redo UI screenshots, fix the responsiveness of the image slider for wgportal.org

* mikrotik: allow to set DNS, wip: handle routes in wg-controller

* replace old route handling for local controller

* cleanup route handling for local backend

* implement route handling for mikrotik controller

docs/documentation/configuration/overview.md

@@ -73,6 +73,7 @@ mail:
   auth_type: plain
   from: Wireguard Portal <noreply@wireguard.local>
   link_only: false
+  allow_peer_email: false
 
 auth:
   oidc: []
@@ -386,7 +387,9 @@ Controls how WireGuard Portal collects and reports usage statistics, including p
 
 ## Mail
 
-Options for configuring email notifications or sending peer configurations via email.
+Options for configuring email notifications or sending peer configurations via email. 
+By default, emails will only be sent to peers that have a valid user record linked. 
+To send emails to all peers that have a valid email-address as user-identifier, set `allow_peer_email` to `true`.
 
 ### `host`
 - **Default:** `127.0.0.1`
@@ -424,6 +427,12 @@ Options for configuring email notifications or sending peer configurations via e
 - **Default:** `false`
 - **Description:** If `true`, emails only contain a link to WireGuard Portal, rather than attaching the full configuration.
 
+### `allow_peer_email`
+- **Default:** `false`
+  - **Description:** If `true`, and a peer has no valid user record linked, but the user-identifier of the peer is a valid email address, emails will be sent to that email address.
+    If false, and the peer has no valid user record linked, emails will not be sent.
+    If a peer has linked a valid user, the email address is always taken from the user record.
+
 ---
 
 ## Auth
@@ -503,13 +512,18 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`:
     - `admin_group_regex`: A regular expression to match the `user_groups` claim. Each entry in the `user_groups` claim is checked against this regex.
 
 #### `registration_enabled`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, a new user will be created in WireGuard Portal if not already present.
 
 #### `log_user_info`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, OIDC user data is logged at the trace level upon login (for debugging).
 
+#### `log_sensitive_info`
+- **Default:** `false`
+- **Description:** If `true`, sensitive OIDC user data, such as tokens and raw responses, will be logged at the trace level upon login (for debugging).
+- **Important:** Keep this setting disabled in production environments! Remove logs once you finished debugging authentication issues.
+
 ---
 
 ### OAuth
@@ -576,13 +590,18 @@ Below are the properties for each OAuth provider entry inside `auth.oauth`:
   - `admin_group_regex`: A regular expression to match the `user_groups` claim. Each entry in the `user_groups` claim is checked against this regex.
 
 #### `registration_enabled`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, new users are created automatically on successful login.
 
 #### `log_user_info`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, logs user info at the trace level upon login.
 
+#### `log_sensitive_info`
+- **Default:** `false`
+- **Description:** If `true`, sensitive OIDC user data, such as tokens and raw responses, will be logged at the trace level upon login (for debugging).
+- **Important:** Keep this setting disabled in production environments! Remove logs once you finished debugging authentication issues.
+
 ---
 
 ### LDAP
@@ -599,11 +618,11 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
 - **Description:** The LDAP server URL (e.g., `ldap://srv-ad01.company.local:389`).
 
 #### `start_tls`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, use STARTTLS to secure the LDAP connection.
 
 #### `cert_validation`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, validate the LDAP server’s TLS certificate.
 
 #### `tls_certificate_path`
@@ -673,19 +692,19 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
   ```
 
 #### `disable_missing`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, any user **not** found in LDAP (during sync) is disabled in WireGuard Portal.
 
 #### `auto_re_enable`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, users that where disabled because they were missing (see `disable_missing`) will be re-enabled once they are found again.
 
 #### `registration_enabled`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, new user accounts are created in WireGuard Portal upon first login.
 
 #### `log_user_info`
-- **Default:** *(empty)*
+- **Default:** `false`
 - **Description:** If `true`, logs LDAP user data at the trace level upon login.
 
 ---

docs/theme-overrides/layouts/home.html

@@ -68,7 +68,7 @@
 }
 .tx-hero__image {
   max-width: 1000px;
-  min-width: 600px;
+  min-width: 0;
   width: 100%;
   height: auto;
   margin: 0 auto;
@@ -218,7 +218,7 @@
 
 .secondary-section .g .section .component-wrapper .responsive-grid .card {
   position: relative;
-  background-color:  #fff none repeat scroll 0% 0%;
+  background-color:  #fff;
   padding: 1.5rem;
   display: flex;
   flex-direction: row;
@@ -363,7 +363,6 @@
           <h1>A beautiful and simple UI to manage your WireGuard peers and interfaces</h1>
           <p>WireGuard Portal is an open source web-based user interface that makes it easy to setup and manage
             WireGuard VPN connections. It's built on top of WireGuard's official <span class="em">wgctrl</span> library.</p>
-          </p>
           <a
             href="documentation/overview/"
             title="Get Started"

frontend/src/helpers/utils.js

@@ -4,12 +4,12 @@ export function ipToBigInt(ip) {
   // Check if it's an IPv4 address
   if (ip.includes(".")) {
     const addr = new Address4(ip)
-    return addr.bigInteger()
+    return addr.bigInt()
   }
 
   // Otherwise, assume it's an IPv6 address
   const addr = new Address6(ip)
-  return addr.bigInteger()
+  return addr.bigInt()
 }
 
 export function humanFileSize(size) {

internal/app/auth/auth_oauth.go

@@ -19,15 +19,16 @@ import (
 // PlainOauthAuthenticator is an authenticator that uses OAuth for authentication.
 // User information is retrieved from the specified user info endpoint.
 type PlainOauthAuthenticator struct {
-	name                string
+	name                 string
-	cfg                 *oauth2.Config
+	cfg                  *oauth2.Config
-	userInfoEndpoint    string
+	userInfoEndpoint     string
-	client              *http.Client
+	client               *http.Client
-	userInfoMapping     config.OauthFields
+	userInfoMapping      config.OauthFields
-	userAdminMapping    *config.OauthAdminMapping
+	userAdminMapping     *config.OauthAdminMapping
-	registrationEnabled bool
+	registrationEnabled  bool
-	userInfoLogging     bool
+	userInfoLogging      bool
-	allowedDomains      []string
+	sensitiveInfoLogging bool
+	allowedDomains       []string
 }
 
 func newPlainOauthAuthenticator(
@@ -57,6 +58,7 @@ func newPlainOauthAuthenticator(
 	provider.userAdminMapping = &cfg.AdminMapping
 	provider.registrationEnabled = cfg.RegistrationEnabled
 	provider.userInfoLogging = cfg.LogUserInfo
+	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 
 	return provider, nil
@@ -110,6 +112,10 @@ func (p PlainOauthAuthenticator) GetUserInfo(
 
 	response, err := p.client.Do(req)
 	if err != nil {
+		if p.sensitiveInfoLogging {
+			slog.Debug("OAuth: failed to get user info", "endpoint", p.userInfoEndpoint,
+				"token", token, "error", err)
+		}
 		return nil, fmt.Errorf("failed to get user info: %w", err)
 	}
 	defer internal.LogClose(response.Body)
@@ -121,11 +127,15 @@ func (p PlainOauthAuthenticator) GetUserInfo(
 	var userFields map[string]any
 	err = json.Unmarshal(contents, &userFields)
 	if err != nil {
+		if p.sensitiveInfoLogging {
+			slog.Debug("OAuth: failed to parse user info", "endpoint", p.userInfoEndpoint,
+				"token", token, "contents", contents, "error", err)
+		}
 		return nil, fmt.Errorf("failed to parse user info: %w", err)
 	}
 
 	if p.userInfoLogging {
-		slog.Debug("OAuth user info",
+		slog.Debug("OAuth: user info debug",
 			"source", p.name,
 			"info", string(contents))
 	}

internal/app/auth/auth_oidc.go

@@ -16,15 +16,16 @@ import (
 
 // OidcAuthenticator is an authenticator for OpenID Connect providers.
 type OidcAuthenticator struct {
-	name                string
+	name                 string
-	provider            *oidc.Provider
+	provider             *oidc.Provider
-	verifier            *oidc.IDTokenVerifier
+	verifier             *oidc.IDTokenVerifier
-	cfg                 *oauth2.Config
+	cfg                  *oauth2.Config
-	userInfoMapping     config.OauthFields
+	userInfoMapping      config.OauthFields
-	userAdminMapping    *config.OauthAdminMapping
+	userAdminMapping     *config.OauthAdminMapping
-	registrationEnabled bool
+	registrationEnabled  bool
-	userInfoLogging     bool
+	userInfoLogging      bool
-	allowedDomains      []string
+	sensitiveInfoLogging bool
+	allowedDomains       []string
 }
 
 func newOidcAuthenticator(
@@ -58,6 +59,7 @@ func newOidcAuthenticator(
 	provider.userAdminMapping = &cfg.AdminMapping
 	provider.registrationEnabled = cfg.RegistrationEnabled
 	provider.userInfoLogging = cfg.LogUserInfo
+	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 
 	return provider, nil
@@ -102,24 +104,40 @@ func (o OidcAuthenticator) GetUserInfo(ctx context.Context, token *oauth2.Token,
 ) {
 	rawIDToken, ok := token.Extra("id_token").(string)
 	if !ok {
+		if o.sensitiveInfoLogging {
+			slog.Debug("OIDC: token does not contain id_token", "token", token, "nonce", nonce)
+		}
 		return nil, errors.New("token does not contain id_token")
 	}
 	idToken, err := o.verifier.Verify(ctx, rawIDToken)
 	if err != nil {
+		if o.sensitiveInfoLogging {
+			slog.Debug("OIDC: failed to validate id_token", "token", token, "id_token", rawIDToken, "nonce", nonce,
+				"error",
+				err)
+		}
 		return nil, fmt.Errorf("failed to validate id_token: %w", err)
 	}
 	if idToken.Nonce != nonce {
+		if o.sensitiveInfoLogging {
+			slog.Debug("OIDC: id_token nonce mismatch", "token", token, "id_token", idToken, "nonce", nonce)
+		}
 		return nil, errors.New("nonce mismatch")
 	}
 
 	var tokenFields map[string]any
 	if err = idToken.Claims(&tokenFields); err != nil {
+		if o.sensitiveInfoLogging {
+			slog.Debug("OIDC: failed to parse extra claims", "token", token, "id_token", idToken, "nonce", nonce,
+				"error",
+				err)
+		}
 		return nil, fmt.Errorf("failed to parse extra claims: %w", err)
 	}
 
 	if o.userInfoLogging {
 		contents, _ := json.Marshal(tokenFields)
-		slog.Debug("OIDC user info",
+		slog.Debug("OIDC: user info debug",
 			"source", o.name,
 			"info", string(contents))
 	}

internal/app/mail/manager.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
+	"net/mail"
 
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
@@ -101,29 +102,15 @@ func (m Manager) SendPeerEmail(ctx context.Context, linkOnly bool, style string,
 		}
 
 		if peer.UserIdentifier == "" {
-			slog.Debug("skipping peer email",
+			return fmt.Errorf("peer %s has no user linked, no email is sent", peerId)
-				"peer", peerId,
-				"reason", "no user linked")
-			continue
 		}
 
-		user, err := m.users.GetUser(ctx, peer.UserIdentifier)
+		email, user := m.resolveEmail(ctx, peer)
-		if err != nil {
+		if email == "" {
-			slog.Debug("skipping peer email",
+			return fmt.Errorf("peer %s has no valid email address, no email is sent", peerId)
-				"peer", peerId,
-				"reason", "unable to fetch user",
-				"error", err)
-			continue
 		}
 
-		if user.Email == "" {
+		err = m.sendPeerEmail(ctx, linkOnly, style, &user, peer)
-			slog.Debug("skipping peer email",
-				"peer", peerId,
-				"reason", "user has no mail address")
-			continue
-		}
-
-		err = m.sendPeerEmail(ctx, linkOnly, style, user, peer)
 		if err != nil {
 			return fmt.Errorf("failed to send peer email for %s: %w", peerId, err)
 		}
@@ -194,3 +181,37 @@ func (m Manager) sendPeerEmail(
 
 	return nil
 }
+
+func (m Manager) resolveEmail(ctx context.Context, peer *domain.Peer) (string, domain.User) {
+	user, err := m.users.GetUser(ctx, peer.UserIdentifier)
+	if err != nil {
+		if m.cfg.Mail.AllowPeerEmail {
+			_, err := mail.ParseAddress(string(peer.UserIdentifier)) // test if the user identifier is a valid email address
+			if err == nil {
+				slog.Debug("peer email: using user-identifier as email",
+					"peer", peer.Identifier, "email", peer.UserIdentifier)
+				return string(peer.UserIdentifier), domain.User{}
+			} else {
+				slog.Debug("peer email: skipping peer email",
+					"peer", peer.Identifier,
+					"reason", "peer has no user linked and user-identifier is not a valid email address")
+				return "", domain.User{}
+			}
+		} else {
+			slog.Debug("peer email: skipping peer email",
+				"peer", peer.Identifier,
+				"reason", "user has no user linked")
+			return "", domain.User{}
+		}
+	}
+
+	if user.Email == "" {
+		slog.Debug("peer email: skipping peer email",
+			"peer", peer.Identifier,
+			"reason", "user has no mail address")
+		return "", domain.User{}
+	}
+
+	slog.Debug("peer email: using user email", "peer", peer.Identifier, "email", user.Email)
+	return user.Email, *user
+}

internal/config/auth.go

@@ -211,6 +211,10 @@ type OpenIDConnectProvider struct {
 
 	// If LogUserInfo is set to true, the user info retrieved from the OIDC provider will be logged in trace level.
 	LogUserInfo bool `yaml:"log_user_info"`
+
+	// If LogSensitiveInfo is set to true, sensitive information retrieved from the OIDC provider will be logged in trace level.
+	// This also includes OAuth tokens! Keep this disabled in production!
+	LogSensitiveInfo bool `yaml:"log_sensitive_info"`
 }
 
 // OAuthProvider contains the configuration for the OAuth provider.
@@ -252,6 +256,10 @@ type OAuthProvider struct {
 
 	// If LogUserInfo is set to true, the user info retrieved from the OAuth provider will be logged in trace level.
 	LogUserInfo bool `yaml:"log_user_info"`
+
+	// If LogSensitiveInfo is set to true, sensitive information retrieved from the OAuth provider will be logged in trace level.
+	// This also includes OAuth tokens! Keep this disabled in production!
+	LogSensitiveInfo bool `yaml:"log_sensitive_info"`
 }
 
 // WebauthnConfig contains the configuration for the WebAuthn authenticator.

internal/config/mail.go

@@ -41,4 +41,6 @@ type MailConfig struct {
 	From string `yaml:"from"`
 	// LinkOnly specifies whether emails should only contain a link to WireGuard Portal or attach the full configuration
 	LinkOnly bool `yaml:"link_only"`
+	// AllowPeerEmail specifies whether emails should be sent to peers which have no valid user account linked, but an email address is set as "user".
+	AllowPeerEmail bool `yaml:"allow_peer_email"`
 }