
feat: add x-tinyauth-location to nginx response #783

Merged: steveiliop56 merged 2 commits into main from feat/nginx-x-tinyauth-location, Apr 11, 2026
@steveiliop56 steveiliop56 commented Apr 10, 2026

Solves #773. Normally you let Nginx handle the login URL creation but with this "hack" we can set an arbitrary header with where Tinyauth wants the user to go to. Later the Nginx error page can get this header and redirect accordingly.

Summary by CodeRabbit

  • Bug Fixes

    • Centralized construction of error redirect URLs for consistent authorization failure handling.
    • Non-browser and forward-auth clients now receive redirect location via a response header when appropriate.
  • Tests

    • Strengthened tests to assert exact login redirect URLs and verify redirect-location headers for non-browser fallback cases.
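
The behaviour described above, as an added Go example using only `net/http` (not Tinyauth's code from this PR): a forward-auth caller gets a 401 carrying `x-tinyauth-location`, while a browser is redirected to the same URL. The `X-Forwarded-*` inputs, the `Accept`-based browser check, the `/auth` path, the 302 status and `app.example.com` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// appURL is a constructed sample value for the auth server's public URL.
const appURL = "https://tinyauth.example.com"

// loginURL builds the login redirect and query-escapes the original URL.
func loginURL(original string) string {
	return appURL + "/login?" + url.Values{"redirect_uri": {original}}.Encode()
}

// handleUnauthorized redirects browsers; other callers get 401 plus the header.
func handleUnauthorized(w http.ResponseWriter, r *http.Request) {
	// Assumption: the proxy forwards the original request in these headers.
	original := r.Header.Get("X-Forwarded-Proto") + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
	target := loginURL(original)
	// Assumption: an HTML Accept header stands in for browser detection.
	if strings.Contains(r.Header.Get("Accept"), "text/html") {
		http.Redirect(w, r, target, http.StatusFound)
		return
	}
	w.Header().Set("x-tinyauth-location", target)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	json.NewEncoder(w).Encode(map[string]any{"status": 401, "message": "Unauthorized"})
}

// probe replays one constructed forward-auth request against the handler.
func probe(accept string) (int, http.Header) {
	req := httptest.NewRequest(http.MethodGet, "/auth", nil)
	req.Header.Set("Accept", accept)
	req.Header.Set("X-Forwarded-Proto", "https")
	req.Header.Set("X-Forwarded-Host", "app.example.com")
	req.Header.Set("X-Forwarded-Uri", "/dashboard?tab=1")
	rec := httptest.NewRecorder()
	handleUnauthorized(rec, req)
	return rec.Code, rec.Result().Header
}

func main() { fmt.Println(probe("application/json")) }
```

Because the original URL is query-escaped into `redirect_uri`, its own `?tab=1` cannot leak extra parameters into the login URL that the proxy later redirects to.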

@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 10, 2026

coderabbitai Bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 96ecbc3c-e7ce-4a56-bd69-f2cc6e194b2b

📥 Commits

Reviewing files that changed from the base of the PR and between ba8dc42 and e000959.

📒 Files selected for processing (1)
  • internal/controller/proxy_controller_test.go

📝 Walkthrough


Centralized proxy error-redirect URL construction and unified 401/403 handling: the controller now sets an x-tinyauth-location header for non-browser responses and either returns JSON (401/403) or redirects for browsers. Tests updated to assert exact login redirect URLs and x-tinyauth-location on non-browser 401 cases.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Proxy Controller Implementation: internal/controller/proxy_controller.go | Centralized redirect URL construction into handleError and unified authorization-failure flow: build unauthorized/forbidden redirect URL, set x-tinyauth-location for non-browser responses, then return c.JSON(401/403) or c.Redirect for browsers. Replaced inline non-browser JSON early returns and direct "%s/error" redirects with handleError(c, proxyCtx). |
| Proxy Controller Tests: internal/controller/proxy_controller_test.go | Tightened assertions to expect exact fully-qualified login redirect URLs (https://tinyauth.example.com/login?redirect_uri=...) and added assertions that x-tinyauth-location matches the login URL for nginx forward-auth/non-browser 401 fallbacks. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

  • Issue #773: Implements sending an x-tinyauth-location header on non-browser 401/403 responses, matching the described request for nginx auth_request 401 behavior.

Possibly related PRs

  • PR #782: Alters proxy redirect/non-redirect response handling in the same proxy_controller.go area.
  • PR #714: Refactors proxy error handling toward a ProxyContext-driven handleError, touching similar header/redirect logic.

Suggested labels

size:M

Suggested reviewers

  • Rycochet

Poem

🐰 I hopped through handlers, tidy and bright,
Centralized redirects — set headers right.
For browsers I bounce, for bots I proclaim,
x-tinyauth-location points to the same. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding the x-tinyauth-location header to nginx responses. It is concise, specific, and clearly reflects the primary objective of the pull request. |


codecov Bot commented Apr 10, 2026

Codecov Report

❌ Patch coverage is 39.53488% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 20.12%. Comparing base (b44dc75) to head (e000959).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/controller/proxy_controller.go | 39.53% | 26 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #783      +/-   ##
==========================================
+ Coverage   19.97%   20.12%   +0.15%     
==========================================
  Files          50       50              
  Lines        3960     3970      +10     
==========================================
+ Hits          791      799       +8     
+ Misses       3100     3099       -1     
- Partials       69       72       +3     


dosubot Bot commented Apr 10, 2026

Documentation Updates

2 document(s) were updated by changes in this PR:

headers
@@ -36,6 +36,10 @@
 ### Remote sub
 
 The `Remote-Sub` header contains the subject identifier of the currently logged-in user, retrieved from the `sub` claim in the OIDC server. This can be used to uniquely identify the user across different authentication providers.
+
+### X-Tinyauth-Location
+
+The `x-tinyauth-location` header contains the redirect URL when authentication or authorization fails. This header is included in 401, 403, and 500 responses for non-browser clients (like Nginx auth_request module) and indicates where the client should redirect the user (e.g., `/login` or `/unauthorized` with appropriate query parameters). This allows proxy servers to use custom error pages that read this header and perform redirects dynamically, rather than hardcoding redirect URLs in the proxy configuration.
 
 ### Custom headers
 
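Review bot: In the added `X-Tinyauth-Location` paragraph, 500 is listed among the statuses that carry the header, but the examples only name `/login` and `/unauthorized`, so a reader cannot tell what target a 500 response points to. Name the 500 target as well, and state whether the value is an absolute URL or a path, since a proxy that passes it straight into a redirect needs to know which form to expect.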
nginx-proxy-manager
@@ -118,19 +118,21 @@
   technologies like WebSockets.
 :::
 
-:::note
-  Due to the way Nginx handles forward auth, Tinyauth cannot automatically redirect to the unauthorized page. Thus, users may be redirected to a blank 403 Forbidden page in case of a failed authentication. This can be somehow mitigated by configuring a custom error page for the 403 status code:
+:::tip
+  Tinyauth sets the `x-tinyauth-location` header with the redirect URL for non-browser and forward-auth clients. This can be used to dynamically redirect users instead of using hardcoded URLs:
 
   ```sh
   location / {
     # Rest of your configuration
-    error_page 403 = @tinyauth_unauthorized;
+    error_page 401 403 = @tinyauth_error;
   }
 
-  location @tinyauth_unauthorized {
-    return 302 http://tinyauth.example.com/unauthorized?username=unavailable; # Replace with your app URL
+  location @tinyauth_error {
+    return 302 $upstream_http_x_tinyauth_location;
   }
   ```
+
+  This handles both login redirects (401) and unauthorized page redirects (403) automatically.
 :::
 
 Save the host configuration. Accessing the protected host will redirect to the Tinyauth login page if not already logged in. Repeat this process for each host to be protected by Tinyauth.
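Review bot: `return 302 $upstream_http_x_tinyauth_location;` in `@tinyauth_error` has no fallback, so a 401 or 403 that arrives without the header yields a redirect with no usable target, where the removed lines at least pointed at a fixed URL. Suggest documenting a guard for the empty case with a static login or unauthorized URL as the fallback, and stating whether the value first has to be captured from the auth subrequest with `auth_request_set`, since the snippet reads the upstream variable directly in the named location. The fence is also tagged `sh` although its content is Nginx configuration.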


Rycochet previously approved these changes Apr 10, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/controller/proxy_controller_test.go`:
- Line 119: The assertions using testify's assert.Equal in
internal/controller/proxy_controller_test.go are passing (actual, expected)
instead of (expected, actual); update all assert.Equal calls (e.g., the call
comparing variable location to the URL string — the assert.Equal invocation
referencing location and "https://tinyauth.example.com/login?redirect_uri=..."
and the other instances at the same file) to swap the arguments so the expected
literal/string is the second-to-last parameter and the actual variable (e.g.,
location) is the last parameter; apply this same swap to the other occurrences
noted (lines near 131, 146, 162, 177, 193) for every assert.Equal usage in that
test.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3f981954-a11c-4913-ab0b-d8acdd3c4117

📥 Commits

Reviewing files that changed from the base of the PR and between b44dc75 and ba8dc42.

📒 Files selected for processing (2)
  • internal/controller/proxy_controller.go
  • internal/controller/proxy_controller_test.go

Comment thread internal/controller/proxy_controller_test.go Outdated
@steveiliop56 steveiliop56 merged commit cc94294 into main Apr 11, 2026
8 checks passed
@Rycochet Rycochet deleted the feat/nginx-x-tinyauth-location branch April 26, 2026 15:01
3 participants