Compare commits

..

3 Commits

Author SHA1 Message Date
Stavros 1fcac1b2f7 feat: automatically generate context ignore paths 2026-06-30 17:56:48 +03:00
Stavros ffafb5bff5 feat: add a reconnect to the initial ldap connection (#928) 2026-06-30 15:57:41 +03:00
Stavros bb867ea5f4 docs: update readme with openid certification badge 2026-06-29 01:35:06 +03:00
26 changed files with 206 additions and 40 deletions
+3 -3
View File
@@ -36,9 +36,9 @@ jobs:
- name: Check codegen is up to date
run: |
sqlc generate
go generate ./internal/repository/...
git diff --exit-code -- internal/repository/
git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
go generate ./...
git diff --exit-code
git status --porcelain | grep -q . && echo "untracked files in git diff" && exit 1 || true
- name: Install frontend dependencies
working-directory: ./frontend
+1 -2
View File
@@ -94,5 +94,4 @@ sql:
# Go gen
generate:
go run ./gen
go generate ./internal/repository/...
go generate ./...
+5 -1
View File
@@ -1,7 +1,7 @@
<div align="center">
<img alt="Tinyauth" title="Tinyauth" width="96" src="assets/logo-rounded.png">
<h1>Tinyauth</h1>
<p>The tiniest authentication and authorization server you have ever seen.</p>
<p>The tiniest OpenID Certified™ authorization and authentication server you have ever seen.</p>
</div>
<div align="center">
@@ -28,6 +28,10 @@ Tinyauth is the simplest and tiniest authentication and authorization server you
> [!NOTE]
> This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
As of 2026-06-25, Tinyauth v5.1.0 is OpenID Certified™ for Basic OP. You can find the certification details [here](https://openid.net/certification-old/certified-openid-providers-profiles/), test suite available [here](https://www.certification.openid.net/plan-detail.html?public=true&plan=H0qhpsOcQkxUE).
<img alt="OpenID Certified" width="200" src="https://openid.net/wordpress-content/uploads/2016/05/oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg" />
## Getting Started
You can get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker-compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities (keep in mind that this file lives in the development branch so it may have updates that are not yet released).
+131
View File
@@ -0,0 +1,131 @@
// gen/context_paths generates the ignore paths for the user context since
// gin will not less apply the middleware to only specific paths.
//
// The generator reads every controller and looks for the //context:ignore comment.
// The format for the context ignore comment is:
//
// //contxt:ignore /api/mypath GET,POST
package main
import (
"bytes"
"fmt"
"go/format"
"os"
"strings"
"text/template"
_ "embed"
"golang.org/x/tools/go/packages"
)
//go:embed paths.tmpl
var pathsTmplSrc string
var pathsTmpl = template.Must(template.New("paths").Parse(pathsTmplSrc))
func main() {
if err := run(); err != nil {
fmt.Printf("Failed to generate: %s", err.Error())
os.Exit(1)
}
}
func run() error {
// load pkg
pkgConfig := &packages.Config{
Mode: packages.NeedFiles,
}
pkgs, err := packages.Load(pkgConfig, "github.com/tinyauthapp/tinyauth/internal/controller")
if err != nil {
return fmt.Errorf("failed to load pkg: %w", err)
}
if len(pkgs) == 0 {
return fmt.Errorf("failed to get controllers package")
}
pkg := pkgs[0]
// for each file we check the comments and either add or remove the context
var contextIgnorePaths []string
for _, gofile := range pkg.GoFiles {
// read the file
file, err := os.ReadFile(gofile)
if err != nil {
fmt.Printf("Failed to read %s, ignoring", gofile)
continue
}
// get the comment lines
lines := strings.SplitSeq(string(file), "\n")
for line := range lines {
if !strings.HasPrefix(strings.TrimSpace(line), "//context:ignore") {
continue
}
path, methods, ok := parseContextIgnoreLine(line)
if !ok {
fmt.Printf("Failed to parse %s rule, ignore", line)
continue
}
for _, m := range methods {
contextIgnorePaths = append(contextIgnorePaths, m+" "+path)
}
}
}
// generate out
type tmplData struct {
IgnorePaths []string
}
var buf bytes.Buffer
if err := pathsTmpl.Execute(&buf, tmplData{
IgnorePaths: contextIgnorePaths,
}); err != nil {
return err
}
formatted, err := format.Source(buf.Bytes())
if err != nil {
return fmt.Errorf("gofmt failed: %w", err)
}
// write out
err = os.WriteFile("context_paths.go", formatted, 0666)
if err != nil {
return fmt.Errorf("failed to write out: %w", err)
}
return nil
}
func parseContextIgnoreLine(line string) (string, []string, bool) {
line = strings.TrimPrefix(line, "//context:ignore ")
path, methodStr, ok := strings.Cut(line, " ")
if !ok {
return "", []string{}, false
}
var methodsParsed []string
methodParts := strings.SplitSeq(methodStr, ",")
for m := range methodParts {
if strings.TrimSpace(m) == "" {
continue
}
m = strings.ToUpper(m)
methodsParsed = append(methodsParsed, m)
}
return path, methodsParsed, true
}
+6
View File
@@ -0,0 +1,6 @@
// Code generated by gen/context_paths. DO NOT EDIT.
package middleware
var contextSkipPathsPrefix = []string{
{{range .IgnorePaths}}"{{.}}",
{{end}}}
+6
View File
@@ -1,3 +1,9 @@
// gen/docs generates the .env.example and config.gen.md
// files for the configuration of Tinyauth. Run via:
//
// The generator reads the Tinyauth configuration package and using reflection it generates the
// example files. The .env.example is used in this repo while the config.gen.md is used in the
// documentaton alongside some warnings that are added later.
package main
import (
@@ -1,7 +1,5 @@
// gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
// internal/repository/<driver>/. Run via:
//
// go generate ./internal/repository/...
// gen/sqlc_wrapper generates store.go wrapper files for each sqlc driver package under
// internal/repository/<driver>/.
//
// The generator introspects *Queries methods and the model/params types in the
// driver package, then emits a store.go that wraps *Queries so it satisfies
@@ -1,4 +1,4 @@
// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
// Code generated by cmd/gen/sqlc_wrapper. DO NOT EDIT.
package {{.PkgName}}
import (
+3
View File
@@ -0,0 +1,3 @@
package docs
//go:generate go run github.com/tinyauthapp/tinyauth/gen/docs
@@ -147,6 +147,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
c.JSON(200, userContext)
}
//context:ignore /api/context/app GET
func (controller *ContextController) appContextHandler(c *gin.Context) {
c.JSON(200, AppContextResponse{
Status: 200,
+1
View File
@@ -23,6 +23,7 @@ func NewHealthController(i HealthControllerInput) *HealthController {
return controller
}
//context:ignore /api/healthz GET,HEAD
func (controller *HealthController) healthHandler(c *gin.Context) {
c.JSON(200, gin.H{
"status": 200,
+2
View File
@@ -54,6 +54,7 @@ func NewOAuthController(i OAuthControllerInput) *OAuthController {
return controller
}
//context:ignore /api/oauth/url GET
func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
var req OAuthRequest
@@ -118,6 +119,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
})
}
//context:ignore /api/oauth/callback GET
func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
var req OAuthRequest
+2
View File
@@ -367,6 +367,7 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
})
}
//context:ignore /api/oidc/token POST
func (controller *OIDCController) Token(c *gin.Context) {
if controller.oidc == nil {
controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
@@ -538,6 +539,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
c.JSON(200, tokenResponse)
}
//context:ignore /api/oidc/userinfo GET,POST
func (controller *OIDCController) Userinfo(c *gin.Context) {
if controller.oidc == nil {
controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
@@ -33,6 +33,7 @@ func NewResourcesController(i ResourcesControllerInput) *ResourcesController {
return controller
}
//context:ignore /resources GET
func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
if controller.config.Resources.Path == "" {
c.JSON(404, gin.H{
+1
View File
@@ -57,6 +57,7 @@ func NewUserController(i UserControllerInput) *UserController {
return controller
}
//context:ignore /api/user/login POST
func (controller *UserController) loginHandler(c *gin.Context) {
var req LoginRequest
@@ -65,6 +65,7 @@ func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {
return controller
}
//context:ignore /.well-known/openid-configuration GET
func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
if controller.oidc == nil {
c.JSON(500, gin.H{
@@ -94,6 +95,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
})
}
//context:ignore /.well-known/jwks.json GET
func (controller *WellKnownController) JWKS(c *gin.Context) {
if controller.oidc == nil {
c.JSON(500, gin.H{
@@ -122,6 +124,7 @@ func (controller *WellKnownController) JWKS(c *gin.Context) {
c.Status(http.StatusOK)
}
//context:ignore /.well-known/webfinger GET
func (controller *WellKnownController) WebFinger(c *gin.Context) {
c.Header("Content-Type", "application/jrd+json")
c.Header("Access-Control-Allow-Origin", "*")
-20
View File
@@ -16,26 +16,6 @@ import (
"github.com/gin-gonic/gin"
)
// Gin won't let us set a middleware on a specific route (at least it doesn't work,
// see https://github.com/gin-gonic/gin/issues/531) so we have to do some hackery
var (
contextSkipPathsPrefix = []string{
"GET /api/context/app",
"GET /api/healthz",
"HEAD /api/healthz",
"GET /api/oauth/url",
"GET /api/oauth/callback",
"GET /api/oidc/clients",
"POST /api/oidc/token",
"GET /api/oidc/userinfo",
"POST /api/oidc/userinfo",
"GET /resources",
"POST /api/user/login",
"GET /.well-known/openid-configuration",
"GET /.well-known/jwks.json",
}
)
type ContextMiddleware struct {
log *logger.Logger
runtime *model.RuntimeConfig
+18
View File
@@ -0,0 +1,18 @@
// Code generated by gen/context_paths. DO NOT EDIT.
package middleware
var contextSkipPathsPrefix = []string{
"GET /api/context/app",
"GET /api/healthz",
"HEAD /api/healthz",
"GET /api/oauth/url",
"GET /api/oauth/callback",
"POST /api/oidc/token",
"GET /api/oidc/userinfo",
"POST /api/oidc/userinfo",
"GET /resources",
"POST /api/user/login",
"GET /.well-known/openid-configuration",
"GET /.well-known/jwks.json",
"GET /.well-known/webfinger",
}
+3
View File
@@ -0,0 +1,3 @@
package middleware
//go:generate go run github.com/tinyauthapp/tinyauth/gen/context_paths
+1 -1
View File
@@ -1,3 +1,3 @@
package postgres
//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres
//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc_wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres
+1 -1
View File
@@ -1,4 +1,4 @@
// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
// Code generated by cmd/gen/sqlc_wrapper. DO NOT EDIT.
package postgres
import (
+1 -1
View File
@@ -1,3 +1,3 @@
package sqlite
//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite
//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc_wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite
+1 -1
View File
@@ -1,4 +1,4 @@
// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
// Code generated by cmd/gen/sqlc_wrapper. DO NOT EDIT.
package sqlite
import (
+12 -5
View File
@@ -18,6 +18,7 @@ import (
type LdapService struct {
log *logger.Logger
ctx context.Context
config *model.Config
conn *ldapgo.Conn
@@ -32,6 +33,7 @@ type LdapServiceInput struct {
Log *logger.Logger
Config *model.Config
Ding *ding.Ding
Ctx context.Context
}
func NewLdapService(i LdapServiceInput) (*LdapService, error) {
@@ -42,6 +44,7 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
ldap := &LdapService{
log: i.Log,
config: i.Config,
ctx: i.Ctx,
}
ldap.bindPw = utils.GetSecret(i.Config.LDAP.BindPassword, i.Config.LDAP.BindPasswordFile)
@@ -73,6 +76,8 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
_, err := ldap.connect()
if err != nil {
// 3s + 4.5s (3x1.5) = ~6.75-8.25s total wait time before giving up
err = ldap.reconnect(3 * time.Second)
return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
}
@@ -88,7 +93,7 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
err := ldap.heartbeat()
if err != nil {
ldap.log.App.Warn().Err(err).Msg("LDAP connection heartbeat failed, attempting to reconnect")
if reconnectErr := ldap.reconnect(); reconnectErr != nil {
if reconnectErr := ldap.reconnect(1 * time.Second); reconnectErr != nil {
ldap.log.App.Error().Err(reconnectErr).Msg("Failed to reconnect to LDAP server")
continue
}
@@ -276,17 +281,19 @@ func (ldap *LdapService) heartbeat() error {
return nil
}
func (ldap *LdapService) reconnect() error {
func (ldap *LdapService) reconnect(interval time.Duration) error {
ldap.log.App.Info().Msg("Attempting to reconnect to LDAP server")
exp := backoff.NewExponentialBackOff()
exp.InitialInterval = 500 * time.Millisecond
exp.InitialInterval = interval
exp.RandomizationFactor = 0.1
exp.Multiplier = 1.5
exp.Reset()
operation := func() (*ldapgo.Conn, error) {
ldap.conn.Close()
if ldap.conn != nil {
ldap.conn.Close()
}
conn, err := ldap.connect()
if err != nil {
return nil, err
@@ -294,7 +301,7 @@ func (ldap *LdapService) reconnect() error {
return conn, nil
}
_, err := backoff.Retry(context.TODO(), operation, backoff.WithBackOff(exp), backoff.WithMaxTries(3))
_, err := backoff.Retry(ldap.ctx, operation, backoff.WithBackOff(exp), backoff.WithMaxTries(3))
if err != nil {
return err