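#!/bin/bash
set -e
# xtrace prints every command with its arguments already expanded. The secrets
# handled further down would therefore be written to the trace output (i.e. the
# container log), so every step that assigns or passes a secret has to run with
# tracing switched off (`set +x` ... `set -x`).
set -x

# 1. Clear any inherited organisation / team / repo / group restriction so that
#    only the explicit allow-list built below applies (leftover values here
#    cause 500 errors, per the original note).
unset OAUTH2_PROXY_GITHUB_ORG OAUTH2_PROXY_GITHUB_ORGS
unset OAUTH2_PROXY_GITHUB_TEAM OAUTH2_PROXY_GITHUB_TEAMS
unset OAUTH2_PROXY_GITHUB_REPO OAUTH2_PROXY_GITHUB_REPOS
unset OAUTH2_PROXY_ALLOWED_GROUPS

# 2. Required settings. A missing value is reported on stderr and aborts the
#    start-up; the values themselves are never printed.
if [ -z "$ALLOWED_USERS" ]; then
  printf '%s\n' "Error: ALLOWED_USERS is required." >&2
  exit 1
fi
if [ -z "$GITHUB_CLIENT_ID" ] || [ -z "$GITHUB_CLIENT_SECRET" ] || [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
  printf '%s\n' "Error: GitHub Secrets (CLIENT_ID, CLIENT_SECRET, COOKIE_SECRET) are required." >&2
  exit 1
fi
if [ -z "$GOOGLE_CLIENT_ID" ] || [ -z "$GOOGLE_CLIENT_SECRET" ]; then
  printf '%s\n' "Error: Google Secrets (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET) are required." >&2
  exit 1
fi
if [ -z "$SPACE_PUBLIC_URL" ]; then
  printf '%s\n' "Error: SPACE_PUBLIC_URL is required." >&2
  exit 1
fi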
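# 3. Normalise values pasted from a secrets UI / .env file.
# trim_secret: print $1 with carriage returns removed, leading/trailing
# whitespace trimmed and one pair of enclosing double quotes stripped. The
# trim is repeated after the quotes come off so that `" value "` yields
# `value` rather than ` value `.
# Arguments: $1 - raw value
# Outputs:   the cleaned value on stdout
trim_secret() {
  printf '%s' "$1" \
    | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^"//' -e 's/"$//' \
          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}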
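# Clean the secrets with xtrace off: under `set -x` each assignment below
# would otherwise echo the secret value into the trace output / container log.
case $- in *x*) _xtrace=1 ;; *) _xtrace= ;; esac
set +x
GITHUB_CLIENT_ID=$(trim_secret "$GITHUB_CLIENT_ID")
GITHUB_CLIENT_SECRET=$(trim_secret "$GITHUB_CLIENT_SECRET")
GOOGLE_CLIENT_ID=$(trim_secret "$GOOGLE_CLIENT_ID")
GOOGLE_CLIENT_SECRET=$(trim_secret "$GOOGLE_CLIENT_SECRET")
OAUTH2_PROXY_COOKIE_SECRET=$(trim_secret "$OAUTH2_PROXY_COOKIE_SECRET")
[ -z "$_xtrace" ] || set -x
# Public URL: drop all whitespace and backticks, then a trailing slash so the
# redirect URLs built from it do not end up with "//".
SPACE_PUBLIC_URL=$(printf '%s' "$SPACE_PUBLIC_URL" | sed -e 's/[[:space:]]//g' -e 's/`//g')
SPACE_PUBLIC_URL="${SPACE_PUBLIC_URL%/}"

# 4. Build the allow-list. Entries containing "@" are e-mail addresses and go,
#    lower-cased, into AUTH_FILE; anything else is treated as a GitHub login and
#    collected in GITHUB_USERS. Entries are comma-separated; line breaks are
#    accepted as separators as well (`read` alone would stop at the first one).
AUTH_FILE="/tmp/authenticated_emails.txt"
: > "$AUTH_FILE"
declare -a GITHUB_USERS=()
IFS=',' read -ra USERS <<< "$(printf '%s' "$ALLOWED_USERS" | tr '\r\n' ',,')"
for USER_ITEM in "${USERS[@]}"; do
  USER_ITEM=$(printf '%s' "$USER_ITEM" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
  [ -z "$USER_ITEM" ] && continue
  if [[ "$USER_ITEM" == *"@"* ]]; then
    printf '%s\n' "$USER_ITEM" >> "$AUTH_FILE"
  else
    GITHUB_USERS+=("$USER_ITEM")
  fi
done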
# 5. Start ttyd (relaxed bind address).
# The `-i 127.0.0.1` restriction was removed so ttyd listens on every
# interface (works around the container's uncertain IPv4/IPv6 loopback
# binding). No credential option is passed and -W makes the terminal writable,
# so the nginx/oauth2-proxy front in this container is the only gate: nothing
# else may expose port 7681.
printf '%s\n' "Starting ttyd..."
ttyd -p 7681 -W bash &
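# 6. Start oauth2-proxy (GitHub & Google)
printf '%s\n' "Starting oauth2-proxy (GitHub)..."
# Who gets in through this instance:
#  * GitHub logins from ALLOWED_USERS are enforced by --github-user. As far as
#    I can tell oauth2-proxy still runs its e-mail check on those accounts, and
#    their addresses are arbitrary, so --email-domain=* is needed to let them
#    through.
#  * --email-domain=* makes oauth2-proxy accept every e-mail address, so while
#    it is set the allow-list file does not narrow access any further
#    (NOTE(review): that is how the oauth2-proxy releases I know behave —
#    confirm against the deployed version). It is therefore only passed when
#    GitHub logins are listed; with an e-mail-only list the file alone
#    restricts access.
#  * --show-debug-on-error=true renders internal error details on the page
#    shown to the end user; switch it off once the 500s being chased are fixed.
# The array holds the client and cookie secrets, so it is built and launched
# with xtrace off; otherwise the expanded command line is echoed to the log.
# The secrets remain visible in the process's argument list; oauth2-proxy can
# also take them from its environment or a file, which would close that too.
case $- in *x*) _xtrace=1 ;; *) _xtrace= ;; esac
set +x
GITHUB_CMD=(oauth2-proxy
  --http-address="127.0.0.1:4180"
  --provider="github"
  --cookie-secure=true
  --cookie-httponly=true
  --cookie-refresh="1h"
  --cookie-expire="168h"
  --reverse-proxy=true
  --set-xauthrequest=true
  --skip-provider-button=true
  --client-id="$GITHUB_CLIENT_ID"
  --client-secret="$GITHUB_CLIENT_SECRET"
  --cookie-secret="$OAUTH2_PROXY_COOKIE_SECRET"
  --cookie-name="_oauth2_proxy_github"
  --proxy-prefix="/oauth2/github"
  --scope="user:email,read:org"
  --show-debug-on-error=true
  --redirect-url="$SPACE_PUBLIC_URL/oauth2/github/callback"
)
if [ "${#GITHUB_USERS[@]}" -gt 0 ]; then
  GITHUB_CMD+=(--email-domain="*")
  for GH_USER in "${GITHUB_USERS[@]}"; do
    GITHUB_CMD+=("--github-user=$GH_USER")
  done
fi
if [ -s "$AUTH_FILE" ]; then
  GITHUB_CMD+=("--authenticated-emails-file=$AUTH_FILE")
elif [ "${#GITHUB_USERS[@]}" -eq 0 ]; then
  # Fail closed: with neither restriction this instance would admit anyone.
  printf '%s\n' "Error: ALLOWED_USERS contains neither a GitHub login nor an e-mail address." >&2
  exit 1
fi
"${GITHUB_CMD[@]}" 2>&1 &
[ -z "$_xtrace" ] || set -x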
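printf '%s\n' "Starting oauth2-proxy (Google)..."
# Nothing else in this command restricts who may log in, so the e-mail
# allow-list is the only gate. --email-domain=* is deliberately NOT passed:
# it makes oauth2-proxy accept every e-mail address and the allow-list file
# then no longer narrows access (NOTE(review): behaviour of the oauth2-proxy
# releases I know — confirm against the deployed version). Without a single
# e-mail entry there would be no allow-list at all, so refuse to start rather
# than expose the terminal to any Google account.
if [ ! -s "$AUTH_FILE" ]; then
  printf '%s\n' "Error: ALLOWED_USERS contains no e-mail address; Google login would be unrestricted." >&2
  exit 1
fi
# --show-debug-on-error=true renders internal error details on the page shown
# to the end user; switch it off once the 500s being chased are fixed.
# The array holds the client and cookie secrets, so it is built and launched
# with xtrace off to keep them out of the trace output / container log.
case $- in *x*) _xtrace=1 ;; *) _xtrace= ;; esac
set +x
GOOGLE_CMD=(oauth2-proxy
  --http-address="127.0.0.1:4181"
  --provider="google"
  --cookie-secure=true
  --cookie-httponly=true
  --cookie-refresh="1h"
  --cookie-expire="168h"
  --reverse-proxy=true
  --set-xauthrequest=true
  --skip-provider-button=true
  --client-id="$GOOGLE_CLIENT_ID"
  --client-secret="$GOOGLE_CLIENT_SECRET"
  --cookie-secret="$OAUTH2_PROXY_COOKIE_SECRET"
  --cookie-name="_oauth2_proxy_google"
  --proxy-prefix="/oauth2/google"
  --authenticated-emails-file="$AUTH_FILE"
  --show-debug-on-error=true
  --redirect-url="$SPACE_PUBLIC_URL/oauth2/google/callback"
)
"${GOOGLE_CMD[@]}" 2>&1 &
[ -z "$_xtrace" ] || set -x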
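# 7. Wait for the backends (probing both loopback address families).
#    The proxies bind 127.0.0.1 only, so the ::1 probes matter mainly for ttyd.
ready=0
for attempt in {1..30}; do
  # Is something listening on oauth2-proxy (4180/4181) and ttyd (7681)?
  if (nc -z 127.0.0.1 4180 || nc -z ::1 4180) \
    && (nc -z 127.0.0.1 4181 || nc -z ::1 4181) \
    && (nc -z 127.0.0.1 7681 || nc -z ::1 7681); then
    ready=1
    printf '%s\n' "Services ready."
    break
  fi
  sleep 1
done
# A timeout is reported rather than fatal: nginx still starts, so a slow
# backend only delays the service instead of leaving a silent 502.
if [ "$ready" -eq 0 ]; then
  printf '%s\n' "Warning: not all backends are listening after 30s; starting Nginx anyway." >&2
fi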
# 8. Start Nginx in the foreground ("daemon off;"), so this script — and the
#    backends it started — stay up for as long as nginx runs.
printf '%s\n' "Starting Nginx..."
nginx -g "daemon off;"