#!/bin/bash
# Trace every command for debugging. The trace prints *expanded* values, so
# any line that assigns or passes a secret shows that secret in the logs
# unless tracing is switched off around it.
set -o xtrace
# =========================================================
# 环境变量检查与配置
# =========================================================
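# 2. Cookie secret: generate one when the environment did not provide it.
#    oauth2-proxy accepts 16/24/32-byte secrets; 32 base64 characters taken
#    from /dev/urandom satisfy that (the value is base64 text, not hex).
#    A secret generated here changes on every restart, which invalidates all
#    existing sessions -- set OAUTH2_PROXY_COOKIE_SECRET to keep them.
if [ -z "$OAUTH2_PROXY_COOKIE_SECRET" ]; then
  echo "Generating temporary cookie secret..."
  # The command trace (set -x) would print the generated value; switch it
  # off for the assignment and restore the previous state afterwards.
  _trace_was_on=
  case "$-" in *x*) _trace_was_on=1 ;; esac
  { set +x; } 2>/dev/null
  OAUTH2_PROXY_COOKIE_SECRET=$(head -c 32 /dev/urandom | base64 | head -c 32)
  export OAUTH2_PROXY_COOKIE_SECRET
  [ -n "$_trace_was_on" ] && set -x
  echo "Cookie Secret Generated."
fi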
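# 3. Allowlist: ALLOWED_USERS is a comma-separated mix of e-mail addresses
#    and GitHub usernames. Entries containing '@' go to AUTH_FILE (used for
#    --authenticated-emails-file); the rest are joined into GITHUB_USERS
#    (used for --github-user, so only enforced with the GitHub provider).
#    /tmp is used because it is writable for whatever user the container runs as.
AUTH_FILE="/tmp/authenticated_emails.txt"
GITHUB_USERS=""

# Strip leading/trailing whitespace from $1 and print the result.
# Parameter expansion is used instead of `echo | xargs`, which would
# interpret quotes and backslashes inside the value.
trim_ws() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

# Populate the allowlist from a comma-separated list.
# Arguments: $1 - raw ALLOWED_USERS value; $2 - path of the e-mail file
# Globals:   GITHUB_USERS (written) - comma-joined non-e-mail entries
# Outputs:   overwrites $2 with one e-mail address per line
build_allowlist() {
  local raw=$1 out=$2 entry
  local -a entries=()
  GITHUB_USERS=""
  : > "$out"
  IFS=',' read -ra entries <<< "$raw"
  for entry in "${entries[@]}"; do
    entry=$(trim_ws "$entry")
    # "a,,b" or a trailing comma yields empty tokens; skipping them avoids
    # handing "--github-user=a," to oauth2-proxy.
    [ -z "$entry" ] && continue
    if [[ "$entry" == *"@"* ]]; then
      # Contains '@': treat as an e-mail address.
      printf '%s\n' "$entry" >> "$out"
    else
      # No '@': treat as a GitHub username.
      GITHUB_USERS=${GITHUB_USERS:+$GITHUB_USERS,}$entry
    fi
  done
}

if [ -n "$ALLOWED_USERS" ]; then
  echo "Processing ALLOWED_USERS: $ALLOWED_USERS"
  build_allowlist "$ALLOWED_USERS" "$AUTH_FILE"
else
  # Empty file: nothing on the e-mail allowlist.
  echo "Warning: ALLOWED_USERS is not set! Creating empty whitelist."
  touch "$AUTH_FILE"
fi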
# =========================================================
# 启动服务
# =========================================================
# 1. ttyd: the web terminal, bound to loopback only so that oauth2-proxy is
#    the sole way to reach it. -W allows clients to write to the terminal;
#    the served shell is bash. The PID is kept for later reference.
printf 'Starting ttyd on 127.0.0.1:7681...\n'
ttyd -p 7681 -i 127.0.0.1 -W bash &
TTYD_PID=$!
# 2. OpenClaw 已在降级方案中移除预启动
# (保留手动启动逻辑作为注释参考)
# export OPENCLAW_AUTH_DISABLE=true
# openclaw gateway run &
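# 3. oauth2-proxy (listens on 127.0.0.1:4180): a single provider is chosen
#    from the credentials found in the environment.
echo "Starting oauth2-proxy on 127.0.0.1:4180..."

# Pick the provider and export the OAUTH2_PROXY_* variables oauth2-proxy reads.
# Globals (read):    GITHUB_CLIENT_ID/SECRET, GOOGLE_CLIENT_ID/SECRET,
#                    OAUTH2_PROXY_PROVIDER
# Globals (written): OAUTH2_PROXY_PROVIDER, OAUTH2_PROXY_CLIENT_ID,
#                    OAUTH2_PROXY_CLIENT_SECRET
# GitHub wins when both credential pairs are present. Without either pair the
# pre-set OAUTH2_PROXY_* values are kept and the provider defaults to "github".
select_provider() {
  local trace_was_on=
  case "$-" in *x*) trace_was_on=1 ;; esac
  # set -x would print the expanded client secret; keep it out of the logs.
  { set +x; } 2>/dev/null
  if [ -n "$GITHUB_CLIENT_ID" ] && [ -n "$GITHUB_CLIENT_SECRET" ]; then
    echo "Detected GITHUB_CLIENT_ID/SECRET. Using GitHub Provider."
    export OAUTH2_PROXY_PROVIDER="github"
    export OAUTH2_PROXY_CLIENT_ID="$GITHUB_CLIENT_ID"
    export OAUTH2_PROXY_CLIENT_SECRET="$GITHUB_CLIENT_SECRET"
  elif [ -n "$GOOGLE_CLIENT_ID" ] && [ -n "$GOOGLE_CLIENT_SECRET" ]; then
    echo "Detected GOOGLE_CLIENT_ID/SECRET. Using Google Provider."
    export OAUTH2_PROXY_PROVIDER="google"
    export OAUTH2_PROXY_CLIENT_ID="$GOOGLE_CLIENT_ID"
    export OAUTH2_PROXY_CLIENT_SECRET="$GOOGLE_CLIENT_SECRET"
  else
    # Fall back to whatever generic OAUTH2_PROXY_* values are already set.
    if [ -z "$OAUTH2_PROXY_PROVIDER" ]; then
      export OAUTH2_PROXY_PROVIDER="github"
    fi
    echo "Using generic/default Provider: $OAUTH2_PROXY_PROVIDER"
  fi
  [ -n "$trace_was_on" ] && set -x
  return 0
}
select_provider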
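# Build the oauth2-proxy argument list; the upstream is the local ttyd.
# An array replaces the earlier whitespace-split string: values are passed
# through untouched (the string form handed oauth2-proxy the literal quote
# characters in "-" and let the shell glob-expand the '*'). The two secrets
# are deliberately NOT put on the command line: oauth2-proxy reads
# OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET from the
# environment (both are exported above), which keeps them out of `ps`
# output and the set -x trace.
# NOTE(review): "--email-domain=*" accepts every e-mail domain; confirm with
# the oauth2-proxy version in use that it does not also bypass the
# --authenticated-emails-file check, otherwise the e-mail allowlist is moot.
# Globals: AUTH_FILE, GITHUB_USERS, OAUTH2_PROXY_PROVIDER,
#          OAUTH2_PROXY_CLIENT_ID (read); OAUTH2_PROXY_ARGS (written)
build_oauth2_proxy_args() {
  OAUTH2_PROXY_ARGS=(
    --config=oauth2-proxy.cfg
    "--provider=$OAUTH2_PROXY_PROVIDER"
    "--client-id=$OAUTH2_PROXY_CLIENT_ID"
    '--email-domain=*'
    --upstream=http://127.0.0.1:7681
    --http-address=127.0.0.1:4180
    "--authenticated-emails-file=$AUTH_FILE"
    --custom-sign-in-logo=-
    --banner=-
    --footer=-
    --custom-templates-dir=/var/www/html/theme
  )
  # GitHub usernames collected from ALLOWED_USERS, if any.
  if [ -n "$GITHUB_USERS" ]; then
    echo "Adding GitHub User whitelist: $GITHUB_USERS"
    OAUTH2_PROXY_ARGS+=("--github-user=$GITHUB_USERS")
  fi
}
build_oauth2_proxy_args
# stderr is merged into stdout so the proxy's own log lands in the Space logs.
oauth2-proxy "${OAUTH2_PROXY_ARGS[@]}" 2>&1 &
OAUTH2_PROXY_PID=$!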
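# 4. Readiness check: wait up to 10 s for oauth2-proxy to accept connections
#    on 4180, bailing out early if its process disappears.
echo "Waiting for services to start..."
oauth2_proxy_ready=0
for i in {1..10}; do
  if nc -z 127.0.0.1 4180; then
    echo "oauth2-proxy is up and running!"
    oauth2_proxy_ready=1
    break
  fi
  echo "Waiting for oauth2-proxy (attempt $i/10)..."
  sleep 1
  # The proxy's output was redirected to stdout when it was started, so its
  # error is already in the Space logs; nothing more to collect here.
  if ! kill -0 "$OAUTH2_PROXY_PID" 2>/dev/null; then
    echo "CRITICAL: oauth2-proxy failed to start! Checking logs..."
    echo "Exiting due to oauth2-proxy failure."
    exit 1
  fi
done
if [ "$oauth2_proxy_ready" -eq 0 ]; then
  # Kept the original behaviour (continue to nginx); requests will fail until
  # the proxy is reachable, so make the slow start visible in the logs.
  echo "Warning: oauth2-proxy not reachable after 10 attempts; starting Nginx anyway." >&2
fi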
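# 5. nginx is the only public listener (port 7860). exec replaces this shell
#    so nginx becomes the container's main process and receives stop signals
#    directly, instead of bash holding them until its foreground child exits.
echo "Starting Nginx on port 7860..."
exec nginx -g "daemon off;"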