chore(deps): update rust crate bcrypt to 0.19.0

.gitignore

@@ -1,3 +1,3 @@
 /target
 .idea
-storage
+/storage

Cargo.toml

@@ -8,34 +8,35 @@ edition = "2024"
 [dependencies]
 actix = "0.13.5"
 actix-identity = "0.9.0"
-actix-web = "4.11.0"
+actix-web = "4.13.0"
-actix-session = { version = "0.11.0", features = ["cookie-session"] }
+actix-session = { version = "0.11.0", features = ["cookie-session", "redis-session"] }
 actix-remote-ip = "0.1.0"
-clap = { version = "4.5.50", features = ["derive", "env"] }
+clap = { version = "4.5.60", features = ["derive", "env"] }
 include_dir = "0.7.4"
-log = "0.4.28"
+log = "0.4.29"
-serde_json = "1.0.145"
+serde_json = "1.0.149"
-serde_yaml = "0.9.34"
+serde_yml = "0.0.12"
-env_logger = "0.11.8"
+env_logger = "0.11.9"
 serde = { version = "1.0.228", features = ["derive"] }
-bcrypt = "0.17.1"
+bcrypt = "0.19.0"
-uuid = { version = "1.18.1", features = ["v4"] }
+uuid = { version = "1.21.0", features = ["v4"] }
 mime_guess = "2.0.5"
-askama = "0.14.0"
+askama = "0.15.4"
 urlencoding = "2.1.3"
-rand = "0.9.2"
+rand = "0.10.0"
 base64 = "0.22.1"
-jwt-simple = { version = "0.12.12", default-features = false, features = ["pure-rust"] }
+jwt-simple = { version = "0.12.14", default-features = false, features = ["pure-rust"] }
-digest = "0.10.7"
+sha2 = "0.11.0-rc.5"
-sha2 = "0.10.9"
+lazy-regex = "3.6.0"
-lazy-regex = "3.4.1"
 totp_rfc6238 = "0.6.1"
 base32 = "0.5.1"
 qrcode-generator = "5.0.0"
-webauthn-rs = { version = "0.5.3", features = ["danger-allow-state-serialisation"] }
+webauthn-rs = { version = "0.5.4", features = ["danger-allow-state-serialisation"] }
-url = "2.5.7"
+url = "2.5.8"
-light-openid = { version = "1.0.4", features = ["crypto-wrapper"] }
+light-openid = { version = "1.1.0", features = ["crypto-wrapper"] }
-bincode = "2.0.1"
+rkyv = "0.8.15"
-chrono = "0.4.42"
+chrono = "0.4.44"
-lazy_static = "1.5.0"
 mailchecker = "6.0.19"
+httpdate = "1.0.3"
+build-time = "0.1.3"
+hex = "0.4.3"

README.md

@@ -31,7 +31,7 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
   enforce_2fa_auth: true
   # Optional, claims to be added to the ID token payload.
   # The following placeholders can be set, they will the replaced when the token is created:
-  # * {username}: user name of the user
+  # * {username}: username of the user
   # * {mail}: email address of the user
   # * {first_name}: first name of the user
   # * {last_name}: last name of the user
@@ -39,6 +39,11 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
   claims_id_token:
     groups: ["group_{user}"]
     service: "auth"
+  # Optional, claims to be added to the access token payload
+  # The placeholders of `claims_id_token` can also be used here 
+  claims_access_token:
+    groups: ["group_{user}"]
+    service: "auth"
   # Optional, claims to be added to the user info endpoint response
   # The placeholders of `claims_id_token` can also be used here 
   claims_user_info:
@@ -67,10 +72,11 @@ You can add as much upstream provider as you want, using the following syntax in
 ```yaml
 - id: gitlab
   name: GitLab
-  logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
+  logo: gitlab # Can be either openid, gitea, gitlab, github, microsoft, google or a full URL
   client_id: CLIENT_ID_GIVEN_BY_PROVIDER
   client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
   configuration_url: https://gitlab.com/.well-known/openid-configuration
+  allow_auto_account_creation: true
 
 ```
 
@@ -108,5 +114,20 @@ Corresponding client configuration:
 
 OAuth proxy can then be access on this URL: http://192.168.2.103:4180/
 
+## Testing with upstream identity provider
+The folder [sample_upstream_provider](sample_upstream_provider) contains a working scenario of authentication with an upstream provider.
+
+Run the following command to run the scenario:
+
+```bash
+cd sample_upstream_provider
+docker compose up
+```
+
+- Upstream provider (not to be directly used): http://localhost:9001
+- BasicOIDC: http://localhost:8000
+- Client 2: http://localhost:8012
+- Client 1: http://localhost:8011
+
 ## Contributing
 If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)

assets/css/base_settings_page.css

@@ -21,3 +21,7 @@ body {
 .form-control::placeholder {
     color: #555;
 }
+
+.table-break-works td {
+    word-break: break-all;
+}

assets/css/bootstrap.css

@@ -11,7 +11,7 @@
  * Copyright 2011-2024 The Bootstrap Authors
  * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
  */
-@import url("https://fonts.googleapis.com/css2?family=Roboto:wght@400;700&display=swap");
+@import url("/assets/robotfont/font.css");
 :root,
 [data-bs-theme=light] {
   --bs-blue: #2a9fd6;

assets/img/brands/openid.svg

@@ -0,0 +1 @@
+<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>OpenID</title><path d="M14.54.889l-3.63 1.773v18.17c-4.15-.52-7.27-2.78-7.27-5.5 0-2.58 2.8-4.75 6.63-5.41v-2.31C4.42 8.322 0 11.502 0 15.332c0 3.96 4.74 7.24 10.91 7.78l3.63-1.71V.888m.64 6.724v2.31c1.43.25 2.71.7 3.76 1.31l-1.97 1.11 7.03 1.53-.5-5.21-1.87 1.06c-1.74-1.06-3.96-1.81-6.45-2.11z"/></svg>

sample_upstream_provider/dex-provider/dex.config.yaml

@@ -0,0 +1,26 @@
+issuer: http://127.0.0.1:9001/dex
+
+storage:
+  type: memory
+
+web:
+  http: 0.0.0.0:9001
+
+oauth2:
+  # Automate some clicking
+  # Note: this might actually make some tests pass that otherwise wouldn't.
+  skipApprovalScreen: false
+
+connectors:
+  # Note: this might actually make some tests pass that otherwise wouldn't.
+  - type: mockCallback
+    id: mock
+    name: Example
+
+# Basic OP test suite requires two clients.
+staticClients:
+  - id: foo
+    secret: bar
+    redirectURIs:
+      - http://localhost:8000/prov_cb
+    name: Auth

sample_upstream_provider/docker-compose.yaml

@@ -0,0 +1,63 @@
+services:
+  redis:
+    image: redis
+    network_mode: host
+    volumes:
+      - ./redis/redis.conf:/redis.conf:ro
+    command: [ "redis-server", "/redis.conf" ]
+    healthcheck:
+      test: [ "CMD", "redis-cli", "ping" ]
+      interval: 10s
+      timeout: 30s
+      retries: 3
+  upstream:
+    image: dexidp/dex
+    user: "1000"
+    network_mode: host
+    volumes:
+      - ./dex-provider:/conf:ro
+    command: [ "dex", "serve", "/conf/dex.config.yaml" ]
+
+  client1:
+    image: pierre42100/oidc_test_client
+    user: "1000"
+    network_mode: host
+    environment:
+      - LISTEN_ADDR=0.0.0.0:8011
+      - PUBLIC_URL=http://127.0.0.1:8011
+      - CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
+      - CLIENT_ID=testclient1
+      - CLIENT_SECRET=secretone
+
+  client2:
+    image: pierre42100/oidc_test_client
+    user: "1000"
+    network_mode: host
+    environment:
+      - LISTEN_ADDR=0.0.0.0:8012
+      - PUBLIC_URL=http://127.0.0.1:8012
+      - CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
+      - CLIENT_ID=testclient2
+      - CLIENT_SECRET=secrettwo
+
+  basicoidc:
+    image: rust
+    user: "1000"
+    network_mode: host
+    depends_on:
+      redis:
+        condition: service_healthy
+    environment:
+      - STORAGE_PATH=/storage
+      - DISABLE_LOCAL_LOGIN=true
+      - USE_REDIS=true
+      - REDIS_PASSWORD=secretsecret
+      #- RUST_LOG=debug
+    volumes:
+      - ../:/app
+      - ./storage:/storage
+      - ~/.cargo/registry:/usr/local/cargo/registry
+    command:
+      - bash
+      - -c
+      - cd /app && cargo run

sample_upstream_provider/redis/redis.conf

@@ -0,0 +1,3 @@
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+requirepass secretsecret

sample_upstream_provider/storage/.gitignore

@@ -0,0 +1 @@
+users.json

sample_upstream_provider/storage/clients.yaml

@@ -0,0 +1,11 @@
+- id: testclient1
+  name: Client 1
+  description: client1
+  secret: secretone
+  redirect_uri: http://127.0.0.1:8011/
+  granted_to_all_users: true
+- id: testclient2
+  name: Client 2
+  description: client2
+  secret: secrettwo
+  redirect_uri: http://127.0.0.1:8012/

sample_upstream_provider/storage/providers.yaml

@@ -0,0 +1,7 @@
+- id: upstream
+  name: Upstream
+  logo: openid
+  client_id: foo
+  client_secret: bar
+  configuration_url: http://127.0.0.1:9001/dex/.well-known/openid-configuration
+  allow_auto_account_creation: true

src/actors/bruteforce_actor.rs

@@ -5,7 +5,7 @@ use std::net::IpAddr;
 use actix::{Actor, AsyncContext, Context, Handler, Message};
 
 use crate::constants::{FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, KEEP_FAILED_LOGIN_ATTEMPTS_FOR};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Message)]
 #[rtype(result = "()")]
@@ -87,7 +87,7 @@ mod test {
     use std::net::{IpAddr, Ipv4Addr};
 
     use crate::actors::bruteforce_actor::BruteForceActor;
-    use crate::utils::time::time;
+    use crate::utils::time_utils::time;
 
     const IP_1: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1));
     const IP_2: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 2));

src/actors/openid_sessions_actor.rs

@@ -4,30 +4,33 @@ use actix::{Actor, AsyncContext, Context, Handler};
 use crate::constants::*;
 use crate::data::access_token::AccessToken;
 use crate::data::app_config::AppConfig;
-use crate::data::client::ClientID;
+use crate::data::client::{Client, ClientID};
 use crate::data::code_challenge::CodeChallenge;
 use crate::data::jwt_signer::JWTSigner;
-use crate::data::user::UserID;
+use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
 pub struct SessionID(pub String);
 
 #[derive(Clone, Debug)]
 pub struct Session {
-    pub session_id: SessionID,
     pub client: ClientID,
     pub user: UserID,
     pub auth_time: u64,
     pub redirect_uri: String,
 
+    pub session_id: SessionID,
+    pub session_expire_at: u64,
+
     pub authorization_code: String,
     pub authorization_code_expire_at: u64,
 
     pub access_token: Option<String>,
     pub access_token_expire_at: u64,
+
     pub refresh_token: String,
     pub refresh_token_expire_at: u64,
 
@@ -37,19 +40,23 @@ pub struct Session {
 
 impl Session {
     pub fn is_expired(&self) -> bool {
-        self.authorization_code_expire_at < time()
+        self.session_expire_at < time()
-            && self.access_token_expire_at < time()
+            || (self.authorization_code_expire_at < time()
-            && self.refresh_token_expire_at < time()
+                && self.access_token_expire_at < time()
+                && self.refresh_token_expire_at < time())
     }
 
     pub fn regenerate_access_and_refresh_tokens(
         &mut self,
         app_config: &AppConfig,
         jwt_signer: &JWTSigner,
+        user: &User,
+        client: &Client,
     ) -> Res {
         let access_token = AccessToken {
             issuer: app_config.website_origin.to_string(),
-            subject_identifier: self.user.clone().0,
+            user,
+            client,
             issued_at: time(),
             exp_time: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
             rand_val: rand_str(OPEN_ID_ACCESS_TOKEN_LEN),

src/actors/providers_states_actor.rs

@@ -15,7 +15,7 @@ use std::net::IpAddr;
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::ProviderID;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Debug, Clone, serde::Serialize)]
 pub struct ProviderLoginState {

src/actors/users_actor.rs

@@ -1,10 +1,11 @@
 use std::net::IpAddr;
 
 use crate::data::provider::{Provider, ProviderID};
-use actix::{Actor, Context, Handler, Message, MessageResult};
-
 use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
 use crate::utils::err::Res;
+use crate::utils::string_utils::is_acceptable_login;
+use actix::{Actor, Context, Handler, Message, MessageResult};
+use light_openid::primitives::OpenIDUserInfo;
 
 /// User storage interface
 pub trait UsersSyncBackend {
@@ -38,6 +39,8 @@ pub enum LoginResult {
     LocalAuthForbidden,
     AuthFromProviderForbidden,
     Success(Box<User>),
+    AccountAutoCreated(Box<User>),
+    CannotAutoCreateAccount(String),
 }
 
 #[derive(Message)]
@@ -51,6 +54,7 @@ pub struct LocalLoginRequest {
 #[rtype(LoginResult)]
 pub struct ProviderLoginRequest {
     pub email: String,
+    pub user_info: OpenIDUserInfo,
     pub provider: Provider,
 }
 
@@ -187,7 +191,86 @@ impl Handler<ProviderLoginRequest> for UsersActor {
                 log::error!("Failed to find user! {e}");
                 MessageResult(LoginResult::Error)
             }
-            Ok(None) => MessageResult(LoginResult::AccountNotFound),
+            Ok(None) => {
+                // Check if automatic account creation is enabled for this provider
+                if !msg.provider.allow_auto_account_creation {
+                    return MessageResult(LoginResult::AccountNotFound);
+                }
+
+                // Extract username for account creation
+                let mut username = msg
+                    .user_info
+                    .preferred_username
+                    .unwrap_or(msg.email.to_string());
+
+                // Determine username from email, if necessary
+                if !is_acceptable_login(&username)
+                    || matches!(
+                        self.manager.find_by_username_or_email(&username),
+                        Ok(Some(_))
+                    )
+                {
+                    username = msg.email.clone();
+                }
+
+                // Check if username is already taken
+                if matches!(
+                    self.manager.find_by_username_or_email(&username),
+                    Ok(Some(_))
+                ) {
+                    return MessageResult(LoginResult::CannotAutoCreateAccount(format!(
+                        "username {username} is already taken!"
+                    )));
+                }
+
+                if !is_acceptable_login(&username) {
+                    return MessageResult(LoginResult::CannotAutoCreateAccount(
+                        "could not determine acceptable login for user!".to_string(),
+                    ));
+                }
+
+                // Automatic account creation
+                let user_id = match self.manager.create_user_account(GeneralSettings {
+                    uid: UserID::random(),
+                    username,
+                    first_name: msg.user_info.given_name.unwrap_or_default(),
+                    last_name: msg.user_info.family_name.unwrap_or_default(),
+                    email: msg.email.to_string(),
+                    enabled: true,
+                    two_factor_exemption_after_successful_login: false,
+                    is_admin: false,
+                }) {
+                    Ok(u) => u,
+                    Err(e) => {
+                        log::error!("Failed to create user account! {e}");
+                        return MessageResult(LoginResult::CannotAutoCreateAccount(
+                            "missing some user information".to_string(),
+                        ));
+                    }
+                };
+
+                // Mark the provider as the only authorized source
+                if let Err(e) = self.manager.set_authorized_authentication_sources(
+                    &user_id,
+                    AuthorizedAuthenticationSources {
+                        local: false,
+                        upstream: vec![msg.provider.id],
+                    },
+                ) {
+                    log::error!(
+                        "Failed to set authorized authentication sources for newly created account! {e}"
+                    );
+                }
+
+                // Extract user information to return them
+                let Ok(Some(user)) = self.manager.find_by_user_id(&user_id) else {
+                    return MessageResult(LoginResult::CannotAutoCreateAccount(
+                        "failed to get created user information".to_string(),
+                    ));
+                };
+
+                MessageResult(LoginResult::AccountAutoCreated(Box::new(user)))
+            }
             Ok(Some(user)) => {
                 if !user.can_login_from_provider(&msg.provider) {
                     return MessageResult(LoginResult::AuthFromProviderForbidden);

src/constants.rs

@@ -64,7 +64,8 @@ pub const USERINFO_URI: &str = "/openid/userinfo";
 
 /// Open ID constants
 pub const OPEN_ID_SESSION_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
-pub const OPEN_ID_SESSION_LEN: usize = 40;
+pub const OPEN_ID_SESSION_ID_LEN: usize = 40;
+pub const OPEN_ID_SESSION_MAX_DURATION: Duration = Duration::from_secs(3600 * 24 * 7);
 pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
 pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
 pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;

src/controllers/assets_controller.rs

@@ -1,7 +1,12 @@
-use std::path::Path;
+use crate::utils::crypt_utils::sha256;
-
+use crate::utils::time_utils;
-use actix_web::{HttpResponse, web};
+use actix_web::http::header;
+use actix_web::{HttpRequest, HttpResponse, web};
 use include_dir::{Dir, include_dir};
+use std::cmp::max;
+use std::ops::Add;
+use std::path::Path;
+use std::time::Duration;
 
 /// Assets directory
 static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");
@@ -12,14 +17,37 @@ pub async fn robots_txt() -> HttpResponse {
         .body(include_str!("../../assets/robots.txt"))
 }
 
-pub async fn assets_route(path: web::Path<String>) -> HttpResponse {
+pub async fn assets_route(req: HttpRequest, path: web::Path<String>) -> HttpResponse {
     let path: &Path = path.as_ref().as_ref();
     match ASSETS_DIR.get_file(path) {
         None => HttpResponse::NotFound().body("404 Not found"),
         Some(file) => {
             let res = mime_guess::from_path(path).first_or_octet_stream();
+            let digest = hex::encode(sha256(file.contents()));
+            let file_time = max(time_utils::time_start_of_day(), time_utils::build_time());
+
+            // Check if the browser already knows the file by date
+            if let Some(c) = req.headers().get(header::IF_MODIFIED_SINCE) {
+                let date_str = c.to_str().unwrap_or("");
+                if let Ok(date) = httpdate::parse_http_date(date_str)
+                    && date.add(Duration::from_secs(1))
+                        >= time_utils::unix_to_system_time(file_time)
+                {
+                    return HttpResponse::NotModified().finish();
+                }
+            }
+
+            // Check if the browser already knows the etag
+            if let Some(c) = req.headers().get(header::IF_NONE_MATCH)
+                && c.to_str().unwrap_or("") == digest
+            {
+                return HttpResponse::NotModified().finish();
+            }
+
             HttpResponse::Ok()
                 .content_type(res.to_string())
+                .insert_header(("etag", digest))
+                .insert_header(("last-modified", time_utils::unix_to_http_date(file_time)))
                 .body(file.contents())
         }
     }

src/controllers/login_controller.rs

@@ -49,6 +49,7 @@ impl Default for BaseLoginPage {
 struct LoginTemplate {
     p: BaseLoginPage,
     login: String,
+    show_local_login: bool,
     providers: Vec<Provider>,
 }
 
@@ -156,8 +157,10 @@ pub async fn login_route(
             "Given login could not be processed, because it has an invalid format!".to_string(),
         );
     }
-    // Try to authenticate user
+    // Try to authenticate user (local login)
-    else if let Some(req) = &req {
+    else if let Some(req) = &req
+        && !AppConfig::get().disable_local_login
+    {
         login.clone_from(&req.login);
         let response: LoginResult = users
             .send(users_actor::LocalLoginRequest {
@@ -224,6 +227,10 @@ pub async fn login_route(
             }
         }
     }
+    // If there is only a single provider, trigger auto-login
+    else if AppConfig::get().disable_local_login && providers.len() == 1 {
+        return redirect_user(&providers.cloned()[0].login_url(&query.redirect));
+    }
 
     HttpResponse::Ok().content_type("text/html").body(
         LoginTemplate {
@@ -235,6 +242,7 @@ pub async fn login_route(
                 ..Default::default()
             },
             login,
+            show_local_login: !AppConfig::get().disable_local_login,
             providers: providers.cloned(),
         }
         .render()

src/controllers/openid_controller.rs

@@ -26,7 +26,7 @@ use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 pub async fn get_configuration(req: HttpRequest) -> impl Responder {
     let is_secure_request = req
@@ -219,11 +219,12 @@ pub async fn authorize(
         (_, "code") => {
             // Save all authentication information in memory
             let session = Session {
-                session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
                 client: client.id.clone(),
                 user: user.uid.clone(),
                 auth_time: SessionIdentity(Some(&id)).auth_time(),
                 redirect_uri,
+                session_id: SessionID(rand_str(OPEN_ID_SESSION_ID_LEN)),
+                session_expire_at: time() + OPEN_ID_SESSION_MAX_DURATION.as_secs(),
                 authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
                 authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
                 access_token: None,
@@ -500,13 +501,7 @@ pub async fn token(
                 ));
             }
 
-            session.regenerate_access_and_refresh_tokens(AppConfig::get(), &jwt_signer)?;
+            // Get user information
-
-            sessions
-                .send(openid_sessions_actor::UpdateSession(session.clone()))
-                .await
-                .unwrap();
-
             let user: Option<User> = users
                 .send(users_actor::GetUserRequest(session.user.clone()))
                 .await
@@ -517,6 +512,18 @@ pub async fn token(
                 Some(u) => u,
             };
 
+            // Refresh access and refresh tokens
+            session.regenerate_access_and_refresh_tokens(
+                AppConfig::get(),
+                &jwt_signer,
+                &user,
+                &client,
+            )?;
+            sessions
+                .send(openid_sessions_actor::UpdateSession(session.clone()))
+                .await
+                .unwrap();
+
             // Generate id token
             let id_token = IdToken {
                 issuer: AppConfig::get().website_origin.to_string(),
@@ -573,8 +580,24 @@ pub async fn token(
                 ));
             }
 
-            session.regenerate_access_and_refresh_tokens(AppConfig::get(), &jwt_signer)?;
+            // Get user information
+            let user: Option<User> = users
+                .send(users_actor::GetUserRequest(session.user.clone()))
+                .await
+                .unwrap()
+                .0;
+            let user = match user {
+                None => return Ok(error_response(&query, "invalid_request", "User not found!")),
+                Some(u) => u,
+            };
 
+            // Regenerate user session
+            session.regenerate_access_and_refresh_tokens(
+                AppConfig::get(),
+                &jwt_signer,
+                &user,
+                &client,
+            )?;
             sessions
                 .send(openid_sessions_actor::UpdateSession(session.clone()))
                 .await

src/controllers/providers_controller.rs

@@ -1,11 +1,5 @@
 use std::sync::Arc;
 
-use actix::Addr;
-use actix_identity::Identity;
-use actix_remote_ip::RemoteIP;
-use actix_web::{HttpRequest, HttpResponse, Responder, web};
-use askama::Template;
-
 use crate::actors::bruteforce_actor::BruteForceActor;
 use crate::actors::providers_states_actor::{ProviderLoginState, ProvidersStatesActor};
 use crate::actors::users_actor::{LoginResult, UsersActor};
@@ -18,6 +12,11 @@ use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{ProviderID, ProvidersManager};
 use crate::data::provider_configuration::ProviderConfigurationHelper;
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
+use actix::Addr;
+use actix_identity::Identity;
+use actix_remote_ip::RemoteIP;
+use actix_web::{HttpRequest, HttpResponse, Responder, web};
+use askama::Template;
 
 #[derive(askama::Template)]
 #[template(path = "login/prov_login_error.html")]
@@ -273,7 +272,7 @@ pub async fn finish_login(
     }
 
     // Check if email was provided by the userinfo endpoint
-    let email = match user_info.email {
+    let email = match &user_info.email {
         Some(e) => e,
         None => {
             logger.log(Action::ProviderMissingEmailInResponse {
@@ -293,6 +292,7 @@ pub async fn finish_login(
     let result: LoginResult = users
         .send(users_actor::ProviderLoginRequest {
             email: email.clone(),
+            user_info: user_info.clone(),
             provider: provider.clone(),
         })
         .await
@@ -300,6 +300,13 @@ pub async fn finish_login(
 
     let user = match result {
         LoginResult::Success(u) => u,
+        LoginResult::AccountAutoCreated(u) => {
+            logger.log(Action::ProviderAccountAutoCreated {
+                provider: &provider,
+                user: u.loggable(),
+            });
+            u
+        }
         LoginResult::AccountNotFound => {
             logger.log(Action::ProviderAccountNotFound {
                 provider: &provider,

src/controllers/settings_controller.rs

@@ -18,6 +18,7 @@ pub(crate) struct BaseSettingsPage<'a> {
     pub success_message: Option<String>,
     pub page_title: &'static str,
     pub app_name: &'static str,
+    pub local_login_enabled: bool,
     pub user: &'a User,
     pub version: &'static str,
     pub ip_location_api: Option<&'static str>,
@@ -37,6 +38,7 @@ impl<'a> BaseSettingsPage<'a> {
             app_name: APP_NAME,
             user,
             version: env!("CARGO_PKG_VERSION"),
+            local_login_enabled: !AppConfig::get().disable_local_login,
             ip_location_api: AppConfig::get().ip_location_service.as_deref(),
         }
     }

src/controllers/two_factor_api.rs

@@ -1,6 +1,5 @@
 use actix::Addr;
 use actix_web::{HttpResponse, Responder, web};
-use uuid::Uuid;
 use webauthn_rs::prelude::RegisterPublicKeyCredential;
 
 use crate::actors::users_actor;
@@ -53,7 +52,7 @@ pub async fn save_totp_factor(
     }
 
     let factor = TwoFactor {
-        id: FactorID(Uuid::new_v4().to_string()),
+        id: FactorID::random(),
         name: factor_name,
         kind: TwoFactorType::TOTP(key),
     };
@@ -102,7 +101,7 @@ pub async fn save_webauthn_factor(
     };
 
     let factor = TwoFactor {
-        id: FactorID(Uuid::new_v4().to_string()),
+        id: FactorID::random(),
         name: factor_name,
         kind: TwoFactorType::WEBAUTHN(Box::new(key)),
     };

src/controllers/two_factors_controller.rs

@@ -14,7 +14,7 @@ use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
-use crate::utils::time::fmt_time;
+use crate::utils::time_utils::fmt_time;
 
 #[derive(Template)]
 #[template(path = "settings/two_factors_page.html")]

src/data/access_token.rs

@@ -1,9 +1,12 @@
+use crate::data::client::{AdditionalClaims, Client};
+use crate::data::user::User;
 use jwt_simple::claims::JWTClaims;
 use jwt_simple::prelude::Duration;
 
-pub struct AccessToken {
+pub struct AccessToken<'a> {
     pub issuer: String,
-    pub subject_identifier: String,
+    pub user: &'a User,
+    pub client: &'a Client,
     pub issued_at: u64,
     pub exp_time: u64,
     pub rand_val: String,
@@ -13,21 +16,26 @@ pub struct AccessToken {
 #[derive(serde::Serialize, serde::Deserialize)]
 pub struct CustomAccessTokenClaims {
     rand_val: String,
+    /// Additional claims
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[serde(flatten)]
+    pub additional_claims: Option<AdditionalClaims>,
 }
 
-impl AccessToken {
+impl<'a> AccessToken<'a> {
     pub fn to_jwt_claims(self) -> JWTClaims<CustomAccessTokenClaims> {
         JWTClaims {
             issued_at: Some(Duration::from_secs(self.issued_at)),
             expires_at: Some(Duration::from_secs(self.exp_time)),
             invalid_before: None,
             issuer: Some(self.issuer),
-            subject: Some(self.subject_identifier),
+            subject: Some(self.user.uid.0.to_string()),
             audiences: None,
             jwt_id: None,
             nonce: self.nonce,
             custom: CustomAccessTokenClaims {
                 rand_val: self.rand_val,
+                additional_claims: self.client.claims_access_token(self.user),
             },
         }
     }

src/data/action_logger.rs

@@ -17,7 +17,7 @@ use crate::data::provider::{Provider, ProviderID};
 
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::{FactorID, GrantedClients, TwoFactor, TwoFactorType, User, UserID};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(serde::Serialize)]
 pub struct LoggableUser {
@@ -150,6 +150,10 @@ pub enum Action<'a> {
         provider: &'a Provider,
         email: &'a str,
     },
+    ProviderAccountAutoCreated {
+        provider: &'a Provider,
+        user: LoggableUser,
+    },
     ProviderAccountDisabled {
         provider: &'a Provider,
         email: &'a str,
@@ -282,6 +286,11 @@ impl Action<'_> {
                 "could not login using provider {} because the email {email} could not be associated to any account!",
                 &provider.id.0
             ),
+            Action::ProviderAccountAutoCreated { provider, user } => format!(
+                "triggered automatic account creation for {} from provider {} because it was not found in local accounts list!",
+                user.quick_identity(),
+                &provider.id.0
+            ),
             Action::ProviderAccountDisabled { provider, email } => format!(
                 "could not login using provider {} because the account associated to the email {email} is disabled!",
                 &provider.id.0

src/data/app_config.rs

@@ -1,6 +1,6 @@
-use std::path::{Path, PathBuf};
-
 use clap::Parser;
+use std::path::{Path, PathBuf};
+use std::sync::OnceLock;
 
 use crate::constants::{
     APP_NAME, CLIENTS_LIST_FILE, OIDC_PROVIDER_CB_URI, PROVIDERS_LIST_FILE, USERS_LIST_FILE,
@@ -62,25 +62,52 @@ pub struct AppConfig {
     /// Login background image
     #[arg(long, env, default_value = "/assets/img/forest.jpg")]
     pub login_background_image: String,
+
+    /// Disable local login. If this option is set without any upstream providers set, it will be impossible
+    /// to authenticate
+    #[arg(long, env)]
+    pub disable_local_login: bool,
+
+    /// Use Redis to store cookie sessions
+    #[arg(long, env)]
+    pub use_redis: bool,
+
+    /// Redis connection hostname
+    #[clap(long, env, default_value = "localhost")]
+    redis_hostname: String,
+
+    /// Redis connection port
+    #[clap(long, env, default_value_t = 6379)]
+    redis_port: u16,
+
+    /// Redis database number
+    #[clap(long, env, default_value_t = 0)]
+    redis_db_number: i64,
+
+    /// Redis username
+    #[clap(long, env)]
+    redis_username: Option<String>,
+
+    /// Redis password
+    #[clap(long, env, default_value = "secretredis")]
+    redis_password: String,
 }
 
-lazy_static::lazy_static! {
+static ARGS: OnceLock<AppConfig> = OnceLock::new();
-    static ref ARGS: AppConfig = {
-        let mut config = AppConfig::parse();
-
-        // In debug mode only, use dummy token
-        if cfg!(debug_assertions) && config.token_key.is_empty() {
-            config.token_key = String::from_utf8_lossy(&[32; 64]).to_string();
-        }
-
-        config
-    };
-}
 
 impl AppConfig {
     /// Get parsed command line arguments
     pub fn get() -> &'static AppConfig {
-        &ARGS
+        ARGS.get_or_init(|| {
+            let mut config = AppConfig::parse();
+
+            // In debug mode only, use dummy token
+            if cfg!(debug_assertions) && config.token_key.is_empty() {
+                config.token_key = String::from_utf8_lossy(&[32; 64]).to_string();
+            }
+
+            config
+        })
     }
 
     pub fn secure_cookie(&self) -> bool {
@@ -132,6 +159,21 @@ impl AppConfig {
         let domain = self.domain_name();
         domain.split_once(':').map(|i| i.0).unwrap_or(domain)
     }
+
+    /// Get Redis connection configuration
+    pub fn redis_connection_string(&self) -> Option<String> {
+        match self.use_redis {
+            true => Some(format!(
+                "redis://{}:{}@{}:{}/{}",
+                self.redis_username.as_deref().unwrap_or(""),
+                self.redis_password,
+                self.redis_hostname,
+                self.redis_port,
+                self.redis_db_number
+            )),
+            false => None,
+        }
+    }
 }
 
 #[cfg(test)]

src/data/client.rs

@@ -42,6 +42,9 @@ pub struct Client {
     /// Additional claims to return with the id token
     claims_id_token: Option<AdditionalClaims>,
 
+    /// Additional claims to return with the access token
+    claims_access_token: Option<AdditionalClaims>,
+
     /// Additional claims to return through the user info endpoint
     claims_user_info: Option<AdditionalClaims>,
 }
@@ -117,6 +120,11 @@ impl Client {
         self.process_additional_claims(user, &self.claims_id_token)
     }
 
+    /// Get additional claims for access_token for a successful authentication
+    pub fn claims_access_token(&self, user: &User) -> Option<AdditionalClaims> {
+        self.process_additional_claims(user, &self.claims_access_token)
+    }
+
     /// Get additional claims for user info for a successful authentication
     pub fn claims_user_info(&self, user: &User) -> Option<AdditionalClaims> {
         self.process_additional_claims(user, &self.claims_user_info)

src/data/current_user.rs

@@ -13,7 +13,7 @@ use crate::actors::users_actor::UsersActor;
 use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 pub struct CurrentUser {
     user: User,

src/data/entity_manager.rs

@@ -36,7 +36,7 @@ where
             file_path: path.as_ref().to_path_buf(),
             list: match Self::file_format(path.as_ref()) {
                 FileFormat::Json => serde_json::from_str(&file_content)?,
-                FileFormat::Yaml => serde_yaml::from_str(&file_content)?,
+                FileFormat::Yaml => serde_yml::from_str(&file_content)?,
             },
         })
     }
@@ -47,7 +47,7 @@ where
             &self.file_path,
             match Self::file_format(self.file_path.as_ref()) {
                 FileFormat::Json => serde_json::to_string(&self.list)?,
-                FileFormat::Yaml => serde_yaml::to_string(&self.list)?,
+                FileFormat::Yaml => serde_yml::to_string(&self.list)?,
             },
         )?)
     }

src/data/provider.rs

@@ -26,6 +26,10 @@ pub struct Provider {
     ///
     /// (.well-known/openid-configuration endpoint)
     pub configuration_url: String,
+
+    /// Set to true if accounts on BasicOIDC should be automatically created from this provider
+    #[serde(default)]
+    pub allow_auto_account_creation: bool,
 }
 
 impl Provider {
@@ -42,6 +46,7 @@ impl Provider {
             "github" => "/assets/img/brands/github.svg",
             "microsoft" => "/assets/img/brands/microsoft.svg",
             "google" => "/assets/img/brands/google.svg",
+            "openid" => "/assets/img/brands/openid.svg",
             s => s,
         }
     }

src/data/provider_configuration.rs

@@ -9,7 +9,7 @@ use crate::data::app_config::AppConfig;
 
 use crate::data::provider::Provider;
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 /// Provider configuration
 #[derive(Debug, Clone)]

src/data/session_identity.rs

@@ -3,22 +3,17 @@ use actix_web::{HttpMessage, HttpRequest};
 use serde::{Deserialize, Serialize};
 
 use crate::data::user::{User, UserID};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
-#[derive(Debug, Serialize, Deserialize, Eq, PartialEq)]
+#[derive(Debug, Serialize, Deserialize, Eq, PartialEq, Default)]
 pub enum SessionStatus {
+    #[default]
     Invalid,
     SignedIn,
     NeedNewPassword,
     Need2FA,
 }
 
-impl Default for SessionStatus {
-    fn default() -> Self {
-        Self::Invalid
-    }
-}
-
 #[derive(Debug, Serialize, Deserialize, Default)]
 pub struct SessionIdentityData {
     pub id: Option<UserID>,

src/data/totp_key.rs

@@ -1,11 +1,11 @@
 use base32::Alphabet;
-use rand::Rng;
+use rand::RngExt;
 use totp_rfc6238::{HashAlgorithm, TotpGenerator};
 
 use crate::data::app_config::AppConfig;
 use crate::data::user::User;
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 const BASE32_ALPHABET: Alphabet = Alphabet::Rfc4648 { padding: true };
 const NUM_DIGITS: usize = 6;

src/data/user.rs

@@ -1,4 +1,3 @@
-use bincode::{Decode, Encode};
 use std::collections::HashMap;
 use std::net::IpAddr;
 
@@ -9,11 +8,27 @@ use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{Provider, ProviderID};
 use crate::data::totp_key::TotpKey;
 use crate::data::webauthn_manager::WebauthnPubKey;
-use crate::utils::time::{fmt_time, time};
+use crate::utils::time_utils::{fmt_time, time};
 
-#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize, Encode, Decode)]
+#[derive(
+    Clone,
+    Debug,
+    Eq,
+    PartialEq,
+    serde::Serialize,
+    serde::Deserialize,
+    rkyv::Archive,
+    rkyv::Serialize,
+    rkyv::Deserialize,
+)]
 pub struct UserID(pub String);
 
+impl UserID {
+    pub fn random() -> Self {
+        Self(uuid::Uuid::new_v4().to_string())
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct GeneralSettings {
     pub uid: UserID,
@@ -46,6 +61,12 @@ impl GrantedClients {
 #[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
 pub struct FactorID(pub String);
 
+impl FactorID {
+    pub fn random() -> Self {
+        Self(uuid::Uuid::new_v4().to_string())
+    }
+}
+
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub enum TwoFactorType {
     TOTP(TotpKey),
@@ -295,7 +316,7 @@ impl Eq for User {}
 impl Default for User {
     fn default() -> Self {
         Self {
-            uid: UserID(uuid::Uuid::new_v4().to_string()),
+            uid: UserID::random(),
             first_name: "".to_string(),
             last_name: "".to_string(),
             username: "".to_string(),

src/data/users_file_entity.rs

@@ -4,7 +4,7 @@ use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBacke
 use crate::data::entity_manager::EntityManager;
 use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
 use crate::utils::err::{Res, new_error};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 impl EntityManager<User> {
     /// Update user information
@@ -71,7 +71,7 @@ impl UsersSyncBackend for EntityManager<User> {
 
     fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID> {
         let mut user = User {
-            uid: UserID(uuid::Uuid::new_v4().to_string()),
+            uid: UserID::random(),
             ..Default::default()
         };
         user.update_general_settings(settings);

src/data/webauthn_manager.rs

@@ -1,7 +1,6 @@
 use std::sync::Arc;
 
 use actix_web::web;
-use bincode::{Decode, Encode};
 use light_openid::crypto_wrapper::CryptoWrapper;
 use uuid::Uuid;
 use webauthn_rs::prelude::{
@@ -16,7 +15,7 @@ use crate::constants::{
 use crate::data::app_config::AppConfig;
 use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct WebauthnPubKey {
@@ -28,7 +27,9 @@ pub struct RegisterKeyRequest {
     pub creation_challenge: CreationChallengeResponse,
 }
 
-#[derive(Debug, serde::Serialize, serde::Deserialize, Encode, Decode)]
+#[derive(
+    Debug, serde::Serialize, serde::Deserialize, rkyv::Archive, rkyv::Serialize, rkyv::Deserialize,
+)]
 struct RegisterKeyOpaqueData {
     registration_state: String,
     user_id: UserID,
@@ -40,7 +41,7 @@ pub struct AuthRequest {
     pub login_challenge: RequestChallengeResponse,
 }
 
-#[derive(Debug, Encode, Decode)]
+#[derive(Debug, rkyv::Archive, rkyv::Serialize, rkyv::Deserialize)]
 struct AuthStateOpaqueData {
     authentication_state: String,
     user_id: UserID,

src/main.rs

@@ -1,12 +1,12 @@
 use core::time::Duration;
 use std::sync::Arc;
 
-use actix::Actor;
+use actix::{Actor, Addr};
 use actix_identity::IdentityMiddleware;
 use actix_identity::config::LogoutBehavior;
 use actix_remote_ip::RemoteIPConfig;
 use actix_session::SessionMiddleware;
-use actix_session::storage::CookieSessionStore;
+use actix_session::storage::{CookieSessionStore, RedisSessionStore};
 use actix_web::cookie::{Key, SameSite};
 use actix_web::middleware::Logger;
 use actix_web::{App, HttpResponse, HttpServer, get, middleware, web};
@@ -14,6 +14,7 @@ use actix_web::{App, HttpResponse, HttpServer, get, middleware, web};
 use basic_oidc::actors::bruteforce_actor::BruteForceActor;
 use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;
 use basic_oidc::actors::providers_states_actor::ProvidersStatesActor;
+use basic_oidc::actors::users_actor;
 use basic_oidc::actors::users_actor::{UsersActor, UsersSyncBackend};
 use basic_oidc::constants::*;
 use basic_oidc::controllers::assets_controller::assets_route;
@@ -26,9 +27,20 @@ use basic_oidc::data::provider::ProvidersManager;
 use basic_oidc::data::user::User;
 use basic_oidc::data::webauthn_manager::WebAuthManager;
 use basic_oidc::middlewares::auth_middleware::AuthMiddleware;
+use basic_oidc::middlewares::multi_session_store::MultiSessionStore;
 
 #[get("/health")]
-async fn health() -> &'static str {
+async fn health(users: web::Data<Addr<UsersActor>>) -> &'static str {
+    // Check users list is working
+    let users = users
+        .send(users_actor::GetAllUsers)
+        .await
+        .expect("Could not retrieve users list!");
+    if users.is_empty() {
+        log::error!("Got empty list of users!");
+        panic!("Got empty list of users!");
+    }
+
     "Running"
 }
 
@@ -69,6 +81,18 @@ async fn main() -> std::io::Result<()> {
             .expect("Failed to change default admin password!");
     }
 
+    let redis_store = match AppConfig::get().redis_connection_string() {
+        Some(s) => {
+            log::info!("Connect to Redis session store...");
+            Some(
+                RedisSessionStore::new(s)
+                    .await
+                    .expect("Failed to connect to Redis!"),
+            )
+        }
+        None => None,
+    };
+
     let users_actor = UsersActor::new(users).start();
     let bruteforce_actor = BruteForceActor::default().start();
     let providers_states_actor = ProvidersStatesActor::default().start();
@@ -91,7 +115,10 @@ async fn main() -> std::io::Result<()> {
 
     HttpServer::new(move || {
         let session_mw = SessionMiddleware::builder(
-            CookieSessionStore::default(),
+            match redis_store.clone() {
+                None => MultiSessionStore::Cookie(CookieSessionStore::default()),
+                Some(s) => MultiSessionStore::Redis(s),
+            },
             Key::from(config.token_key.as_bytes()),
         )
         .cookie_name(SESSION_COOKIE_NAME.to_string())

src/middlewares/mod.rs

@@ -1 +1,2 @@
 pub mod auth_middleware;
+pub mod multi_session_store;

src/middlewares/multi_session_store.rs

@@ -0,0 +1,63 @@
+use actix_session::storage::{
+    CookieSessionStore, LoadError, RedisSessionStore, SaveError, SessionKey, SessionStore,
+    UpdateError,
+};
+use actix_web::cookie::time::Duration;
+use jwt_simple::Error;
+use std::collections::HashMap;
+
+type SessionState = HashMap<String, String>;
+
+/// Session store multiplexer.
+///
+/// Allows to easily support different store without having a lot of duplicate code
+pub enum MultiSessionStore {
+    Cookie(CookieSessionStore),
+    Redis(RedisSessionStore),
+}
+
+impl SessionStore for MultiSessionStore {
+    async fn load(&self, session_key: &SessionKey) -> Result<Option<SessionState>, LoadError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.load(session_key).await,
+            MultiSessionStore::Redis(r) => r.load(session_key).await,
+        }
+    }
+
+    async fn save(
+        &self,
+        session_state: SessionState,
+        ttl: &Duration,
+    ) -> Result<SessionKey, SaveError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.save(session_state, ttl).await,
+            MultiSessionStore::Redis(r) => r.save(session_state, ttl).await,
+        }
+    }
+
+    async fn update(
+        &self,
+        session_key: SessionKey,
+        session_state: SessionState,
+        ttl: &Duration,
+    ) -> Result<SessionKey, UpdateError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.update(session_key, session_state, ttl).await,
+            MultiSessionStore::Redis(r) => r.update(session_key, session_state, ttl).await,
+        }
+    }
+
+    async fn update_ttl(&self, session_key: &SessionKey, ttl: &Duration) -> Result<(), Error> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.update_ttl(session_key, ttl).await,
+            MultiSessionStore::Redis(r) => r.update_ttl(session_key, ttl).await,
+        }
+    }
+
+    async fn delete(&self, session_key: &SessionKey) -> Result<(), Error> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.delete(session_key).await,
+            MultiSessionStore::Redis(r) => r.delete(session_key).await,
+        }
+    }
+}

src/utils/crypt_utils.rs

@@ -1,4 +1,4 @@
-use digest::Digest;
+use sha2::Digest;
 
 #[inline]
 pub fn sha256(input: &[u8]) -> Vec<u8> {

src/utils/mod.rs

@@ -1,4 +1,4 @@
 pub mod crypt_utils;
 pub mod err;
 pub mod string_utils;
-pub mod time;
+pub mod time_utils;

src/utils/time.rs

@@ -1,35 +0,0 @@
-use chrono::DateTime;
-use std::time::{SystemTime, UNIX_EPOCH};
-
-/// Get the current time since epoch
-pub fn time() -> u64 {
-    SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap()
-        .as_secs()
-}
-
-/// Format unix timestamp to a human-readable string
-pub fn fmt_time(timestamp: u64) -> String {
-    // Create a DateTime from the timestamp
-    let datetime =
-        DateTime::from_timestamp(timestamp as i64, 0).expect("Failed to parse timestamp!");
-
-    // Format the datetime how you want
-    datetime.format("%Y-%m-%d %H:%M:%S").to_string()
-}
-
-#[cfg(test)]
-mod test {
-    use crate::utils::time::{fmt_time, time};
-
-    #[test]
-    fn test_time() {
-        assert!(time() > 10);
-    }
-
-    #[test]
-    fn test_fmt_time() {
-        assert_eq!(fmt_time(1693475465), "2023-08-31 09:51:05");
-    }
-}

src/utils/time_utils.rs

@@ -0,0 +1,61 @@
+use chrono::{DateTime, Local, NaiveTime};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
+
+/// Get the current time since epoch
+pub fn time() -> u64 {
+    SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs()
+}
+
+/// Format unix timestamp to a human-readable string
+pub fn fmt_time(timestamp: u64) -> String {
+    // Create a DateTime from the timestamp
+    let datetime =
+        DateTime::from_timestamp(timestamp as i64, 0).expect("Failed to parse timestamp!");
+
+    // Format the datetime how you want
+    datetime.format("%Y-%m-%d %H:%M:%S").to_string()
+}
+
+/// Convert UNIX time to system time
+pub fn unix_to_system_time(time: u64) -> SystemTime {
+    UNIX_EPOCH + Duration::from_secs(time)
+}
+
+/// Format UNIX time to HTTP date
+pub fn unix_to_http_date(time: u64) -> String {
+    httpdate::fmt_http_date(unix_to_system_time(time))
+}
+
+/// Get build time in UNIX format
+pub fn build_time() -> u64 {
+    let build_time = build_time::build_time_local!();
+    let date =
+        chrono::DateTime::parse_from_rfc3339(build_time).expect("Failed to parse compile date");
+    date.timestamp() as u64
+}
+
+/// Get the first second of the day (local time)
+pub fn time_start_of_day() -> u64 {
+    let local: DateTime<Local> = Local::now()
+        .with_time(NaiveTime::from_hms_opt(0, 0, 0).unwrap())
+        .unwrap();
+    local.timestamp() as u64
+}
+
+#[cfg(test)]
+mod test {
+    use crate::utils::time_utils::{fmt_time, time};
+
+    #[test]
+    fn test_time() {
+        assert!(time() > 10);
+    }
+
+    #[test]
+    fn test_fmt_time() {
+        assert_eq!(fmt_time(1693475465), "2023-08-31 09:51:05");
+    }
+}

templates/login/login.html

@@ -18,6 +18,8 @@
 
 </style>
 
+<!-- Local login -->
+{% if show_local_login %}
 <form action="/login?redirect={{ p.redirect_uri.get_encoded() }}" method="post">
     <div>
         <div class="form-floating">
@@ -36,6 +38,7 @@
     <button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
 
 </form>
+{% endif %}
 
 <!-- Upstream providers -->
 {% if !providers.is_empty() %}

templates/settings/base_settings_page.html

@@ -24,7 +24,7 @@
                 Account details
             </a>
         </li>
-        {% if p.user.allow_local_login %}
+        {% if p.user.allow_local_login && p.local_login_enabled %}
         <li>
             <a href="/settings/change_password" class="nav-link link-dark">
                 Change password

templates/settings/clients_list.html

@@ -1,7 +1,7 @@
 {% extends "base_settings_page.html" %}
 {% block content %}
 
-<table class="table table-hover" style="max-width: 800px;" aria-describedby="Clients list">
+<table class="table table-hover table-break-works" style="max-width: 800px;" aria-describedby="Clients list">
     <thead>
     <tr>
         <th scope="col">ID</th>