chore(deps): bump the minor-patch group across 1 directory with 5 updates

Bumps the minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/crypto](https://github.com/golang/crypto) | `0.52.0` | `0.53.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.45.0` | `0.46.0` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.36.1` | `0.36.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.36.1` | `0.36.2` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.51.0` | `1.52.0` |



Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)

Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)

Updates `k8s.io/apimachinery` from 0.36.1 to 0.36.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.36.1...v0.36.2)

Updates `k8s.io/client-go` from 0.36.1 to 0.36.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.36.1...v0.36.2)

Updates `modernc.org/sqlite` from 1.51.0 to 1.52.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.51.0...v1.52.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

go.mod

@@ -22,12 +22,12 @@ require (
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
 	go.uber.org/dig v1.19.0
-	golang.org/x/crypto v0.52.0
+	golang.org/x/crypto v0.53.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/tools v0.45.0
+	golang.org/x/tools v0.46.0
-	k8s.io/apimachinery v0.36.1
+	k8s.io/apimachinery v0.36.2
-	k8s.io/client-go v0.36.1
+	k8s.io/client-go v0.36.2
-	modernc.org/sqlite v1.51.0
+	modernc.org/sqlite v1.52.0
 	tailscale.com v1.100.0
 )
 
@@ -158,12 +158,12 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/mod v0.36.0 // indirect
+	golang.org/x/mod v0.37.0 // indirect
-	golang.org/x/net v0.55.0 // indirect
+	golang.org/x/net v0.56.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sync v0.21.0 // indirect
-	golang.org/x/sys v0.45.0 // indirect
+	golang.org/x/sys v0.46.0 // indirect
-	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/term v0.44.0 // indirect
-	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/text v0.38.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect

go.sum

@@ -499,35 +499,35 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
-golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
+golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
-golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
+golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=
 golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
-golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
-golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
-golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
-golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
+golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
-golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
-golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
-golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
-golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
+golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
@@ -559,12 +559,12 @@ honnef.co/go/tools v0.7.0 h1:w6WUp1VbkqPEgLz4rkBzH/CSU6HkoqNLp6GstyTx3lU=
 honnef.co/go/tools v0.7.0/go.mod h1:pm29oPxeP3P82ISxZDgIYeOaf9ta6Pi0EWvCFoLG2vc=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
+k8s.io/api v0.36.2 h1:TF6YDLIzKfccK7cq9YpTcGX8TJmEkHVRv78DM51fRYY=
-k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
+k8s.io/api v0.36.2/go.mod h1:F4LbMO4brjZYh7yFkXWhynSvtB7YauxV4c+HHkNRGNg=
-k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
+k8s.io/apimachinery v0.36.2 h1:0PE/W/WNy1UX61NLbXY5TMbJ6UwLL6E6lAPkYrKFxbQ=
-k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
+k8s.io/apimachinery v0.36.2/go.mod h1:fvf/HOLXq9RId0rnDIbN1OEBvHXdQbLMM8nu0LcBUf4=
-k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
+k8s.io/client-go v0.36.2 h1:bfgxmFKc9CgqsgX4xKLAAdmTQlWee7Ob/HlDOrJ5TBI=
-k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
+k8s.io/client-go v0.36.2/go.mod h1:1vgO4OAlfPnoLcb+Rze2GF5rAr14w8qjrYMoyXJzQj0=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
@@ -593,8 +593,8 @@ modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
 modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
+modernc.org/sqlite v1.52.0 h1:p4dhYh2tXZCiyaqHwRVJDjIGKWyXayiQpThxgDzJaxo=
-modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
+modernc.org/sqlite v1.52.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/controller/context_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"encoding/json"
@@ -9,7 +9,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -33,22 +32,22 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/app",
 			expected: func() string {
-				expectedAppContextResponse := controller.AppContextResponse{
+				expectedAppContextResponse := AppContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: controller.ACRAuth{
+					Auth: ACRAuth{
 						Providers: runtime.ConfiguredProviders,
 					},
-					OAuth: controller.ACROAuth{
+					OAuth: ACROAuth{
 						AutoRedirect: cfg.OAuth.AutoRedirect,
 					},
-					UI: controller.ACRUI{
+					UI: ACRUI{
 						Title:                 cfg.UI.Title,
 						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
 						BackgroundImage:       cfg.UI.BackgroundImage,
 						WarningsEnabled:       cfg.UI.WarningsEnabled,
 					},
-					App: controller.ACRApp{
+					App: ACRApp{
 						AppURL:         runtime.AppURL,
 						CookieDomain:   runtime.CookieDomain,
 						TrustedDomains: runtime.TrustedDomains,
@@ -64,7 +63,7 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := controller.UserContextResponse{
+				expectedUserContextResponse := UserContextResponse{
 					Status:  401,
 					Message: "Unauthorized",
 				}
@@ -92,10 +91,10 @@ func TestContextController(t *testing.T) {
 			},
 			path: "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := controller.UserContextResponse{
+				expectedUserContextResponse := UserContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: controller.UCRAuth{
+					Auth: UCRAuth{
 						Authenticated: true,
 						Username:      "johndoe",
 						Name:          "John Doe",
@@ -121,7 +120,7 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewContextController(controller.ContextControllerInput{
+			NewContextController(ContextControllerInput{
 				Log:         log,
 				Config:      &cfg,
 				Runtime:     &runtime,

internal/controller/health_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"encoding/json"
@@ -9,7 +9,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 )
 
 func TestHealthController(t *testing.T) {
@@ -55,7 +54,7 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewHealthController(controller.HealthControllerInput{
+			NewHealthController(HealthControllerInput{
 				RouterGroup: group,
 			})
 

internal/controller/oauth_controller.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -11,6 +12,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
@@ -80,9 +82,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 
 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
+		if !controller.isRedirectSafe(reqParams.RedirectURI) {
-
-		if !isRedirectSafe {
 			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
@@ -310,3 +310,56 @@ func (controller *OAuthController) getCookieDomain() string {
 	}
 	return controller.runtime.CookieDomain
 }
+
+func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
+	u, err := url.Parse(redirectURI)
+
+	if err != nil || u.Host == "" || u.Scheme == "" {
+		return false
+	}
+
+	for _, allowed := range controller.runtime.TrustedDomains {
+		tu, err := url.Parse(allowed)
+		if err != nil {
+			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
+			continue
+		}
+
+		if tu.Scheme != u.Scheme {
+			continue
+		}
+
+		// exact match
+		if strings.EqualFold(u.Host, tu.Host) {
+			return true
+		}
+
+		// if subdomains are disabled, end here
+		if !controller.config.Auth.SubdomainsEnabled {
+			continue
+		}
+
+		// get the root domain (e.g. tinyauth.example.com -> example.com or
+		// tinyauth.sub.example.com -> sub.example.com)
+		_, root, ok := strings.Cut(tu.Host, ".")
+		if !ok {
+			continue
+		}
+
+		root = strings.ToLower(root)
+
+		// check if the root domain is in the psl
+		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
+
+		if err != nil {
+			continue
+		}
+
+		// subdomain match
+		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
+			return true
+		}
+	}
+
+	return false
+}

internal/controller/oauth_controller_test.go

@@ -0,0 +1,161 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestOAuthController(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)
+
+	type testCase struct {
+		description       string
+		run               func(ctrl *OAuthController)
+		trustedDomains    []string
+		subdomainsEnabled bool
+	}
+
+	tests := []testCase{
+		{
+			description:       "Test exact match of redirect URI",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://tinyauth.example.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test subdomain match of redirect URI",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sub.example.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test different trusted domain",
+			trustedDomains:    []string{"https://tinyauth.example.com", "https://tinyauth.foo.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://app.foo.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test invalid redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https:/malicious"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description: "Test empty redirect URI",
+			run: func(ctrl *OAuthController) {
+				redirectUri := ""
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test redirect URI with different scheme",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "http://tinyauth.example.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test redirect URI with different port",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://tinyauth.example.com:8080"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			// weird case, subdomains enabled and domain without subdomain can't happen
+			description:    "Test with trusted domain that's in PSL when split",
+			trustedDomains: []string{"https://example.com"}, // will become .com which we
+			// obviously don't want to allow
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sub.example.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test subdomain redirect URI when subdomains are disabled",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: false,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sub.tinyauth.example.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test domain like the .co.uk",
+			trustedDomains:    []string{"https://example.co.uk"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sub.example.co.uk"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test domain like the .co.uk with subdomains disabled",
+			trustedDomains:    []string{"https://example.co.uk"},
+			subdomainsEnabled: false,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://example.co.uk"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test caps domain",
+			trustedDomains:    []string{"https://TINYAUTH.ExAmpLe.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://sUb.ExAmPle.com"
+				assert.True(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+		{
+			description:       "Test edge case with @",
+			trustedDomains:    []string{"https://tinyauth.example.com"},
+			subdomainsEnabled: true,
+			run: func(ctrl *OAuthController) {
+				redirectUri := "https://malicious.example.com@evil.com"
+				assert.False(t, ctrl.isRedirectSafe(redirectUri))
+			},
+		},
+	}
+
+	// TODO: add auth service
+	for _, tc := range tests {
+		t.Run(tc.description, func(t *testing.T) {
+			router := gin.Default()
+			group := router.Group("/api")
+			gin.SetMode(gin.TestMode)
+			// overwrite the trusted domains and subdomain setting for each test case
+			runtime.TrustedDomains = tc.trustedDomains
+			cfg.Auth.SubdomainsEnabled = tc.subdomainsEnabled
+			ctrl := NewOAuthController(OAuthControllerInput{
+				Log:           log,
+				Config:        &cfg,
+				RuntimeConfig: &runtime,
+				RouterGroup:   group,
+			})
+			tc.run(ctrl)
+		})
+	}
+}

internal/controller/oidc_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"context"
@@ -15,7 +15,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -45,7 +44,7 @@ func TestOIDCController(t *testing.T) {
 	require.NoError(t, err)
 
 	// Middleware that injects an authenticated local user into the gin context,
-	// mimicking the context middleware that runs before the OIDC controller.
+	// mimicking the context middleware that runs before the OIDC
 	authedUser := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: true,
@@ -213,7 +212,7 @@ func TestOIDCController(t *testing.T) {
 		{
 			description: "Authorize complete returns a JSON error when the user context is missing",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
+				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "some-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -243,7 +242,7 @@ func TestOIDCController(t *testing.T) {
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
+				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "some-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -263,7 +262,7 @@ func TestOIDCController(t *testing.T) {
 			description: "Authorize complete returns a JSON error when the ticket is invalid",
 			middlewares: []gin.HandlerFunc{authedUser},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "nonexistent-ticket"})
+				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "nonexistent-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -291,7 +290,7 @@ func TestOIDCController(t *testing.T) {
 					State:        "state-123",
 				})
 
-				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: ticket})
+				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: ticket})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -837,7 +836,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}
 
-			controller.NewOIDCController(controller.OIDCControllerInput{
+			NewOIDCController(OIDCControllerInput{
 				Log:           log,
 				OIDCService:   svc,
 				RuntimeConfig: &runtime,

internal/controller/proxy_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"context"
@@ -10,7 +10,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -432,7 +431,7 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			controller.NewProxyController(controller.ProxyControllerInput{
+			NewProxyController(ProxyControllerInput{
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,

internal/controller/resources_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"net/http/httptest"
@@ -9,7 +9,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 )
 
@@ -69,7 +68,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewResourcesController(controller.ResourcesControllerInput{
+			NewResourcesController(ResourcesControllerInput{
 				RouterGroup: group,
 				Config:      &cfg,
 			})

internal/controller/user_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"context"
@@ -14,7 +14,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -86,7 +85,7 @@ func TestUserController(t *testing.T) {
 			description: "Should be able to login with valid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{
+				loginReq := LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -114,7 +113,7 @@ func TestUserController(t *testing.T) {
 			description: "Should reject login with invalid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{
+				loginReq := LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -135,7 +134,7 @@ func TestUserController(t *testing.T) {
 			description: "Should rate limit on 3 invalid attempts",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{
+				loginReq := LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -170,7 +169,7 @@ func TestUserController(t *testing.T) {
 			description: "Should not allow full login with totp",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{
+				loginReq := LoginRequest{
 					Username: "totpuser",
 					Password: "password",
 				}
@@ -207,7 +206,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
-				loginReq := controller.LoginRequest{
+				loginReq := LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -264,7 +263,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 
-				totpReq := controller.TotpRequest{
+				totpReq := TotpRequest{
 					Code: code,
 				}
 
@@ -302,7 +301,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
-					totpReq := controller.TotpRequest{
+					totpReq := TotpRequest{
 						Code: "000000", // invalid code
 					}
 
@@ -334,7 +333,7 @@ func TestUserController(t *testing.T) {
 			description: "Login uses name and email from user attributes",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{Username: "attruser", Password: "password"}
+				loginReq := LoginRequest{Username: "attruser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 
@@ -352,7 +351,7 @@ func TestUserController(t *testing.T) {
 			description: "Login with TOTP uses name and email from user attributes in pending session",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{Username: "attrtotpuser", Password: "password"}
+				loginReq := LoginRequest{Username: "attrtotpuser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 
@@ -388,7 +387,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 
-				totpReq := controller.TotpRequest{Code: code}
+				totpReq := TotpRequest{Code: code}
 				body, err := json.Marshal(totpReq)
 				require.NoError(t, err)
 
@@ -455,7 +454,7 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewUserController(controller.UserControllerInput{
+			NewUserController(UserControllerInput{
 				Log:           log,
 				RuntimeConfig: &runtime,
 				RouterGroup:   group,

internal/controller/well_known_controller_test.go

@@ -1,4 +1,4 @@
-package controller_test
+package controller
 
 import (
 	"context"
@@ -11,7 +11,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
@@ -38,11 +37,11 @@ func TestWellKnownController(t *testing.T) {
 
 				assert.Equal(t, 200, recorder.Code)
 
-				res := controller.OpenIDConnectConfiguration{}
+				res := OpenIDConnectConfiguration{}
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
 				assert.NoError(t, err)
 
-				expected := controller.OpenIDConnectConfiguration{
+				expected := OpenIDConnectConfiguration{
 					Issuer:                                 runtime.AppURL,
 					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
 					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
@@ -109,7 +108,7 @@ func TestWellKnownController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			controller.NewWellKnownController(controller.WellKnownControllerInput{
+			NewWellKnownController(WellKnownControllerInput{
 				OIDCService: oidcService,
 				RouterGroup: &router.RouterGroup,
 			})

internal/middleware/context_middleware_test.go

@@ -1,4 +1,4 @@
-package middleware_test
+package middleware
 
 import (
 	"context"
@@ -12,7 +12,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -278,7 +277,7 @@ func TestContextMiddleware(t *testing.T) {
 		PolicyEngine: policyEngine,
 	})
 
-	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareInput{
+	contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
 		Log:              log,
 		RuntimeConfig:    &runtime,
 		AuthService:      authService,

internal/model/config.go

@@ -28,6 +28,7 @@ func NewDefaultConfiguration() *Config {
 			ACLs: ACLsConfig{
 				Policy: "allow",
 			},
+			LockdownEnabled: true,
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -120,6 +121,7 @@ type AuthConfig struct {
 	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
+	LockdownEnabled    bool                      `description:"Enable lockdown mode after maximum login retries. Lockdown mode limit is calculated automatically." yaml:"lockdownEnabled"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
@@ -178,16 +180,16 @@ type UIConfig struct {
 }
 
 type LDAPConfig struct {
-	Address      	 string `description:"LDAP server address." yaml:"address"`
+	Address          string `description:"LDAP server address." yaml:"address"`
-	BindDN       	 string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
+	BindDN           string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
-	BindPassword  	 string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
+	BindPassword     string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
 	BindPasswordFile string `description:"Path to the Bind password." yaml:"bindPasswordFile"`
-	BaseDN       	 string `description:"Base DN for LDAP searches." yaml:"baseDn"`
+	BaseDN           string `description:"Base DN for LDAP searches." yaml:"baseDn"`
-	Insecure     	 bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
+	Insecure         bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
-	SearchFilter 	 string `description:"LDAP search filter." yaml:"searchFilter"`
+	SearchFilter     string `description:"LDAP search filter." yaml:"searchFilter"`
-	AuthCert     	 string `description:"Certificate for mTLS authentication." yaml:"authCert"`
+	AuthCert         string `description:"Certificate for mTLS authentication." yaml:"authCert"`
-	AuthKey      	 string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
+	AuthKey          string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
-	GroupCacheTTL	 int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
+	GroupCacheTTL    int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 
 type LogConfig struct {

internal/model/context_test.go

@@ -1,4 +1,4 @@
-package model_test
+package model
 
 import (
 	"net/http/httptest"
@@ -7,7 +7,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 
@@ -22,44 +21,44 @@ func TestContext(t *testing.T) {
 
 	tests := []struct {
 		description string
-		context     *model.UserContext
+		context     *UserContext
-		run         func(*testing.T, *model.UserContext) any
+		run         func(*testing.T, *UserContext) any
 		expected    any
 	}{
 		{
 			description: "IsAuthenticated reflects Authenticated field",
-			context:     &model.UserContext{Authenticated: true},
+			context:     &UserContext{Authenticated: true},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.IsAuthenticated() },
+			run:         func(t *testing.T, c *UserContext) any { return c.IsAuthenticated() },
 			expected:    true,
 		},
 		{
 			description: "IsLocal returns true for ProviderLocal",
-			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
+			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLocal() },
+			run:         func(t *testing.T, c *UserContext) any { return c.IsLocal() },
 			expected:    true,
 		},
 		{
 			description: "IsOAuth returns true for ProviderOAuth",
-			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
+			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.IsOAuth() },
+			run:         func(t *testing.T, c *UserContext) any { return c.IsOAuth() },
 			expected:    true,
 		},
 		{
 			description: "IsLDAP returns true for ProviderLDAP",
-			context:     &model.UserContext{Provider: model.ProviderLDAP, LDAP: &model.LDAPContext{}},
+			context:     &UserContext{Provider: ProviderLDAP, LDAP: &LDAPContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLDAP() },
+			run:         func(t *testing.T, c *UserContext) any { return c.IsLDAP() },
 			expected:    true,
 		},
 		{
 			description: "IsBasicAuth returns true for ProviderBasicAuth",
-			context:     &model.UserContext{Provider: model.ProviderBasicAuth, Local: &model.LocalContext{}},
+			context:     &UserContext{Provider: ProviderBasicAuth, Local: &LocalContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.IsBasicAuth() },
+			run:         func(t *testing.T, c *UserContext) any { return c.IsBasicAuth() },
 			expected:    true,
 		},
 		{
 			description: "NewFromSession local session is authenticated and ProviderLocal",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "alice", Email: "alice@example.com", Name: "Alice",
 					Provider: "local",
@@ -67,12 +66,12 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [2]any{got.Provider, got.Authenticated}
 			},
-			expected: [2]any{model.ProviderLocal, true},
+			expected: [2]any{ProviderLocal, true},
 		},
 		{
 			description: "NewFromSession local session with TotpPending is not authenticated",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "bob", Provider: "local", TotpPending: true,
 				})
@@ -83,20 +82,20 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromSession ldap session is ProviderLDAP",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "carol", Provider: "ldap",
 				})
 				require.NoError(t, err)
 				return got.Provider
 			},
-			expected: model.ProviderLDAP,
+			expected: ProviderLDAP,
 		},
 		{
 			description: "NewFromSession unknown provider defaults to OAuth and populates oauth fields",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "dave", Provider: "github",
 					OAuthGroups: "devs,admins", OAuthSub: "sub-123", OAuthName: "GitHub",
@@ -104,126 +103,126 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [5]any{got.Provider, got.OAuth.ID, got.OAuth.Sub, got.OAuth.DisplayName, got.OAuth.Groups}
 			},
-			expected: [5]any{model.ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
+			expected: [5]any{ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
 		},
 		{
 			description: "Local getters return BaseContext fields",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderLocal,
+				Provider: ProviderLocal,
-				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
+				Local:    &LocalContext{BaseContext: BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
 			},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"alice", "alice@example.com", "Alice"},
 		},
 		{
 			description: "BasicAuth getters fall back to local fields",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderBasicAuth,
+				Provider: ProviderBasicAuth,
-				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
+				Local:    &LocalContext{BaseContext: BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
 			},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"bob", "bob@example.com", "Bob"},
 		},
 		{
 			description: "LDAP getters return LDAP fields",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderLDAP,
+				Provider: ProviderLDAP,
-				LDAP:     &model.LDAPContext{BaseContext: model.BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
+				LDAP:     &LDAPContext{BaseContext: BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
 			},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"carol", "carol@example.com", "Carol"},
 		},
 		{
 			description: "OAuth getters return OAuth fields",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderOAuth,
+				Provider: ProviderOAuth,
-				OAuth:    &model.OAuthContext{BaseContext: model.BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
+				OAuth:    &OAuthContext{BaseContext: BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
 			},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"dave", "dave@example.com", "Dave"},
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderLocal",
-			context:     &model.UserContext{Provider: model.ProviderLocal},
+			context:     &UserContext{Provider: ProviderLocal},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderBasicAuth",
-			context:     &model.UserContext{Provider: model.ProviderBasicAuth},
+			context:     &UserContext{Provider: ProviderBasicAuth},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'ldap' for ProviderLDAP",
-			context:     &model.UserContext{Provider: model.ProviderLDAP},
+			context:     &UserContext{Provider: ProviderLDAP},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
 			expected:    "ldap",
 		},
 		{
 			description: "ProviderName returns OAuth provider ID for ProviderOAuth",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderOAuth,
+				Provider: ProviderOAuth,
-				OAuth:    &model.OAuthContext{ID: "github"},
+				OAuth:    &OAuthContext{ID: "github"},
 			},
-			run:      func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			run:      func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
 			expected: "github",
 		},
 		{
 			description: "TOTPPending returns true when local context is pending",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderLocal,
+				Provider: ProviderLocal,
-				Local:    &model.LocalContext{TOTPPending: true},
+				Local:    &LocalContext{TOTPPending: true},
 			},
-			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
 			expected: true,
 		},
 		{
 			description: "TOTPPending returns false when local context is not pending",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderLocal,
+				Provider: ProviderLocal,
-				Local:    &model.LocalContext{TOTPPending: false},
+				Local:    &LocalContext{TOTPPending: false},
 			},
-			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
 			expected: false,
 		},
 		{
 			description: "TOTPPending returns false for non-local providers",
-			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
+			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			run:         func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
 			expected:    false,
 		},
 		{
 			description: "OAuthName returns DisplayName for ProviderOAuth",
-			context: &model.UserContext{
+			context: &UserContext{
-				Provider: model.ProviderOAuth,
+				Provider: ProviderOAuth,
-				OAuth:    &model.OAuthContext{DisplayName: "Google"},
+				OAuth:    &OAuthContext{DisplayName: "Google"},
 			},
-			run:      func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
+			run:      func(t *testing.T, c *UserContext) any { return c.OAuthName() },
 			expected: "Google",
 		},
 		{
 			description: "OAuthName returns empty string for non-oauth providers",
-			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
+			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
-			run:         func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
+			run:         func(t *testing.T, c *UserContext) any { return c.OAuthName() },
 			expected:    "",
 		},
 		{
 			description: "NewFromGin populates context from gin value",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
-				stored := &model.UserContext{
+				stored := &UserContext{
 					Authenticated: true,
-					Provider:      model.ProviderLocal,
+					Provider:      ProviderLocal,
-					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "alice"}},
+					Local:         &LocalContext{BaseContext: BaseContext{Username: "alice"}},
 				}
 				got, err := c.NewFromGin(newGinCtx(stored, true))
 				require.NoError(t, err)
@@ -233,17 +232,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns error when context value is missing",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: model.ErrUserContextNotFound.Error(),
+			expected: ErrUserContextNotFound.Error(),
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				_, err := c.NewFromGin(newGinCtx("not a user context", true))
 				return err.Error()
 			},
@@ -251,17 +250,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns an error when context doesn't include user information",
-			context:     &model.UserContext{},
+			context:     &UserContext{},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
-				_, err := c.NewFromGin(newGinCtx(&model.UserContext{Provider: model.ProviderLocal}, true))
+				_, err := c.NewFromGin(newGinCtx(&UserContext{Provider: ProviderLocal}, true))
 				return err.Error()
 			},
 			expected: "incomplete user context",
 		},
 		{
 			description: "Getters should not panic if provider context is empty",
-			context:     &model.UserContext{Provider: model.ProviderLocal},
+			context:     &UserContext{Provider: ProviderLocal},
-			run: func(t *testing.T, c *model.UserContext) any {
+			run: func(t *testing.T, c *UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"", "", ""},

internal/service/auth_service.go

@@ -2,8 +2,10 @@ package service
 
 import (
 	"context"
+	"crypto/rand"
 	"errors"
 	"fmt"
+	"math/big"
 	"net/http"
 	"strings"
 	"sync"
@@ -25,7 +27,6 @@ import (
 // but for now these are just safety limits to prevent unbounded memory usage
 const MaxOAuthPendingSessions = 256
 const OAuthCleanupCount = 16
-const MaxLoginAttemptRecords = 256
 
 var (
 	ErrUserNotFound = errors.New("user not found")
@@ -81,6 +82,8 @@ type AuthService struct {
 		oauth *CacheStore[OAuthPendingSession]
 		ldap  *CacheStore[[]string]
 	}
+
+	maxLoginLimits int
 }
 
 type AuthServiceInput struct {
@@ -111,9 +114,18 @@ func NewAuthService(i AuthServiceInput) *AuthService {
 		policyEngine: i.PolicyEngine,
 	}
 
+	// get the max login limits based on the number of users and the configured max retries
+	service.maxLoginLimits = service.calculateLockdownLimit()
+
+	loginCacheSize := 0
+
+	if !service.config.Auth.LockdownEnabled {
+		loginCacheSize = service.maxLoginLimits
+	}
+
 	// caches setup
 	oauthCache := NewCacheStore[OAuthPendingSession](256)
-	loginCache := NewCacheStore[LoginAttempt](1024)
+	loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
 	ldapCache := NewCacheStore[[]string](1024)
 
 	service.caches.oauth = oauthCache
@@ -259,7 +271,7 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 		return
 	}
 
-	if auth.caches.login.Size() >= MaxLoginAttemptRecords {
+	if !success && auth.config.Auth.LockdownEnabled && auth.caches.login.Size() >= auth.maxLoginLimits {
 		if locked, _ := auth.IsInLockdown(); locked {
 			return
 		}
@@ -634,16 +646,17 @@ func (auth *AuthService) lockdownMode() {
 		return
 	}
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(auth.ctx)
 
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 
 	auth.lockdown.active = true
 	auth.lockdown.ctx = ctx
 	auth.lockdown.cancelFunc = cancel
-	auth.lockdown.until = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 
-	timer := time.NewTimer(time.Until(auth.lockdown.until))
+	d := time.Duration(auth.config.Auth.LoginTimeout) * time.Second
+	auth.lockdown.until = time.Now().Add(d)
+	timer := time.NewTimer(d)
 
 	auth.lockdown.mu.Unlock()
 
@@ -655,14 +668,13 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
-	case <-auth.ctx.Done():
-		// Service is shutting down, end lockdown
 	}
 
 	auth.lockdown.mu.Lock()
 
 	auth.log.App.Info().Msg("Exiting lockdown mode")
 
+	auth.caches.login.Clear()
 	auth.lockdown.active = false
 	auth.lockdown.until = time.Time{}
 	auth.lockdown.ctx = nil
@@ -685,3 +697,32 @@ func (auth *AuthService) IsInLockdown() (bool, int) {
 func (auth *AuthService) ClearLoginAttempts() {
 	auth.caches.login.Clear()
 }
+
+func (auth *AuthService) calculateLockdownLimit() int {
+	userCount := len(auth.runtime.LocalUsers)
+
+	if auth.ldap != nil {
+		ldapUsers, err := auth.ldap.GetUserCount()
+		if err != nil {
+			auth.log.App.Warn().Err(err).Msg("Failed to get LDAP user count")
+		} else {
+			userCount += ldapUsers
+		}
+	}
+
+	limit := userCount * auth.config.Auth.LoginMaxRetries
+
+	jitter, err := rand.Int(rand.Reader, big.NewInt(64))
+
+	if err != nil {
+		auth.log.App.Warn().Err(err).Msg("Failed to generate jitter for lockdown limit")
+	} else {
+		limit += int(jitter.Int64())
+	}
+
+	if limit < 256 {
+		limit = 256
+	}
+
+	return limit
+}

internal/service/ldap_service.go

@@ -169,6 +169,26 @@ func (ldap *LdapService) GetUserInfo(username string) (dn string, email string,
 	return entry.DN, entry.GetAttributeValue("mail"), nil
 }
 
+func (ldap *LdapService) GetUserCount() (int, error) {
+	searchRequest := ldapgo.NewSearchRequest(
+		ldap.config.LDAP.BaseDN,
+		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
+		"(objectClass=person)",
+		[]string{"dn"},
+		nil,
+	)
+
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
+	searchResult, err := ldap.conn.Search(searchRequest)
+	if err != nil {
+		return 0, err
+	}
+
+	return len(searchResult.Entries), nil
+}
+
 func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	escapedUserDN := ldapgo.EscapeFilter(userDN)
 

internal/service/oidc_service_test.go

@@ -1,4 +1,4 @@
-package service_test
+package service
 
 import (
 	"context"
@@ -10,12 +10,11 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
-	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-func newTestUser() service.UserinfoResponse {
+func newTestUser() UserinfoResponse {
-	return service.UserinfoResponse{
+	return UserinfoResponse{
 		Sub:               "test-sub",
 		Name:              "Test User",
 		PreferredUsername: "testuser",
@@ -70,7 +69,7 @@ func TestCompileUserinfo(t *testing.T) {
 
 	store := memory.New()
 
-	svc, err := service.NewOIDCService(service.OIDCServiceInput{
+	svc, err := NewOIDCService(OIDCServiceInput{
 		Log:     log,
 		Config:  &cfg,
 		Runtime: &runtime,
@@ -81,16 +80,16 @@ func TestCompileUserinfo(t *testing.T) {
 
 	type testCase struct {
 		description string
-		mutate      func(u *service.UserinfoResponse)
+		mutate      func(u *UserinfoResponse)
 		scope       string
-		run         func(t *testing.T, info service.UserinfoResponse)
+		run         func(t *testing.T, info UserinfoResponse)
 	}
 
 	tests := []testCase{
 		{
 			description: "openid scope only returns sub and updated_at",
 			scope:       "openid",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, "test-sub", info.Sub)
 				assert.Equal(t, int64(1234567890), info.UpdatedAt)
 				assert.Empty(t, info.Name)
@@ -103,7 +102,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "profile scope returns all profile fields",
 			scope:       "openid profile",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "testuser", info.PreferredUsername)
 				assert.Equal(t, "Test", info.GivenName)
@@ -123,7 +122,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "email scope sets email and email_verified true when email present",
 			scope:       "openid email",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.True(t, info.EmailVerified)
 				assert.Empty(t, info.Name)
@@ -132,8 +131,8 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "email scope sets email_verified false when email absent",
 			scope:       "openid email",
-			mutate:      func(u *service.UserinfoResponse) { u.Email = "" },
+			mutate:      func(u *UserinfoResponse) { u.Email = "" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Empty(t, info.Email)
 				assert.False(t, info.EmailVerified)
 			},
@@ -141,7 +140,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "phone scope sets phone_number_verified true when phone present",
 			scope:       "openid phone",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.True(t, *info.PhoneNumberVerified)
@@ -150,8 +149,8 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "phone scope sets phone_number_verified false when phone absent",
 			scope:       "openid phone",
-			mutate:      func(u *service.UserinfoResponse) { u.PhoneNumber = "" },
+			mutate:      func(u *UserinfoResponse) { u.PhoneNumber = "" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.False(t, *info.PhoneNumberVerified)
 			},
@@ -159,7 +158,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "address scope returns parsed address",
 			scope:       "openid address",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				require.NotNil(t, info.Address)
 				assert.Equal(t, "123 Main St", info.Address.Formatted)
 				assert.Equal(t, "123 Main St", info.Address.StreetAddress)
@@ -172,14 +171,14 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "groups scope returns split groups",
 			scope:       "openid groups",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, []string{"admins", "users"}, info.Groups)
 			},
 		},
 		{
 			description: "all scopes return all fields",
 			scope:       "openid profile email phone address groups",
-			run: func(t *testing.T, info service.UserinfoResponse) {
+			run: func(t *testing.T, info UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.Equal(t, "+15555550100", info.PhoneNumber)

internal/service/policy_engine_test.go

@@ -1,10 +1,9 @@
-package service_test
+package service
 
 import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -12,14 +11,14 @@ import (
 // Create test rule
 type TestRule struct{}
 
-func (rule *TestRule) Evaluate(ctx *service.ACLContext) service.Effect {
+func (rule *TestRule) Evaluate(ctx *ACLContext) Effect {
 	switch ctx.Path {
 	case "/allowed":
-		return service.EffectAllow
+		return EffectAllow
 	case "/denied":
-		return service.EffectDeny
+		return EffectDeny
 	default:
-		return service.EffectAbstain
+		return EffectAbstain
 	}
 }
 
@@ -33,32 +32,32 @@ func TestPolicyEngine(t *testing.T) {
 
 	// Engine should fail with invalid policy
 	cfg.Auth.ACLs.Policy = "invalid_policy"
-	_, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	_, err := NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.Error(t, err)
 
 	// Engine should initialize with 'allow' policy
-	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(PolicyAllow)
-	engine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err := NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
-	assert.Equal(t, service.PolicyAllow, engine.Policy())
+	assert.Equal(t, PolicyAllow, engine.Policy())
 
 	// Engine should initialize with 'deny' policy
-	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(PolicyDeny)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})
 	assert.NoError(t, err)
-	assert.Equal(t, service.PolicyDeny, engine.Policy())
+	assert.Equal(t, PolicyDeny, engine.Policy())
 
 	// Engine should allow adding rules
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})
@@ -68,8 +67,8 @@ func TestPolicyEngine(t *testing.T) {
 	assert.True(t, ok)
 
 	// Begin allow policy tests
-	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(PolicyAllow)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})
@@ -77,7 +76,7 @@ func TestPolicyEngine(t *testing.T) {
 	engine.RegisterRule("test-rule", testRule)
 
 	// With allow policy, if rule allows, access should be allowed
-	ctx := &service.ACLContext{Path: "/allowed"}
+	ctx := &ACLContext{Path: "/allowed"}
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 
 	// With allow policy, if rule denies, access should be denied
@@ -89,8 +88,8 @@ func TestPolicyEngine(t *testing.T) {
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 
 	// Begin deny policy tests
-	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(PolicyDeny)
-	engine, err = service.NewPolicyEngine(service.PolicyEngineInput{
+	engine, err = NewPolicyEngine(PolicyEngineInput{
 		Log:    log,
 		Config: &cfg,
 	})

internal/service/tailscale_service.go

@@ -138,8 +138,6 @@ func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleW
 		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
 	}
 
-	ts.log.App.Debug().Interface("res", res).Msg("tailscale")
-
 	return &res, nil
 }
 

internal/test/test.go

@@ -121,6 +121,10 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 		CookieDomain:      "example.com",
 		AppURL:            "https://tinyauth.example.com",
 		SessionCookieName: "tinyauth-session",
+		TrustedDomains: []string{
+			"https://tinyauth.example.com",
+			"https://tinyauth.foo.com",
+		},
 	}
 
 	return config, runtime

internal/utils/app_utils.go

@@ -2,7 +2,6 @@ package utils
 
 import (
 	"errors"
-	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -88,23 +87,3 @@ func Filter[T any](slice []T, test func(T) bool) (res []T) {
 	}
 	return res
 }
-
-func IsRedirectSafe(redirectURL string, domain string) bool {
-	if redirectURL == "" {
-		return false
-	}
-
-	parsed, err := url.Parse(redirectURL)
-
-	if err != nil {
-		return false
-	}
-
-	hostname := parsed.Hostname()
-
-	if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
-		return true
-	}
-
-	return hostname == domain
-}

internal/utils/app_utils_test.go

@@ -126,61 +126,6 @@ func TestFilter(t *testing.T) {
 	assert.Equal(t, expectedStr, resultStr)
 }
 
-func TestIsRedirectSafe(t *testing.T) {
-	// Setup
-	domain := "example.com"
-
-	// Case with no subdomain
-	redirectURL := "http://example.com/welcome"
-	result := utils.IsRedirectSafe(redirectURL, domain)
-	assert.True(t, result)
-
-	// Case with different domain
-	redirectURL = "http://malicious.com/phishing"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.False(t, result)
-
-	// Case with subdomain
-	redirectURL = "http://sub.example.com/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.True(t, result)
-
-	// Case with sub-subdomain
-	redirectURL = "http://a.b.example.com/home"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.True(t, result)
-
-	// Case with empty redirect URL
-	redirectURL = ""
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.False(t, result)
-
-	// Case with invalid URL
-	redirectURL = "http://[::1]:namedport"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.False(t, result)
-
-	// Case with URL having port
-	redirectURL = "http://sub.example.com:8080/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.True(t, result)
-
-	// Case with URL having different subdomain
-	redirectURL = "http://another.example.com/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.True(t, result)
-
-	// Case with URL having different TLD
-	redirectURL = "http://example.org/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.False(t, result)
-
-	// Case with malicious domain
-	redirectURL = "https://malicious-example.com/yoyo"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.False(t, result)
-}
-
 func TestGetStandaloneCookieDomain(t *testing.T) {
 	// Normal case
 	domain := "http://tinyauth.app"