feat: extract tags from tailscale node

* feat: add new logger

* refactor: use one struct for context handling and cancellation

* refactor: rework logging and config in controllers

* refactor: rework logging and config in middlewares

* refactor: rework logging and cancellation in services

* refactor: rework cli logging

* fix: improve logging in routines

* feat: use sync groups for better cancellation

* refactor: simplify middleware, controller and service init

* tests: fix controller tests

* tests: use require instead of assert where previous step is required

* tests: fix middleware tests

* tests: fix service tests

* tests: fix context tests

* fix: fix typos

* feat: add option to enable or disable concurrent listeners

* fix: assign public key correctly in oidc server

* tests: fix don't try to test logger with char size

* fix: coderabbit comments

* tests: use filepath join instead of path join

* fix: ensure unix socket shutdown doesn't run twice

* chore: remove temp lint file

.github/workflows/ci.yml

@@ -49,11 +49,6 @@ jobs:
         run: |
           cp -r frontend/dist internal/assets/dist
 
-      - name: Lint backend
-        uses: golangci/golangci-lint-action@v9
-        with:
-          version: v2.12
-
       - name: Run tests
         run: go test -coverprofile=coverage.txt -v ./...
 

.golangci.yml

@@ -1,17 +0,0 @@
-version: "2"
-linters:
-  settings:
-    errcheck:
-      exclude-functions:
-        - (http.ResponseWriter).Write
-        - (http.ResponseWriter).WriteString
-        - (github.com/gin-gonic/gin.ResponseWriter).Write
-        - (github.com/gin-gonic/gin.ResponseWriter).WriteString
-  exclusions:
-    rules:
-      - linters:
-          - errcheck
-        text: "//nolint:errcheck"
-      - linters:
-          - staticcheck
-        text: "//nolint:staticcheck"

cmd/tinyauth/create_user.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 
 	"charm.land/huh/v2"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -40,7 +40,8 @@ func createUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -73,7 +74,7 @@ func createUserCmd() *cli.Command {
 				return errors.New("username and password cannot be empty")
 			}
 
-			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")
+			log.App.Info().Str("username", tCfg.Username).Msg("Creating user")
 
 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
@@ -86,7 +87,7 @@ func createUserCmd() *cli.Command {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}
 
-			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+			log.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
 
 			return nil
 		},

cmd/tinyauth/generate_totp.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"charm.land/huh/v2"
 	"github.com/mdp/qrterminal/v3"
@@ -40,7 +40,8 @@ func generateTotpCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -68,7 +69,10 @@ func generateTotpCmd() *cli.Command {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}
 
-			docker := strings.Contains(tCfg.User, "$$")
+			docker := false
+			if strings.Contains(tCfg.User, "$$") {
+				docker = true
+			}
 
 			if user.TOTPSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
@@ -85,9 +89,9 @@ func generateTotpCmd() *cli.Command {
 
 			secret := key.Secret()
 
-			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
+			log.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
 
-			tlog.App.Info().Msg("Generated QR code")
+			log.App.Info().Msg("Generated QR code")
 
 			config := qrterminal.Config{
 				Level:     qrterminal.L,
@@ -106,7 +110,7 @@ func generateTotpCmd() *cli.Command {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
 
-			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			log.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 
 			return nil
 		},

cmd/tinyauth/healthcheck.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 type healthzResponse struct {
@@ -26,7 +26,8 @@ func healthcheckCmd() *cli.Command {
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			if srvAddr == "" {
@@ -45,10 +46,10 @@ func healthcheckCmd() *cli.Command {
 			}
 
 			if appUrl == "" {
-				return errors.New("could not determine app url")
+				return errors.New("Could not determine app URL")
 			}
 
-			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")
+			log.App.Info().Str("app_url", appUrl).Msg("Performing health check")
 
 			client := http.Client{
 				Timeout: 30 * time.Second,
@@ -70,7 +71,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("service is not healthy, got: %s", resp.Status)
 			}
 
-			defer resp.Body.Close() //nolint:errcheck
+			defer resp.Body.Close()
 
 			var healthResp healthzResponse
 
@@ -86,7 +87,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}
 
-			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+			log.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 
 			return nil
 		},

cmd/tinyauth/tinyauth.go

@@ -7,7 +7,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
@@ -109,11 +108,6 @@ func main() {
 }
 
 func runCmd(cfg model.Config) error {
-	logger := tlog.NewLogger(cfg.Log)
-	logger.Init()
-
-	tlog.App.Info().Str("version", model.Version).Msg("Starting tinyauth")
-
 	app := bootstrap.NewBootstrapApp(cfg)
 
 	err := app.Setup()

cmd/tinyauth/verify_user.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"charm.land/huh/v2"
 	"github.com/pquerna/otp/totp"
@@ -44,7 +44,8 @@ func verifyUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -97,9 +98,9 @@ func verifyUserCmd() *cli.Command {
 
 			if user.TOTPSecret == "" {
 				if tCfg.Totp != "" {
-					tlog.App.Warn().Msg("User does not have TOTP secret")
+					log.App.Warn().Msg("User does not have TOTP secret")
 				}
-				tlog.App.Info().Msg("User verified")
+				log.App.Info().Msg("User verified")
 				return nil
 			}
 
@@ -109,7 +110,7 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("TOTP code incorrect")
 			}
 
-			tlog.App.Info().Msg("User verified")
+			log.App.Info().Msg("User verified")
 
 			return nil
 		},

frontend/src/App.tsx

@@ -2,9 +2,9 @@ import { Navigate } from "react-router";
 import { useUserContext } from "./context/user-context";
 
 export const App = () => {
-  const { isLoggedIn } = useUserContext();
+  const { auth } = useUserContext();
 
-  if (isLoggedIn) {
+  if (auth.authenticated) {
     return <Navigate to="/logout" replace />;
   }
 

frontend/src/components/layout/layout.tsx

@@ -6,17 +6,17 @@ import { DomainWarning } from "../domain-warning/domain-warning";
 import { ThemeToggle } from "../theme-toggle/theme-toggle";
 
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
-  const { backgroundImage, title } = useAppContext();
+  const { ui } = useAppContext();
 
   useEffect(() => {
-    document.title = title;
-  }, [title]);
+    document.title = ui.title;
+  }, [ui.title]);
 
   return (
     <div
       className="flex flex-col justify-center items-center min-h-svh px-4"
       style={{
-        backgroundImage: `url(${backgroundImage})`,
+        backgroundImage: `url(${ui.backgroundImage})`,
         backgroundSize: "cover",
         backgroundPosition: "center",
       }}
@@ -31,7 +31,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 };
 
 export const Layout = () => {
-  const { appUrl, warningsEnabled } = useAppContext();
+  const { app, ui } = useAppContext();
   const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
     return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
   });
@@ -42,11 +42,15 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (!ignoreDomainWarning && warningsEnabled && appUrl !== currentUrl) {
+  if (
+    !ignoreDomainWarning &&
+    ui.warningsEnabled &&
+    !app.trustedDomains.includes(currentUrl)
+  ) {
     return (
       <BaseLayout>
         <DomainWarning
-          appUrl={appUrl}
+          appUrl={app.appUrl}
           currentUrl={currentUrl}
           onClick={() => handleIgnore()}
         />

frontend/src/pages/authorize-page.tsx

@@ -77,7 +77,7 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
 };
 
 export const AuthorizePage = () => {
-  const { isLoggedIn } = useUserContext();
+  const { auth } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const navigate = useNavigate();
@@ -127,7 +127,7 @@ export const AuthorizePage = () => {
     );
   }
 
-  if (!isLoggedIn) {
+  if (!auth.authenticated) {
     return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
   }
 

frontend/src/pages/continue-page.tsx

@@ -14,8 +14,8 @@ import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 
 export const ContinuePage = () => {
-  const { cookieDomain, warningsEnabled } = useAppContext();
-  const { isLoggedIn } = useUserContext();
+  const { app, ui } = useAppContext();
+  const { auth } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const navigate = useNavigate();
@@ -29,17 +29,18 @@ export const ContinuePage = () => {
 
   const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
     redirectUri,
-    cookieDomain,
+    app.cookieDomain,
   );
 
   const urlHref = url?.href;
 
   const hasValidRedirect = valid && allowedProto;
-  const showUntrustedWarning = hasValidRedirect && !trusted && warningsEnabled;
+  const showUntrustedWarning =
+    hasValidRedirect && !trusted && ui.warningsEnabled;
   const showInsecureWarning =
-    hasValidRedirect && httpsDowngrade && warningsEnabled;
+    hasValidRedirect && httpsDowngrade && ui.warningsEnabled;
   const shouldAutoRedirect =
-    isLoggedIn &&
+    auth.authenticated &&
     hasValidRedirect &&
     !showUntrustedWarning &&
     !showInsecureWarning;
@@ -77,7 +78,7 @@ export const ContinuePage = () => {
     };
   }, [shouldAutoRedirect, redirectToTarget]);
 
-  if (!isLoggedIn) {
+  if (!auth.authenticated) {
     return (
       <Navigate
         to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
@@ -104,7 +105,7 @@ export const ContinuePage = () => {
               components={{
                 code: <code />,
               }}
-              values={{ cookieDomain }}
+              values={{ cookieDomain: app.cookieDomain }}
               shouldUnescape={true}
             />
           </CardDescription>

frontend/src/pages/forgot-password-page.tsx

@@ -13,7 +13,7 @@ import Markdown from "react-markdown";
 import { useLocation } from "react-router";
 
 export const ForgotPasswordPage = () => {
-  const { forgotPasswordMessage } = useAppContext();
+  const { ui } = useAppContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
@@ -26,8 +26,8 @@ export const ForgotPasswordPage = () => {
       <CardContent>
         <CardDescription>
           <Markdown>
-            {forgotPasswordMessage !== ""
-              ? forgotPasswordMessage
+            {ui.forgotPasswordMessage !== ""
+              ? ui.forgotPasswordMessage
               : t("forgotPasswordMessage")}
           </Markdown>
         </CardDescription>

frontend/src/pages/login-page.tsx

@@ -36,12 +36,13 @@ const iconMap: Record<string, React.ReactNode> = {
 };
 
 export const LoginPage = () => {
-  const { isLoggedIn } = useUserContext();
-  const { providers, title, oauthAutoRedirect } = useAppContext();
+  const { auth, tailscale } = useUserContext();
+  const { ui, oauth, auth: cauth } = useAppContext();
   const { search } = useLocation();
   const { t } = useTranslation();
 
   const [showRedirectButton, setShowRedirectButton] = useState(false);
+  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== "");
 
   const hasAutoRedirectedRef = useRef(false);
 
@@ -55,15 +56,15 @@ export const LoginPage = () => {
   const oidcParams = useOIDCParams(searchParams);
 
   const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
-    providers.find((provider) => provider.id === oauthAutoRedirect) !==
+    cauth.providers.find((provider) => provider.id === oauth.autoRedirect) !==
       undefined && redirectUri !== undefined,
   );
 
-  const oauthProviders = providers.filter(
+  const oauthProviders = cauth.providers.filter(
     (provider) => provider.id !== "local" && provider.id !== "ldap",
   );
   const userAuthConfigured =
-    providers.find(
+    cauth.providers.find(
       (provider) => provider.id === "local" || provider.id === "ldap",
     ) !== undefined;
 
@@ -148,21 +149,47 @@ export const LoginPage = () => {
     },
   });
 
+  const { mutate: tailscaleMutate, isPending: tailscaleIsPending } =
+    useMutation({
+      mutationFn: () => axios.post("/api/user/tailscale"),
+      mutationKey: ["tailscale"],
+      onSuccess: () => {
+        toast.success("Logged in", {
+          description: t("Tailscale session confirmed"),
+        });
+
+        redirectTimer.current = window.setTimeout(() => {
+          if (oidcParams.isOidc) {
+            window.location.replace(`/authorize?${oidcParams.compiled}`);
+            return;
+          }
+          window.location.replace(
+            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
+          );
+        }, 500);
+      },
+      onError: () => {
+        toast.error("Failed to login", {
+          description: "Failed to authenticate with Tailscale.",
+        });
+      },
+    });
+
   useEffect(() => {
     if (
-      !isLoggedIn &&
+      !auth.authenticated &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
       redirectUri !== undefined
     ) {
       hasAutoRedirectedRef.current = true;
-      oauthMutate(oauthAutoRedirect);
+      oauthMutate(oauth.autoRedirect);
     }
   }, [
-    isLoggedIn,
+    auth.authenticated,
     oauthMutate,
     hasAutoRedirectedRef,
-    oauthAutoRedirect,
+    oauth.autoRedirect,
     isOauthAutoRedirect,
     redirectUri,
   ]);
@@ -179,11 +206,11 @@ export const LoginPage = () => {
     };
   }, [redirectTimer, redirectButtonTimer]);
 
-  if (isLoggedIn && oidcParams.isOidc) {
+  if (auth.authenticated && oidcParams.isOidc) {
     return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
   }
 
-  if (isLoggedIn && redirectUri !== undefined) {
+  if (auth.authenticated && redirectUri !== undefined) {
     return (
       <Navigate
         to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
@@ -192,7 +219,7 @@ export const LoginPage = () => {
     );
   }
 
-  if (isLoggedIn) {
+  if (auth.authenticated) {
     return <Navigate to="/logout" replace />;
   }
 
@@ -228,11 +255,52 @@ export const LoginPage = () => {
       </Card>
     );
   }
+
+  if (useTailscale) {
+    return (
+      <Card>
+        <CardHeader className="gap-3">
+          <TailscaleIcon className="mx-auto h-8 w-8" />
+          <CardTitle className="text-center text-xl">
+            Tinyauth · Tailscale
+          </CardTitle>
+        </CardHeader>
+        <CardContent className="flex flex-col gap-4">
+          <div className="text-muted-foreground text-sm">
+            We detected that you are accessing Tinyauth from an authorized
+            Tailscale device. Would you like to continue with your Tailscale
+            credentials?
+          </div>
+          <div className="text-muted-foreground text-sm">
+            Machine Name: <code>{tailscale.nodeName}</code>
+          </div>
+        </CardContent>
+        <CardFooter className="flex flex-col items-stretch gap-3">
+          <Button
+            className="w-full"
+            onClick={() => tailscaleMutate()}
+            loading={tailscaleIsPending}
+          >
+            Continue with Tailscale
+          </Button>
+          <Button
+            className="w-full"
+            variant="outline"
+            onClick={() => setUseTailscale(false)}
+            disabled={tailscaleIsPending}
+          >
+            Use other login method
+          </Button>
+        </CardFooter>
+      </Card>
+    );
+  }
+
   return (
     <Card>
       <CardHeader className="gap-1.5">
-        <CardTitle className="text-center text-xl">{title}</CardTitle>
-        {providers.length > 0 && (
+        <CardTitle className="text-center text-xl">{ui.title}</CardTitle>
+        {cauth.providers.length > 0 && (
           <CardDescription className="text-center">
             {oauthProviders.length !== 0
               ? t("loginTitle")
@@ -270,7 +338,7 @@ export const LoginPage = () => {
             })()}
           />
         )}
-        {providers.length == 0 && (
+        {cauth.providers.length == 0 && (
           <pre className="break-normal! text-sm text-red-600">
             {t("failedToFetchProvidersTitle")}
           </pre>

frontend/src/pages/logout-page.tsx

@@ -13,9 +13,11 @@ import { useEffect, useRef } from "react";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate } from "react-router";
 import { toast } from "sonner";
+import { type UseMutationResult } from "@tanstack/react-query";
+import { type AxiosResponse } from "axios";
 
 export const LogoutPage = () => {
-  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
+  const { auth, oauth, tailscale } = useUserContext();
   const { t } = useTranslation();
 
   const redirectTimer = useRef<number | null>(null);
@@ -47,42 +49,74 @@ export const LogoutPage = () => {
     };
   }, [redirectTimer]);
 
-  if (!isLoggedIn) {
+  if (!auth.authenticated) {
     return <Navigate to="/login" replace />;
   }
 
+  if (oauth.active) {
+    return (
+      <LogoutLayout logoutMutation={logoutMutation}>
+        <Trans
+          i18nKey="logoutOauthSubtitle"
+          t={t}
+          components={{
+            code: <code />,
+          }}
+          values={{
+            username: auth.email,
+            provider: oauth.displayName,
+          }}
+          shouldUnescape={true}
+        />
+      </LogoutLayout>
+    );
+  }
+
+  if (auth.providerId === "tailscale") {
+    return (
+      <LogoutLayout logoutMutation={logoutMutation}>
+        You are currently logged in with the Tailscale integration identified by
+        the <code>{tailscale.nodeName}</code> node. Click the button below to
+        log out.
+      </LogoutLayout>
+    );
+  }
+
+  return (
+    <LogoutLayout logoutMutation={logoutMutation}>
+      <Trans
+        i18nKey="logoutUsernameSubtitle"
+        t={t}
+        components={{
+          code: <code />,
+        }}
+        values={{
+          username: auth.username,
+        }}
+        shouldUnescape={true}
+      />
+    </LogoutLayout>
+  );
+};
+
+interface LogoutLayoutProps {
+  children: React.ReactNode;
+  logoutMutation: UseMutationResult<
+    //eslint-disable-next-line @typescript-eslint/no-explicit-any,@typescript-eslint/no-empty-object-type
+    AxiosResponse<any, any, {}>,
+    Error,
+    void,
+    unknown
+  >;
+}
+
+function LogoutLayout({ children, logoutMutation }: LogoutLayoutProps) {
+  const { t } = useTranslation();
   return (
     <Card>
       <CardHeader className="gap-1.5">
         <CardTitle className="text-xl">{t("logoutTitle")}</CardTitle>
-        <CardDescription>
-          {provider !== "local" && provider !== "ldap" ? (
-            <Trans
-              i18nKey="logoutOauthSubtitle"
-              t={t}
-              components={{
-                code: <code />,
-              }}
-              values={{
-                username: email,
-                provider: oauthName,
-              }}
-              shouldUnescape={true}
-            />
-          ) : (
-            <Trans
-              i18nKey="logoutUsernameSubtitle"
-              t={t}
-              components={{
-                code: <code />,
-              }}
-              values={{
-                username,
-              }}
-              shouldUnescape={true}
-            />
-          )}
-        </CardDescription>
+        <CardDescription>{children}</CardDescription>
       </CardHeader>
       <CardFooter>
         <Button
@@ -96,4 +130,4 @@ export const LogoutPage = () => {
       </CardFooter>
     </Card>
   );
-};
+}

frontend/src/pages/totp-page.tsx

@@ -19,7 +19,7 @@ import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 
 export const TotpPage = () => {
-  const { totpPending } = useUserContext();
+  const { totp } = useUserContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const formId = useId();
@@ -64,7 +64,7 @@ export const TotpPage = () => {
     };
   }, [redirectTimer]);
 
-  if (!totpPending) {
+  if (!totp.pending) {
     return <Navigate to="/" replace />;
   }
 

frontend/src/schemas/app-context-schema.ts

@@ -6,15 +6,32 @@ export const providerSchema = z.object({
   oauth: z.boolean(),
 });
 
-export const appContextSchema = z.object({
+const authSchema = z.object({
   providers: z.array(providerSchema),
+});
+
+const oauthSchema = z.object({
+  autoRedirect: z.string(),
+});
+
+const uiSchema = z.object({
   title: z.string(),
-  appUrl: z.string(),
-  cookieDomain: z.string(),
   forgotPasswordMessage: z.string(),
   backgroundImage: z.string(),
-  oauthAutoRedirect: z.string(),
   warningsEnabled: z.boolean(),
 });
 
+const appSchema = z.object({
+  appUrl: z.string(),
+  cookieDomain: z.string(),
+  trustedDomains: z.array(z.string()),
+});
+
+export const appContextSchema = z.object({
+  auth: authSchema,
+  oauth: oauthSchema,
+  ui: uiSchema,
+  app: appSchema,
+});
+
 export type AppContextSchema = z.infer<typeof appContextSchema>;

frontend/src/schemas/user-context-schema.ts

@@ -1,14 +1,31 @@
 import { z } from "zod";
 
-export const userContextSchema = z.object({
-  isLoggedIn: z.boolean(),
+const authSchema = z.object({
+  authenticated: z.boolean(),
   username: z.string(),
   name: z.string(),
   email: z.string(),
-  provider: z.string(),
-  oauth: z.boolean(),
-  totpPending: z.boolean(),
-  oauthName: z.string(),
+  providerId: z.string(),
+});
+
+const oauthSchema = z.object({
+  active: z.boolean(),
+  displayName: z.string(),
+});
+
+const totpSchema = z.object({
+  pending: z.boolean(),
+});
+
+const tailscaleSchema = z.object({
+  nodeName: z.string(),
+});
+
+export const userContextSchema = z.object({
+  auth: authSchema,
+  oauth: oauthSchema,
+  totp: totpSchema,
+  tailscale: tailscaleSchema,
 });
 
 export type UserContextSchema = z.infer<typeof userContextSchema>;

go.mod

@@ -1,6 +1,6 @@
 module github.com/tinyauthapp/tinyauth
 
-go 1.26.0
+go 1.26.1
 
 require (
 	charm.land/huh/v2 v2.0.3
@@ -23,6 +23,7 @@ require (
 	k8s.io/apimachinery v0.36.0
 	k8s.io/client-go v0.36.0
 	modernc.org/sqlite v1.50.0
+	tailscale.com v1.96.5
 )
 
 require (
@@ -30,13 +31,29 @@ require (
 	charm.land/bubbletea/v2 v2.0.2 // indirect
 	charm.land/lipgloss/v2 v2.0.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.2.0 // indirect
 	github.com/Azure/go-ntlmssp v0.1.1 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/akutz/memconn v0.1.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.5 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.58 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.15.0 // indirect
@@ -54,10 +71,12 @@ require (
 	github.com/clipperhouse/displaywidth v0.11.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/coder/websocket v1.8.12 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
+	github.com/creachadair/msync v0.7.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -65,8 +84,10 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gaissmai/bart v0.26.1 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -74,8 +95,16 @@ require (
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/huin/goupnp v1.3.0 // indirect
+	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
@@ -83,35 +112,46 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
+	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
+	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
+	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
+	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
 	go.opentelemetry.io/otel v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
@@ -119,6 +159,8 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
+	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/net v0.52.0 // indirect
@@ -127,10 +169,13 @@ require (
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
+	gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect

go.sum

@@ -1,3 +1,5 @@
+9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f h1:1C7nZuxUMNz7eiQALRfiqNOm04+m3edWlRff/BYHf0Q=
+9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f/go.mod h1:hHyrZRryGqVdqrknjq5OWDLGCTJ2NeEvtrpR96mjraM=
 charm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s=
 charm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI=
 charm.land/bubbletea/v2 v2.0.2 h1:4CRtRnuZOdFDTWSff9r8QFt/9+z6Emubz3aDMnf/dx0=
@@ -8,6 +10,10 @@ charm.land/lipgloss/v2 v2.0.1 h1:6Xzrn49+Py1Um5q/wZG1gWgER2+7dUyZ9XMEufqPSys=
 charm.land/lipgloss/v2 v2.0.1/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
+filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
+filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
@@ -18,16 +24,50 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
-github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/akutz/memconn v0.1.0 h1:NawI0TORU4hcOMsMr11g7vwlCdkYeLKXBcxWu2W/P8A=
+github.com/akutz/memconn v0.1.0/go.mod h1:Jo8rI7m0NieZyLI5e2CDlRdRqRRB4S7Xp77ukDjH+Fw=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4=
+github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
+github.com/aws/aws-sdk-go-v2/config v1.29.5 h1:4lS2IB+wwkj5J43Tq/AwvnscBerBJtQQ6YS7puzCI1k=
+github.com/aws/aws-sdk-go-v2/config v1.29.5/go.mod h1:SNzldMlDVbN6nWxM7XsUiNXPSa1LWlqiXtvh/1PrJGg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.58 h1:/d7FUpAPU8Lf2KUdjniQvfNdlMID0Sd9pS23FJ3SS9Y=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.58/go.mod h1:aVYW33Ow10CyMQGFgC0ptMRIqJWvJ4nxZb0sUiuQT/A=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 h1:rgGwPzb82iBYSvHMHXc8h9mRoOUBZIGFgKb9qniaZZc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16/go.mod h1:L/UxsGeKpGoIj6DxfhOWHWQ/kGKcd4I1VncE4++IyKA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx2F0xmJcOw5374L7N6juGW6x6U=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 h1:c5WJ3iHz7rLIgArznb3JCSQT3uUMiz9DLZhIX+1G8ok=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.14/go.mod h1:+JJQTxB6N4niArC14YNtxcQtwEqzS3o9Z32n7q33Rfs=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 h1:f1L/JtUkVODD+k1+IiSJUUv8A++2qVr+Xvb3xWXETMU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13/go.mod h1:tvqlFoja8/s0o+UruA1Nrezo/df0PzdunMDDurUfg6U=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 h1:SciGFVNZ4mHdm7gpD1dgZYnCuVdX1s+lFTg4+4DOy70=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5/go.mod h1:iW40X4QBmUxdP+fZNOpfmkdMZqsovezbAeO+Ubiv2pk=
+github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
+github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/axiomhq/hyperloglog v0.0.0-20240319100328-84253e514e02 h1:bXAPYSbdYbS5VTy92NIUbeDI1qyggi+JYh5op9IFlcQ=
+github.com/axiomhq/hyperloglog v0.0.0-20240319100328-84253e514e02/go.mod h1:k08r+Yj1PRAmuayFiRK6MYuR5Ve4IuZtTfxErMIh0+c=
 github.com/aymanbagabas/go-udiff v0.4.1 h1:OEIrQ8maEeDBXQDoGCbbTTXYJMYRCRO1fnodZ12Gv5o=
 github.com/aymanbagabas/go-udiff v0.4.1/go.mod h1:0L9PGwj20lrtmEMeyw4WKJ/TMyDtvAoK9bf2u/mNo3w=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -69,26 +109,46 @@ github.com/charmbracelet/x/windows v0.2.2 h1:IofanmuvaxnKHuV04sC0eBy/smG6kIKrWG2
 github.com/charmbracelet/x/windows v0.2.2/go.mod h1:/8XtdKZzedat74NQFn0NGlGL4soHB0YQZrETF96h75k=
 github.com/charmbracelet/x/xpty v0.1.3 h1:eGSitii4suhzrISYH50ZfufV3v085BXQwIytcOdFSsw=
 github.com/charmbracelet/x/xpty v0.1.3/go.mod h1:poPYpWuLDBFCKmKLDnhBp51ATa0ooD8FhypRwEFtH3Y=
+github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
+github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
 github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
 github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
 github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
+github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
+github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/creachadair/mds v0.25.9 h1:080Hr8laN2h+l3NeVCGMBpXtIPnl9mz8e4HLraGPqtA=
+github.com/creachadair/mds v0.25.9/go.mod h1:4hatI3hRM+qhzuAmqPRFvaBM8mONkS7nsLxkcuTYUIs=
+github.com/creachadair/msync v0.7.1 h1:SeZmuEBXQPe5GqV/C94ER7QIZPwtvFbeQiykzt/7uho=
+github.com/creachadair/msync v0.7.1/go.mod h1:8CcFlLsSujfHE5wWm19uUBLHIPDAUr6LXDwneVMO008=
+github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
+github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
+github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
+github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
+github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
+github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
 github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -107,14 +167,20 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
+github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
 github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
+github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
+github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
+github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
 github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -122,10 +188,12 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU=
+github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -136,12 +204,20 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
+github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737 h1:cf60tHxREO3g1nroKr2osU3JWZsJzkfi7rEg+oAB0Lo=
+github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737/go.mod h1:MIS0jDzbU/vuM9MC4YnBITCv+RYuTRq8dJzmCrFsK9g=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -149,7 +225,11 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
 github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
+github.com/google/go-tpm v0.9.4 h1:awZRf9FwOeTunQmHoDYSHJps3ie6f1UlhS1fOdPEt1I=
+github.com/google/go-tpm v0.9.4/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
+github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -158,10 +238,19 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
+github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc=
+github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8=
+github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeVNmJMk=
+github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
+github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -174,12 +263,24 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g=
+github.com/jellydator/ttlcache/v3 v3.1.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
+github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
+github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
+github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -200,10 +301,22 @@ github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjc
 github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
+github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
+github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
+github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
 github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
+github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -230,19 +343,33 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
+github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0=
+github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.13.6 h1:JFZT4XbOU7l77xGSpOdW+pwIMqP044IyjXX6FGyEKFo=
+github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
+github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
@@ -255,6 +382,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/zerolog v1.35.1 h1:m7xQeoiLIiV0BCEY4Hs+j2NG4Gp2o2KPKmhnnLiazKI=
 github.com/rs/zerolog v1.35.1/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
+github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
+github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -275,12 +404,40 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
+github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
+github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
+github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
+github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
+github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
+github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
+github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
+github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
+github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
+github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
+github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
+github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
+github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298 h1:EYSb5jv8ZL/0/NVFZtY7Ejplk0QG5+3lrdL3mSrjFZQ=
 github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298/go.mod h1:TlUDoCF66hMqFZqoBym9bUdJ0bKAWYMir6hLJeYN5z0=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
+github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
 github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -291,8 +448,8 @@ go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF
 go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
@@ -315,20 +472,30 @@ go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
 golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
+golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
+golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
 golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
 golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
 golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
@@ -340,6 +507,10 @@ golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
 golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
@@ -361,6 +532,12 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 h1:Zy8IV/+FMLxy6j6p87vk/vQGKcdnbprwjTxc8UiUtsA=
+gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
+honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0 h1:5SXjd4ET5dYijLaf0O3aOenC0Z4ZafIWSpjUzsQaNho=
+honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0/go.mod h1:EPDDhEZqVHhWuPI5zPAsjU0U7v9xNIWjoOVyZ5ZcniQ=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
 k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
 k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
@@ -411,3 +588,7 @@ sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
+software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
+software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
+tailscale.com v1.96.5 h1:gNkfA/KSZAl6jCH9cj8urq00HRWItDDTtGsyATI89jA=
+tailscale.com v1.96.5/go.mod h1:/3lnZBYb2UEwnN0MNu2SDXUtT06AGd5k0s+OWx3WmcY=

internal/bootstrap/app_bootstrap.go

@@ -3,39 +3,51 @@ package bootstrap
 import (
 	"bytes"
 	"context"
+	"database/sql"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
+	"os/signal"
 	"sort"
 	"strings"
+	"sync"
+	"syscall"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
+type Services struct {
+	accessControlService *service.AccessControlsService
+	authService          *service.AuthService
+	dockerService        *service.DockerService
+	kubernetesService    *service.KubernetesService
+	ldapService          *service.LdapService
+	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
+	tailscaleService     *service.TailscaleService
+}
+
 type BootstrapApp struct {
-	config  model.Config
-	context struct {
-		appUrl                 string
-		uuid                   string
-		cookieDomain           string
-		sessionCookieName      string
-		csrfCookieName         string
-		redirectCookieName     string
-		oauthSessionCookieName string
-		localUsers             *[]model.LocalUser
-		oauthProviders         map[string]model.OAuthServiceConfig
-		oauthWhitelist         []string
-		configuredProviders    []controller.Provider
-		oidcClients            []model.OIDCClientConfig
-	}
+	config   model.Config
+	runtime  model.RuntimeConfig
 	services Services
+	log      *logger.Logger
+	ctx      context.Context
+	cancel   context.CancelFunc
+	queries  *repository.Queries
+	router   *gin.Engine
+	db       *sql.DB
+	wg       sync.WaitGroup
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -45,56 +57,72 @@ func NewBootstrapApp(config model.Config) *BootstrapApp {
 }
 
 func (app *BootstrapApp) Setup() error {
+	// create context
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	app.ctx = ctx
+	app.cancel = cancel
+
+	// setup logger
+	log := logger.NewLogger().WithConfig(app.config.Log)
+	log.Init()
+	app.log = log
+
+	app.log.App.Info().Msgf("Starting Tinyauth version: %s", model.Version)
+
 	// get app url
 	if app.config.AppURL == "" {
-		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
+		return errors.New("app url cannot be empty, perhaps config loading failed")
 	}
 
 	appUrl, err := url.Parse(app.config.AppURL)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to parse app url: %w", err)
 	}
 
-	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
+	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
+	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
-		return fmt.Errorf("session max lifetime cannot be less than session expiry")
+		return errors.New("session max lifetime cannot be less than session expiry")
 	}
 
-	// Parse users
+	// parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load users: %w", err)
 	}
 
-	app.context.localUsers = users
+	app.runtime.LocalUsers = *users
 
+	// load oauth whitelist
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
+
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load oauth whitelist: %w", err)
 	}
 
-	app.context.oauthWhitelist = oauthWhitelist
+	app.runtime.OAuthWhitelist = oauthWhitelist
 
-	// Setup OAuth providers
-	app.context.oauthProviders = app.config.OAuth.Providers
+	// setup oauth providers
+	app.runtime.OAuthProviders = app.config.OAuth.Providers
 
-	for name, provider := range app.context.oauthProviders {
+	for id, provider := range app.runtime.OAuthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 
 		if provider.RedirectURL == "" {
-			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
+			provider.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + id
 		}
 
-		app.context.oauthProviders[name] = provider
+		app.runtime.OAuthProviders[id] = provider
 	}
 
-	for id, provider := range app.context.oauthProviders {
+	// set presets for built-in providers
+	for id, provider := range app.runtime.OAuthProviders {
 		if provider.Name == "" {
 			if name, ok := model.OverrideProviders[id]; ok {
 				provider.Name = name
@@ -102,71 +130,72 @@ func (app *BootstrapApp) Setup() error {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
-		app.context.oauthProviders[id] = provider
+		app.runtime.OAuthProviders[id] = provider
 	}
 
-	// Setup OIDC clients
+	// setup oidc clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
-		app.context.oidcClients = append(app.context.oidcClients, client)
+		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
 	}
 
-	// Get cookie domain
+	// cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
+
 	if !app.config.Auth.SubdomainsEnabled {
-		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
+		app.log.App.Warn().Msg("Subdomains are disabled, using standalone cookie domain resolver which will not work with subdomains")
 		cookieDomainResolver = utils.GetStandaloneCookieDomain
 	}
 
-	cookieDomain, err := cookieDomainResolver(app.context.appUrl)
+	cookieDomain, err := cookieDomainResolver(app.runtime.AppURL)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get cookie domain: %w", err)
 	}
 
-	app.context.cookieDomain = cookieDomain
+	app.runtime.CookieDomain = cookieDomain
 
-	// Cookie names
-	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
-	cookieId := strings.Split(app.context.uuid, "-")[0]
-	app.context.sessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.context.csrfCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.context.redirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
-	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	// cookie names
+	app.runtime.UUID = utils.GenerateUUID(appUrl.Hostname())
 
-	// Dumps
-	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
-	tlog.App.Trace().Interface("users", app.context.localUsers).Msg("Users dump")
-	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
-	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
-	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
-	tlog.App.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
-	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
+	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
-	// Database
-	db, err := app.SetupDatabase(app.config.Database.Path)
+	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
+	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+
+	// database
+	err = app.SetupDatabase()
 
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 
-	// Queries
-	queries := repository.New(db)
+	// after this point, we start initializing dependencies so it's a good time to setup a defer
+	// to ensure that resources are cleaned up properly in case of an error during initialization
+	defer func() {
+		app.cancel()
+		app.wg.Wait()
+		app.db.Close()
+	}()
 
-	// Services
-	services, err := app.initServices(queries)
+	// queries
+	queries := repository.New(app.db)
+	app.queries = queries
+
+	// services
+	err = app.setupServices()
 
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 
-	app.services = services
+	// configured providers
+	configuredProviders := make([]model.Provider, 0)
 
-	// Configured providers
-	configuredProviders := make([]controller.Provider, 0)
-
-	for id, provider := range app.context.oauthProviders {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	for id, provider := range app.runtime.OAuthProviders {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  provider.Name,
 			ID:    id,
 			OAuth: true,
@@ -177,70 +206,224 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
 
-	if services.authService.LocalAuthConfigured() {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	if app.services.authService.LocalAuthConfigured() {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "Local",
 			ID:    "local",
 			OAuth: false,
 		})
 	}
 
-	if services.authService.LDAPAuthConfigured() {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	if app.services.authService.LDAPAuthConfigured() {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
 			OAuth: false,
 		})
 	}
 
-	tlog.App.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
-
 	if len(configuredProviders) == 0 {
-		return fmt.Errorf("no authentication providers configured")
+		return errors.New("no authentication providers configured")
 	}
 
-	app.context.configuredProviders = configuredProviders
+	for _, provider := range configuredProviders {
+		app.log.App.Debug().Str("provider", provider.Name).Msg("Configured authentication provider")
+	}
 
-	// Setup router
-	router, err := app.setupRouter()
+	app.runtime.ConfiguredProviders = configuredProviders
+
+	// throw in tailscale if it's configured just before setting up the controllers
+	if app.services.tailscaleService != nil {
+		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
+	}
+
+	// setup router
+	err = app.setupRouter()
 
 	if err != nil {
 		return fmt.Errorf("failed to setup routes: %w", err)
 	}
 
-	// Start db cleanup routine
-	tlog.App.Debug().Msg("Starting database cleanup routine")
-	go app.dbCleanupRoutine(queries)
+	// start db cleanup routine
+	app.log.App.Debug().Msg("Starting database cleanup routine")
+	app.wg.Go(app.dbCleanupRoutine)
 
-	// If analytics are not disabled, start heartbeat
+	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
-		tlog.App.Debug().Msg("Starting heartbeat routine")
-		go app.heartbeatRoutine()
+		app.log.App.Debug().Msg("Starting heartbeat routine")
+		app.wg.Go(app.heartbeatRoutine)
 	}
 
-	// If we have an socket path, bind to it
-	if app.config.Server.SocketPath != "" {
-		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
-			tlog.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-			err := os.Remove(app.config.Server.SocketPath)
+	// create err channel to listen for server errors
+	errChanLen := 0
+
+	runUnix := app.config.Server.SocketPath != ""
+	runHTTP := app.config.Server.SocketPath == "" || app.config.Server.ConcurrentListenersEnabled
+	runTailscale := app.services.tailscaleService != nil
+
+	if runUnix {
+		errChanLen++
+	}
+
+	if runHTTP {
+		errChanLen++
+	}
+
+	if runTailscale {
+		errChanLen++
+	}
+
+	errChan := make(chan error, errChanLen)
+
+	if app.config.Server.ConcurrentListenersEnabled {
+		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
+	}
+
+	// serve unix
+	if runUnix {
+		app.wg.Go(func() {
+			if err := app.serveUnix(); err != nil {
+				errChan <- err
+			}
+		})
+	}
+
+	// serve to http
+	if runHTTP {
+		app.wg.Go(func() {
+			if err := app.serveHTTP(); err != nil {
+				errChan <- err
+			}
+		})
+	}
+
+	// serve to tailscale
+	if runTailscale {
+		app.wg.Go(func() {
+			if err := app.serveTailscale(); err != nil {
+				errChan <- err
+			}
+		})
+	}
+
+	// monitor cancellation and server errors
+	for {
+		select {
+		case <-app.ctx.Done():
+			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
+			return nil
+		case err := <-errChan:
 			if err != nil {
-				return fmt.Errorf("failed to remove existing socket file: %w", err)
+				return fmt.Errorf("server error: %w", err)
 			}
 		}
+	}
+}
 
-		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
-			tlog.App.Fatal().Err(err).Msg("Failed to start server")
-		}
+func (app *BootstrapApp) serveHTTP() error {
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 
+	app.log.App.Info().Msgf("Starting server on %s", address)
+
+	server := &http.Server{
+		Addr:    address,
+		Handler: app.router.Handler(),
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msg("Shutting down http listener")
+		server.Shutdown(app.ctx)
+	}()
+
+	err := server.ListenAndServe()
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		return fmt.Errorf("failed to start http listener: %w", err)
+	}
+
+	return nil
+}
+
+func (app *BootstrapApp) serveUnix() error {
+	if app.config.Server.SocketPath == "" {
 		return nil
 	}
 
-	// Start server
-	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
-	tlog.App.Info().Msgf("Starting server on %s", address)
-	if err := router.Run(address); err != nil {
-		tlog.App.Fatal().Err(err).Msg("Failed to start server")
+	_, err := os.Stat(app.config.Server.SocketPath)
+
+	if err == nil {
+		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
+		err := os.Remove(app.config.Server.SocketPath)
+
+		if err != nil {
+			return fmt.Errorf("failed to remove existing socket file: %w", err)
+		}
+	}
+
+	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+
+	listener, err := net.Listen("unix", app.config.Server.SocketPath)
+
+	if err != nil {
+		return fmt.Errorf("failed to create unix socket listener: %w", err)
+	}
+
+	server := &http.Server{
+		Handler: app.router.Handler(),
+	}
+
+	shutdown := func() {
+		server.Shutdown(app.ctx)
+		listener.Close()
+		os.Remove(app.config.Server.SocketPath)
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msg("Shutting down unix socket listener")
+		shutdown()
+	}()
+
+	err = server.Serve(listener)
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		shutdown()
+		return fmt.Errorf("failed to start unix socket listener: %w", err)
+	}
+
+	return nil
+}
+
+func (app *BootstrapApp) serveTailscale() error {
+	app.log.App.Info().Msgf("Starting Tailscale server on %s", app.services.tailscaleService.GetHostname())
+
+	listener, err := app.services.tailscaleService.CreateListener()
+
+	if err != nil {
+		return fmt.Errorf("failed to create tailscale listener: %w", err)
+	}
+
+	server := &http.Server{
+		Handler: app.router.Handler(),
+	}
+
+	shutdown := func() {
+		server.Shutdown(app.ctx)
+		listener.Close()
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msg("Shutting down Tailscale listener")
+		shutdown()
+	}()
+
+	err = server.Serve(listener)
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		shutdown()
+		return fmt.Errorf("failed to start tailscale listener: %w", err)
 	}
 
 	return nil
@@ -250,20 +433,20 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
 
-	type heartbeat struct {
+	type Heartbeat struct {
 		UUID    string `json:"uuid"`
 		Version string `json:"version"`
 	}
 
-	var body heartbeat
+	var body Heartbeat
 
-	body.UUID = app.context.uuid
+	body.UUID = app.runtime.UUID
 	body.Version = model.Version
 
 	bodyJson, err := json.Marshal(body)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to marshal heartbeat body")
+		app.log.App.Error().Err(err).Msg("Failed to marshal heartbeat body, heartbeat routine will not start")
 		return
 	}
 
@@ -273,43 +456,60 @@ func (app *BootstrapApp) heartbeatRoutine() {
 
 	heartbeatURL := model.APIServer + "/v1/instances/heartbeat"
 
-	for range ticker.C {
-		tlog.App.Debug().Msg("Sending heartbeat")
+	for {
+		select {
+		case <-ticker.C:
+			app.log.App.Debug().Msg("Sending heartbeat")
 
-		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
+			req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
 
-		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to create heartbeat request")
-			continue
-		}
+			if err != nil {
+				app.log.App.Error().Err(err).Msg("Failed to create heartbeat request")
+				continue
+			}
 
-		req.Header.Add("Content-Type", "application/json")
+			req.Header.Add("Content-Type", "application/json")
 
-		res, err := client.Do(req)
+			res, err := client.Do(req)
 
-		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to send heartbeat")
-			continue
-		}
+			if err != nil {
+				app.log.App.Error().Err(err).Msg("Failed to send heartbeat")
+				continue
+			}
 
-		res.Body.Close() //nolint:errcheck
+			res.Body.Close()
 
-		if res.StatusCode != 200 && res.StatusCode != 201 {
-			tlog.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
+			if res.StatusCode != 200 && res.StatusCode != 201 {
+				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
+			}
+		case <-app.ctx.Done():
+			app.log.App.Debug().Msg("Stopping heartbeat routine")
+			ticker.Stop()
+			return
 		}
 	}
 }
 
-func (app *BootstrapApp) dbCleanupRoutine(queries *repository.Queries) {
+func (app *BootstrapApp) dbCleanupRoutine() {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
-	ctx := context.Background()
 
-	for range ticker.C {
-		tlog.App.Debug().Msg("Cleaning up old database sessions")
-		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
-		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to clean up old database sessions")
+	for {
+		select {
+		case <-ticker.C:
+			app.log.App.Debug().Msg("Running database cleanup")
+
+			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
+
+			if err != nil {
+				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
+			}
+
+			app.log.App.Debug().Msg("Database cleanup completed")
+		case <-app.ctx.Done():
+			app.log.App.Debug().Msg("Stopping database cleanup routine")
+			ticker.Stop()
+			return
 		}
 	}
 }

internal/bootstrap/db_bootstrap.go

@@ -14,19 +14,26 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
-	dir := filepath.Dir(databasePath)
+func (app *BootstrapApp) SetupDatabase() error {
+	dir := filepath.Dir(app.config.Database.Path)
 
 	if err := os.MkdirAll(dir, 0750); err != nil {
-		return nil, fmt.Errorf("failed to create database directory %s: %w", dir, err)
+		return fmt.Errorf("failed to create database directory %s: %w", dir, err)
 	}
 
-	db, err := sql.Open("sqlite", databasePath)
+	db, err := sql.Open("sqlite", app.config.Database.Path)
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to open database: %w", err)
+		return fmt.Errorf("failed to open database: %w", err)
 	}
 
+	// Close the database if there is an error during migration
+	defer func() {
+		if err != nil {
+			db.Close()
+		}
+	}()
+
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
@@ -34,24 +41,29 @@ func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 	migrations, err := iofs.New(assets.Migrations, "migrations")
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to create migrations: %w", err)
+		return fmt.Errorf("failed to create migrations: %w", err)
 	}
 
 	target, err := sqlite3.WithInstance(db, &sqlite3.Config{})
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to create sqlite3 instance: %w", err)
+		return fmt.Errorf("failed to create sqlite3 instance: %w", err)
 	}
 
 	migrator, err := migrate.NewWithInstance("iofs", migrations, "sqlite3", target)
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to create migrator: %w", err)
+		return fmt.Errorf("failed to create migrator: %w", err)
 	}
 
 	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
-		return nil, fmt.Errorf("failed to migrate database: %w", err)
+		return fmt.Errorf("failed to migrate database: %w", err)
 	}
 
-	return db, nil
+	app.db = db
+	return nil
+}
+
+func (app *BootstrapApp) GetDB() *sql.DB {
+	return app.db
 }

internal/bootstrap/router_bootstrap.go

@@ -2,21 +2,16 @@ package bootstrap
 
 import (
 	"fmt"
-	"slices"
 
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
-	"github.com/tinyauthapp/tinyauth/internal/model"
 
 	"github.com/gin-gonic/gin"
 )
 
-var DEV_MODES = []string{"main", "test", "development"}
-
-func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
-	if !slices.Contains(DEV_MODES, model.Version) {
-		gin.SetMode(gin.ReleaseMode)
-	}
+func (app *BootstrapApp) setupRouter() error {
+	// we don't want gin debug mode
+	gin.SetMode(gin.ReleaseMode)
 
 	engine := gin.New()
 	engine.Use(gin.Recovery())
@@ -25,101 +20,36 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
 
 		if err != nil {
-			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
+			return fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}
 
-	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		CookieDomain:      app.context.cookieDomain,
-		SessionCookieName: app.context.sessionCookieName,
-	}, app.services.authService, app.services.oauthBrokerService)
-
-	err := contextMiddleware.Init()
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
-	}
-
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
 	engine.Use(contextMiddleware.Middleware())
 
-	uiMiddleware := middleware.NewUIMiddleware()
-
-	err = uiMiddleware.Init()
+	uiMiddleware, err := middleware.NewUIMiddleware()
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
+		return fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
 
 	engine.Use(uiMiddleware.Middleware())
 
-	zerologMiddleware := middleware.NewZerologMiddleware()
-
-	err = zerologMiddleware.Init()
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
-	}
+	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
 
 	engine.Use(zerologMiddleware.Middleware())
 
 	apiRouter := engine.Group("/api")
 
-	contextController := controller.NewContextController(controller.ContextControllerConfig{
-		Providers:             app.context.configuredProviders,
-		Title:                 app.config.UI.Title,
-		AppURL:                app.config.AppURL,
-		CookieDomain:          app.context.cookieDomain,
-		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
-		BackgroundImage:       app.config.UI.BackgroundImage,
-		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		WarningsEnabled:       app.config.UI.WarningsEnabled,
-	}, apiRouter)
+	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
+	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService)
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
+	controller.NewResourcesController(app.config, &engine.RouterGroup)
+	controller.NewHealthController(apiRouter)
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
 
-	contextController.SetupRoutes()
-
-	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
-		AppURL:                 app.config.AppURL,
-		SecureCookie:           app.config.Auth.SecureCookie,
-		CSRFCookieName:         app.context.csrfCookieName,
-		RedirectCookieName:     app.context.redirectCookieName,
-		CookieDomain:           app.context.cookieDomain,
-		OAuthSessionCookieName: app.context.oauthSessionCookieName,
-		SubdomainsEnabled:      app.config.Auth.SubdomainsEnabled,
-	}, apiRouter, app.services.authService)
-
-	oauthController.SetupRoutes()
-
-	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, app.services.oidcService, apiRouter)
-
-	oidcController.SetupRoutes()
-
-	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: app.config.AppURL,
-	}, apiRouter, app.services.accessControlService, app.services.authService)
-
-	proxyController.SetupRoutes()
-
-	userController := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain:      app.context.cookieDomain,
-		SessionCookieName: app.context.sessionCookieName,
-	}, apiRouter, app.services.authService)
-
-	userController.SetupRoutes()
-
-	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		Path:    app.config.Resources.Path,
-		Enabled: app.config.Resources.Enabled,
-	}, &engine.RouterGroup)
-
-	resourcesController.SetupRoutes()
-
-	healthController := controller.NewHealthController(apiRouter)
-
-	healthController.SetupRoutes()
-
-	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
-
-	wellknownController.SetupRoutes()
-
-	return engine, nil
+	app.router = engine
+	return nil
 }

internal/bootstrap/service_bootstrap.go

@@ -1,131 +1,75 @@
 package bootstrap
 
 import (
+	"fmt"
+
 	"os"
 
-	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
-type Services struct {
-	accessControlService *service.AccessControlsService
-	authService          *service.AuthService
-	dockerService        *service.DockerService
-	kubernetesService    *service.KubernetesService
-	ldapService          *service.LdapService
-	oauthBrokerService   *service.OAuthBrokerService
-	oidcService          *service.OIDCService
-}
-
-func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
-	services := Services{}
-
-	ldapService := service.NewLdapService(service.LdapServiceConfig{
-		Address:      app.config.LDAP.Address,
-		BindDN:       app.config.LDAP.BindDN,
-		BindPassword: app.config.LDAP.BindPassword,
-		BaseDN:       app.config.LDAP.BaseDN,
-		Insecure:     app.config.LDAP.Insecure,
-		SearchFilter: app.config.LDAP.SearchFilter,
-		AuthCert:     app.config.LDAP.AuthCert,
-		AuthKey:      app.config.LDAP.AuthKey,
-	})
-
-	err := ldapService.Init()
+func (app *BootstrapApp) setupServices() error {
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
-		ldapService.Unconfigure() //nolint:errcheck
+		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}
 
-	services.ldapService = ldapService
-
-	var labelProvider service.LabelProvider
-	var dockerService *service.DockerService
-	var kubernetesService *service.KubernetesService
+	app.services.ldapService = ldapService
 
 	useKubernetes := app.config.LabelProvider == "kubernetes" ||
 		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
 
+	var labelProvider service.LabelProvider
+
 	if useKubernetes {
-		tlog.App.Debug().Msg("Using Kubernetes label provider")
-		kubernetesService = service.NewKubernetesService()
-		err = kubernetesService.Init()
+		app.log.App.Debug().Msg("Using Kubernetes label provider")
+
+		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+
 		if err != nil {
-			return Services{}, err
+			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
 		}
-		services.kubernetesService = kubernetesService
+
+		app.services.kubernetesService = kubernetesService
 		labelProvider = kubernetesService
 	} else {
-		tlog.App.Debug().Msg("Using Docker label provider")
-		dockerService = service.NewDockerService()
-		err = dockerService.Init()
+		app.log.App.Debug().Msg("Using Docker label provider")
+
+		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
+
 		if err != nil {
-			return Services{}, err
+			return fmt.Errorf("failed to initialize docker service: %w", err)
 		}
-		services.dockerService = dockerService
+
+		app.services.dockerService = dockerService
 		labelProvider = dockerService
 	}
 
-	accessControlsService := service.NewAccessControlsService(labelProvider, app.config.Apps)
-
-	err = accessControlsService.Init()
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
 
 	if err != nil {
-		return Services{}, err
+		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
+	} else {
+		app.services.tailscaleService = tailscaleService
 	}
 
-	services.accessControlService = accessControlsService
+	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	app.services.accessControlService = accessControlsService
 
-	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
+	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
+	app.services.oauthBrokerService = oauthBrokerService
 
-	err = oauthBrokerService.Init()
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
+	app.services.authService = authService
+
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
 
 	if err != nil {
-		return Services{}, err
+		return fmt.Errorf("failed to initialize oidc service: %w", err)
 	}
 
-	services.oauthBrokerService = oauthBrokerService
+	app.services.oidcService = oidcService
 
-	authService := service.NewAuthService(service.AuthServiceConfig{
-		LocalUsers:         app.context.localUsers,
-		OauthWhitelist:     app.context.oauthWhitelist,
-		SessionExpiry:      app.config.Auth.SessionExpiry,
-		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
-		SecureCookie:       app.config.Auth.SecureCookie,
-		CookieDomain:       app.context.cookieDomain,
-		LoginTimeout:       app.config.Auth.LoginTimeout,
-		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
-		SessionCookieName:  app.context.sessionCookieName,
-		IP:                 app.config.Auth.IP,
-		LDAPGroupsCacheTTL: app.config.LDAP.GroupCacheTTL,
-		SubdomainsEnabled:  app.config.Auth.SubdomainsEnabled,
-	}, services.ldapService, queries, services.oauthBrokerService)
-
-	err = authService.Init()
-
-	if err != nil {
-		return Services{}, err
-	}
-
-	services.authService = authService
-
-	oidcService := service.NewOIDCService(service.OIDCServiceConfig{
-		Clients:        app.config.OIDC.Clients,
-		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
-		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
-		Issuer:         app.config.AppURL,
-		SessionExpiry:  app.config.Auth.SessionExpiry,
-	}, queries)
-
-	err = oidcService.Init()
-
-	if err != nil {
-		return Services{}, err
-	}
-
-	services.oidcService = oidcService
-
-	return services, nil
+	return nil
 }

internal/controller/context_controller.go

@@ -1,130 +1,163 @@
 package controller
 
 import (
-	"fmt"
-	"net/url"
-
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 )
 
+// UCR -> User Context Response
+
+type UCRAuth struct {
+	Authenticated bool   `json:"authenticated"`
+	Username      string `json:"username"`
+	Name          string `json:"name"`
+	Email         string `json:"email"`
+	ProviderID    string `json:"providerId"`
+}
+
+type UCROAuth struct {
+	Active      bool   `json:"active"`
+	DisplayName string `json:"displayName"`
+}
+
+type UCRTOTP struct {
+	Pending bool `json:"pending"`
+}
+
+type UCRTailscale struct {
+	NodeName string `json:"nodeName,omitempty"`
+}
+
 type UserContextResponse struct {
-	Status      int    `json:"status"`
-	Message     string `json:"message"`
-	IsLoggedIn  bool   `json:"isLoggedIn"`
-	Username    string `json:"username"`
-	Name        string `json:"name"`
-	Email       string `json:"email"`
-	Provider    string `json:"provider"`
-	OAuth       bool   `json:"oauth"`
-	TOTPPending bool   `json:"totpPending"`
-	OAuthName   string `json:"oauthName"`
+	Status    int          `json:"status"`
+	Message   string       `json:"message"`
+	Auth      UCRAuth      `json:"auth"`
+	OAuth     UCROAuth     `json:"oauth"`
+	TOTP      UCRTOTP      `json:"totp"`
+	Tailscale UCRTailscale `json:"tailscale"`
+}
+
+// ACR -> App Context Response
+
+type ACRAuth struct {
+	Providers []model.Provider `json:"providers"`
+}
+
+type ACROAuth struct {
+	AutoRedirect string `json:"autoRedirect"`
+}
+
+type ACRUI struct {
+	Title                 string `json:"title"`
+	ForgotPasswordMessage string `json:"forgotPasswordMessage"`
+	BackgroundImage       string `json:"backgroundImage"`
+	WarningsEnabled       bool   `json:"warningsEnabled"`
+}
+
+type ACRApp struct {
+	AppURL         string   `json:"appUrl"`
+	CookieDomain   string   `json:"cookieDomain"`
+	TrustedDomains []string `json:"trustedDomains"`
 }
 
 type AppContextResponse struct {
-	Status                int        `json:"status"`
-	Message               string     `json:"message"`
-	Providers             []Provider `json:"providers"`
-	Title                 string     `json:"title"`
-	AppURL                string     `json:"appUrl"`
-	CookieDomain          string     `json:"cookieDomain"`
-	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
-	BackgroundImage       string     `json:"backgroundImage"`
-	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-	WarningsEnabled       bool       `json:"warningsEnabled"`
-}
-
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
-}
-
-type ContextControllerConfig struct {
-	Providers             []Provider
-	Title                 string
-	AppURL                string
-	CookieDomain          string
-	ForgotPasswordMessage string
-	BackgroundImage       string
-	OAuthAutoRedirect     string
-	WarningsEnabled       bool
+	Status  int      `json:"status"`
+	Message string   `json:"message"`
+	Auth    ACRAuth  `json:"auth"`
+	OAuth   ACROAuth `json:"oauth"`
+	UI      ACRUI    `json:"ui"`
+	App     ACRApp   `json:"app"`
 }
 
 type ContextController struct {
-	config ContextControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
 }
 
-func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
-	if !config.WarningsEnabled {
-		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
+func NewContextController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+) *ContextController {
+	controller := &ContextController{
+		log:     log,
+		config:  config,
+		runtime: runtimeConfig,
 	}
 
-	return &ContextController{
-		config: config,
-		router: router,
+	if !config.UI.WarningsEnabled {
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
-}
 
-func (controller *ContextController) SetupRoutes() {
-	contextGroup := controller.router.Group("/context")
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
+
+	return controller
 }
 
 func (controller *ContextController) userContextHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		tlog.App.Debug().Err(err).Msg("No user context found in request")
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
 		c.JSON(200, UserContextResponse{
-			Status:     401,
-			Message:    "Unauthorized",
-			IsLoggedIn: false,
+			Status:  401,
+			Message: "Unauthorized",
+			Auth:    UCRAuth{Authenticated: false},
 		})
 		return
 	}
 
 	userContext := UserContextResponse{
-		Status:      200,
-		Message:     "Success",
-		IsLoggedIn:  context.Authenticated,
-		Username:    context.GetUsername(),
-		Name:        context.GetName(),
-		Email:       context.GetEmail(),
-		Provider:    context.GetProviderID(),
-		OAuth:       context.IsOAuth(),
-		TOTPPending: context.TOTPPending(),
-		OAuthName:   context.OAuthName(),
+		Status:  200,
+		Message: "Success",
+		Auth: UCRAuth{
+			Authenticated: context.Authenticated,
+			Username:      context.GetUsername(),
+			Name:          context.GetName(),
+			Email:         context.GetEmail(),
+			ProviderID:    context.GetProviderID(),
+		},
+		OAuth: UCROAuth{
+			Active:      context.IsOAuth(),
+			DisplayName: context.OAuthName(),
+		},
+		TOTP: UCRTOTP{
+			Pending: context.TOTPPending(),
+		},
+		Tailscale: UCRTailscale{
+			NodeName: context.TailscaleNodeName(),
+		},
 	}
 
 	c.JSON(200, userContext)
 }
 
 func (controller *ContextController) appContextHandler(c *gin.Context) {
-	appUrl, err := url.Parse(controller.config.AppURL)
-	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "Internal Server Error",
-		})
-		return
-	}
-
 	c.JSON(200, AppContextResponse{
-		Status:                200,
-		Message:               "Success",
-		Providers:             controller.config.Providers,
-		Title:                 controller.config.Title,
-		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.config.CookieDomain,
-		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
-		BackgroundImage:       controller.config.BackgroundImage,
-		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
-		WarningsEnabled:       controller.config.WarningsEnabled,
+		Status:  200,
+		Message: "Success",
+		Auth: ACRAuth{
+			Providers: controller.runtime.ConfiguredProviders,
+		},
+		OAuth: ACROAuth{
+			AutoRedirect: controller.config.OAuth.AutoRedirect,
+		},
+		UI: ACRUI{
+			Title:                 controller.config.UI.Title,
+			ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
+			BackgroundImage:       controller.config.UI.BackgroundImage,
+			WarningsEnabled:       controller.config.UI.WarningsEnabled,
+		},
+		App: ACRApp{
+			AppURL:         controller.runtime.AppURL,
+			CookieDomain:   controller.runtime.CookieDomain,
+			TrustedDomains: controller.runtime.TrustedDomains,
+		},
 	})
 }

internal/controller/context_controller_test.go

@@ -8,30 +8,19 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestContextController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	controllerConfig := controller.ContextControllerConfig{
-		Providers: []controller.Provider{
-			{
-				Name:  "Local",
-				ID:    "local",
-				OAuth: false,
-			},
-		},
-		Title:                 "Tinyauth",
-		AppURL:                "https://tinyauth.example.com",
-		CookieDomain:          "example.com",
-		ForgotPasswordMessage: "foo",
-		BackgroundImage:       "/background.jpg",
-		OAuthAutoRedirect:     "none",
-		WarningsEnabled:       true,
-	}
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	tests := []struct {
 		description string
@@ -45,19 +34,28 @@ func TestContextController(t *testing.T) {
 			path:        "/api/context/app",
 			expected: func() string {
 				expectedAppContextResponse := controller.AppContextResponse{
-					Status:                200,
-					Message:               "Success",
-					Providers:             controllerConfig.Providers,
-					Title:                 controllerConfig.Title,
-					AppURL:                controllerConfig.AppURL,
-					CookieDomain:          controllerConfig.CookieDomain,
-					ForgotPasswordMessage: controllerConfig.ForgotPasswordMessage,
-					BackgroundImage:       controllerConfig.BackgroundImage,
-					OAuthAutoRedirect:     controllerConfig.OAuthAutoRedirect,
-					WarningsEnabled:       controllerConfig.WarningsEnabled,
+					Status:  200,
+					Message: "Success",
+					Auth: controller.ACRAuth{
+						Providers: runtime.ConfiguredProviders,
+					},
+					OAuth: controller.ACROAuth{
+						AutoRedirect: cfg.OAuth.AutoRedirect,
+					},
+					UI: controller.ACRUI{
+						Title:                 cfg.UI.Title,
+						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
+						BackgroundImage:       cfg.UI.BackgroundImage,
+						WarningsEnabled:       cfg.UI.WarningsEnabled,
+					},
+					App: controller.ACRApp{
+						AppURL:         runtime.AppURL,
+						CookieDomain:   runtime.CookieDomain,
+						TrustedDomains: runtime.TrustedDomains,
+					},
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -71,7 +69,7 @@ func TestContextController(t *testing.T) {
 					Message: "Unauthorized",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -86,7 +84,7 @@ func TestContextController(t *testing.T) {
 							BaseContext: model.BaseContext{
 								Username: "johndoe",
 								Name:     "John Doe",
-								Email:    utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
+								Email:    utils.CompileUserEmail("johndoe", runtime.CookieDomain),
 							},
 						},
 					})
@@ -95,16 +93,18 @@ func TestContextController(t *testing.T) {
 			path: "/api/context/user",
 			expected: func() string {
 				expectedUserContextResponse := controller.UserContextResponse{
-					Status:     200,
-					Message:    "Success",
-					IsLoggedIn: true,
-					Username:   "johndoe",
-					Name:       "John Doe",
-					Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
-					Provider:   "local",
+					Status:  200,
+					Message: "Success",
+					Auth: controller.UCRAuth{
+						Authenticated: true,
+						Username:      "johndoe",
+						Name:          "John Doe",
+						Email:         utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+						ProviderID:    "local",
+					},
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -121,13 +121,12 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			contextController := controller.NewContextController(controllerConfig, group)
-			contextController.SetupRoutes()
+			controller.NewContextController(log, cfg, runtime, group)
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest("GET", test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/health_controller.go

@@ -3,18 +3,15 @@ package controller
 import "github.com/gin-gonic/gin"
 
 type HealthController struct {
-	router *gin.RouterGroup
 }
 
 func NewHealthController(router *gin.RouterGroup) *HealthController {
-	return &HealthController{
-		router: router,
-	}
-}
+	controller := &HealthController{}
 
-func (controller *HealthController) SetupRoutes() {
-	controller.router.GET("/healthz", controller.healthHandler)
-	controller.router.HEAD("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
+
+	return controller
 }
 
 func (controller *HealthController) healthHandler(c *gin.Context) {

internal/controller/health_controller_test.go

@@ -7,13 +7,12 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 )
 
 func TestHealthController(t *testing.T) {
-	tlog.NewTestLogger().Init()
 	tests := []struct {
 		description string
 		path        string
@@ -30,7 +29,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -44,7 +43,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -56,13 +55,12 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			healthController := controller.NewHealthController(group)
-			healthController.SetupRoutes()
+			controller.NewHealthController(group)
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest(test.method, test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/oauth_controller.go

@@ -6,10 +6,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -19,34 +20,32 @@ type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }
 
-type OAuthControllerConfig struct {
-	CSRFCookieName         string
-	OAuthSessionCookieName string
-	RedirectCookieName     string
-	SecureCookie           bool
-	AppURL                 string
-	CookieDomain           string
-	SubdomainsEnabled      bool
-}
-
 type OAuthController struct {
-	config OAuthControllerConfig
-	router *gin.RouterGroup
-	auth   *service.AuthService
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
+	auth    *service.AuthService
 }
 
-func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *OAuthController {
-	return &OAuthController{
-		config: config,
-		router: router,
-		auth:   auth,
+func NewOAuthController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *OAuthController {
+	controller := &OAuthController{
+		log:     log,
+		config:  config,
+		runtime: runtimeConfig,
+		auth:    auth,
 	}
-}
 
-func (controller *OAuthController) SetupRoutes() {
-	oauthGroup := controller.router.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
+
+	return controller
 }
 
 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
@@ -54,7 +53,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -67,7 +66,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err = c.BindQuery(&reqParams)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
+		controller.log.App.Error().Err(err).Msg("Failed to bind query parameters")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -76,10 +75,10 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 
 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
 
 		if !isRedirectSafe {
-			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
+			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
@@ -87,7 +86,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
+		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -98,7 +97,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	authUrl, err := controller.auth.GetOAuthURL(sessionId)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth URL")
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth URL for session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -106,7 +105,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -120,7 +119,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -128,21 +127,21 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	sessionIdCookie, err := c.Cookie(controller.config.OAuthSessionCookieName)
+	sessionIdCookie, err := c.Cookie(controller.runtime.OAuthSessionCookieName)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("OAuth session cookie missing")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get pending OAuth session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -150,8 +149,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	state := c.Query("state")
 	if state != oauthPendingSession.State {
-		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth state mismatch")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -159,74 +158,80 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to exchange code for token")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to exchange code for token")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	user, err := controller.auth.GetOAuthUserinfo(sessionIdCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if user == nil {
+		controller.log.App.Warn().Msg("OAuth provider did not return user info")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	if user.Email == "" {
-		tlog.App.Error().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth provider did not return an email")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
-		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
+		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
+		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
 
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
 	var name string
 
 	if strings.TrimSpace(user.Name) != "" {
-		tlog.App.Debug().Msg("Using name from OAuth provider")
+		controller.log.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
+		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}
 
 	var username string
 
 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
+		controller.log.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
+		controller.log.App.Debug().Msg("No preferred username from OAuth provider, generating from email")
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	if svc.ID() != req.Provider {
-		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -240,29 +245,29 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		OAuthSub:    user.Sub,
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+	controller.log.App.Debug().Msg("Creating session cookie for user")
 
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	http.SetCookie(c.Writer, cookie)
 
-	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
+	controller.log.AuditLoginSuccess(sessionCookie.Username, sessionCookie.Provider, c.ClientIP())
 
 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
+		controller.log.App.Debug().Msg("OIDC request detected, redirecting to authorization endpoint with callback params")
 		queries, err := query.Values(oauthPendingSession.CallbackParams)
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
@@ -272,16 +277,16 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
-	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
+	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
 
 func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
@@ -292,8 +297,8 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 }
 
 func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.SubdomainsEnabled {
-		return "." + controller.config.CookieDomain
+	if controller.config.Auth.SubdomainsEnabled {
+		return "." + controller.runtime.CookieDomain
 	}
-	return controller.config.CookieDomain
+	return controller.runtime.CookieDomain
 }

internal/controller/oidc_controller.go

@@ -13,15 +13,13 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-type OIDCControllerConfig struct{}
-
 type OIDCController struct {
-	config OIDCControllerConfig
-	router *gin.RouterGroup
-	oidc   *service.OIDCService
+	log     *logger.Logger
+	oidc    *service.OIDCService
+	runtime model.RuntimeConfig
 }
 
 type AuthorizeCallback struct {
@@ -58,29 +56,42 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 
-func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
-	return &OIDCController{
-		config: config,
-		oidc:   oidcService,
-		router: router,
+func NewOIDCController(
+	log *logger.Logger,
+	oidcService *service.OIDCService,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup) *OIDCController {
+	controller := &OIDCController{
+		log:     log,
+		oidc:    oidcService,
+		runtime: runtimeConfig,
 	}
-}
 
-func (controller *OIDCController) SetupRoutes() {
-	oidcGroup := controller.router.Group("/oidc")
+	oidcGroup := router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
+
+	return controller
 }
 
 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC not configured",
+		})
+		return
+	}
+
 	var req ClientRequest
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -91,7 +102,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
@@ -107,7 +118,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) Authorize(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
+	if controller.oidc == nil {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
@@ -142,7 +153,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	err = controller.oidc.ValidateAuthorizeParams(req)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
+		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
@@ -174,7 +185,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
+			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
@@ -197,10 +208,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }
 
 func (controller *OIDCController) Token(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -209,7 +220,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err := c.Bind(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind token request")
+		controller.log.App.Warn().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
@@ -218,7 +229,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
-		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
+		controller.log.App.Warn().Err(err).Msg("Invalid grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
@@ -233,12 +244,12 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
-		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
+		controller.log.App.Debug().Msg("Client credentials not found in form, trying basic auth")
 
 		clientId, clientSecret, ok := c.Request.BasicAuth()
 
 		if !ok {
-			tlog.App.Error().Msg("Missing authorization header")
+			controller.log.App.Warn().Msg("Client credentials not found in basic auth")
 			c.Header("www-authenticate", `Basic realm="Tinyauth OIDC Token Endpoint"`)
 			c.JSON(400, gin.H{
 				"error": "invalid_client",
@@ -255,7 +266,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(creds.ClientID)
 
 	if !ok {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -263,7 +274,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	}
 
 	if client.ClientSecret != creds.ClientSecret {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -277,30 +288,30 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
+				controller.log.App.Error().Err(err).Msg("Failed to delete code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
-				tlog.App.Warn().Msg("Code not found")
+				controller.log.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
-				tlog.App.Warn().Msg("Code expired")
+				controller.log.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Warn().Msg("Invalid client ID")
+				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
-			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
+			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -308,7 +319,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		}
 
 		if entry.RedirectURI != req.RedirectURI {
-			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
+			controller.log.App.Warn().Msg("Redirect URI does not match")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -318,7 +329,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 
 		if !ok {
-			tlog.App.Warn().Msg("PKCE validation failed")
+			controller.log.App.Warn().Msg("PKCE validation failed")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -328,7 +339,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to generate access token")
+			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -341,7 +352,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
-				tlog.App.Error().Err(err).Msg("Refresh token expired")
+				controller.log.App.Warn().Msg("Refresh token expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
@@ -349,14 +360,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			}
 
 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Error().Err(err).Msg("Invalid client")
+				controller.log.App.Warn().Msg("Refresh token does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 
-			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
+			controller.log.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -373,10 +384,10 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }
 
 func (controller *OIDCController) Userinfo(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -387,7 +398,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if authorization != "" {
 		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
 		if !ok {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid authorization header")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -395,7 +406,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 
 		if strings.ToLower(tokenType) != "bearer" {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with non-bearer token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -405,7 +416,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		token = bearerToken
 	} else if c.Request.Method == http.MethodPost {
 		if c.ContentType() != "application/x-www-form-urlencoded" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
 			c.JSON(400, gin.H{
 				"error": "invalid_request",
 			})
@@ -413,14 +424,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 		token = c.PostForm("access_token")
 		if token == "" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed without access_token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
 			return
 		}
 	} else {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed without authorization header or POST body")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
@@ -431,14 +442,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 
 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 
-		tlog.App.Err(err).Msg("Failed to get token entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get access token")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -447,7 +458,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
@@ -457,7 +468,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 
 	if err != nil {
-		tlog.App.Err(err).Msg("Failed to get user entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get user info")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -468,7 +479,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
-	tlog.App.Error().Err(err).Msg(reason)
+	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
 
 	if callback != "" {
 		errorQueries := CallbackError{
@@ -508,8 +519,16 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		return
 	}
 
+	redirectUrl := ""
+
+	if controller.oidc != nil {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode())
+	} else {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
+		"redirect_uri": redirectUrl,
 	})
 }

internal/controller/oidc_controller_test.go

@@ -1,13 +1,14 @@
 package controller_test
 
 import (
+	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"net/http/httptest"
 	"net/url"
-	"path"
 	"strings"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -19,29 +20,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestOIDCController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]model.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
-
-	controllerCfg := controller.OIDCControllerConfig{}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	simpleCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -103,7 +90,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
 			},
@@ -123,7 +110,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -131,7 +118,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
 			},
@@ -151,7 +138,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -160,11 +147,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -183,7 +170,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -191,7 +178,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["error"], "unsupported_grant_type")
 			},
@@ -206,7 +193,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -244,7 +231,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -267,11 +254,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -283,7 +270,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -306,7 +293,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := tokenRes["refresh_token"]
 				assert.True(t, ok, "Expected refresh token in response")
@@ -320,7 +307,7 @@ func TestOIDCController(t *testing.T) {
 					ClientSecret: "some-client-secret",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -332,7 +319,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 				var refreshRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok = refreshRes["access_token"]
 				assert.True(t, ok, "Expected access token in refresh response")
@@ -353,11 +340,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -369,7 +356,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -389,7 +376,7 @@ func TestOIDCController(t *testing.T) {
 
 				var secondRes map[string]any
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
@@ -417,7 +404,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -429,7 +416,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -449,7 +436,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -464,7 +451,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -479,7 +466,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -494,7 +481,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
@@ -509,7 +496,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -524,7 +511,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -541,7 +528,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -555,7 +542,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -579,7 +566,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -588,11 +575,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -609,7 +596,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -640,7 +627,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -649,11 +636,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -670,7 +657,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -701,7 +688,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -710,11 +697,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -731,7 +718,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge-1",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -762,7 +749,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "foo",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -771,11 +758,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				error := queryParams.Get("error")
@@ -794,11 +781,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -810,7 +797,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -821,7 +808,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := res["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -846,20 +833,22 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 401, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
 	}
 
-	app := bootstrap.NewBootstrapApp(model.Config{})
+	app := bootstrap.NewBootstrapApp(cfg)
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)
 
-	queries := repository.New(db)
-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	queries := repository.New(app.GetDB())
+
+	wg := &sync.WaitGroup{}
+
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, context.TODO(), wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -873,8 +862,7 @@ func TestOIDCController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
-			oidcController.SetupRoutes()
+			controller.NewOIDCController(log, oidcService, runtime, group)
 
 			recorder := httptest.NewRecorder()
 
@@ -883,7 +871,6 @@ func TestOIDCController(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }

internal/controller/proxy_controller.go

@@ -11,7 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -50,29 +50,31 @@ type ProxyContext struct {
 	ProxyType ProxyType
 }
 
-type ProxyControllerConfig struct {
-	AppURL string
-}
-
 type ProxyController struct {
-	config ProxyControllerConfig
-	router *gin.RouterGroup
-	acls   *service.AccessControlsService
-	auth   *service.AuthService
+	log     *logger.Logger
+	runtime model.RuntimeConfig
+	acls    *service.AccessControlsService
+	auth    *service.AuthService
 }
 
-func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
-	return &ProxyController{
-		config: config,
-		router: router,
-		acls:   acls,
-		auth:   auth,
+func NewProxyController(
+	log *logger.Logger,
+	runtime model.RuntimeConfig,
+	router *gin.RouterGroup,
+	acls *service.AccessControlsService,
+	auth *service.AuthService,
+) *ProxyController {
+	controller := &ProxyController{
+		log:     log,
+		runtime: runtime,
+		acls:    acls,
+		auth:    auth,
 	}
-}
 
-func (controller *ProxyController) SetupRoutes() {
-	proxyGroup := controller.router.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
+
+	return controller
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -80,7 +82,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proxyCtx, err := controller.getProxyContext(c)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
+		controller.log.App.Error().Err(err).Msg("Failed to get proxy context from request")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad request",
@@ -88,19 +90,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
-
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to get ACLs for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
-	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
-
 	clientIP := c.ClientIP()
 
 	if controller.auth.IsBypassedIP(clientIP, acls) {
@@ -115,13 +113,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
 	if !authEnabled {
-		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
+		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -137,12 +135,12 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			controller.handleError(c, proxyCtx)
 			return
 		}
 
-		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
 
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
@@ -160,26 +158,24 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
+		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
 		userContext = &model.UserContext{
 			Authenticated: false,
 		}
 	}
 
-	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
-
 	if userContext.Authenticated {
 		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
 
 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
 
 			queries, err := query.Values(UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
 
 			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+				controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 				controller.handleError(c, proxyCtx)
 				return
 			}
@@ -190,7 +186,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				queries.Set("username", userContext.GetUsername())
 			}
 
-			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
 
 			if !controller.useBrowserResponse(proxyCtx) {
 				c.Header("x-tinyauth-location", redirectURL)
@@ -215,7 +211,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not in the required group to access resource")
 
 				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
@@ -223,7 +219,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				})
 
 				if err != nil {
-					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+					controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 					controller.handleError(c, proxyCtx)
 					return
 				}
@@ -234,7 +230,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					queries.Set("username", userContext.GetUsername())
 				}
 
-				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
 
 				if !controller.useBrowserResponse(proxyCtx) {
 					c.Header("x-tinyauth-location", redirectURL)
@@ -277,12 +273,12 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	})
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+		controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
-	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.runtime.AppURL, queries.Encode())
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -306,20 +302,19 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	headers := utils.ParseHeaders(acls.Response.Headers)
 
 	for key, value := range headers {
-		tlog.App.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}
 
 	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)
 
 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
-		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
+		controller.log.App.Debug().Msg("Setting basic auth header for response")
 		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }
 
 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
-	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)
+	redirectURL := fmt.Sprintf("%s/error", controller.runtime.AppURL)
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -520,7 +515,7 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}
 
-	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
+	controller.log.App.Debug().Msgf("Determined proxy type: %v", proxy)
 
 	authModules := controller.determineAuthModules(proxy)
 
@@ -531,13 +526,13 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	var ctx ProxyContext
 
 	for _, module := range authModules {
-		tlog.App.Debug().Msgf("Trying auth module: %v", module)
+		controller.log.App.Debug().Msgf("Trying to get context from auth module %v", module)
 		ctx, err = controller.getContextFromAuthModule(c, module)
 		if err == nil {
-			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
+			controller.log.App.Debug().Msgf("Successfully got context from auth module %v", module)
 			break
 		}
-		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
+		controller.log.App.Debug().Msgf("Failed to get context from auth module %v: %v", module, err)
 	}
 
 	if err != nil {
@@ -549,9 +544,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
 
 	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as coming from a browser")
+		controller.log.App.Debug().Msg("Request identified as coming from a browser client")
 	} else {
-		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
+		controller.log.App.Debug().Msg("Request identified as coming from a non-browser client")
 	}
 
 	ctx.IsBrowser = isBrowser

internal/controller/proxy_controller_test.go

@@ -1,8 +1,9 @@
 package controller_test
 
 import (
+	"context"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -13,35 +14,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestProxyController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	authServiceCfg := service.AuthServiceConfig{
-		LocalUsers: &[]model.LocalUser{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}
-
-	controllerCfg := controller.ProxyControllerConfig{
-		AppURL: "https://tinyauth.example.com",
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	acls := map[string]model.App{
 		"app_path_allow": {
@@ -398,32 +379,19 @@ func TestProxyController(t *testing.T) {
 		},
 	}
 
-	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+	app := bootstrap.NewBootstrapApp(cfg)
 
-	app := bootstrap.NewBootstrapApp(model.Config{})
-
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)
 
-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())
 
-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
+	wg := &sync.WaitGroup{}
+	ctx := context.TODO()
 
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
-
-	aclsService := service.NewAccessControlsService(docker, acls)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
+	aclsService := service.NewAccessControlsService(log, nil, acls)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -438,15 +406,13 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
-			proxyController.SetupRoutes()
+			controller.NewProxyController(log, runtime, group, aclsService, authService)
 
 			test.run(t, router, recorder)
 		})
 	}
 
 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }

internal/controller/resources_controller.go

@@ -4,42 +4,39 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
-type ResourcesControllerConfig struct {
-	Path    string
-	Enabled bool
-}
-
 type ResourcesController struct {
-	config     ResourcesControllerConfig
-	router     *gin.RouterGroup
+	config     model.Config
 	fileServer http.Handler
 }
 
-func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
+func NewResourcesController(
+	config model.Config,
+	router *gin.RouterGroup,
+) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
 
-	return &ResourcesController{
+	controller := &ResourcesController{
 		config:     config,
-		router:     router,
 		fileServer: fileServer,
 	}
-}
 
-func (controller *ResourcesController) SetupRoutes() {
-	controller.router.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
+
+	return controller
 }
 
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.Path == "" {
+	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	if !controller.config.Enabled {
+	if !controller.config.Resources.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",

internal/controller/resources_controller_test.go

@@ -3,26 +3,20 @@ package controller_test
 import (
 	"net/http/httptest"
 	"os"
-	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/test"
 )
 
 func TestResourcesController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	cfg, _ := test.CreateTestConfigs(t)
 
-	resourcesControllerCfg := controller.ResourcesControllerConfig{
-		Path:    path.Join(tempDir, "resources"),
-		Enabled: true,
-	}
-
-	err := os.Mkdir(resourcesControllerCfg.Path, 0777)
+	err := os.MkdirAll(cfg.Resources.Path, 0777)
 	require.NoError(t, err)
 
 	type testCase struct {
@@ -61,11 +55,11 @@ func TestResourcesController(t *testing.T) {
 		},
 	}
 
-	testFilePath := resourcesControllerCfg.Path + "/testfile.txt"
+	testFilePath := cfg.Resources.Path + "/testfile.txt"
 	err = os.WriteFile(testFilePath, []byte("This is a test file."), 0777)
 	require.NoError(t, err)
 
-	testFilePathParent := tempDir + "/somefile.txt"
+	testFilePathParent := filepath.Dir(cfg.Resources.Path) + "/somefile.txt"
 	err = os.WriteFile(testFilePathParent, []byte("This file should not be accessible."), 0777)
 	require.NoError(t, err)
 
@@ -75,8 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
 
-			resourcesController := controller.NewResourcesController(resourcesControllerCfg, group)
-			resourcesController.SetupRoutes()
+			controller.NewResourcesController(cfg, group)
 
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)

internal/controller/user_controller.go

@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -25,30 +25,31 @@ type TotpRequest struct {
 	Code string `json:"code"`
 }
 
-type UserControllerConfig struct {
-	CookieDomain      string
-	SessionCookieName string
-}
-
 type UserController struct {
-	config UserControllerConfig
-	router *gin.RouterGroup
-	auth   *service.AuthService
+	log     *logger.Logger
+	runtime model.RuntimeConfig
+	auth    *service.AuthService
 }
 
-func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
-	return &UserController{
-		config: config,
-		router: router,
-		auth:   auth,
+func NewUserController(
+	log *logger.Logger,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *UserController {
+	controller := &UserController{
+		log:     log,
+		runtime: runtimeConfig,
+		auth:    auth,
 	}
-}
 
-func (controller *UserController) SetupRoutes() {
-	userGroup := controller.router.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
+	userGroup.POST("/tailscale", controller.tailscaleHandler)
+
+	return controller
 }
 
 func (controller *UserController) loginHandler(c *gin.Context) {
@@ -56,7 +57,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -64,13 +65,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Debug().Str("username", req.Username).Msg("Login attempt")
+	controller.log.App.Debug().Str("username", req.Username).Msg("Login attempt")
 
 	isLocked, remaining := controller.auth.IsAccountLocked(req.Username)
 
 	if isLocked {
-		tlog.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
-		tlog.AuditLoginFailure(c, req.Username, "username", "account locked")
+		controller.log.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
+		controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -84,16 +85,16 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	if err != nil {
 		if errors.Is(err, service.ErrUserNotFound) {
-			tlog.App.Warn().Str("username", req.Username).Msg("User not found")
+			controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
 			controller.auth.RecordLoginAttempt(req.Username, false)
-			tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
+			controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
-		tlog.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user")
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user during login attempt")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -102,9 +103,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	}
 
 	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
-		tlog.App.Warn().Err(err).Str("username", req.Username).Msg("Failed to verify password")
+		controller.log.App.Warn().Str("username", req.Username).Msg("Invalid password during login attempt")
 		controller.auth.RecordLoginAttempt(req.Username, false)
-		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
+		if search.Type == model.UserLocal {
+			controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "invalid password")
+		} else {
+			controller.log.AuditLoginFailure(req.Username, "ldap", c.ClientIP(), "invalid password")
+		}
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -118,7 +123,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		localUser = controller.auth.GetLocalUser(req.Username)
 
 		if localUser == nil {
-			tlog.App.Warn().Str("username", req.Username).Msg("User disappeared during login")
+			controller.log.App.Error().Str("username", req.Username).Msg("Local user not found after successful password verification")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -127,7 +132,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 
 		if localUser.TOTPSecret != "" {
-			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
+			controller.log.App.Debug().Str("username", req.Username).Msg("TOTP required for user, creating pending TOTP session")
 
 			name := localUser.Attributes.Name
 			if name == "" {
@@ -136,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 			email := localUser.Attributes.Email
 			if email == "" {
-				email = utils.CompileUserEmail(localUser.Username, controller.config.CookieDomain)
+				email = utils.CompileUserEmail(localUser.Username, controller.runtime.CookieDomain)
 			}
 
 			cookie, err := controller.auth.CreateSession(c, repository.Session{
@@ -148,7 +153,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			})
 
 			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
 				c.JSON(500, gin.H{
 					"status":  500,
 					"message": "Internal Server Error",
@@ -170,7 +175,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}
 
@@ -187,12 +192,10 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		sessionCookie.Provider = "ldap"
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -202,8 +205,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	http.SetCookie(c.Writer, cookie)
 
-	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
-	tlog.AuditLoginSuccess(c, req.Username, "username")
+	controller.log.App.Info().Str("username", req.Username).Msg("Login successful")
+
+	if search.Type == model.UserLocal {
+		controller.log.AuditLoginSuccess(req.Username, "local", c.ClientIP())
+	} else {
+		controller.log.AuditLoginSuccess(req.Username, "ldap", c.ClientIP())
+	}
 
 	controller.auth.RecordLoginAttempt(req.Username, true)
 
@@ -214,20 +222,20 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 }
 
 func (controller *UserController) logoutHandler(c *gin.Context) {
-	tlog.App.Debug().Msg("Logout request received")
+	controller.log.App.Debug().Msg("Logout attempt")
 
-	uuid, err := c.Cookie(controller.config.SessionCookieName)
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
 	if err != nil {
 		if errors.Is(err, http.ErrNoCookie) {
-			tlog.App.Warn().Msg("No session cookie found on logout request")
+			controller.log.App.Warn().Msg("Logout attempt without session cookie, treating as successful logout")
 			c.JSON(200, gin.H{
 				"status":  200,
 				"message": "Logout successful",
 			})
 			return
 		}
-		tlog.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
+		controller.log.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -238,7 +246,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	cookie, err := controller.auth.DeleteSession(c, uuid)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Error deleting session on logout")
+		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -249,10 +257,10 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err == nil {
-		tlog.AuditLogout(c, context.GetUsername(), context.GetProviderID())
+		controller.log.AuditLogout(context.GetUsername(), context.GetProviderID(), c.ClientIP())
 	} else {
-		tlog.App.Warn().Err(err).Msg("Failed to get user context for logout audit, proceeding without username")
-		tlog.AuditLogout(c, "unknown", "unknown")
+		controller.log.App.Warn().Err(err).Msg("Failed to get user context during logout, logging audit with unknown user")
+		controller.log.AuditLogout("unknown", "unknown", c.ClientIP())
 	}
 
 	http.SetCookie(c.Writer, cookie)
@@ -268,7 +276,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON for TOTP verification")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -279,7 +287,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get user context")
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -288,7 +296,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	}
 
 	if !context.TOTPPending() {
-		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("TOTP verification attempt without pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -296,12 +304,13 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
+	controller.log.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
 
 	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())
 
 	if isLocked {
-		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -314,7 +323,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	user := controller.auth.GetLocalUser(context.GetUsername())
 
 	if user == nil {
-		tlog.App.Error().Str("username", context.GetUsername()).Msg("User not found in TOTP handler")
+		controller.log.App.Error().Str("username", context.GetUsername()).Msg("Local user not found during TOTP verification")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -325,9 +334,9 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	ok := totp.Validate(req.Code, user.TOTPSecret)
 
 	if !ok {
-		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code")
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code during verification attempt")
 		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
-		tlog.AuditLoginFailure(c, context.GetUsername(), "totp", "invalid totp code")
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "invalid TOTP code")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -335,15 +344,15 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	uuid, err := c.Cookie(controller.config.SessionCookieName)
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
 	if err == nil {
 		_, err = controller.auth.DeleteSession(c, uuid)
 		if err != nil {
-			tlog.App.Warn().Err(err).Msg("Failed to delete pending TOTP session")
+			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
 	} else {
-		tlog.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, proceeding without deleting it")
+		controller.log.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, cannot delete it")
 	}
 
 	controller.auth.RecordLoginAttempt(context.GetUsername(), true)
@@ -351,7 +360,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}
 
@@ -362,12 +371,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -377,8 +384,58 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	http.SetCookie(c.Writer, cookie)
 
-	tlog.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful")
-	tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")
+	controller.log.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful, login complete")
+	controller.log.AuditLoginSuccess(context.GetUsername(), "local", c.ClientIP())
+
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Login successful",
+	})
+}
+
+func (controller *UserController) tailscaleHandler(c *gin.Context) {
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	if context.Tailscale == nil {
+		controller.log.App.Warn().Msg("Tailscale login attempt without Tailscale context")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	sessionCookie := repository.Session{
+		Username: context.Tailscale.Username,
+		Name:     context.Tailscale.Name,
+		Email:    context.Tailscale.Email,
+		Provider: "tailscale",
+	}
+
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", context.GetUsername()).Msg("Tailscale login successful, login complete")
+	controller.log.AuditLoginSuccess(context.GetUsername(), "tailscale", c.ClientIP())
 
 	c.JSON(200, gin.H{
 		"status":  200,

internal/controller/user_controller_test.go

@@ -5,8 +5,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
-	"path"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -19,53 +19,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestUserController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	authServiceCfg := service.AuthServiceConfig{
-		LocalUsers: &[]model.LocalUser{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-			{
-				Username: "attruser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				Attributes: model.UserAttributes{
-					Name:  "Alice Smith",
-					Email: "alice@example.com",
-				},
-			},
-			{
-				Username:   "attrtotpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-				Attributes: model.UserAttributes{
-					Name:  "Bob Jones",
-					Email: "bob@example.com",
-				},
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}
-
-	userControllerCfg := controller.UserControllerConfig{
-		CookieDomain:      "example.com",
-		SessionCookieName: "tinyauth-session",
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -111,14 +73,12 @@ func TestUserController(t *testing.T) {
 		})
 	}
 
-	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+	app := bootstrap.NewBootstrapApp(cfg)
 
-	app := bootstrap.NewBootstrapApp(model.Config{})
-
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)
 
-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())
 
 	type testCase struct {
 		description string
@@ -136,7 +96,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -144,7 +104,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -164,7 +124,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -179,13 +139,13 @@ func TestUserController(t *testing.T) {
 		{
 			description: "Should rate limit on 3 invalid attempts",
 			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				for range 3 {
 					recorder := httptest.NewRecorder()
@@ -201,7 +161,7 @@ func TestUserController(t *testing.T) {
 				}
 
 				// 4th attempt should be rate limited
-				recorder = httptest.NewRecorder() //nolint:staticcheck
+				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 
@@ -220,7 +180,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -231,12 +191,12 @@ func TestUserController(t *testing.T) {
 
 				decodedBody := make(map[string]any)
 				err = json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, decodedBody["totpPending"], true)
 
 				// should set the session cookie
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
@@ -257,7 +217,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -266,7 +226,7 @@ func TestUserController(t *testing.T) {
 
 				assert.Equal(t, 200, recorder.Code)
 				cookies := recorder.Result().Cookies()
-				assert.Len(t, cookies, 1)
+				require.Len(t, cookies, 1)
 
 				cookie := cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -280,7 +240,7 @@ func TestUserController(t *testing.T) {
 
 				assert.Equal(t, 200, recorder.Code)
 				cookies = recorder.Result().Cookies()
-				assert.Len(t, cookies, 1)
+				require.Len(t, cookies, 1)
 
 				cookie = cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -293,7 +253,7 @@ func TestUserController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{
 				totpCtx,
 			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-uuid",
 					Username:    "test",
@@ -307,16 +267,16 @@ func TestUserController(t *testing.T) {
 				require.NoError(t, err)
 
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				totpReq := controller.TotpRequest{
 					Code: code,
 				}
 
 				totpReqBody, err := json.Marshal(totpReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
-				recorder = httptest.NewRecorder() //nolint:staticcheck
+				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
 				req.AddCookie(&http.Cookie{
@@ -329,7 +289,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 
 				// should set a new session cookie with totp pending removed
 				totpCookie := recorder.Result().Cookies()[0]
@@ -345,16 +305,16 @@ func TestUserController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{
 				totpCtx,
 			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) { //nolint:staticcheck
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
 					totpReq := controller.TotpRequest{
 						Code: "000000", // invalid code
 					}
 
 					totpReqBody, err := json.Marshal(totpReq)
-					assert.NoError(t, err)
+					require.NoError(t, err)
 
-					recorder = httptest.NewRecorder() //nolint:staticcheck
+					recorder = httptest.NewRecorder()
 					req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 					req.Header.Set("Content-Type", "application/json")
 
@@ -456,21 +416,11 @@ func TestUserController(t *testing.T) {
 		},
 	}
 
-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
 
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -489,8 +439,7 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			userController := controller.NewUserController(userControllerCfg, group, authService)
-			userController.SetupRoutes()
+			controller.NewUserController(log, runtime, group, authService)
 
 			recorder := httptest.NewRecorder()
 
@@ -499,7 +448,6 @@ func TestUserController(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }

internal/controller/well_known_controller.go

@@ -26,28 +26,30 @@ type OpenIDConnectConfiguration struct {
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
-type WellKnownControllerConfig struct{}
-
 type WellKnownController struct {
-	config WellKnownControllerConfig
-	engine *gin.Engine
-	oidc   *service.OIDCService
+	oidc *service.OIDCService
 }
 
-func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
-	return &WellKnownController{
-		config: config,
-		oidc:   oidc,
-		engine: engine,
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
+	controller := &WellKnownController{
+		oidc: oidc,
 	}
-}
 
-func (controller *WellKnownController) SetupRoutes() {
-	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
+
+	return controller
 }
 
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                                 issuer,
@@ -69,11 +71,19 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 }
 
 func (controller *WellKnownController) JWKS(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	jwks, err := controller.oidc.GetJWK()
 
 	if err != nil {
 		c.JSON(500, gin.H{
-			"status":  "500",
+			"status":  500,
 			"message": "failed to get JWK",
 		})
 		return

internal/controller/well_known_controller_test.go

@@ -1,10 +1,11 @@
 package controller_test
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -12,30 +13,17 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestWellKnownController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]model.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	type testCase struct {
 		description string
@@ -56,11 +44,11 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)
 
 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					Issuer:                                 runtime.AppURL,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", runtime.AppURL),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", runtime.AppURL),
 					ScopesSupported:                        service.SupportedScopes,
 					ResponseTypesSupported:                 service.SupportedResponseTypes,
 					GrantTypesSupported:                    service.SupportedGrantTypes,
@@ -101,15 +89,17 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}
 
-	app := bootstrap.NewBootstrapApp(model.Config{})
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	app := bootstrap.NewBootstrapApp(cfg)
+
+	err := app.SetupDatabase()
 	require.NoError(t, err)
 
-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())
 
-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, ctx, wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -119,15 +109,13 @@ func TestWellKnownController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			wellKnownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, oidcService, router)
-			wellKnownController.SetupRoutes()
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)
 
 			test.run(t, router, recorder)
 		})
 	}
 
 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }

internal/middleware/context_middleware.go

@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 )
@@ -35,29 +35,30 @@ var (
 	}
 )
 
-type ContextMiddlewareConfig struct {
-	CookieDomain      string
-	SessionCookieName string
-}
-
 type ContextMiddleware struct {
-	config ContextMiddlewareConfig
-	auth   *service.AuthService
-	broker *service.OAuthBrokerService
+	log       *logger.Logger
+	runtime   model.RuntimeConfig
+	auth      *service.AuthService
+	broker    *service.OAuthBrokerService
+	tailscale *service.TailscaleService
 }
 
-func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
+func NewContextMiddleware(
+	log *logger.Logger,
+	runtime model.RuntimeConfig,
+	auth *service.AuthService,
+	broker *service.OAuthBrokerService,
+	tailscale *service.TailscaleService,
+) *ContextMiddleware {
 	return &ContextMiddleware{
-		config: config,
-		auth:   auth,
-		broker: broker,
+		log:       log,
+		runtime:   runtime,
+		auth:      auth,
+		broker:    broker,
+		tailscale: tailscale,
 	}
 }
 
-func (m *ContextMiddleware) Init() error {
-	return nil
-}
-
 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if m.isIgnorePath(c.Request.Method + " " + c.Request.URL.Path) {
@@ -65,22 +66,22 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
-		uuid, err := c.Cookie(m.config.SessionCookieName)
+		uuid, err := c.Cookie(m.runtime.SessionCookieName)
 
 		if err == nil {
-			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
+			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid, c.RemoteIP())
 
 			if err == nil {
 				if cookie != nil {
 					http.SetCookie(c.Writer, cookie)
 				}
 
-				tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
+				m.log.App.Debug().Msgf("Authenticated user %s via session cookie", userContext.GetUsername())
 				c.Set("context", userContext)
 				c.Next()
 				return
 			} else {
-				tlog.App.Error().Msgf("Error authenticating session cookie: %v", err)
+				m.log.App.Debug().Msgf("Error authenticating session cookie: %v", err)
 			}
 		}
 
@@ -90,7 +91,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			userContext, headers, err := m.basicAuth(username, password)
 
 			if err != nil {
-				tlog.App.Error().Msgf("Error authenticating basic auth: %v", err)
+				m.log.App.Error().Msgf("Error authenticating basic auth: %v", err)
 				c.Next()
 				return
 			}
@@ -104,11 +105,27 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
+		// Lastly check if we have a tailscale session to add
+		if m.tailscale != nil {
+			tailscaleContext, err := m.tailscaleWhois(c.Request.Context(), c.RemoteIP())
+
+			if err != nil {
+				m.log.App.Error().Err(err).Msgf("Error performing tailscale whois for IP %s: %v", c.RemoteIP(), err)
+			}
+
+			if tailscaleContext != nil {
+				c.Set("context", &model.UserContext{
+					Authenticated: false,
+					Tailscale:     tailscaleContext,
+				})
+			}
+		}
+
 		c.Next()
 	}
 }
 
-func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model.UserContext, *http.Cookie, error) {
+func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip string) (*model.UserContext, *http.Cookie, error) {
 	session, err := m.auth.GetSession(ctx, uuid)
 
 	if err != nil {
@@ -141,8 +158,20 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 		}
 
 		if userContext.Local.Attributes.Email == "" {
-			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.config.CookieDomain)
+			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.runtime.CookieDomain)
 		}
+	case model.ProviderTailscale:
+		tailscaleContext, err := m.tailscaleWhois(ctx, ip)
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("error performing tailscale whois: %w", err)
+		}
+
+		if tailscaleContext == nil {
+			return nil, nil, fmt.Errorf("tailscale whois returned no result for IP: %s", ip)
+		}
+
+		userContext.Tailscale = tailscaleContext
 	case model.ProviderLDAP:
 		search, err := m.auth.SearchUser(userContext.LDAP.Username)
 
@@ -162,7 +191,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 
 		userContext.LDAP.Groups = user.Groups
 		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
-		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.config.CookieDomain)
+		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.runtime.CookieDomain)
 	case model.ProviderOAuth:
 		_, exists := m.broker.GetService(userContext.OAuth.ID)
 
@@ -171,7 +200,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 		}
 
 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid) //nolint:errcheck
+			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
@@ -191,7 +220,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 	locked, remaining := m.auth.IsAccountLocked(username)
 
 	if locked {
-		tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
+		m.log.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
 		headers["x-tinyauth-lock-locked"] = "true"
 		headers["x-tinyauth-lock-reset"] = time.Now().Add(time.Duration(remaining) * time.Second).Format(time.RFC3339)
 		return nil, headers, nil
@@ -224,7 +253,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: user.Username,
 				Name:     utils.Capitalize(user.Username),
-				Email:    utils.CompileUserEmail(user.Username, m.config.CookieDomain),
+				Email:    utils.CompileUserEmail(user.Username, m.runtime.CookieDomain),
 			},
 			Attributes: user.Attributes,
 		}
@@ -240,7 +269,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: username,
 				Name:     utils.Capitalize(username),
-				Email:    utils.CompileUserEmail(username, m.config.CookieDomain),
+				Email:    utils.CompileUserEmail(username, m.runtime.CookieDomain),
 			},
 			Groups: user.Groups,
 		}
@@ -259,3 +288,36 @@ func (m *ContextMiddleware) isIgnorePath(path string) bool {
 	}
 	return false
 }
+
+func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*model.TailscaleContext, error) {
+	if m.tailscale == nil {
+		return nil, nil
+	}
+
+	whois, err := m.tailscale.Whois(ctx, ip)
+
+	if err != nil {
+		m.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return nil, err
+	}
+
+	if whois == nil {
+		return nil, nil
+	}
+
+	uctx := model.TailscaleContext{
+		BaseContext: model.BaseContext{
+			Username: whois.NodeName,
+			Email:    whois.LoginName,
+			Name:     whois.DisplayName,
+		},
+		UserID: whois.UserID,
+		Tags:   whois.Tags,
+	}
+
+	if !strings.ContainsAny(uctx.Email, "@") {
+		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
+	}
+
+	return &uctx, nil
+}

internal/middleware/context_middleware_test.go

@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"
 	"time"
 
@@ -17,36 +17,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestContextMiddleware(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	authServiceCfg := service.AuthServiceConfig{
-		LocalUsers: &[]model.LocalUser{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}
-
-	middlewareCfg := middleware.ContextMiddlewareConfig{
-		CookieDomain:      "example.com",
-		SessionCookieName: "tinyauth-session",
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
@@ -270,30 +249,20 @@ func TestContextMiddleware(t *testing.T) {
 		},
 	}
 
-	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
 
-	app := bootstrap.NewBootstrapApp(model.Config{})
+	app := bootstrap.NewBootstrapApp(cfg)
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	err := app.SetupDatabase()
 	require.NoError(t, err)
 
-	queries := repository.New(db)
+	queries := repository.New(app.GetDB())
 
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
 
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
-
-	contextMiddleware := middleware.NewContextMiddleware(middlewareCfg, authService, broker)
-	err = contextMiddleware.Init()
-	require.NoError(t, err)
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 
 	for _, test := range tests {
 		authService.ClearRateLimitsTestingOnly()
@@ -322,7 +291,6 @@ func TestContextMiddleware(t *testing.T) {
 	}
 
 	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
+		app.GetDB().Close()
 	})
 }

internal/middleware/ui_middleware.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 )
@@ -19,29 +18,25 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
 
-func NewUIMiddleware() *UIMiddleware {
-	return &UIMiddleware{}
-}
+func NewUIMiddleware() (*UIMiddleware, error) {
+	m := &UIMiddleware{}
 
-func (m *UIMiddleware) Init() error {
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")
 
 	if err != nil {
-		return err
+		return nil, fmt.Errorf("failed to load ui assets: %w", err)
 	}
 
 	m.uiFs = ui
 	m.uiFileServer = http.FileServerFS(ui)
 
-	return nil
+	return m, nil
 }
 
 func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
-		tlog.App.Debug().Str("path", path).Msg("path")
-
 		switch strings.SplitN(path, "/", 2)[0] {
 		case "api", "resources", ".well-known":
 			c.Next()

internal/middleware/zerolog_middleware.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 // See context middleware for explanation of why we have to do this
@@ -17,14 +17,14 @@ var (
 	}
 )
 
-type ZerologMiddleware struct{}
-
-func NewZerologMiddleware() *ZerologMiddleware {
-	return &ZerologMiddleware{}
+type ZerologMiddleware struct {
+	log *logger.Logger
 }
 
-func (m *ZerologMiddleware) Init() error {
-	return nil
+func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
+	return &ZerologMiddleware{
+		log: log,
+	}
 }
 
 func (m *ZerologMiddleware) logPath(path string) bool {
@@ -50,7 +50,7 @@ func (m *ZerologMiddleware) Middleware() gin.HandlerFunc {
 
 		latency := time.Since(tStart).String()
 
-		subLogger := tlog.HTTP.With().Str("method", method).
+		subLogger := m.log.HTTP.With().Str("method", method).
 			Str("path", path).
 			Str("address", address).
 			Str("client_ip", clientIP).

internal/model/config.go

@@ -14,8 +14,9 @@ func NewDefaultConfiguration() *Config {
 			Path:    "./resources",
 		},
 		Server: ServerConfig{
-			Port:    3000,
-			Address: "0.0.0.0",
+			Port:                       3000,
+			Address:                    "0.0.0.0",
+			ConcurrentListenersEnabled: false,
 		},
 		Auth: AuthConfig{
 			SubdomainsEnabled:  true,
@@ -60,6 +61,9 @@ func NewDefaultConfiguration() *Config {
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
+		Tailscale: TailscaleConfig{
+			Dir: "./state",
+		},
 		LabelProvider: "auto",
 	}
 }
@@ -77,8 +81,9 @@ type Config struct {
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
 	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
+	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
+	LabelProvider string             `description:"Label provider to use (docker, kubernetes, auto)." yaml:"labelProvider"`
 }
 
 type DatabaseConfig struct {
@@ -95,9 +100,10 @@ type ResourcesConfig struct {
 }
 
 type ServerConfig struct {
-	Port       int    `description:"The port on which the server listens." yaml:"port"`
-	Address    string `description:"The address on which the server listens." yaml:"address"`
-	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
+	Port                       int    `description:"The port on which the server listens." yaml:"port"`
+	Address                    string `description:"The address on which the server listens." yaml:"address"`
+	SocketPath                 string `description:"The path to the Unix socket." yaml:"socketPath"`
+	ConcurrentListenersEnabled bool   `description:"Enable listening on both TCP and Unix socket at the same time." yaml:"concurrentListenersEnabled"`
 }
 
 type AuthConfig struct {
@@ -147,10 +153,10 @@ type IPConfig struct {
 }
 
 type OAuthConfig struct {
-	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
-	WhitelistFile string                       `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
-	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
-	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
+	Whitelist     []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
+	WhitelistFile string                        `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
+	AutoRedirect  string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
+	Providers     map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
 
 type OIDCConfig struct {
@@ -199,6 +205,15 @@ type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 
+type TailscaleConfig struct {
+	Dir       string `description:"Tailscale state directory." yaml:"dir"`
+	Hostname  string `description:"Tailscale hostname." yaml:"hostname"`
+	AuthKey   string `description:"Tailscale auth key." yaml:"authKey"`
+	Ephemeral bool   `description:"Use ephemeral Tailscale node." yaml:"ephemeral"`
+}
+
+// OAuth/OIDC config
+
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
@@ -221,7 +236,13 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
-// ACLs
+type TailscaleWhoisResponse struct {
+	UserID      string
+	LoginName   string
+	DisplayName string
+	NodeName    string
+	Tags        []string
+}
 
 type Apps struct {
 	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`

internal/model/context.go

@@ -8,6 +8,10 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 
+var (
+	ErrUserContextNotFound = errors.New("user context not found")
+)
+
 type ProviderType int
 
 const (
@@ -15,6 +19,7 @@ const (
 	ProviderBasicAuth
 	ProviderOAuth
 	ProviderLDAP
+	ProviderTailscale
 )
 
 type UserContext struct {
@@ -23,6 +28,7 @@ type UserContext struct {
 	Local         *LocalContext
 	OAuth         *OAuthContext
 	LDAP          *LDAPContext
+	Tailscale     *TailscaleContext
 }
 
 type BaseContext struct {
@@ -50,6 +56,13 @@ type LDAPContext struct {
 	Groups []string
 }
 
+type TailscaleContext struct {
+	BaseContext
+	UserID string
+	// for future use
+	Tags []string
+}
+
 func (c *UserContext) IsAuthenticated() bool {
 	return c.Authenticated
 }
@@ -70,11 +83,15 @@ func (c *UserContext) IsBasicAuth() bool {
 	return c.Provider == ProviderBasicAuth && c.Local != nil
 }
 
+func (c *UserContext) IsTailscale() bool {
+	return c.Provider == ProviderTailscale && c.Tailscale != nil
+}
+
 func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 	userContextValue, exists := ginctx.Get("context")
 
 	if !exists {
-		return nil, errors.New("failed to get user context")
+		return nil, ErrUserContextNotFound
 	}
 
 	userContext, ok := userContextValue.(*UserContext)
@@ -83,7 +100,7 @@ func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 		return nil, errors.New("invalid user context type")
 	}
 
-	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil {
+	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil && userContext.Tailscale == nil {
 		return nil, errors.New("incomplete user context")
 	}
 
@@ -117,7 +134,16 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 				Email:    session.Email,
 			},
 		}
-	// By default we assume an unkown name which is oauth
+	case "tailscale":
+		c.Provider = ProviderTailscale
+		c.Tailscale = &TailscaleContext{
+			BaseContext: BaseContext{
+				Username: session.Username,
+				Name:     session.Name,
+				Email:    session.Email,
+			},
+		}
+	// By default we assume an unknown name which is oauth
 	default:
 		c.Provider = ProviderOAuth
 		c.OAuth = &OAuthContext{
@@ -141,85 +167,55 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 	return c, nil
 }
 
-func (c *UserContext) GetUsername() string {
+func (c *UserContext) getBaseContext() *BaseContext {
 	switch c.Provider {
-	case ProviderLocal:
+	case ProviderLocal, ProviderBasicAuth:
 		if c.Local == nil {
-			return ""
+			return nil
 		}
-		return c.Local.Username
+		return &c.Local.BaseContext
 	case ProviderLDAP:
 		if c.LDAP == nil {
-			return ""
+			return nil
 		}
-		return c.LDAP.Username
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Username
+		return &c.LDAP.BaseContext
 	case ProviderOAuth:
 		if c.OAuth == nil {
-			return ""
+			return nil
 		}
-		return c.OAuth.Username
+		return &c.OAuth.BaseContext
+	case ProviderTailscale:
+		if c.Tailscale == nil {
+			return nil
+		}
+		return &c.Tailscale.BaseContext
 	default:
+		return nil
+	}
+}
+
+func (c *UserContext) GetUsername() string {
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Username
 }
 
 func (c *UserContext) GetEmail() string {
-	switch c.Provider {
-	case ProviderLocal:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Email
-	case ProviderLDAP:
-		if c.LDAP == nil {
-			return ""
-		}
-		return c.LDAP.Email
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Email
-	case ProviderOAuth:
-		if c.OAuth == nil {
-			return ""
-		}
-		return c.OAuth.Email
-	default:
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Email
 }
 
 func (c *UserContext) GetName() string {
-	switch c.Provider {
-	case ProviderLocal:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Name
-	case ProviderLDAP:
-		if c.LDAP == nil {
-			return ""
-		}
-		return c.LDAP.Name
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Name
-	case ProviderOAuth:
-		if c.OAuth == nil {
-			return ""
-		}
-		return c.OAuth.Name
-	default:
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Name
 }
 
 func (c *UserContext) GetProviderID() string {
@@ -230,6 +226,8 @@ func (c *UserContext) GetProviderID() string {
 		return "ldap"
 	case ProviderOAuth:
 		return c.OAuth.ID
+	case ProviderTailscale:
+		return "tailscale"
 	default:
 		return "unknown"
 	}
@@ -248,3 +246,10 @@ func (c *UserContext) OAuthName() string {
 	}
 	return ""
 }
+
+func (c *UserContext) TailscaleNodeName() string {
+	if c.Tailscale != nil {
+		return c.Tailscale.Username
+	}
+	return ""
+}

internal/model/context_test.go

@@ -238,7 +238,7 @@ func TestContext(t *testing.T) {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: "failed to get user context",
+			expected: model.ErrUserContextNotFound.Error(),
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",

internal/model/runtime.go

@@ -0,0 +1,23 @@
+package model
+
+type RuntimeConfig struct {
+	AppURL                 string
+	UUID                   string
+	CookieDomain           string
+	SessionCookieName      string
+	CSRFCookieName         string
+	RedirectCookieName     string
+	OAuthSessionCookieName string
+	LocalUsers             []LocalUser
+	OAuthProviders         map[string]OAuthServiceConfig
+	OAuthWhitelist         []string
+	ConfiguredProviders    []Provider
+	OIDCClients            []OIDCClientConfig
+	TrustedDomains         []string
+}
+
+type Provider struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	OAuth bool   `json:"oauth"`
+}

internal/service/access_controls_service.go

@@ -4,7 +4,7 @@ import (
 	"strings"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 type LabelProvider interface {
@@ -12,32 +12,33 @@ type LabelProvider interface {
 }
 
 type AccessControlsService struct {
-	labelProvider LabelProvider
+	log           *logger.Logger
+	labelProvider *LabelProvider
 	static        map[string]model.App
 }
 
-func NewAccessControlsService(labelProvider LabelProvider, static map[string]model.App) *AccessControlsService {
+func NewAccessControlsService(
+	log *logger.Logger,
+	labelProvider *LabelProvider,
+	static map[string]model.App) *AccessControlsService {
 	return &AccessControlsService{
+		log:           log,
 		labelProvider: labelProvider,
 		static:        static,
 	}
 }
 
-func (acls *AccessControlsService) Init() error {
-	return nil // No initialization needed
-}
-
 func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
 	var appAcls *model.App
 	for app, config := range acls.static {
 		if config.Config.Domain == domain {
-			tlog.App.Debug().Str("name", app).Msg("Found matching container by domain")
+			acls.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
 			appAcls = &config
 			break // If we find a match by domain, we can stop searching
 		}
 
 		if strings.SplitN(domain, ".", 2)[0] == app {
-			tlog.App.Debug().Str("name", app).Msg("Found matching container by app name")
+			acls.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
 			appAcls = &config
 			break // If we find a match by app name, we can stop searching
 		}
@@ -50,11 +51,15 @@ func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App,
 	app := acls.lookupStaticACLs(domain)
 
 	if app != nil {
-		tlog.App.Debug().Msg("Using ACls from static configuration")
+		acls.log.App.Debug().Msg("Using static ACLs for app")
 		return app, nil
 	}
 
-	// Fallback to label provider
-	tlog.App.Debug().Msg("Falling back to label provider for ACLs")
-	return acls.labelProvider.GetLabels(domain)
+	// If we have a label provider configured, try to get ACLs from it
+	if acls.labelProvider != nil {
+		return (*acls.labelProvider).GetLabels(domain)
+	}
+
+	// no labels
+	return nil, nil
 }

internal/service/auth_service.go

@@ -14,7 +14,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"slices"
 
@@ -72,39 +72,43 @@ type Lockdown struct {
 	ActiveUntil time.Time
 }
 
-type AuthServiceConfig struct {
-	LocalUsers         *[]model.LocalUser
-	OauthWhitelist     []string
-	SessionExpiry      int
-	SessionMaxLifetime int
-	SecureCookie       bool
-	CookieDomain       string
-	LoginTimeout       int
-	LoginMaxRetries    int
-	SessionCookieName  string
-	IP                 model.IPConfig
-	LDAPGroupsCacheTTL int
-	SubdomainsEnabled  bool
-}
-
 type AuthService struct {
-	config               AuthServiceConfig
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
+	context context.Context
+
+	ldap        *LdapService
+	queries     *repository.Queries
+	oauthBroker *OAuthBrokerService
+	tailscale   *TailscaleService
+
 	loginAttempts        map[string]*LoginAttempt
 	ldapGroupsCache      map[string]*LdapGroupsCache
 	oauthPendingSessions map[string]*OAuthPendingSession
 	oauthMutex           sync.RWMutex
 	loginMutex           sync.RWMutex
 	ldapGroupsMutex      sync.RWMutex
-	ldap                 *LdapService
-	queries              *repository.Queries
-	oauthBroker          *OAuthBrokerService
 	lockdown             *Lockdown
 	lockdownCtx          context.Context
 	lockdownCancelFunc   context.CancelFunc
 }
 
-func NewAuthService(config AuthServiceConfig, ldap *LdapService, queries *repository.Queries, oauthBroker *OAuthBrokerService) *AuthService {
-	return &AuthService{
+func NewAuthService(
+	log *logger.Logger,
+	config model.Config,
+	runtime model.RuntimeConfig,
+	ctx context.Context,
+	wg *sync.WaitGroup,
+	ldap *LdapService,
+	queries *repository.Queries,
+	oauthBroker *OAuthBrokerService,
+	tailscale *TailscaleService,
+) *AuthService {
+	service := &AuthService{
+		log:                  log,
+		runtime:              runtime,
+		context:              ctx,
 		config:               config,
 		loginAttempts:        make(map[string]*LoginAttempt),
 		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
@@ -112,12 +116,12 @@ func NewAuthService(config AuthServiceConfig, ldap *LdapService, queries *reposi
 		ldap:                 ldap,
 		queries:              queries,
 		oauthBroker:          oauthBroker,
+		tailscale:            tailscale,
 	}
-}
 
-func (auth *AuthService) Init() error {
-	go auth.CleanupOAuthSessionsRoutine()
-	return nil
+	wg.Go(service.CleanupOAuthSessionsRoutine)
+
+	return service
 }
 
 func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error) {
@@ -128,7 +132,7 @@ func (auth *AuthService) SearchUser(username string) (*model.UserSearch, error)
 		}, nil
 	}
 
-	if auth.ldap.IsConfigured() {
+	if auth.ldap != nil {
 		userDN, err := auth.ldap.GetUserDN(username)
 
 		if err != nil {
@@ -153,7 +157,7 @@ func (auth *AuthService) CheckUserPassword(search model.UserSearch, password str
 		}
 		return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
 	case model.UserLDAP:
-		if auth.ldap.IsConfigured() {
+		if auth.ldap != nil {
 			err := auth.ldap.Bind(search.Username, password)
 			if err != nil {
 				return fmt.Errorf("failed to bind to ldap user: %w", err)
@@ -173,10 +177,10 @@ func (auth *AuthService) CheckUserPassword(search model.UserSearch, password str
 }
 
 func (auth *AuthService) GetLocalUser(username string) *model.LocalUser {
-	if auth.config.LocalUsers == nil {
+	if auth.runtime.LocalUsers == nil {
 		return nil
 	}
-	for _, user := range *auth.config.LocalUsers {
+	for _, user := range auth.runtime.LocalUsers {
 		if user.Username == username {
 			return &user
 		}
@@ -185,7 +189,7 @@ func (auth *AuthService) GetLocalUser(username string) *model.LocalUser {
 }
 
 func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
-	if !auth.ldap.IsConfigured() {
+	if auth.ldap == nil {
 		return nil, errors.New("ldap service not configured")
 	}
 
@@ -209,7 +213,7 @@ func (auth *AuthService) GetLDAPUser(userDN string) (*model.LDAPUser, error) {
 	auth.ldapGroupsMutex.Lock()
 	auth.ldapGroupsCache[userDN] = &LdapGroupsCache{
 		Groups:  groups,
-		Expires: time.Now().Add(time.Duration(auth.config.LDAPGroupsCacheTTL) * time.Second),
+		Expires: time.Now().Add(time.Duration(auth.config.LDAP.GroupCacheTTL) * time.Second),
 	}
 	auth.ldapGroupsMutex.Unlock()
 
@@ -228,7 +232,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 		return true, remaining
 	}
 
-	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
+	if auth.config.Auth.LoginMaxRetries <= 0 || auth.config.Auth.LoginTimeout <= 0 {
 		return false, 0
 	}
 
@@ -246,7 +250,7 @@ func (auth *AuthService) IsAccountLocked(identifier string) (bool, int) {
 }
 
 func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
-	if auth.config.LoginMaxRetries <= 0 || auth.config.LoginTimeout <= 0 {
+	if auth.config.Auth.LoginMaxRetries <= 0 || auth.config.Auth.LoginTimeout <= 0 {
 		return
 	}
 
@@ -277,14 +281,14 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 
 	attempt.FailedAttempts++
 
-	if attempt.FailedAttempts >= auth.config.LoginMaxRetries {
-		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second)
-		tlog.App.Warn().Str("identifier", identifier).Int("timeout", auth.config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
+	if attempt.FailedAttempts >= auth.config.Auth.LoginMaxRetries {
+		attempt.LockedUntil = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
+		auth.log.App.Warn().Str("identifier", identifier).Int("failedAttempts", attempt.FailedAttempts).Msg("Account locked due to too many failed login attempts")
 	}
 }
 
 func (auth *AuthService) IsEmailWhitelisted(email string) bool {
-	return utils.CheckFilter(strings.Join(auth.config.OauthWhitelist, ","), email)
+	return utils.CheckFilter(strings.Join(auth.runtime.OAuthWhitelist, ","), email)
 }
 
 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
@@ -299,7 +303,7 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	if data.TotpPending {
 		expiry = 3600
 	} else {
-		expiry = auth.config.SessionExpiry
+		expiry = auth.config.Auth.SessionExpiry
 	}
 
 	expiresAt := time.Now().Add(time.Duration(expiry) * time.Second)
@@ -324,14 +328,40 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
+	if data.Provider == "tailscale" {
+		if auth.tailscale == nil {
+			return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
+		}
+
+		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		return &http.Cookie{
+			Name:     auth.runtime.SessionCookieName,
+			Value:    session.UUID,
+			Path:     "/",
+			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
+			Expires:  expiresAt,
+			MaxAge:   int(time.Until(expiresAt).Seconds()),
+			Secure:   auth.config.Auth.SecureCookie,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+		}, nil
+	}
+
 	return &http.Cookie{
-		Name:     auth.config.SessionCookieName,
+		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
-		Secure:   auth.config.SecureCookie,
+		Secure:   auth.config.Auth.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -348,8 +378,8 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 
 	var refreshThreshold int64
 
-	if auth.config.SessionExpiry <= int(time.Hour.Seconds()) {
-		refreshThreshold = int64(auth.config.SessionExpiry / 2)
+	if auth.config.Auth.SessionExpiry <= int(time.Hour.Seconds()) {
+		refreshThreshold = int64(auth.config.Auth.SessionExpiry / 2)
 	} else {
 		refreshThreshold = int64(time.Hour.Seconds())
 	}
@@ -378,13 +408,13 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 	}
 
 	return &http.Cookie{
-		Name:     auth.config.SessionCookieName,
+		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
-		Secure:   auth.config.SecureCookie,
+		Secure:   auth.config.Auth.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -395,23 +425,17 @@ func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.
 	err := auth.queries.DeleteSession(ctx, uuid)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to delete session from database, proceeding to clear cookie anyway")
-	}
-
-	err = auth.queries.DeleteSession(ctx, uuid)
-
-	if err != nil {
-		return nil, err
+		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}
 
 	return &http.Cookie{
-		Name:     auth.config.SessionCookieName,
+		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.config.CookieDomain),
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  time.Now(),
 		MaxAge:   -1,
-		Secure:   auth.config.SecureCookie,
+		Secure:   auth.config.Auth.SecureCookie,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	}, nil
@@ -429,8 +453,8 @@ func (auth *AuthService) GetSession(ctx context.Context, uuid string) (*reposito
 
 	currentTime := time.Now().Unix()
 
-	if auth.config.SessionMaxLifetime != 0 && session.CreatedAt != 0 {
-		if currentTime-session.CreatedAt > int64(auth.config.SessionMaxLifetime) {
+	if auth.config.Auth.SessionMaxLifetime != 0 && session.CreatedAt != 0 {
+		if currentTime-session.CreatedAt > int64(auth.config.Auth.SessionMaxLifetime) {
 			err = auth.queries.DeleteSession(ctx, uuid)
 			if err != nil {
 				return nil, fmt.Errorf("failed to delete expired session: %w", err)
@@ -451,11 +475,11 @@ func (auth *AuthService) GetSession(ctx context.Context, uuid string) (*reposito
 }
 
 func (auth *AuthService) LocalAuthConfigured() bool {
-	return auth.config.LocalUsers != nil && len(*auth.config.LocalUsers) > 0
+	return len(auth.runtime.LocalUsers) > 0
 }
 
 func (auth *AuthService) LDAPAuthConfigured() bool {
-	return auth.ldap.IsConfigured()
+	return auth.ldap != nil
 }
 
 func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
@@ -464,18 +488,18 @@ func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext
 	}
 
 	if context.Provider == model.ProviderOAuth {
-		tlog.App.Debug().Msg("Checking OAuth whitelist")
+		auth.log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
 		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
 	}
 
 	if acls.Users.Block != "" {
-		tlog.App.Debug().Msg("Checking blocked users")
+		auth.log.App.Debug().Msg("Checking users block list")
 		if utils.CheckFilter(acls.Users.Block, context.GetUsername()) {
 			return false
 		}
 	}
 
-	tlog.App.Debug().Msg("Checking users")
+	auth.log.App.Debug().Msg("Checking users allow list")
 	return utils.CheckFilter(acls.Users.Allow, context.GetUsername())
 }
 
@@ -485,23 +509,23 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context model.UserContex
 	}
 
 	if !context.IsOAuth() {
-		tlog.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
+		auth.log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
 		return false
 	}
 
 	if _, ok := model.OverrideProviders[context.OAuth.ID]; ok {
-		tlog.App.Debug().Msg("Provider override for OAuth groups enabled, skipping group check")
+		auth.log.App.Debug().Str("provider", context.OAuth.ID).Msg("Provider override detected, skipping group check")
 		return true
 	}
 
 	for _, userGroup := range context.OAuth.Groups {
 		if utils.CheckFilter(acls.OAuth.Groups, strings.TrimSpace(userGroup)) {
-			tlog.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
+			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.OAuth.Groups).Msg("User group matched")
 			return true
 		}
 	}
 
-	tlog.App.Debug().Msg("No groups matched")
+	auth.log.App.Debug().Msg("No groups matched")
 	return false
 }
 
@@ -511,18 +535,18 @@ func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext
 	}
 
 	if !context.IsLDAP() {
-		tlog.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
+		auth.log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
 		return false
 	}
 
 	for _, userGroup := range context.LDAP.Groups {
 		if utils.CheckFilter(acls.LDAP.Groups, strings.TrimSpace(userGroup)) {
-			tlog.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
+			auth.log.App.Trace().Str("group", userGroup).Str("required", acls.LDAP.Groups).Msg("User group matched")
 			return true
 		}
 	}
 
-	tlog.App.Debug().Msg("No groups matched")
+	auth.log.App.Debug().Msg("No groups matched")
 	return false
 }
 
@@ -566,17 +590,17 @@ func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
 	}
 
 	// Merge the global and app IP filter
-	blockedIps := append(auth.config.IP.Block, acls.IP.Block...)
-	allowedIPs := append(auth.config.IP.Allow, acls.IP.Allow...)
+	blockedIps := append(auth.config.Auth.IP.Block, acls.IP.Block...)
+	allowedIPs := append(auth.config.Auth.IP.Allow, acls.IP.Allow...)
 
 	for _, blocked := range blockedIps {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
-			tlog.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
+			auth.log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
 			continue
 		}
 		if res {
-			tlog.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in blocked list, denying access")
+			auth.log.App.Debug().Str("ip", ip).Str("item", blocked).Msg("IP is in block list, denying access")
 			return false
 		}
 	}
@@ -584,21 +608,21 @@ func (auth *AuthService) CheckIP(ip string, acls *model.App) bool {
 	for _, allowed := range allowedIPs {
 		res, err := utils.FilterIP(allowed, ip)
 		if err != nil {
-			tlog.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
+			auth.log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
 			continue
 		}
 		if res {
-			tlog.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allowed list, allowing access")
+			auth.log.App.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allow list, allowing access")
 			return true
 		}
 	}
 
 	if len(allowedIPs) > 0 {
-		tlog.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
+		auth.log.App.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
 		return false
 	}
 
-	tlog.App.Debug().Str("ip", ip).Msg("IP not in allow or block list, allowing by default")
+	auth.log.App.Debug().Str("ip", ip).Msg("IP not in any block or allow list, allowing access by default")
 	return true
 }
 
@@ -610,16 +634,16 @@ func (auth *AuthService) IsBypassedIP(ip string, acls *model.App) bool {
 	for _, bypassed := range acls.IP.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {
-			tlog.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
+			auth.log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
 			continue
 		}
 		if res {
-			tlog.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, allowing access")
+			auth.log.App.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
 			return true
 		}
 	}
 
-	tlog.App.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
+	auth.log.App.Debug().Str("ip", ip).Msg("IP not in bypass list, proceeding with authentication")
 	return false
 }
 
@@ -723,21 +747,32 @@ func (auth *AuthService) EndOAuthSession(sessionId string) {
 }
 
 func (auth *AuthService) CleanupOAuthSessionsRoutine() {
+	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")
+
 	ticker := time.NewTicker(30 * time.Minute)
 	defer ticker.Stop()
 
-	for range ticker.C {
-		auth.oauthMutex.Lock()
+	for {
+		select {
+		case <-ticker.C:
+			auth.log.App.Debug().Msg("Running OAuth session cleanup")
 
-		now := time.Now()
+			auth.oauthMutex.Lock()
 
-		for sessionId, session := range auth.oauthPendingSessions {
-			if now.After(session.ExpiresAt) {
-				delete(auth.oauthPendingSessions, sessionId)
+			now := time.Now()
+
+			for sessionId, session := range auth.oauthPendingSessions {
+				if now.After(session.ExpiresAt) {
+					delete(auth.oauthPendingSessions, sessionId)
+				}
 			}
-		}
 
-		auth.oauthMutex.Unlock()
+			auth.oauthMutex.Unlock()
+			auth.log.App.Debug().Msg("OAuth session cleanup completed")
+		case <-auth.context.Done():
+			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
+			return
+		}
 	}
 }
 
@@ -806,11 +841,11 @@ func (auth *AuthService) lockdownMode() {
 
 	auth.loginMutex.Lock()
 
-	tlog.App.Warn().Msg("Multiple login attempts detected, possibly DDOS attack. Activating temporary lockdown.")
+	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 
 	auth.lockdown = &Lockdown{
 		Active:      true,
-		ActiveUntil: time.Now().Add(time.Duration(auth.config.LoginTimeout) * time.Second),
+		ActiveUntil: time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second),
 	}
 
 	// At this point all login attemps will also expire so,
@@ -827,11 +862,14 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
+	case <-auth.context.Done():
+		// Service is shutting down, end lockdown
 	}
 
 	auth.loginMutex.Lock()
 
-	tlog.App.Info().Msg("Lockdown period ended, resuming normal operation")
+	auth.log.App.Info().Msg("Exiting lockdown mode")
+
 	auth.lockdown = nil
 	auth.loginMutex.Unlock()
 }

internal/service/docker_service.go

@@ -3,51 +3,56 @@ package service
 import (
 	"context"
 	"strings"
+	"sync"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 )
 
 type DockerService struct {
-	client      *client.Client
-	context     context.Context
+	log     *logger.Logger
+	client  *client.Client
+	context context.Context
+
 	isConnected bool
 }
 
-func NewDockerService() *DockerService {
-	return &DockerService{}
-}
+func NewDockerService(
+	log *logger.Logger,
+	ctx context.Context,
+	wg *sync.WaitGroup,
+) (*DockerService, error) {
 
-func (docker *DockerService) Init() error {
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	ctx := context.Background()
 	client.NegotiateAPIVersion(ctx)
 
-	docker.client = client
-	docker.context = ctx
-
-	_, err = docker.client.Ping(docker.context)
+	_, err = client.Ping(ctx)
 
 	if err != nil {
-		tlog.App.Debug().Err(err).Msg("Docker not connected")
-		docker.isConnected = false
-		docker.client = nil
-		docker.context = nil
-		return nil
+		log.App.Debug().Err(err).Msg("Docker not connected")
+		return nil, nil
 	}
 
-	docker.isConnected = true
-	tlog.App.Debug().Msg("Docker connected")
+	service := &DockerService{
+		log:     log,
+		client:  client,
+		context: ctx,
+	}
 
-	return nil
+	service.isConnected = true
+	service.log.App.Debug().Msg("Docker connected successfully")
+
+	wg.Go(service.watchAndClose)
+
+	return service, nil
 }
 
 func (docker *DockerService) getContainers() ([]container.Summary, error) {
@@ -60,7 +65,7 @@ func (docker *DockerService) inspectContainer(containerId string) (container.Ins
 
 func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 	if !docker.isConnected {
-		tlog.App.Debug().Msg("Docker not connected, returning empty labels")
+		docker.log.App.Debug().Msg("Docker service not connected, returning empty labels")
 		return nil, nil
 	}
 
@@ -82,17 +87,28 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 
 		for appName, appLabels := range labels.Apps {
 			if appLabels.Config.Domain == appDomain {
-				tlog.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
+				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
 				return &appLabels, nil
 			}
 
 			if strings.SplitN(appDomain, ".", 2)[0] == appName {
-				tlog.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
+				docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
 				return &appLabels, nil
 			}
 		}
 	}
 
-	tlog.App.Debug().Msg("No matching container found, returning empty labels")
+	docker.log.App.Debug().Str("domain", appDomain).Msg("No matching container found for domain")
 	return nil, nil
 }
+
+func (docker *DockerService) watchAndClose() {
+	<-docker.context.Done()
+	docker.log.App.Debug().Msg("Closing Docker client")
+	if docker.client != nil {
+		err := docker.client.Close()
+		if err != nil {
+			docker.log.App.Error().Err(err).Msg("Error closing Docker client")
+		}
+	}
+}

internal/service/kubernetes_service.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -36,9 +36,10 @@ type ingressApp struct {
 }
 
 type KubernetesService struct {
+	log *logger.Logger
+	ctx context.Context
+
 	client       dynamic.Interface
-	ctx          context.Context
-	cancel       context.CancelFunc
 	started      bool
 	mu           sync.RWMutex
 	ingressApps  map[ingressKey][]ingressApp
@@ -46,12 +47,55 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }
 
-func NewKubernetesService() *KubernetesService {
-	return &KubernetesService{
+func NewKubernetesService(
+	log *logger.Logger,
+	ctx context.Context,
+	wg *sync.WaitGroup,
+) (*KubernetesService, error) {
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
+	}
+
+	client, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create kubernetes client: %w", err)
+	}
+
+	gvr := schema.GroupVersionResource{
+		Group:    "networking.k8s.io",
+		Version:  "v1",
+		Resource: "ingresses",
+	}
+
+	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
+	defer accessCancel()
+
+	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
+	if err != nil {
+		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		return nil, fmt.Errorf("failed to access ingress api: %w", err)
+	}
+
+	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+
+	service := &KubernetesService{
+		log:          log,
+		ctx:          ctx,
+		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
+
+	wg.Go(func() {
+		service.watchGVR(gvr)
+	})
+
+	service.started = true
+	log.App.Debug().Msg("Kubernetes label provider started successfully")
+
+	return service, nil
 }
 
 func (k *KubernetesService) addIngressApps(namespace, name string, apps []ingressApp) {
@@ -133,7 +177,7 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	}
 	labels, err := decoders.DecodeLabels[model.Apps](annotations, "apps")
 	if err != nil {
-		tlog.App.Debug().Err(err).Msg("Failed to decode labels from annotations")
+		k.log.App.Warn().Err(err).Str("namespace", namespace).Str("name", name).Msg("Failed to decode ingress labels, skipping")
 		k.removeIngress(namespace, name)
 		return
 	}
@@ -161,13 +205,13 @@ func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {
 
 	list, err := k.client.Resource(gvr).List(ctx, metav1.ListOptions{})
 	if err != nil {
-		tlog.App.Debug().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to list ingresses during resync")
+		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to list resources for resync")
 		return err
 	}
 	for i := range list.Items {
 		k.updateFromItem(&list.Items[i])
 	}
-	tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Int("count", len(list.Items)).Msg("Resynced ingress cache")
+	k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Int("count", len(list.Items)).Msg("Resync complete")
 	return nil
 }
 
@@ -181,14 +225,14 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 			return false
 		case event, ok := <-w.ResultChan():
 			if !ok {
-				tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher channel closed, restarting in 5 seconds")
+				k.log.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Watcher channel closed, restarting watcher")
 				w.Stop()
 				time.Sleep(5 * time.Second)
 				return true
 			}
 			item, ok := event.Object.(*unstructured.Unstructured)
 			if !ok {
-				tlog.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Failed to cast watched object")
+				k.log.App.Warn().Str("api", gvr.GroupVersion().String()).Msg("Received unexpected event object, skipping")
 				continue
 			}
 			switch event.Type {
@@ -199,7 +243,7 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 			}
 		case <-resyncTicker.C:
 			if err := k.resyncGVR(gvr); err != nil {
-				tlog.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed")
+				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed during watcher run")
 			}
 		}
 	}
@@ -210,29 +254,29 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	defer resyncTicker.Stop()
 
 	if err := k.resyncGVR(gvr); err != nil {
-		tlog.App.Error().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, retrying in 30 seconds")
+		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, will retry")
 		time.Sleep(30 * time.Second)
 	}
 
 	for {
 		select {
 		case <-k.ctx.Done():
-			tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Stopping watcher")
+			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Shutting down kubernetes watcher")
 			return
 		case <-resyncTicker.C:
 			if err := k.resyncGVR(gvr); err != nil {
-				tlog.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed")
+				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed, will retry")
 			}
 		default:
 			ctx, cancel := context.WithCancel(k.ctx)
 			watcher, err := k.client.Resource(gvr).Watch(ctx, metav1.ListOptions{})
 			if err != nil {
-				tlog.App.Error().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher")
+				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher, will retry")
 				cancel()
 				time.Sleep(10 * time.Second)
 				continue
 			}
-			tlog.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started")
+			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started successfully")
 			if !k.runWatcher(gvr, watcher, resyncTicker) {
 				cancel()
 				return
@@ -242,65 +286,25 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	}
 }
 
-func (k *KubernetesService) Init() error {
-	var cfg *rest.Config
-	var err error
-
-	cfg, err = rest.InClusterConfig()
-	if err != nil {
-		return fmt.Errorf("failed to get in-cluster Kubernetes config: %w", err)
-	}
-
-	client, err := dynamic.NewForConfig(cfg)
-	if err != nil {
-		return fmt.Errorf("failed to create Kubernetes client: %w", err)
-	}
-
-	k.client = client
-	k.ctx, k.cancel = context.WithCancel(context.Background())
-
-	gvr := schema.GroupVersionResource{
-		Group:    "networking.k8s.io",
-		Version:  "v1",
-		Resource: "ingresses",
-	}
-
-	accessCtx, accessCancel := context.WithTimeout(k.ctx, 5*time.Second)
-	defer accessCancel()
-	_, err = k.client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
-	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Insufficient permissions for networking.k8s.io/v1 Ingress, Kubernetes label provider will not work")
-		k.started = false
-		return nil
-	}
-
-	tlog.App.Debug().Msg("networking.k8s.io/v1 Ingress API accessible")
-	go k.watchGVR(gvr)
-
-	k.started = true
-	tlog.App.Info().Msg("Kubernetes label provider initialized")
-	return nil
-}
-
 func (k *KubernetesService) GetLabels(appDomain string) (*model.App, error) {
 	if !k.started {
-		tlog.App.Debug().Msg("Kubernetes not connected, returning empty labels")
+		k.log.App.Debug().Str("domain", appDomain).Msg("Kubernetes label provider not started, skipping")
 		return nil, nil
 	}
 
 	// First check cache
 	app := k.getByDomain(appDomain)
 	if app != nil {
-		tlog.App.Debug().Str("domain", appDomain).Msg("Found labels in cache by domain")
+		k.log.App.Debug().Str("domain", appDomain).Msg("Found labels in cache by domain")
 		return app, nil
 	}
 	appName := strings.SplitN(appDomain, ".", 2)[0]
 	app = k.getByAppName(appName)
 	if app != nil {
-		tlog.App.Debug().Str("domain", appDomain).Str("appName", appName).Msg("Found labels in cache by app name")
+		k.log.App.Debug().Str("domain", appDomain).Str("appName", appName).Msg("Found labels in cache by app name")
 		return app, nil
 	}
 
-	tlog.App.Debug().Str("domain", appDomain).Msg("Cache miss, no matching ingress found")
+	k.log.App.Debug().Str("domain", appDomain).Msg("No labels found for domain")
 	return nil, nil
 }

internal/service/kubernetes_service_test.go

@@ -8,9 +8,13 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestKubernetesService(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
 	type testCase struct {
 		description string
 		run         func(t *testing.T, svc *KubernetesService)
@@ -179,6 +183,7 @@ func TestKubernetesService(t *testing.T) {
 				ingressApps:  make(map[ingressKey][]ingressApp),
 				domainIndex:  make(map[string]ingressAppKey),
 				appNameIndex: make(map[string]ingressAppKey),
+				log:          log,
 			}
 			test.run(t, svc)
 		})

internal/service/ldap_service.go

@@ -9,69 +9,47 @@ import (
 
 	"github.com/cenkalti/backoff/v5"
 	ldapgo "github.com/go-ldap/ldap/v3"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-type LdapServiceConfig struct {
-	Address      string
-	BindDN       string
-	BindPassword string
-	BaseDN       string
-	Insecure     bool
-	SearchFilter string
-	AuthCert     string
-	AuthKey      string
-}
-
 type LdapService struct {
-	config       LdapServiceConfig
-	conn         *ldapgo.Conn
-	mutex        sync.RWMutex
-	cert         *tls.Certificate
-	isConfigured bool
+	log     *logger.Logger
+	config  model.Config
+	context context.Context
+
+	conn  *ldapgo.Conn
+	mutex sync.RWMutex
+	cert  *tls.Certificate
 }
 
-func NewLdapService(config LdapServiceConfig) *LdapService {
-	return &LdapService{
-		config: config,
-	}
-}
-
-func (ldap *LdapService) IsConfigured() bool {
-	return ldap.isConfigured
-}
-
-func (ldap *LdapService) Unconfigure() error {
-	if !ldap.isConfigured {
-		return nil
+func NewLdapService(
+	log *logger.Logger,
+	config model.Config,
+	ctx context.Context,
+	wg *sync.WaitGroup,
+) (*LdapService, error) {
+	if config.LDAP.Address == "" {
+		return nil, nil
 	}
 
-	if ldap.conn != nil {
-		if err := ldap.conn.Close(); err != nil {
-			return fmt.Errorf("failed to close LDAP connection: %w", err)
-		}
+	ldap := &LdapService{
+		log:     log,
+		config:  config,
+		context: ctx,
 	}
 
-	ldap.isConfigured = false
-	return nil
-}
-
-func (ldap *LdapService) Init() error {
-	if ldap.config.Address == "" {
-		ldap.isConfigured = false
-		return nil
-	}
-
-	ldap.isConfigured = true
-
 	// Check whether authentication with client certificate is possible
-	if ldap.config.AuthCert != "" && ldap.config.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(ldap.config.AuthCert, ldap.config.AuthKey)
+	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
+		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
+
 		if err != nil {
-			return fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
+			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
+
+		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+
 		ldap.cert = &cert
-		tlog.App.Info().Msg("Using LDAP with mTLS authentication")
 
 		// TODO: Add optional extra CA certificates, instead of `InsecureSkipVerify`
 		/*
@@ -84,26 +62,39 @@ func (ldap *LdapService) Init() error {
 			}
 		*/
 	}
+
 	_, err := ldap.connect()
+
 	if err != nil {
-		return fmt.Errorf("failed to connect to LDAP server: %w", err)
+		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
 
-	go func() {
-		for range time.Tick(time.Duration(5) * time.Minute) {
-			err := ldap.heartbeat()
-			if err != nil {
-				tlog.App.Error().Err(err).Msg("LDAP connection heartbeat failed")
-				if reconnectErr := ldap.reconnect(); reconnectErr != nil {
-					tlog.App.Error().Err(reconnectErr).Msg("Failed to reconnect to LDAP server")
-					continue
+	wg.Go(func() {
+		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
+
+		ticker := time.NewTicker(5 * time.Minute)
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ticker.C:
+				err := ldap.heartbeat()
+				if err != nil {
+					ldap.log.App.Warn().Err(err).Msg("LDAP connection heartbeat failed, attempting to reconnect")
+					if reconnectErr := ldap.reconnect(); reconnectErr != nil {
+						ldap.log.App.Error().Err(reconnectErr).Msg("Failed to reconnect to LDAP server")
+						continue
+					}
+					ldap.log.App.Info().Msg("Successfully reconnected to LDAP server")
 				}
-				tlog.App.Info().Msg("Successfully reconnected to LDAP server")
+			case <-ldap.context.Done():
+				ldap.log.App.Debug().Msg("LDAP service context cancelled, stopping heartbeat")
+				return
 			}
 		}
-	}()
+	})
 
-	return nil
+	return ldap, nil
 }
 
 func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
@@ -120,13 +111,13 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	// 2. conn.StartTLS(tlsConfig)
 	// 3. conn.externalBind()
 	if ldap.cert != nil {
-		conn, err = ldapgo.DialURL(ldap.config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+		conn, err = ldapgo.DialURL(ldap.config.LDAP.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 			MinVersion:   tls.VersionTLS12,
 			Certificates: []tls.Certificate{*ldap.cert},
 		}))
 	} else {
-		conn, err = ldapgo.DialURL(ldap.config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
-			InsecureSkipVerify: ldap.config.Insecure,
+		conn, err = ldapgo.DialURL(ldap.config.LDAP.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+			InsecureSkipVerify: ldap.config.LDAP.Insecure,
 			MinVersion:         tls.VersionTLS12,
 		}))
 	}
@@ -146,10 +137,10 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 func (ldap *LdapService) GetUserDN(username string) (string, error) {
 	// Escape the username to prevent LDAP injection
 	escapedUsername := ldapgo.EscapeFilter(username)
-	filter := fmt.Sprintf(ldap.config.SearchFilter, escapedUsername)
+	filter := fmt.Sprintf(ldap.config.LDAP.SearchFilter, escapedUsername)
 
 	searchRequest := ldapgo.NewSearchRequest(
-		ldap.config.BaseDN,
+		ldap.config.LDAP.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
 		filter,
 		[]string{"dn"},
@@ -176,7 +167,7 @@ func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	escapedUserDN := ldapgo.EscapeFilter(userDN)
 
 	searchRequest := ldapgo.NewSearchRequest(
-		ldap.config.BaseDN,
+		ldap.config.LDAP.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf("(&(objectclass=groupOfUniqueNames)(uniquemember=%s))", escapedUserDN),
 		[]string{"dn"},
@@ -224,7 +215,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.BindDN, ldap.config.BindPassword)
+	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
 
 func (ldap *LdapService) Bind(userDN string, password string) error {
@@ -238,7 +229,7 @@ func (ldap *LdapService) Bind(userDN string, password string) error {
 }
 
 func (ldap *LdapService) heartbeat() error {
-	tlog.App.Debug().Msg("Performing LDAP connection heartbeat")
+	ldap.log.App.Debug().Msg("Performing LDAP connection heartbeat")
 
 	searchRequest := ldapgo.NewSearchRequest(
 		"",
@@ -260,7 +251,7 @@ func (ldap *LdapService) heartbeat() error {
 }
 
 func (ldap *LdapService) reconnect() error {
-	tlog.App.Info().Msg("Reconnecting to LDAP server")
+	ldap.log.App.Info().Msg("Attempting to reconnect to LDAP server")
 
 	exp := backoff.NewExponentialBackOff()
 	exp.InitialInterval = 500 * time.Millisecond
@@ -269,7 +260,7 @@ func (ldap *LdapService) reconnect() error {
 	exp.Reset()
 
 	operation := func() (*ldapgo.Conn, error) {
-		ldap.conn.Close() //nolint:errcheck
+		ldap.conn.Close()
 		conn, err := ldap.connect()
 		if err != nil {
 			return nil, err

internal/service/oauth_broker_service.go

@@ -1,8 +1,10 @@
 package service
 
 import (
+	"context"
+
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"slices"
 
@@ -19,33 +21,39 @@ type OAuthServiceImpl interface {
 }
 
 type OAuthBrokerService struct {
+	log *logger.Logger
+
 	services map[string]OAuthServiceImpl
 	configs  map[string]model.OAuthServiceConfig
 }
 
-var presets = map[string]func(config model.OAuthServiceConfig) *OAuthService{
+var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Context) *OAuthService{
 	"github": newGitHubOAuthService,
 	"google": newGoogleOAuthService,
 }
 
-func NewOAuthBrokerService(configs map[string]model.OAuthServiceConfig) *OAuthBrokerService {
-	return &OAuthBrokerService{
+func NewOAuthBrokerService(
+	log *logger.Logger,
+	configs map[string]model.OAuthServiceConfig,
+	ctx context.Context,
+) *OAuthBrokerService {
+	service := &OAuthBrokerService{
+		log:      log,
 		services: make(map[string]OAuthServiceImpl),
 		configs:  configs,
 	}
-}
 
-func (broker *OAuthBrokerService) Init() error {
-	for name, cfg := range broker.configs {
+	for name, cfg := range configs {
 		if presetFunc, exists := presets[name]; exists {
-			broker.services[name] = presetFunc(cfg)
-			tlog.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
+			service.services[name] = presetFunc(cfg, ctx)
+			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			broker.services[name] = NewOAuthService(cfg, name)
-			tlog.App.Debug().Str("service", name).Msg("Loaded OAuth service from config")
+			service.services[name] = NewOAuthService(cfg, name, ctx)
+			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}
-	return nil
+
+	return service
 }
 
 func (broker *OAuthBrokerService) GetConfiguredServices() []string {

internal/service/oauth_extractors.go

@@ -92,7 +92,7 @@ func simpleReq[T any](client *http.Client, url string, headers map[string]string
 	if err != nil {
 		return nil, err
 	}
-	defer res.Body.Close() //nolint:errcheck
+	defer res.Body.Close()
 
 	if res.StatusCode < 200 || res.StatusCode >= 300 {
 		return nil, fmt.Errorf("request failed with status: %s", res.Status)

internal/service/oauth_presets.go

@@ -1,23 +1,25 @@
 package service
 
 import (
+	"context"
+
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"golang.org/x/oauth2/endpoints"
 )
 
-func newGoogleOAuthService(config model.OAuthServiceConfig) *OAuthService {
+func newGoogleOAuthService(config model.OAuthServiceConfig, ctx context.Context) *OAuthService {
 	scopes := []string{"openid", "email", "profile"}
 	config.Scopes = scopes
 	config.AuthURL = endpoints.Google.AuthURL
 	config.TokenURL = endpoints.Google.TokenURL
 	config.UserinfoURL = "https://openidconnect.googleapis.com/v1/userinfo"
-	return NewOAuthService(config, "google")
+	return NewOAuthService(config, "google", ctx)
 }
 
-func newGitHubOAuthService(config model.OAuthServiceConfig) *OAuthService {
+func newGitHubOAuthService(config model.OAuthServiceConfig, ctx context.Context) *OAuthService {
 	scopes := []string{"read:user", "user:email"}
 	config.Scopes = scopes
 	config.AuthURL = endpoints.GitHub.AuthURL
 	config.TokenURL = endpoints.GitHub.TokenURL
-	return NewOAuthService(config, "github").WithUserinfoExtractor(githubExtractor)
+	return NewOAuthService(config, "github", ctx).WithUserinfoExtractor(githubExtractor)
 }

internal/service/oauth_service.go

@@ -20,7 +20,7 @@ type OAuthService struct {
 	id                string
 }
 
-func NewOAuthService(config model.OAuthServiceConfig, id string) *OAuthService {
+func NewOAuthService(config model.OAuthServiceConfig, id string, ctx context.Context) *OAuthService {
 	httpClient := &http.Client{
 		Timeout: 30 * time.Second,
 		Transport: &http.Transport{
@@ -29,8 +29,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string) *OAuthService {
 			},
 		},
 	}
-	ctx := context.Background()
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
+	vctx := context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 
 	return &OAuthService{
 		serviceCfg: config,
@@ -44,7 +43,7 @@ func NewOAuthService(config model.OAuthServiceConfig, id string) *OAuthService {
 				TokenURL: config.TokenURL,
 			},
 		},
-		ctx:               ctx,
+		ctx:               vctx,
 		userinfoExtractor: defaultExtractor,
 		id:                id,
 	}

internal/service/oidc_service.go

@@ -16,6 +16,7 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"sync"
 	"time"
 
 	"slices"
@@ -25,7 +26,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 var (
@@ -111,172 +112,173 @@ type AuthorizeRequest struct {
 	CodeChallengeMethod string `json:"code_challenge_method"`
 }
 
-type OIDCServiceConfig struct {
-	Clients        map[string]model.OIDCClientConfig
-	PrivateKeyPath string
-	PublicKeyPath  string
-	Issuer         string
-	SessionExpiry  int
-}
-
 type OIDCService struct {
-	config       OIDCServiceConfig
-	queries      *repository.Queries
-	clients      map[string]model.OIDCClientConfig
-	privateKey   *rsa.PrivateKey
-	publicKey    crypto.PublicKey
-	issuer       string
-	isConfigured bool
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
+	queries *repository.Queries
+	context context.Context
+
+	clients    map[string]model.OIDCClientConfig
+	privateKey *rsa.PrivateKey
+	publicKey  crypto.PublicKey
+	issuer     string
 }
 
-func NewOIDCService(config OIDCServiceConfig, queries *repository.Queries) *OIDCService {
-	return &OIDCService{
-		config:  config,
-		queries: queries,
-	}
-}
-
-func (service *OIDCService) IsConfigured() bool {
-	return service.isConfigured
-}
-
-func (service *OIDCService) Init() error {
+func NewOIDCService(
+	log *logger.Logger,
+	config model.Config,
+	runtime model.RuntimeConfig,
+	queries *repository.Queries,
+	ctx context.Context,
+	wg *sync.WaitGroup) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(service.config.Clients) == 0 {
-		service.isConfigured = false
-		return nil
+	if len(runtime.OIDCClients) == 0 {
+		return nil, nil
 	}
 
-	service.isConfigured = true
-
 	// Ensure issuer is https
-	uissuer, err := url.Parse(service.config.Issuer)
+	uissuer, err := url.Parse(runtime.AppURL)
 
 	if err != nil {
-		return err
+		return nil, fmt.Errorf("failed to parse app url: %w", err)
 	}
 
 	if uissuer.Scheme != "https" {
-		return errors.New("issuer must be https")
+		return nil, errors.New("issuer must be https")
 	}
 
-	service.issuer = fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
+	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
 
 	// Create/load private and public keys
-	if strings.TrimSpace(service.config.PrivateKeyPath) == "" ||
-		strings.TrimSpace(service.config.PublicKeyPath) == "" {
-		return errors.New("private key path and public key path are required")
+	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
+		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
+		return nil, errors.New("private key path and public key path are required")
 	}
 
 	var privateKey *rsa.PrivateKey
 
-	fprivateKey, err := os.ReadFile(service.config.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return err
+		return nil, err
 	}
 
 	if errors.Is(err, os.ErrNotExist) {
 		privateKey, err = rsa.GenerateKey(rand.Reader, 2048)
 		if err != nil {
-			return err
+			return nil, fmt.Errorf("failed to generate private key: %w", err)
 		}
 		der := x509.MarshalPKCS1PrivateKey(privateKey)
 		if der == nil {
-			return errors.New("failed to marshal private key")
+			return nil, errors.New("failed to marshal private key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		tlog.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err = os.WriteFile(service.config.PrivateKeyPath, encoded, 0600)
+		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
-			return err
+			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
-		service.privateKey = privateKey
 	} else {
 		block, _ := pem.Decode(fprivateKey)
 		if block == nil {
-			return errors.New("failed to decode private key")
+			return nil, errors.New("failed to decode private key")
 		}
-		tlog.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
-			return err
+			return nil, fmt.Errorf("failed to parse private key: %w", err)
 		}
-		service.privateKey = privateKey
 	}
 
-	fpublicKey, err := os.ReadFile(service.config.PublicKeyPath)
+	var publicKey crypto.PublicKey
+
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return err
+		return nil, fmt.Errorf("failed to read public key: %w", err)
 	}
 
 	if errors.Is(err, os.ErrNotExist) {
-		publicKey := service.privateKey.Public()
+		publicKey = privateKey.Public()
 		der := x509.MarshalPKCS1PublicKey(publicKey.(*rsa.PublicKey))
 		if der == nil {
-			return errors.New("failed to marshal public key")
+			return nil, errors.New("failed to marshal public key")
 		}
 		encoded := pem.EncodeToMemory(&pem.Block{
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		tlog.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err = os.WriteFile(service.config.PublicKeyPath, encoded, 0644)
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
-			return err
+			return nil, err
 		}
-		service.publicKey = publicKey
 	} else {
 		block, _ := pem.Decode(fpublicKey)
 		if block == nil {
-			return errors.New("failed to decode public key")
+			return nil, errors.New("failed to decode public key")
 		}
-		tlog.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
-			publicKey, err := x509.ParsePKCS1PublicKey(block.Bytes)
+			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
 			if err != nil {
-				return err
+				return nil, fmt.Errorf("failed to parse public key: %w", err)
 			}
-			service.publicKey = publicKey
 		case "PUBLIC KEY":
-			publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+			publicKey, err = x509.ParsePKIXPublicKey(block.Bytes)
 			if err != nil {
-				return err
+				return nil, fmt.Errorf("failed to parse public key: %w", err)
 			}
-			service.publicKey = publicKey.(crypto.PublicKey)
 		default:
-			return fmt.Errorf("unsupported public key type: %s", block.Type)
+			return nil, fmt.Errorf("unsupported public key type: %s", block.Type)
 		}
 	}
 
 	// We will reorganize the client into a map with the client ID as the key
-	service.clients = make(map[string]model.OIDCClientConfig)
+	clients := make(map[string]model.OIDCClientConfig)
 
-	for id, client := range service.config.Clients {
+	for id, client := range config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
 		}
-		service.clients[client.ClientID] = client
+		clients[client.ClientID] = client
 	}
 
 	// Load the client secrets from files if they exist
-	for id, client := range service.clients {
+	for id, client := range clients {
 		secret := utils.GetSecret(client.ClientSecret, client.ClientSecretFile)
 		if secret != "" {
 			client.ClientSecret = secret
 		}
 		client.ClientSecretFile = ""
-		service.clients[id] = client
-		tlog.App.Info().Str("id", client.ID).Msg("Registered OIDC client")
+		clients[id] = client
+		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}
 
-	return nil
+	// Initialize the service
+	service := &OIDCService{
+		log:     log,
+		config:  config,
+		runtime: runtime,
+		queries: queries,
+		context: ctx,
+
+		clients:    clients,
+		privateKey: privateKey,
+		publicKey:  publicKey,
+		issuer:     issuer,
+	}
+
+	// Start cleanup routine
+	wg.Go(service.cleanupRoutine)
+
+	return service, nil
 }
 
 func (service *OIDCService) GetIssuer() string {
@@ -307,7 +309,7 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 			return errors.New("invalid_scope")
 		}
 		if !slices.Contains(SupportedScopes, scope) {
-			tlog.App.Warn().Str("scope", scope).Msg("Unsupported OIDC scope, will be ignored")
+			service.log.App.Warn().Str("scope", scope).Msg("Requested unsupported scope")
 		}
 	}
 
@@ -357,7 +359,7 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 			entry.CodeChallenge = req.CodeChallenge
 		} else {
 			entry.CodeChallenge = service.hashAndEncodePKCE(req.CodeChallenge)
-			tlog.App.Warn().Msg("Received plain PKCE code challenge, it's recommended to use S256 for better security")
+			service.log.App.Warn().Msg("Using plain PKCE code challenge method is not recommended, consider switching to S256 for better security")
 		}
 	}
 
@@ -449,7 +451,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client
 
 func (service *OIDCService) generateIDToken(client model.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
-	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
+	expiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
 
 	hasher := sha256.New()
 
@@ -529,16 +531,16 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client model.OID
 	accessToken := utils.GenerateString(32)
 	refreshToken := utils.GenerateString(32)
 
-	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
+	tokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
 
 	// Refresh token lives double the time of an access token but can't be used to access userinfo
-	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()
+	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry*2) * time.Second).Unix()
 
 	tokenResponse := TokenResponse{
 		AccessToken:  accessToken,
 		RefreshToken: refreshToken,
 		TokenType:    "Bearer",
-		ExpiresIn:    int64(service.config.SessionExpiry),
+		ExpiresIn:    int64(service.config.Auth.SessionExpiry),
 		IDToken:      idToken,
 		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
@@ -598,14 +600,14 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 	accessToken := utils.GenerateString(32)
 	newRefreshToken := utils.GenerateString(32)
 
-	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
-	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()
+	tokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry) * time.Second).Unix()
+	refreshTokenExpiresAt := time.Now().Add(time.Duration(service.config.Auth.SessionExpiry*2) * time.Second).Unix()
 
 	tokenResponse := TokenResponse{
 		AccessToken:  accessToken,
 		RefreshToken: newRefreshToken,
 		TokenType:    "Bearer",
-		ExpiresIn:    int64(service.config.SessionExpiry),
+		ExpiresIn:    int64(service.config.Auth.SessionExpiry),
 		IDToken:      idToken,
 		Scope:        strings.ReplaceAll(entry.Scope, ",", " "),
 	}
@@ -748,56 +750,62 @@ func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) er
 }
 
 // Cleanup routine - Resource heavy due to the linked tables
-func (service *OIDCService) Cleanup() {
-	// We need a context for the routine
-	ctx := context.Background()
-
+func (service *OIDCService) cleanupRoutine() {
+	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 
-	for range ticker.C {
-		currentTime := time.Now().Unix()
+	for {
+		select {
+		case <-ticker.C:
+			service.log.App.Debug().Msg("Performing OIDC cleanup routine")
 
-		// For the OIDC tokens, if they are expired we delete the userinfo and codes
-		expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
-			TokenExpiresAt:        currentTime,
-			RefreshTokenExpiresAt: currentTime,
-		})
+			currentTime := time.Now().Unix()
 
-		if err != nil {
-			tlog.App.Warn().Err(err).Msg("Failed to delete expired tokens")
-		}
+			// For the OIDC tokens, if they are expired we delete the userinfo and codes
+			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(service.context, repository.DeleteExpiredOidcTokensParams{
+				TokenExpiresAt:        currentTime,
+				RefreshTokenExpiresAt: currentTime,
+			})
 
-		for _, expiredToken := range expiredTokens {
-			err := service.DeleteOldSession(ctx, expiredToken.Sub)
 			if err != nil {
-				tlog.App.Warn().Err(err).Msg("Failed to delete old session")
+				service.log.App.Warn().Err(err).Msg("Failed to delete expired tokens")
 			}
-		}
 
-		// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
-		expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
+			for _, expiredToken := range expiredTokens {
+				err := service.DeleteOldSession(service.context, expiredToken.Sub)
+				if err != nil {
+					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
+				}
+			}
 
-		if err != nil {
-			tlog.App.Warn().Err(err).Msg("Failed to delete expired codes")
-		}
-
-		for _, expiredCode := range expiredCodes {
-			token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
+			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
+			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(service.context, currentTime)
 
 			if err != nil {
-				if errors.Is(err, sql.ErrNoRows) {
+				service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
+			}
+
+			for _, expiredCode := range expiredCodes {
+				token, err := service.queries.GetOidcTokenBySub(service.context, expiredCode.Sub)
+
+				if err != nil {
+					service.log.App.Warn().Err(err).Msg("Failed to get token by sub for expired code")
 					continue
 				}
-				tlog.App.Warn().Err(err).Msg("Failed to get OIDC token by sub")
-			}
 
-			if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
-				err := service.DeleteOldSession(ctx, expiredCode.Sub)
-				if err != nil {
-					tlog.App.Warn().Err(err).Msg("Failed to delete session")
+				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
+					err := service.DeleteOldSession(service.context, expiredCode.Sub)
+					if err != nil {
+						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
+					}
 				}
 			}
+
+			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
+		case <-service.context.Done():
+			service.log.App.Debug().Msg("Stopping OIDC cleanup routine")
+			return
 		}
 	}
 }

internal/service/oidc_service_test.go

@@ -1,7 +1,9 @@
 package service_test
 
 import (
+	"context"
 	"encoding/json"
+	"sync"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -10,6 +12,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func newTestUser() repository.OidcUserinfo {
@@ -48,13 +51,29 @@ func newTestUser() repository.OidcUserinfo {
 
 func TestCompileUserinfo(t *testing.T) {
 	dir := t.TempDir()
-	svc := service.NewOIDCService(service.OIDCServiceConfig{
-		PrivateKeyPath: dir + "/key.pem",
-		PublicKeyPath:  dir + "/key.pub",
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  3600,
-	}, nil)
-	require.NoError(t, svc.Init())
+
+	cfg := model.Config{
+		OIDC: model.OIDCConfig{
+			PrivateKeyPath: dir + "/key.pem",
+			PublicKeyPath:  dir + "/key.pub",
+		},
+		Auth: model.AuthConfig{
+			SessionExpiry: 3600,
+		},
+	}
+
+	runtime := model.RuntimeConfig{
+		AppURL: "https://tinyauth.example.com",
+	}
+
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
+
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, ctx, wg)
+	require.NoError(t, err)
 
 	type testCase struct {
 		description string

internal/service/tailscale_service.go

@@ -0,0 +1,146 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"tailscale.com/client/local"
+	"tailscale.com/tsnet"
+)
+
+type TailscaleService struct {
+	log    *logger.Logger
+	wg     *sync.WaitGroup
+	config model.Config
+	ctx    context.Context
+
+	srv *tsnet.Server
+	lc  *local.Client
+	ln  *net.Listener
+}
+
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, wg *sync.WaitGroup) (*TailscaleService, error) {
+	srv := new(tsnet.Server)
+
+	// node options
+	srv.Dir = config.Tailscale.Dir
+	srv.Hostname = config.Tailscale.Hostname
+	srv.AuthKey = config.Tailscale.AuthKey
+	srv.Ephemeral = config.Tailscale.Ephemeral
+
+	// redirect logs to zerolog
+	srv.Logf = log.App.Printf
+	srv.UserLogf = log.App.Printf
+
+	err := srv.Start()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to start tailscale server: %w", err)
+	}
+
+	lc, err := srv.LocalClient()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get tailscale local client: %w", err)
+	}
+
+	service := &TailscaleService{
+		log:    log,
+		wg:     wg,
+		config: config,
+		ctx:    ctx,
+		srv:    srv,
+		lc:     lc,
+	}
+
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute)
+	defer cancel()
+
+	err = service.waitForConn(connectCtx)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
+	}
+
+	wg.Go(service.watchAndClose)
+
+	return service, nil
+}
+
+func (ts *TailscaleService) watchAndClose() {
+	<-ts.ctx.Done()
+	ts.log.App.Debug().Msg("Shutting down Tailscale service")
+	if ts.ln != nil {
+		(*ts.ln).Close()
+	}
+	if ts.srv != nil {
+		ts.srv.Close()
+	}
+}
+
+func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*model.TailscaleWhoisResponse, error) {
+	who, err := ts.lc.WhoIs(ctx, addr)
+
+	if err != nil {
+		if errors.Is(err, local.ErrPeerNotFound) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to get client whois: %w", err)
+	}
+
+	res := model.TailscaleWhoisResponse{
+		UserID:      who.UserProfile.ID.String(),
+		LoginName:   who.UserProfile.LoginName,
+		DisplayName: who.UserProfile.DisplayName,
+		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
+		Tags:        who.Node.Tags,
+	}
+
+	return &res, nil
+}
+
+func (ts *TailscaleService) CreateListener() (net.Listener, error) {
+	if ts.ln != nil {
+		return *ts.ln, nil
+	}
+	ln, err := ts.srv.ListenTLS("tcp", ":443")
+	if err != nil {
+		return nil, err
+	}
+	ts.ln = &ln
+	return ln, nil
+}
+
+func (ts *TailscaleService) GetHostname() string {
+	status, err := ts.lc.Status(ts.ctx)
+
+	if err != nil {
+		ts.log.App.Error().Err(err).Msg("Failed to get Tailscale status")
+		return ""
+	}
+
+	return strings.TrimSuffix(status.Self.DNSName, ".")
+}
+
+func (ts *TailscaleService) waitForConn(ctx context.Context) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return fmt.Errorf("timed out waiting for tailscale connection")
+		default:
+			ip4, _ := ts.srv.TailscaleIPs()
+			if !ip4.IsValid() {
+				time.Sleep(1 * time.Second)
+				continue
+			}
+			return nil
+		}
+	}
+}

internal/test/test.go

@@ -0,0 +1,106 @@
+package test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"golang.org/x/crypto/bcrypt"
+)
+
+var TestingTOTPSecret = "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK"
+
+func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
+	tempDir := t.TempDir()
+
+	config := model.Config{
+		UI: model.UIConfig{
+			Title:                 "Tinyauth Test",
+			ForgotPasswordMessage: "foo",
+			BackgroundImage:       "/background.jpg",
+			WarningsEnabled:       true,
+		},
+		OAuth: model.OAuthConfig{
+			AutoRedirect: "none",
+		},
+		OIDC: model.OIDCConfig{
+			Clients: map[string]model.OIDCClientConfig{
+				"test": {
+					ClientID:            "some-client-id",
+					ClientSecret:        "some-client-secret",
+					TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+					Name:                "Test Client",
+				},
+			},
+			PrivateKeyPath: filepath.Join(tempDir, "key.pem"),
+			PublicKeyPath:  filepath.Join(tempDir, "key.pub"),
+		},
+		Auth: model.AuthConfig{
+			SessionExpiry:   10,
+			LoginTimeout:    10,
+			LoginMaxRetries: 3,
+		},
+		Database: model.DatabaseConfig{
+			Path: filepath.Join(tempDir, "test.db"),
+		},
+		Resources: model.ResourcesConfig{
+			Enabled: true,
+			Path:    filepath.Join(tempDir, "resources"),
+		},
+	}
+
+	passwd, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
+	require.NoError(t, err)
+
+	runtime := model.RuntimeConfig{
+		ConfiguredProviders: []model.Provider{
+			{
+				Name:  "Local",
+				ID:    "local",
+				OAuth: false,
+			},
+		},
+		LocalUsers: []model.LocalUser{
+			{
+				Username: "testuser",
+				Password: string(passwd),
+			},
+			{
+				Username:   "totpuser",
+				Password:   string(passwd),
+				TOTPSecret: TestingTOTPSecret,
+			},
+			{
+				Username: "attruser",
+				Password: string(passwd),
+				Attributes: model.UserAttributes{
+					Name:  "Alice Smith",
+					Email: "alice@example.com",
+				},
+			},
+			{
+				Username:   "attrtotpuser",
+				Password:   string(passwd),
+				TOTPSecret: TestingTOTPSecret,
+				Attributes: model.UserAttributes{
+					Name:  "Bob Jones",
+					Email: "bob@example.com",
+				},
+			},
+		},
+		CookieDomain:      "example.com",
+		AppURL:            "https://tinyauth.example.com",
+		SessionCookieName: "tinyauth-session",
+		OIDCClients: func() []model.OIDCClientConfig {
+			var clients []model.OIDCClientConfig
+			for id, client := range config.OIDC.Clients {
+				client.ID = id
+				clients = append(clients, client)
+			}
+			return clients
+		}(),
+	}
+
+	return config, runtime
+}

internal/utils/app_utils.go

@@ -7,8 +7,6 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
-
 	"github.com/weppos/publicsuffix-go/publicsuffix"
 )
 
@@ -28,7 +26,6 @@ func GetCookieDomain(u string) (string, error) {
 	parts := strings.Split(host, ".")
 
 	if len(parts) == 2 {
-		tlog.App.Warn().Msgf("Running on the root domain, cookies will be set for .%v", host)
 		return host, nil
 	}
 

internal/utils/fs_utils_test.go

@@ -18,7 +18,7 @@ func TestReadFile(t *testing.T) {
 
 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_file") //nolint:errcheck
+	defer os.Remove("/tmp/tinyauth_test_file")
 
 	// Normal case
 	content, err := ReadFile("/tmp/tinyauth_test_file")

internal/utils/logger/logger.go

@@ -0,0 +1,160 @@
+package logger
+
+import (
+	"io"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+)
+
+type Logger struct {
+	HTTP   zerolog.Logger
+	App    zerolog.Logger
+	config model.LogConfig
+	base   zerolog.Logger
+	audit  zerolog.Logger
+	writer io.Writer
+}
+
+func NewLogger() *Logger {
+	return &Logger{
+		writer: os.Stderr,
+		config: model.LogConfig{
+			Level: "error",
+			Json:  true,
+			Streams: model.LogStreams{
+				HTTP: model.LogStreamConfig{
+					Enabled: true,
+				},
+				App: model.LogStreamConfig{
+					Enabled: true,
+				},
+				// No reason to enable audit by default since it will be suppressed by the log level
+			},
+		},
+	}
+}
+
+func (l *Logger) WithConfig(cfg model.LogConfig) *Logger {
+	l.config = cfg
+	return l
+}
+
+func (l *Logger) WithSimpleConfig() *Logger {
+	l.config = model.LogConfig{
+		Level: "info",
+		Json:  false,
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true},
+			App:   model.LogStreamConfig{Enabled: true},
+			Audit: model.LogStreamConfig{Enabled: false},
+		},
+	}
+	return l
+}
+
+func (l *Logger) WithTestConfig() *Logger {
+	l.config = model.LogConfig{
+		Level: "trace",
+		Streams: model.LogStreams{
+			HTTP:  model.LogStreamConfig{Enabled: true},
+			App:   model.LogStreamConfig{Enabled: true},
+			Audit: model.LogStreamConfig{Enabled: true},
+		},
+	}
+	return l
+}
+
+func (l *Logger) WithWriter(writer io.Writer) *Logger {
+	l.writer = writer
+	return l
+}
+
+func (l *Logger) Init() {
+	base := log.With().
+		Timestamp().
+		Logger().
+		Level(l.parseLogLevel(l.config.Level)).Output(l.writer)
+
+	if !l.config.Json {
+		base = base.Output(zerolog.ConsoleWriter{
+			Out:        l.writer,
+			TimeFormat: time.RFC3339,
+		})
+	}
+
+	if base.GetLevel() == zerolog.TraceLevel || base.GetLevel() == zerolog.DebugLevel {
+		base = base.With().Caller().Logger()
+	}
+
+	l.base = base
+	l.audit = l.createLogger("audit", l.config.Streams.Audit)
+	l.HTTP = l.createLogger("http", l.config.Streams.HTTP)
+	l.App = l.createLogger("app", l.config.Streams.App)
+}
+
+func (l *Logger) parseLogLevel(level string) zerolog.Level {
+	if level == "" {
+		return zerolog.InfoLevel
+	}
+	parsed, err := zerolog.ParseLevel(strings.ToLower(level))
+	if err != nil {
+		log.Warn().Err(err).Str("level", level).Msg("Invalid log level, defaulting to error")
+		parsed = zerolog.ErrorLevel
+	}
+	return parsed
+}
+
+func (l *Logger) createLogger(component string, cfg model.LogStreamConfig) zerolog.Logger {
+	if !cfg.Enabled {
+		return zerolog.Nop()
+	}
+	sub := l.base.With().Str("stream", component).Logger()
+	if cfg.Level != "" {
+		sub = sub.Level(l.parseLogLevel(cfg.Level))
+	}
+	return sub
+}
+
+func (l *Logger) AuditLoginSuccess(username, provider, ip string) {
+	l.audit.Info().
+		CallerSkipFrame(1).
+		Str("event", "login").
+		Str("result", "success").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", ip).
+		Send()
+}
+
+func (l *Logger) AuditLoginFailure(username, provider, ip, reason string) {
+	l.audit.Warn().
+		CallerSkipFrame(1).
+		Str("event", "login").
+		Str("result", "failure").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", ip).
+		Str("reason", reason).
+		Send()
+}
+
+func (l *Logger) AuditLogout(username, provider, ip string) {
+	l.audit.Info().
+		CallerSkipFrame(1).
+		Str("event", "logout").
+		Str("result", "success").
+		Str("username", username).
+		Str("provider", provider).
+		Str("ip", ip).
+		Send()
+}
+
+// Used for testing
+func (l *Logger) GetConfig() model.LogConfig {
+	return l.config
+}

internal/utils/logger/logger_test.go

@@ -0,0 +1,173 @@
+package logger_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestLogger(t *testing.T) {
+	type testCase struct {
+		description string
+		run         func(t *testing.T)
+	}
+
+	tests := []testCase{
+		{
+			description: "Should create a simple logger with the expected config",
+			run: func(t *testing.T) {
+				l := logger.NewLogger().WithSimpleConfig()
+				l.Init()
+
+				cfg := l.GetConfig()
+
+				assert.Equal(t, cfg, model.LogConfig{
+					Level: "info",
+					Json:  false,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: true},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: false},
+					},
+				})
+			},
+		},
+		{
+			description: "Should create a test logger with the expected config",
+			run: func(t *testing.T) {
+				l := logger.NewLogger().WithTestConfig()
+				l.Init()
+
+				cfg := l.GetConfig()
+
+				assert.Equal(t, cfg, model.LogConfig{
+					Level: "trace",
+					Json:  false,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: true},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: true},
+					},
+				})
+			},
+		},
+		{
+			description: "Should create a logger with a custom config",
+			run: func(t *testing.T) {
+				customCfg := model.LogConfig{
+					Level: "debug",
+					Json:  true,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: false},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: false},
+					},
+				}
+
+				l := logger.NewLogger().WithConfig(customCfg)
+				l.Init()
+
+				cfg := l.GetConfig()
+
+				assert.Equal(t, cfg, customCfg)
+			},
+		},
+		{
+			description: "Default logger should use error type and log json",
+			run: func(t *testing.T) {
+				buf := bytes.Buffer{}
+
+				l := logger.NewLogger().WithWriter(&buf)
+				l.Init()
+
+				cfg := l.GetConfig()
+
+				assert.Equal(t, cfg, model.LogConfig{
+					Level: "error",
+					Json:  true,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: true},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: false},
+					},
+				})
+
+				l.App.Error().Msg("test")
+
+				var entry map[string]any
+				err := json.Unmarshal(buf.Bytes(), &entry)
+				require.NoError(t, err)
+
+				assert.Equal(t, "test", entry["message"])
+				assert.Equal(t, "app", entry["stream"])
+				assert.Equal(t, "error", entry["level"])
+				assert.NotEmpty(t, entry["time"])
+			},
+		},
+		{
+			description: "Should default to error level if an invalid level is provided",
+			run: func(t *testing.T) {
+				buf := bytes.Buffer{}
+
+				customCfg := model.LogConfig{
+					Level: "invalid",
+					Json:  false,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: true},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: false},
+					},
+				}
+
+				l := logger.NewLogger().WithConfig(customCfg).WithWriter(&buf)
+				l.Init()
+
+				assert.Equal(t, zerolog.ErrorLevel, l.App.GetLevel())
+				assert.Equal(t, zerolog.ErrorLevel, l.HTTP.GetLevel())
+
+				// should not get logged
+				l.AuditLoginFailure("test", "test", "test", "test")
+
+				assert.Empty(t, buf.String())
+			},
+		},
+		{
+			description: "Should use nop logger for disabled streams",
+			run: func(t *testing.T) {
+				buf := bytes.Buffer{}
+
+				customCfg := model.LogConfig{
+					Level: "info",
+					Json:  false,
+					Streams: model.LogStreams{
+						HTTP:  model.LogStreamConfig{Enabled: false},
+						App:   model.LogStreamConfig{Enabled: true},
+						Audit: model.LogStreamConfig{Enabled: false},
+					},
+				}
+
+				l := logger.NewLogger().WithConfig(customCfg).WithWriter(&buf)
+				l.Init()
+
+				assert.Equal(t, zerolog.Disabled, l.HTTP.GetLevel())
+
+				l.App.Info().Msg("test")
+
+				l.AuditLoginFailure("test_nop", "test_nop", "test_nop", "test_nop")
+
+				assert.NotEmpty(t, buf.String())
+				assert.NotContains(t, buf.String(), "test_nop")
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, test.run)
+	}
+}

internal/utils/security_utils.go

@@ -53,7 +53,7 @@ func FilterIP(filter string, ip string) (bool, error) {
 		return false, errors.New("invalid IP address")
 	}
 
-	filter = strings.ReplaceAll(filter, "-", "/")
+	filter = strings.Replace(filter, "-", "/", -1)
 
 	if strings.Contains(filter, "/") {
 		_, cidr, err := net.ParseCIDR(filter)

internal/utils/security_utils_test.go

@@ -19,7 +19,7 @@ func TestGetSecret(t *testing.T) {
 
 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_secret") //nolint:errcheck
+	defer os.Remove("/tmp/tinyauth_test_secret")
 
 	// Get from config
 	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", ""))

internal/utils/string_utils_test.go

@@ -73,7 +73,7 @@ func TestGetStringList(t *testing.T) {
 
 	err = file.Close()
 	assert.NoError(t, err)
-	defer os.Remove("/tmp/tinyauth_list_test_file") //nolint:errcheck
+	defer os.Remove("/tmp/tinyauth_list_test_file")
 
 	values, err := utils.GetStringList([]string{" first@example.com ", "", "second@example.com"}, "/tmp/tinyauth_list_test_file")
 	assert.NoError(t, err)

internal/utils/tlog/log_audit.go

@@ -1,39 +0,0 @@
-package tlog
-
-import "github.com/gin-gonic/gin"
-
-// functions here use CallerSkipFrame to ensure correct caller info is logged
-
-func AuditLoginSuccess(c *gin.Context, username, provider string) {
-	Audit.Info().
-		CallerSkipFrame(1).
-		Str("event", "login").
-		Str("result", "success").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", c.ClientIP()).
-		Send()
-}
-
-func AuditLoginFailure(c *gin.Context, username, provider string, reason string) {
-	Audit.Warn().
-		CallerSkipFrame(1).
-		Str("event", "login").
-		Str("result", "failure").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", c.ClientIP()).
-		Str("reason", reason).
-		Send()
-}
-
-func AuditLogout(c *gin.Context, username, provider string) {
-	Audit.Info().
-		CallerSkipFrame(1).
-		Str("event", "logout").
-		Str("result", "success").
-		Str("username", username).
-		Str("provider", provider).
-		Str("ip", c.ClientIP()).
-		Send()
-}

internal/utils/tlog/log_wrapper.go

@@ -1,97 +0,0 @@
-package tlog
-
-import (
-	"os"
-	"strings"
-	"time"
-
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-)
-
-type Logger struct {
-	Audit zerolog.Logger
-	HTTP  zerolog.Logger
-	App   zerolog.Logger
-}
-
-var (
-	Audit zerolog.Logger
-	HTTP  zerolog.Logger
-	App   zerolog.Logger
-)
-
-func NewLogger(cfg model.LogConfig) *Logger {
-	baseLogger := log.With().
-		Timestamp().
-		Caller().
-		Logger().
-		Level(parseLogLevel(cfg.Level))
-
-	if !cfg.Json {
-		baseLogger = baseLogger.Output(zerolog.ConsoleWriter{
-			Out:        os.Stderr,
-			TimeFormat: time.RFC3339,
-		})
-	}
-
-	return &Logger{
-		Audit: createLogger("audit", cfg.Streams.Audit, baseLogger),
-		HTTP:  createLogger("http", cfg.Streams.HTTP, baseLogger),
-		App:   createLogger("app", cfg.Streams.App, baseLogger),
-	}
-}
-
-func NewSimpleLogger() *Logger {
-	return NewLogger(model.LogConfig{
-		Level: "info",
-		Json:  false,
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true},
-			App:   model.LogStreamConfig{Enabled: true},
-			Audit: model.LogStreamConfig{Enabled: false},
-		},
-	})
-}
-
-func NewTestLogger() *Logger {
-	return NewLogger(model.LogConfig{
-		Level: "trace",
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true},
-			App:   model.LogStreamConfig{Enabled: true},
-			Audit: model.LogStreamConfig{Enabled: true},
-		},
-	})
-}
-
-func (l *Logger) Init() {
-	Audit = l.Audit
-	HTTP = l.HTTP
-	App = l.App
-}
-
-func createLogger(component string, streamCfg model.LogStreamConfig, baseLogger zerolog.Logger) zerolog.Logger {
-	if !streamCfg.Enabled {
-		return zerolog.Nop()
-	}
-	subLogger := baseLogger.With().Str("log_stream", component).Logger()
-	// override level if specified, otherwise use base level
-	if streamCfg.Level != "" {
-		subLogger = subLogger.Level(parseLogLevel(streamCfg.Level))
-	}
-	return subLogger
-}
-
-func parseLogLevel(level string) zerolog.Level {
-	if level == "" {
-		return zerolog.InfoLevel
-	}
-	parsedLevel, err := zerolog.ParseLevel(strings.ToLower(level))
-	if err != nil {
-		log.Warn().Err(err).Str("level", level).Msg("Invalid log level, defaulting to info")
-		parsedLevel = zerolog.InfoLevel
-	}
-	return parsedLevel
-}

internal/utils/tlog/log_wrapper_test.go

@@ -1,93 +0,0 @@
-package tlog_test
-
-import (
-	"bytes"
-	"encoding/json"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
-
-	"github.com/rs/zerolog"
-)
-
-func TestNewLogger(t *testing.T) {
-	cfg := model.LogConfig{
-		Level: "debug",
-		Json:  true,
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true, Level: "info"},
-			App:   model.LogStreamConfig{Enabled: true, Level: ""},
-			Audit: model.LogStreamConfig{Enabled: false, Level: ""},
-		},
-	}
-
-	logger := tlog.NewLogger(cfg)
-
-	assert.NotNil(t, logger)
-	assert.Equal(t, zerolog.InfoLevel, logger.HTTP.GetLevel())
-	assert.Equal(t, zerolog.DebugLevel, logger.App.GetLevel())
-	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
-}
-
-func TestNewSimpleLogger(t *testing.T) {
-	logger := tlog.NewSimpleLogger()
-	assert.NotNil(t, logger)
-	assert.Equal(t, zerolog.InfoLevel, logger.HTTP.GetLevel())
-	assert.Equal(t, zerolog.InfoLevel, logger.App.GetLevel())
-	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
-}
-
-func TestLoggerInit(t *testing.T) {
-	logger := tlog.NewSimpleLogger()
-	logger.Init()
-
-	assert.NotEqual(t, zerolog.Disabled, tlog.App.GetLevel())
-}
-
-func TestLoggerWithDisabledStreams(t *testing.T) {
-	cfg := model.LogConfig{
-		Level: "info",
-		Json:  false,
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: false},
-			App:   model.LogStreamConfig{Enabled: false},
-			Audit: model.LogStreamConfig{Enabled: false},
-		},
-	}
-
-	logger := tlog.NewLogger(cfg)
-
-	assert.Equal(t, zerolog.Disabled, logger.HTTP.GetLevel())
-	assert.Equal(t, zerolog.Disabled, logger.App.GetLevel())
-	assert.Equal(t, zerolog.Disabled, logger.Audit.GetLevel())
-}
-
-func TestLogStreamField(t *testing.T) {
-	var buf bytes.Buffer
-
-	cfg := model.LogConfig{
-		Level: "info",
-		Json:  true,
-		Streams: model.LogStreams{
-			HTTP:  model.LogStreamConfig{Enabled: true},
-			App:   model.LogStreamConfig{Enabled: true},
-			Audit: model.LogStreamConfig{Enabled: true},
-		},
-	}
-
-	logger := tlog.NewLogger(cfg)
-
-	// Override output for HTTP logger to capture output
-	logger.HTTP = logger.HTTP.Output(&buf)
-
-	logger.HTTP.Info().Msg("test message")
-
-	var logEntry map[string]interface{}
-	err := json.Unmarshal(buf.Bytes(), &logEntry)
-	assert.NoError(t, err)
-
-	assert.Equal(t, "http", logEntry["log_stream"])
-	assert.Equal(t, "test message", logEntry["message"])
-}

internal/utils/user_utils_test.go

@@ -24,7 +24,7 @@ func TestGetUsers(t *testing.T) {
 
 	err = file.Close()
 	require.NoError(t, err)
-	defer os.Remove(tmpDir + "/tinyauth_users_test.txt") //nolint:errcheck
+	defer os.Remove(tmpDir + "/tinyauth_users_test.txt")
 
 	noAttrs := map[string]model.UserAttributes{}