Merge branch 'main' into build

Author: simonrob

.github/workflows/build.yml

@@ -0,0 +1,136 @@
+name: Add built assets to latest release
+
+on:
+  push:
+
+permissions:
+  contents: write
+
+jobs:
+  get_tag:
+    # get the latest tag (separate job as Windows doesn't support this method)
+    # straightforward because in this repository tags are used only for releases, but we could do a regex match if not
+    runs-on: ubuntu-latest
+    outputs:
+      output: ${{ steps.latest_tag.outputs.tag }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - id: latest_tag
+        run: |
+            git fetch -a
+            echo "tag=$(git tag --sort -committerdate | head -n 1)" >> $GITHUB_OUTPUT
+
+  build:
+    needs: get_tag
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-latest, windows-latest]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      # install requirements
+      # - note: `imageio` is required here to convert our PNG icon to a format nuitka can handle (nuitka itself is a separate action)
+      # - note: `certifi` is required here because pyinstaller no longer bundles certificates (pyinstaller #7229)
+      # - note: `boto3`, `requests`, `google-auth` and corresponding pyinstaller hidden imports / nuitka included 
+      #         packages are so that advanced proxy features work in pre-built binaries
+      # - note: `--hidden-import timeago.locales.en_short` is required for GUI mode until `timeago` #40 is fixed
+      - run: |
+            python -m pip install --upgrade pip
+            python -m pip install wheel
+            python -m pip install pyinstaller imageio
+            python -m pip install -r requirements-core.txt -r requirements-gui.txt
+            python -m pip install certifi
+            python -m pip install boto3 requests google-auth
+
+      # build the pyinstaller version (same method for both macOS and Windows), outputting to the folder `dist`
+      - run: python -m PyInstaller --clean --noconsole --onefile --hidden-import prompt_toolkit --hidden-import timeago.locales.en_short --hidden-import certifi --hidden-import boto3 --hidden-import requests --hidden-import google --hidden-import jwt --icon icon.png --distpath dist/ emailproxy.py
+
+      # add license, documentation, configuration file sample and disclaimer
+      # - note: `move [...] alias move=mv [...]` is to support using the same commands on all platforms
+      - run: |
+            move LICENSE . 2> nul || { shopt -s expand_aliases; alias move=mv; }
+            move LICENSE dist/
+            move README.md dist/
+            move emailproxy.config dist/
+            echo 'This binary distribution is automatically created for each Email OAuth 2.0 Proxy release, ' >> _.txt
+            echo 'but is not tested, and is not officially supported. Using the main emailproxy.py script ' >> _.txt
+            echo 'directly is recommended for best results: https://github.com/simonrob/email-oauth2-proxy/' >> _.txt
+            move _.txt dist/GettingStarted.txt
+
+      # on macOS pyinstaller `--onefile` creates bundle *and* binary; we don't need both (and the .app also contains the binary)
+      - if: runner.os == 'macOS'
+        run: rm dist/emailproxy
+
+      # zip the built pyinstaller output, naming according to tag and OS
+      - uses: thedoctor0/[email protected]
+        with:
+          type: zip
+          directory: dist/
+          filename: emailproxy-${{ needs.get_tag.outputs.output }}_pyinstaller-${{ runner.os }}.zip
+
+      # append the pyinstaller zip to the latest release
+      - uses: xresloader/[email protected]
+        with:
+          file: dist/*.zip
+          update_latest_release: true
+
+      # clean up pyinstaller assets and add platform-specific nuitka configuration options (`move` alias usage as above)
+      - run: |
+            rm dist/emailproxy-${{ needs.get_tag.outputs.output }}_pyinstaller-${{ runner.os }}.zip
+            move emailproxy.py . 2> nul || { shopt -s expand_aliases; alias move=mv; }
+            move emailproxy.py _.py
+            echo '# nuitka-project-if: {OS} in ("Windows"):' >> _.txt
+            echo '#    nuitka-project: --windows-icon-from-ico=icon.png' >> _.txt
+            echo '# nuitka-project-if: {OS} == "Darwin":' >> _.txt
+            echo '#    nuitka-project: --macos-app-icon=icon.png' >> _.txt
+            move _.txt emailproxy.py
+            cat _.py >> emailproxy.py
+
+      # build the nuitka version - by default, this uses the options `--mode=app --assume-yes-for-downloads --output-dir=build` (see: https://github.com/Nuitka/Nuitka-Action/blob/main/action.yml)
+      - uses: Nuitka/Nuitka-Action@main
+        with:
+          nuitka-version: main
+          script-name: emailproxy.py
+          include-package: |
+                          prompt_toolkit
+                          timeago.locales.en_short
+                          certifi
+                          boto3
+                          requests
+                          google
+                          jwt
+          nofollow-import-to: '*.tests'
+      
+      # replace previous build files (-f vs. -fo behaviour differences mean we can't combine); add macOS quarantine tips
+      - if: runner.os == 'macOS'
+        run: |
+            rm -rf dist/emailproxy.app/
+            echo "\nIf macOS says the app is damaged, run `xattr -dr com.apple.quarantine emailproxy.app`" >> dist/GettingStarted.txt
+            echo 'If you still have problems, try no-GUI mode: `emailproxy.app/Contents/MacOS/emailproxy --no-gui`' >> dist/GettingStarted.txt
+            mv build/emailproxy.app/ dist/
+
+      - if: runner.os == 'Windows'
+        run: |
+            rm dist/emailproxy.exe
+            move build/emailproxy.exe dist/
+
+      # zip the built nuitka output, naming according to tag and OS
+      - uses: thedoctor0/[email protected]
+        with:
+          type: zip
+          directory: dist/
+          filename: emailproxy-${{ needs.get_tag.outputs.output }}_nuitka-${{ runner.os }}.zip
+
+      # append the nuitka zip to the latest release
+      - uses: xresloader/[email protected]
+        with:
+          file: dist/*.zip
+          update_latest_release: true

.github/workflows/pyinstaller.yml

@@ -1,10 +1,24 @@
 # Email OAuth 2.0 Proxy<a id="email-oauth-20-proxy"></a>
 Transparently add OAuth 2.0 support to IMAP/POP/SMTP client applications, scripts or any other email use-cases that don't support this authentication method.
 
+<div align="center">
+  <br><strong>Email OAuth 2.0 Proxy is sponsored by</strong><br><br>
+  <a href="https://auth-email.com/?ref=emailproxy">
+    <picture>
+      <source width="300" media="(prefers-color-scheme: dark)" srcset="https://auth-email.com/static/img/logo-full-dark.svg">
+      <source width="300" media="(prefers-color-scheme: light)" srcset="https://auth-email.com/static/img/logo-full-light.svg">
+      <img width="300" src="https://auth-email.com/static/img/logo-full.png" alt="Email-Auth logo">
+    </picture><br>
+    <b>Email OAuth made simple</b><br>
+    <sub>Auth-Email.com is a unified proxy for all your OAuth 2.0 email accounts.</sub><br>
+    <sup>Use any app or client to access your accounts with ease.</sup>
+  </a><br><br>
+</div>
+
 
 ## Motivation and capabilities<a id="motivation-and-capabilities"></a>
 Email services that support IMAP, POP and/or SMTP access are increasingly requiring the use of OAuth 2.0 to authenticate connections, but not all clients support this method.
-This tool creates a simple local proxy that intercepts the traditional IMAP/POP/SMTP authentication commands and transparently replaces them with the appropriate SASL (X)OAuth 2.0 commands and credentials.
+This tool creates a local proxy that intercepts the traditional IMAP/POP/SMTP authentication commands and transparently replaces them with the appropriate SASL (X)OAuth 2.0 commands and credentials.
 Your email client can continue to use the `login` or `auth`/`authenticate` options, with no need to make it aware of OAuth's existence.
 The proxy works in the background with a menu bar/taskbar helper or as a headless system service, and is compatible with macOS, Windows and Linux.
 
@@ -194,7 +208,7 @@ Please [open an issue](https://github.com/simonrob/email-oauth2-proxy/issues) if
 
 When first launching on Linux in GUI mode you may encounter errors similar to `Namespace […] not available`, issues with the task bar icon display, or no browser popup when attempting to authorise your accounts.
 This is caused by missing dependencies for [pystray](https://github.com/moses-palmer/pystray/) and [pywebview](https://github.com/r0x0r/pywebview/), which are used to display the menu bar icon and authentication windows.
-See the [pywebview dependencies](https://pywebview.flowrl.com/guide/installation.html#dependencies) and [pystray FAQ](https://pystray.readthedocs.io/en/latest/faq.html) pages and [existing](https://github.com/simonrob/email-oauth2-proxy/issues/1#issuecomment-831746642) [closed issues](https://github.com/simonrob/email-oauth2-proxy/issues/136#issuecomment-1430417456) in this repository for a summary and suggestions about how to resolve this.
+See the [pywebview dependencies](https://pywebview.flowrl.com/guide/installation.html#dependencies) and [pystray FAQ](https://pystray.readthedocs.io/en/latest/faq.html) pages and [existing](https://github.com/simonrob/email-oauth2-proxy/issues/1#issuecomment-831746642) [closed](https://github.com/simonrob/email-oauth2-proxy/issues/136#issuecomment-1430417456) [issues](https://github.com/simonrob/email-oauth2-proxy/issues/305#issuecomment-2482989955) in this repository for a summary and suggestions about how to resolve this.
 
 A similar issue may occur on Windows with the [pythonnet](https://github.com/pythonnet/pythonnet) package, which is required by [pywebview](https://github.com/r0x0r/pywebview).
 The [pythonnet installation instructions](https://github.com/pythonnet/pythonnet/wiki/Installation) may offer alternative ways to install this package if the default installation fails.
@@ -206,6 +220,9 @@ On Windows this is normally limited to keyboard shortcuts (i.e., copy/paste), bu
 As a workaround, the proxy will enable pywebview's debug mode when you run the proxy itself in debug mode, which should allow you to use the right-click context menu to copy/paste to enter text.
 If you are unable to proceed with popup-based authentication even with this workaround, it is worth trying the proxy's `--external-auth` or `--local-server-auth` options.
 
+- If the authorisation window fails to render due to an issue with hardware acceleration (for example: `MESA: error: ZINK: failed to choose pdev`), you can try disabling hardware rendering by setting the environment variable `LIBGL_ALWAYS_SOFTWARE=1`.
+You may also wish to try disabling the DMABUF renderer in WebKit with `WEBKIT_DISABLE_DMABUF_RENDERER=1`.
+
 - On macOS (10.14 and later), you may find that when first running the proxy as a service you need to manually load its launch agent in order to trigger a file access permission prompt.
 You will know intervention is necessary if the proxy exits (rather than restarts) the first time you click `Start at login` from its menu bar icon.
 To resolve this, exit the proxy and then run `launchctl load ~/Library/LaunchAgents/ac.robinson.email-oauth2-proxy.plist` from a terminal.

README.md

@@ -166,10 +166,12 @@ documentation = Accounts are specified using your email address as the section h
 		attempts before the first valid login, pre-encrypting account entries is highly recommended. See the example
 		script at https://github.com/simonrob/email-oauth2-proxy/issues/61#issuecomment-1259110336.
 
-	- The proxy supports the device authorisation grant (DAG) OAuth 2.0 flow, which may better suit headless systems
-	(currently only known to be available for Office 365 / Outlook). To use this flow, set `oauth2_flow = device`. With
+	- The proxy supports the device authorisation grant (DAG) OAuth 2.0 flow (currently only known to be available for
+    Office 365 / Outlook), which may better suit headless systems. To use this flow, set `oauth2_flow = device`. With
 	this flow, the proxy receives authorisation responses directly from the service provider, so no `redirect_uri` is
-	needed. An example account configuration is given below.
+	needed. An example account configuration is given below. For additional customisation, the proxy modifications and
+	scripts demonstrated at https://github.com/simonrob/email-oauth2-proxy/pull/317 show how the DAG flow authorisation
+    message could be pushed to a separate device, which may be useful when running the proxy headless or without a GUI.
 
 	Gmail customisation:
 	- The proxy supports the use of service accounts with Gmail for Google Workspace (note: normal Gmail accounts do not