Validate GODOXY_LOCAL_API_ADDR before starting the unauthenticated local
API. Loopback listeners still succeed by default; addresses that bind
all interfaces, unspecified IPs, LAN hosts, or non-loopback names need
GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK=true.
When that opt-in is set and the host is not loopback, log a warning so
non-local exposure is obvious. Wire common.LocalAPIAllowNonLoopback from
LOCAL_API_ALLOW_NON_LOOPBACK and document it (with a risk note) in
.env.example.
Add TestValidateLocalAPIAddr for loopback, wildcard, LAN, and hostname
cases with the allow flag on and off.
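The loopback-or-opt-in check described in the commit message above, as an added Go example (not the project's own code). The function name `checkLocalAPIAddr`, the error value and the sample addresses are assumptions, and hostnames other than `localhost` are treated as non-loopback without DNS resolution.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// errNonLoopback (hypothetical) marks a bind address reachable beyond the local host.
var errNonLoopback = errors.New("not loopback; set GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK=true to allow")

// isLoopbackHost reports whether host is a loopback IP or the literal "localhost".
// Other hostnames are never resolved, because a DNS answer can change after the check.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// checkLocalAPIAddr (hypothetical name) validates a host:port listen address.
// warn is true when a non-loopback bind was accepted only because of the opt-in.
func checkLocalAPIAddr(addr string, allowNonLoopback bool) (warn bool, err error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, fmt.Errorf("invalid local API address %q: %w", addr, err)
	}
	// An empty host (":8888") binds all interfaces, so it falls through as non-loopback.
	if isLoopbackHost(host) {
		return false, nil
	}
	if !allowNonLoopback {
		return false, fmt.Errorf("local API address %q: %w", addr, errNonLoopback)
	}
	return true, nil
}

func main() {
	// Constructed sample addresses covering loopback, wildcard, LAN and hostname cases.
	for _, a := range []string{"127.0.0.1:8888", "[::1]:8888", ":8888", "192.168.1.10:8888", "proxy.lan:8888"} {
		warn, err := checkLocalAPIAddr(a, false)
		fmt.Printf("%-20s warn=%v err=%v\n", a, warn, err)
	}
}
```

A caller would log the warning when `warn` is true and refuse to start the listener when `err` is non-nil.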
* implement OIDC middleware
* auth code cleanup
* allow override allowed_user in middleware, fix typos
* fix tests and callbackURL
* update next release docs
* fix OIDC middleware not working with Authentik
* feat: add groups support for OIDC claims (#41)
Allow users to specify allowed groups in the env and use it to inspect the claims.
This performs a logical AND of users and groups (additive).
* merge feat/oidc-middleware (#49)
* api: enrich provider statistics
* fix: docker monitor now uses container status
* Feat/auto schemas (#48)
* use auto generated schemas
* go version bump and dependencies upgrade
* clarify some error messages
---------
Co-authored-by: yusing <yusing@6uo.me>
* cleanup some loadbalancer code
* api: cleanup websocket code
* api: add /v1/health/ws for health bubbles on dashboard
* feat: experimental memory logger and logs api for WebUI
---------
Co-authored-by: yusing <yusing@6uo.me>
---------
Co-authored-by: yusing <yusing@6uo.me>
Co-authored-by: Peter Olds <peter@olds.co>
This allows the API to trigger an OAuth workflow to create the JWT for authentication. For now the workflow is triggered by manually visiting `/api/login/oidc` on the frontend app until the UI repo is updated to add support.
Co-authored-by: Peter Olds <peter@olds.co>