fix(config): support legacy users config

Author: scottmckendry

internal/utils/loaders/export_test.go

@@ -0,0 +1,4 @@
+package loaders
+
+// ExpandLegacyUsersEnvForTest exposes expandLegacyUsersEnv for package-external tests.
+var ExpandLegacyUsersEnvForTest = expandLegacyUsersEnv

internal/utils/loaders/loader_env.go

@@ -3,6 +3,7 @@ package loaders
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/steveiliop56/tinyauth/internal/config"
 
@@ -13,7 +14,9 @@ import (
 type EnvLoader struct{}
 
 func (e *EnvLoader) Load(_ []string, cmd *cli.Command) (bool, error) {
-	vars := env.FindPrefixedEnvVars(os.Environ(), config.DefaultNamePrefix, cmd.Configuration)
+	environ := expandLegacyUsersEnv(os.Environ())
+
+	vars := env.FindPrefixedEnvVars(environ, config.DefaultNamePrefix, cmd.Configuration)
 	if len(vars) == 0 {
 		return false, nil
 	}
@@ -24,3 +27,72 @@ func (e *EnvLoader) Load(_ []string, cmd *cli.Command) (bool, error) {
 
 	return true, nil
 }
+
+// expandLegacyUsersEnv detects the legacy flat TINYAUTH_AUTH_USERS=user:hash,user2:hash2 format
+// and expands it into per-user entries that paerser can decode into map[string]UserConfig:
+//
+//	TINYAUTH_AUTH_USERS_username_PASSWORD=hash
+//	TINYAUTH_AUTH_USERS_username_TOTPSECRET=secret   (when present)
+//
+// If TINYAUTH_AUTH_USERS is already in the new map form (i.e. other
+// TINYAUTH_AUTH_USERS_* keys are present), it is left untouched.
+func expandLegacyUsersEnv(environ []string) []string {
+	const legacyKey = "TINYAUTH_AUTH_USERS"
+	const mapPrefix = legacyKey + "_"
+
+	var legacyValue string
+	hasMapEntries := false
+
+	for _, e := range environ {
+		k, v, _ := strings.Cut(e, "=")
+		ku := strings.ToUpper(k)
+		if ku == legacyKey {
+			legacyValue = v
+		} else if strings.HasPrefix(ku, mapPrefix) {
+			hasMapEntries = true
+		}
+	}
+
+	// Nothing to do: either no legacy var, or already using the new map form.
+	if legacyValue == "" || hasMapEntries {
+		return environ
+	}
+
+	// Filter out the legacy key and replace with expanded entries.
+	expanded := make([]string, 0, len(environ))
+	for _, e := range environ {
+		k, _, _ := strings.Cut(e, "=")
+		if strings.ToUpper(k) == legacyKey {
+			continue
+		}
+		expanded = append(expanded, e)
+	}
+
+	for _, entry := range strings.Split(legacyValue, ",") {
+		entry = strings.TrimSpace(entry)
+		if entry == "" {
+			continue
+		}
+		if strings.Contains(entry, "$$") {
+			entry = strings.ReplaceAll(entry, "$$", "$")
+		}
+		parts := strings.SplitN(entry, ":", 4)
+		if len(parts) < 2 || len(parts) > 3 {
+			continue
+		}
+		username := strings.TrimSpace(parts[0])
+		password := strings.TrimSpace(parts[1])
+		if username == "" || password == "" {
+			continue
+		}
+		expanded = append(expanded, mapPrefix+strings.ToUpper(username)+"_PASSWORD="+password)
+		if len(parts) == 3 {
+			totp := strings.TrimSpace(parts[2])
+			if totp != "" {
+				expanded = append(expanded, mapPrefix+strings.ToUpper(username)+"_TOTPSECRET="+totp)
+			}
+		}
+	}
+
+	return expanded
+}

internal/utils/loaders/loader_file.go

@@ -2,11 +2,14 @@ package loaders
 
 import (
 	"os"
+	"path/filepath"
+	"strings"
 
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/paerser/file"
 	"github.com/traefik/paerser/flag"
+	"gopkg.in/yaml.v3"
 )
 
 type FileLoader struct{}
@@ -32,11 +35,122 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 
 	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")
 
-	err = file.Decode(flags[configFileFlag], cmd.Configuration)
+	filePath := flags[configFileFlag]
 
-	if err != nil {
+	ext := strings.ToLower(filepath.Ext(filePath))
+	if ext == ".yml" || ext == ".yaml" {
+		content, err := os.ReadFile(filepath.Clean(filePath))
+		if err != nil {
+			return false, err
+		}
+
+		data := make(map[string]interface{})
+		if err = yaml.Unmarshal(content, data); err != nil {
+			return false, err
+		}
+
+		normalizeUsersInRawMap(data)
+
+		if err = file.DecodeFromRawMap(data, cmd.Configuration); err != nil {
+			return false, err
+		}
+
+		return true, nil
+	}
+
+	if err = file.Decode(filePath, cmd.Configuration); err != nil {
 		return false, err
 	}
 
 	return true, nil
 }
+
+// normalizeUsersInRawMap converts the legacy users list format to the map format that paerser
+// expects for map[string]UserConfig. Both of these YAML shapes are accepted:
+//
+//	# legacy: list of "username:hash" or "username:hash:totp" strings
+//	auth:
+//	  users:
+//	    - alice:$2a$...
+//	    - bob:$2a$...:TOTPSECRET
+//
+//	# legacy: single-key map per entry  { alice: "$2a$..." }
+//	auth:
+//	  users:
+//	    - alice: "$2a$..."
+//
+//	# new map form (passed through unchanged)
+//	auth:
+//	  users:
+//	    alice:
+//	      password: "$2a$..."
+func normalizeUsersInRawMap(data map[string]interface{}) {
+	authRaw, ok := data["auth"]
+	if !ok {
+		return
+	}
+
+	authMap, ok := authRaw.(map[string]interface{})
+	if !ok {
+		return
+	}
+
+	usersRaw, ok := authMap["users"]
+	if !ok {
+		return
+	}
+
+	// Already a map — the new structured form, leave it alone.
+	if _, isMap := usersRaw.(map[string]interface{}); isMap {
+		return
+	}
+
+	slice, ok := usersRaw.([]interface{})
+	if !ok {
+		return
+	}
+
+	normalized := make(map[string]interface{})
+
+	for _, entry := range slice {
+		switch v := entry.(type) {
+		case string:
+			// "username:hash" or "username:hash:totp"
+			if strings.Contains(v, "$$") {
+				v = strings.ReplaceAll(v, "$$", "$")
+			}
+			parts := strings.SplitN(v, ":", 4)
+			if len(parts) < 2 || len(parts) > 3 {
+				continue
+			}
+			username := strings.TrimSpace(parts[0])
+			password := strings.TrimSpace(parts[1])
+			if username == "" || password == "" {
+				continue
+			}
+			userMap := map[string]interface{}{"password": password}
+			if len(parts) == 3 {
+				totp := strings.TrimSpace(parts[2])
+				if totp != "" {
+					userMap["totpSecret"] = totp
+				}
+			}
+			normalized[username] = userMap
+
+		case map[string]interface{}:
+			// Single-key map: { "username": "hash" } or { "username": { "password": "hash", ... } }
+			for username, val := range v {
+				switch pw := val.(type) {
+				case string:
+					normalized[username] = map[string]interface{}{"password": pw}
+				case map[string]interface{}:
+					normalized[username] = pw
+				}
+			}
+		}
+	}
+
+	if len(normalized) > 0 {
+		authMap["users"] = normalized
+	}
+}