Merge branch 'main' into feat/tailscale

2026-05-17 09:40:14 +00:00 · 2026-05-10 16:44:39 +03:00
parent 3971710e87 4f7335ed73
commit 312671c795
81 changed files with 4474 additions and 2655 deletions
@@ -4,114 +4,101 @@ import (
 	"fmt"
 	"net/url"

-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"

 	"github.com/gin-gonic/gin"
 )

 type UserContextResponse struct {
-	Status            int    `json:"status"`
-	Message           string `json:"message"`
-	IsLoggedIn        bool   `json:"isLoggedIn"`
-	Username          string `json:"username"`
-	Name              string `json:"name"`
-	Email             string `json:"email"`
-	Provider          string `json:"provider"`
-	OAuth             bool   `json:"oauth"`
-	TotpPending       bool   `json:"totpPending"`
-	OAuthName         string `json:"oauthName"`
-	TailscaleNodeName string `json:"tailscaleNodeName"`
+	Status      int    `json:"status"`
+	Message     string `json:"message"`
+	IsLoggedIn  bool   `json:"isLoggedIn"`
+	Username    string `json:"username"`
+	Name        string `json:"name"`
+	Email       string `json:"email"`
+	Provider    string `json:"provider"`
+	OAuth       bool   `json:"oauth"`
+	TOTPPending bool   `json:"totpPending"`
+	OAuthName   string `json:"oauthName"`
 }

 type AppContextResponse struct {
-	Status                int        `json:"status"`
-	Message               string     `json:"message"`
-	Providers             []Provider `json:"providers"`
-	Title                 string     `json:"title"`
-	AppURL                string     `json:"appUrl"`
-	CookieDomain          string     `json:"cookieDomain"`
-	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
-	BackgroundImage       string     `json:"backgroundImage"`
-	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-	WarningsEnabled       bool       `json:"warningsEnabled"`
-}
-
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
-}
-
-type ContextControllerConfig struct {
-	Providers             []Provider
-	Title                 string
-	AppURL                string
-	CookieDomain          string
-	ForgotPasswordMessage string
-	BackgroundImage       string
-	OAuthAutoRedirect     string
-	WarningsEnabled       bool
+	Status                int              `json:"status"`
+	Message               string           `json:"message"`
+	Providers             []model.Provider `json:"providers"`
+	Title                 string           `json:"title"`
+	AppURL                string           `json:"appUrl"`
+	CookieDomain          string           `json:"cookieDomain"`
+	ForgotPasswordMessage string           `json:"forgotPasswordMessage"`
+	BackgroundImage       string           `json:"backgroundImage"`
+	OAuthAutoRedirect     string           `json:"oauthAutoRedirect"`
+	WarningsEnabled       bool             `json:"warningsEnabled"`
 }

 type ContextController struct {
-	config ContextControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
 }

-func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
-	if !config.WarningsEnabled {
-		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
+func NewContextController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+) *ContextController {
+	controller := &ContextController{
+		log:     log,
+		config:  config,
+		runtime: runtimeConfig,
 	}

-	return &ContextController{
-		config: config,
-		router: router,
+	if !config.UI.WarningsEnabled {
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
-}

-func (controller *ContextController) SetupRoutes() {
-	contextGroup := controller.router.Group("/context")
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
+
+	return controller
 }

 func (controller *ContextController) userContextHandler(c *gin.Context) {
-	context, err := utils.GetContext(c)
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		c.JSON(200, UserContextResponse{
+			Status:     401,
+			Message:    "Unauthorized",
+			IsLoggedIn: false,
+		})
+		return
+	}

 	userContext := UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  context.IsLoggedIn,
-		Username:    context.Username,
-		Name:        context.Name,
-		Email:       context.Email,
-		Provider:    context.Provider,
-		OAuth:       context.OAuth,
-		TotpPending: context.TotpPending,
-		OAuthName:   context.OAuthName,
-	}
-
-	if context.Tailscale != nil {
-		userContext.TailscaleNodeName = context.Tailscale.NodeName
-	}
-
-	if err != nil {
-		tlog.App.Debug().Err(err).Msg("No user context found in request")
-		userContext.Status = 401
-		userContext.Message = "Unauthorized"
-		userContext.IsLoggedIn = false
-		c.JSON(200, userContext)
-		return
+		IsLoggedIn:  context.Authenticated,
+		Username:    context.GetUsername(),
+		Name:        context.GetName(),
+		Email:       context.GetEmail(),
+		Provider:    context.GetProviderID(),
+		OAuth:       context.IsOAuth(),
+		TOTPPending: context.TOTPPending(),
+		OAuthName:   context.OAuthName(),
 	}

 	c.JSON(200, userContext)
 }

 func (controller *ContextController) appContextHandler(c *gin.Context) {
-	appUrl, err := url.Parse(controller.config.AppURL)
+	appUrl, err := url.Parse(controller.runtime.AppURL)
+
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
+		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -122,13 +109,13 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controller.config.Providers,
-		Title:                 controller.config.Title,
+		Providers:             controller.runtime.ConfiguredProviders,
+		Title:                 controller.config.UI.Title,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.config.CookieDomain,
-		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
-		BackgroundImage:       controller.config.BackgroundImage,
-		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
-		WarningsEnabled:       controller.config.WarningsEnabled,
+		CookieDomain:          controller.runtime.CookieDomain,
+		ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
+		BackgroundImage:       controller.config.UI.BackgroundImage,
+		OAuthAutoRedirect:     controller.config.OAuth.AutoRedirect,
+		WarningsEnabled:       controller.config.UI.WarningsEnabled,
 	})
 }
@@ -7,31 +7,20 @@ import (
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestContextController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	controllerConfig := controller.ContextControllerConfig{
-		Providers: []controller.Provider{
-			{
-				Name:  "Local",
-				ID:    "local",
-				OAuth: false,
-			},
-		},
-		Title:                 "Tinyauth",
-		AppURL:                "https://tinyauth.example.com",
-		CookieDomain:          "example.com",
-		ForgotPasswordMessage: "foo",
-		BackgroundImage:       "/background.jpg",
-		OAuthAutoRedirect:     "none",
-		WarningsEnabled:       true,
-	}
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)

 	tests := []struct {
 		description string
@@ -47,17 +36,17 @@ func TestContextController(t *testing.T) {
 				expectedAppContextResponse := controller.AppContextResponse{
 					Status:                200,
 					Message:               "Success",
-					Providers:             controllerConfig.Providers,
-					Title:                 controllerConfig.Title,
-					AppURL:                controllerConfig.AppURL,
-					CookieDomain:          controllerConfig.CookieDomain,
-					ForgotPasswordMessage: controllerConfig.ForgotPasswordMessage,
-					BackgroundImage:       controllerConfig.BackgroundImage,
-					OAuthAutoRedirect:     controllerConfig.OAuthAutoRedirect,
-					WarningsEnabled:       controllerConfig.WarningsEnabled,
+					Providers:             runtime.ConfiguredProviders,
+					Title:                 cfg.UI.Title,
+					AppURL:                runtime.AppURL,
+					CookieDomain:          runtime.CookieDomain,
+					ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
+					BackgroundImage:       cfg.UI.BackgroundImage,
+					OAuthAutoRedirect:     cfg.OAuth.AutoRedirect,
+					WarningsEnabled:       cfg.UI.WarningsEnabled,
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -71,7 +60,7 @@ func TestContextController(t *testing.T) {
 					Message: "Unauthorized",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -79,12 +68,16 @@ func TestContextController(t *testing.T) {
 			description: "Ensure user context returns when authorized",
 			middlewares: []gin.HandlerFunc{
 				func(c *gin.Context) {
-					c.Set("context", &config.UserContext{
-						Username:   "johndoe",
-						Name:       "John Doe",
-						Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
-						Provider:   "local",
-						IsLoggedIn: true,
+					c.Set("context", &model.UserContext{
+						Authenticated: true,
+						Provider:      model.ProviderLocal,
+						Local: &model.LocalContext{
+							BaseContext: model.BaseContext{
+								Username: "johndoe",
+								Name:     "John Doe",
+								Email:    utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+							},
+						},
 					})
 				},
 			},
@@ -96,11 +89,11 @@ func TestContextController(t *testing.T) {
 					IsLoggedIn: true,
 					Username:   "johndoe",
 					Name:       "John Doe",
-					Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
+					Email:      utils.CompileUserEmail("johndoe", runtime.CookieDomain),
 					Provider:   "local",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -117,13 +110,12 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			contextController := controller.NewContextController(controllerConfig, group)
-			contextController.SetupRoutes()
+			controller.NewContextController(log, cfg, runtime, group)

 			recorder := httptest.NewRecorder()

 			request, err := http.NewRequest("GET", test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)

 			router.ServeHTTP(recorder, request)

@@ -0,0 +1,12 @@
+package controller
+
+type UnauthorizedQuery struct {
+	Username string `url:"username"`
+	Resource string `url:"resource"`
+	GroupErr bool   `url:"groupErr"`
+	IP       string `url:"ip"`
+}
+
+type RedirectQuery struct {
+	RedirectURI string `url:"redirect_uri"`
+}
@@ -3,18 +3,15 @@ package controller
 import "github.com/gin-gonic/gin"

 type HealthController struct {
-	router *gin.RouterGroup
 }

 func NewHealthController(router *gin.RouterGroup) *HealthController {
-	return &HealthController{
-		router: router,
-	}
-}
+	controller := &HealthController{}

-func (controller *HealthController) SetupRoutes() {
-	controller.router.GET("/healthz", controller.healthHandler)
-	controller.router.HEAD("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
+
+	return controller
 }

 func (controller *HealthController) healthHandler(c *gin.Context) {
@@ -7,13 +7,12 @@ import (
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 )

 func TestHealthController(t *testing.T) {
-	tlog.NewTestLogger().Init()
 	tests := []struct {
 		description string
 		path        string
@@ -30,7 +29,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -44,7 +43,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -56,13 +55,12 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			healthController := controller.NewHealthController(group)
-			healthController.SetupRoutes()
+			controller.NewHealthController(group)

 			recorder := httptest.NewRecorder()

 			request, err := http.NewRequest(test.method, test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)

 			router.ServeHTTP(recorder, request)

@@ -6,11 +6,11 @@ import (
 	"strings"
 	"time"

-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -20,33 +20,32 @@ type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }

-type OAuthControllerConfig struct {
-	CSRFCookieName         string
-	OAuthSessionCookieName string
-	RedirectCookieName     string
-	SecureCookie           bool
-	AppURL                 string
-	CookieDomain           string
-}
-
 type OAuthController struct {
-	config OAuthControllerConfig
-	router *gin.RouterGroup
-	auth   *service.AuthService
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
+	auth    *service.AuthService
 }

-func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *OAuthController {
-	return &OAuthController{
-		config: config,
-		router: router,
-		auth:   auth,
+func NewOAuthController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *OAuthController {
+	controller := &OAuthController{
+		log:     log,
+		config:  config,
+		runtime: runtimeConfig,
+		auth:    auth,
 	}
-}

-func (controller *OAuthController) SetupRoutes() {
-	oauthGroup := controller.router.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
+
+	return controller
 }

 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
@@ -54,7 +53,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {

 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -67,7 +66,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err = c.BindQuery(&reqParams)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
+		controller.log.App.Error().Err(err).Msg("Failed to bind query parameters")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -76,10 +75,10 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}

 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)

 		if !isRedirectSafe {
-			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
+			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
@@ -87,7 +86,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
+		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -98,7 +97,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	authUrl, err := controller.auth.GetOAuthURL(sessionId)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth URL")
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth URL for session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -106,7 +105,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)

 	c.JSON(200, gin.H{
 		"status":  200,
@@ -120,7 +119,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -128,21 +127,21 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	sessionIdCookie, err := c.Cookie(controller.config.OAuthSessionCookieName)
+	sessionIdCookie, err := c.Cookie(controller.runtime.OAuthSessionCookieName)

 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("OAuth session cookie missing")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

-	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)

 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get pending OAuth session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

@@ -150,8 +149,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	state := c.Query("state")
 	if state != oauthPendingSession.State {
-		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth state mismatch")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

@@ -159,68 +158,80 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to exchange code for token")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to exchange code for token")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

 	user, err := controller.auth.GetOAuthUserinfo(sessionIdCookie)

+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if user == nil {
+		controller.log.App.Warn().Msg("OAuth provider did not return user info")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
 	if user.Email == "" {
-		tlog.App.Error().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth provider did not return an email")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
-		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
+		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
+		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")

-		queries, err := query.Values(config.UnauthorizedQuery{
+		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
 		})

 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}

-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}

 	var name string

 	if strings.TrimSpace(user.Name) != "" {
-		tlog.App.Debug().Msg("Using name from OAuth provider")
+		controller.log.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
+		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}

 	var username string

 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
+		controller.log.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
+		controller.log.App.Debug().Msg("No preferred username from OAuth provider, generating from email")
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}

 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

 	if svc.ID() != req.Provider {
-		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

@@ -234,46 +245,48 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		OAuthSub:    user.Sub,
 	}

-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+	controller.log.App.Debug().Msg("Creating session cookie for user")

-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}

-	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.AuditLoginSuccess(sessionCookie.Username, sessionCookie.Provider, c.ClientIP())

 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
+		controller.log.App.Debug().Msg("OIDC request detected, redirecting to authorization endpoint with callback params")
 		queries, err := query.Values(oauthPendingSession.CallbackParams)
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}

 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
-		queries, err := query.Values(config.RedirectQuery{
+		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 		})

 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}

-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}

-	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
+	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }

 func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
@@ -282,3 +295,10 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
+
+func (controller *OAuthController) getCookieDomain() string {
+	if controller.config.Auth.SubdomainsEnabled {
+		return "." + controller.runtime.CookieDomain
+	}
+	return controller.runtime.CookieDomain
+}
@@ -10,17 +10,16 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"

+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

-type OIDCControllerConfig struct{}
-
 type OIDCController struct {
-	config OIDCControllerConfig
-	router *gin.RouterGroup
-	oidc   *service.OIDCService
+	log     *logger.Logger
+	oidc    *service.OIDCService
+	runtime model.RuntimeConfig
 }

 type AuthorizeCallback struct {
@@ -57,29 +56,42 @@ type ClientCredentials struct {
 	ClientSecret string
 }

-func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
-	return &OIDCController{
-		config: config,
-		oidc:   oidcService,
-		router: router,
+func NewOIDCController(
+	log *logger.Logger,
+	oidcService *service.OIDCService,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup) *OIDCController {
+	controller := &OIDCController{
+		log:     log,
+		oidc:    oidcService,
+		runtime: runtimeConfig,
 	}
-}

-func (controller *OIDCController) SetupRoutes() {
-	oidcGroup := controller.router.Group("/oidc")
+	oidcGroup := router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
+
+	return controller
 }

 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC not configured",
+		})
+		return
+	}
+
 	var req ClientRequest

 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -90,7 +102,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)

 	if !ok {
-		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
@@ -106,19 +118,19 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }

 func (controller *OIDCController) Authorize(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
+	if controller.oidc == nil {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}

-	userContext, err := utils.GetContext(c)
+	userContext, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
 		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
 		return
 	}

-	if !userContext.IsLoggedIn {
+	if !userContext.Authenticated {
 		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
 		return
 	}
@@ -141,7 +153,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	err = controller.oidc.ValidateAuthorizeParams(req)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
+		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
@@ -151,7 +163,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	}

 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
-	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
+	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
 	code := utils.GenerateString(32)

 	// Before storing the code, delete old session
@@ -170,10 +182,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {

 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
-		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
+		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)

 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
+			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
@@ -196,10 +208,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }

 func (controller *OIDCController) Token(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -208,7 +220,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	err := c.Bind(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind token request")
+		controller.log.App.Warn().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
@@ -217,7 +229,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
-		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
+		controller.log.App.Warn().Err(err).Msg("Invalid grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
@@ -232,12 +244,12 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
-		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
+		controller.log.App.Debug().Msg("Client credentials not found in form, trying basic auth")

 		clientId, clientSecret, ok := c.Request.BasicAuth()

 		if !ok {
-			tlog.App.Error().Msg("Missing authorization header")
+			controller.log.App.Warn().Msg("Client credentials not found in basic auth")
 			c.Header("www-authenticate", `Basic realm="Tinyauth OIDC Token Endpoint"`)
 			c.JSON(400, gin.H{
 				"error": "invalid_client",
@@ -254,7 +266,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(creds.ClientID)

 	if !ok {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -262,7 +274,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	}

 	if client.ClientSecret != creds.ClientSecret {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -276,30 +288,30 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
+				controller.log.App.Error().Err(err).Msg("Failed to delete code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
-				tlog.App.Warn().Msg("Code not found")
+				controller.log.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
-				tlog.App.Warn().Msg("Code expired")
+				controller.log.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Warn().Msg("Invalid client ID")
+				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
-			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
+			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -307,7 +319,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		}

 		if entry.RedirectURI != req.RedirectURI {
-			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
+			controller.log.App.Warn().Msg("Redirect URI does not match")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -317,7 +329,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)

 		if !ok {
-			tlog.App.Warn().Msg("PKCE validation failed")
+			controller.log.App.Warn().Msg("PKCE validation failed")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -327,7 +339,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)

 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to generate access token")
+			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -340,7 +352,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
-				tlog.App.Error().Err(err).Msg("Refresh token expired")
+				controller.log.App.Warn().Msg("Refresh token expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
@@ -348,14 +360,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			}

 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Error().Err(err).Msg("Invalid client")
+				controller.log.App.Warn().Msg("Refresh token does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}

-			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
+			controller.log.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -372,10 +384,10 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }

 func (controller *OIDCController) Userinfo(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -386,7 +398,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if authorization != "" {
 		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
 		if !ok {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid authorization header")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -394,7 +406,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}

 		if strings.ToLower(tokenType) != "bearer" {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with non-bearer token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -404,7 +416,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		token = bearerToken
 	} else if c.Request.Method == http.MethodPost {
 		if c.ContentType() != "application/x-www-form-urlencoded" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
 			c.JSON(400, gin.H{
 				"error": "invalid_request",
 			})
@@ -412,14 +424,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 		token = c.PostForm("access_token")
 		if token == "" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed without access_token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
 			return
 		}
 	} else {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed without authorization header or POST body")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
@@ -429,15 +441,15 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))

 	if err != nil {
-		if err == service.ErrTokenNotFound {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
+		if errors.Is(err, service.ErrTokenNotFound) {
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}

-		tlog.App.Err(err).Msg("Failed to get token entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get access token")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -446,7 +458,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {

 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
@@ -456,7 +468,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)

 	if err != nil {
-		tlog.App.Err(err).Msg("Failed to get user entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get user info")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -467,7 +479,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 }

 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
-	tlog.App.Error().Err(err).Msg(reason)
+	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")

 	if callback != "" {
 		errorQueries := CallbackError{
@@ -507,8 +519,16 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		return
 	}

+	redirectUrl := ""
+
+	if controller.oidc != nil {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode())
+	} else {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
+		"redirect_uri": redirectUrl,
 	})
 }
@@ -1,55 +1,46 @@
 package controller_test

 import (
+	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"net/http/httptest"
 	"net/url"
-	"path"
 	"strings"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestOIDCController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()

-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]config.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
-
-	controllerCfg := controller.OIDCControllerConfig{}
+	cfg, runtime := test.CreateTestConfigs(t)

 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
-			Username:   "test",
-			Name:       "Test User",
-			Email:      "test@example.com",
-			IsLoggedIn: true,
-			Provider:   "local",
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "test",
+					Name:     "Test User",
+					Email:    "test@example.com",
+				},
+			},
 		})
 		c.Next()
 	}
@@ -99,7 +90,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
 			},
@@ -119,7 +110,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -127,7 +118,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
 			},
@@ -147,7 +138,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -156,11 +147,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -179,7 +170,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -187,7 +178,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Equal(t, res["error"], "unsupported_grant_type")
 			},
@@ -202,7 +193,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -240,7 +231,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -263,11 +254,11 @@ func TestOIDCController(t *testing.T) {

 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -279,7 +270,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -302,7 +293,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				_, ok := tokenRes["refresh_token"]
 				assert.True(t, ok, "Expected refresh token in response")
@@ -316,7 +307,7 @@ func TestOIDCController(t *testing.T) {
 					ClientSecret: "some-client-secret",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -328,7 +319,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 				var refreshRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				_, ok = refreshRes["access_token"]
 				assert.True(t, ok, "Expected access token in refresh response")
@@ -349,11 +340,11 @@ func TestOIDCController(t *testing.T) {

 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -365,7 +356,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -385,7 +376,7 @@ func TestOIDCController(t *testing.T) {

 				var secondRes map[string]any
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
@@ -413,7 +404,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -425,7 +416,7 @@ func TestOIDCController(t *testing.T) {

 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -445,7 +436,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -460,7 +451,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -475,7 +466,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -490,7 +481,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
@@ -505,7 +496,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -520,7 +511,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -537,7 +528,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -551,7 +542,7 @@ func TestOIDCController(t *testing.T) {

 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -575,7 +566,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -584,11 +575,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -605,7 +596,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -636,7 +627,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -645,11 +636,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -666,7 +657,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -697,7 +688,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -706,11 +697,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -727,7 +718,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge-1",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -758,7 +749,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "foo",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -767,11 +758,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				error := queryParams.Get("error")
@@ -790,11 +781,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -806,7 +797,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -817,7 +808,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)

 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				accessToken := res["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -842,20 +833,22 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 401, recorder.Code)

 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
 	}

-	app := bootstrap.NewBootstrapApp(config.Config{})
+	app := bootstrap.NewBootstrapApp(cfg)

-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)

-	queries := repository.New(db)
-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	queries := repository.New(app.GetDB())
+
+	wg := &sync.WaitGroup{}
+
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, context.TODO(), wg)
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -869,8 +862,7 @@ func TestOIDCController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
-			oidcController.SetupRoutes()
+			controller.NewOIDCController(log, oidcService, runtime, group)

 			recorder := httptest.NewRecorder()

@@ -879,7 +871,6 @@ func TestOIDCController(t *testing.T) {
 	}

 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }
@@ -8,10 +8,10 @@ import (
 	"regexp"
 	"strings"

-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -50,29 +50,31 @@ type ProxyContext struct {
 	ProxyType ProxyType
 }

-type ProxyControllerConfig struct {
-	AppURL string
-}
-
 type ProxyController struct {
-	config ProxyControllerConfig
-	router *gin.RouterGroup
-	acls   *service.AccessControlsService
-	auth   *service.AuthService
+	log     *logger.Logger
+	runtime model.RuntimeConfig
+	acls    *service.AccessControlsService
+	auth    *service.AuthService
 }

-func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
-	return &ProxyController{
-		config: config,
-		router: router,
-		acls:   acls,
-		auth:   auth,
+func NewProxyController(
+	log *logger.Logger,
+	runtime model.RuntimeConfig,
+	router *gin.RouterGroup,
+	acls *service.AccessControlsService,
+	auth *service.AuthService,
+) *ProxyController {
+	controller := &ProxyController{
+		log:     log,
+		runtime: runtime,
+		acls:    acls,
+		auth:    auth,
 	}
-}

-func (controller *ProxyController) SetupRoutes() {
-	proxyGroup := controller.router.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
+
+	return controller
 }

 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -80,7 +82,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proxyCtx, err := controller.getProxyContext(c)

 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
+		controller.log.App.Error().Err(err).Msg("Failed to get proxy context from request")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad request",
@@ -88,22 +90,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
-
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to get ACLs for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}

-	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
-
 	clientIP := c.ClientIP()

-	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
+	if controller.auth.IsBypassedIP(clientIP, acls) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -112,16 +110,16 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}

 	if !authEnabled {
-		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
+		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -130,19 +128,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		queries, err := query.Values(config.UnauthorizedQuery{
+	if !controller.auth.CheckIP(clientIP, acls) {
+		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})

 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			controller.handleError(c, proxyCtx)
 			return
 		}

-		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())

 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
@@ -157,44 +155,38 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	var userContext config.UserContext
-
-	context, err := utils.GetContext(c)
+	userContext, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		tlog.App.Debug().Msg("No user context found in request, treating as not logged in")
-		userContext = config.UserContext{
-			IsLoggedIn: false,
+		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		userContext = &model.UserContext{
+			Authenticated: false,
 		}
-	} else {
-		userContext = context
 	}

-	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
-
-	if userContext.IsLoggedIn {
-		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
+	if userContext.Authenticated {
+		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)

 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")

-			queries, err := query.Values(config.UnauthorizedQuery{
+			queries, err := query.Values(UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})

 			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+				controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 				controller.handleError(c, proxyCtx)
 				return
 			}

-			if userContext.OAuth {
-				queries.Set("username", userContext.Email)
+			if userContext.IsOAuth() {
+				queries.Set("username", userContext.GetEmail())
 			} else {
-				queries.Set("username", userContext.Username)
+				queries.Set("username", userContext.GetUsername())
 			}

-			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())

 			if !controller.useBrowserResponse(proxyCtx) {
 				c.Header("x-tinyauth-location", redirectURL)
@@ -209,36 +201,36 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}

-		if userContext.OAuth || userContext.Provider == "ldap" {
+		if userContext.IsOAuth() || userContext.IsLDAP() {
 			var groupOK bool

-			if userContext.OAuth {
-				groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+			if userContext.IsOAuth() {
+				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
 			} else {
-				groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
+				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
 			}

 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not in the required group to access resource")

-				queries, err := query.Values(config.UnauthorizedQuery{
+				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
 				})

 				if err != nil {
-					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+					controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 					controller.handleError(c, proxyCtx)
 					return
 				}

-				if userContext.OAuth {
-					queries.Set("username", userContext.Email)
+				if userContext.IsOAuth() {
+					queries.Set("username", userContext.GetEmail())
 				} else {
-					queries.Set("username", userContext.Username)
+					queries.Set("username", userContext.GetUsername())
 				}

-				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())

 				if !controller.useBrowserResponse(proxyCtx) {
 					c.Header("x-tinyauth-location", redirectURL)
@@ -254,17 +246,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 		}

-		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
-		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
-		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.GetUsername()))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.GetName()))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.GetEmail()))

-		if userContext.Provider == "ldap" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
-		} else if userContext.Provider != "local" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		if userContext.IsLDAP() {
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.LDAP.Groups, ",")))
 		}

-		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
+		if userContext.IsOAuth() {
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.OAuth.Groups, ",")))
+			c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuth.Sub))
+		}

 		controller.setHeaders(c, acls)

@@ -275,17 +268,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	queries, err := query.Values(config.RedirectQuery{
+	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 	})

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+		controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
 		controller.handleError(c, proxyCtx)
 		return
 	}

-	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.runtime.AppURL, queries.Encode())

 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -299,26 +292,29 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }

-func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	c.Header("Authorization", c.Request.Header.Get("Authorization"))

+	if acls == nil {
+		return
+	}
+
 	headers := utils.ParseHeaders(acls.Response.Headers)

 	for key, value := range headers {
-		tlog.App.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}

 	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)

 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
-		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
-		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
+		controller.log.App.Debug().Msg("Setting basic auth header for response")
+		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }

 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
-	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)
+	redirectURL := fmt.Sprintf("%s/error", controller.runtime.AppURL)

 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -519,7 +515,7 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}

-	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
+	controller.log.App.Debug().Msgf("Determined proxy type: %v", proxy)

 	authModules := controller.determineAuthModules(proxy)

@@ -530,13 +526,13 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	var ctx ProxyContext

 	for _, module := range authModules {
-		tlog.App.Debug().Msgf("Trying auth module: %v", module)
+		controller.log.App.Debug().Msgf("Trying to get context from auth module %v", module)
 		ctx, err = controller.getContextFromAuthModule(c, module)
 		if err == nil {
-			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
+			controller.log.App.Debug().Msgf("Successfully got context from auth module %v", module)
 			break
 		}
-		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
+		controller.log.App.Debug().Msgf("Failed to get context from auth module %v: %v", module, err)
 	}

 	if err != nil {
@@ -548,9 +544,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)

 	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as coming from a browser")
+		controller.log.App.Debug().Msg("Request identified as coming from a browser client")
 	} else {
-		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
+		controller.log.App.Debug().Msg("Request identified as coming from a non-browser client")
 	}

 	ctx.IsBrowser = isBrowser
@@ -1,70 +1,51 @@
 package controller_test

 import (
+	"context"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestProxyController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()

-	authServiceCfg := service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}
+	cfg, runtime := test.CreateTestConfigs(t)

-	controllerCfg := controller.ProxyControllerConfig{
-		AppURL: "https://tinyauth.example.com",
-	}
-
-	acls := map[string]config.App{
+	acls := map[string]model.App{
 		"app_path_allow": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "path-allow.example.com",
 			},
-			Path: config.AppPath{
+			Path: model.AppPath{
 				Allow: "/allowed",
 			},
 		},
 		"app_user_allow": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "user-allow.example.com",
 			},
-			Users: config.AppUsers{
+			Users: model.AppUsers{
 				Allow: "testuser",
 			},
 		},
 		"ip_bypass": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "ip-bypass.example.com",
 			},
-			IP: config.AppIP{
+			IP: model.AppIP{
 				Bypass: []string{"10.10.10.10"},
 			},
 		},
@@ -74,24 +55,31 @@ func TestProxyController(t *testing.T) {
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`

 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
-			Username:   "testuser",
-			Name:       "Testuser",
-			Email:      "testuser@example.com",
-			IsLoggedIn: true,
-			Provider:   "local",
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "testuser",
+					Name:     "Testuser",
+					Email:    "testuser@example.com",
+				},
+			},
 		})
 		c.Next()
 	}

 	simpleCtxTotp := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			IsLoggedIn:  true,
-			Provider:    "local",
-			TotpEnabled: true,
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "totpuser",
+					Name:     "Totpuser",
+					Email:    "totpuser@example.com",
+				},
+			},
 		})
 		c.Next()
 	}
@@ -391,32 +379,19 @@ func TestProxyController(t *testing.T) {
 		},
 	}

-	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
+	app := bootstrap.NewBootstrapApp(cfg)

-	app := bootstrap.NewBootstrapApp(config.Config{})
-
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)

-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())

-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
+	wg := &sync.WaitGroup{}
+	ctx := context.TODO()

-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
-
-	aclsService := service.NewAccessControlsService(docker, acls)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
+	aclsService := service.NewAccessControlsService(log, nil, acls)

 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -431,15 +406,13 @@ func TestProxyController(t *testing.T) {

 			recorder := httptest.NewRecorder()

-			proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
-			proxyController.SetupRoutes()
+			controller.NewProxyController(log, runtime, group, aclsService, authService)

 			test.run(t, router, recorder)
 		})
 	}

 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }
@@ -4,42 +4,39 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )

-type ResourcesControllerConfig struct {
-	Path    string
-	Enabled bool
-}
-
 type ResourcesController struct {
-	config     ResourcesControllerConfig
-	router     *gin.RouterGroup
+	config     model.Config
 	fileServer http.Handler
 }

-func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
+func NewResourcesController(
+	config model.Config,
+	router *gin.RouterGroup,
+) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))

-	return &ResourcesController{
+	controller := &ResourcesController{
 		config:     config,
-		router:     router,
 		fileServer: fileServer,
 	}
-}

-func (controller *ResourcesController) SetupRoutes() {
-	controller.router.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
+
+	return controller
 }

 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.Path == "" {
+	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	if !controller.config.Enabled {
+	if !controller.config.Resources.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",
@@ -3,26 +3,20 @@ package controller_test
 import (
 	"net/http/httptest"
 	"os"
-	"path"
+	"path/filepath"
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/test"
 )

 func TestResourcesController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	cfg, _ := test.CreateTestConfigs(t)

-	resourcesControllerCfg := controller.ResourcesControllerConfig{
-		Path:    path.Join(tempDir, "resources"),
-		Enabled: true,
-	}
-
-	err := os.Mkdir(resourcesControllerCfg.Path, 0777)
+	err := os.MkdirAll(cfg.Resources.Path, 0777)
 	require.NoError(t, err)

 	type testCase struct {
@@ -61,11 +55,11 @@ func TestResourcesController(t *testing.T) {
 		},
 	}

-	testFilePath := resourcesControllerCfg.Path + "/testfile.txt"
+	testFilePath := cfg.Resources.Path + "/testfile.txt"
 	err = os.WriteFile(testFilePath, []byte("This is a test file."), 0777)
 	require.NoError(t, err)

-	testFilePathParent := tempDir + "/somefile.txt"
+	testFilePathParent := filepath.Dir(cfg.Resources.Path) + "/somefile.txt"
 	err = os.WriteFile(testFilePathParent, []byte("This file should not be accessible."), 0777)
 	require.NoError(t, err)

@@ -75,8 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)

-			resourcesController := controller.NewResourcesController(resourcesControllerCfg, group)
-			resourcesController.SetupRoutes()
+			controller.NewResourcesController(cfg, group)

 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)
@@ -1,14 +1,16 @@
 package controller

 import (
+	"errors"
 	"fmt"
+	"net/http"
 	"time"

-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"

 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -23,30 +25,31 @@ type TotpRequest struct {
 	Code string `json:"code"`
 }

-type UserControllerConfig struct {
-	CookieDomain string
-}
-
 type UserController struct {
-	config UserControllerConfig
-	router *gin.RouterGroup
-	auth   *service.AuthService
+	log     *logger.Logger
+	runtime model.RuntimeConfig
+	auth    *service.AuthService
 }

-func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
-	return &UserController{
-		config: config,
-		router: router,
-		auth:   auth,
+func NewUserController(
+	log *logger.Logger,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *UserController {
+	controller := &UserController{
+		log:     log,
+		runtime: runtimeConfig,
+		auth:    auth,
 	}
-}

-func (controller *UserController) SetupRoutes() {
-	userGroup := controller.router.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
 	userGroup.POST("/tailscale", controller.tailscaleHandler)
+
+	return controller
 }

 func (controller *UserController) loginHandler(c *gin.Context) {
@@ -54,7 +57,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -62,13 +65,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}

-	tlog.App.Debug().Str("username", req.Username).Msg("Login attempt")
+	controller.log.App.Debug().Str("username", req.Username).Msg("Login attempt")

 	isLocked, remaining := controller.auth.IsAccountLocked(req.Username)

 	if isLocked {
-		tlog.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
-		tlog.AuditLoginFailure(c, req.Username, "username", "account locked")
+		controller.log.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
+		controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -78,12 +81,35 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}

-	userSearch := controller.auth.SearchUser(req.Username)
+	search, err := controller.auth.SearchUser(req.Username)

-	if userSearch.Type == "unknown" {
-		tlog.App.Warn().Str("username", req.Username).Msg("User not found")
+	if err != nil {
+		if errors.Is(err, service.ErrUserNotFound) {
+			controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
+			controller.auth.RecordLoginAttempt(req.Username, false)
+			controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user during login attempt")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
+		controller.log.App.Warn().Str("username", req.Username).Msg("Invalid password during login attempt")
 		controller.auth.RecordLoginAttempt(req.Username, false)
-		tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
+		if search.Type == model.UserLocal {
+			controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "invalid password")
+		} else {
+			controller.log.AuditLoginFailure(req.Username, "ldap", c.ClientIP(), "invalid password")
+		}
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -91,46 +117,35 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}

-	if !controller.auth.VerifyUser(userSearch, req.Password) {
-		tlog.App.Warn().Str("username", req.Username).Msg("Invalid password")
-		controller.auth.RecordLoginAttempt(req.Username, false)
-		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
+	var localUser *model.LocalUser

-	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
-	tlog.AuditLoginSuccess(c, req.Username, "username")
+	if search.Type == model.UserLocal {
+		localUser = controller.auth.GetLocalUser(req.Username)

-	controller.auth.RecordLoginAttempt(req.Username, true)
+		if localUser == nil {
+			controller.log.App.Error().Str("username", req.Username).Msg("Local user not found after successful password verification")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}

-	var localUser *config.User
-	if userSearch.Type == "local" {
-		user := controller.auth.GetLocalUser(userSearch.Username)
-		localUser = &user
-	}
+		if localUser.TOTPSecret != "" {
+			controller.log.App.Debug().Str("username", req.Username).Msg("TOTP required for user, creating pending TOTP session")

-	if userSearch.Type == "local" && localUser != nil {
-		user := *localUser
-
-		if user.TotpSecret != "" {
-			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
-
-			name := user.Attributes.Name
+			name := localUser.Attributes.Name
 			if name == "" {
-				name = utils.Capitalize(user.Username)
+				name = utils.Capitalize(localUser.Username)
 			}

-			email := user.Attributes.Email
+			email := localUser.Attributes.Email
 			if email == "" {
-				email = utils.CompileUserEmail(user.Username, controller.config.CookieDomain)
+				email = utils.CompileUserEmail(localUser.Username, controller.runtime.CookieDomain)
 			}

-			err := controller.auth.CreateSessionCookie(c, &repository.Session{
-				Username:    user.Username,
+			cookie, err := controller.auth.CreateSession(c, repository.Session{
+				Username:    localUser.Username,
 				Name:        name,
 				Email:       email,
 				Provider:    "local",
@@ -138,7 +153,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			})

 			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
 				c.JSON(500, gin.H{
 					"status":  500,
 					"message": "Internal Server Error",
@@ -146,6 +161,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				return
 			}

+			http.SetCookie(c.Writer, cookie)
+
 			c.JSON(200, gin.H{
 				"status":      200,
 				"message":     "TOTP required",
@@ -158,11 +175,11 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}

-	if userSearch.Type == "local" && localUser != nil {
+	if search.Type == model.UserLocal {
 		if localUser.Attributes.Name != "" {
 			sessionCookie.Name = localUser.Attributes.Name
 		}
@@ -171,16 +188,14 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}

-	if userSearch.Type == "ldap" {
+	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
 	}

-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -188,6 +203,18 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}

+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", req.Username).Msg("Login successful")
+
+	if search.Type == model.UserLocal {
+		controller.log.AuditLoginSuccess(req.Username, "local", c.ClientIP())
+	} else {
+		controller.log.AuditLoginSuccess(req.Username, "ldap", c.ClientIP())
+	}
+
+	controller.auth.RecordLoginAttempt(req.Username, true)
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -195,15 +222,49 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 }

 func (controller *UserController) logoutHandler(c *gin.Context) {
-	tlog.App.Debug().Msg("Logout request received")
+	controller.log.App.Debug().Msg("Logout attempt")

-	controller.auth.DeleteSessionCookie(c)
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)

-	context, err := utils.GetContext(c)
-	if err == nil && context.IsLoggedIn {
-		tlog.AuditLogout(c, context.Username, context.Provider)
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			controller.log.App.Warn().Msg("Logout attempt without session cookie, treating as successful logout")
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Logout successful",
+			})
+			return
+		}
+		controller.log.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
 	}

+	cookie, err := controller.auth.DeleteSession(c, uuid)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err == nil {
+		controller.log.AuditLogout(context.GetUsername(), context.GetProviderID(), c.ClientIP())
+	} else {
+		controller.log.App.Warn().Err(err).Msg("Failed to get user context during logout, logging audit with unknown user")
+		controller.log.AuditLogout("unknown", "unknown", c.ClientIP())
+	}
+
+	http.SetCookie(c.Writer, cookie)
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Logout successful",
@@ -215,7 +276,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {

 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON for TOTP verification")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -223,10 +284,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	context, err := utils.GetContext(c)
+	context, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get user context")
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -234,8 +295,8 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	if !context.TotpPending {
-		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
+	if !context.TOTPPending() {
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("TOTP verification attempt without pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -243,12 +304,13 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	tlog.App.Debug().Str("username", context.Username).Msg("TOTP verification attempt")
+	controller.log.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")

-	isLocked, remaining := controller.auth.IsAccountLocked(context.Username)
+	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())

 	if isLocked {
-		tlog.App.Warn().Str("username", context.Username).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -258,14 +320,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	user := controller.auth.GetLocalUser(context.Username)
+	user := controller.auth.GetLocalUser(context.GetUsername())

-	ok := totp.Validate(req.Code, user.TotpSecret)
-
-	if !ok {
-		tlog.App.Warn().Str("username", context.Username).Msg("Invalid TOTP code")
-		controller.auth.RecordLoginAttempt(context.Username, false)
-		tlog.AuditLoginFailure(c, context.Username, "totp", "invalid totp code")
+	if user == nil {
+		controller.log.App.Error().Str("username", context.GetUsername()).Msg("Local user not found during TOTP verification")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -273,15 +331,36 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	tlog.App.Info().Str("username", context.Username).Msg("TOTP verification successful")
-	tlog.AuditLoginSuccess(c, context.Username, "totp")
+	ok := totp.Validate(req.Code, user.TOTPSecret)

-	controller.auth.RecordLoginAttempt(context.Username, true)
+	if !ok {
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code during verification attempt")
+		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "invalid TOTP code")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+
+	if err == nil {
+		_, err = controller.auth.DeleteSession(c, uuid)
+		if err != nil {
+			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
+		}
+	} else {
+		controller.log.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, cannot delete it")
+	}
+
+	controller.auth.RecordLoginAttempt(context.GetUsername(), true)

 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}

@@ -292,12 +371,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}

-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -305,6 +382,11 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful, login complete")
+	controller.log.AuditLoginSuccess(context.GetUsername(), "local", c.ClientIP())
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -1,69 +1,85 @@
 package controller_test

 import (
+	"context"
 	"encoding/json"
+	"net/http"
 	"net/http/httptest"
-	"path"
 	"strings"
+	"sync"
 	"testing"
 	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestUserController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()

-	authServiceCfg := service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-			{
-				Username: "attruser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				Attributes: config.UserAttributes{
-					Name:  "Alice Smith",
-					Email: "alice@example.com",
+	cfg, runtime := test.CreateTestConfigs(t)
+
+	totpCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: false,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "totpuser",
+					Name:     "Totpuser",
+					Email:    "totpuser@example.com",
 				},
+				TOTPPending: true,
 			},
-			{
-				Username:   "attrtotpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-				Attributes: config.UserAttributes{
-					Name:  "Bob Jones",
-					Email: "bob@example.com",
-				},
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
+		})
 	}

-	userControllerCfg := controller.UserControllerConfig{
-		CookieDomain: "example.com",
+	totpAttrCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: false,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "attrtotpuser",
+					Name:     "Bob Jones",
+					Email:    "bob@example.com",
+				},
+				TOTPPending: true,
+			},
+		})
 	}

+	simpleCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "testuser",
+					Name:     "Test User",
+					Email:    "testuser@example.com",
+				},
+			},
+		})
+	}
+
+	app := bootstrap.NewBootstrapApp(cfg)
+
+	err := app.SetupDatabase()
+	require.NoError(t, err)
+
+	queries := repository.New(app.GetDB())
+
 	type testCase struct {
 		description string
 		middlewares []gin.HandlerFunc
@@ -80,7 +96,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -88,13 +104,15 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)

 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				assert.Equal(t, 10, cookie.MaxAge)
+				// 3 seconds should be more than enough for even slow test environments
+				assert.GreaterOrEqual(t, cookie.MaxAge, 7)
+				assert.LessOrEqual(t, cookie.MaxAge, 10)
 			},
 		},
 		{
@@ -106,7 +124,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -127,7 +145,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				for range 3 {
 					recorder := httptest.NewRecorder()
@@ -162,7 +180,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -173,22 +191,25 @@ func TestUserController(t *testing.T) {

 				decodedBody := make(map[string]any)
 				err = json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				assert.Equal(t, decodedBody["totpPending"], true)

 				// should set the session cookie
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				assert.Equal(t, 3600, cookie.MaxAge) // 1 hour, default for totp pending sessions
+				assert.GreaterOrEqual(t, cookie.MaxAge, 3597)
+				assert.LessOrEqual(t, cookie.MaxAge, 3600)
 			},
 		},
 		{
 			description: "Should be able to logout",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
 				loginReq := controller.LoginRequest{
@@ -196,7 +217,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -204,9 +225,10 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				cookies := recorder.Result().Cookies()
+				require.Len(t, cookies, 1)

-				cookie := recorder.Result().Cookies()[0]
+				cookie := cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)

 				// Now logout using the session cookie
@@ -217,48 +239,72 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				cookies = recorder.Result().Cookies()
+				require.Len(t, cookies, 1)

-				logoutCookie := recorder.Result().Cookies()[0]
-				assert.Equal(t, "tinyauth-session", logoutCookie.Name)
-				assert.Equal(t, "", logoutCookie.Value)
-				assert.Equal(t, -1, logoutCookie.MaxAge) // MaxAge -1 means delete cookie
+				cookie = cookies[0]
+				assert.Equal(t, "tinyauth-session", cookie.Name)
+				assert.Equal(t, "", cookie.Value)
+				assert.Equal(t, -1, cookie.MaxAge) // MaxAge -1 means delete cookie
 			},
 		},
 		{
 			description: "Should be able to login with totp",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
+					UUID:        "test-totp-login-uuid",
+					Username:    "test",
+					Email:       "test@example.com",
+					Name:        "Test",
+					Provider:    "local",
+					TotpPending: true,
+					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
+					CreatedAt:   time.Now().Unix(),
+				})
+				require.NoError(t, err)
+
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				totpReq := controller.TotpRequest{
 					Code: code,
 				}

 				totpReqBody, err := json.Marshal(totpReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)

 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
-
+				req.AddCookie(&http.Cookie{
+					Name:     "tinyauth-session",
+					Value:    "test-totp-login-uuid",
+					HttpOnly: true,
+					MaxAge:   3600,
+					Expires:  time.Now().Add(1 * time.Hour),
+				})
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)

 				// should set a new session cookie with totp pending removed
 				totpCookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", totpCookie.Name)
 				assert.True(t, totpCookie.HttpOnly)
 				assert.Equal(t, "example.com", totpCookie.Domain)
-				assert.Equal(t, 10, totpCookie.MaxAge) // should use the regular session expiry time
+				assert.GreaterOrEqual(t, totpCookie.MaxAge, 7)
+				assert.LessOrEqual(t, totpCookie.MaxAge, 10)
 			},
 		},
 		{
 			description: "Totp should rate limit on multiple invalid attempts",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
 					totpReq := controller.TotpRequest{
@@ -266,7 +312,7 @@ func TestUserController(t *testing.T) {
 					}

 					totpReqBody, err := json.Marshal(totpReq)
-					assert.NoError(t, err)
+					require.NoError(t, err)

 					recorder = httptest.NewRecorder()
 					req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
@@ -328,8 +374,22 @@ func TestUserController(t *testing.T) {
 		},
 		{
 			description: "TOTP completion uses name and email from user attributes",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpAttrCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
+					UUID:        "test-totp-login-attributes-uuid",
+					Username:    "test",
+					Email:       "test@example.com",
+					Name:        "Test",
+					Provider:    "local",
+					TotpPending: true,
+					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
+					CreatedAt:   time.Now().Unix(),
+				})
+				require.NoError(t, err)
+
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)

@@ -339,6 +399,13 @@ func TestUserController(t *testing.T) {

 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
+				req.AddCookie(&http.Cookie{
+					Name:     "tinyauth-session",
+					Value:    "test-totp-login-attributes-uuid",
+					HttpOnly: true,
+					MaxAge:   3600,
+					Expires:  time.Now().Add(1 * time.Hour),
+				})
 				router.ServeHTTP(recorder, req)

 				require.Equal(t, 200, recorder.Code)
@@ -349,63 +416,17 @@ func TestUserController(t *testing.T) {
 		},
 	}

-	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}

-	app := bootstrap.NewBootstrapApp(config.Config{})
-
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	require.NoError(t, err)
-
-	queries := repository.New(db)
-
-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
-
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)

 	beforeEach := func() {
 		// Clear failed login attempts before each test
 		authService.ClearRateLimitsTestingOnly()
 	}

-	setTotpMiddlewareOverrides := map[string]config.UserContext{
-		"Should be able to login with totp": {
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"Totp should rate limit on multiple invalid attempts": {
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"TOTP completion uses name and email from user attributes": {
-			Username:    "attrtotpuser",
-			Name:        "Bob Jones",
-			Email:       "bob@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-	}
-
 	for _, test := range tests {
 		beforeEach()
 		t.Run(test.description, func(t *testing.T) {
@@ -415,20 +436,10 @@ func TestUserController(t *testing.T) {
 				router.Use(middleware)
 			}

-			// Gin is stupid and doesn't allow setting a middleware after the groups
-			// so we need to do some stupid overrides here
-			if ctx, ok := setTotpMiddlewareOverrides[test.description]; ok {
-				ctx := ctx
-				router.Use(func(c *gin.Context) {
-					c.Set("context", &ctx)
-				})
-			}
-
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			userController := controller.NewUserController(userControllerCfg, group, authService)
-			userController.SetupRoutes()
+			controller.NewUserController(log, runtime, group, authService)

 			recorder := httptest.NewRecorder()

@@ -437,7 +448,6 @@ func TestUserController(t *testing.T) {
 	}

 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }
@@ -26,28 +26,30 @@ type OpenIDConnectConfiguration struct {
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }

-type WellKnownControllerConfig struct{}
-
 type WellKnownController struct {
-	config WellKnownControllerConfig
-	engine *gin.Engine
-	oidc   *service.OIDCService
+	oidc *service.OIDCService
 }

-func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
-	return &WellKnownController{
-		config: config,
-		oidc:   oidc,
-		engine: engine,
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
+	controller := &WellKnownController{
+		oidc: oidc,
 	}
-}

-func (controller *WellKnownController) SetupRoutes() {
-	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
+
+	return controller
 }

 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                                 issuer,
@@ -69,11 +71,19 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 }

 func (controller *WellKnownController) JWKS(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	jwks, err := controller.oidc.GetJWK()

 	if err != nil {
 		c.JSON(500, gin.H{
-			"status":  "500",
+			"status":  500,
 			"message": "failed to get JWK",
 		})
 		return
@@ -1,41 +1,29 @@
 package controller_test

 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestWellKnownController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()

-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]config.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
+	cfg, runtime := test.CreateTestConfigs(t)

 	type testCase struct {
 		description string
@@ -56,11 +44,11 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)

 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					Issuer:                                 runtime.AppURL,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", runtime.AppURL),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", runtime.AppURL),
 					ScopesSupported:                        service.SupportedScopes,
 					ResponseTypesSupported:                 service.SupportedResponseTypes,
 					GrantTypesSupported:                    service.SupportedGrantTypes,
@@ -101,15 +89,17 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}

-	app := bootstrap.NewBootstrapApp(config.Config{})
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}

-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	app := bootstrap.NewBootstrapApp(cfg)
+
+	err := app.SetupDatabase()
 	require.NoError(t, err)

-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())

-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, ctx, wg)
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -119,15 +109,13 @@ func TestWellKnownController(t *testing.T) {

 			recorder := httptest.NewRecorder()

-			wellKnownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, oidcService, router)
-			wellKnownController.SetupRoutes()
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)

 			test.run(t, router, recorder)
 		})
 	}

 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }