chore(deps): bump github.com/weppos/publicsuffix-go

Bumps the minor-patch group with 1 update: [github.com/weppos/publicsuffix-go](https://github.com/weppos/publicsuffix-go).


Updates `github.com/weppos/publicsuffix-go` from 0.50.2 to 0.50.3
- [Changelog](https://github.com/weppos/publicsuffix-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/weppos/publicsuffix-go/compare/v0.50.2...v0.50.3)

---
updated-dependencies:
- dependency-name: github.com/weppos/publicsuffix-go
  dependency-version: 0.50.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.env.example

@@ -4,14 +4,23 @@
 
 # The base URL where the app is hosted.
 TINYAUTH_APPURL=
+
+# database config
+
+# The path to the database, including file name.
+TINYAUTH_DATABASE_PATH="./tinyauth.db"
+
+# analytics config
+
+# Enable periodic version information collection.
+TINYAUTH_ANALYTICS_ENABLED=true
+
+# resources config
+
+# Enable the resources server.
+TINYAUTH_RESOURCES_ENABLED=true
 # The directory where resources are stored.
-TINYAUTH_RESOURCESDIR="./resources"
+TINYAUTH_RESOURCES_PATH="./resources"
-# The path to the database file.
-TINYAUTH_DATABASEPATH="./tinyauth.db"
-# Disable analytics.
-TINYAUTH_DISABLEANALYTICS=false
-# Disable resources server.
-TINYAUTH_DISABLERESOURCES=false
 
 # server config
 
@@ -107,9 +116,9 @@ TINYAUTH_OAUTH_PROVIDERS_name_NAME=
 
 # oidc config
 
-# Path to the private key file.
+# Path to the private key file, including file name.
 TINYAUTH_OIDC_PRIVATEKEYPATH="./tinyauth_oidc_key"
-# Path to the public key file.
+# Path to the public key file, including file name.
 TINYAUTH_OIDC_PUBLICKEYPATH="./tinyauth_oidc_key.pub"
 # OIDC client ID.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTID=
@@ -130,8 +139,8 @@ TINYAUTH_UI_TITLE="Tinyauth"
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="You can change your password by changing the configuration."
 # Path to the background image.
 TINYAUTH_UI_BACKGROUNDIMAGE="/background.jpg"
-# Disable UI warnings.
+# Enable UI warnings.
-TINYAUTH_UI_DISABLEWARNINGS=false
+TINYAUTH_UI_WARNINGSENABLED=true
 
 # ldap config
 

.gitignore

@@ -45,3 +45,6 @@ __debug_*
 
 # generated markdown (for docs)
 /config.gen.md
+
+# testing config
+config.certify.yml

Dockerfile

@@ -57,9 +57,9 @@ EXPOSE 3000
 
 VOLUME ["/data"]
 
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
 
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 
 ENV PATH=$PATH:/tinyauth
 

Dockerfile.dev

@@ -18,8 +18,8 @@ COPY ./air.toml ./
 
 EXPOSE 3000
 
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
 
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 
 ENTRYPOINT ["air", "-c", "air.toml"]

Dockerfile.distroless

@@ -60,9 +60,9 @@ EXPOSE 3000
 
 VOLUME ["/data"]
 
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
 
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 
 ENV PATH=$PATH:/tinyauth
 

frontend/src/components/layout/layout.tsx

@@ -31,7 +31,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 };
 
 export const Layout = () => {
-  const { appUrl, disableUiWarnings } = useAppContext();
+  const { appUrl, warningsEnabled } = useAppContext();
   const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
     return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
   });
@@ -42,7 +42,7 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (!ignoreDomainWarning && !disableUiWarnings && appUrl !== currentUrl) {
+  if (!ignoreDomainWarning && warningsEnabled && appUrl !== currentUrl) {
     return (
       <BaseLayout>
         <DomainWarning

frontend/src/lib/i18n/locales/sr-SP.json

@@ -58,8 +58,8 @@
     "invalidInput": "Неисправан унос",
     "domainWarningTitle": "Неисправан домен",
     "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Тренутни:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Очекивани:",
     "ignoreTitle": "Игнориши",
     "goToCorrectDomainTitle": "Иди на исправан домен",
     "authorizeTitle": "Ауторизуј",

frontend/src/pages/authorize-page.tsx

@@ -155,8 +155,8 @@ export const AuthorizePage = () => {
     <Card>
       <CardHeader className="mb-2">
         <div className="flex flex-col gap-3 items-center justify-center text-center">
-          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-10 p-2 flex items-center justify-center">
+          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {getClientInfo.data?.name.slice(0, 1)}
+            {getClientInfo.data?.name.slice(0, 1) || "U"}
           </div>
           <CardTitle className="text-xl">
             {t("authorizeCardTitle", {

frontend/src/pages/continue-page.tsx

@@ -14,7 +14,7 @@ import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 
 export const ContinuePage = () => {
-  const { cookieDomain, disableUiWarnings } = useAppContext();
+  const { cookieDomain, warningsEnabled } = useAppContext();
   const { isLoggedIn } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
@@ -35,10 +35,9 @@ export const ContinuePage = () => {
   const urlHref = url?.href;
 
   const hasValidRedirect = valid && allowedProto;
-  const showUntrustedWarning =
+  const showUntrustedWarning = hasValidRedirect && !trusted && warningsEnabled;
-    hasValidRedirect && !trusted && !disableUiWarnings;
   const showInsecureWarning =
-    hasValidRedirect && httpsDowngrade && !disableUiWarnings;
+    hasValidRedirect && httpsDowngrade && warningsEnabled;
   const shouldAutoRedirect =
     isLoggedIn &&
     hasValidRedirect &&

frontend/src/schemas/app-context-schema.ts

@@ -14,7 +14,7 @@ export const appContextSchema = z.object({
   forgotPasswordMessage: z.string(),
   backgroundImage: z.string(),
   oauthAutoRedirect: z.string(),
-  disableUiWarnings: z.boolean(),
+  warningsEnabled: z.boolean(),
 });
 
 export type AppContextSchema = z.infer<typeof appContextSchema>;

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
-	github.com/weppos/publicsuffix-go v0.50.2
+	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.35.0

go.sum

@@ -275,8 +275,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/weppos/publicsuffix-go v0.50.2 h1:KsJFc8IEKTJovM46SRCnGNsM+rFShxcs6VEHjOJcXzE=
+github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
-github.com/weppos/publicsuffix-go v0.50.2/go.mod h1:CbQCKDtXF8UcT7hrxeMa0MDjwhpOI9iYOU7cfq+yo8k=
+github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

internal/bootstrap/app_bootstrap.go

@@ -124,7 +124,7 @@ func (app *BootstrapApp) Setup() error {
 	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
 
 	// Database
-	db, err := app.SetupDatabase(app.config.DatabasePath)
+	db, err := app.SetupDatabase(app.config.Database.Path)
 
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
@@ -193,7 +193,7 @@ func (app *BootstrapApp) Setup() error {
 	go app.dbCleanup(queries)
 
 	// If analytics are not disabled, start heartbeat
-	if !app.config.DisableAnalytics {
+	if app.config.Analytics.Enabled {
 		tlog.App.Debug().Msg("Starting heartbeat routine")
 		go app.heartbeat()
 	}

internal/bootstrap/router_bootstrap.go

@@ -71,7 +71,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		DisableUIWarnings:     app.config.UI.DisableWarnings,
+		WarningsEnabled:       app.config.UI.WarningsEnabled,
 	}, apiRouter)
 
 	contextController.SetupRoutes()
@@ -103,8 +103,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	userController.SetupRoutes()
 
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		ResourcesDir:      app.config.ResourcesDir,
+		Path:    app.config.Resources.Path,
-		ResourcesDisabled: app.config.DisableResources,
+		Enabled: app.config.Resources.Enabled,
 	}, &engine.RouterGroup)
 
 	resourcesController.SetupRoutes()

internal/config/config.go

@@ -3,8 +3,16 @@ package config
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
-		ResourcesDir: "./resources",
+		Database: DatabaseConfig{
-		DatabasePath: "./tinyauth.db",
+			Path: "./tinyauth.db",
+		},
+		Analytics: AnalyticsConfig{
+			Enabled: true,
+		},
+		Resources: ResourcesConfig{
+			Enabled: true,
+			Path:    "./resources",
+		},
 		Server: ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
@@ -19,6 +27,7 @@ func NewDefaultConfiguration() *Config {
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
+			WarningsEnabled:       true,
 		},
 		Ldap: LdapConfig{
 			Insecure:      false,
@@ -68,20 +77,32 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 
 type Config struct {
-	AppURL           string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
+	AppURL       string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	ResourcesDir     string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
+	Database     DatabaseConfig     `description:"Database configuration." yaml:"database"`
-	DatabasePath     string             `description:"The path to the database file." yaml:"databasePath"`
+	Analytics    AnalyticsConfig    `description:"Analytics configuration." yaml:"analytics"`
-	DisableAnalytics bool               `description:"Disable analytics." yaml:"disableAnalytics"`
+	Resources    ResourcesConfig    `description:"Resources configuration." yaml:"resources"`
-	DisableResources bool               `description:"Disable resources server." yaml:"disableResources"`
+	Server       ServerConfig       `description:"Server configuration." yaml:"server"`
-	Server           ServerConfig       `description:"Server configuration." yaml:"server"`
+	Auth         AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	Auth             AuthConfig         `description:"Authentication configuration." yaml:"auth"`
+	Apps         map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
-	Apps             map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
+	OAuth        OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
-	OAuth            OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
+	OIDC         OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
-	OIDC             OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
+	UI           UIConfig           `description:"UI customization." yaml:"ui"`
-	UI               UIConfig           `description:"UI customization." yaml:"ui"`
+	Ldap         LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
-	Ldap             LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
+	Experimental ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	Experimental     ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
+	Log          LogConfig          `description:"Logging configuration." yaml:"log"`
-	Log              LogConfig          `description:"Logging configuration." yaml:"log"`
+}
+
+type DatabaseConfig struct {
+	Path string `description:"The path to the database, including file name." yaml:"path"`
+}
+
+type AnalyticsConfig struct {
+	Enabled bool `description:"Enable periodic version information collection." yaml:"enabled"`
+}
+
+type ResourcesConfig struct {
+	Enabled bool   `description:"Enable the resources server." yaml:"enabled"`
+	Path    string `description:"The directory where resources are stored." yaml:"path"`
 }
 
 type ServerConfig struct {
@@ -114,8 +135,8 @@ type OAuthConfig struct {
 }
 
 type OIDCConfig struct {
-	PrivateKeyPath string                      `description:"Path to the private key file." yaml:"privateKeyPath"`
+	PrivateKeyPath string                      `description:"Path to the private key file, including file name." yaml:"privateKeyPath"`
-	PublicKeyPath  string                      `description:"Path to the public key file." yaml:"publicKeyPath"`
+	PublicKeyPath  string                      `description:"Path to the public key file, including file name." yaml:"publicKeyPath"`
 	Clients        map[string]OIDCClientConfig `description:"OIDC clients configuration." yaml:"clients"`
 }
 
@@ -123,7 +144,7 @@ type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
-	DisableWarnings       bool   `description:"Disable UI warnings." yaml:"disableWarnings"`
+	WarningsEnabled       bool   `description:"Enable UI warnings." yaml:"warningsEnabled"`
 }
 
 type LdapConfig struct {

internal/controller/context_controller.go

@@ -33,7 +33,7 @@ type AppContextResponse struct {
 	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
 	BackgroundImage       string     `json:"backgroundImage"`
 	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-	DisableUIWarnings     bool       `json:"disableUiWarnings"`
+	WarningsEnabled       bool       `json:"warningsEnabled"`
 }
 
 type Provider struct {
@@ -50,7 +50,7 @@ type ContextControllerConfig struct {
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
-	DisableUIWarnings     bool
+	WarningsEnabled       bool
 }
 
 type ContextController struct {
@@ -59,7 +59,7 @@ type ContextController struct {
 }
 
 func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
-	if config.DisableUIWarnings {
+	if !config.WarningsEnabled {
 		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}
 
@@ -124,6 +124,6 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
-		DisableUIWarnings:     controller.config.DisableUIWarnings,
+		WarningsEnabled:       controller.config.WarningsEnabled,
 	})
 }

internal/controller/context_controller_test.go

@@ -32,7 +32,7 @@ var contextControllerCfg = controller.ContextControllerConfig{
 	ForgotPasswordMessage: "Contact admin to reset your password.",
 	BackgroundImage:       "/assets/bg.jpg",
 	OAuthAutoRedirect:     "google",
-	DisableUIWarnings:     false,
+	WarningsEnabled:       true,
 }
 
 var contextCtrlTestContext = config.UserContext{
@@ -82,7 +82,7 @@ func TestAppContextHandler(t *testing.T) {
 		ForgotPasswordMessage: contextControllerCfg.ForgotPasswordMessage,
 		BackgroundImage:       contextControllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
-		DisableUIWarnings:     contextControllerCfg.DisableUIWarnings,
+		WarningsEnabled:       contextControllerCfg.WarningsEnabled,
 	}
 
 	router, recorder := setupContextController(nil)

internal/controller/resources_controller.go

@@ -7,8 +7,8 @@ import (
 )
 
 type ResourcesControllerConfig struct {
-	ResourcesDir      string
+	Path    string
-	ResourcesDisabled bool
+	Enabled bool
 }
 
 type ResourcesController struct {
@@ -18,7 +18,7 @@ type ResourcesController struct {
 }
 
 func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.ResourcesDir)))
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
 
 	return &ResourcesController{
 		config:     config,
@@ -32,14 +32,14 @@ func (controller *ResourcesController) SetupRoutes() {
 }
 
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.ResourcesDir == "" {
+	if controller.config.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	if controller.config.ResourcesDisabled {
+	if !controller.config.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",

internal/controller/resources_controller_test.go

@@ -18,7 +18,8 @@ func TestResourcesHandler(t *testing.T) {
 	group := router.Group("/")
 
 	ctrl := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		ResourcesDir: "/tmp/tinyauth",
+		Path:    "/tmp/tinyauth",
+		Enabled: true,
 	}, group)
 	ctrl.SetupRoutes()
 

internal/service/oidc_service.go

@@ -8,6 +8,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"database/sql"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -665,10 +666,21 @@ func (service *OIDCService) Cleanup() {
 }
 
 func (service *OIDCService) GetJWK() ([]byte, error) {
+	hasher := sha256.New()
+
+	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
+
+	if der == nil {
+		return nil, errors.New("failed to marshal public key")
+	}
+
+	hasher.Write(der)
+
 	jwk := jose.JSONWebKey{
 		Key:       service.privateKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
+		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
 
 	return jwk.Public().MarshalJSON()

internal/utils/loaders/loader_file.go

@@ -1,6 +1,8 @@
 package loaders
 
 import (
+	"os"
+
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/paerser/file"
@@ -16,11 +18,16 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 		return false, err
 	}
 
-	// I guess we are using traefik as the root name
+	// I guess we are using traefik as the root name (we can't change it)
-	configFileFlag := "traefik.experimental.configFile"
+	configFileFlag := "traefik.experimental.configfile"
+	envVar := "TINYAUTH_EXPERIMENTAL_CONFIGFILE"
 
 	if _, ok := flags[configFileFlag]; !ok {
-		return false, nil
+		if value := os.Getenv(envVar); value != "" {
+			flags[configFileFlag] = value
+		} else {
+			return false, nil
+		}
 	}
 
 	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")