Merge branch 'main' of https://github.com/steveiliop56/tinyauth

steveiliop56 · steveiliop56 · commit 986ac88e14f0 · 2025-12-29T19:46:38.000+02:00
diff --git a/internal/assets/migrations/000003_oauth_sub.down.sql b/internal/assets/migrations/000003_oauth_sub.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "sessions" DROP COLUMN "oauth_sub";
diff --git a/internal/assets/migrations/000003_oauth_sub.up.sql b/internal/assets/migrations/000003_oauth_sub.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -79,6 +79,7 @@ const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 
 type Claims struct {
+	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
@@ -125,6 +126,7 @@ type SessionCookie struct {
 	TotpPending bool
 	OAuthGroups string
 	OAuthName   string
+	OAuthSub    string
 }
 
 type UserContext struct {
@@ -138,6 +140,7 @@ type UserContext struct {
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
+	OAuthSub    string
 }
 
 // API responses and queries
diff --git a/internal/controller/context_controller.go b/internal/controller/context_controller.go
@@ -21,6 +21,7 @@ type UserContextResponse struct {
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
+	OAuthSub    string `json:"oauthSub"`
 }
 
 type AppContextResponse struct {
@@ -89,6 +90,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
+		OAuthSub:    context.OAuthSub,
 	}
 
 	if err != nil {
diff --git a/internal/controller/context_controller_test.go b/internal/controller/context_controller_test.go
@@ -44,6 +44,7 @@ var userContext = config.UserContext{
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
+	OAuthSub:    "",
 }
 
 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
@@ -197,6 +197,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
+		OAuthSub:    user.Sub,
 	}
 
 	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
diff --git a/internal/controller/proxy_controller.go b/internal/controller/proxy_controller.go
@@ -239,6 +239,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
 
 		controller.setHeaders(c, acls)
 
diff --git a/internal/middleware/context_middleware.go b/internal/middleware/context_middleware.go
@@ -99,6 +99,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
 				OAuthName:   cookie.OAuthName,
+				OAuthSub:    cookie.OAuthSub,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})
diff --git a/internal/model/session_model.go b/internal/model/session_model.go
@@ -10,4 +10,5 @@ type Session struct {
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
 	OAuthName   string `gorm:"column:oauth_name"`
+	OAuthSub    string `gorm:"column:oauth_sub"`
 }
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
@@ -213,6 +213,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
 		OAuthName:   data.OAuthName,
+		OAuthSub:    data.OAuthSub,
 	}
 
 	err = gorm.G[model.Session](auth.database).Create(c, &session)
@@ -314,6 +315,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
 		OAuthName:   session.OAuthName,
+		OAuthSub:    session.OAuthSub,
 	}, nil
 }
 
diff --git a/internal/service/github_oauth_service.go b/internal/service/github_oauth_service.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
@@ -27,6 +28,7 @@ type GithubEmailResponse []struct {
 type GithubUserInfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
+	ID    int    `json:"id"`
 }
 
 type GithubOAuthService struct {
@@ -172,6 +174,7 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {
 
 	user.PreferredUsername = userInfo.Login
 	user.Name = userInfo.Name
+	user.Sub = strconv.Itoa(userInfo.ID)
 
 	return user, nil
 }
diff --git a/internal/service/google_oauth_service.go b/internal/service/google_oauth_service.go
@@ -17,12 +17,7 @@ import (
 	"golang.org/x/oauth2/endpoints"
 )
 
-var GoogleOAuthScopes = []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
-
-type GoogleUserInfoResponse struct {
-	Email string `json:"email"`
-	Name  string `json:"name"`
-}
+var GoogleOAuthScopes = []string{"openid", "email", "profile"}
 
 type GoogleOAuthService struct {
 	config   oauth2.Config
@@ -91,7 +86,7 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 
 	client := google.config.Client(google.context, google.token)
 
-	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
+	res, err := client.Get("https://openidconnect.googleapis.com/v1/userinfo")
 	if err != nil {
 		return config.Claims{}, err
 	}
@@ -106,16 +101,12 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {
 		return config.Claims{}, err
 	}
 
-	var userInfo GoogleUserInfoResponse
-
-	err = json.Unmarshal(body, &userInfo)
+	err = json.Unmarshal(body, &user)
 	if err != nil {
 		return config.Claims{}, err
 	}
 
-	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
-	user.Name = userInfo.Name
-	user.Email = userInfo.Email
+	user.PreferredUsername = strings.SplitN(user.Email, "@", 2)[0]
 
 	return user, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE "sessions" DROP COLUMN "oauth_sub";`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ type UserContextResponse struct {`
`21`	`21`	OAuth bool `json:"oauth"`
`22`	`22`	TotpPending bool `json:"totpPending"`
`23`	`23`	OAuthName string `json:"oauthName"`
	`24`	+ OAuthSub string `json:"oauthSub"`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`type AppContextResponse struct {`
`@@ -89,6 +90,7 @@ func (controller ContextController) userContextHandler(c gin.Context) {`
`89`	`90`	`OAuth: context.OAuth,`
`90`	`91`	`TotpPending: context.TotpPending,`
`91`	`92`	`OAuthName: context.OAuthName,`
	`93`	`+ OAuthSub: context.OAuthSub,`
`92`	`94`	`}`
`93`	`95`
`94`	`96`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ var userContext = config.UserContext{`
`44`	`44`	`TotpPending: false,`
`45`	`45`	`OAuthGroups: "",`
`46`	`46`	`TotpEnabled: false,`
	`47`	`+ OAuthSub: "",`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`func setupContextController(middlewares []gin.HandlerFunc) (gin.Engine, *httptest.ResponseRecorder) {`
Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,7 @@ func (controller OAuthController) oauthCallbackHandler(c gin.Context) {`
`197`	`197`	`Provider: req.Provider,`
`198`	`198`	`OAuthGroups: utils.CoalesceToString(user.Groups),`
`199`	`199`	`OAuthName: service.GetName(),`
	`200`	`+ OAuthSub: user.Sub,`
`200`	`201`	`}`
`201`	`202`
`202`	`203`	`log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")`
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,5 @@ type Session struct {`
`10`	`10`	OAuthGroups string `gorm:"column:oauth_groups"`
`11`	`11`	Expiry int64 `gorm:"column:expiry"`
`12`	`12`	OAuthName string `gorm:"column:oauth_name"`
	`13`	+ OAuthSub string `gorm:"column:oauth_sub"`
`13`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,7 @@ func (auth AuthService) CreateSessionCookie(c gin.Context, data *config.Sessio`
`213`	`213`	`OAuthGroups: data.OAuthGroups,`
`214`	`214`	`Expiry: time.Now().Add(time.Duration(expiry) * time.Second).Unix(),`
`215`	`215`	`OAuthName: data.OAuthName,`
	`216`	`+ OAuthSub: data.OAuthSub,`
`216`	`217`	`}`
`217`	`218`
`218`	`219`	`err = gorm.G[model.Session](auth.database).Create(c, &session)`
`@@ -314,6 +315,7 @@ func (auth AuthService) GetSessionCookie(c gin.Context) (config.SessionCookie,`
`314`	`315`	`TotpPending: session.TOTPPending,`
`315`	`316`	`OAuthGroups: session.OAuthGroups,`
`316`	`317`	`OAuthName: session.OAuthName,`
	`318`	`+ OAuthSub: session.OAuthSub,`
`317`	`319`	`}, nil`
`318`	`320`	`}`
`319`	`321`