chore(deps): bump modernc.org/sqlite in the minor-patch group

Bumps the minor-patch group with 1 update: [modernc.org/sqlite](https://gitlab.com/cznic/sqlite).


Updates `modernc.org/sqlite` from 1.48.2 to 1.49.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.48.2...v1.49.1)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-version: 1.49.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/nightly.yml

@@ -19,7 +19,7 @@ jobs:
           REPO: ${{ github.event.repository.name }}
 
       - name: Create release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           prerelease: true
           tag_name: nightly
@@ -459,7 +459,7 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*
           tag_name: nightly

.github/workflows/release.yml

@@ -426,6 +426,6 @@ jobs:
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*

frontend/index.html

@@ -9,6 +9,10 @@
     <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
     <meta name="apple-mobile-web-app-title" content="Tinyauth" />
     <meta name="robots" content="nofollow, noindex" />
+    <meta
+      name="description"
+      content="The tiniest authentication and authorization server you have ever seen."
+    />
     <link rel="manifest" href="/site.webmanifest" />
     <title>Tinyauth</title>
   </head>

frontend/src/components/language/language.tsx

@@ -21,7 +21,7 @@ export const LanguageSelector = () => {
 
   return (
     <Select onValueChange={handleSelect} value={language}>
-      <SelectTrigger>
+      <SelectTrigger aria-label="Select language">
         <SelectValue placeholder="Select language" />
       </SelectTrigger>
       <SelectContent>

frontend/src/lib/hooks/oidc.ts

@@ -11,6 +11,33 @@ export const oidcParamsSchema = z.object({
   code_challenge_method: z.string().optional(),
 });
 
+function b64urlDecode(s: string): string {
+  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
+  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
+}
+
+function decodeRequestObject(jwt: string): Record<string, string> {
+  try {
+    // Must have exactly 3 parts: header, payload, signature
+    const parts = jwt.split(".");
+    if (parts.length !== 3) return {};
+
+    // Header must specify "alg": "none" and signature must be empty string
+    const header = JSON.parse(b64urlDecode(parts[0]));
+    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
+
+    const payload = JSON.parse(b64urlDecode(parts[1]));
+    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
+    const result: Record<string, string> = {};
+    for (const [k, v] of Object.entries(payload)) {
+      if (typeof v === "string") result[k] = v;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+
 export const useOIDCParams = (
   params: URLSearchParams,
 ): {
@@ -20,6 +47,15 @@ export const useOIDCParams = (
   compiled: string;
 } => {
   const obj = Object.fromEntries(params.entries());
+
+  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
+  // and merge claims over top-level params (JWT claims take precedence)
+  const requestJwt = params.get("request");
+  if (requestJwt) {
+    const claims = decodeRequestObject(requestJwt);
+    Object.assign(obj, claims);
+  }
+
   const parsed = oidcParamsSchema.safeParse(obj);
 
   if (parsed.success) {

frontend/src/lib/i18n/locales/af-ZA.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/ar-SA.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "تجاهل",

frontend/src/lib/i18n/locales/ca-ES.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/cs-CZ.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Toto pole je povinné",
     "invalidInput": "Neplatný údaj",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/da-DK.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/de-DE.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Dieses Feld ist notwendig",
     "invalidInput": "Ungültige Eingabe",
     "domainWarningTitle": "Ungültige Domain",
-    "domainWarningSubtitle": "Diese Instanz ist so konfiguriert, dass sie von <code>{{appUrl}}</code> aufgerufen werden kann, aber <code>{{currentUrl}}</code> wird verwendet. Wenn Sie fortfahren, können Probleme bei der Authentifizierung auftreten.",
+    "domainWarningSubtitle": "Sie greifen von einer falschen Domäne aus auf diese Instanz zu. Wenn Sie fortfahren, können Probleme mit der Authentifizierung auftreten.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignorieren",

frontend/src/lib/i18n/locales/es-ES.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Estás accediendo a esta instancia desde un dominio incorrecto. Si sigues, puedes encontrar problemas con la autenticación.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/fi-FI.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Tämä kenttä on pakollinen",
     "invalidInput": "Virheellinen syöte",
     "domainWarningTitle": "Virheellinen verkkotunnus",
-    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Jätä huomiotta",

frontend/src/lib/i18n/locales/he-IL.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/it-IT.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Questo campo è obbligatorio",
     "invalidInput": "Input non valido",
     "domainWarningTitle": "Dominio non valido",
-    "domainWarningSubtitle": "Questa istanza è configurata per essere accessibile da <code>{{appUrl}}</code>, ma la stai visitando da <code>{{currentUrl}}</code>. Se procedi, potresti incorrere in problemi di autenticazione.",
+    "domainWarningSubtitle": "Stai accedendo a questa istanza da un dominio errato. Scegliendo di procedere, potresti incontrare problemi con l'autenticazione.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignora",

frontend/src/lib/i18n/locales/ja-JP.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "不正なドメインからこのインスタンスにアクセスしています。続行すると、認証に問題が発生する可能性があります。",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/ko-KR.json

@@ -30,7 +30,7 @@
     "logoutSuccessTitle": "로그아웃 완료",
     "logoutSuccessSubtitle": "로그아웃되었습니다",
     "logoutTitle": "로그아웃",
-    "logoutUsernameSubtitle": "현재 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
+    "logoutUsernameSubtitle": "현재 <code>{{username}}</code>로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
     "logoutOauthSubtitle": "현재 {{provider}} OAuth 제공자를 통해 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
     "notFoundTitle": "페이지를 찾을 수 없습니다",
     "notFoundSubtitle": "찾으시는 페이지가 존재하지 않습니다.",

frontend/src/lib/i18n/locales/nl-NL.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Dit veld is verplicht",
     "invalidInput": "Ongeldige invoer",
     "domainWarningTitle": "Ongeldig domein",
-    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
+    "domainWarningSubtitle": "U benadert deze instantie vanuit een onjuist domein. Als u doorgaat, kunt u problemen ondervinden met authenticatie.",
     "domainWarningCurrent": "Huidig:",
     "domainWarningExpected": "Verwacht:",
     "ignoreTitle": "Negeren",

frontend/src/lib/i18n/locales/no-NO.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Du bruker denne forekomsten fra et feil domene. Dersom du fortsetter kan du få problemer med autentiseringen.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/pl-PL.json

@@ -57,7 +57,7 @@
     "fieldRequired": "To pole jest wymagane",
     "invalidInput": "Nieprawidłowe dane wejściowe",
     "domainWarningTitle": "Nieprawidłowa domena",
-    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
+    "domainWarningSubtitle": "Masz dostęp do tej instancji z nieprawidłowej domeny. Jeśli kontynuujesz, możesz napotkać problemy z uwierzytelnianiem.",
     "domainWarningCurrent": "Bieżąca:",
     "domainWarningExpected": "Oczekiwana:",
     "ignoreTitle": "Zignoruj",

frontend/src/lib/i18n/locales/pt-BR.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Este campo é obrigatório",
     "invalidInput": "Entrada Inválida",
     "domainWarningTitle": "Domínio inválido",
-    "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
+    "domainWarningSubtitle": "Você está acessando essa instância de um domínio incorreto. Se você continuar, você pode encontrar problemas com a autenticação.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignorar",

frontend/src/lib/i18n/locales/pt-PT.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Este campo é obrigatório",
     "invalidInput": "Entrada inválida",
     "domainWarningTitle": "Domínio inválido",
-    "domainWarningSubtitle": "Esta instância está configurada para ser acedida a partir de <code>{{appUrl}}</code>, mas está a ser usado <code>{{currentUrl}}</code>. Se continuares, poderás ter problemas de autenticação.",
+    "domainWarningSubtitle": "Acessa essa instância de um domínio incorreto. Se você continuar, você pode encontrar problemas com a autenticação.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignorar",

frontend/src/lib/i18n/locales/ro-RO.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/ru-RU.json

@@ -51,33 +51,33 @@
     "forgotPasswordTitle": "Забыли пароль?",
     "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
     "errorTitle": "Произошла ошибка",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "При обработке вашего запроса произошла следующая ошибка:",
     "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
     "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
     "fieldRequired": "Это поле является обязательным",
     "invalidInput": "Недопустимый ввод",
     "domainWarningTitle": "Неверный домен",
-    "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
-    "domainWarningCurrent": "Current:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningCurrent": "Текущий:",
+    "domainWarningExpected": "Ожидается:",
     "ignoreTitle": "Игнорировать",
     "goToCorrectDomainTitle": "Перейти к правильному домену",
-    "authorizeTitle": "Authorize",
-    "authorizeCardTitle": "Continue to {{app}}?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-    "authorizeLoadingTitle": "Loading...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-    "authorizeSuccessTitle": "Authorized",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-    "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-    "emailScopeName": "Email",
-    "emailScopeDescription": "Allows the app to access your email address.",
-    "profileScopeName": "Profile",
-    "profileScopeDescription": "Allows the app to access your profile information.",
-    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information."
+    "authorizeTitle": "Разрешить",
+    "authorizeCardTitle": "Продолжить с {{app}}?",
+    "authorizeSubtitle": "Вы хотите продолжить работу с этим приложением? Внимательно проверьте запрашиваемые приложением разрешения.",
+    "authorizeSubtitleOAuth": "Вы хотите продолжить работу с этим приложением?",
+    "authorizeLoadingTitle": "Загрузка...",
+    "authorizeLoadingSubtitle": "Пожалуйста, подождите, пока мы загрузим информацию о клиенте.",
+    "authorizeSuccessTitle": "Разрешено",
+    "authorizeSuccessSubtitle": "Вы будете перенаправлены в приложение через несколько секунд.",
+    "authorizeErrorClientInfo": "Произошла ошибка при загрузке информации о клиенте. Пожалуйста, повторите попытку позже.",
+    "authorizeErrorMissingParams": "Отсутствуют следующие параметры: {{missingParams}}",
+    "openidScopeName": "Подключение OpenID",
+    "openidScopeDescription": "Приложение сможет получить доступ к информации подключённого OpenID.",
+    "emailScopeName": "Эл. Почта",
+    "emailScopeDescription": "Приложение сможет получить доступ к вашему электронному адресу.",
+    "profileScopeName": "Профиль",
+    "profileScopeDescription": "Приложение сможет получить доступ к информации вашего профиля.",
+    "groupsScopeName": "Группы",
+    "groupsScopeDescription": "Приложение сможет получать доступ к информации о вашей группе."
 }

frontend/src/lib/i18n/locales/sr-SP.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Ово поље је неопходно",
     "invalidInput": "Неисправан унос",
     "domainWarningTitle": "Неисправан домен",
-    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Тренутни:",
     "domainWarningExpected": "Очекивани:",
     "ignoreTitle": "Игнориши",

frontend/src/lib/i18n/locales/sv-SE.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Du kommer åt den här instansen från en felaktig domän. Om du fortsätter kan du stöta på problem med autentisering.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/tr-TR.json

@@ -57,7 +57,7 @@
     "fieldRequired": "Bu alan zorunludur",
     "invalidInput": "Geçersiz girdi",
     "domainWarningTitle": "Geçersiz alan adı",
-    "domainWarningSubtitle": "Bu örnek, <code>{{appUrl}}</code> adresinden erişilecek şekilde yapılandırılmıştır, ancak <code>{{currentUrl}}</code> kullanılmaktadır. Devam ederseniz, kimlik doğrulama ile ilgili sorunlarla karşılaşabilirsiniz.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Yoksay",

frontend/src/lib/i18n/locales/vi-VN.json

@@ -57,7 +57,7 @@
     "fieldRequired": "This field is required",
     "invalidInput": "Invalid input",
     "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "Ignore",

frontend/src/lib/i18n/locales/zh-TW.json

@@ -57,7 +57,7 @@
     "fieldRequired": "此為必填欄位",
     "invalidInput": "無效的輸入",
     "domainWarningTitle": "無效的網域",
-    "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
     "domainWarningCurrent": "Current:",
     "domainWarningExpected": "Expected:",
     "ignoreTitle": "忽略",

frontend/src/main.tsx

@@ -23,39 +23,41 @@ import { TooltipProvider } from "@/components/ui/tooltip";
 const queryClient = new QueryClient();
 
 createRoot(document.getElementById("root")!).render(
-  <StrictMode>
-    <QueryClientProvider client={queryClient}>
-      <AppContextProvider>
-        <UserContextProvider>
-          <TooltipProvider>
-            <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
-              <BrowserRouter>
-                <Routes>
-                  <Route element={<Layout />} errorElement={<ErrorPage />}>
-                    <Route path="/" element={<App />} />
-                    <Route path="/login" element={<LoginPage />} />
-                    <Route path="/authorize" element={<AuthorizePage />} />
-                    <Route path="/logout" element={<LogoutPage />} />
-                    <Route path="/continue" element={<ContinuePage />} />
-                    <Route path="/totp" element={<TotpPage />} />
-                    <Route
-                      path="/forgot-password"
-                      element={<ForgotPasswordPage />}
-                    />
-                    <Route
-                      path="/unauthorized"
-                      element={<UnauthorizedPage />}
-                    />
-                    <Route path="/error" element={<ErrorPage />} />
-                    <Route path="*" element={<NotFoundPage />} />
-                  </Route>
-                </Routes>
-              </BrowserRouter>
-              <Toaster />
-            </ThemeProvider>
-          </TooltipProvider>
-        </UserContextProvider>
-      </AppContextProvider>
-    </QueryClientProvider>
-  </StrictMode>,
+  <main>
+    <StrictMode>
+      <QueryClientProvider client={queryClient}>
+        <AppContextProvider>
+          <UserContextProvider>
+            <TooltipProvider>
+              <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
+                <BrowserRouter>
+                  <Routes>
+                    <Route element={<Layout />} errorElement={<ErrorPage />}>
+                      <Route path="/" element={<App />} />
+                      <Route path="/login" element={<LoginPage />} />
+                      <Route path="/authorize" element={<AuthorizePage />} />
+                      <Route path="/logout" element={<LogoutPage />} />
+                      <Route path="/continue" element={<ContinuePage />} />
+                      <Route path="/totp" element={<TotpPage />} />
+                      <Route
+                        path="/forgot-password"
+                        element={<ForgotPasswordPage />}
+                      />
+                      <Route
+                        path="/unauthorized"
+                        element={<UnauthorizedPage />}
+                      />
+                      <Route path="/error" element={<ErrorPage />} />
+                      <Route path="*" element={<NotFoundPage />} />
+                    </Route>
+                  </Routes>
+                </BrowserRouter>
+                <Toaster />
+              </ThemeProvider>
+            </TooltipProvider>
+          </UserContextProvider>
+        </AppContextProvider>
+      </QueryClientProvider>
+    </StrictMode>
+  </main>,
 );

frontend/vite.config.ts

@@ -52,6 +52,11 @@ export default defineConfig({
         changeOrigin: true,
         rewrite: (path) => path.replace(/^\/\.well-known/, ""),
       },
+      "/robots.txt": {
+        target: "http://tinyauth-backend:3000/robots.txt",
+        changeOrigin: true,
+        rewrite: (path) => path.replace(/^\/robots.txt/, ""),
+      },
     },
     allowedHosts: true,
   },

go.mod

@@ -22,7 +22,7 @@ require (
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.36.0
 	gotest.tools/v3 v3.5.2
-	modernc.org/sqlite v1.48.2
+	modernc.org/sqlite v1.49.1
 )
 
 require (
@@ -124,7 +124,7 @@ require (
 	golang.org/x/text v0.36.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.70.0 // indirect
+	modernc.org/libc v1.72.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect

go.sum

@@ -329,10 +329,10 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
-modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
+modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -341,8 +341,8 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
-modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
+modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -351,8 +351,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
-modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U=
+modernc.org/sqlite v1.49.1/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

internal/assets/migrations/000008_oidc_code_reuse.down.sql

@@ -0,0 +1 @@
+ALTER TABLE "oidc_tokens" DROP COLUMN "code_hash";

internal/assets/migrations/000008_oidc_code_reuse.up.sql

@@ -0,0 +1 @@
+ALTER TABLE "oidc_tokens" ADD COLUMN "code_hash" TEXT NOT NULL DEFAULT "";

internal/bootstrap/app_bootstrap.go

@@ -44,7 +44,13 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }
 
 func (app *BootstrapApp) Setup() error {
+	fmt.Println("Tinyauth is moving to an organization! All versions after v5.0.7 will be released under ghcr.io/tinyauthapp/tinyauth. Existing images will continue to work but new features and updates (including security ones) will only be released under the new image path.")
+
 	// get app url
+	if app.config.AppURL == "" {
+		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
+	}
+
 	appUrl, err := url.Parse(app.config.AppURL)
 
 	if err != nil {

internal/controller/oidc_controller.go

@@ -275,6 +275,9 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	case "authorization_code":
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
+			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
+				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
+			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{

internal/controller/oidc_controller_test.go

@@ -387,7 +387,7 @@ func TestOIDCController(t *testing.T) {
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
 				assert.NoError(t, err)
 
-				assert.Equal(t, secondRes["error"], "invalid_grant")
+				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
 		},
 		{
@@ -778,6 +778,74 @@ func TestOIDCController(t *testing.T) {
 				assert.NotEmpty(t, error)
 			},
 		},
+		{
+			description: "Ensure access token gets invalidated on double code use",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
+				assert.True(t, found, "Authorize test not found")
+				authorizeCodeTest(t, router, recorder)
+
+				var res map[string]any
+				err := json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				redirectURI := res["redirect_uri"].(string)
+				url, err := url.Parse(redirectURI)
+				assert.NoError(t, err)
+
+				queryParams := url.Query()
+				code := queryParams.Get("code")
+				assert.NotEmpty(t, code)
+
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        code,
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, 200, recorder.Code)
+
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				accessToken := res["access_token"].(string)
+				assert.NotEmpty(t, accessToken)
+
+				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+accessToken)
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 200, recorder.Code)
+
+				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 400, recorder.Code)
+
+				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+accessToken)
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 401, recorder.Code)
+
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+				assert.Equal(t, "invalid_grant", res["error"])
+			},
+		},
 	}
 
 	app := bootstrap.NewBootstrapApp(config.Config{})

internal/controller/well_known_controller.go

@@ -9,19 +9,21 @@ import (
 )
 
 type OpenIDConnectConfiguration struct {
-	Issuer                            string   `json:"issuer"`
-	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
-	TokenEndpoint                     string   `json:"token_endpoint"`
-	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
-	JwksUri                           string   `json:"jwks_uri"`
-	ScopesSupported                   []string `json:"scopes_supported"`
-	ResponseTypesSupported            []string `json:"response_types_supported"`
-	GrantTypesSupported               []string `json:"grant_types_supported"`
-	SubjectTypesSupported             []string `json:"subject_types_supported"`
-	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
-	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
-	ClaimsSupported                   []string `json:"claims_supported"`
-	ServiceDocumentation              string   `json:"service_documentation"`
+	Issuer                                 string   `json:"issuer"`
+	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
+	TokenEndpoint                          string   `json:"token_endpoint"`
+	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
+	JwksUri                                string   `json:"jwks_uri"`
+	ScopesSupported                        []string `json:"scopes_supported"`
+	ResponseTypesSupported                 []string `json:"response_types_supported"`
+	GrantTypesSupported                    []string `json:"grant_types_supported"`
+	SubjectTypesSupported                  []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
+	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                        []string `json:"claims_supported"`
+	ServiceDocumentation                   string   `json:"service_documentation"`
+	RequestParameterSupported              bool     `json:"request_parameter_supported"`
+	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
 type WellKnownControllerConfig struct{}
@@ -48,19 +50,21 @@ func (controller *WellKnownController) SetupRoutes() {
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
-		Issuer:                            issuer,
-		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
-		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
-		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
-		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
-		ScopesSupported:                   service.SupportedScopes,
-		ResponseTypesSupported:            service.SupportedResponseTypes,
-		GrantTypesSupported:               service.SupportedGrantTypes,
-		SubjectTypesSupported:             []string{"pairwise"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
+		Issuer:                                 issuer,
+		AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", issuer),
+		TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", issuer),
+		UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", issuer),
+		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", issuer),
+		ScopesSupported:                        service.SupportedScopes,
+		ResponseTypesSupported:                 service.SupportedResponseTypes,
+		GrantTypesSupported:                    service.SupportedGrantTypes,
+		SubjectTypesSupported:                  []string{"pairwise"},
+		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
+		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
+		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
+		RequestParameterSupported:              true,
+		RequestObjectSigningAlgValuesSupported: []string{"none"},
 	})
 }
 

internal/controller/well_known_controller_test.go

@@ -56,19 +56,21 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)
 
 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                            oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
-					ScopesSupported:                   service.SupportedScopes,
-					ResponseTypesSupported:            service.SupportedResponseTypes,
-					GrantTypesSupported:               service.SupportedGrantTypes,
-					SubjectTypesSupported:             []string{"pairwise"},
-					IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
+					Issuer:                                 oidcServiceCfg.Issuer,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					ScopesSupported:                        service.SupportedScopes,
+					ResponseTypesSupported:                 service.SupportedResponseTypes,
+					GrantTypesSupported:                    service.SupportedGrantTypes,
+					SubjectTypesSupported:                  []string{"pairwise"},
+					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
+					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
+					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
+					RequestParameterSupported:              true,
+					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 
 				assert.Equal(t, expected, res)

internal/middleware/ui_middleware.go

@@ -46,6 +46,11 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		case "api", "resources", ".well-known":
 			c.Next()
 			return
+		case "robots.txt":
+			c.Writer.Header().Set("Content-Type", "text/plain")
+			c.Writer.WriteHeader(http.StatusOK)
+			c.Writer.Write([]byte("User-agent: *\nDisallow: /\n"))
+			return
 		default:
 			_, err := fs.Stat(m.uiFs, path)
 

internal/repository/models.go

@@ -19,6 +19,7 @@ type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
+	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64

internal/repository/oidc_queries.sql.go

@@ -70,11 +70,12 @@ INSERT INTO "oidc_tokens" (
     "client_id",
     "token_expires_at",
     "refresh_token_expires_at",
+    "code_hash",
     "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 
 type CreateOidcTokenParams struct {
@@ -85,6 +86,7 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
+	CodeHash              string
 	Nonce                 string
 }
 
@@ -97,6 +99,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
+		arg.CodeHash,
 		arg.Nonce,
 	)
 	var i OidcToken
@@ -104,6 +107,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -198,7 +202,7 @@ func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) (
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 
 type DeleteExpiredOidcTokensParams struct {
@@ -219,6 +223,7 @@ func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpired
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
+			&i.CodeHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
@@ -268,6 +273,16 @@ func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) e
 	return err
 }
 
+const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
+DELETE FROM "oidc_tokens"
+WHERE "code_hash" = ?
+`
+
+func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
+	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
+	return err
+}
+
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
@@ -375,7 +390,7 @@ func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcC
 }
 
 const getOidcToken = `-- name: GetOidcToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 
@@ -386,6 +401,7 @@ func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (Oid
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -396,7 +412,7 @@ func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (Oid
 }
 
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
 
@@ -407,6 +423,7 @@ func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHa
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -417,7 +434,7 @@ func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHa
 }
 
 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 
@@ -428,6 +445,7 @@ func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken,
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -463,7 +481,7 @@ UPDATE "oidc_tokens" SET
     "token_expires_at" = ?,
     "refresh_token_expires_at" = ?
 WHERE "refresh_token_hash" = ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 
 type UpdateOidcTokenByRefreshTokenParams struct {
@@ -487,6 +505,7 @@ func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateO
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,

internal/service/oidc_service.go

@@ -506,6 +506,7 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refrshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
+		CodeHash:              codeEntry.CodeHash,
 	})
 
 	if err != nil {
@@ -590,6 +591,10 @@ func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error
 	return service.queries.DeleteOidcToken(c, tokenHash)
 }
 
+func (service *OIDCService) DeleteTokenByCodeHash(c *gin.Context, codeHash string) error {
+	return service.queries.DeleteOidcTokenByCodeHash(c, codeHash)
+}
+
 func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
 	entry, err := service.queries.GetOidcToken(c, tokenHash)
 

sql/oidc_queries.sql

@@ -48,9 +48,10 @@ INSERT INTO "oidc_tokens" (
     "client_id",
     "token_expires_at",
     "refresh_token_expires_at",
+    "code_hash",
     "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 
@@ -75,6 +76,10 @@ WHERE "refresh_token_hash" = ?;
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 
+-- name: DeleteOidcTokenByCodeHash :exec
+DELETE FROM "oidc_tokens"
+WHERE "code_hash" = ?;
+
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;

sql/oidc_schemas.sql

@@ -13,6 +13,7 @@ CREATE TABLE IF NOT EXISTS "oidc_tokens" (
     "sub" TEXT NOT NULL UNIQUE,
     "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
     "refresh_token_hash" TEXT NOT NULL,
+    "code_hash" TEXT NOT NULL,
     "scope" TEXT NOT NULL,
     "client_id" TEXT NOT NULL,
     "token_expires_at" INTEGER NOT NULL,