chore: add linter to ci

feat: add golangci-lint for go linting
2026-05-14 16:20:14 +00:00 · 2026-05-09 18:02:08 +03:00 · 2026-05-09 18:00:41 +03:00
64 changed files with 1820 additions and 2033 deletions
@@ -49,6 +49,11 @@ jobs:
        run: |
          cp -r frontend/dist internal/assets/dist

+      - name: Lint backend
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.12
+
      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...

@@ -38,6 +38,6 @@ jobs:
          retention-days: 5

      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
        with:
          sarif_file: results.sarif
@@ -48,6 +48,3 @@ __debug_*

 # testing config
 config.certify.yml
-
-# deepsec
-/.deepsec
@@ -0,0 +1,17 @@
+version: "2"
+linters:
+  settings:
+    errcheck:
+      exclude-functions:
+        - (http.ResponseWriter).Write
+        - (http.ResponseWriter).WriteString
+        - (github.com/gin-gonic/gin.ResponseWriter).Write
+        - (github.com/gin-gonic/gin.ResponseWriter).WriteString
+  exclusions:
+    rules:
+      - linters:
+          - errcheck
+        text: "//nolint:errcheck"
+      - linters:
+          - staticcheck
+        text: "//nolint:staticcheck"
@@ -2,56 +2,8 @@

 ## Supported Versions

-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.

 ## Reporting a Vulnerability

-Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
-
-Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
-
-Or send us an email at <security@tinyauth.app>.
-
-### A note on AI-assisted reports
-
-If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
-
-When submitting a report, please use the structure below so it can be triaged quickly.
-
---
-
-### 1. Summary
-
-A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
-
-### 2. Steps to Reproduce / Proof of Concept
-
-Provide a minimal, reliable reproduction:
-
-1. Step one
-2. Step two
-3. Step three
-
-Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
-
-### 3. Expected vs. Actual Behaviour
-
- **Expected:** what *should* happen
- **Actual:** what *does* happen, and why it's a security issue
-
-### 4. Suggested Fix or Mitigation *(optional)*
-
-If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
-
- **Have you tested this fix?** Yes / No
- **If yes,** briefly describe how it was tested and what was verified.
-
---
-
-## What to Expect
-
- **Acknowledgement** within a reasonable timeframe after receiving your report
- **Updates** as the issue is investigated and addressed
- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
-
-We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
@@ -6,8 +6,8 @@ import (
 	"strings"

 	"charm.land/huh/v2"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -40,8 +40,7 @@ func createUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -74,7 +73,7 @@ func createUserCmd() *cli.Command {
 				return errors.New("username and password cannot be empty")
 			}

-			log.App.Info().Str("username", tCfg.Username).Msg("Creating user")
+			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")

 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
@@ -87,7 +86,7 @@ func createUserCmd() *cli.Command {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}

-			log.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")

 			return nil
 		},
@@ -7,7 +7,7 @@ import (
 	"strings"

 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"charm.land/huh/v2"
 	"github.com/mdp/qrterminal/v3"
@@ -40,8 +40,7 @@ func generateTotpCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -69,10 +68,7 @@ func generateTotpCmd() *cli.Command {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}

-			docker := false
-			if strings.Contains(tCfg.User, "$$") {
-				docker = true
-			}
+			docker := strings.Contains(tCfg.User, "$$")

 			if user.TOTPSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
@@ -89,9 +85,9 @@ func generateTotpCmd() *cli.Command {

 			secret := key.Secret()

-			log.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
+			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")

-			log.App.Info().Msg("Generated QR code")
+			tlog.App.Info().Msg("Generated QR code")

 			config := qrterminal.Config{
 				Level:     qrterminal.L,
@@ -110,7 +106,7 @@ func generateTotpCmd() *cli.Command {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}

-			log.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")

 			return nil
 		},
@@ -10,7 +10,7 @@ import (
 	"time"

 	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 type healthzResponse struct {
@@ -26,8 +26,7 @@ func healthcheckCmd() *cli.Command {
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			if srvAddr == "" {
@@ -46,10 +45,10 @@ func healthcheckCmd() *cli.Command {
 			}

 			if appUrl == "" {
-				return errors.New("Could not determine app URL")
+				return errors.New("could not determine app url")
 			}

-			log.App.Info().Str("app_url", appUrl).Msg("Performing health check")
+			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")

 			client := http.Client{
 				Timeout: 30 * time.Second,
@@ -71,7 +70,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("service is not healthy, got: %s", resp.Status)
 			}

-			defer resp.Body.Close()
+			defer resp.Body.Close() //nolint:errcheck

 			var healthResp healthzResponse

@@ -87,7 +86,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}

-			log.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")

 			return nil
 		},
@@ -7,6 +7,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
@@ -108,6 +109,11 @@ func main() {
 }

 func runCmd(cfg model.Config) error {
+	logger := tlog.NewLogger(cfg.Log)
+	logger.Init()
+
+	tlog.App.Info().Str("version", model.Version).Msg("Starting tinyauth")
+
 	app := bootstrap.NewBootstrapApp(cfg)

 	err := app.Setup()
@@ -5,7 +5,7 @@ import (
 	"fmt"

 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"charm.land/huh/v2"
 	"github.com/pquerna/otp/totp"
@@ -44,8 +44,7 @@ func verifyUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -98,9 +97,9 @@ func verifyUserCmd() *cli.Command {

 			if user.TOTPSecret == "" {
 				if tCfg.Totp != "" {
-					log.App.Warn().Msg("User does not have TOTP secret")
+					tlog.App.Warn().Msg("User does not have TOTP secret")
 				}
-				log.App.Info().Msg("User verified")
+				tlog.App.Info().Msg("User verified")
 				return nil
 			}

@@ -110,7 +109,7 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("TOTP code incorrect")
 			}

-			log.App.Info().Msg("User verified")
+			tlog.App.Info().Msg("User verified")

 			return nil
 		},
@@ -18,11 +18,11 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
-	golang.org/x/crypto v0.51.0
+	golang.org/x/crypto v0.50.0
 	golang.org/x/oauth2 v0.36.0
-	k8s.io/apimachinery v0.36.1
-	k8s.io/client-go v0.36.1
-	modernc.org/sqlite v1.50.1
+	k8s.io/apimachinery v0.36.0
+	k8s.io/client-go v0.36.0
+	modernc.org/sqlite v1.50.0
 )

 require (
@@ -121,11 +121,11 @@ require (
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
-	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -134,7 +134,7 @@ require (
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
-	modernc.org/libc v1.72.3 // indirect
+	modernc.org/libc v1.72.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
@@ -317,29 +317,29 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
-golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
-golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
-golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
@@ -361,22 +361,22 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
-k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
-k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
-k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
-k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
-k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
+k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
+k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
+k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
+k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
-modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
+modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -385,18 +385,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
+modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
-modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.50.1 h1:l+cQvn0sd0zJJtfygGHuQJ5AjlrwXmWPw4KP3ZMwr9w=
-modernc.org/sqlite v1.50.1/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
+modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -3,50 +3,39 @@ package bootstrap
 import (
 	"bytes"
 	"context"
-	"database/sql"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
-	"os/signal"
 	"sort"
 	"strings"
-	"sync"
-	"syscall"
 	"time"

-	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

-type Services struct {
-	accessControlService *service.AccessControlsService
-	authService          *service.AuthService
-	dockerService        *service.DockerService
-	kubernetesService    *service.KubernetesService
-	ldapService          *service.LdapService
-	oauthBrokerService   *service.OAuthBrokerService
-	oidcService          *service.OIDCService
-}
-
 type BootstrapApp struct {
-	config   model.Config
-	runtime  model.RuntimeConfig
+	config  model.Config
+	context struct {
+		appUrl                 string
+		uuid                   string
+		cookieDomain           string
+		sessionCookieName      string
+		csrfCookieName         string
+		redirectCookieName     string
+		oauthSessionCookieName string
+		localUsers             *[]model.LocalUser
+		oauthProviders         map[string]model.OAuthServiceConfig
+		oauthWhitelist         []string
+		configuredProviders    []controller.Provider
+		oidcClients            []model.OIDCClientConfig
+	}
 	services Services
-	log      *logger.Logger
-	ctx      context.Context
-	cancel   context.CancelFunc
-	queries  *repository.Queries
-	router   *gin.Engine
-	db       *sql.DB
-	wg       sync.WaitGroup
 }

 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -56,69 +45,56 @@ func NewBootstrapApp(config model.Config) *BootstrapApp {
 }

 func (app *BootstrapApp) Setup() error {
-	// create context
-	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-	app.ctx = ctx
-	app.cancel = cancel
-
-	// setup logger
-	log := logger.NewLogger().WithConfig(app.config.Log)
-	log.Init()
-	app.log = log
-
 	// get app url
 	if app.config.AppURL == "" {
-		return errors.New("app url cannot be empty, perhaps config loading failed")
+		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
 	}

 	appUrl, err := url.Parse(app.config.AppURL)

 	if err != nil {
-		return fmt.Errorf("failed to parse app url: %w", err)
+		return err
 	}

-	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
+	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host

 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
-		return errors.New("session max lifetime cannot be less than session expiry")
+		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}

-	// parse users
+	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)

 	if err != nil {
-		return fmt.Errorf("failed to load users: %w", err)
+		return err
 	}

-	app.runtime.LocalUsers = *users
+	app.context.localUsers = users

-	// load oauth whitelist
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
-
 	if err != nil {
-		return fmt.Errorf("failed to load oauth whitelist: %w", err)
+		return err
 	}

-	app.runtime.OAuthWhitelist = oauthWhitelist
+	app.context.oauthWhitelist = oauthWhitelist

-	// setup oauth providers
-	app.runtime.OAuthProviders = app.config.OAuth.Providers
+	// Setup OAuth providers
+	app.context.oauthProviders = app.config.OAuth.Providers

-	for id, provider := range app.runtime.OAuthProviders {
+	for name, provider := range app.context.oauthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""

 		if provider.RedirectURL == "" {
-			provider.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + id
+			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
 		}

-		app.runtime.OAuthProviders[id] = provider
+		app.context.oauthProviders[name] = provider
 	}

-	// set presets for built-in providers
-	for id, provider := range app.runtime.OAuthProviders {
+	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
 			if name, ok := model.OverrideProviders[id]; ok {
 				provider.Name = name
@@ -126,72 +102,71 @@ func (app *BootstrapApp) Setup() error {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
-		app.runtime.OAuthProviders[id] = provider
+		app.context.oauthProviders[id] = provider
 	}

-	// setup oidc clients
+	// Setup OIDC clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
-		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
+		app.context.oidcClients = append(app.context.oidcClients, client)
 	}

-	// cookie domain
+	// Get cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
-
 	if !app.config.Auth.SubdomainsEnabled {
-		app.log.App.Warn().Msg("Subdomains are disabled, using standalone cookie domain resolver which will not work with subdomains")
+		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
 		cookieDomainResolver = utils.GetStandaloneCookieDomain
 	}

-	cookieDomain, err := cookieDomainResolver(app.runtime.AppURL)
+	cookieDomain, err := cookieDomainResolver(app.context.appUrl)

 	if err != nil {
-		return fmt.Errorf("failed to get cookie domain: %w", err)
+		return err
 	}

-	app.runtime.CookieDomain = cookieDomain
+	app.context.cookieDomain = cookieDomain

-	// cookie names
-	app.runtime.UUID = utils.GenerateUUID(appUrl.Hostname())
+	// Cookie names
+	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
+	cookieId := strings.Split(app.context.uuid, "-")[0]
+	app.context.sessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.context.csrfCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.context.redirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
+	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)

-	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
+	// Dumps
+	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
+	tlog.App.Trace().Interface("users", app.context.localUsers).Msg("Users dump")
+	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
+	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
+	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
+	tlog.App.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
+	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")

-	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
-	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
-
-	// database
-	err = app.SetupDatabase()
+	// Database
+	db, err := app.SetupDatabase(app.config.Database.Path)

 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}

-	// after this point, we start initializing dependencies so it's a good time to setup a defer
-	// to ensure that resources are cleaned up properly in case of an error during initialization
-	defer func() {
-		app.cancel()
-		app.wg.Wait()
-		app.db.Close()
-	}()
+	// Queries
+	queries := repository.New(db)

-	// queries
-	queries := repository.New(app.db)
-	app.queries = queries
-
-	// services
-	err = app.setupServices()
+	// Services
+	services, err := app.initServices(queries)

 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}

-	// configured providers
-	configuredProviders := make([]model.Provider, 0)
+	app.services = services

-	for id, provider := range app.runtime.OAuthProviders {
-		configuredProviders = append(configuredProviders, model.Provider{
+	// Configured providers
+	configuredProviders := make([]controller.Provider, 0)
+
+	for id, provider := range app.context.oauthProviders {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  provider.Name,
 			ID:    id,
 			OAuth: true,
@@ -202,171 +177,70 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})

-	if app.services.authService.LocalAuthConfigured() {
-		configuredProviders = append(configuredProviders, model.Provider{
+	if services.authService.LocalAuthConfigured() {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "Local",
 			ID:    "local",
 			OAuth: false,
 		})
 	}

-	if app.services.authService.LDAPAuthConfigured() {
-		configuredProviders = append(configuredProviders, model.Provider{
+	if services.authService.LDAPAuthConfigured() {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
 			OAuth: false,
 		})
 	}

+	tlog.App.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
+
 	if len(configuredProviders) == 0 {
-		return errors.New("no authentication providers configured")
+		return fmt.Errorf("no authentication providers configured")
 	}

-	for _, provider := range configuredProviders {
-		app.log.App.Debug().Str("provider", provider.Name).Msg("Configured authentication provider")
-	}
+	app.context.configuredProviders = configuredProviders

-	app.runtime.ConfiguredProviders = configuredProviders
-
-	// setup router
-	err = app.setupRouter()
+	// Setup router
+	router, err := app.setupRouter()

 	if err != nil {
 		return fmt.Errorf("failed to setup routes: %w", err)
 	}

-	// start db cleanup routine
-	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.wg.Go(app.dbCleanupRoutine)
+	// Start db cleanup routine
+	tlog.App.Debug().Msg("Starting database cleanup routine")
+	go app.dbCleanupRoutine(queries)

-	// if analytics are not disabled, start heartbeat
+	// If analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
-		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.wg.Go(app.heartbeatRoutine)
+		tlog.App.Debug().Msg("Starting heartbeat routine")
+		go app.heartbeatRoutine()
 	}

-	// create err channel to listen for server errors
-	errChanLen := 0
-
-	runUnix := app.config.Server.SocketPath != ""
-	runHTTP := app.config.Server.SocketPath == "" || app.config.Server.ConcurrentListenersEnabled
-
-	if runUnix {
-		errChanLen++
-	}
-
-	if runHTTP {
-		errChanLen++
-	}
-
-	errChan := make(chan error, errChanLen)
-
-	if app.config.Server.ConcurrentListenersEnabled {
-		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
-	}
-
-	// serve unix
-	if runUnix {
-		app.wg.Go(func() {
-			if err := app.serveUnix(); err != nil {
-				errChan <- err
-			}
-		})
-	}
-
-	// serve to http
-	if runHTTP {
-		app.wg.Go(func() {
-			if err := app.serveHTTP(); err != nil {
-				errChan <- err
-			}
-		})
-	}
-
-	// monitor cancellation and server errors
-	for {
-		select {
-		case <-app.ctx.Done():
-			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
-			return nil
-		case err := <-errChan:
+	// If we have an socket path, bind to it
+	if app.config.Server.SocketPath != "" {
+		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
+			tlog.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
+			err := os.Remove(app.config.Server.SocketPath)
 			if err != nil {
-				return fmt.Errorf("server error: %w", err)
+				return fmt.Errorf("failed to remove existing socket file: %w", err)
 			}
 		}
-	}
-}

-func (app *BootstrapApp) serveHTTP() error {
-	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
+		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
+			tlog.App.Fatal().Err(err).Msg("Failed to start server")
+		}

-	app.log.App.Info().Msgf("Starting server on %s", address)
-
-	server := &http.Server{
-		Addr:    address,
-		Handler: app.router.Handler(),
-	}
-
-	go func() {
-		<-app.ctx.Done()
-		app.log.App.Debug().Msg("Shutting down http listener")
-		server.Shutdown(app.ctx)
-	}()
-
-	err := server.ListenAndServe()
-
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		return fmt.Errorf("failed to start http listener: %w", err)
-	}
-
-	return nil
-}
-
-func (app *BootstrapApp) serveUnix() error {
-	if app.config.Server.SocketPath == "" {
 		return nil
 	}

-	_, err := os.Stat(app.config.Server.SocketPath)
-
-	if err == nil {
-		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-		err := os.Remove(app.config.Server.SocketPath)
-
-		if err != nil {
-			return fmt.Errorf("failed to remove existing socket file: %w", err)
-		}
-	}
-
-	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-
-	listener, err := net.Listen("unix", app.config.Server.SocketPath)
-
-	if err != nil {
-		return fmt.Errorf("failed to create unix socket listener: %w", err)
-	}
-
-	server := &http.Server{
-		Handler: app.router.Handler(),
-	}
-
-	shutdown := func() {
-		server.Shutdown(app.ctx)
-		listener.Close()
-		os.Remove(app.config.Server.SocketPath)
-	}
-
-	go func() {
-		<-app.ctx.Done()
-		app.log.App.Debug().Msg("Shutting down unix socket listener")
-		shutdown()
-	}()
-
-	err = server.Serve(listener)
-
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		shutdown()
-		return fmt.Errorf("failed to start unix socket listener: %w", err)
+	// Start server
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
+	tlog.App.Info().Msgf("Starting server on %s", address)
+	if err := router.Run(address); err != nil {
+		tlog.App.Fatal().Err(err).Msg("Failed to start server")
 	}

 	return nil
@@ -376,20 +250,20 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()

-	type Heartbeat struct {
+	type heartbeat struct {
 		UUID    string `json:"uuid"`
 		Version string `json:"version"`
 	}

-	var body Heartbeat
+	var body heartbeat

-	body.UUID = app.runtime.UUID
+	body.UUID = app.context.uuid
 	body.Version = model.Version

 	bodyJson, err := json.Marshal(body)

 	if err != nil {
-		app.log.App.Error().Err(err).Msg("Failed to marshal heartbeat body, heartbeat routine will not start")
+		tlog.App.Error().Err(err).Msg("Failed to marshal heartbeat body")
 		return
 	}

@@ -399,60 +273,43 @@ func (app *BootstrapApp) heartbeatRoutine() {

 	heartbeatURL := model.APIServer + "/v1/instances/heartbeat"

-	for {
-		select {
-		case <-ticker.C:
-			app.log.App.Debug().Msg("Sending heartbeat")
+	for range ticker.C {
+		tlog.App.Debug().Msg("Sending heartbeat")

-			req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
+		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))

-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to create heartbeat request")
-				continue
-			}
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to create heartbeat request")
+			continue
+		}

-			req.Header.Add("Content-Type", "application/json")
+		req.Header.Add("Content-Type", "application/json")

-			res, err := client.Do(req)
+		res, err := client.Do(req)

-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to send heartbeat")
-				continue
-			}
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to send heartbeat")
+			continue
+		}

-			res.Body.Close()
+		res.Body.Close() //nolint:errcheck

-			if res.StatusCode != 200 && res.StatusCode != 201 {
-				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
-			}
-		case <-app.ctx.Done():
-			app.log.App.Debug().Msg("Stopping heartbeat routine")
-			ticker.Stop()
-			return
+		if res.StatusCode != 200 && res.StatusCode != 201 {
+			tlog.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 		}
 	}
 }

-func (app *BootstrapApp) dbCleanupRoutine() {
+func (app *BootstrapApp) dbCleanupRoutine(queries *repository.Queries) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
+	ctx := context.Background()

-	for {
-		select {
-		case <-ticker.C:
-			app.log.App.Debug().Msg("Running database cleanup")
-
-			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
-
-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
-			}
-
-			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-app.ctx.Done():
-			app.log.App.Debug().Msg("Stopping database cleanup routine")
-			ticker.Stop()
-			return
+	for range ticker.C {
+		tlog.App.Debug().Msg("Cleaning up old database sessions")
+		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to clean up old database sessions")
 		}
 	}
 }
@@ -14,26 +14,19 @@ import (
 	_ "modernc.org/sqlite"
 )

-func (app *BootstrapApp) SetupDatabase() error {
-	dir := filepath.Dir(app.config.Database.Path)
+func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
+	dir := filepath.Dir(databasePath)

 	if err := os.MkdirAll(dir, 0750); err != nil {
-		return fmt.Errorf("failed to create database directory %s: %w", dir, err)
+		return nil, fmt.Errorf("failed to create database directory %s: %w", dir, err)
 	}

-	db, err := sql.Open("sqlite", app.config.Database.Path)
+	db, err := sql.Open("sqlite", databasePath)

 	if err != nil {
-		return fmt.Errorf("failed to open database: %w", err)
+		return nil, fmt.Errorf("failed to open database: %w", err)
 	}

-	// Close the database if there is an error during migration
-	defer func() {
-		if err != nil {
-			db.Close()
-		}
-	}()
-
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
@@ -41,29 +34,24 @@ func (app *BootstrapApp) SetupDatabase() error {
 	migrations, err := iofs.New(assets.Migrations, "migrations")

 	if err != nil {
-		return fmt.Errorf("failed to create migrations: %w", err)
+		return nil, fmt.Errorf("failed to create migrations: %w", err)
 	}

 	target, err := sqlite3.WithInstance(db, &sqlite3.Config{})

 	if err != nil {
-		return fmt.Errorf("failed to create sqlite3 instance: %w", err)
+		return nil, fmt.Errorf("failed to create sqlite3 instance: %w", err)
 	}

 	migrator, err := migrate.NewWithInstance("iofs", migrations, "sqlite3", target)

 	if err != nil {
-		return fmt.Errorf("failed to create migrator: %w", err)
+		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}

 	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
-		return fmt.Errorf("failed to migrate database: %w", err)
+		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}

-	app.db = db
-	return nil
-}
-
-func (app *BootstrapApp) GetDB() *sql.DB {
-	return app.db
+	return db, nil
 }
@@ -2,16 +2,21 @@ package bootstrap

 import (
 	"fmt"
+	"slices"

 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
+	"github.com/tinyauthapp/tinyauth/internal/model"

 	"github.com/gin-gonic/gin"
 )

-func (app *BootstrapApp) setupRouter() error {
-	// we don't want gin debug mode
-	gin.SetMode(gin.ReleaseMode)
+var DEV_MODES = []string{"main", "test", "development"}
+
+func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
+	if !slices.Contains(DEV_MODES, model.Version) {
+		gin.SetMode(gin.ReleaseMode)
+	}

 	engine := gin.New()
 	engine.Use(gin.Recovery())
@@ -20,36 +25,101 @@ func (app *BootstrapApp) setupRouter() error {
 		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)

 		if err != nil {
-			return fmt.Errorf("failed to set trusted proxies: %w", err)
+			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}

-	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService)
-	engine.Use(contextMiddleware.Middleware())
+	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
+	}, app.services.authService, app.services.oauthBrokerService)

-	uiMiddleware, err := middleware.NewUIMiddleware()
+	err := contextMiddleware.Init()

 	if err != nil {
-		return fmt.Errorf("failed to initialize UI middleware: %w", err)
+		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
+	}
+
+	engine.Use(contextMiddleware.Middleware())
+
+	uiMiddleware := middleware.NewUIMiddleware()
+
+	err = uiMiddleware.Init()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}

 	engine.Use(uiMiddleware.Middleware())

-	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
+	zerologMiddleware := middleware.NewZerologMiddleware()
+
+	err = zerologMiddleware.Init()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
+	}

 	engine.Use(zerologMiddleware.Middleware())

 	apiRouter := engine.Group("/api")

-	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService)
-	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-	controller.NewResourcesController(app.config, &engine.RouterGroup)
-	controller.NewHealthController(apiRouter)
-	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
+	contextController := controller.NewContextController(controller.ContextControllerConfig{
+		Providers:             app.context.configuredProviders,
+		Title:                 app.config.UI.Title,
+		AppURL:                app.config.AppURL,
+		CookieDomain:          app.context.cookieDomain,
+		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
+		BackgroundImage:       app.config.UI.BackgroundImage,
+		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
+		WarningsEnabled:       app.config.UI.WarningsEnabled,
+	}, apiRouter)

-	app.router = engine
-	return nil
+	contextController.SetupRoutes()
+
+	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
+		AppURL:                 app.config.AppURL,
+		SecureCookie:           app.config.Auth.SecureCookie,
+		CSRFCookieName:         app.context.csrfCookieName,
+		RedirectCookieName:     app.context.redirectCookieName,
+		CookieDomain:           app.context.cookieDomain,
+		OAuthSessionCookieName: app.context.oauthSessionCookieName,
+		SubdomainsEnabled:      app.config.Auth.SubdomainsEnabled,
+	}, apiRouter, app.services.authService)
+
+	oauthController.SetupRoutes()
+
+	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, app.services.oidcService, apiRouter)
+
+	oidcController.SetupRoutes()
+
+	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
+		AppURL: app.config.AppURL,
+	}, apiRouter, app.services.accessControlService, app.services.authService)
+
+	proxyController.SetupRoutes()
+
+	userController := controller.NewUserController(controller.UserControllerConfig{
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
+	}, apiRouter, app.services.authService)
+
+	userController.SetupRoutes()
+
+	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
+		Path:    app.config.Resources.Path,
+		Enabled: app.config.Resources.Enabled,
+	}, &engine.RouterGroup)
+
+	resourcesController.SetupRoutes()
+
+	healthController := controller.NewHealthController(apiRouter)
+
+	healthController.SetupRoutes()
+
+	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
+
+	wellknownController.SetupRoutes()
+
+	return engine, nil
 }
@@ -1,66 +1,131 @@
 package bootstrap

 import (
-	"fmt"
 	"os"

+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

-func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
+type Services struct {
+	accessControlService *service.AccessControlsService
+	authService          *service.AuthService
+	dockerService        *service.DockerService
+	kubernetesService    *service.KubernetesService
+	ldapService          *service.LdapService
+	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
+}
+
+func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
+	services := Services{}
+
+	ldapService := service.NewLdapService(service.LdapServiceConfig{
+		Address:      app.config.LDAP.Address,
+		BindDN:       app.config.LDAP.BindDN,
+		BindPassword: app.config.LDAP.BindPassword,
+		BaseDN:       app.config.LDAP.BaseDN,
+		Insecure:     app.config.LDAP.Insecure,
+		SearchFilter: app.config.LDAP.SearchFilter,
+		AuthCert:     app.config.LDAP.AuthCert,
+		AuthKey:      app.config.LDAP.AuthKey,
+	})
+
+	err := ldapService.Init()

 	if err != nil {
-		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
+		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
+		ldapService.Unconfigure() //nolint:errcheck
 	}

-	app.services.ldapService = ldapService
+	services.ldapService = ldapService
+
+	var labelProvider service.LabelProvider
+	var dockerService *service.DockerService
+	var kubernetesService *service.KubernetesService

 	useKubernetes := app.config.LabelProvider == "kubernetes" ||
 		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")

-	var labelProvider service.LabelProvider
-
 	if useKubernetes {
-		app.log.App.Debug().Msg("Using Kubernetes label provider")
-
-		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
-
+		tlog.App.Debug().Msg("Using Kubernetes label provider")
+		kubernetesService = service.NewKubernetesService()
+		err = kubernetesService.Init()
 		if err != nil {
-			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
+			return Services{}, err
 		}
-
-		app.services.kubernetesService = kubernetesService
+		services.kubernetesService = kubernetesService
 		labelProvider = kubernetesService
 	} else {
-		app.log.App.Debug().Msg("Using Docker label provider")
-
-		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
-
+		tlog.App.Debug().Msg("Using Docker label provider")
+		dockerService = service.NewDockerService()
+		err = dockerService.Init()
 		if err != nil {
-			return fmt.Errorf("failed to initialize docker service: %w", err)
+			return Services{}, err
 		}
-
-		app.services.dockerService = dockerService
+		services.dockerService = dockerService
 		labelProvider = dockerService
 	}

-	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
-	app.services.accessControlService = accessControlsService
+	accessControlsService := service.NewAccessControlsService(labelProvider, app.config.Apps)

-	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
-	app.services.oauthBrokerService = oauthBrokerService
-
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService)
-	app.services.authService = authService
-
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
+	err = accessControlsService.Init()

 	if err != nil {
-		return fmt.Errorf("failed to initialize oidc service: %w", err)
+		return Services{}, err
 	}

-	app.services.oidcService = oidcService
+	services.accessControlService = accessControlsService

-	return nil
+	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
+
+	err = oauthBrokerService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.oauthBrokerService = oauthBrokerService
+
+	authService := service.NewAuthService(service.AuthServiceConfig{
+		LocalUsers:         app.context.localUsers,
+		OauthWhitelist:     app.context.oauthWhitelist,
+		SessionExpiry:      app.config.Auth.SessionExpiry,
+		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
+		SecureCookie:       app.config.Auth.SecureCookie,
+		CookieDomain:       app.context.cookieDomain,
+		LoginTimeout:       app.config.Auth.LoginTimeout,
+		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
+		SessionCookieName:  app.context.sessionCookieName,
+		IP:                 app.config.Auth.IP,
+		LDAPGroupsCacheTTL: app.config.LDAP.GroupCacheTTL,
+		SubdomainsEnabled:  app.config.Auth.SubdomainsEnabled,
+	}, services.ldapService, queries, services.oauthBrokerService)
+
+	err = authService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.authService = authService
+
+	oidcService := service.NewOIDCService(service.OIDCServiceConfig{
+		Clients:        app.config.OIDC.Clients,
+		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
+		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
+		Issuer:         app.config.AppURL,
+		SessionExpiry:  app.config.Auth.SessionExpiry,
+	}, queries)
+
+	err = oidcService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.oidcService = oidcService
+
+	return services, nil
 }
@@ -5,7 +5,7 @@ import (
 	"net/url"

 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 )
@@ -24,52 +24,62 @@ type UserContextResponse struct {
 }

 type AppContextResponse struct {
-	Status                int              `json:"status"`
-	Message               string           `json:"message"`
-	Providers             []model.Provider `json:"providers"`
-	Title                 string           `json:"title"`
-	AppURL                string           `json:"appUrl"`
-	CookieDomain          string           `json:"cookieDomain"`
-	ForgotPasswordMessage string           `json:"forgotPasswordMessage"`
-	BackgroundImage       string           `json:"backgroundImage"`
-	OAuthAutoRedirect     string           `json:"oauthAutoRedirect"`
-	WarningsEnabled       bool             `json:"warningsEnabled"`
+	Status                int        `json:"status"`
+	Message               string     `json:"message"`
+	Providers             []Provider `json:"providers"`
+	Title                 string     `json:"title"`
+	AppURL                string     `json:"appUrl"`
+	CookieDomain          string     `json:"cookieDomain"`
+	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
+	BackgroundImage       string     `json:"backgroundImage"`
+	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
+	WarningsEnabled       bool       `json:"warningsEnabled"`
+}
+
+type Provider struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	OAuth bool   `json:"oauth"`
+}
+
+type ContextControllerConfig struct {
+	Providers             []Provider
+	Title                 string
+	AppURL                string
+	CookieDomain          string
+	ForgotPasswordMessage string
+	BackgroundImage       string
+	OAuthAutoRedirect     string
+	WarningsEnabled       bool
 }

 type ContextController struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
+	config ContextControllerConfig
+	router *gin.RouterGroup
 }

-func NewContextController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-) *ContextController {
-	controller := &ContextController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
+func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
+	if !config.WarningsEnabled {
+		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}

-	if !config.UI.WarningsEnabled {
-		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+	return &ContextController{
+		config: config,
+		router: router,
 	}
+}

-	contextGroup := router.Group("/context")
+func (controller *ContextController) SetupRoutes() {
+	contextGroup := controller.router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
-
-	return controller
 }

 func (controller *ContextController) userContextHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		tlog.App.Debug().Err(err).Msg("No user context found in request")
 		c.JSON(200, UserContextResponse{
 			Status:     401,
 			Message:    "Unauthorized",
@@ -95,10 +105,9 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 }

 func (controller *ContextController) appContextHandler(c *gin.Context) {
-	appUrl, err := url.Parse(controller.runtime.AppURL)
-
+	appUrl, err := url.Parse(controller.config.AppURL)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
+		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -109,13 +118,13 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controller.runtime.ConfiguredProviders,
-		Title:                 controller.config.UI.Title,
+		Providers:             controller.config.Providers,
+		Title:                 controller.config.Title,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.runtime.CookieDomain,
-		ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
-		BackgroundImage:       controller.config.UI.BackgroundImage,
-		OAuthAutoRedirect:     controller.config.OAuth.AutoRedirect,
-		WarningsEnabled:       controller.config.UI.WarningsEnabled,
+		CookieDomain:          controller.config.CookieDomain,
+		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
+		BackgroundImage:       controller.config.BackgroundImage,
+		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
+		WarningsEnabled:       controller.config.WarningsEnabled,
 	})
 }
@@ -8,19 +8,30 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestContextController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
-
-	cfg, runtime := test.CreateTestConfigs(t)
+	tlog.NewTestLogger().Init()
+	controllerConfig := controller.ContextControllerConfig{
+		Providers: []controller.Provider{
+			{
+				Name:  "Local",
+				ID:    "local",
+				OAuth: false,
+			},
+		},
+		Title:                 "Tinyauth",
+		AppURL:                "https://tinyauth.example.com",
+		CookieDomain:          "example.com",
+		ForgotPasswordMessage: "foo",
+		BackgroundImage:       "/background.jpg",
+		OAuthAutoRedirect:     "none",
+		WarningsEnabled:       true,
+	}

 	tests := []struct {
 		description string
@@ -36,17 +47,17 @@ func TestContextController(t *testing.T) {
 				expectedAppContextResponse := controller.AppContextResponse{
 					Status:                200,
 					Message:               "Success",
-					Providers:             runtime.ConfiguredProviders,
-					Title:                 cfg.UI.Title,
-					AppURL:                runtime.AppURL,
-					CookieDomain:          runtime.CookieDomain,
-					ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
-					BackgroundImage:       cfg.UI.BackgroundImage,
-					OAuthAutoRedirect:     cfg.OAuth.AutoRedirect,
-					WarningsEnabled:       cfg.UI.WarningsEnabled,
+					Providers:             controllerConfig.Providers,
+					Title:                 controllerConfig.Title,
+					AppURL:                controllerConfig.AppURL,
+					CookieDomain:          controllerConfig.CookieDomain,
+					ForgotPasswordMessage: controllerConfig.ForgotPasswordMessage,
+					BackgroundImage:       controllerConfig.BackgroundImage,
+					OAuthAutoRedirect:     controllerConfig.OAuthAutoRedirect,
+					WarningsEnabled:       controllerConfig.WarningsEnabled,
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -60,7 +71,7 @@ func TestContextController(t *testing.T) {
 					Message: "Unauthorized",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -75,7 +86,7 @@ func TestContextController(t *testing.T) {
 							BaseContext: model.BaseContext{
 								Username: "johndoe",
 								Name:     "John Doe",
-								Email:    utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+								Email:    utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
 							},
 						},
 					})
@@ -89,11 +100,11 @@ func TestContextController(t *testing.T) {
 					IsLoggedIn: true,
 					Username:   "johndoe",
 					Name:       "John Doe",
-					Email:      utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+					Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
 					Provider:   "local",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -110,12 +121,13 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			controller.NewContextController(log, cfg, runtime, group)
+			contextController := controller.NewContextController(controllerConfig, group)
+			contextController.SetupRoutes()

 			recorder := httptest.NewRecorder()

 			request, err := http.NewRequest("GET", test.path, nil)
-			require.NoError(t, err)
+			assert.NoError(t, err)

 			router.ServeHTTP(recorder, request)

@@ -3,15 +3,18 @@ package controller
 import "github.com/gin-gonic/gin"

 type HealthController struct {
+	router *gin.RouterGroup
 }

 func NewHealthController(router *gin.RouterGroup) *HealthController {
-	controller := &HealthController{}
+	return &HealthController{
+		router: router,
+	}
+}

-	router.GET("/healthz", controller.healthHandler)
-	router.HEAD("/healthz", controller.healthHandler)
-
-	return controller
+func (controller *HealthController) SetupRoutes() {
+	controller.router.GET("/healthz", controller.healthHandler)
+	controller.router.HEAD("/healthz", controller.healthHandler)
 }

 func (controller *HealthController) healthHandler(c *gin.Context) {
@@ -7,12 +7,13 @@ import (
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/stretchr/testify/assert"
 )

 func TestHealthController(t *testing.T) {
+	tlog.NewTestLogger().Init()
 	tests := []struct {
 		description string
 		path        string
@@ -29,7 +30,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -43,7 +44,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -55,12 +56,13 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			controller.NewHealthController(group)
+			healthController := controller.NewHealthController(group)
+			healthController.SetupRoutes()

 			recorder := httptest.NewRecorder()

 			request, err := http.NewRequest(test.method, test.path, nil)
-			require.NoError(t, err)
+			assert.NoError(t, err)

 			router.ServeHTTP(recorder, request)

@@ -6,11 +6,10 @@ import (
 	"strings"
 	"time"

-	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -20,32 +19,34 @@ type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }

-type OAuthController struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
+type OAuthControllerConfig struct {
+	CSRFCookieName         string
+	OAuthSessionCookieName string
+	RedirectCookieName     string
+	SecureCookie           bool
+	AppURL                 string
+	CookieDomain           string
+	SubdomainsEnabled      bool
 }

-func NewOAuthController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *OAuthController {
-	controller := &OAuthController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
-		auth:    auth,
-	}
+type OAuthController struct {
+	config OAuthControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
+}

-	oauthGroup := router.Group("/oauth")
+func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *OAuthController {
+	return &OAuthController{
+		config: config,
+		router: router,
+		auth:   auth,
+	}
+}
+
+func (controller *OAuthController) SetupRoutes() {
+	oauthGroup := controller.router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
-
-	return controller
 }

 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
@@ -53,7 +54,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {

 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -66,7 +67,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err = c.BindQuery(&reqParams)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind query parameters")
+		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -75,10 +76,10 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}

 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)

 		if !isRedirectSafe {
-			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
+			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
@@ -86,7 +87,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
+		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -97,7 +98,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	authUrl, err := controller.auth.GetOAuthURL(sessionId)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth URL for session")
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -105,7 +106,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)

 	c.JSON(200, gin.H{
 		"status":  200,
@@ -119,7 +120,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -127,21 +128,21 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	sessionIdCookie, err := c.Cookie(controller.runtime.OAuthSessionCookieName)
+	sessionIdCookie, err := c.Cookie(controller.config.OAuthSessionCookieName)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Warn().Err(err).Msg("OAuth session cookie missing")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)

 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get pending OAuth session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

@@ -149,8 +150,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	state := c.Query("state")
 	if state != oauthPendingSession.State {
-		controller.log.App.Warn().Msg("OAuth state mismatch")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

@@ -158,80 +159,74 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to exchange code for token")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to exchange code for token")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

 	user, err := controller.auth.GetOAuthUserinfo(sessionIdCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
-	if user == nil {
-		controller.log.App.Warn().Msg("OAuth provider did not return user info")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

 	if user.Email == "" {
-		controller.log.App.Warn().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Msg("OAuth provider did not return an email")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
+		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")

 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
 		})

 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}

-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}

 	var name string

 	if strings.TrimSpace(user.Name) != "" {
-		controller.log.App.Debug().Msg("Using name from OAuth provider")
+		tlog.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
+		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}

 	var username string

 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		controller.log.App.Debug().Msg("Using preferred username from OAuth provider")
+		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		controller.log.App.Debug().Msg("No preferred username from OAuth provider, generating from email")
+		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}

 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

 	if svc.ID() != req.Provider {
-		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

@@ -245,29 +240,29 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		OAuthSub:    user.Sub,
 	}

-	controller.log.App.Debug().Msg("Creating session cookie for user")
+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")

 	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

 	http.SetCookie(c.Writer, cookie)

-	controller.log.AuditLoginSuccess(sessionCookie.Username, sessionCookie.Provider, c.ClientIP())
+	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)

 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		controller.log.App.Debug().Msg("OIDC request detected, redirecting to authorization endpoint with callback params")
+		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
 		queries, err := query.Values(oauthPendingSession.CallbackParams)
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}

@@ -277,16 +272,16 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		})

 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}

-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}

-	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
+	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 }

 func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
@@ -297,8 +292,8 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 }

 func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
+	if controller.config.SubdomainsEnabled {
+		return "." + controller.config.CookieDomain
 	}
-	return controller.runtime.CookieDomain
+	return controller.config.CookieDomain
 }
@@ -13,13 +13,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

+type OIDCControllerConfig struct{}
+
 type OIDCController struct {
-	log     *logger.Logger
-	oidc    *service.OIDCService
-	runtime model.RuntimeConfig
+	config OIDCControllerConfig
+	router *gin.RouterGroup
+	oidc   *service.OIDCService
 }

 type AuthorizeCallback struct {
@@ -56,42 +58,29 @@ type ClientCredentials struct {
 	ClientSecret string
 }

-func NewOIDCController(
-	log *logger.Logger,
-	oidcService *service.OIDCService,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup) *OIDCController {
-	controller := &OIDCController{
-		log:     log,
-		oidc:    oidcService,
-		runtime: runtimeConfig,
+func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
+	return &OIDCController{
+		config: config,
+		oidc:   oidcService,
+		router: router,
 	}
+}

-	oidcGroup := router.Group("/oidc")
+func (controller *OIDCController) SetupRoutes() {
+	oidcGroup := controller.router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
-
-	return controller
 }

 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC not configured",
-		})
-		return
-	}
-
 	var req ClientRequest

 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -102,7 +91,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)

 	if !ok {
-		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
+		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
@@ -118,7 +107,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }

 func (controller *OIDCController) Authorize(c *gin.Context) {
-	if controller.oidc == nil {
+	if !controller.oidc.IsConfigured() {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
@@ -153,7 +142,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	err = controller.oidc.ValidateAuthorizeParams(req)

 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
+		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
@@ -185,7 +174,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)

 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to store user info")
+			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
@@ -208,10 +197,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }

 func (controller *OIDCController) Token(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"error": "server_error",
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
 		})
 		return
 	}
@@ -220,7 +209,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	err := c.Bind(&req)
 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Failed to bind token request")
+		tlog.App.Error().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
@@ -229,7 +218,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Invalid grant type")
+		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
@@ -244,12 +233,12 @@ func (controller *OIDCController) Token(c *gin.Context) {

 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
-		controller.log.App.Debug().Msg("Client credentials not found in form, trying basic auth")
+		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")

 		clientId, clientSecret, ok := c.Request.BasicAuth()

 		if !ok {
-			controller.log.App.Warn().Msg("Client credentials not found in basic auth")
+			tlog.App.Error().Msg("Missing authorization header")
 			c.Header("www-authenticate", `Basic realm="Tinyauth OIDC Token Endpoint"`)
 			c.JSON(400, gin.H{
 				"error": "invalid_client",
@@ -266,7 +255,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(creds.ClientID)

 	if !ok {
-		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Client not found")
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -274,7 +263,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	}

 	if client.ClientSecret != creds.ClientSecret {
-		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Invalid client secret")
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -288,30 +277,30 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to delete code")
+				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
-				controller.log.App.Warn().Msg("Code not found")
+				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
-				controller.log.App.Warn().Msg("Code expired")
+				tlog.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
-				controller.log.App.Warn().Msg("Code does not belong to client")
+				tlog.App.Warn().Msg("Invalid client ID")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
-			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
+			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -319,7 +308,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		}

 		if entry.RedirectURI != req.RedirectURI {
-			controller.log.App.Warn().Msg("Redirect URI does not match")
+			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -329,7 +318,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)

 		if !ok {
-			controller.log.App.Warn().Msg("PKCE validation failed")
+			tlog.App.Warn().Msg("PKCE validation failed")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -339,7 +328,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)

 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
+			tlog.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -352,7 +341,7 @@ func (controller *OIDCController) Token(c *gin.Context) {

 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
-				controller.log.App.Warn().Msg("Refresh token expired")
+				tlog.App.Error().Err(err).Msg("Refresh token expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
@@ -360,14 +349,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			}

 			if errors.Is(err, service.ErrInvalidClient) {
-				controller.log.App.Warn().Msg("Refresh token does not belong to client")
+				tlog.App.Error().Err(err).Msg("Invalid client")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}

-			controller.log.App.Error().Err(err).Msg("Failed to refresh access token")
+			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -384,10 +373,10 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }

 func (controller *OIDCController) Userinfo(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"error": "server_error",
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
 		})
 		return
 	}
@@ -398,7 +387,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if authorization != "" {
 		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
 		if !ok {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid authorization header")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -406,7 +395,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}

 		if strings.ToLower(tokenType) != "bearer" {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with non-bearer token")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -416,7 +405,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		token = bearerToken
 	} else if c.Request.Method == http.MethodPost {
 		if c.ContentType() != "application/x-www-form-urlencoded" {
-			controller.log.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
+			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
 			c.JSON(400, gin.H{
 				"error": "invalid_request",
 			})
@@ -424,14 +413,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 		token = c.PostForm("access_token")
 		if token == "" {
-			controller.log.App.Warn().Msg("OIDC userinfo POST accessed without access_token")
+			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
 			return
 		}
 	} else {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed without authorization header or POST body")
+		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
@@ -442,14 +431,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {

 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid token")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}

-		controller.log.App.Error().Err(err).Msg("Failed to get access token")
+		tlog.App.Err(err).Msg("Failed to get token entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -458,7 +447,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {

 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
+		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
@@ -468,7 +457,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get user info")
+		tlog.App.Err(err).Msg("Failed to get user entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -479,7 +468,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 }

 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
-	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
+	tlog.App.Error().Err(err).Msg(reason)

 	if callback != "" {
 		errorQueries := CallbackError{
@@ -519,16 +508,8 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		return
 	}

-	redirectUrl := ""
-
-	if controller.oidc != nil {
-		redirectUrl = fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode())
-	} else {
-		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
-	}
-
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": redirectUrl,
+		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
 	})
 }
@@ -1,14 +1,13 @@
 package controller_test

 import (
-	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"net/http/httptest"
 	"net/url"
+	"path"
 	"strings"
-	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
@@ -20,15 +19,29 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestOIDCController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	cfg, runtime := test.CreateTestConfigs(t)
+	oidcServiceCfg := service.OIDCServiceConfig{
+		Clients: map[string]model.OIDCClientConfig{
+			"test": {
+				ClientID:            "some-client-id",
+				ClientSecret:        "some-client-secret",
+				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+				Name:                "Test Client",
+			},
+		},
+		PrivateKeyPath: path.Join(tempDir, "key.pem"),
+		PublicKeyPath:  path.Join(tempDir, "key.pub"),
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  500,
+	}
+
+	controllerCfg := controller.OIDCControllerConfig{}

 	simpleCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -90,7 +103,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
 			},
@@ -110,7 +123,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -118,7 +131,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
 			},
@@ -138,7 +151,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -147,11 +160,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -170,7 +183,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -178,7 +191,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				assert.Equal(t, res["error"], "unsupported_grant_type")
 			},
@@ -193,7 +206,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -231,7 +244,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -254,11 +267,11 @@ func TestOIDCController(t *testing.T) {

 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -270,7 +283,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -293,7 +306,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				_, ok := tokenRes["refresh_token"]
 				assert.True(t, ok, "Expected refresh token in response")
@@ -307,7 +320,7 @@ func TestOIDCController(t *testing.T) {
 					ClientSecret: "some-client-secret",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -319,7 +332,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 				var refreshRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				_, ok = refreshRes["access_token"]
 				assert.True(t, ok, "Expected access token in refresh response")
@@ -340,11 +353,11 @@ func TestOIDCController(t *testing.T) {

 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -356,7 +369,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -376,7 +389,7 @@ func TestOIDCController(t *testing.T) {

 				var secondRes map[string]any
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
@@ -404,7 +417,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -416,7 +429,7 @@ func TestOIDCController(t *testing.T) {

 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -436,7 +449,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -451,7 +464,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -466,7 +479,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -481,7 +494,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
@@ -496,7 +509,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -511,7 +524,7 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -528,7 +541,7 @@ func TestOIDCController(t *testing.T) {

 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -542,7 +555,7 @@ func TestOIDCController(t *testing.T) {

 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -566,7 +579,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -575,11 +588,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -596,7 +609,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -627,7 +640,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -636,11 +649,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -657,7 +670,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -688,7 +701,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -697,11 +710,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -718,7 +731,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge-1",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -749,7 +762,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "foo",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -758,11 +771,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				error := queryParams.Get("error")
@@ -781,11 +794,11 @@ func TestOIDCController(t *testing.T) {

 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -797,7 +810,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -808,7 +821,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)

 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				accessToken := res["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -833,22 +846,20 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 401, recorder.Code)

 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
 	}

-	app := bootstrap.NewBootstrapApp(cfg)
+	app := bootstrap.NewBootstrapApp(model.Config{})

-	err := app.SetupDatabase()
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)

-	queries := repository.New(app.GetDB())
-
-	wg := &sync.WaitGroup{}
-
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, context.TODO(), wg)
+	queries := repository.New(db)
+	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
+	err = oidcService.Init()
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -862,7 +873,8 @@ func TestOIDCController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			controller.NewOIDCController(log, oidcService, runtime, group)
+			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
+			oidcController.SetupRoutes()

 			recorder := httptest.NewRecorder()

@@ -871,6 +883,7 @@ func TestOIDCController(t *testing.T) {
 	}

 	t.Cleanup(func() {
-		app.GetDB().Close()
+		err = db.Close()
+		require.NoError(t, err)
 	})
 }
@@ -11,7 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -50,31 +50,29 @@ type ProxyContext struct {
 	ProxyType ProxyType
 }

-type ProxyController struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	acls    *service.AccessControlsService
-	auth    *service.AuthService
+type ProxyControllerConfig struct {
+	AppURL string
 }

-func NewProxyController(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	router *gin.RouterGroup,
-	acls *service.AccessControlsService,
-	auth *service.AuthService,
-) *ProxyController {
-	controller := &ProxyController{
-		log:     log,
-		runtime: runtime,
-		acls:    acls,
-		auth:    auth,
+type ProxyController struct {
+	config ProxyControllerConfig
+	router *gin.RouterGroup
+	acls   *service.AccessControlsService
+	auth   *service.AuthService
+}
+
+func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
+	return &ProxyController{
+		config: config,
+		router: router,
+		acls:   acls,
+		auth:   auth,
 	}
+}

-	proxyGroup := router.Group("/auth")
+func (controller *ProxyController) SetupRoutes() {
+	proxyGroup := controller.router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
-
-	return controller
 }

 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -82,7 +80,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proxyCtx, err := controller.getProxyContext(c)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get proxy context from request")
+		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad request",
@@ -90,15 +88,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

+	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
+
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get ACLs for resource")
+		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}

+	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
+
 	clientIP := c.ClientIP()

 	if controller.auth.IsBypassedIP(clientIP, acls) {
@@ -113,13 +115,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
+		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}

 	if !authEnabled {
-		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
+		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -135,12 +137,12 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		})

 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			controller.handleError(c, proxyCtx)
 			return
 		}

-		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())

 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
@@ -158,24 +160,26 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
 		userContext = &model.UserContext{
 			Authenticated: false,
 		}
 	}

+	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
+
 	if userContext.Authenticated {
 		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)

 		if !userAllowed {
-			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
+			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")

 			queries, err := query.Values(UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})

 			if err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 				controller.handleError(c, proxyCtx)
 				return
 			}
@@ -186,7 +190,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				queries.Set("username", userContext.GetUsername())
 			}

-			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())

 			if !controller.useBrowserResponse(proxyCtx) {
 				c.Header("x-tinyauth-location", redirectURL)
@@ -211,7 +215,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}

 			if !groupOK {
-				controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not in the required group to access resource")
+				tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")

 				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
@@ -219,7 +223,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				})

 				if err != nil {
-					controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 					controller.handleError(c, proxyCtx)
 					return
 				}
@@ -230,7 +234,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					queries.Set("username", userContext.GetUsername())
 				}

-				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())

 				if !controller.useBrowserResponse(proxyCtx) {
 					c.Header("x-tinyauth-location", redirectURL)
@@ -273,12 +277,12 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	})

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
+		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
 		controller.handleError(c, proxyCtx)
 		return
 	}

-	redirectURL := fmt.Sprintf("%s/login?%s", controller.runtime.AppURL, queries.Encode())
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())

 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -302,19 +306,20 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	headers := utils.ParseHeaders(acls.Response.Headers)

 	for key, value := range headers {
+		tlog.App.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}

 	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)

 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
-		controller.log.App.Debug().Msg("Setting basic auth header for response")
+		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
 		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }

 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
-	redirectURL := fmt.Sprintf("%s/error", controller.runtime.AppURL)
+	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)

 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -515,7 +520,7 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}

-	controller.log.App.Debug().Msgf("Determined proxy type: %v", proxy)
+	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)

 	authModules := controller.determineAuthModules(proxy)

@@ -526,13 +531,13 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	var ctx ProxyContext

 	for _, module := range authModules {
-		controller.log.App.Debug().Msgf("Trying to get context from auth module %v", module)
+		tlog.App.Debug().Msgf("Trying auth module: %v", module)
 		ctx, err = controller.getContextFromAuthModule(c, module)
 		if err == nil {
-			controller.log.App.Debug().Msgf("Successfully got context from auth module %v", module)
+			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
 			break
 		}
-		controller.log.App.Debug().Msgf("Failed to get context from auth module %v: %v", module, err)
+		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
 	}

 	if err != nil {
@@ -544,9 +549,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)

 	if isBrowser {
-		controller.log.App.Debug().Msg("Request identified as coming from a browser client")
+		tlog.App.Debug().Msg("Request identified as coming from a browser")
 	} else {
-		controller.log.App.Debug().Msg("Request identified as coming from a non-browser client")
+		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
 	}

 	ctx.IsBrowser = isBrowser
@@ -1,9 +1,8 @@
 package controller_test

 import (
-	"context"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"

 	"github.com/gin-gonic/gin"
@@ -14,15 +13,35 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestProxyController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	controllerCfg := controller.ProxyControllerConfig{
+		AppURL: "https://tinyauth.example.com",
+	}

 	acls := map[string]model.App{
 		"app_path_allow": {
@@ -379,19 +398,32 @@ func TestProxyController(t *testing.T) {
 		},
 	}

-	app := bootstrap.NewBootstrapApp(cfg)
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)

-	err := app.SetupDatabase()
+	app := bootstrap.NewBootstrapApp(model.Config{})
+
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)

-	queries := repository.New(app.GetDB())
+	queries := repository.New(db)

-	wg := &sync.WaitGroup{}
-	ctx := context.TODO()
+	docker := service.NewDockerService()
+	err = docker.Init()
+	require.NoError(t, err)

-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
-	aclsService := service.NewAccessControlsService(log, nil, acls)
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)
+
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)
+
+	aclsService := service.NewAccessControlsService(docker, acls)

 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -406,13 +438,15 @@ func TestProxyController(t *testing.T) {

 			recorder := httptest.NewRecorder()

-			controller.NewProxyController(log, runtime, group, aclsService, authService)
+			proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
+			proxyController.SetupRoutes()

 			test.run(t, router, recorder)
 		})
 	}

 	t.Cleanup(func() {
-		app.GetDB().Close()
+		err = db.Close()
+		require.NoError(t, err)
 	})
 }
@@ -4,39 +4,42 @@ import (
 	"net/http"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/model"
 )

+type ResourcesControllerConfig struct {
+	Path    string
+	Enabled bool
+}
+
 type ResourcesController struct {
-	config     model.Config
+	config     ResourcesControllerConfig
+	router     *gin.RouterGroup
 	fileServer http.Handler
 }

-func NewResourcesController(
-	config model.Config,
-	router *gin.RouterGroup,
-) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
+func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))

-	controller := &ResourcesController{
+	return &ResourcesController{
 		config:     config,
+		router:     router,
 		fileServer: fileServer,
 	}
+}

-	router.GET("/resources/*resource", controller.resourcesHandler)
-
-	return controller
+func (controller *ResourcesController) SetupRoutes() {
+	controller.router.GET("/resources/*resource", controller.resourcesHandler)
 }

 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.Resources.Path == "" {
+	if controller.config.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	if !controller.config.Resources.Enabled {
+	if !controller.config.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",
@@ -3,20 +3,26 @@ package controller_test
 import (
 	"net/http/httptest"
 	"os"
-	"path/filepath"
+	"path"
 	"testing"

 	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/test"
 )

 func TestResourcesController(t *testing.T) {
-	cfg, _ := test.CreateTestConfigs(t)
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	err := os.MkdirAll(cfg.Resources.Path, 0777)
+	resourcesControllerCfg := controller.ResourcesControllerConfig{
+		Path:    path.Join(tempDir, "resources"),
+		Enabled: true,
+	}
+
+	err := os.Mkdir(resourcesControllerCfg.Path, 0777)
 	require.NoError(t, err)

 	type testCase struct {
@@ -55,11 +61,11 @@ func TestResourcesController(t *testing.T) {
 		},
 	}

-	testFilePath := cfg.Resources.Path + "/testfile.txt"
+	testFilePath := resourcesControllerCfg.Path + "/testfile.txt"
 	err = os.WriteFile(testFilePath, []byte("This is a test file."), 0777)
 	require.NoError(t, err)

-	testFilePathParent := filepath.Dir(cfg.Resources.Path) + "/somefile.txt"
+	testFilePathParent := tempDir + "/somefile.txt"
 	err = os.WriteFile(testFilePathParent, []byte("This file should not be accessible."), 0777)
 	require.NoError(t, err)

@@ -69,7 +75,8 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)

-			controller.NewResourcesController(cfg, group)
+			resourcesController := controller.NewResourcesController(resourcesControllerCfg, group)
+			resourcesController.SetupRoutes()

 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)
@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -25,30 +25,30 @@ type TotpRequest struct {
 	Code string `json:"code"`
 }

-type UserController struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
+type UserControllerConfig struct {
+	CookieDomain      string
+	SessionCookieName string
 }

-func NewUserController(
-	log *logger.Logger,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *UserController {
-	controller := &UserController{
-		log:     log,
-		runtime: runtimeConfig,
-		auth:    auth,
-	}
+type UserController struct {
+	config UserControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
+}

-	userGroup := router.Group("/user")
+func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
+	return &UserController{
+		config: config,
+		router: router,
+		auth:   auth,
+	}
+}
+
+func (controller *UserController) SetupRoutes() {
+	userGroup := controller.router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
-
-	return controller
 }

 func (controller *UserController) loginHandler(c *gin.Context) {
@@ -56,7 +56,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind JSON")
+		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -64,13 +64,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}

-	controller.log.App.Debug().Str("username", req.Username).Msg("Login attempt")
+	tlog.App.Debug().Str("username", req.Username).Msg("Login attempt")

 	isLocked, remaining := controller.auth.IsAccountLocked(req.Username)

 	if isLocked {
-		controller.log.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
-		controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "account locked")
+		tlog.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
+		tlog.AuditLoginFailure(c, req.Username, "username", "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -84,16 +84,16 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 	if err != nil {
 		if errors.Is(err, service.ErrUserNotFound) {
-			controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
+			tlog.App.Warn().Str("username", req.Username).Msg("User not found")
 			controller.auth.RecordLoginAttempt(req.Username, false)
-			controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
+			tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
-		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user during login attempt")
+		tlog.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -102,13 +102,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	}

 	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
-		controller.log.App.Warn().Str("username", req.Username).Msg("Invalid password during login attempt")
+		tlog.App.Warn().Err(err).Str("username", req.Username).Msg("Failed to verify password")
 		controller.auth.RecordLoginAttempt(req.Username, false)
-		if search.Type == model.UserLocal {
-			controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "invalid password")
-		} else {
-			controller.log.AuditLoginFailure(req.Username, "ldap", c.ClientIP(), "invalid password")
-		}
+		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -122,7 +118,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		localUser = controller.auth.GetLocalUser(req.Username)

 		if localUser == nil {
-			controller.log.App.Error().Str("username", req.Username).Msg("Local user not found after successful password verification")
+			tlog.App.Warn().Str("username", req.Username).Msg("User disappeared during login")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -131,7 +127,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}

 		if localUser.TOTPSecret != "" {
-			controller.log.App.Debug().Str("username", req.Username).Msg("TOTP required for user, creating pending TOTP session")
+			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")

 			name := localUser.Attributes.Name
 			if name == "" {
@@ -140,7 +136,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 			email := localUser.Attributes.Email
 			if email == "" {
-				email = utils.CompileUserEmail(localUser.Username, controller.runtime.CookieDomain)
+				email = utils.CompileUserEmail(localUser.Username, controller.config.CookieDomain)
 			}

 			cookie, err := controller.auth.CreateSession(c, repository.Session{
@@ -152,7 +148,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			})

 			if err != nil {
-				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
+				tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 				c.JSON(500, gin.H{
 					"status":  500,
 					"message": "Internal Server Error",
@@ -174,7 +170,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.runtime.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}

@@ -189,15 +185,14 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
-		if search.Email != "" {
-			sessionCookie.Email = search.Email
-		}
 	}

+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -207,13 +202,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 	http.SetCookie(c.Writer, cookie)

-	controller.log.App.Info().Str("username", req.Username).Msg("Login successful")
-
-	if search.Type == model.UserLocal {
-		controller.log.AuditLoginSuccess(req.Username, "local", c.ClientIP())
-	} else {
-		controller.log.AuditLoginSuccess(req.Username, "ldap", c.ClientIP())
-	}
+	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
+	tlog.AuditLoginSuccess(c, req.Username, "username")

 	controller.auth.RecordLoginAttempt(req.Username, true)

@@ -224,20 +214,20 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 }

 func (controller *UserController) logoutHandler(c *gin.Context) {
-	controller.log.App.Debug().Msg("Logout attempt")
+	tlog.App.Debug().Msg("Logout request received")

-	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+	uuid, err := c.Cookie(controller.config.SessionCookieName)

 	if err != nil {
 		if errors.Is(err, http.ErrNoCookie) {
-			controller.log.App.Warn().Msg("Logout attempt without session cookie, treating as successful logout")
+			tlog.App.Warn().Msg("No session cookie found on logout request")
 			c.JSON(200, gin.H{
 				"status":  200,
 				"message": "Logout successful",
 			})
 			return
 		}
-		controller.log.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
+		tlog.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -248,7 +238,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	cookie, err := controller.auth.DeleteSession(c, uuid)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
+		tlog.App.Error().Err(err).Msg("Error deleting session on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -259,10 +249,10 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)

 	if err == nil {
-		controller.log.AuditLogout(context.GetUsername(), context.GetProviderID(), c.ClientIP())
+		tlog.AuditLogout(c, context.GetUsername(), context.GetProviderID())
 	} else {
-		controller.log.App.Warn().Err(err).Msg("Failed to get user context during logout, logging audit with unknown user")
-		controller.log.AuditLogout("unknown", "unknown", c.ClientIP())
+		tlog.App.Warn().Err(err).Msg("Failed to get user context for logout audit, proceeding without username")
+		tlog.AuditLogout(c, "unknown", "unknown")
 	}

 	http.SetCookie(c.Writer, cookie)
@@ -278,7 +268,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {

 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind JSON for TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -289,7 +279,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to get user context")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -298,7 +288,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	}

 	if !context.TOTPPending() {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("TOTP verification attempt without pending TOTP session")
+		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -306,13 +296,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	controller.log.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
+	tlog.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")

 	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())

 	if isLocked {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
-		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "account locked")
+		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -325,7 +314,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	user := controller.auth.GetLocalUser(context.GetUsername())

 	if user == nil {
-		controller.log.App.Error().Str("username", context.GetUsername()).Msg("Local user not found during TOTP verification")
+		tlog.App.Error().Str("username", context.GetUsername()).Msg("User not found in TOTP handler")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -336,9 +325,9 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	ok := totp.Validate(req.Code, user.TOTPSecret)

 	if !ok {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code during verification attempt")
+		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code")
 		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
-		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "invalid TOTP code")
+		tlog.AuditLoginFailure(c, context.GetUsername(), "totp", "invalid totp code")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -346,15 +335,15 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+	uuid, err := c.Cookie(controller.config.SessionCookieName)

 	if err == nil {
 		_, err = controller.auth.DeleteSession(c, uuid)
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
+			tlog.App.Warn().Err(err).Msg("Failed to delete pending TOTP session")
 		}
 	} else {
-		controller.log.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, cannot delete it")
+		tlog.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, proceeding without deleting it")
 	}

 	controller.auth.RecordLoginAttempt(context.GetUsername(), true)
@@ -362,7 +351,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.runtime.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}

@@ -373,10 +362,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}

+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)

 	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -386,8 +377,8 @@ func (controller *UserController) totpHandler(c *gin.Context) {

 	http.SetCookie(c.Writer, cookie)

-	controller.log.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful, login complete")
-	controller.log.AuditLoginSuccess(context.GetUsername(), "local", c.ClientIP())
+	tlog.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful")
+	tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")

 	c.JSON(200, gin.H{
 		"status":  200,
@@ -5,8 +5,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"path"
 	"strings"
-	"sync"
 	"testing"
 	"time"

@@ -19,15 +19,53 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestUserController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+			{
+				Username: "attruser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				Attributes: model.UserAttributes{
+					Name:  "Alice Smith",
+					Email: "alice@example.com",
+				},
+			},
+			{
+				Username:   "attrtotpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+				Attributes: model.UserAttributes{
+					Name:  "Bob Jones",
+					Email: "bob@example.com",
+				},
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	userControllerCfg := controller.UserControllerConfig{
+		CookieDomain:      "example.com",
+		SessionCookieName: "tinyauth-session",
+	}

 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -73,12 +111,14 @@ func TestUserController(t *testing.T) {
 		})
 	}

-	app := bootstrap.NewBootstrapApp(cfg)
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)

-	err := app.SetupDatabase()
+	app := bootstrap.NewBootstrapApp(model.Config{})
+
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)

-	queries := repository.New(app.GetDB())
+	queries := repository.New(db)

 	type testCase struct {
 		description string
@@ -96,7 +136,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -104,7 +144,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)

 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -124,7 +164,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -139,13 +179,13 @@ func TestUserController(t *testing.T) {
 		{
 			description: "Should rate limit on 3 invalid attempts",
 			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
 				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				for range 3 {
 					recorder := httptest.NewRecorder()
@@ -161,7 +201,7 @@ func TestUserController(t *testing.T) {
 				}

 				// 4th attempt should be rate limited
-				recorder = httptest.NewRecorder()
+				recorder = httptest.NewRecorder() //nolint:staticcheck
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")

@@ -180,7 +220,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -191,12 +231,12 @@ func TestUserController(t *testing.T) {

 				decodedBody := make(map[string]any)
 				err = json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				assert.Equal(t, decodedBody["totpPending"], true)

 				// should set the session cookie
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
@@ -217,7 +257,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -226,7 +266,7 @@ func TestUserController(t *testing.T) {

 				assert.Equal(t, 200, recorder.Code)
 				cookies := recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
+				assert.Len(t, cookies, 1)

 				cookie := cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -240,7 +280,7 @@ func TestUserController(t *testing.T) {

 				assert.Equal(t, 200, recorder.Code)
 				cookies = recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
+				assert.Len(t, cookies, 1)

 				cookie = cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -253,7 +293,7 @@ func TestUserController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{
 				totpCtx,
 			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
 				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-uuid",
 					Username:    "test",
@@ -267,16 +307,16 @@ func TestUserController(t *testing.T) {
 				require.NoError(t, err)

 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				require.NoError(t, err)
+				assert.NoError(t, err)

 				totpReq := controller.TotpRequest{
 					Code: code,
 				}

 				totpReqBody, err := json.Marshal(totpReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)

-				recorder = httptest.NewRecorder()
+				recorder = httptest.NewRecorder() //nolint:staticcheck
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 				req.AddCookie(&http.Cookie{
@@ -289,7 +329,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)

 				assert.Equal(t, 200, recorder.Code)
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)

 				// should set a new session cookie with totp pending removed
 				totpCookie := recorder.Result().Cookies()[0]
@@ -305,16 +345,16 @@ func TestUserController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{
 				totpCtx,
 			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
 				for range 3 {
 					totpReq := controller.TotpRequest{
 						Code: "000000", // invalid code
 					}

 					totpReqBody, err := json.Marshal(totpReq)
-					require.NoError(t, err)
+					assert.NoError(t, err)

-					recorder = httptest.NewRecorder()
+					recorder = httptest.NewRecorder() //nolint:staticcheck
 					req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 					req.Header.Set("Content-Type", "application/json")

@@ -416,11 +456,21 @@ func TestUserController(t *testing.T) {
 		},
 	}

-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	docker := service.NewDockerService()
+	err = docker.Init()
+	require.NoError(t, err)

-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)
+
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)

 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -439,7 +489,8 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)

-			controller.NewUserController(log, runtime, group, authService)
+			userController := controller.NewUserController(userControllerCfg, group, authService)
+			userController.SetupRoutes()

 			recorder := httptest.NewRecorder()

@@ -448,6 +499,7 @@ func TestUserController(t *testing.T) {
 	}

 	t.Cleanup(func() {
-		app.GetDB().Close()
+		err = db.Close()
+		require.NoError(t, err)
 	})
 }
@@ -26,30 +26,28 @@ type OpenIDConnectConfiguration struct {
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }

+type WellKnownControllerConfig struct{}
+
 type WellKnownController struct {
-	oidc *service.OIDCService
+	config WellKnownControllerConfig
+	engine *gin.Engine
+	oidc   *service.OIDCService
 }

-func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
-	controller := &WellKnownController{
-		oidc: oidc,
+func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
+	return &WellKnownController{
+		config: config,
+		oidc:   oidc,
+		engine: engine,
 	}
+}

-	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	router.GET("/.well-known/jwks.json", controller.JWKS)
-
-	return controller
+func (controller *WellKnownController) SetupRoutes() {
+	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
 }

 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
-	if controller.oidc == nil {
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC service not configured",
-		})
-		return
-	}
-
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                                 issuer,
@@ -71,19 +69,11 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 }

 func (controller *WellKnownController) JWKS(c *gin.Context) {
-	if controller.oidc == nil {
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC service not configured",
-		})
-		return
-	}
-
 	jwks, err := controller.oidc.GetJWK()

 	if err != nil {
 		c.JSON(500, gin.H{
-			"status":  500,
+			"status":  "500",
 			"message": "failed to get JWK",
 		})
 		return
@@ -1,11 +1,10 @@
 package controller_test

 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"

 	"github.com/gin-gonic/gin"
@@ -13,17 +12,30 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestWellKnownController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	cfg, runtime := test.CreateTestConfigs(t)
+	oidcServiceCfg := service.OIDCServiceConfig{
+		Clients: map[string]model.OIDCClientConfig{
+			"test": {
+				ClientID:            "some-client-id",
+				ClientSecret:        "some-client-secret",
+				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+				Name:                "Test Client",
+			},
+		},
+		PrivateKeyPath: path.Join(tempDir, "key.pem"),
+		PublicKeyPath:  path.Join(tempDir, "key.pub"),
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  500,
+	}

 	type testCase struct {
 		description string
@@ -44,11 +56,11 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)

 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 runtime.AppURL,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", runtime.AppURL),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", runtime.AppURL),
+					Issuer:                                 oidcServiceCfg.Issuer,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
 					ScopesSupported:                        service.SupportedScopes,
 					ResponseTypesSupported:                 service.SupportedResponseTypes,
 					GrantTypesSupported:                    service.SupportedGrantTypes,
@@ -89,17 +101,15 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}

-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	app := bootstrap.NewBootstrapApp(model.Config{})

-	app := bootstrap.NewBootstrapApp(cfg)
-
-	err := app.SetupDatabase()
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)

-	queries := repository.New(app.GetDB())
+	queries := repository.New(db)

-	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, ctx, wg)
+	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
+	err = oidcService.Init()
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -109,13 +119,15 @@ func TestWellKnownController(t *testing.T) {

 			recorder := httptest.NewRecorder()

-			controller.NewWellKnownController(oidcService, &router.RouterGroup)
+			wellKnownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, oidcService, router)
+			wellKnownController.SetupRoutes()

 			test.run(t, router, recorder)
 		})
 	}

 	t.Cleanup(func() {
-		app.GetDB().Close()
+		err = db.Close()
+		require.NoError(t, err)
 	})
 }
@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 )
@@ -35,27 +35,29 @@ var (
 	}
 )

-type ContextMiddleware struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
-	broker  *service.OAuthBrokerService
+type ContextMiddlewareConfig struct {
+	CookieDomain      string
+	SessionCookieName string
 }

-func NewContextMiddleware(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	auth *service.AuthService,
-	broker *service.OAuthBrokerService,
-) *ContextMiddleware {
+type ContextMiddleware struct {
+	config ContextMiddlewareConfig
+	auth   *service.AuthService
+	broker *service.OAuthBrokerService
+}
+
+func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:     log,
-		runtime: runtime,
-		auth:    auth,
-		broker:  broker,
+		config: config,
+		auth:   auth,
+		broker: broker,
 	}
 }

+func (m *ContextMiddleware) Init() error {
+	return nil
+}
+
 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if m.isIgnorePath(c.Request.Method + " " + c.Request.URL.Path) {
@@ -63,7 +65,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}

-		uuid, err := c.Cookie(m.runtime.SessionCookieName)
+		uuid, err := c.Cookie(m.config.SessionCookieName)

 		if err == nil {
 			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
@@ -73,12 +75,12 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 					http.SetCookie(c.Writer, cookie)
 				}

-				m.log.App.Debug().Msgf("Authenticated user %s via session cookie", userContext.GetUsername())
+				tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
 				c.Set("context", userContext)
 				c.Next()
 				return
 			} else {
-				m.log.App.Debug().Msgf("Error authenticating session cookie: %v", err)
+				tlog.App.Error().Msgf("Error authenticating session cookie: %v", err)
 			}
 		}

@@ -88,7 +90,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			userContext, headers, err := m.basicAuth(username, password)

 			if err != nil {
-				m.log.App.Error().Msgf("Error authenticating basic auth: %v", err)
+				tlog.App.Error().Msgf("Error authenticating basic auth: %v", err)
 				c.Next()
 				return
 			}
@@ -139,7 +141,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 		}

 		if userContext.Local.Attributes.Email == "" {
-			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.runtime.CookieDomain)
+			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.config.CookieDomain)
 		}
 	case model.ProviderLDAP:
 		search, err := m.auth.SearchUser(userContext.LDAP.Username)
@@ -160,12 +162,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model

 		userContext.LDAP.Groups = user.Groups
 		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
-
-		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.runtime.CookieDomain)
-		if search.Email != "" {
-			userContext.LDAP.Email = search.Email
-		}
-
+		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.config.CookieDomain)
 	case model.ProviderOAuth:
 		_, exists := m.broker.GetService(userContext.OAuth.ID)

@@ -174,7 +171,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 		}

 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid)
+			m.auth.DeleteSession(ctx, uuid) //nolint:errcheck
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
@@ -194,7 +191,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 	locked, remaining := m.auth.IsAccountLocked(username)

 	if locked {
-		m.log.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
+		tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
 		headers["x-tinyauth-lock-locked"] = "true"
 		headers["x-tinyauth-lock-reset"] = time.Now().Add(time.Duration(remaining) * time.Second).Format(time.RFC3339)
 		return nil, headers, nil
@@ -227,7 +224,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: user.Username,
 				Name:     utils.Capitalize(user.Username),
-				Email:    utils.CompileUserEmail(user.Username, m.runtime.CookieDomain),
+				Email:    utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 			},
 			Attributes: user.Attributes,
 		}
@@ -243,15 +240,11 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: username,
 				Name:     utils.Capitalize(username),
+				Email:    utils.CompileUserEmail(username, m.config.CookieDomain),
 			},
 			Groups: user.Groups,
 		}
 		userContext.Provider = model.ProviderLDAP
-
-		userContext.LDAP.Email = utils.CompileUserEmail(username, m.runtime.CookieDomain)
-		if search.Email != "" {
-			userContext.LDAP.Email = search.Email
-		}
 	}

 	userContext.Authenticated = true
@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"
 	"time"

@@ -17,15 +17,36 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 func TestContextMiddleware(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()

-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	middlewareCfg := middleware.ContextMiddlewareConfig{
+		CookieDomain:      "example.com",
+		SessionCookieName: "tinyauth-session",
+	}

 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
@@ -249,20 +270,30 @@ func TestContextMiddleware(t *testing.T) {
 		},
 	}

-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)

-	app := bootstrap.NewBootstrapApp(cfg)
+	app := bootstrap.NewBootstrapApp(model.Config{})

-	err := app.SetupDatabase()
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)

-	queries := repository.New(app.GetDB())
+	queries := repository.New(db)

-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker)
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)

-	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker)
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)
+
+	contextMiddleware := middleware.NewContextMiddleware(middlewareCfg, authService, broker)
+	err = contextMiddleware.Init()
+	require.NoError(t, err)

 	for _, test := range tests {
 		authService.ClearRateLimitsTestingOnly()
@@ -291,6 +322,7 @@ func TestContextMiddleware(t *testing.T) {
 	}

 	t.Cleanup(func() {
-		app.GetDB().Close()
+		err = db.Close()
+		require.NoError(t, err)
 	})
 }
@@ -9,6 +9,7 @@ import (
 	"time"

 	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"github.com/gin-gonic/gin"
 )
@@ -18,25 +19,29 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }

-func NewUIMiddleware() (*UIMiddleware, error) {
-	m := &UIMiddleware{}
+func NewUIMiddleware() *UIMiddleware {
+	return &UIMiddleware{}
+}

+func (m *UIMiddleware) Init() error {
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")

 	if err != nil {
-		return nil, fmt.Errorf("failed to load ui assets: %w", err)
+		return err
 	}

 	m.uiFs = ui
 	m.uiFileServer = http.FileServerFS(ui)

-	return m, nil
+	return nil
 }

 func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")

+		tlog.App.Debug().Str("path", path).Msg("path")
+
 		switch strings.SplitN(path, "/", 2)[0] {
 		case "api", "resources", ".well-known":
 			c.Next()
@@ -5,7 +5,7 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 // See context middleware for explanation of why we have to do this
@@ -17,14 +17,14 @@ var (
 	}
 )

-type ZerologMiddleware struct {
-	log *logger.Logger
+type ZerologMiddleware struct{}
+
+func NewZerologMiddleware() *ZerologMiddleware {
+	return &ZerologMiddleware{}
 }

-func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
-	return &ZerologMiddleware{
-		log: log,
-	}
+func (m *ZerologMiddleware) Init() error {
+	return nil
 }

 func (m *ZerologMiddleware) logPath(path string) bool {
@@ -50,7 +50,7 @@ func (m *ZerologMiddleware) Middleware() gin.HandlerFunc {

 		latency := time.Since(tStart).String()

-		subLogger := m.log.HTTP.With().Str("method", method).
+		subLogger := tlog.HTTP.With().Str("method", method).
 			Str("path", path).
 			Str("address", address).
 			Str("client_ip", clientIP).
@@ -14,9 +14,8 @@ func NewDefaultConfiguration() *Config {
 			Path:    "./resources",
 		},
 		Server: ServerConfig{
-			Port:                       3000,
-			Address:                    "0.0.0.0",
-			ConcurrentListenersEnabled: false,
+			Port:    3000,
+			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
 			SubdomainsEnabled:  true,
@@ -96,10 +95,9 @@ type ResourcesConfig struct {
 }

 type ServerConfig struct {
-	Port                       int    `description:"The port on which the server listens." yaml:"port"`
-	Address                    string `description:"The address on which the server listens." yaml:"address"`
-	SocketPath                 string `description:"The path to the Unix socket." yaml:"socketPath"`
-	ConcurrentListenersEnabled bool   `description:"Enable listening on both TCP and Unix socket at the same time." yaml:"concurrentListenersEnabled"`
+	Port       int    `description:"The port on which the server listens." yaml:"port"`
+	Address    string `description:"The address on which the server listens." yaml:"address"`
+	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
 }

 type AuthConfig struct {
@@ -149,10 +147,10 @@ type IPConfig struct {
 }

 type OAuthConfig struct {
-	Whitelist     []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
-	WhitelistFile string                        `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
-	AutoRedirect  string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
-	Providers     map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
+	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
+	WhitelistFile string                       `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
+	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
+	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }

 type OIDCConfig struct {
@@ -8,10 +8,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )

-var (
-	ErrUserContextNotFound = errors.New("user context not found")
-)
-
 type ProviderType int

 const (
@@ -78,7 +74,7 @@ func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 	userContextValue, exists := ginctx.Get("context")

 	if !exists {
-		return nil, ErrUserContextNotFound
+		return nil, errors.New("failed to get user context")
 	}

 	userContext, ok := userContextValue.(*UserContext)
@@ -121,7 +117,7 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 				Email:    session.Email,
 			},
 		}
-	// By default we assume an unknown name which is oauth
+	// By default we assume an unkown name which is oauth
 	default:
 		c.Provider = ProviderOAuth
 		c.OAuth = &OAuthContext{
@@ -238,7 +238,7 @@ func TestContext(t *testing.T) {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: model.ErrUserContextNotFound.Error(),
+			expected: "failed to get user context",
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",
@@ -1,22 +0,0 @@
-package model
-
-type RuntimeConfig struct {
-	AppURL                 string
-	UUID                   string
-	CookieDomain           string
-	SessionCookieName      string
-	CSRFCookieName         string
-	RedirectCookieName     string
-	OAuthSessionCookieName string
-	LocalUsers             []LocalUser
-	OAuthProviders         map[string]OAuthServiceConfig
-	OAuthWhitelist         []string
-	ConfiguredProviders    []Provider
-	OIDCClients            []OIDCClientConfig
-}
-
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
-}
@@ -21,6 +21,5 @@ type LocalUser struct {

 type UserSearch struct {
 	Username string
-	Email    string // used for LDAP, we can't throw it to LDAPUser because it would need another cache or an LDAP lookup every time
 	Type     UserSearchType
 }
@@ -4,7 +4,7 @@ import (
 	"strings"

 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 type LabelProvider interface {
@@ -12,33 +12,32 @@ type LabelProvider interface {
 }

 type AccessControlsService struct {
-	log           *logger.Logger
-	labelProvider *LabelProvider
+	labelProvider LabelProvider
 	static        map[string]model.App
 }

-func NewAccessControlsService(
-	log *logger.Logger,
-	labelProvider *LabelProvider,
-	static map[string]model.App) *AccessControlsService {
+func NewAccessControlsService(labelProvider LabelProvider, static map[string]model.App) *AccessControlsService {
 	return &AccessControlsService{
-		log:           log,
 		labelProvider: labelProvider,
 		static:        static,
 	}
 }

+func (acls *AccessControlsService) Init() error {
+	return nil // No initialization needed
+}
+
 func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	var appAcls *model.App
 	for app, config := range acls.static {
 		if config.Config.Domain == domain {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
+			tlog.App.Debug().Str("name", app).Msg("Found matching container by domain")
 			appAcls = &config
 			break // If we find a match by domain, we can stop searching
 		}

 		if strings.SplitN(domain, ".", 2)[0] == app {
-			acls.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
+			tlog.App.Debug().Str("name", app).Msg("Found matching container by app name")
 			appAcls = &config
 			break // If we find a match by app name, we can stop searching
 		}
@@ -51,15 +50,11 @@ func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App,
 	app := acls.lookupStaticACLs(domain)

 	if app != nil {
-		acls.log.App.Debug().Msg("Using static ACLs for app")
+		tlog.App.Debug().Msg("Using ACls from static configuration")
 		return app, nil
 	}

-	// If we have a label provider configured, try to get ACLs from it
-	if acls.labelProvider != nil {
-		return (*acls.labelProvider).GetLabels(domain)
-	}
-
-	// no labels
-	return nil, nil
+	// Fallback to label provider
+	tlog.App.Debug().Msg("Falling back to label provider for ACLs")
+	return acls.labelProvider.GetLabels(domain)
 }
@@ -14,7 +14,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"slices"

@@ -72,41 +72,39 @@ type Lockdown struct {
 	ActiveUntil time.Time
 }

+type AuthServiceConfig struct {
+	LocalUsers         *[]model.LocalUser
+	OauthWhitelist     []string
+	SessionExpiry      int
+	SessionMaxLifetime int
+	SecureCookie       bool
+	CookieDomain       string
+	LoginTimeout       int
+	LoginMaxRetries    int
+	SessionCookieName  string
+	IP                 model.IPConfig
+	LDAPGroupsCacheTTL int
+	SubdomainsEnabled  bool
+}
+
 type AuthService struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	context context.Context
-
-	ldap        *LdapService
-	queries     *repository.Queries
-	oauthBroker *OAuthBrokerService
-
+	config               AuthServiceConfig
 	loginAttempts        map[string]*LoginAttempt
 	ldapGroupsCache      map[string]*LdapGroupsCache
 	oauthPendingSessions map[string]*OAuthPendingSession
 	oauthMutex           sync.RWMutex
 	loginMutex           sync.RWMutex
 	ldapGroupsMutex      sync.RWMutex
+	ldap                 *LdapService
+	queries              *repository.Queries
+	oauthBroker          *OAuthBrokerService
 	lockdown             *Lockdown
 	lockdownCtx          context.Context
 	lockdownCancelFunc   context.CancelFunc
 }

-func NewAuthService(
-	log *logger.Logger,
-	config model.Config,
-	runtime model.RuntimeConfig,
-	ctx context.Context,
-	wg *sync.WaitGroup,
-	ldap *LdapService,
-	queries *repository.Queries,
-	oauthBroker *OAuthBrokerService,
-) *AuthService {
-	service := &AuthService{
-		log:                  log,
-		runtime:              runtime,
-		context:              ctx,
+func NewAuthService(config AuthServiceConfig, ldap *LdapService, queries *repository.Queries, oauthBroker *OAuthBrokerService) *AuthService {
+	return &AuthService{
 		config:               config,
 		loginAttempts:        make(map[string]*LoginAttempt),
 		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
@@ -115,10 +113,11 @@ func NewAuthService(
 		queries:              queries,
 		oauthBroker:          oauthBroker,
 	}
+}

-	wg.Go(service.CleanupOAuthSessionsRoutine)
-
-	return service
+func (auth *AuthService) Init() error {
+	go auth.CleanupOAuthSessionsRoutine()
+	return nil
 }

 func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error) {
@@ -129,8 +128,8 @@ func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error)
 		}, nil
 	}

-	if auth.ldap != nil {
-		userDN, email, err := auth.ldap.GetUserInfo(username)
+	if auth.ldap.IsConfigured() {
+		userDN, err := auth.ldap.GetUserDN(username)

 		if err != nil {
 			return nil, fmt.Errorf("failed to get ldap user: %w", err)
@@ -138,7 +137,6 @@ func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error)

 		return &model.UserSearch{
 			Username: userDN,
-			Email:    email,
 			Type:     model.UserLDAP,
 		}, nil
 	}
@@ -155,7 +153,7 @@ func (auth *AuthService) CheckUserPassword(search model.UserSearch, password str
 		}
 		return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
 	case model.UserLDAP:
-		if auth.ldap != nil {
+		if auth.ldap.IsConfigured() {
 			err := auth.ldap.Bind(search.Username, password)
 			if err != nil {
 				return fmt.Errorf("failed to bind to ldap user: %w", err)
@@ -175,10 +173,10 @@ func (auth *AuthService) CheckUserPassword(search model.UserSearch, password str
 }

 func (auth *AuthService) GetLocalUser(username string) *model.LocalUser {
-	if auth.runtime.LocalUsers == nil {
+	if auth.config.LocalUsers == nil {
 		return nil
 	}
-	for _, user := range auth.runtime.LocalUsers {
+	for _, user := range *auth.config.LocalUsers {
 		if user.Username == username {
 			return &user
 		}
@@ -187,7 +185,7 @@ func (auth *AuthService) GetLocalUser(username string) *model.LocalUser {
 }

 func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
-	if auth.ldap == nil {
+	if !auth.ldap.IsConfigured() {
 		return nil, errors.New("ldap service not configured")
 	}

@@ -211,7 +209,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 	auth.ldapGroupsMutex.Lock()
 	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
 		Groups:  groups,
-		Expires: time.Now().Add(time.Duration(auth.config.LDAP.GroupCacheTTL) * time.Second),
+		Expires: time.Now().Add(time.Duration(auth.config.LDAPGroupsCacheTTL) * time.Second),
 	}
 	auth.ldapGroupsMutex.Unlock()

@@ -230,7 +228,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 		return true, remaining
 	}

-	if auth.config.Auth.LoginMaxRetries <= 0 || auth.config.Auth.LoginTimeout <= 0 {
+	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
 		return false, 0
 	}

@@ -248,7 +246,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 }

 func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
-	if auth.config.Auth.LoginMaxRetries <= 0 || auth.config.Auth.LoginTimeout <= 0 {
+	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
 		return
 	}

@@ -279,14 +277,14 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {

 	attempt.FailedAttempts++

-	if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
-		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
-		auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
+	if attempt.FailedAttempts >= auth.config.LoginMaxRetries {
+		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second)
+		tlog.App.Warn().Str("identifier", identifier).Int("timeout", auth.config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
 	}
 }

 func (auth *AuthService) IsEmailWhitelisted(email string) bool {
-	return utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
+	return utils.CheckFilter(strings.Join(auth.config.OauthWhitelist, ","), email)
 }

 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
@@ -301,7 +299,7 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	if data.TotpPending {
 		expiry = 3600
 	} else {
-		expiry = auth.config.Auth.SessionExpiry
+		expiry = auth.config.SessionExpiry
 	}

 	expiresAt := time.Now().Add(time.Duration(expiry) * time.Second)
@@ -327,13 +325,13 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}

 	return &http.Cookie{
-		Name:     auth.runtime.SessionCookieName,
+		Name:     auth.config.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
-		Secure:   auth.config.Auth.SecureCookie,
+		Secure:   auth.config.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -350,8 +348,8 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http

 	var refreshThreshold int64

-	if auth.config.Auth.SessionExpiry <= int(time.Hour.Seconds()) {
-		refreshThreshold = int64(auth.config.Auth.SessionExpiry / 2)
+	if auth.config.SessionExpiry <= int(time.Hour.Seconds()) {
+		refreshThreshold = int64(auth.config.SessionExpiry / 2)
 	} else {
 		refreshThreshold = int64(time.Hour.Seconds())
 	}
@@ -380,13 +378,13 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 	}

 	return &http.Cookie{
-		Name:     auth.runtime.SessionCookieName,
+		Name:     auth.config.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
-		Secure:   auth.config.Auth.SecureCookie,
+		Secure:   auth.config.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -397,17 +395,23 @@ func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.
 	err := auth.queries.DeleteSession(ctx, uuid)

 	if err != nil {
-		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
+		tlog.App.Warn().Err(err).Msg("Failed to delete session from database, proceeding to clear cookie anyway")
+	}
+
+	err = auth.queries.DeleteSession(ctx, uuid)
+
+	if err != nil {
+		return nil, err
 	}

 	return &http.Cookie{
-		Name:     auth.runtime.SessionCookieName,
+		Name:     auth.config.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
 		Expires:  time.Now(),
 		MaxAge:   -1,
-		Secure:   auth.config.Auth.SecureCookie,
+		Secure:   auth.config.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -425,8 +429,8 @@ func (auth *AuthService) GetSession(ctx context.Context, uuid string) (*reposito

 	currentTime := time.Now().Unix()

-	if auth.config.Auth.SessionMaxLifetime != 0 && session.CreatedAt != 0 {
-		if currentTime-session.CreatedAt > int64(auth.config.Auth.SessionMaxLifetime) {
+	if auth.config.SessionMaxLifetime != 0 && session.CreatedAt != 0 {
+		if currentTime-session.CreatedAt > int64(auth.config.SessionMaxLifetime) {
 			err = auth.queries.DeleteSession(ctx, uuid)
 			if err != nil {
 				return nil, fmt.Errorf("failed to delete expired session: %w", err)
@@ -447,11 +451,11 @@ func (auth *AuthService) GetSession(ctx context.Context, uuid string) (*reposito
 }

 func (auth *AuthService) LocalAuthConfigured() bool {
-	return len(auth.runtime.LocalUsers) > 0
+	return auth.config.LocalUsers != nil && len(*auth.config.LocalUsers) > 0
 }

 func (auth *AuthService) LDAPAuthConfigured() bool {
-	return auth.ldap != nil
+	return auth.ldap.IsConfigured()
 }

 func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
@@ -460,18 +464,18 @@ func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext
 	}

 	if context.Provider == model.ProviderOAuth {
-		auth.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
+		tlog.App.Debug().Msg("Checking OAuth whitelist")
 		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
 	}

 	if acls.Users.Block != "" {
-		auth.log.App.Debug().Msg("Checking users block list")
+		tlog.App.Debug().Msg("Checking blocked users")
 		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
 			return false
 		}
 	}

-	auth.log.App.Debug().Msg("Checking users allow list")
+	tlog.App.Debug().Msg("Checking users")
 	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
 }

@@ -481,23 +485,23 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context model.UserContex
 	}

 	if !context.IsOAuth() {
-		auth.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
+		tlog.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
 		return false
 	}

 	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
-		auth.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
+		tlog.App.Debug().Msg("Provider override for OAuth groups enabled, skipping group check")
 		return true
 	}

 	for _, userGroup := range context.OAuth.Groups {
 		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
+			tlog.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
 			return true
 		}
 	}

-	auth.log.App.Debug().Msg("No groups matched")
+	tlog.App.Debug().Msg("No groups matched")
 	return false
 }

@@ -507,18 +511,18 @@ func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext
 	}

 	if !context.IsLDAP() {
-		auth.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
+		tlog.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
 		return false
 	}

 	for _, userGroup := range context.LDAP.Groups {
 		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
-			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
+			tlog.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
 			return true
 		}
 	}

-	auth.log.App.Debug().Msg("No groups matched")
+	tlog.App.Debug().Msg("No groups matched")
 	return false
 }

@@ -562,17 +566,17 @@ func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
 	}

 	// Merge the global and app IP filter
-	blockedIps := append(auth.config.Auth.IP.Block, acls.IP.Block...)
-	allowedIPs := append(auth.config.Auth.IP.Allow, acls.IP.Allow...)
+	blockedIps := append(auth.config.IP.Block, acls.IP.Block...)
+	allowedIPs := append(auth.config.IP.Allow, acls.IP.Allow...)

 	for _, blocked := range blockedIps {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
+			tlog.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
 			continue
 		}
 		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
+			tlog.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in blocked list, denying access")
 			return false
 		}
 	}
@@ -580,21 +584,21 @@ func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
 	for _, allowed := range allowedIPs {
 		res, err := utils.FilterIP(allowed, ip)
 		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
+			tlog.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
 			continue
 		}
 		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
+			tlog.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allowed list, allowing access")
 			return true
 		}
 	}

 	if len(allowedIPs) > 0 {
-		auth.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
+		tlog.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
 		return false
 	}

-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in any block or allow list, allowing access by default")
+	tlog.App.Debug().Str("ip", ip).Msg("IP not in allow or block list, allowing by default")
 	return true
 }

@@ -606,16 +610,16 @@ func (auth *AuthService) IsBypassedIP(ip string, acls *model.App) bool {
 	for _, bypassed := range acls.IP.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {
-			auth.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
+			tlog.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
 			continue
 		}
 		if res {
-			auth.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
+			tlog.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, allowing access")
 			return true
 		}
 	}

-	auth.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
+	tlog.App.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
 	return false
 }

@@ -719,32 +723,21 @@ func (auth *AuthService) EndOAuthSession(sessionId string) {
 }

 func (auth *AuthService) CleanupOAuthSessionsRoutine() {
-	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
-
 	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()

-	for {
-		select {
-		case <-ticker.C:
-			auth.log.App.Debug().Msg("Running OAuth session cleanup")
+	for range ticker.C {
+		auth.oauthMutex.Lock()

-			auth.oauthMutex.Lock()
+		now := time.Now()

-			now := time.Now()
-
-			for sessionId, session := range auth.oauthPendingSessions {
-				if now.After(session.ExpiresAt) {
-					delete(auth.oauthPendingSessions, sessionId)
-				}
+		for sessionId, session := range auth.oauthPendingSessions {
+			if now.After(session.ExpiresAt) {
+				delete(auth.oauthPendingSessions, sessionId)
 			}
-
-			auth.oauthMutex.Unlock()
-			auth.log.App.Debug().Msg("OAuth session cleanup completed")
-		case <-auth.context.Done():
-			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
-			return
 		}
+
+		auth.oauthMutex.Unlock()
 	}
 }

@@ -813,11 +806,11 @@ func (auth *AuthService) lockdownMode() {

 	auth.loginMutex.Lock()

-	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
+	tlog.App.Warn().Msg("Multiple login attempts detected, possibly DDOS attack. Activating temporary lockdown.")

 	auth.lockdown = &Lockdown{
 		Active:      true,
-		ActiveUntil: time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second),
+		ActiveUntil: time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second),
 	}

 	// At this point all login attemps will also expire so,
@@ -834,14 +827,11 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
-	case <-auth.context.Done():
-		// Service is shutting down, end lockdown
 	}

 	auth.loginMutex.Lock()

-	auth.log.App.Info().Msg("Exiting lockdown mode")
-
+	tlog.App.Info().Msg("Lockdown period ended, resuming normal operation")
 	auth.lockdown = nil
 	auth.loginMutex.Unlock()
 }
@@ -3,56 +3,51 @@ package service
 import (
 	"context"
 	"strings"
-	"sync"

 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 )

 type DockerService struct {
-	log     *logger.Logger
-	client  *client.Client
-	context context.Context
-
+	client      *client.Client
+	context     context.Context
 	isConnected bool
 }

-func NewDockerService(
-	log *logger.Logger,
-	ctx context.Context,
-	wg *sync.WaitGroup,
-) (*DockerService, error) {
+func NewDockerService() *DockerService {
+	return &DockerService{}
+}

+func (docker *DockerService) Init() error {
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
-		return nil, err
+		return err
 	}

+	ctx := context.Background()
 	client.NegotiateAPIVersion(ctx)

-	_, err = client.Ping(ctx)
+	docker.client = client
+	docker.context = ctx
+
+	_, err = docker.client.Ping(docker.context)

 	if err != nil {
-		log.App.Debug().Err(err).Msg("Docker not connected")
-		return nil, nil
+		tlog.App.Debug().Err(err).Msg("Docker not connected")
+		docker.isConnected = false
+		docker.client = nil
+		docker.context = nil
+		return nil
 	}

-	service := &DockerService{
-		log:     log,
-		client:  client,
-		context: ctx,
-	}
+	docker.isConnected = true
+	tlog.App.Debug().Msg("Docker connected")

-	service.isConnected = true
-	service.log.App.Debug().Msg("Docker connected successfully")
-
-	wg.Go(service.watchAndClose)
-
-	return service, nil
+	return nil
 }

 func (docker *DockerService) getContainers() ([]container.Summary, error) {
@@ -65,7 +60,7 @@ func (docker *DockerService) inspectContainer(containerId string) (container.Ins

 func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 	if !docker.isConnected {
-		docker.log.App.Debug().Msg("Docker service not connected, returning empty labels")
+		tlog.App.Debug().Msg("Docker not connected, returning empty labels")
 		return nil, nil
 	}

@@ -87,28 +82,17 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {

 		for appName, appLabels := range labels.Apps {
 			if appLabels.Config.Domain == appDomain {
-				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
+				tlog.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
 				return &appLabels, nil
 			}

 			if strings.SplitN(appDomain, ".", 2)[0] == appName {
-				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
+				tlog.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
 				return &appLabels, nil
 			}
 		}
 	}

-	docker.log.App.Debug().Str("domain", appDomain).Msg("No matching container found for domain")
+	tlog.App.Debug().Msg("No matching container found, returning empty labels")
 	return nil, nil
 }
-
-func (docker *DockerService) watchAndClose() {
-	<-docker.context.Done()
-	docker.log.App.Debug().Msg("Closing Docker client")
-	if docker.client != nil {
-		err := docker.client.Close()
-		if err != nil {
-			docker.log.App.Error().Err(err).Msg("Error closing Docker client")
-		}
-	}
-}
@@ -9,7 +9,7 @@ import (

 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -36,10 +36,9 @@ type ingressApp struct {
 }

 type KubernetesService struct {
-	log *logger.Logger
-	ctx context.Context
-
 	client       dynamic.Interface
+	ctx          context.Context
+	cancel       context.CancelFunc
 	started      bool
 	mu           sync.RWMutex
 	ingressApps  map[ingressKey][]ingressApp
@@ -47,55 +46,12 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }

-func NewKubernetesService(
-	log *logger.Logger,
-	ctx context.Context,
-	wg *sync.WaitGroup,
-) (*KubernetesService, error) {
-	cfg, err := rest.InClusterConfig()
-	if err != nil {
-		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
-	}
-
-	client, err := dynamic.NewForConfig(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create kubernetes client: %w", err)
-	}
-
-	gvr := schema.GroupVersionResource{
-		Group:    "networking.k8s.io",
-		Version:  "v1",
-		Resource: "ingresses",
-	}
-
-	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
-	defer accessCancel()
-
-	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
-	if err != nil {
-		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
-		return nil, fmt.Errorf("failed to access ingress api: %w", err)
-	}
-
-	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
-
-	service := &KubernetesService{
-		log:          log,
-		ctx:          ctx,
-		client:       client,
+func NewKubernetesService() *KubernetesService {
+	return &KubernetesService{
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
-
-	wg.Go(func() {
-		service.watchGVR(gvr)
-	})
-
-	service.started = true
-	log.App.Debug().Msg("Kubernetes label provider started successfully")
-
-	return service, nil
 }

 func (k *KubernetesService) addIngressApps(namespace, name string, apps []ingressApp) {
@@ -177,7 +133,7 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	}
 	labels, err := decoders.DecodeLabels[model.Apps](annotations, "apps")
 	if err != nil {
-		k.log.App.Warn().Err(err).Str("namespace", namespace).Str("name", name).Msg("Failed to decode ingress labels, skipping")
+		tlog.App.Debug().Err(err).Msg("Failed to decode labels from annotations")
 		k.removeIngress(namespace, name)
 		return
 	}
@@ -205,13 +161,13 @@ func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {

 	list, err := k.client.Resource(gvr).List(ctx, metav1.ListOptions{})
 	if err != nil {
-		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to list resources for resync")
+		tlog.App.Debug().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to list ingresses during resync")
 		return err
 	}
 	for i := range list.Items {
 		k.updateFromItem(&list.Items[i])
 	}
-	k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Int("count", len(list.Items)).Msg("Resync complete")
+	tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Int("count", len(list.Items)).Msg("Resynced ingress cache")
 	return nil
 }

@@ -225,14 +181,14 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 			return false
 		case event, ok := <-w.ResultChan():
 			if !ok {
-				k.log.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Watcher channel closed, restarting watcher")
+				tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher channel closed, restarting in 5 seconds")
 				w.Stop()
 				time.Sleep(5 * time.Second)
 				return true
 			}
 			item, ok := event.Object.(*unstructured.Unstructured)
 			if !ok {
-				k.log.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Received unexpected event object, skipping")
+				tlog.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Failed to cast watched object")
 				continue
 			}
 			switch event.Type {
@@ -243,7 +199,7 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 			}
 		case <-resyncTicker.C:
 			if err := k.resyncGVR(gvr); err != nil {
-				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed during watcher run")
+				tlog.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed")
 			}
 		}
 	}
@@ -254,29 +210,29 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	defer resyncTicker.Stop()

 	if err := k.resyncGVR(gvr); err != nil {
-		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, will retry")
+		tlog.App.Error().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, retrying in 30 seconds")
 		time.Sleep(30 * time.Second)
 	}

 	for {
 		select {
 		case <-k.ctx.Done():
-			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Shutting down kubernetes watcher")
+			tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Stopping watcher")
 			return
 		case <-resyncTicker.C:
 			if err := k.resyncGVR(gvr); err != nil {
-				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed, will retry")
+				tlog.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed")
 			}
 		default:
 			ctx, cancel := context.WithCancel(k.ctx)
 			watcher, err := k.client.Resource(gvr).Watch(ctx, metav1.ListOptions{})
 			if err != nil {
-				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher, will retry")
+				tlog.App.Error().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher")
 				cancel()
 				time.Sleep(10 * time.Second)
 				continue
 			}
-			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started successfully")
+			tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started")
 			if !k.runWatcher(gvr, watcher, resyncTicker) {
 				cancel()
 				return
@@ -286,25 +242,65 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	}
 }

+func (k *KubernetesService) Init() error {
+	var cfg *rest.Config
+	var err error
+
+	cfg, err = rest.InClusterConfig()
+	if err != nil {
+		return fmt.Errorf("failed to get in-cluster Kubernetes config: %w", err)
+	}
+
+	client, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		return fmt.Errorf("failed to create Kubernetes client: %w", err)
+	}
+
+	k.client = client
+	k.ctx, k.cancel = context.WithCancel(context.Background())
+
+	gvr := schema.GroupVersionResource{
+		Group:    "networking.k8s.io",
+		Version:  "v1",
+		Resource: "ingresses",
+	}
+
+	accessCtx, accessCancel := context.WithTimeout(k.ctx, 5*time.Second)
+	defer accessCancel()
+	_, err = k.client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
+	if err != nil {
+		tlog.App.Warn().Err(err).Msg("Insufficient permissions for networking.k8s.io/v1 Ingress, Kubernetes label provider will not work")
+		k.started = false
+		return nil
+	}
+
+	tlog.App.Debug().Msg("networking.k8s.io/v1 Ingress API accessible")
+	go k.watchGVR(gvr)
+
+	k.started = true
+	tlog.App.Info().Msg("Kubernetes label provider initialized")
+	return nil
+}
+
 func (k *KubernetesService) GetLabels(appDomain string) (*model.App, error) {
 	if !k.started {
-		k.log.App.Debug().Str("domain", appDomain).Msg("Kubernetes label provider not started, skipping")
+		tlog.App.Debug().Msg("Kubernetes not connected, returning empty labels")
 		return nil, nil
 	}

 	// First check cache
 	app := k.getByDomain(appDomain)
 	if app != nil {
-		k.log.App.Debug().Str("domain", appDomain).Msg("Found labels in cache by domain")
+		tlog.App.Debug().Str("domain", appDomain).Msg("Found labels in cache by domain")
 		return app, nil
 	}
 	appName := strings.SplitN(appDomain, ".", 2)[0]
 	app = k.getByAppName(appName)
 	if app != nil {
-		k.log.App.Debug().Str("domain", appDomain).Str("appName", appName).Msg("Found labels in cache by app name")
+		tlog.App.Debug().Str("domain", appDomain).Str("appName", appName).Msg("Found labels in cache by app name")
 		return app, nil
 	}

-	k.log.App.Debug().Str("domain", appDomain).Msg("No labels found for domain")
+	tlog.App.Debug().Str("domain", appDomain).Msg("Cache miss, no matching ingress found")
 	return nil, nil
 }
@@ -8,13 +8,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func TestKubernetesService(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
-
 	type testCase struct {
 		description string
 		run         func(t *testing.T, svc *KubernetesService)
@@ -183,7 +179,6 @@ func TestKubernetesService(t *testing.T) {
 				ingressApps:  make(map[ingressKey][]ingressApp),
 				domainIndex:  make(map[string]ingressAppKey),
 				appNameIndex: make(map[string]ingressAppKey),
-				log:          log,
 			}
 			test.run(t, svc)
 		})
@@ -9,47 +9,69 @@ import (

 	"github.com/cenkalti/backoff/v5"
 	ldapgo "github.com/go-ldap/ldap/v3"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

-type LdapService struct {
-	log     *logger.Logger
-	config  model.Config
-	context context.Context
-
-	conn  *ldapgo.Conn
-	mutex sync.RWMutex
-	cert  *tls.Certificate
+type LdapServiceConfig struct {
+	Address      string
+	BindDN       string
+	BindPassword string
+	BaseDN       string
+	Insecure     bool
+	SearchFilter string
+	AuthCert     string
+	AuthKey      string
 }

-func NewLdapService(
-	log *logger.Logger,
-	config model.Config,
-	ctx context.Context,
-	wg *sync.WaitGroup,
-) (*LdapService, error) {
-	if config.LDAP.Address == "" {
-		return nil, nil
+type LdapService struct {
+	config       LdapServiceConfig
+	conn         *ldapgo.Conn
+	mutex        sync.RWMutex
+	cert         *tls.Certificate
+	isConfigured bool
+}
+
+func NewLdapService(config LdapServiceConfig) *LdapService {
+	return &LdapService{
+		config: config,
+	}
+}
+
+func (ldap *LdapService) IsConfigured() bool {
+	return ldap.isConfigured
+}
+
+func (ldap *LdapService) Unconfigure() error {
+	if !ldap.isConfigured {
+		return nil
 	}

-	ldap := &LdapService{
-		log:     log,
-		config:  config,
-		context: ctx,
+	if ldap.conn != nil {
+		if err := ldap.conn.Close(); err != nil {
+			return fmt.Errorf("failed to close LDAP connection: %w", err)
+		}
 	}

+	ldap.isConfigured = false
+	return nil
+}
+
+func (ldap *LdapService) Init() error {
+	if ldap.config.Address == "" {
+		ldap.isConfigured = false
+		return nil
+	}
+
+	ldap.isConfigured = true
+
 	// Check whether authentication with client certificate is possible
-	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
-
+	if ldap.config.AuthCert != "" && ldap.config.AuthKey != "" {
+		cert, err := tls.LoadX509KeyPair(ldap.config.AuthCert, ldap.config.AuthKey)
 		if err != nil {
-			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
+			return fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
-
-		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
-
 		ldap.cert = &cert
+		tlog.App.Info().Msg("Using LDAP with mTLS authentication")

 		// TODO: Add optional extra CA certificates, instead of `InsecureSkipVerify`
 		/*
@@ -62,39 +84,26 @@ func NewLdapService(
 			}
 		*/
 	}
-
 	_, err := ldap.connect()
-
 	if err != nil {
-		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
+		return fmt.Errorf("failed to connect to LDAP server: %w", err)
 	}

-	wg.Go(func() {
-		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
-
-		ticker := time.NewTicker(5 * time.Minute)
-		defer ticker.Stop()
-
-		for {
-			select {
-			case <-ticker.C:
-				err := ldap.heartbeat()
-				if err != nil {
-					ldap.log.App.Warn().Err(err).Msg("LDAP connection heartbeat failed, attempting to reconnect")
-					if reconnectErr := ldap.reconnect(); reconnectErr != nil {
-						ldap.log.App.Error().Err(reconnectErr).Msg("Failed to reconnect to LDAP server")
-						continue
-					}
-					ldap.log.App.Info().Msg("Successfully reconnected to LDAP server")
+	go func() {
+		for range time.Tick(time.Duration(5) * time.Minute) {
+			err := ldap.heartbeat()
+			if err != nil {
+				tlog.App.Error().Err(err).Msg("LDAP connection heartbeat failed")
+				if reconnectErr := ldap.reconnect(); reconnectErr != nil {
+					tlog.App.Error().Err(reconnectErr).Msg("Failed to reconnect to LDAP server")
+					continue
 				}
-			case <-ldap.context.Done():
-				ldap.log.App.Debug().Msg("LDAP service context cancelled, stopping heartbeat")
-				return
+				tlog.App.Info().Msg("Successfully reconnected to LDAP server")
 			}
 		}
-	})
+	}()

-	return ldap, nil
+	return nil
 }

 func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
@@ -111,13 +120,13 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	// 2. conn.StartTLS(tlsConfig)
 	// 3. conn.externalBind()
 	if ldap.cert != nil {
-		conn, err = ldapgo.DialURL(ldap.config.LDAP.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+		conn, err = ldapgo.DialURL(ldap.config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 			MinVersion:   tls.VersionTLS12,
 			Certificates: []tls.Certificate{*ldap.cert},
 		}))
 	} else {
-		conn, err = ldapgo.DialURL(ldap.config.LDAP.Address, ldapgo.DialWithTLSConfig(&tls.Config{
-			InsecureSkipVerify: ldap.config.LDAP.Insecure,
+		conn, err = ldapgo.DialURL(ldap.config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+			InsecureSkipVerify: ldap.config.Insecure,
 			MinVersion:         tls.VersionTLS12,
 		}))
 	}
@@ -134,15 +143,16 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	return ldap.conn, nil
 }

-func (ldap *LdapService) GetUserInfo(username string) (dn string, email string, err error) {
+func (ldap *LdapService) GetUserDN(username string) (string, error) {
+	// Escape the username to prevent LDAP injection
 	escapedUsername := ldapgo.EscapeFilter(username)
-	filter := fmt.Sprintf(ldap.config.LDAP.SearchFilter, escapedUsername)
+	filter := fmt.Sprintf(ldap.config.SearchFilter, escapedUsername)

 	searchRequest := ldapgo.NewSearchRequest(
-		ldap.config.LDAP.BaseDN,
+		ldap.config.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
 		filter,
-		[]string{"dn", "mail"},
+		[]string{"dn"},
 		nil,
 	)

@@ -151,22 +161,22 @@ func (ldap *LdapService) GetUserInfo(username string) (dn string, email string,

 	searchResult, err := ldap.conn.Search(searchRequest)
 	if err != nil {
-		return "", "", err
+		return "", err
 	}

 	if len(searchResult.Entries) != 1 {
-		return "", "", fmt.Errorf("multiple or no entries found for user %s", username)
+		return "", fmt.Errorf("multiple or no entries found for user %s", username)
 	}

-	entry := searchResult.Entries[0]
-	return entry.DN, entry.GetAttributeValue("mail"), nil
+	userDN := searchResult.Entries[0].DN
+	return userDN, nil
 }

 func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	escapedUserDN := ldapgo.EscapeFilter(userDN)

 	searchRequest := ldapgo.NewSearchRequest(
-		ldap.config.LDAP.BaseDN,
+		ldap.config.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf("(&(objectclass=groupOfUniqueNames)(uniquemember=%s))", escapedUserDN),
 		[]string{"dn"},
@@ -214,7 +224,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
+	return ldap.conn.Bind(ldap.config.BindDN, ldap.config.BindPassword)
 }

 func (ldap *LdapService) Bind(userDN string, password string) error {
@@ -228,7 +238,7 @@ func (ldap *LdapService) Bind(userDN string, password string) error {
 }

 func (ldap *LdapService) heartbeat() error {
-	ldap.log.App.Debug().Msg("Performing LDAP connection heartbeat")
+	tlog.App.Debug().Msg("Performing LDAP connection heartbeat")

 	searchRequest := ldapgo.NewSearchRequest(
 		"",
@@ -250,7 +260,7 @@ func (ldap *LdapService) heartbeat() error {
 }

 func (ldap *LdapService) reconnect() error {
-	ldap.log.App.Info().Msg("Attempting to reconnect to LDAP server")
+	tlog.App.Info().Msg("Reconnecting to LDAP server")

 	exp := backoff.NewExponentialBackOff()
 	exp.InitialInterval = 500 * time.Millisecond
@@ -259,7 +269,7 @@ func (ldap *LdapService) reconnect() error {
 	exp.Reset()

 	operation := func() (*ldapgo.Conn, error) {
-		ldap.conn.Close()
+		ldap.conn.Close() //nolint:errcheck
 		conn, err := ldap.connect()
 		if err != nil {
 			return nil, err
@@ -1,10 +1,8 @@
 package service

 import (
-	"context"
-
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"

 	"slices"

@@ -21,39 +19,33 @@ type OAuthServiceImpl interface {
 }

 type OAuthBrokerService struct {
-	log *logger.Logger
-
 	services map[string]OAuthServiceImpl
 	configs  map[string]model.OAuthServiceConfig
 }

-var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Context) *OAuthService{
+var presets = map[string]func(config model.OAuthServiceConfig) *OAuthService{
 	"github": newGitHubOAuthService,
 	"google": newGoogleOAuthService,
 }

-func NewOAuthBrokerService(
-	log *logger.Logger,
-	configs map[string]model.OAuthServiceConfig,
-	ctx context.Context,
-) *OAuthBrokerService {
-	service := &OAuthBrokerService{
-		log:      log,
+func NewOAuthBrokerService(configs map[string]model.OAuthServiceConfig) *OAuthBrokerService {
+	return &OAuthBrokerService{
 		services: make(map[string]OAuthServiceImpl),
 		configs:  configs,
 	}
+}

-	for name, cfg := range configs {
+func (broker *OAuthBrokerService) Init() error {
+	for name, cfg := range broker.configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, ctx)
-			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
+			broker.services[name] = presetFunc(cfg)
+			tlog.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, ctx)
-			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
+			broker.services[name] = NewOAuthService(cfg, name)
+			tlog.App.Debug().Str("service", name).Msg("Loaded OAuth service from config")
 		}
 	}
-
-	return service
+	return nil
 }

 func (broker *OAuthBrokerService) GetConfiguredServices() []string {
@@ -92,7 +92,7 @@ func simpleReq[T any](client *http.Client, url string, headers map[string]string
 	if err != nil {
 		return nil, err
 	}
-	defer res.Body.Close()
+	defer res.Body.Close() //nolint:errcheck

 	if res.StatusCode < 200 || res.StatusCode >= 300 {
 		return nil, fmt.Errorf("request failed with status: %s", res.Status)
@@ -1,25 +1,23 @@
 package service

 import (
-	"context"
-
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"golang.org/x/oauth2/endpoints"
 )

-func newGoogleOAuthService(config model.OAuthServiceConfig, ctx context.Context) *OAuthService {
+func newGoogleOAuthService(config model.OAuthServiceConfig) *OAuthService {
 	scopes := []string{"openid", "email", "profile"}
 	config.Scopes = scopes
 	config.AuthURL = endpoints.Google.AuthURL
 	config.TokenURL = endpoints.Google.TokenURL
 	config.UserinfoURL = "https://openidconnect.googleapis.com/v1/userinfo"
-	return NewOAuthService(config, "google", ctx)
+	return NewOAuthService(config, "google")
 }

-func newGitHubOAuthService(config model.OAuthServiceConfig, ctx context.Context) *OAuthService {
+func newGitHubOAuthService(config model.OAuthServiceConfig) *OAuthService {
 	scopes := []string{"read:user", "user:email"}
 	config.Scopes = scopes
 	config.AuthURL = endpoints.GitHub.AuthURL
 	config.TokenURL = endpoints.GitHub.TokenURL
-	return NewOAuthService(config, "github", ctx).WithUserinfoExtractor(githubExtractor)
+	return NewOAuthService(config, "github").WithUserinfoExtractor(githubExtractor)
 }
@@ -20,7 +20,7 @@ type OAuthService struct {
 	id                string
 }

-func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Context) *OAuthService {
+func NewOAuthService(config model.OAuthServiceConfig, id string) *OAuthService {
 	httpClient := &http.Client{
 		Timeout: 30 * time.Second,
 		Transport: &http.Transport{
@@ -29,7 +29,8 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 			},
 		},
 	}
-	vctx := context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	ctx := context.Background()
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)

 	return &OAuthService{
 		serviceCfg: config,
@@ -43,7 +44,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Con
 				TokenURL: config.TokenURL,
 			},
 		},
-		ctx:               vctx,
+		ctx:               ctx,
 		userinfoExtractor: defaultExtractor,
 		id:                id,
 	}
@@ -16,7 +16,6 @@ import (
 	"net/url"
 	"os"
 	"strings"
-	"sync"
 	"time"

 	"slices"
@@ -26,7 +25,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )

 var (
@@ -112,173 +111,172 @@ type AuthorizeRequest struct {
 	CodeChallengeMethod string `json:"code_challenge_method"`
 }

-type OIDCService struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	queries *repository.Queries
-	context context.Context
-
-	clients    map[string]model.OIDCClientConfig
-	privateKey *rsa.PrivateKey
-	publicKey  crypto.PublicKey
-	issuer     string
+type OIDCServiceConfig struct {
+	Clients        map[string]model.OIDCClientConfig
+	PrivateKeyPath string
+	PublicKeyPath  string
+	Issuer         string
+	SessionExpiry  int
 }

-func NewOIDCService(
-	log *logger.Logger,
-	config model.Config,
-	runtime model.RuntimeConfig,
-	queries *repository.Queries,
-	ctx context.Context,
-	wg *sync.WaitGroup) (*OIDCService, error) {
+type OIDCService struct {
+	config       OIDCServiceConfig
+	queries      *repository.Queries
+	clients      map[string]model.OIDCClientConfig
+	privateKey   *rsa.PrivateKey
+	publicKey    crypto.PublicKey
+	issuer       string
+	isConfigured bool
+}
+
+func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDCService {
+	return &OIDCService{
+		config:  config,
+		queries: queries,
+	}
+}
+
+func (service *OIDCService) IsConfigured() bool {
+	return service.isConfigured
+}
+
+func (service *OIDCService) Init() error {
 	// If not configured, skip init
-	if len(runtime.OIDCClients) == 0 {
-		return nil, nil
+	if len(service.config.Clients) == 0 {
+		service.isConfigured = false
+		return nil
 	}

+	service.isConfigured = true
+
 	// Ensure issuer is https
-	uissuer, err := url.Parse(runtime.AppURL)
+	uissuer, err := url.Parse(service.config.Issuer)

 	if err != nil {
-		return nil, fmt.Errorf("failed to parse app url: %w", err)
+		return err
 	}

 	if uissuer.Scheme != "https" {
-		return nil, errors.New("issuer must be https")
+		return errors.New("issuer must be https")
 	}

-	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
+	service.issuer = fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)

 	// Create/load private and public keys
-	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
-		return nil, errors.New("private key path and public key path are required")
+	if strings.TrimSpace(service.config.PrivateKeyPath) == "" ||
+		strings.TrimSpace(service.config.PublicKeyPath) == "" {
+		return errors.New("private key path and public key path are required")
 	}

 	var privateKey *rsa.PrivateKey

-	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(service.config.PrivateKeyPath)

 	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return nil, err
+		return err
 	}

 	if errors.Is(err, os.ErrNotExist) {
 		privateKey, err = rsa.GenerateKey(rand.Reader, 2048)
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate private key: %w", err)
+			return err
 		}
 		der := x509.MarshalPKCS1PrivateKey(privateKey)
 		if der == nil {
-			return nil, errors.New("failed to marshal private key")
+			return errors.New("failed to marshal private key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
+		tlog.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		err = os.WriteFile(service.config.PrivateKeyPath, encoded, 0600)
 		if err != nil {
-			return nil, fmt.Errorf("failed to write private key to file: %w", err)
+			return err
 		}
+		service.privateKey = privateKey
 	} else {
 		block, _ := pem.Decode(fprivateKey)
 		if block == nil {
-			return nil, errors.New("failed to decode private key")
+			return errors.New("failed to decode private key")
 		}
-		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		tlog.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse private key: %w", err)
+			return err
 		}
+		service.privateKey = privateKey
 	}

-	var publicKey crypto.PublicKey
-
-	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(service.config.PublicKeyPath)

 	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return nil, fmt.Errorf("failed to read public key: %w", err)
+		return err
 	}

 	if errors.Is(err, os.ErrNotExist) {
-		publicKey = privateKey.Public()
+		publicKey := service.privateKey.Public()
 		der := x509.MarshalPKCS1PublicKey(publicKey.(*rsa.PublicKey))
 		if der == nil {
-			return nil, errors.New("failed to marshal public key")
+			return errors.New("failed to marshal public key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
+		tlog.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		err = os.WriteFile(service.config.PublicKeyPath, encoded, 0644)
 		if err != nil {
-			return nil, err
+			return err
 		}
+		service.publicKey = publicKey
 	} else {
 		block, _ := pem.Decode(fpublicKey)
 		if block == nil {
-			return nil, errors.New("failed to decode public key")
+			return errors.New("failed to decode public key")
 		}
-		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		tlog.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
-			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
+			publicKey, err := x509.ParsePKCS1PublicKey(block.Bytes)
 			if err != nil {
-				return nil, fmt.Errorf("failed to parse public key: %w", err)
+				return err
 			}
+			service.publicKey = publicKey
 		case "PUBLIC KEY":
-			publicKey, err = x509.ParsePKIXPublicKey(block.Bytes)
+			publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
 			if err != nil {
-				return nil, fmt.Errorf("failed to parse public key: %w", err)
+				return err
 			}
+			service.publicKey = publicKey.(crypto.PublicKey)
 		default:
-			return nil, fmt.Errorf("unsupported public key type: %s", block.Type)
+			return fmt.Errorf("unsupported public key type: %s", block.Type)
 		}
 	}

 	// We will reorganize the client into a map with the client ID as the key
-	clients := make(map[string]model.OIDCClientConfig)
+	service.clients = make(map[string]model.OIDCClientConfig)

-	for id, client := range config.OIDC.Clients {
+	for id, client := range service.config.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
 		}
-		clients[client.ClientID] = client
+		service.clients[client.ClientID] = client
 	}

 	// Load the client secrets from files if they exist
-	for id, client := range clients {
+	for id, client := range service.clients {
 		secret := utils.GetSecret(client.ClientSecret, client.ClientSecretFile)
 		if secret != "" {
 			client.ClientSecret = secret
 		}
 		client.ClientSecretFile = ""
-		clients[id] = client
-		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		service.clients[id] = client
+		tlog.App.Info().Str("id", client.ID).Msg("Registered OIDC client")
 	}

-	// Initialize the service
-	service := &OIDCService{
-		log:     log,
-		config:  config,
-		runtime: runtime,
-		queries: queries,
-		context: ctx,
-
-		clients:    clients,
-		privateKey: privateKey,
-		publicKey:  publicKey,
-		issuer:     issuer,
-	}
-
-	// Start cleanup routine
-	wg.Go(service.cleanupRoutine)
-
-	return service, nil
+	return nil
 }

 func (service *OIDCService) GetIssuer() string {
@@ -296,11 +294,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 	if !ok {
 		return errors.New("access_denied")
 	}
-	
-	// Redirect URI to verify that it's trusted
-	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
-		return errors.New("invalid_request_uri")
-	}

 	// Scopes
 	scopes := strings.Split(req.Scope, " ")
@@ -314,7 +307,7 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 			return errors.New("invalid_scope")
 		}
 		if !slices.Contains(SupportedScopes, scope) {
-			service.log.App.Warn().Str("scope", scope).Msg("Requested unsupported scope")
+			tlog.App.Warn().Str("scope", scope).Msg("Unsupported OIDC scope, will be ignored")
 		}
 	}

@@ -323,6 +316,11 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 		return errors.New("unsupported_response_type")
 	}

+	// Redirect URI
+	if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
+		return errors.New("invalid_request_uri")
+	}
+
 	// PKCE code challenge method if set
 	if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
 		if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
@@ -359,7 +357,7 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 			entry.CodeChallenge = req.CodeChallenge
 		} else {
 			entry.CodeChallenge = service.hashAndEncodePKCE(req.CodeChallenge)
-			service.log.App.Warn().Msg("Using plain PKCE code challenge method is not recommended, consider switching to S256 for better security")
+			tlog.App.Warn().Msg("Received plain PKCE code challenge, it's recommended to use S256 for better security")
 		}
 	}

@@ -451,7 +449,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client

 func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
-	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
+	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()

 	hasher := sha256.New()

@@ -531,16 +529,16 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OID
 	accessToken := utils.GenerateString(32)
 	refreshToken := utils.GenerateString(32)

-	tokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
+	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()

 	// Refresh token lives double the time of an access token but can't be used to access userinfo
-	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry*2) * time.Second).Unix()
+	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()

 	tokenResponse := TokenResponse{
 		AccessToken:  accessToken,
 		RefreshToken: refreshToken,
 		TokenType:    "Bearer",
-		ExpiresIn:    int64(service.config.Auth.SessionExpiry),
+		ExpiresIn:    int64(service.config.SessionExpiry),
 		IDToken:      idToken,
 		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
@@ -600,14 +598,14 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 	accessToken := utils.GenerateString(32)
 	newRefreshToken := utils.GenerateString(32)

-	tokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
-	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry*2) * time.Second).Unix()
+	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
+	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()

 	tokenResponse := TokenResponse{
 		AccessToken:  accessToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    "Bearer",
-		ExpiresIn:    int64(service.config.Auth.SessionExpiry),
+		ExpiresIn:    int64(service.config.SessionExpiry),
 		IDToken:      idToken,
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
@@ -750,62 +748,56 @@ func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) er
 }

 // Cleanup routine - Resource heavy due to the linked tables
-func (service *OIDCService) cleanupRoutine() {
-	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
+func (service *OIDCService) Cleanup() {
+	// We need a context for the routine
+	ctx := context.Background()
+
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()

-	for {
-		select {
-		case <-ticker.C:
-			service.log.App.Debug().Msg("Performing OIDC cleanup routine")
+	for range ticker.C {
+		currentTime := time.Now().Unix()

-			currentTime := time.Now().Unix()
+		// For the OIDC tokens, if they are expired we delete the userinfo and codes
+		expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+			TokenExpiresAt:        currentTime,
+			RefreshTokenExpiresAt: currentTime,
+		})

-			// For the OIDC tokens, if they are expired we delete the userinfo and codes
-			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(service.context, repository.DeleteExpiredOidcTokensParams{
-				TokenExpiresAt:        currentTime,
-				RefreshTokenExpiresAt: currentTime,
-			})
+		if err != nil {
+			tlog.App.Warn().Err(err).Msg("Failed to delete expired tokens")
+		}
+
+		for _, expiredToken := range expiredTokens {
+			err := service.DeleteOldSession(ctx, expiredToken.Sub)
+			if err != nil {
+				tlog.App.Warn().Err(err).Msg("Failed to delete old session")
+			}
+		}
+
+		// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
+		expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
+
+		if err != nil {
+			tlog.App.Warn().Err(err).Msg("Failed to delete expired codes")
+		}
+
+		for _, expiredCode := range expiredCodes {
+			token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)

 			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired tokens")
-			}
-
-			for _, expiredToken := range expiredTokens {
-				err := service.DeleteOldSession(service.context, expiredToken.Sub)
-				if err != nil {
-					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
-				}
-			}
-
-			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
-			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(service.context, currentTime)
-
-			if err != nil {
-				service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
-			}
-
-			for _, expiredCode := range expiredCodes {
-				token, err := service.queries.GetOidcTokenBySub(service.context, expiredCode.Sub)
-
-				if err != nil {
-					service.log.App.Warn().Err(err).Msg("Failed to get token by sub for expired code")
+				if errors.Is(err, sql.ErrNoRows) {
 					continue
 				}
-
-				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
-					err := service.DeleteOldSession(service.context, expiredCode.Sub)
-					if err != nil {
-						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
-					}
-				}
+				tlog.App.Warn().Err(err).Msg("Failed to get OIDC token by sub")
 			}

-			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
-		case <-service.context.Done():
-			service.log.App.Debug().Msg("Stopping OIDC cleanup routine")
-			return
+			if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
+				err := service.DeleteOldSession(ctx, expiredCode.Sub)
+				if err != nil {
+					tlog.App.Warn().Err(err).Msg("Failed to delete session")
+				}
+			}
 		}
 	}
 }
@@ -1,9 +1,7 @@
 package service_test

 import (
-	"context"
 	"encoding/json"
-	"sync"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -12,7 +10,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

 func newTestUser() repository.OidcUserinfo {
@@ -51,29 +48,13 @@ func newTestUser() repository.OidcUserinfo {

 func TestCompileUserinfo(t *testing.T) {
 	dir := t.TempDir()
-
-	cfg := model.Config{
-		OIDC: model.OIDCConfig{
-			PrivateKeyPath: dir + "/key.pem",
-			PublicKeyPath:  dir + "/key.pub",
-		},
-		Auth: model.AuthConfig{
-			SessionExpiry: 3600,
-		},
-	}
-
-	runtime := model.RuntimeConfig{
-		AppURL: "https://tinyauth.example.com",
-	}
-
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
-
-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
-
-	svc, err := service.NewOIDCService(log, cfg, runtime, nil, ctx, wg)
-	require.NoError(t, err)
+	svc := service.NewOIDCService(service.OIDCServiceConfig{
+		PrivateKeyPath: dir + "/key.pem",
+		PublicKeyPath:  dir + "/key.pub",
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  3600,
+	}, nil)
+	require.NoError(t, svc.Init())

 	type testCase struct {
 		description string
@@ -1,106 +0,0 @@
-package test
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"golang.org/x/crypto/bcrypt"
-)
-
-var TestingTOTPSecret = "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK"
-
-func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
-	tempDir := t.TempDir()
-
-	config := model.Config{
-		UI: model.UIConfig{
-			Title:                 "Tinyauth Test",
-			ForgotPasswordMessage: "foo",
-			BackgroundImage:       "/background.jpg",
-			WarningsEnabled:       true,
-		},
-		OAuth: model.OAuthConfig{
-			AutoRedirect: "none",
-		},
-		OIDC: model.OIDCConfig{
-			Clients: map[string]model.OIDCClientConfig{
-				"test": {
-					ClientID:            "some-client-id",
-					ClientSecret:        "some-client-secret",
-					TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-					Name:                "Test Client",
-				},
-			},
-			PrivateKeyPath: filepath.Join(tempDir, "key.pem"),
-			PublicKeyPath:  filepath.Join(tempDir, "key.pub"),
-		},
-		Auth: model.AuthConfig{
-			SessionExpiry:   10,
-			LoginTimeout:    10,
-			LoginMaxRetries: 3,
-		},
-		Database: model.DatabaseConfig{
-			Path: filepath.Join(tempDir, "test.db"),
-		},
-		Resources: model.ResourcesConfig{
-			Enabled: true,
-			Path:    filepath.Join(tempDir, "resources"),
-		},
-	}
-
-	passwd, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
-	require.NoError(t, err)
-
-	runtime := model.RuntimeConfig{
-		ConfiguredProviders: []model.Provider{
-			{
-				Name:  "Local",
-				ID:    "local",
-				OAuth: false,
-			},
-		},
-		LocalUsers: []model.LocalUser{
-			{
-				Username: "testuser",
-				Password: string(passwd),
-			},
-			{
-				Username:   "totpuser",
-				Password:   string(passwd),
-				TOTPSecret: TestingTOTPSecret,
-			},
-			{
-				Username: "attruser",
-				Password: string(passwd),
-				Attributes: model.UserAttributes{
-					Name:  "Alice Smith",
-					Email: "alice@example.com",
-				},
-			},
-			{
-				Username:   "attrtotpuser",
-				Password:   string(passwd),
-				TOTPSecret: TestingTOTPSecret,
-				Attributes: model.UserAttributes{
-					Name:  "Bob Jones",
-					Email: "bob@example.com",
-				},
-			},
-		},
-		CookieDomain:      "example.com",
-		AppURL:            "https://tinyauth.example.com",
-		SessionCookieName: "tinyauth-session",
-		OIDCClients: func() []model.OIDCClientConfig {
-			var clients []model.OIDCClientConfig
-			for id, client := range config.OIDC.Clients {
-				client.ID = id
-				clients = append(clients, client)
-			}
-			return clients
-		}(),
-	}
-
-	return config, runtime
-}
@@ -7,6 +7,8 @@ import (
 	"net/url"
 	"strings"

+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+
 	"github.com/weppos/publicsuffix-go/publicsuffix"
 )

@@ -26,6 +28,7 @@ func GetCookieDomain(u string) (string, error) {
 	parts := strings.Split(host, ".")

 	if len(parts) == 2 {
+		tlog.App.Warn().Msgf("Running on the root domain, cookies will be set for .%v", host)
 		return host, nil
 	}

@@ -18,7 +18,7 @@ func TestReadFile(t *testing.T) {

 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_file")
+	defer os.Remove("/tmp/tinyauth_test_file") //nolint:errcheck

 	// Normal case
 	content, err := ReadFile("/tmp/tinyauth_test_file")
@@ -1,160 +0,0 @@
-package logger
-
-import (
-	"io"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-)
-
-type Logger struct {
-	HTTP   zerolog.Logger
-	App    zerolog.Logger
-	config model.LogConfig
-	base   zerolog.Logger
-	audit  zerolog.Logger
-	writer io.Writer
-}
-
-func NewLogger() *Logger {
-	return &Logger{
-		writer: os.Stderr,
-		config: model.LogConfig{
-			Level: "error",
-			Json:  true,
-			Streams: model.LogStreams{
-				HTTP: model.LogStreamConfig{
-					Enabled: true,
-				},
-				App: model.LogStreamConfig{
-					Enabled: true,
-				},
-				// No reason to enable audit by default since it will be suppressed by the log level
-			},
-		},
-	}
-}
-
-func (l *Logger) WithConfig(cfg model.LogConfig) *Logger {
-	l.config = cfg
-	return l
-}
-
-func (l *Logger) WithSimpleConfig() *Logger {
-	l.config = model.LogConfig{
-		Level: "info",
-		Json:  false,
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true},
-			App:   model.LogStreamConfig{Enabled: true},
-			Audit: model.LogStreamConfig{Enabled: false},
-		},
-	}
-	return l
-}
-
-func (l *Logger) WithTestConfig() *Logger {
-	l.config = model.LogConfig{
-		Level: "trace",
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true},
-			App:   model.LogStreamConfig{Enabled: true},
-			Audit: model.LogStreamConfig{Enabled: true},
-		},
-	}
-	return l
-}
-
-func (l *Logger) WithWriter(writer io.Writer) *Logger {
-	l.writer = writer
-	return l
-}
-
-func (l *Logger) Init() {
-	base := log.With().
-		Timestamp().
-		Logger().
-		Level(l.parseLogLevel(l.config.Level)).Output(l.writer)
-
-	if !l.config.Json {
-		base = base.Output(zerolog.ConsoleWriter{
-			Out:        l.writer,
-			TimeFormat: time.RFC3339,
-		})
-	}
-
-	if base.GetLevel() == zerolog.TraceLevel || base.GetLevel() == zerolog.DebugLevel {
-		base = base.With().Caller().Logger()
-	}
-
-	l.base = base
-	l.audit = l.createLogger("audit", l.config.Streams.Audit)
-	l.HTTP = l.createLogger("http", l.config.Streams.HTTP)
-	l.App = l.createLogger("app", l.config.Streams.App)
-}
-
-func (l *Logger) parseLogLevel(level string) zerolog.Level {
-	if level == "" {
-		return zerolog.InfoLevel
-	}
-	parsed, err := zerolog.ParseLevel(strings.ToLower(level))
-	if err != nil {
-		log.Warn().Err(err).Str("level", level).Msg("Invalid log level, defaulting to error")
-		parsed = zerolog.ErrorLevel
-	}
-	return parsed
-}
-
-func (l *Logger) createLogger(component string, cfg model.LogStreamConfig) zerolog.Logger {
-	if !cfg.Enabled {
-		return zerolog.Nop()
-	}
-	sub := l.base.With().Str("stream", component).Logger()
-	if cfg.Level != "" {
-		sub = sub.Level(l.parseLogLevel(cfg.Level))
-	}
-	return sub
-}
-
-func (l *Logger) AuditLoginSuccess(username, provider, ip string) {
-	l.audit.Info().
-		CallerSkipFrame(1).
-		Str("event", "login").
-		Str("result", "success").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", ip).
-		Send()
-}
-
-func (l *Logger) AuditLoginFailure(username, provider, ip, reason string) {
-	l.audit.Warn().
-		CallerSkipFrame(1).
-		Str("event", "login").
-		Str("result", "failure").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", ip).
-		Str("reason", reason).
-		Send()
-}
-
-func (l *Logger) AuditLogout(username, provider, ip string) {
-	l.audit.Info().
-		CallerSkipFrame(1).
-		Str("event", "logout").
-		Str("result", "success").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", ip).
-		Send()
-}
-
-// Used for testing
-func (l *Logger) GetConfig() model.LogConfig {
-	return l.config
-}
@@ -1,173 +0,0 @@
-package logger_test
-
-import (
-	"bytes"
-	"encoding/json"
-	"testing"
-
-	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-)
-
-func TestLogger(t *testing.T) {
-	type testCase struct {
-		description string
-		run         func(t *testing.T)
-	}
-
-	tests := []testCase{
-		{
-			description: "Should create a simple logger with the expected config",
-			run: func(t *testing.T) {
-				l := logger.NewLogger().WithSimpleConfig()
-				l.Init()
-
-				cfg := l.GetConfig()
-
-				assert.Equal(t, cfg, model.LogConfig{
-					Level: "info",
-					Json:  false,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: true},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: false},
-					},
-				})
-			},
-		},
-		{
-			description: "Should create a test logger with the expected config",
-			run: func(t *testing.T) {
-				l := logger.NewLogger().WithTestConfig()
-				l.Init()
-
-				cfg := l.GetConfig()
-
-				assert.Equal(t, cfg, model.LogConfig{
-					Level: "trace",
-					Json:  false,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: true},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: true},
-					},
-				})
-			},
-		},
-		{
-			description: "Should create a logger with a custom config",
-			run: func(t *testing.T) {
-				customCfg := model.LogConfig{
-					Level: "debug",
-					Json:  true,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: false},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: false},
-					},
-				}
-
-				l := logger.NewLogger().WithConfig(customCfg)
-				l.Init()
-
-				cfg := l.GetConfig()
-
-				assert.Equal(t, cfg, customCfg)
-			},
-		},
-		{
-			description: "Default logger should use error type and log json",
-			run: func(t *testing.T) {
-				buf := bytes.Buffer{}
-
-				l := logger.NewLogger().WithWriter(&buf)
-				l.Init()
-
-				cfg := l.GetConfig()
-
-				assert.Equal(t, cfg, model.LogConfig{
-					Level: "error",
-					Json:  true,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: true},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: false},
-					},
-				})
-
-				l.App.Error().Msg("test")
-
-				var entry map[string]any
-				err := json.Unmarshal(buf.Bytes(), &entry)
-				require.NoError(t, err)
-
-				assert.Equal(t, "test", entry["message"])
-				assert.Equal(t, "app", entry["stream"])
-				assert.Equal(t, "error", entry["level"])
-				assert.NotEmpty(t, entry["time"])
-			},
-		},
-		{
-			description: "Should default to error level if an invalid level is provided",
-			run: func(t *testing.T) {
-				buf := bytes.Buffer{}
-
-				customCfg := model.LogConfig{
-					Level: "invalid",
-					Json:  false,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: true},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: false},
-					},
-				}
-
-				l := logger.NewLogger().WithConfig(customCfg).WithWriter(&buf)
-				l.Init()
-
-				assert.Equal(t, zerolog.ErrorLevel, l.App.GetLevel())
-				assert.Equal(t, zerolog.ErrorLevel, l.HTTP.GetLevel())
-
-				// should not get logged
-				l.AuditLoginFailure("test", "test", "test", "test")
-
-				assert.Empty(t, buf.String())
-			},
-		},
-		{
-			description: "Should use nop logger for disabled streams",
-			run: func(t *testing.T) {
-				buf := bytes.Buffer{}
-
-				customCfg := model.LogConfig{
-					Level: "info",
-					Json:  false,
-					Streams: model.LogStreams{
-						HTTP:  model.LogStreamConfig{Enabled: false},
-						App:   model.LogStreamConfig{Enabled: true},
-						Audit: model.LogStreamConfig{Enabled: false},
-					},
-				}
-
-				l := logger.NewLogger().WithConfig(customCfg).WithWriter(&buf)
-				l.Init()
-
-				assert.Equal(t, zerolog.Disabled, l.HTTP.GetLevel())
-
-				l.App.Info().Msg("test")
-
-				l.AuditLoginFailure("test_nop", "test_nop", "test_nop", "test_nop")
-
-				assert.NotEmpty(t, buf.String())
-				assert.NotContains(t, buf.String(), "test_nop")
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.description, test.run)
-	}
-}
@@ -53,7 +53,7 @@ func FilterIP(filter string, ip string) (bool, error) {
 		return false, errors.New("invalid IP address")
 	}

-	filter = strings.Replace(filter, "-", "/", -1)
+	filter = strings.ReplaceAll(filter, "-", "/")

 	if strings.Contains(filter, "/") {
 		_, cidr, err := net.ParseCIDR(filter)
@@ -19,7 +19,7 @@ func TestGetSecret(t *testing.T) {

 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_secret")
+	defer os.Remove("/tmp/tinyauth_test_secret") //nolint:errcheck

 	// Get from config
 	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", ""))
@@ -73,7 +73,7 @@ func TestGetStringList(t *testing.T) {

 	err = file.Close()
 	assert.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_list_test_file")
+	defer os.Remove("/tmp/tinyauth_list_test_file") //nolint:errcheck

 	values, err := utils.GetStringList([]string{" first@example.com ", "", "second@example.com"}, "/tmp/tinyauth_list_test_file")
 	assert.NoError(t, err)
@@ -0,0 +1,39 @@
+package tlog
+
+import "github.com/gin-gonic/gin"
+
+// functions here use CallerSkipFrame to ensure correct caller info is logged
+
+func AuditLoginSuccess(c *gin.Context, username, provider string) {
+	Audit.Info().
+		CallerSkipFrame(1).
+		Str("event", "login").
+		Str("result", "success").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", c.ClientIP()).
+		Send()
+}
+
+func AuditLoginFailure(c *gin.Context, username, provider string, reason string) {
+	Audit.Warn().
+		CallerSkipFrame(1).
+		Str("event", "login").
+		Str("result", "failure").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", c.ClientIP()).
+		Str("reason", reason).
+		Send()
+}
+
+func AuditLogout(c *gin.Context, username, provider string) {
+	Audit.Info().
+		CallerSkipFrame(1).
+		Str("event", "logout").
+		Str("result", "success").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", c.ClientIP()).
+		Send()
+}
@@ -0,0 +1,97 @@
+package tlog
+
+import (
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+)
+
+type Logger struct {
+	Audit zerolog.Logger
+	HTTP  zerolog.Logger
+	App   zerolog.Logger
+}
+
+var (
+	Audit zerolog.Logger
+	HTTP  zerolog.Logger
+	App   zerolog.Logger
+)
+
+func NewLogger(cfg model.LogConfig) *Logger {
+	baseLogger := log.With().
+		Timestamp().
+		Caller().
+		Logger().
+		Level(parseLogLevel(cfg.Level))
+
+	if !cfg.Json {
+		baseLogger = baseLogger.Output(zerolog.ConsoleWriter{
+			Out:        os.Stderr,
+			TimeFormat: time.RFC3339,
+		})
+	}
+
+	return &Logger{
+		Audit: createLogger("audit", cfg.Streams.Audit, baseLogger),
+		HTTP:  createLogger("http", cfg.Streams.HTTP, baseLogger),
+		App:   createLogger("app", cfg.Streams.App, baseLogger),
+	}
+}
+
+func NewSimpleLogger() *Logger {
+	return NewLogger(model.LogConfig{
+		Level: "info",
+		Json:  false,
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true},
+			App:   model.LogStreamConfig{Enabled: true},
+			Audit: model.LogStreamConfig{Enabled: false},
+		},
+	})
+}
+
+func NewTestLogger() *Logger {
+	return NewLogger(model.LogConfig{
+		Level: "trace",
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true},
+			App:   model.LogStreamConfig{Enabled: true},
+			Audit: model.LogStreamConfig{Enabled: true},
+		},
+	})
+}
+
+func (l *Logger) Init() {
+	Audit = l.Audit
+	HTTP = l.HTTP
+	App = l.App
+}
+
+func createLogger(component string, streamCfg model.LogStreamConfig, baseLogger zerolog.Logger) zerolog.Logger {
+	if !streamCfg.Enabled {
+		return zerolog.Nop()
+	}
+	subLogger := baseLogger.With().Str("log_stream", component).Logger()
+	// override level if specified, otherwise use base level
+	if streamCfg.Level != "" {
+		subLogger = subLogger.Level(parseLogLevel(streamCfg.Level))
+	}
+	return subLogger
+}
+
+func parseLogLevel(level string) zerolog.Level {
+	if level == "" {
+		return zerolog.InfoLevel
+	}
+	parsedLevel, err := zerolog.ParseLevel(strings.ToLower(level))
+	if err != nil {
+		log.Warn().Err(err).Str("level", level).Msg("Invalid log level, defaulting to info")
+		parsedLevel = zerolog.InfoLevel
+	}
+	return parsedLevel
+}
@@ -0,0 +1,93 @@
+package tlog_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+
+	"github.com/rs/zerolog"
+)
+
+func TestNewLogger(t *testing.T) {
+	cfg := model.LogConfig{
+		Level: "debug",
+		Json:  true,
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true, Level: "info"},
+			App:   model.LogStreamConfig{Enabled: true, Level: ""},
+			Audit: model.LogStreamConfig{Enabled: false, Level: ""},
+		},
+	}
+
+	logger := tlog.NewLogger(cfg)
+
+	assert.NotNil(t, logger)
+	assert.Equal(t, zerolog.InfoLevel, logger.HTTP.GetLevel())
+	assert.Equal(t, zerolog.DebugLevel, logger.App.GetLevel())
+	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
+}
+
+func TestNewSimpleLogger(t *testing.T) {
+	logger := tlog.NewSimpleLogger()
+	assert.NotNil(t, logger)
+	assert.Equal(t, zerolog.InfoLevel, logger.HTTP.GetLevel())
+	assert.Equal(t, zerolog.InfoLevel, logger.App.GetLevel())
+	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
+}
+
+func TestLoggerInit(t *testing.T) {
+	logger := tlog.NewSimpleLogger()
+	logger.Init()
+
+	assert.NotEqual(t, zerolog.Disabled, tlog.App.GetLevel())
+}
+
+func TestLoggerWithDisabledStreams(t *testing.T) {
+	cfg := model.LogConfig{
+		Level: "info",
+		Json:  false,
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: false},
+			App:   model.LogStreamConfig{Enabled: false},
+			Audit: model.LogStreamConfig{Enabled: false},
+		},
+	}
+
+	logger := tlog.NewLogger(cfg)
+
+	assert.Equal(t, zerolog.Disabled, logger.HTTP.GetLevel())
+	assert.Equal(t, zerolog.Disabled, logger.App.GetLevel())
+	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
+}
+
+func TestLogStreamField(t *testing.T) {
+	var buf bytes.Buffer
+
+	cfg := model.LogConfig{
+		Level: "info",
+		Json:  true,
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true},
+			App:   model.LogStreamConfig{Enabled: true},
+			Audit: model.LogStreamConfig{Enabled: true},
+		},
+	}
+
+	logger := tlog.NewLogger(cfg)
+
+	// Override output for HTTP logger to capture output
+	logger.HTTP = logger.HTTP.Output(&buf)
+
+	logger.HTTP.Info().Msg("test message")
+
+	var logEntry map[string]interface{}
+	err := json.Unmarshal(buf.Bytes(), &logEntry)
+	assert.NoError(t, err)
+
+	assert.Equal(t, "http", logEntry["log_stream"])
+	assert.Equal(t, "test message", logEntry["message"])
+}
@@ -24,7 +24,7 @@ func TestGetUsers(t *testing.T) {

 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove(tmpDir + "/tinyauth_users_test.txt")
+	defer os.Remove(tmpDir + "/tinyauth_users_test.txt") //nolint:errcheck

 	noAttrs := map[string]model.UserAttributes{}
Author	SHA1	Message	Date
Stavros	5649aea507	chore: add linter to ci	2026-05-09 18:02:08 +03:00
Stavros	3da9a5b18b	feat: add golangci-lint for go linting	2026-05-09 18:00:41 +03:00