				Username:    basic.Username,
+				Name:        utils.Capitalize(basic.Username),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
 				IsLoggedIn:  true,
-				OAuth:       false,
 				Provider:    "basic",
-				TotpPending: false,
+				TotpEnabled: user.TotpSecret != "",
 			}
 		}
 
@@ -50,13 +65,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get session cookie")
 		// Return empty context
-		return types.UserContext{
-			Username:    "",
-			IsLoggedIn:  false,
-			OAuth:       false,
-			Provider:    "",
-			TotpPending: false,
-		}
+		return types.UserContext{}
 	}
 
 	// Check if session cookie has totp pending
@@ -65,8 +74,8 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		// Return empty context since we are pending totp
 		return types.UserContext{
 			Username:    cookie.Username,
-			IsLoggedIn:  false,
-			OAuth:       false,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
 			Provider:    cookie.Provider,
 			TotpPending: true,
 		}
@@ -82,11 +91,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 			// It exists so we are logged in
 			return types.UserContext{
-				Username:    cookie.Username,
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: false,
+				Username:   cookie.Username,
+				Name:       cookie.Name,
+				Email:      cookie.Email,
+				IsLoggedIn: true,
+				Provider:   "username",
 			}
 		}
 	}
@@ -101,20 +110,14 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		log.Debug().Msg("Provider exists")
 
 		// Check if the oauth email is whitelisted
-		if !hooks.Auth.EmailWhitelisted(cookie.Username) {
-			log.Error().Str("email", cookie.Username).Msg("Email is not whitelisted")
+		if !hooks.Auth.EmailWhitelisted(cookie.Email) {
+			log.Error().Str("email", cookie.Email).Msg("Email is not whitelisted")
 
 			// It isn't so we delete the cookie and return an empty context
 			hooks.Auth.DeleteSessionCookie(c)
 
 			// Return empty context
-			return types.UserContext{
-				Username:    "",
-				IsLoggedIn:  false,
-				OAuth:       false,
-				Provider:    "",
-				TotpPending: false,
-			}
+			return types.UserContext{}
 		}
 
 		log.Debug().Msg("Email is whitelisted")
@@ -122,19 +125,15 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		// Return user context since we are logged in with oauth
 		return types.UserContext{
 			Username:    cookie.Username,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
 			IsLoggedIn:  true,
 			OAuth:       true,
 			Provider:    cookie.Provider,
-			TotpPending: false,
+			OAuthGroups: cookie.OAuthGroups,
 		}
 	}
 
 	// Neither basic auth or oauth is set so we return an empty context
-	return types.UserContext{
-		Username:    "",
-		IsLoggedIn:  false,
-		OAuth:       false,
-		Provider:    "",
-		TotpPending: false,
-	}
+	return types.UserContext{}
 }

internal/oauth/oauth.go

@@ -2,6 +2,8 @@ package oauth
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"net/http"
 
 	"golang.org/x/oauth2"
@@ -26,9 +28,9 @@ func (oauth *OAuth) Init() {
 	oauth.Verifier = oauth2.GenerateVerifier()
 }
 
-func (oauth *OAuth) GetAuthURL() string {
+func (oauth *OAuth) GetAuthURL(state string) string {
 	// Return the auth url
-	return oauth.Config.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oauth.Verifier))
+	return oauth.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oauth.Verifier))
 }
 
 func (oauth *OAuth) ExchangeToken(code string) (string, error) {
@@ -51,3 +53,16 @@ func (oauth *OAuth) GetClient() *http.Client {
 	// Return the http client with the token set
 	return oauth.Config.Client(oauth.Context, oauth.Token)
 }
+
+func (oauth *OAuth) GenerateState() string {
+	// Generate a random state string
+	b := make([]byte, 128)
+
+	// Fill the byte slice with random data
+	rand.Read(b)
+
+	// Encode the byte slice to a base64 string
+	state := base64.URLEncoding.EncodeToString(b)
+
+	return state
+}

internal/providers/generic.go

@@ -4,24 +4,25 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
-// We are assuming that the generic provider will return a JSON object with an email field
-type GenericUserInfoResponse struct {
-	Email string `json:"email"`
-}
+func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
+	// Create user struct
+	var user constants.Claims
 
-func GetGenericEmail(client *http.Client, url string) (string, error) {
 	// Using the oauth client get the user info url
 	res, err := client.Get(url)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got response from generic provider")
 
 	// Read the body of the response
@@ -29,24 +30,21 @@ func GetGenericEmail(client *http.Client, url string) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Read body from generic provider")
 
-	// Parse the body into a user struct
-	var user GenericUserInfoResponse
-
 	// Unmarshal the body into the user struct
 	err = json.Unmarshal(body, &user)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed user from generic provider")
 
-	// Return the email
-	return user.Email, nil
+	// Return the user
+	return user, nil
 }

internal/providers/github.go

@@ -5,51 +5,96 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
-// Github has a different response than the generic provider
-type GithubUserInfoResponse []struct {
+// Response for the github email endpoint
+type GithubEmailResponse []struct {
 	Email   string `json:"email"`
 	Primary bool   `json:"primary"`
 }
 
-// The scopes required for the github provider
-func GithubScopes() []string {
-	return []string{"user:email"}
+// Response for the github user endpoint
+type GithubUserInfoResponse struct {
+	Login string `json:"login"`
+	Name  string `json:"name"`
 }
 
-func GetGithubEmail(client *http.Client) (string, error) {
-	// Get the user emails from github using the oauth http client
-	res, err := client.Get("https://api.github.com/user/emails")
+// The scopes required for the github provider
+func GithubScopes() []string {
+	return []string{"user:email", "read:user"}
+}
+
+func GetGithubUser(client *http.Client) (constants.Claims, error) {
+	// Create user struct
+	var user constants.Claims
+
+	// Get the user info from github using the oauth http client
+	res, err := client.Get("https://api.github.com/user")
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
-	log.Debug().Msg("Got response from github")
+	defer res.Body.Close()
+
+	log.Debug().Msg("Got user response from github")
 
 	// Read the body of the response
 	body, err := io.ReadAll(res.Body)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
-	log.Debug().Msg("Read body from github")
+	log.Debug().Msg("Read user body from github")
 
 	// Parse the body into a user struct
-	var emails GithubUserInfoResponse
+	var userInfo GithubUserInfoResponse
+
+	// Unmarshal the body into the user struct
+	err = json.Unmarshal(body, &userInfo)
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	// Get the user emails from github using the oauth http client
+	res, err = client.Get("https://api.github.com/user/emails")
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	defer res.Body.Close()
+
+	log.Debug().Msg("Got email response from github")
+
+	// Read the body of the response
+	body, err = io.ReadAll(res.Body)
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	log.Debug().Msg("Read email body from github")
+
+	// Parse the body into a user struct
+	var emails GithubEmailResponse
 
 	// Unmarshal the body into the user struct
 	err = json.Unmarshal(body, &emails)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed emails from github")
@@ -57,10 +102,28 @@ func GetGithubEmail(client *http.Client) (string, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
-			return email.Email, nil
+			// Set the email then exit
+			log.Debug().Str("email", email.Email).Msg("Found primary email")
+			user.Email = email.Email
+			break
 		}
 	}
 
-	// User does not have a primary email?
-	return "", errors.New("no primary email found")
+	// If no primary email was found, use the first available email
+	if len(emails) == 0 {
+		return user, errors.New("no emails found")
+	}
+
+	// Set the email if it is not set picking the first one
+	if user.Email == "" {
+		log.Warn().Str("email", emails[0].Email).Msg("No primary email found, using first email")
+		user.Email = emails[0].Email
+	}
+
+	// Set the username and name
+	user.PreferredUsername = userInfo.Login
+	user.Name = userInfo.Name
+
+	// Return
+	return user, nil
 }

internal/providers/google.go

@@ -4,29 +4,37 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strings"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
-// Google works the same as the generic provider
+// Response for the google user endpoint
 type GoogleUserInfoResponse struct {
 	Email string `json:"email"`
+	Name  string `json:"name"`
 }
 
 // The scopes required for the google provider
 func GoogleScopes() []string {
-	return []string{"https://www.googleapis.com/auth/userinfo.email"}
+	return []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
 }
 
-func GetGoogleEmail(client *http.Client) (string, error) {
+func GetGoogleUser(client *http.Client) (constants.Claims, error) {
+	// Create user struct
+	var user constants.Claims
+
 	// Get the user info from google using the oauth http client
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got response from google")
 
 	// Read the body of the response
@@ -34,24 +42,29 @@ func GetGoogleEmail(client *http.Client) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Read body from google")
 
-	// Parse the body into a user struct
-	var user GoogleUserInfoResponse
+	// Create a new user info struct
+	var userInfo GoogleUserInfoResponse
 
 	// Unmarshal the body into the user struct
-	err = json.Unmarshal(body, &user)
+	err = json.Unmarshal(body, &userInfo)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed user from google")
 
-	// Return the email
-	return user.Email, nil
+	// Map the user info to the user struct
+	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
+	user.Name = userInfo.Name
+	user.Email = userInfo.Email
+
+	// Return the user
+	return user, nil
 }

internal/providers/providers.go

@@ -2,6 +2,7 @@ package providers
 
 import (
 	"fmt"
+	"tinyauth/internal/constants"
 	"tinyauth/internal/oauth"
 	"tinyauth/internal/types"
 
@@ -17,11 +18,10 @@ func NewProviders(config types.OAuthConfig) *Providers {
 }
 
 type Providers struct {
-	Config    types.OAuthConfig
-	Github    *oauth.OAuth
-	Google    *oauth.OAuth
-	Tailscale *oauth.OAuth
-	Generic   *oauth.OAuth
+	Config  types.OAuthConfig
+	Github  *oauth.OAuth
+	Google  *oauth.OAuth
+	Generic *oauth.OAuth
 }
 
 func (providers *Providers) Init() {
@@ -59,22 +59,6 @@ func (providers *Providers) Init() {
 		providers.Google.Init()
 	}
 
-	if providers.Config.TailscaleClientId != "" && providers.Config.TailscaleClientSecret != "" {
-		log.Info().Msg("Initializing Tailscale OAuth")
-
-		// Create a new oauth provider with the tailscale config
-		providers.Tailscale = oauth.NewOAuth(oauth2.Config{
-			ClientID:     providers.Config.TailscaleClientId,
-			ClientSecret: providers.Config.TailscaleClientSecret,
-			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/tailscale", providers.Config.AppURL),
-			Scopes:       TailscaleScopes(),
-			Endpoint:     TailscaleEndpoint,
-		})
-
-		// Initialize the oauth provider
-		providers.Tailscale.Init()
-	}
-
 	// If we have a client id and secret for generic oauth, initialize the oauth provider
 	if providers.Config.GenericClientId != "" && providers.Config.GenericClientSecret != "" {
 		log.Info().Msg("Initializing Generic OAuth")
@@ -103,8 +87,6 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 		return providers.Github
 	case "google":
 		return providers.Google
-	case "tailscale":
-		return providers.Tailscale
 	case "generic":
 		return providers.Generic
 	default:
@@ -112,14 +94,17 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 	}
 }
 
-func (providers *Providers) GetUser(provider string) (string, error) {
-	// Get the email from the provider
+func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
+	// Create user struct
+	var user constants.Claims
+
+	// Get the user from the provider
 	switch provider {
 	case "github":
 		// If the github provider is not configured, return an error
 		if providers.Github == nil {
 			log.Debug().Msg("Github provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the github provider
@@ -127,23 +112,23 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from github")
 
-		// Get the email from the github provider
-		email, err := GetGithubEmail(client)
+		// Get the user from the github provider
+		user, err := GetGithubUser(client)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from github")
+		log.Debug().Msg("Got user from github")
 
-		// Return the email
-		return email, nil
+		// Return the user
+		return user, nil
 	case "google":
 		// If the google provider is not configured, return an error
 		if providers.Google == nil {
 			log.Debug().Msg("Google provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the google provider
@@ -151,47 +136,23 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from google")
 
-		// Get the email from the google provider
-		email, err := GetGoogleEmail(client)
+		// Get the user from the google provider
+		user, err := GetGoogleUser(client)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from google")
+		log.Debug().Msg("Got user from google")
 
-		// Return the email
-		return email, nil
-	case "tailscale":
-		// If the tailscale provider is not configured, return an error
-		if providers.Tailscale == nil {
-			log.Debug().Msg("Tailscale provider not configured")
-			return "", nil
-		}
-
-		// Get the client from the tailscale provider
-		client := providers.Tailscale.GetClient()
-
-		log.Debug().Msg("Got client from tailscale")
-
-		// Get the email from the tailscale provider
-		email, err := GetTailscaleEmail(client)
-
-		// Check if there was an error
-		if err != nil {
-			return "", err
-		}
-
-		log.Debug().Msg("Got email from tailscale")
-
-		// Return the email
-		return email, nil
+		// Return the user
+		return user, nil
 	case "generic":
 		// If the generic provider is not configured, return an error
 		if providers.Generic == nil {
 			log.Debug().Msg("Generic provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the generic provider
@@ -199,20 +160,20 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from generic")
 
-		// Get the email from the generic provider
-		email, err := GetGenericEmail(client, providers.Config.GenericUserURL)
+		// Get the user from the generic provider
+		user, err := GetGenericUser(client, providers.Config.GenericUserURL)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from generic")
+		log.Debug().Msg("Got user from generic")
 
 		// Return the email
-		return email, nil
+		return user, nil
 	default:
-		return "", nil
+		return user, nil
 	}
 }
 
@@ -225,9 +186,6 @@ func (provider *Providers) GetConfiguredProviders() []string {
 	if provider.Google != nil {
 		providers = append(providers, "google")
 	}
-	if provider.Tailscale != nil {
-		providers = append(providers, "tailscale")
-	}
 	if provider.Generic != nil {
 		providers = append(providers, "generic")
 	}

internal/providers/tailscale.go

@@ -1,68 +0,0 @@
-package providers
-
-import (
-	"encoding/json"
-	"io"
-	"net/http"
-
-	"github.com/rs/zerolog/log"
-	"golang.org/x/oauth2"
-)
-
-// The tailscale email is the loginName
-type TailscaleUser struct {
-	LoginName string `json:"loginName"`
-}
-
-// The response from the tailscale user info endpoint
-type TailscaleUserInfoResponse struct {
-	Users []TailscaleUser `json:"users"`
-}
-
-// The scopes required for the tailscale provider
-func TailscaleScopes() []string {
-	return []string{"users:read"}
-}
-
-// The tailscale endpoint
-var TailscaleEndpoint = oauth2.Endpoint{
-	TokenURL: "https://api.tailscale.com/api/v2/oauth/token",
-}
-
-func GetTailscaleEmail(client *http.Client) (string, error) {
-	// Get the user info from tailscale using the oauth http client
-	res, err := client.Get("https://api.tailscale.com/api/v2/tailnet/-/users")
-
-	// Check if there was an error
-	if err != nil {
-		return "", err
-	}
-
-	log.Debug().Msg("Got response from tailscale")
-
-	// Read the body of the response
-	body, err := io.ReadAll(res.Body)
-
-	// Check if there was an error
-	if err != nil {
-		return "", err
-	}
-
-	log.Debug().Msg("Read body from tailscale")
-
-	// Parse the body into a user struct
-	var users TailscaleUserInfoResponse
-
-	// Unmarshal the body into the user struct
-	err = json.Unmarshal(body, &users)
-
-	// Check if there was an error
-	if err != nil {
-		return "", err
-	}
-
-	log.Debug().Msg("Parsed users from tailscale")
-
-	// Return the email of the first user
-	return users.Users[0].LoginName, nil
-}

internal/types/api.go

@@ -20,11 +20,7 @@ type OAuthRequest struct {
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
-}
-
-// TailscaleQuery is the query parameters for the tailscale endpoint
-type TailscaleQuery struct {
-	Code int `url:"code"`
+	GroupErr bool   `url:"groupErr"`
 }
 
 // Proxy is the uri parameters for the proxy endpoint
@@ -38,6 +34,8 @@ type UserContextResponse struct {
 	Message     string `json:"message"`
 	IsLoggedIn  bool   `json:"isLoggedIn"`
 	Username    string `json:"username"`
+	Name        string `json:"name"`
+	Email       string `json:"email"`
 	Provider    string `json:"provider"`
 	Oauth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
@@ -45,12 +43,15 @@ type UserContextResponse struct {
 
 // App Context is the response for the app context endpoint
 type AppContext struct {
-	Status              int      `json:"status"`
-	Message             string   `json:"message"`
-	ConfiguredProviders []string `json:"configuredProviders"`
-	DisableContinue     bool     `json:"disableContinue"`
-	Title               string   `json:"title"`
-	GenericName         string   `json:"genericName"`
+	Status                int      `json:"status"`
+	Message               string   `json:"message"`
+	ConfiguredProviders   []string `json:"configuredProviders"`
+	DisableContinue       bool     `json:"disableContinue"`
+	Title                 string   `json:"title"`
+	GenericName           string   `json:"genericName"`
+	Domain                string   `json:"domain"`
+	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
+	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
 }
 
 // Totp request is the request for the totp endpoint

internal/types/config.go

@@ -2,64 +2,65 @@ package types
 
 // Config is the configuration for the tinyauth server
 type Config struct {
-	Port                      int    `mapstructure:"port" validate:"required"`
-	Address                   string `validate:"required,ip4_addr" mapstructure:"address"`
-	Secret                    string `validate:"required,len=32" mapstructure:"secret"`
-	SecretFile                string `mapstructure:"secret-file"`
-	AppURL                    string `validate:"required,url" mapstructure:"app-url"`
-	Users                     string `mapstructure:"users"`
-	UsersFile                 string `mapstructure:"users-file"`
-	CookieSecure              bool   `mapstructure:"cookie-secure"`
-	GithubClientId            string `mapstructure:"github-client-id"`
-	GithubClientSecret        string `mapstructure:"github-client-secret"`
-	GithubClientSecretFile    string `mapstructure:"github-client-secret-file"`
-	GoogleClientId            string `mapstructure:"google-client-id"`
-	GoogleClientSecret        string `mapstructure:"google-client-secret"`
-	GoogleClientSecretFile    string `mapstructure:"google-client-secret-file"`
-	TailscaleClientId         string `mapstructure:"tailscale-client-id"`
-	TailscaleClientSecret     string `mapstructure:"tailscale-client-secret"`
-	TailscaleClientSecretFile string `mapstructure:"tailscale-client-secret-file"`
-	GenericClientId           string `mapstructure:"generic-client-id"`
-	GenericClientSecret       string `mapstructure:"generic-client-secret"`
-	GenericClientSecretFile   string `mapstructure:"generic-client-secret-file"`
-	GenericScopes             string `mapstructure:"generic-scopes"`
-	GenericAuthURL            string `mapstructure:"generic-auth-url"`
-	GenericTokenURL           string `mapstructure:"generic-token-url"`
-	GenericUserURL            string `mapstructure:"generic-user-url"`
-	GenericName               string `mapstructure:"generic-name"`
-	DisableContinue           bool   `mapstructure:"disable-continue"`
-	OAuthWhitelist            string `mapstructure:"oauth-whitelist"`
-	SessionExpiry             int    `mapstructure:"session-expiry"`
-	LogLevel                  int8   `mapstructure:"log-level" validate:"min=-1,max=5"`
-	Title                     string `mapstructure:"app-title"`
-	EnvFile                   string `mapstructure:"env-file"`
-	LoginTimeout              int    `mapstructure:"login-timeout"`
-	LoginMaxRetries           int    `mapstructure:"login-max-retries"`
+	Port                    int    `mapstructure:"port" validate:"required"`
+	Address                 string `validate:"required,ip4_addr" mapstructure:"address"`
+	Secret                  string `validate:"required,len=32" mapstructure:"secret"`
+	SecretFile              string `mapstructure:"secret-file"`
+	AppURL                  string `validate:"required,url" mapstructure:"app-url"`
+	Users                   string `mapstructure:"users"`
+	UsersFile               string `mapstructure:"users-file"`
+	CookieSecure            bool   `mapstructure:"cookie-secure"`
+	GithubClientId          string `mapstructure:"github-client-id"`
+	GithubClientSecret      string `mapstructure:"github-client-secret"`
+	GithubClientSecretFile  string `mapstructure:"github-client-secret-file"`
+	GoogleClientId          string `mapstructure:"google-client-id"`
+	GoogleClientSecret      string `mapstructure:"google-client-secret"`
+	GoogleClientSecretFile  string `mapstructure:"google-client-secret-file"`
+	GenericClientId         string `mapstructure:"generic-client-id"`
+	GenericClientSecret     string `mapstructure:"generic-client-secret"`
+	GenericClientSecretFile string `mapstructure:"generic-client-secret-file"`
+	GenericScopes           string `mapstructure:"generic-scopes"`
+	GenericAuthURL          string `mapstructure:"generic-auth-url"`
+	GenericTokenURL         string `mapstructure:"generic-token-url"`
+	GenericUserURL          string `mapstructure:"generic-user-url"`
+	GenericName             string `mapstructure:"generic-name"`
+	DisableContinue         bool   `mapstructure:"disable-continue"`
+	OAuthWhitelist          string `mapstructure:"oauth-whitelist"`
+	OAuthAutoRedirect       string `mapstructure:"oauth-auto-redirect" validate:"oneof=none github google generic"`
+	SessionExpiry           int    `mapstructure:"session-expiry"`
+	LogLevel                int8   `mapstructure:"log-level" validate:"min=-1,max=5"`
+	Title                   string `mapstructure:"app-title"`
+	EnvFile                 string `mapstructure:"env-file"`
+	LoginTimeout            int    `mapstructure:"login-timeout"`
+	LoginMaxRetries         int    `mapstructure:"login-max-retries"`
+	FogotPasswordMessage    string `mapstructure:"forgot-password-message" validate:"required"`
 }
 
 // Server configuration
 type HandlersConfig struct {
-	AppURL          string
-	DisableContinue bool
-	GenericName     string
-	Title           string
+	AppURL                string
+	Domain                string
+	CookieSecure          bool
+	DisableContinue       bool
+	GenericName           string
+	Title                 string
+	ForgotPasswordMessage string
+	OAuthAutoRedirect     string
 }
 
 // OAuthConfig is the configuration for the providers
 type OAuthConfig struct {
-	GithubClientId        string
-	GithubClientSecret    string
-	GoogleClientId        string
-	GoogleClientSecret    string
-	TailscaleClientId     string
-	TailscaleClientSecret string
-	GenericClientId       string
-	GenericClientSecret   string
-	GenericScopes         []string
-	GenericAuthURL        string
-	GenericTokenURL       string
-	GenericUserURL        string
-	AppURL                string
+	GithubClientId      string
+	GithubClientSecret  string
+	GoogleClientId      string
+	GoogleClientSecret  string
+	GenericClientId     string
+	GenericClientSecret string
+	GenericScopes       []string
+	GenericAuthURL      string
+	GenericTokenURL     string
+	GenericUserURL      string
+	AppURL              string
 }
 
 // APIConfig is the configuration for the API
@@ -71,7 +72,7 @@ type APIConfig struct {
 // AuthConfig is the configuration for the auth service
 type AuthConfig struct {
 	Users           Users
-	OauthWhitelist  []string
+	OauthWhitelist  string
 	SessionExpiry   int
 	Secret          string
 	CookieSecure    bool
@@ -79,3 +80,8 @@ type AuthConfig struct {
 	LoginTimeout    int
 	LoginMaxRetries int
 }
+
+// HooksConfig is the configuration for the hooks service
+type HooksConfig struct {
+	Domain string
+}

internal/types/types.go

@@ -25,26 +25,33 @@ type OAuthProviders struct {
 // SessionCookie is the cookie for the session (exculding the expiry)
 type SessionCookie struct {
 	Username    string
+	Name        string
+	Email       string
 	Provider    string
 	TotpPending bool
-	RedirectURI string
+	OAuthGroups string
 }
 
 // TinyauthLabels is the labels for the tinyauth container
 type TinyauthLabels struct {
-	OAuthWhitelist []string
-	Users          []string
+	OAuthWhitelist string
+	Users          string
 	Allowed        string
 	Headers        map[string]string
+	OAuthGroups    string
 }
 
 // UserContext is the context for the user
 type UserContext struct {
 	Username    string
+	Name        string
+	Email       string
 	IsLoggedIn  bool
 	OAuth       bool
 	Provider    string
 	TotpPending bool
+	OAuthGroups string
+	TotpEnabled bool
 }
 
 // LoginAttempt tracks information about login attempts for rate limiting

internal/utils/utils.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"net/url"
 	"os"
+	"regexp"
 	"slices"
 	"strings"
 	"tinyauth/internal/constants"
@@ -130,7 +131,7 @@ func GetSecret(conf string, file string) string {
 	}
 
 	// Return the contents of the file
-	return contents
+	return ParseSecretFile(contents)
 }
 
 // Get the users from the config or file
@@ -188,9 +189,9 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 			// Add the label value to the tinyauth labels struct
 			switch label {
 			case "tinyauth.oauth.whitelist":
-				tinyauthLabels.OAuthWhitelist = strings.Split(value, ",")
+				tinyauthLabels.OAuthWhitelist = value
 			case "tinyauth.users":
-				tinyauthLabels.Users = strings.Split(value, ",")
+				tinyauthLabels.Users = value
 			case "tinyauth.allowed":
 				tinyauthLabels.Allowed = value
 			case "tinyauth.headers":
@@ -203,6 +204,8 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 					}
 					tinyauthLabels.Headers[headerSplit[0]] = headerSplit[1]
 				}
+			case "tinyauth.oauth.groups":
+				tinyauthLabels.OAuthGroups = value
 			}
 		}
 	}
@@ -213,7 +216,7 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 
 // Check if any of the OAuth providers are configured based on the client id and secret
 func OAuthConfigured(config types.Config) bool {
-	return (config.GithubClientId != "" && config.GithubClientSecret != "") || (config.GoogleClientId != "" && config.GoogleClientSecret != "") || (config.GenericClientId != "" && config.GenericClientSecret != "") || (config.TailscaleClientId != "" && config.TailscaleClientSecret != "")
+	return (config.GithubClientId != "" && config.GithubClientSecret != "") || (config.GoogleClientId != "" && config.GoogleClientSecret != "") || (config.GenericClientId != "" && config.GenericClientSecret != "")
 }
 
 // Filter helper function
@@ -241,23 +244,21 @@ func ParseUser(user string) (types.User, error) {
 		return types.User{}, errors.New("invalid user format")
 	}
 
-	// Check if the user has a totp secret
-	if len(userSplit) == 2 {
-		// Check for empty username or password
-		if userSplit[1] == "" || userSplit[0] == "" {
+	// Check for empty strings
+	for _, userPart := range userSplit {
+		if strings.TrimSpace(userPart) == "" {
 			return types.User{}, errors.New("invalid user format")
 		}
+	}
+
+	// Check if the user has a totp secret
+	if len(userSplit) == 2 {
 		return types.User{
 			Username: userSplit[0],
 			Password: userSplit[1],
 		}, nil
 	}
 
-	// Check for empty username, password or totp secret
-	if userSplit[2] == "" || userSplit[1] == "" || userSplit[0] == "" {
-		return types.User{}, errors.New("invalid user format")
-	}
-
 	// Return the user struct
 	return types.User{
 		Username:   userSplit[0],
@@ -265,3 +266,81 @@ func ParseUser(user string) (types.User, error) {
 		TotpSecret: userSplit[2],
 	}, nil
 }
+
+// Parse secret file
+func ParseSecretFile(contents string) string {
+	// Split to lines
+	lines := strings.Split(contents, "\n")
+
+	// Loop through the lines
+	for _, line := range lines {
+		// Check if the line is empty
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+
+		// Return the line
+		return strings.TrimSpace(line)
+	}
+
+	// Return an empty string
+	return ""
+}
+
+// Check if a string matches a regex or a whitelist
+func CheckWhitelist(whitelist string, str string) bool {
+	// Check if the whitelist is empty
+	if len(strings.TrimSpace(whitelist)) == 0 {
+		return true
+	}
+
+	// Check if the whitelist is a regex
+	if strings.HasPrefix(whitelist, "/") && strings.HasSuffix(whitelist, "/") {
+		// Create regex
+		re, err := regexp.Compile(whitelist[1 : len(whitelist)-1])
+
+		// Check if there was an error
+		if err != nil {
+			log.Error().Err(err).Msg("Error compiling regex")
+			return false
+		}
+
+		// Check if the string matches the regex
+		if re.MatchString(str) {
+			return true
+		}
+	}
+
+	// Split the whitelist by comma
+	whitelistSplit := strings.Split(whitelist, ",")
+
+	// Loop through the whitelist
+	for _, item := range whitelistSplit {
+		// Check if the item matches with the string
+		if strings.TrimSpace(item) == str {
+			return true
+		}
+	}
+
+	// Return false if no match was found
+	return false
+}
+
+// Capitalize just the first letter of a string
+func Capitalize(str string) string {
+	if len(str) == 0 {
+		return ""
+	}
+	return strings.ToUpper(string([]rune(str)[0])) + string([]rune(str)[1:])
+}
+
+// Sanitize header removes all control characters from a string
+func SanitizeHeader(header string) string {
+	return strings.Map(func(r rune) rune {
+		// Allow only printable ASCII characters (32-126) and safe whitespace (space, tab)
+		if r == ' ' || r == '\t' || (r >= 32 && r <= 126) {
+			return r
+		}
+		return -1
+	}, header)
+}

internal/utils/utils_test.go

@@ -1,6 +1,7 @@
 package utils_test
 
 import (
+	"fmt"
 	"os"
 	"reflect"
 	"testing"
@@ -123,7 +124,7 @@ func TestGetSecret(t *testing.T) {
 	expected := "test"
 
 	// Create file
-	err := os.WriteFile(file, []byte(expected), 0644)
+	err := os.WriteFile(file, []byte(fmt.Sprintf("\n\n    \n\n\n  %s   \n\n    \n  ", expected)), 0644)
 
 	// Check if there was an error
 	if err != nil {
@@ -285,15 +286,19 @@ func TestGetTinyauthLabels(t *testing.T) {
 	// Test the get tinyauth labels function with a valid map
 	labels := map[string]string{
 		"tinyauth.users":           "user1,user2",
-		"tinyauth.oauth.whitelist": "user1,user2",
+		"tinyauth.oauth.whitelist": "/regex/",
 		"tinyauth.allowed":         "random",
 		"random":                   "random",
+		"tinyauth.headers":         "X-Header=value",
 	}
 
 	expected := types.TinyauthLabels{
-		Users:          []string{"user1", "user2"},
-		OAuthWhitelist: []string{"user1", "user2"},
+		Users:          "user1,user2",
+		OAuthWhitelist: "/regex/",
 		Allowed:        "random",
+		Headers: map[string]string{
+			"X-Header": "value",
+		},
 	}
 
 	result := utils.GetTinyauthLabels(labels)
@@ -384,3 +389,143 @@ func TestParseUser(t *testing.T) {
 		t.Fatalf("Expected error parsing user")
 	}
 }
+
+// Test the whitelist function
+func TestCheckWhitelist(t *testing.T) {
+	t.Log("Testing check whitelist with a comma whitelist")
+
+	// Create variables
+	whitelist := "user1,user2,user3"
+	str := "user1"
+	expected := true
+
+	// Test the check whitelist function
+	result := utils.CheckWhitelist(whitelist, str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing check whitelist with a regex whitelist")
+
+	// Create variables
+	whitelist = "/^user[0-9]+$/"
+	str = "user1"
+	expected = true
+
+	// Test the check whitelist function
+	result = utils.CheckWhitelist(whitelist, str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing check whitelist with an empty whitelist")
+
+	// Create variables
+	whitelist = ""
+	str = "user1"
+	expected = true
+
+	// Test the check whitelist function
+	result = utils.CheckWhitelist(whitelist, str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing check whitelist with an invalid regex whitelist")
+
+	// Create variables
+	whitelist = "/^user[0-9+$/"
+	str = "user1"
+	expected = false
+
+	// Test the check whitelist function
+	result = utils.CheckWhitelist(whitelist, str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing check whitelist with a non matching whitelist")
+
+	// Create variables
+	whitelist = "user1,user2,user3"
+	str = "user4"
+	expected = false
+
+	// Test the check whitelist function
+	result = utils.CheckWhitelist(whitelist, str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}
+
+// Test capitalize
+func TestCapitalize(t *testing.T) {
+	t.Log("Testing capitalize with a valid string")
+
+	// Create variables
+	str := "test"
+	expected := "Test"
+
+	// Test the capitalize function
+	result := utils.Capitalize(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing capitalize with an empty string")
+
+	// Create variables
+	str = ""
+	expected = ""
+
+	// Test the capitalize function
+	result = utils.Capitalize(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}
+
+// Test the header sanitizer
+func TestSanitizeHeader(t *testing.T) {
+	t.Log("Testing sanitize header with a valid string")
+
+	// Create variables
+	str := "X-Header=value"
+	expected := "X-Header=value"
+
+	// Test the sanitize header function
+	result := utils.SanitizeHeader(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing sanitize header with an invalid string")
+
+	// Create variables
+	str = "X-Header=val\nue"
+	expected = "X-Header=value"
+
+	// Test the sanitize header function
+	result = utils.SanitizeHeader(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}