barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-10-28 12:45:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: barbercollie:v3.5.0-alpha.2
Branches Tags
barbercollie:main barbercollie:dependabot/bun/frontend/minor-patch-b39938bc8c barbercollie:refactor/decoders barbercollie:dependabot/docker/oven/bun-1.3.1-alpine barbercollie:l10n_main barbercollie:docs/update-readme barbercollie:refactor/cli barbercollie:feat/analytics barbercollie:feat/multi-oauth barbercollie:revert-337-feat/header-acls barbercollie:feat/header-acls barbercollie:refactor/exports barbercollie:feat/domain-warning barbercollie:refactor/labels barbercollie:feat/sqlite barbercollie:refactor/file-structure barbercollie:feat/login-screen-version barbercollie:feat/ldap barbercollie:refactor/remove-init barbercollie:fix/sessions barbercollie:feat/ip-allow-block barbercollie:feat/app-basic-auth barbercollie:feat/app-label-domain barbercollie:refactor/paerser barbercollie:feat/untrusted-ssl-generic barbercollie:feat/cookie-uuid barbercollie:feat/new-ui barbercollie:feat/oauth-info barbercollie:feat/multiple-app-urls barbercollie:refactor/error-handling barbercollie:refactor/handlers barbercollie:feat/swagger barbercollie:refactor/app-context barbercollie:feat/totp barbercollie:chore/comments
barbercollie:nightly barbercollie:v4.0.1 barbercollie:v4.0.1-beta.2 barbercollie:v4.0.1-beta.1 barbercollie:v4.0.0 barbercollie:v4.0.0-rc.1 barbercollie:v4.0.0-beta.3 barbercollie:v4.0.0-beta.2 barbercollie:v4.0.0-beta.1 barbercollie:v4.0.0-alpha.2 barbercollie:v4.0.0-alpha.1 barbercollie:v3.6.2 barbercollie:v3.6.2-beta.4 barbercollie:v3.6.2-beta.3 barbercollie:v3.6.2-beta.2 barbercollie:v3.6.2-beta.1 barbercollie:v3.6.1 barbercollie:v3.6.1-beta.3 barbercollie:v3.6.1-beta.2 barbercollie:v3.6.1-beta.1 barbercollie:v3.6.0 barbercollie:v3.6.0-beta.2 barbercollie:v3.6.0-beta.1 barbercollie:v3.5.0 barbercollie:v3.5.0-alpha.2 barbercollie:v3.5.0-alpha.1 barbercollie:v3.4.1 barbercollie:v3.4.1-beta.1 barbercollie:v3.4.0 barbercollie:v3.4.0-beta.2 barbercollie:v3.4.0-beta.1 barbercollie:v3.4.0-alpha.1 barbercollie:v3.3.1 barbercollie:v3.3.1-beta.1 barbercollie:v3.3.0 barbercollie:v3.3.0-alpha.3 barbercollie:v3.3.0-alpha.2 barbercollie:v3.3.0-alpha.1 barbercollie:v3.2.1 barbercollie:v3.2.1-beta.1 barbercollie:v3.2.0 barbercollie:v3.2.0-beta.6 barbercollie:v3.2.0-beta.5 barbercollie:v3.2.0-beta.4 barbercollie:v3.2.0-beta.3 barbercollie:v3.2.0-beta.2 barbercollie:v3.2.0-beta.1 barbercollie:v3.2.0-alpha.1 barbercollie:v3.1.0 barbercollie:v3.1.0-beta.2 barbercollie:v3.1.0-beta.1 barbercollie:v3.1.0-alpha.1 barbercollie:v3.1.0-exp.3 barbercollie:v3.1.0-exp.2 barbercollie:v3.1.0-exp.1 barbercollie:v3.0.1 barbercollie:v3.0.1-beta.1 barbercollie:v3.0.0 barbercollie:v3.0.0-beta.2 barbercollie:v3.0.0-beta.1 barbercollie:v3.0.0-alpha.4 barbercollie:v3.0.0-alpha.3 barbercollie:v3.0.0-alpha.2 barbercollie:v3.0.0-alpha.1 barbercollie:v2.1.1 barbercollie:v2.1.1-beta.1 barbercollie:v2.1.0 barbercollie:v2.1.0-alpha.2 barbercollie:v2.1.0-alpha.1 barbercollie:v2.0.2 barbercollie:v2.0.2-beta.2 barbercollie:v2.0.2-beta.1 barbercollie:v2.0.1 barbercollie:v2.0.0 barbercollie:v2.0.0-beta.1 barbercollie:v2.0.0-alpha.1 barbercollie:v1.0.0 barbercollie:v1.0.0-beta.3 barbercollie:v1.0.0-beta.2 barbercollie:v1.0.0-beta.1 barbercollie:v1.0.0-alpha.1 barbercollie:v0.3.0 barbercollie:v0.3.0-beta.3 barbercollie:v0.3.0-beta.2 barbercollie:v0.3.0-beta.1 barbercollie:v0.2.0 barbercollie:v0.2.0-beta.1 barbercollie:v0.1.0 barbercollie:v0.1.0-beta.1
...
compare: barbercollie:v3.6.1-beta.3
Branches Tags
barbercollie:dependabot/bun/frontend/minor-patch-b39938bc8c barbercollie:main barbercollie:refactor/decoders barbercollie:dependabot/docker/oven/bun-1.3.1-alpine barbercollie:l10n_main barbercollie:docs/update-readme barbercollie:refactor/cli barbercollie:feat/analytics barbercollie:feat/multi-oauth barbercollie:revert-337-feat/header-acls barbercollie:feat/header-acls barbercollie:refactor/exports barbercollie:feat/domain-warning barbercollie:refactor/labels barbercollie:feat/sqlite barbercollie:refactor/file-structure barbercollie:feat/login-screen-version barbercollie:feat/ldap barbercollie:refactor/remove-init barbercollie:fix/sessions barbercollie:feat/ip-allow-block barbercollie:feat/app-basic-auth barbercollie:feat/app-label-domain barbercollie:refactor/paerser barbercollie:feat/untrusted-ssl-generic barbercollie:feat/cookie-uuid barbercollie:feat/new-ui barbercollie:feat/oauth-info barbercollie:feat/multiple-app-urls barbercollie:refactor/error-handling barbercollie:refactor/handlers barbercollie:feat/swagger barbercollie:refactor/app-context barbercollie:feat/totp barbercollie:chore/comments
barbercollie:nightly barbercollie:v4.0.1 barbercollie:v4.0.1-beta.2 barbercollie:v4.0.1-beta.1 barbercollie:v4.0.0 barbercollie:v4.0.0-rc.1 barbercollie:v4.0.0-beta.3 barbercollie:v4.0.0-beta.2 barbercollie:v4.0.0-beta.1 barbercollie:v4.0.0-alpha.2 barbercollie:v4.0.0-alpha.1 barbercollie:v3.6.2 barbercollie:v3.6.2-beta.4 barbercollie:v3.6.2-beta.3 barbercollie:v3.6.2-beta.2 barbercollie:v3.6.2-beta.1 barbercollie:v3.6.1 barbercollie:v3.6.1-beta.3 barbercollie:v3.6.1-beta.2 barbercollie:v3.6.1-beta.1 barbercollie:v3.6.0 barbercollie:v3.6.0-beta.2 barbercollie:v3.6.0-beta.1 barbercollie:v3.5.0 barbercollie:v3.5.0-alpha.2 barbercollie:v3.5.0-alpha.1 barbercollie:v3.4.1 barbercollie:v3.4.1-beta.1 barbercollie:v3.4.0 barbercollie:v3.4.0-beta.2 barbercollie:v3.4.0-beta.1 barbercollie:v3.4.0-alpha.1 barbercollie:v3.3.1 barbercollie:v3.3.1-beta.1 barbercollie:v3.3.0 barbercollie:v3.3.0-alpha.3 barbercollie:v3.3.0-alpha.2 barbercollie:v3.3.0-alpha.1 barbercollie:v3.2.1 barbercollie:v3.2.1-beta.1 barbercollie:v3.2.0 barbercollie:v3.2.0-beta.6 barbercollie:v3.2.0-beta.5 barbercollie:v3.2.0-beta.4 barbercollie:v3.2.0-beta.3 barbercollie:v3.2.0-beta.2 barbercollie:v3.2.0-beta.1 barbercollie:v3.2.0-alpha.1 barbercollie:v3.1.0 barbercollie:v3.1.0-beta.2 barbercollie:v3.1.0-beta.1 barbercollie:v3.1.0-alpha.1 barbercollie:v3.1.0-exp.3 barbercollie:v3.1.0-exp.2 barbercollie:v3.1.0-exp.1 barbercollie:v3.0.1 barbercollie:v3.0.1-beta.1 barbercollie:v3.0.0 barbercollie:v3.0.0-beta.2 barbercollie:v3.0.0-beta.1 barbercollie:v3.0.0-alpha.4 barbercollie:v3.0.0-alpha.3 barbercollie:v3.0.0-alpha.2 barbercollie:v3.0.0-alpha.1 barbercollie:v2.1.1 barbercollie:v2.1.1-beta.1 barbercollie:v2.1.0 barbercollie:v2.1.0-alpha.2 barbercollie:v2.1.0-alpha.1 barbercollie:v2.0.2 barbercollie:v2.0.2-beta.2 barbercollie:v2.0.2-beta.1 barbercollie:v2.0.1 barbercollie:v2.0.0 barbercollie:v2.0.0-beta.1 barbercollie:v2.0.0-alpha.1 barbercollie:v1.0.0 barbercollie:v1.0.0-beta.3 barbercollie:v1.0.0-beta.2 barbercollie:v1.0.0-beta.1 barbercollie:v1.0.0-alpha.1 barbercollie:v0.3.0 barbercollie:v0.3.0-beta.3 barbercollie:v0.3.0-beta.2 barbercollie:v0.3.0-beta.1 barbercollie:v0.2.0 barbercollie:v0.2.0-beta.1 barbercollie:v0.1.0 barbercollie:v0.1.0-beta.1

19 Commits
v3.5.0-alp ... v3.6.1-bet

Author SHA1 Message Date
Stavros
48b4d78a7c refactor: split handlers into smaller purpose specific files 2025-07-12 13:23:25 +03:00
Stavros
8ebed0ac9a chore: remove meaningless comments 2025-07-12 13:17:06 +03:00
Stavros
e742603c15 fix: add logging to user parse failure 2025-07-12 11:49:37 +03:00
Stavros
3215bb6baa refactor: simplify ldap heartbeat 2025-07-12 00:21:22 +03:00
Stavros
a11aba72d8 feat: add heartbeat to keep ldap connection alive 2025-07-11 23:16:09 +03:00
Stavros
10d1b48505 chore: add dlv for debugging in dev workflow 2025-07-11 17:15:32 +03:00
Stavros
f73eb9571f fix: fix password reset message translations 2025-07-11 16:16:49 +03:00
dependabot[bot]
da2877a682 chore(deps): bump the minor-patch group across 1 directory with 3 updates (#259) 
Bumps the minor-patch group with 3 updates in the /frontend directory: [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `@tanstack/react-query` from 5.81.5 to 5.82.0
- [Release notes](https://github.com/TanStack/query/releases)
- [Commits](https://github.com/TanStack/query/commits/v5.82.0/packages/react-query)

Updates `@types/node` from 24.0.12 to 24.0.13
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `vite` from 7.0.3 to 7.0.4
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.0.4/packages/vite)

---
updated-dependencies:
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: "@types/node"
  dependency-version: 24.0.13
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: vite
  dependency-version: 7.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-07-11 16:06:17 +03:00
dependabot[bot]
33cbfef02a chore(deps): bump the minor-patch group across 1 directory with 2 updates (#258) 
Bumps the minor-patch group with 2 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto) and [github.com/docker/docker](https://github.com/docker/docker).


Updates `golang.org/x/crypto` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/crypto/compare/v0.39.0...v0.40.0)

Updates `github.com/docker/docker` from 28.3.1+incompatible to 28.3.2+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.3.1...v28.3.2)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: github.com/docker/docker
  dependency-version: 28.3.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-07-11 16:05:54 +03:00
dependabot[bot]
c1a6428ed3 chore(deps): bump zod from 3.25.76 to 4.0.2 in /frontend (#254) 
Bumps [zod](https://github.com/colinhacks/zod) from 3.25.76 to 4.0.2.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/commits)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-07-11 16:05:34 +03:00
github-actions[bot]
2ee7932cba docs: regenerate readme sponsors list (#249) 
Co-authored-by: GitHub <noreply@github.com>
 2025-07-10 02:28:58 +03:00
Stavros
fe440a6f2e New translations en.json (Arabic) (#245) 2025-07-10 01:00:34 +03:00
Stavros
0ace88a877 feat: add support for bypassing authentication for specific IPs 2025-07-10 00:53:22 +03:00
Stavros
476ed6964d fix: fix docker label matching logic 2025-07-10 00:34:04 +03:00
Stavros
b3dca0429f New translations en.json (French) (#243) 2025-07-09 23:36:55 +03:00
Vincent Young
9e4b68112c fix: i18n zh-TW locale updates (#242) 2025-07-09 23:30:37 +03:00
dependabot[bot]
364f0e221e chore(deps): bump the minor-patch group in /frontend with 3 updates (#239) 
Bumps the minor-patch group in /frontend with 3 updates: [i18next](https://github.com/i18next/i18next), [zod](https://github.com/colinhacks/zod) and [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node).


Updates `i18next` from 25.3.1 to 25.3.2
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/i18next/compare/v25.3.1...v25.3.2)

Updates `zod` from 3.25.75 to 3.25.76
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.25.75...v3.25.76)

Updates `@types/node` from 24.0.10 to 24.0.12
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: i18next
  dependency-version: 25.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: zod
  dependency-version: 3.25.76
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: "@types/node"
  dependency-version: 24.0.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-07-09 18:05:55 +03:00
Stavros
09635666aa New Crowdin updates (#240) 
* New translations en.json (Arabic)

* New translations en.json (Arabic)

* New translations en.json (Danish)

* New translations en.json (Greek)

* New translations en.json (Polish)
 2025-07-09 18:05:28 +03:00
Stavros
9f02710114 feat: add support for comma list in label domain check 2025-07-09 17:49:13 +03:00
48 changed files with 1078 additions and 1733 deletions
Expand all files Collapse all files

6
.gitignore vendored
View File

@@ -11,11 +11,7 @@ docker-compose.test*
users.txt
# secret test file
secret.txt
secret_oauth.txt
# vscode
.vscode
secret*
# apple stuff
.DS_Store

15
.vscode/launch.json vendored Normal file
View File

@@ -0,0 +1,15 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "Connect to server",
"type": "go",
"request": "attach",
"mode": "remote",
"remotePath": "/tinyauth",
"port": 4000,
"host": "127.0.0.1",
"debugAdapter": "legacy"
}
]
}

2
README.md
View File

@@ -53,7 +53,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
A big thank you to the following people for providing me with more coffee:
<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<!-- sponsors -->
<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<!-- sponsors -->
## Acknowledgements

6
air.toml
View File

@@ -2,9 +2,9 @@ root = "/tinyauth"
tmp_dir = "tmp"
[build]
pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html"]
cmd = "CGO_ENABLED=0 go build -o ./tmp/tinyauth ."
bin = "tmp/tinyauth"
pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html", "go install github.com/go-delve/delve/cmd/dlv@v1.25.0"]
cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ."
bin = "/go/bin/dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue"
include_ext = ["go"]
exclude_dir = ["internal/assets/dist"]
exclude_regex = [".*_test\\.go"]

54
cmd/root.go
View File

@@ -3,9 +3,7 @@ package cmd
import (
"errors"
"fmt"
"os"
"strings"
"time"
totpCmd "tinyauth/cmd/totp"
userCmd "tinyauth/cmd/user"
"tinyauth/internal/auth"
@@ -31,47 +29,37 @@ var rootCmd = &cobra.Command{
Short: "The simplest way to protect your apps with a login screen.",
Long: `Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.`,
Run: func(cmd *cobra.Command, args []string) {
// Logger
log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger().Level(zerolog.FatalLevel)
// Get config
var config types.Config
err := viper.Unmarshal(&config)
HandleError(err, "Failed to parse config")
// Secrets
// Check if secrets have a file associated with them
config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile)
config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile)
config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile)
// Validate config
validator := validator.New()
err = validator.Struct(config)
HandleError(err, "Failed to validate config")
// Logger
log.Logger = log.Level(zerolog.Level(config.LogLevel))
log.Info().Str("version", strings.TrimSpace(constants.Version)).Msg("Starting tinyauth")
// Users
log.Info().Msg("Parsing users")
users, err := utils.GetUsers(config.Users, config.UsersFile)
HandleError(err, "Failed to parse users")
// Get domain
log.Debug().Msg("Getting domain")
domain, err := utils.GetUpperDomain(config.AppURL)
HandleError(err, "Failed to get upper domain")
log.Info().Str("domain", domain).Msg("Using domain for cookie store")
// Generate cookie name
cookieId := utils.GenerateIdentifier(strings.Split(domain, ".")[0])
sessionCookieName := fmt.Sprintf("%s-%s", constants.SessionCookieName, cookieId)
csrfCookieName := fmt.Sprintf("%s-%s", constants.CsrfCookieName, cookieId)
redirectCookieName := fmt.Sprintf("%s-%s", constants.RedirectCookieName, cookieId)
// Generate HMAC and encryption secrets
log.Debug().Msg("Deriving HMAC and encryption secrets")
hmacSecret, err := utils.DeriveKey(config.Secret, "hmac")
@@ -80,7 +68,7 @@ var rootCmd = &cobra.Command{
encryptionSecret, err := utils.DeriveKey(config.Secret, "encryption")
HandleError(err, "Failed to derive encryption secret")
// Create OAuth config
// Split the config into service-specific sub-configs
oauthConfig := types.OAuthConfig{
GithubClientId: config.GithubClientId,
GithubClientSecret: config.GithubClientSecret,
@@ -96,7 +84,6 @@ var rootCmd = &cobra.Command{
AppURL: config.AppURL,
}
// Create handlers config
handlersConfig := types.HandlersConfig{
AppURL: config.AppURL,
DisableContinue: config.DisableContinue,
@@ -111,13 +98,11 @@ var rootCmd = &cobra.Command{
RedirectCookieName: redirectCookieName,
}
// Create server config
serverConfig := types.ServerConfig{
Port: config.Port,
Address: config.Address,
}
// Create auth config
authConfig := types.AuthConfig{
Users: users,
OauthWhitelist: config.OAuthWhitelist,
@@ -131,21 +116,14 @@ var rootCmd = &cobra.Command{
EncryptionSecret: encryptionSecret,
}
// Create hooks config
hooksConfig := types.HooksConfig{
Domain: domain,
}
// Create docker service
docker, err := docker.NewDocker()
HandleError(err, "Failed to initialize docker")
// Create LDAP service if configured
var ldapService *ldap.LDAP
if config.LdapAddress != "" {
log.Info().Msg("Using LDAP for authentication")
ldapConfig := types.LdapConfig{
Address: config.LdapAddress,
BindDN: config.LdapBindDN,
@@ -154,36 +132,28 @@ var rootCmd = &cobra.Command{
Insecure: config.LdapInsecure,
SearchFilter: config.LdapSearchFilter,
}
// Create LDAP service
ldapService, err = ldap.NewLDAP(ldapConfig)
HandleError(err, "Failed to create LDAP service")
} else {
log.Info().Msg("LDAP not configured, using local users or OAuth")
}
// Check if we have any users configured
// Check if we have a source of users
if len(users) == 0 && !utils.OAuthConfigured(config) && ldapService == nil {
HandleError(errors.New("err no users"), "Unable to find a source of users")
}
// Create auth service
// Setup the services
docker, err := docker.NewDocker()
HandleError(err, "Failed to initialize docker")
auth := auth.NewAuth(authConfig, docker, ldapService)
// Create OAuth providers service
providers := providers.NewProviders(oauthConfig)
// Create hooks service
hooks := hooks.NewHooks(hooksConfig, auth, providers)
// Create handlers
handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
// Create server
srv, err := server.NewServer(serverConfig, handlers)
HandleError(err, "Failed to create server")
// Start server
// Start up
err = srv.Start()
HandleError(err, "Failed to start server")
},
@@ -195,23 +165,17 @@ func Execute() {
}
func HandleError(err error, msg string) {
// If error, log it and exit
if err != nil {
log.Fatal().Err(err).Msg(msg)
}
}
func init() {
// Add user command
rootCmd.AddCommand(userCmd.UserCmd())
// Add totp command
rootCmd.AddCommand(totpCmd.TotpCmd())
// Read environment variables
viper.AutomaticEnv()
// Flags
rootCmd.Flags().Int("port", 3000, "Port to run the server on.")
rootCmd.Flags().String("address", "0.0.0.0", "Address to bind the server to.")
rootCmd.Flags().String("secret", "", "Secret to use for the cookie.")
@@ -243,7 +207,7 @@ func init() {
rootCmd.Flags().Int("login-max-retries", 5, "Maximum login attempts before timeout (0 to disable).")
rootCmd.Flags().Int("log-level", 1, "Log level.")
rootCmd.Flags().String("app-title", "Tinyauth", "Title of the app.")
rootCmd.Flags().String("forgot-password-message", "You can reset your password by changing the `USERS` environment variable.", "Message to show on the forgot password page.")
rootCmd.Flags().String("forgot-password-message", "", "Message to show on the forgot password page.")
rootCmd.Flags().String("background-image", "/background.jpg", "Background image URL for the login page.")
rootCmd.Flags().String("ldap-address", "", "LDAP server address (e.g. ldap://localhost:389).")
rootCmd.Flags().String("ldap-bind-dn", "", "LDAP bind DN (e.g. uid=user,dc=example,dc=com).")
@@ -252,7 +216,6 @@ func init() {
rootCmd.Flags().Bool("ldap-insecure", false, "Skip certificate verification for the LDAP server.")
rootCmd.Flags().String("ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup.")
// Bind flags to environment
viper.BindEnv("port", "PORT")
viper.BindEnv("address", "ADDRESS")
viper.BindEnv("secret", "SECRET")
@@ -293,6 +256,5 @@ func init() {
viper.BindEnv("ldap-insecure", "LDAP_INSECURE")
viper.BindEnv("ldap-search-filter", "LDAP_SEARCH_FILTER")
// Bind flags to viper
viper.BindPFlags(rootCmd.Flags())
}

24
cmd/totp/generate/generate.go
View File

@@ -15,7 +15,6 @@ import (
"github.com/spf13/cobra"
)
// Interactive flag
var interactive bool
// Input user
@@ -25,15 +24,9 @@ var GenerateCmd = &cobra.Command{
Use: "generate",
Short: "Generate a totp secret",
Run: func(cmd *cobra.Command, args []string) {
// Setup logger
log.Logger = log.Level(zerolog.InfoLevel)
// Use simple theme
var baseTheme *huh.Theme = huh.ThemeBase()
// Interactive
if interactive {
// Create huh form
form := huh.NewForm(
huh.NewGroup(
huh.NewInput().Title("Current username:hash").Value(&iUser).Validate((func(s string) error {
@@ -44,51 +37,39 @@ var GenerateCmd = &cobra.Command{
})),
),
)
// Run form
var baseTheme *huh.Theme = huh.ThemeBase()
err := form.WithTheme(baseTheme).Run()
if err != nil {
log.Fatal().Err(err).Msg("Form failed")
}
}
// Parse user
user, err := utils.ParseUser(iUser)
if err != nil {
log.Fatal().Err(err).Msg("Failed to parse user")
}
// Check if user was using docker escape
dockerEscape := false
if strings.Contains(iUser, "$$") {
dockerEscape = true
}
// Check it has totp
if user.TotpSecret != "" {
log.Fatal().Msg("User already has a totp secret")
}
// Generate totp secret
key, err := totp.Generate(totp.GenerateOpts{
Issuer: "Tinyauth",
AccountName: user.Username,
})
if err != nil {
log.Fatal().Err(err).Msg("Failed to generate totp secret")
}
// Create secret
secret := key.Secret()
// Print secret and image
log.Info().Str("secret", secret).Msg("Generated totp secret")
// Print QR code
log.Info().Msg("Generated QR code")
config := qrterminal.Config{
@@ -101,7 +82,6 @@ var GenerateCmd = &cobra.Command{
qrterminal.GenerateWithConfig(key.URL(), config)
// Add the secret to the user
user.TotpSecret = secret
// If using docker escape re-escape it
@@ -109,13 +89,11 @@ var GenerateCmd = &cobra.Command{
user.Password = strings.ReplaceAll(user.Password, "$", "$$")
}
// Print success
log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
},
}
func init() {
// Add interactive flag
GenerateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Run in interactive mode")
GenerateCmd.Flags().StringVar(&iUser, "user", "", "Your current username:hash")
}

5
cmd/totp/totp.go
View File

@@ -7,16 +7,11 @@ import (
)
func TotpCmd() *cobra.Command {
// Create the totp command
totpCmd := &cobra.Command{
Use: "totp",
Short: "Totp utilities",
Long: `Utilities for creating and verifying totp codes.`,
}
// Add the generate command
totpCmd.AddCommand(generate.GenerateCmd)
// Return the totp command
return totpCmd
}

19
cmd/user/create/create.go
View File

@@ -12,10 +12,7 @@ import (
"golang.org/x/crypto/bcrypt"
)
// Interactive flag
var interactive bool
// Docker flag
var docker bool
// i stands for input
@@ -27,12 +24,9 @@ var CreateCmd = &cobra.Command{
Short: "Create a user",
Long: `Create a user either interactively or by passing flags.`,
Run: func(cmd *cobra.Command, args []string) {
// Setup logger
log.Logger = log.Level(zerolog.InfoLevel)
// Check if interactive
if interactive {
// Create huh form
form := huh.NewForm(
huh.NewGroup(
huh.NewInput().Title("Username").Value(&iUsername).Validate((func(s string) error {
@@ -50,46 +44,35 @@ var CreateCmd = &cobra.Command{
huh.NewSelect[bool]().Title("Format the output for docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&docker),
),
)
// Use simple theme
var baseTheme *huh.Theme = huh.ThemeBase()
err := form.WithTheme(baseTheme).Run()
if err != nil {
log.Fatal().Err(err).Msg("Form failed")
}
}
// Do we have username and password?
if iUsername == "" || iPassword == "" {
log.Fatal().Err(errors.New("error invalid input")).Msg("Username and password cannot be empty")
}
log.Info().Str("username", iUsername).Str("password", iPassword).Bool("docker", docker).Msg("Creating user")
// Hash password
password, err := bcrypt.GenerateFromPassword([]byte(iPassword), bcrypt.DefaultCost)
if err != nil {
log.Fatal().Err(err).Msg("Failed to hash password")
}
// Convert password to string
// If docker format is enabled, escape the dollar sign
passwordString := string(password)
// Escape $ for docker
if docker {
passwordString = strings.ReplaceAll(passwordString, "$", "$$")
}
// Log user created
log.Info().Str("user", fmt.Sprintf("%s:%s", iUsername, passwordString)).Msg("User created")
},
}
func init() {
// Flags
CreateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
CreateCmd.Flags().BoolVar(&docker, "docker", false, "Format output for docker")
CreateCmd.Flags().StringVar(&iUsername, "username", "", "Username")

5
cmd/user/user.go
View File

@@ -8,17 +8,12 @@ import (
)
func UserCmd() *cobra.Command {
// Create the user command
userCmd := &cobra.Command{
Use: "user",
Short: "User utilities",
Long: `Utilities for creating and verifying tinyauth compatible users.`,
}
// Add subcommands
userCmd.AddCommand(create.CreateCmd)
userCmd.AddCommand(verify.VerifyCmd)
// Return the user command
return userCmd
}

23
cmd/user/verify/verify.go
View File

@@ -12,10 +12,7 @@ import (
"golang.org/x/crypto/bcrypt"
)
// Interactive flag
var interactive bool
// Docker flag
var docker bool
// i stands for input
@@ -29,15 +26,9 @@ var VerifyCmd = &cobra.Command{
Short: "Verify a user is set up correctly",
Long: `Verify a user is set up correctly meaning that it has a correct username, password and totp code.`,
Run: func(cmd *cobra.Command, args []string) {
// Setup logger
log.Logger = log.Level(zerolog.InfoLevel)
// Use simple theme
var baseTheme *huh.Theme = huh.ThemeBase()
// Check if interactive
if interactive {
// Create huh form
form := huh.NewForm(
huh.NewGroup(
huh.NewInput().Title("User (username:hash:totp)").Value(&iUser).Validate((func(s string) error {
@@ -61,35 +52,27 @@ var VerifyCmd = &cobra.Command{
huh.NewInput().Title("Totp Code (if setup)").Value(&iTotp),
),
)
// Run form
var baseTheme *huh.Theme = huh.ThemeBase()
err := form.WithTheme(baseTheme).Run()
if err != nil {
log.Fatal().Err(err).Msg("Form failed")
}
}
// Parse user
user, err := utils.ParseUser(iUser)
if err != nil {
log.Fatal().Err(err).Msg("Failed to parse user")
}
// Compare username
if user.Username != iUsername {
log.Fatal().Msg("Username is incorrect")
}
// Compare password
err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(iPassword))
if err != nil {
log.Fatal().Msg("Ppassword is incorrect")
}
// Check if user has 2fa code
if user.TotpSecret == "" {
if iTotp != "" {
log.Warn().Msg("User does not have 2fa secret")
@@ -98,21 +81,17 @@ var VerifyCmd = &cobra.Command{
return
}
// Check totp code
ok := totp.Validate(iTotp, user.TotpSecret)
if !ok {
log.Fatal().Msg("Totp code incorrect")
}
// Done
log.Info().Msg("User verified")
},
}
func init() {
// Flags
VerifyCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
VerifyCmd.Flags().BoolVar(&docker, "docker", false, "Is the user formatted for docker?")
VerifyCmd.Flags().StringVar(&iUsername, "username", "", "Username")

1
cmd/version.go
View File

@@ -7,7 +7,6 @@ import (
"github.com/spf13/cobra"
)
// Create the version command
var versionCmd = &cobra.Command{
Use: "version",
Short: "Print the version number of Tinyauth",

1
docker-compose.dev.yml
View File

@@ -42,6 +42,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 3000:3000
- 4000:4000
labels:
traefik.enable: true
traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth-backend:3000/api/auth/traefik

22
frontend/bun.lock
View File

@@ -10,12 +10,12 @@
"@radix-ui/react-separator": "^1.1.7",
"@radix-ui/react-slot": "^1.2.3",
"@tailwindcss/vite": "^4.1.11",
"@tanstack/react-query": "^5.81.5",
"@tanstack/react-query": "^5.82.0",
"axios": "^1.10.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dompurify": "^3.2.6",
"i18next": "^25.3.1",
"i18next": "^25.3.2",
"i18next-browser-languagedetector": "^8.2.0",
"i18next-resources-to-backend": "^1.2.1",
"input-otp": "^1.4.2",
@@ -30,12 +30,12 @@
"sonner": "^2.0.6",
"tailwind-merge": "^3.3.1",
"tailwindcss": "^4.1.11",
"zod": "^3.25.75",
"zod": "^4.0.2",
},
"devDependencies": {
"@eslint/js": "^9.30.1",
"@tanstack/eslint-plugin-query": "^5.81.2",
"@types/node": "^24.0.10",
"@types/node": "^24.0.13",
"@types/react": "^19.1.8",
"@types/react-dom": "^19.1.6",
"@vitejs/plugin-react": "^4.6.0",
@@ -47,7 +47,7 @@
"tw-animate-css": "^1.3.5",
"typescript": "~5.8.3",
"typescript-eslint": "^8.36.0",
"vite": "^7.0.3",
"vite": "^7.0.4",
},
},
},
@@ -328,9 +328,9 @@
"@tanstack/eslint-plugin-query": ["@tanstack/eslint-plugin-query@5.81.2", "", { "dependencies": { "@typescript-eslint/utils": "^8.18.1" }, "peerDependencies": { "eslint": "^8.57.0 || ^9.0.0" } }, "sha512-h4k6P6fm5VhKP5NkK+0TTVpGGyKQdx6tk7NYYG7J7PkSu7ClpLgBihw7yzK8N3n5zPaF3IMyErxfoNiXWH/3/A=="],
"@tanstack/query-core": ["@tanstack/query-core@5.81.5", "", {}, "sha512-ZJOgCy/z2qpZXWaj/oxvodDx07XcQa9BF92c0oINjHkoqUPsmm3uG08HpTaviviZ/N9eP1f9CM7mKSEkIo7O1Q=="],
"@tanstack/query-core": ["@tanstack/query-core@5.82.0", "", {}, "sha512-JrjoVuaajBQtnoWSg8iaPHaT4mW73lK2t+exxHNOSMqy0+13eKLqJgTKXKImLejQIfdAHQ6Un0njEhOvUtOd5w=="],
"@tanstack/react-query": ["@tanstack/react-query@5.81.5", "", { "dependencies": { "@tanstack/query-core": "5.81.5" }, "peerDependencies": { "react": "^18 || ^19" } }, "sha512-lOf2KqRRiYWpQT86eeeftAGnjuTR35myTP8MXyvHa81VlomoAWNEd8x5vkcAfQefu0qtYCvyqLropFZqgI2EQw=="],
"@tanstack/react-query": ["@tanstack/react-query@5.82.0", "", { "dependencies": { "@tanstack/query-core": "5.82.0" }, "peerDependencies": { "react": "^18 || ^19" } }, "sha512-mnk8/ofKEthFeMdhV1dV8YXRf+9HqvXAcciXkoo755d/ocfWq7N/Y9jGOzS3h7ZW9dDGwSIhs3/HANWUBsyqYg=="],
"@types/babel__core": ["@types/babel__core@7.20.5", "", { "dependencies": { "@babel/parser": "^7.20.7", "@babel/types": "^7.20.7", "@types/babel__generator": "*", "@types/babel__template": "*", "@types/babel__traverse": "*" } }, "sha512-qoQprZvz5wQFJwMDqeseRXWv3rqMvhgpbXFfVyWhbx9X47POIA6i/+dXefEmZKoAgOaTdaIgNSMqMIU61yRyzA=="],
@@ -354,7 +354,7 @@
"@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
"@types/node": ["@types/node@24.0.10", "", { "dependencies": { "undici-types": "~7.8.0" } }, "sha512-ENHwaH+JIRTDIEEbDK6QSQntAYGtbvdDXnMXnZaZ6k13Du1dPMmprkEHIL7ok2Wl2aZevetwTAb5S+7yIF+enA=="],
"@types/node": ["@types/node@24.0.13", "", { "dependencies": { "undici-types": "~7.8.0" } }, "sha512-Qm9OYVOFHFYg3wJoTSrz80hoec5Lia/dPp84do3X7dZvLikQvM1YpmvTBEdIr/e+U8HTkFjLHLnl78K/qjf+jQ=="],
"@types/react": ["@types/react@19.1.8", "", { "dependencies": { "csstype": "^3.0.2" } }, "sha512-AwAfQ2Wa5bCx9WP8nZL2uMZWod7J7/JSplxbTmBQ5ms6QpqNYm672H0Vu9ZVKVngQ+ii4R/byguVEUZQyeg44g=="],
@@ -582,7 +582,7 @@
"html-url-attributes": ["html-url-attributes@3.0.1", "", {}, "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ=="],
"i18next": ["i18next@25.3.1", "", { "dependencies": { "@babel/runtime": "^7.27.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-S4CPAx8LfMOnURnnJa8jFWvur+UX/LWcl6+61p9VV7SK2m0445JeBJ6tLD0D5SR0H29G4PYfWkEhivKG5p4RDg=="],
"i18next": ["i18next@25.3.2", "", { "dependencies": { "@babel/runtime": "^7.27.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-JSnbZDxRVbphc5jiptxr3o2zocy5dEqpVm9qCGdJwRNO+9saUJS0/u4LnM/13C23fUEWxAylPqKU/NpMV/IjqA=="],
"i18next-browser-languagedetector": ["i18next-browser-languagedetector@8.2.0", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-P+3zEKLnOF0qmiesW383vsLdtQVyKtCNA9cjSoKCppTKPQVfKd2W8hbVo5ZhNJKDqeM7BOcvNoKJOjpHh4Js9g=="],
@@ -900,7 +900,7 @@
"vfile-message": ["vfile-message@4.0.2", "", { "dependencies": { "@types/unist": "^3.0.0", "unist-util-stringify-position": "^4.0.0" } }, "sha512-jRDZ1IMLttGj41KcZvlrYAaI3CfqpLpfpf+Mfig13viT6NKvRzWZ+lXz0Y5D60w6uJIBAOGq9mSHf0gktF0duw=="],
"vite": ["vite@7.0.3", "", { "dependencies": { "esbuild": "^0.25.0", "fdir": "^6.4.6", "picomatch": "^4.0.2", "postcss": "^8.5.6", "rollup": "^4.40.0", "tinyglobby": "^0.2.14" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^20.19.0 || >=22.12.0", "jiti": ">=1.21.0", "less": "^4.0.0", "lightningcss": "^1.21.0", "sass": "^1.70.0", "sass-embedded": "^1.70.0", "stylus": ">=0.54.8", "sugarss": "^5.0.0", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-y2L5oJZF7bj4c0jgGYgBNSdIu+5HF+m68rn2cQXFbGoShdhV1phX9rbnxy9YXj82aS8MMsCLAAFkRxZeWdldrQ=="],
"vite": ["vite@7.0.4", "", { "dependencies": { "esbuild": "^0.25.0", "fdir": "^6.4.6", "picomatch": "^4.0.2", "postcss": "^8.5.6", "rollup": "^4.40.0", "tinyglobby": "^0.2.14" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^20.19.0 || >=22.12.0", "jiti": ">=1.21.0", "less": "^4.0.0", "lightningcss": "^1.21.0", "sass": "^1.70.0", "sass-embedded": "^1.70.0", "stylus": ">=0.54.8", "sugarss": "^5.0.0", "terser": "^5.16.0", "tsx": "^4.8.1", "yaml": "^2.4.2" }, "optionalPeers": ["@types/node", "jiti", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser", "tsx", "yaml"], "bin": { "vite": "bin/vite.js" } }, "sha512-SkaSguuS7nnmV7mfJ8l81JGBFV7Gvzp8IzgE8A8t23+AxuNX61Q5H1Tpz5efduSN7NHC8nQXD3sKQKZAu5mNEA=="],
"void-elements": ["void-elements@3.1.0", "", {}, "sha512-Dhxzh5HZuiHQhbvTW9AMetFfBHDMYpo23Uo9btPXgdYP+3T5S+p+jgNy7spra+veYhBP2dCSgxR/i2Y02h5/6w=="],
@@ -912,7 +912,7 @@
"yocto-queue": ["yocto-queue@0.1.0", "", {}, "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q=="],
"zod": ["zod@3.25.75", "", {}, "sha512-OhpzAmVzabPOL6C3A3gpAifqr9MqihV/Msx3gor2b2kviCgcb+HM9SEOpMWwwNp9MRunWnhtAKUoo0AHhjyPPg=="],
"zod": ["zod@4.0.2", "", {}, "sha512-X2niJNY54MGam4L6Kj0AxeedeDIi/E5QFW0On2faSX5J4/pfLk1tW+cRMIMoojnCavn/u5W/kX17e1CSGnKMxA=="],
"zwitch": ["zwitch@2.0.4", "", {}, "sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A=="],

10
frontend/package.json
View File

@@ -16,12 +16,12 @@
"@radix-ui/react-separator": "^1.1.7",
"@radix-ui/react-slot": "^1.2.3",
"@tailwindcss/vite": "^4.1.11",
"@tanstack/react-query": "^5.81.5",
"@tanstack/react-query": "^5.82.0",
"axios": "^1.10.0",
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"dompurify": "^3.2.6",
"i18next": "^25.3.1",
"i18next": "^25.3.2",
"i18next-browser-languagedetector": "^8.2.0",
"i18next-resources-to-backend": "^1.2.1",
"input-otp": "^1.4.2",
@@ -36,12 +36,12 @@
"sonner": "^2.0.6",
"tailwind-merge": "^3.3.1",
"tailwindcss": "^4.1.11",
"zod": "^3.25.75"
"zod": "^4.0.2"
},
"devDependencies": {
"@eslint/js": "^9.30.1",
"@tanstack/eslint-plugin-query": "^5.81.2",
"@types/node": "^24.0.10",
"@types/node": "^24.0.13",
"@types/react": "^19.1.8",
"@types/react-dom": "^19.1.6",
"@vitejs/plugin-react": "^4.6.0",
@@ -53,6 +53,6 @@
"tw-animate-css": "^1.3.5",
"typescript": "~5.8.3",
"typescript-eslint": "^8.36.0",
"vite": "^7.0.3"
"vite": "^7.0.4"
}
}

4
frontend/src/lib/i18n/locales.ts
View File

@@ -27,8 +27,8 @@ export const languages = {
"tr-TR": "Türkçe",
"uk-UA": "Українська",
"vi-VN": "Tiếng Việt",
"zh-CN": "中文",
"zh-TW": "中文",
"zh-CN": "简体中文",
"zh-TW": "繁體中文(台灣)",
};
export type SupportedLanguage = keyof typeof languages;

22
frontend/src/lib/i18n/locales/ar-SA.json
View File

@@ -1,7 +1,7 @@
{
"loginTitle": "مرحبا بعودتك، قم بتسجيل الدخول باستخدام",
"loginTitleSimple": "Welcome back, please login",
"loginDivider": "Or",
"loginTitle": "مرحبا بعودتك، ادخل باستخدام",
"loginTitleSimple": "مرحبا بعودتك، سجل دخولك",
"loginDivider": "أو",
"loginUsername": "اسم المستخدم",
"loginPassword": "كلمة المرور",
"loginSubmit": "تسجيل الدخول",
@@ -10,8 +10,8 @@
"loginFailRateLimit": "You failed to login too many times. Please try again later",
"loginSuccessTitle": "تم تسجيل الدخول",
"loginSuccessSubtitle": "مرحبا بعودتك!",
"loginOauthFailTitle": "An error occurred",
"loginOauthFailSubtitle": "فشل في الحصول على رابط OAuth",
"loginOauthFailTitle": "حدث خطأ",
"loginOauthFailSubtitle": "أخفق الحصول على رابط OAuth",
"loginOauthSuccessTitle": "إعادة توجيه",
"loginOauthSuccessSubtitle": "إعادة توجيه إلى مزود OAuth الخاص بك",
"continueRedirectingTitle": "إعادة توجيه...",
@@ -19,7 +19,7 @@
"continueInvalidRedirectTitle": "إعادة توجيه غير صالحة",
"continueInvalidRedirectSubtitle": "رابط إعادة التوجيه غير صالح",
"continueInsecureRedirectTitle": "إعادة توجيه غير آمنة",
"continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
"continueInsecureRedirectSubtitle": "أنت تحاول إعادة التوجيه من <code>https</code> إلى <code>http</code>، هل أنت متأكد أنك تريد المتابعة؟",
"continueTitle": "متابعة",
"continueSubtitle": "انقر الزر للمتابعة إلى التطبيق الخاص بك.",
"logoutFailTitle": "فشل تسجيل الخروج",
@@ -32,7 +32,7 @@
"notFoundTitle": "الصفحة غير موجودة",
"notFoundSubtitle": "الصفحة التي تبحث عنها غير موجودة.",
"notFoundButton": "انتقل إلى الرئيسية",
"totpFailTitle": "فشل في التحقق من الرمز",
"totpFailTitle": "أخفق التحقق من الرمز",
"totpFailSubtitle": "الرجاء التحقق من الرمز الخاص بك وحاول مرة أخرى",
"totpSuccessTitle": "تم التحقق",
"totpSuccessSubtitle": "إعادة توجيه إلى تطبيقك",
@@ -44,11 +44,11 @@
"unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedButton": "حاول مجددا",
"untrustedRedirectTitle": "Untrusted redirect",
"untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
"untrustedRedirectTitle": "إعادة توجيه غير موثوقة",
"untrustedRedirectSubtitle": "أنت تحاول إعادة التوجيه إلى نطاق لا يتطابق مع النطاق المكون الخاص بك (<code>{{domain}}</code>). هل أنت متأكد من أنك تريد المتابعة؟",
"cancelTitle": "إلغاء",
"forgotPasswordTitle": "Forgot your password?",
"forgotPasswordTitle": "نسيت كلمة المرور؟",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
"errorTitle": "An error occurred",
"errorTitle": "حدث خطأ",
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information."
}

2
frontend/src/lib/i18n/locales/da-DK.json
View File

@@ -42,7 +42,7 @@
"unauthorizedResourceSubtitle": "Brugeren med brugernavnet <code>{{username}}</code> har ikke tilladelse til at tilgå ressourcen <code>{{resource}}</code>.",
"unauthorizedLoginSubtitle": "Brugeren med brugernavnet <code>{{username}}</code> har ikke tilladelse til at logge ind.",
"unauthorizedGroupsSubtitle": "Brugeren med brugernavnet <code>{{username}}</code> er ikke i de grupper, som ressourcen <code>{{resource}}</code> kræver.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Din IP adresse <code>{{ip}}</code> er ikke autoriseret til at tilgå ressourcen <code>{{resource}}</code>.",
"unauthorizedButton": "Prøv igen",
"untrustedRedirectTitle": "Usikker omdirigering",
"untrustedRedirectSubtitle": "Du forsøger at omdirigere til et domæne, der ikke matcher dit konfigurerede domæne (<code>{{domain}}</code>). Er du sikker på, at du vil fortsætte?",

2
frontend/src/lib/i18n/locales/el-GR.json
View File

@@ -42,7 +42,7 @@
"unauthorizedResourceSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν έχει άδεια πρόσβασης στον πόρο <code>{{resource}}</code>.",
"unauthorizedLoginSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν είναι εξουσιοδοτημένος να συνδεθεί.",
"unauthorizedGroupsSubtitle": "Ο χρήστης με όνομα χρήστη <code>{{username}}</code> δεν είναι στις ομάδες που απαιτούνται από τον πόρο <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Η διεύθυνση IP σας <code>{{ip}}</code> δεν είναι εξουσιοδοτημένη να έχει πρόσβαση στον πόρο <code>{{resource}}</code>.",
"unauthorizedButton": "Προσπαθήστε ξανά",
"untrustedRedirectTitle": "Μη έμπιστη ανακατεύθυνση",
"untrustedRedirectSubtitle": "Προσπαθείτε να ανακατευθύνετε σε ένα domain που δεν ταιριάζει με τον ρυθμισμένο domain σας (<code>{{domain}}</code>). Είστε βέβαιοι ότι θέλετε να συνεχίσετε;",

3
frontend/src/lib/i18n/locales/en-US.json
View File

@@ -50,5 +50,6 @@
"forgotPasswordTitle": "Forgot your password?",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
"errorTitle": "An error occurred",
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information."
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable."
}

3
frontend/src/lib/i18n/locales/en.json
View File

@@ -50,5 +50,6 @@
"forgotPasswordTitle": "Forgot your password?",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
"errorTitle": "An error occurred",
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information."
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable."
}

2
frontend/src/lib/i18n/locales/fr-FR.json
View File

@@ -10,7 +10,7 @@
"loginFailRateLimit": "You failed to login too many times. Please try again later",
"loginSuccessTitle": "Connecté",
"loginSuccessSubtitle": "Bienvenue!",
"loginOauthFailTitle": "An error occurred",
"loginOauthFailTitle": "Une erreur s'est produite",
"loginOauthFailSubtitle": "Impossible d'obtenir l'URL OAuth",
"loginOauthSuccessTitle": "Redirection",
"loginOauthSuccessSubtitle": "Redirection vers votre fournisseur OAuth",

2
frontend/src/lib/i18n/locales/pl-PL.json
View File

@@ -1,7 +1,7 @@
{
"loginTitle": "Witaj ponownie, zaloguj się przez",
"loginTitleSimple": "Witaj ponownie, zaloguj się",
"loginDivider": "lub",
"loginDivider": "Lub",
"loginUsername": "Nazwa użytkownika",
"loginPassword": "Hasło",
"loginSubmit": "Zaloguj się",

104
frontend/src/lib/i18n/locales/zh-TW.json
View File

@@ -1,54 +1,54 @@
{
"loginTitle": "Welcome back, login with",
"loginTitleSimple": "Welcome back, please login",
"loginDivider": "Or",
"loginUsername": "Username",
"loginPassword": "Password",
"loginSubmit": "Login",
"loginFailTitle": "Failed to log in",
"loginFailSubtitle": "Please check your username and password",
"loginFailRateLimit": "You failed to login too many times. Please try again later",
"loginSuccessTitle": "Logged in",
"loginSuccessSubtitle": "Welcome back!",
"loginOauthFailTitle": "An error occurred",
"loginOauthFailSubtitle": "Failed to get OAuth URL",
"loginOauthSuccessTitle": "Redirecting",
"loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
"continueRedirectingTitle": "Redirecting...",
"continueRedirectingSubtitle": "You should be redirected to the app soon",
"continueInvalidRedirectTitle": "Invalid redirect",
"continueInvalidRedirectSubtitle": "The redirect URL is invalid",
"continueInsecureRedirectTitle": "Insecure redirect",
"continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
"continueTitle": "Continue",
"continueSubtitle": "Click the button to continue to your app.",
"logoutFailTitle": "Failed to log out",
"logoutFailSubtitle": "Please try again",
"logoutSuccessTitle": "Logged out",
"logoutSuccessSubtitle": "You have been logged out",
"logoutTitle": "Logout",
"logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
"logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
"notFoundTitle": "Page not found",
"notFoundSubtitle": "The page you are looking for does not exist.",
"notFoundButton": "Go home",
"totpFailTitle": "Failed to verify code",
"totpFailSubtitle": "Please check your code and try again",
"totpSuccessTitle": "Verified",
"totpSuccessSubtitle": "Redirecting to your app",
"totpTitle": "Enter your TOTP code",
"totpSubtitle": "Please enter the code from your authenticator app.",
"unauthorizedTitle": "Unauthorized",
"unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
"unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
"unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
"unauthorizedButton": "Try again",
"untrustedRedirectTitle": "Untrusted redirect",
"untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
"cancelTitle": "Cancel",
"forgotPasswordTitle": "Forgot your password?",
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
"errorTitle": "An error occurred",
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information."
"loginTitle": "歡迎回來,請用以下方式登入",
"loginTitleSimple": "歡迎回來,請登入",
"loginDivider": "",
"loginUsername": "帳號",
"loginPassword": "密碼",
"loginSubmit": "登入",
"loginFailTitle": "登入失敗",
"loginFailSubtitle": "請檢查您的帳號與密碼",
"loginFailRateLimit": "登入失敗次數過多,請稍後再試",
"loginSuccessTitle": "登入成功",
"loginSuccessSubtitle": "歡迎回來!",
"loginOauthFailTitle": "發生錯誤",
"loginOauthFailSubtitle": "無法取得 OAuth 網址",
"loginOauthSuccessTitle": "重新導向中",
"loginOauthSuccessSubtitle": "正在將您重新導向至 OAuth 供應商",
"continueRedirectingTitle": "重新導向中...",
"continueRedirectingSubtitle": "您即將被重新導向至應用程式",
"continueInvalidRedirectTitle": "無效的重新導向",
"continueInvalidRedirectSubtitle": "重新導向的網址無效",
"continueInsecureRedirectTitle": "不安全的重新導向",
"continueInsecureRedirectSubtitle": "您正嘗試從安全的 <code>https</code> 重新導向至不安全的 <code>http</code>。您確定要繼續嗎?",
"continueTitle": "繼續",
"continueSubtitle": "點擊按鈕以繼續前往您的應用程式。",
"logoutFailTitle": "登出失敗",
"logoutFailSubtitle": "請再試一次",
"logoutSuccessTitle": "登出成功",
"logoutSuccessSubtitle": "您已成功登出",
"logoutTitle": "登出",
"logoutUsernameSubtitle": "您目前以 <code>{{username}}</code> 的身分登入。點擊下方按鈕以登出。",
"logoutOauthSubtitle": "您目前使用 {{provider}} OAuth 供應商並以 <code>{{username}}</code> 的身分登入。點擊下方按鈕以登出。",
"notFoundTitle": "找不到頁面",
"notFoundSubtitle": "您要尋找的頁面不存在。",
"notFoundButton": "回到首頁",
"totpFailTitle": "驗證失敗",
"totpFailSubtitle": "請檢查您的驗證碼並再試一次",
"totpSuccessTitle": "驗證成功",
"totpSuccessSubtitle": "正在重新導向至您的應用程式",
"totpTitle": "輸入您的 TOTP 驗證碼",
"totpSubtitle": "請輸入您驗證器應用程式中的代碼。",
"unauthorizedTitle": "未經授權",
"unauthorizedResourceSubtitle": "使用者 <code>{{username}}</code> 未被授權存取資源 <code>{{resource}}</code>",
"unauthorizedLoginSubtitle": "使用者 <code>{{username}}</code> 未被授權登入。",
"unauthorizedGroupsSubtitle": "使用者 <code>{{username}}</code> 不在存取資源 <code>{{resource}}</code> 所需的群組中。",
"unauthorizedIpSubtitle": "您的 IP 位址 <code>{{ip}}</code> 未被授權存取資源 <code>{{resource}}</code>",
"unauthorizedButton": "再試一次",
"untrustedRedirectTitle": "不受信任的重新導向",
"untrustedRedirectSubtitle": "您正嘗試重新導向至的網域與您設定的網域 (<code>{{domain}}</code>) 不符。您確定要繼續嗎?",
"cancelTitle": "取消",
"forgotPasswordTitle": "忘記密碼?",
"failedToFetchProvidersTitle": "載入驗證供應商失敗。請檢查您的設定。",
"errorTitle": "發生錯誤",
"errorSubtitle": "執行此操作時發生錯誤。請檢查主控台以獲取更多資訊。"
}

2
frontend/src/pages/forgot-password-page.tsx
View File

@@ -17,7 +17,7 @@ export const ForgotPasswordPage = () => {
<CardHeader>
<CardTitle className="text-3xl">{t("forgotPasswordTitle")}</CardTitle>
<CardDescription>
<Markdown>{forgotPasswordMessage}</Markdown>
<Markdown>{forgotPasswordMessage !== "" ? forgotPasswordMessage : t('forgotPasswordMessage')}</Markdown>
</CardDescription>
</CardHeader>
</Card>

14
go.mod
View File

@@ -12,7 +12,7 @@ require (
github.com/spf13/cobra v1.9.1
github.com/spf13/viper v1.20.1
github.com/traefik/paerser v0.2.2
golang.org/x/crypto v0.39.0
golang.org/x/crypto v0.40.0
)
require (
@@ -31,7 +31,7 @@ require (
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
golang.org/x/term v0.32.0 // indirect
golang.org/x/term v0.33.0 // indirect
gotest.tools/v3 v3.5.2 // indirect
rsc.io/qr v0.2.0 // indirect
)
@@ -53,7 +53,7 @@ require (
github.com/charmbracelet/x/term v0.2.1 // indirect
github.com/cloudwego/base64x v0.1.4 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/docker v28.3.1+incompatible
github.com/docker/docker v28.3.2+incompatible
github.com/docker/go-connections v0.5.0 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
@@ -109,11 +109,11 @@ require (
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
golang.org/x/arch v0.13.0 // indirect
golang.org/x/net v0.38.0 // indirect
golang.org/x/net v0.41.0 // indirect
golang.org/x/oauth2 v0.30.0
golang.org/x/sync v0.15.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/text v0.26.0 // indirect
golang.org/x/sync v0.16.0 // indirect
golang.org/x/sys v0.34.0 // indirect
golang.org/x/text v0.27.0 // indirect
google.golang.org/protobuf v1.36.3 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

28
go.sum
View File

@@ -72,8 +72,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
github.com/docker/docker v28.3.1+incompatible h1:20+BmuA9FXlCX4ByQ0vYJcUEnOmRM6XljDnFWR+jCyY=
github.com/docker/docker v28.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v28.3.2+incompatible h1:wn66NJ6pWB1vBZIilP8G3qQPqHy5XymfYn5vsqeA5oA=
github.com/docker/docker v28.3.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -297,8 +297,8 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -307,15 +307,15 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -325,14 +325,14 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

114
internal/auth/auth.go
View File

@@ -27,10 +27,8 @@ type Auth struct {
}
func NewAuth(config types.AuthConfig, docker *docker.Docker, ldap *ldap.LDAP) *Auth {
// Create cookie store
// Setup cookie store and create the auth service
store := sessions.NewCookieStore([]byte(config.HMACSecret), []byte(config.EncryptionSecret))
// Configure cookie store
store.Options = &sessions.Options{
Path: "/",
MaxAge: config.SessionExpiry,
@@ -38,7 +36,6 @@ func NewAuth(config types.AuthConfig, docker *docker.Docker, ldap *ldap.LDAP) *A
HttpOnly: true,
Domain: fmt.Sprintf(".%s", config.Domain),
}
return &Auth{
Config: config,
Docker: docker,
@@ -49,20 +46,14 @@ func NewAuth(config types.AuthConfig, docker *docker.Docker, ldap *ldap.LDAP) *A
}
func (auth *Auth) GetSession(c *gin.Context) (*sessions.Session, error) {
// Get session
session, err := auth.Store.Get(c.Request, auth.Config.SessionCookieName)
// If there was an error getting the session, it might be invalid so let's clear it and retry
if err != nil {
log.Warn().Err(err).Msg("Invalid session, clearing cookie and retrying")
// Delete the session cookie if there is an error
c.SetCookie(auth.Config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.CookieSecure, true)
// Try to get the session again
session, err = auth.Store.Get(c.Request, auth.Config.SessionCookieName)
if err != nil {
// If we still can't get the session, log the error and return nil
log.Error().Err(err).Msg("Failed to get session")
return nil, err
}
@@ -72,13 +63,11 @@ func (auth *Auth) GetSession(c *gin.Context) (*sessions.Session, error) {
}
func (auth *Auth) SearchUser(username string) types.UserSearch {
// Loop through users and return the user if the username matches
log.Debug().Str("username", username).Msg("Searching for user")
// Check local users first
if auth.GetLocalUser(username).Username != "" {
log.Debug().Str("username", username).Msg("Found local user")
// If user found, return a user with the username and type "local"
return types.UserSearch{
Username: username,
Type: "local",
@@ -88,14 +77,11 @@ func (auth *Auth) SearchUser(username string) types.UserSearch {
// If no user found, check LDAP
if auth.LDAP != nil {
log.Debug().Str("username", username).Msg("Checking LDAP for user")
userDN, err := auth.LDAP.Search(username)
if err != nil {
log.Warn().Err(err).Str("username", username).Msg("Failed to find user in LDAP")
return types.UserSearch{}
}
// If user found in LDAP, return a user with the DN as username
return types.UserSearch{
Username: userDN,
Type: "ldap",
@@ -109,34 +95,28 @@ func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
// Authenticate the user based on the type
switch search.Type {
case "local":
// Get local user
// If local user, get the user and check the password
user := auth.GetLocalUser(search.Username)
// Check if password is correct
return auth.CheckPassword(user, password)
case "ldap":
// If LDAP is configured, bind to the LDAP server with the user DN and password
if auth.LDAP != nil {
log.Debug().Str("username", search.Username).Msg("Binding to LDAP for user authentication")
// Bind to the LDAP server
err := auth.LDAP.Bind(search.Username, password)
if err != nil {
log.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
return false
}
// If bind is successful, rebind with the LDAP bind user
// Rebind with the service account to reset the connection
err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
if err != nil {
log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
// Consider closing the connection or creating a new one
return false
}
log.Debug().Str("username", search.Username).Msg("LDAP authentication successful")
// Return true if the bind was successful
return true
}
default:
@@ -165,11 +145,9 @@ func (auth *Auth) GetLocalUser(username string) types.User {
}
func (auth *Auth) CheckPassword(user types.User, password string) bool {
// Compare the hashed password with the password provided
return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) == nil
}
// IsAccountLocked checks if a username or IP is locked due to too many failed login attempts
func (auth *Auth) IsAccountLocked(identifier string) (bool, int) {
auth.LoginMutex.RLock()
defer auth.LoginMutex.RUnlock()
@@ -196,7 +174,6 @@ func (auth *Auth) IsAccountLocked(identifier string) (bool, int) {
return false, 0
}
// RecordLoginAttempt records a login attempt for rate limiting
func (auth *Auth) RecordLoginAttempt(identifier string, success bool) {
// Skip if rate limiting is not configured
if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
@@ -233,14 +210,13 @@ func (auth *Auth) RecordLoginAttempt(identifier string, success bool) {
}
}
func (auth *Auth) EmailWhitelisted(emailSrc string) bool {
return utils.CheckWhitelist(auth.Config.OauthWhitelist, emailSrc)
func (auth *Auth) EmailWhitelisted(email string) bool {
return utils.CheckFilter(auth.Config.OauthWhitelist, email)
}
func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie) error {
log.Debug().Msg("Creating session cookie")
// Get session
session, err := auth.GetSession(c)
if err != nil {
log.Error().Err(err).Msg("Failed to get session")
@@ -249,7 +225,6 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
log.Debug().Msg("Setting session cookie")
// Calculate expiry
var sessionExpiry int
if data.TotpPending {
@@ -258,7 +233,6 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
sessionExpiry = auth.Config.SessionExpiry
}
// Set data
session.Values["username"] = data.Username
session.Values["name"] = data.Name
session.Values["email"] = data.Email
@@ -267,21 +241,18 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
session.Values["totpPending"] = data.TotpPending
session.Values["oauthGroups"] = data.OAuthGroups
// Save session
err = session.Save(c.Request, c.Writer)
if err != nil {
log.Error().Err(err).Msg("Failed to save session")
return err
}
// Return nil
return nil
}
func (auth *Auth) DeleteSessionCookie(c *gin.Context) error {
log.Debug().Msg("Deleting session cookie")
// Get session
session, err := auth.GetSession(c)
if err != nil {
log.Error().Err(err).Msg("Failed to get session")
@@ -293,21 +264,18 @@ func (auth *Auth) DeleteSessionCookie(c *gin.Context) error {
delete(session.Values, key)
}
// Save session
err = session.Save(c.Request, c.Writer)
if err != nil {
log.Error().Err(err).Msg("Failed to save session")
return err
}
// Return nil
return nil
}
func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error) {
log.Debug().Msg("Getting session cookie")
// Get session
session, err := auth.GetSession(c)
if err != nil {
log.Error().Err(err).Msg("Failed to get session")
@@ -316,7 +284,6 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
log.Debug().Msg("Got session")
// Get data from session
username, usernameOk := session.Values["username"].(string)
email, emailOk := session.Values["email"].(string)
name, nameOk := session.Values["name"].(string)
@@ -325,30 +292,21 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
totpPending, totpPendingOk := session.Values["totpPending"].(bool)
oauthGroups, oauthGroupsOk := session.Values["oauthGroups"].(string)
// If any data is missing, delete the session cookie
if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk || !oauthGroupsOk {
log.Warn().Msg("Session cookie is invalid")
// If any data is missing, delete the session cookie
auth.DeleteSessionCookie(c)
// Return empty cookie
return types.SessionCookie{}, nil
}
// Check if the cookie has expired
// If the session cookie has expired, delete it
if time.Now().Unix() > expiry {
log.Warn().Msg("Session cookie expired")
// If it has, delete it
auth.DeleteSessionCookie(c)
// Return empty cookie
return types.SessionCookie{}, nil
}
log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Str("oauthGroups", oauthGroups).Msg("Parsed cookie")
// Return the cookie
return types.SessionCookie{
Username: username,
Name: name,
@@ -360,25 +318,21 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
}
func (auth *Auth) UserAuthConfigured() bool {
// If there are users, return true
// If there are users or LDAP is configured, return true
return len(auth.Config.Users) > 0 || auth.LDAP != nil
}
func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext, labels types.Labels) bool {
// Check if oauth is allowed
if context.OAuth {
log.Debug().Msg("Checking OAuth whitelist")
return utils.CheckWhitelist(labels.OAuth.Whitelist, context.Email)
return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
}
// Check users
log.Debug().Msg("Checking users")
return utils.CheckWhitelist(labels.Users, context.Username)
return utils.CheckFilter(labels.Users, context.Username)
}
func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels types.Labels) bool {
// Check if groups are required
if labels.OAuth.Groups == "" {
return true
}
@@ -394,7 +348,7 @@ func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels t
// For every group check if it is in the required groups
for _, group := range oauthGroups {
if utils.CheckWhitelist(labels.OAuth.Groups, group) {
if utils.CheckFilter(labels.OAuth.Groups, group) {
log.Debug().Str("group", group).Msg("Group is in required groups")
return true
}
@@ -402,18 +356,12 @@ func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels t
// No groups matched
log.Debug().Msg("No groups matched")
// Return false
return false
}
func (auth *Auth) AuthEnabled(c *gin.Context, labels types.Labels) (bool, error) {
// Get headers
uri := c.Request.Header.Get("X-Forwarded-Uri")
// Check if the allowed label is empty
func (auth *Auth) AuthEnabled(uri string, labels types.Labels) (bool, error) {
// If the label is empty, auth is enabled
if labels.Allowed == "" {
// Auth enabled
return true, nil
}
@@ -426,9 +374,8 @@ func (auth *Auth) AuthEnabled(c *gin.Context, labels types.Labels) (bool, error)
return true, err
}
// Check if the uri matches the regex
// If the regex matches the URI, auth is not enabled
if regex.MatchString(uri) {
// Auth disabled
return false, nil
}
@@ -437,25 +384,17 @@ func (auth *Auth) AuthEnabled(c *gin.Context, labels types.Labels) (bool, error)
}
func (auth *Auth) GetBasicAuth(c *gin.Context) *types.User {
// Get the Authorization header
username, password, ok := c.Request.BasicAuth()
// If not ok, return an empty user
if !ok {
return nil
}
// Return the user
return &types.User{
Username: username,
Password: password,
}
}
func (auth *Auth) CheckIP(c *gin.Context, labels types.Labels) bool {
// Get the IP address from the request
ip := c.ClientIP()
func (auth *Auth) CheckIP(labels types.Labels, ip string) bool {
// Check if the IP is in block list
for _, blocked := range labels.IP.Block {
res, err := utils.FilterIP(blocked, ip)
@@ -489,6 +428,23 @@ func (auth *Auth) CheckIP(c *gin.Context, labels types.Labels) bool {
}
log.Debug().Str("ip", ip).Msg("IP not in allow or block list, allowing by default")
return true
}
func (auth *Auth) BypassedIP(labels types.Labels, ip string) bool {
// For every IP in the bypass list, check if the IP matches
for _, bypassed := range labels.IP.Bypass {
res, err := utils.FilterIP(bypassed, ip)
if err != nil {
log.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
continue
}
if res {
log.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, allowing access")
return true
}
}
log.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
return false
}

9
internal/auth/auth_test.go
View File

@@ -4,7 +4,6 @@ import (
"testing"
"time"
"tinyauth/internal/auth"
"tinyauth/internal/docker"
"tinyauth/internal/types"
)
@@ -18,7 +17,7 @@ func TestLoginRateLimiting(t *testing.T) {
// Initialize a new auth service with 3 max retries and 5 seconds timeout
config.LoginMaxRetries = 3
config.LoginTimeout = 5
authService := auth.NewAuth(config, &docker.Docker{}, nil)
authService := auth.NewAuth(config, nil, nil)
// Test identifier
identifier := "test_user"
@@ -62,7 +61,7 @@ func TestLoginRateLimiting(t *testing.T) {
// Reinitialize auth service with a shorter timeout for testing
config.LoginTimeout = 1
config.LoginMaxRetries = 3
authService = auth.NewAuth(config, &docker.Docker{}, nil)
authService = auth.NewAuth(config, nil, nil)
// Add enough failed attempts to lock the account
for i := 0; i < 3; i++ {
@@ -87,7 +86,7 @@ func TestLoginRateLimiting(t *testing.T) {
t.Log("Testing disabled rate limiting")
config.LoginMaxRetries = 0
config.LoginTimeout = 0
authService = auth.NewAuth(config, &docker.Docker{}, nil)
authService = auth.NewAuth(config, nil, nil)
for i := 0; i < 10; i++ {
authService.RecordLoginAttempt(identifier, false)
@@ -103,7 +102,7 @@ func TestConcurrentLoginAttempts(t *testing.T) {
// Initialize a new auth service with 2 max retries and 5 seconds timeout
config.LoginMaxRetries = 2
config.LoginTimeout = 5
authService := auth.NewAuth(config, &docker.Docker{}, nil)
authService := auth.NewAuth(config, nil, nil)
// Test multiple identifiers
identifiers := []string{"user1", "user2", "user3"}

4
internal/constants/constants.go
View File

@@ -1,6 +1,6 @@
package constants
// Claims are the OIDC supported claims (including preferd username for some reason)
// Claims are the OIDC supported claims (prefered username is included for convinience)
type Claims struct {
Name string `json:"name"`
Email string `json:"email"`
@@ -13,7 +13,7 @@ var Version = "development"
var CommitHash = "n/a"
var BuildTimestamp = "n/a"
// Cookie names
// Base cookie names
var SessionCookieName = "tinyauth-session"
var CsrfCookieName = "tinyauth-csrf"
var RedirectCookieName = "tinyauth-redirect"

46
internal/docker/docker.go
View File

@@ -17,18 +17,12 @@ type Docker struct {
}
func NewDocker() (*Docker, error) {
// Create a new docker client
client, err := client.NewClientWithOpts(client.FromEnv)
// Check if there was an error
if err != nil {
return nil, err
}
// Create the context
ctx := context.Background()
// Negotiate API version
client.NegotiateAPIVersion(ctx)
return &Docker{
@@ -38,89 +32,71 @@ func NewDocker() (*Docker, error) {
}
func (docker *Docker) GetContainers() ([]container.Summary, error) {
// Get the list of containers
containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
// Check if there was an error
if err != nil {
return nil, err
}
// Return the containers
return containers, nil
}
func (docker *Docker) InspectContainer(containerId string) (container.InspectResponse, error) {
// Inspect the container
inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
// Check if there was an error
if err != nil {
return container.InspectResponse{}, err
}
// Return the inspect
return inspect, nil
}
func (docker *Docker) DockerConnected() bool {
// Ping the docker client if there is an error it is not connected
_, err := docker.Client.Ping(docker.Context)
return err == nil
}
func (docker *Docker) GetLabels(id string, domain string) (types.Labels, error) {
// Check if we have access to the Docker API
func (docker *Docker) GetLabels(app string, domain string) (types.Labels, error) {
isConnected := docker.DockerConnected()
// If we don't have access, return an empty struct
if !isConnected {
log.Debug().Msg("Docker not connected, returning empty labels")
return types.Labels{}, nil
}
// Get the containers
log.Debug().Msg("Getting containers")
containers, err := docker.GetContainers()
// If there is an error, return false
if err != nil {
log.Error().Err(err).Msg("Error getting containers")
return types.Labels{}, err
}
// Loop through the containers
for _, container := range containers {
// Inspect the container
inspect, err := docker.InspectContainer(container.ID)
// Check if there was an error
if err != nil {
log.Warn().Str("id", container.ID).Err(err).Msg("Error inspecting container, skipping")
continue
}
// Get the labels
log.Debug().Str("id", inspect.ID).Msg("Getting labels for container")
labels, err := utils.GetLabels(inspect.Config.Labels)
// Check if there was an error
if err != nil {
log.Warn().Str("id", container.ID).Err(err).Msg("Error getting container labels, skipping")
continue
}
// Check if the labels match the id or the domain
if strings.TrimPrefix(inspect.Name, "/") == id || labels.Domain == domain {
log.Debug().Str("id", inspect.ID).Msg("Found matching container")
// Check if the container matches the ID or domain
for _, lDomain := range labels.Domain {
if lDomain == domain {
log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain")
return labels, nil
}
}
if strings.TrimPrefix(inspect.Name, "/") == app {
log.Debug().Str("id", inspect.ID).Msg("Found matching container by name")
return labels, nil
}
}
log.Debug().Msg("No matching container found, returning empty labels")
// If no matching container is found, return empty labels
return types.Labels{}, nil
}

64
internal/handlers/context.go Normal file
View File

@@ -0,0 +1,64 @@
package handlers
import (
"tinyauth/internal/types"
"github.com/gin-gonic/gin"
"github.com/rs/zerolog/log"
)
func (h *Handlers) AppContextHandler(c *gin.Context) {
log.Debug().Msg("Getting app context")
// Get configured providers
configuredProviders := h.Providers.GetConfiguredProviders()
// We have username/password configured so add it to our providers
if h.Auth.UserAuthConfigured() {
configuredProviders = append(configuredProviders, "username")
}
// Return app context
appContext := types.AppContext{
Status: 200,
Message: "OK",
ConfiguredProviders: configuredProviders,
DisableContinue: h.Config.DisableContinue,
Title: h.Config.Title,
GenericName: h.Config.GenericName,
Domain: h.Config.Domain,
ForgotPasswordMessage: h.Config.ForgotPasswordMessage,
BackgroundImage: h.Config.BackgroundImage,
OAuthAutoRedirect: h.Config.OAuthAutoRedirect,
}
c.JSON(200, appContext)
}
func (h *Handlers) UserContextHandler(c *gin.Context) {
log.Debug().Msg("Getting user context")
// Create user context using hooks
userContext := h.Hooks.UseUserContext(c)
userContextResponse := types.UserContextResponse{
Status: 200,
IsLoggedIn: userContext.IsLoggedIn,
Username: userContext.Username,
Name: userContext.Name,
Email: userContext.Email,
Provider: userContext.Provider,
Oauth: userContext.OAuth,
TotpPending: userContext.TotpPending,
}
// If we are not logged in we set the status to 401 else we set it to 200
if !userContext.IsLoggedIn {
log.Debug().Msg("Unauthorized")
userContextResponse.Message = "Unauthorized"
} else {
log.Debug().Interface("userContext", userContext).Msg("Authenticated")
userContextResponse.Message = "Authenticated"
}
c.JSON(200, userContextResponse)
}

785
internal/handlers/handlers.go
View File

@@ -1,21 +1,13 @@
package handlers
import (
"fmt"
"net/http"
"strings"
"time"
"tinyauth/internal/auth"
"tinyauth/internal/docker"
"tinyauth/internal/hooks"
"tinyauth/internal/providers"
"tinyauth/internal/types"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
"github.com/google/go-querystring/query"
"github.com/pquerna/otp/totp"
"github.com/rs/zerolog/log"
)
type Handlers struct {
@@ -36,783 +28,6 @@ func NewHandlers(config types.HandlersConfig, auth *auth.Auth, hooks *hooks.Hook
}
}
func (h *Handlers) AuthHandler(c *gin.Context) {
// Create struct for proxy
var proxy types.Proxy
// Bind URI
err := c.BindUri(&proxy)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
if isBrowser {
log.Debug().Msg("Request is most likely coming from a browser")
} else {
log.Debug().Msg("Request is most likely not coming from a browser")
}
log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
// Get headers
uri := c.Request.Header.Get("X-Forwarded-Uri")
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
// Remove the port from the host if it exists
hostPortless := strings.Split(host, ":")[0] // *lol*
// Get the id
id := strings.Split(hostPortless, ".")[0]
// Get the container labels
labels, err := h.Docker.GetLabels(id, hostPortless)
log.Debug().Interface("labels", labels).Msg("Got labels")
// Check if there was an error
if err != nil {
log.Error().Err(err).Msg("Failed to get container labels")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Check if the IP is allowed/blocked
ip := c.ClientIP()
if !h.Auth.CheckIP(c, labels) {
log.Warn().Str("ip", ip).Msg("IP not allowed")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(403, gin.H{
"status": 403,
"message": "Forbidden",
})
return
}
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
IP: ip,
}
// Build query
queries, err := query.Values(values)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
// Check if auth is enabled
authEnabled, err := h.Auth.AuthEnabled(c, labels)
// Check if there was an error
if err != nil {
log.Error().Err(err).Msg("Failed to check if app is allowed")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// If auth is not enabled, return 200
if !authEnabled {
headersParsed := utils.ParseHeaders(labels.Headers)
for key, value := range headersParsed {
log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value)
}
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
}
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
})
return
}
// Get user context
userContext := h.Hooks.UseUserContext(c)
// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
if userContext.Provider == "basic" && userContext.TotpEnabled {
log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
userContext.IsLoggedIn = false
}
// Check if user is logged in
if userContext.IsLoggedIn {
log.Debug().Msg("Authenticated")
// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
appAllowed := h.Auth.ResourceAllowed(c, userContext, labels)
log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
// The user is not allowed to access the app
if !appAllowed {
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
// Values
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
}
// Use either username or email
if userContext.OAuth {
values.Username = userContext.Email
} else {
values.Username = userContext.Username
}
// Build query
queries, err := query.Values(values)
// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// We are using caddy/traefik so redirect
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
// Check groups if using OAuth
if userContext.OAuth {
// Check if user is in required groups
groupOk := h.Auth.OAuthGroup(c, userContext, labels)
log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")
// The user is not allowed to access the app
if !groupOk {
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
// Values
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
GroupErr: true,
}
// Use either username or email
if userContext.OAuth {
values.Username = userContext.Email
} else {
values.Username = userContext.Username
}
// Build query
queries, err := query.Values(values)
// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// We are using caddy/traefik so redirect
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
}
c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
// Set the rest of the headers
parsedHeaders := utils.ParseHeaders(labels.Headers)
for key, value := range parsedHeaders {
log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value)
}
// Set basic auth headers if configured
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
}
// The user is allowed to access the app
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
})
return
}
// The user is not logged in
log.Debug().Msg("Unauthorized")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
queries, err := query.Values(types.LoginQuery{
RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
})
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
// Redirect to login
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", h.Config.AppURL, queries.Encode()))
}
func (h *Handlers) LoginHandler(c *gin.Context) {
// Create login struct
var login types.LoginRequest
// Bind JSON
err := c.BindJSON(&login)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to bind JSON")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Got login request")
// Get client IP for rate limiting
clientIP := c.ClientIP()
// Create an identifier for rate limiting (username or IP if username doesn't exist yet)
rateIdentifier := login.Username
if rateIdentifier == "" {
rateIdentifier = clientIP
}
// Check if the account is locked due to too many failed attempts
locked, remainingTime := h.Auth.IsAccountLocked(rateIdentifier)
if locked {
log.Warn().Str("identifier", rateIdentifier).Int("remaining_seconds", remainingTime).Msg("Account is locked due to too many failed login attempts")
c.JSON(429, gin.H{
"status": 429,
"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
})
return
}
// Search for a user based on username
userSearch := h.Auth.SearchUser(login.Username)
log.Debug().Interface("userSearch", userSearch).Msg("Searching for user")
// User does not exist
if userSearch.Type == "" {
log.Debug().Str("username", login.Username).Msg("User not found")
// Record failed login attempt
h.Auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Got user")
// Check if password is correct
if !h.Auth.VerifyUser(userSearch, login.Password) {
log.Debug().Str("username", login.Username).Msg("Password incorrect")
// Record failed login attempt
h.Auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Password correct, checking totp")
// Record successful login attempt (will reset failed attempt counter)
h.Auth.RecordLoginAttempt(rateIdentifier, true)
// Check if user is using TOTP
if userSearch.Type == "local" {
// Get local user
localUser := h.Auth.GetLocalUser(login.Username)
// Check if TOTP is enabled
if localUser.TotpSecret != "" {
log.Debug().Msg("Totp enabled")
// Set totp pending cookie
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: login.Username,
Name: utils.Capitalize(login.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
Provider: "username",
TotpPending: true,
})
// Return totp required
c.JSON(200, gin.H{
"status": 200,
"message": "Waiting for totp",
"totpPending": true,
})
// Stop further processing
return
}
}
// Create session cookie with username as provider
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: login.Username,
Name: utils.Capitalize(login.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
Provider: "username",
})
// Return logged in
c.JSON(200, gin.H{
"status": 200,
"message": "Logged in",
"totpPending": false,
})
}
func (h *Handlers) TotpHandler(c *gin.Context) {
// Create totp struct
var totpReq types.TotpRequest
// Bind JSON
err := c.BindJSON(&totpReq)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to bind JSON")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Checking totp")
// Get user context
userContext := h.Hooks.UseUserContext(c)
// Check if we have a user
if userContext.Username == "" {
log.Debug().Msg("No user context")
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
// Get user
user := h.Auth.GetLocalUser(userContext.Username)
// Check if totp is correct
ok := totp.Validate(totpReq.Code, user.TotpSecret)
// TOTP is incorrect
if !ok {
log.Debug().Msg("Totp incorrect")
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Totp correct")
// Create session cookie with username as provider
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: user.Username,
Name: utils.Capitalize(user.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), h.Config.Domain),
Provider: "username",
})
// Return logged in
c.JSON(200, gin.H{
"status": 200,
"message": "Logged in",
})
}
func (h *Handlers) LogoutHandler(c *gin.Context) {
log.Debug().Msg("Logging out")
// Delete session cookie
h.Auth.DeleteSessionCookie(c)
log.Debug().Msg("Cleaning up redirect cookie")
// Return logged out
c.JSON(200, gin.H{
"status": 200,
"message": "Logged out",
})
}
func (h *Handlers) AppHandler(c *gin.Context) {
log.Debug().Msg("Getting app context")
// Get configured providers
configuredProviders := h.Providers.GetConfiguredProviders()
// We have username/password configured so add it to our providers
if h.Auth.UserAuthConfigured() {
configuredProviders = append(configuredProviders, "username")
}
// Create app context struct
appContext := types.AppContext{
Status: 200,
Message: "OK",
ConfiguredProviders: configuredProviders,
DisableContinue: h.Config.DisableContinue,
Title: h.Config.Title,
GenericName: h.Config.GenericName,
Domain: h.Config.Domain,
ForgotPasswordMessage: h.Config.ForgotPasswordMessage,
BackgroundImage: h.Config.BackgroundImage,
OAuthAutoRedirect: h.Config.OAuthAutoRedirect,
}
// Return app context
c.JSON(200, appContext)
}
func (h *Handlers) UserHandler(c *gin.Context) {
log.Debug().Msg("Getting user context")
// Get user context
userContext := h.Hooks.UseUserContext(c)
// Create user context response
userContextResponse := types.UserContextResponse{
Status: 200,
IsLoggedIn: userContext.IsLoggedIn,
Username: userContext.Username,
Name: userContext.Name,
Email: userContext.Email,
Provider: userContext.Provider,
Oauth: userContext.OAuth,
TotpPending: userContext.TotpPending,
}
// If we are not logged in we set the status to 401 else we set it to 200
if !userContext.IsLoggedIn {
log.Debug().Msg("Unauthorized")
userContextResponse.Message = "Unauthorized"
} else {
log.Debug().Interface("userContext", userContext).Msg("Authenticated")
userContextResponse.Message = "Authenticated"
}
// Return user context
c.JSON(200, userContextResponse)
}
func (h *Handlers) OauthUrlHandler(c *gin.Context) {
// Create struct for OAuth request
var request types.OAuthRequest
// Bind URI
err := c.BindUri(&request)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Got OAuth request")
// Check if provider exists
provider := h.Providers.GetProvider(request.Provider)
// Provider does not exist
if provider == nil {
c.JSON(404, gin.H{
"status": 404,
"message": "Not Found",
})
return
}
log.Debug().Str("provider", request.Provider).Msg("Got provider")
// Create state
state := provider.GenerateState()
// Get auth URL
authURL := provider.GetAuthURL(state)
log.Debug().Msg("Got auth URL")
// Set CSRF cookie
c.SetCookie(h.Config.CsrfCookieName, state, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
// Get redirect URI
redirectURI := c.Query("redirect_uri")
// Set redirect cookie if redirect URI is provided
if redirectURI != "" {
log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
c.SetCookie(h.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
}
// Return auth URL
c.JSON(200, gin.H{
"status": 200,
"message": "OK",
"url": authURL,
})
}
func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
// Create struct for OAuth request
var providerName types.OAuthRequest
// Bind URI
err := c.BindUri(&providerName)
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
// Get state
state := c.Query("state")
// Get CSRF cookie
csrfCookie, err := c.Cookie(h.Config.CsrfCookieName)
if err != nil {
log.Debug().Msg("No CSRF cookie")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Str("csrfCookie", csrfCookie).Msg("Got CSRF cookie")
// Check if CSRF cookie is valid
if csrfCookie != state {
log.Warn().Msg("Invalid CSRF cookie or CSRF cookie does not match with the state")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Clean up CSRF cookie
c.SetCookie(h.Config.CsrfCookieName, "", -1, "/", "", h.Config.CookieSecure, true)
// Get code
code := c.Query("code")
log.Debug().Msg("Got code")
// Get provider
provider := h.Providers.GetProvider(providerName.Provider)
log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
// Provider does not exist
if provider == nil {
c.Redirect(http.StatusTemporaryRedirect, "/not-found")
return
}
// Exchange token (authenticates user)
_, err = provider.ExchangeToken(code)
log.Debug().Msg("Got token")
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to exchange token")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Get user
user, err := h.Providers.GetUser(providerName.Provider)
// Handle error
if err != nil {
log.Error().Msg("Failed to get user")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Msg("Got user")
// Check that email is not empty
if user.Email == "" {
log.Error().Msg("Email is empty")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Email is not whitelisted
if !h.Auth.EmailWhitelisted(user.Email) {
log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
// Build query
queries, err := query.Values(types.UnauthorizedQuery{
Username: user.Email,
})
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Redirect to unauthorized
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
}
log.Debug().Msg("Email whitelisted")
// Get username
var username string
if user.PreferredUsername != "" {
username = user.PreferredUsername
} else {
username = fmt.Sprintf("%s_%s", strings.Split(user.Email, "@")[0], strings.Split(user.Email, "@")[1])
}
// Get name
var name string
if user.Name != "" {
name = user.Name
} else {
name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
}
// Create session cookie (also cleans up redirect cookie)
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: username,
Name: name,
Email: user.Email,
Provider: providerName.Provider,
OAuthGroups: strings.Join(user.Groups, ","),
})
// Check if we have a redirect URI
redirectCookie, err := c.Cookie(h.Config.RedirectCookieName)
if err != nil {
log.Debug().Msg("No redirect cookie")
c.Redirect(http.StatusTemporaryRedirect, h.Config.AppURL)
return
}
log.Debug().Str("redirectURI", redirectCookie).Msg("Got redirect URI")
// Build query
queries, err := query.Values(types.LoginQuery{
RedirectURI: redirectCookie,
})
log.Debug().Msg("Got redirect query")
// Handle error
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Clean up redirect cookie
c.SetCookie(h.Config.RedirectCookieName, "", -1, "/", "", h.Config.CookieSecure, true)
// Redirect to continue with the redirect URI
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, queries.Encode()))
}
func (h *Handlers) HealthcheckHandler(c *gin.Context) {
c.JSON(200, gin.H{
"status": 200,

223
internal/handlers/oauth.go Normal file
View File

@@ -0,0 +1,223 @@
package handlers
import (
"fmt"
"net/http"
"strings"
"time"
"tinyauth/internal/types"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
"github.com/google/go-querystring/query"
"github.com/rs/zerolog/log"
)
func (h *Handlers) OAuthURLHandler(c *gin.Context) {
var request types.OAuthRequest
err := c.BindUri(&request)
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Got OAuth request")
// Check if provider exists
provider := h.Providers.GetProvider(request.Provider)
if provider == nil {
c.JSON(404, gin.H{
"status": 404,
"message": "Not Found",
})
return
}
log.Debug().Str("provider", request.Provider).Msg("Got provider")
// Create state
state := provider.GenerateState()
// Get auth URL
authURL := provider.GetAuthURL(state)
log.Debug().Msg("Got auth URL")
// Set CSRF cookie
c.SetCookie(h.Config.CsrfCookieName, state, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
// Get redirect URI
redirectURI := c.Query("redirect_uri")
// Set redirect cookie if redirect URI is provided
if redirectURI != "" {
log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
c.SetCookie(h.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", "", h.Config.CookieSecure, true)
}
// Return auth URL
c.JSON(200, gin.H{
"status": 200,
"message": "OK",
"url": authURL,
})
}
func (h *Handlers) OAuthCallbackHandler(c *gin.Context) {
var providerName types.OAuthRequest
err := c.BindUri(&providerName)
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
// Get state
state := c.Query("state")
// Get CSRF cookie
csrfCookie, err := c.Cookie(h.Config.CsrfCookieName)
if err != nil {
log.Debug().Msg("No CSRF cookie")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Str("csrfCookie", csrfCookie).Msg("Got CSRF cookie")
// Check if CSRF cookie is valid
if csrfCookie != state {
log.Warn().Msg("Invalid CSRF cookie or CSRF cookie does not match with the state")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Clean up CSRF cookie
c.SetCookie(h.Config.CsrfCookieName, "", -1, "/", "", h.Config.CookieSecure, true)
// Get code
code := c.Query("code")
log.Debug().Msg("Got code")
// Get provider
provider := h.Providers.GetProvider(providerName.Provider)
if provider == nil {
c.Redirect(http.StatusTemporaryRedirect, "/not-found")
return
}
log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
// Exchange token (authenticates user)
_, err = provider.ExchangeToken(code)
if err != nil {
log.Error().Err(err).Msg("Failed to exchange token")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Msg("Got token")
// Get user
user, err := h.Providers.GetUser(providerName.Provider)
if err != nil {
log.Error().Err(err).Msg("Failed to get user")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Msg("Got user")
// Check that email is not empty
if user.Email == "" {
log.Error().Msg("Email is empty")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Email is not whitelisted
if !h.Auth.EmailWhitelisted(user.Email) {
log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
queries, err := query.Values(types.UnauthorizedQuery{
Username: user.Email,
})
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
}
log.Debug().Msg("Email whitelisted")
// Get username
var username string
if user.PreferredUsername != "" {
username = user.PreferredUsername
} else {
username = fmt.Sprintf("%s_%s", strings.Split(user.Email, "@")[0], strings.Split(user.Email, "@")[1])
}
// Get name
var name string
if user.Name != "" {
name = user.Name
} else {
name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
}
// Create session cookie
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: username,
Name: name,
Email: user.Email,
Provider: providerName.Provider,
OAuthGroups: strings.Join(user.Groups, ","),
})
// Check if we have a redirect URI
redirectCookie, err := c.Cookie(h.Config.RedirectCookieName)
if err != nil {
log.Debug().Msg("No redirect cookie")
c.Redirect(http.StatusTemporaryRedirect, h.Config.AppURL)
return
}
log.Debug().Str("redirectURI", redirectCookie).Msg("Got redirect URI")
queries, err := query.Values(types.LoginQuery{
RedirectURI: redirectCookie,
})
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Msg("Got redirect query")
// Clean up redirect cookie
c.SetCookie(h.Config.RedirectCookieName, "", -1, "/", "", h.Config.CookieSecure, true)
// Redirect to continue with the redirect URI
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, queries.Encode()))
}

290
internal/handlers/proxy.go Normal file
View File

@@ -0,0 +1,290 @@
package handlers
import (
"fmt"
"net/http"
"strings"
"tinyauth/internal/types"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
"github.com/google/go-querystring/query"
"github.com/rs/zerolog/log"
)
func (h *Handlers) ProxyHandler(c *gin.Context) {
var proxy types.Proxy
err := c.BindUri(&proxy)
if err != nil {
log.Error().Err(err).Msg("Failed to bind URI")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
if isBrowser {
log.Debug().Msg("Request is most likely coming from a browser")
} else {
log.Debug().Msg("Request is most likely not coming from a browser")
}
log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
uri := c.Request.Header.Get("X-Forwarded-Uri")
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
// Remove the port from the host if it exists
hostPortless := strings.Split(host, ":")[0] // *lol*
// Get the id
id := strings.Split(hostPortless, ".")[0]
labels, err := h.Docker.GetLabels(id, hostPortless)
if err != nil {
log.Error().Err(err).Msg("Failed to get container labels")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Interface("labels", labels).Msg("Got labels")
ip := c.ClientIP()
// Check if the IP is in bypass list
if h.Auth.BypassedIP(labels, ip) {
headersParsed := utils.ParseHeaders(labels.Headers)
for key, value := range headersParsed {
log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value)
}
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
}
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
})
return
}
// Check if the IP is allowed/blocked
if !h.Auth.CheckIP(labels, ip) {
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(403, gin.H{
"status": 403,
"message": "Forbidden",
})
return
}
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
IP: ip,
}
queries, err := query.Values(values)
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
// Check if auth is enabled
authEnabled, err := h.Auth.AuthEnabled(uri, labels)
if err != nil {
log.Error().Err(err).Msg("Failed to check if app is allowed")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(500, gin.H{
"status": 500,
"message": "Internal Server Error",
})
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// If auth is not enabled, return 200
if !authEnabled {
headersParsed := utils.ParseHeaders(labels.Headers)
for key, value := range headersParsed {
log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value)
}
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
}
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
})
return
}
// Get user context
userContext := h.Hooks.UseUserContext(c)
// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
if userContext.Provider == "basic" && userContext.TotpEnabled {
log.Warn().Str("username", userContext.Username).Msg("User has totp enabled, disabling basic auth")
userContext.IsLoggedIn = false
}
// Check if user is logged in
if userContext.IsLoggedIn {
log.Debug().Msg("Authenticated")
// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
appAllowed := h.Auth.ResourceAllowed(c, userContext, labels)
log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
if !appAllowed {
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
}
if userContext.OAuth {
values.Username = userContext.Email
} else {
values.Username = userContext.Username
}
queries, err := query.Values(values)
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
// Check groups if using OAuth
if userContext.OAuth {
groupOk := h.Auth.OAuthGroup(c, userContext, labels)
log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")
if !groupOk {
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
values := types.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
GroupErr: true,
}
if userContext.OAuth {
values.Username = userContext.Email
} else {
values.Username = userContext.Username
}
queries, err := query.Values(values)
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
return
}
}
c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
// Set the rest of the headers
parsedHeaders := utils.ParseHeaders(labels.Headers)
for key, value := range parsedHeaders {
log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value)
}
// Set basic auth headers if configured
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
}
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
})
return
}
// The user is not logged in
log.Debug().Msg("Unauthorized")
if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
queries, err := query.Values(types.LoginQuery{
RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
})
if err != nil {
log.Error().Err(err).Msg("Failed to build queries")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", h.Config.AppURL, queries.Encode()))
}

197
internal/handlers/user.go Normal file
View File

@@ -0,0 +1,197 @@
package handlers
import (
"fmt"
"strings"
"tinyauth/internal/types"
"tinyauth/internal/utils"
"github.com/gin-gonic/gin"
"github.com/pquerna/otp/totp"
"github.com/rs/zerolog/log"
)
func (h *Handlers) LoginHandler(c *gin.Context) {
var login types.LoginRequest
err := c.BindJSON(&login)
if err != nil {
log.Error().Err(err).Msg("Failed to bind JSON")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Got login request")
clientIP := c.ClientIP()
// Create an identifier for rate limiting (username or IP if username doesn't exist yet)
rateIdentifier := login.Username
if rateIdentifier == "" {
rateIdentifier = clientIP
}
// Check if the account is locked due to too many failed attempts
locked, remainingTime := h.Auth.IsAccountLocked(rateIdentifier)
if locked {
log.Warn().Str("identifier", rateIdentifier).Int("remaining_seconds", remainingTime).Msg("Account is locked due to too many failed login attempts")
c.JSON(429, gin.H{
"status": 429,
"message": fmt.Sprintf("Too many failed login attempts. Try again in %d seconds", remainingTime),
})
return
}
// Search for a user based on username
log.Debug().Interface("username", login.Username).Msg("Searching for user")
userSearch := h.Auth.SearchUser(login.Username)
// User does not exist
if userSearch.Type == "" {
log.Debug().Str("username", login.Username).Msg("User not found")
// Record failed login attempt
h.Auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Got user")
// Check if password is correct
if !h.Auth.VerifyUser(userSearch, login.Password) {
log.Debug().Str("username", login.Username).Msg("Password incorrect")
// Record failed login attempt
h.Auth.RecordLoginAttempt(rateIdentifier, false)
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Password correct, checking totp")
// Record successful login attempt (will reset failed attempt counter)
h.Auth.RecordLoginAttempt(rateIdentifier, true)
// Check if user is using TOTP
if userSearch.Type == "local" {
// Get local user
localUser := h.Auth.GetLocalUser(login.Username)
// Check if TOTP is enabled
if localUser.TotpSecret != "" {
log.Debug().Msg("Totp enabled")
// Set totp pending cookie
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: login.Username,
Name: utils.Capitalize(login.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
Provider: "username",
TotpPending: true,
})
// Return totp required
c.JSON(200, gin.H{
"status": 200,
"message": "Waiting for totp",
"totpPending": true,
})
return
}
}
// Create session cookie with username as provider
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: login.Username,
Name: utils.Capitalize(login.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
Provider: "username",
})
// Return logged in
c.JSON(200, gin.H{
"status": 200,
"message": "Logged in",
"totpPending": false,
})
}
func (h *Handlers) TOTPHandler(c *gin.Context) {
var totpReq types.TotpRequest
err := c.BindJSON(&totpReq)
if err != nil {
log.Error().Err(err).Msg("Failed to bind JSON")
c.JSON(400, gin.H{
"status": 400,
"message": "Bad Request",
})
return
}
log.Debug().Msg("Checking totp")
// Get user context
userContext := h.Hooks.UseUserContext(c)
// Check if we have a user
if userContext.Username == "" {
log.Debug().Msg("No user context")
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
// Get user
user := h.Auth.GetLocalUser(userContext.Username)
// Check if totp is correct
ok := totp.Validate(totpReq.Code, user.TotpSecret)
if !ok {
log.Debug().Msg("Totp incorrect")
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
log.Debug().Msg("Totp correct")
// Create session cookie with username as provider
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: user.Username,
Name: utils.Capitalize(user.Username),
Email: fmt.Sprintf("%s@%s", strings.ToLower(user.Username), h.Config.Domain),
Provider: "username",
})
// Return logged in
c.JSON(200, gin.H{
"status": 200,
"message": "Logged in",
})
}
func (h *Handlers) LogoutHandler(c *gin.Context) {
log.Debug().Msg("Cleaning up redirect cookie")
h.Auth.DeleteSessionCookie(c)
c.JSON(200, gin.H{
"status": 200,
"message": "Logged out",
})
}

20
internal/hooks/hooks.go
View File

@@ -35,21 +35,16 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
if basic != nil {
log.Debug().Msg("Got basic auth")
// Search for a user based on username
userSearch := hooks.Auth.SearchUser(basic.Username)
if userSearch.Type == "" {
log.Error().Str("username", basic.Username).Msg("User does not exist")
// Return empty context
return types.UserContext{}
}
// Verify the user
if !hooks.Auth.VerifyUser(userSearch, basic.Password) {
log.Error().Str("username", basic.Username).Msg("Password incorrect")
// Return empty context
return types.UserContext{}
}
@@ -83,14 +78,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
// Check cookie error after basic auth
if err != nil {
log.Error().Err(err).Msg("Failed to get session cookie")
// Return empty context
return types.UserContext{}
}
// Check if session cookie has totp pending
if cookie.TotpPending {
log.Debug().Msg("Totp pending")
// Return empty context since we are pending totp
return types.UserContext{
Username: cookie.Username,
Name: cookie.Name,
@@ -104,19 +96,15 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
if cookie.Provider == "username" {
log.Debug().Msg("Provider is username")
// Search for the user with the username
userSearch := hooks.Auth.SearchUser(cookie.Username)
if userSearch.Type == "" {
log.Error().Str("username", cookie.Username).Msg("User does not exist")
// Return empty context
return types.UserContext{}
}
log.Debug().Str("type", userSearch.Type).Msg("User exists")
// It exists so we are logged in
return types.UserContext{
Username: cookie.Username,
Name: cookie.Name,
@@ -135,20 +123,15 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
if provider != nil {
log.Debug().Msg("Provider exists")
// Check if the oauth email is whitelisted
// If the email is not whitelisted we delete the cookie and return an empty context
if !hooks.Auth.EmailWhitelisted(cookie.Email) {
log.Error().Str("email", cookie.Email).Msg("Email is not whitelisted")
// It isn't so we delete the cookie and return an empty context
hooks.Auth.DeleteSessionCookie(c)
// Return empty context
return types.UserContext{}
}
log.Debug().Msg("Email is whitelisted")
// Return user context since we are logged in with oauth
return types.UserContext{
Username: cookie.Username,
Name: cookie.Name,
@@ -160,6 +143,5 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
}
}
// Neither basic auth or oauth is set so we return an empty context
return types.UserContext{}
}

68
internal/ldap/ldap.go
View File

@@ -3,38 +3,57 @@ package ldap
import (
"crypto/tls"
"fmt"
"time"
"tinyauth/internal/types"
ldapgo "github.com/go-ldap/ldap/v3"
"github.com/rs/zerolog/log"
)
type LDAP struct {
Config types.LdapConfig
Conn *ldapgo.Conn
BaseDN string
}
func NewLDAP(config types.LdapConfig) (*LDAP, error) {
// Connect to the LDAP server
conn, err := ldapgo.DialURL(config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
InsecureSkipVerify: config.Insecure,
ldap := &LDAP{
Config: config,
}
_, err := ldap.connect()
if err != nil {
return nil, fmt.Errorf("failed to connect to LDAP server: %w", err)
}
go func() {
for range time.Tick(time.Duration(5) * time.Minute) {
err := ldap.heartbeat()
if err != nil {
log.Error().Err(err).Msg("LDAP connection heartbeat failed")
}
}
}()
return ldap, nil
}
func (l *LDAP) connect() (*ldapgo.Conn, error) {
conn, err := ldapgo.DialURL(l.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
InsecureSkipVerify: l.Config.Insecure,
MinVersion: tls.VersionTLS12,
}))
if err != nil {
return nil, err
}
// Bind to the LDAP server with the provided credentials
err = conn.Bind(config.BindDN, config.BindPassword)
err = conn.Bind(l.Config.BindDN, l.Config.BindPassword)
if err != nil {
return nil, err
}
return &LDAP{
Config: config,
Conn: conn,
BaseDN: config.BaseDN,
}, nil
// Set and return the connection
l.Conn = conn
return conn, nil
}
func (l *LDAP) Search(username string) (string, error) {
@@ -42,16 +61,14 @@ func (l *LDAP) Search(username string) (string, error) {
escapedUsername := ldapgo.EscapeFilter(username)
filter := fmt.Sprintf(l.Config.SearchFilter, escapedUsername)
// Create a search request to find the user by username
searchRequest := ldapgo.NewSearchRequest(
l.BaseDN,
l.Config.BaseDN,
ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
filter,
[]string{"dn"},
nil,
)
// Perform the search
searchResult, err := l.Conn.Search(searchRequest)
if err != nil {
return "", err
@@ -61,17 +78,34 @@ func (l *LDAP) Search(username string) (string, error) {
return "", fmt.Errorf("err multiple or no entries found for user %s", username)
}
// User found, return the distinguished name (DN)
userDN := searchResult.Entries[0].DN
return userDN, nil
}
func (l *LDAP) Bind(userDN string, password string) error {
// Bind to the LDAP server with the user's DN and password
err := l.Conn.Bind(userDN, password)
if err != nil {
return err
}
return nil
}
func (l *LDAP) heartbeat() error {
log.Info().Msg("Performing LDAP connection heartbeat")
searchRequest := ldapgo.NewSearchRequest(
"",
ldapgo.ScopeBaseObject, ldapgo.NeverDerefAliases, 0, 0, false,
"(objectClass=*)",
[]string{},
nil,
)
_, err := l.Conn.Search(searchRequest)
if err != nil {
return err
}
// No error means the connection is alive
return nil
}

22
internal/oauth/oauth.go
View File

@@ -18,7 +18,6 @@ type OAuth struct {
}
func NewOAuth(config oauth2.Config, insecureSkipVerify bool) *OAuth {
// Create transport with TLS
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: insecureSkipVerify,
@@ -26,18 +25,15 @@ func NewOAuth(config oauth2.Config, insecureSkipVerify bool) *OAuth {
},
}
// Create a new context
ctx := context.Background()
// Create the HTTP client with the transport
httpClient := &http.Client{
Transport: transport,
}
ctx := context.Background()
// Set the HTTP client in the context
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
// Create the verifier
verifier := oauth2.GenerateVerifier()
return &OAuth{
@@ -48,40 +44,28 @@ func NewOAuth(config oauth2.Config, insecureSkipVerify bool) *OAuth {
}
func (oauth *OAuth) GetAuthURL(state string) string {
// Return the auth url
return oauth.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(oauth.Verifier))
}
func (oauth *OAuth) ExchangeToken(code string) (string, error) {
// Exchange the code for a token
token, err := oauth.Config.Exchange(oauth.Context, code, oauth2.VerifierOption(oauth.Verifier))
// Check if there was an error
if err != nil {
return "", err
}
// Set the token
// Set and return the token
oauth.Token = token
// Return the access token
return oauth.Token.AccessToken, nil
}
func (oauth *OAuth) GetClient() *http.Client {
// Return the http client with the token set
return oauth.Config.Client(oauth.Context, oauth.Token)
}
func (oauth *OAuth) GenerateState() string {
// Generate a random state string
b := make([]byte, 128)
// Fill the byte slice with random data
rand.Read(b)
// Encode the byte slice to a base64 string
state := base64.URLEncoding.EncodeToString(b)
return state
}

13
internal/providers/generic.go
View File

@@ -10,41 +10,28 @@ import (
)
func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
// Create user struct
var user constants.Claims
// Using the oauth client get the user info url
res, err := client.Get(url)
// Check if there was an error
if err != nil {
return user, err
}
defer res.Body.Close()
log.Debug().Msg("Got response from generic provider")
// Read the body of the response
body, err := io.ReadAll(res.Body)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Read body from generic provider")
// Unmarshal the body into the user struct
err = json.Unmarshal(body, &user)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Parsed user from generic provider")
// Return the user
return user, nil
}

29
internal/providers/github.go
View File

@@ -28,71 +28,48 @@ func GithubScopes() []string {
}
func GetGithubUser(client *http.Client) (constants.Claims, error) {
// Create user struct
var user constants.Claims
// Get the user info from github using the oauth http client
res, err := client.Get("https://api.github.com/user")
// Check if there was an error
if err != nil {
return user, err
}
defer res.Body.Close()
log.Debug().Msg("Got user response from github")
// Read the body of the response
body, err := io.ReadAll(res.Body)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Read user body from github")
// Parse the body into a user struct
var userInfo GithubUserInfoResponse
// Unmarshal the body into the user struct
err = json.Unmarshal(body, &userInfo)
// Check if there was an error
if err != nil {
return user, err
}
// Get the user emails from github using the oauth http client
res, err = client.Get("https://api.github.com/user/emails")
// Check if there was an error
if err != nil {
return user, err
}
defer res.Body.Close()
log.Debug().Msg("Got email response from github")
// Read the body of the response
body, err = io.ReadAll(res.Body)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Read email body from github")
// Parse the body into a user struct
var emails GithubEmailResponse
// Unmarshal the body into the user struct
err = json.Unmarshal(body, &emails)
// Check if there was an error
if err != nil {
return user, err
}
@@ -102,28 +79,24 @@ func GetGithubUser(client *http.Client) (constants.Claims, error) {
// Find and return the primary email
for _, email := range emails {
if email.Primary {
// Set the email then exit
log.Debug().Str("email", email.Email).Msg("Found primary email")
user.Email = email.Email
break
}
}
// If no primary email was found, use the first available email
if len(emails) == 0 {
return user, errors.New("no emails found")
}
// Set the email if it is not set picking the first one
// Use first available email if no primary email was found
if user.Email == "" {
log.Warn().Str("email", emails[0].Email).Msg("No primary email found, using first email")
user.Email = emails[0].Email
}
// Set the username and name
user.PreferredUsername = userInfo.Login
user.Name = userInfo.Name
// Return
return user, nil
}

14
internal/providers/google.go
View File

@@ -22,49 +22,35 @@ func GoogleScopes() []string {
}
func GetGoogleUser(client *http.Client) (constants.Claims, error) {
// Create user struct
var user constants.Claims
// Get the user info from google using the oauth http client
res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
// Check if there was an error
if err != nil {
return user, err
}
defer res.Body.Close()
log.Debug().Msg("Got response from google")
// Read the body of the response
body, err := io.ReadAll(res.Body)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Read body from google")
// Create a new user info struct
var userInfo GoogleUserInfoResponse
// Unmarshal the body into the user struct
err = json.Unmarshal(body, &userInfo)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Parsed user from google")
// Map the user info to the user struct
user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
user.Name = userInfo.Name
user.Email = userInfo.Email
// Return the user
return user, nil
}

30
internal/providers/providers.go
View File

@@ -23,11 +23,8 @@ func NewProviders(config types.OAuthConfig) *Providers {
Config: config,
}
// If we have a client id and secret for github, initialize the oauth provider
if config.GithubClientId != "" && config.GithubClientSecret != "" {
log.Info().Msg("Initializing Github OAuth")
// Create a new oauth provider with the github config
providers.Github = oauth.NewOAuth(oauth2.Config{
ClientID: config.GithubClientId,
ClientSecret: config.GithubClientSecret,
@@ -37,11 +34,8 @@ func NewProviders(config types.OAuthConfig) *Providers {
}, false)
}
// If we have a client id and secret for google, initialize the oauth provider
if config.GoogleClientId != "" && config.GoogleClientSecret != "" {
log.Info().Msg("Initializing Google OAuth")
// Create a new oauth provider with the google config
providers.Google = oauth.NewOAuth(oauth2.Config{
ClientID: config.GoogleClientId,
ClientSecret: config.GoogleClientSecret,
@@ -51,11 +45,8 @@ func NewProviders(config types.OAuthConfig) *Providers {
}, false)
}
// If we have a client id and secret for generic oauth, initialize the oauth provider
if config.GenericClientId != "" && config.GenericClientSecret != "" {
log.Info().Msg("Initializing Generic OAuth")
// Create a new oauth provider with the generic config
providers.Generic = oauth.NewOAuth(oauth2.Config{
ClientID: config.GenericClientId,
ClientSecret: config.GenericClientSecret,
@@ -72,7 +63,6 @@ func NewProviders(config types.OAuthConfig) *Providers {
}
func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
// Return the provider based on the provider string
switch provider {
case "github":
return providers.Github
@@ -86,82 +76,63 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
}
func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
// Create user struct
var user constants.Claims
// Get the user from the provider
switch provider {
case "github":
// If the github provider is not configured, return an error
if providers.Github == nil {
log.Debug().Msg("Github provider not configured")
return user, nil
}
// Get the client from the github provider
client := providers.Github.GetClient()
log.Debug().Msg("Got client from github")
// Get the user from the github provider
user, err := GetGithubUser(client)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Got user from github")
// Return the user
return user, nil
case "google":
// If the google provider is not configured, return an error
if providers.Google == nil {
log.Debug().Msg("Google provider not configured")
return user, nil
}
// Get the client from the google provider
client := providers.Google.GetClient()
log.Debug().Msg("Got client from google")
// Get the user from the google provider
user, err := GetGoogleUser(client)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Got user from google")
// Return the user
return user, nil
case "generic":
// If the generic provider is not configured, return an error
if providers.Generic == nil {
log.Debug().Msg("Generic provider not configured")
return user, nil
}
// Get the client from the generic provider
client := providers.Generic.GetClient()
log.Debug().Msg("Got client from generic")
// Get the user from the generic provider
user, err := GetGenericUser(client, providers.Config.GenericUserURL)
// Check if there was an error
if err != nil {
return user, err
}
log.Debug().Msg("Got user from generic")
// Return the email
return user, nil
default:
return user, nil
@@ -169,7 +140,6 @@ func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
}
func (provider *Providers) GetConfiguredProviders() []string {
// Create a list of the configured providers
providers := []string{}
if provider.Github != nil {
providers = append(providers, "github")

27
internal/server/server.go
View File

@@ -22,23 +22,18 @@ type Server struct {
}
func NewServer(config types.ServerConfig, handlers *handlers.Handlers) (*Server, error) {
// Disable gin logs
gin.SetMode(gin.ReleaseMode)
// Create router and use zerolog for logs
log.Debug().Msg("Setting up router")
router := gin.New()
router.Use(zerolog())
// Read UI assets
log.Debug().Msg("Setting up assets")
dist, err := fs.Sub(assets.Assets, "dist")
if err != nil {
return nil, err
}
// Create file server
log.Debug().Msg("Setting up file server")
fileServer := http.FileServer(http.FS(dist))
@@ -46,42 +41,34 @@ func NewServer(config types.ServerConfig, handlers *handlers.Handlers) (*Server,
router.Use(func(c *gin.Context) {
// If not an API request, serve the UI
if !strings.HasPrefix(c.Request.URL.Path, "/api") {
// Check if the file exists
_, err := fs.Stat(dist, strings.TrimPrefix(c.Request.URL.Path, "/"))
// If the file doesn't exist, serve the index.html
if os.IsNotExist(err) {
c.Request.URL.Path = "/"
}
// Serve the file
fileServer.ServeHTTP(c.Writer, c.Request)
// Stop further processing
c.Abort()
}
})
// Proxy routes
router.GET("/api/auth/:proxy", handlers.AuthHandler)
router.GET("/api/auth/:proxy", handlers.ProxyHandler)
// Auth routes
router.POST("/api/login", handlers.LoginHandler)
router.POST("/api/totp", handlers.TotpHandler)
router.POST("/api/totp", handlers.TOTPHandler)
router.POST("/api/logout", handlers.LogoutHandler)
// Context routes
router.GET("/api/app", handlers.AppHandler)
router.GET("/api/user", handlers.UserHandler)
router.GET("/api/app", handlers.AppContextHandler)
router.GET("/api/user", handlers.UserContextHandler)
// OAuth routes
router.GET("/api/oauth/url/:provider", handlers.OauthUrlHandler)
router.GET("/api/oauth/callback/:provider", handlers.OauthCallbackHandler)
router.GET("/api/oauth/url/:provider", handlers.OAuthURLHandler)
router.GET("/api/oauth/callback/:provider", handlers.OAuthCallbackHandler)
// App routes
router.GET("/api/healthcheck", handlers.HealthcheckHandler)
// Return the server
return &Server{
Config: config,
Handlers: handlers,
@@ -90,9 +77,7 @@ func NewServer(config types.ServerConfig, handlers *handlers.Handlers) (*Server,
}
func (s *Server) Start() error {
// Run server
log.Info().Str("address", s.Config.Address).Int("port", s.Config.Port).Msg("Starting server")
return s.Router.Run(fmt.Sprintf("%s:%d", s.Config.Address, s.Config.Port))
}

165
internal/server/server_test.go
View File

@@ -21,13 +21,13 @@ import (
"github.com/pquerna/otp/totp"
)
// Simple server config for tests
// Simple server config
var serverConfig = types.ServerConfig{
Port: 8080,
Address: "0.0.0.0",
}
// Simple handlers config for tests
// Simple handlers config
var handlersConfig = types.HandlersConfig{
AppURL: "http://localhost:8080",
Domain: "localhost",
@@ -42,7 +42,7 @@ var handlersConfig = types.HandlersConfig{
OAuthAutoRedirect: "none",
}
// Simple auth config for tests
// Simple auth config
var authConfig = types.AuthConfig{
Users: types.Users{},
OauthWhitelist: "",
@@ -56,13 +56,13 @@ var authConfig = types.AuthConfig{
Domain: "localhost",
}
// Simple hooks config for tests
// Simple hooks config
var hooksConfig = types.HooksConfig{
Domain: "localhost",
}
// Cookie
var cookie = "MTc1MTkyMzM5MnxiME9aTzlGQjZMNEJMdDZMc0lHMk9zcXQyME9SR1ZnUmlaYWZNcWplek5vcVNpdkdHRTZqb09YWkVUYUN6NEt4MkEyOGEyX2hFQWZEUEYtbllDX0h5eDBCb3VyT2phQlRpZWFfRFdTMGw2WUg2VWw4RGdNbEhQclotOUJjblJGaWFQcmhyaWFna0dXRWNud2c1akg5eEpLZ3JzS0pfWktscVZyckZFR1VDX0R5QjFOT0hzMTNKb18ySEMxZlluSWNxa1ByM0VhSzNyMkRtdDNORWJXVGFYSnMzWjFGa0lrZlhSTWduRmttMHhQUXN4UFhNbHFXY0lBWjBnUWpKU0xXMHRubjlKbjV0LXBGdjk0MmpJX0xMX1ZYblVJVW9LWUJoWmpNanVXNkNjamhYWlR2V29rY0RNYWkxY2lMQnpqLUI2cHMyYTZkWWgtWnlFdGN0amh2WURUeUNGT3ZLS1FJVUFIb0NWR1RPMlRtY2c9PXwerwFtb9urOXnwA02qXbLeorMloaK_paQd0in4BAesmg=="
var cookie string
// User
var user = types.User{
@@ -72,14 +72,7 @@ var user = types.User{
// Initialize the server for tests
func getServer(t *testing.T) *server.Server {
// Create docker service
docker, err := docker.NewDocker()
if err != nil {
t.Fatalf("Failed to initialize docker: %v", err)
}
// Create auth service
// Create services
authConfig.Users = types.Users{
{
Username: user.Username,
@@ -87,69 +80,51 @@ func getServer(t *testing.T) *server.Server {
TotpSecret: user.TotpSecret,
},
}
auth := auth.NewAuth(authConfig, docker, nil)
// Create providers service
docker, err := docker.NewDocker()
if err != nil {
t.Fatalf("Failed to create docker client: %v", err)
}
auth := auth.NewAuth(authConfig, nil, nil)
providers := providers.NewProviders(types.OAuthConfig{})
// Create hooks service
hooks := hooks.NewHooks(hooksConfig, auth, providers)
// Create handlers service
handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
// Create server
srv, err := server.NewServer(serverConfig, handlers)
if err != nil {
t.Fatalf("Failed to create server: %v", err)
}
// Return the server
return srv
}
// Test login
func TestLogin(t *testing.T) {
t.Log("Testing login")
// Get server
srv := getServer(t)
// Create recorder
recorder := httptest.NewRecorder()
// Create request
user := types.LoginRequest{
Username: "user",
Password: "pass",
}
json, err := json.Marshal(user)
// Check if there was an error
if err != nil {
t.Fatalf("Error marshalling json: %v", err)
}
// Create request
req, err := http.NewRequest("POST", "/api/login", strings.NewReader(string(json)))
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Get the result cookie
cookies := recorder.Result().Cookies()
// Check if the cookie is set
if len(cookies) == 0 {
t.Fatalf("Cookie not set")
}
@@ -158,55 +133,42 @@ func TestLogin(t *testing.T) {
cookie = cookies[0].Value
}
// Test app context
func TestAppContext(t *testing.T) {
// Refresh the cookie
TestLogin(t)
t.Log("Testing app context")
// Get server
srv := getServer(t)
// Create recorder
recorder := httptest.NewRecorder()
// Create request
req, err := http.NewRequest("GET", "/api/app", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Set the cookie
// Set the cookie from the previous test
req.AddCookie(&http.Cookie{
Name: "tinyauth",
Value: cookie,
})
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Read the body of the response
body, err := io.ReadAll(recorder.Body)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting body: %v", err)
}
// Unmarshal the body into the user struct
var app types.AppContext
err = json.Unmarshal(body, &app)
// Check if there was an error
if err != nil {
t.Fatalf("Error unmarshalling body: %v", err)
}
// Create tests values
expected := types.AppContext{
Status: 200,
Message: "OK",
@@ -226,48 +188,34 @@ func TestAppContext(t *testing.T) {
}
}
// Test user context
func TestUserContext(t *testing.T) {
// Refresh the cookie
TestLogin(t)
t.Log("Testing user context")
// Get server
srv := getServer(t)
// Create recorder
recorder := httptest.NewRecorder()
// Create request
req, err := http.NewRequest("GET", "/api/user", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Set the cookie
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookie,
})
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Read the body of the response
body, err := io.ReadAll(recorder.Body)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting body: %v", err)
}
// Unmarshal the body into the user struct
type User struct {
Username string `json:"username"`
}
@@ -275,49 +223,37 @@ func TestUserContext(t *testing.T) {
var user User
err = json.Unmarshal(body, &user)
// Check if there was an error
if err != nil {
t.Fatalf("Error unmarshalling body: %v", err)
}
// We should get the username back
// We should get the user back
if user.Username != "user" {
t.Fatalf("Expected user, got %s", user.Username)
}
}
// Test logout
func TestLogout(t *testing.T) {
// Refresh the cookie
TestLogin(t)
t.Log("Testing logout")
// Get server
srv := getServer(t)
// Create recorder
recorder := httptest.NewRecorder()
// Create request
req, err := http.NewRequest("POST", "/api/logout", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Set the cookie
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookie,
})
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Check if the cookie is different (means the cookie is gone)
@@ -326,196 +262,133 @@ func TestLogout(t *testing.T) {
}
}
// Test auth endpoint
func TestAuth(t *testing.T) {
// Refresh the cookie
TestLogin(t)
t.Log("Testing auth endpoint")
// Get server
srv := getServer(t)
// Create recorder
recorder := httptest.NewRecorder()
// Create request
req, err := http.NewRequest("GET", "/api/auth/traefik", nil)
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Set the accept header
req.Header.Set("Accept", "text/html")
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusTemporaryRedirect)
// Recreate recorder
recorder = httptest.NewRecorder()
// Recreate the request
req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Test with the cookie
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookie,
})
// Serve the request again
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Recreate recorder
recorder = httptest.NewRecorder()
// Recreate the request
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Serve the request again
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
// Recreate recorder
recorder = httptest.NewRecorder()
// Recreate the request
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Test with the cookie
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookie,
})
// Serve the request again
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
}
func TestTOTP(t *testing.T) {
t.Log("Testing TOTP")
// Generate totp secret
key, err := totp.Generate(totp.GenerateOpts{
Issuer: "Tinyauth",
AccountName: user.Username,
})
if err != nil {
t.Fatalf("Failed to generate TOTP secret: %v", err)
}
// Create secret
secret := key.Secret()
// Set the user's TOTP secret
user.TotpSecret = secret
// Get server
srv := getServer(t)
// Create request
user := types.LoginRequest{
Username: "user",
Password: "pass",
}
loginJson, err := json.Marshal(user)
// Check if there was an error
if err != nil {
t.Fatalf("Error marshalling json: %v", err)
}
// Create recorder
recorder := httptest.NewRecorder()
// Create request
req, err := http.NewRequest("POST", "/api/login", strings.NewReader(string(loginJson)))
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
// Set the cookie for next test
cookie = recorder.Result().Cookies()[0].Value
// Create TOTP code
code, err := totp.GenerateCode(secret, time.Now())
// Check if there was an error
if err != nil {
t.Fatalf("Failed to generate TOTP code: %v", err)
}
// Create TOTP request
totpRequest := types.TotpRequest{
Code: code,
}
// Marshal the TOTP request
totpJson, err := json.Marshal(totpRequest)
// Check if there was an error
if err != nil {
t.Fatalf("Error marshalling TOTP request: %v", err)
}
// Create recorder
recorder = httptest.NewRecorder()
// Create request
req, err = http.NewRequest("POST", "/api/totp", strings.NewReader(string(totpJson)))
// Check if there was an error
if err != nil {
t.Fatalf("Error creating request: %v", err)
}
// Set the cookie
req.AddCookie(&http.Cookie{
Name: "tinyauth-session",
Value: cookie,
})
// Serve the request
srv.Router.ServeHTTP(recorder, req)
// Assert
assert.Equal(t, recorder.Code, http.StatusOK)
}

9
internal/types/config.go
View File

@@ -34,7 +34,7 @@ type Config struct {
EnvFile string `mapstructure:"env-file"`
LoginTimeout int `mapstructure:"login-timeout"`
LoginMaxRetries int `mapstructure:"login-max-retries"`
FogotPasswordMessage string `mapstructure:"forgot-password-message" validate:"required"`
FogotPasswordMessage string `mapstructure:"forgot-password-message"`
BackgroundImage string `mapstructure:"background-image" validate:"required"`
LdapAddress string `mapstructure:"ldap-address"`
LdapBindDN string `mapstructure:"ldap-bind-dn"`
@@ -120,8 +120,9 @@ type PassowrdLabels struct {
// IP labels for a tinyauth protected container
type IPLabels struct {
Allow []string
Block []string
Allow []string
Block []string
Bypass []string
}
// Labels is a struct that contains the labels for a tinyauth protected container
@@ -129,7 +130,7 @@ type Labels struct {
Users string
Allowed string
Headers []string
Domain string
Domain []string
Basic BasicLabels
OAuth OAuthLabels
IP IPLabels

125
internal/utils/utils.go
View File

@@ -24,168 +24,118 @@ import (
func ParseUsers(users string) (types.Users, error) {
log.Debug().Msg("Parsing users")
// Create a new users struct
var usersParsed types.Users
// Split the users by comma
userList := strings.Split(users, ",")
// Check if there are any users
if len(userList) == 0 {
return types.Users{}, errors.New("invalid user format")
}
// Loop through the users and split them by colon
for _, user := range userList {
parsed, err := ParseUser(user)
// Check if there was an error
if err != nil {
return types.Users{}, err
}
// Append the user to the users struct
usersParsed = append(usersParsed, parsed)
}
log.Debug().Msg("Parsed users")
// Return the users struct
return usersParsed, nil
}
// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
func GetUpperDomain(urlSrc string) (string, error) {
// Make sure the url is valid
urlParsed, err := url.Parse(urlSrc)
// Check if there was an error
if err != nil {
return "", err
}
// Split the hostname by period
urlSplitted := strings.Split(urlParsed.Hostname(), ".")
// Get the last part of the url
urlFinal := strings.Join(urlSplitted[1:], ".")
// Return the root domain
return urlFinal, nil
}
// Reads a file and returns the contents
func ReadFile(file string) (string, error) {
// Check if the file exists
_, err := os.Stat(file)
// Check if there was an error
if err != nil {
return "", err
}
// Read the file
data, err := os.ReadFile(file)
// Check if there was an error
if err != nil {
return "", err
}
// Return the file contents
return string(data), nil
}
// Parses a file into a comma separated list of users
func ParseFileToLine(content string) string {
// Split the content by newline
lines := strings.Split(content, "\n")
// Create a list of users
users := make([]string, 0)
// Loop through the lines, trimming the whitespace and appending to the users list
for _, line := range lines {
if strings.TrimSpace(line) == "" {
continue
}
users = append(users, strings.TrimSpace(line))
}
// Return the users as a comma separated string
return strings.Join(users, ",")
}
// Get the secret from the config or file
func GetSecret(conf string, file string) string {
// If neither the config or file is set, return an empty string
if conf == "" && file == "" {
return ""
}
// If the config is set, return the config (environment variable)
if conf != "" {
return conf
}
// If the file is set, read the file
contents, err := ReadFile(file)
// Check if there was an error
if err != nil {
return ""
}
// Return the contents of the file
return ParseSecretFile(contents)
}
// Get the users from the config or file
func GetUsers(conf string, file string) (types.Users, error) {
// Create a string to store the users
var users string
// If neither the config or file is set, return an empty users struct
if conf == "" && file == "" {
return types.Users{}, nil
}
// If the config (environment) is set, append the users to the users string
if conf != "" {
log.Debug().Msg("Using users from config")
users += conf
}
// If the file is set, read the file and append the users to the users string
if file != "" {
// Read the file
contents, err := ReadFile(file)
// If there isn't an error we can append the users to the users string
if err == nil {
log.Debug().Msg("Using users from file")
// Append the users to the users string
if users != "" {
users += ","
}
// Parse the file contents into a comma separated list of users
users += ParseFileToLine(contents)
}
}
// Return the parsed users
return ParseUsers(users)
}
// Parse the headers in a map[string]string format
func ParseHeaders(headers []string) map[string]string {
// Create a map to store the headers
headerMap := make(map[string]string)
// Loop through the headers
for _, header := range headers {
split := strings.SplitN(header, "=", 2)
if len(split) != 2 || strings.TrimSpace(split[0]) == "" || strings.TrimSpace(split[1]) == "" {
@@ -197,25 +147,19 @@ func ParseHeaders(headers []string) map[string]string {
headerMap[key] = value
}
// Return the header map
return headerMap
}
// Get labels parses a map of labels into a struct with only the needed labels
func GetLabels(labels map[string]string) (types.Labels, error) {
// Create a new labels struct
var labelsParsed types.Labels
// Decode the labels into the labels struct
err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.users", "tinyauth.allowed", "tinyauth.headers", "tinyauth.domain", "tinyauth.basic", "tinyauth.oauth", "tinyauth.ip")
// Check if there was an error
if err != nil {
log.Error().Err(err).Msg("Error parsing labels")
return types.Labels{}, err
}
// Return the labels struct
return labelsParsed, nil
}
@@ -236,27 +180,22 @@ func Filter[T any](slice []T, test func(T) bool) (res []T) {
// Parse user
func ParseUser(user string) (types.User, error) {
// Check if the user is escaped
if strings.Contains(user, "$$") {
user = strings.ReplaceAll(user, "$$", "$")
}
// Split the user by colon
userSplit := strings.Split(user, ":")
// Check if the user is in the correct format
if len(userSplit) < 2 || len(userSplit) > 3 {
return types.User{}, errors.New("invalid user format")
}
// Check for empty strings
for _, userPart := range userSplit {
if strings.TrimSpace(userPart) == "" {
return types.User{}, errors.New("invalid user format")
}
}
// Check if the user has a totp secret
if len(userSplit) == 2 {
return types.User{
Username: strings.TrimSpace(userSplit[0]),
@@ -264,7 +203,6 @@ func ParseUser(user string) (types.User, error) {
}, nil
}
// Return the user struct
return types.User{
Username: strings.TrimSpace(userSplit[0]),
Password: strings.TrimSpace(userSplit[1]),
@@ -274,60 +212,44 @@ func ParseUser(user string) (types.User, error) {
// Parse secret file
func ParseSecretFile(contents string) string {
// Split to lines
lines := strings.Split(contents, "\n")
// Loop through the lines
for _, line := range lines {
// Check if the line is empty
if strings.TrimSpace(line) == "" {
continue
}
// Return the line
return strings.TrimSpace(line)
}
// Return an empty string
return ""
}
// Check if a string matches a regex or a whitelist
func CheckWhitelist(whitelist string, str string) bool {
// Check if the whitelist is empty
if len(strings.TrimSpace(whitelist)) == 0 {
// Check if a string matches a regex or if it is included in a comma separated list
func CheckFilter(filter string, str string) bool {
if len(strings.TrimSpace(filter)) == 0 {
return true
}
// Check if the whitelist is a regex
if strings.HasPrefix(whitelist, "/") && strings.HasSuffix(whitelist, "/") {
// Create regex
re, err := regexp.Compile(whitelist[1 : len(whitelist)-1])
// Check if there was an error
if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
re, err := regexp.Compile(filter[1 : len(filter)-1])
if err != nil {
log.Error().Err(err).Msg("Error compiling regex")
return false
}
// Check if the string matches the regex
if re.MatchString(str) {
return true
}
}
// Split the whitelist by comma
whitelistSplit := strings.Split(whitelist, ",")
filterSplit := strings.Split(filter, ",")
// Loop through the whitelist
for _, item := range whitelistSplit {
// Check if the item matches with the string
for _, item := range filterSplit {
if strings.TrimSpace(item) == str {
return true
}
}
// Return false if no match was found
return false
}
@@ -352,89 +274,56 @@ func SanitizeHeader(header string) string {
// Generate a static identifier from a string
func GenerateIdentifier(str string) string {
// Create a new UUID
uuid := uuid.NewSHA1(uuid.NameSpaceURL, []byte(str))
// Convert the UUID to a string
uuidString := uuid.String()
// Show the UUID
log.Debug().Str("uuid", uuidString).Msg("Generated UUID")
// Convert the UUID to a string
return strings.Split(uuidString, "-")[0]
}
// Get a basic auth header from a username and password
func GetBasicAuth(username string, password string) string {
// Create the auth string
auth := username + ":" + password
// Encode the auth string to base64
return base64.StdEncoding.EncodeToString([]byte(auth))
}
// Check if an IP is contained in a CIDR range/matches a single IP
func FilterIP(filter string, ip string) (bool, error) {
// Convert the check IP to an IP instance
ipAddr := net.ParseIP(ip)
// Check if the filter is a CIDR range
if strings.Contains(filter, "/") {
// Parse the CIDR range
_, cidr, err := net.ParseCIDR(filter)
// Check if there was an error
if err != nil {
return false, err
}
// Check if the IP is in the CIDR range
return cidr.Contains(ipAddr), nil
}
// Parse the filter as a single IP
ipFilter := net.ParseIP(filter)
// Check if the IP is valid
if ipFilter == nil {
return false, errors.New("invalid IP address in filter")
}
// Check if the IP matches the filter
if ipFilter.Equal(ipAddr) {
return true, nil
}
// If the filter is not a CIDR range or a single IP, return false
return false, nil
}
func DeriveKey(secret string, info string) (string, error) {
// Create hashing function
hash := sha256.New
// Create a new key using the secret and info
hkdf := hkdf.New(hash, []byte(secret), nil, []byte(info)) // I am not using a salt because I just want two different keys from one secret, maybe bad practice
// Create a new key
key := make([]byte, 24)
// Read the key from the HKDF
_, err := io.ReadFull(hkdf, key)
if err != nil {
return "", err
}
// Verify the key is not empty
if bytes.Equal(key, make([]byte, 24)) {
return "", errors.New("derived key is empty")
}
// Encode the key to base64
encodedKey := base64.StdEncoding.EncodeToString(key)
// Return the key as a base64 encoded string
return encodedKey, nil
}

173
internal/utils/utils_test.go
View File

@@ -9,11 +9,9 @@ import (
"tinyauth/internal/utils"
)
// Test the parse users function
func TestParseUsers(t *testing.T) {
t.Log("Testing parse users with a valid string")
// Test the parse users function with a valid string
users := "user1:pass1,user2:pass2"
expected := types.Users{
{
@@ -27,154 +25,116 @@ func TestParseUsers(t *testing.T) {
}
result, err := utils.ParseUsers(users)
// Check if there was an error
if err != nil {
t.Fatalf("Error parsing users: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the get upper domain function
func TestGetUpperDomain(t *testing.T) {
t.Log("Testing get upper domain with a valid url")
// Test the get upper domain function with a valid url
url := "https://sub1.sub2.domain.com:8080"
expected := "sub2.domain.com"
result, err := utils.GetUpperDomain(url)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting root url: %v", err)
}
// Check if the result is equal to the expected
if expected != result {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the read file function
func TestReadFile(t *testing.T) {
t.Log("Creating a test file")
// Create a test file
err := os.WriteFile("/tmp/test.txt", []byte("test"), 0644)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating test file: %v", err)
}
// Test the read file function
t.Log("Testing read file with a valid file")
data, err := utils.ReadFile("/tmp/test.txt")
// Check if there was an error
if err != nil {
t.Fatalf("Error reading file: %v", err)
}
// Check if the data is equal to the expected
if data != "test" {
t.Fatalf("Expected test, got %v", data)
}
// Cleanup the test file
t.Log("Cleaning up test file")
err = os.Remove("/tmp/test.txt")
// Check if there was an error
if err != nil {
t.Fatalf("Error cleaning up test file: %v", err)
}
}
// Test the parse file to line function
func TestParseFileToLine(t *testing.T) {
t.Log("Testing parse file to line with a valid string")
// Test the parse file to line function with a valid string
content := "\nuser1:pass1\nuser2:pass2\n"
expected := "user1:pass1,user2:pass2"
result := utils.ParseFileToLine(content)
// Check if the result is equal to the expected
if expected != result {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the get secret function
func TestGetSecret(t *testing.T) {
t.Log("Testing get secret with an empty config and file")
// Test the get secret function with an empty config and file
conf := ""
file := "/tmp/test.txt"
expected := "test"
// Create file
err := os.WriteFile(file, []byte(fmt.Sprintf("\n\n \n\n\n %s \n\n \n ", expected)), 0644)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating test file: %v", err)
}
// Test
result := utils.GetSecret(conf, file)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing get secret with an empty file and a valid config")
// Test the get secret function with an empty file and a valid config
result = utils.GetSecret(expected, "")
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing get secret with both a valid config and file")
// Test the get secret function with both a valid config and file
result = utils.GetSecret(expected, file)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
// Cleanup the test file
t.Log("Cleaning up test file")
err = os.Remove(file)
// Check if there was an error
if err != nil {
t.Fatalf("Error cleaning up test file: %v", err)
}
}
// Test the get users function
func TestGetUsers(t *testing.T) {
t.Log("Testing get users with a config and no file")
// Test the get users function with a config and no file
conf := "user1:pass1,user2:pass2"
file := ""
expected := types.Users{
@@ -189,20 +149,16 @@ func TestGetUsers(t *testing.T) {
}
result, err := utils.GetUsers(conf, file)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting users: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing get users with a file and no config")
// Test the get users function with a file and no config
conf = ""
file = "/tmp/test.txt"
expected = types.Users{
@@ -216,28 +172,20 @@ func TestGetUsers(t *testing.T) {
},
}
// Create file
err = os.WriteFile(file, []byte("user1:pass1\nuser2:pass2"), 0644)
// Check if there was an error
if err != nil {
t.Fatalf("Error creating test file: %v", err)
}
// Test
result, err = utils.GetUsers(conf, file)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting users: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
// Test the get users function with both a config and file
t.Log("Testing get users with both a config and file")
conf = "user3:pass3"
@@ -257,33 +205,25 @@ func TestGetUsers(t *testing.T) {
}
result, err = utils.GetUsers(conf, file)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting users: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
// Cleanup the test file
t.Log("Cleaning up test file")
err = os.Remove(file)
// Check if there was an error
if err != nil {
t.Fatalf("Error cleaning up test file: %v", err)
}
}
// Test the get labels function
func TestGetLabels(t *testing.T) {
t.Log("Testing get labels with a valid map")
// Test the get tinyauth labels function with a valid map
labels := map[string]string{
"tinyauth.users": "user1,user2",
"tinyauth.oauth.whitelist": "/regex/",
@@ -303,23 +243,18 @@ func TestGetLabels(t *testing.T) {
}
result, err := utils.GetLabels(labels)
// Check if there was an error
if err != nil {
t.Fatalf("Error getting labels: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test parse user
func TestParseUser(t *testing.T) {
t.Log("Testing parse user with a valid user")
// Create variables
user := "user:pass:secret"
expected := types.User{
Username: "user",
@@ -327,22 +262,17 @@ func TestParseUser(t *testing.T) {
TotpSecret: "secret",
}
// Test the parse user function
result, err := utils.ParseUser(user)
// Check if there was an error
if err != nil {
t.Fatalf("Error parsing user: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing parse user with an escaped user")
// Create variables
user = "user:p$$ass$$:secret"
expected = types.User{
Username: "user",
@@ -350,304 +280,233 @@ func TestParseUser(t *testing.T) {
TotpSecret: "secret",
}
// Test the parse user function
result, err = utils.ParseUser(user)
// Check if there was an error
if err != nil {
t.Fatalf("Error parsing user: %v", err)
}
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing parse user with an invalid user")
// Create variables
user = "user::pass"
// Test the parse user function
_, err = utils.ParseUser(user)
// Check if there was an error
if err == nil {
t.Fatalf("Expected error parsing user")
}
}
// Test the whitelist function
func TestCheckWhitelist(t *testing.T) {
t.Log("Testing check whitelist with a comma whitelist")
func TestCheckFilter(t *testing.T) {
t.Log("Testing check filter with a comma separated list")
// Create variables
whitelist := "user1,user2,user3"
filter := "user1,user2,user3"
str := "user1"
expected := true
// Test the check whitelist function
result := utils.CheckWhitelist(whitelist, str)
result := utils.CheckFilter(filter, str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing check whitelist with a regex whitelist")
t.Log("Testing check filter with a regex filter")
// Create variables
whitelist = "/^user[0-9]+$/"
filter = "/^user[0-9]+$/"
str = "user1"
expected = true
// Test the check whitelist function
result = utils.CheckWhitelist(whitelist, str)
result = utils.CheckFilter(filter, str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing check whitelist with an empty whitelist")
t.Log("Testing check filter with an empty filter")
// Create variables
whitelist = ""
filter = ""
str = "user1"
expected = true
// Test the check whitelist function
result = utils.CheckWhitelist(whitelist, str)
result = utils.CheckFilter(filter, str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing check whitelist with an invalid regex whitelist")
t.Log("Testing check filter with an invalid regex filter")
// Create variables
whitelist = "/^user[0-9+$/"
filter = "/^user[0-9+$/"
str = "user1"
expected = false
// Test the check whitelist function
result = utils.CheckWhitelist(whitelist, str)
result = utils.CheckFilter(filter, str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing check whitelist with a non matching whitelist")
t.Log("Testing check filter with a non matching list")
// Create variables
whitelist = "user1,user2,user3"
filter = "user1,user2,user3"
str = "user4"
expected = false
// Test the check whitelist function
result = utils.CheckWhitelist(whitelist, str)
result = utils.CheckFilter(filter, str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the header sanitizer
func TestSanitizeHeader(t *testing.T) {
t.Log("Testing sanitize header with a valid string")
// Create variables
str := "X-Header=value"
expected := "X-Header=value"
// Test the sanitize header function
result := utils.SanitizeHeader(str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing sanitize header with an invalid string")
// Create variables
str = "X-Header=val\nue"
expected = "X-Header=value"
// Test the sanitize header function
result = utils.SanitizeHeader(str)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the parse headers function
func TestParseHeaders(t *testing.T) {
t.Log("Testing parse headers with a valid string")
// Create variables
headers := []string{"X-Hea\x00der1=value1", "X-Header2=value\n2"}
expected := map[string]string{
"X-Header1": "value1",
"X-Header2": "value2",
}
// Test the parse headers function
result := utils.ParseHeaders(headers)
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing parse headers with an invalid string")
// Create variables
headers = []string{"X-Header1=", "X-Header2", "=value", "X-Header3=value3"}
expected = map[string]string{"X-Header3": "value3"}
// Test the parse headers function
result = utils.ParseHeaders(headers)
// Check if the result is equal to the expected
if !reflect.DeepEqual(expected, result) {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the parse secret file function
func TestParseSecretFile(t *testing.T) {
t.Log("Testing parse secret file with a valid file")
// Create variables
content := "\n\n \n\n\n secret \n\n \n "
expected := "secret"
// Test the parse secret file function
result := utils.ParseSecretFile(content)
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
}
// Test the filter IP function
func TestFilterIP(t *testing.T) {
t.Log("Testing filter IP with an IP and a valid CIDR")
// Create variables
ip := "10.10.10.10"
filter := "10.10.10.0/24"
expected := true
// Test the filter IP function
result, err := utils.FilterIP(filter, ip)
// Check if there was an error
if err != nil {
t.Fatalf("Error filtering IP: %v", err)
}
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing filter IP with an IP and a valid IP")
// Create variables
filter = "10.10.10.10"
expected = true
// Test the filter IP function
result, err = utils.FilterIP(filter, ip)
// Check if there was an error
if err != nil {
t.Fatalf("Error filtering IP: %v", err)
}
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing filter IP with an IP and an non matching CIDR")
// Create variables
filter = "10.10.15.0/24"
expected = false
// Test the filter IP function
result, err = utils.FilterIP(filter, ip)
// Check if there was an error
if err != nil {
t.Fatalf("Error filtering IP: %v", err)
}
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing filter IP with a non matching IP and a valid CIDR")
// Create variables
filter = "10.10.10.11"
expected = false
// Test the filter IP function
result, err = utils.FilterIP(filter, ip)
// Check if there was an error
if err != nil {
t.Fatalf("Error filtering IP: %v", err)
}
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}
t.Log("Testing filter IP with an IP and an invalid CIDR")
// Create variables
filter = "10.../83"
// Test the filter IP function
_, err = utils.FilterIP(filter, ip)
// Check if there was an error
if err == nil {
t.Fatalf("Expected error filtering IP")
}
}
// Test the derive key function
func TestDeriveKey(t *testing.T) {
t.Log("Testing the derive key function")
// Create variables
master := "master"
info := "info"
expected := "gdrdU/fXzclYjiSXRexEatVgV13qQmKl"
// Test the derive key function
result, err := utils.DeriveKey(master, info)
// Check if there was an error
if err != nil {
t.Fatalf("Error deriving key: %v", err)
}
// Check if the result is equal to the expected
if result != expected {
t.Fatalf("Expected %v, got %v", expected, result)
}

3
main.go
View File

@@ -10,9 +10,6 @@ import (
)
func main() {
// Logger
log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger().Level(zerolog.FatalLevel)
// Run cmd
cmd.Execute()
}