chore: set permissions for integration workflow

* wip

* fix: add extauthz to friendly error messages

* refactor: better module handling per proxy

* fix: get envoy host from the gin request

* tests: rework tests for proxy controller

* fix: review comments

.github/workflows/integration.yml

@@ -0,0 +1,82 @@
+name: Proxy Integration Tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      build:
+        type: boolean
+        description: Build from current tag before running tests
+
+permissions:
+  contents: read
+
+jobs:
+  determine-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.metadata.outputs.VERSION }}
+      commit_hash: ${{ steps.metadata.outputs.COMMIT_HASH }}
+      build_timestamp: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Determine metadata
+        id: metadata
+        run: |
+          # Generate static metadata
+          echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+          echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
+
+          # Determine version
+          if [ "${{ inputs.build }}" == "true" ]; then
+            echo "VERSION=development" >> "$GITHUB_OUTPUT"
+          else
+            echo "VERSION=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+          fi
+
+  integration:
+    runs-on: ubuntu-latest
+    needs: determine-tag
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.25.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        if: ${{ inputs.build == 'true' }}
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        if: ${{ inputs.build == 'true' }}
+        with:
+          platforms: linux/amd64
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.determine-tag.outputs.version }}
+          outputs: type=image,push=false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VERSION=${{ needs.determine-tag.outputs.version }}
+            COMMIT_HASH=${{ needs.determine-tag.outputs.commit_hash }}
+            BUILD_TIMESTAMP=${{ needs.determine-tag.outputs.build_timestamp }}
+
+      - name: Set tinyauth version
+        run: |
+          sed -i "s/TINYAUTH_VERSION=.*/TINYAUTH_VERSION=${{ needs.determine-tag.outputs.version }}/" integration/.env
+
+      - name: Test
+        run: make integration

.github/workflows/release.yml

@@ -15,8 +15,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          ref: nightly
 
       - name: Generate metadata
         id: metadata

Makefile

@@ -81,5 +81,11 @@ sql:
 	sqlc generate
 
 # Go gen
+.PHONY: generate
 generate:
 	go run ./gen
+
+# Proxy integration tests
+.PHONY: integration
+integration:
+	go run ./integration -- --log=false

frontend/bun.lock

@@ -16,7 +16,7 @@
         "axios": "^1.13.6",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
-        "i18next": "^25.8.17",
+        "i18next": "^25.8.18",
         "i18next-browser-languagedetector": "^8.2.1",
         "i18next-resources-to-backend": "^1.2.1",
         "input-otp": "^1.4.2",
@@ -26,7 +26,7 @@
         "react": "^19.2.4",
         "react-dom": "^19.2.4",
         "react-hook-form": "^7.71.2",
-        "react-i18next": "^16.5.6",
+        "react-i18next": "^16.5.8",
         "react-markdown": "^10.1.0",
         "react-router": "^7.13.1",
         "sonner": "^2.0.7",
@@ -637,7 +637,7 @@
 
     "html-url-attributes": ["html-url-attributes@3.0.1", "", {}, "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ=="],
 
-    "i18next": ["i18next@25.8.17", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-vWtCttyn5bpOK4hWbRAe1ZXkA+Yzcn2OcACT+WJavtfGMcxzkfvXTLMeOU8MUhRmAySKjU4VVuKlo0sSGeBokA=="],
+    "i18next": ["i18next@25.8.18", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-lzY5X83BiL5AP77+9DydbrqkQHFN9hUzWGjqjLpPcp5ZOzuu1aSoKaU3xbBLSjWx9dAzW431y+d+aogxOZaKRA=="],
 
     "i18next-browser-languagedetector": ["i18next-browser-languagedetector@8.2.1", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-bZg8+4bdmaOiApD7N7BPT9W8MLZG+nPTOFlLiJiT8uzKXFjhxw4v2ierCXOwB5sFDMtuA5G4kgYZ0AznZxQ/cw=="],
 
@@ -843,7 +843,7 @@
 
     "react-hook-form": ["react-hook-form@7.71.2", "", { "peerDependencies": { "react": "^16.8.0 || ^17 || ^18 || ^19" } }, "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA=="],
 
-    "react-i18next": ["react-i18next@16.5.6", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-Ua7V2/efA88ido7KyK51fb8Ki8M/sRfW8LR/rZ/9ZKr2luhuTI7kwYZN5agT1rWG7aYm5G0RYE/6JR8KJoCMDw=="],
+    "react-i18next": ["react-i18next@16.5.8", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg=="],
 
     "react-markdown": ["react-markdown@10.1.0", "", { "dependencies": { "@types/hast": "^3.0.0", "@types/mdast": "^4.0.0", "devlop": "^1.0.0", "hast-util-to-jsx-runtime": "^2.0.0", "html-url-attributes": "^3.0.0", "mdast-util-to-hast": "^13.0.0", "remark-parse": "^11.0.0", "remark-rehype": "^11.0.0", "unified": "^11.0.0", "unist-util-visit": "^5.0.0", "vfile": "^6.0.0" }, "peerDependencies": { "@types/react": ">=18", "react": ">=18" } }, "sha512-qKxVopLT/TyA6BX3Ue5NwabOsAzm0Q7kAPwq6L+wWDwisYs7R8vZ0nRXqq6rkueboxpkjvLGU9fWifiX/ZZFxQ=="],
 

frontend/package.json

@@ -22,7 +22,7 @@
     "axios": "^1.13.6",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
-    "i18next": "^25.8.17",
+    "i18next": "^25.8.18",
     "i18next-browser-languagedetector": "^8.2.1",
     "i18next-resources-to-backend": "^1.2.1",
     "input-otp": "^1.4.2",
@@ -32,7 +32,7 @@
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-hook-form": "^7.71.2",
-    "react-i18next": "^16.5.6",
+    "react-i18next": "^16.5.8",
     "react-markdown": "^10.1.0",
     "react-router": "^7.13.1",
     "sonner": "^2.0.7",

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
 	github.com/weppos/publicsuffix-go v0.50.3
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.49.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.36.0
 	gotest.tools/v3 v3.5.2
@@ -114,10 +114,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/net v0.51.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect

go.sum

@@ -309,13 +309,13 @@ golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -326,8 +326,8 @@ golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -338,26 +338,26 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=

integration/.env

@@ -0,0 +1,16 @@
+# Nginx configuration
+NGINX_VERSION=1.29
+
+# Whoami configuration
+WHOAMI_VERSION=latest
+
+# Traefik configuration
+TRAEFIK_VERSION=v3.6
+TINYAUTH_HOST=tinyauth.127.0.0.1.sslip.io
+WHOAMI_HOST=whoami.127.0.0.1.sslip.io
+
+# Envoy configuration
+ENVOY_VERSION=v1.33-latest
+
+# Tinyauth configuration
+TINYAUTH_VERSION=latest

integration/config.yml

@@ -0,0 +1,15 @@
+appUrl: http://tinyauth.127.0.0.1.sslip.io
+
+auth:
+  users: test:$2a$10$eG88kFow83l5YRSlTSL2o.sZimjxFHrpiKdaSUZqpLBGX7Y2.4PZG
+
+log:
+  json: true
+  level: trace
+
+apps:
+  whoami:
+    config:
+      domain: whoami.127.0.0.1.sslip.io
+    path:
+      allow: /allow

integration/docker-compose.envoy.yml

@@ -0,0 +1,16 @@
+services:
+  envoy:
+    image: envoyproxy/envoy:${ENVOY_VERSION}
+    ports:
+      - 80:80
+    volumes:
+      - ./envoy.yml:/etc/envoy/envoy.yaml:ro
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro

integration/docker-compose.nginx.yml

@@ -0,0 +1,16 @@
+services:
+  nginx:
+    image: nginx:${NGINX_VERSION}
+    ports:
+      - 80:80
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro

integration/docker-compose.traefik.yml

@@ -0,0 +1,28 @@
+services:
+  traefik:
+    image: traefik:${TRAEFIK_VERSION}
+    command: |
+      --api.insecure=true
+      --providers.docker
+      --entryPoints.web.address=:80
+    ports:
+      - 80:80
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+    labels:
+      traefik.enable: true
+      traefik.http.routers.whoami.rule: Host(`${WHOAMI_HOST}`)
+      traefik.http.routers.whoami.middlewares: tinyauth
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro
+    labels:
+      traefik.enable: true
+      traefik.http.routers.tinyauth.rule: Host(`${TINYAUTH_HOST}`)
+      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

integration/envoy.yml

@@ -0,0 +1,105 @@
+static_resources:
+  listeners:
+    - name: "listener_http"
+      address:
+        socket_address:
+          address: "0.0.0.0"
+          port_value: 80
+      filter_chains:
+        - filters:
+            - name: "envoy.filters.network.http_connection_manager"
+              typed_config:
+                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+                stat_prefix: "ingress_http"
+                use_remote_address: true
+                skip_xff_append: false
+                route_config:
+                  name: "local_route"
+                  virtual_hosts:
+                    - name: "whoami_service"
+                      domains: ["whoami.127.0.0.1.sslip.io"]
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: "whoami"
+                    - name: "tinyauth_service"
+                      domains: ["tinyauth.127.0.0.1.sslip.io"]
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
+                          disabled: true
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: "tinyauth"
+                http_filters:
+                  - name: "envoy.filters.http.ext_authz"
+                    typed_config:
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
+                      transport_api_version: "v3"
+                      http_service:
+                        path_prefix: "/api/auth/envoy?path="
+                        server_uri:
+                          uri: "tinyauth:3000"
+                          cluster: "tinyauth"
+                          timeout: "0.25s"
+                        authorization_request:
+                          allowed_headers:
+                            patterns:
+                              - exact: "authorization"
+                              - exact: "accept"
+                              - exact: "cookie"
+                          headers_to_add:
+                            - key: "x-forwarded-proto"
+                              value: "%REQ(:SCHEME)%"
+                            - key: "x-forwarded-host"
+                              value: "%REQ(:AUTHORITY)%"
+                            - key: "x-forwarded-uri"
+                              value: "%REQ(:PATH)%"
+                        authorization_response:
+                          allowed_upstream_headers:
+                            patterns:
+                              - prefix: "remote-"
+                          allowed_client_headers:
+                            patterns:
+                              - exact: "set-cookie"
+                              - exact: "location"
+                          allowed_client_headers_on_success:
+                            patterns:
+                              - exact: "set-cookie"
+                              - exact: "location"
+                      failure_mode_allow: false
+                  - name: "envoy.filters.http.router"
+                    typed_config:
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+  clusters:
+    - name: "whoami"
+      connect_timeout: "0.25s"
+      type: "logical_dns"
+      dns_lookup_family: "v4_only"
+      lb_policy: "round_robin"
+      load_assignment:
+        cluster_name: "whoami"
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: "whoami"
+                      port_value: 80
+    - name: "tinyauth"
+      connect_timeout: "0.25s"
+      type: "logical_dns"
+      dns_lookup_family: "v4_only"
+      lb_policy: "round_robin"
+      load_assignment:
+        cluster_name: "tinyauth"
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: "tinyauth"
+                      port_value: 3000

integration/integrarion_tests.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+func testUnauthorized(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	// nginx and envoy will throw us at the frontend
+	if resp.StatusCode != http.StatusUnauthorized && !strings.Contains(string(body), "<div id=\"root\"></div>") {
+		return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
+	}
+	return nil
+}
+
+func testLoggedIn(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL, nil)
+	if err != nil {
+		return err
+	}
+	req.SetBasicAuth(DefaultUsername, DefaultPassword)
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	return nil
+}
+
+func testACLAllowed(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL+"/allow", nil)
+	if err != nil {
+		return err
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	return nil
+}

integration/integration.go

@@ -0,0 +1,191 @@
+package main
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/exec"
+	"path"
+	"time"
+)
+
+var ProxiesToTest = []string{"traefik", "nginx", "envoy"}
+
+const (
+	EnvFile    = ".env"
+	ConfigFile = "config.yml"
+)
+
+const (
+	TinyauthURL = "http://tinyauth.127.0.0.1.sslip.io"
+	WhoamiURL   = "http://whoami.127.0.0.1.sslip.io"
+)
+
+const (
+	DefaultUsername = "test"
+	DefaultPassword = "password"
+)
+
+func main() {
+	logFlag := flag.Bool("log", false, "enable stack logging")
+	flag.Parse()
+
+	rootFolder, err := os.Getwd()
+
+	if err != nil {
+		slog.Error("fail", "error", err)
+		os.Exit(1)
+	}
+
+	slog.Info("root folder", "folder", rootFolder)
+
+	integrationRoot := rootFolder
+
+	if _, err := os.Stat(path.Join(rootFolder, ".git")); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			slog.Error("fail", "error", err)
+			os.Exit(1)
+		}
+	} else {
+		integrationRoot = path.Join(rootFolder, "integration")
+	}
+
+	slog.Info("integration root", "folder", integrationRoot)
+
+	for _, proxy := range ProxiesToTest {
+		slog.Info("begin", "proxy", proxy)
+		compose := fmt.Sprintf("docker-compose.%s.yml", proxy)
+		if _, err := os.Stat(path.Join(integrationRoot, compose)); err != nil {
+			slog.Error("fail", "proxy", proxy, "error", err)
+			os.Exit(1)
+		}
+		if err := createInstanceAndRunTests(compose, *logFlag, proxy, integrationRoot); err != nil {
+			slog.Error("fail", "proxy", proxy, "error", err)
+			os.Exit(1)
+		}
+		slog.Info("end", "proxy", proxy)
+	}
+}
+
+func runTests(client *http.Client, name string) error {
+	if err := testUnauthorized(client); err != nil {
+		slog.Error("fail unauthorized test", "name", name)
+		return err
+	}
+
+	slog.Info("unauthorized test passed", "name", name)
+
+	if err := testLoggedIn(client); err != nil {
+		slog.Error("fail logged in test", "name", name)
+		return err
+	}
+
+	slog.Info("logged in test passed", "name", name)
+
+	if err := testACLAllowed(client); err != nil {
+		slog.Error("fail acl test", "name", name)
+		return err
+	}
+
+	slog.Info("acl test passed", "name", name)
+
+	return nil
+}
+
+func createInstanceAndRunTests(compose string, log bool, name string, integrationDir string) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	composeFile := path.Join(integrationDir, compose)
+	envFile := path.Join(integrationDir, EnvFile)
+	cmdArgs := []string{"compose", "-f", composeFile, "--env-file", envFile, "up", "--build", "--force-recreate", "--remove-orphans"}
+	cmd := exec.CommandContext(ctx, "docker", cmdArgs...)
+
+	if log {
+		setupCmdLogging(cmd)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+
+	defer func() {
+		cmd.Process.Signal(os.Interrupt)
+		cmd.Wait()
+	}()
+
+	slog.Info("instance created", "name", name)
+
+	if err := waitForHealthy(); err != nil {
+		return err
+	}
+
+	slog.Info("instance healthy", "name", name)
+
+	client := &http.Client{}
+
+	if err := runTests(client, name); err != nil {
+		return err
+	}
+
+	slog.Info("tests passed", "name", name)
+
+	cmd.Process.Signal(os.Interrupt)
+
+	if err := cmd.Wait(); cmd.ProcessState.ExitCode() != 130 && err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func setupCmdLogging(cmd *exec.Cmd) {
+	stdout, _ := cmd.StdoutPipe()
+	stderr, _ := cmd.StderrPipe()
+
+	go func() {
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			slog.Info("docker out", "stdout", scanner.Text())
+		}
+	}()
+
+	go func() {
+		scanner := bufio.NewScanner(stderr)
+		for scanner.Scan() {
+			slog.Error("docker out", "stderr", scanner.Text())
+		}
+	}()
+}
+
+func waitForHealthy() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	ticker := time.NewTicker(10 * time.Second)
+	client := http.Client{}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return errors.New("tinyauth not healthy after 5 minutes")
+		case <-ticker.C:
+			req, err := http.NewRequestWithContext(ctx, "GET", TinyauthURL+"/api/healthz", nil)
+			if err != nil {
+				return err
+			}
+			res, err := client.Do(req)
+			if err != nil {
+				continue
+			}
+			if res.StatusCode == http.StatusOK {
+				return nil
+			}
+		}
+	}
+}

integration/nginx.conf

@@ -0,0 +1,36 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name tinyauth.127.0.0.1.sslip.io;
+
+    location / {
+        proxy_pass http://tinyauth:3000;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name whoami.127.0.0.1.sslip.io;
+
+    location / {
+        proxy_pass http://whoami;
+        auth_request /tinyauth;
+        error_page 401 = @tinyauth_login;
+    }
+
+    location /tinyauth {
+        internal;
+        proxy_pass http://tinyauth:3000/api/auth/nginx;
+        proxy_set_header x-original-url $scheme://$http_host$request_uri;
+        proxy_set_header x-forwarded-proto $scheme;
+        proxy_set_header x-forwarded-host $host;
+        proxy_set_header x-forwarded-uri $request_uri;
+    }
+
+    location @tinyauth_login {
+      return 302 http://tinyauth.127.0.0.1.sslip.io/login?redirect_uri=$scheme://$http_host$request_uri;
+    }
+}

internal/controller/proxy_controller.go

@@ -1,9 +1,11 @@
 package controller
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
-	"slices"
+	"net/url"
+	"regexp"
 	"strings"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -15,12 +17,29 @@ import (
 	"github.com/google/go-querystring/query"
 )
 
-var SupportedProxies = []string{"nginx", "traefik", "caddy", "envoy"}
+type AuthModuleType int
+
+const (
+	AuthRequest AuthModuleType = iota
+	ExtAuthz
+	ForwardAuth
+)
+
+var BrowserUserAgentRegex = regexp.MustCompile("Chrome|Gecko|AppleWebKit|Opera|Edge")
 
 type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }
 
+type ProxyContext struct {
+	Host      string
+	Proto     string
+	Path      string
+	Method    string
+	Type      AuthModuleType
+	IsBrowser bool
+}
+
 type ProxyControllerConfig struct {
 	AppURL string
 }
@@ -43,75 +62,30 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a
 
 func (controller *ProxyController) SetupRoutes() {
 	proxyGroup := controller.router.Group("/auth")
-	// There is a later check to control allowed methods per proxy
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
-	var req Proxy
+	// Load proxy context based on the request type
+	proxyCtx, err := controller.getProxyContext(c)
 
-	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
 		c.JSON(400, gin.H{
 			"status":  400,
-			"message": "Bad Request",
+			"message": "Bad request",
 		})
 		return
 	}
 
-	if !slices.Contains(SupportedProxies, req.Proxy) {
-		tlog.App.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	// Only allow GET for non-envoy proxies.
-	// Envoy uses the original client method for the external auth request
-	// so we allow Any standard HTTP method for /api/auth/envoy
-	if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
-		tlog.App.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
-		c.Header("Allow", "GET")
-		c.JSON(405, gin.H{
-			"status":  405,
-			"message": "Method Not Allowed",
-		})
-		return
-	}
-
-	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
-
-	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as (most likely) coming from a browser")
-	} else {
-		tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
-	}
-
-	uri, ok := controller.requireHeader(c, "x-forwarded-uri")
-
-	if !ok {
-		return
-	}
-
-	host, ok := controller.requireHeader(c, "x-forwarded-host")
-	if !ok {
-		return
-	}
-
-	proto, ok := controller.requireHeader(c, "x-forwarded-proto")
-	if !ok {
-		return
-	}
+	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
 
 	// Get acls
-	acls, err := controller.acls.GetAccessControls(host)
+	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
 
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
-		controller.handleError(c, req, isBrowser)
+		controller.handleError(c, proxyCtx)
 		return
 	}
 
@@ -128,11 +102,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(uri, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
 
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
-		controller.handleError(c, req, isBrowser)
+		controller.handleError(c, proxyCtx)
 		return
 	}
 
@@ -147,7 +121,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		if req.Proxy == "nginx" || !isBrowser {
+		if !controller.useFriendlyError(proxyCtx) {
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -156,7 +130,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		}
 
 		queries, err := query.Values(config.UnauthorizedQuery{
-			Resource: strings.Split(host, ".")[0],
+			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})
 
@@ -189,9 +163,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
 
 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
+			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
 
-			if req.Proxy == "nginx" || !isBrowser {
+			if !controller.useFriendlyError(proxyCtx) {
 				c.JSON(403, gin.H{
 					"status":  403,
 					"message": "Forbidden",
@@ -200,7 +174,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 
 			queries, err := query.Values(config.UnauthorizedQuery{
-				Resource: strings.Split(host, ".")[0],
+				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
 
 			if err != nil {
@@ -229,9 +203,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User groups do not match resource requirements")
+				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
 
-				if req.Proxy == "nginx" || !isBrowser {
+				if !controller.useFriendlyError(proxyCtx) {
 					c.JSON(403, gin.H{
 						"status":  403,
 						"message": "Forbidden",
@@ -240,7 +214,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				}
 
 				queries, err := query.Values(config.UnauthorizedQuery{
-					Resource: strings.Split(host, ".")[0],
+					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
 				})
 
@@ -282,7 +256,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if req.Proxy == "nginx" || !isBrowser {
+	if !controller.useFriendlyError(proxyCtx) {
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -291,7 +265,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	queries, err := query.Values(config.RedirectQuery{
-		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
+		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 	})
 
 	if err != nil {
@@ -321,8 +295,8 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
 	}
 }
 
-func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrowser bool) {
-	if req.Proxy == "nginx" || !isBrowser {
+func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
+	if !controller.useFriendlyError(proxyCtx) {
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -333,15 +307,195 @@ func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrow
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 }
 
-func (controller *ProxyController) requireHeader(c *gin.Context, header string) (string, bool) {
+func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {
 	val := c.Request.Header.Get(header)
-	if strings.TrimSpace(val) == "" {
-		tlog.App.Error().Str("header", header).Msg("Header not found")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return "", false
-	}
-	return val, true
+	return val, strings.TrimSpace(val) != ""
+}
+
+func (controller *ProxyController) useFriendlyError(proxyCtx ProxyContext) bool {
+	return (proxyCtx.Type == ForwardAuth || proxyCtx.Type == ExtAuthz) && proxyCtx.IsBrowser
+}
+
+// Code below is inspired from https://github.com/authelia/authelia/blob/master/internal/handlers/handler_authz.go
+// and thus it may be subject to Apache 2.0 License
+func (controller *ProxyController) getForwardAuthContext(c *gin.Context) (ProxyContext, error) {
+	host, ok := controller.getHeader(c, "x-forwarded-host")
+
+	if !ok {
+		return ProxyContext{}, errors.New("x-forwarded-host not found")
+	}
+
+	uri, ok := controller.getHeader(c, "x-forwarded-uri")
+
+	if !ok {
+		return ProxyContext{}, errors.New("x-forwarded-uri not found")
+	}
+
+	proto, ok := controller.getHeader(c, "x-forwarded-proto")
+
+	if !ok {
+		return ProxyContext{}, errors.New("x-forwarded-proto not found")
+	}
+
+	// Normally we should only allow GET for forward auth but since it's a fallback
+	// for envoy we should allow everything, not a big deal
+	method := c.Request.Method
+
+	return ProxyContext{
+		Host:   host,
+		Proto:  proto,
+		Path:   uri,
+		Method: method,
+		Type:   ForwardAuth,
+	}, nil
+}
+
+func (controller *ProxyController) getAuthRequestContext(c *gin.Context) (ProxyContext, error) {
+	xOriginalUrl, ok := controller.getHeader(c, "x-original-url")
+
+	if !ok {
+		return ProxyContext{}, errors.New("x-original-url not found")
+	}
+
+	url, err := url.Parse(xOriginalUrl)
+
+	if err != nil {
+		return ProxyContext{}, err
+	}
+
+	host := url.Host
+
+	if strings.TrimSpace(host) == "" {
+		return ProxyContext{}, errors.New("host not found")
+	}
+
+	proto := url.Scheme
+
+	if strings.TrimSpace(proto) == "" {
+		return ProxyContext{}, errors.New("proto not found")
+	}
+
+	path := url.Path
+	method := c.Request.Method
+
+	return ProxyContext{
+		Host:   host,
+		Proto:  proto,
+		Path:   path,
+		Method: method,
+		Type:   AuthRequest,
+	}, nil
+}
+
+func (controller *ProxyController) getExtAuthzContext(c *gin.Context) (ProxyContext, error) {
+	// We hope for the someone to set the x-forwarded-proto header
+	proto, ok := controller.getHeader(c, "x-forwarded-proto")
+
+	if !ok {
+		return ProxyContext{}, errors.New("x-forwarded-proto not found")
+	}
+
+	// It sets the host to the original host, not the forwarded host
+	host := c.Request.Host
+
+	if strings.TrimSpace(host) == "" {
+		return ProxyContext{}, errors.New("host not found")
+	}
+
+	// We get the path from the query string
+	path := c.Query("path")
+
+	// For envoy we need to support every method
+	method := c.Request.Method
+
+	return ProxyContext{
+		Host:   host,
+		Proto:  proto,
+		Path:   path,
+		Method: method,
+		Type:   ExtAuthz,
+	}, nil
+}
+
+func (controller *ProxyController) determineAuthModules(proxy string) []AuthModuleType {
+	switch proxy {
+	case "traefik", "caddy":
+		return []AuthModuleType{ForwardAuth}
+	case "envoy":
+		return []AuthModuleType{ExtAuthz, ForwardAuth}
+	case "nginx":
+		return []AuthModuleType{AuthRequest, ForwardAuth}
+	default:
+		return []AuthModuleType{}
+	}
+}
+
+func (controller *ProxyController) getContextFromAuthModule(c *gin.Context, module AuthModuleType) (ProxyContext, error) {
+	switch module {
+	case ForwardAuth:
+		ctx, err := controller.getForwardAuthContext(c)
+		if err != nil {
+			return ProxyContext{}, err
+		}
+		return ctx, nil
+	case ExtAuthz:
+		ctx, err := controller.getExtAuthzContext(c)
+		if err != nil {
+			return ProxyContext{}, err
+		}
+		return ctx, nil
+	case AuthRequest:
+		ctx, err := controller.getAuthRequestContext(c)
+		if err != nil {
+			return ProxyContext{}, err
+		}
+		return ctx, nil
+	}
+	return ProxyContext{}, fmt.Errorf("unsupported auth module: %v", module)
+}
+
+func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext, error) {
+	var req Proxy
+
+	err := c.BindUri(&req)
+	if err != nil {
+		return ProxyContext{}, err
+	}
+
+	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
+
+	authModules := controller.determineAuthModules(req.Proxy)
+
+	if len(authModules) == 0 {
+		return ProxyContext{}, fmt.Errorf("no auth modules supported for proxy: %v", req.Proxy)
+	}
+
+	var ctx ProxyContext
+
+	for _, module := range authModules {
+		tlog.App.Debug().Msgf("Trying auth module: %v", module)
+		ctx, err = controller.getContextFromAuthModule(c, module)
+		if err == nil {
+			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
+			break
+		}
+		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
+	}
+
+	if err != nil {
+		return ProxyContext{}, err
+	}
+
+	// We don't care if the header is empty, we will just assume it's not a browser
+	userAgent, _ := controller.getHeader(c, "user-agent")
+	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
+
+	if isBrowser {
+		tlog.App.Debug().Msg("Request identified as coming from a browser")
+	} else {
+		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
+	}
+
+	ctx.IsBrowser = isBrowser
+	return ctx, nil
 }

internal/controller/proxy_controller_test.go

@@ -1,6 +1,7 @@
 package controller_test
 
 import (
+	"net/http"
 	"net/http/httptest"
 	"testing"
 
@@ -9,21 +10,26 @@ import (
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
 
-func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
-	tlog.NewSimpleLogger().Init()
+var loggedInCtx = config.UserContext{
+	Username:   "test",
+	Name:       "Test",
+	Email:      "test@example.com",
+	IsLoggedIn: true,
+	Provider:   "local",
+}
 
+func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
 	// Setup
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 
-	if middlewares != nil {
-		for _, m := range *middlewares {
+	if len(middlewares) > 0 {
+		for _, m := range middlewares {
 			router.Use(m)
 		}
 	}
@@ -48,7 +54,13 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
+	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{
+		"whoami": {
+			Path: config.AppPath{
+				Allow: "/allow",
+			},
+		},
+	})
 
 	assert.NilError(t, accessControlsService.Init())
 
@@ -77,107 +89,214 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 
 	// Controller
 	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: "http://localhost:8080",
+		AppURL: "http://tinyauth.example.com",
 	}, group, accessControlsService, authService)
 	ctrl.SetupRoutes()
 
-	return router, recorder, authService
+	return router, recorder
 }
 
 // TODO: Needs tests for context middleware
 
 func TestProxyHandler(t *testing.T) {
-	// Setup
-	router, recorder, _ := setupProxyController(t, nil)
+	// Test logged out user traefik/caddy (forward_auth)
+	router, recorder := setupProxyController(t, nil)
+
+	req, err := http.NewRequest("GET", "/api/auth/traefik", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-uri", "/")
 
-	// Test invalid proxy
-	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
 	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	assert.Equal(t, 400, recorder.Code)
+	// Test logged out user nginx (auth_request)
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-original-url", "http://whoami.example.com/")
 
-	// Test invalid method for non-envoy proxy
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
 	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	assert.Equal(t, 405, recorder.Code)
-	assert.Equal(t, "GET", recorder.Header().Get("Allow"))
+	// Test logged out user envoy (ext_authz)
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
+	assert.NilError(t, err)
+
+	req.Host = "whoami.example.com"
+	req.Header.Set("x-forwarded-proto", "http")
 
-	// Test logged out user (traefik/caddy)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	req.Header.Set("Accept", "text/html")
 	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	assert.Equal(t, 307, recorder.Code)
-	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
-
-	// Test logged out user (envoy - POST method)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/auth/envoy", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	req.Header.Set("Accept", "text/html")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 307, recorder.Code)
-	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
-
-	// Test logged out user (envoy - DELETE method)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("DELETE", "/api/auth/envoy", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	req.Header.Set("Accept", "text/html")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 307, recorder.Code)
-	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
-
-	// Test logged out user (nginx)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-
-	// Test logged in user
-	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
+	// Test logged in user traefik/caddy (forward_auth)
+	router, recorder = setupProxyController(t, []gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "testuser",
-				Name:        "testuser",
-				Email:       "testuser@example.com",
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "local",
-				TotpPending: false,
-				OAuthGroups: "",
-				TotpEnabled: false,
-			})
+			c.Set("context", &loggedInCtx)
 			c.Next()
 		},
 	})
 
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	req.Header.Set("Accept", "text/html")
+	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-uri", "/")
 
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, 200, recorder.Code)
+	assert.Equal(t, recorder.Code, http.StatusOK)
 
-	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
-	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
-	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
+	// Test logged in user nginx (auth_request)
+	router, recorder = setupProxyController(t, []gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &loggedInCtx)
+			c.Next()
+		},
+	})
+
+	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-original-url", "http://whoami.example.com/")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test logged in user envoy (ext_authz)
+	router, recorder = setupProxyController(t, []gin.HandlerFunc{
+		func(c *gin.Context) {
+			c.Set("context", &loggedInCtx)
+			c.Next()
+		},
+	})
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
+	assert.NilError(t, err)
+
+	req.Host = "whoami.example.com"
+	req.Header.Set("x-forwarded-proto", "http")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test ACL allow caddy/traefik (forward_auth)
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-uri", "/allow")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test ACL allow nginx
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-original-url", "http://whoami.example.com/allow")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test ACL allow envoy
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/allow", nil)
+	assert.NilError(t, err)
+
+	req.Host = "whoami.example.com"
+	req.Header.Set("x-forwarded-proto", "http")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test traefik/caddy (forward_auth) without required headers
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
+	assert.NilError(t, err)
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusBadRequest)
+
+	// Test nginx (forward_auth) without required headers
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	assert.NilError(t, err)
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusBadRequest)
+
+	// Test envoy (forward_auth) without required headers
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
+	assert.NilError(t, err)
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusBadRequest)
+
+	// Test nginx (auth_request) with forward_auth fallback with ACLs
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-uri", "/allow")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test envoy (ext_authz) with forward_auth fallback with ACLs
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-uri", "/allow")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
+
+	// Test envoy (ext_authz) with empty path
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
+	assert.NilError(t, err)
+
+	req.Host = "whoami.example.com"
+	req.Header.Set("x-forwarded-proto", "http")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
+
+	// Ensure forward_auth fallback works with path (should ignore)
+	router, recorder = setupProxyController(t, nil)
+
+	req, err = http.NewRequest("GET", "/api/auth/traefik?path=/allow", nil)
+	assert.NilError(t, err)
+
+	req.Header.Set("x-forwarded-proto", "http")
+	req.Header.Set("x-forwarded-host", "whoami.example.com")
+	req.Header.Set("x-forwarded-uri", "/allow")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, recorder.Code, http.StatusOK)
 }