From 13032e564d10ab85c23061124dc1e9117b9a602a Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Fri, 25 Apr 2025 15:02:34 +0300
Subject: [PATCH 1/7] refactor: return all values from body in the providers

---
 internal/handlers/handlers.go   | 19 +++++++++----
 internal/providers/generic.go   | 21 ++++++--------
 internal/providers/github.go    | 16 +++++++----
 internal/providers/google.go    | 23 ++++++----------
 internal/providers/providers.go | 49 +++++++++++++++++----------------
 5 files changed, 67 insertions(+), 61 deletions(-)

diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 6e80851f..c873d9fb 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -613,14 +613,23 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	// Get email
-	email, err := h.Providers.GetUser(providerName.Provider)
-
-	log.Debug().Str("email", email).Msg("Got email")
+	// Get user
+	user, err := h.Providers.GetUser(providerName.Provider)
 
 	// Handle error
 	if err != nil {
-		log.Error().Msg("Failed to get email")
+		log.Error().Msg("Failed to get user")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Msg("Got user")
+
+	// Get email
+	email, ok := user["email"].(string)
+
+	if !ok {
+		log.Error().Msg("Failed to get email from user")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
diff --git a/internal/providers/generic.go b/internal/providers/generic.go
index 798b039d..084d5fbc 100644
--- a/internal/providers/generic.go
+++ b/internal/providers/generic.go
@@ -8,18 +8,16 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-// We are assuming that the generic provider will return a JSON object with an email field
-type GenericUserInfoResponse struct {
-	Email string `json:"email"`
-}
+func GetGenericUser(client *http.Client, url string) (map[string]interface{}, error) {
+	// Create user struct
+	user := make(map[string]interface{})
 
-func GetGenericEmail(client *http.Client, url string) (string, error) {
 	// Using the oauth client get the user info url
 	res, err := client.Get(url)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Got response from generic provider")
@@ -29,24 +27,21 @@ func GetGenericEmail(client *http.Client, url string) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Read body from generic provider")
 
-	// Parse the body into a user struct
-	var user GenericUserInfoResponse
-
 	// Unmarshal the body into the user struct
 	err = json.Unmarshal(body, &user)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed user from generic provider")
 
-	// Return the email
-	return user.Email, nil
+	// Return the user
+	return user, nil
 }
diff --git a/internal/providers/github.go b/internal/providers/github.go
index 010e799c..3c1a59c8 100644
--- a/internal/providers/github.go
+++ b/internal/providers/github.go
@@ -20,13 +20,16 @@ func GithubScopes() []string {
 	return []string{"user:email"}
 }
 
-func GetGithubEmail(client *http.Client) (string, error) {
+func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
+	// Create user struct
+	user := make(map[string]interface{})
+
 	// Get the user emails from github using the oauth http client
 	res, err := client.Get("https://api.github.com/user/emails")
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Got response from github")
@@ -36,7 +39,7 @@ func GetGithubEmail(client *http.Client) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Read body from github")
@@ -49,7 +52,7 @@ func GetGithubEmail(client *http.Client) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed emails from github")
@@ -57,10 +60,11 @@ func GetGithubEmail(client *http.Client) (string, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
-			return email.Email, nil
+			user["email"] = email.Email
+			return user, nil
 		}
 	}
 
 	// User does not have a primary email?
-	return "", errors.New("no primary email found")
+	return user, errors.New("no primary email found")
 }
diff --git a/internal/providers/google.go b/internal/providers/google.go
index ba5c8b44..9785586a 100644
--- a/internal/providers/google.go
+++ b/internal/providers/google.go
@@ -8,23 +8,21 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-// Google works the same as the generic provider
-type GoogleUserInfoResponse struct {
-	Email string `json:"email"`
-}
-
 // The scopes required for the google provider
 func GoogleScopes() []string {
 	return []string{"https://www.googleapis.com/auth/userinfo.email"}
 }
 
-func GetGoogleEmail(client *http.Client) (string, error) {
+func GetGoogleUser(client *http.Client) (map[string]interface{}, error) {
+	// Create user struct
+	user := make(map[string]interface{})
+
 	// Get the user info from google using the oauth http client
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Got response from google")
@@ -34,24 +32,21 @@ func GetGoogleEmail(client *http.Client) (string, error) {
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Read body from google")
 
-	// Parse the body into a user struct
-	var user GoogleUserInfoResponse
-
 	// Unmarshal the body into the user struct
 	err = json.Unmarshal(body, &user)
 
 	// Check if there was an error
 	if err != nil {
-		return "", err
+		return user, err
 	}
 
 	log.Debug().Msg("Parsed user from google")
 
-	// Return the email
-	return user.Email, nil
+	// Return the user
+	return user, nil
 }
diff --git a/internal/providers/providers.go b/internal/providers/providers.go
index c1bad5ec..3c4f4fc9 100644
--- a/internal/providers/providers.go
+++ b/internal/providers/providers.go
@@ -93,14 +93,17 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 	}
 }
 
-func (providers *Providers) GetUser(provider string) (string, error) {
-	// Get the email from the provider
+func (providers *Providers) GetUser(provider string) (map[string]interface{}, error) {
+	// Create user struct
+	user := make(map[string]interface{})
+
+	// Get the user from the provider
 	switch provider {
 	case "github":
 		// If the github provider is not configured, return an error
 		if providers.Github == nil {
 			log.Debug().Msg("Github provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the github provider
@@ -108,23 +111,23 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from github")
 
-		// Get the email from the github provider
-		email, err := GetGithubEmail(client)
+		// Get the user from the github provider
+		user, err := GetGithubUser(client)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from github")
+		log.Debug().Msg("Got user from github")
 
-		// Return the email
-		return email, nil
+		// Return the user
+		return user, nil
 	case "google":
 		// If the google provider is not configured, return an error
 		if providers.Google == nil {
 			log.Debug().Msg("Google provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the google provider
@@ -132,23 +135,23 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from google")
 
-		// Get the email from the google provider
-		email, err := GetGoogleEmail(client)
+		// Get the user from the google provider
+		user, err := GetGoogleUser(client)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from google")
+		log.Debug().Msg("Got user from google")
 
-		// Return the email
-		return email, nil
+		// Return the user
+		return user, nil
 	case "generic":
 		// If the generic provider is not configured, return an error
 		if providers.Generic == nil {
 			log.Debug().Msg("Generic provider not configured")
-			return "", nil
+			return user, nil
 		}
 
 		// Get the client from the generic provider
@@ -156,20 +159,20 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 
 		log.Debug().Msg("Got client from generic")
 
-		// Get the email from the generic provider
-		email, err := GetGenericEmail(client, providers.Config.GenericUserURL)
+		// Get the user from the generic provider
+		user, err := GetGenericUser(client, providers.Config.GenericUserURL)
 
 		// Check if there was an error
 		if err != nil {
-			return "", err
+			return user, err
 		}
 
-		log.Debug().Msg("Got email from generic")
+		log.Debug().Msg("Got user from generic")
 
 		// Return the email
-		return email, nil
+		return user, nil
 	default:
-		return "", nil
+		return user, nil
 	}
 }
 

From 5e4e2ddbd97e31d7ed21f10b6638d748f6b0c370 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Fri, 25 Apr 2025 15:28:24 +0300
Subject: [PATCH 2/7] refactor: only accept claims following the OIDC spec

---
 cmd/root.go                     |  2 +-
 internal/constants/constants.go | 11 +++++++++++
 internal/handlers/handlers.go   | 16 +++++++---------
 internal/providers/generic.go   |  5 +++--
 internal/providers/github.go    |  7 ++++---
 internal/providers/google.go    |  5 +++--
 internal/providers/providers.go |  5 +++--
 7 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index beaa5d26..fe10166f 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -189,7 +189,7 @@ func init() {
 	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
 	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
 	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
-	rootCmd.Flags().String("generic-name", "Other", "Generic OAuth provider name.")
+	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
 	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
 	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
 	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 37aa55d0..b6b5598b 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -7,3 +7,14 @@ var TinyauthLabels = []string{
 	"tinyauth.allowed",
 	"tinyauth.headers",
 }
+
+// Claims are the OIDC supported claims
+type Claims struct {
+	Name       string `json:"name"`
+	FamilyName string `json:"family_name"`
+	GivenName  string `json:"given_name"`
+	MiddleName string `json:"middle_name"`
+	Nickname   string `json:"nickname"`
+	Picture    string `json:"picture"`
+	Email      string `json:"email"`
+}
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index c873d9fb..33908d90 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -625,22 +625,20 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	log.Debug().Msg("Got user")
 
-	// Get email
-	email, ok := user["email"].(string)
-
-	if !ok {
-		log.Error().Msg("Failed to get email from user")
+	// Check that email is not empty
+	if user.Email == "" {
+		log.Warn().Msg("Email is empty")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
 	// Email is not whitelisted
-	if !h.Auth.EmailWhitelisted(email) {
-		log.Warn().Str("email", email).Msg("Email not whitelisted")
+	if !h.Auth.EmailWhitelisted(user.Email) {
+		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 
 		// Build query
 		queries, err := query.Values(types.UnauthorizedQuery{
-			Username: email,
+			Username: user.Email,
 		})
 
 		// Handle error
@@ -658,7 +656,7 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: email,
+		Username: user.Email,
 		Provider: providerName.Provider,
 	})
 
diff --git a/internal/providers/generic.go b/internal/providers/generic.go
index 084d5fbc..8307600f 100644
--- a/internal/providers/generic.go
+++ b/internal/providers/generic.go
@@ -4,13 +4,14 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
-func GetGenericUser(client *http.Client, url string) (map[string]interface{}, error) {
+func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Using the oauth client get the user info url
 	res, err := client.Get(url)
diff --git a/internal/providers/github.go b/internal/providers/github.go
index 3c1a59c8..2f8862e7 100644
--- a/internal/providers/github.go
+++ b/internal/providers/github.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
@@ -20,9 +21,9 @@ func GithubScopes() []string {
 	return []string{"user:email"}
 }
 
-func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
+func GetGithubUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user emails from github using the oauth http client
 	res, err := client.Get("https://api.github.com/user/emails")
@@ -60,7 +61,7 @@ func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
-			user["email"] = email.Email
+			user.Email = email.Email
 			return user, nil
 		}
 	}
diff --git a/internal/providers/google.go b/internal/providers/google.go
index 9785586a..f8ba30d1 100644
--- a/internal/providers/google.go
+++ b/internal/providers/google.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
@@ -13,9 +14,9 @@ func GoogleScopes() []string {
 	return []string{"https://www.googleapis.com/auth/userinfo.email"}
 }
 
-func GetGoogleUser(client *http.Client) (map[string]interface{}, error) {
+func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user info from google using the oauth http client
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
diff --git a/internal/providers/providers.go b/internal/providers/providers.go
index 3c4f4fc9..a22e83e9 100644
--- a/internal/providers/providers.go
+++ b/internal/providers/providers.go
@@ -2,6 +2,7 @@ package providers
 
 import (
 	"fmt"
+	"tinyauth/internal/constants"
 	"tinyauth/internal/oauth"
 	"tinyauth/internal/types"
 
@@ -93,9 +94,9 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 	}
 }
 
-func (providers *Providers) GetUser(provider string) (map[string]interface{}, error) {
+func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user from the provider
 	switch provider {

From dca09a3d9dce9697af0e97f76484b67829d3aada Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Fri, 25 Apr 2025 16:41:45 +0300
Subject: [PATCH 3/7] feat: map info from OIDC claims to headers

---
 cmd/root.go                                 |  7 ++-
 frontend/src/pages/logout-page.tsx          |  6 +-
 frontend/src/schemas/user-context-schema.ts |  2 +
 internal/api/api_test.go                    |  7 ++-
 internal/auth/auth.go                       | 19 +++++-
 internal/constants/constants.go             | 12 ++--
 internal/docker/docker.go                   | 11 ++--
 internal/handlers/handlers.go               | 34 ++++++++++-
 internal/hooks/hooks.go                     | 66 +++++++++------------
 internal/types/api.go                       |  2 +
 internal/types/config.go                    |  5 ++
 internal/types/types.go                     |  4 ++
 internal/utils/utils.go                     |  5 ++
 13 files changed, 117 insertions(+), 63 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index fe10166f..d4167022 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -111,6 +111,11 @@ var rootCmd = &cobra.Command{
 			LoginMaxRetries: config.LoginMaxRetries,
 		}
 
+		// Create hooks config
+		hooksConfig := types.HooksConfig{
+			Domain: domain,
+		}
+
 		// Create docker service
 		docker := docker.NewDocker()
 
@@ -128,7 +133,7 @@ var rootCmd = &cobra.Command{
 		providers.Init()
 
 		// Create hooks service
-		hooks := hooks.NewHooks(auth, providers)
+		hooks := hooks.NewHooks(hooksConfig, auth, providers)
 
 		// Create handlers
 		handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
diff --git a/frontend/src/pages/logout-page.tsx b/frontend/src/pages/logout-page.tsx
index 5ef60417..e05c362a 100644
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -10,7 +10,7 @@ import { useAppContext } from "../context/app-context";
 import { Trans, useTranslation } from "react-i18next";
 
 export const LogoutPage = () => {
-  const { isLoggedIn, username, oauth, provider } = useUserContext();
+  const { isLoggedIn, oauth, provider, email } = useUserContext();
   const { genericName } = useAppContext();
   const { t } = useTranslation();
 
@@ -56,7 +56,7 @@ export const LogoutPage = () => {
               values={{
                 provider:
                   provider === "generic" ? genericName : capitalize(provider),
-                username: username,
+                username: email,
               }}
             />
           ) : (
@@ -65,7 +65,7 @@ export const LogoutPage = () => {
               t={t}
               components={{ Code: <Code /> }}
               values={{
-                username: username,
+                username: email,
               }}
             />
           )}
diff --git a/frontend/src/schemas/user-context-schema.ts b/frontend/src/schemas/user-context-schema.ts
index 4d43d7b6..6ebe567b 100644
--- a/frontend/src/schemas/user-context-schema.ts
+++ b/frontend/src/schemas/user-context-schema.ts
@@ -3,6 +3,8 @@ import { z } from "zod";
 export const userContextSchema = z.object({
   isLoggedIn: z.boolean(),
   username: z.string(),
+  name: z.string(),
+  email: z.string(),
   oauth: z.boolean(),
   provider: z.string(),
   totpPending: z.boolean(),
diff --git a/internal/api/api_test.go b/internal/api/api_test.go
index e0cb6e53..23c1baf6 100644
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@@ -45,6 +45,11 @@ var authConfig = types.AuthConfig{
 	LoginMaxRetries: 0,
 }
 
+// Simple hooks config for tests
+var hooksConfig = types.HooksConfig{
+	Domain: "localhost",
+}
+
 // Cookie
 var cookie string
 
@@ -83,7 +88,7 @@ func getAPI(t *testing.T) *api.API {
 	providers.Init()
 
 	// Create hooks service
-	hooks := hooks.NewHooks(auth, providers)
+	hooks := hooks.NewHooks(hooksConfig, auth, providers)
 
 	// Create handlers service
 	handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index d6ed5f38..cf1d0f03 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -160,6 +160,8 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
 
 	// Set data
 	session.Values["username"] = data.Username
+	session.Values["name"] = data.Name
+	session.Values["email"] = data.Email
 	session.Values["provider"] = data.Provider
 	session.Values["expiry"] = time.Now().Add(time.Duration(sessionExpiry) * time.Second).Unix()
 	session.Values["totpPending"] = data.TotpPending
@@ -211,14 +213,23 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, err
 	}
 
+	log.Debug().Interface("session", session).Msg("Got session")
+
 	// Get data from session
 	username, usernameOk := session.Values["username"].(string)
+	email, emailOk := session.Values["email"].(string)
+	name, nameOk := session.Values["name"].(string)
 	provider, providerOK := session.Values["provider"].(string)
 	expiry, expiryOk := session.Values["expiry"].(int64)
 	totpPending, totpPendingOk := session.Values["totpPending"].(bool)
 
-	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk {
-		log.Warn().Msg("Session cookie is missing data")
+	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk {
+		log.Warn().Msg("Session cookie is invalid")
+
+		// If any data is missing, delete the session cookie
+		auth.DeleteSessionCookie(c)
+
+		// Return empty cookie
 		return types.SessionCookie{}, nil
 	}
 
@@ -233,11 +244,13 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, nil
 	}
 
-	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Msg("Parsed cookie")
+	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Msg("Parsed cookie")
 
 	// Return the cookie
 	return types.SessionCookie{
 		Username:    username,
+		Name:        name,
+		Email:       email,
 		Provider:    provider,
 		TotpPending: totpPending,
 	}, nil
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index b6b5598b..f3b02d31 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -8,13 +8,9 @@ var TinyauthLabels = []string{
 	"tinyauth.headers",
 }
 
-// Claims are the OIDC supported claims
+// Claims are the OIDC supported claims (including preferd username for some reason)
 type Claims struct {
-	Name       string `json:"name"`
-	FamilyName string `json:"family_name"`
-	GivenName  string `json:"given_name"`
-	MiddleName string `json:"middle_name"`
-	Nickname   string `json:"nickname"`
-	Picture    string `json:"picture"`
-	Email      string `json:"email"`
+	Name              string `json:"name"`
+	Email             string `json:"email"`
+	PreferredUsername string `json:"preferred_username"`
 }
diff --git a/internal/docker/docker.go b/internal/docker/docker.go
index 07962e07..43807cec 100644
--- a/internal/docker/docker.go
+++ b/internal/docker/docker.go
@@ -6,8 +6,7 @@ import (
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 
-	apiTypes "github.com/docker/docker/api/types"
-	containerTypes "github.com/docker/docker/api/types/container"
+	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/rs/zerolog/log"
 )
@@ -38,9 +37,9 @@ func (docker *Docker) Init() error {
 	return nil
 }
 
-func (docker *Docker) GetContainers() ([]apiTypes.Container, error) {
+func (docker *Docker) GetContainers() ([]container.Summary, error) {
 	// Get the list of containers
-	containers, err := docker.Client.ContainerList(docker.Context, containerTypes.ListOptions{})
+	containers, err := docker.Client.ContainerList(docker.Context, container.ListOptions{})
 
 	// Check if there was an error
 	if err != nil {
@@ -51,13 +50,13 @@ func (docker *Docker) GetContainers() ([]apiTypes.Container, error) {
 	return containers, nil
 }
 
-func (docker *Docker) InspectContainer(containerId string) (apiTypes.ContainerJSON, error) {
+func (docker *Docker) InspectContainer(containerId string) (container.InspectResponse, error) {
 	// Inspect the container
 	inspect, err := docker.Client.ContainerInspect(docker.Context, containerId)
 
 	// Check if there was an error
 	if err != nil {
-		return apiTypes.ContainerJSON{}, err
+		return container.InspectResponse{}, err
 	}
 
 	// Return the inspect
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 33908d90..accc2de6 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -10,6 +10,7 @@ import (
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -183,8 +184,9 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 			return
 		}
 
-		// Set the user header
 		c.Header("Remote-User", userContext.Username)
+		c.Header("Remote-Name", userContext.Name)
+		c.Header("Remote-Email", userContext.Email)
 
 		// Set the rest of the headers
 		for key, value := range labels.Headers {
@@ -310,6 +312,8 @@ func (h *Handlers) LoginHandler(c *gin.Context) {
 		// Set totp pending cookie
 		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 			Username:    login.Username,
+			Name:        utils.Capitalize(login.Username),
+			Email:       fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
 			Provider:    "username",
 			TotpPending: true,
 		})
@@ -328,6 +332,8 @@ func (h *Handlers) LoginHandler(c *gin.Context) {
 	// Create session cookie with username as provider
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 		Username: login.Username,
+		Name:     utils.Capitalize(login.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(login.Username), h.Config.Domain),
 		Provider: "username",
 	})
 
@@ -402,6 +408,8 @@ func (h *Handlers) TotpHandler(c *gin.Context) {
 	// Create session cookie with username as provider
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
 		Username: user.Username,
+		Name:     utils.Capitalize(user.Username),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), h.Config.Domain),
 		Provider: "username",
 	})
 
@@ -465,6 +473,8 @@ func (h *Handlers) UserHandler(c *gin.Context) {
 		Status:      200,
 		IsLoggedIn:  userContext.IsLoggedIn,
 		Username:    userContext.Username,
+		Name:        userContext.Name,
+		Email:       userContext.Email,
 		Provider:    userContext.Provider,
 		Oauth:       userContext.OAuth,
 		TotpPending: userContext.TotpPending,
@@ -654,9 +664,29 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	log.Debug().Msg("Email whitelisted")
 
+	// Get username
+	var username string
+
+	if user.PreferredUsername != "" {
+		username = user.PreferredUsername
+	} else {
+		username = fmt.Sprintf("%s_%s", strings.Split(user.Email, "@")[0], strings.Split(user.Email, "@")[1])
+	}
+
+	// Get name
+	var name string
+
+	if user.Name != "" {
+		name = user.Name
+	} else {
+		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+	}
+
 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: user.Email,
+		Username: username,
+		Name:     name,
+		Email:    user.Email,
 		Provider: providerName.Provider,
 	})
 
diff --git a/internal/hooks/hooks.go b/internal/hooks/hooks.go
index 5e9a6890..29c67867 100644
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -1,22 +1,27 @@
 package hooks
 
 import (
+	"fmt"
+	"strings"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
+	"tinyauth/internal/utils"
 
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )
 
-func NewHooks(auth *auth.Auth, providers *providers.Providers) *Hooks {
+func NewHooks(config types.HooksConfig, auth *auth.Auth, providers *providers.Providers) *Hooks {
 	return &Hooks{
+		Config:    config,
 		Auth:      auth,
 		Providers: providers,
 	}
 }
 
 type Hooks struct {
+	Config    types.HooksConfig
 	Auth      *auth.Auth
 	Providers *providers.Providers
 }
@@ -36,11 +41,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		if user != nil && hooks.Auth.CheckPassword(*user, basic.Password) {
 			// Return user context since we are logged in with basic auth
 			return types.UserContext{
-				Username:    basic.Username,
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "basic",
-				TotpPending: false,
+				Username:   basic.Username,
+				Name:       utils.Capitalize(basic.Username),
+				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), hooks.Config.Domain),
+				IsLoggedIn: true,
+				Provider:   "basic",
 			}
 		}
 
@@ -50,13 +55,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get session cookie")
 		// Return empty context
-		return types.UserContext{
-			Username:    "",
-			IsLoggedIn:  false,
-			OAuth:       false,
-			Provider:    "",
-			TotpPending: false,
-		}
+		return types.UserContext{}
 	}
 
 	// Check if session cookie has totp pending
@@ -65,8 +64,8 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 		// Return empty context since we are pending totp
 		return types.UserContext{
 			Username:    cookie.Username,
-			IsLoggedIn:  false,
-			OAuth:       false,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
 			Provider:    cookie.Provider,
 			TotpPending: true,
 		}
@@ -82,11 +81,11 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 			// It exists so we are logged in
 			return types.UserContext{
-				Username:    cookie.Username,
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: false,
+				Username:   cookie.Username,
+				Name:       cookie.Name,
+				Email:      cookie.Email,
+				IsLoggedIn: true,
+				Provider:   "username",
 			}
 		}
 	}
@@ -108,33 +107,22 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 			hooks.Auth.DeleteSessionCookie(c)
 
 			// Return empty context
-			return types.UserContext{
-				Username:    "",
-				IsLoggedIn:  false,
-				OAuth:       false,
-				Provider:    "",
-				TotpPending: false,
-			}
+			return types.UserContext{}
 		}
 
 		log.Debug().Msg("Email is whitelisted")
 
 		// Return user context since we are logged in with oauth
 		return types.UserContext{
-			Username:    cookie.Username,
-			IsLoggedIn:  true,
-			OAuth:       true,
-			Provider:    cookie.Provider,
-			TotpPending: false,
+			Username:   cookie.Username,
+			Name:       cookie.Name,
+			Email:      cookie.Email,
+			IsLoggedIn: true,
+			OAuth:      true,
+			Provider:   cookie.Provider,
 		}
 	}
 
 	// Neither basic auth or oauth is set so we return an empty context
-	return types.UserContext{
-		Username:    "",
-		IsLoggedIn:  false,
-		OAuth:       false,
-		Provider:    "",
-		TotpPending: false,
-	}
+	return types.UserContext{}
 }
diff --git a/internal/types/api.go b/internal/types/api.go
index 144bb56a..0e12634f 100644
--- a/internal/types/api.go
+++ b/internal/types/api.go
@@ -33,6 +33,8 @@ type UserContextResponse struct {
 	Message     string `json:"message"`
 	IsLoggedIn  bool   `json:"isLoggedIn"`
 	Username    string `json:"username"`
+	Name        string `json:"name"`
+	Email       string `json:"email"`
 	Provider    string `json:"provider"`
 	Oauth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
diff --git a/internal/types/config.go b/internal/types/config.go
index 88e9169f..cc35de1e 100644
--- a/internal/types/config.go
+++ b/internal/types/config.go
@@ -78,3 +78,8 @@ type AuthConfig struct {
 	LoginTimeout    int
 	LoginMaxRetries int
 }
+
+// HooksConfig is the configuration for the hooks service
+type HooksConfig struct {
+	Domain string
+}
diff --git a/internal/types/types.go b/internal/types/types.go
index dc6f9c1d..f9344c05 100644
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -25,6 +25,8 @@ type OAuthProviders struct {
 // SessionCookie is the cookie for the session (exculding the expiry)
 type SessionCookie struct {
 	Username    string
+	Name        string
+	Email       string
 	Provider    string
 	TotpPending bool
 }
@@ -40,6 +42,8 @@ type TinyauthLabels struct {
 // UserContext is the context for the user
 type UserContext struct {
 	Username    string
+	Name        string
+	Email       string
 	IsLoggedIn  bool
 	OAuth       bool
 	Provider    string
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
index 25830153..528ad233 100644
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -323,3 +323,8 @@ func CheckWhitelist(whitelist string, str string) bool {
 	// Return false if no match was found
 	return false
 }
+
+// Capitalize just the first letter of a string
+func Capitalize(str string) string {
+	return strings.ToUpper(string([]rune(str)[0])) + string([]rune(str)[1:])
+}

From 065b9eaf3de6f82fefd1290c5195a6a3b2385f3a Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Mon, 28 Apr 2025 22:49:56 +0300
Subject: [PATCH 4/7] feat: add support for required oauth groups

---
 frontend/src/lib/i18n/locales/en-US.json |  1 +
 frontend/src/lib/i18n/locales/en.json    |  1 +
 frontend/src/pages/unauthorized-page.tsx | 63 ++++++++++++++------
 internal/auth/auth.go                    | 65 ++++++++++-----------
 internal/constants/constants.go          |  8 ++-
 internal/handlers/handlers.go            | 73 ++++++++++++++++--------
 internal/hooks/hooks.go                  | 13 +++--
 internal/types/api.go                    |  1 +
 internal/types/types.go                  |  3 +
 internal/utils/utils.go                  |  2 +
 10 files changed, 147 insertions(+), 83 deletions(-)

diff --git a/frontend/src/lib/i18n/locales/en-US.json b/frontend/src/lib/i18n/locales/en-US.json
index 12135fe3..acf2a5ff 100644
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -42,6 +42,7 @@
     "unauthorizedTitle": "Unauthorized",
     "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
     "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
     "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 12135fe3..acf2a5ff 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -42,6 +42,7 @@
     "unauthorizedTitle": "Unauthorized",
     "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
     "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
     "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
diff --git a/frontend/src/pages/unauthorized-page.tsx b/frontend/src/pages/unauthorized-page.tsx
index 6825bd21..bcb35902 100644
--- a/frontend/src/pages/unauthorized-page.tsx
+++ b/frontend/src/pages/unauthorized-page.tsx
@@ -3,11 +3,13 @@ import { Layout } from "../components/layouts/layout";
 import { Navigate } from "react-router";
 import { isQueryValid } from "../utils/utils";
 import { Trans, useTranslation } from "react-i18next";
+import React from "react";
 
 export const UnauthorizedPage = () => {
   const queryString = window.location.search;
   const params = new URLSearchParams(queryString);
   const username = params.get("username") ?? "";
+  const groupErr = params.get("groupErr") ?? "";
   const resource = params.get("resource") ?? "";
 
   const { t } = useTranslation();
@@ -16,6 +18,47 @@ export const UnauthorizedPage = () => {
     return <Navigate to="/" />;
   }
 
+  if (isQueryValid(resource) && !isQueryValid(groupErr)) {
+    return (
+      <UnauthorizedLayout>
+          <Trans
+            i18nKey="unauthorizedResourceSubtitle"
+            t={t}
+            components={{ Code: <Code /> }}
+            values={{ resource, username }}
+          />
+      </UnauthorizedLayout>
+    );
+  }
+
+  if (isQueryValid(groupErr) && isQueryValid(resource)) {
+    return (
+      <UnauthorizedLayout>
+        <Trans
+        i18nKey="unauthorizedGroupsSubtitle"
+        t={t}
+        components={{ Code: <Code /> }}
+        values={{ username, resource }}
+         />
+      </UnauthorizedLayout>
+    )
+  }
+
+  return (
+    <UnauthorizedLayout>
+      <Trans
+        i18nKey="unaothorizedLoginSubtitle"
+        t={t}
+        components={{ Code: <Code /> }}
+        values={{ username }}
+      />
+    </UnauthorizedLayout>
+  );
+};
+
+const UnauthorizedLayout = ({ children }: { children: React.ReactNode }) => {
+  const { t } = useTranslation();
+
   return (
     <Layout>
       <Paper shadow="md" p={30} mt={30} radius="md" withBorder>
@@ -23,25 +66,7 @@ export const UnauthorizedPage = () => {
           {t("Unauthorized")}
         </Text>
         <Text>
-          {isQueryValid(resource) ? (
-            <Text>
-              <Trans
-                i18nKey="unauthorizedResourceSubtitle"
-                t={t}
-                components={{ Code: <Code /> }}
-                values={{ resource, username }}
-              />
-            </Text>
-          ) : (
-            <Text>
-              <Trans
-                i18nKey="unaothorizedLoginSubtitle"
-                t={t}
-                components={{ Code: <Code /> }}
-                values={{ username }}
-              />
-            </Text>
-          )}
+        {children}
         </Text>
         <Button
           fullWidth
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index cf1d0f03..0b709b04 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -165,6 +165,7 @@ func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie)
 	session.Values["provider"] = data.Provider
 	session.Values["expiry"] = time.Now().Add(time.Duration(sessionExpiry) * time.Second).Unix()
 	session.Values["totpPending"] = data.TotpPending
+	session.Values["oauthGroups"] = data.OAuthGroups
 
 	// Save session
 	err = session.Save(c.Request, c.Writer)
@@ -213,7 +214,7 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, err
 	}
 
-	log.Debug().Interface("session", session).Msg("Got session")
+	log.Debug().Msg("Got session")
 
 	// Get data from session
 	username, usernameOk := session.Values["username"].(string)
@@ -222,8 +223,9 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 	provider, providerOK := session.Values["provider"].(string)
 	expiry, expiryOk := session.Values["expiry"].(int64)
 	totpPending, totpPendingOk := session.Values["totpPending"].(bool)
+	oauthGroups, oauthGroupsOk := session.Values["oauthGroups"].(string)
 
-	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk {
+	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk || !oauthGroupsOk {
 		log.Warn().Msg("Session cookie is invalid")
 
 		// If any data is missing, delete the session cookie
@@ -244,7 +246,7 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		return types.SessionCookie{}, nil
 	}
 
-	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Msg("Parsed cookie")
+	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Str("oauthGroups", oauthGroups).Msg("Parsed cookie")
 
 	// Return the cookie
 	return types.SessionCookie{
@@ -253,6 +255,7 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
 		Email:       email,
 		Provider:    provider,
 		TotpPending: totpPending,
+		OAuthGroups: oauthGroups,
 	}, nil
 }
 
@@ -261,49 +264,47 @@ func (auth *Auth) UserAuthConfigured() bool {
 	return len(auth.Config.Users) > 0
 }
 
-func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext) (bool, error) {
-	// Get headers
-	host := c.Request.Header.Get("X-Forwarded-Host")
-
-	// Get app id
-	appId := strings.Split(host, ".")[0]
-
-	// Get the container labels
-	labels, err := auth.Docker.GetLabels(appId)
-
-	// If there is an error, return false
-	if err != nil {
-		return false, err
-	}
-
+func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext, labels types.TinyauthLabels) bool {
 	// Check if oauth is allowed
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
-		return utils.CheckWhitelist(labels.OAuthWhitelist, context.Username), nil
+		return utils.CheckWhitelist(labels.OAuthWhitelist, context.Username)
 	}
 
 	// Check users
 	log.Debug().Msg("Checking users")
 
-	return utils.CheckWhitelist(labels.Users, context.Username), nil
+	return utils.CheckWhitelist(labels.Users, context.Username)
 }
 
-func (auth *Auth) AuthEnabled(c *gin.Context) (bool, error) {
-	// Get headers
-	uri := c.Request.Header.Get("X-Forwarded-Uri")
-	host := c.Request.Header.Get("X-Forwarded-Host")
-
-	// Get app id
-	appId := strings.Split(host, ".")[0]
+func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels types.TinyauthLabels) bool {
+	// Check if groups are required
+	if labels.OAuthGroups == "" {
+		return true
+	}
 
-	// Get the container labels
-	labels, err := auth.Docker.GetLabels(appId)
+	// Split the groups by comma (no need to parse since they are from the API response)
+	oauthGroups := strings.Split(context.OAuthGroups, ",")
 
-	// If there is an error, auth enabled
-	if err != nil {
-		return true, err
+	// For every group check if it is in the required groups
+	for _, group := range oauthGroups {
+		if utils.CheckWhitelist(labels.OAuthGroups, group) {
+			log.Debug().Str("group", group).Msg("Group is in required groups")
+			return true
+		}
 	}
 
+	// No groups matched
+	log.Debug().Msg("No groups matched")
+
+	// Return false
+	return false
+}
+
+func (auth *Auth) AuthEnabled(c *gin.Context, labels types.TinyauthLabels) (bool, error) {
+	// Get headers
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+
 	// Check if the allowed label is empty
 	if labels.Allowed == "" {
 		// Auth enabled
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index f3b02d31..72480b6e 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -6,11 +6,13 @@ var TinyauthLabels = []string{
 	"tinyauth.users",
 	"tinyauth.allowed",
 	"tinyauth.headers",
+	"tinyauth.oauth.groups",
 }
 
 // Claims are the OIDC supported claims (including preferd username for some reason)
 type Claims struct {
-	Name              string `json:"name"`
-	Email             string `json:"email"`
-	PreferredUsername string `json:"preferred_username"`
+	Name              string   `json:"name"`
+	Email             string   `json:"email"`
+	PreferredUsername string   `json:"preferred_username"`
+	Groups            []string `json:"groups"`
 }
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index accc2de6..d170b15e 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -69,12 +69,15 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	proto := c.Request.Header.Get("X-Forwarded-Proto")
 	host := c.Request.Header.Get("X-Forwarded-Host")
 
-	// Check if auth is enabled
-	authEnabled, err := h.Auth.AuthEnabled(c)
+	// Get the app id
+	appId := strings.Split(host, ".")[0]
+
+	// Get the container labels
+	labels, err := h.Docker.GetLabels(appId)
 
 	// Check if there was an error
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to check if app is allowed")
+		log.Error().Err(err).Msg("Failed to get container labels")
 
 		if proxy.Proxy == "nginx" || !isBrowser {
 			c.JSON(500, gin.H{
@@ -88,11 +91,8 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		return
 	}
 
-	// Get the app id
-	appId := strings.Split(host, ".")[0]
-
-	// Get the container labels
-	labels, err := h.Docker.GetLabels(appId)
+	// Check if auth is enabled
+	authEnabled, err := h.Auth.AuthEnabled(c, labels)
 
 	// Check if there was an error
 	if err != nil {
@@ -131,29 +131,53 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		log.Debug().Msg("Authenticated")
 
 		// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
-		appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
+		appAllowed := h.Auth.ResourceAllowed(c, userContext, labels)
 
-		// Check if there was an error
-		if err != nil {
-			log.Error().Err(err).Msg("Failed to check if app is allowed")
+		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
+
+		// The user is not allowed to access the app
+		if !appAllowed {
+			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+
+			// Set WWW-Authenticate header
+			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
 
 			if proxy.Proxy == "nginx" || !isBrowser {
-				c.JSON(500, gin.H{
-					"status":  500,
-					"message": "Internal Server Error",
+				c.JSON(401, gin.H{
+					"status":  401,
+					"message": "Unauthorized",
 				})
 				return
 			}
 
-			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			// Build query
+			queries, err := query.Values(types.UnauthorizedQuery{
+				Username: userContext.Username,
+				Resource: strings.Split(host, ".")[0],
+			})
+
+			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to build queries")
+				c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+				return
+			}
+
+			// We are using caddy/traefik so redirect
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
 			return
 		}
 
-		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
+		log.Debug().Interface("labels", labels).Msg("Got labels")
+
+		// Check if user is in required groups
+		groupOk := h.Auth.OAuthGroup(c, userContext, labels)
+
+		log.Debug().Bool("groupOk", groupOk).Msg("Checking if user is in required groups")
 
 		// The user is not allowed to access the app
-		if !appAllowed {
-			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+		if !groupOk {
+			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User is not in required groups")
 
 			// Set WWW-Authenticate header
 			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
@@ -170,6 +194,7 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 			queries, err := query.Values(types.UnauthorizedQuery{
 				Username: userContext.Username,
 				Resource: strings.Split(host, ".")[0],
+				GroupErr: true,
 			})
 
 			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
@@ -187,6 +212,7 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		c.Header("Remote-User", userContext.Username)
 		c.Header("Remote-Name", userContext.Name)
 		c.Header("Remote-Email", userContext.Email)
+		c.Header("Remote-Groups", userContext.OAuthGroups)
 
 		// Set the rest of the headers
 		for key, value := range labels.Headers {
@@ -684,10 +710,11 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: username,
-		Name:     name,
-		Email:    user.Email,
-		Provider: providerName.Provider,
+		Username:    username,
+		Name:        name,
+		Email:       user.Email,
+		Provider:    providerName.Provider,
+		OAuthGroups: strings.Join(user.Groups, ","),
 	})
 
 	// Check if we have a redirect URI
diff --git a/internal/hooks/hooks.go b/internal/hooks/hooks.go
index 29c67867..876e93fd 100644
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -114,12 +114,13 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
 
 		// Return user context since we are logged in with oauth
 		return types.UserContext{
-			Username:   cookie.Username,
-			Name:       cookie.Name,
-			Email:      cookie.Email,
-			IsLoggedIn: true,
-			OAuth:      true,
-			Provider:   cookie.Provider,
+			Username:    cookie.Username,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
+			IsLoggedIn:  true,
+			OAuth:       true,
+			Provider:    cookie.Provider,
+			OAuthGroups: cookie.OAuthGroups,
 		}
 	}
 
diff --git a/internal/types/api.go b/internal/types/api.go
index 0e12634f..63478849 100644
--- a/internal/types/api.go
+++ b/internal/types/api.go
@@ -20,6 +20,7 @@ type OAuthRequest struct {
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
+	GroupErr bool   `url:"groupErr"`
 }
 
 // Proxy is the uri parameters for the proxy endpoint
diff --git a/internal/types/types.go b/internal/types/types.go
index f9344c05..2b1de641 100644
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -29,6 +29,7 @@ type SessionCookie struct {
 	Email       string
 	Provider    string
 	TotpPending bool
+	OAuthGroups string
 }
 
 // TinyauthLabels is the labels for the tinyauth container
@@ -37,6 +38,7 @@ type TinyauthLabels struct {
 	Users          string
 	Allowed        string
 	Headers        map[string]string
+	OAuthGroups    string
 }
 
 // UserContext is the context for the user
@@ -48,6 +50,7 @@ type UserContext struct {
 	OAuth       bool
 	Provider    string
 	TotpPending bool
+	OAuthGroups string
 }
 
 // LoginAttempt tracks information about login attempts for rate limiting
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
index 528ad233..2830a120 100644
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -204,6 +204,8 @@ func GetTinyauthLabels(labels map[string]string) types.TinyauthLabels {
 					}
 					tinyauthLabels.Headers[headerSplit[0]] = headerSplit[1]
 				}
+			case "tinyauth.oauth.groups":
+				tinyauthLabels.OAuthGroups = value
 			}
 		}
 	}

From 3dff650e71d8d2fb6206f6ba44d06513ff88ad62 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Wed, 30 Apr 2025 18:15:11 +0300
Subject: [PATCH 5/7] fix: bot suggestions

---
 frontend/bun.lockb                       | Bin 141204 -> 140836 bytes
 frontend/src/lib/i18n/locales/en-US.json |   2 +-
 frontend/src/lib/i18n/locales/en.json    |   2 +-
 frontend/src/pages/logout-page.tsx       |   4 +-
 frontend/src/pages/unauthorized-page.tsx |  30 +++++------
 internal/auth/auth.go                    |   2 +-
 internal/handlers/handlers.go            |  12 ++---
 internal/utils/utils.go                  |  14 +++++
 internal/utils/utils_test.go             |  62 +++++++++++++++++++++++
 9 files changed, 101 insertions(+), 27 deletions(-)

diff --git a/frontend/bun.lockb b/frontend/bun.lockb
index f5d3b69d28ec64f5ef81c9c4a844c18261042a3f..0b06ed59018728bbf30e6106610b97b17a360cd3 100755
GIT binary patch
delta 24183
zcmeHvcUY81_x3XjtE{?$m5yLTP`WhHUF@0_I}$rpgMtXyFh&+*ui%)By_*PjjZxB!
z#zc)8qlqoCCmJC(EKw87cb}&KuPNW}y{_N&eg9-H@8`@tbEce`GlhNDS#-i~{V}_I
zf1mxAZ{G}@|INM`?RQAt5pTWM!1+CMehoI~SjKy2YfL?*Thv4+(I=rGu7Pgw;DQOw
z^sb1hRq&~6!4;==^K2!_C`r}}knWIqkToDr*hrECWQksqoG2ZV^u~@#9hRDsERD&^
z7(4t8Njg=9w_;6m4?vxg*F)BZEVYxQI*?Z&t3iGV=?YmJq#opRgCeg(Qt^$dOHy6P
zt<ZCXOh-A?j6_HzSwB?y3`CNC9x7`DnF8r1Nx9a?Nbp3&4>gqrv_wJ>cymb9VVwnI
zTp%ML>qBO!ygQ^9xECZ<YzOHK*$b^l!PY=XO0TQ(=dh0SZm9AIq`Q<WS(8%|#|}q7
zr)N`dOVTrY#ez1djT+#HhLD8?umojUb0EnQKRn37@sP-3JqAhXj*!$)8%WA`7qyZM
zh7}Y)aeV5Sq&Fm~2)s@%B9<cn<E>thwIDN)0d-n0Leh{7ggGQnLXw5WkSN<414;Sn
zdnmF7Bn{aga0e>q4mdUJ3OEg+<{?Q*8DmF{k)(qtKb;EPuC{O?B=T4%K~hU|n9`7}
zl!PScORf!-o*55GJ(C&~F)C%k80iD_Gc_a-14}({0Guqo22O^IMmeOP#&_5_I>$Fr
z`mGR>ntNB3q5P^%KoD!DxbFjRrOZ-D%KHoANjp6?J;g6MQ91`s#%<zlZ5^E_`zkeF
zLMy4|6*XqsI_55Kp_DNV5~f+B{ggVic87se*{%E)*U5q&*%2L}v~)~%T52Ln-Ulw*
z2?=krx<b;NxEQFEZwpT44^{IgrDab*wgFNMB4`BP4py3X1(FKLgrxWuA<Br2Nk~jg
zNK8v<(_GQ(*-~kkJOF;F*#ew8v?C<BUI0(fJL<j<<rDQDxuYW`sWBqEsnQ1$17NKR
zi2<|z5}{1A!;lTY3spH=m1&SP`rTC-sLDE!w7~opuE-xC;d$22RJm4>xz-s7ke{VP
z!j-LkA)O&dXJn5_%FdP!MJuiU6q34oRKlo?)MQCY$xa-bnwBgTw^w@OJxJ>Qg^=V%
zRy96N<^3ROklRC&o<C$gn#pbmP<PrvQpWr36va!B#1BC_LhexGS3*(&v(@wokd!}J
z<=r8vq9{nxYYIu@U0Y3m)>cWs30YT<gfnfqOI45Df*8fXhmbVPX({7I!4ITTHU6wB
zuR@Y<C#R&0#^_2@!0o|v)cBu!D7;Hg)juK0|I(3O1F{PwCXY2W+i!SUMxyjlFIjJd
zwG9%;KT?N}%E(HQq+pc~OC6Q$H+HmC)>}!xp~}&IX&FfgW6+AU)b!Lb(v3b!dPC$R
z1IG7N8Zay^VayopAtO_A#*smdxR;${uXC|VYD)I#tQ6E{k6hGUeflZpB_w5Jk^MG^
zr)E!#Q{wM-Q-<YdNNTO+b;aD(e3qSe?zR4kv2P?~`=Q?9XTeFUXn^8HPa(;R5=O{P
zk){k(ylxaE4ffcqRKF3~k~DhksGOvX<djpWg$DOCwbs>;<nA2O2>JD3MXKoyt$AvO
z6v!G-AcLvGOmOOyp1haAF}K4|)u?zyrbAM3b_t4+G%yKi*-|g$qGlaMJo!)rI86>0
zNNR@GX}v7UERBGq^!-W7Y>mZ4aRN_=Yz$d~_!_i-W~Zc&OUaU?SDj`SMuME{_AsT{
zA=u-HCuSuirJ!Gmz{#9@kmOYDuq9D?dP>&tl;8@VxrqE^Zdj@^s`DXHvGoT?dnrV+
z9#<8HC1j7uL?30PjLl9RmLp9?3q7HD1(FK(ghgb*dcLHZcTjM;Qtebonv-QJ$3l^k
zjU0_t{v|wznpvHfRSQU{iwdZ$UND%Jm~d5kKvHknLDG!<6?(L0or0wJk07b;b&yos
z9F>oUq)|zSl%0v^RS&S+vSwu5(O6R%|F*i*u6xy2>zwj`Id{o9|KK9s*-Wcw8{GWn
z#@Y5~&Quw_E5GJ?JN|HZOG68tgwBwxb$F0-xNfM9`#PBng@}wsq>k@!4A+(Dc&U>~
z=WfG&olUySHoVB$WN@~Xq%f%1@F1x4u;sokCc{!hVvVud@-nAz!&9(CnFYCq8wTnn
zDN@Pc60TdM=f18c1FIrQm_61iJab5d9SG&F!lAEQR)v?knsk?{a9=l*p>|cJMYhyT
zLvOH_a#>W*bd@nV?IV@xc#uoD;SN|JG<9-|JnST?Jy><V1EnN@#ef-kkXyL^Iaqh@
z=Ne_OV5C~hrDvkuGr)$(B@pvQZ}%=|IhC32Xf-~ffyoe#+1^uDLF05Ys`JtYCf%9p
z+}G1&u!jeR%S8uyh8sG8VF^ZasDoC4QC}!cU2l{mxDXgsTN|E^397OzFnGOHHducP
ztQ${vZ*7M)cy@UK2f$i^DPyq?Q(=&tM*a5^tgp<d@IJM)G-BJpMwF*H*OnwKhib(c
zU|7DusBhD;SXMOZIGCC*Ai@sLS&<~bDhj#%AFMqV6><{A&JAF}V7BCVhO=NTl<MGP
zHubr0Q<I?+<_S40d=vG6P+!9>(DWl<-NE3KEh3mB_w_dEBAoaLi0Mwe2;#C6FZDJV
z{4lo^`^kUuz^IU_av>*GrZlJvW~-t}9`h+!OSx_uzA`YXPVq@Iju0J`%Axr-7<n4w
zW$@*%T)D3=ydB4nZi)&VE}a<n^Ncc-B1GMacEgGeSO641prKk0M#U<_*ceMLG5APi
zgdIq0nb5ec2YaoYJqPPl&f4SLG(=$@5v&0(ZDBI}h&aU-%5CqdjV!TLFzOMdLB(Ln
z<;>kn>k;^XF4K#T@HgphLO7aq-VJ$?qsd@xsJR~O(S3wSsFXG2rT!+?p8Eut4GSA-
z6;O3|!D!;6I#?XkSdyZ^<Q0jH<vxLCww<R2nhg$3v|Kc7Bf(72lgFOz;yyuU{ZquX
zmM3xNrdnT@c|_QO1VU9Jztw%wl=}u_1@l&BksYVO%mbsD=}cpw+w09sgH5a!_X#l@
z1~gMTU0GjNg0+&XMbmX<&3I{uiTQJ%mS$aw4>_5k*r!|{#ytm%kn4s^vrz66YSu6J
zm88zxFEmQ`lP@m{HR%(Y!)BiD7{!)zpD?rjEO=|aB{WK32NR$bh1dpO5@yz2X~BKN
zP5KFblGKH7af~v2ju3SNyf-jh{{pNvzuh3p(9d6)f@rl{xZy)E@>R^-U>F;q<UtxH
z*6{#d8euZLL?ro^Y$nDjHPURDgI-gXyB+@Fh8tjHI-@m-d2*jtW;TwewleE!(gyPM
z22m`Km$Wh)mVkGbtHZR>-3#U;qD-s}FN`v?NxUS=Y$(PQre48X?}lCs;Uij`3<Kbg
zZ4hbC%Ob+rdS24nY`BCt@(o*_*&y8D8LBi~&oetj*n%jXv=kw^lMFv0L<<P)^bI%E
z3sYtR91DFvj2D{BhI5FcnlZm4!!Z|p%x3)}Y)q-#&m5(HULG0-ONYyG#}P`AL&5ON
z1UbYJ8Y+kGmxp>`GAeP~5gII~8etDY?ONL^0aS4ap@DK@LyVgedJCcca@?8nP=HyB
zn~6}IoO&6dSUJ=(T9W!uh|S<W9nAXg!Q1ilz$im~Y$>!XV3g2f@nAH~(FLu-*(&bS
z(X2m;m8k>w>lmfC$AEW|L$L_Kp*otGl5$n%ex1w=YZNrcb|lU8F0E}5cukJdV}VhW
zyCT$ur+3zrFUtHjICfNI&W0~2#q2{!sZigA^4#uX=4qYV*vcfmtC`;d>8k0BL`bP?
zH$tf4HLZrOSn7})TyBBx^lQAxV#4exv6yw&E!?-8i7n%)-OL7CxIIc&J)#?!vJzy%
zp(lY+S4p(p==Tz%F4R5j&WmDbR+q$>^~pV`IW*OZ5F-D#q2q(@K@VQk-DK$9Q!4|L
zLO&m@1HbJQr9XvGH1`XRGSu#c!zHrG)5b6r3@%8^mP@$)AQ<Xw5T&PiX5zPFqL_&n
z_B0!^h(oUmom}+W!NTN)?U@>{Y<aEvXj)jd^b^1$WUcK8Q7y`nTBd4Y{lfwq&{ydZ
zEPPm>^1!GMFu}k+1yl0v=m``1@)3PZ2LD*45*t}14UANjL%>><!8okR*TASSJuidr
zdGwQ{P_Sw;8w7?PCd0A&6@g*O_Kadxd1|cL&?-(j;Gt1iuHFWtp2n_+ay|t^Z&FS)
z(fGR38Z3C2;se0oZPXg1Z2?nv60o~q5lBP3QA*qX+R{L~M|L@*d>d4Ta|b%;9vIx8
zmQ=K*<p8A=rS>#18WyExd%&nZ<*;BgP_Z7HeoQzs^VI%k!*aw8k~OI7pMa4i5-0cT
zf&`kI=z4NSFlsHz!eaFSFC1Vt{Ej#}Au9S&gE9NTl=U~Crw%mh&JN~915JinL&_C#
zaOw?42Eeb;kav0NAhYho5SkPQ+o4K7!!cl65*Uq%(nI^eXk=k2+WH7gZ4Y|LFJ8+>
zBQjlON}qfMM!ldoc&!9&mQX1cuyCZ+r18;D0qe@Q42;rUN#G-fnwT#y9BMXXCo0>F
z(h*m{)JC-m*ZU{o@W{7VqV&dOn)4JYK&Y=Ax{eSgC*qo?;EY2d!$O3x8mcaF8H_r)
zDlfBy8|n;G8fTz$nLY-r6Tj`z+D?r|KSYKb9)q<;7I=eqxS{oMC5t>RhH+q29Qw~C
z!VZKKtI7`c0;~fVod5L*yEl|v%As-^80A6_VWf+}$cOauI`a4pUYcyucTJU~jy!#6
zlwm1C)P7~>E&=N#vmMA9fFrgU3<p3A$|$f9MYCJDVGS4!AM$yI>(7Gq<G15m+m1v_
zX#LU;M@Z?cEeQ3b&eA;}$%}@YSXW*$+-%58Q+giu;B0dujgNT4WQa~z%#yci!!j^T
zT`WtODf*X`M$4TcW>k5<pkaAn)D;H#Y;^)m=}#1EaLTAWX9j>NK1XT!VB{?h<Sn{G
z8N76a$<TDPayHeITj~yu<|9U$SaV)D(ySk!g|jl>GBQekqCDiCEjtY2-a-ggB6J)f
zI0r(_$7rc}2*HUEcN(GIa>#qE7WXDX-6&3XXe=Kw3dbWvV5`TRqO(LRUNXv(tC!?2
zvhe(8X+(N3zyOSw{2{3WLRAT~<#bFr`9snMK%KH4P7QK897n1Obi|h^5OUy8k}87J
z$e+rR8f*a!Kwp6LVgdS)qzYdrf=^{h4aHI?e<~#Ervk91$r5XoWDCRtH2^r191kCn
z<1<x`k&-_oDL=-BzW0}=0+fFyK=HFwIUAB1FjtlHAsv8~iv0+HP|Mc<RKNyR7OHX!
zB&BZ$sNfv{eMl1DNdzB~#CH+Fhon7l0HF9URCy4RKDk<;vaEuHuL0`f?*RIcBnwUx
z!G|Ojc!mf*B&o-)0i^dcK%dHz#{5?~wp`}Q5tQM!n($AO8ukF7iXW=_m8C7>o~Y?h
zRr$NBN0RD!rp7;)<I(>VpaNgW5sD;5IZ~CB&hQ|qQ>6_g>FHHjl@jr(EGfzk50VBv
zNWVHH4P{M=r16&ns-%QkNT9UZ^iU-Q>!`f4qyp=y@g%8-Tp_6(4@gRCph{0j8d4vM
zRAnx8nV+iQugU;ODmX~x!H_g|k&vX{29iFNB~=)$rgu=&Ns@jSNGk6&HJ&6*;~ot5
zQ^ww^LSI#ZBn4wtPLeDe2ub=w)cDGhDu_osB_*hO$*NvuNwXnajn8K2|9Xg+sYd)i
zm%0Cgipk<Rs@`8oXQZ!J)BjtU``>2xU)In4%a)UK6si`HYy^G`l6>Hl8c&kO{Ch}>
zI<3b4lO&Zhcu>A`vVH?C@Yj-Yzj5BRNd1CZJW0mi8t3SPNa->$$SZh|)-@ukq~K5V
z;9JHu=tYD0i<(N3f;Ux8l5&@-@xQ9^Bq`q=HU6#|FH7z|-mxp?y04}_P*X`#@S!Rn
zsqrLfHa=B(WeJPMJMy{X?FhM4>N8cVvZVMIh^M5NYC1_;RO~2Gm6T*qIY|muS2;;a
zuc7kFl5Dltsb>NN<PS*-%A=r4+GyMnNsCfrHN7b*;X{%d6aYyT1*-8Ri3h1N7?S)f
z91{PeNP5T;YXT{@LIlYuRkl_YDoaXlgLq0ZtFkR5#kZr#S0u%^SK~=iu%pUJl7m~4
z)j%&bp|Yd`dLy2?Di)Gd;#Aq62tJi1SvW*Zk5|)4GCnWIQC@tK)YKG6Beb(rt^Z9)
zt<F}<B}p6~-YBEizXwpcH~u|<9#ninB1zNW-vg*NO-Ry=`S$?&?*a6G{eUX(0dTH=
zDwsB#zdCp#T8{ts07}#IpAMeXQ<P46{~kc87x4M_0Q&C%6mIbU?*RIOx1V;P+odKp
zAqy@iH*Wo?$#vtl1v9ceK5@Bu%)##0mEGB+{C6ThU0!#LXW_`j7xe3DrnG)DJ)`>J
z81Zw?FH7pa*tI9~&G+SL{lcF9FtXvbX2tQ1(~Uf3hK1?5VP+hEeTI>z&$QqjQ8Ad^
zOd}sV%fbwNKQ#A(HJNQ;)p_RZIR3^gBR>sh<X&^)xYKMSpEk$B?D<Ks!(gFvEqI-u
zH#d$?m}BJE!SMTnd2zhiTqA#Ho`u!pSHaGKb)0X(Z$}E|$MKo-jQkOpGjF>fjz`Ql
z@(l|t%$1jc-2{uxw=j3UCO?iZUSQ<<0t;Rz_bQ0vUGj~5H<%Y^3*-0`u#|-s)`;%_
z+gM=a^|*yK;Rzh}Ej02k!Mu5`MX-;<zC{-1!}o*j1#9w-1>baMz61Lf!9FlQ?)5J0
zdk6NtYheNWB-mlFP+?&~JWs&BcVQn`2oG8e`vmM;Y{3r?u7aHd>$t?i!g;|G*tZz=
zfkpDROJUy<*tgWeqIenDO|aNy7QD1yvkdkvg?-B{c&F8CIqX{o`@q_AwgUEnrL3^v
z7Xv%MHZF&KD=n-ePgn{2R=_^6&b-zt*tZh)t+L={!+x;6U`<wAn1yGqhJCAGA6N|c
zS_Au5!@e~Z)`On}I}8@O*1~%6ytS}z4eSH!!-LkrzO}G#orT5nt6=BAI<B{{I9{+G
z_N{|`VEuX94X|%L?Au^r19=(PO|Ze!Eo?9^oDTao7`YK%H<WjM5B9xh<Xhgeumt`T
z><QT5_bn`m7rqbs-iPK!3rpesH^RP+M*b<-aBe7seTDGWLJLdf#bA5E+>0!1Bu_1Z
zeMLro94wtXZ-RZBjQp)l7M8(}fE@<&+iYQ(JZCfP+ic_)!Lqr}7TCAN$meab;CC?R
z!OnrT*=k|q`K+z5Z>y2t2Fu}*+hE@|BVV!2!rtU1U^l^Hwp-X+e93m$x82B}gXQwB
zJ7C`q*tf&N^7vD*Ct!njTG-pXa3}2B3Hx?g*fidM7wp>w`@m*!!w0bM1K9V0h0Wr{
zV0*#bcU#yTp1K?M?S_3|^SJYeu<t|I_o0O?;77m?gZb^TumYa52lnlOePEpX?1g=M
zVc%X0dxxI~I|tUL*un&#RSf%zVISBM9{CaM`v~@ZWWj6w60n<KF&|sl3cloH*!MB)
z16#$reiFx4^EG&`;ZN~g%X@tq$JX&eJlAvfSsZ>x(;v_G_zpbZ=Z1Z8Y$H#=vyd0#
zS;T979>+HER6IBH{djKS&imuoR-TFHHhu)p?cD1?9NWQj@Z8By;)!1$eG!Luwt0B&
z=I6hFC11djgBG@j&pHT84#E<!VjlTr9Q%kD;Q28x!SfT|_NzGdDPMx;XS@v0eZ1?T
zIQBVTgXez!6wd>^*Woz!1uw+&AZJJ7*q6LNo?r1Dcpl=0ujANZo`B~OUX170yw=e;
zc9f^$d5rJJ^Eh`t7RSEfnRuSyNAUcXdmWEsCwUH@r}#-czvDjNU_8FTczk1Fr}=rX
zb6{;wSlC%U>jbPg0V}}H^T=;89^Ya-zO}F)c?sA}u$Yq;c9AbRiSamz@c_HbyPkr-
zor1revaqZCDcBRR!QWZfPrUFu_}h2zx9=_NI`98I{Ox=A8`v-0a2o!08vb_L!b*5C
z*j_OAGZywMPdx*FI|F|MyUm@?!r#uq-_BatU48`YFqq#t3oGL}=iqPW;BR0LxX*dm
zcOLegx3EY2JlHv~Ha}R{V?OH#*!KhM1AEFNe}sKM!oD9Z><?Z7b`vb-f`vWjOD@2^
z3$X8kMfXzTuU+iNyIh2U7cGqOrx#%$*x*YRX2T0F!N5x}@G@;^{V&77%P<hEDmPq#
zfmdMQ7242>!S;f=U!@H#^(qX!3IoB6-1!;|yaofW(S~*e>@b+$Pqd-s`~(Akf`MRl
zxX;fp@MjqKGi_++!OnrTxlS9}tm`oFIt&DJ=8-pG;0+jfgEq7hu$y2pztD!Z<QEwD
z3k(Enz`NeW0N#XsH)%tA3ibqSa0zW_g(a}B1ooBEhSt9n_LaguFmG=7754oK`+lVj
ztr%=CnENf-&{A)~zFV*l%#S<YhJCkT-)-8^j({Bo^SeVETFxEVcL(-?g>av{u<tJH
zyGt9|d9ZU}ZSK*AHtQbjy9fKgB6(yP>??zPWwfD{fZYU(xlbF~lKZglKI{WC^R5qI
z-vik9fHt(JU{AmXKco$<@FDDb2>Tw<hSvWP?0W?Jz&dloZ?Nw-*!LT4XvJWA!Q3Cy
zhL-vm_C1DuU@_eJ3G90U`<~E-b_DD&nBP;{&~l!_zNfGctPl73J&yI|d3eV1^S{Ho
z-(lS!w4KfRBaXe!uj1LCM?Q;V19$<R19=IagLvELaoEU~;5mes;W?CdeF3Xpz^WH~
z&uSxk$X<OqF@B}Kt<JUKu1+r->M3j(mpUee{<Ih<-m1>L^$vI=Z7=ewGe^q1Ue-5g
z|M#W0$TYG#x<zfp<m$|Y6zb~q=kRLTSf1k{6No-cMT`8}%ufFTzZ)>f$&@gG5{%yX
zsZBLWvIapqlxN*5S0)_lA=i$fc*$3u5-q0~wf{VD3JtEPaXk~!PRx@<iUcP%Uf&)+
zJE&Hk^Lw`EunS9QUv2eZ<xi+dLqzfr)+YDGOXWkR_mR(|74J_pPG7%nQL;(e`!)K*
ze!ChMtLCFu1dY|Werg<ji(Frgi&Nw1JGueNce+W^>uMx@A>Tm#qPM>qXNNc{h&}_<
zIQoLVIrK=MUg}XY`cS$A&}Wbuw^4n==awvdQ&>~6c_^FY9t;Kgqk-NG6#<)o%>Y@q
zO|*??8GiI_#w=hqKwp>l0p3G+13+)Eh6BmKFu+q>jAxFai3rvM$j&-|5vUH-01N<q
z`$n&b9|28(rhvEbN??t0JrQgOcme6CX*iGui~=%%RA2-!8W;(@0npd&!vK2!VGHPi
zs=#wp^9S$*cnmxO?g3@ME#Njl?}g}x0QBCdgh@lCpAonYTn2ssegx?K7JcP#95@Nk
z`?C|kHvo;>K!Dy9&|8GsKpmhSP#<sxJOCQXIZXH`vcy~~@=XB717m?4U>q<Nm<GHB
z<N?!x8Nl1XWMCrjCNKq{FPkO--2e+fFM@-C5TGRx3WNd80Uv<ehWrig<uAV`w+C?m
z=p{bAho^V<^woJs;6q?9Pz-z|LX%j7+!zFV06l@hz!1O;v<2D$?SV+36+kblssZ#O
zi@uq70MM&7dih2#+^zywfD6DG;4Baf-4GxY2m|O%3%!kb9cV!>vU)(NEf5I=08dd7
z`8Lhp+5o-kr{59Kj~?y=KL9ibE(2G913)Z*Wk-qw5`km@Ylbuo7!Kf<Sn}I7df#^q
zxCofgfHpe3$fCDf5kPN5(hn7?0LPHwIB)_u1zZPi05^dWpcJ?Ud;!o8Ub2Dlzyx3-
z@Fswwr99vg%8N$%^s*}wpr3cpZ&LCB`oDM*2NnT~0eUk=Z`J6Hn*3T1@^=*A3&a8~
z!D&^XNl&lqeny@yG)?hw8bvEW!(2yDT2bO5$te0AN-xNs0QL56@J^5&fet`>fPTBO
z3ZO<W2POk#L=G?-$N;d=O6dUgDD^BYjnvcRU9?J}ITDJ>mETS1L1>+%RhJYS0S$qA
zfC*>=I0KCVC!iKk6QCuI8c%s>2{Z!LRY~tOi4z<E`kjIn*5Vz>1gfMiPzR_DP@(k!
ztr1i)RY>t#oEO5B&kb+|TmY>>RCoix18`U238_^|hBW~wt`>D6MNnchfC_C5GzWYE
zZ-7=tD##O%-_$}<1(Z(ll+Q;E)69!d<EX44AP^vZKOg|0eAGB9H`gBzvZ4i`RYDm_
zS>u|dI8T5IBdIl*ey0`&P(`6YOF*kI1Yz1>s4}Xnay`(=Ew4mtrB>OioEk-iYU!23
zk%*51s3%_oXqc!+2LP0>Kkzz0QyvEr`W>RYR<)z?H-pglk>f-IZGo<UHr7-CjaNrN
z8>%h{cLr#v$U+(>8vjlJ={Nw?kjmvygJ|8UTwV{<Pyhc%9#?8WcOV9cRb^jD>gL`+
zFQ6yTM-5jlymFz`@OU5*7zzvm1_MKYcz|YE0%Q`9n}UZ85D&Zoqyi%VQc8my3B*?d
z#b<+O0hz!AU>q<87z@zCHW8pQmjUkrWaMOk8ZrrZ3!nyp=V}3Yg<F8g`M`7_53mB2
zGfoA68<+x6VFa>dS|vUY;W@xeU^XxVphlDKEP&!QK9ibOL6qMUYFsNs<5a*T;2nSi
z1%MW}uu^!Dnoc^@*rfnjD*#QO_!3|-jV&n|07_g5tWd+nkh_63z-m!8f(7Wwr&bG}
zk<4OTi{M^h5AdPL8_AM#KSGdpM{l4ha2ou3pfSRY0570E-~`aRUk}iBO*#co>GqJ-
z09)V%I4vg6fj@vJz+>PM@DQNJ-UUj4n>3ccAaDct8Tbjf23!Iz0%ri~${!#v06zlf
zfpfrFfZ~ahybN3gt^n5oD(_dI6u1T42JQg&fcroh@PNkhHw1nMo&wZb3O@rVo<L_D
z2E0UAf~2!TRY2Ry?GUEJDIHeHIy$V<p|vJZ7odYI^&mA`>!}EYsaHJdG)6t(2I&Hj
z<<5|<fCu0XGyoa`l!?-tAWXwV!(#^80W^fofM|fqqu!$v91W{Bq@+tHI@;<<m&(i4
z5-H&cB1me9bXuZr^n+{xP=Vwd1b>9DLbisC0K$PVAP@)!f`H0LN-C!f;^-7cd0GKc
z^xH!d0$Qcybd_7FHI7<L7E+6;5nB9ia0_^6fWlo=`5I(bpgTZD&{>xbBcv0fN(!H*
zHS{zBeGs`y5~ZV<zYG0gMou>r(vAupg#bPdTZMlH^W8HjgSp$-g!%`INm;C~D9vK8
z=@M<ky*%cmOScj6<C&9Kp3Pjsw3|}qeOtAi{h;BCb!<qmf1p1$DeW$m=-?pJh4}LW
zkrJY$thW)jvYC^cc5lqR`*HmiuPwL^ji4Y|<$#Uw9K(WjCv3#C@hn(OAH%xq@@z%m
z1k^vzR@@r{sd6{%cAS<|^1Y%?>~D%<S}GN3IW&1eFFqfOoF#fOm*lJQ8ds&LF%H$9
zsv-uBW5ZrGU#D6j9LBSje@fhHCnlodx-ad-R`gZa6?AentlQ4^?+mFiVs=19XK0u4
z+%bn9nV{dDfRs?B^{VmZt-Nj!SKdOmY1i|Fb$-0=?9&FzkwfkB+SSDBiLgtPjjD^D
zR>jU^)N`;)mg)%VX4H6hI-*rI(JhC$Xro(R>*E^2V+KaM#bhKp8pXFcXo7ZePp3^&
z(q>Hf>dT5QZ)p_KlTc=gQFx#!Zh6?<8^Q4A?K|ynKlRSoKQ~sb{U3%=Ge_+JomPhy
zuQt(5yI#o8ZQ78<3qJ4s=enNRi+*onSpLH(I|uREn`p9^gP1fKQmZDyLDYaLZrUwG
zzkT&#kC9$4Y%7XY8xr>SBl7p=XE=!Y)KRL3xM_DFRcke(k$0y$mnv$}%+!YITPsFF
zZQP%R`W5AJJ<Sy~<1}8mC&HBbl5joDYi)h4-H$G<XoGg6QbMbjo!gwfbi5)(?KL;;
z?xm)s)7|!XR;ga0QMZoR{ulkK3#=nvAU;gH&1rpRayw)0$&D2`|F6CGKkv2jQGK<8
zULE!SGF`}{q4nykng1qUOwVI3ZrbHj9kcp2c<=S7DLUpWufh2HP+4K!v|FM~Lv){f
zf7k9ZdPZ3vC2cL%R;)>mqVW_K9Hw3GwDt3L{^6ckJ&{9QbhQhh)=a+8u=8YFhl-Sg
zj$-Z<__=l$Rl_>A1y`p{&8yJ3>nJ{lMwoWpRgdD8AGn<En+lC^Wv$XK#2Vc9M%em8
zM{goUU6cHrM9sHR`rof}+Il|TNem)Q?UF5h)y({l+Z16%4D=87Z;8I~auNB^cy+av
zcOq>u3w9B$XF^9?<Fp=H?jqu+qICI6E-Xm(pH8XUAi5^`sk&RJi<{<`+7hO2LQdlM
zsg;&Tbu0OcA<_o%ZyKvDtm5lw*f-P_SZ%bMcHP&ko1QKm20i?)qHzP=M0c#!|FBAG
z-B|1<mXoG-mDnNcrqhdeY^b#5pi91mM%dqLTya;fdCEWc^}q%0W!@FTsjaoz1!Qf5
zH#OS*Nxe#&Pz?{U8XJbLzK2MIbknXV^Xu3l!s&d!N{fo7`8PfFm&2+#{s&%SG!63s
zFEM*2^VOg6!U0vV`K(^G%M`>2yEYWoxoCiPm6>*-i;fL%DE}pDRSKyqZp~yKEKoF<
z&zxPg3(cAw3%@)nr$#3o3-QOKgZHJ0pt-D`=sSyf=+vD05dUB)Ud)@toZYm$&hmfT
zu=*o+8%$?RfiVA|VCilXabOnf#zKYtZ04-xtwMR#aw>=A*0^bRqAgg``HlOoMKpS<
zn?CRsn`bj8#>AJiS%{l<Nm`HbzN<n{ZhHYmS|f0Z{H2+wJBJ0kZt{`;2DjFoFxj>7
z>MIzk$?7UHStQJ1%^NL*%hKT_pt+(rtAj4M@xh^WbS&IID2!}xBeu<9Ls=hTKbJWh
z`lxzxhdATC2=%jXwIM+f{^%=QAt&>4wHUE$E(>whZcH1${lxYBT?_W0p`rdQ{X_64
zvtaX>Gn*z{Nh}wk^H|4M>k1Pqkf`;YKF~iXBwC!D$C|UA;yF?bJ^kb_1gy$1vQ{E;
zetBXeEm6C@?clP&FP}`YYa)+Ph<`Y|U96dpMh4=0AP00s_@`C(eC*cakldRg)W~RY
zcRuS_%>somDC`RmrUh&WvxpT7Sd1dPbQc3f&3x9uplQja))$%itgG5i{lOsoZ6I>z
zv3k0LLE>IM^JJN#RsjruTQo0VF}f?kVqyX7=Biy7SJ=b-<no25K9-vzk4C1rO8Sa$
z{Q&NcuUM@0Uo`BvZ`*hCp%?BS>K}@~21LL@c(g0L9e)B?wTq49g5XT}(nKUJWHJAs
zAjHvyECjv&E@vI8Y2*HVs2IH#Ga-qy0E`poEThf`=#=WHq#$6xyr#R`MAl{Rih7G!
zlx|;`=)DL>uA^aM`XaVem*FTHz5}n+ZjLio?KLcG=8<Gu24BFiV)qjn?=a^u?W(zt
z>(;M5c)^k>6$<KYbk^N3Z{4rv@^zDnl+VJ&XYVklQ0@LY`)enIT0A@YtU^P(;cjNu
zGVhBsyBaG}>WJ#^qPMgw@v4kDm7Mm?16_qecVUJ?sCI|mjkZnf9<}dqutGt*WiR61
zn>}he%s5$*QYhw8R_$88UQ6%XiC%s3MTLTPabLLimWbd#zU@?zQdRs&&C+iAdopCn
z<d)07ep#W=P1p-~!)W0nFjSvLiy;DQ`=Mz0n?7sv)9bQMj@&s&9`s=9-ZO3GuXC-J
zF6~>fDfrV!TiRY*Vl9$xwiTO^*Yz1R>SHW>o4#%C=3eXl3XR(0GU^I#+D`tq&brby
z@T2cak_J>LL?NXPvIe$WI&@DJd-R@Gcz5Bq7<ME>p)M2-NOw9nEzw0+C`=FuP++sg
zo1~}R+qbrG@`yWjO-@zl?GW3b5OxR!IijGGYaHAUHY@2-p>Rp9!nby_5H{zhH5DoM
z+ld#8VW4(-U}F7e2Kxqef2+`N6G2PR2!COLaBbgSv1X?2<~N4cYBixkub;?;La26K
zA&<J%XvDmwGb<FV$XXlC+kd@aV;#rNk1J9ZisO`3y8+RzmZ|w(w&+-ef_6t@Shr&z
zu37lO#EKM8;kp#f((a8LcHX=*)-M8oH%Isf%YSqC5<Qk;)youji?Ae4u_!Bpi&!CN
z>n6V}uwI?{<Cq=YzqW%*w8ZuVpXen{LV=}-UrA&N{W2C3s@;v3-ECxSeETWWpibv7
ztSj1edIM&7O^n?A8~yc%i5uo0hOgk#mtkzQ`}ZFH(5T*;!k^5t0_wsW5DXdqBDB78
zqQ&BIs+)*jhd=f2EW;`5=We3fax5Bmy9v{B446%fvV<*L()hC&{{BN02$N|Evlp4m
z*>K#CDKAO3Sg0F{2g_LqO7dO-(MAj;(M2p+fu7TDRUGv+@=45y-mWO8CH83eevYtT
z58J1Ri_l{Q;xTgR&c=uqE76RrF(Q5?4jZL0Vj}T}F=8umB^_s5G><mWh<E)Kd3{m)
z2zJ;&Y;9<ss^O|#^Vomi9sTl4x0|8jARH^O@w5^Ft8jYI?teToZ&FQ1-RTK*=#^JP
z-1sPxSFvC>?IOp1y^eNIaQJ|>ChP`ONm*~Pa~12RyV2*})i@Z87tX6$j9a5vWkpW+
z@klIMl-Pp~GD?Z(V#SozSc0|78y7E%KKT9K*PT#eD0Xo4hTN;p;^t~ryYbKclzaHJ
zD;*OKczxM<vGXIj?@%PZ^otc9YtS946g}6lmaf`OkJ0rmFK)HZ?k%XRe-W$}tJdJ)
zqFwgbJ>bAv=dZu0E0-sqw666Rch<0ARwTUEV$Xj%K(t<qURTE0$yK}k@%+rDFH8ex
z8jz8C8{RcVtXm7u{Y&?gTdG|Ed8+!2#5cL$emQGUB=V++>gzD#iWe?r9mJ2IO!bPM
z!e>2Lx)=-}ah({iIODA+i5G{~v1=(eTpkEJQ2+(q(FC!1J=(A4wii#=v*v~`6O}V{
zgz(z{7n>>;V2-l&B7vAPvvvEE#GoSd<dr0`eFI8R+)-DOB;q$QC%;!Gz5{!dq+EKK
zg6nJPzTe`$);G5~Y<%MI>KdR{7c1IQt?8oHCNxy7P8@rWwRkmys;PJaQ&{B;E^L-q
z@xI(gCn2;p3XhGfHrgGuk$L@<*OL!mq!h0Y)$Wy?le}ohCqEpaKX6F_9;jVOxv#~t
zAEIKNUPDR{W<2J1u=sc*>bpHm+}j8z*6zHFjlcEs_xyz4<Ra)8Diw(~g%~dF@=M#-
zgZmz@Qbem2eZdBWb|SM7XSXo14|-vLZVNR9%blcMhdHCF&&rr}JKvYv667C=@8nZO
z%_5A`e|C?ncHw9CC$XEh>g>yqp{24O{M9gs3q|O%SJrH0gy0v=H<fp;uc~CHE$qU7
zGjqb9YT8AbC-Hsy!}K#tP+uh4jz5`$#Z}~ov(?*-qh(pTNZyR4M7uXM$h^MEq_=Ci
zKp)fIKPX80a+KJ)8Gou&7cV!n9D{YVayLm`k+%hZD7a@T8%hEsohUmMy)1Ow(as+E
z(V;Xr>Egr|Y;M|}n}w0@jPC7xf0Zr6Y8Ob$opvi{S=a7^i)xtPu1HxY+_z#Fv}-(9
zZn>29dwlGM3I*+=&)6Cz(^C3R>|BxZYo<usO8a`2a&Yl3IePr<Ix({=G(5yA6dtPG
zC7Rwntj3h=80^<tyR_RzKUlW!?1dZamR6*U6t|I;C5WoqSV*<_tqdN4H!xd8hizCU
zrf<XW=ZoTP%<P?y{g%3AYDDNUHlgMVhi!`P+$K6XPqo%#BTSw_B07UP?}^yX>~wW#
zy&W@r;+U~ni5Y&`V{i#{x`^M&qC~UZtg#rfi@mnzr(G<JiP48x)jfT7Go6PpUuSyZ
Xv71#B%XYFa#E`Q{8T1{C==*;Fv76r|

delta 24313
zcmeHvd03Ry`}cDOMtD@*6^2DXb3p}JlmXE}&3(jh9YIk+QBV+NaVulgRB%b@s7F9l
zTyi(fEwfV7`le+rm5I4T?zt3}rj_}A?q_lMR({{_`(E$wy52vU>-s$R`J8i~<-X54
z^T1j6nd_31u8V^LvfbG5*WXCo((v8424(c<@ykaSq7IgS+ON&r`YVU6e|PI$=Vk_p
zK1l^OUqk$`f+@{ArXi-fB-uZKlp&i#)`s+gbc3v^rH{<W7?+wXNpqMa)j)h^a^lEr
z6jgA@qw@x%s{0Vq2WiESROVi1NvZ|u<RVEPkPoY<dO71$N2ex_lCm>1a>k@c(j6D>
z$(rVFf;v?>AF>Xlb5%*I3;8SBg`oX1q!(nXYLZkR(p{5Jkx0dNK%Mm<KY^Y*<N%aI
z&FBdUReOoXOHm2w7sHOmkhzfFl9X$&jes8_ey*uDpbvNmcvndB&009d6S5y<1IT=h
zr$G9HM?q4>jUY{s<IoxuZ0`k0=|LKIha^2}Ey*je(nrdb?4y#Ca>l@^=~;N-(*OmL
z1vY3=147Uc<grhICFGeAkYq`B)J7H-K%(vT>yVTl0!a<^fuwx0CVRt;6hCcpYW7HU
zz)|qJxro?{0P3(uL85MZK1!!9`2~`?BnRC~@-`&OvVQ?d4HyGS`GS2_*%XqxtUe@_
z<Lak2?AL~B7wRKq<j9Pi@!67e35DcRfyWV`mTrZFu6-FKwR9?m9W^91Bw~E>lx*qq
zMruV<(1B#>1#rsO;ssT20`$payTM5g0H?0#2uXSyo2VYEfTV_+n@Uxbz;s^b)VgQS
z=IY3ef+V{_A*q<w0jhd>YI<_us3ge`oE-iWB<Uq)O&vdSTx#~u=sX&tAM?J>?zws+
zP9c`G_Ck^|S6iv2o`9rrkQb=dsvGwzI5lo&klOfnp-0B%wN@LSot2iFgtA<MHD@56
z=G#a}s=Y~wQhu(zHzKHl4O#&s)3T-@pR^R5y7SXe)yvJp)B^T{Q+zf!bzgR3Qc_}4
zTJr3cs^0Q8YQvO8ATTxSGB_Eu5R%5>WayEhM-)Rbu*aokj86pd4p;p(DK$Hp8ZbI5
zc~bKD?5xa;w6vTFlJribB%#ObOEftVlBVcOkmzB1Ye+xHT96o8_KFBqp3&rPNM+b)
zatg^@C=NjYW7KZZWFtr#4^=ezy;<caAu;ytdmw45uYfc`PRPj09+{OT)$F8NYJ{Y&
z8J{>lBXyJ{C1)k&q^6CMSQpiE_g+-H>O5p_Jt%&H0J(HGB=MDyG_dDGQlCzOq&^!3
zNqVu6q}L9T^qOkCCZs#~<IZaQbx6v829op-K~ny$8ei5K3kwx6OH&*VNfpIw3SA&6
zJy_!nA*q1%=pO3(Vo0(y8H0_cYFUiR+xJn&N?P)y@lcUM!AZ|olL3%4Wkx0ECQrZ^
zk&Yu{O+*}qq=Z(nDqjq#jB>~th~I<s>X3^eF+1(4S%G8HGLj@iKUHrw;%Shjjv1ek
ziBU97<D*l@j|#*fitMkZ2WfJGUtn6s$i!^4A}uvNHCqZApel?-##$)oAZM=bspAH!
zvB_CE*{Nw+=+TKe$(d6nzd>rX$ypOJlTn=wxya$gh$k}=M`mP>hy7N>Q?oy`sqtoT
z>X25D)LcGTHTNc;;o2;+MZ9WkN@7;v=(NN!zTl*FAJPr7(-5`R#IcjexzcfP8jpK<
zxvP7wC(5Kgs-o3#v$s0zzk#IOb%v=@Pd|ou(%%MI9g<2Um+uEB4=f+9+B7yRaB5<D
znv|G1W<p|SR`LSGlm3SzRJjKd<>%UC6ICOrV-n%4LKH;C)=g3emmQp@O%f!{N8M?K
zR(1Z`At_zP)S-D?0_g#{2l55T5J;*xD>;2qa;7Bx`<TIkavD8B-fxTTk}P={l6X>P
z;>hGINxHAaM__lOK{XGO($kYO$0Ub322B&_kq2H)RXuPPk}7UAR_(3&TKee3tn7*K
zT4r)iR;u^tsnTa7RZE(qrBrYVEFuf;@Pew%LZ+pw)qVy^vo#VUgqndRBsmK?)3kKA
z47K_F`K_w06NjP(Dyt9{Q)lODax^4)D;BZ=WEdnZW}aHS0g~#zjr>&G7m&mcLQ=2n
zfg~qw;!~@&_A`7v(JnfLw!FD<Ud^*-t4!EdI?nd#Kug7K%b``xUfq9(@2KYCy7<Pq
zOQyv~m+bna+G@itdyRFj{HjMAL!^Nh1zO}O21)9O0vRuNHyclbwc{nGC_^<TUgU0(
z2Rcbo6p|%g-rsCk?8MKzTMVb1xTl9jc6OGeu1KrO6Wz^*kDYlu(jGhWA`gop%*f9}
zCDn-41S(ay|Hueekj@~^+~31&s9S{>nJjV+4w8|GbmIOdv%DRw2bhtUn#=|-7as3v
zk+WRXd{valJudvbr^WCH2Td=F+{#sLzB9E!P6KPB7Up4=S8I$ZX<us0KouEX(K*5V
zqF;LoU>&ws<E6;*GFS|l8~67z%kJ=WAH6klGFW@1@Y0qMt{|A1b^}lJG|QbZ-}|X7
zB*N7}Jk5q{)p&eEi`*9@5sM=9$@bFf{Cq=;;m7LS)7K&gxJi;(DcIlFERO)gjzkTD
zL-vCW*7M09VBlf+X|=Y(5{y}_u?1i$V5+rMFcUCg)%xUqVDp}_3t;WQlzx!kuPsSK
zl{E68sg5KKP#Nq>2h-BPj)9GRmKKJU6YHi{dp;P}JE{+@o{ORCXxR-gN4~z;u^eeT
z!5pQyU`jYx0$9?s8V-Vmf;rPbl`FtnDQV^Kr;j`LY+{i|V8(>088DVPSS*cY`3geR
zk51HCh7b?#+0<g_XX5b?t4+KJ;<1UJZ)%adW3H;^qnqSnFzPfHr7Lc0OzrX{FI|(y
z&DUUUl$xmvtKm38^{In04y=n>I~raBM&k|h4Q=_>n|lUWWG^fM)LWPYUS{K5V%*0!
zN_NJAOI~$S8ZZn@9ShV`d%>t!wHGZ|dWorxn+ewb8T$aNm%_@MM7a7%QnzPG31H8L
zvEhIpKi|?KKR~2v42|sof4ygk%>pBrs4e;eY}7MmZlt>eW56)K5sweF7z~Yhe2~Qu
z*_amvS=fAD78EU?Z>$%R*f_%V1$B0#bDBgrgGBKJ_bB#0FKZpm9&uA}v^=<pu8&?Z
z?gFz=zp~$W8B#knRgG2F40#cl>Pl+vH(<eNphUycP^}q1A7YUco2fI!l~ZRO1Ebkz
zQdSqKIWG#eusB{88ZEDBt~ynnQrE%SK@q)*o{J3NMPU{;iI;^%8@7R9^spAXK26=O
zU=d2)7_baqM%qLhuOhBHzt|?q(6S|uZ)-7bYDor{1V*u|ysT}s(HDcdJx^#GWgLP~
zI|{M8yf8f4&^(Zz54XsN0@W2#S+8Z+Aov1xxbX7UW@9(7_WWYQD0wA9G|8B<j{O1F
z2h70BLtt=gH4jR_)TtlLiy|=a;iWE028=CqlPNM<{sM9Rlx&GXW;rNCHJ|a)77@HG
zGMatBP3@wMJuoSQc|yY|HiZ|qi<Zm5yDPacF$@u5+%w9;X7jkHXm*qrMn%gEV~hNP
zJ;4ipY{Na<TjVu}?10Fcyfnhh?(o9)(Q?za`hJnv&@88bk*P-RA8a<h38wn#JA@QJ
z$t}ax6#{EefZ3P;){S5Eh+^A$oF!WJLnl+UNR2eJF}%zYZM=Y;CzW5cL>arHXVuVl
zgvKaw^|A3KE1_u!B`TqB5E`z8+F^pJp~7dOM+hY-sRLn*8hZO#s3w{}geP=r@2mu<
z+K&*5Q!+G+)<ct@g-#)4Q&O9Cl%#=5=oN(eQ;419WiLj{-q<T>Q$<gAh;Ri#6KD^B
z$2Nk|Ja*#cu=oZq>k@6Oi%#ysFLsGC+7Rl-OS(q09tyvvr1*5x`NXcY3X$gf2*HyG
zIbr4K#V__~?~Fhfp3ps-5AE532sFFvIn&YoeRxT?_Ra{XMY!}(is+%MEComYo;vsM
zscWVqq*k^Ip<X<pm#)(lYZyxFrPc|e*kSOo@_4HS)2GlHZ3yhm&x2gyrryzVZ;W}=
zLp>f~mY0C3OF?3wSw0Fzp2E2XTZQxzjV7PqC`0>~czg^^>%y35c`Kq}8?Dt?aPNcB
z{KwLVfgKgg<NH|TqFB8gEDFZ6U|qP6N0iaCFU}?WVn~!6k5Hyk2rWpTfni|Ms*O`f
zbxbde;)YSi9tdGki-}@$cwB6>{4R0mVUl2bc?3qe)FrM<e>KgSmkx_?)rfL9k`IB=
zAXgP1fl)Rrt!RJb05zMWu*qQL99Ly)IR-}VP}VltIPh7%SXercd-k`;lMqQQQZ`X}
zx2B@(_w0LK)<0TqF-R@M$jdSMMuTB$;&e!C9T+V^up2wveK5?~*eLcAHw}!IXWG<L
z99Co;yFLX|7h2>r8V6(XSGMti2vG}Ml>S@;MxA3&40r%W(?H#q%yFt4&{ou)4;HFu
zk}nTDW3))$)fjw<w1{~0pIQT2`3hKsQuA(vsAil!P~KB8stYyaP&-658p~pgna$;<
zxM=w*;)W^;<oAvUVq9RT(ZE{_Mw1erreO#cp%xWrX20{e_-MIvf_eZ{^=E;>*EFR)
z&FmaE4T(1R4&(7dEOOj1U9l8J6@gLPkqr&G#7#q^4erBfI>^0;tL{~f7xES`>I&64
zF4!i*!PK)#2QalgG+1-Mu-rhCI^uI;iaTl~>T6D-XM`(AJGD3%%fV<jtwFtFJPy{A
zCk%-)G*9B5!!0b6#|@8`4<xA@i|T{sBlY(9w=)|jfeqpb)+pn^Q5d00s0^V2JYjTu
z=VV$OC@~A6VHA?jBSei<$3e5vs(W!{vzp~0VAM954qNh4Fm=R`ao=cZa7v_Ejvk{=
zfYPRB`86=ghce;W55TC))UPPNYnm>~*y@&|dfmtqaq<VDZ0dRO1Q=yQ&!G^OstzH{
zOspQ!sk~^E#aMvIuH0vMl>8k+WQDq6hm6%19@=>)gJCB?YsiYdU}1`8IV`*dM%{;e
zzGkEEIL&!-4nouvW$7}$1*ZD#0Yb6lH$&Gn9zVt+7o_P^#UI^w42;GG&J#@{SUUGi
zvB-Jps)@>eEnfk{?8U+aJB;1OBaIe3c_~7wlW1BUqj+e^$`Q*wLw7DYegs%&q^U>M
zHDKEKL)tko8a}m@!&uD;ylAXN9zQ`nfx^f5o>_e&_Z(+oSv+oBwDDjjj>J4+T$Is0
zOAlorgb{?ej}U^f2-VM4h6_Sj2&t*Z5W=WJoKFtMqY}zMNR2y!P;ZJe)SSdU$K!-F
z>Df174>Oy|3&&e?t4Na66ktFzO*V(5&wnG`px0K>Rwb1KXDA<%1_0Ahk?2jO9vncF
z4`i<7gdi3sMWG`k70?NA0eS%R`8!E^*j|-SWobkV`k#Kfkgy6X<zZ!2J|w9=EN;qY
z2<q1YY6GxRDWA%cD#F5~6ohq0at1KN>4zB!eXYc!dzE<fhr;1`<wKJ4!}0X<r8F0y
z{PO{dUqJO!U?D)RTBOMW$XY-tKp&FS@^t_euu+p+HMs+l(suz=-fn<CB#G}Kf)7dJ
zdx_waOM#leM*t;!tjT{t(&z6ajhPbwx%ezVAChFiIU@Lwr1Hv$;6su;b`2oC8vs7J
zdO(pbh`Fc4|GT6NKWg#+Nm9ce0#xxYnto+Tp8E};@}2-p;@2nEFp>IGfIcKCnNcKn
zo9-S*0cSiYwu&ZQDH5N`lA>fhNLIyz^s7Tsx74J_KS?J(J<~mx66$HGl_lkFpv99U
z)4U<6G+#(c^3$Y0B=toLiqs^T8l<JS)?_dwl^d$@Fb4mV&)Xq_GFTw#Q(01lowW3>
zS~^M6?+Hl-TD5qRH2-2DDPMmreV~?3l7fRYK8RublVw8@K^cZ?36&*PkcfCnO49U_
zHNDD`Msc<lPqIFEzQ&&`761P?ivPQU{x8zW;M@gT#=ny$D6H4g|A%Dm|8xcaRz8i5
z&6+_Z8`HOz69~{4_(Dq{NqznmBt@Oo;{TH*m9OzI@F#X(UVT!n07OXVwVahDMSVk>
zkQa&Yz)9}P3h=F_O_GA;co=y4Bwu{rk)*3y>@`Zlha`32O^uVJ;4O`lq&jYE@prU%
zl1}{MB=??3lz!AwE3{OSl<Oxg{%0+oBn2O6@}U+_(wTRdtga)!X|exFQt3}Ly~>i}
zpCVpKB0?WXT32L^lce;j8YfA?>IQ8eML<z-(-bO8a#k%ZzOtmKI$AtQ+9Vo6(z?_H
zl9IGP6j3BKC>W8{kPu2#WMefVR7(hhq`?*eNjmN5!P95C2T-;S#Qr2H-lA!DB+1{O
z<xab^^dcCgcF}T?q+mCVlce$6Ta*2?_{x&<_eVTAVGty#4Ax{k5qv63YWr{l)C@f4
zHMJQ@P@`f-YI2m8eKaH;!m=Rg^Z!y(ec1-ZIt2LXsb2q_7ZoSd0h0V(`J6}z#K~#@
zoEQH^?!bp6&5nQ0i{y=e&Wp;l`RBa&+yg1C9{BuSI&B{RoEQH&FJc({b6%uLqMRH5
zIWOWM^8e>~vFx?ade^>l?s(F<o8#6!4Lx=K=Z+QQF7~TGyN+e}gqYLQQ%dL7KRo2%
zipl-%H1abqOMA6>z=kPo@d3Y#pVFIOnfdT>)Tka<51I5w%|9TWc>X#Y?=i=X-(6>A
zMjpA|#vg$VoMVllZwvaz`P+@t$E}`}?$XHM{#*T)3%Z)>#odtY#qY0pTyeS8t(_0P
ze)4&Cm(DHLO^T>?qIl@j?9FfA9aiS_QFzMES^N6&9ZPu0To1l&j+M#$@f;f;oae?9
z=2}@bUNPIoUGv@e9xyk~@@)Jau;e@|tI2nQrOb2V_4BQ)Hc!mAagX_K{3Ecsy!JdB
z{{$>&o|V<-hry;SaN|wpTbVnbIN!#bFLdKyftk4f0vkUEHhY1UdGXU=d9S<iwhOJy
zhtF7O;}MJ8_%$$J9`d@4-vnFwx|R9!a<Ju#-FVkUR@RsoEP|g3-1q~qCcM*P_z7(N
zVk>LLE5J6s0k0KUSpY9BfPLJJ8{e?9mb~v9ux|<M0}JGg!#=QNZe^|cPOy}vuy2W#
zh492Bux}ac0}JD|m%=`<oTXOQmLCS2B4FP#D>L(n%V6Jf*asHL{RQj;n=Py?ik}9{
zD};T^t*ir|u^jdl!9K8P9#RPVz?K$TStni&w!9ej6<OJfyr2m7t$=-CU3sTs*ax=0
z*vh)|3b2hOuy2Kx_2i{1VBbpES7K#W-nRtyt%7}EF`TW0ePGEet$2yI6D(yl>|14J
zeR<+4*jEbs!20vrt6?8l&T1<g$Pa@}Sp)k@t<1(JmcqWZun#Pb`>%n0V6)d)*${pj
zEN>m`TWe(re8yVXw;uL^4d)>k%QwMF)>~O3zlE{9{7p9=^QM)J<b`j-z71~t30N}k
zxdHZpZQEeQOaI4U8#iJ^ZnUygzG)-u+vLXGHd)y?9=8ehZFb}DgQatMGwcIP-)v<W
zd_P#q7B}v*#mXk~)Ge@Ys~bN7mc>n5VISD^tyY%9kAY3u=EeiJS=nShbsOy4?#3^I
zP2~aGVISDS?N;_OF9XYa%Z+z<%Zk4a$$ty>?ZE5=%jJ<fU>{h?4lA3%Z-Fh}3Hx?h
z*(_eT6ZX9g`@m-No^QiGux)Q!@%HgC*v4J3Z<m$j^G&;8-)`8q+loKwh}#YO_P{={
zg<ReP`@quoSlJ@JA1q}r?AvQ)1w3^x?Ar(Xz&JPUgMDDr_gUFeehh5NJFxE^D-(R`
zJFss*>;o(00sCPe*uwo*R?N%5^4^7g?^;<2&wm&89e{mct9axA8(Yl_@GRxG@La<?
zy=P-<c_E(bcm<y8dC&K4>`h*Z=LY^5&yBqA2R62eZ^CmkX9sO;3y;HdE8mIdHZC8s
z;ZHph@qCN#$8!g-eb~l!@>D$E=7;gz#Z4dD*ls=%&prIuhp^-bEIDFj`}ou&u;eH#
z0o%_5j@sC}d<LEecp0AW@sN*f_?x7BJU`&&cpl`DAKTa=UV!IeehbeJd8dEb*b!cc
z=TTmP=SRHfCpPvmFU9j;{4t)N@V>`v>=@sK=W))C+t{Z(4$sf{PCQR=y!&RK^F%yP
z^8I+8;<Z1svC}*i&olfmo?md&3G~Ma^v4M+`-&d}oANoV_}t3A=2Jh16(?Z@SQ!sE
ziT(gvc+$$g;bmZXr_dj#tn4DsKZX7{js5_;%p*@@yn&URwz6`53vBrrjJGpZ{3%7@
z8H~3tFy6qf@t$8`yn$`|!iqmBc?`DkON_TKt?U-x^d-jIR~T<!S=ntK_Z7z5S&TQZ
zyIekt@dlQD*2;e1`@vGa#(4YM$|`v3*BEc-Fy6p^;-+)34{Z85D|^6?flVocePvem
z3!hpB`_98Yu*W>$JnREoc-~5X3kH_=4ea~I%AWB2Z(!dA*a!BMM_zz^U?mr<jPYAw
z%P+#di&o~u3opXHORx{j$a`LbePG)zS(yue47Twy?7K|+*`~{|?_1dSE$wG<-@?9f
z*azmu<#N~umR?T#*?zE;?_l3|w4bGZ2m7wTKCrsnbOrW-O}|3>*)gywS7F~(+Rvt5
zg?-mxADD>;T!VdJ3$M|BRtA=L9rj(P{Ve}F?7IQ`z<hb+4cG@(a)b7>TVTs?!oHid
zpB3JOeYapASQFm!7VHDtc8m72$6y=3hkf7Eezxg**moQD-KPC4?l$bZ1N*=NxqJuq
zfu-M}{cJy2%3auZm-e&NyRh#b>;ntqrhBjtZ2CRg&yImj`2qI*K>OL$A7I~)un#Pf
z2mA>8z!v^U`&k)SUIpx{p#3br0`}d9ePGc%@;>YXE4fem*)6c;Kf%7AXg@3b3HJRA
z`@p*Lo<GArux&rne)bq_;{(|DfcCRZ4`AOz*!Ph3v$%(_?-$qy7Q^LVU>{ieFSMWS
z2TOSb`ySDLmih?xJ%)W?{kiF}jSb)v@f^sHJ%)9^!n$8+H=FvajSc3f@r>gEzu8zk
zpMmEPUWVsT9`d^l`&d4n!+1HK!+GQrSoH)}JyCYCC#(3W2F^9oa3saK+&(fbHE3+s
zzQfg-i(%iX>g*AF-cukon)1r}KjW+wJFBv0#=&@(UUT2XI_v<WWU-<;b2SxpQvZOR
zeuC5g*X07@s_m=o!EQ6Yx`Chgqz3ad`t`<-qiQ78a8n$r&8i!^*~I6y*)ll;e>qbX
z&78U~y$-v~*yDXM_1G9@^c+pOlsZMWJBpc+hTpEm>Dt(SsfqgE&ClQG=D}jSQpq7z
zR}aGx6`xmzi!lkT1O0UT$5Zt~(F2f53i|60os$XM)tr+4dW^p4@6_T3Y5C}NTN5qL
zrp3{z-(8Cvti{o9Z9`C~^3yfFyQFkF9s5yD_{3{*t_V{>^ckYX(QoUmphx=jN{*7@
zAgLUnPl6V=QF}k<mrNSaX`d4oYVm91mz6p#Ib(Dygv6?0EZ@`?iS$D?S-l0=3Ty+m
zi>||2M&PFi(k~tJfcXIZL_Pr6fbg5ZdLRX$YQ~82;mkd-DS{(`1_0S!52yiD2i$<F
zfB|@lnjeY45v*};FoGcf{(y@9ZA<b4@V-Fu2gake6d)bQ044xqfpNe@fJSmEK)<q&
z0qBi}5vT&V0`$G)ci=Jb2%r}-^yU0Ma2L48q;V3x^Pv~>w;;a<t^wD9ZvlE2bpa>?
z&H|qUX8?LDb_zHNP=5{u=nVnAJ*W%R0~!GCfG6M!_!&e{B1_6$hdeWYslXIq5-<&z
z49o`R0Ivcwfw@2)@ESlbLth470cHVqU^);3^aki>yD*>)&=v>>%s?xk1wg|I<FKhj
z<Bnc=*8*w-^se0r@()P*X`KF^W54K-#C&r<MDPf36o>`zXM$3HU<8l|bOyQrU4d>u
zd!PeA@1Cjw^iJwm6#X+mZ_R!H=&jm!0KLJx2z(8k1Hz!&1_%et0N$|VDz9PUKmvhS
zD0K$f0l`2sR77K*rgmMR4nThjK!1bq0JsR01K$BxfR6zB8xyQ6^hfVfGB5^60a5|{
zr4xpO^1@7cm3M{Se_uj@(Wso>KGFNCNT5IBssJv)Nn|($oB_T9ZUVP}+rS;*E^rO_
z7@)sDnFLG&UIwNEuL3iH*MQ3?uM^6rcUtX$d(=|;8xamH0hR#*C<Z!1Aqr>@&>K4^
zfL<-O1O@?Z!D+Ri#em+#-9VmLnyUD`kRj#_!+%kGfMO?5Uf`2a^k*XdAo~L3?Y-dL
zA-e%xfiA$8h+7TVff9h0vR42yY9cTJ$N=yMT8d}M!_@%t_Hck!EHp<#QMt<dOIqq&
z09qSqMRtO828=*6peaD_+B*ZC03V<^;0@4U5!3-{0AvVNM6cUw1N0XMBx`As!u5c<
z8m~u9r$~YqK$Um^?mz>83iSl^Mo`66A;s%)O%SGhet<8~5YQV$<u(Qy0sb0ZfYj@3
zO0Ek4D3S^$ODVAxK!tV$S_45qOP~cn1(7~kMPaId(kV>&0=2LOl4he`R$GMI0HhxR
zgaNsfky=LuhXQ^;FrZgLjUZ*6>yqNA5mXpSy^<(|+W}NjBoG1U72>3z{OOrq7wXA<
zRxl~)h3l<+9;ZfC)~_7yfV60UJlO}JZX%D;vPSt5fT6$;;3ew+9td;?x&bc&)PFQ^
zx&U2)7(nl9DuBAHC!lv#Z-lKtM}RD(ZleD01&|I6IBH1ca;QP^fJyIvDv(yySb+MK
z8qg2u3&d%X7A|u0AYdRc0I+G{%7s^MBsDw{7zvC3oB-l9%aR~-N8vFVplL%1slZrZ
z96(CxkZAy=>7e**@GKw`m<mh=a)3#|6yRlm%3J{mzz&eH)PU*0tAH~_Q3L{tEPz}L
zECS{NGl3aE<&3kzUjt?Vl$Su3%&Ej*M|c5{56lPh0BSVp&I2f3<tW)f)bPS*iH<__
z%v1oiei^U?cmvSmc%|@CEuD0zvBdxxxg5~-i5Jn_E(A!)4WPtTz)CIrF63Td4NwY*
zid5Ek*;ppaG^8kIk1&m8R=52Kz60z7z7P|~vXQy8Q8ovf0cR2Y70?9X7l1~9J75B6
z3upl78z>zJsPtNp)c_;#6r9$QKY-tX$G{`tA@Bg8Hvb5G58MK7Qm5TO;2LlhxB^@T
zE&*Qy<k4>+F9H{U^FSGJ4xo7AB)<i|1ImHx0F`$KxDDI|?g2jl6~Irxec)%{7aBCb
zA@D0et)=i2;1>-}u*v|?F2n#jHn;-%t}Y`?XH`18l67=;r86uYo9Y8}t|bprqjgV_
zhsZ1bh`)*YB_9O50J7W@(i`vv8UlVmV}LSIdQ*g{o2Yv_0xts8g#kb(04`O$M~6A;
zR=rC}mkxKd>ys{(M`^j#-;_YslhhOG;6!c=f(!(xK++|&Mwr~)0WuPZ0L(xL5C((-
zl~0#cjs<aaAfr4{KzksX{&G>Tlm=bpR_ZOM7L$e4VrqmQzZbkWcn^TWJvC{C>;=38
zkP&q3rE>}C^wA`R&nl>{ey3XvGJ=Wo=`5%L4Z0CfM3OW(0|9*6y(JorXD#;i7|;Bj
zoI--aMA}3)z#Ws(uK$a(fei}|3J(f~-^KeASxmV8^;!SlXefjPg^+@NFOL4-(gya9
zL0Qppt&H${jd>UbIE%$|SZMeN%zqD5vhb8k=bA&uEJqokLBUjpeqBq)&=AXo5oJS=
z5~ilicNVW_G7oS4YMLMK+XgLPQ*e#yNA<|O$yt1u$wCc#oyE#YEL1elVtow7M)7SH
zvTZObi;VrXfs0ZexCDHNY;Dwnbq)PWo;EWV`$wHT-1ILR&&tv-=NS{_`qnEMvm>Di
z4^i`-TtrYd41HE+6}8sCYHAv~rr4g1#@=xee`K@KhD!dj=b$*vcJX!&Yx9@HPh{Z@
za}Aee5j%-_gzI+znQAT_R(<Te)@YsPLj9JYd(mx=O)>6CL`qw=-I~kv))<~v6(78c
ziruS;-={&gswVs<SCSp7FM9<PMvSLuU7~-L_LjPd_b6Uf6Za-FPwIOmO*g!D4RL5T
z^AMlE!aTk8+j>6pH+A&+IK79%_g!m<1yj&}`UOMB8(ny~;^>lw(9niVE(#(I{f?rR
zFLpcp;%oPE92$D-)#i9VzoT_U&HVpRsjjJ6;jQ0;6zDyB*z!e(y8pHE2DQbbspzK4
zb{iVi79+^NQME<G>5#hL`_&fP5g)E!m-O)Cy)TXP|HIi)?DPGh_1S;$M}BP){4#3O
zMvS+9SyR<^V;eW?R`-&l7Trv(BX_)vj?~)rY)oil;onuCX=$mtVH&OMgmCpvC&}KY
zSEm;CKA#pjs;Bd#JJyNBc2B!^`1;ZbM~ddKaQ%L$rr*!;-se}PnnOdsL2Ccl7B%hC
z%yLJH-WJ`EUiHLkI6qv!gKFKxQJvj#Pj7VOc>d7RT=`$S@L3Q4$z6XQ0RKnHLg^RX
ztUqP_YqY3kXQAHuMOj@l2l&1@IBKSW{<~WFXfxGYztPGv%<$fqKe%3oKh%X*($^<_
zE-&*CAEV50{VJ;MhdKwD{W4>bLtA?E%c@FWz0j!ptIo9?DVID%&<uEAzc;H<UFU-G
z*{{uTXy{jQZ8~w$-3dofq-ay$$0S}sUT^*Ku7m;C!`J=m)0+;B?k2H=N`L;+_xz2a
zz$E^l(yyD8Z_Re2%f!V8I&8+W85|TE)CRta@)ASmU?S=M(DpZjzW(+05|=3bPivpI
zes|c00I!6dU&YmS*m~4Uc+Vn>YA9cx?0;Plwb5$OmOX8^^AIa$ITl&(=kHMY9^wuv
zF#Ju^D=*I??KNyQf3m}SjF0m5-=2Td&$G+WpT9u6wM{g~NBoE#KK%J>>+}8mg^#dc
zCotUh5ep!_^&8Kcmj7P!NsI67j^5NY^t;g(pF2KekxxZ4hlaMWgzLAdbqd|mc+Y$F
zS2#5E`_}rroHxg~_F#%5CD>QgKyQV+`YGQ*?SWmpM0k`9s<a+GKkwhTlTJE+_TaOT
z@_D0W`K(?QY`@ZlMxxbR*24H>Bm7_}q8GCIRUcCj>z=A5dgQZ)Y>FtK%S?tAFNojg
zG7q*})X!sK21UceOTVLSMwH9Bcf(ipF)*!PqzW-T582F3#qvDX+k1Lb<qNufU5iWe
zb9x5!g7w-ARZG$eR7E|d=C=BcZi@=Lr`-42Oa}_Bbp6h^*WY!!QM7h7jbrUB*i#he
zqj`P-;#5AmwsnB`KA(lMpM=jmW?~-;^E}p4K93crD$JZL#!>8SF?${x&Wc6f1<dq9
zaZ7cq={LglyYl9^B}s1$LLHcXVL_qz`CAN{&svDy^O>tbBeI@tsmPzt!q^7!{(NTg
z(yxP?{q3u{BTPGK;D+K<8;YN@MFkYtRZ(pL>-y)q^;_jSuNyu4MBY<c&q6TuL-0$u
z(tpO_ppdXUv0(vg$(D<PMa(2G4^)1hv#Z_3W{R2%|C-oaBrHUwBSpv})<7&=$b8Vf
zTPP||e6)~tt;+G;I2@jF2^RHUXTum5hhJy@qTB1Nl@>NM2@zLcXI*4nRVi$^)(k`S
zP_cCp91r>NBId{Ti_?o)1Lp`y`c$yREXL40OvEl`y;-&>S&Vv>bX}nL#ht~NiTWjV
z3;NsEEq|-<And0DBkYH}{R%J)my5^(l%~_mqO?F6mEvpx>rz$k4DWEUqZnts_HUs5
z#Uk|$mQnY2*jEiE7PO9E*mO^a$a?IOxcvr;GPsyUbB?J~*DQu|R%F16^$47;5G|LW
zEA{K<W?EN`yS=GuZ)XhkFr`f=#c(Ku>-W>`d3xu5RnOy1918jkc4tEmJY9I-#vCb)
zBE<G3%)?8+^DZy5xY@<Lo^B3}A)*|Gqnm!CMl6FP8=~<8E*&hL`|}J>hu&_{dMO&A
z-?A6+<I6AAs5SSrLqWfXZ&wrNgy5UA>pD_uMT%FKq7nMdedcD{B0_&V)y<*tlGusD
z*+lUvgqMEvU&678UAy#}e#W8qj(ED1g?Sr0sq-r<zsDcD*T3+JGJG*XvAlH>eU@RV
z({Hf5bm?HpmeBVjooQ=pL-QiIv$_F&;u0&m-Aw<`k<z8JSb@A=@tTImufK-$J070w
z&=@aHE@P&)v!GBHP73Z^G<;u`ng)l$GNd#>iko|vTPwFu`j;bRtMCyp?GO~|Kp}O1
z`;Bd?q+fR^oDqGYz^;pN5Z?OLep|YwCS*o8Tj9{F`Jz}Ym`7XvGQbvfnuoFZS4tfk
z`gMV6Bi1}UTd=>ABPCYcrAFxY3*K0keZMsN;Q@!jB;mgtjhHW@AiVVZ2}5g7A5{Ks
zza)p=Zjk|nw)%yJhp!cEtn1$W7l#7fd5ANv{ga1w-&fWR<c^ek;(aPxza%ld_h)-c
z-`G9Pp^zdfs10^etq`J6G%3V7vtRTDYkb_QuAND})nS_T-oP!}4K*t;0MNPgMb$1A
zLeWdVjP8=ZsZP}nH4IR|REmVgHgTBB-7mf=#4>tJ)GWfN)-TPApX)y@a?it$RQ2$n
za7n*buU&|Bfai?MTa}@v%*rY;VptK@lINTzu?l#`hz4u$ef?+=PB5)v#J5E()Jwk;
z@b%KS2R@m8a-h<5<vX@j1Qw%ZHc{<OW)dTc@x57FU)Wf2tQf7GCZ3R(EkahXFfaXb
z#6g}tPWx8uI_7BF9+A5O-J{=_=WF<GSl@g1CO{z!zi40*==U(zueI~Qv_<3TcZ!f8
z?0xv<OPoO22H!qnWeFBG&k}rz)vs|pRO7~`?z={jw`sR%i(iiVh}aUGx%G=6r|f@V
zHn!`z1sZgcg%7lXy!ERgBbEg&@jp@rjeRv(tx?l3w2BpXP^H(*ShbIBeZP!JxPOek
z-)N`v#lm+bwtPcB(QYNy(V+ff{7P&Ek^M#9O4i#;ztgex2Fs!Avy-MHBRYzVIw*cv
z$zs?z(P0(x`wbF<S7F^P7V|-Me}Axw)p?<nO?fr+>;lKc5B)#tzTETxMPV_fqL8`9
zYE-Jq-q^H;tVSU>Mb2t0O!^g$eOiCG#&rBhJtd#ggckAQ=xTUMzuYlt;tL%*R;w8S
z4e}J0u1-Tlol=;k_IZ70MC}#BOHuf7F|`zZf&sU^6b{mFc05z<deX~0@UUuUB+A$(
z%1KcjcSUT0*trJd<oUy3xp+zndq$`~=4|mFyyn;0PhUWRn#VsBF>A3J#U`r9w%gVH
zOx0#K359}oxT>2ZX0FAketsP`adItd+1PEQda0@%GZ$Yw?B#jiWbf>A+!aN&2@0X{
z|C#Vvhnaf^ia3qi3-%p3lG-RF&%h#rLY4WUE(`{Fl<4>-dZ76zF=rh-`uwpRGD=*4
zW<C9;$<bxeZx0NNxK@jG7`1FYHhFbbk@ZzYZ2>D073<;kJt6}_t1eW$x1QDca|TUQ
zov~UzJp(%}vfjjGJuEgr7}U13Kwr9SVE*Cy#iwxx?-^HIy4xIX(1yYDhkyMsV%P@s
zzkXlk!B)lRqXv4=QJ1D;7~a*2f(@vv?HKX#27GJPFT@-;;?C1w7biYcD!~fixEiy=
zPlt9Muho{mE0{4=kP?w1f;Pf6^F;TJEXG^E6Z1s%m@nh^{19MZI3?1|m(ZFWQ1sSs
z%be>Hurg-t+Z&YDgak$6b;MY4btC4P>LtD3Sdy@Af_wkY+2ZX@e|56j4=hEn&CmSk
zA^L27rU{?EyqWp4G*Pk{1y2+EposEsZ^i*Ga=d7_1&uf@(zl>D-7-Yp7Mu?Ii?6n@
zsq!ZilvjfGp~AKm=l0}@>e91GT-=7CsNb1+scqk>37#eGVHzzcA!aNn2e)F|&@b7n
z=-DS>bM@$1&J3x+L1w(kKuPoiPucf*qVXFWPdHKxnWDxv?BDvuodc`inw=ast-C`*
zzuL3Ynaf9340&^^BPCW0p?2waf%<r^y0ztiUqgpNu2=+xw)*9vyNeHgec}4rB8S4R
zOy!4i`=^7JojCL5%;EK({Wzl799A{&E%g_4*B!!hJL@7wY-hpjoG94NqCL-H_r<U5
z_SYiXe#WNM_#<M6s{4D>ecx|qK?Xnk&>oaMW?FVmW>Q9ARyMANPVbmKbwYAhYxU}Q
z(Q+q?5{*u?BVyi8)=Si?XQ)z7OKTmd1p={ei1MS%f8UooSvV6XuP~z+x|0Pd>icT#
TVonXky|0+dzB{K`#DM<=MLRQa

diff --git a/frontend/src/lib/i18n/locales/en-US.json b/frontend/src/lib/i18n/locales/en-US.json
index acf2a5ff..6d1af3c9 100644
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -41,7 +41,7 @@
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
     "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
     "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index acf2a5ff..6d1af3c9 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -41,7 +41,7 @@
     "totpTitle": "Enter your TOTP code",
     "unauthorizedTitle": "Unauthorized",
     "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unaothorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
     "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
     "unauthorizedButton": "Try again",
     "untrustedRedirectTitle": "Untrusted redirect",
diff --git a/frontend/src/pages/logout-page.tsx b/frontend/src/pages/logout-page.tsx
index e05c362a..06a94210 100644
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -10,7 +10,7 @@ import { useAppContext } from "../context/app-context";
 import { Trans, useTranslation } from "react-i18next";
 
 export const LogoutPage = () => {
-  const { isLoggedIn, oauth, provider, email } = useUserContext();
+  const { isLoggedIn, oauth, provider, email, username } = useUserContext();
   const { genericName } = useAppContext();
   const { t } = useTranslation();
 
@@ -65,7 +65,7 @@ export const LogoutPage = () => {
               t={t}
               components={{ Code: <Code /> }}
               values={{
-                username: email,
+                username: username,
               }}
             />
           )}
diff --git a/frontend/src/pages/unauthorized-page.tsx b/frontend/src/pages/unauthorized-page.tsx
index bcb35902..84bb8d6b 100644
--- a/frontend/src/pages/unauthorized-page.tsx
+++ b/frontend/src/pages/unauthorized-page.tsx
@@ -21,12 +21,12 @@ export const UnauthorizedPage = () => {
   if (isQueryValid(resource) && !isQueryValid(groupErr)) {
     return (
       <UnauthorizedLayout>
-          <Trans
-            i18nKey="unauthorizedResourceSubtitle"
-            t={t}
-            components={{ Code: <Code /> }}
-            values={{ resource, username }}
-          />
+        <Trans
+          i18nKey="unauthorizedResourceSubtitle"
+          t={t}
+          components={{ Code: <Code /> }}
+          values={{ resource, username }}
+        />
       </UnauthorizedLayout>
     );
   }
@@ -35,19 +35,19 @@ export const UnauthorizedPage = () => {
     return (
       <UnauthorizedLayout>
         <Trans
-        i18nKey="unauthorizedGroupsSubtitle"
-        t={t}
-        components={{ Code: <Code /> }}
-        values={{ username, resource }}
-         />
+          i18nKey="unauthorizedGroupsSubtitle"
+          t={t}
+          components={{ Code: <Code /> }}
+          values={{ username, resource }}
+        />
       </UnauthorizedLayout>
-    )
+    );
   }
 
   return (
     <UnauthorizedLayout>
       <Trans
-        i18nKey="unaothorizedLoginSubtitle"
+        i18nKey="unauthorizedLoginSubtitle"
         t={t}
         components={{ Code: <Code /> }}
         values={{ username }}
@@ -65,9 +65,7 @@ const UnauthorizedLayout = ({ children }: { children: React.ReactNode }) => {
         <Text size="xl" fw={700}>
           {t("Unauthorized")}
         </Text>
-        <Text>
-        {children}
-        </Text>
+        <Text>{children}</Text>
         <Button
           fullWidth
           mt="xl"
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 0b709b04..d6dfbc3f 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -268,7 +268,7 @@ func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext, lab
 	// Check if oauth is allowed
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
-		return utils.CheckWhitelist(labels.OAuthWhitelist, context.Username)
+		return utils.CheckWhitelist(labels.OAuthWhitelist, context.Email)
 	}
 
 	// Check users
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 6e314615..4a8f6255 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -114,7 +114,7 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 	if !authEnabled {
 		for key, value := range labels.Headers {
 			log.Debug().Str("key", key).Str("value", value).Msg("Setting header")
-			c.Header(key, value)
+			c.Header(key, utils.SanitizeHeader(value))
 		}
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -209,15 +209,15 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 			return
 		}
 
-		c.Header("Remote-User", userContext.Username)
-		c.Header("Remote-Name", userContext.Name)
-		c.Header("Remote-Email", userContext.Email)
-		c.Header("Remote-Groups", userContext.OAuthGroups)
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
 
 		// Set the rest of the headers
 		for key, value := range labels.Headers {
 			log.Debug().Str("key", key).Str("value", value).Msg("Setting header")
-			c.Header(key, value)
+			c.Header(key, utils.SanitizeHeader(value))
 		}
 
 		// The user is allowed to access the app
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
index 2830a120..e49075f8 100644
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -328,5 +328,19 @@ func CheckWhitelist(whitelist string, str string) bool {
 
 // Capitalize just the first letter of a string
 func Capitalize(str string) string {
+	if len(str) == 0 {
+		return ""
+	}
 	return strings.ToUpper(string([]rune(str)[0])) + string([]rune(str)[1:])
 }
+
+// Sanitize header removes all control characters from a string
+func SanitizeHeader(header string) string {
+	return strings.Map(func(r rune) rune {
+		// Allow only printable ASCII characters (32-126) and safe whitespace (space, tab)
+		if r == ' ' || r == '\t' || (r >= 32 && r <= 126) {
+			return r
+		}
+		return -1
+	}, header)
+}
diff --git a/internal/utils/utils_test.go b/internal/utils/utils_test.go
index 041da98c..42ae9008 100644
--- a/internal/utils/utils_test.go
+++ b/internal/utils/utils_test.go
@@ -467,3 +467,65 @@ func TestCheckWhitelist(t *testing.T) {
 		t.Fatalf("Expected %v, got %v", expected, result)
 	}
 }
+
+// Test capitalize
+func TestCapitalize(t *testing.T) {
+	t.Log("Testing capitalize with a valid string")
+
+	// Create variables
+	str := "test"
+	expected := "Test"
+
+	// Test the capitalize function
+	result := utils.Capitalize(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing capitalize with an empty string")
+
+	// Create variables
+	str = ""
+	expected = ""
+
+	// Test the capitalize function
+	result = utils.Capitalize(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}
+
+// Test the header sanitizer
+func TestSanitizeHeader(t *testing.T) {
+	t.Log("Testing sanitize header with a valid string")
+
+	// Create variables
+	str := "X-Header=value"
+	expected := "X-Header=value"
+
+	// Test the sanitize header function
+	result := utils.SanitizeHeader(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+
+	t.Log("Testing sanitize header with an invalid string")
+
+	// Create variables
+	str = "X-Header=val\nue"
+	expected = "X-Header=value"
+
+	// Test the sanitize header function
+	result = utils.SanitizeHeader(str)
+
+	// Check if the result is equal to the expected
+	if result != expected {
+		t.Fatalf("Expected %v, got %v", expected, result)
+	}
+}

From d171c5940bbdf274fb84bdeb56be49c0d9146c27 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Wed, 30 Apr 2025 19:49:35 +0300
Subject: [PATCH 6/7] feat: get claims from github and google

---
 frontend/src/index.css        |  4 ++
 frontend/src/main.tsx         |  6 ++-
 internal/auth/auth.go         |  6 +++
 internal/handlers/handlers.go | 34 ++++++++++++----
 internal/providers/github.go  | 74 +++++++++++++++++++++++++++++------
 internal/providers/google.go  | 19 ++++++++-
 6 files changed, 121 insertions(+), 22 deletions(-)
 create mode 100644 frontend/src/index.css

diff --git a/frontend/src/index.css b/frontend/src/index.css
new file mode 100644
index 00000000..2ddf63ce
--- /dev/null
+++ b/frontend/src/index.css
@@ -0,0 +1,4 @@
+span,
+p {
+  word-break: break-word;
+}
diff --git a/frontend/src/main.tsx b/frontend/src/main.tsx
index c5a39d67..2efd7970 100644
--- a/frontend/src/main.tsx
+++ b/frontend/src/main.tsx
@@ -19,6 +19,7 @@ import { TotpPage } from "./pages/totp-page.tsx";
 import { AppContextProvider } from "./context/app-context.tsx";
 import "./lib/i18n/i18n.ts";
 import { ForgotPasswordPage } from "./pages/forgot-password-page.tsx";
+import "./index.css";
 
 const queryClient = new QueryClient();
 
@@ -38,7 +39,10 @@ createRoot(document.getElementById("root")!).render(
                 <Route path="/continue" element={<ContinuePage />} />
                 <Route path="/unauthorized" element={<UnauthorizedPage />} />
                 <Route path="/error" element={<InternalServerError />} />
-                <Route path="/forgot-password" element={<ForgotPasswordPage />} />
+                <Route
+                  path="/forgot-password"
+                  element={<ForgotPasswordPage />}
+                />
                 <Route path="*" element={<NotFoundPage />} />
               </Routes>
             </BrowserRouter>
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index d6dfbc3f..d593f2f6 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -283,6 +283,12 @@ func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels t
 		return true
 	}
 
+	// Check if we are using the generic oauth provider
+	if context.Provider != "generic" {
+		log.Debug().Msg("Not using generic provider, skipping group check")
+		return true
+	}
+
 	// Split the groups by comma (no need to parse since they are from the API response)
 	oauthGroups := strings.Split(context.OAuthGroups, ",")
 
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 4a8f6255..31418f6a 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -150,11 +150,20 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 				return
 			}
 
-			// Build query
-			queries, err := query.Values(types.UnauthorizedQuery{
-				Username: userContext.Username,
+			// Values
+			values := types.UnauthorizedQuery{
 				Resource: strings.Split(host, ".")[0],
-			})
+			}
+
+			// Use either username or email
+			if userContext.OAuth {
+				values.Username = userContext.Email
+			} else {
+				values.Username = userContext.Username
+			}
+
+			// Build query
+			queries, err := query.Values(values)
 
 			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
 			if err != nil {
@@ -190,12 +199,21 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 				return
 			}
 
-			// Build query
-			queries, err := query.Values(types.UnauthorizedQuery{
-				Username: userContext.Username,
+			// Values
+			values := types.UnauthorizedQuery{
 				Resource: strings.Split(host, ".")[0],
 				GroupErr: true,
-			})
+			}
+
+			// Use either username or email
+			if userContext.OAuth {
+				values.Username = userContext.Email
+			} else {
+				values.Username = userContext.Username
+			}
+
+			// Build query
+			queries, err := query.Values(values)
 
 			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
 			if err != nil {
diff --git a/internal/providers/github.go b/internal/providers/github.go
index 2f8862e7..b80c4b1b 100644
--- a/internal/providers/github.go
+++ b/internal/providers/github.go
@@ -10,30 +10,36 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
-// Github has a different response than the generic provider
-type GithubUserInfoResponse []struct {
+// Response for the github email endpoint
+type GithubEmailResponse []struct {
 	Email   string `json:"email"`
 	Primary bool   `json:"primary"`
 }
 
+// Response for the github user endpoint
+type GithubUserInfoResponse struct {
+	Login string `json:"login"`
+	Name  string `json:"name"`
+}
+
 // The scopes required for the github provider
 func GithubScopes() []string {
-	return []string{"user:email"}
+	return []string{"user:email", "read:user"}
 }
 
 func GetGithubUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
 	var user constants.Claims
 
-	// Get the user emails from github using the oauth http client
-	res, err := client.Get("https://api.github.com/user/emails")
+	// Get the user info from github using the oauth http client
+	res, err := client.Get("https://api.github.com/user")
 
 	// Check if there was an error
 	if err != nil {
 		return user, err
 	}
 
-	log.Debug().Msg("Got response from github")
+	log.Debug().Msg("Got user response from github")
 
 	// Read the body of the response
 	body, err := io.ReadAll(res.Body)
@@ -43,10 +49,41 @@ func GetGithubUser(client *http.Client) (constants.Claims, error) {
 		return user, err
 	}
 
-	log.Debug().Msg("Read body from github")
+	log.Debug().Msg("Read user body from github")
 
 	// Parse the body into a user struct
-	var emails GithubUserInfoResponse
+	var userInfo GithubUserInfoResponse
+
+	// Unmarshal the body into the user struct
+	err = json.Unmarshal(body, &userInfo)
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	// Get the user emails from github using the oauth http client
+	res, err = client.Get("https://api.github.com/user/emails")
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	log.Debug().Msg("Got email response from github")
+
+	// Read the body of the response
+	body, err = io.ReadAll(res.Body)
+
+	// Check if there was an error
+	if err != nil {
+		return user, err
+	}
+
+	log.Debug().Msg("Read email body from github")
+
+	// Parse the body into a user struct
+	var emails GithubEmailResponse
 
 	// Unmarshal the body into the user struct
 	err = json.Unmarshal(body, &emails)
@@ -61,11 +98,26 @@ func GetGithubUser(client *http.Client) (constants.Claims, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
+			// Set the email then exit
 			user.Email = email.Email
-			return user, nil
+			break
 		}
 	}
 
-	// User does not have a primary email?
-	return user, errors.New("no primary email found")
+	// If no primary email was found, use the first available email
+	if len(emails) == 0 {
+		return user, errors.New("no emails found")
+	}
+
+	// Set the email if it is not set picking the first one
+	if user.Email == "" {
+		user.Email = emails[0].Email
+	}
+
+	// Set the username and name
+	user.PreferredUsername = userInfo.Login
+	user.Name = userInfo.Name
+
+	// Return
+	return user, nil
 }
diff --git a/internal/providers/google.go b/internal/providers/google.go
index f8ba30d1..417de6fd 100644
--- a/internal/providers/google.go
+++ b/internal/providers/google.go
@@ -4,14 +4,21 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strings"
 	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
+// Response for the google user endpoint
+type GoogleUserInfoResponse struct {
+	Email string `json:"email"`
+	Name  string `json:"name"`
+}
+
 // The scopes required for the google provider
 func GoogleScopes() []string {
-	return []string{"https://www.googleapis.com/auth/userinfo.email"}
+	return []string{"https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile"}
 }
 
 func GetGoogleUser(client *http.Client) (constants.Claims, error) {
@@ -38,8 +45,11 @@ func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 
 	log.Debug().Msg("Read body from google")
 
+	// Create a new user info struct
+	var userInfo GoogleUserInfoResponse
+
 	// Unmarshal the body into the user struct
-	err = json.Unmarshal(body, &user)
+	err = json.Unmarshal(body, &userInfo)
 
 	// Check if there was an error
 	if err != nil {
@@ -48,6 +58,11 @@ func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 
 	log.Debug().Msg("Parsed user from google")
 
+	// Map the user info to the user struct
+	user.PreferredUsername = strings.Split(userInfo.Email, "@")[0]
+	user.Name = userInfo.Name
+	user.Email = userInfo.Email
+
 	// Return the user
 	return user, nil
 }

From 86a18b4cac6cbd4817dd5c78ad75354757e66566 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Wed, 30 Apr 2025 19:55:03 +0300
Subject: [PATCH 7/7] fix: close body correctly

---
 internal/providers/generic.go | 2 ++
 internal/providers/github.go  | 4 ++++
 internal/providers/google.go  | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/internal/providers/generic.go b/internal/providers/generic.go
index 8307600f..5e6a0e0d 100644
--- a/internal/providers/generic.go
+++ b/internal/providers/generic.go
@@ -21,6 +21,8 @@ func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
 		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got response from generic provider")
 
 	// Read the body of the response
diff --git a/internal/providers/github.go b/internal/providers/github.go
index b80c4b1b..46657d5f 100644
--- a/internal/providers/github.go
+++ b/internal/providers/github.go
@@ -39,6 +39,8 @@ func GetGithubUser(client *http.Client) (constants.Claims, error) {
 		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got user response from github")
 
 	// Read the body of the response
@@ -70,6 +72,8 @@ func GetGithubUser(client *http.Client) (constants.Claims, error) {
 		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got email response from github")
 
 	// Read the body of the response
diff --git a/internal/providers/google.go b/internal/providers/google.go
index 417de6fd..2023aec5 100644
--- a/internal/providers/google.go
+++ b/internal/providers/google.go
@@ -33,6 +33,8 @@ func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 		return user, err
 	}
 
+	defer res.Body.Close()
+
 	log.Debug().Msg("Got response from google")
 
 	// Read the body of the response