gotify · jmattheis · May 26, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
@@ -9,4 +9,5 @@ coverage.txt
 **/*-packr.go
 config.yml
 data/
-images/
+images/
+/gotify-server.env.local
@@ -23,11 +23,6 @@ import (
 )
 
 func NewOIDC(conf *config.Configuration, db *database.GormDatabase, userChangeNotifier *UserChangeNotifier) *OIDCAPI {
-	scopes := conf.OIDC.Scopes
-	if len(scopes) == 0 {
-		scopes = []string{"openid", "profile", "email"}
-	}
-
 	cookieKey := make([]byte, 32)
 	if _, err := rand.Read(cookieKey); err != nil {
 		log.Fatal().Err(err).Msg("failed to generate OIDC cookie key")
@@ -46,7 +41,7 @@ func NewOIDC(conf *config.Configuration, db *database.GormDatabase, userChangeNo
 		conf.OIDC.ClientID,
 		conf.OIDC.ClientSecret,
 		conf.OIDC.RedirectURL,
-		scopes,
+		conf.OIDC.Scopes,
 		opts...,
 	)
 	if err != nil {

@@ -11,7 +11,6 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
 	"github.com/gotify/server/v2/auth"
-	"github.com/gotify/server/v2/mode"
 	"github.com/gotify/server/v2/model"
 )
 
@@ -214,9 +213,6 @@ func newUpgrader(allowedWebSocketOrigins []string) *websocket.Upgrader {
 		ReadBufferSize:  1024,
 		WriteBufferSize: 1024,
 		CheckOrigin: func(r *http.Request) bool {
-			if mode.IsDev() {
-				return true
-			}
 			return isAllowedOrigin(r, compiledAllowedOrigins)
 		},
 	}

@@ -27,13 +27,21 @@ var (
 )
 
 func main() {
-	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stdout, TimeFormat: time.RFC3339, NoColor: noColor()})
-
 	vInfo := &model.VersionInfo{Version: Version, Commit: Commit, BuildDate: BuildDate}
 	mode.Set(Mode)
 
+	conf, futureLogs := config.Get()
+	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stdout, TimeFormat: time.RFC3339, NoColor: noColor(conf.NoColor)}).Level(zerolog.Level(conf.LogLevel))
 	log.Info().Str("version", vInfo.Version).Str("build_date", BuildDate).Msg("Gotify")
-	conf := config.Get()
+
+	exit := false
+	for _, futureLog := range futureLogs {
+		log.WithLevel(futureLog.Level).Msg(futureLog.Msg)
+		exit = exit || futureLog.Level == zerolog.FatalLevel || futureLog.Level == zerolog.PanicLevel
+	}
+	if exit {
+		os.Exit(1)
+	}
 
 	if conf.PluginsDir != "" {
 		if err := os.MkdirAll(conf.PluginsDir, 0o755); err != nil {
@@ -59,9 +67,9 @@ func main() {
 	}
 }
 
-func noColor() bool {
+func noColor(noColorEnv string) bool {
 	// https://no-color.org/
-	if os.Getenv("NO_COLOR") == "1" {
+	if noColorEnv == "1" {
 		return true
 	}
 

@@ -7,7 +7,6 @@ import (
 
 	"github.com/gin-contrib/cors"
 	"github.com/gotify/server/v2/config"
-	"github.com/gotify/server/v2/mode"
 )
 
 // CorsConfig generates a config to use in gin cors middleware based on server configuration.
@@ -16,28 +15,19 @@ func CorsConfig(conf *config.Configuration) cors.Config {
 		MaxAge:                 12 * time.Hour,
 		AllowBrowserExtensions: true,
 	}
-	if mode.IsDev() {
-		corsConf.AllowAllOrigins = true
-		corsConf.AllowMethods = []string{"GET", "POST", "DELETE", "OPTIONS", "PUT"}
-		corsConf.AllowHeaders = []string{
-			"X-Gotify-Key", "Authorization", "Content-Type", "Upgrade", "Origin",
-			"Connection", "Accept-Encoding", "Accept-Language", "Host",
-		}
-	} else {
-		compiledOrigins := compileAllowedCORSOrigins(conf.Server.Cors.AllowOrigins)
-		corsConf.AllowMethods = conf.Server.Cors.AllowMethods
-		corsConf.AllowHeaders = conf.Server.Cors.AllowHeaders
-		corsConf.AllowOriginFunc = func(origin string) bool {
-			for _, compiledOrigin := range compiledOrigins {
-				if compiledOrigin.MatchString(strings.ToLower(origin)) {
-					return true
-				}
+	compiledOrigins := compileAllowedCORSOrigins(conf.Server.Cors.AllowOrigins)
+	corsConf.AllowMethods = conf.Server.Cors.AllowMethods
+	corsConf.AllowHeaders = conf.Server.Cors.AllowHeaders
+	corsConf.AllowOriginFunc = func(origin string) bool {
+		for _, compiledOrigin := range compiledOrigins {
+			if compiledOrigin.MatchString(strings.ToLower(origin)) {
+				return true
 			}
-			return false
-		}
-		if allowedOrigin := headerIgnoreCase(conf, "access-control-allow-origin"); allowedOrigin != "" && len(compiledOrigins) == 0 {
-			corsConf.AllowOrigins = append(corsConf.AllowOrigins, allowedOrigin)
 		}
+		return false
+	}
+	if allowedOrigin := headerIgnoreCase(conf, "access-control-allow-origin"); allowedOrigin != "" && len(compiledOrigins) == 0 {
+		corsConf.AllowOrigins = append(corsConf.AllowOrigins, allowedOrigin)
 	}
 
 	return corsConf

@@ -50,24 +50,3 @@ func TestEmptyCorsConfigWithResponseHeaders(t *testing.T) {
 		AllowBrowserExtensions: true,
 	}, actual)
 }
-
-func TestDevCorsConfig(t *testing.T) {
-	mode.Set(mode.Dev)
-	serverConf := config.Configuration{}
-	serverConf.Server.Cors.AllowOrigins = []string{"http://test.com"}
-	serverConf.Server.Cors.AllowHeaders = []string{"content-type"}
-	serverConf.Server.Cors.AllowMethods = []string{"GET"}
-
-	actual := CorsConfig(&serverConf)
-
-	assert.Equal(t, cors.Config{
-		AllowHeaders: []string{
-			"X-Gotify-Key", "Authorization", "Content-Type", "Upgrade", "Origin",
-			"Connection", "Accept-Encoding", "Accept-Language", "Host",
-		},
-		AllowMethods:           []string{"GET", "POST", "DELETE", "OPTIONS", "PUT"},
-		MaxAge:                 12 * time.Hour,
-		AllowAllOrigins:        true,
-		AllowBrowserExtensions: true,
-	}, actual)
-}