fix: lowercase key and filter before comparing

refactor: use stdlib prefix check in header decoder
refactor: simplify decode header to node function
2025-10-28 12:45:47 +00:00 · 2025-09-02 19:00:41 +03:00 · 2025-09-02 18:54:38 +03:00 · 2025-09-02 18:45:36 +03:00 · 2025-09-02 18:19:18 +03:00 · 2025-09-02 17:47:29 +03:00
52 changed files with 503 additions and 2195 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -27,6 +27,11 @@ var rootCmd = &cobra.Command{
 			log.Fatal().Err(err).Msg("Failed to parse config")
 		}

+		// Check if secrets have a file associated with them
+		conf.GithubClientSecret = utils.GetSecret(conf.GithubClientSecret, conf.GithubClientSecretFile)
+		conf.GoogleClientSecret = utils.GetSecret(conf.GoogleClientSecret, conf.GoogleClientSecretFile)
+		conf.GenericClientSecret = utils.GetSecret(conf.GenericClientSecret, conf.GenericClientSecretFile)
+
 		// Validate config
 		v := validator.New()

@@ -52,7 +57,6 @@ var rootCmd = &cobra.Command{
 }

 func Execute() {
-	rootCmd.FParseErrWhitelist.UnknownFlags = true
 	err := rootCmd.Execute()
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute command")
@@ -76,6 +80,21 @@ func init() {
 		{"users", "", "Comma separated list of users in the format username:hash."},
 		{"users-file", "", "Path to a file containing users in the format username:hash."},
 		{"secure-cookie", false, "Send cookie over secure connection only."},
+		{"github-client-id", "", "Github OAuth client ID."},
+		{"github-client-secret", "", "Github OAuth client secret."},
+		{"github-client-secret-file", "", "Github OAuth client secret file."},
+		{"google-client-id", "", "Google OAuth client ID."},
+		{"google-client-secret", "", "Google OAuth client secret."},
+		{"google-client-secret-file", "", "Google OAuth client secret file."},
+		{"generic-client-id", "", "Generic OAuth client ID."},
+		{"generic-client-secret", "", "Generic OAuth client secret."},
+		{"generic-client-secret-file", "", "Generic OAuth client secret file."},
+		{"generic-scopes", "", "Generic OAuth scopes."},
+		{"generic-auth-url", "", "Generic OAuth auth URL."},
+		{"generic-token-url", "", "Generic OAuth token URL."},
+		{"generic-user-url", "", "Generic OAuth user info URL."},
+		{"generic-name", "Generic", "Generic OAuth provider name."},
+		{"generic-skip-ssl", false, "Skip SSL verification for the generic OAuth provider."},
 		{"oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth."},
 		{"oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)"},
 		{"session-expiry", 86400, "Session (cookie) expiration time in seconds."},
@@ -93,7 +112,6 @@ func init() {
 		{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
 		{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
 		{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file."},
-		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses or CIDRs) for correct client IP detection."},
 	}

 	for _, opt := range configOptions {
--- a/frontend/src/components/icons/generic.tsx
+++ b/frontend/src/components/icons/generic.tsx
@@ -1,6 +1,6 @@
 import type { SVGProps } from "react";

-export function OAuthIcon(props: SVGProps<SVGSVGElement>) {
+export function GenericIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      xmlns="http://www.w3.org/2000/svg"
--- a/frontend/src/components/icons/microsoft.tsx
+++ b/frontend/src/components/icons/microsoft.tsx
@@ -1,18 +0,0 @@
-import type { SVGProps } from "react";
-
-export function MicrosoftIcon(props: SVGProps<SVGSVGElement>) {
-  return (
-    <svg
-      xmlns="http://www.w3.org/2000/svg"
-      width="2em"
-      height="2em"
-      viewBox="0 0 256 256"
-      {...props}
-    >
-      <path fill="#f1511b" d="M121.666 121.666H0V0h121.666z"></path>
-      <path fill="#80cc28" d="M256 121.666H134.335V0H256z"></path>
-      <path fill="#00adef" d="M121.663 256.002H0V134.336h121.663z"></path>
-      <path fill="#fbbc09" d="M256 256.002H134.335V134.336H256z"></path>
-    </svg>
-  );
-}
--- a/frontend/src/components/icons/pocket-id.tsx
+++ b/frontend/src/components/icons/pocket-id.tsx
@@ -1,20 +0,0 @@
-import type { SVGProps } from "react";
-
-export function PocketIDIcon(props: SVGProps<SVGSVGElement>) {
-  return (
-    <svg
-      xmlns="http://www.w3.org/2000/svg"
-      xmlSpace="preserve"
-      width={512}
-      height={512}
-      viewBox="0 0 512 512"
-      {...props}
-    >
-      <circle cx="256" cy="256" r="256" />
-      <path
-        d="M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z"
-        className="fill-white"
-      />
-    </svg>
-  );
-}
--- a/frontend/src/components/icons/tailscale.tsx
+++ b/frontend/src/components/icons/tailscale.tsx
@@ -1,26 +0,0 @@
-import type { SVGProps } from "react";
-
-export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
-  return (
-    <svg
-      xmlns="http://www.w3.org/2000/svg"
-      xmlSpace="preserve"
-      width={512}
-      height={512}
-      viewBox="0 0 512 512"
-      {...props}
-    >
-      <path
-        className="opacity-80"
-        fill="currentColor"
-        d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
-      />
-
-      <path
-        d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
-        className="opacity-20"
-        fill="currentColor"
-      />
-    </svg>
-  );
-}
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -14,9 +14,6 @@
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Continue",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
@@ -24,7 +21,7 @@
    "continueInsecureRedirectTitle": "Insecure redirect",
    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{rootDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Please try again",
    "logoutSuccessTitle": "Logged out",
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -14,9 +14,6 @@
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Continue",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
@@ -24,7 +21,7 @@
    "continueInsecureRedirectTitle": "Insecure redirect",
    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{rootDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Please try again",
    "logoutSuccessTitle": "Logged out",
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -14,7 +14,7 @@ import { Navigate, useLocation, useNavigate } from "react-router";
 import { useEffect, useState } from "react";

 export const ContinuePage = () => {
-  const { cookieDomain } = useAppContext();
+  const { rootDomain } = useAppContext();
  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
@@ -33,8 +33,8 @@ export const ContinuePage = () => {
    : null;
  const isTrustedRedirectUri =
    redirectUriObj !== null
-      ? redirectUriObj.hostname === cookieDomain ||
-        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
+      ? redirectUriObj.hostname === rootDomain ||
+        redirectUriObj.hostname.endsWith(`.${rootDomain}`)
      : false;
  const isAllowedRedirectProto =
    redirectUriObj !== null
@@ -70,7 +70,7 @@ export const ContinuePage = () => {
    const reveal = setTimeout(() => {
      setLoading(false);
      setShowRedirectButton(true);
-    }, 5000);
+    }, 1000);

    return () => {
      clearTimeout(auto);
@@ -105,7 +105,7 @@ export const ContinuePage = () => {
              components={{
                code: <code />,
              }}
-              values={{ cookieDomain }}
+              values={{ rootDomain }}
            />
          </CardDescription>
        </CardHeader>
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -1,18 +1,13 @@
 import { LoginForm } from "@/components/auth/login-form";
+import { GenericIcon } from "@/components/icons/generic";
 import { GithubIcon } from "@/components/icons/github";
 import { GoogleIcon } from "@/components/icons/google";
-import { MicrosoftIcon } from "@/components/icons/microsoft";
-import { OAuthIcon } from "@/components/icons/oauth";
-import { PocketIDIcon } from "@/components/icons/pocket-id";
-import { TailscaleIcon } from "@/components/icons/tailscale";
-import { Button } from "@/components/ui/button";
 import {
  Card,
  CardHeader,
  CardTitle,
  CardDescription,
  CardContent,
-  CardFooter,
 } from "@/components/ui/card";
 import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
@@ -22,40 +17,28 @@ import { useIsMounted } from "@/lib/hooks/use-is-mounted";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect, useRef, useState } from "react";
+import { useEffect, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";

-const iconMap: Record<string, React.ReactNode> = {
-  google: <GoogleIcon />,
-  github: <GithubIcon />,
-  tailscale: <TailscaleIcon />,
-  microsoft: <MicrosoftIcon />,
-  pocketid: <PocketIDIcon />,
-};
-
 export const LoginPage = () => {
  const { isLoggedIn } = useUserContext();
-  const { providers, title, oauthAutoRedirect } = useAppContext();
+  const { configuredProviders, title, oauthAutoRedirect, genericName } =
+    useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const isMounted = useIsMounted();
-  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
-    useState(false);
-  const [showRedirectButton, setShowRedirectButton] = useState(false);

  const redirectTimer = useRef<number | null>(null);
-  const redirectButtonTimer = useRef<number | null>(null);

  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");

-  const oauthProviders = providers.filter(
-    (provider) => provider.id !== "username",
-  );
-  const userAuthConfigured =
-    providers.find((provider) => provider.id === "username") !== undefined;
+  const oauthConfigured =
+    configuredProviders.filter((provider) => provider !== "username").length >
+    0;
+  const userAuthConfigured = configuredProviders.includes("username");

  const oauthMutation = useMutation({
    mutationFn: (provider: string) =>
@@ -73,7 +56,6 @@ export const LoginPage = () => {
      }, 500);
    },
    onError: () => {
-      setOauthAutoRedirectHandover(false);
      toast.error(t("loginOauthFailTitle"), {
        description: t("loginOauthFailSubtitle"),
      });
@@ -114,16 +96,12 @@ export const LoginPage = () => {
  useEffect(() => {
    if (isMounted()) {
      if (
-        oauthProviders.length !== 0 &&
-        providers.find((provider) => provider.id === oauthAutoRedirect) &&
+        oauthConfigured &&
+        configuredProviders.includes(oauthAutoRedirect) &&
        !isLoggedIn &&
        redirectUri
      ) {
-        setOauthAutoRedirectHandover(true);
        oauthMutation.mutate(oauthAutoRedirect);
-        redirectButtonTimer.current = window.setTimeout(() => {
-          setShowRedirectButton(true);
-        }, 5000);
      }
    }
  }, []);
@@ -131,8 +109,6 @@ export const LoginPage = () => {
  useEffect(
    () => () => {
      if (redirectTimer.current) clearTimeout(redirectTimer.current);
-      if (redirectButtonTimer.current)
-        clearTimeout(redirectButtonTimer.current);
    },
    [],
  );
@@ -150,63 +126,61 @@ export const LoginPage = () => {
    return <Navigate to="/logout" replace />;
  }

-  if (oauthAutoRedirectHandover) {
-    return (
-      <Card className="min-w-xs sm:min-w-sm">
-        <CardHeader>
-          <CardTitle className="text-3xl">
-            {t("loginOauthAutoRedirectTitle")}
-          </CardTitle>
-          <CardDescription>
-            {t("loginOauthAutoRedirectSubtitle")}
-          </CardDescription>
-        </CardHeader>
-        {showRedirectButton && (
-          <CardFooter className="flex flex-col items-stretch">
-            <Button
-              onClick={() => {
-                window.location.replace(oauthMutation.data?.data.url);
-              }}
-            >
-              {t("loginOauthAutoRedirectButton")}
-            </Button>
-          </CardFooter>
-        )}
-      </Card>
-    );
-  }
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
        <CardTitle className="text-center text-3xl">{title}</CardTitle>
-        {providers.length > 0 && (
+        {configuredProviders.length > 0 && (
          <CardDescription className="text-center">
-            {oauthProviders.length !== 0
-              ? t("loginTitle")
-              : t("loginTitleSimple")}
+            {oauthConfigured ? t("loginTitle") : t("loginTitleSimple")}
          </CardDescription>
        )}
      </CardHeader>
      <CardContent className="flex flex-col gap-4">
-        {oauthProviders.length !== 0 && (
+        {oauthConfigured && (
          <div className="flex flex-col gap-2 items-center justify-center">
-            {oauthProviders.map((provider) => (
+            {configuredProviders.includes("google") && (
              <OAuthButton
-                key={provider.id}
-                title={provider.name}
-                icon={iconMap[provider.id] ?? <OAuthIcon />}
+                title="Google"
+                icon={<GoogleIcon />}
                className="w-full"
-                onClick={() => oauthMutation.mutate(provider.id)}
+                onClick={() => oauthMutation.mutate("google")}
                loading={
                  oauthMutation.isPending &&
-                  oauthMutation.variables === provider.id
+                  oauthMutation.variables === "google"
                }
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
-            ))}
+            )}
+            {configuredProviders.includes("github") && (
+              <OAuthButton
+                title="Github"
+                icon={<GithubIcon />}
+                className="w-full"
+                onClick={() => oauthMutation.mutate("github")}
+                loading={
+                  oauthMutation.isPending &&
+                  oauthMutation.variables === "github"
+                }
+                disabled={oauthMutation.isPending || loginMutation.isPending}
+              />
+            )}
+            {configuredProviders.includes("generic") && (
+              <OAuthButton
+                title={genericName}
+                icon={<GenericIcon />}
+                className="w-full"
+                onClick={() => oauthMutation.mutate("generic")}
+                loading={
+                  oauthMutation.isPending &&
+                  oauthMutation.variables === "generic"
+                }
+                disabled={oauthMutation.isPending || loginMutation.isPending}
+              />
+            )}
          </div>
        )}
-        {userAuthConfigured && oauthProviders.length !== 0 && (
+        {userAuthConfigured && oauthConfigured && (
          <SeperatorWithChildren>{t("loginDivider")}</SeperatorWithChildren>
        )}
        {userAuthConfigured && (
@@ -215,7 +189,7 @@ export const LoginPage = () => {
            loading={loginMutation.isPending || oauthMutation.isPending}
          />
        )}
-        {providers.length == 0 && (
+        {configuredProviders.length == 0 && (
          <p className="text-center text-red-600 max-w-sm">
            {t("failedToFetchProvidersTitle")}
          </p>
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -6,7 +6,9 @@ import {
  CardHeader,
  CardTitle,
 } from "@/components/ui/card";
+import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
+import { capitalize } from "@/lib/utils";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { useEffect, useRef } from "react";
@@ -15,7 +17,8 @@ import { Navigate } from "react-router";
 import { toast } from "sonner";

 export const LogoutPage = () => {
-  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
+  const { provider, username, isLoggedIn, email } = useUserContext();
+  const { genericName } = useAppContext();
  const { t } = useTranslation();

  const redirectTimer = useRef<number | null>(null);
@@ -64,7 +67,8 @@ export const LogoutPage = () => {
              }}
              values={{
                username: email,
-                provider: oauthName,
+                provider:
+                  provider === "generic" ? genericName : capitalize(provider),
              }}
            />
          ) : (
--- a/frontend/src/schemas/app-context-schema.ts
+++ b/frontend/src/schemas/app-context-schema.ts
@@ -1,19 +1,14 @@
 import { z } from "zod";

-export const providerSchema = z.object({
-  id: z.string(),
-  name: z.string(),
-  oauth: z.boolean(),
-});
-
 export const appContextSchema = z.object({
-  providers: z.array(providerSchema),
+  configuredProviders: z.array(z.string()),
  title: z.string(),
+  genericName: z.string(),
  appUrl: z.string(),
-  cookieDomain: z.string(),
+  rootDomain: z.string(),
  forgotPasswordMessage: z.string(),
+  oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
  backgroundImage: z.string(),
-  oauthAutoRedirect: z.string(),
 });

 export type AppContextSchema = z.infer<typeof appContextSchema>;
--- a/frontend/src/schemas/user-context-schema.ts
+++ b/frontend/src/schemas/user-context-schema.ts
@@ -8,7 +8,6 @@ export const userContextSchema = z.object({
  provider: z.string(),
  oauth: z.boolean(),
  totpPending: z.boolean(),
-  oauthName: z.string(),
 });

 export type UserContextSchema = z.infer<typeof userContextSchema>;
--- a/go.mod
+++ b/go.mod
@@ -1,13 +1,10 @@
 module tinyauth

-go 1.24.0
-
-toolchain go1.24.3
+go 1.23.2

 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/gin-gonic/gin v1.10.1
-	github.com/glebarez/sqlite v1.11.0
 	github.com/go-playground/validator/v10 v10.27.0
 	github.com/golang-migrate/migrate/v4 v4.18.3
 	github.com/google/go-querystring v1.1.0
@@ -17,11 +14,10 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/traefik/paerser v0.2.2
-	github.com/weppos/publicsuffix-go v0.50.0
-	golang.org/x/crypto v0.42.0
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
+	golang.org/x/crypto v0.41.0
+	gorm.io/driver/sqlite v1.6.0
 	gorm.io/gorm v1.30.1
-	gotest.tools/v3 v3.5.2
+	modernc.org/sqlite v1.38.2
 )

 require (
@@ -32,9 +28,9 @@ require (
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
@@ -48,11 +44,12 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
+	golang.org/x/term v0.34.0 // indirect
+	gotest.tools/v3 v3.5.2 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.38.2 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )

@@ -89,6 +86,8 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/gorilla/sessions v1.4.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
@@ -126,11 +125,11 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/arch v0.13.0 // indirect
-	golang.org/x/net v0.44.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -132,10 +132,16 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -280,8 +286,6 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/weppos/publicsuffix-go v0.50.0 h1:M178k6l8cnh9T1c1cStkhytVxdk5zPd6gGZf8ySIuVo=
-github.com/weppos/publicsuffix-go v0.50.0/go.mod h1:VXhClBYMlDrUsome4pOTpe68Ui0p6iQRAbyHQD1yKoU=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -313,27 +317,27 @@ golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
-golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -341,22 +345,22 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
 golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -376,6 +380,8 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
+gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
 gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
 gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
--- a/internal/assets/migrations/000002_oauth_name.down.sql
+++ b/internal/assets/migrations/000002_oauth_name.down.sql
@@ -1 +0,0 @@
-ALTER TABLE "sessions" DROP COLUMN "oauth_name";
--- a/internal/assets/migrations/000002_oauth_name.up.sql
+++ b/internal/assets/migrations/000002_oauth_name.up.sql
@@ -1,10 +0,0 @@
-ALTER TABLE "sessions" ADD COLUMN "oauth_name" TEXT;
-
-UPDATE "sessions"
-SET "oauth_name" = CASE
-  WHEN LOWER("provider") = 'github' THEN 'GitHub'
-  WHEN LOWER("provider") = 'google' THEN 'Google'
-  ELSE UPPER(SUBSTR("provider", 1, 1)) || SUBSTR("provider", 2)
-END
-WHERE "oauth_name" IS NULL AND "provider" IS NOT NULL;
-
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -3,7 +3,6 @@ package bootstrap
 import (
 	"fmt"
 	"net/url"
-	"os"
 	"strings"
 	"tinyauth/internal/config"
 	"tinyauth/internal/controller"
@@ -46,15 +45,8 @@ func (app *BootstrapApp) Setup() error {
 		return err
 	}

-	// Get OAuth configs
-	oauthProviders, err := utils.GetOAuthProvidersConfig(os.Environ(), os.Args, app.Config.AppURL)
-
-	if err != nil {
-		return err
-	}
-
-	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.Config.AppURL)
+	// Get root domain
+	rootDomain, err := utils.GetRootDomain(app.Config.AppURL)

 	if err != nil {
 		return err
@@ -73,7 +65,7 @@ func (app *BootstrapApp) Setup() error {
 		OauthWhitelist:    app.Config.OAuthWhitelist,
 		SessionExpiry:     app.Config.SessionExpiry,
 		SecureCookie:      app.Config.SecureCookie,
-		CookieDomain:      cookieDomain,
+		RootDomain:        rootDomain,
 		LoginTimeout:      app.Config.LoginTimeout,
 		LoginMaxRetries:   app.Config.LoginMaxRetries,
 		SessionCookieName: sessionCookieName,
@@ -120,7 +112,7 @@ func (app *BootstrapApp) Setup() error {
 	// Create services
 	dockerService := service.NewDockerService()
 	authService := service.NewAuthService(authConfig, dockerService, ldapService, database)
-	oauthBrokerService := service.NewOAuthBrokerService(oauthProviders)
+	oauthBrokerService := service.NewOAuthBrokerService(app.getOAuthBrokerConfig())

 	// Initialize services
 	services := []Service{
@@ -140,41 +132,13 @@ func (app *BootstrapApp) Setup() error {
 	}

 	// Configured providers
-	babysit := map[string]string{
-		"google": "Google",
-		"github": "GitHub",
-	}
-	configuredProviders := make([]controller.Provider, 0)
-
-	for id, provider := range oauthProviders {
-		if id == "" {
-			continue
-		}
-
-		if provider.Name == "" {
-			if name, ok := babysit[id]; ok {
-				provider.Name = name
-			} else {
-				provider.Name = utils.Capitalize(id)
-			}
-		}
-
-		configuredProviders = append(configuredProviders, controller.Provider{
-			Name:  provider.Name,
-			ID:    id,
-			OAuth: true,
-		})
-	}
+	var configuredProviders []string

 	if authService.UserAuthConfigured() || ldapService != nil {
-		configuredProviders = append(configuredProviders, controller.Provider{
-			Name:  "Username",
-			ID:    "username",
-			OAuth: false,
-		})
+		configuredProviders = append(configuredProviders, "username")
 	}

-	log.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
+	configuredProviders = append(configuredProviders, oauthBrokerService.GetConfiguredServices()...)

 	if len(configuredProviders) == 0 {
 		return fmt.Errorf("no authentication providers configured")
@@ -182,7 +146,6 @@ func (app *BootstrapApp) Setup() error {

 	// Create engine
 	engine := gin.New()
-	engine.SetTrustedProxies(strings.Split(app.Config.TrustedProxies, ","))

 	if config.Version != "development" {
 		gin.SetMode(gin.ReleaseMode)
@@ -192,7 +155,7 @@ func (app *BootstrapApp) Setup() error {
 	var middlewares []Middleware

 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		CookieDomain: cookieDomain,
+		RootDomain: rootDomain,
 	}, authService, oauthBrokerService)

 	uiMiddleware := middleware.NewUIMiddleware()
@@ -215,10 +178,11 @@ func (app *BootstrapApp) Setup() error {

 	// Create controllers
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
-		Providers:             configuredProviders,
+		ConfiguredProviders:   configuredProviders,
 		Title:                 app.Config.Title,
+		GenericName:           app.Config.GenericName,
 		AppURL:                app.Config.AppURL,
-		CookieDomain:          cookieDomain,
+		RootDomain:            rootDomain,
 		ForgotPasswordMessage: app.Config.ForgotPasswordMessage,
 		BackgroundImage:       app.Config.BackgroundImage,
 		OAuthAutoRedirect:     app.Config.OAuthAutoRedirect,
@@ -229,7 +193,7 @@ func (app *BootstrapApp) Setup() error {
 		SecureCookie:       app.Config.SecureCookie,
 		CSRFCookieName:     csrfCookieName,
 		RedirectCookieName: redirectCookieName,
-		CookieDomain:       cookieDomain,
+		RootDomain:         rootDomain,
 	}, apiRouter, authService, oauthBrokerService)

 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
@@ -237,7 +201,7 @@ func (app *BootstrapApp) Setup() error {
 	}, apiRouter, dockerService, authService)

 	userController := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain: cookieDomain,
+		RootDomain: rootDomain,
 	}, apiRouter, authService)

 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
@@ -270,3 +234,30 @@ func (app *BootstrapApp) Setup() error {

 	return nil
 }
+
+// Temporary
+func (app *BootstrapApp) getOAuthBrokerConfig() map[string]config.OAuthServiceConfig {
+	return map[string]config.OAuthServiceConfig{
+		"google": {
+			ClientID:     app.Config.GoogleClientId,
+			ClientSecret: app.Config.GoogleClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/google", app.Config.AppURL),
+		},
+		"github": {
+			ClientID:     app.Config.GithubClientId,
+			ClientSecret: app.Config.GithubClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/github", app.Config.AppURL),
+		},
+		"generic": {
+			ClientID:           app.Config.GenericClientId,
+			ClientSecret:       app.Config.GenericClientSecret,
+			RedirectURL:        fmt.Sprintf("%s/api/oauth/callback/generic", app.Config.AppURL),
+			Scopes:             strings.Split(app.Config.GenericScopes, ","),
+			AuthURL:            app.Config.GenericAuthURL,
+			TokenURL:           app.Config.GenericTokenURL,
+			UserinfoURL:        app.Config.GenericUserURL,
+			InsecureSkipVerify: app.Config.GenericSkipSSL,
+		},
+	}
+
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -15,30 +15,44 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config

 type Config struct {
-	Port                  int    `mapstructure:"port" validate:"required"`
-	Address               string `validate:"required,ip4_addr" mapstructure:"address"`
-	AppURL                string `validate:"required,url" mapstructure:"app-url"`
-	Users                 string `mapstructure:"users"`
-	UsersFile             string `mapstructure:"users-file"`
-	SecureCookie          bool   `mapstructure:"secure-cookie"`
-	OAuthWhitelist        string `mapstructure:"oauth-whitelist"`
-	OAuthAutoRedirect     string `mapstructure:"oauth-auto-redirect"`
-	SessionExpiry         int    `mapstructure:"session-expiry"`
-	LogLevel              string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
-	Title                 string `mapstructure:"app-title"`
-	LoginTimeout          int    `mapstructure:"login-timeout"`
-	LoginMaxRetries       int    `mapstructure:"login-max-retries"`
-	ForgotPasswordMessage string `mapstructure:"forgot-password-message"`
-	BackgroundImage       string `mapstructure:"background-image" validate:"required"`
-	LdapAddress           string `mapstructure:"ldap-address"`
-	LdapBindDN            string `mapstructure:"ldap-bind-dn"`
-	LdapBindPassword      string `mapstructure:"ldap-bind-password"`
-	LdapBaseDN            string `mapstructure:"ldap-base-dn"`
-	LdapInsecure          bool   `mapstructure:"ldap-insecure"`
-	LdapSearchFilter      string `mapstructure:"ldap-search-filter"`
-	ResourcesDir          string `mapstructure:"resources-dir"`
-	DatabasePath          string `mapstructure:"database-path" validate:"required"`
-	TrustedProxies        string `mapstructure:"trusted-proxies"`
+	Port                    int    `mapstructure:"port" validate:"required"`
+	Address                 string `validate:"required,ip4_addr" mapstructure:"address"`
+	AppURL                  string `validate:"required,url" mapstructure:"app-url"`
+	Users                   string `mapstructure:"users"`
+	UsersFile               string `mapstructure:"users-file"`
+	SecureCookie            bool   `mapstructure:"secure-cookie"`
+	GithubClientId          string `mapstructure:"github-client-id"`
+	GithubClientSecret      string `mapstructure:"github-client-secret"`
+	GithubClientSecretFile  string `mapstructure:"github-client-secret-file"`
+	GoogleClientId          string `mapstructure:"google-client-id"`
+	GoogleClientSecret      string `mapstructure:"google-client-secret"`
+	GoogleClientSecretFile  string `mapstructure:"google-client-secret-file"`
+	GenericClientId         string `mapstructure:"generic-client-id"`
+	GenericClientSecret     string `mapstructure:"generic-client-secret"`
+	GenericClientSecretFile string `mapstructure:"generic-client-secret-file"`
+	GenericScopes           string `mapstructure:"generic-scopes"`
+	GenericAuthURL          string `mapstructure:"generic-auth-url"`
+	GenericTokenURL         string `mapstructure:"generic-token-url"`
+	GenericUserURL          string `mapstructure:"generic-user-url"`
+	GenericName             string `mapstructure:"generic-name"`
+	GenericSkipSSL          bool   `mapstructure:"generic-skip-ssl"`
+	OAuthWhitelist          string `mapstructure:"oauth-whitelist"`
+	OAuthAutoRedirect       string `mapstructure:"oauth-auto-redirect" validate:"oneof=none github google generic"`
+	SessionExpiry           int    `mapstructure:"session-expiry"`
+	LogLevel                string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
+	Title                   string `mapstructure:"app-title"`
+	LoginTimeout            int    `mapstructure:"login-timeout"`
+	LoginMaxRetries         int    `mapstructure:"login-max-retries"`
+	ForgotPasswordMessage   string `mapstructure:"forgot-password-message"`
+	BackgroundImage         string `mapstructure:"background-image" validate:"required"`
+	LdapAddress             string `mapstructure:"ldap-address"`
+	LdapBindDN              string `mapstructure:"ldap-bind-dn"`
+	LdapBindPassword        string `mapstructure:"ldap-bind-password"`
+	LdapBaseDN              string `mapstructure:"ldap-base-dn"`
+	LdapInsecure            bool   `mapstructure:"ldap-insecure"`
+	LdapSearchFilter        string `mapstructure:"ldap-search-filter"`
+	ResourcesDir            string `mapstructure:"resources-dir"`
+	DatabasePath            string `mapstructure:"database-path" validate:"required"`
 }

 // OAuth/OIDC config
@@ -51,16 +65,14 @@ type Claims struct {
 }

 type OAuthServiceConfig struct {
-	ClientID           string   `key:"client-id"`
-	ClientSecret       string   `key:"client-secret"`
-	ClientSecretFile   string   `key:"client-secret-file"`
-	Scopes             []string `key:"scopes"`
-	RedirectURL        string   `key:"redirect-url"`
-	AuthURL            string   `key:"auth-url"`
-	TokenURL           string   `key:"token-url"`
-	UserinfoURL        string   `key:"user-info-url"`
-	InsecureSkipVerify bool     `key:"insecure-skip-verify"`
-	Name               string   `key:"name"`
+	ClientID           string
+	ClientSecret       string
+	Scopes             []string
+	RedirectURL        string
+	AuthURL            string
+	TokenURL           string
+	UserinfoURL        string
+	InsecureSkipVerify bool
 }

 // User/session related stuff
@@ -84,7 +96,6 @@ type SessionCookie struct {
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
-	OAuthName   string
 }

 type UserContext struct {
@@ -97,7 +108,6 @@ type UserContext struct {
 	TotpPending bool
 	OAuthGroups string
 	TotpEnabled bool
-	OAuthName   string
 }

 // API responses and queries
@@ -113,9 +123,9 @@ type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }

-// Labels
+// App config

-type Apps struct {
+type AppConfigs struct {
 	Apps map[string]App
 }

@@ -163,9 +173,3 @@ type AppPath struct {
 	Allow string
 	Block string
 }
-
-// Flags
-
-type Providers struct {
-	Providers map[string]OAuthServiceConfig
-}
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -19,32 +19,27 @@ type UserContextResponse struct {
 	Provider    string `json:"provider"`
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
-	OAuthName   string `json:"oauthName"`
 }

 type AppContextResponse struct {
-	Status                int        `json:"status"`
-	Message               string     `json:"message"`
-	Providers             []Provider `json:"providers"`
-	Title                 string     `json:"title"`
-	AppURL                string     `json:"appUrl"`
-	CookieDomain          string     `json:"cookieDomain"`
-	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
-	BackgroundImage       string     `json:"backgroundImage"`
-	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-}
-
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
+	Status                int      `json:"status"`
+	Message               string   `json:"message"`
+	ConfiguredProviders   []string `json:"configuredProviders"`
+	Title                 string   `json:"title"`
+	GenericName           string   `json:"genericName"`
+	AppURL                string   `json:"appUrl"`
+	RootDomain            string   `json:"rootDomain"`
+	ForgotPasswordMessage string   `json:"forgotPasswordMessage"`
+	BackgroundImage       string   `json:"backgroundImage"`
+	OAuthAutoRedirect     string   `json:"oauthAutoRedirect"`
 }

 type ContextControllerConfig struct {
-	Providers             []Provider
+	ConfiguredProviders   []string
 	Title                 string
+	GenericName           string
 	AppURL                string
-	CookieDomain          string
+	RootDomain            string
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
@@ -81,7 +76,6 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 		Provider:    context.Provider,
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
-		OAuthName:   context.OAuthName,
 	}

 	if err != nil {
@@ -102,10 +96,11 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controller.config.Providers,
+		ConfiguredProviders:   controller.config.ConfiguredProviders,
 		Title:                 controller.config.Title,
+		GenericName:           controller.config.GenericName,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.config.CookieDomain,
+		RootDomain:            controller.config.RootDomain,
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -1,144 +0,0 @@
-package controller_test
-
-import (
-	"encoding/json"
-	"net/http/httptest"
-	"testing"
-	"tinyauth/internal/config"
-	"tinyauth/internal/controller"
-
-	"github.com/gin-gonic/gin"
-	"gotest.tools/v3/assert"
-)
-
-var controllerCfg = controller.ContextControllerConfig{
-	Providers: []controller.Provider{
-		{
-			Name:  "Username",
-			ID:    "username",
-			OAuth: false,
-		},
-		{
-			Name:  "Google",
-			ID:    "google",
-			OAuth: true,
-		},
-	},
-	Title:                 "Test App",
-	AppURL:                "http://localhost:8080",
-	CookieDomain:          "localhost",
-	ForgotPasswordMessage: "Contact admin to reset your password.",
-	BackgroundImage:       "/assets/bg.jpg",
-	OAuthAutoRedirect:     "google",
-}
-
-var userContext = config.UserContext{
-	Username:    "testuser",
-	Name:        "testuser",
-	Email:       "test@example.com",
-	IsLoggedIn:  true,
-	OAuth:       false,
-	Provider:    "username",
-	TotpPending: false,
-	OAuthGroups: "",
-	TotpEnabled: false,
-}
-
-func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
-	// Setup
-	gin.SetMode(gin.TestMode)
-	router := gin.Default()
-	recorder := httptest.NewRecorder()
-
-	if middlewares != nil {
-		for _, m := range *middlewares {
-			router.Use(m)
-		}
-	}
-
-	group := router.Group("/api")
-
-	ctrl := controller.NewContextController(controllerCfg, group)
-	ctrl.SetupRoutes()
-
-	return router, recorder
-}
-
-func TestAppContextHandler(t *testing.T) {
-	expectedRes := controller.AppContextResponse{
-		Status:                200,
-		Message:               "Success",
-		Providers:             controllerCfg.Providers,
-		Title:                 controllerCfg.Title,
-		AppURL:                controllerCfg.AppURL,
-		CookieDomain:          controllerCfg.CookieDomain,
-		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
-		BackgroundImage:       controllerCfg.BackgroundImage,
-		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
-	}
-
-	router, recorder := setupContextController(nil)
-	req := httptest.NewRequest("GET", "/api/context/app", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	var ctrlRes controller.AppContextResponse
-
-	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
-
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)
-}
-
-func TestUserContextHandler(t *testing.T) {
-	expectedRes := controller.UserContextResponse{
-		Status:      200,
-		Message:     "Success",
-		IsLoggedIn:  userContext.IsLoggedIn,
-		Username:    userContext.Username,
-		Name:        userContext.Name,
-		Email:       userContext.Email,
-		Provider:    userContext.Provider,
-		OAuth:       userContext.OAuth,
-		TotpPending: userContext.TotpPending,
-	}
-
-	// Test with context
-	router, recorder := setupContextController(&[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &userContext)
-			c.Next()
-		},
-	})
-
-	req := httptest.NewRequest("GET", "/api/context/user", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	var ctrlRes controller.UserContextResponse
-
-	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
-
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)
-
-	// Test no context
-	expectedRes = controller.UserContextResponse{
-		Status:     401,
-		Message:    "Unauthorized",
-		IsLoggedIn: false,
-	}
-
-	router, recorder = setupContextController(nil)
-	req = httptest.NewRequest("GET", "/api/context/user", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
-
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expectedRes, ctrlRes)
-}
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -23,7 +23,7 @@ type OAuthControllerConfig struct {
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
-	CookieDomain       string
+	RootDomain         string
 }

 type OAuthController struct {
@@ -74,13 +74,13 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {

 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
-	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)

 	redirectURI := c.Query("redirect_uri")

-	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
+	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
 		log.Debug().Msg("Setting redirect URI cookie")
-		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
 	}

 	c.JSON(200, gin.H{
@@ -108,12 +108,11 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	if err != nil || state != csrfCookie {
 		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
-		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

-	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)

 	code := c.Query("code")
 	service, exists := controller.broker.GetService(req.Provider)
@@ -186,7 +185,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Email:       user.Email,
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
-		OAuthName:   service.GetName(),
 	})

 	if err != nil {
@@ -197,7 +195,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)

-	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.RootDomain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
@@ -213,6 +211,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.RootDomain), controller.config.SecureCookie, true)
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 }
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -7,6 +7,7 @@ import (
 	"tinyauth/internal/config"
 	"tinyauth/internal/service"
 	"tinyauth/internal/utils"
+	"tinyauth/internal/utils/decoders"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -55,15 +56,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if req.Proxy != "nginx" && req.Proxy != "traefik" && req.Proxy != "caddy" {
-		log.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
 	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")

 	if isBrowser {
@@ -76,6 +68,16 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proto := c.Request.Header.Get("X-Forwarded-Proto")
 	host := c.Request.Header.Get("X-Forwarded-Host")

+	var app config.App
+
+	headers, err := decoders.DecodeHeaders(utils.NormalizeHeaders(c.Request.Header))
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to decode headers")
+		controller.handleError(c, req, isBrowser)
+		return
+	}
+
 	labels, err := controller.docker.GetLabels(host)

 	if err != nil {
@@ -84,10 +86,21 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

+	if len(headers.Apps) > 0 {
+		for k, v := range headers.Apps {
+			log.Debug().Str("app", k).Msg("Using headers for app config instead of labels")
+			app = v
+			break
+		}
+	} else {
+		log.Debug().Msg("No app config found in headers, using labels")
+		app = labels
+	}
+
 	clientIP := c.ClientIP()

-	if controller.auth.IsBypassedIP(labels.IP, clientIP) {
-		controller.setHeaders(c, labels)
+	if controller.auth.IsBypassedIP(app.IP, clientIP) {
+		controller.setHeaders(c, app)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -95,7 +108,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	authEnabled, err := controller.auth.IsAuthEnabled(uri, labels.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(uri, app.Path)

 	if err != nil {
 		log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -105,7 +118,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {

 	if !authEnabled {
 		log.Debug().Msg("Authentication disabled for resource, allowing access")
-		controller.setHeaders(c, labels)
+		controller.setHeaders(c, app)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -113,7 +126,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if !controller.auth.CheckIP(labels.IP, clientIP) {
+	if !controller.auth.CheckIP(app.IP, clientIP) {
 		if req.Proxy == "nginx" || !isBrowser {
 			c.JSON(401, gin.H{
 				"status":  401,
@@ -156,7 +169,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}

 	if userContext.IsLoggedIn {
-		appAllowed := controller.auth.IsResourceAllowed(c, userContext, labels)
+		appAllowed := controller.auth.IsResourceAllowed(c, userContext, app)

 		if !appAllowed {
 			log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
@@ -190,7 +203,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		}

 		if userContext.OAuth {
-			groupOK := controller.auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
+			groupOK := controller.auth.IsInOAuthGroup(c, userContext, app.OAuth.Groups)

 			if !groupOK {
 				log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -230,7 +243,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))

-		controller.setHeaders(c, labels)
+		controller.setHeaders(c, app)

 		c.JSON(200, gin.H{
 			"status":  200,
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -1,164 +0,0 @@
-package controller_test
-
-import (
-	"net/http/httptest"
-	"testing"
-	"tinyauth/internal/config"
-	"tinyauth/internal/controller"
-	"tinyauth/internal/service"
-
-	"github.com/gin-gonic/gin"
-	"gotest.tools/v3/assert"
-)
-
-func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
-	// Setup
-	gin.SetMode(gin.TestMode)
-	router := gin.Default()
-
-	if middlewares != nil {
-		for _, m := range *middlewares {
-			router.Use(m)
-		}
-	}
-
-	group := router.Group("/api")
-	recorder := httptest.NewRecorder()
-
-	// Database
-	databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
-		DatabasePath: "/tmp/tinyauth_test.db",
-	})
-
-	assert.NilError(t, databaseService.Init())
-
-	database := databaseService.GetDatabase()
-
-	// Docker
-	dockerService := service.NewDockerService()
-
-	assert.NilError(t, dockerService.Init())
-
-	// Auth service
-	authService := service.NewAuthService(service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
-			},
-		},
-		OauthWhitelist:    "",
-		SessionExpiry:     3600,
-		SecureCookie:      false,
-		CookieDomain:      "localhost",
-		LoginTimeout:      300,
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}, dockerService, nil, database)
-
-	// Controller
-	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: "http://localhost:8080",
-	}, group, dockerService, authService)
-	ctrl.SetupRoutes()
-
-	return router, recorder, authService
-}
-
-func TestProxyHandler(t *testing.T) {
-	// Setup
-	router, recorder, authService := setupProxyController(t, nil)
-
-	// Test invalid proxy
-	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 400, recorder.Code)
-
-	// Test logged out user (traefik/caddy)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("X-Forwarded-Proto", "https")
-	req.Header.Set("X-Forwarded-Host", "example.com")
-	req.Header.Set("X-Forwarded-Uri", "/somepath")
-	req.Header.Set("Accept", "text/html")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 307, recorder.Code)
-	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
-
-	// Test logged out user (nginx)
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-
-	// Test logged in user
-	c := gin.CreateTestContextOnly(recorder, router)
-
-	err := authService.CreateSessionCookie(c, &config.SessionCookie{
-		Username:    "testuser",
-		Name:        "testuser",
-		Email:       "testuser@example.com",
-		Provider:    "username",
-		TotpPending: false,
-		OAuthGroups: "",
-	})
-
-	assert.NilError(t, err)
-
-	cookie := c.Writer.Header().Get("Set-Cookie")
-
-	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "testuser",
-				Name:        "testuser",
-				Email:       "testuser@example.com",
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: false,
-				OAuthGroups: "",
-				TotpEnabled: false,
-			})
-			c.Next()
-		},
-	})
-
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.Header.Set("Cookie", cookie)
-	req.Header.Set("Accept", "text/html")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
-	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
-	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
-
-	// Ensure basic auth is disabled for TOTP enabled users
-	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "testuser",
-				Name:        "testuser",
-				Email:       "testuser@example.com",
-				IsLoggedIn:  true,
-				OAuth:       false,
-				Provider:    "basic",
-				TotpPending: false,
-				OAuthGroups: "",
-				TotpEnabled: true,
-			})
-			c.Next()
-		},
-	})
-
-	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
-	req.SetBasicAuth("testuser", "test")
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-}
--- a/internal/controller/resources_controller_test.go
+++ b/internal/controller/resources_controller_test.go
@@ -1,57 +0,0 @@
-package controller_test
-
-import (
-	"net/http/httptest"
-	"os"
-	"testing"
-	"tinyauth/internal/controller"
-
-	"github.com/gin-gonic/gin"
-	"gotest.tools/v3/assert"
-)
-
-func TestResourcesHandler(t *testing.T) {
-	// Setup
-	gin.SetMode(gin.TestMode)
-	router := gin.New()
-	group := router.Group("/")
-
-	ctrl := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		ResourcesDir: "/tmp/tinyauth",
-	}, group)
-	ctrl.SetupRoutes()
-
-	// Create test data
-	err := os.Mkdir("/tmp/tinyauth", 0755)
-	assert.NilError(t, err)
-	defer os.RemoveAll("/tmp/tinyauth")
-
-	file, err := os.Create("/tmp/tinyauth/test.txt")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString("This is a test file.")
-	assert.NilError(t, err)
-	file.Close()
-
-	// Test existing file
-	req := httptest.NewRequest("GET", "/resources/test.txt", nil)
-	recorder := httptest.NewRecorder()
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-	assert.Equal(t, "This is a test file.", recorder.Body.String())
-
-	// Test non-existing file
-	req = httptest.NewRequest("GET", "/resources/nonexistent.txt", nil)
-	recorder = httptest.NewRecorder()
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 404, recorder.Code)
-
-	// Test directory traversal attack
-	req = httptest.NewRequest("GET", "/resources/../etc/passwd", nil)
-	recorder = httptest.NewRecorder()
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 404, recorder.Code)
-}
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -22,7 +22,7 @@ type TotpRequest struct {
 }

 type UserControllerConfig struct {
-	CookieDomain string
+	RootDomain string
 }

 type UserController struct {
@@ -115,7 +115,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			err := controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
 				Provider:    "username",
 				TotpPending: true,
 			})
@@ -141,7 +141,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.CookieDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.config.RootDomain),
 		Provider: "username",
 	})

@@ -246,7 +246,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	err = controller.auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.CookieDomain),
+		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.config.RootDomain),
 		Provider: "username",
 	})

--- a/internal/controller/user_controller_test.go
+++ b/internal/controller/user_controller_test.go
@@ -1,297 +0,0 @@
-package controller_test
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-	"time"
-	"tinyauth/internal/config"
-	"tinyauth/internal/controller"
-	"tinyauth/internal/service"
-
-	"github.com/gin-gonic/gin"
-	"github.com/pquerna/otp/totp"
-	"gotest.tools/v3/assert"
-)
-
-var cookieValue string
-var totpSecret = "6WFZXPEZRK5MZHHYAFW4DAOUYQMCASBJ"
-
-func setupUserController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
-	// Setup
-	gin.SetMode(gin.TestMode)
-	router := gin.Default()
-
-	if middlewares != nil {
-		for _, m := range *middlewares {
-			router.Use(m)
-		}
-	}
-
-	group := router.Group("/api")
-	recorder := httptest.NewRecorder()
-
-	// Database
-	databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
-		DatabasePath: "/tmp/tinyauth_test.db",
-	})
-
-	assert.NilError(t, databaseService.Init())
-
-	database := databaseService.GetDatabase()
-
-	// Auth service
-	authService := service.NewAuthService(service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
-				TotpSecret: totpSecret,
-			},
-		},
-		OauthWhitelist:    "",
-		SessionExpiry:     3600,
-		SecureCookie:      false,
-		CookieDomain:      "localhost",
-		LoginTimeout:      300,
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}, nil, nil, database)
-
-	// Controller
-	ctrl := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain: "localhost",
-	}, group, authService)
-	ctrl.SetupRoutes()
-
-	return router, recorder
-}
-
-func TestLoginHandler(t *testing.T) {
-	// Setup
-	router, recorder := setupUserController(t, nil)
-
-	loginReq := controller.LoginRequest{
-		Username: "testuser",
-		Password: "test",
-	}
-
-	loginReqJson, err := json.Marshal(loginReq)
-	assert.NilError(t, err)
-
-	// Test
-	req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	cookie := recorder.Result().Cookies()[0]
-
-	assert.Equal(t, "tinyauth-session", cookie.Name)
-	assert.Assert(t, cookie.Value != "")
-
-	cookieValue = cookie.Value
-
-	// Test invalid credentials
-	loginReq = controller.LoginRequest{
-		Username: "testuser",
-		Password: "invalid",
-	}
-
-	loginReqJson, err = json.Marshal(loginReq)
-	assert.NilError(t, err)
-
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-
-	// Test totp required
-	loginReq = controller.LoginRequest{
-		Username: "totpuser",
-		Password: "test",
-	}
-
-	loginReqJson, err = json.Marshal(loginReq)
-	assert.NilError(t, err)
-
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	loginResJson, err := json.Marshal(map[string]any{
-		"message":     "TOTP required",
-		"status":      200,
-		"totpPending": true,
-	})
-
-	assert.NilError(t, err)
-	assert.Equal(t, string(loginResJson), recorder.Body.String())
-
-	// Test invalid json
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader("{invalid json}"))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 400, recorder.Code)
-
-	// Test rate limiting
-	loginReq = controller.LoginRequest{
-		Username: "testuser",
-		Password: "invalid",
-	}
-
-	loginReqJson, err = json.Marshal(loginReq)
-	assert.NilError(t, err)
-
-	for range 5 {
-		recorder = httptest.NewRecorder()
-		req = httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqJson)))
-		router.ServeHTTP(recorder, req)
-	}
-
-	assert.Equal(t, 429, recorder.Code)
-}
-
-func TestLogoutHandler(t *testing.T) {
-	// Setup
-	router, recorder := setupUserController(t, nil)
-
-	// Test
-	req := httptest.NewRequest("POST", "/api/user/logout", nil)
-
-	req.AddCookie(&http.Cookie{
-		Name:  "tinyauth-session",
-		Value: cookieValue,
-	})
-
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	cookie := recorder.Result().Cookies()[0]
-
-	assert.Equal(t, "tinyauth-session", cookie.Name)
-	assert.Equal(t, "", cookie.Value)
-	assert.Equal(t, -1, cookie.MaxAge)
-}
-
-func TestTotpHandler(t *testing.T) {
-	// Setup
-	router, recorder := setupUserController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "totpuser",
-				Name:        "totpuser",
-				Email:       "totpuser@example.com",
-				IsLoggedIn:  false,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: true,
-				OAuthGroups: "",
-				TotpEnabled: true,
-			})
-			c.Next()
-		},
-	})
-
-	// Test
-	code, err := totp.GenerateCode(totpSecret, time.Now())
-
-	assert.NilError(t, err)
-
-	totpReq := controller.TotpRequest{
-		Code: code,
-	}
-
-	totpReqJson, err := json.Marshal(totpReq)
-	assert.NilError(t, err)
-
-	req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 200, recorder.Code)
-
-	cookie := recorder.Result().Cookies()[0]
-
-	assert.Equal(t, "tinyauth-session", cookie.Name)
-	assert.Assert(t, cookie.Value != "")
-
-	// Test invalid json
-	recorder = httptest.NewRecorder()
-	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader("{invalid json}"))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 400, recorder.Code)
-
-	// Test rate limiting
-	totpReq = controller.TotpRequest{
-		Code: "000000",
-	}
-
-	totpReqJson, err = json.Marshal(totpReq)
-	assert.NilError(t, err)
-
-	for range 5 {
-		recorder = httptest.NewRecorder()
-		req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
-		router.ServeHTTP(recorder, req)
-	}
-
-	assert.Equal(t, 429, recorder.Code)
-
-	// Test invalid code
-	router, recorder = setupUserController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "totpuser",
-				Name:        "totpuser",
-				Email:       "totpuser@example.com",
-				IsLoggedIn:  false,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: true,
-				OAuthGroups: "",
-				TotpEnabled: true,
-			})
-			c.Next()
-		},
-	})
-
-	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-
-	// Test no totp pending
-	router, recorder = setupUserController(t, &[]gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &config.UserContext{
-				Username:    "totpuser",
-				Name:        "totpuser",
-				Email:       "totpuser@example.com",
-				IsLoggedIn:  false,
-				OAuth:       false,
-				Provider:    "username",
-				TotpPending: false,
-				OAuthGroups: "",
-				TotpEnabled: false,
-			})
-			c.Next()
-		},
-	})
-
-	req = httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqJson)))
-	router.ServeHTTP(recorder, req)
-
-	assert.Equal(t, 401, recorder.Code)
-}
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -12,7 +12,7 @@ import (
 )

 type ContextMiddlewareConfig struct {
-	CookieDomain string
+	RootDomain string
 }

 type ContextMiddleware struct {
@@ -95,7 +95,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Email:       cookie.Email,
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
-				OAuthName:   cookie.OAuthName,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})
@@ -135,7 +134,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
-				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.CookieDomain),
+				Email:       fmt.Sprintf("%s@%s", strings.ToLower(user.Username), m.config.RootDomain),
 				Provider:    "basic",
 				IsLoggedIn:  true,
 				TotpEnabled: user.TotpSecret != "",
@@ -147,7 +146,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			c.Set("context", &config.UserContext{
 				Username:   basic.Username,
 				Name:       utils.Capitalize(basic.Username),
-				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.CookieDomain),
+				Email:      fmt.Sprintf("%s@%s", strings.ToLower(basic.Username), m.config.RootDomain),
 				Provider:   "basic",
 				IsLoggedIn: true,
 			})
--- a/internal/model/session_model.go
+++ b/internal/model/session_model.go
@@ -9,5 +9,4 @@ type Session struct {
 	TOTPPending bool   `gorm:"column:totp_pending"`
 	OAuthGroups string `gorm:"column:oauth_groups"`
 	Expiry      int64  `gorm:"column:expiry"`
-	OAuthName   string `gorm:"column:oauth_name"`
 }
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -28,7 +28,7 @@ type AuthServiceConfig struct {
 	OauthWhitelist    string
 	SessionExpiry     int
 	SecureCookie      bool
-	CookieDomain      string
+	RootDomain        string
 	LoginTimeout      int
 	LoginMaxRetries   int
 	SessionCookieName string
@@ -210,7 +210,6 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		TOTPPending: data.TotpPending,
 		OAuthGroups: data.OAuthGroups,
 		Expiry:      time.Now().Add(time.Duration(expiry) * time.Second).Unix(),
-		OAuthName:   data.OAuthName,
 	}

 	err = auth.database.Create(&session).Error
@@ -219,7 +218,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		return err
 	}

-	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)

 	return nil
 }
@@ -237,7 +236,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return res.Error
 	}

-	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
+	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.RootDomain), auth.config.SecureCookie, true)

 	return nil
 }
@@ -279,7 +278,6 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		Provider:    session.Provider,
 		TotpPending: session.TOTPPending,
 		OAuthGroups: session.OAuthGroups,
-		OAuthName:   session.OAuthName,
 	}, nil
 }

--- a/internal/service/generic_oauth_service.go
+++ b/internal/service/generic_oauth_service.go
@@ -22,7 +22,6 @@ type GenericOAuthService struct {
 	verifier           string
 	insecureSkipVerify bool
 	userinfoUrl        string
-	name               string
 }

 func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthService {
@@ -39,7 +38,6 @@ func NewGenericOAuthService(config config.OAuthServiceConfig) *GenericOAuthServi
 		},
 		insecureSkipVerify: config.InsecureSkipVerify,
 		userinfoUrl:        config.UserinfoURL,
-		name:               config.Name,
 	}
 }

@@ -117,7 +115,3 @@ func (generic *GenericOAuthService) Userinfo() (config.Claims, error) {

 	return user, nil
 }
-
-func (generic *GenericOAuthService) GetName() string {
-	return generic.name
-}
--- a/internal/service/github_oauth_service.go
+++ b/internal/service/github_oauth_service.go
@@ -33,7 +33,6 @@ type GithubOAuthService struct {
 	context  context.Context
 	token    *oauth2.Token
 	verifier string
-	name     string
 }

 func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService {
@@ -45,7 +44,6 @@ func NewGithubOAuthService(config config.OAuthServiceConfig) *GithubOAuthService
 			Scopes:       GithubOAuthScopes,
 			Endpoint:     endpoints.GitHub,
 		},
-		name: config.Name,
 	}
 }

@@ -169,7 +167,3 @@ func (github *GithubOAuthService) Userinfo() (config.Claims, error) {

 	return user, nil
 }
-
-func (github *GithubOAuthService) GetName() string {
-	return github.name
-}
--- a/internal/service/google_oauth_service.go
+++ b/internal/service/google_oauth_service.go
@@ -28,7 +28,6 @@ type GoogleOAuthService struct {
 	context  context.Context
 	token    *oauth2.Token
 	verifier string
-	name     string
 }

 func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService {
@@ -40,7 +39,6 @@ func NewGoogleOAuthService(config config.OAuthServiceConfig) *GoogleOAuthService
 			Scopes:       GoogleOAuthScopes,
 			Endpoint:     endpoints.Google,
 		},
-		name: config.Name,
 	}
 }

@@ -113,7 +111,3 @@ func (google *GoogleOAuthService) Userinfo() (config.Claims, error) {

 	return user, nil
 }
-
-func (google *GoogleOAuthService) GetName() string {
-	return google.name
-}
--- a/internal/service/oauth_broker_service.go
+++ b/internal/service/oauth_broker_service.go
@@ -14,7 +14,6 @@ type OAuthService interface {
 	GetAuthURL(state string) string
 	VerifyCode(code string) error
 	Userinfo() (config.Claims, error)
-	GetName() string
 }

 type OAuthBrokerService struct {
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -6,43 +6,32 @@ import (
 	"net/url"
 	"strings"
 	"tinyauth/internal/config"
-	"tinyauth/internal/utils/decoders"
-
-	"maps"

 	"github.com/gin-gonic/gin"
+
 	"github.com/rs/zerolog"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
 )

-// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
-func GetCookieDomain(u string) (string, error) {
-	parsed, err := url.Parse(u)
+// Get root domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+func GetRootDomain(appUrl string) (string, error) {
+	appUrlParsed, err := url.Parse(appUrl)
 	if err != nil {
 		return "", err
 	}

-	host := parsed.Hostname()
+	host := appUrlParsed.Hostname()

 	if netIP := net.ParseIP(host); netIP != nil {
-		return "", errors.New("IP addresses not allowed")
+		return "", errors.New("IP addresses are not allowed")
 	}

-	parts := strings.Split(host, ".")
+	urlParts := strings.Split(host, ".")

-	if len(parts) < 3 {
-		return "", errors.New("invalid app url, must be at least second level domain")
+	if len(urlParts) < 2 {
+		return "", errors.New("invalid domain, must be at least second level domain")
 	}

-	domain := strings.Join(parts[1:], ".")
-
-	_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, domain, nil)
-
-	if err != nil {
-		return "", errors.New("domain in public suffix list, cannot set cookies")
-	}
-
-	return domain, nil
+	return strings.Join(urlParts[1:], "."), nil
 }

 func ParseFileToLine(content string) string {
@@ -60,7 +49,6 @@ func ParseFileToLine(content string) string {
 }

 func Filter[T any](slice []T, test func(T) bool) (res []T) {
-	res = make([]T, 0)
 	for _, value := range slice {
 		if test(value) {
 			res = append(res, value)
@@ -100,13 +88,13 @@ func IsRedirectSafe(redirectURL string, domain string) bool {
 		return false
 	}

-	cookieDomain, err := GetCookieDomain(redirectURL)
+	upper, err := GetRootDomain(redirectURL)

 	if err != nil {
 		return false
 	}

-	if cookieDomain != domain {
+	if upper != domain {
 		return false
 	}

@@ -133,68 +121,3 @@ func GetLogLevel(level string) zerolog.Level {
 		return zerolog.InfoLevel
 	}
 }
-
-func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[string]config.OAuthServiceConfig, error) {
-	providers := make(map[string]config.OAuthServiceConfig)
-
-	// Get from environment variables
-	envMap := make(map[string]string)
-
-	for _, e := range env {
-		pair := strings.SplitN(e, "=", 2)
-		if len(pair) == 2 {
-			envMap[pair[0]] = pair[1]
-		}
-	}
-
-	envProviders, err := decoders.DecodeEnv(envMap)
-
-	if err != nil {
-		return nil, err
-	}
-
-	maps.Copy(providers, envProviders.Providers)
-
-	// Get from flags
-	flagsMap := make(map[string]string)
-
-	for _, arg := range args[1:] {
-		if strings.HasPrefix(arg, "--") {
-			pair := strings.SplitN(arg[2:], "=", 2)
-			if len(pair) == 2 {
-				flagsMap[pair[0]] = pair[1]
-			}
-		}
-	}
-
-	flagProviders, err := decoders.DecodeFlags(flagsMap)
-
-	if err != nil {
-		return nil, err
-	}
-
-	maps.Copy(providers, flagProviders.Providers)
-
-	// For every provider get correct secret from file if set
-	for name, provider := range providers {
-		secret := GetSecret(provider.ClientSecret, provider.ClientSecretFile)
-		provider.ClientSecret = secret
-		provider.ClientSecretFile = ""
-		providers[name] = provider
-	}
-
-	// If we have google/github providers and no redirect URL babysit them
-	babysitProviders := []string{"google", "github"}
-
-	for _, name := range babysitProviders {
-		if provider, exists := providers[name]; exists {
-			if provider.RedirectURL == "" {
-				provider.RedirectURL = appUrl + "/api/oauth/callback/" + name
-				providers[name] = provider
-			}
-		}
-	}
-
-	// Return combined providers
-	return providers, nil
-}
--- a/internal/utils/app_utils_test.go
+++ b/internal/utils/app_utils_test.go
@@ -1,271 +0,0 @@
-package utils_test
-
-import (
-	"os"
-	"testing"
-	"tinyauth/internal/config"
-	"tinyauth/internal/utils"
-
-	"github.com/gin-gonic/gin"
-	"gotest.tools/v3/assert"
-)
-
-func TestGetRootDomain(t *testing.T) {
-	// Normal case
-	domain := "http://sub.tinyauth.app"
-	expected := "tinyauth.app"
-	result, err := utils.GetCookieDomain(domain)
-	assert.NilError(t, err)
-	assert.Equal(t, expected, result)
-
-	// Domain with multiple subdomains
-	domain = "http://b.c.tinyauth.app"
-	expected = "c.tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
-	assert.NilError(t, err)
-	assert.Equal(t, expected, result)
-
-	// Domain with no subdomain
-	domain = "http://tinyauth.app"
-	expected = "tinyauth.app"
-	_, err = utils.GetCookieDomain(domain)
-	assert.Error(t, err, "invalid app url, must be at least second level domain")
-
-	// Invalid domain (only TLD)
-	domain = "com"
-	_, err = utils.GetCookieDomain(domain)
-	assert.ErrorContains(t, err, "invalid app url, must be at least second level domain")
-
-	// IP address
-	domain = "http://10.10.10.10"
-	_, err = utils.GetCookieDomain(domain)
-	assert.ErrorContains(t, err, "IP addresses not allowed")
-
-	// Invalid URL
-	domain = "http://[::1]:namedport"
-	_, err = utils.GetCookieDomain(domain)
-	assert.ErrorContains(t, err, "parse \"http://[::1]:namedport\": invalid port \":namedport\" after host")
-
-	// URL with scheme and path
-	domain = "https://sub.tinyauth.app/path"
-	expected = "tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
-	assert.NilError(t, err)
-	assert.Equal(t, expected, result)
-
-	// URL with port
-	domain = "http://sub.tinyauth.app:8080"
-	expected = "tinyauth.app"
-	result, err = utils.GetCookieDomain(domain)
-	assert.NilError(t, err)
-	assert.Equal(t, expected, result)
-
-	// Domain managed by ICANN
-	domain = "http://example.co.uk"
-	_, err = utils.GetCookieDomain(domain)
-	assert.Error(t, err, "domain in public suffix list, cannot set cookies")
-}
-
-func TestParseFileToLine(t *testing.T) {
-	// Normal case
-	content := "user1\nuser2\nuser3"
-	expected := "user1,user2,user3"
-	result := utils.ParseFileToLine(content)
-	assert.Equal(t, expected, result)
-
-	// Case with empty lines and spaces
-	content = " user1 \n\n user2 \n user3 \n"
-	expected = "user1,user2,user3"
-	result = utils.ParseFileToLine(content)
-	assert.Equal(t, expected, result)
-
-	// Case with only empty lines
-	content = "\n\n\n"
-	expected = ""
-	result = utils.ParseFileToLine(content)
-	assert.Equal(t, expected, result)
-
-	// Case with single user
-	content = "singleuser"
-	expected = "singleuser"
-	result = utils.ParseFileToLine(content)
-	assert.Equal(t, expected, result)
-
-	// Case with trailing newline
-	content = "user1\nuser2\n"
-	expected = "user1,user2"
-	result = utils.ParseFileToLine(content)
-	assert.Equal(t, expected, result)
-}
-
-func TestFilter(t *testing.T) {
-	// Normal case
-	slice := []int{1, 2, 3, 4, 5}
-	testFunc := func(n int) bool { return n%2 == 0 }
-	expected := []int{2, 4}
-	result := utils.Filter(slice, testFunc)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with no matches
-	slice = []int{1, 3, 5}
-	testFunc = func(n int) bool { return n%2 == 0 }
-	expected = []int{}
-	result = utils.Filter(slice, testFunc)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with all matches
-	slice = []int{2, 4, 6}
-	testFunc = func(n int) bool { return n%2 == 0 }
-	expected = []int{2, 4, 6}
-	result = utils.Filter(slice, testFunc)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with empty slice
-	slice = []int{}
-	testFunc = func(n int) bool { return n%2 == 0 }
-	expected = []int{}
-	result = utils.Filter(slice, testFunc)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with different type (string)
-	sliceStr := []string{"apple", "banana", "cherry"}
-	testFuncStr := func(s string) bool { return len(s) > 5 }
-	expectedStr := []string{"banana", "cherry"}
-	resultStr := utils.Filter(sliceStr, testFuncStr)
-	assert.DeepEqual(t, expectedStr, resultStr)
-}
-
-func TestGetContext(t *testing.T) {
-	// Setup
-	gin.SetMode(gin.TestMode)
-	c, _ := gin.CreateTestContext(nil)
-
-	// Normal case
-	c.Set("context", &config.UserContext{Username: "testuser"})
-	result, err := utils.GetContext(c)
-	assert.NilError(t, err)
-	assert.Equal(t, "testuser", result.Username)
-
-	// Case with no context
-	c.Set("context", nil)
-	_, err = utils.GetContext(c)
-	assert.Error(t, err, "invalid user context in request")
-
-	// Case with invalid context type
-	c.Set("context", "invalid type")
-	_, err = utils.GetContext(c)
-	assert.Error(t, err, "invalid user context in request")
-}
-
-func TestIsRedirectSafe(t *testing.T) {
-	// Setup
-	domain := "example.com"
-
-	// Case with no subdomain
-	redirectURL := "http://example.com/welcome"
-	result := utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, false, result)
-
-	// Case with different domain
-	redirectURL = "http://malicious.com/phishing"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, false, result)
-
-	// Case with subdomain
-	redirectURL = "http://sub.example.com/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, true, result)
-
-	// Case with empty redirect URL
-	redirectURL = ""
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, false, result)
-
-	// Case with invalid URL
-	redirectURL = "http://[::1]:namedport"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, false, result)
-
-	// Case with URL having port
-	redirectURL = "http://sub.example.com:8080/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, true, result)
-
-	// Case with URL having different subdomain
-	redirectURL = "http://another.example.com/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, true, result)
-
-	// Case with URL having different TLD
-	redirectURL = "http://example.org/page"
-	result = utils.IsRedirectSafe(redirectURL, domain)
-	assert.Equal(t, false, result)
-}
-
-func TestGetOAuthProvidersConfig(t *testing.T) {
-	env := []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET=client1-secret"}
-	args := []string{"/tinyauth/tinyauth", "--providers-client2-client-id=client2-id", "--providers-client2-client-secret=client2-secret"}
-
-	expected := map[string]config.OAuthServiceConfig{
-		"client1": {
-			ClientID:     "client1-id",
-			ClientSecret: "client1-secret",
-		},
-		"client2": {
-			ClientID:     "client2-id",
-			ClientSecret: "client2-secret",
-		},
-	}
-
-	result, err := utils.GetOAuthProvidersConfig(env, args, "")
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with no providers
-	env = []string{}
-	args = []string{"/tinyauth/tinyauth"}
-	expected = map[string]config.OAuthServiceConfig{}
-
-	result, err = utils.GetOAuthProvidersConfig(env, args, "")
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with secret from file
-	file, err := os.Create("/tmp/tinyauth_test_file")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString("file content\n")
-	assert.NilError(t, err)
-
-	err = file.Close()
-	assert.NilError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_file")
-
-	env = []string{"PROVIDERS_CLIENT1_CLIENT_ID=client1-id", "PROVIDERS_CLIENT1_CLIENT_SECRET_FILE=/tmp/tinyauth_test_file"}
-	args = []string{"/tinyauth/tinyauth"}
-	expected = map[string]config.OAuthServiceConfig{
-		"client1": {
-			ClientID:     "client1-id",
-			ClientSecret: "file content",
-		},
-	}
-
-	result, err = utils.GetOAuthProvidersConfig(env, args, "")
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, result)
-
-	// Case with google provider and no redirect URL
-	env = []string{"PROVIDERS_GOOGLE_CLIENT_ID=google-id", "PROVIDERS_GOOGLE_CLIENT_SECRET=google-secret"}
-	args = []string{"/tinyauth/tinyauth"}
-	expected = map[string]config.OAuthServiceConfig{
-		"google": {
-			ClientID:     "google-id",
-			ClientSecret: "google-secret",
-			RedirectURL:  "http://app.url/api/oauth/callback/google",
-		},
-	}
-
-	result, err = utils.GetOAuthProvidersConfig(env, args, "http://app.url")
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, result)
-}
--- a/internal/utils/decoders/decoders.go
+++ b/internal/utils/decoders/decoders.go
@@ -1,81 +0,0 @@
-package decoders
-
-import (
-	"reflect"
-	"strings"
-	"tinyauth/internal/config"
-)
-
-func NormalizeKeys(keys map[string]string, rootName string, sep string) map[string]string {
-	normalized := make(map[string]string)
-	knownKeys := getKnownKeys()
-
-	for k, v := range keys {
-		var finalKey []string
-		var suffix string
-		var camelClientName string
-		var camelField string
-
-		finalKey = append(finalKey, rootName)
-		finalKey = append(finalKey, "providers")
-		cebabKey := strings.ToLower(k)
-
-		for _, known := range knownKeys {
-			if strings.HasSuffix(cebabKey, strings.ReplaceAll(known, "-", sep)) {
-				suffix = known
-				break
-			}
-		}
-
-		if suffix == "" {
-			continue
-		}
-
-		clientNameParts := strings.Split(strings.TrimPrefix(strings.TrimSuffix(cebabKey, sep+strings.ReplaceAll(suffix, "-", sep)), "providers"+sep), sep)
-
-		for i, p := range clientNameParts {
-			if i == 0 {
-				camelClientName += p
-				continue
-			}
-			if p == "" {
-				continue
-			}
-			camelClientName += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
-		}
-
-		finalKey = append(finalKey, camelClientName)
-
-		filedParts := strings.Split(suffix, "-")
-
-		for i, p := range filedParts {
-			if i == 0 {
-				camelField += p
-				continue
-			}
-			if p == "" {
-				continue
-			}
-			camelField += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
-		}
-
-		finalKey = append(finalKey, camelField)
-		normalized[strings.Join(finalKey, ".")] = v
-	}
-
-	return normalized
-}
-
-func getKnownKeys() []string {
-	var known []string
-
-	p := config.OAuthServiceConfig{}
-	v := reflect.ValueOf(p)
-	typeOfP := v.Type()
-
-	for field := range typeOfP.NumField() {
-		known = append(known, typeOfP.Field(field).Tag.Get("key"))
-	}
-
-	return known
-}
--- a/internal/utils/decoders/decoders_test.go
+++ b/internal/utils/decoders/decoders_test.go
@@ -1,44 +0,0 @@
-package decoders_test
-
-import (
-	"testing"
-	"tinyauth/internal/utils/decoders"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestNormalizeKeys(t *testing.T) {
-	// Test with env
-	test := map[string]string{
-		"PROVIDERS_CLIENT1_CLIENT_ID":                    "my-client-id",
-		"PROVIDERS_CLIENT1_CLIENT_SECRET":                "my-client-secret",
-		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_ID":          "my-awesome-client-id",
-		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_SECRET_FILE": "/path/to/secret",
-	}
-	expected := map[string]string{
-		"tinyauth.providers.client1.clientId":                 "my-client-id",
-		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
-		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
-		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
-	}
-
-	normalized := decoders.NormalizeKeys(test, "tinyauth", "_")
-	assert.DeepEqual(t, normalized, expected)
-
-	// Test with flags (assume -- is already stripped)
-	test = map[string]string{
-		"providers-client1-client-id":                    "my-client-id",
-		"providers-client1-client-secret":                "my-client-secret",
-		"providers-my-awesome-client-client-id":          "my-awesome-client-id",
-		"providers-my-awesome-client-client-secret-file": "/path/to/secret",
-	}
-	expected = map[string]string{
-		"tinyauth.providers.client1.clientId":                 "my-client-id",
-		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
-		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
-		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
-	}
-
-	normalized = decoders.NormalizeKeys(test, "tinyauth", "-")
-	assert.DeepEqual(t, normalized, expected)
-}
--- a/internal/utils/decoders/env_decoder.go
+++ b/internal/utils/decoders/env_decoder.go
@@ -1,20 +0,0 @@
-package decoders
-
-import (
-	"tinyauth/internal/config"
-
-	"github.com/traefik/paerser/parser"
-)
-
-func DecodeEnv(env map[string]string) (config.Providers, error) {
-	normalized := NormalizeKeys(env, "tinyauth", "_")
-	var providers config.Providers
-
-	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
-
-	if err != nil {
-		return config.Providers{}, err
-	}
-
-	return providers, nil
-}
--- a/internal/utils/decoders/env_decoder_test.go
+++ b/internal/utils/decoders/env_decoder_test.go
@@ -1,60 +0,0 @@
-package decoders_test
-
-import (
-	"testing"
-	"tinyauth/internal/config"
-	"tinyauth/internal/utils/decoders"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestDecodeEnv(t *testing.T) {
-	// Variables
-	expected := config.Providers{
-		Providers: map[string]config.OAuthServiceConfig{
-			"client1": {
-				ClientID:           "client1-id",
-				ClientSecret:       "client1-secret",
-				Scopes:             []string{"client1-scope1", "client1-scope2"},
-				RedirectURL:        "client1-redirect-url",
-				AuthURL:            "client1-auth-url",
-				UserinfoURL:        "client1-user-info-url",
-				Name:               "Client1",
-				InsecureSkipVerify: false,
-			},
-			"client2": {
-				ClientID:           "client2-id",
-				ClientSecret:       "client2-secret",
-				Scopes:             []string{"client2-scope1", "client2-scope2"},
-				RedirectURL:        "client2-redirect-url",
-				AuthURL:            "client2-auth-url",
-				UserinfoURL:        "client2-user-info-url",
-				Name:               "My Awesome Client2",
-				InsecureSkipVerify: false,
-			},
-		},
-	}
-	test := map[string]string{
-		"PROVIDERS_CLIENT1_CLIENT_ID":            "client1-id",
-		"PROVIDERS_CLIENT1_CLIENT_SECRET":        "client1-secret",
-		"PROVIDERS_CLIENT1_SCOPES":               "client1-scope1,client1-scope2",
-		"PROVIDERS_CLIENT1_REDIRECT_URL":         "client1-redirect-url",
-		"PROVIDERS_CLIENT1_AUTH_URL":             "client1-auth-url",
-		"PROVIDERS_CLIENT1_USER_INFO_URL":        "client1-user-info-url",
-		"PROVIDERS_CLIENT1_NAME":                 "Client1",
-		"PROVIDERS_CLIENT1_INSECURE_SKIP_VERIFY": "false",
-		"PROVIDERS_CLIENT2_CLIENT_ID":            "client2-id",
-		"PROVIDERS_CLIENT2_CLIENT_SECRET":        "client2-secret",
-		"PROVIDERS_CLIENT2_SCOPES":               "client2-scope1,client2-scope2",
-		"PROVIDERS_CLIENT2_REDIRECT_URL":         "client2-redirect-url",
-		"PROVIDERS_CLIENT2_AUTH_URL":             "client2-auth-url",
-		"PROVIDERS_CLIENT2_USER_INFO_URL":        "client2-user-info-url",
-		"PROVIDERS_CLIENT2_NAME":                 "My Awesome Client2",
-		"PROVIDERS_CLIENT2_INSECURE_SKIP_VERIFY": "false",
-	}
-
-	// Test
-	res, err := decoders.DecodeEnv(test)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, res)
-}
--- a/internal/utils/decoders/flags_decoder.go
+++ b/internal/utils/decoders/flags_decoder.go
@@ -1,30 +0,0 @@
-package decoders
-
-import (
-	"strings"
-	"tinyauth/internal/config"
-
-	"github.com/traefik/paerser/parser"
-)
-
-func DecodeFlags(flags map[string]string) (config.Providers, error) {
-	filtered := filterFlags(flags)
-	normalized := NormalizeKeys(filtered, "tinyauth", "-")
-	var providers config.Providers
-
-	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
-
-	if err != nil {
-		return config.Providers{}, err
-	}
-
-	return providers, nil
-}
-
-func filterFlags(flags map[string]string) map[string]string {
-	filtered := make(map[string]string)
-	for k, v := range flags {
-		filtered[strings.TrimPrefix(k, "--")] = v
-	}
-	return filtered
-}
--- a/internal/utils/decoders/flags_decoder_test.go
+++ b/internal/utils/decoders/flags_decoder_test.go
@@ -1,60 +0,0 @@
-package decoders_test
-
-import (
-	"testing"
-	"tinyauth/internal/config"
-	"tinyauth/internal/utils/decoders"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestDecodeFlags(t *testing.T) {
-	// Variables
-	expected := config.Providers{
-		Providers: map[string]config.OAuthServiceConfig{
-			"client1": {
-				ClientID:           "client1-id",
-				ClientSecret:       "client1-secret",
-				Scopes:             []string{"client1-scope1", "client1-scope2"},
-				RedirectURL:        "client1-redirect-url",
-				AuthURL:            "client1-auth-url",
-				UserinfoURL:        "client1-user-info-url",
-				Name:               "Client1",
-				InsecureSkipVerify: false,
-			},
-			"client2": {
-				ClientID:           "client2-id",
-				ClientSecret:       "client2-secret",
-				Scopes:             []string{"client2-scope1", "client2-scope2"},
-				RedirectURL:        "client2-redirect-url",
-				AuthURL:            "client2-auth-url",
-				UserinfoURL:        "client2-user-info-url",
-				Name:               "My Awesome Client2",
-				InsecureSkipVerify: false,
-			},
-		},
-	}
-	test := map[string]string{
-		"--providers-client1-client-id":            "client1-id",
-		"--providers-client1-client-secret":        "client1-secret",
-		"--providers-client1-scopes":               "client1-scope1,client1-scope2",
-		"--providers-client1-redirect-url":         "client1-redirect-url",
-		"--providers-client1-auth-url":             "client1-auth-url",
-		"--providers-client1-user-info-url":        "client1-user-info-url",
-		"--providers-client1-name":                 "Client1",
-		"--providers-client1-insecure-skip-verify": "false",
-		"--providers-client2-client-id":            "client2-id",
-		"--providers-client2-client-secret":        "client2-secret",
-		"--providers-client2-scopes":               "client2-scope1,client2-scope2",
-		"--providers-client2-redirect-url":         "client2-redirect-url",
-		"--providers-client2-auth-url":             "client2-auth-url",
-		"--providers-client2-user-info-url":        "client2-user-info-url",
-		"--providers-client2-name":                 "My Awesome Client2",
-		"--providers-client2-insecure-skip-verify": "false",
-	}
-
-	// Test
-	res, err := decoders.DecodeFlags(test)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, res)
-}
--- a/internal/utils/decoders/header_decoder.go
+++ b/internal/utils/decoders/header_decoder.go
@@ -0,0 +1,119 @@
+package decoders
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"tinyauth/internal/config"
+
+	"github.com/traefik/paerser/parser"
+)
+
+// Based on: https://github.com/traefik/paerser/blob/master/parser/labels_decode.go (Apache 2.0 License)
+
+func DecodeHeaders(headers map[string]string) (config.AppConfigs, error) {
+	var app config.AppConfigs
+
+	err := decodeHeadersHelper(headers, &app, "tinyauth", "tinyauth-apps")
+
+	if err != nil {
+		return config.AppConfigs{}, err
+	}
+
+	return app, nil
+}
+
+func decodeHeadersHelper(headers map[string]string, element any, rootName string, filters ...string) error {
+	node, err := decodeHeadersToNode(headers, rootName, filters...)
+
+	if err != nil {
+		return err
+	}
+
+	opts := parser.MetadataOpts{TagName: "header", AllowSliceAsStruct: true}
+	err = parser.AddMetadata(element, node, opts)
+
+	if err != nil {
+		return err
+	}
+
+	return parser.Fill(element, node, parser.FillerOpts{AllowSliceAsStruct: true})
+}
+
+func decodeHeadersToNode(headers map[string]string, rootName string, filters ...string) (*parser.Node, error) {
+	sortedKeys := sortKeys(headers, filters)
+
+	var node *parser.Node
+
+	for i, key := range sortedKeys {
+		split := strings.Split(strings.ToLower(key), "-")
+
+		if split[0] != rootName {
+			return nil, fmt.Errorf("invalid header root %s", split[0])
+		}
+
+		for _, v := range split {
+			if v == "" {
+				return nil, fmt.Errorf("invalid element: %s", key)
+			}
+		}
+
+		if i == 0 {
+			node = &parser.Node{}
+		}
+
+		decodeHeaderToNode(node, split, headers[key])
+	}
+
+	return node, nil
+}
+
+func decodeHeaderToNode(root *parser.Node, path []string, value string) {
+	if len(root.Name) == 0 {
+		root.Name = path[0]
+	}
+
+	if len(path) > 1 {
+		node := containsNode(root.Children, path[1])
+
+		if node != nil {
+			decodeHeaderToNode(node, path[1:], value)
+		} else {
+			child := &parser.Node{Name: path[1]}
+			decodeHeaderToNode(child, path[1:], value)
+			root.Children = append(root.Children, child)
+		}
+	} else {
+		root.Value = value
+	}
+}
+
+func containsNode(nodes []*parser.Node, name string) *parser.Node {
+	for _, node := range nodes {
+		if strings.EqualFold(node.Name, name) {
+			return node
+		}
+	}
+	return nil
+}
+
+func sortKeys(headers map[string]string, filters []string) []string {
+	var sortedKeys []string
+
+	for key := range headers {
+		if len(filters) == 0 {
+			sortedKeys = append(sortedKeys, key)
+			continue
+		}
+
+		for _, filter := range filters {
+			if strings.HasPrefix(strings.ToLower(key), strings.ToLower(filter)) {
+				sortedKeys = append(sortedKeys, key)
+				continue
+			}
+		}
+	}
+
+	sort.Strings(sortedKeys)
+	return sortedKeys
+}
--- a/internal/utils/decoders/header_decoder_test.go
+++ b/internal/utils/decoders/header_decoder_test.go
@@ -0,0 +1,73 @@
+package decoders_test
+
+import (
+	"reflect"
+	"testing"
+	"tinyauth/internal/config"
+	"tinyauth/internal/utils/decoders"
+)
+
+func TestDecodeHeaders(t *testing.T) {
+	// Variables
+	expected := config.AppConfigs{
+		Apps: map[string]config.App{
+			"foo": {
+				Config: config.AppConfig{
+					Domain: "example.com",
+				},
+				Users: config.AppUsers{
+					Allow: "user1,user2",
+					Block: "user3",
+				},
+				OAuth: config.AppOAuth{
+					Whitelist: "somebody@example.com",
+					Groups:    "group3",
+				},
+				IP: config.AppIP{
+					Allow:  []string{"10.71.0.1/24", "10.71.0.2"},
+					Block:  []string{"10.10.10.10", "10.0.0.0/24"},
+					Bypass: []string{"192.168.1.1"},
+				},
+				Response: config.AppResponse{
+					Headers: []string{"X-Foo=Bar", "X-Baz=Qux"},
+					BasicAuth: config.AppBasicAuth{
+						Username:     "admin",
+						Password:     "password",
+						PasswordFile: "/path/to/passwordfile",
+					},
+				},
+				Path: config.AppPath{
+					Allow: "/public",
+					Block: "/private",
+				},
+			},
+		},
+	}
+	test := map[string]string{
+		"Tinyauth-Apps-Foo-Config-Domain":                   "example.com",
+		"Tinyauth-Apps-Foo-Users-Allow":                     "user1,user2",
+		"Tinyauth-Apps-Foo-Users-Block":                     "user3",
+		"Tinyauth-Apps-Foo-OAuth-Whitelist":                 "somebody@example.com",
+		"Tinyauth-Apps-Foo-OAuth-Groups":                    "group3",
+		"Tinyauth-Apps-Foo-IP-Allow":                        "10.71.0.1/24,10.71.0.2",
+		"Tinyauth-Apps-Foo-IP-Block":                        "10.10.10.10,10.0.0.0/24",
+		"Tinyauth-Apps-Foo-IP-Bypass":                       "192.168.1.1",
+		"Tinyauth-Apps-Foo-Response-Headers":                "X-Foo=Bar,X-Baz=Qux",
+		"Tinyauth-Apps-Foo-Response-BasicAuth-Username":     "admin",
+		"Tinyauth-Apps-Foo-Response-BasicAuth-Password":     "password",
+		"Tinyauth-Apps-Foo-Response-BasicAuth-PasswordFile": "/path/to/passwordfile",
+		"Tinyauth-Apps-Foo-Path-Allow":                      "/public",
+		"Tinyauth-Apps-Foo-Path-Block":                      "/private",
+	}
+
+	// Test
+	result, err := decoders.DecodeHeaders(test)
+
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	if !reflect.DeepEqual(expected, result) {
+		t.Fatalf("Expected %v but got %v", expected, result)
+	}
+}
--- a/internal/utils/decoders/label_decoder.go
+++ b/internal/utils/decoders/label_decoder.go
@@ -6,13 +6,13 @@ import (
 	"github.com/traefik/paerser/parser"
 )

-func DecodeLabels(labels map[string]string) (config.Apps, error) {
-	var appLabels config.Apps
+func DecodeLabels(labels map[string]string) (config.AppConfigs, error) {
+	var appLabels config.AppConfigs

 	err := parser.Decode(labels, &appLabels, "tinyauth", "tinyauth.apps")

 	if err != nil {
-		return config.Apps{}, err
+		return config.AppConfigs{}, err
 	}

 	return appLabels, nil
--- a/internal/utils/decoders/label_decoder_test.go
+++ b/internal/utils/decoders/label_decoder_test.go
@@ -1,16 +1,15 @@
 package decoders_test

 import (
+	"reflect"
 	"testing"
 	"tinyauth/internal/config"
 	"tinyauth/internal/utils/decoders"
-
-	"gotest.tools/v3/assert"
 )

 func TestDecodeLabels(t *testing.T) {
 	// Variables
-	expected := config.Apps{
+	expected := config.AppConfigs{
 		Apps: map[string]config.App{
 			"foo": {
 				Config: config.AppConfig{
@@ -63,6 +62,12 @@ func TestDecodeLabels(t *testing.T) {

 	// Test
 	result, err := decoders.DecodeLabels(test)
-	assert.NilError(t, err)
-	assert.DeepEqual(t, expected, result)
+
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	if reflect.DeepEqual(expected, result) == false {
+		t.Fatalf("Expected %v but got %v", expected, result)
+	}
 }
--- a/internal/utils/fs_utils_test.go
+++ b/internal/utils/fs_utils_test.go
@@ -1,31 +0,0 @@
-package utils
-
-import (
-	"os"
-	"testing"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestReadFile(t *testing.T) {
-	// Setup
-	file, err := os.Create("/tmp/tinyauth_test_file")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString("file content\n")
-	assert.NilError(t, err)
-
-	err = file.Close()
-	assert.NilError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_file")
-
-	// Normal case
-	content, err := ReadFile("/tmp/tinyauth_test_file")
-	assert.NilError(t, err)
-	assert.Equal(t, "file content\n", content)
-
-	// Non-existing file
-	content, err = ReadFile("/tmp/non_existing_file")
-	assert.ErrorContains(t, err, "no such file or directory")
-	assert.Equal(t, "", content)
-}
--- a/internal/utils/header_utils.go
+++ b/internal/utils/header_utils.go
@@ -32,3 +32,13 @@ func SanitizeHeader(header string) string {
 		return -1
 	}, header)
 }
+
+func NormalizeHeaders(headers http.Header) map[string]string {
+	var result = make(map[string]string)
+
+	for key, values := range headers {
+		result[key] = strings.Join(values, ",")
+	}
+
+	return result
+}
--- a/internal/utils/label_utils_test.go
+++ b/internal/utils/label_utils_test.go
@@ -1,87 +0,0 @@
-package utils_test
-
-import (
-	"testing"
-	"tinyauth/internal/utils"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestParseHeaders(t *testing.T) {
-	// Normal case
-	headers := []string{
-		"X-Custom-Header=Value",
-		"Another-Header=AnotherValue",
-	}
-	expected := map[string]string{
-		"X-Custom-Header": "Value",
-		"Another-Header":  "AnotherValue",
-	}
-	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
-
-	// Case insensitivity and trimming
-	headers = []string{
-		"  x-custom-header =  Value  ",
-		"ANOTHER-HEADER=AnotherValue",
-	}
-	expected = map[string]string{
-		"X-Custom-Header": "Value",
-		"Another-Header":  "AnotherValue",
-	}
-	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
-
-	// Invalid headers (missing '=', empty key/value)
-	headers = []string{
-		"InvalidHeader",
-		"=NoKey",
-		"NoValue=",
-		"   =   ",
-	}
-	expected = map[string]string{}
-	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
-
-	// Headers with unsafe characters
-	headers = []string{
-		"X-Custom-Header=Val\x00ue",       // Null byte
-		"Another-Header=Anoth\x7FerValue", // DEL character
-		"Good-Header=GoodValue",
-	}
-	expected = map[string]string{
-		"X-Custom-Header": "Value",
-		"Another-Header":  "AnotherValue",
-		"Good-Header":     "GoodValue",
-	}
-	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
-
-	// Header with spaces in key (should be ignored)
-	headers = []string{
-		"X Custom Header=Value",
-		"Valid-Header=ValidValue",
-	}
-	expected = map[string]string{
-		"Valid-Header": "ValidValue",
-	}
-	assert.DeepEqual(t, expected, utils.ParseHeaders(headers))
-}
-
-func TestSanitizeHeader(t *testing.T) {
-	// Normal case
-	header := "X-Custom-Header"
-	expected := "X-Custom-Header"
-	assert.Equal(t, expected, utils.SanitizeHeader(header))
-
-	// Header with unsafe characters
-	header = "X-Cust\x00om-Hea\x7Fder" // Null byte and DEL character
-	expected = "X-Custom-Header"
-	assert.Equal(t, expected, utils.SanitizeHeader(header))
-
-	// Header with only unsafe characters
-	header = "\x00\x01\x02\x7F"
-	expected = ""
-	assert.Equal(t, expected, utils.SanitizeHeader(header))
-
-	// Header with spaces and tabs (should be preserved)
-	header = "X Custom\tHeader"
-	expected = "X Custom\tHeader"
-	assert.Equal(t, expected, utils.SanitizeHeader(header))
-}
--- a/internal/utils/security_utils.go
+++ b/internal/utils/security_utils.go
@@ -46,14 +46,10 @@ func GetBasicAuth(username string, password string) string {
 }

 func FilterIP(filter string, ip string) (bool, error) {
-	ipAddr := net.ParseIP(ip)
-
-	if ipAddr == nil {
-		return false, errors.New("invalid IP address")
-	}
-
 	filter = strings.Replace(filter, "-", "/", -1)

+	ipAddr := net.ParseIP(ip)
+
 	if strings.Contains(filter, "/") {
 		_, cidr, err := net.ParseCIDR(filter)
 		if err != nil {
--- a/internal/utils/security_utils_test.go
+++ b/internal/utils/security_utils_test.go
@@ -1,151 +0,0 @@
-package utils_test
-
-import (
-	"os"
-	"testing"
-	"tinyauth/internal/utils"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestGetSecret(t *testing.T) {
-	// Setup
-	file, err := os.Create("/tmp/tinyauth_test_secret")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString("       secret       \n")
-	assert.NilError(t, err)
-
-	err = file.Close()
-	assert.NilError(t, err)
-	defer os.Remove("/tmp/tinyauth_test_secret")
-
-	// Get from config
-	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", ""))
-
-	// Get from file
-	assert.Equal(t, "secret", utils.GetSecret("", "/tmp/tinyauth_test_secret"))
-
-	// Get from both (config should take precedence)
-	assert.Equal(t, "mysecret", utils.GetSecret("mysecret", "/tmp/tinyauth_test_secret"))
-
-	// Get from none
-	assert.Equal(t, "", utils.GetSecret("", ""))
-
-	// Get from non-existing file
-	assert.Equal(t, "", utils.GetSecret("", "/tmp/non_existing_file"))
-}
-
-func TestParseSecretFile(t *testing.T) {
-	// Normal case
-	content := "   mysecret   \n"
-	assert.Equal(t, "mysecret", utils.ParseSecretFile(content))
-
-	// Multiple lines (should take the first non-empty line)
-	content = "\n\n   firstsecret   \nsecondsecret\n"
-	assert.Equal(t, "firstsecret", utils.ParseSecretFile(content))
-
-	// All empty lines
-	content = "\n   \n  \n"
-	assert.Equal(t, "", utils.ParseSecretFile(content))
-
-	// Empty content
-	content = ""
-	assert.Equal(t, "", utils.ParseSecretFile(content))
-}
-
-func TestGetBasicAuth(t *testing.T) {
-	// Normal case
-	username := "user"
-	password := "pass"
-	expected := "dXNlcjpwYXNz" // base64 of "user:pass"
-	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
-
-	// Empty username
-	username = ""
-	password = "pass"
-	expected = "OnBhc3M=" // base64 of ":pass"
-	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
-
-	// Empty password
-	username = "user"
-	password = ""
-	expected = "dXNlcjo=" // base64 of "user:"
-	assert.Equal(t, expected, utils.GetBasicAuth(username, password))
-}
-
-func TestFilterIP(t *testing.T) {
-	// Exact match IPv4
-	ok, err := utils.FilterIP("10.10.0.1", "10.10.0.1")
-	assert.NilError(t, err)
-	assert.Equal(t, true, ok)
-
-	// Non-match IPv4
-	ok, err = utils.FilterIP("10.10.0.1", "10.10.0.2")
-	assert.NilError(t, err)
-	assert.Equal(t, false, ok)
-
-	// CIDR match IPv4
-	ok, err = utils.FilterIP("10.10.0.0/24", "10.10.0.2")
-	assert.NilError(t, err)
-	assert.Equal(t, true, ok)
-
-	// CIDR match IPv4 with '-' instead of '/'
-	ok, err = utils.FilterIP("10.10.10.0-24", "10.10.10.5")
-	assert.NilError(t, err)
-	assert.Equal(t, true, ok)
-
-	// CIDR non-match IPv4
-	ok, err = utils.FilterIP("10.10.0.0/24", "10.5.0.1")
-	assert.NilError(t, err)
-	assert.Equal(t, false, ok)
-
-	// Invalid CIDR
-	ok, err = utils.FilterIP("10.10.0.0/222", "10.0.0.1")
-	assert.ErrorContains(t, err, "invalid CIDR address")
-	assert.Equal(t, false, ok)
-
-	// Invalid IP in filter
-	ok, err = utils.FilterIP("invalid_ip", "10.5.5.5")
-	assert.ErrorContains(t, err, "invalid IP address in filter")
-	assert.Equal(t, false, ok)
-
-	// Invalid IP to check
-	ok, err = utils.FilterIP("10.10.10.10", "invalid_ip")
-	assert.ErrorContains(t, err, "invalid IP address")
-	assert.Equal(t, false, ok)
-}
-
-func TestCheckFilter(t *testing.T) {
-	// Empty filter
-	assert.Equal(t, true, utils.CheckFilter("", "anystring"))
-
-	// Exact match
-	assert.Equal(t, true, utils.CheckFilter("hello", "hello"))
-
-	// Regex match
-	assert.Equal(t, true, utils.CheckFilter("/^h.*o$/", "hello"))
-
-	// Invalid regex
-	assert.Equal(t, false, utils.CheckFilter("/[unclosed", "test"))
-
-	// Comma-separated values
-	assert.Equal(t, true, utils.CheckFilter("apple, banana, cherry", "banana"))
-
-	// No match
-	assert.Equal(t, false, utils.CheckFilter("apple, banana, cherry", "grape"))
-}
-
-func TestGenerateIdentifier(t *testing.T) {
-	// Consistent output for same input
-	id1 := utils.GenerateIdentifier("teststring")
-	id2 := utils.GenerateIdentifier("teststring")
-	assert.Equal(t, id1, id2)
-
-	// Different output for different input
-	id3 := utils.GenerateIdentifier("differentstring")
-	assert.Assert(t, id1 != id3)
-
-	// Check length (should be 8 characters from first segment of UUID)
-	assert.Equal(t, 8, len(id1))
-}
--- a/internal/utils/string_utils_test.go
+++ b/internal/utils/string_utils_test.go
@@ -1,50 +0,0 @@
-package utils_test
-
-import (
-	"testing"
-	"tinyauth/internal/utils"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestCapitalize(t *testing.T) {
-	// Test empty string
-	assert.Equal(t, "", utils.Capitalize(""))
-
-	// Test single character
-	assert.Equal(t, "A", utils.Capitalize("a"))
-
-	// Test multiple characters
-	assert.Equal(t, "Hello", utils.Capitalize("hello"))
-
-	// Test already capitalized
-	assert.Equal(t, "World", utils.Capitalize("World"))
-
-	// Test non-alphabetic first character
-	assert.Equal(t, "1number", utils.Capitalize("1number"))
-
-	// Test Unicode characters
-	assert.Equal(t, "Γειά", utils.Capitalize("γειά"))
-	assert.Equal(t, "Привет", utils.Capitalize("привет"))
-
-}
-
-func TestCoalesceToString(t *testing.T) {
-	// Test with []any containing strings
-	assert.Equal(t, "a,b,c", utils.CoalesceToString([]any{"a", "b", "c"}))
-
-	// Test with []any containing mixed types
-	assert.Equal(t, "a,c", utils.CoalesceToString([]any{"a", 1, "c", true}))
-
-	// Test with []any containing no strings
-	assert.Equal(t, "", utils.CoalesceToString([]any{1, 2, 3}))
-
-	// Test with string input
-	assert.Equal(t, "hello", utils.CoalesceToString("hello"))
-
-	// Test with non-string, non-[]any input
-	assert.Equal(t, "", utils.CoalesceToString(123))
-
-	// Test with nil input
-	assert.Equal(t, "", utils.CoalesceToString(nil))
-}
--- a/internal/utils/user_utils_test.go
+++ b/internal/utils/user_utils_test.go
@@ -1,163 +0,0 @@
-package utils_test
-
-import (
-	"os"
-	"testing"
-	"tinyauth/internal/utils"
-
-	"gotest.tools/v3/assert"
-)
-
-func TestGetUsers(t *testing.T) {
-	// Setup
-	file, err := os.Create("/tmp/tinyauth_users_test.txt")
-	assert.NilError(t, err)
-
-	_, err = file.WriteString("      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        \n         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G                    ") // Spacing is on purpose
-	assert.NilError(t, err)
-
-	err = file.Close()
-	assert.NilError(t, err)
-	defer os.Remove("/tmp/tinyauth_users_test.txt")
-
-	// Test file
-	users, err := utils.GetUsers("", "/tmp/tinyauth_users_test.txt")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, 2, len(users))
-
-	assert.Equal(t, "user1", users[0].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-	assert.Equal(t, "user2", users[1].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-
-	// Test config
-	users, err = utils.GetUsers("user3:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user4:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, 2, len(users))
-
-	assert.Equal(t, "user3", users[0].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-	assert.Equal(t, "user4", users[1].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-
-	// Test both
-	users, err = utils.GetUsers("user5:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "/tmp/tinyauth_users_test.txt")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, 3, len(users))
-
-	assert.Equal(t, "user5", users[0].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-	assert.Equal(t, "user1", users[1].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-	assert.Equal(t, "user2", users[2].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[2].Password)
-
-	// Test empty
-	users, err = utils.GetUsers("", "")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, 0, len(users))
-
-	// Test non-existent file
-	users, err = utils.GetUsers("", "/tmp/non_existent_file.txt")
-
-	assert.ErrorContains(t, err, "no such file or directory")
-
-	assert.Equal(t, 0, len(users))
-}
-
-func TestParseUsers(t *testing.T) {
-	// Valid users
-	users, err := utils.ParseUsers("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G,user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF") // user2 has TOTP
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, 2, len(users))
-
-	assert.Equal(t, "user1", users[0].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-	assert.Equal(t, "", users[0].TotpSecret)
-	assert.Equal(t, "user2", users[1].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
-
-	// Valid weirdly spaced users
-	users, err = utils.ParseUsers("      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        ,         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF                    ") // Spacing is on purpose
-	assert.NilError(t, err)
-
-	assert.Equal(t, 2, len(users))
-
-	assert.Equal(t, "user1", users[0].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-	assert.Equal(t, "", users[0].TotpSecret)
-	assert.Equal(t, "user2", users[1].Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
-}
-
-func TestParseUser(t *testing.T) {
-	// Valid user without TOTP
-	user, err := utils.ParseUser("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, "user1", user.Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
-	assert.Equal(t, "", user.TotpSecret)
-
-	// Valid user with TOTP
-	user, err = utils.ParseUser("user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, "user2", user.Username)
-	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
-	assert.Equal(t, "ABCDEF", user.TotpSecret)
-
-	// Valid user with $$ in password
-	user, err = utils.ParseUser("user3:pa$$word123")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, "user3", user.Username)
-	assert.Equal(t, "pa$word123", user.Password)
-	assert.Equal(t, "", user.TotpSecret)
-
-	// User with spaces
-	user, err = utils.ParseUser("   user4   :   password123   :   TOTPSECRET   ")
-
-	assert.NilError(t, err)
-
-	assert.Equal(t, "user4", user.Username)
-	assert.Equal(t, "password123", user.Password)
-	assert.Equal(t, "TOTPSECRET", user.TotpSecret)
-
-	// Invalid users
-	_, err = utils.ParseUser("user1") // Missing password
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser("user1:")
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser(":password123")
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser("user1:password123:ABC:EXTRA") // Too many parts
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser("user1::ABC")
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser(":password123:ABC")
-	assert.ErrorContains(t, err, "invalid user format")
-
-	_, err = utils.ParseUser("   :   :   ")
-	assert.ErrorContains(t, err, "invalid user format")
-}
Author	SHA1	Message	Date
Stavros	1a83e1c811	fix: lowercase key and filter before comparing	2025-09-02 19:00:41 +03:00
Stavros	b15f91967b	refactor: use stdlib prefix check in header decoder	2025-09-02 18:54:38 +03:00
Stavros	6e88a89730	refactor: simplify decode header to node function	2025-09-02 18:45:36 +03:00
Stavros	78920cba64	feat: use decoded headers in proxy controller	2025-09-02 18:19:18 +03:00
Stavros	b6bc3d0020	feat: allow for dash substitute over slash for environments like kubernetes	2025-09-02 17:47:29 +03:00
Stavros	ca772ed24f	feat: add header decoder	2025-09-02 17:44:44 +03:00
				`@@ -1 +0,0 @@`
				`ALTER TABLE "sessions" DROP COLUMN "oauth_name";`