feat: add backend for oidc consent

chore: init db migrations
Merge branch 'refactor/oidc-authorize' into feat/preserve-authorize
2026-06-12 14:30:18 +00:00 · 2026-06-11 18:09:14 +03:00 · 2026-06-11 17:15:09 +03:00 · 2026-06-11 16:40:23 +03:00 · 2026-06-11 13:25:22 +03:00 · 2026-06-09 16:17:57 +03:00
98 changed files with 4555 additions and 4151 deletions
@@ -7,7 +7,9 @@ TINYAUTH_APPURL=
 # database config
-# The path to the database, including file name.
+# The database driver to use. Valid values: sqlite, postgres, memory.
 TINYAUTH_DATABASE_DRIVER="sqlite"
 # The path to the SQLite database file, or connection URL when driver is postgres.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 # analytics config
@@ -30,6 +32,8 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
 # Enable listening on both TCP and Unix socket at the same time.
 TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 # auth config
@@ -37,8 +41,52 @@ TINYAUTH_SERVER_SOCKETPATH=
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
 # List of IPs or CIDR ranges that bypass authentication entirely.
 TINYAUTH_AUTH_IP_BYPASS=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
 # Enable subdomains support.
 TINYAUTH_AUTH_SUBDOMAINSENABLED=true
 # Full name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_NAME=
 # Given (first) name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_GIVENNAME=
 # Family (last) name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_FAMILYNAME=
 # Middle name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_MIDDLENAME=
 # Nickname of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_NICKNAME=
 # URL of the user's profile page.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PROFILE=
 # URL of the user's profile picture.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PICTURE=
 # URL of the user's website.
 TINYAUTH_AUTH_USERATTRIBUTES_name_WEBSITE=
 # Email address of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_EMAIL=
 # Gender of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_GENDER=
 # Birthdate of the user (YYYY-MM-DD).
 TINYAUTH_AUTH_USERATTRIBUTES_name_BIRTHDATE=
 # Time zone of the user (e.g. Europe/Athens).
 TINYAUTH_AUTH_USERATTRIBUTES_name_ZONEINFO=
 # Locale of the user (e.g. en-US).
 TINYAUTH_AUTH_USERATTRIBUTES_name_LOCALE=
 # Phone number of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PHONENUMBER=
 # Full mailing address, formatted for display.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_FORMATTED=
 # Street address.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_STREETADDRESS=
 # City or locality.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_LOCALITY=
 # State, province, or region.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_REGION=
 # Zip or postal code.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_POSTALCODE=
 # Country.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_COUNTRY=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
@@ -53,6 +101,8 @@ TINYAUTH_AUTH_LOGINTIMEOUT=300
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
 # ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
 TINYAUTH_AUTH_ACLS_POLICY="allow"
 # apps config
@@ -101,6 +151,10 @@ TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
 # Comma-separated list of allowed OAuth domains for this provider.
 TINYAUTH_OAUTH_PROVIDERS_name_WHITELIST=
 # Path to the OAuth whitelist file for this provider.
 TINYAUTH_OAUTH_PROVIDERS_name_WHITELISTFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
@@ -152,6 +206,8 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
 # Path to the Bind password.
 TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
@@ -164,6 +220,8 @@ TINYAUTH_LDAP_AUTHCERT=
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
 # Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment.
 TINYAUTH_LABELPROVIDER="auto"
 # log config
@@ -183,3 +241,16 @@ TINYAUTH_LOG_STREAMS_APP_LEVEL=
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
 # tailscale config
 # Enable Tailscale integration.
 TINYAUTH_TAILSCALE_ENABLED=false
 # Tailscale state directory.
 TINYAUTH_TAILSCALE_DIR="./tailscale_state"
 # Tailscale hostname.
 TINYAUTH_TAILSCALE_HOSTNAME=
 # Tailscale auth key.
 TINYAUTH_TAILSCALE_AUTHKEY=
 # Use ephemeral Tailscale node.
 TINYAUTH_TAILSCALE_EPHEMERAL=false
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Setup pnpm
        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -23,13 +23,13 @@ jobs:
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.26.4"
      - name: Go dependencies
        run: go mod download
      - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v4
+        uses: sqlc-dev/setup-sqlc@v5
        with:
          sqlc-version: "1.31.1"
@@ -62,6 +62,6 @@ jobs:
        run: go test -coverprofile=coverage.txt -v ./...
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Delete old release
        run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -37,7 +37,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
@@ -55,7 +55,7 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
@@ -67,7 +67,7 @@ jobs:
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.26.4"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -83,7 +83,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -100,7 +100,7 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
@@ -112,7 +112,7 @@ jobs:
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.26.4"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -128,7 +128,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -145,28 +145,28 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -203,28 +203,28 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -261,28 +261,28 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -319,28 +319,28 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -384,18 +384,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -423,18 +423,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -18,7 +18,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Generate metadata
        id: metadata
@@ -33,7 +33,7 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Setup pnpm
        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -43,7 +43,7 @@ jobs:
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.26.4"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -75,7 +75,7 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Setup pnpm
        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -85,7 +85,7 @@ jobs:
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.26.4"
      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -117,26 +117,26 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -150,6 +150,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -172,26 +173,26 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -206,6 +207,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -227,26 +229,26 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -260,6 +262,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -282,26 +285,26 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -316,6 +319,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -345,18 +349,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -386,18 +390,18 @@ jobs:
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -19,7 +19,7 @@ jobs:
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
        with:
          persist-credentials: false
@@ -38,6 +38,6 @@ jobs:
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
        with:
          sarif_file: results.sarif
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Generate Sponsors
        uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1
@@ -8,7 +8,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 ## Requirements
 - pnpm
- Golang v1.24.0 or later
+- Golang v1.26.4 or later
 - Git
 - Docker
 - Make
@@ -1,5 +1,5 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM node:26.3-alpine3.23 AS frontend-builder
 WORKDIR /frontend
@@ -27,6 +27,7 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
 ARG LDFLAGS
 WORKDIR /tinyauth
@@ -39,7 +40,7 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
-RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -1,5 +1,5 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM node:26.3-alpine3.23 AS frontend-builder
 WORKDIR /frontend
@@ -27,6 +27,7 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
 ARG LDFLAGS
 WORKDIR /tinyauth
@@ -41,7 +42,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
-RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -8,6 +8,7 @@ TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 LDFLAGS := -s -w
 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
@@ -36,7 +37,7 @@ webui: clean-webui
 # Build the binary
 binary: webui
-	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
+	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "${LDFLAGS} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
@@ -61,6 +62,15 @@ binary-linux-arm64:
 test:
 	go test -v ./...
 # Go vet
 .PHONY: vet
 vet:
 	go vet ./...
 # Go race
 test-race:
 	go test -race ./...
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
@@ -1,36 +0,0 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  Select,
  SelectContent,
  SelectItem,
  SelectTrigger,
  SelectValue,
 } from "../ui/select";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 export const LanguageSelector = () => {
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  return (
    <Select onValueChange={handleSelect} value={language}>
      <SelectTrigger aria-label="Select language">
        <SelectValue placeholder="Select language" />
      </SelectTrigger>
      <SelectContent>
        {Object.entries(languages).map(([key, value]) => (
          <SelectItem key={key} value={key}>
            {value}
          </SelectItem>
        ))}
      </SelectContent>
    </Select>
  );
 };
@@ -1,9 +1,8 @@
 import { useAppContext } from "@/context/app-context";
 import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
-import { ThemeToggle } from "../theme-toggle/theme-toggle";
+import { QuickActions } from "../quick-actions/quick-actions";
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
  const { ui } = useAppContext();
@@ -21,9 +20,8 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
        backgroundPosition: "center",
      }}
    >
-      <div className="absolute top-4 right-4 flex flex-row gap-2">
+      <div className="absolute top-4 right-4">
-        <ThemeToggle />
+        <QuickActions />
        <LanguageSelector />
      </div>
      <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
    </div>
@@ -0,0 +1,208 @@
 import { languages, SupportedLanguage } from "@/lib/i18n/locales";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuLabel,
  DropdownMenuPortal,
  DropdownMenuSeparator,
  DropdownMenuSub,
  DropdownMenuSubContent,
  DropdownMenuSubTrigger,
  DropdownMenuTrigger,
 } from "../ui/dropdown-menu";
 import { useState } from "react";
 import i18n from "@/lib/i18n/i18n";
 import { useUserContext } from "@/context/user-context";
 import { ScrollArea } from "../ui/scroll-area";
 import { useTheme } from "../providers/theme-provider";
 import {
  Check,
  DoorOpenIcon,
  Languages,
  Monitor,
  Moon,
  Palette,
  Settings,
  Sun,
 } from "lucide-react";
 import { useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 import { useRef } from "react";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { toast } from "sonner";
 import { useEffect } from "react";
 function Avatar({ initial }: { initial: string }) {
  return (
    <span className="group relative grid size-10 place-items-center rounded-full">
      <span className="absolute inset-0 overflow-hidden rounded-full bg-linear-to-b from-neutral-50 to-neutral-100 dark:from-neutral-700 dark:to-neutral-950 shadow-lg"></span>
      <span className="relative text-sm font-semibold text-primary">
        {initial}
      </span>
    </span>
  );
 }
 export const QuickActions = () => {
  const { auth } = useUserContext();
  const { theme, setTheme } = useTheme();
  const { t } = useTranslation();
  const { search } = useLocation();
  const [language, setLanguage] = useState<SupportedLanguage>(
    i18n.language as SupportedLanguage,
  );
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
    mutationKey: ["logout"],
    onSuccess: () => {
      toast.success(t("logoutSuccessTitle"), {
        description: t("logoutSuccessSubtitle"),
      });
      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(`/login${compiledParams}`);
      }, 500);
    },
    onError: () => {
      toast.error(t("logoutFailTitle"), {
        description: t("logoutFailSubtitle"),
      });
    },
  });
  useEffect(() => {
    return () => {
      if (redirectTimer.current) {
        clearTimeout(redirectTimer.current);
      }
    };
  }, [redirectTimer]);
  const initial = auth.authenticated
    ? (auth.name[0] || "U").toUpperCase()
    : null;
  const handleSelect = (option: string) => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  const themes = [
    { key: "light", label: t("quickActionsThemeLight"), icon: Sun },
    { key: "dark", label: t("quickActionsThemeDark"), icon: Moon },
    { key: "system", label: t("quickActionsThemeSystem"), icon: Monitor },
  ] as const;
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <button
          aria-label={t("quickActionsTitle")}
          className="rounded-full transition-transform duration-200 will-change-transform hover:scale-105 hover:cursor-pointer focus:ring-0 focus:outline-3 focus:outline-ring/50"
        >
          {auth.authenticated ? (
            <Avatar initial={initial!} />
          ) : (
            <span className="bg-card text-primary border-border size-10 flex items-center justify-center rounded-full border shadow-lg">
              <Settings className="size-4" />
            </span>
          )}
        </button>
      </DropdownMenuTrigger>
      <DropdownMenuContent
        align="end"
        sideOffset={8}
        className="rounded-xl p-1"
      >
        {auth.authenticated && (
          <>
            <DropdownMenuLabel className="flex items-center gap-3 p-2">
              <div className="bg-foreground text-background flex size-9 shrink-0 items-center justify-center rounded-full text-sm font-medium">
                {initial}
              </div>
              <div className="flex min-w-0 flex-col">
                <span className="truncate text-sm font-medium">
                  {auth.name}
                </span>
                <span className="text-muted-foreground truncate text-xs font-normal">
                  {auth.email}
                </span>
              </div>
            </DropdownMenuLabel>
            <DropdownMenuSeparator />
          </>
        )}
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Languages className="size-4" />
            {t("quickActionsLanguage")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent sideOffset={8} className="rounded-xl p-1">
              <ScrollArea className="h-80">
                {Object.entries(languages).map(([key, value]) => (
                  <DropdownMenuItem
                    key={key}
                    onSelect={() => handleSelect(key)}
                  >
                    {value}
                    {language === key && <Check className="size-4" />}
                  </DropdownMenuItem>
                ))}
              </ScrollArea>
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        <DropdownMenuSub>
          <DropdownMenuSubTrigger>
            <Palette className="size-4" />
            {t("quickActionsTheme")}
          </DropdownMenuSubTrigger>
          <DropdownMenuPortal>
            <DropdownMenuSubContent className="rounded-xl p-1" sideOffset={8}>
              {themes.map(({ key, label, icon: Icon }) => (
                <DropdownMenuItem key={key} onClick={() => setTheme(key)}>
                  <span className="flex items-center gap-2">
                    <Icon className="size-4" />
                    {label}
                  </span>
                  {theme === key && <Check className="size-4" />}
                </DropdownMenuItem>
              ))}
            </DropdownMenuSubContent>
          </DropdownMenuPortal>
        </DropdownMenuSub>
        {auth.authenticated && (
          <>
            <DropdownMenuSeparator />
            <DropdownMenuItem
              onSelect={() => logoutMutation.mutate()}
              className="text-destructive"
            >
              <DoorOpenIcon className="size-4" />
              {t("quickActionsLogout")}
            </DropdownMenuItem>
          </>
        )}
      </DropdownMenuContent>
    </DropdownMenu>
  );
 };
@@ -1,40 +0,0 @@
 import { Moon, Sun } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import { useTheme } from "@/components/providers/theme-provider";
 export function ThemeToggle() {
  const { setTheme } = useTheme();
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <Button
          className="bg-card text-card-foreground hover:bg-card/90"
          size="icon"
        >
          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
          <span className="sr-only">Toggle theme</span>
        </Button>
      </DropdownMenuTrigger>
      <DropdownMenuContent align="end">
        <DropdownMenuItem onClick={() => setTheme("light")}>
          Light
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("dark")}>
          Dark
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("system")}>
          System
        </DropdownMenuItem>
      </DropdownMenuContent>
    </DropdownMenu>
  );
 }
@@ -0,0 +1,56 @@
 import * as React from "react"
 import { ScrollArea as ScrollAreaPrimitive } from "radix-ui"
 import { cn } from "@/lib/utils"
 function ScrollArea({
  className,
  children,
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.Root>) {
  return (
    <ScrollAreaPrimitive.Root
      data-slot="scroll-area"
      className={cn("relative", className)}
      {...props}
    >
      <ScrollAreaPrimitive.Viewport
        data-slot="scroll-area-viewport"
        className="size-full rounded-[inherit] transition-[color,box-shadow] outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 focus-visible:outline-1"
      >
        {children}
      </ScrollAreaPrimitive.Viewport>
      <ScrollBar />
      <ScrollAreaPrimitive.Corner />
    </ScrollAreaPrimitive.Root>
  )
 }
 function ScrollBar({
  className,
  orientation = "vertical",
  ...props
 }: React.ComponentProps<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>) {
  return (
    <ScrollAreaPrimitive.ScrollAreaScrollbar
      data-slot="scroll-area-scrollbar"
      orientation={orientation}
      className={cn(
        "flex touch-none p-px transition-colors select-none",
        orientation === "vertical" &&
          "h-full w-2.5 border-l border-l-transparent",
        orientation === "horizontal" &&
          "h-2.5 flex-col border-t border-t-transparent",
        className
      )}
      {...props}
    >
      <ScrollAreaPrimitive.ScrollAreaThumb
        data-slot="scroll-area-thumb"
        className="relative flex-1 rounded-full bg-border"
      />
    </ScrollAreaPrimitive.ScrollAreaScrollbar>
  )
 }
 export { ScrollArea, ScrollBar }
@@ -0,0 +1,17 @@
 type UseLoginForProps = {
  login_for?: "oidc" | "app";
  compiledParams: string;
 };
 export const useLoginFor = (props: UseLoginForProps): string => {
  const { login_for, compiledParams } = props;
  switch (login_for) {
    case "oidc":
      return "/oidc/authorize" + compiledParams;
    case "app":
      return "/continue" + compiledParams;
    default:
      return "/logout";
  }
 };
@@ -1,76 +0,0 @@
 import { z } from "zod";
 export const oidcParamsSchema = z.object({
  scope: z.string().min(1),
  response_type: z.string().min(1),
  client_id: z.string().min(1),
  redirect_uri: z.string().min(1),
  state: z.string().optional(),
  nonce: z.string().optional(),
  code_challenge: z.string().optional(),
  code_challenge_method: z.string().optional(),
 });
 function b64urlDecode(s: string): string {
  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
 }
 function decodeRequestObject(jwt: string): Record<string, string> {
  try {
    // Must have exactly 3 parts: header, payload, signature
    const parts = jwt.split(".");
    if (parts.length !== 3) return {};
    // Header must specify "alg": "none" and signature must be empty string
    const header = JSON.parse(b64urlDecode(parts[0]));
    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
    const payload = JSON.parse(b64urlDecode(parts[1]));
    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
    const result: Record<string, string> = {};
    for (const [k, v] of Object.entries(payload)) {
      if (typeof v === "string") result[k] = v;
    }
    return result;
  } catch {
    return {};
  }
 }
 export const useOIDCParams = (
  params: URLSearchParams,
 ): {
  values: z.infer<typeof oidcParamsSchema>;
  issues: string[];
  isOidc: boolean;
  compiled: string;
 } => {
  const obj = Object.fromEntries(params.entries());
  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
  // and merge claims over top-level params (JWT claims take precedence)
  const requestJwt = params.get("request");
  if (requestJwt) {
    const claims = decodeRequestObject(requestJwt);
    Object.assign(obj, claims);
  }
  const parsed = oidcParamsSchema.safeParse(obj);
  if (parsed.success) {
    return {
      values: parsed.data,
      issues: [],
      isOidc: true,
      compiled: new URLSearchParams(parsed.data).toString(),
    };
  }
  return {
    issues: parsed.error.issues.map((issue) => issue.path.toString()),
    values: {} as z.infer<typeof oidcParamsSchema>,
    isOidc: false,
    compiled: "",
  };
 };
@@ -7,7 +7,7 @@ type IuseRedirectUri = {
 };
 export const useRedirectUri = (
-  redirect_uri: string | null,
+  redirect_uri: string | undefined,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
@@ -15,7 +15,7 @@ export const useRedirectUri = (
  let isAllowedProto = false;
  let isHttpsDowngrade = false;
-  if (!redirect_uri) {
+  if (redirect_uri === undefined) {
    return {
      valid: isValid,
      trusted: isTrusted,
@@ -0,0 +1,40 @@
 import { z } from "zod";
 type ScreenParams = {
  login_for?: "oidc" | "app";
  redirect_uri?: string;
  oidc_ticket?: string;
  oidc_scope?: string;
  oidc_name?: string;
 };
 const zodScreenParams = z.object({
  login_for: z.enum(["oidc", "app"]).optional(),
  redirect_uri: z.string().optional(),
  oidc_ticket: z.string().optional(),
  oidc_scope: z.string().optional(),
  oidc_name: z.string().optional(),
 });
 export function useScreenParams(params: URLSearchParams): ScreenParams {
  const paramsObj = Object.fromEntries(params.entries());
  const parsed = zodScreenParams.safeParse(paramsObj);
  if (!parsed.success) {
    return {};
  }
  return parsed.data;
 }
 export function recompileScreenParams(params: ScreenParams): string {
  const p = new URLSearchParams(
    Object.fromEntries(
      Object.entries(params).filter(([, v]) => v !== undefined),
    ) as Record<string, string>,
  ).toString();
  if (p.length > 0) {
    return "?" + p;
  }
  return "";
 }
@@ -71,7 +71,7 @@
  "authorizeSuccessTitle": "Authorized",
  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
  "openidScopeName": "OpenID Connect",
  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
  "emailScopeName": "Email",
@@ -92,5 +92,12 @@
  "loginTailscaleOtherMethod": "Login with another method",
  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -71,7 +71,7 @@
  "authorizeSuccessTitle": "Authorized",
  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
  "openidScopeName": "OpenID Connect",
  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
  "emailScopeName": "Email",
@@ -92,5 +92,12 @@
  "loginTailscaleOtherMethod": "Login with another method",
  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
  "quickActionsLanguage": "Language",
  "quickActionsTheme": "Theme",
  "quickActionsThemeLight": "Light",
  "quickActionsThemeDark": "Dark",
  "quickActionsThemeSystem": "System",
  "quickActionsLogout": "Logout",
  "quickActionsTitle": "Quick Actions"
 }
@@ -58,8 +58,8 @@
    "invalidInput": "Input non valido",
    "domainWarningTitle": "Dominio non valido",
    "domainWarningSubtitle": "Stai accedendo a questa istanza da un dominio errato. Scegliendo di procedere, potresti incontrare problemi con l'autenticazione.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Attuale:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Previsto:",
    "ignoreTitle": "Ignora",
    "goToCorrectDomainTitle": "Vai al dominio corretto",
    "authorizeTitle": "Autorizza",
@@ -57,7 +57,7 @@
    "fieldRequired": "Ово поље је неопходно",
    "invalidInput": "Неисправан унос",
    "domainWarningTitle": "Неисправан домен",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Приступате овој инстанци са неисправног домена. Ако наставите, можете наићи на проблеме са аутентификацијом.",
    "domainWarningCurrent": "Тренутни:",
    "domainWarningExpected": "Очекивани:",
    "ignoreTitle": "Игнориши",
@@ -35,7 +35,10 @@ createRoot(document.getElementById("root")!).render(
                    <Route element={<Layout />} errorElement={<ErrorPage />}>
                      <Route path="/" element={<App />} />
                      <Route path="/login" element={<LoginPage />} />
-                      <Route path="/authorize" element={<AuthorizePage />} />
+                      <Route
                        path="/oidc/authorize"
                        element={<AuthorizePage />}
                      />
                      <Route path="/logout" element={<LogoutPage />} />
                      <Route path="/continue" element={<ContinuePage />} />
                      <Route path="/totp" element={<TotpPage />} />
@@ -1,5 +1,5 @@
 import { useUserContext } from "@/context/user-context";
-import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMutation } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
@@ -10,11 +10,9 @@ import {
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
 import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
@@ -23,6 +21,10 @@ import {
  TooltipContent,
  TooltipTrigger,
 } from "@/components/ui/tooltip";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 type Scope = {
  id: string;
@@ -84,27 +86,17 @@ export const AuthorizePage = () => {
  const scopeMap = createScopeMap(t);
  const searchParams = new URLSearchParams(search);
-  const oidcParams = useOIDCParams(searchParams);
+  const screenParams = useScreenParams(searchParams);
-
+  const isOidc = screenParams.login_for === "oidc";
-  const getClientInfo = useQuery({
+  const compiledParams = recompileScreenParams(screenParams);
    queryKey: ["client", oidcParams.values.client_id],
    queryFn: async () => {
      const res = await fetch(
        `/api/oidc/clients/${encodeURIComponent(oidcParams.values.client_id)}`,
      );
      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
      return data;
    },
    enabled: oidcParams.isOidc,
  });
  const authorizeMutation = useMutation({
    mutationFn: () => {
-      return axios.post("/api/oidc/authorize", {
+      return axios.post("/api/oidc/authorize-complete", {
-        ...oidcParams.values,
+        ticket: screenParams.oidc_ticket,
      });
    },
-    mutationKey: ["authorize", oidcParams.values.client_id],
+    mutationKey: ["authorize", screenParams.oidc_ticket],
    onSuccess: (data) => {
      toast.info(t("authorizeSuccessTitle"), {
        description: t("authorizeSuccessSubtitle"),
@@ -118,56 +110,36 @@ export const AuthorizePage = () => {
    },
  });
-  if (oidcParams.issues.length > 0) {
+  if (
    !isOidc ||
    screenParams.oidc_ticket === undefined ||
    screenParams.oidc_scope === undefined
  ) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: oidcParams.issues.join(", ") }))}`}
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
        replace
      />
    );
  }
  if (!auth.authenticated) {
-    return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
+    return <Navigate to={`/login${compiledParams}`} replace />;
  }
  if (getClientInfo.isLoading) {
    return (
      <Card className="gap-0">
        <CardHeader>
          <CardTitle className="text-xl">
            {t("authorizeLoadingTitle")}
          </CardTitle>
        </CardHeader>
        <CardContent>
          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
        </CardContent>
      </Card>
    );
  }
  if (getClientInfo.isError) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
        replace
      />
    );
  }
  const scopes =
-    oidcParams.values.scope.split(" ").filter((s) => s.trim() !== "") || [];
+    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
  return (
    <Card>
      <CardHeader className="mb-2">
        <div className="flex flex-col gap-3 items-center justify-center text-center">
          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {getClientInfo.data?.name.slice(0, 1) || "U"}
+            {screenParams.oidc_name ? screenParams.oidc_name.slice(0, 1) : "U"}
          </div>
          <CardTitle className="text-xl">
            {t("authorizeCardTitle", {
-              app: getClientInfo.data?.name || "Unknown",
+              app: screenParams.oidc_name || "Unknown",
            })}
          </CardTitle>
          <CardDescription className="text-sm max-w-sm">
@@ -206,7 +178,7 @@ export const AuthorizePage = () => {
          {t("authorizeTitle")}
        </Button>
        <Button
-          onClick={() => navigate("/")}
+          onClick={() => navigate(`/logout${compiledParams}`)}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
@@ -12,6 +12,10 @@ import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
 import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ContinuePage = () => {
  const { app, ui } = useAppContext();
@@ -25,7 +29,10 @@ export const ContinuePage = () => {
  const hasRedirected = useRef(false);
  const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri");
+  const screenParams = useScreenParams(searchParams);
  const redirectUri = screenParams.redirect_uri;
  const isAppLogin = screenParams.login_for === "app";
  const recompiledParams = recompileScreenParams(screenParams);
  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
    redirectUri,
@@ -43,7 +50,8 @@ export const ContinuePage = () => {
    auth.authenticated &&
    hasValidRedirect &&
    !showUntrustedWarning &&
-    !showInsecureWarning;
+    !showInsecureWarning &&
    isAppLogin;
  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
@@ -79,15 +87,10 @@ export const ContinuePage = () => {
  }, [shouldAutoRedirect, redirectToTarget]);
  if (!auth.authenticated) {
-    return (
+    return <Navigate to={`/login${recompiledParams}`} replace />;
      <Navigate
        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
-  if (!hasValidRedirect) {
+  if (!hasValidRedirect || !isAppLogin) {
    return <Navigate to="/logout" replace />;
  }
@@ -11,12 +11,18 @@ import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
 import { useLocation } from "react-router";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 export const ForgotPasswordPage = () => {
  const { ui } = useAppContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  return (
    <Card>
@@ -37,10 +43,7 @@ export const ForgotPasswordPage = () => {
          className="w-full"
          variant="outline"
          onClick={() => {
-            const eparams = searchParams.toString();
+            window.location.replace(`/login${compiledParams}`);
            window.location.replace(
              `/login${eparams.length > 0 ? `?${eparams}` : ""}`,
            );
          }}
        >
          {t("backToLoginButton")}
@@ -18,7 +18,6 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -26,6 +25,11 @@ import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 const iconMap: Record<string, React.ReactNode> = {
  google: <GoogleIcon />,
@@ -46,7 +50,9 @@ export const LoginPage = () => {
  const { t } = useTranslation();
  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
+  const [useTailscale, setUseTailscale] = useState(
    tailscale.nodeName !== undefined,
  );
  const hasAutoRedirectedRef = useRef(false);
@@ -56,17 +62,22 @@ export const LoginPage = () => {
  const formId = useId();
  const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri") || undefined;
+  const screenParams = useScreenParams(searchParams);
-  const oidcParams = useOIDCParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
    providers.find((provider) => provider.id === oauth.autoRedirect) !==
-      undefined && redirectUri !== undefined,
+      undefined && screenParams.redirect_uri !== undefined,
  );
  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
  const userAuthConfigured =
    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
@@ -79,16 +90,7 @@ export const LoginPage = () => {
    variables: oauthVariables,
  } = useMutation({
    mutationFn: (provider: string) => {
-      const getParams = function (): string {
+      return axios.get(`/api/oauth/url/${provider}${compiledParams}`);
        if (oidcParams.isOidc) {
          return `?${oidcParams.compiled}`;
        }
        if (redirectUri) {
          return `?redirect_uri=${encodeURIComponent(redirectUri)}`;
        }
        return "";
      };
      return axios.get(`/api/oauth/url/${provider}${getParams()}`);
    },
    mutationKey: ["oauth"],
    onSuccess: (data) => {
@@ -119,13 +121,7 @@ export const LoginPage = () => {
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
-        if (oidcParams.isOidc) {
+        window.location.replace(`/totp${compiledParams}`);
          window.location.replace(`/totp?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/totp${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
        return;
      }
@@ -134,13 +130,7 @@ export const LoginPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        if (oidcParams.isOidc) {
+        window.location.replace(loginForUrl);
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: (error: AxiosError) => {
@@ -163,13 +153,7 @@ export const LoginPage = () => {
        });
        redirectTimer.current = window.setTimeout(() => {
-          if (oidcParams.isOidc) {
+          window.location.replace(loginForUrl);
            window.location.replace(`/authorize?${oidcParams.compiled}`);
            return;
          }
          window.location.replace(
            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
          );
        }, 500);
      },
      onError: () => {
@@ -184,7 +168,7 @@ export const LoginPage = () => {
      !auth.authenticated &&
      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
-      redirectUri !== undefined
+      screenParams.login_for !== undefined
    ) {
      hasAutoRedirectedRef.current = true;
      oauthMutate(oauth.autoRedirect);
@@ -195,7 +179,7 @@ export const LoginPage = () => {
    hasAutoRedirectedRef,
    oauth.autoRedirect,
    isOauthAutoRedirect,
-    redirectUri,
+    screenParams.login_for,
  ]);
  useEffect(() => {
@@ -210,21 +194,8 @@ export const LoginPage = () => {
    };
  }, [redirectTimer, redirectButtonTimer]);
  if (auth.authenticated && oidcParams.isOidc) {
    return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
  }
  if (auth.authenticated && redirectUri !== undefined) {
    return (
      <Navigate
        to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
  if (auth.authenticated) {
-    return <Navigate to="/logout" replace />;
+    return <Navigate to={loginForUrl} replace />;
  }
  if (isOauthAutoRedirect) {
@@ -15,12 +15,21 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";
 import { type UseMutationResult } from "@tanstack/react-query";
 import { type AxiosResponse } from "axios";
 import { useLocation } from "react-router";
 import {
  useScreenParams,
  recompileScreenParams,
 } from "@/lib/hooks/screen-params";
 export const LogoutPage = () => {
  const { auth, oauth, tailscale } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const screenParams = useScreenParams(searchParams);
  const compiledParams = recompileScreenParams(screenParams);
  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
@@ -31,7 +40,7 @@ export const LogoutPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace("/login");
+        window.location.replace(`/login${compiledParams}`);
      }, 500);
    },
    onError: () => {
@@ -50,7 +59,7 @@ export const LogoutPage = () => {
  }, [redirectTimer]);
  if (!auth.authenticated) {
-    return <Navigate to="/login" replace />;
+    return <Navigate to={`/login${compiledParams}`} replace />;
  }
  if (oauth.active) {
@@ -16,10 +16,14 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import { useOIDCParams } from "@/lib/hooks/oidc";
+import {
  recompileScreenParams,
  useScreenParams,
 } from "@/lib/hooks/screen-params";
 import { useLoginFor } from "@/lib/hooks/login-for";
 export const TotpPage = () => {
-  const { totp } = useUserContext();
+  const { totp, auth } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const formId = useId();
@@ -27,8 +31,12 @@ export const TotpPage = () => {
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri") || undefined;
+  const screenParams = useScreenParams(searchParams);
-  const oidcParams = useOIDCParams(searchParams);
+  const compiledParams = recompileScreenParams(screenParams);
  const loginForUrl = useLoginFor({
    login_for: screenParams.login_for,
    compiledParams,
  });
  const totpMutation = useMutation({
    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -39,14 +47,7 @@ export const TotpPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        if (oidcParams.isOidc) {
+        window.location.replace(loginForUrl);
          window.location.replace(`/authorize?${oidcParams.compiled}`);
          return;
        }
        window.location.replace(
          `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
        );
      }, 500);
    },
    onError: () => {
@@ -65,7 +66,10 @@ export const TotpPage = () => {
  }, [redirectTimer]);
  if (!totp.pending) {
-    return <Navigate to="/" replace />;
+    if (auth.authenticated) {
      return <Navigate to={loginForUrl} replace />;
    }
    return <Navigate to={`/login${compiledParams}`} replace />;
  }
  return (
@@ -1,5 +0,0 @@
 import { z } from "zod";
 export const getOidcClientInfoSchema = z.object({
  name: z.string(),
 });
@@ -57,6 +57,11 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/robots.txt/, ""),
      },
      "/authorize": {
        target: "http://tinyauth-backend:3000/authorize",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/authorize/, ""),
      },
    },
    allowedHosts: true,
  },
@@ -67,15 +67,24 @@ func run() error {
 		Overlay: map[string][]byte{outPath: stub},
 	}
-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
+	repoPkgPath := parentPkg(*driverPkg)
 	pkgs, err := loadMultiplePkgs(cfg, *driverPkg, repoPkgPath)
 	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
+		return fmt.Errorf("load packages: %w", err)
 	}
-	repoPkgPath := parentPkg(*driverPkg)
+	driverTypePkg, ok := pkgs[*driverPkg]
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
+
-	if err != nil {
+	if !ok {
-		return fmt.Errorf("load repo package: %w", err)
+		return fmt.Errorf("driver package %s not found in loaded packages", *driverPkg)
 	}
 	repoTypePkg, ok := pkgs[repoPkgPath]
 	if !ok {
 		return fmt.Errorf("repository package %s not found in loaded packages", repoPkgPath)
 	}
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
@@ -106,25 +115,25 @@ func run() error {
 	return nil
 }
-// loadOnePkg loads a single package via cfg and returns its *types.Package,
+// loadMultiplePkgs loads multiple packages via cfg and returns a map of import path → *types.Package,
-// or an error if the package fails to load or has type errors.
+// or an error if any package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
+func loadMultiplePkgs(cfg *packages.Config, importPaths ...string) (map[string]*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
+	pkgs, err := packages.Load(cfg, importPaths...)
 	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
+		return nil, fmt.Errorf("load %v: %w", importPaths, err)
 	}
-	if len(pkgs) != 1 {
+	out := make(map[string]*types.Package)
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
+	for _, pkg := range pkgs {
 	}
 	pkg := pkgs[0]
 		if len(pkg.Errors) > 0 {
 			msgs := make([]string, len(pkg.Errors))
 			for i, e := range pkg.Errors {
 				msgs[i] = e.Error()
 			}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
+			return nil, fmt.Errorf("package %s has errors:\n  %s", pkg.PkgPath, strings.Join(msgs, "\n  "))
 		}
-	return pkg.Types, nil
+		out[pkg.PkgPath] = pkg.Types
 	}
 	return out, nil
 }
 // parentPkg returns the parent import path (everything before the last /).
@@ -1,6 +1,6 @@
 module github.com/tinyauthapp/tinyauth
-go 1.26.1
+go 1.26.4
 require (
 	charm.land/huh/v2 v2.0.3
@@ -9,22 +9,25 @@ require (
 	github.com/gin-gonic/gin v1.12.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.10.0
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.35.1
 	github.com/steveiliop56/ding v0.2.0
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
-	golang.org/x/crypto v0.50.0
+	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/tools v0.43.0
+	golang.org/x/tools v0.45.0
-	k8s.io/apimachinery v0.36.0
+	k8s.io/apimachinery v0.36.1
-	k8s.io/client-go v0.36.0
+	k8s.io/client-go v0.36.1
-	modernc.org/sqlite v1.50.0
+	modernc.org/sqlite v1.51.0
-	tailscale.com v1.96.5
+	tailscale.com v1.100.0
 )
 require (
@@ -42,19 +45,6 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.29.5 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.58 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.15.0 // indirect
@@ -79,7 +69,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -88,7 +78,7 @@ require (
 	github.com/gaissmai/bart v0.26.1 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
+	github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -106,11 +96,10 @@ require (
 	github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
@@ -137,20 +126,19 @@ require (
 	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
-	github.com/quic-go/quic-go v0.59.0 // indirect
+	github.com/quic-go/quic-go v0.59.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
-	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
+	github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
+	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd // indirect
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -169,12 +157,12 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/mod v0.36.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
@@ -186,7 +174,7 @@ require (
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
-	modernc.org/libc v1.72.0 // indirect
+	modernc.org/libc v1.72.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
@@ -143,6 +143,8 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
 github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
 github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -151,8 +153,8 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
 github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -179,8 +181,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
+github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433 h1:vymEbVwYFP/L05h5TKQxvkXoKxNvTpjxYKdF1Nlwuao=
-github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
+github.com/go-json-experiment/json v0.0.0-20260214004413-d219187c3433/go.mod h1:tphK2c80bpPhMOI4v6bIc2xWywPfbqi1Z06+RcrMkDg=
 github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
 github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -204,6 +206,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go4org/hashtriemap v0.0.0-20251130024219-545ba229f689 h1:0psnKZ+N2IP43/SZC8SKx6OpFJwLmQb9m9QyV9BC2f8=
 github.com/go4org/hashtriemap v0.0.0-20251130024219-545ba229f689/go.mod h1:OGmRfY/9QEK2P5zCRtmqfbCF283xPkU2dvVA4MvbvpI=
 github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737 h1:cf60tHxREO3g1nroKr2osU3JWZsJzkfi7rEg+oAB0Lo=
 github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737/go.mod h1:MIS0jDzbU/vuM9MC4YnBITCv+RYuTRq8dJzmCrFsK9g=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
@@ -212,6 +216,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
@@ -257,8 +263,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
+github.com/jackc/pgx/v5 v5.10.0 h1:VhSvgU2jSli8o3AqIEOTJr7rZwAEUVo4E4XhR94Zfr0=
-github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.10.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -283,8 +289,8 @@ github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUF
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
@@ -374,16 +380,14 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
 github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
 github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.1 h1:0Gmua0HW1Tv7ANR7hUYwRyD0MG5OJfgvYSZasGZzBic=
-github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/quic-go/quic-go v0.59.1/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -396,12 +400,14 @@ github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/steveiliop56/ding v0.2.0 h1:m/Fj99wBpVVLHlpqb2RDJkWubOc5cWJ11ZYCHya3Sk0=
 github.com/steveiliop56/ding v0.2.0/go.mod h1:bE2u2XH7CjhPzbb/0Ems+D8YZlf2Ae+eKhj00UR1iAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -415,14 +421,16 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d h1:JcGKBZAL7ePLwOhUdN8qGQZlP5GueEiIZwY7R62pejE=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89 h1:glgVc1ZYMjwN1Q/ITWeuSQyl029uayagaR2sjsifehc=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89/go.mod h1:wn16Km1EZOX4UEAyaZa3dBwfFGOJ7neck40NcwosJUw=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
@@ -431,8 +439,8 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:U
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
+github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad h1:Ky26FR5yZ5IKEB0xtm5A8xSTb06ImY7kxBFrvgOmJSg=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/wireguard-go v0.0.0-20260527010701-b48af7099cad/go.mod h1:6SerzcvHWQchKO2BfNdmquA77CHSECZuFl+D9fp4RnI=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -489,18 +497,18 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
+golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo=
-golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
+golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -508,16 +516,16 @@ golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
@@ -545,26 +553,26 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 h1:Zy8IV/+FMLxy6j6p87vk/vQGKcdnbprwjTxc8UiUtsA=
 gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0 h1:5SXjd4ET5dYijLaf0O3aOenC0Z4ZafIWSpjUzsQaNho=
+honnef.co/go/tools v0.7.0 h1:w6WUp1VbkqPEgLz4rkBzH/CSU6HkoqNLp6GstyTx3lU=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0/go.mod h1:EPDDhEZqVHhWuPI5zPAsjU0U7v9xNIWjoOVyZ5ZcniQ=
+honnef.co/go/tools v0.7.0/go.mod h1:pm29oPxeP3P82ISxZDgIYeOaf9ta6Pi0EWvCFoLG2vc=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
-k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
+k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
-k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
-k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
+k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
-k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
+k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
-k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
+k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
-modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -573,18 +581,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
-modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
+modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -601,5 +609,5 @@ sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.96.5 h1:gNkfA/KSZAl6jCH9cj8urq00HRWItDDTtGsyATI89jA=
+tailscale.com v1.100.0 h1:nm/M/dEaW9RaRsGUjW2HsSDpsZ60Jwd9k4gNW9tTFiE=
-tailscale.com v1.96.5/go.mod h1:/3lnZBYb2UEwnN0MNu2SDXUtT06AGd5k0s+OWx3WmcY=
+tailscale.com v1.100.0/go.mod h1:DQ9YBy85DpNlSyeU2XRIWzbAu3RsGp/frv+Khg57meE=
@@ -0,0 +1,46 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE "oidc_codes" (
    "sub"            TEXT   NOT NULL UNIQUE,
    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
    "scope"          TEXT   NOT NULL,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope"                    TEXT   NOT NULL,
    "client_id"                TEXT   NOT NULL,
    "token_expires_at"         BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce"                    TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -0,0 +1,28 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce" TEXT NOT NULL DEFAULT '',
    "userinfo_json" TEXT NOT NULL
 );
@@ -0,0 +1,7 @@
 CREATE TABLE IF NOT EXISTS "oidc_consent" (
    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "client_id" TEXT NOT NULL,
    "scopes" TEXT NOT NULL,
    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
@@ -0,0 +1 @@
 DROP TABLE IF EXISTS "oidc_consent";
@@ -0,0 +1,46 @@
 DROP TABLE IF EXISTS "oidc_sessions";
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
    "name"                  TEXT    NOT NULL,
    "preferred_username"    TEXT    NOT NULL,
    "email"                 TEXT    NOT NULL,
    "groups"                TEXT    NOT NULL,
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
@@ -0,0 +1,28 @@
 /*
 This migration will nuke the entire setup of OIDC sessions and merge everything
 into one table.
 */
 /*
 Drop all the old tables. Yes, we will log out all OIDC users, but not really a big deal
 */
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 /*
 Create a new simple OIDC sessions table that will hold tokens + userinfo.
 */
 CREATE TABLE IF NOT EXISTS "oidc_sessions" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "access_token_hash" TEXT NOT NULL UNIQUE,
    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "userinfo_json" TEXT NOT NULL
 );
@@ -0,0 +1 @@
 DROP TABLE IF EXISTS "oidc_consent";
@@ -0,0 +1,7 @@
 CREATE TABLE IF NOT EXISTS "oidc_consent" (
    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "client_id" TEXT NOT NULL,
    "scopes" TEXT NOT NULL,
    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
@@ -13,11 +13,11 @@ import (
 	"os/signal"
 	"sort"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -26,6 +26,12 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 // Shutdown order for go routines
 // 1. Janitor routines (e.g. database cleanup, heartbeat) - ding.RingMinor
 // 2. HTTP server listeners - ding.RingNormal
 // 3. Networking layers, user and label providers (e.g. ailscale service, kubernetes service) - ding.RingMajor
 // 4. Database connection - ding.RingCritical
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
@@ -41,6 +47,7 @@ type Services struct {
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
 	helpers   model.RuntimeHelpers
 	services  Services
 	log       *logger.Logger
 	ctx       context.Context
@@ -48,7 +55,7 @@ type BootstrapApp struct {
 	queries   repository.Store
 	router    *gin.Engine
 	db        *sql.DB
-	wg        sync.WaitGroup
+	ding      *ding.Ding
 	listeners []Listener
 }
@@ -64,6 +71,10 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
 	// Create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
 	// setup logger
 	log := logger.NewLogger().WithConfig(app.config.Log)
 	log.Init()
@@ -97,7 +108,12 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to load users: %w", err)
 	}
 	if users != nil {
 		app.runtime.LocalUsers = *users
 	} else {
 		log.App.Debug().Msg("No local users found, local authentication will not be available")
 		app.runtime.LocalUsers = []model.LocalUser{}
 	}
 	// load oauth whitelist
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
@@ -112,6 +128,13 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.OAuthProviders = app.config.OAuth.Providers
 	for id, provider := range app.runtime.OAuthProviders {
 		providerWhitelist, err := utils.GetStringList(provider.Whitelist, provider.WhitelistFile)
 		if err != nil {
 			return fmt.Errorf("failed to load oauth whitelist for provider %s: %w", id, err)
 		}
 		provider.Whitelist = providerWhitelist
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
@@ -163,9 +186,8 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
 	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
 	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
 	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)
 	// database
 	store, err := app.SetupStore()
@@ -174,15 +196,17 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
-	// after this point, we start initializing dependencies so it's a good time to setup a defer
+	app.ding.Go(func(ctx context.Context) {
-	// to ensure that resources are cleaned up properly in case of an error during initialization
+		<-ctx.Done()
-	defer func() {
+		app.log.App.Debug().Msg("Shutting down database connection")
-		app.cancel()
+		if app.db == nil {
-		app.wg.Wait()
+			// using memory store, no db instance
-		if app.db != nil {
+			return
 			app.db.Close()
 		}
-	}()
+		if err := app.db.Close(); err != nil {
 			app.log.App.Error().Err(err).Msg("Failed to close database connection")
 		}
 	}, ding.RingCritical)
 	// store
 	app.queries = store
@@ -240,6 +264,9 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}
 	// runtime helpers
 	app.helpers.GetCookieDomain = app.getCookieDomain
 	// setup router
 	err = app.setupRouter()
@@ -249,12 +276,12 @@ func (app *BootstrapApp) Setup() error {
 	// start db cleanup routine
 	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.wg.Go(app.dbCleanupRoutine)
+	app.ding.Go(app.dbCleanupRoutine, ding.RingMinor)
 	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
 		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.wg.Go(app.heartbeatRoutine)
+		app.ding.Go(app.heartbeatRoutine, ding.RingMinor)
 	}
 	// setup listeners
@@ -275,6 +302,7 @@ func (app *BootstrapApp) Setup() error {
 	for {
 		select {
 		case <-app.ctx.Done():
 			app.ding.Wait()
 			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
 			return nil
 		case err := <-lec:
@@ -285,7 +313,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 }
-func (app *BootstrapApp) heartbeatRoutine() {
+func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
@@ -338,7 +366,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 			if res.StatusCode != 200 && res.StatusCode != 201 {
 				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 			}
-		case <-app.ctx.Done():
+		case <-ctx.Done():
 			app.log.App.Debug().Msg("Stopping heartbeat routine")
 			ticker.Stop()
 			return
@@ -346,7 +374,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	}
 }
-func (app *BootstrapApp) dbCleanupRoutine() {
+func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
@@ -355,14 +383,14 @@ func (app *BootstrapApp) dbCleanupRoutine() {
 		case <-ticker.C:
 			app.log.App.Debug().Msg("Running database cleanup")
-			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
+			err := app.queries.DeleteExpiredSessions(ctx, time.Now().Unix())
 			if err != nil {
 				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
 			}
 			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-app.ctx.Done():
+		case <-ctx.Done():
 			app.log.App.Debug().Msg("Stopping database cleanup routine")
 			ticker.Stop()
 			return
@@ -0,0 +1,55 @@
 package bootstrap
 import (
 	"context"
 	"errors"
 	"fmt"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 )
 // Not really the best place for the helpers to be but it works because bootstrap app provides
 // them with everything they need
 func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
 	cookieDomain := app.runtime.CookieDomain
 	if app.isTailscaleRequest(ctx, ip) {
 		if app.services.tailscaleService == nil {
 			return "", errors.New("tailscale service is not configured")
 		}
 		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
 		if err != nil {
 			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
 		}
 		cookieDomain = tsCookieDomain
 	}
 	if app.config.Auth.SubdomainsEnabled {
 		cookieDomain = "." + cookieDomain
 	}
 	return cookieDomain, nil
 }
 func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
 	if app.services.tailscaleService == nil {
 		return false
 	}
 	whois, err := app.services.tailscaleService.Whois(ctx, ip)
 	if err != nil {
 		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
 		return false
 	}
 	if whois == nil {
 		return false
 	}
 	return true
 }
@@ -9,6 +9,7 @@ import (
 	"os"
 	"time"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -57,8 +58,8 @@ func (app *BootstrapApp) setupRouter() error {
 	apiRouter := engine.Group("/api")
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
+	controller.NewOAuthController(app.log, app.config, app.runtime, app.helpers, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, app.helpers, app.config, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
@@ -80,9 +81,9 @@ func (app *BootstrapApp) runListeners() (chan error, error) {
 			return nil, fmt.Errorf("failed to get listener function: %w", err)
 		}
-		app.wg.Go(func() {
+		app.ding.Go(func(ctx context.Context) {
-			lec <- listenerFunc()
+			lec <- listenerFunc(ctx)
-		})
+		}, ding.RingNormal)
 	}
 	return lec, nil
@@ -125,7 +126,7 @@ func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 	return l
 }
-func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error, error) {
+func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx context.Context) error, error) {
 	switch listenerType {
 	case ListenerHTTP:
 		return app.serveHTTP, nil
@@ -138,7 +139,7 @@ func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error,
 	}
 }
-func (app *BootstrapApp) serveHTTP() error {
+func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 	app.log.App.Info().Msgf("Starting server on %s", address)
@@ -154,10 +155,10 @@ func (app *BootstrapApp) serveHTTP() error {
 		Handler: app.router.Handler(),
 	}
-	return app.serve(listener, server, "http")
+	return app.serve(listener, server, ctx, "http")
 }
-func (app *BootstrapApp) serveUnix() error {
+func (app *BootstrapApp) serveUnix(ctx context.Context) error {
 	_, err := os.Stat(app.config.Server.SocketPath)
 	if err == nil {
@@ -181,10 +182,10 @@ func (app *BootstrapApp) serveUnix() error {
 		Handler: app.router.Handler(),
 	}
-	return app.serve(listener, server, "unix socket")
+	return app.serve(listener, server, ctx, "unix socket")
 }
-func (app *BootstrapApp) serveTailscale() error {
+func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
 	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
 	listener, err := app.services.tailscaleService.CreateListener()
@@ -197,27 +198,23 @@ func (app *BootstrapApp) serveTailscale() error {
 		Handler: app.router.Handler(),
 	}
-	return app.serve(listener, server, "tailscale")
+	return app.serve(listener, server, ctx, "tailscale")
 }
-func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, name string) error {
+func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, ctx context.Context, name string) error {
 	shutdown := func() {
-		ctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
+		// we use a new context for the shutdown since the main one is cancelled
 		sctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
 		defer cancel()
-		err := server.Shutdown(ctx)
+		err := server.Shutdown(sctx)
-		if err != nil &&
+		if err != nil {
 			// With tailscale, the goroutine for shutting down the tailscale connection
 			// runs first and causes the connection the tailscale listener is running on to close
 			// first so, the shutdown fails
 			// TODO: add priority to the goroutine shutdowns
 			!errors.Is(err, net.ErrClosed) {
 			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
 		}
 		listener.Close()
 	}
 	go func() {
-		<-app.ctx.Done()
+		<-ctx.Done()
 		app.log.App.Debug().Msgf("Shutting down %s listener", name)
 		shutdown()
 	}()
@@ -2,14 +2,13 @@ package bootstrap
 import (
 	"fmt"
 	"os"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 )
 func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
@@ -23,7 +22,7 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
@@ -43,10 +42,10 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
@@ -70,7 +69,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
-			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
 			if err != nil {
 				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
@@ -82,7 +81,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		app.log.App.Debug().Msg("Using Docker label provider")
-		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
@@ -127,6 +126,7 @@ func (app *BootstrapApp) setupPolicyEngine() error {
 	})
 	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
 		Log:    app.log,
 		Config: app.config,
 	})
 	app.services.policyEngine = policyEngine
@@ -1,5 +1,12 @@
 package controller
 type FrontendLoginFor string
 const (
 	FrontendLoginForOIDC FrontendLoginFor = "oidc"
 	FrontendLoginForApp  FrontendLoginFor = "app"
 )
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
@@ -9,4 +16,5 @@ type UnauthorizedQuery struct {
 type RedirectQuery struct {
 	RedirectURI string           `url:"redirect_uri"`
 	LoginFor    FrontendLoginFor `url:"login_for"`
 }
@@ -24,6 +24,7 @@ type OAuthController struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
 	helpers model.RuntimeHelpers
 	auth    *service.AuthService
 }
@@ -31,6 +32,7 @@ func NewOAuthController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
 	helpers model.RuntimeHelpers,
 	router *gin.RouterGroup,
 	auth *service.AuthService,
 ) *OAuthController {
@@ -38,6 +40,7 @@ func NewOAuthController(
 		log:     log,
 		config:  config,
 		runtime: runtimeConfig,
 		helpers: helpers,
 		auth:    auth,
 	}
@@ -61,7 +64,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
-	var reqParams service.OAuthURLParams
+	var reqParams service.OAuthCallbackParams
 	err = c.BindQuery(&reqParams)
@@ -83,7 +86,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		}
 	}
-	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
@@ -105,7 +108,18 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
 		})
 		return
 	}
 	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -135,7 +149,15 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
@@ -183,9 +205,23 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
-	if !controller.auth.IsEmailWhitelisted(user.Email) {
+	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if svc.ID() != req.Provider {
 		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if !controller.auth.IsEmailWhitelisted(svc.ID(), user.Email) {
 		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		controller.log.AuditLoginFailure(user.Email, svc.ID(), c.ClientIP(), "email not whitelisted")
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
@@ -226,20 +262,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if svc.ID() != req.Provider {
 		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,
@@ -252,7 +274,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	controller.log.App.Debug().Msg("Creating session cookie for user")
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -272,13 +294,14 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/oidc/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 			LoginFor:    FrontendLoginForApp,
 		})
 		if err != nil {
@@ -294,16 +317,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
-func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
+func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
-	return params.Scope != "" &&
+	return params.LoginFor == string(FrontendLoginForOIDC)
 		params.ResponseType != "" &&
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
 func (controller *OAuthController) getCookieDomain() string {
 	if controller.config.Auth.SubdomainsEnabled {
 		return "." + controller.runtime.CookieDomain
 	}
 	return controller.runtime.CookieDomain
 }
@@ -1,25 +1,40 @@
 package controller
 import (
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 type authorizeErrorParams struct {
 	err           error
 	reason        string
 	reasonPublic  string
 	callback      string
 	callbackError string
 	state         string
 	json          bool
 }
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
 	runtime model.RuntimeConfig
 	helpers model.RuntimeHelpers
 	config  model.Config
 }
 type AuthorizeCallback struct {
@@ -56,20 +71,39 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 type AuthorizeScreenParams struct {
 	LoginFor        FrontendLoginFor `url:"login_for"`
 	OIDCTicket      string           `url:"oidc_ticket"`
 	OIDCScope       string           `url:"oidc_scope"`
 	OIDCName        string           `url:"oidc_name"`
 	OIDCShowConsent bool             `url:"oidc_show_consent"`
 }
 type AuthorizeCompleteRequest struct {
 	Ticket string `json:"ticket" binding:"required"`
 }
 func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup) *OIDCController {
+	helpers model.RuntimeHelpers,
 	config model.Config,
 	router *gin.RouterGroup,
 	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
 		helpers: helpers,
 		config:  config,
 	}
 	mainRouter.POST("/authorize", controller.authorize)
 	mainRouter.GET("/authorize", controller.authorize)
 	oidcGroup := router.Group("/oidc")
-	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
+	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
@@ -77,24 +111,27 @@ func NewOIDCController(
 	return controller
 }
-func (controller *OIDCController) GetClientInfo(c *gin.Context) {
+// This endpoint does **not** return a code, it handles param validation, ticket creation
 // and then redirects to the frontend to handle the consent screen. It performs no destructive
 // actions (like logging out an existing session)
 func (controller *OIDCController) authorize(c *gin.Context) {
 	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
+		controller.authorizeError(c, authorizeErrorParams{
-		c.JSON(500, gin.H{
+			err:          errors.New("err_oidc_not_configured"),
-			"status":  500,
+			reason:       "OIDC not configured",
-			"message": "OIDC not configured",
+			reasonPublic: "This instance is not configured for OIDC",
 		})
 		return
 	}
-	var req ClientRequest
+	req, err := controller.resolveAuthorizeRequest(c)
 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Warn().Err(err).Msg("Failed to resolve authorize request")
-		c.JSON(400, gin.H{
+		controller.authorizeError(c, authorizeErrorParams{
-			"status":  400,
+			err:          err,
-			"message": "Bad Request",
+			reason:       "Failed to resolve authorize request",
 			reasonPublic: "The authorization request is invalid",
 		})
 		return
 	}
@@ -102,108 +139,215 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
-		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
+		controller.authorizeError(c, authorizeErrorParams{
-		c.JSON(404, gin.H{
+			err:          fmt.Errorf("client not found: %s", req.ClientID),
-			"status":  404,
+			reason:       "Client not found",
-			"message": "Client not found",
+			reasonPublic: "The client ID is invalid",
 		})
 		return
 	}
-	c.JSON(200, gin.H{
+	err = controller.oidc.ValidateAuthorizeParams(*req)
-		"status": 200,
+
-		"client": client.ClientID,
+	if err != nil {
-		"name":   client.Name,
+		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, authorizeErrorParams{
 				err:           err,
 				reason:        "Failed validate authorize params",
 				reasonPublic:  "Invalid request parameters",
 				callback:      req.RedirectURI,
 				callbackError: err.Error(),
 				state:         req.State,
 			})
 			return
 		}
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Redirect URI not trusted",
 			reasonPublic: "The provided redirect URI is not trusted",
 		})
 		return
 	}
-func (controller *OIDCController) Authorize(c *gin.Context) {
+	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 	// Check if we have consented before for this client and scope
 	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
 	showConsent := true
 	if err == nil {
 		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
 		if err == nil && consentEntry != nil {
 			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
 				showConsent = false
 			}
 		} else {
 			if !errors.Is(err, sql.ErrNoRows) {
 				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
 			}
 		}
 	}
 	queries, err := query.Values(AuthorizeScreenParams{
 		LoginFor:        FrontendLoginForOIDC,
 		OIDCTicket:      ticket,
 		OIDCScope:       req.Scope,
 		OIDCName:        client.Name,
 		OIDCShowConsent: showConsent,
 	})
 	if err != nil {
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to compile authorize queries",
 			reasonPublic: "An internal error occured while processing your request",
 		})
 		return
 	}
 	redirectUrl := fmt.Sprintf("%s/oidc/authorize?%s", controller.oidc.GetIssuer(), queries.Encode())
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 // The actual **internal** endpoint that actually creates the code and session.
 // It is called by the frontend after the user has logged in and given consent.
 func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 	if controller.oidc == nil {
-		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
+		// For this endpoint we return JSON errors since it's called
 		// by the frontend and not an external client, so there's
 		// no redirect_uri to send the user to in case of error
 		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
 			reason:       "OIDC not configured",
 			reasonPublic: "This instance is not configured for OIDC",
 			json:         true,
 		})
 		return
 	}
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to get user context",
 			reasonPublic: "User is not logged in or the session is invalid",
 			json:         true,
 		})
 		return
 	}
 	if !userContext.Authenticated {
-		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 			json:         true,
 		})
 		return
 	}
-	var req service.AuthorizeRequest
+	var req AuthorizeCompleteRequest
 	err = c.BindJSON(&req)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to bind JSON", "The client provided an invalid authorization request", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 			json:         true,
 		})
 		return
 	}
-	client, ok := controller.oidc.GetClient(req.ClientID)
+	authorizeReq, ok := controller.oidc.GetAuthorizeRequestByTicket(req.Ticket)
 	if !ok {
-		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("authorize request not found for ticket"),
 			reason:       "Invalid or expired ticket",
 			reasonPublic: "The authorization request has expired or is invalid",
 			json:         true,
 		})
 		return
 	}
-	err = controller.oidc.ValidateAuthorizeParams(req)
+	// We no longer need the ticket
 	controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
-	if err != nil {
+	// Create the sub to find and delete old sessions
-		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
+	sub := controller.oidc.CreateSub(*userContext, authorizeReq.ClientID)
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
 		}
 		controller.authorizeError(c, err, "Redirect URI not trusted", "The provided redirect URI is not trusted", "", "", "")
 		return
 	}
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
 	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
 	code := utils.GenerateString(32)
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to delete old sessions", "Failed to delete old sessions", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
 			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
 			state:         authorizeReq.State,
 			json:          true,
 		})
 		return
 	}
-	err = controller.oidc.StoreCode(c, sub, code, req)
+	// Create the authorization code
-
+	code := controller.oidc.CreateCode(*authorizeReq, *userContext)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to store code", "Failed to store code", req.RedirectURI, "server_error", req.State)
 		return
 	}
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
 	}
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
-		State: req.State,
+		State: authorizeReq.State,
 	})
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to build query", "Failed to build query", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
 			callback:      authorizeReq.RedirectURI,
 			callbackError: "server_error",
 			state:         authorizeReq.State,
 			json:          true,
 		})
 		return
 	}
 	// Just before returning let's set the consent cookie
 	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
 	// If we fail to create the consent entry, we don't want to block the authorization flow,
 	// but we log the error and move on without setting the cookie
 	if err == nil {
 		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
 		if err == nil {
 			cookie := &http.Cookie{
 				Name:     controller.runtime.ConsentCookieName,
 				Value:    consnetUUID,
 				Path:     "/",
 				Domain:   cookieDomain,
 				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
 				Secure:   controller.config.Auth.SecureCookie,
 				HttpOnly: true,
 				SameSite: http.SameSiteLaxMode,
 			}
 			http.SetCookie(c.Writer, cookie)
 		} else {
 			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
 		}
 	} else {
 		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
 	}
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
+		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
 	})
 }
@@ -285,38 +429,33 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	switch req.GrantType {
 	case "authorization_code":
-		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
+		entry, ok := controller.oidc.GetCodeEntry(controller.oidc.Hash(req.Code), client.ClientID)
 		if !ok {
 			// ensure no code reuse
 			usedCodeSub, ok := controller.oidc.IsCodeUsed(controller.oidc.Hash(req.Code))
 			if ok {
 				controller.log.App.Warn().Msg("Code reuse detected")
 				err := controller.oidc.DeleteSessionBySub(c, usedCodeSub)
 				if err != nil {
-			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
+					controller.log.App.Error().Err(err).Msg("Failed to delete session for reused code")
 				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 				}
-			if errors.Is(err, service.ErrCodeNotFound) {
+				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			controller.log.App.Warn().Msg("Code not found")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
-			if errors.Is(err, service.ErrCodeExpired) {
+
-				controller.log.App.Warn().Msg("Code expired")
+		// mark code as used to prevent reuse
-				c.JSON(400, gin.H{
+		controller.oidc.MarkCodeAsUsed(controller.oidc.Hash(req.Code), entry.Userinfo.Sub)
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
 				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
 			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		if entry.RedirectURI != req.RedirectURI {
 			controller.log.App.Warn().Msg("Redirect URI does not match")
@@ -326,7 +465,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
+		ok = controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 		if !ok {
 			controller.log.App.Warn().Msg("PKCE validation failed")
@@ -336,7 +475,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
+		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, *entry)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
@@ -346,7 +485,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = tokenRes
+		tokenResponse = *tokenRes
 	case "refresh_token":
 		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
@@ -374,7 +513,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenResponse = tokenRes
+		tokenResponse = *tokenRes
 	}
 	c.Header("cache-control", "no-store")
@@ -438,7 +577,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
+	entry, err := controller.oidc.GetSessionByToken(c, controller.oidc.Hash(token))
 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
@@ -457,15 +596,17 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	}
 	// If we don't have the openid scope, return an error
-	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
+	if !slices.Contains(strings.Split(entry.Scope, " "), "openid") {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
 		return
 	}
-	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
+	var userinfo service.UserinfoResponse
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userinfo)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get user info")
@@ -475,46 +616,55 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}
-	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
+	c.JSON(200, controller.oidc.CompileUserinfo(userinfo, entry.Scope))
 }
-func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
+func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
-	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
+	controller.log.App.Error().Err(params.err).Str("reason", params.reason).Msg("Authorization error")
-	if callback != "" {
+	if params.callback != "" {
 		errorQueries := CallbackError{
-			Error: callbackError,
+			Error: params.callbackError,
 		}
-		if reasonUser != "" {
+		if params.reasonPublic != "" {
-			errorQueries.ErrorDescription = reasonUser
+			errorQueries.ErrorDescription = params.reasonPublic
 		}
-		if state != "" {
+		if params.state != "" {
-			errorQueries.State = state
+			errorQueries.State = params.state
 		}
 		queries, err := query.Values(errorQueries)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to build callback error query")
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
 		redirectUrl := fmt.Sprintf("%s?%s", params.callback, queries.Encode())
 		if params.json {
 			c.JSON(200, gin.H{
 				"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", callback, queries.Encode()),
+				"redirect_uri": redirectUrl,
 			})
 			return
 		}
 		c.Redirect(http.StatusFound, redirectUrl)
 		return
 	}
 	errorQueries := ErrorScreen{
-		Error: reasonUser,
+		Error: params.reasonPublic,
 	}
 	queries, err := query.Values(errorQueries)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to build error query")
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
@@ -527,8 +677,61 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
 	}
 	if params.json {
 		c.JSON(200, gin.H{
 			"status":       200,
 			"redirect_uri": redirectUrl,
 		})
 		return
 	}
 	c.Redirect(http.StatusFound, redirectUrl)
 }
 func (controller *OIDCController) resolveAuthorizeRequest(c *gin.Context) (*service.AuthorizeRequest, error) {
 	// step 1: if we have a request object, decode it and ignore other params. If not, bind the params as usual
 	// we check both query and form parameters for the request object since this endpoint can be called with both GET and POST
 	requestObject, err := controller.resolveRequestObject(c)
 	if err != nil {
 		return nil, err
 	}
 	if requestObject != nil {
 		return requestObject, nil
 	}
 	// step 2: by default we assume normal GET query parameters
 	// step 3: if it's a POST request, we try form parameters
 	return controller.resolveNormalParams(c)
 }
 func (controller *OIDCController) resolveRequestObject(c *gin.Context) (*service.AuthorizeRequest, error) {
 	raw := c.Query("request")
 	if raw == "" && c.Request.Method == http.MethodPost {
 		raw = c.PostForm("request")
 	}
 	if raw == "" {
 		return nil, nil
 	}
 	return controller.oidc.DecodeAuthorizeJWT(raw)
 }
 func (controller *OIDCController) resolveNormalParams(c *gin.Context) (*service.AuthorizeRequest, error) {
 	var req service.AuthorizeRequest
 	bind := binding.Query
 	if c.Request.Method == http.MethodPost {
 		bind = binding.Form
 	}
 	if err := c.ShouldBindWith(&req, bind); err != nil {
 		return nil, err
 	}
 	return &req, nil
 }
@@ -160,7 +160,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
-		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		// No user context found is not an issue
 		if !errors.Is(err, model.ErrUserContextNotFound) {
 			controller.log.App.Error().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
 		}
 		userContext = &model.UserContext{
 			Authenticated: false,
 		}
@@ -272,6 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 		LoginFor:    FrontendLoginForApp,
 	})
 	if err != nil {
@@ -3,10 +3,11 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
-	"sync"
+	"net/url"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -23,6 +24,8 @@ func TestProxyController(t *testing.T) {
 	cfg, runtime := test.CreateTestConfigs(t)
 	helpers := test.CreateTestHelpers()
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
@@ -76,7 +79,9 @@ func TestProxyController(t *testing.T) {
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -89,7 +94,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -103,7 +110,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -119,7 +128,9 @@ func TestProxyController(t *testing.T) {
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -134,7 +145,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2F", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -150,7 +163,9 @@ func TestProxyController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
-				assert.Equal(t, "https://tinyauth.example.com/login?redirect_uri=https%3A%2F%2Ftest.example.com%2Fhello", location)
+				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
 				assert.Contains(t, location, "https://tinyauth.example.com/login")
 			},
 		},
 		{
@@ -353,11 +368,10 @@ func TestProxyController(t *testing.T) {
 	store := memory.New()
 	wg := &sync.WaitGroup{}
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
 	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 	aclsService := service.NewAccessControlsService(log, cfg, nil)
 	policyEngine, err := service.NewPolicyEngine(cfg, log)
@@ -383,6 +397,8 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
 	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			router := gin.Default()
@@ -150,7 +150,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
-			})
+			}, c.RemoteIP())
 			if err != nil {
 				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
@@ -195,7 +195,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
@@ -246,7 +246,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 		return
 	}
-	cookie, err := controller.auth.DeleteSession(c, uuid)
+	cookie, err := controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
@@ -350,7 +350,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 	if err == nil {
-		_, err = controller.auth.DeleteSession(c, uuid)
+		_, err = controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
@@ -374,7 +374,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
@@ -424,7 +424,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 		Provider: "tailscale",
 	}
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
@@ -6,12 +6,12 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"sync"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -29,6 +29,8 @@ func TestUserController(t *testing.T) {
 	cfg, runtime := test.CreateTestConfigs(t)
 	helpers := test.CreateTestHelpers()
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
@@ -412,14 +414,17 @@ func TestUserController(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
 	policyEngine, err := service.NewPolicyEngine(cfg, log)
 	require.NoError(t, err)
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 	beforeEach := func() {
 		// Clear failed login attempts before each test
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 	}
 	for _, test := range tests {
@@ -5,10 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
 	"sync"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -89,11 +89,11 @@ func TestWellKnownController(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
 	store := memory.New()
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, ctx, wg)
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -205,13 +205,13 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
-		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
+		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid)
+			m.auth.DeleteSession(ctx, uuid, ip)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
-	cookie, err := m.auth.RefreshSession(ctx, uuid)
+	cookie, err := m.auth.RefreshSession(ctx, uuid, ip)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)
@@ -251,6 +251,10 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 	case model.UserLocal:
 		user := m.auth.GetLocalUser(username)
 		if user == nil {
 			return nil, nil, fmt.Errorf("user not found locally: %s", username)
 		}
 		if user.TOTPSecret != "" {
 			return nil, nil, fmt.Errorf("user with totp not allowed to login via basic auth: %s", username)
 		}
@@ -322,11 +326,6 @@ func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*mod
 			Name:     whois.DisplayName,
 		},
 		UserID: whois.UserID,
 		Tags:   whois.Tags,
 	}
 	if !strings.ContainsAny(uctx.Email, "@") {
 		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
 	}
 	return &uctx, nil
@@ -5,11 +5,11 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
 	"sync"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
@@ -27,6 +27,8 @@ func TestContextMiddleware(t *testing.T) {
 	cfg, runtime := test.CreateTestConfigs(t)
 	helpers := test.CreateTestHelpers()
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
@@ -250,17 +252,20 @@ func TestContextMiddleware(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
 	store := memory.New()
 	policyEngine, err := service.NewPolicyEngine(cfg, log)
 	require.NoError(t, err)
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 	for _, test := range tests {
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 		t.Run(test.description, func(t *testing.T) {
 			gin.SetMode(gin.TestMode)
@@ -38,7 +38,7 @@ func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 		switch strings.SplitN(path, "/", 2)[0] {
-		case "api", "resources", ".well-known":
+		case "api", "resources", ".well-known", "authorize":
 			c.Next()
 			return
 		case "robots.txt":
@@ -62,9 +62,6 @@ func NewDefaultConfiguration() *Config {
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
 		Tailscale: TailscaleConfig{
 			Dir: "./tailscale_state",
 		},
@@ -88,6 +85,7 @@ type Config struct {
 	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
 	ConfigFile    string             `description:"Path to config file." yaml:"-"`
 }
 type DatabaseConfig struct {
@@ -156,6 +154,7 @@ type AddressClaim struct {
 type IPConfig struct {
 	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
 	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
 	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication entirely." yaml:"bypass"`
 }
 type OAuthConfig struct {
@@ -182,6 +181,7 @@ type LDAPConfig struct {
 	Address      	 string `description:"LDAP server address." yaml:"address"`
 	BindDN       	 string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
 	BindPassword  	 string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
 	BindPasswordFile string `description:"Path to the Bind password." yaml:"bindPasswordFile"`
 	BaseDN       	 string `description:"Base DN for LDAP searches." yaml:"baseDn"`
 	Insecure     	 bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
 	SearchFilter 	 string `description:"LDAP search filter." yaml:"searchFilter"`
@@ -207,9 +207,8 @@ type LogStreamConfig struct {
 	Level   string `description:"Log level for this stream. Use global if empty." yaml:"level"`
 }
-type ExperimentalConfig struct {
+// no experimental features
-	ConfigFile string `description:"Path to config file." yaml:"-"`
+type ExperimentalConfig struct{}
 }
 type TailscaleConfig struct {
 	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
@@ -225,6 +224,8 @@ type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
 	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
 	Whitelist        []string `description:"Comma-separated list of allowed OAuth domains for this provider." yaml:"whitelist"`
 	WhitelistFile    string   `description:"Path to the OAuth whitelist file for this provider." yaml:"whitelistFile"`
 	Scopes           []string `description:"OAuth scopes." yaml:"scopes"`
 	RedirectURL      string   `description:"OAuth redirect URL." yaml:"redirectUrl"`
 	AuthURL          string   `description:"OAuth authorization URL." yaml:"authUrl"`
@@ -18,8 +18,7 @@ var OverrideProviders = map[string]string{
 }
 const SessionCookieName = "tinyauth-session"
 const CSRFCookieName = "tinyauth-csrf"
 const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
 const ConsentCookieName = "tinyauth-consent"
 const GracefulShutdownTimeout = 5 // seconds
@@ -59,8 +59,6 @@ type LDAPContext struct {
 type TailscaleContext struct {
 	BaseContext
 	UserID string
 	// for future use
 	Tags []string
 }
 func (c *UserContext) IsAuthenticated() bool {
@@ -1,13 +1,14 @@
 package model
 import "context"
 type RuntimeConfig struct {
 	AppURL                 string
 	UUID                   string
 	CookieDomain           string
 	SessionCookieName      string
 	CSRFCookieName         string
 	RedirectCookieName     string
 	OAuthSessionCookieName string
 	ConsentCookieName      string
 	LocalUsers             []LocalUser
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
@@ -16,6 +17,10 @@ type RuntimeConfig struct {
 	TrustedDomains         []string
 }
 type RuntimeHelpers struct {
 	GetCookieDomain func(ctx context.Context, ip string) (string, error)
 }
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`
@@ -101,363 +101,251 @@ func TestMemoryStore(t *testing.T) {
 			},
 		},
 		{
-			description: "Create and get OIDC code",
+			description: "Create and get OIDC session",
 			run: func(t *testing.T, s repository.Store) {
-				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
+				sess, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:              "sub-1",
-					CodeHash: "hash-1",
+					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 					Scope:            "openid",
 				})
 				require.NoError(t, err)
-				assert.Equal(t, "sub-1", code.Sub)
+				assert.Equal(t, "sub-1", sess.Sub)
-				// destructive read removes the record
+				got, err := s.GetOIDCSessionBySub(ctx, "sub-1")
 				got, err := s.GetOidcCode(ctx, "hash-1")
 				require.NoError(t, err)
-				assert.Equal(t, code, got)
+				assert.Equal(t, sess, got)
-
+			},
-				_, err = s.GetOidcCode(ctx, "hash-1")
+		},
 		{
 			description: "Get OIDC session by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC code not found",
+			description: "Get OIDC session by access token hash",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCode(ctx, "missing")
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// destructive — gone after read
 				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "hash-1", got.CodeHash)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC code unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
 			},
 		},
 		{
 			description: "Delete OIDC code",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC codes",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
 				require.NoError(t, err)
 				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
 				require.NoError(t, err)
 				require.Len(t, deleted, 1)
 				assert.Equal(t, "hash-1", deleted[0].CodeHash)
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC token",
 			run: func(t *testing.T, s repository.Store) {
 				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-hash-1",
 					CodeHash:        "code-hash-1",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", tok.Sub)
 				got, err := s.GetOidcToken(ctx, "at-hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, tok, got)
 			},
 		},
 		{
 			description: "Get OIDC token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC token unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
 			},
 		},
 		{
 			description: "Get OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
+				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
-			description: "Get OIDC token by refresh token not found",
+			description: "Get OIDC session by access token hash not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
+				_, err := s.GetOIDCSessionByAccessTokenHash(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Get OIDC token by sub",
+			description: "Get OIDC session by refresh token hash",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 				})
 				require.NoError(t, err)
 				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "at-1", got.AccessTokenHash)
 			},
 		},
 		{
 			description: "Get OIDC token by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcTokenBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Update OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
-				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
+				got, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "rt-1")
-					RefreshTokenHash_2:    "rt-1",
+				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
 			description: "Get OIDC session by refresh token hash not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOIDCSessionByRefreshTokenHash(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC session unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.sub")
 			},
 		},
 		{
 			description: "Create OIDC session unique access token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-1", RefreshTokenHash: "rt-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.access_token_hash")
 			},
 		},
 		{
 			description: "Create OIDC session unique refresh token hash constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-1"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 			},
 		},
 		{
 			description: "Update OIDC session",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
 				updated, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
 					Sub:                   "sub-1",
 					AccessTokenHash:       "at-2",
 					RefreshTokenHash:      "rt-2",
 					Scope:                 "openid profile",
 					TokenExpiresAt:        200,
 					RefreshTokenExpiresAt: 400,
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "at-2", updated.AccessTokenHash)
 				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
 				assert.Equal(t, "openid profile", updated.Scope)
-				// old key gone, new key present
+				// updated token hashes are now queryable, old ones are gone
-				_, err = s.GetOidcToken(ctx, "at-1")
+				got, err := s.GetOIDCSessionByAccessTokenHash(ctx, "at-2")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				got, err := s.GetOidcToken(ctx, "at-2")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
-			},
+
-		},
+				_, err = s.GetOIDCSessionByAccessTokenHash(ctx, "at-1")
 		{
 			description: "Update OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 					RefreshTokenHash_2: "missing",
 				})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete OIDC token",
+			description: "Update OIDC session not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
+				_, err := s.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{Sub: "missing"})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC session by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1"})
 				require.NoError(t, err)
-				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
+				require.NoError(t, s.DeleteOIDCSessionBySub(ctx, "sub-1"))
-				_, err = s.GetOidcToken(ctx, "at-1")
+				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete OIDC token by sub",
+			description: "Delete expired OIDC sessions",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token by code hash",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 					CodeHash:        "code-1",
 				})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC tokens",
 			run: func(t *testing.T, s repository.Store) {
 				// both expiries past
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err := s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
-					Sub: "sub-1", AccessTokenHash: "at-1",
+					Sub: "sub-1", AccessTokenHash: "at-1", RefreshTokenHash: "rt-1",
 					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
 				})
 				require.NoError(t, err)
 				// valid
-				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+				_, err = s.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
-					Sub: "sub-3", AccessTokenHash: "at-3",
+					Sub: "sub-2", AccessTokenHash: "at-2", RefreshTokenHash: "rt-2",
 					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
 				})
 				require.NoError(t, err)
-				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+				require.NoError(t, s.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
 					TokenExpiresAt:        50,
 					RefreshTokenExpiresAt: 50,
-				})
+				}))
 				require.NoError(t, err)
 				assert.Len(t, deleted, 1)
-				_, err = s.GetOidcToken(ctx, "at-3")
+				_, err = s.GetOIDCSessionBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				_, err = s.GetOIDCSessionBySub(ctx, "sub-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
-			description: "Create and get OIDC user info",
+			description: "Create and get OIDC consent",
 			run: func(t *testing.T, s repository.Store) {
-				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
+				consent, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{
-					Sub:   "sub-1",
+					UUID:     "uuid-1",
-					Name:  "Alice",
+					ClientID: "client-1",
-					Email: "alice@example.com",
+					Scopes:   "openid profile",
 				})
 				require.NoError(t, err)
-				assert.Equal(t, "sub-1", u.Sub)
+				assert.Equal(t, "uuid-1", consent.UUID)
 				assert.Equal(t, "client-1", consent.ClientID)
 				assert.Equal(t, "openid profile", consent.Scopes)
-				got, err := s.GetOidcUserInfo(ctx, "sub-1")
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
 				require.NoError(t, err)
-				assert.Equal(t, u, got)
+				assert.Equal(t, consent, got)
 			},
 		},
 		{
-			description: "Get OIDC user info not found",
+			description: "Get OIDC consent by UUID not found",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcUserInfo(ctx, "missing")
+				_, err := s.GetOIDCConsentByUUID(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
-			description: "Delete OIDC user info",
+			description: "Create OIDC consent unique UUID constraint",
 			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
 				require.NoError(t, err)
-				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
+				_, err = s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-2", Scopes: "profile"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_consent.uuid")
 			},
 		},
 		{
 			description: "Update OIDC consent",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
 				require.NoError(t, err)
-				_, err = s.GetOidcUserInfo(ctx, "sub-1")
+				updated, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
 					UUID:   "uuid-1",
 					Scopes: "profile email",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "profile email", updated.Scopes)
 				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
 				require.NoError(t, err)
 				assert.Equal(t, updated, got)
 			},
 		},
 		{
 			description: "Update OIDC consent not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{UUID: "missing"})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC consent by UUID",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOIDCConsentByUUID(ctx, "uuid-1"))
 				_, err = s.GetOIDCConsentByUUID(ctx, "uuid-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
@@ -7,235 +7,134 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
-func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCSession(_ context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	// Enforce sub UNIQUE constraint
+	// Enforce UNIQUE constraints (sub is the primary key, access/refresh token hashes are unique).
-	for _, c := range s.oidcCodes {
+	for _, sess := range s.oidcSessions {
-		if c.Sub == arg.Sub {
+		switch {
-			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
+		case sess.Sub == arg.Sub:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.sub")
 		case sess.AccessTokenHash == arg.AccessTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.access_token_hash")
 		case sess.RefreshTokenHash == arg.RefreshTokenHash:
 			return repository.OidcSession{}, fmt.Errorf("UNIQUE constraint failed: oidc_sessions.refresh_token_hash")
 		}
 	}
-	code := repository.OidcCode(arg)
+	sess := repository.OidcSession(arg)
-	s.oidcCodes[arg.CodeHash] = code
+	s.oidcSessions[arg.Sub] = sess
-	return code, nil
+	return sess, nil
 }
-// GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
+func (s *Store) GetOIDCSessionBySub(_ context.Context, sub string) (repository.OidcSession, error) {
 func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
 		return repository.OidcCode{}, repository.ErrNotFound
 	}
 	delete(s.oidcCodes, codeHash)
 	return c, nil
 }
 // GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
 func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 // GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	c, ok := s.oidcCodes[codeHash]
+	sess, ok := s.oidcSessions[sub]
 	if !ok {
-		return repository.OidcCode{}, repository.ErrNotFound
+		return repository.OidcSession{}, repository.ErrNotFound
 	}
-	return c, nil
+	return sess, nil
 }
-// GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
+func (s *Store) GetOIDCSessionByAccessTokenHash(_ context.Context, accessTokenHash string) (repository.OidcSession, error) {
 func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	for _, c := range s.oidcCodes {
+	for _, sess := range s.oidcSessions {
-		if c.Sub == sub {
+		if sess.AccessTokenHash == accessTokenHash {
-			return c, nil
+			return sess, nil
 		}
 	}
-	return repository.OidcCode{}, repository.ErrNotFound
+	return repository.OidcSession{}, repository.ErrNotFound
 }
-func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
+func (s *Store) GetOIDCSessionByRefreshTokenHash(_ context.Context, refreshTokenHash string) (repository.OidcSession, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, sess := range s.oidcSessions {
 		if sess.RefreshTokenHash == refreshTokenHash {
 			return sess, nil
 		}
 	}
 	return repository.OidcSession{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOIDCSession(_ context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	delete(s.oidcCodes, codeHash)
+	sess, ok := s.oidcSessions[arg.Sub]
 	if !ok {
 		return repository.OidcSession{}, repository.ErrNotFound
 	}
 	sess.AccessTokenHash = arg.AccessTokenHash
 	sess.RefreshTokenHash = arg.RefreshTokenHash
 	sess.Scope = arg.Scope
 	sess.ClientID = arg.ClientID
 	sess.TokenExpiresAt = arg.TokenExpiresAt
 	sess.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 	sess.Nonce = arg.Nonce
 	sess.UserinfoJson = arg.UserinfoJson
 	s.oidcSessions[arg.Sub] = sess
 	return sess, nil
 }
 func (s *Store) DeleteOIDCSessionBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcSessions, sub)
 	return nil
 }
-func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
+func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	for k, c := range s.oidcCodes {
+	for k, sess := range s.oidcSessions {
-		if c.Sub == sub {
+		if sess.TokenExpiresAt < arg.TokenExpiresAt && sess.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
-			delete(s.oidcCodes, k)
+			delete(s.oidcSessions, k)
 		}
 	}
 	return nil
 }
-func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+func (s *Store) CreateOIDCConsent(_ context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	var deleted []repository.OidcCode
+	if _, ok := s.oidcConsent[arg.UUID]; ok {
-	for k, c := range s.oidcCodes {
+		return repository.OidcConsent{}, fmt.Errorf("UNIQUE constraint failed: oidc_consent.uuid")
 		if c.ExpiresAt < expiresAt {
 			deleted = append(deleted, c)
 			delete(s.oidcCodes, k)
 	}
-	}
+	consent := repository.OidcConsent{
-	return deleted, nil
+		UUID:     arg.UUID,
 }
 func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, t := range s.oidcTokens {
 		if t.Sub == arg.Sub {
 			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
 		}
 	}
 	tok := repository.OidcToken{
 		Sub:                   arg.Sub,
 		AccessTokenHash:       arg.AccessTokenHash,
 		RefreshTokenHash:      arg.RefreshTokenHash,
 		CodeHash:              arg.CodeHash,
 		Scope:                 arg.Scope,
 		ClientID: arg.ClientID,
-		TokenExpiresAt:        arg.TokenExpiresAt,
+		Scopes:   arg.Scopes,
 		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
 		Nonce:                 arg.Nonce,
 	}
-	s.oidcTokens[arg.AccessTokenHash] = tok
+	s.oidcConsent[arg.UUID] = consent
-	return tok, nil
+	return consent, nil
 }
-func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
+func (s *Store) GetOIDCConsentByUUID(_ context.Context, uuid string) (repository.OidcConsent, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
-	t, ok := s.oidcTokens[accessTokenHash]
+	consent, ok := s.oidcConsent[uuid]
 	if !ok {
-		return repository.OidcToken{}, repository.ErrNotFound
+		return repository.OidcConsent{}, repository.ErrNotFound
 	}
-	return t, nil
+	return consent, nil
 }
-func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
+func (s *Store) UpdateOIDCConsent(_ context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.RefreshTokenHash == refreshTokenHash {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.Sub == sub {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	for k, t := range s.oidcTokens {
+	consent, ok := s.oidcConsent[arg.UUID]
 		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
 			delete(s.oidcTokens, k)
 			t.AccessTokenHash = arg.AccessTokenHash
 			t.RefreshTokenHash = arg.RefreshTokenHash
 			t.TokenExpiresAt = arg.TokenExpiresAt
 			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 			s.oidcTokens[arg.AccessTokenHash] = t
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcTokens, accessTokenHash)
 	return nil
 }
 func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.Sub == sub {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.CodeHash == codeHash {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
 		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	u := repository.OidcUserinfo(arg)
 	s.oidcUsers[arg.Sub] = u
 	return u, nil
 }
 func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	u, ok := s.oidcUsers[sub]
 	if !ok {
-		return repository.OidcUserinfo{}, repository.ErrNotFound
+		return repository.OidcConsent{}, repository.ErrNotFound
 	}
-	return u, nil
+	consent.Scopes = arg.Scopes
 	s.oidcConsent[arg.UUID] = consent
 	return consent, nil
 }
-func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
+func (s *Store) DeleteOIDCConsentByUUID(_ context.Context, uuid string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	delete(s.oidcUsers, sub)
+	delete(s.oidcConsent, uuid)
 	return nil
 }
@@ -11,17 +11,15 @@ import (
 type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
-	oidcCodes  map[string]repository.OidcCode
+	oidcSessions map[string]repository.OidcSession
-	oidcTokens map[string]repository.OidcToken
+	oidcConsent  map[string]repository.OidcConsent
 	oidcUsers  map[string]repository.OidcUserinfo
 }
 // New returns a new empty in-memory Store.
 func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
-		oidcCodes:  make(map[string]repository.OidcCode),
+		oidcSessions: make(map[string]repository.OidcSession),
-		oidcTokens: make(map[string]repository.OidcToken),
+		oidcConsent:  make(map[string]repository.OidcConsent),
 		oidcUsers:  make(map[string]repository.OidcUserinfo),
 	}
 }
@@ -1,8 +1,18 @@
 package repository
 import "time"
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 type OidcConsent struct {
 	UUID      string
 	ClientID  string
 	Scopes    string
 	CreatedAt time.Time
 	UpdatedAt time.Time
 }
 type Session struct {
 	UUID        string
 	Username    string
@@ -17,49 +27,16 @@ type Session struct {
 	OAuthSub    string
 }
-type OidcCode struct {
+type OidcSession struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type CreateSessionParams struct {
@@ -89,18 +66,7 @@ type UpdateSessionParams struct {
 	UUID        string
 }
-type CreateOidcCodeParams struct {
+type CreateOIDCSessionParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -108,41 +74,34 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
-}
+	UserinfoJson          string
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type CreateOidcUserInfoParams struct {
 	Sub                   string
-	Name              string
+}
-	PreferredUsername string
+
-	Email             string
+type DeleteExpiredOIDCSessionsParams struct {
-	Groups            string
+	TokenExpiresAt        int64
-	UpdatedAt         int64
+	RefreshTokenExpiresAt int64
-	GivenName         string
+}
-	FamilyName        string
+
-	MiddleName        string
+type CreateOIDCConsentParams struct {
-	Nickname          string
+	UUID     string
-	Profile           string
+	ClientID string
-	Picture           string
+	Scopes   string
-	Website           string
+}
-	Gender            string
+
-	Birthdate         string
+type UpdateOIDCConsentParams struct {
-	Zoneinfo          string
+	Scopes string
-	Locale            string
+	UUID   string
 	PhoneNumber       string
 	Address           string
 }
@@ -16,8 +16,6 @@ type DBTX interface {
 	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
 }
 // New returns a *Queries configured to use the provided DBTX for executing database operations.
 // The returned *Queries will use db as its database handle for all query method calls.
 func New(db DBTX) *Queries {
 	return &Queries{db: db}
 }
@@ -4,49 +4,28 @@
 package postgres
-type OidcCode struct {
+import (
-	Sub           string
+	"time"
-	CodeHash      string
+)
-	Scope         string
+
-	RedirectURI   string
+type OidcConsent struct {
 	UUID      string
 	ClientID  string
-	ExpiresAt     int64
+	Scopes    string
-	Nonce         string
+	CreatedAt time.Time
-	CodeChallenge string
+	UpdatedAt time.Time
 }
-type OidcToken struct {
+type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,60 +9,38 @@ import (
 	"context"
 )
-const createOidcCode = `-- name: CreateOidcCode :one
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
-INSERT INTO "oidc_codes" (
+INSERT INTO "oidc_consent" (
-    "sub",
+    "uuid",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
-    "expires_at",
+    "scopes"
    "nonce",
    "code_challenge"
 ) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8
+    $1, $2, $3
 )
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
+RETURNING uuid, client_id, scopes, created_at, updated_at
 `
-type CreateOidcCodeParams struct {
+type CreateOIDCConsentParams struct {
-	Sub           string
+	UUID     string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID string
-	ExpiresAt     int64
+	Scopes   string
 	Nonce         string
 	CodeChallenge string
 }
-func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, createOidcCode,
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
-		arg.Sub,
+	var i OidcConsent
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
-		&i.Sub,
+		&i.UUID,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
-		&i.ExpiresAt,
+		&i.Scopes,
-		&i.Nonce,
+		&i.CreatedAt,
-		&i.CodeChallenge,
+		&i.UpdatedAt,
 	)
 	return i, err
 }
-const createOidcToken = `-- name: CreateOidcToken :one
+const createOIDCSession = `-- name: CreateOIDCSession :one
-INSERT INTO "oidc_tokens" (
+INSERT INTO "oidc_sessions" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -70,15 +48,15 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type CreateOidcTokenParams struct {
+type CreateOIDCSessionParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -86,12 +64,12 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
+func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, createOidcToken,
+	row := q.db.QueryRowContext(ctx, createOIDCSession,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -99,483 +77,218 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
+const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
-INSERT INTO "oidc_userinfo" (
+DELETE FROM "oidc_sessions"
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type DeleteExpiredOidcTokensParams struct {
+type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
+func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
-	if err != nil {
+	return err
 		return nil, err
 }
-	defer rows.Close()
+
-	var items []OidcToken
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
-	for rows.Next() {
+DELETE FROM "oidc_consent"
-		var i OidcToken
+WHERE "uuid" = $1
-		if err := rows.Scan(
+`
 func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
 	return err
 }
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
 	return err
 }
 const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
 SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
 WHERE "uuid" = $1
 `
 func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
 	var i OidcConsent
 	err := row.Scan(
 		&i.UUID,
 		&i.ClientID,
 		&i.Scopes,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
 	return i, err
 }
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
 	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 			&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
-		); err != nil {
+		&i.UserinfoJson,
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
 	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
-const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
+const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1
 `
-func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
+const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = $1
 `
-func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcUserInfo = `-- name: GetOidcUserInfo :one
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
-SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+UPDATE "oidc_consent" SET
-WHERE "sub" = $1
+    "scopes" = $1,
    "updated_at" = CURRENT_TIMESTAMP
 WHERE "uuid" = $2
 RETURNING uuid, client_id, scopes, created_at, updated_at
 `
-func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
+type UpdateOIDCConsentParams struct {
-	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
+	Scopes string
-	var i OidcUserinfo
+	UUID   string
 }
 func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
 	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
 	var i OidcConsent
 	err := row.Scan(
-		&i.Sub,
+		&i.UUID,
-		&i.Name,
+		&i.ClientID,
-		&i.PreferredUsername,
+		&i.Scopes,
-		&i.Email,
+		&i.CreatedAt,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
-const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
+const updateOIDCSession = `-- name: UpdateOIDCSession :one
-UPDATE "oidc_tokens" SET
+UPDATE "oidc_sessions" SET
    "access_token_hash" = $1,
    "refresh_token_hash" = $2,
-    "token_expires_at"         = $3,
+    "scope" = $3,
-    "refresh_token_expires_at" = $4
+    "client_id" = $4,
-WHERE "refresh_token_hash" = $5
+    "token_expires_at" = $5,
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+    "refresh_token_expires_at" = $6,
    "nonce" = $7,
    "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
+func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
+	row := q.db.QueryRowContext(ctx, updateOIDCSession,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
-		arg.RefreshTokenHash_2,
+		arg.Nonce,
 		arg.UserinfoJson,
 		arg.Sub,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -14,7 +14,7 @@ type Store struct {
 	q *Queries
 }
-// NewStore returns a repository.Store backed by the provided *Queries.
+// NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
@@ -23,8 +23,6 @@ var errorMap = map[error]error{
 	sql.ErrNoRows: repository.ErrNotFound,
 }
 // mapErr maps known database errors to repository-level errors using the package-level errorMap.
 // It uses errors.Is to match (so wrapped errors are recognized) and returns the original error if no mapping applies.
 func mapErr(err error) error {
 	for from, to := range errorMap {
 		if errors.Is(err, from) {
@@ -34,28 +32,20 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcConsent(r), nil
 }
-func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
+func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
+	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -66,124 +56,56 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
-	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
+	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
 }
-func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
+func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
+	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
-	r, err := s.q.GetOidcCode(ctx, codeHash)
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcConsent(r), nil
 }
-func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySub(ctx, sub)
+	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
+	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
+	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -194,12 +116,20 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcConsent(r), nil
 }
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
 		return repository.OidcSession{}, mapErr(err)
 	}
 	return repository.OidcSession(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -4,49 +4,28 @@
 package sqlite
-type OidcCode struct {
+import (
-	Sub           string
+	"time"
-	CodeHash      string
+)
-	Scope         string
+
-	RedirectURI   string
+type OidcConsent struct {
 	UUID      string
 	ClientID  string
-	ExpiresAt     int64
+	Scopes    string
-	Nonce         string
+	CreatedAt time.Time
-	CodeChallenge string
+	UpdatedAt time.Time
 }
-type OidcToken struct {
+type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
-}
+	UserinfoJson          string
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
@@ -9,60 +9,38 @@ import (
 	"context"
 )
-const createOidcCode = `-- name: CreateOidcCode :one
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
-INSERT INTO "oidc_codes" (
+INSERT INTO "oidc_consent" (
-    "sub",
+    "uuid",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
-    "expires_at",
+    "scopes"
    "nonce",
    "code_challenge"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?
 )
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
+RETURNING uuid, client_id, scopes, created_at, updated_at
 `
-type CreateOidcCodeParams struct {
+type CreateOIDCConsentParams struct {
-	Sub           string
+	UUID     string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID string
-	ExpiresAt     int64
+	Scopes   string
 	Nonce         string
 	CodeChallenge string
 }
-func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, createOidcCode,
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
-		arg.Sub,
+	var i OidcConsent
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
-		&i.Sub,
+		&i.UUID,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
-		&i.ExpiresAt,
+		&i.Scopes,
-		&i.Nonce,
+		&i.CreatedAt,
-		&i.CodeChallenge,
+		&i.UpdatedAt,
 	)
 	return i, err
 }
-const createOidcToken = `-- name: CreateOidcToken :one
+const createOIDCSession = `-- name: CreateOIDCSession :one
-INSERT INTO "oidc_tokens" (
+INSERT INTO "oidc_sessions" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -70,15 +48,15 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type CreateOidcTokenParams struct {
+type CreateOIDCSessionParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
@@ -86,12 +64,12 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 	UserinfoJson          string
 }
-func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
+func (q *Queries) CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, createOidcToken,
+	row := q.db.QueryRowContext(ctx, createOIDCSession,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
@@ -99,483 +77,218 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 		arg.UserinfoJson,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
+const deleteExpiredOIDCSessions = `-- name: DeleteExpiredOIDCSessions :exec
-INSERT INTO "oidc_userinfo" (
+DELETE FROM "oidc_sessions"
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
-type DeleteExpiredOidcTokensParams struct {
+type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
+func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
+	_, err := q.db.ExecContext(ctx, deleteExpiredOIDCSessions, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
-	if err != nil {
+	return err
 		return nil, err
 }
-	defer rows.Close()
+
-	var items []OidcToken
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
-	for rows.Next() {
+DELETE FROM "oidc_consent"
-		var i OidcToken
+WHERE "uuid" = ?
-		if err := rows.Scan(
+`
 func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
 	return err
 }
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOIDCSessionBySub, sub)
 	return err
 }
 const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
 SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
 WHERE "uuid" = ?
 `
 func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
 	var i OidcConsent
 	err := row.Scan(
 		&i.UUID,
 		&i.ClientID,
 		&i.Scopes,
 		&i.CreatedAt,
 		&i.UpdatedAt,
 	)
 	return i, err
 }
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error) {
 	row := q.db.QueryRowContext(ctx, getOIDCSessionByAccessTokenHash, accessTokenHash)
 	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 			&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
-		); err != nil {
+		&i.UserinfoJson,
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
 	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
-const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
+const getOIDCSessionByRefreshTokenHash = `-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = ?
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = ?
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
-func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionByRefreshTokenHash, refreshTokenHash)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
+const getOIDCSessionBySub = `-- name: GetOIDCSessionBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "sub" = ?
 `
-func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
+func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
+	row := q.db.QueryRowContext(ctx, getOIDCSessionBySub, sub)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
-const getOidcUserInfo = `-- name: GetOidcUserInfo :one
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
-SELECT sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+UPDATE "oidc_consent" SET
-WHERE "sub" = ?
+    "scopes" = ?,
    "updated_at" = CURRENT_TIMESTAMP
 WHERE "uuid" = ?
 RETURNING uuid, client_id, scopes, created_at, updated_at
 `
-func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
+type UpdateOIDCConsentParams struct {
-	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
+	Scopes string
-	var i OidcUserinfo
+	UUID   string
 }
 func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
 	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
 	var i OidcConsent
 	err := row.Scan(
-		&i.Sub,
+		&i.UUID,
-		&i.Name,
+		&i.ClientID,
-		&i.PreferredUsername,
+		&i.Scopes,
-		&i.Email,
+		&i.CreatedAt,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
-const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
+const updateOIDCSession = `-- name: UpdateOIDCSession :one
-UPDATE "oidc_tokens" SET
+UPDATE "oidc_sessions" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?
+    "refresh_token_expires_at" = ?,
-WHERE "refresh_token_hash" = ?
+    "nonce" = ?,
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+    "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json
 `
-type UpdateOidcTokenByRefreshTokenParams struct {
+type UpdateOIDCSessionParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
+	Nonce                 string
 	UserinfoJson          string
 	Sub                   string
 }
-func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
+func (q *Queries) UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error) {
-	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
+	row := q.db.QueryRowContext(ctx, updateOIDCSession,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
-		arg.RefreshTokenHash_2,
+		arg.Nonce,
 		arg.UserinfoJson,
 		arg.Sub,
 	)
-	var i OidcToken
+	var i OidcSession
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 		&i.UserinfoJson,
 	)
 	return i, err
 }
@@ -32,28 +32,20 @@ func mapErr(err error) error {
 	return err
 }
-func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcConsent(r), nil
 }
-func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
+func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
-	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
+	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
@@ -64,124 +56,56 @@ func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionP
 	return repository.Session(r), nil
 }
-func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+func (s *Store) DeleteExpiredOIDCSessions(ctx context.Context, arg repository.DeleteExpiredOIDCSessionsParams) error {
-	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
+	return mapErr(s.q.DeleteExpiredOIDCSessions(ctx, DeleteExpiredOIDCSessionsParams(arg)))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
-func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
 }
-func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
+func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
+	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
-func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
-	r, err := s.q.GetOidcCode(ctx, codeHash)
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcConsent(r), nil
 }
-func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySub(ctx, sub)
+	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
+	r, err := s.q.GetOIDCSessionByRefreshTokenHash(ctx, refreshTokenHash)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
-func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+func (s *Store) GetOIDCSessionBySub(ctx context.Context, sub string) (repository.OidcSession, error) {
-	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
+	r, err := s.q.GetOIDCSessionBySub(ctx, sub)
 	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
+		return repository.OidcSession{}, mapErr(err)
 	}
-	return repository.OidcCode(r), nil
+	return repository.OidcSession(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
@@ -192,12 +116,20 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
-func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
 	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
+		return repository.OidcConsent{}, mapErr(err)
 	}
-	return repository.OidcToken(r), nil
+	return repository.OidcConsent(r), nil
 }
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {
 		return repository.OidcSession{}, mapErr(err)
 	}
 	return repository.OidcSession(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
@@ -19,29 +19,18 @@ type Store interface {
 	DeleteSession(ctx context.Context, uuid string) error
 	DeleteExpiredSessions(ctx context.Context, expiry int64) error
-	// OIDC codes
+	// OIDC sessions
-	CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error)
+	CreateOIDCSession(ctx context.Context, arg CreateOIDCSessionParams) (OidcSession, error)
-	GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error)
+	DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpiredOIDCSessionsParams) error
-	GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error)
+	DeleteOIDCSessionBySub(ctx context.Context, sub string) error
-	GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error)
+	GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (OidcSession, error)
-	GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error)
+	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
-	DeleteOidcCode(ctx context.Context, codeHash string) error
+	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
-	DeleteOidcCodeBySub(ctx context.Context, sub string) error
+	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
 	DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error)
-	// OIDC tokens
+	// OIDC consents
-	CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error)
+	CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error)
-	GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error)
+	DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error
-	GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error)
+	GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error)
-	GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error)
+	UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error)
 	UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error)
 	DeleteOidcToken(ctx context.Context, accessTokenHash string) error
 	DeleteOidcTokenBySub(ctx context.Context, sub string) error
 	DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error
 	DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error)
 	// OIDC userinfo
 	CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error)
 	GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error)
 	DeleteOidcUserInfo(ctx context.Context, sub string) error
 }
@@ -9,6 +9,12 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 // For LDAP and OAuth groups and IP allow/deny, we default to allow even with a deny policy.
 // This is because we can't force the user to use groups in LDAP and OAuth if they would like to use
 // a deny policy. As for IP checks, we can't reliably get the client IP (most of Tinyauth instances are
 // behind a Docker bridge network) so to make it easier for users to use a deny policy without
 // issues with IPs we allow by default.
 type RuleName string
 const (
@@ -25,7 +31,11 @@ type UserAllowedRule struct {
 }
 func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.ACLs == nil || ctx.UserContext == nil {
+	if ctx.UserContext == nil {
 		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAbstain
 	}
@@ -34,7 +44,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Whitelist, ctx.UserContext.OAuth.Email)
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.OAuth.Email).Msg("Invalid entry in OAuth whitelist")
-			return EffectAbstain
+			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Debug().Str("email", ctx.UserContext.OAuth.Email).Msg("User is in OAuth whitelist, allowing access")
@@ -48,7 +58,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 		match, err := utils.CheckFilter(ctx.ACLs.Users.Block, ctx.UserContext.GetUsername())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users block list")
-			return EffectAbstain
+			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users block list, denying access")
@@ -62,9 +72,12 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 	match, err := utils.CheckFilter(ctx.ACLs.Users.Allow, ctx.UserContext.GetUsername())
 	if err != nil {
-		rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list")
+		if err == utils.ErrFilterEmpty {
 			return EffectAbstain
 		}
 		rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list")
 		return EffectDeny
 	}
 	if match {
 		rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users allow list, allowing access")
@@ -80,13 +93,22 @@ type OAuthGroupRule struct {
 }
 func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.ACLs == nil || ctx.UserContext == nil {
+	if ctx.UserContext == nil {
-		return EffectAbstain
+		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAllow
 	}
 	if !ctx.UserContext.IsOAuth() {
 		rule.Log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
-		return EffectAbstain
+		return EffectAllow
 	}
 	if len(ctx.ACLs.OAuth.Groups) == 0 {
 		rule.Log.App.Debug().Msg("No OAuth groups specified in ACLs, allowing access")
 		return EffectAllow
 	}
 	if _, ok := model.OverrideProviders[ctx.UserContext.OAuth.ID]; ok {
@@ -97,7 +119,8 @@ func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
 	for _, group := range ctx.UserContext.OAuth.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Groups, strings.TrimSpace(group))
 		if err != nil {
-			return EffectAbstain
+			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in OAuth groups ACL")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.OAuth.Groups).Msg("User group matched, allowing access")
@@ -114,19 +137,29 @@ type LDAPGroupRule struct {
 }
 func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx == nil || ctx.UserContext == nil {
+	if ctx.UserContext == nil {
-		return EffectAbstain
+		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAllow
 	}
 	if !ctx.UserContext.IsLDAP() {
 		rule.Log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
-		return EffectAbstain
+		return EffectAllow
 	}
 	if len(ctx.ACLs.LDAP.Groups) == 0 {
 		rule.Log.App.Debug().Msg("No LDAP groups specified in ACLs, allowing access")
 		return EffectAllow
 	}
 	for _, group := range ctx.UserContext.LDAP.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.LDAP.Groups, strings.TrimSpace(group))
 		if err != nil {
-			return EffectAbstain
+			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in LDAP groups ACL")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.LDAP.Groups).Msg("User group matched, allowing access")
@@ -182,13 +215,14 @@ type IPAllowedRule struct {
 }
 func (rule *IPAllowedRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.ACLs == nil {
+	// merge global and per-app block/allow lists
-		return EffectAbstain
+	blockedIps := append([]string{}, rule.Config.Auth.IP.Block...)
-	}
+	allowedIPs := append([]string{}, rule.Config.Auth.IP.Allow...)
-	// Merge the global and app IP filter
+	if ctx.ACLs != nil {
-	blockedIps := append(ctx.ACLs.IP.Block, rule.Config.Auth.IP.Block...)
+		blockedIps = append(blockedIps, ctx.ACLs.IP.Block...)
-	allowedIPs := append(ctx.ACLs.IP.Allow, rule.Config.Auth.IP.Allow...)
+		allowedIPs = append(allowedIPs, ctx.ACLs.IP.Allow...)
 	}
 	for _, blocked := range blockedIps {
 		match, err := utils.CheckIPFilter(blocked, ctx.IP.String())
@@ -225,14 +259,17 @@ func (rule *IPAllowedRule) Evaluate(ctx *ACLContext) Effect {
 type IPBypassedRule struct {
 	Log    *logger.Logger
 	Config model.Config
 }
 func (rule *IPBypassedRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.ACLs == nil {
+	// merge global and per-app bypass lists
-		return EffectDeny
+	bypassList := append([]string{}, rule.Config.Auth.IP.Bypass...)
 	if ctx.ACLs != nil {
 		bypassList = append(bypassList, ctx.ACLs.IP.Bypass...)
 	}
-	for _, bypassed := range ctx.ACLs.IP.Bypass {
+	for _, bypassed := range bypassList {
 		match, err := utils.CheckIPFilter(bypassed, ctx.IP.String())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
@@ -5,6 +5,7 @@ import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -20,6 +21,16 @@ func TestUserAllowedRule(t *testing.T) {
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "denies when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "abstains when ACLs are nil",
 			ctx: &ACLContext{
@@ -33,16 +44,6 @@ func TestUserAllowedRule(t *testing.T) {
 			},
 			expected: EffectAbstain,
 		},
 		{
 			name: "abstains when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectAbstain,
 		},
 		{
 			name: "allows OAuth user when email matches whitelist",
 			ctx: &ACLContext{
@@ -77,7 +78,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "abstains for OAuth user when whitelist filter is invalid",
+			name: "denies for OAuth user when whitelist filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "/[/"},
@@ -89,7 +90,7 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectDeny,
 		},
 		{
 			name: "denies local user when username matches block list",
@@ -122,7 +123,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectAllow,
 		},
 		{
-			name: "abstains when block list filter is invalid",
+			name: "denies when block list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Block: "/[/"},
@@ -134,6 +135,21 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "abstains when allow list is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAbstain,
 		},
 		{
@@ -167,7 +183,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "abstains when allow list filter is invalid",
+			name: "denies when allow list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: "/[/"},
@@ -179,7 +195,7 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectDeny,
 		},
 	}
@@ -202,7 +218,17 @@ func TestOAuthGroupRule(t *testing.T) {
 		expected Effect
 	}{
 		{
-			name: "abstains when ACLs are nil",
+			name: "denies when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when ACLs are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
@@ -212,20 +238,10 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectAllow,
 		},
 		{
-			name: "abstains when user context is nil",
+			name: "allows when user is not OAuth",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectAbstain,
 		},
 		{
 			name: "abstains when user is not OAuth",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
@@ -237,7 +253,22 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectAllow,
 		},
 		{
 			name: "allows when group filter is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when provider is an override provider regardless of groups",
@@ -304,7 +335,7 @@ func TestOAuthGroupRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "abstains when groups filter is invalid",
+			name: "denies when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "/[/"},
@@ -317,7 +348,7 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectDeny,
 		},
 	}
@@ -340,22 +371,30 @@ func TestLDAPGroupRule(t *testing.T) {
 		expected Effect
 	}{
 		{
-			name:     "abstains when context is nil",
+			name: "denies when user context is nil",
 			ctx:      nil,
 			expected: EffectAbstain,
 		},
 		{
 			name: "abstains when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
-			expected: EffectAbstain,
+			expected: EffectDeny,
 		},
 		{
-			name: "abstains when user is not LDAP",
+			name: "allows when acls are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when user is not LDAP",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins"},
@@ -367,7 +406,22 @@ func TestLDAPGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectAllow,
 		},
 		{
 			name: "allows when group filter is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows LDAP user when a group matches",
@@ -415,7 +469,7 @@ func TestLDAPGroupRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "abstains when groups filter is invalid",
+			name: "denies when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "/[/"},
@@ -427,7 +481,7 @@ func TestLDAPGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAbstain,
+			expected: EffectDeny,
 		},
 	}
@@ -558,12 +612,12 @@ func TestIPAllowedRule(t *testing.T) {
 		expected Effect
 	}{
 		{
-			name: "abstains when ACLs are nil",
+			name: "allows when ACLs are nil and no global lists configured",
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.1"),
 			},
-			expected: EffectAbstain,
+			expected: EffectAllow,
 		},
 		{
 			name: "denies when IP matches app block list",
@@ -669,23 +723,70 @@ func TestIPBypassedRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
-	rule := &IPBypassedRule{Log: log}
+	defaultIPBR := &IPBypassedRule{Log: log}
 	globBypassIPBR := &IPBypassedRule{
 		Log:    log,
 		Config: model.Config{Auth: model.AuthConfig{IP: model.IPConfig{Bypass: []string{"10.0.0.0/24"}}}},
 	}
 	tests := []struct {
 		name     string
 		rule     *IPBypassedRule
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
-			name: "deny when ACLs are nil",
+			name: "deny when ACLs are nil and no global bypass",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when ACLs are nil but IP matches global bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when ACLs are nil and IP does not match global bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("192.168.1.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when IP matches per-app bypass but not global bypass",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when IP matches global bypass but not per-app bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"172.16.0.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when IP matches bypass list",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
@@ -696,6 +797,7 @@ func TestIPBypassedRule(t *testing.T) {
 		},
 		{
 			name: "denies when IP does not match bypass list",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
@@ -706,6 +808,7 @@ func TestIPBypassedRule(t *testing.T) {
 		},
 		{
 			name: "denies when bypass list is empty",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				IP:   net.ParseIP("10.0.0.1"),
@@ -714,6 +817,7 @@ func TestIPBypassedRule(t *testing.T) {
 		},
 		{
 			name: "skips invalid bypass entries and allows on later match",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"not-an-ip", "10.0.0.1"}},
@@ -726,7 +830,7 @@ func TestIPBypassedRule(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
+			assert.Equal(t, tt.expected, tt.rule.Evaluate(tt.ctx))
 		})
 	}
 }
@@ -9,13 +9,12 @@ import (
 	"sync"
 	"time"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"slices"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/oauth2"
@@ -31,17 +30,14 @@ var (
 	ErrUserNotFound = errors.New("user not found")
 )
-// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
+// We either store params for redirecting to an app after OAuth login,
-// parameters and pass them to the authorize page if needed
+// or for redirecting back to the authorize screen to continue OIDC
-type OAuthURLParams struct {
+type OAuthCallbackParams struct {
-	Scope               string `form:"scope" url:"scope"`
+	LoginFor    string `form:"login_for" url:"login_for"`
-	ResponseType        string `form:"response_type" url:"response_type"`
+	OIDCTicket  string `form:"oidc_ticket" url:"oidc_ticket"`
-	ClientID            string `form:"client_id" url:"client_id"`
+	OIDCScope   string `form:"oidc_scope" url:"oidc_scope"`
 	OIDCName    string `form:"oidc_name" url:"oidc_name"`
 	RedirectURI string `form:"redirect_uri" url:"redirect_uri"`
 	State               string `form:"state" url:"state"`
 	Nonce               string `form:"nonce" url:"nonce"`
 	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
 	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
 }
 type OAuthPendingSession struct {
@@ -50,12 +46,7 @@ type OAuthPendingSession struct {
 	Token          *oauth2.Token
 	Service        *OAuthServiceImpl
 	ExpiresAt      time.Time
-	CallbackParams OAuthURLParams
+	CallbackParams OAuthCallbackParams
 }
 type LdapGroupsCache struct {
 	Groups  []string
 	Expires time.Time
 }
 type LoginAttempt struct {
@@ -64,59 +55,84 @@ type LoginAttempt struct {
 	LockedUntil    time.Time
 }
 type Lockdown struct {
 	Active      bool
 	ActiveUntil time.Time
 }
 type AuthService struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
-	context context.Context
+	helpers model.RuntimeHelpers
 	ctx     context.Context
 	ldap         *LdapService
 	queries      repository.Store
 	oauthBroker  *OAuthBrokerService
 	tailscale    *TailscaleService
 	policyEngine *PolicyEngine
-	loginAttempts        map[string]*LoginAttempt
+	lockdown struct {
-	ldapGroupsCache      map[string]*LdapGroupsCache
+		active     bool
-	oauthPendingSessions map[string]*OAuthPendingSession
+		until      time.Time
-	oauthMutex           sync.RWMutex
+		ctx        context.Context
-	loginMutex           sync.RWMutex
+		cancelFunc context.CancelFunc
-	ldapGroupsMutex      sync.RWMutex
+		mu         sync.RWMutex
-	lockdown             *Lockdown
+	}
-	lockdownCtx          context.Context
+
-	lockdownCancelFunc   context.CancelFunc
+	caches struct {
 		login *CacheStore[LoginAttempt]
 		oauth *CacheStore[OAuthPendingSession]
 		ldap  *CacheStore[[]string]
 	}
 }
 func NewAuthService(
 	log *logger.Logger,
 	config model.Config,
 	runtime model.RuntimeConfig,
 	helpers model.RuntimeHelpers,
 	ctx context.Context,
-	wg *sync.WaitGroup,
+	dg *ding.Ding,
 	ldap *LdapService,
 	queries repository.Store,
 	oauthBroker *OAuthBrokerService,
 	tailscale *TailscaleService,
 	policy *PolicyEngine,
 ) *AuthService {
 	service := &AuthService{
 		log:          log,
 		runtime:      runtime,
-		context:              ctx,
+		helpers:      helpers,
 		ctx:          ctx,
 		config:       config,
 		loginAttempts:        make(map[string]*LoginAttempt),
 		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
 		oauthPendingSessions: make(map[string]*OAuthPendingSession),
 		ldap:         ldap,
 		queries:      queries,
 		oauthBroker:  oauthBroker,
 		tailscale:    tailscale,
 		policyEngine: policy,
 	}
-	wg.Go(service.CleanupOAuthSessionsRoutine)
+	// caches setup
 	oauthCache := NewCacheStore[OAuthPendingSession](256)
 	loginCache := NewCacheStore[LoginAttempt](1024)
 	ldapCache := NewCacheStore[[]string](1024)
 	service.caches.oauth = oauthCache
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
 	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.oauth.Sweep()
 				service.caches.login.Sweep()
 				service.caches.ldap.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service
 }
@@ -191,14 +207,12 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, errors.New("ldap service not configured")
 	}
-	auth.ldapGroupsMutex.RLock()
+	entry, exists := auth.caches.ldap.Get(userDN)
 	entry, exists := auth.ldapGroupsCache[userDN]
 	auth.ldapGroupsMutex.RUnlock()
-	if exists && time.Now().Before(entry.Expires) {
+	if exists {
 		return &model.LDAPUser{
 			DN:     userDN,
-			Groups: entry.Groups,
+			Groups: entry,
 		}, nil
 	}
@@ -208,12 +222,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 		return nil, fmt.Errorf("failed to get ldap groups: %w", err)
 	}
-	auth.ldapGroupsMutex.Lock()
+	auth.caches.ldap.Set(userDN, groups, time.Duration(auth.config.LDAP.GroupCacheTTL)*time.Second)
 	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
 		Groups:  groups,
 		Expires: time.Now().Add(time.Duration(auth.config.LDAP.GroupCacheTTL) * time.Second),
 	}
 	auth.ldapGroupsMutex.Unlock()
 	return &model.LDAPUser{
 		DN:     userDN,
@@ -222,11 +231,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 }
 func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
-	auth.loginMutex.RLock()
+	if locked, remaining := auth.IsInLockdown(); locked {
 	defer auth.loginMutex.RUnlock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		remaining := int(time.Until(auth.lockdown.ActiveUntil).Seconds())
 		return true, remaining
 	}
@@ -234,7 +239,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 		return false, 0
 	}
-	attempt, exists := auth.loginAttempts[identifier]
+	attempt, exists := auth.caches.login.Get(identifier)
 	if !exists {
 		return false, 0
 	}
@@ -252,49 +257,75 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 		return
 	}
-	auth.loginMutex.Lock()
+	if auth.caches.login.Size() >= MaxLoginAttemptRecords {
-	defer auth.loginMutex.Unlock()
+		if locked, _ := auth.IsInLockdown(); locked {
 	if len(auth.loginAttempts) >= MaxLoginAttemptRecords {
 		if auth.lockdown != nil && auth.lockdown.Active {
 			return
 		}
 		go auth.lockdownMode()
 		return
 	}
-	attempt, exists := auth.loginAttempts[identifier]
+	auth.caches.login.WithLock(func(actions CacheStoreActions[LoginAttempt]) {
-	if !exists {
+		entry, ok := actions.Get(identifier)
-		attempt = &LoginAttempt{}
+
-		auth.loginAttempts[identifier] = attempt
+		if !ok {
 			attempt := LoginAttempt{
 				LastAttempt: time.Now(),
 			}
-
+			if !success {
-	attempt.LastAttempt = time.Now()
+				attempt.FailedAttempts = 1
 	if success {
 		attempt.FailedAttempts = 0
 		attempt.LockedUntil = time.Time{} // Reset lock time
 		return
 	}
 	attempt.FailedAttempts++
 				if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
 					attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 					auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 				}
 			}
 			// match current tinyauth behavior which doesn't expire rate limits
 			actions.Set(identifier, attempt, 0)
 			return
 		}
-func (auth *AuthService) IsEmailWhitelisted(email string) bool {
+		entry.LastAttempt = time.Now()
-	match, err := utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+
 		if success {
 			entry.FailedAttempts = 0
 			entry.LockedUntil = time.Time{}
 		} else {
 			entry.FailedAttempts++
 			if entry.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
 				entry.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 				auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", entry.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 			}
 		}
 		actions.Set(identifier, entry, 0)
 	})
 }
 // We could also directly access the policyEngine.effectToAccess but
 // I believe it's better to use the exported functions instead
 func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
 	return auth.policyEngine.EvaluateFunc(func() Effect {
 		whitelist := auth.runtime.OAuthWhitelist
 		if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
 			whitelist = providerConfig.Whitelist
 		}
 		match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
 		if err != nil {
-		auth.log.App.Warn().Err(err).Str("email", email).Msg("Invalid email filter pattern")
+			if err == utils.ErrFilterEmpty {
-		return false
+				return EffectAbstain
 			}
-	return match
+			auth.log.App.Error().Err(err).Str("email", email).Msg("Failed to evaluate email whitelist filter, defaulting to deny")
 			return EffectDeny
 		}
 		if match {
 			return EffectAllow
 		}
 		return EffectDeny
 	})
 }
-func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
+func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session, ip string) (*http.Cookie, error) {
 	if data.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
@@ -335,20 +366,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
-	if data.Provider == "tailscale" {
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
 		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
 		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
 	if err != nil {
-			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
+		Domain:   cookieDomain,
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -357,26 +385,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}, nil
 }
-	return &http.Cookie{
+func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
 		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
 }
 func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http.Cookie, error) {
 	session, err := auth.queries.GetSession(ctx, uuid)
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve session: %w", err)
 	}
 	if session.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
 	currentTime := time.Now().Unix()
 	var refreshThreshold int64
@@ -410,11 +429,17 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 		return nil, fmt.Errorf("failed to update session expiry: %w", err)
 	}
 	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
 	if err != nil {
 		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -424,18 +449,24 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 }
-func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) DeleteSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	err := auth.queries.DeleteSession(ctx, uuid)
 	if err != nil {
 		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}
 	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
 	if err != nil {
 		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,
@@ -485,19 +516,17 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap != nil
 }
-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthCallbackParams) (string, error) {
 	auth.ensureOAuthSessionLimit()
 	service, ok := auth.oauthBroker.GetService(serviceName)
 	if !ok {
-		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
+		return "", fmt.Errorf("oauth service not found: %s", serviceName)
 	}
 	sessionId, err := uuid.NewRandom()
 	if err != nil {
-		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
+		return "", fmt.Errorf("failed to generate session ID: %w", err)
 	}
 	state := service.NewRandom()
@@ -511,11 +540,9 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 		CallbackParams: params,
 	}
-	auth.oauthMutex.Lock()
+	auth.caches.oauth.Set(sessionId.String(), session, time.Minute*10)
 	auth.oauthPendingSessions[sessionId.String()] = &session
 	auth.oauthMutex.Unlock()
-	return sessionId.String(), session, nil
+	return sessionId.String(), nil
 }
 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
@@ -529,10 +556,10 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
 }
 func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, ok := auth.caches.oauth.Get(sessionId)
-	if err != nil {
+	if !ok {
-		return nil, err
+		return nil, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
 	token, err := (*session.Service).GetToken(code, session.Verifier)
@@ -541,9 +568,14 @@ func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.T
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 	}
 	auth.oauthMutex.Lock()
 	session.Token = token
-	auth.oauthMutex.Unlock()
+
 	// ttl 0 means keep current expiration
 	ok = auth.caches.oauth.Update(sessionId, session, 0)
 	if !ok {
 		return nil, fmt.Errorf("failed to update oauth session with token: %s", sessionId)
 	}
 	return token, nil
 }
@@ -579,123 +611,39 @@ func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, er
 }
 func (auth *AuthService) EndOAuthSession(sessionId string) {
-	auth.oauthMutex.Lock()
+	auth.caches.oauth.Delete(sessionId)
 	delete(auth.oauthPendingSessions, sessionId)
 	auth.oauthMutex.Unlock()
 }
 func (auth *AuthService) CleanupOAuthSessionsRoutine() {
 	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
 	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-ticker.C:
 			auth.log.App.Debug().Msg("Running OAuth session cleanup")
 			auth.oauthMutex.Lock()
 			now := time.Now()
 			for sessionId, session := range auth.oauthPendingSessions {
 				if now.After(session.ExpiresAt) {
 					delete(auth.oauthPendingSessions, sessionId)
 				}
 			}
 			auth.oauthMutex.Unlock()
 			auth.log.App.Debug().Msg("OAuth session cleanup completed")
 		case <-auth.context.Done():
 			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
 			return
 		}
 	}
 }
 func (auth *AuthService) GetOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
-	auth.ensureOAuthSessionLimit()
+	session, exists := auth.caches.oauth.Get(sessionId)
 	auth.oauthMutex.RLock()
 	session, exists := auth.oauthPendingSessions[sessionId]
 	auth.oauthMutex.RUnlock()
 	if !exists {
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session not found: %s", sessionId)
 	}
-	if time.Now().After(session.ExpiresAt) {
+	return &session, nil
 		auth.oauthMutex.Lock()
 		delete(auth.oauthPendingSessions, sessionId)
 		auth.oauthMutex.Unlock()
 		return &OAuthPendingSession{}, fmt.Errorf("oauth session expired: %s", sessionId)
 	}
 	return session, nil
 }
 func (auth *AuthService) ensureOAuthSessionLimit() {
 	auth.oauthMutex.Lock()
 	defer auth.oauthMutex.Unlock()
 	if len(auth.oauthPendingSessions) <= MaxOAuthPendingSessions {
 		return
 	}
 	type entry struct {
 		id        string
 		expiresAt int64
 	}
 	entries := make([]entry, 0, len(auth.oauthPendingSessions))
 	for id, session := range auth.oauthPendingSessions {
 		entries = append(entries, entry{id, session.ExpiresAt.Unix()})
 	}
 	slices.SortFunc(entries, func(a, b entry) int {
 		if a.expiresAt < b.expiresAt {
 			return -1
 		}
 		if a.expiresAt > b.expiresAt {
 			return 1
 		}
 		return 0
 	})
 	for _, e := range entries[:OAuthCleanupCount] {
 		delete(auth.oauthPendingSessions, e.id)
 	}
 }
 func (auth *AuthService) lockdownMode() {
-	ctx, cancel := context.WithCancel(context.Background())
+	auth.lockdown.mu.Lock()
-	auth.loginMutex.Lock()
+	if auth.lockdown.active {
-
+		auth.lockdown.mu.Unlock()
 	if auth.lockdown != nil && auth.lockdown.Active {
 		auth.loginMutex.Unlock()
 		cancel()
 		return
 	}
-	auth.lockdownCtx = ctx
+	ctx, cancel := context.WithCancel(context.Background())
 	auth.lockdownCancelFunc = cancel
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
-	auth.lockdown = &Lockdown{
+	auth.lockdown.active = true
-		Active:      true,
+	auth.lockdown.ctx = ctx
-		ActiveUntil: time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second),
+	auth.lockdown.cancelFunc = cancel
-	}
+	auth.lockdown.until = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
-	// At this point all login attemps will also expire so,
+	timer := time.NewTimer(time.Until(auth.lockdown.until))
 	// we might as well clear them to free up memory
 	auth.loginAttempts = make(map[string]*LoginAttempt)
-	timer := time.NewTimer(time.Until(auth.lockdown.ActiveUntil))
+	auth.lockdown.mu.Unlock()
 	auth.loginMutex.Unlock()
 	defer cancel()
 	defer timer.Stop()
@@ -705,24 +653,33 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
-	case <-auth.context.Done():
+	case <-auth.ctx.Done():
 		// Service is shutting down, end lockdown
 	}
-	auth.loginMutex.Lock()
+	auth.lockdown.mu.Lock()
 	auth.log.App.Info().Msg("Exiting lockdown mode")
-	auth.lockdown = nil
+	auth.lockdown.active = false
-	auth.loginMutex.Unlock()
+	auth.lockdown.until = time.Time{}
 	auth.lockdown.ctx = nil
 	auth.lockdown.cancelFunc = nil
 	auth.lockdown.mu.Unlock()
 }
-// Function only used for testing - do not use in prod!
+func (auth *AuthService) IsInLockdown() (bool, int) {
-func (auth *AuthService) ClearRateLimitsTestingOnly() {
+	auth.lockdown.mu.RLock()
-	auth.loginMutex.Lock()
+	defer auth.lockdown.mu.RUnlock()
-	auth.loginAttempts = make(map[string]*LoginAttempt)
+	if auth.lockdown.active {
-	if auth.lockdown != nil {
+		remaining := int(time.Until(auth.lockdown.until).Seconds())
-		auth.lockdownCancelFunc()
+		return true, remaining
 	}
-	auth.loginMutex.Unlock()
+	return false, 0
 }
 // mostly a testing function, not useful for anything else
 func (auth *AuthService) ClearLoginAttempts() {
 	auth.caches.login.Clear()
 }
@@ -0,0 +1,39 @@
 package service
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	auth := &AuthService{
 		log: log,
 		runtime: model.RuntimeConfig{
 			OAuthWhitelist: []string{"global@example.com"},
 			OAuthProviders: map[string]model.OAuthServiceConfig{
 				"github": {
 					Whitelist: []string{"github@example.com"},
 				},
 				"pocketid": {
 					Whitelist: []string{"pocket@example.com"},
 				},
 				"gitlab": {
 					Whitelist: []string{},
 				},
 			},
 		},
 	}
 	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
 	assert.False(t, auth.IsEmailWhitelisted("github", "pocket@example.com"))
 	assert.True(t, auth.IsEmailWhitelisted("pocketid", "pocket@example.com"))
 	assert.True(t, auth.IsEmailWhitelisted("google", "global@example.com"))
 	assert.True(t, auth.IsEmailWhitelisted("gitlab", "global@example.com"))
 	assert.False(t, auth.IsEmailWhitelisted("gitlab", "unknown@example.com"))
 }
@@ -0,0 +1,197 @@
 package service
 import (
 	"slices"
 	"sync"
 	"time"
 )
 type CacheStoreActions[T any] struct {
 	Set    func(key string, value T, ttl time.Duration)
 	Get    func(key string) (T, bool)
 	Delete func(key string)
 	Update func(key string, value T, ttl time.Duration) bool
 }
 type cacheEntry[T any] struct {
 	value     T
 	expiresAt *time.Time
 }
 type CacheStore[T any] struct {
 	cache   map[string]cacheEntry[T]
 	order   []string
 	mu      sync.RWMutex
 	maxSize int
 }
 func NewCacheStore[T any](maxSize int) *CacheStore[T] {
 	return &CacheStore[T]{
 		cache:   make(map[string]cacheEntry[T]),
 		order:   make([]string, 0),
 		maxSize: maxSize,
 	}
 }
 // With lock allows performing multiple operations on the cache store atomically.
 // The provided mutate function receives a set of actions (Set, Get, Delete) that
 // can be used to manipulate the cache store within the locked context.
 func (cs *CacheStore[T]) WithLock(mutate func(actions CacheStoreActions[T])) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	actions := CacheStoreActions[T]{
 		Set:    cs.setCallback,
 		Get:    cs.getCallback,
 		Delete: cs.deleteCallback,
 		Update: cs.updateCallback,
 	}
 	mutate(actions)
 }
 func (cs *CacheStore[T]) updateCallback(key string, value T, ttl time.Duration) bool {
 	if currentEntry, exists := cs.cache[key]; exists {
 		if currentEntry.expiresAt != nil && time.Now().After(*currentEntry.expiresAt) {
 			return false
 		}
 		entry := cacheEntry[T]{
 			value:     value,
 			expiresAt: currentEntry.expiresAt,
 		}
 		if ttl > 0 {
 			expiration := time.Now().Add(ttl)
 			entry.expiresAt = &expiration
 		}
 		cs.cache[key] = entry
 		return true
 	}
 	return false
 }
 func (cs *CacheStore[T]) Update(key string, value T, ttl time.Duration) bool {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	return cs.updateCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) setCallback(key string, value T, ttl time.Duration) {
 	if cs.maxSize > 0 {
 		if _, exists := cs.cache[key]; !exists && len(cs.cache) >= cs.maxSize {
 			cs.evictOne()
 		}
 	}
 	var expiresAt *time.Time
 	if ttl > 0 {
 		expiration := time.Now().Add(ttl)
 		expiresAt = &expiration
 	}
 	cs.cache[key] = cacheEntry[T]{
 		value:     value,
 		expiresAt: expiresAt,
 	}
 	if !slices.Contains(cs.order, key) {
 		cs.order = append(cs.order, key)
 	}
 }
 func (cs *CacheStore[T]) Set(key string, value T, ttl time.Duration) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.setCallback(key, value, ttl)
 }
 func (cs *CacheStore[T]) getCallback(key string) (T, bool) {
 	entry, exists := cs.cache[key]
 	if !exists {
 		var zero T
 		return zero, false
 	}
 	if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 		var zero T
 		return zero, false
 	}
 	return entry.value, true
 }
 func (cs *CacheStore[T]) Get(key string) (T, bool) {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return cs.getCallback(key)
 }
 func (cs *CacheStore[T]) deleteCallback(key string) {
 	delete(cs.cache, key)
 	keyIdx := slices.Index(cs.order, key)
 	if keyIdx != -1 {
 		cs.order = append(cs.order[:keyIdx], cs.order[keyIdx+1:]...)
 	}
 }
 func (cs *CacheStore[T]) Delete(key string) {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.deleteCallback(key)
 }
 func (cs *CacheStore[T]) Sweep() {
 	cs.mu.Lock()
 	for key, entry := range cs.cache {
 		if entry.expiresAt != nil && time.Now().After(*entry.expiresAt) {
 			cs.deleteCallback(key)
 		}
 	}
 	cs.mu.Unlock()
 }
 func (cs *CacheStore[T]) evictOne() bool {
 	now := time.Now()
 	var oldestKey string
 	var oldestExp *time.Time
 	for k, e := range cs.cache {
 		if e.expiresAt != nil && now.After(*e.expiresAt) {
 			cs.deleteCallback(k)
 			return true
 		}
 		if e.expiresAt != nil && (oldestExp == nil || e.expiresAt.Before(*oldestExp)) {
 			oldestKey, oldestExp = k, e.expiresAt
 		}
 	}
 	// If we found an oldest key, evict it else we delete the first key in the order list
 	if oldestKey != "" {
 		cs.deleteCallback(oldestKey)
 		return true
 	} else {
 		if len(cs.order) > 0 {
 			cs.deleteCallback(cs.order[0])
 			return true
 		}
 	}
 	return false
 }
 func (cs *CacheStore[T]) Size() int {
 	cs.mu.RLock()
 	defer cs.mu.RUnlock()
 	return len(cs.cache)
 }
 func (cs *CacheStore[T]) Clear() {
 	cs.mu.Lock()
 	defer cs.mu.Unlock()
 	cs.cache = make(map[string]cacheEntry[T])
 	cs.order = make([]string, 0)
 }
@@ -0,0 +1,383 @@
 package service
 import (
 	"strconv"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 )
 func TestCacheStoreGet(t *testing.T) {
 	tests := []struct {
 		name      string
 		setup     func(cs *CacheStore[string])
 		wantValue string
 		wantOk    bool
 	}{
 		{
 			name:      "returns a stored value",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", 0) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name:   "reports a missing key",
 			setup:  func(cs *CacheStore[string]) {},
 			wantOk: false,
 		},
 		{
 			name: "returns the latest value after an overwrite",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "first", 0)
 				cs.Set("key", "second", 0)
 			},
 			wantValue: "second",
 			wantOk:    true,
 		},
 		{
 			name:      "returns a non-expired entry",
 			setup:     func(cs *CacheStore[string]) { cs.Set("key", "value", time.Minute) },
 			wantValue: "value",
 			wantOk:    true,
 		},
 		{
 			name: "treats an expired entry as missing",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			wantOk: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			value, ok := cs.Get("key")
 			assert.Equal(t, tt.wantOk, ok)
 			if tt.wantOk {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreUpdate(t *testing.T) {
 	tests := []struct {
 		name        string
 		setup       func(cs *CacheStore[string])
 		ttl         time.Duration
 		wantOk      bool
 		afterWait   time.Duration
 		wantPresent bool
 		wantValue   string
 	}{
 		{
 			name:        "updates an existing entry",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 0) },
 			ttl:         0,
 			wantOk:      true,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name:        "does not create a missing entry",
 			setup:       func(cs *CacheStore[string]) {},
 			ttl:         0,
 			wantOk:      false,
 			wantPresent: false,
 		},
 		{
 			name:        "preserves the existing expiry when ttl is zero",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 30*time.Millisecond) },
 			ttl:         0,
 			wantOk:      true,
 			afterWait:   40 * time.Millisecond,
 			wantPresent: false,
 		},
 		{
 			name:        "refreshes the expiry when ttl is provided",
 			setup:       func(cs *CacheStore[string]) { cs.Set("key", "old", 10*time.Millisecond) },
 			ttl:         time.Minute,
 			wantOk:      true,
 			afterWait:   20 * time.Millisecond,
 			wantPresent: true,
 			wantValue:   "new",
 		},
 		{
 			name: "does not update an expired entry",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("key", "old", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			ttl:         time.Minute,
 			wantOk:      false,
 			wantPresent: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			ok := cs.Update("key", "new", tt.ttl)
 			assert.Equal(t, tt.wantOk, ok)
 			time.Sleep(tt.afterWait)
 			value, present := cs.Get("key")
 			assert.Equal(t, tt.wantPresent, present)
 			if tt.wantPresent {
 				assert.Equal(t, tt.wantValue, value)
 			}
 		})
 	}
 }
 func TestCacheStoreDelete(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		key      string
 		wantSize int
 	}{
 		{
 			name: "removes an existing key",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 			},
 			key:      "a",
 			wantSize: 1,
 		},
 		{
 			name:     "is a no-op for a missing key",
 			setup:    func(cs *CacheStore[string]) { cs.Set("a", "1", 0) },
 			key:      "missing",
 			wantSize: 1,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Delete(tt.key)
 			_, ok := cs.Get(tt.key)
 			assert.False(t, ok)
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSweep(t *testing.T) {
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "removes expired entries and keeps the rest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("permanent", "value", 0)
 				cs.Set("expired", "value", 10*time.Millisecond)
 				time.Sleep(20 * time.Millisecond)
 			},
 			present:  []string{"permanent"},
 			absent:   []string{"expired"},
 			wantSize: 1,
 		},
 		{
 			name: "keeps all live entries",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "value", 0)
 				cs.Set("b", "value", time.Minute)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](0)
 			tt.setup(cs)
 			cs.Sweep()
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreEviction(t *testing.T) {
 	// Every case uses a cache with maxSize 2; the final Set in setup is the
 	// insertion that overflows the cache and triggers an eviction.
 	tests := []struct {
 		name     string
 		setup    func(cs *CacheStore[string])
 		present  []string
 		absent   []string
 		wantSize int
 	}{
 		{
 			name: "evicts an already expired entry first",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("expired", "value", 10*time.Millisecond)
 				cs.Set("fresh", "value", time.Minute)
 				time.Sleep(20 * time.Millisecond)
 				cs.Set("new", "value", time.Minute)
 			},
 			present:  []string{"fresh", "new"},
 			absent:   []string{"expired"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the entry expiring soonest",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("soon", "value", 50*time.Millisecond)
 				cs.Set("later", "value", time.Hour)
 				cs.Set("new", "value", time.Hour)
 			},
 			present:  []string{"later", "new"},
 			absent:   []string{"soon"},
 			wantSize: 2,
 		},
 		{
 			name: "evicts the oldest inserted entry when none have a ttl",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("first", "value", 0)
 				cs.Set("second", "value", 0)
 				cs.Set("third", "value", 0)
 			},
 			present:  []string{"second", "third"},
 			absent:   []string{"first"},
 			wantSize: 2,
 		},
 		{
 			name: "overwriting an existing key does not trigger eviction",
 			setup: func(cs *CacheStore[string]) {
 				cs.Set("a", "1", 0)
 				cs.Set("b", "2", 0)
 				cs.Set("a", "updated", 0)
 			},
 			present:  []string{"a", "b"},
 			wantSize: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cs := NewCacheStore[string](2)
 			tt.setup(cs)
 			for _, key := range tt.present {
 				_, ok := cs.Get(key)
 				assert.True(t, ok)
 			}
 			for _, key := range tt.absent {
 				_, ok := cs.Get(key)
 				assert.False(t, ok)
 			}
 			assert.Equal(t, tt.wantSize, cs.Size())
 		})
 	}
 }
 func TestCacheStoreSizeAndClear(t *testing.T) {
 	cs := NewCacheStore[string](0)
 	assert.Equal(t, 0, cs.Size())
 	cs.Set("a", "1", 0)
 	cs.Set("b", "2", 0)
 	assert.Equal(t, 2, cs.Size())
 	cs.Clear()
 	assert.Equal(t, 0, cs.Size())
 	_, ok := cs.Get("a")
 	assert.False(t, ok)
 }
 func TestCacheStoreWithLock(t *testing.T) {
 	cs := NewCacheStore[int](0)
 	cs.Set("counter", 1, 0)
 	// All four actions run atomically under a single lock.
 	cs.WithLock(func(actions CacheStoreActions[int]) {
 		current, ok := actions.Get("counter")
 		assert.True(t, ok)
 		actions.Set("counter", current+1, 0)
 		actions.Set("other", 100, 0)
 		actions.Delete("counter")
 		updated := actions.Update("other", 200, 0)
 		assert.True(t, updated)
 	})
 	_, ok := cs.Get("counter")
 	assert.False(t, ok)
 	value, ok := cs.Get("other")
 	assert.True(t, ok)
 	assert.Equal(t, 200, value)
 }
 // TestCacheStoreConcurrency exercises every locking path concurrently so the
 // race detector (go test -race) can flag unsynchronised access.
 func TestCacheStoreConcurrency(t *testing.T) {
 	cs := NewCacheStore[int](64)
 	const goroutines = 16
 	const iterations = 200
 	var wg sync.WaitGroup
 	wg.Add(goroutines)
 	for g := range goroutines {
 		go func(g int) {
 			defer wg.Done()
 			for i := range iterations {
 				key := strconv.Itoa((g*iterations + i) % 32)
 				switch i % 6 {
 				case 0:
 					cs.Set(key, i, time.Minute)
 				case 1:
 					cs.Get(key)
 				case 2:
 					cs.Update(key, i, time.Minute)
 				case 3:
 					cs.Delete(key)
 				case 4:
 					cs.Size()
 				case 5:
 					cs.WithLock(func(actions CacheStoreActions[int]) {
 						if v, ok := actions.Get(key); ok {
 							actions.Set(key, v+1, time.Minute)
 						}
 					})
 				}
 			}
 		}(g)
 	}
 	wg.Wait()
 }
@@ -3,8 +3,8 @@ package service
 import (
 	"context"
 	"strings"
 	"sync"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -24,7 +24,7 @@ type DockerService struct {
 func NewDockerService(
 	log *logger.Logger,
 	ctx context.Context,
-	wg *sync.WaitGroup,
+	dg *ding.Ding,
 ) (*DockerService, error) {
 	client, err := client.NewClientWithOpts(client.FromEnv)
@@ -50,7 +50,7 @@ func NewDockerService(
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
-	wg.Go(service.watchAndClose)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
@@ -108,8 +108,8 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 	return nil, nil
 }
-func (docker *DockerService) watchAndClose() {
+func (docker *DockerService) watchAndClose(ctx context.Context) {
-	<-docker.context.Done()
+	<-ctx.Done()
 	docker.log.App.Debug().Msg("Closing Docker client")
 	if docker.client != nil {
 		err := docker.client.Close()
@@ -3,10 +3,12 @@ package service
 import (
 	"context"
 	"fmt"
 	"slices"
 	"strings"
 	"sync"
 	"time"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -37,7 +39,6 @@ type ingressApp struct {
 type KubernetesService struct {
 	log *logger.Logger
 	ctx context.Context
 	client       dynamic.Interface
 	started      bool
@@ -50,7 +51,7 @@ type KubernetesService struct {
 func NewKubernetesService(
 	log *logger.Logger,
 	ctx context.Context,
-	wg *sync.WaitGroup,
+	dg *ding.Ding,
 ) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
@@ -81,16 +82,15 @@ func NewKubernetesService(
 	service := &KubernetesService{
 		log:          log,
 		ctx:          ctx,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
-	wg.Go(func() {
+	dg.Go(func(ctx context.Context) {
-		service.watchGVR(gvr)
+		service.watchGVR(gvr, ctx)
-	})
+	}, ding.RingMajor)
 	service.started = true
 	log.App.Debug().Msg("Kubernetes label provider started successfully")
@@ -167,6 +167,68 @@ func (k *KubernetesService) getByAppName(appName string) *model.App {
 	return nil
 }
 func (k *KubernetesService) extractPaths(rule map[string]any) ([]string, error) {
 	http, found, err := unstructured.NestedMap(rule, "http")
 	if err != nil {
 		return nil, fmt.Errorf("reading http from rule: %w", err)
 	}
 	if !found {
 		return nil, nil
 	}
 	paths, found, err := unstructured.NestedSlice(http, "paths")
 	if err != nil {
 		return nil, fmt.Errorf("reading http.paths: %w", err)
 	}
 	if !found {
 		return nil, nil
 	}
 	var result []string
 	for _, p := range paths {
 		path, ok := p.(map[string]any)
 		if !ok {
 			continue
 		}
 		if p, ok := path["path"].(string); ok && p != "" {
 			result = append(result, p)
 		}
 	}
 	return result, nil
 }
 func (k *KubernetesService) extractHosts(item *unstructured.Unstructured) ([]string, error) {
 	rules, found, err := unstructured.NestedSlice(item.Object, "spec", "rules")
 	if err != nil {
 		return nil, fmt.Errorf("reading spec.rules: %w", err)
 	}
 	if !found {
 		return nil, nil
 	}
 	var hosts []string
 	for _, r := range rules {
 		rule, ok := r.(map[string]any)
 		if !ok {
 			continue
 		}
 		if host, ok := rule["host"].(string); ok && host != "" {
 			hosts = append(hosts, host)
 		}
 		paths, err := k.extractPaths(rule)
 		if err != nil {
 			// This is purely to warn users, it doesn't affect our ability to extract hosts so we won't fail the whole operation
 			k.log.App.Warn().Err(err).Str("namespace", item.GetNamespace()).Str("name", item.GetName()).Msg("Failed to extract paths from ingress rule")
 			continue
 		}
 		if len(paths) == 0 {
 			continue
 		}
 		if !slices.Contains(paths, "/") {
 			k.log.App.Warn().Str("namespace", item.GetNamespace()).Str("name", item.GetName()).Strs("paths", paths).Msg("Ingress rule does not contain a catch-all path, another ingress may be able to bypass auth checks if it routes the same host with a different path. Consider adding a catch-all path to this rule to ensure auth checks are applied to all paths for this host.")
 		}
 	}
 	k.log.App.Trace().Strs("hosts", hosts).Msg("Extracted hosts from ingress rules")
 	return hosts, nil
 }
 func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	namespace := item.GetNamespace()
 	name := item.GetName()
@@ -175,6 +237,11 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 		k.removeIngress(namespace, name)
 		return
 	}
 	hosts, err := k.extractHosts(item)
 	if err != nil {
 		k.removeIngress(namespace, name)
 		return
 	}
 	labels, err := decoders.DecodeLabels[model.Apps](annotations, "apps")
 	if err != nil {
 		k.log.App.Warn().Err(err).Str("namespace", namespace).Str("name", name).Msg("Failed to decode ingress labels, skipping")
@@ -186,6 +253,10 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 		if appLabels.Config.Domain == "" {
 			continue
 		}
 		if len(hosts) > 0 && !slices.Contains(hosts, appLabels.Config.Domain) {
 			k.log.App.Warn().Str("namespace", namespace).Str("name", name).Str("appName", appName).Str("domain", appLabels.Config.Domain).Msg("App domain does not match any hosts defined in ingress rules, skipping")
 			continue
 		}
 		apps = append(apps, ingressApp{
 			domain:  appLabels.Config.Domain,
 			appName: appName,
@@ -199,8 +270,8 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	}
 }
-func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {
+func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource, ctx context.Context) error {
-	ctx, cancel := context.WithTimeout(k.ctx, 30*time.Second)
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 	list, err := k.client.Resource(gvr).List(ctx, metav1.ListOptions{})
@@ -217,10 +288,10 @@ func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {
 // runWatcher drains events from an active watcher until it closes or the context is done.
 // Returns true if the caller should restart the watcher, false if it should exit.
-func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker) bool {
+func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker, ctx context.Context) bool {
 	for {
 		select {
-		case <-k.ctx.Done():
+		case <-ctx.Done():
 			w.Stop()
 			return false
 		case event, ok := <-w.ResultChan():
@@ -242,33 +313,33 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 				k.removeIngress(item.GetNamespace(), item.GetName())
 			}
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr); err != nil {
+			if err := k.resyncGVR(gvr, ctx); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed during watcher run")
 			}
 		}
 	}
 }
-func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
+func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource, ctx context.Context) {
 	resyncTicker := time.NewTicker(5 * time.Minute)
 	defer resyncTicker.Stop()
-	if err := k.resyncGVR(gvr); err != nil {
+	if err := k.resyncGVR(gvr, ctx); err != nil {
 		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, will retry")
 		time.Sleep(30 * time.Second)
 	}
 	for {
 		select {
-		case <-k.ctx.Done():
+		case <-ctx.Done():
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Shutting down kubernetes watcher")
 			return
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr); err != nil {
+			if err := k.resyncGVR(gvr, ctx); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed, will retry")
 			}
 		default:
-			ctx, cancel := context.WithCancel(k.ctx)
+			ctx, cancel := context.WithCancel(ctx)
 			watcher, err := k.client.Resource(gvr).Watch(ctx, metav1.ListOptions{})
 			if err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher, will retry")
@@ -277,7 +348,7 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 				continue
 			}
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started successfully")
-			if !k.runWatcher(gvr, watcher, resyncTicker) {
+			if !k.runWatcher(gvr, watcher, resyncTicker, ctx) {
 				cancel()
 				return
 			}
@@ -9,14 +9,15 @@ import (
 	"github.com/cenkalti/backoff/v5"
 	ldapgo "github.com/go-ldap/ldap/v3"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 type LdapService struct {
 	log    *logger.Logger
 	config model.Config
 	context context.Context
 	conn  *ldapgo.Conn
 	mutex sync.RWMutex
@@ -26,17 +27,19 @@ type LdapService struct {
 func NewLdapService(
 	log *logger.Logger,
 	config model.Config,
-	ctx context.Context,
+	dg *ding.Ding,
 	wg *sync.WaitGroup,
 ) (*LdapService, error) {
 	if config.LDAP.Address == "" {
 		return nil, nil
 	}
 	secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
 	config.LDAP.BindPassword = secret
 	config.LDAP.BindPasswordFile = ""
 	ldap := &LdapService{
 		log:    log,
 		config: config,
 		context: ctx,
 	}
 	// Check whether authentication with client certificate is possible
@@ -69,7 +72,7 @@ func NewLdapService(
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
-	wg.Go(func() {
+	dg.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 		ticker := time.NewTicker(5 * time.Minute)
@@ -87,12 +90,12 @@ func NewLdapService(
 					}
 					ldap.log.App.Info().Msg("Successfully reconnected to LDAP server")
 				}
-			case <-ldap.context.Done():
+			case <-ctx.Done():
 				ldap.log.App.Debug().Msg("LDAP service context cancelled, stopping heartbeat")
 				return
 			}
 		}
-	})
+	}, ding.RingMajor)
 	return ldap, nil
 }
@@ -17,7 +17,7 @@ type GithubEmailResponse []struct {
 	Verified bool   `json:"verified"`
 }
-type GithubUserInfoResponse struct {
+type GithubUserinfoResponse struct {
 	Login string `json:"login"`
 	Name  string `json:"name"`
 	ID    int    `json:"id"`
@@ -30,7 +30,7 @@ func defaultExtractor(client *http.Client, url string) (*model.Claims, error) {
 func githubExtractor(client *http.Client, _ string) (*model.Claims, error) {
 	var user model.Claims
-	userInfo, err := simpleReq[GithubUserInfoResponse](client, "https://api.github.com/user", map[string]string{
+	userInfo, err := simpleReq[GithubUserinfoResponse](client, "https://api.github.com/user", map[string]string{
 		"accept": "application/vnd.github+json",
 	})
 	if err != nil {
@@ -10,13 +10,13 @@ import (
 	"golang.org/x/oauth2"
 )
-type UserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
+type OAuthUserinfoExtractor func(client *http.Client, url string) (*model.Claims, error)
 type OAuthService struct {
 	serviceCfg        model.OAuthServiceConfig
 	config            *oauth2.Config
 	ctx               context.Context
-	userinfoExtractor UserinfoExtractor
+	userinfoExtractor OAuthUserinfoExtractor
 	id                string
 }
@@ -50,7 +50,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 	}
 }
-func (s *OAuthService) WithUserinfoExtractor(extractor UserinfoExtractor) *OAuthService {
+func (s *OAuthService) WithUserinfoExtractor(extractor OAuthUserinfoExtractor) *OAuthService {
 	s.userinfoExtractor = extractor
 	return s
 }
@@ -15,13 +15,14 @@ import (
 	"net/url"
 	"os"
 	"strings"
 	"sync"
 	"time"
 	"slices"
 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -42,6 +43,10 @@ var (
 	ErrInvalidClient = errors.New("invalid_client")
 )
 // This is not spec-compliant, the ID token SHOULD NOT contain user info claims but,
 // it has became a "standard" and apps are looking for the claims in the ID tokens
 // instead of calling the userinfo endpoint, so we include them in the ID token as well
 // for better compatibility with existing apps
 type ClaimSet struct {
 	Iss               string   `json:"iss"`
 	Aud               string   `json:"aud"`
@@ -67,6 +72,8 @@ type ClaimSet struct {
 	Nonce             string   `json:"nonce,omitempty"`
 }
 // We use this struct as both a response struct and a struct to store userinfo
 // in the database
 type UserinfoResponse struct {
 	Sub                 string              `json:"sub"`
 	Name                string              `json:"name,omitempty"`
@@ -101,14 +108,29 @@ type TokenResponse struct {
 }
 type AuthorizeRequest struct {
-	Scope               string `json:"scope" binding:"required"`
+	jwt.Claims
-	ResponseType        string `json:"response_type" binding:"required"`
+	Scope               string `form:"scope" json:"scope" url:"scope"`
-	ClientID            string `json:"client_id" binding:"required"`
+	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
-	RedirectURI         string `json:"redirect_uri" binding:"required"`
+	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
-	State               string `json:"state"`
+	RedirectURI         string `form:"redirect_uri" json:"redirect_uri" url:"redirect_uri"`
-	Nonce               string `json:"nonce"`
+	State               string `form:"state" json:"state" url:"state"`
-	CodeChallenge       string `json:"code_challenge"`
+	Nonce               string `form:"nonce" json:"nonce" url:"nonce"`
-	CodeChallengeMethod string `json:"code_challenge_method"`
+	CodeChallenge       string `form:"code_challenge" json:"code_challenge" url:"code_challenge"`
 	CodeChallengeMethod string `form:"code_challenge_method" json:"code_challenge_method" url:"code_challenge_method"`
 }
 type AuthorizeCodeEntry struct {
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	Nonce         string
 	CodeChallenge string
 	Userinfo      UserinfoResponse
 }
 type UsedCodeEntry struct {
 	Sub string
 }
 type OIDCService struct {
@@ -116,12 +138,17 @@ type OIDCService struct {
 	config  model.Config
 	runtime model.RuntimeConfig
 	queries repository.Store
 	context context.Context
 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
 	publicKey  *rsa.PublicKey
 	issuer     string
 	caches struct {
 		code      *CacheStore[AuthorizeCodeEntry]
 		usedCode  *CacheStore[UsedCodeEntry]
 		authorize *CacheStore[AuthorizeRequest]
 	}
 }
 func NewOIDCService(
@@ -129,8 +156,7 @@ func NewOIDCService(
 	config model.Config,
 	runtime model.RuntimeConfig,
 	queries repository.Store,
-	ctx context.Context,
+	dg *ding.Ding) (*OIDCService, error) {
 	wg *sync.WaitGroup) (*OIDCService, error) {
 	// If not configured, skip init
 	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
@@ -276,7 +302,6 @@ func NewOIDCService(
 		config:  config,
 		runtime: runtime,
 		queries: queries,
 		context: ctx,
 		clients:    clients,
 		privateKey: privateKey,
@@ -285,7 +310,33 @@ func NewOIDCService(
 	}
 	// Start cleanup routine
-	wg.Go(service.cleanupRoutine)
+	dg.Go(service.cleanupRoutine, ding.RingMinor)
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
 	usedCode := NewCacheStore[UsedCodeEntry](256)
 	authorize := NewCacheStore[AuthorizeRequest](256)
 	service.caches.code = codeCash
 	service.caches.usedCode = usedCode
 	service.caches.authorize = authorize
 	// Start cache cleanup routine
 	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for {
 			select {
 			case <-ticker.C:
 				service.caches.code.Sweep()
 				service.caches.usedCode.Sweep()
 				service.caches.authorize.Sweep()
 			case <-ctx.Done():
 				return
 			}
 		}
 	}, ding.RingMinor)
 	return service, nil
 }
@@ -348,19 +399,17 @@ func (service *OIDCService) filterScopes(scopes []string) []string {
 	})
 }
-func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, req AuthorizeRequest) error {
+func (service *OIDCService) CreateCode(req AuthorizeRequest, userContext model.UserContext) string {
-	// Fixed 10 minutes
+	code := utils.GenerateString(32)
-	expiresAt := time.Now().Add(time.Minute * time.Duration(10)).Unix()
+	sub := service.CreateSub(userContext, req.ClientID)
-	entry := repository.CreateOidcCodeParams{
+	entry := AuthorizeCodeEntry{
 		Sub:      sub,
 		CodeHash:    service.Hash(code),
-		// Here it's safe to split and trust the output since, we validated the scopes before
+		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), " "),
 		Scope:       strings.Join(service.filterScopes(strings.Split(req.Scope, " ")), ","),
 		RedirectURI: req.RedirectURI,
 		ClientID:    req.ClientID,
 		ExpiresAt:   expiresAt,
 		Nonce:       req.Nonce,
 		Userinfo:    service.userinfoFromContext(userContext, sub),
 	}
 	if req.CodeChallenge != "" {
@@ -372,14 +421,14 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 		}
 	}
-	// Insert the code into the database
+	// Store the code in the cache
-	_, err := service.queries.CreateOidcCode(c, entry)
+	service.caches.code.Set(entry.CodeHash, entry, 1*time.Minute)
-	return err
+	return code
 }
-func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContext model.UserContext, req AuthorizeRequest) error {
+func (service *OIDCService) userinfoFromContext(userContext model.UserContext, sub string) UserinfoResponse {
-	userInfoParams := repository.CreateOidcUserInfoParams{
+	userInfo := UserinfoResponse{
 		Sub:               sub,
 		Name:              userContext.GetName(),
 		Email:             userContext.GetEmail(),
@@ -388,37 +437,31 @@ func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContex
 	}
 	if userContext.IsLocal() {
-		addressJSON, err := json.Marshal(userContext.Local.Attributes.Address)
+		userInfo.GivenName = userContext.Local.Attributes.GivenName
-		if err != nil {
+		userInfo.FamilyName = userContext.Local.Attributes.FamilyName
-			return err
+		userInfo.MiddleName = userContext.Local.Attributes.MiddleName
-		}
+		userInfo.Nickname = userContext.Local.Attributes.Nickname
-		userInfoParams.GivenName = userContext.Local.Attributes.GivenName
+		userInfo.Profile = userContext.Local.Attributes.Profile
-		userInfoParams.FamilyName = userContext.Local.Attributes.FamilyName
+		userInfo.Picture = userContext.Local.Attributes.Picture
-		userInfoParams.MiddleName = userContext.Local.Attributes.MiddleName
+		userInfo.Website = userContext.Local.Attributes.Website
-		userInfoParams.Nickname = userContext.Local.Attributes.Nickname
+		userInfo.Gender = userContext.Local.Attributes.Gender
-		userInfoParams.Profile = userContext.Local.Attributes.Profile
+		userInfo.Birthdate = userContext.Local.Attributes.Birthdate
-		userInfoParams.Picture = userContext.Local.Attributes.Picture
+		userInfo.Zoneinfo = userContext.Local.Attributes.Zoneinfo
-		userInfoParams.Website = userContext.Local.Attributes.Website
+		userInfo.Locale = userContext.Local.Attributes.Locale
-		userInfoParams.Gender = userContext.Local.Attributes.Gender
+		userInfo.PhoneNumber = userContext.Local.Attributes.PhoneNumber
-		userInfoParams.Birthdate = userContext.Local.Attributes.Birthdate
+		userInfo.Address = &userContext.Local.Attributes.Address
 		userInfoParams.Zoneinfo = userContext.Local.Attributes.Zoneinfo
 		userInfoParams.Locale = userContext.Local.Attributes.Locale
 		userInfoParams.PhoneNumber = userContext.Local.Attributes.PhoneNumber
 		userInfoParams.Address = string(addressJSON)
 	}
 	// Tinyauth will pass through the groups it got from an LDAP or an OIDC server
 	if userContext.IsLDAP() {
-		userInfoParams.Groups = strings.Join(userContext.LDAP.Groups, ",")
+		userInfo.Groups = userContext.LDAP.Groups
 	}
 	if userContext.IsOAuth() {
-		userInfoParams.Groups = strings.Join(userContext.OAuth.Groups, ",")
+		userInfo.Groups = userContext.OAuth.Groups
 	}
-	_, err := service.queries.CreateOidcUserInfo(c, userInfoParams)
+	return userInfo
 	return err
 }
 func (service *OIDCService) ValidateGrantType(grantType string) error {
@@ -429,36 +472,34 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
 	return nil
 }
-func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
+func (service *OIDCService) GetCodeEntry(codeHash string, clientId string) (*AuthorizeCodeEntry, bool) {
-	oidcCode, err := service.queries.GetOidcCode(c, codeHash)
+	var entry AuthorizeCodeEntry
 	var ok bool
-	if err != nil {
+	service.caches.code.WithLock(func(actions CacheStoreActions[AuthorizeCodeEntry]) {
-		if errors.Is(err, repository.ErrNotFound) {
+		entry, ok = actions.Get(codeHash)
-			return repository.OidcCode{}, ErrCodeNotFound
+
-		}
+		if !ok {
-		return repository.OidcCode{}, err
+			return
 		}
-	if time.Now().Unix() > oidcCode.ExpiresAt {
+		if entry.ClientID != clientId {
-		err = service.queries.DeleteOidcCode(c, codeHash)
+			ok = false
-		if err != nil {
+			return
 			return repository.OidcCode{}, err
 		}
 		err = service.DeleteUserinfo(c, oidcCode.Sub)
 		if err != nil {
 			return repository.OidcCode{}, err
 		}
 		return repository.OidcCode{}, ErrCodeExpired
 		}
-	if oidcCode.ClientID != clientId {
+		// Since the code can only be used once, we delete it from the cache after retrieving it
-		return repository.OidcCode{}, ErrInvalidClient
+		actions.Delete(codeHash)
 	})
 	if !ok {
 		return nil, false
 	}
-	return oidcCode, nil
+	return &entry, true
 }
-func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
+func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user UserinfoResponse, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
@@ -524,17 +565,11 @@ func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user
 	return token, nil
 }
-func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OIDCClientConfig, codeEntry repository.OidcCode) (TokenResponse, error) {
+func (service *OIDCService) GenerateAccessToken(ctx context.Context, client model.OIDCClientConfig, codeEntry AuthorizeCodeEntry) (*TokenResponse, error) {
-	user, err := service.GetUserinfo(c, codeEntry.Sub)
+	idToken, err := service.generateIDToken(client, codeEntry.Userinfo, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	idToken, err := service.generateIDToken(client, user, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -554,56 +589,68 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OID
 		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
-	_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
+	var userInfoJson []byte
-		Sub:                   codeEntry.Sub,
+
 	userInfoJson, err = json.Marshal(codeEntry.Userinfo)
 	if err != nil {
 		return nil, err
 	}
 	_, err = service.queries.CreateOIDCSession(ctx, repository.CreateOIDCSessionParams{
 		Sub:                   codeEntry.Userinfo.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(refreshToken),
 		ClientID:              client.ClientID,
 		Scope:                 codeEntry.Scope,
 		ClientID:              client.ClientID,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
-		CodeHash:              codeEntry.CodeHash,
+		UserinfoJson:          string(userInfoJson),
 	})
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
-	return tokenResponse, nil
+	return &tokenResponse, nil
 }
-func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string, reqClientId string) (TokenResponse, error) {
+func (service *OIDCService) RefreshAccessToken(ctx context.Context, refreshToken string, clientId string) (*TokenResponse, error) {
-	entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken))
+	entry, err := service.queries.GetOIDCSessionByRefreshTokenHash(ctx, service.Hash(refreshToken))
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return TokenResponse{}, ErrTokenNotFound
+			return nil, ErrTokenNotFound
 		}
-		return TokenResponse{}, err
+		return nil, err
 	}
 	if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-		return TokenResponse{}, ErrTokenExpired
+		return nil, ErrTokenExpired
 	}
 	// Ensure the client ID in the request matches the client ID in the token
-	if entry.ClientID != reqClientId {
+	if entry.ClientID != clientId {
-		return TokenResponse{}, ErrInvalidClient
+		return nil, ErrInvalidClient
 	}
-	user, err := service.GetUserinfo(c, entry.Sub)
+	// we need to unmarshal the userinfo from the database to include it in the new ID token,
 	// since the ID token includes user claims for better compatibility with existing apps
 	var userInfo UserinfoResponse
 	err = json.Unmarshal([]byte(entry.UserinfoJson), &userInfo)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	idToken, err := service.generateIDToken(model.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, user, entry.Scope, entry.Nonce)
+	}, userInfo, entry.Scope, entry.Nonce)
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
 	accessToken := utils.GenerateString(32)
@@ -621,71 +668,54 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
-	_, err = service.queries.UpdateOidcTokenByRefreshToken(c, repository.UpdateOidcTokenByRefreshTokenParams{
+	_, err = service.queries.UpdateOIDCSession(ctx, repository.UpdateOIDCSessionParams{
 		Sub:                   entry.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(newRefreshToken),
 		Scope:                 entry.Scope,
 		ClientID:              entry.ClientID,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refreshTokenExpiresAt,
-		RefreshTokenHash_2:    service.Hash(refreshToken), // that's the selector, it's not stored in the db
+		Nonce:                 entry.Nonce,
 		UserinfoJson:          entry.UserinfoJson,
 	})
 	if err != nil {
-		return TokenResponse{}, err
+		return nil, err
 	}
-	return tokenResponse, nil
+	return &tokenResponse, nil
 }
-func (service *OIDCService) DeleteCodeEntry(c *gin.Context, codeHash string) error {
+func (service *OIDCService) GetSessionByToken(ctx context.Context, tokenHash string) (*repository.OidcSession, error) {
-	return service.queries.DeleteOidcCode(c, codeHash)
+	entry, err := service.queries.GetOIDCSessionByAccessTokenHash(ctx, tokenHash)
 }
 func (service *OIDCService) DeleteUserinfo(c *gin.Context, sub string) error {
 	return service.queries.DeleteOidcUserInfo(c, sub)
 }
 func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error {
 	return service.queries.DeleteOidcToken(c, tokenHash)
 }
 func (service *OIDCService) DeleteTokenByCodeHash(c *gin.Context, codeHash string) error {
 	return service.queries.DeleteOidcTokenByCodeHash(c, codeHash)
 }
 func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
 	entry, err := service.queries.GetOidcToken(c, tokenHash)
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
-			return repository.OidcToken{}, ErrTokenNotFound
+			return nil, ErrTokenNotFound
 		}
-		return repository.OidcToken{}, err
+		return nil, err
 	}
 	if entry.TokenExpiresAt < time.Now().Unix() {
-		// If refresh token is expired, delete the token and userinfo since there is no way for the client to access anything anymore
+		// If refresh token is expired, delete the session
 		// since there is no way for the client to access anything anymore
 		if entry.RefreshTokenExpiresAt < time.Now().Unix() {
-			err := service.DeleteToken(c, tokenHash)
+			// Deletes by sub
 			err := service.queries.DeleteOIDCSessionBySub(ctx, entry.Sub)
 			if err != nil {
-				return repository.OidcToken{}, err
+				return nil, err
 			}
-			err = service.DeleteUserinfo(c, entry.Sub)
+			return nil, ErrTokenExpired
 			if err != nil {
 				return repository.OidcToken{}, err
 		}
-		}
+		return nil, ErrTokenExpired
 		return repository.OidcToken{}, ErrTokenExpired
 	}
-	return entry, nil
+	return &entry, nil
 }
-func (service *OIDCService) GetUserinfo(c *gin.Context, sub string) (repository.OidcUserinfo, error) {
+func (service *OIDCService) CompileUserinfo(user UserinfoResponse, scope string) UserinfoResponse {
-	return service.queries.GetOidcUserInfo(c, sub)
+	scopes := strings.Split(scope, " ")
 }
 func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope string) UserinfoResponse {
 	scopes := strings.Split(scope, ",") // split by comma since it's a db entry
 	userInfo := UserinfoResponse{
 		Sub:       user.Sub,
 		UpdatedAt: user.UpdatedAt,
@@ -713,11 +743,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	}
 	if slices.Contains(scopes, "groups") {
-		if user.Groups != "" {
+		userInfo.Groups = user.Groups
 			userInfo.Groups = strings.Split(user.Groups, ",")
 		} else {
 			userInfo.Groups = []string{}
 		}
 	}
 	if slices.Contains(scopes, "phone") {
@@ -727,10 +753,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	}
 	if slices.Contains(scopes, "address") {
-		var addr model.AddressClaim
+		userInfo.Address = user.Address
 		if err := json.Unmarshal([]byte(user.Address), &addr); err == nil {
 			userInfo.Address = &addr
 		}
 	}
 	return userInfo
@@ -743,25 +766,16 @@ func (service *OIDCService) Hash(token string) string {
 }
 func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) error {
-	err := service.queries.DeleteOidcCodeBySub(ctx, sub)
+	err := service.queries.DeleteOIDCSessionBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcTokenBySub(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	err = service.queries.DeleteOidcUserInfo(ctx, sub)
 	if err != nil && !errors.Is(err, repository.ErrNotFound) {
 		return err
 	}
 	return nil
 }
-// Cleanup routine - Resource heavy due to the linked tables
+func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 func (service *OIDCService) cleanupRoutine() {
 	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
-	ticker := time.NewTicker(time.Duration(30) * time.Minute)
+	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 	for {
@@ -771,50 +785,18 @@ func (service *OIDCService) cleanupRoutine() {
 			currentTime := time.Now().Unix()
-			// For the OIDC tokens, if they are expired we delete the userinfo and codes
+			// Limitation of sqlc, meaning we need to specify a timestamp for both token and refresh token expiry
-			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(service.context, repository.DeleteExpiredOidcTokensParams{
+			err := service.queries.DeleteExpiredOIDCSessions(ctx, repository.DeleteExpiredOIDCSessionsParams{
 				TokenExpiresAt:        currentTime,
 				RefreshTokenExpiresAt: currentTime,
 			})
 			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired tokens")
+				service.log.App.Warn().Err(err).Msg("Failed to delete expired OIDC sessions")
 			}
 			for _, expiredToken := range expiredTokens {
 				err := service.DeleteOldSession(service.context, expiredToken.Sub)
 				if err != nil {
 					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
 				}
 			}
 			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
 			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(service.context, currentTime)
 			if err != nil {
 			service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
 			}
 			for _, expiredCode := range expiredCodes {
 				token, err := service.queries.GetOidcTokenBySub(service.context, expiredCode.Sub)
 				if err != nil {
 					if !errors.Is(err, repository.ErrNotFound) {
 						service.log.App.Warn().Err(err).Msg("Failed to get token by sub for expired code")
 					}
 					continue
 				}
 				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
 					err := service.DeleteOldSession(service.context, expiredCode.Sub)
 					if err != nil {
 						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
 					}
 				}
 			}
 			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
-		case <-service.context.Done():
+		case <-ctx.Done():
 			service.log.App.Debug().Msg("Stopping OIDC cleanup routine")
 			return
 		}
@@ -854,3 +836,116 @@ func (service *OIDCService) hashAndEncodePKCE(codeVerifier string) string {
 	hasher.Write([]byte(codeVerifier))
 	return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
 }
 // WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes.
 // We will just create a uuid out of the username and client name which remains stable,
 // but if username or client name changes then sub changes too.
 func (service *OIDCService) CreateSub(userContext model.UserContext, clientId string) string {
 	return utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), clientId))
 }
 func (service *OIDCService) IsCodeUsed(codeHash string) (string, bool) {
 	entry, ok := service.caches.usedCode.Get(codeHash)
 	if !ok {
 		return "", false
 	}
 	return entry.Sub, true
 }
 func (service *OIDCService) MarkCodeAsUsed(codeHash string, sub string) {
 	entry := UsedCodeEntry{
 		Sub: sub,
 	}
 	service.caches.usedCode.Set(codeHash, entry, 2*time.Minute)
 }
 func (service *OIDCService) DeleteSessionBySub(ctx context.Context, sub string) error {
 	return service.queries.DeleteOIDCSessionBySub(ctx, sub)
 }
 func (service *OIDCService) CreateAuthorizeRequestTicket(req AuthorizeRequest) string {
 	ticket := utils.GenerateString(32)
 	service.caches.authorize.Set(ticket, req, 10*time.Minute)
 	return ticket
 }
 func (service *OIDCService) GetAuthorizeRequestByTicket(ticket string) (*AuthorizeRequest, bool) {
 	entry, ok := service.caches.authorize.Get(ticket)
 	if !ok {
 		return nil, false
 	}
 	return &entry, true
 }
 func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 	service.caches.authorize.Delete(ticket)
 }
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
 	var req AuthorizeRequest
 	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 	claims, ok := token.Claims.(*AuthorizeRequest)
 	if !ok {
 		return nil, errors.New("failed to parse claims from authorize request jwt")
 	}
 	return claims, nil
 }
 func (service *OIDCService) CreateConsentEntry(ctx context.Context, clientId string, scope string) (string, error) {
 	u := uuid.New()
 	entry := repository.CreateOIDCConsentParams{
 		UUID:     u.String(),
 		ClientID: clientId,
 		Scopes:   scope,
 	}
 	_, err := service.queries.CreateOIDCConsent(ctx, entry)
 	if err != nil {
 		return "", err
 	}
 	return entry.UUID, nil
 }
 func (service *OIDCService) GetConsentEntry(ctx context.Context, uuid string) (*repository.OidcConsent, error) {
 	entry, err := service.queries.GetOIDCConsentByUUID(ctx, uuid)
 	if err != nil {
 		if errors.Is(err, repository.ErrNotFound) {
 			return nil, nil
 		}
 		return nil, err
 	}
 	return &entry, nil
 }
 func (service *OIDCService) DeleteConsentEntry(ctx context.Context, uuid string) error {
 	return service.queries.DeleteOIDCConsentByUUID(ctx, uuid)
 }
 func (service *OIDCService) UpdateConsentEntry(ctx context.Context, uuid string, scopes string) error {
 	_, err := service.queries.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
 		UUID:   uuid,
 		Scopes: scopes,
 	})
 	return err
 }
@@ -2,36 +2,24 @@ package service_test
 import (
 	"context"
 	"encoding/json"
 	"sync"
 	"testing"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
-func newTestUser() repository.OidcUserinfo {
+func newTestUser() service.UserinfoResponse {
-	addr := model.AddressClaim{
+	return service.UserinfoResponse{
 		Formatted:     "123 Main St",
 		StreetAddress: "123 Main St",
 		Locality:      "Springfield",
 		Region:        "IL",
 		PostalCode:    "62701",
 		Country:       "US",
 	}
 	addrJSON, _ := json.Marshal(addr)
 	return repository.OidcUserinfo{
 		Sub:               "test-sub",
 		Name:              "Test User",
 		PreferredUsername: "testuser",
 		Email:             "test@example.com",
-		Groups:            "admins,users",
+		Groups:            []string{"admins", "users"},
 		UpdatedAt:         1234567890,
 		GivenName:         "Test",
 		FamilyName:        "User",
@@ -45,7 +33,14 @@ func newTestUser() repository.OidcUserinfo {
 		Zoneinfo:          "America/Chicago",
 		Locale:            "en-US",
 		PhoneNumber:       "+15555550100",
-		Address:           string(addrJSON),
+		Address: &model.AddressClaim{
 			Formatted:     "123 Main St",
 			StreetAddress: "123 Main St",
 			Locality:      "Springfield",
 			Region:        "IL",
 			PostalCode:    "62701",
 			Country:       "US",
 		},
 	}
 }
@@ -70,14 +65,14 @@ func TestCompileUserinfo(t *testing.T) {
 	log.Init()
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
-	svc, err := service.NewOIDCService(log, cfg, runtime, nil, ctx, wg)
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
 	require.NoError(t, err)
 	type testCase struct {
 		description string
-		mutate      func(u *repository.OidcUserinfo)
+		mutate      func(u *service.UserinfoResponse)
 		scope       string
 		run         func(t *testing.T, info service.UserinfoResponse)
 	}
@@ -98,7 +93,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "profile scope returns all profile fields",
-			scope:       "openid,profile",
+			scope:       "openid profile",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "testuser", info.PreferredUsername)
@@ -118,7 +113,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email and email_verified true when email present",
-			scope:       "openid,email",
+			scope:       "openid email",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.True(t, info.EmailVerified)
@@ -127,8 +122,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "email scope sets email_verified false when email absent",
-			scope:       "openid,email",
+			scope:       "openid email",
-			mutate:      func(u *repository.OidcUserinfo) { u.Email = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.Email = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Empty(t, info.Email)
 				assert.False(t, info.EmailVerified)
@@ -136,7 +131,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "phone scope sets phone_number_verified true when phone present",
-			scope:       "openid,phone",
+			scope:       "openid phone",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
 				require.NotNil(t, info.PhoneNumberVerified)
@@ -145,8 +140,8 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "phone scope sets phone_number_verified false when phone absent",
-			scope:       "openid,phone",
+			scope:       "openid phone",
-			mutate:      func(u *repository.OidcUserinfo) { u.PhoneNumber = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.PhoneNumber = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.False(t, *info.PhoneNumberVerified)
@@ -154,7 +149,7 @@ func TestCompileUserinfo(t *testing.T) {
 		},
 		{
 			description: "address scope returns parsed address",
-			scope:       "openid,address",
+			scope:       "openid address",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.Address)
 				assert.Equal(t, "123 Main St", info.Address.Formatted)
@@ -165,32 +160,16 @@ func TestCompileUserinfo(t *testing.T) {
 				assert.Equal(t, "US", info.Address.Country)
 			},
 		},
 		{
 			description: "address scope with invalid JSON omits address",
 			scope:       "openid,address",
 			mutate:      func(u *repository.OidcUserinfo) { u.Address = "not-valid-json" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Nil(t, info.Address)
 			},
 		},
 		{
 			description: "groups scope returns split groups",
-			scope:       "openid,groups",
+			scope:       "openid groups",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{"admins", "users"}, info.Groups)
 			},
 		},
 		{
 			description: "groups scope returns empty slice when no groups",
 			scope:       "openid,groups",
 			mutate:      func(u *repository.OidcUserinfo) { u.Groups = "" },
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{}, info.Groups)
 			},
 		},
 		{
 			description: "all scopes return all fields",
-			scope:       "openid,profile,email,phone,address,groups",
+			scope:       "openid profile email phone address groups",
 			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "test@example.com", info.Email)
@@ -108,3 +108,7 @@ func (engine *PolicyEngine) Policy() Policy {
 func (engine *PolicyEngine) Rules() map[RuleName]Rule {
 	return engine.rules
 }
 func (engine *PolicyEngine) EvaluateFunc(f func() Effect) bool {
 	return engine.effectToAccess(f())
 }
@@ -9,6 +9,7 @@ import (
 	"sync"
 	"time"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"tailscale.com/client/local"
@@ -20,12 +21,10 @@ type TailscaleWhoisResponse struct {
 	LoginName   string
 	DisplayName string
 	NodeName    string
 	Tags        []string
 }
 type TailscaleService struct {
 	log    *logger.Logger
 	wg     *sync.WaitGroup
 	config model.Config
 	ctx    context.Context
@@ -35,7 +34,7 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
-func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, wg *sync.WaitGroup) (*TailscaleService, error) {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
 	if !config.Tailscale.Enabled {
 		return nil, nil
 	}
@@ -67,7 +66,6 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 	service := &TailscaleService{
 		log:    log,
 		wg:     wg,
 		config: config,
 		ctx:    ctx,
 		srv:    srv,
@@ -84,13 +82,13 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
-	wg.Go(service.watchAndClose)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 	return service, nil
 }
-func (ts *TailscaleService) watchAndClose() {
+func (ts *TailscaleService) watchAndClose(ctx context.Context) {
-	<-ts.ctx.Done()
+	<-ctx.Done()
 	ts.log.App.Debug().Msg("Shutting down Tailscale service")
 	ts.mu.Lock()
 	srv := ts.srv
@@ -116,14 +114,22 @@ func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleW
 		return nil, fmt.Errorf("failed to get client whois: %w", err)
 	}
 	if who.Node.IsTagged() {
 		ts.log.App.Debug().Msgf("Skipping whois for tagged node %s", who.Node.Name)
 		return nil, nil
 	}
 	uid := strings.TrimPrefix(who.UserProfile.ID.String(), "userid:")
 	res := TailscaleWhoisResponse{
-		UserID:      who.UserProfile.ID.String(),
+		UserID:      uid,
 		LoginName:   who.UserProfile.LoginName,
 		DisplayName: who.UserProfile.DisplayName,
 		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
 		Tags:        who.Node.Tags,
 	}
 	ts.log.App.Debug().Interface("res", res).Msg("tailscale")
 	return &res, nil
 }
@@ -1,6 +1,7 @@
 package test
 import (
 	"context"
 	"path/filepath"
 	"testing"
@@ -133,3 +134,11 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 	return config, runtime
 }
 func CreateTestHelpers() model.RuntimeHelpers {
 	return model.RuntimeHelpers{
 		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
 			return "example.com", nil
 		},
 	}
 }
@@ -3,7 +3,6 @@ package loaders
 import (
 	"os"
 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
 	"github.com/tinyauthapp/paerser/file"
 	"github.com/tinyauthapp/paerser/flag"
@@ -19,8 +18,8 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 	}
 	// I guess we are using traefik as the root name (we can't change it)
-	configFileFlag := "traefik.experimental.configfile"
+	configFileFlag := "traefik.configfile"
-	envVar := "TINYAUTH_EXPERIMENTAL_CONFIGFILE"
+	envVar := "TINYAUTH_CONFIGFILE"
 	if _, ok := flags[configFileFlag]; !ok {
 		if value := os.Getenv(envVar); value != "" {
@@ -30,8 +29,6 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 		}
 	}
 	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")
 	err = file.Decode(flags[configFileFlag], cmd.Configuration)
 	if err != nil {
@@ -3,6 +3,7 @@ package utils
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net"
 	"regexp"
@@ -11,6 +12,10 @@ import (
 	"github.com/google/uuid"
 )
 var (
 	ErrFilterEmpty = errors.New("filter is empty")
 )
 func GetSecret(conf string, file string) string {
 	if conf == "" && file == "" {
 		return ""
@@ -78,7 +83,7 @@ func CheckIPFilter(filter string, ip string) (bool, error) {
 func CheckFilter(filter string, input string) (bool, error) {
 	if len(strings.TrimSpace(filter)) == 0 {
-		return false, fmt.Errorf("filter is empty")
+		return false, ErrFilterEmpty
 	}
 	if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
@@ -1,46 +1,17 @@
-- name: CreateOidcCode :one
+-- name: GetOIDCSessionBySub :one
-INSERT INTO "oidc_codes" (
+SELECT * FROM "oidc_sessions"
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = $1;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = $1;
-- name: GetOidcCodeBySub :one
+-- name: GetOIDCSessionByAccessTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "sub" = $1
+WHERE "access_token_hash" = $1;
 RETURNING *;
-- name: DeleteOidcCode :exec
+-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "code_hash" = $1;
+WHERE "refresh_token_hash" = $1;
-- name: DeleteOidcCodeBySub :exec
+-- name: CreateOIDCSession :one
-DELETE FROM "oidc_codes"
+INSERT INTO "oidc_sessions" (
 WHERE "sub" = $1;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -48,86 +19,55 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
 RETURNING *;
-- name: UpdateOidcTokenByRefreshToken :one
+-- name: DeleteOIDCSessionBySub :exec
-UPDATE "oidc_tokens" SET
+DELETE FROM "oidc_sessions"
 WHERE "sub" = $1;
 -- name: DeleteExpiredOIDCSessions :exec
 DELETE FROM "oidc_sessions"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2;
 -- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = $1,
    "refresh_token_hash" = $2,
-    "token_expires_at"         = $3,
+    "scope" = $3,
-    "refresh_token_expires_at" = $4
+    "client_id" = $4,
-WHERE "refresh_token_hash" = $5
+    "token_expires_at" = $5,
    "refresh_token_expires_at" = $6,
    "nonce" = $7,
    "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING *;
-- name: GetOidcToken :one
+-- name: CreateOIDCConsent :one
-SELECT * FROM "oidc_tokens"
+INSERT INTO "oidc_consent" (
-WHERE "access_token_hash" = $1;
+    "uuid",
-
+    "client_id",
-- name: GetOidcTokenByRefreshToken :one
+    "scopes"
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = $1;
 -- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = $1;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = $1;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
+    $1, $2, $3
 )
 RETURNING *;
-- name: GetOidcUserInfo :one
+-- name: GetOIDCConsentByUUID :one
-SELECT * FROM "oidc_userinfo"
+SELECT * FROM "oidc_consent"
-WHERE "sub" = $1;
+WHERE "uuid" = $1;
-- name: DeleteOidcUserInfo :exec
+-- name: UpdateOIDCConsent :one
-DELETE FROM "oidc_userinfo"
+UPDATE "oidc_consent" SET
-WHERE "sub" = $1;
+    "scopes" = $1,
-
+    "updated_at" = CURRENT_TIMESTAMP
-- name: DeleteExpiredOidcCodes :many
+WHERE "uuid" = $2
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING *;
-- name: DeleteExpiredOidcTokens :many
+-- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_tokens"
+DELETE FROM "oidc_consent"
-WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
+WHERE "uuid" = $1;
 RETURNING *;
@@ -1,44 +1,19 @@
-CREATE TABLE IF NOT EXISTS "oidc_codes" (
+CREATE TABLE IF NOT EXISTS "oidc_sessions" (
-    "sub"            TEXT   NOT NULL UNIQUE,
+    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
+    "access_token_hash" TEXT NOT NULL UNIQUE,
-    "scope"          TEXT   NOT NULL,
+    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
-    "nonce"                    TEXT   NOT NULL DEFAULT ''
+    "nonce" TEXT NOT NULL DEFAULT '',
    "userinfo_json" TEXT NOT NULL
 );
-CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "sub"                TEXT   NOT NULL PRIMARY KEY,
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "name"               TEXT   NOT NULL,
+    "client_id" TEXT NOT NULL,
-    "preferred_username" TEXT   NOT NULL,
+    "scopes" TEXT NOT NULL,
-    "email"              TEXT   NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "groups"             TEXT   NOT NULL,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
@@ -1,46 +1,17 @@
-- name: CreateOidcCode :one
+-- name: GetOIDCSessionBySub :one
-INSERT INTO "oidc_codes" (
+SELECT * FROM "oidc_sessions"
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 -- name: GetOidcCodeUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "code_hash" = ?;
 -- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
 RETURNING *;
 -- name: GetOidcCodeBySubUnsafe :one
 SELECT * FROM "oidc_codes"
 WHERE "sub" = ?;
-- name: GetOidcCodeBySub :one
+-- name: GetOIDCSessionByAccessTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "sub" = ?
+WHERE "access_token_hash" = ?;
 RETURNING *;
-- name: DeleteOidcCode :exec
+-- name: GetOIDCSessionByRefreshTokenHash :one
-DELETE FROM "oidc_codes"
+SELECT * FROM "oidc_sessions"
-WHERE "code_hash" = ?;
+WHERE "refresh_token_hash" = ?;
-- name: DeleteOidcCodeBySub :exec
+-- name: CreateOIDCSession :one
-DELETE FROM "oidc_codes"
+INSERT INTO "oidc_sessions" (
 WHERE "sub" = ?;
 -- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
@@ -48,86 +19,55 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
-    "code_hash",
+    "nonce",
-    "nonce"
+    "userinfo_json"
 ) VALUES (
    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
-- name: UpdateOidcTokenByRefreshToken :one
+-- name: DeleteOIDCSessionBySub :exec
-UPDATE "oidc_tokens" SET
+DELETE FROM "oidc_sessions"
 WHERE "sub" = ?;
 -- name: DeleteExpiredOIDCSessions :exec
 DELETE FROM "oidc_sessions"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?;
 -- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
    "access_token_hash" = ?,
    "refresh_token_hash" = ?,
    "scope" = ?,
    "client_id" = ?,
    "token_expires_at" = ?,
-    "refresh_token_expires_at" = ?
+    "refresh_token_expires_at" = ?,
-WHERE "refresh_token_hash" = ?
+    "nonce" = ?,
    "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING *;
-- name: GetOidcToken :one
+-- name: CreateOIDCConsent :one
-SELECT * FROM "oidc_tokens"
+INSERT INTO "oidc_consent" (
-WHERE "access_token_hash" = ?;
+    "uuid",
-
+    "client_id",
-- name: GetOidcTokenByRefreshToken :one
+    "scopes"
 SELECT * FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?;
 -- name: GetOidcTokenBySub :one
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = ?;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
 -- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?
 )
 RETURNING *;
-- name: GetOidcUserInfo :one
+-- name: GetOIDCConsentByUUID :one
-SELECT * FROM "oidc_userinfo"
+SELECT * FROM "oidc_consent"
-WHERE "sub" = ?;
+WHERE "uuid" = ?;
-- name: DeleteOidcUserInfo :exec
+-- name: UpdateOIDCConsent :one
-DELETE FROM "oidc_userinfo"
+UPDATE "oidc_consent" SET
-WHERE "sub" = ?;
+    "scopes" = ?,
-
+    "updated_at" = CURRENT_TIMESTAMP
-- name: DeleteExpiredOidcCodes :many
+WHERE "uuid" = ?
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
 RETURNING *;
-- name: DeleteExpiredOidcTokens :many
+-- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_tokens"
+DELETE FROM "oidc_consent"
-WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
+WHERE "uuid" = ?;
 RETURNING *;
@@ -1,44 +1,19 @@
-CREATE TABLE IF NOT EXISTS "oidc_codes" (
+CREATE TABLE IF NOT EXISTS "oidc_sessions" (
-    "sub" TEXT NOT NULL UNIQUE,
+    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
+    "access_token_hash" TEXT NOT NULL UNIQUE,
-    "scope" TEXT NOT NULL,
+    "refresh_token_hash" TEXT NOT NULL UNIQUE,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT "",
    "code_challenge" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL,
-    "nonce" TEXT DEFAULT ""
+    "nonce" TEXT NOT NULL DEFAULT "",
    "userinfo_json" TEXT NOT NULL
 );
-CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "name"                  TEXT    NOT NULL,
+    "client_id" TEXT NOT NULL,
-    "preferred_username"    TEXT    NOT NULL,
+    "scopes" TEXT NOT NULL,
-    "email"                 TEXT    NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "groups"                TEXT    NOT NULL,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
    "updated_at"            INTEGER NOT NULL,
    "given_name"            TEXT    NOT NULL,
    "family_name"           TEXT    NOT NULL,
    "middle_name"           TEXT    NOT NULL,
    "nickname"              TEXT    NOT NULL,
    "profile"               TEXT    NOT NULL,
    "picture"               TEXT    NOT NULL,
    "website"               TEXT    NOT NULL,
    "gender"                TEXT    NOT NULL,
    "birthdate"             TEXT    NOT NULL,
    "zoneinfo"              TEXT    NOT NULL,
    "locale"                TEXT    NOT NULL,
    "phone_number"          TEXT    NOT NULL,
    "address"               TEXT    NOT NULL
 );
@@ -22,11 +22,7 @@ sql:
            go_type: "string"
          - column: "sessions.ldap_groups"
            go_type: "string"
-          - column: "oidc_codes.nonce"
+          - column: "oidc_sessions.nonce"
            go_type: "string"
          - column: "oidc_tokens.nonce"
            go_type: "string"
          - column: "oidc_codes.code_challenge"
            go_type: "string"
  - engine: "postgresql"
    queries: "sql/postgres/*_queries.sql"
Author	SHA1	Message	Date
Stavros	026a460d67	feat: add backend for oidc consent	2026-06-11 18:09:14 +03:00
Stavros	abb47a8180	chore: init db migrations	2026-06-11 17:15:09 +03:00
Stavros	0e00552004	Merge branch 'refactor/oidc-authorize' into feat/preserve-authorize	2026-06-11 16:40:23 +03:00
Ryc O'Chet	49105ce5ff	feat: add ldap bind password file (#929 )	2026-06-11 13:25:22 +03:00
Stavros	5c5d7a43ef	chore: own review comments	2026-06-09 16:17:57 +03:00
Stavros	6a4d85dc41	chore: rabbit comments	2026-06-09 11:57:29 +03:00
Stavros	57c573502d	chore: bump go to 1.26.4	2026-06-09 11:44:03 +03:00
Stavros	3c9817cf39	tests: fix oidc controller tests	2026-06-08 12:38:44 +03:00
Stavros	ede6e8084d	fix: support for oidc post (forgot that)	2026-06-08 12:35:13 +03:00
Stavros	4e671ed48c	tests: fix proxy controller tests	2026-06-08 12:24:19 +03:00
Stavros	a69d22bb0e	feat: add new quick actions menu instead of individual dropdowns in frontend	2026-06-08 12:16:40 +03:00
Stavros	ace64fa7ee	tests: rework oidc tests and aim for better coverage Co-Authored-By: Claude <noreply@anthropic.com>	2026-06-07 18:57:41 +03:00
Stavros	5e954da5ff	chore: go mod tidy	2026-06-06 18:05:48 +03:00
Stavros	47b7f1e6f2	feat: add back support for request oidc param	2026-06-06 18:01:59 +03:00
Stavros	f078e3549e	fix: fix oauth oidc flow	2026-06-06 17:02:06 +03:00
Stavros	da9079246a	Merge branch 'main' into refactor/oidc-authorize	2026-06-06 16:31:13 +03:00
Stavros	426eac2d0b	refactor: rework oidc session storage (#913 )	2026-06-06 16:26:08 +03:00
dependabot[bot]	da17be400e	chore(deps): bump the minor-patch group across 1 directory with 4 updates (#920 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:53:46 +03:00
dependabot[bot]	514fcb8fcc	chore(deps): bump docker/setup-buildx-action from 4.0.0 to 4.1.0 (#901 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:53:24 +03:00
dependabot[bot]	831180c7fa	chore(deps): bump docker/metadata-action from 6.0.0 to 6.1.0 (#900 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:53:10 +03:00
dependabot[bot]	e0ab7c75bc	chore(deps): bump node from 26.2-alpine3.23 to 26.3-alpine3.23 (#914 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:52:53 +03:00
dependabot[bot]	66546439fa	chore(deps): bump docker/login-action from 4.1.0 to 4.2.0 (#902 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:52:38 +03:00
dependabot[bot]	df742abb8d	chore(deps): bump github.com/quic-go/quic-go from 0.59.0 to 0.59.1 (#917 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:52:18 +03:00
dependabot[bot]	57e1f963df	chore(deps): bump github/codeql-action from 4.35.5 to 4.36.1 (#918 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:51:55 +03:00
dependabot[bot]	d7c255948c	chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#919 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-06 15:51:33 +03:00
Stavros	2454ba58ea	refactor: use ticket approach for oidc flow	2026-06-01 17:04:08 +03:00
Stavros	97e0e0dfff	wip: backend	2026-06-01 16:26:42 +03:00
Stavros	b3c152fa1c	chore: rabbit comments	2026-06-01 15:47:19 +03:00
Stavros	5caee887de	fix: ensure no oidc code reuse	2026-06-01 12:22:49 +03:00
Stavros	b5770ef305	fix: add memory back in the db bootstrap	2026-06-01 12:10:59 +03:00
Stavros	1c4ca8f436	chore: differentiate oauth userinfo from oidc userinfo	2026-06-01 12:02:11 +03:00
Stavros	a72300484b	tests: fix oidc service tests	2026-06-01 12:00:50 +03:00
Stavros	4fe5de241b	chore: fix memory store	2026-06-01 11:55:47 +03:00
Stavros	83ed9ece57	feat: add db cleanup routine back	2026-06-01 11:47:17 +03:00
Stavros	faa3156672	Merge branch 'main' into refactor/oidc-store	2026-05-31 20:11:37 +03:00
Stavros	695feca71c	refactor: rework oidc session storage	2026-05-31 20:10:53 +03:00
Stavros	dac844595d	refactor: use new cache store in services (#912 )	2026-05-31 18:55:06 +03:00
Stavros	82d21c3b28	Merge branch 'refactor/service-cache' into refactor/oidc-codes	2026-05-31 18:34:52 +03:00
Stavros	fe8463890a	fix: fix bugs in cache order	2026-05-31 18:29:14 +03:00
Stavros	940ba6dff7	fix: don't allow tagged devices in tailscale integration	2026-05-31 12:42:00 +03:00
Stavros	ac9689dc9b	tests: add cache store tests	2026-05-30 15:18:23 +03:00
Stavros	3e5757cfc9	fix: fix race conditions	2026-05-30 15:04:53 +03:00
Stavros	ed94490efd	refactor: use new cache store in auth service	2026-05-29 23:33:35 +03:00
Stavros	faee58ca8e	feat: use ding for ordered go routine shutdown order (#896 )	2026-05-27 12:46:28 +03:00
Stavros	e9b8ca3cf8	fix: cleanup acl logic to match stable one	2026-05-27 12:11:17 +03:00
Stavros	f2c4e7932d	chore: include debug symbols in nightly images (#908 )	2026-05-27 11:43:43 +03:00
Stavros	4538922caf	refactor: simplify error handling in oidc authorize handler (#907 )	2026-05-27 11:27:10 +03:00
Stavros	672db84200	feat: make config file a stable feature (#897 )	2026-05-27 11:26:09 +03:00
Scott McKendry	359000f731	feat(db): add postgresql support (#892 )	2026-05-26 00:08:59 +03:00
Stavros	0a3e7bf265	fix: use policy engine in oauth whitelist check (#904 )	2026-05-26 00:07:46 +03:00
Puneet Dixit	c3461131f5	feat: support provider-specific OAuth whitelists (#882 ) Co-authored-by: Puneet Dixit <236133619+puneetdixit200@users.noreply.github.com>	2026-05-24 20:18:33 +03:00
Stavros	3f584ca741	New Crowdin updates (#798 )	2026-05-24 19:16:29 +03:00
dependabot[bot]	36d0ffc2b5	chore(deps): bump sqlc-dev/setup-sqlc from 4 to 5 (#880 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:14:15 +03:00
dependabot[bot]	37b79735f0	chore(deps): bump the minor-patch group across 1 directory with 6 updates (#881 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:13:53 +03:00
dependabot[bot]	09540fbe6e	chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 (#891 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:13:15 +03:00
dependabot[bot]	8e60a2e28e	chore(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 (#879 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:12:51 +03:00
dependabot[bot]	9619024c37	chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#871 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:12:20 +03:00
dependabot[bot]	1c305bacca	chore(deps): bump node from 26.1-alpine3.23 to 26.2-alpine3.23 (#883 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:11:55 +03:00
Scott McKendry	e532cde2b6	fix: potential nil pointer dereferences (#893 )	2026-05-24 17:23:48 +03:00
Stavros	2737a25227	fix: don't point to nil local users in bootstrap app	2026-05-23 20:24:54 +03:00
Scott McKendry	7aa25210f5	feat(config): allow global bypass by ip (#889 )	2026-05-23 19:58:48 +03:00
Stavros	55bef72639	fix: ensure domain defined in acls is included in host rules (#884 )	2026-05-23 17:13:41 +03:00
Stavros	ae17bd3b66	fix: do not log user context not found errors in proxy controller	2026-05-23 16:43:03 +03:00