mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-10-28 20:55:42 +00:00
Compare commits
14 Commits
v4.0.0-bet
...
9b76a84ee2
| Author | SHA1 | Date | |
|---|---|---|---|
|
9b76a84ee2 | ||
|
|
ed20d2cf51 | ||
|
|
fc7e395e66 | ||
|
|
b940d681c3 | ||
|
|
a1ec4a69cf | ||
|
|
4047cea451 | ||
|
|
5a4855c12c | ||
|
|
05d4dbd68e | ||
|
|
ae8347fd28 | ||
|
|
76f2014444 | ||
|
|
5b7bda3378 | ||
|
|
e878516130 | ||
|
|
e5f1df03c4 | ||
|
|
c77da30d87 |
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
cd frontend
|
||||
bun install
|
||||
bun install --frozen-lockfile
|
||||
|
||||
- name: Set version
|
||||
run: |
|
||||
|
||||
8
.github/workflows/nightly.yml
vendored
8
.github/workflows/nightly.yml
vendored
@@ -66,7 +66,7 @@ jobs:
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
cd frontend
|
||||
bun install
|
||||
bun install --frozen-lockfile
|
||||
|
||||
- name: Install backend dependencies
|
||||
run: |
|
||||
@@ -112,7 +112,7 @@ jobs:
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
cd frontend
|
||||
bun install
|
||||
bun install --frozen-lockfile
|
||||
|
||||
- name: Install backend dependencies
|
||||
run: |
|
||||
@@ -396,6 +396,8 @@ jobs:
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ghcr.io/${{ github.repository_owner }}/tinyauth
|
||||
flavor: |
|
||||
latest=false
|
||||
tags: |
|
||||
type=raw,nightly
|
||||
|
||||
@@ -433,6 +435,8 @@ jobs:
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ghcr.io/${{ github.repository_owner }}/tinyauth
|
||||
flavor: |
|
||||
latest=false
|
||||
tags: |
|
||||
type=raw,nightly-distroless
|
||||
|
||||
|
||||
23
.github/workflows/release.yml
vendored
23
.github/workflows/release.yml
vendored
@@ -44,7 +44,7 @@ jobs:
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
cd frontend
|
||||
bun install
|
||||
bun install --frozen-lockfile
|
||||
|
||||
- name: Install backend dependencies
|
||||
run: |
|
||||
@@ -87,7 +87,7 @@ jobs:
|
||||
- name: Install frontend dependencies
|
||||
run: |
|
||||
cd frontend
|
||||
bun install
|
||||
bun install --frozen-lockfile
|
||||
|
||||
- name: Install backend dependencies
|
||||
run: |
|
||||
@@ -359,10 +359,13 @@ jobs:
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ghcr.io/${{ github.repository_owner }}/tinyauth
|
||||
flavor: |
|
||||
latest=true
|
||||
prefix=v,onlatest=false
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=v
|
||||
type=semver,pattern={{major}},prefix=v
|
||||
type=semver,pattern={{major}}.{{minor}},prefix=v
|
||||
type=semver,pattern={{version}}
|
||||
type=semver,pattern={{major}}
|
||||
type=semver,pattern={{major}}.{{minor}}
|
||||
|
||||
- name: Create manifest list and push
|
||||
working-directory: ${{ runner.temp }}/digests
|
||||
@@ -398,10 +401,14 @@ jobs:
|
||||
uses: docker/metadata-action@v5
|
||||
with:
|
||||
images: ghcr.io/${{ github.repository_owner }}/tinyauth
|
||||
flavor: |
|
||||
latest=false
|
||||
prefix=v,onlatest=false
|
||||
suffix=-distroless,onlatest=false
|
||||
tags: |
|
||||
type=semver,pattern={{version}},prefix=v,suffix=-distroless
|
||||
type=semver,pattern={{major}},prefix=v,suffix=-distroless
|
||||
type=semver,pattern={{major}}.{{minor}},prefix=v,suffix=-distroless
|
||||
type=semver,pattern={{version}}
|
||||
type=semver,pattern={{major}}
|
||||
type=semver,pattern={{major}}.{{minor}}
|
||||
|
||||
- name: Create manifest list and push
|
||||
working-directory: ${{ runner.temp }}/digests
|
||||
|
||||
12
Dockerfile
12
Dockerfile
@@ -6,7 +6,7 @@ WORKDIR /frontend
|
||||
COPY ./frontend/package.json ./
|
||||
COPY ./frontend/bun.lock ./
|
||||
|
||||
RUN bun install
|
||||
RUN bun install --frozen-lockfile
|
||||
|
||||
COPY ./frontend/public ./public
|
||||
COPY ./frontend/src ./src
|
||||
@@ -47,10 +47,16 @@ WORKDIR /tinyauth
|
||||
|
||||
COPY --from=builder /tinyauth/tinyauth ./
|
||||
|
||||
RUN mkdir -p /data
|
||||
|
||||
EXPOSE 3000
|
||||
|
||||
VOLUME ["/data"]
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["/tinyauth/tinyauth", "healthcheck"]
|
||||
ENV GIN_MODE=release
|
||||
|
||||
ENTRYPOINT ["/tinyauth/tinyauth"]
|
||||
ENV PATH=$PATH:/tinyauth
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
|
||||
|
||||
ENTRYPOINT ["tinyauth"]
|
||||
@@ -6,7 +6,7 @@ WORKDIR /frontend
|
||||
COPY ./frontend/package.json ./
|
||||
COPY ./frontend/bun.lock ./
|
||||
|
||||
RUN bun install
|
||||
RUN bun install --frozen-lockfile
|
||||
|
||||
COPY ./frontend/public ./public
|
||||
COPY ./frontend/src ./src
|
||||
@@ -38,6 +38,8 @@ COPY ./cmd ./cmd
|
||||
COPY ./internal ./internal
|
||||
COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
|
||||
|
||||
RUN mkdir -p data
|
||||
|
||||
RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}"
|
||||
|
||||
# Runner
|
||||
@@ -47,10 +49,17 @@ WORKDIR /tinyauth
|
||||
|
||||
COPY --from=builder /tinyauth/tinyauth ./
|
||||
|
||||
# Since it's distroless, we need to copy the data directory from the builder stage
|
||||
COPY --from=builder /tinyauth/data /data
|
||||
|
||||
EXPOSE 3000
|
||||
|
||||
VOLUME ["/data"]
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["/tinyauth/tinyauth", "healthcheck"]
|
||||
ENV GIN_MODE=release
|
||||
|
||||
ENTRYPOINT ["/tinyauth/tinyauth"]
|
||||
ENV PATH=$PATH:/tinyauth
|
||||
|
||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
|
||||
|
||||
ENTRYPOINT ["tinyauth"]
|
||||
@@ -53,7 +53,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
|
||||
|
||||
A big thank you to the following people for providing me with more coffee:
|
||||
|
||||
<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https://github.com/erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a> <a href="https://github.com/nicotsx"><img src="https://github.com/nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a> <a href="https://github.com/SimpleHomelab"><img src="https://github.com/SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a> <a href="https://github.com/jmadden91"><img src="https://github.com/jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a> <a href="https://github.com/tribor"><img src="https://github.com/tribor.png" width="64px" alt="User avatar: tribor" /></a> <a href="https://github.com/eliasbenb"><img src="https://github.com/eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a> <a href="https://github.com/afunworm"><img src="https://github.com/afunworm.png" width="64px" alt="User avatar: afunworm" /></a> <!-- sponsors -->
|
||||
<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https://github.com/erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a> <a href="https://github.com/nicotsx"><img src="https://github.com/nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a> <a href="https://github.com/SimpleHomelab"><img src="https://github.com/SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a> <a href="https://github.com/jmadden91"><img src="https://github.com/jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a> <a href="https://github.com/tribor"><img src="https://github.com/tribor.png" width="64px" alt="User avatar: tribor" /></a> <a href="https://github.com/eliasbenb"><img src="https://github.com/eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a> <a href="https://github.com/afunworm"><img src="https://github.com/afunworm.png" width="64px" alt="User avatar: afunworm" /></a> <a href="https://github.com/chip-well"><img src="https://github.com/chip-well.png" width="64px" alt="User avatar: chip-well" /></a> <a href="https://github.com/Lancelot-Enguerrand"><img src="https://github.com/Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a> <!-- sponsors -->
|
||||
|
||||
## Acknowledgements
|
||||
|
||||
|
||||
2
air.toml
2
air.toml
@@ -2,7 +2,7 @@ root = "/tinyauth"
|
||||
tmp_dir = "tmp"
|
||||
|
||||
[build]
|
||||
pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html", "go install github.com/go-delve/delve/cmd/dlv@v1.25.0"]
|
||||
pre_cmd = ["mkdir -p internal/assets/dist", "mkdir -p /data", "echo 'backend running' > internal/assets/dist/index.html", "go install github.com/go-delve/delve/cmd/dlv@v1.25.0"]
|
||||
cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ."
|
||||
bin = "/go/bin/dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue --check-go-version=false"
|
||||
include_ext = ["go"]
|
||||
|
||||
@@ -112,6 +112,10 @@ func (c *rootCmd) run(cmd *cobra.Command, args []string) {
|
||||
log.Logger = log.Level(zerolog.Level(utils.GetLogLevel(conf.LogLevel)))
|
||||
log.Info().Str("version", strings.TrimSpace(config.Version)).Msg("Starting Tinyauth")
|
||||
|
||||
if log.Logger.GetLevel() == zerolog.TraceLevel {
|
||||
log.Warn().Msg("Log level set to trace, this will log sensitive information!")
|
||||
}
|
||||
|
||||
app := bootstrap.NewBootstrapApp(conf)
|
||||
|
||||
err = app.Setup()
|
||||
|
||||
@@ -8,9 +8,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
|
||||
const { backgroundImage, title } = useAppContext();
|
||||
|
||||
useEffect(() => {
|
||||
if (title !== "Tinyauth") {
|
||||
document.title = title + " - Tinyauth";
|
||||
}
|
||||
document.title = title;
|
||||
}, [title]);
|
||||
|
||||
return (
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
"tinyauth/internal/config"
|
||||
@@ -157,6 +158,10 @@ func (app *BootstrapApp) Setup() error {
|
||||
})
|
||||
}
|
||||
|
||||
sort.Slice(configuredProviders, func(i, j int) bool {
|
||||
return configuredProviders[i].Name < configuredProviders[j].Name
|
||||
})
|
||||
|
||||
if authService.UserAuthConfigured() || ldapService != nil {
|
||||
configuredProviders = append(configuredProviders, controller.Provider{
|
||||
Name: "Username",
|
||||
@@ -172,11 +177,8 @@ func (app *BootstrapApp) Setup() error {
|
||||
}
|
||||
|
||||
// Create engine
|
||||
if config.Version != "development" {
|
||||
gin.SetMode(gin.ReleaseMode)
|
||||
}
|
||||
|
||||
engine := gin.New()
|
||||
engine.Use(gin.Recovery())
|
||||
|
||||
if len(app.config.TrustedProxies) > 0 {
|
||||
err := engine.SetTrustedProxies(strings.Split(app.config.TrustedProxies, ","))
|
||||
|
||||
@@ -162,7 +162,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
|
||||
|
||||
var name string
|
||||
|
||||
if user.Name != "" {
|
||||
if strings.TrimSpace(user.Name) != "" {
|
||||
log.Debug().Msg("Using name from OAuth provider")
|
||||
name = user.Name
|
||||
} else {
|
||||
@@ -172,7 +172,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
|
||||
|
||||
var username string
|
||||
|
||||
if user.PreferredUsername != "" {
|
||||
if strings.TrimSpace(user.PreferredUsername) != "" {
|
||||
log.Debug().Msg("Using preferred username from OAuth provider")
|
||||
username = user.PreferredUsername
|
||||
} else {
|
||||
|
||||
@@ -84,6 +84,8 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
log.Trace().Interface("labels", labels).Msg("Labels for resource")
|
||||
|
||||
clientIP := c.ClientIP()
|
||||
|
||||
if controller.auth.IsBypassedIP(labels.IP, clientIP) {
|
||||
@@ -150,6 +152,8 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
userContext = context
|
||||
}
|
||||
|
||||
log.Trace().Interface("context", userContext).Msg("User context from request")
|
||||
|
||||
if userContext.Provider == "basic" && userContext.TotpEnabled {
|
||||
log.Debug().Msg("User has TOTP enabled, denying basic auth access")
|
||||
userContext.IsLoggedIn = false
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
"tinyauth/internal/assets"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
@@ -27,14 +29,16 @@ func (m *UIMiddleware) Init() error {
|
||||
}
|
||||
|
||||
m.uiFs = ui
|
||||
m.uiFileServer = http.FileServer(http.FS(ui))
|
||||
m.uiFileServer = http.FileServerFS(ui)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *UIMiddleware) Middleware() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
switch strings.Split(c.Request.URL.Path, "/")[1] {
|
||||
path := strings.TrimPrefix(c.Request.URL.Path, "/")
|
||||
|
||||
switch strings.SplitN(path, "/", 2)[0] {
|
||||
case "api":
|
||||
c.Next()
|
||||
return
|
||||
@@ -42,12 +46,19 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
|
||||
c.Next()
|
||||
return
|
||||
default:
|
||||
_, err := fs.Stat(m.uiFs, strings.TrimPrefix(c.Request.URL.Path, "/"))
|
||||
_, err := fs.Stat(m.uiFs, path)
|
||||
|
||||
// Enough for one authentication flow
|
||||
maxAge := 15 * time.Minute
|
||||
|
||||
if os.IsNotExist(err) {
|
||||
c.Request.URL.Path = "/"
|
||||
} else if strings.HasPrefix(path, "assets/") {
|
||||
// assets are named with a hash and can be cached for a long time
|
||||
maxAge = 30 * 24 * time.Hour
|
||||
}
|
||||
|
||||
c.Writer.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", int(maxAge.Seconds())))
|
||||
m.uiFileServer.ServeHTTP(c.Writer, c.Request)
|
||||
c.Abort()
|
||||
return
|
||||
|
||||
@@ -318,6 +318,7 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
|
||||
|
||||
for userGroup := range strings.SplitSeq(context.OAuthGroups, ",") {
|
||||
if utils.CheckFilter(requiredGroups, strings.TrimSpace(userGroup)) {
|
||||
log.Trace().Str("group", userGroup).Str("required", requiredGroups).Msg("User group matched")
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,8 +12,9 @@ import (
|
||||
)
|
||||
|
||||
type DockerService struct {
|
||||
client *client.Client
|
||||
context context.Context
|
||||
client *client.Client
|
||||
context context.Context
|
||||
isConnected bool
|
||||
}
|
||||
|
||||
func NewDockerService() *DockerService {
|
||||
@@ -31,10 +32,24 @@ func (docker *DockerService) Init() error {
|
||||
|
||||
docker.client = client
|
||||
docker.context = ctx
|
||||
|
||||
_, err = docker.client.Ping(docker.context)
|
||||
|
||||
if err != nil {
|
||||
log.Debug().Err(err).Msg("Docker not connected")
|
||||
docker.isConnected = false
|
||||
docker.client = nil
|
||||
docker.context = nil
|
||||
return nil
|
||||
}
|
||||
|
||||
docker.isConnected = true
|
||||
log.Debug().Msg("Docker connected")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (docker *DockerService) GetContainers() ([]container.Summary, error) {
|
||||
func (docker *DockerService) getContainers() ([]container.Summary, error) {
|
||||
containers, err := docker.client.ContainerList(docker.context, container.ListOptions{})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -42,7 +57,7 @@ func (docker *DockerService) GetContainers() ([]container.Summary, error) {
|
||||
return containers, nil
|
||||
}
|
||||
|
||||
func (docker *DockerService) InspectContainer(containerId string) (container.InspectResponse, error) {
|
||||
func (docker *DockerService) inspectContainer(containerId string) (container.InspectResponse, error) {
|
||||
inspect, err := docker.client.ContainerInspect(docker.context, containerId)
|
||||
if err != nil {
|
||||
return container.InspectResponse{}, err
|
||||
@@ -50,26 +65,19 @@ func (docker *DockerService) InspectContainer(containerId string) (container.Ins
|
||||
return inspect, nil
|
||||
}
|
||||
|
||||
func (docker *DockerService) DockerConnected() bool {
|
||||
_, err := docker.client.Ping(docker.context)
|
||||
return err == nil
|
||||
}
|
||||
|
||||
func (docker *DockerService) GetLabels(appDomain string) (config.App, error) {
|
||||
isConnected := docker.DockerConnected()
|
||||
|
||||
if !isConnected {
|
||||
if !docker.isConnected {
|
||||
log.Debug().Msg("Docker not connected, returning empty labels")
|
||||
return config.App{}, nil
|
||||
}
|
||||
|
||||
containers, err := docker.GetContainers()
|
||||
containers, err := docker.getContainers()
|
||||
if err != nil {
|
||||
return config.App{}, err
|
||||
}
|
||||
|
||||
for _, ctr := range containers {
|
||||
inspect, err := docker.InspectContainer(ctr.ID)
|
||||
inspect, err := docker.inspectContainer(ctr.ID)
|
||||
if err != nil {
|
||||
return config.App{}, err
|
||||
}
|
||||
@@ -81,12 +89,12 @@ func (docker *DockerService) GetLabels(appDomain string) (config.App, error) {
|
||||
|
||||
for appName, appLabels := range labels.Apps {
|
||||
if appLabels.Config.Domain == appDomain {
|
||||
log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain")
|
||||
log.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
|
||||
return appLabels, nil
|
||||
}
|
||||
|
||||
if strings.TrimPrefix(inspect.Name, "/") == appName {
|
||||
log.Debug().Str("id", inspect.ID).Msg("Found matching container by app name")
|
||||
log.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
|
||||
return appLabels, nil
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,6 +12,7 @@ import (
|
||||
"time"
|
||||
"tinyauth/internal/config"
|
||||
|
||||
"github.com/rs/zerolog/log"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
@@ -110,6 +111,8 @@ func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {
|
||||
return user, err
|
||||
}
|
||||
|
||||
log.Trace().Str("body", string(body)).Msg("Userinfo response body")
|
||||
|
||||
err = json.Unmarshal(body, &user)
|
||||
if err != nil {
|
||||
return user, err
|
||||
|
||||
Reference in New Issue
Block a user