token cleanup consistency

removes the sqlite dependency for tests, also brings back the option for
users to run zero persistence instances of tinyauth.

adds new mapErr fn for sqlc wrapper gen to prevent sql errors from
leaking out of the store implementation.

.env.example

@@ -91,6 +91,8 @@ TINYAUTH_APPS_name_LDAP_GROUPS=
 
 # Comma-separated list of allowed OAuth domains.
 TINYAUTH_OAUTH_WHITELIST=
+# Path to the OAuth whitelist file.
+TINYAUTH_OAUTH_WHITELISTFILE=
 # The OAuth provider to use for automatic redirection.
 TINYAUTH_OAUTH_AUTOREDIRECT=
 # OAuth client ID.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,38 +0,0 @@
----
-name: Bug report
-about: Create a report to help improve Tinyauth
-title: "[BUG]"
-labels: bug
-assignees:
-  - steveiliop56
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Please include the Tinyauth logs below, make sure to not include sensitive info.
-
-**Device (please complete the following information):**
- - OS: [e.g. iOS]
- - Browser [e.g. chrome, safari]
- - Tinyauth [e.g. v2.1.1]
- - Docker [e.g. 27.3.1]
-
-**
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,89 @@
+name: Bug Report
+description: Create a report to help us improve this project
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug! Please provide detailed information below.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the Bug
+      description: "A clear and concise description of what the bug is."
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: How to Reproduce
+      description: Steps to reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: false
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: "A clear and concise description of what you expected to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: "Additional Context"
+      description: "If applicable add screenshots to help explain your problem."
+    validations:
+      required: false
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: "Logs"
+      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
+    validations:
+      required: false
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating System
+      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser
+      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
+
+  - type: input
+    id: tinyauth
+    attributes:
+      label: Tinyauth Version
+      placeholder: "e.g. v5.0.0"
+
+  - type: input
+    id: docker
+    attributes:
+      label: Docker Version (if applicable)
+      placeholder: "e.g. 27.3.1"
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Tinyauth Community Support on Discord
+    url: https://discord.gg/eHzVaCzRRd
+    about: Please ask and answer questions here.
+  - name: Tinyauth Documentation
+    url: https://tinyauth.app/docs/getting-started/
+    about: Please check the documentation here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,21 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-  - steveiliop56
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,52 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please provide detailed information below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem? Please describe.
+      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
+    validations:
+      required: false
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like.
+      description: "A clear and concise description of what you want to happen."
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives you've considered.
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+    validations:
+      required: false
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+    validations:
+      required: false
+
+  - type: checkboxes
+    id: not-llm
+    attributes:
+      label: Human Written Confirmation
+      options:
+        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
+          required: true

.github/dependabot.yml

@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "bun"
+  - package-ecosystem: "npm"
     directory: "/frontend"
     groups:
       minor-patch:

.github/workflows/ci.yml

@@ -15,8 +15,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Setup go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -26,28 +28,35 @@ jobs:
       - name: Go dependencies
         run: go mod download
 
-      - name: Install frontend dependencies
+      - name: Setup sqlc
+        uses: sqlc-dev/setup-sqlc@v4
+        with:
+          sqlc-version: "1.31.1"
+
+      - name: Check codegen is up to date
         run: |
-          cd frontend
-          bun install --frozen-lockfile
+          sqlc generate
+          go generate ./internal/repository/...
+          git diff --exit-code -- internal/repository/
+          git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Set version
-        run: |
-          echo testing > internal/assets/version
+        run: echo testing > internal/assets/version
 
       - name: Lint frontend
-        run: |
-          cd frontend
-          bun run lint
+        working-directory: ./frontend
+        run: pnpm run lint
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Copy frontend
-        run: |
-          cp -r frontend/dist internal/assets/dist
+        run: cp -r frontend/dist internal/assets/dist
 
       - name: Run tests
         run: go test -coverprofile=coverage.txt -v ./...

.github/workflows/nightly.yml

@@ -59,8 +59,10 @@ jobs:
         with:
           ref: nightly
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -68,23 +70,20 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 
@@ -105,8 +104,10 @@ jobs:
         with:
           ref: nightly
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -114,23 +115,20 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 

.github/workflows/release.yml

@@ -35,8 +35,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -44,23 +46,20 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 
@@ -78,8 +77,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+      - name: Setup pnpm
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        with:
+          package_json_file: ./frontend/package.json
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -87,23 +88,20 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        run: |
-          cd frontend
-          bun install --frozen-lockfile
+        working-directory: ./frontend
+        run: pnpm ci
 
       - name: Install backend dependencies
-        run: |
-          go mod download
+        run: go mod download
 
       - name: Build frontend
-        run: |
-          cd frontend
-          bun run build
+        working-directory: ./frontend
+        run: pnpm run build
 
       - name: Build
         run: |
           cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
         env:
           CGO_ENABLED: 0
 

.github/workflows/scorecard.yml

@@ -38,6 +38,6 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           sarif_file: results.sarif

.gitignore

@@ -48,3 +48,6 @@ __debug_*
 
 # testing config
 config.certify.yml
+
+# deepsec
+/.deepsec

CONTRIBUTING.md

@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 
 ## Requirements
 
-- Bun
+- pnpm
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 
 ```sh
 cd frontend/
-bun install
+pnpm ci
 ```
 
 ## Create the `.env` file

Dockerfile

@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 
 WORKDIR /frontend
 
-COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+RUN npm install -g pnpm@11.1.2
 
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
+COPY ./frontend/pnpm-lock.yaml ./
+
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN bun run build
+RUN pnpm run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -38,9 +40,9 @@ COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w \
-    -X github.com/tinyauthapp/tinyauth/internal/config.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
+    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
 FROM alpine:3.23 AS runner

Dockerfile.dev

@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
 
 COPY ./cmd ./cmd
 COPY ./internal ./internal

Dockerfile.distroless

@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.1-alpine3.23 AS frontend-builder
 
 WORKDIR /frontend
 
-COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+RUN npm install -g pnpm@11.1.2
 
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
+COPY ./frontend/pnpm-lock.yaml ./
+
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN bun run build
+RUN pnpm run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -40,9 +42,9 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 
 RUN CGO_ENABLED=0 go build -ldflags "-s -w \
-    -X github.com/tinyauthapp/tinyauth/internal/config.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
+    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner

Makefile

@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	cd frontend && pnpm ci
 	go mod download
 
 # Clean data
@@ -31,15 +31,15 @@ clean-webui:
 
 # Build the web UI
 webui: clean-webui
-	bun run --cwd frontend build
+	cd frontend && pnpm run build
 	cp -r frontend/dist internal/assets
 
 # Build the binary
 binary: webui
 	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
-	-X github.com/tinyauthapp/tinyauth/internal/config.Version=${TAG_NAME} \
-	-X github.com/tinyauthapp/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-	-X github.com/tinyauthapp/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
+	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
+	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth
 
 # Build for amd64
@@ -85,3 +85,4 @@ sql:
 # Go gen
 generate:
 	go run ./gen
+	go generate ./internal/repository/...

README.md

@@ -65,7 +65,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
 
 A big thank you to the following people for providing me with more coffee:
 
-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<a href="https://github.com/apearson"><img src="https:&#x2F;&#x2F;github.com&#x2F;apearson.png" width="64px" alt="User avatar: apearson" /></a>&nbsp;&nbsp;<!-- sponsors -->
 
 ## Acknowledgements
 

SECURITY.md

@@ -2,8 +2,56 @@
 
 ## Supported Versions
 
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 
 ## Reporting a Vulnerability
 
-Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
+Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
+
+Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
+
+Or send us an email at <security@tinyauth.app>.
+
+### A note on AI-assisted reports
+
+If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
+
+When submitting a report, please use the structure below so it can be triaged quickly.
+
+---
+
+### 1. Summary
+
+A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
+
+### 2. Steps to Reproduce / Proof of Concept
+
+Provide a minimal, reliable reproduction:
+
+1. Step one
+2. Step two
+3. Step three
+
+Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
+
+### 3. Expected vs. Actual Behaviour
+
+- **Expected:** what *should* happen
+- **Actual:** what *does* happen, and why it's a security issue
+
+### 4. Suggested Fix or Mitigation *(optional)*
+
+If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
+
+- **Have you tested this fix?** Yes / No
+- **If yes,** briefly describe how it was tested and what was verified.
+
+---
+
+## What to Expect
+
+- **Acknowledgement** within a reasonable timeframe after receiving your report
+- **Updates** as the issue is investigated and addressed
+- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
+
+We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.

cmd/tinyauth/create_user.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 
 	"charm.land/huh/v2"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -40,7 +40,8 @@ func createUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -73,7 +74,7 @@ func createUserCmd() *cli.Command {
 				return errors.New("username and password cannot be empty")
 			}
 
-			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")
+			log.App.Info().Str("username", tCfg.Username).Msg("Creating user")
 
 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
@@ -86,7 +87,7 @@ func createUserCmd() *cli.Command {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}
 
-			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+			log.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
 
 			return nil
 		},

cmd/tinyauth/generate_totp.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"charm.land/huh/v2"
 	"github.com/mdp/qrterminal/v3"
@@ -40,7 +40,8 @@ func generateTotpCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -73,7 +74,7 @@ func generateTotpCmd() *cli.Command {
 				docker = true
 			}
 
-			if user.TotpSecret != "" {
+			if user.TOTPSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
 			}
 
@@ -88,9 +89,9 @@ func generateTotpCmd() *cli.Command {
 
 			secret := key.Secret()
 
-			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
+			log.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
 
-			tlog.App.Info().Msg("Generated QR code")
+			log.App.Info().Msg("Generated QR code")
 
 			config := qrterminal.Config{
 				Level:     qrterminal.L,
@@ -102,14 +103,14 @@ func generateTotpCmd() *cli.Command {
 
 			qrterminal.GenerateWithConfig(key.URL(), config)
 
-			user.TotpSecret = secret
+			user.TOTPSecret = secret
 
 			// If using docker escape re-escape it
 			if docker {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
 
-			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			log.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 
 			return nil
 		},

cmd/tinyauth/healthcheck.go

@@ -9,8 +9,8 @@ import (
 	"os"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 type healthzResponse struct {
@@ -26,7 +26,8 @@ func healthcheckCmd() *cli.Command {
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			if srvAddr == "" {
@@ -48,7 +49,7 @@ func healthcheckCmd() *cli.Command {
 				return errors.New("Could not determine app URL")
 			}
 
-			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")
+			log.App.Info().Str("app_url", appUrl).Msg("Performing health check")
 
 			client := http.Client{
 				Timeout: 30 * time.Second,
@@ -86,7 +87,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}
 
-			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+			log.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 
 			return nil
 		},

cmd/tinyauth/tinyauth.go

@@ -5,16 +5,15 @@ import (
 
 	"charm.land/huh/v2"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
 )
 
 func main() {
-	tConfig := config.NewDefaultConfiguration()
+	tConfig := model.NewDefaultConfiguration()
 
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
@@ -108,12 +107,7 @@ func main() {
 	}
 }
 
-func runCmd(cfg config.Config) error {
-	logger := tlog.NewLogger(cfg.Log)
-	logger.Init()
-
-	tlog.App.Info().Str("version", config.Version).Msg("Starting tinyauth")
-
+func runCmd(cfg model.Config) error {
 	app := bootstrap.NewBootstrapApp(cfg)
 
 	err := app.Setup()

cmd/tinyauth/verify_user.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"charm.land/huh/v2"
 	"github.com/pquerna/otp/totp"
@@ -44,7 +44,8 @@ func verifyUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			tlog.NewSimpleLogger().Init()
+			log := logger.NewLogger().WithSimpleConfig()
+			log.Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -95,21 +96,21 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("password is incorrect: %w", err)
 			}
 
-			if user.TotpSecret == "" {
+			if user.TOTPSecret == "" {
 				if tCfg.Totp != "" {
-					tlog.App.Warn().Msg("User does not have TOTP secret")
+					log.App.Warn().Msg("User does not have TOTP secret")
 				}
-				tlog.App.Info().Msg("User verified")
+				log.App.Info().Msg("User verified")
 				return nil
 			}
 
-			ok := totp.Validate(tCfg.Totp, user.TotpSecret)
+			ok := totp.Validate(tCfg.Totp, user.TOTPSecret)
 
 			if !ok {
 				return fmt.Errorf("TOTP code incorrect")
 			}
 
-			tlog.App.Info().Msg("User verified")
+			log.App.Info().Msg("User verified")
 
 			return nil
 		},

cmd/tinyauth/version.go

@@ -3,9 +3,8 @@ package main
 import (
 	"fmt"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
-
 	"github.com/tinyauthapp/paerser/cli"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
 func versionCmd() *cli.Command {
@@ -15,9 +14,9 @@ func versionCmd() *cli.Command {
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
-			fmt.Printf("Version: %s\n", config.Version)
-			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
-			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
+			fmt.Printf("Version: %s\n", model.Version)
+			fmt.Printf("Commit Hash: %s\n", model.CommitHash)
+			fmt.Printf("Build Timestamp: %s\n", model.BuildTimestamp)
 			return nil
 		},
 	}

docker-compose.dev.yml

@@ -1,9 +1,10 @@
 services:
   traefik:
     image: traefik:v3.6
-    command: --api.insecure=true --providers.docker
+    command: --api.insecure=true --providers.docker --entrypoints.web.address=:80 --entrypoints.websecure.address=:443
     ports:
       - 80:80
+      - 443:443
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
@@ -25,6 +26,8 @@ services:
     labels:
       traefik.enable: true
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
+      traefik.http.routers.tinyauth.entrypoints: websecure
+      traefik.http.routers.tinyauth.tls: true
 
   tinyauth-backend:
     build:

frontend/.prettierignore

@@ -1,6 +0,0 @@
-# Ignore artifacts:
-dist
-node_modules
-bun.lock
-package.json
-src/lib/i18n/locales

frontend/.prettierrc

@@ -1 +0,0 @@
-{}

frontend/Dockerfile.dev

@@ -1,11 +1,13 @@
-FROM oven/bun:1.2.16-alpine
+FROM node:26.1-alpine3.23
+
+RUN npm install -g pnpm@11.1.2
 
 WORKDIR /frontend
 
 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+COPY ./frontend/pnpm-lock.yaml ./
 
-RUN bun install --frozen-lockfile
+RUN pnpm ci
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,4 +21,4 @@ COPY ./frontend/vite.config.ts ./
 
 EXPOSE 5173
 
-ENTRYPOINT ["bun", "run", "dev"]
+ENTRYPOINT ["pnpm", "run", "dev"]

frontend/package.json

@@ -10,6 +10,7 @@
     "preview": "vite preview",
     "tsc": "tsc -b"
   },
+  "packageManager": "pnpm@11.1.2",
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
     "@radix-ui/react-dropdown-menu": "^2.1.16",

frontend/pnpm-workspace.yaml

@@ -0,0 +1,4 @@
+dangerouslyAllowAllBuilds: false
+blockExoticSubdeps: true
+minimumReleaseAge: 1440 # 1 day
+trustPolicy: no-downgrade

gen/gen_env.go

@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
 type EnvEntry struct {
@@ -20,7 +20,7 @@ type EnvEntry struct {
 }
 
 func generateExampleEnv() {
-	cfg := config.NewDefaultConfiguration()
+	cfg := model.NewDefaultConfiguration()
 	entries := make([]EnvEntry, 0)
 
 	root := reflect.TypeOf(cfg).Elem()

gen/gen_md.go

@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
 type MarkdownEntry struct {
@@ -21,7 +21,7 @@ type MarkdownEntry struct {
 }
 
 func generateMarkdown() {
-	cfg := config.NewDefaultConfiguration()
+	cfg := model.NewDefaultConfiguration()
 	entries := make([]MarkdownEntry, 0)
 
 	root := reflect.TypeOf(cfg).Elem()

gen/sqlc-wrapper/sqlc_wrapper.go

@@ -0,0 +1,473 @@
+// gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
+// internal/repository/<driver>/. Run via:
+//
+//	go generate ./internal/repository/...
+//
+// The generator introspects *Queries methods and the model/params types in the
+// driver package, then emits a store.go that wraps *Queries so it satisfies
+// repository.Store using the canonical shared types in the parent package.
+// This generator is specific to sqlc-generated drivers. Non-sqlc drivers should
+// implement repository.Store directly by hand.
+package main
+
+import (
+	"bytes"
+	_ "embed"
+	"flag"
+	"fmt"
+	"go/format"
+	"go/types"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+	"text/template"
+
+	"golang.org/x/tools/go/packages"
+)
+
+//go:embed store.tmpl
+var storeSrc string
+
+func main() {
+	fmt.Println("sqlc-wrapper: generating store.go files for sqlc driver packages...")
+	if err := run(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func run() error {
+	driverPkg := flag.String("pkg", "", "import path of the driver package")
+	out := flag.String("out", "store.go", "output filename relative to driver package directory")
+	flag.Parse()
+
+	if *driverPkg == "" {
+		return fmt.Errorf("-pkg is required")
+	}
+
+	// Resolve the driver package directory so we can overlay the output file
+	// with a valid stub. This prevents a stale store.go from poisoning the
+	// type-checker and producing cryptic "undefined" errors.
+	driverDir, err := pkgDir(*driverPkg)
+	if err != nil {
+		return fmt.Errorf("resolve driver dir: %w", err)
+	}
+
+	outPath := filepath.Join(driverDir, *out)
+	if filepath.IsAbs(*out) {
+		outPath = *out
+	}
+
+	// Stub replaces the output file during load so stale generated code is ignored.
+	stub := []byte("package " + filepath.Base(driverDir) + "\n")
+	cfg := &packages.Config{
+		Mode:    packages.NeedName | packages.NeedTypes | packages.NeedSyntax | packages.NeedImports,
+		Overlay: map[string][]byte{outPath: stub},
+	}
+
+	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
+	if err != nil {
+		return fmt.Errorf("load driver package: %w", err)
+	}
+
+	repoPkgPath := parentPkg(*driverPkg)
+	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
+	if err != nil {
+		return fmt.Errorf("load repo package: %w", err)
+	}
+
+	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
+		return fmt.Errorf("struct shape mismatch: %w", err)
+	}
+	if err := validateStoreCoverage(driverTypePkg, repoTypePkg); err != nil {
+		return err
+	}
+
+	methods, err := collectMethods(driverTypePkg)
+	if err != nil {
+		return err
+	}
+
+	src, err := render(tmplData{
+		PkgName: driverTypePkg.Name(),
+		RepoPkg: repoPkgPath,
+		Methods: renderMethods(methods),
+	})
+	if err != nil {
+		return fmt.Errorf("render: %w", err)
+	}
+
+	if err := os.WriteFile(outPath, src, 0644); err != nil {
+		return fmt.Errorf("write %s: %w", outPath, err)
+	}
+	fmt.Printf("wrote %s\n", outPath)
+	return nil
+}
+
+// loadOnePkg loads a single package via cfg and returns its *types.Package,
+// or an error if the package fails to load or has type errors.
+func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
+	pkgs, err := packages.Load(cfg, importPath)
+	if err != nil {
+		return nil, fmt.Errorf("load %s: %w", importPath, err)
+	}
+	if len(pkgs) != 1 {
+		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
+	}
+	pkg := pkgs[0]
+	if len(pkg.Errors) > 0 {
+		msgs := make([]string, len(pkg.Errors))
+		for i, e := range pkg.Errors {
+			msgs[i] = e.Error()
+		}
+		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
+	}
+	return pkg.Types, nil
+}
+
+// parentPkg returns the parent import path (everything before the last /).
+// Panics if imp contains no slash — callers are expected to pass driver sub-packages.
+func parentPkg(imp string) string {
+	i := strings.LastIndex(imp, "/")
+	if i < 0 {
+		panic(fmt.Sprintf("parentPkg: import path %q has no parent", imp))
+	}
+	return imp[:i]
+}
+
+// pkgDir returns the on-disk directory for an import path using `go list`.
+func pkgDir(importPath string) (string, error) {
+	out, err := exec.Command("go", "list", "-f", "{{.Dir}}", importPath).Output()
+	if err != nil {
+		return "", fmt.Errorf("go list %s: %w", importPath, err)
+	}
+	return strings.TrimSpace(string(out)), nil
+}
+
+// scopeStructs returns all named struct types in pkg, excluding the internal
+// sqlc types Queries, DBTX, and Store. Names are returned in sorted order.
+func scopeStructs(pkg *types.Package) (names []string, byName map[string]*types.Struct) {
+	byName = make(map[string]*types.Struct)
+	for _, name := range pkg.Scope().Names() { // Names() is already sorted
+		switch name {
+		case "Queries", "DBTX", "Store":
+			continue
+		}
+		obj, ok := pkg.Scope().Lookup(name).(*types.TypeName)
+		if !ok {
+			continue
+		}
+		named, ok := obj.Type().(*types.Named)
+		if !ok {
+			continue
+		}
+		s, ok := named.Underlying().(*types.Struct)
+		if !ok {
+			continue
+		}
+		names = append(names, name)
+		byName[name] = s
+	}
+	return
+}
+
+// validateStoreCoverage checks that every method declared in repository.Store
+// exists on *Queries in the driver package. Missing methods are reported by
+// name so the developer knows exactly which SQL queries need to be added.
+func validateStoreCoverage(driverPkg, repoPkg *types.Package) error {
+	queriesObj := driverPkg.Scope().Lookup("Queries")
+	if queriesObj == nil {
+		return fmt.Errorf("queries type not found in driver package")
+	}
+	queriesNamed := queriesObj.Type().(*types.Named)
+	queriesMS := types.NewMethodSet(types.NewPointer(queriesNamed))
+	queriesMethods := make(map[string]bool)
+	for m := range queriesMS.Methods() {
+		queriesMethods[m.Obj().Name()] = true
+	}
+
+	storeObj := repoPkg.Scope().Lookup("Store")
+	if storeObj == nil {
+		return fmt.Errorf("store type not found in repository package")
+	}
+	storeIface, ok := storeObj.Type().Underlying().(*types.Interface)
+	if !ok {
+		return fmt.Errorf("repository.Store is not an interface")
+	}
+
+	var missing []string
+	for method := range storeIface.Methods() {
+		if name := method.Name(); !queriesMethods[name] {
+			missing = append(missing, name)
+		}
+	}
+	if len(missing) > 0 {
+		sort.Strings(missing)
+		return fmt.Errorf(
+			"driver *Queries is missing %d method(s) required by repository.Store:\n  - %s\n\nRun sqlc generate to regenerate query methods, or add the missing SQL queries",
+			len(missing), strings.Join(missing, "\n  - "),
+		)
+	}
+	return nil
+}
+
+// validateStructShapes checks that every model/params struct in the driver
+// package has fields that exactly match the corresponding type in the repo
+// (parent) package. This catches drift between sqlc-generated types and the
+// canonical repository types before a broken cast reaches the compiler.
+func validateStructShapes(driverPkg, repoPkg *types.Package) error {
+	_, repoStructs := scopeStructs(repoPkg)
+	driverNames, driverStructs := scopeStructs(driverPkg)
+
+	var errs []string
+	for _, name := range driverNames {
+		repoStruct, ok := repoStructs[name]
+		if !ok {
+			// Driver has a type not in repo — fine (e.g. internal helpers).
+			continue
+		}
+		if err := compareStructs(name, driverStructs[name], repoStruct); err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+	if len(errs) > 0 {
+		sort.Strings(errs)
+		return fmt.Errorf("%s", strings.Join(errs, "\n  "))
+	}
+	return nil
+}
+
+func compareStructs(name string, driver, repo *types.Struct) error {
+	if driver.NumFields() != repo.NumFields() {
+		return fmt.Errorf("%s: field count mismatch (driver=%d, repo=%d)",
+			name, driver.NumFields(), repo.NumFields())
+	}
+	for i := range driver.NumFields() {
+		df := driver.Field(i)
+		rf := repo.Field(i)
+		if df.Name() != rf.Name() {
+			return fmt.Errorf("%s: field %d name mismatch (driver=%q, repo=%q)",
+				name, i, df.Name(), rf.Name())
+		}
+		if !types.Identical(df.Type(), rf.Type()) {
+			return fmt.Errorf("%s.%s: type mismatch (driver=%s, repo=%s)",
+				name, df.Name(), df.Type(), rf.Type())
+		}
+	}
+	return nil
+}
+
+type methodInfo struct {
+	Name    string
+	Params  []paramInfo
+	Results []resultInfo
+}
+
+type paramInfo struct {
+	Name     string
+	TypeStr  string // local (unqualified) type name
+	RepoType string // "repository.X" if this is a driver model/params type; else ""
+}
+
+type resultInfo struct {
+	TypeStr  string
+	IsSlice  bool
+	RepoType string // "repository.X" if driver type; else ""
+}
+
+func collectMethods(pkg *types.Package) ([]methodInfo, error) {
+	obj := pkg.Scope().Lookup("Queries")
+	if obj == nil {
+		return nil, fmt.Errorf("queries type not found in %s", pkg.Path())
+	}
+	named, ok := obj.Type().(*types.Named)
+	if !ok {
+		return nil, fmt.Errorf("queries is not a named type")
+	}
+	ms := types.NewMethodSet(types.NewPointer(named))
+
+	var out []methodInfo
+	for method := range ms.Methods() {
+		fn, ok := method.Obj().(*types.Func)
+		if !ok || fn.Name() == "WithTx" {
+			continue
+		}
+		sig := fn.Type().(*types.Signature)
+		mi := methodInfo{Name: fn.Name()}
+
+		// params: skip receiver + first (context.Context)
+		for i := 1; i < sig.Params().Len(); i++ {
+			p := sig.Params().At(i)
+			mi.Params = append(mi.Params, makeParam(p.Name(), p.Type(), pkg.Path()))
+		}
+		// results: skip error
+		for r := range sig.Results().Variables() {
+			if r.Type().String() == "error" {
+				continue
+			}
+			mi.Results = append(mi.Results, makeResult(r.Type(), pkg.Path()))
+		}
+		out = append(out, mi)
+	}
+	return out, nil
+}
+
+func makeParam(name string, t types.Type, driverPath string) paramInfo {
+	return paramInfo{
+		Name:     name,
+		TypeStr:  localName(t, driverPath),
+		RepoType: repoName(t, driverPath),
+	}
+}
+
+func makeResult(t types.Type, driverPath string) resultInfo {
+	ri := resultInfo{}
+	if sl, ok := t.(*types.Slice); ok {
+		ri.IsSlice = true
+		t = sl.Elem()
+	}
+	ri.TypeStr = localName(t, driverPath)
+	ri.RepoType = repoName(t, driverPath)
+	return ri
+}
+
+func localName(t types.Type, driverPath string) string {
+	named, ok := t.(*types.Named)
+	if !ok {
+		return types.TypeString(t, nil)
+	}
+	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
+		return named.Obj().Name()
+	}
+	return types.TypeString(t, func(p *types.Package) string { return p.Name() })
+}
+
+func repoName(t types.Type, driverPath string) string {
+	named, ok := t.(*types.Named)
+	if !ok {
+		return ""
+	}
+	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
+		return "repository." + named.Obj().Name()
+	}
+	return ""
+}
+
+// renderedMethod holds pre-built signature and body strings passed to the template.
+type renderedMethod struct {
+	Signature string
+	Body      string
+}
+
+func renderMethods(methods []methodInfo) []renderedMethod {
+	out := make([]renderedMethod, len(methods))
+	for i, m := range methods {
+		out[i] = renderedMethod{
+			Signature: buildSig(m),
+			Body:      buildBody(m),
+		}
+	}
+	return out
+}
+
+func buildSig(m methodInfo) string {
+	var sb strings.Builder
+	sb.WriteString("func (s *Store) ")
+	sb.WriteString(m.Name)
+	sb.WriteString("(ctx context.Context")
+	for _, p := range m.Params {
+		sb.WriteString(", ")
+		sb.WriteString(p.Name)
+		sb.WriteString(" ")
+		if p.RepoType != "" {
+			sb.WriteString(p.RepoType)
+		} else {
+			sb.WriteString(p.TypeStr)
+		}
+	}
+	sb.WriteString(") (")
+	for _, r := range m.Results {
+		if r.IsSlice {
+			sb.WriteString("[]")
+		}
+		if r.RepoType != "" {
+			sb.WriteString(r.RepoType)
+		} else {
+			sb.WriteString(r.TypeStr)
+		}
+		sb.WriteString(", ")
+	}
+	sb.WriteString("error)")
+	return sb.String()
+}
+
+func callArgs(m methodInfo) string {
+	args := make([]string, 0, len(m.Params))
+	for _, p := range m.Params {
+		if p.RepoType != "" {
+			// convert repo type → driver type: DriverType(arg)
+			args = append(args, p.TypeStr+"("+p.Name+")")
+		} else {
+			args = append(args, p.Name)
+		}
+	}
+	if len(args) == 0 {
+		return "ctx"
+	}
+	return "ctx, " + strings.Join(args, ", ")
+}
+
+var bodyTmpl = template.Must(template.New("store").Parse(storeSrc))
+
+type bodyData struct {
+	Call     string
+	RepoType string
+}
+
+func buildBody(m methodInfo) string {
+	call := "s.q." + m.Name + "(" + callArgs(m) + ")"
+
+	var (
+		name string
+		data bodyData
+	)
+
+	switch {
+	case len(m.Results) == 0 || m.Results[0].RepoType == "":
+		name = "void"
+		data = bodyData{Call: call}
+	case m.Results[0].IsSlice:
+		name = "slice"
+		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
+	default:
+		name = "scalar"
+		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
+	}
+
+	var buf bytes.Buffer
+	if err := bodyTmpl.ExecuteTemplate(&buf, name, data); err != nil {
+		panic(fmt.Sprintf("buildBody %s: %v", name, err))
+	}
+	return buf.String()
+}
+
+type tmplData struct {
+	PkgName string
+	RepoPkg string
+	Methods []renderedMethod
+}
+
+func render(data tmplData) ([]byte, error) {
+	var buf bytes.Buffer
+	if err := bodyTmpl.Execute(&buf, data); err != nil {
+		return nil, fmt.Errorf("execute template: %w", err)
+	}
+
+	formatted, err := format.Source(buf.Bytes())
+	if err != nil {
+		return buf.Bytes(), fmt.Errorf("format source: %w\nraw:\n%s", err, buf.String())
+	}
+	return formatted, nil
+}

gen/sqlc-wrapper/store.tmpl

@@ -0,0 +1,59 @@
+// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
+package {{.PkgName}}
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+
+	"{{.RepoPkg}}"
+)
+
+// Store wraps *Queries and implements repository.Store.
+type Store struct {
+	q *Queries
+}
+
+// NewStore wraps a *Queries to satisfy repository.Store.
+func NewStore(q *Queries) repository.Store {
+	return &Store{q: q}
+}
+
+var errorMap = map[error]error{
+	sql.ErrNoRows: repository.ErrNotFound,
+}
+
+func mapErr(err error) error {
+	for from, to := range errorMap {
+		if errors.Is(err, from) {
+			return to
+		}
+	}
+	return err
+}
+
+{{range .Methods}}{{.Signature}} {
+{{.Body}}}
+
+{{end}}
+
+{{- define "void"}}	return mapErr({{.Call}})
+{{end}}
+
+{{- define "scalar"}}	r, err := {{.Call}}
+	if err != nil {
+		return {{.RepoType}}{}, mapErr(err)
+	}
+	return {{.RepoType}}(r), nil
+{{end}}
+
+{{- define "slice"}}	rows, err := {{.Call}}
+	if err != nil {
+		return nil, mapErr(err)
+	}
+	out := make([]{{.RepoType}}, len(rows))
+	for i, row := range rows {
+		out[i] = {{.RepoType}}(row)
+	}
+	return out, nil
+{{end}}

go.mod

@@ -19,10 +19,11 @@ require (
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.50.0
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.36.0
-	gotest.tools/v3 v3.5.2
-	modernc.org/sqlite v1.49.1
+	golang.org/x/tools v0.43.0
+	k8s.io/apimachinery v0.36.0
+	k8s.io/client-go v0.36.0
+	modernc.org/sqlite v1.50.0
 )
 
 require (
@@ -63,6 +64,7 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
@@ -73,7 +75,6 @@ require (
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
@@ -90,8 +91,9 @@ require (
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
@@ -106,6 +108,7 @@ require (
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
@@ -116,16 +119,29 @@ require (
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/arch v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.5.2 // indirect
+	k8s.io/klog/v2 v2.140.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
+	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	modernc.org/libc v1.72.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )

go.sum

@@ -97,10 +97,14 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
+github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
@@ -118,6 +122,12 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -132,6 +142,8 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
+github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
+github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -162,6 +174,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
@@ -176,6 +190,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
 github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -203,12 +219,15 @@ github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFL
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -242,9 +261,12 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -261,6 +283,8 @@ github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
 github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
@@ -287,6 +311,10 @@ go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpu
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
@@ -308,8 +336,8 @@ golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
 golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
 golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
@@ -319,16 +347,32 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
 google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
+google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
+k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
+k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
+k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
+k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
+k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
+k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
+k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
+k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
+k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
 modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
 modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
@@ -351,11 +395,19 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U=
-modernc.org/sqlite v1.49.1/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
+modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
 rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

internal/assets/assets.go

@@ -11,5 +11,5 @@ var FrontendAssets embed.FS
 
 // Migrations
 //
-//go:embed migrations/*.sql
+//go:embed migrations/sqlite/*.sql
 var Migrations embed.FS

internal/bootstrap/app_bootstrap.go

@@ -3,156 +3,197 @@ package bootstrap
 import (
 	"bytes"
 	"context"
+	"database/sql"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
+	"os/signal"
 	"sort"
 	"strings"
+	"sync"
+	"syscall"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/gin-gonic/gin"
+
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-type BootstrapApp struct {
-	config  config.Config
-	context struct {
-		appUrl                 string
-		uuid                   string
-		cookieDomain           string
-		sessionCookieName      string
-		csrfCookieName         string
-		redirectCookieName     string
-		oauthSessionCookieName string
-		users                  []config.User
-		oauthProviders         map[string]config.OAuthServiceConfig
-		configuredProviders    []controller.Provider
-		oidcClients            []config.OIDCClientConfig
-	}
-	services Services
+type Services struct {
+	accessControlService *service.AccessControlsService
+	authService          *service.AuthService
+	dockerService        *service.DockerService
+	kubernetesService    *service.KubernetesService
+	ldapService          *service.LdapService
+	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
 }
 
-func NewBootstrapApp(config config.Config) *BootstrapApp {
+type BootstrapApp struct {
+	config   model.Config
+	runtime  model.RuntimeConfig
+	services Services
+	log      *logger.Logger
+	ctx      context.Context
+	cancel   context.CancelFunc
+	queries  repository.Store
+	router   *gin.Engine
+	db       *sql.DB
+	wg       sync.WaitGroup
+}
+
+func NewBootstrapApp(config model.Config) *BootstrapApp {
 	return &BootstrapApp{
 		config: config,
 	}
 }
 
 func (app *BootstrapApp) Setup() error {
+	// create context
+	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	app.ctx = ctx
+	app.cancel = cancel
+
+	// setup logger
+	log := logger.NewLogger().WithConfig(app.config.Log)
+	log.Init()
+	app.log = log
+
 	// get app url
 	if app.config.AppURL == "" {
-		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
+		return errors.New("app url cannot be empty, perhaps config loading failed")
 	}
 
 	appUrl, err := url.Parse(app.config.AppURL)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to parse app url: %w", err)
 	}
 
-	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
+	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
-		return fmt.Errorf("session max lifetime cannot be less than session expiry")
+		return errors.New("session max lifetime cannot be less than session expiry")
 	}
 
-	// Parse users
+	// parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to load users: %w", err)
 	}
 
-	app.context.users = users
+	app.runtime.LocalUsers = *users
 
-	// Setup OAuth providers
-	app.context.oauthProviders = app.config.OAuth.Providers
+	// load oauth whitelist
+	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
 
-	for name, provider := range app.context.oauthProviders {
+	if err != nil {
+		return fmt.Errorf("failed to load oauth whitelist: %w", err)
+	}
+
+	app.runtime.OAuthWhitelist = oauthWhitelist
+
+	// setup oauth providers
+	app.runtime.OAuthProviders = app.config.OAuth.Providers
+
+	for id, provider := range app.runtime.OAuthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 
 		if provider.RedirectURL == "" {
-			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
+			provider.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + id
 		}
 
-		app.context.oauthProviders[name] = provider
+		app.runtime.OAuthProviders[id] = provider
 	}
 
-	for id, provider := range app.context.oauthProviders {
+	// set presets for built-in providers
+	for id, provider := range app.runtime.OAuthProviders {
 		if provider.Name == "" {
-			if name, ok := config.OverrideProviders[id]; ok {
+			if name, ok := model.OverrideProviders[id]; ok {
 				provider.Name = name
 			} else {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
-		app.context.oauthProviders[id] = provider
+		app.runtime.OAuthProviders[id] = provider
 	}
 
-	// Setup OIDC clients
+	// setup oidc clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
-		app.context.oidcClients = append(app.context.oidcClients, client)
+		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
 	}
 
-	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
+	// cookie domain
+	cookieDomainResolver := utils.GetCookieDomain
+
+	if !app.config.Auth.SubdomainsEnabled {
+		app.log.App.Warn().Msg("Subdomains are disabled, using standalone cookie domain resolver which will not work with subdomains")
+		cookieDomainResolver = utils.GetStandaloneCookieDomain
+	}
+
+	cookieDomain, err := cookieDomainResolver(app.runtime.AppURL)
 
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to get cookie domain: %w", err)
 	}
 
-	app.context.cookieDomain = cookieDomain
+	app.runtime.CookieDomain = cookieDomain
 
-	// Cookie names
-	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
-	cookieId := strings.Split(app.context.uuid, "-")[0]
-	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
-	app.context.csrfCookieName = fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
-	app.context.redirectCookieName = fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
-	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", config.OAuthSessionCookieName, cookieId)
+	// cookie names
+	app.runtime.UUID = utils.GenerateUUID(appUrl.Hostname())
 
-	// Dumps
-	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
-	tlog.App.Trace().Interface("users", app.context.users).Msg("Users dump")
-	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
-	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
-	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
-	tlog.App.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
-	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
+	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
-	// Database
-	db, err := app.SetupDatabase(app.config.Database.Path)
+	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
+	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+
+	// database
+	store, err := app.SetupStore()
 
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 
-	// Queries
-	queries := repository.New(db)
+	// after this point, we start initializing dependencies so it's a good time to setup a defer
+	// to ensure that resources are cleaned up properly in case of an error during initialization
+	defer func() {
+		app.cancel()
+		app.wg.Wait()
+		if app.db != nil {
+			app.db.Close()
+		}
+	}()
 
-	// Services
-	services, err := app.initServices(queries)
+	// store
+	app.queries = store
+
+	// services
+	err = app.setupServices()
 
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 
-	app.services = services
+	// configured providers
+	configuredProviders := make([]model.Provider, 0)
 
-	// Configured providers
-	configuredProviders := make([]controller.Provider, 0)
-
-	for id, provider := range app.context.oauthProviders {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	for id, provider := range app.runtime.OAuthProviders {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  provider.Name,
 			ID:    id,
 			OAuth: true,
@@ -163,70 +204,171 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
 
-	if services.authService.LocalAuthConfigured() {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	if app.services.authService.LocalAuthConfigured() {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "Local",
 			ID:    "local",
 			OAuth: false,
 		})
 	}
 
-	if services.authService.LdapAuthConfigured() {
-		configuredProviders = append(configuredProviders, controller.Provider{
+	if app.services.authService.LDAPAuthConfigured() {
+		configuredProviders = append(configuredProviders, model.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
 			OAuth: false,
 		})
 	}
 
-	tlog.App.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
-
 	if len(configuredProviders) == 0 {
-		return fmt.Errorf("no authentication providers configured")
+		return errors.New("no authentication providers configured")
 	}
 
-	app.context.configuredProviders = configuredProviders
+	for _, provider := range configuredProviders {
+		app.log.App.Debug().Str("provider", provider.Name).Msg("Configured authentication provider")
+	}
 
-	// Setup router
-	router, err := app.setupRouter()
+	app.runtime.ConfiguredProviders = configuredProviders
+
+	// setup router
+	err = app.setupRouter()
 
 	if err != nil {
 		return fmt.Errorf("failed to setup routes: %w", err)
 	}
 
-	// Start db cleanup routine
-	tlog.App.Debug().Msg("Starting database cleanup routine")
-	go app.dbCleanupRoutine(queries)
+	// start db cleanup routine
+	app.log.App.Debug().Msg("Starting database cleanup routine")
+	app.wg.Go(app.dbCleanupRoutine)
 
-	// If analytics are not disabled, start heartbeat
+	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
-		tlog.App.Debug().Msg("Starting heartbeat routine")
-		go app.heartbeatRoutine()
+		app.log.App.Debug().Msg("Starting heartbeat routine")
+		app.wg.Go(app.heartbeatRoutine)
 	}
 
-	// If we have an socket path, bind to it
-	if app.config.Server.SocketPath != "" {
-		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
-			tlog.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-			err := os.Remove(app.config.Server.SocketPath)
+	// create err channel to listen for server errors
+	errChanLen := 0
+
+	runUnix := app.config.Server.SocketPath != ""
+	runHTTP := app.config.Server.SocketPath == "" || app.config.Server.ConcurrentListenersEnabled
+
+	if runUnix {
+		errChanLen++
+	}
+
+	if runHTTP {
+		errChanLen++
+	}
+
+	errChan := make(chan error, errChanLen)
+
+	if app.config.Server.ConcurrentListenersEnabled {
+		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
+	}
+
+	// serve unix
+	if runUnix {
+		app.wg.Go(func() {
+			if err := app.serveUnix(); err != nil {
+				errChan <- err
+			}
+		})
+	}
+
+	// serve to http
+	if runHTTP {
+		app.wg.Go(func() {
+			if err := app.serveHTTP(); err != nil {
+				errChan <- err
+			}
+		})
+	}
+
+	// monitor cancellation and server errors
+	for {
+		select {
+		case <-app.ctx.Done():
+			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
+			return nil
+		case err := <-errChan:
 			if err != nil {
-				return fmt.Errorf("failed to remove existing socket file: %w", err)
+				return fmt.Errorf("server error: %w", err)
+			}
+		}
 	}
 }
 
-		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
-			tlog.App.Fatal().Err(err).Msg("Failed to start server")
+func (app *BootstrapApp) serveHTTP() error {
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
+
+	app.log.App.Info().Msgf("Starting server on %s", address)
+
+	server := &http.Server{
+		Addr:    address,
+		Handler: app.router.Handler(),
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msg("Shutting down http listener")
+		server.Shutdown(app.ctx)
+	}()
+
+	err := server.ListenAndServe()
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		return fmt.Errorf("failed to start http listener: %w", err)
 	}
 
 	return nil
 }
 
-	// Start server
-	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
-	tlog.App.Info().Msgf("Starting server on %s", address)
-	if err := router.Run(address); err != nil {
-		tlog.App.Fatal().Err(err).Msg("Failed to start server")
+func (app *BootstrapApp) serveUnix() error {
+	if app.config.Server.SocketPath == "" {
+		return nil
+	}
+
+	_, err := os.Stat(app.config.Server.SocketPath)
+
+	if err == nil {
+		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
+		err := os.Remove(app.config.Server.SocketPath)
+
+		if err != nil {
+			return fmt.Errorf("failed to remove existing socket file: %w", err)
+		}
+	}
+
+	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+
+	listener, err := net.Listen("unix", app.config.Server.SocketPath)
+
+	if err != nil {
+		return fmt.Errorf("failed to create unix socket listener: %w", err)
+	}
+
+	server := &http.Server{
+		Handler: app.router.Handler(),
+	}
+
+	shutdown := func() {
+		server.Shutdown(app.ctx)
+		listener.Close()
+		os.Remove(app.config.Server.SocketPath)
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msg("Shutting down unix socket listener")
+		shutdown()
+	}()
+
+	err = server.Serve(listener)
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		shutdown()
+		return fmt.Errorf("failed to start unix socket listener: %w", err)
 	}
 
 	return nil
@@ -236,20 +378,20 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
 
-	type heartbeat struct {
+	type Heartbeat struct {
 		UUID    string `json:"uuid"`
 		Version string `json:"version"`
 	}
 
-	var body heartbeat
+	var body Heartbeat
 
-	body.UUID = app.context.uuid
-	body.Version = config.Version
+	body.UUID = app.runtime.UUID
+	body.Version = model.Version
 
 	bodyJson, err := json.Marshal(body)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to marshal heartbeat body")
+		app.log.App.Error().Err(err).Msg("Failed to marshal heartbeat body, heartbeat routine will not start")
 		return
 	}
 
@@ -257,15 +399,17 @@ func (app *BootstrapApp) heartbeatRoutine() {
 		Timeout: 30 * time.Second, // The server should never take more than 30 seconds to respond
 	}
 
-	heartbeatURL := config.ApiServer + "/v1/instances/heartbeat"
+	heartbeatURL := model.APIServer + "/v1/instances/heartbeat"
 
-	for range ticker.C {
-		tlog.App.Debug().Msg("Sending heartbeat")
+	for {
+		select {
+		case <-ticker.C:
+			app.log.App.Debug().Msg("Sending heartbeat")
 
 			req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
 
 			if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to create heartbeat request")
+				app.log.App.Error().Err(err).Msg("Failed to create heartbeat request")
 				continue
 			}
 
@@ -274,28 +418,43 @@ func (app *BootstrapApp) heartbeatRoutine() {
 			res, err := client.Do(req)
 
 			if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to send heartbeat")
+				app.log.App.Error().Err(err).Msg("Failed to send heartbeat")
 				continue
 			}
 
 			res.Body.Close()
 
 			if res.StatusCode != 200 && res.StatusCode != 201 {
-			tlog.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
+				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
+			}
+		case <-app.ctx.Done():
+			app.log.App.Debug().Msg("Stopping heartbeat routine")
+			ticker.Stop()
+			return
 		}
 	}
 }
 
-func (app *BootstrapApp) dbCleanupRoutine(queries *repository.Queries) {
+func (app *BootstrapApp) dbCleanupRoutine() {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
-	ctx := context.Background()
 
-	for range ticker.C {
-		tlog.App.Debug().Msg("Cleaning up old database sessions")
-		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
+	for {
+		select {
+		case <-ticker.C:
+			app.log.App.Debug().Msg("Running database cleanup")
+
+			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
+
 			if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to clean up old database sessions")
+				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
+			}
+
+			app.log.App.Debug().Msg("Database cleanup completed")
+		case <-app.ctx.Done():
+			app.log.App.Debug().Msg("Stopping database cleanup routine")
+			ticker.Stop()
+			return
 		}
 	}
 }

internal/bootstrap/db_bootstrap.go

@@ -7,6 +7,9 @@ import (
 	"path/filepath"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
 
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
@@ -14,7 +17,18 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
+func (app *BootstrapApp) SetupStore() (repository.Store, error) {
+	switch app.config.Database.Driver {
+	case "memory":
+		return memory.New(), nil
+	case "sqlite", "":
+		return app.setupSQLite(app.config.Database.Path)
+	default:
+		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, memory", app.config.Database.Driver)
+	}
+}
+
+func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, error) {
 	dir := filepath.Dir(databasePath)
 
 	if err := os.MkdirAll(dir, 0750); err != nil {
@@ -27,11 +41,18 @@ func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 
+	// Close the database if there is an error during migration
+	defer func() {
+		if err != nil {
+			db.Close()
+		}
+	}()
+
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
 
-	migrations, err := iofs.New(assets.Migrations, "migrations")
+	migrations, err := iofs.New(assets.Migrations, "migrations/sqlite")
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
@@ -53,5 +74,7 @@ func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 
-	return db, nil
+	app.db = db
+
+	return sqlite.NewStore(sqlite.New(db)), nil
 }

internal/bootstrap/router_bootstrap.go

@@ -2,21 +2,16 @@ package bootstrap
 
 import (
 	"fmt"
-	"slices"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 
 	"github.com/gin-gonic/gin"
 )
 
-var DEV_MODES = []string{"main", "test", "development"}
-
-func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
-	if !slices.Contains(DEV_MODES, config.Version) {
+func (app *BootstrapApp) setupRouter() error {
+	// we don't want gin debug mode
 	gin.SetMode(gin.ReleaseMode)
-	}
 
 	engine := gin.New()
 	engine.Use(gin.Recovery())
@@ -25,98 +20,36 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
 
 		if err != nil {
-			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
+			return fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}
 
-	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		CookieDomain: app.context.cookieDomain,
-	}, app.services.authService, app.services.oauthBrokerService)
-
-	err := contextMiddleware.Init()
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
-	}
-
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService)
 	engine.Use(contextMiddleware.Middleware())
 
-	uiMiddleware := middleware.NewUIMiddleware()
-
-	err = uiMiddleware.Init()
+	uiMiddleware, err := middleware.NewUIMiddleware()
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
+		return fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
 
 	engine.Use(uiMiddleware.Middleware())
 
-	zerologMiddleware := middleware.NewZerologMiddleware()
-
-	err = zerologMiddleware.Init()
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
-	}
+	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
 
 	engine.Use(zerologMiddleware.Middleware())
 
 	apiRouter := engine.Group("/api")
 
-	contextController := controller.NewContextController(controller.ContextControllerConfig{
-		Providers:             app.context.configuredProviders,
-		Title:                 app.config.UI.Title,
-		AppURL:                app.config.AppURL,
-		CookieDomain:          app.context.cookieDomain,
-		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
-		BackgroundImage:       app.config.UI.BackgroundImage,
-		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		WarningsEnabled:       app.config.UI.WarningsEnabled,
-	}, apiRouter)
+	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
+	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService)
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
+	controller.NewResourcesController(app.config, &engine.RouterGroup)
+	controller.NewHealthController(apiRouter)
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
 
-	contextController.SetupRoutes()
-
-	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
-		AppURL:                 app.config.AppURL,
-		SecureCookie:           app.config.Auth.SecureCookie,
-		CSRFCookieName:         app.context.csrfCookieName,
-		RedirectCookieName:     app.context.redirectCookieName,
-		CookieDomain:           app.context.cookieDomain,
-		OAuthSessionCookieName: app.context.oauthSessionCookieName,
-	}, apiRouter, app.services.authService)
-
-	oauthController.SetupRoutes()
-
-	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, app.services.oidcService, apiRouter)
-
-	oidcController.SetupRoutes()
-
-	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: app.config.AppURL,
-	}, apiRouter, app.services.accessControlService, app.services.authService)
-
-	proxyController.SetupRoutes()
-
-	userController := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain: app.context.cookieDomain,
-	}, apiRouter, app.services.authService)
-
-	userController.SetupRoutes()
-
-	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		Path:    app.config.Resources.Path,
-		Enabled: app.config.Resources.Enabled,
-	}, &engine.RouterGroup)
-
-	resourcesController.SetupRoutes()
-
-	healthController := controller.NewHealthController(apiRouter)
-
-	healthController.SetupRoutes()
-
-	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
-
-	wellknownController.SetupRoutes()
-
-	return engine, nil
+	app.router = engine
+	return nil
 }

internal/bootstrap/service_bootstrap.go

@@ -1,110 +1,66 @@
 package bootstrap
 
 import (
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"fmt"
+	"os"
+
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
-type Services struct {
-	accessControlService *service.AccessControlsService
-	authService          *service.AuthService
-	dockerService        *service.DockerService
-	ldapService          *service.LdapService
-	oauthBrokerService   *service.OAuthBrokerService
-	oidcService          *service.OIDCService
-}
-
-func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
-	services := Services{}
-
-	ldapService := service.NewLdapService(service.LdapServiceConfig{
-		Address:      app.config.Ldap.Address,
-		BindDN:       app.config.Ldap.BindDN,
-		BindPassword: app.config.Ldap.BindPassword,
-		BaseDN:       app.config.Ldap.BaseDN,
-		Insecure:     app.config.Ldap.Insecure,
-		SearchFilter: app.config.Ldap.SearchFilter,
-		AuthCert:     app.config.Ldap.AuthCert,
-		AuthKey:      app.config.Ldap.AuthKey,
-	})
-
-	err := ldapService.Init()
+func (app *BootstrapApp) setupServices() error {
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
-		ldapService.Unconfigure()
+		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}
 
-	services.ldapService = ldapService
+	app.services.ldapService = ldapService
 
-	dockerService := service.NewDockerService()
+	useKubernetes := app.config.LabelProvider == "kubernetes" ||
+		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
 
-	err = dockerService.Init()
+	var labelProvider service.LabelProvider
+
+	if useKubernetes {
+		app.log.App.Debug().Msg("Using Kubernetes label provider")
+
+		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
 
 		if err != nil {
-		return Services{}, err
+			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
 		}
 
-	services.dockerService = dockerService
+		app.services.kubernetesService = kubernetesService
+		labelProvider = kubernetesService
+	} else {
+		app.log.App.Debug().Msg("Using Docker label provider")
 
-	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
-
-	err = accessControlsService.Init()
+		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
 
 		if err != nil {
-		return Services{}, err
+			return fmt.Errorf("failed to initialize docker service: %w", err)
 		}
 
-	services.accessControlService = accessControlsService
+		app.services.dockerService = dockerService
+		labelProvider = dockerService
+	}
 
-	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
+	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	app.services.accessControlService = accessControlsService
 
-	err = oauthBrokerService.Init()
+	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
+	app.services.oauthBrokerService = oauthBrokerService
+
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService)
+	app.services.authService = authService
+
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
 
 	if err != nil {
-		return Services{}, err
+		return fmt.Errorf("failed to initialize oidc service: %w", err)
 	}
 
-	services.oauthBrokerService = oauthBrokerService
+	app.services.oidcService = oidcService
 
-	authService := service.NewAuthService(service.AuthServiceConfig{
-		Users:              app.context.users,
-		OauthWhitelist:     app.config.OAuth.Whitelist,
-		SessionExpiry:      app.config.Auth.SessionExpiry,
-		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
-		SecureCookie:       app.config.Auth.SecureCookie,
-		CookieDomain:       app.context.cookieDomain,
-		LoginTimeout:       app.config.Auth.LoginTimeout,
-		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
-		SessionCookieName:  app.context.sessionCookieName,
-		IP:                 app.config.Auth.IP,
-		LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
-	}, dockerService, services.ldapService, queries, services.oauthBrokerService)
-
-	err = authService.Init()
-
-	if err != nil {
-		return Services{}, err
-	}
-
-	services.authService = authService
-
-	oidcService := service.NewOIDCService(service.OIDCServiceConfig{
-		Clients:        app.config.OIDC.Clients,
-		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
-		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
-		Issuer:         app.config.AppURL,
-		SessionExpiry:  app.config.Auth.SessionExpiry,
-	}, queries)
-
-	err = oidcService.Init()
-
-	if err != nil {
-		return Services{}, err
-	}
-
-	services.oidcService = oidcService
-
-	return services, nil
+	return nil
 }

internal/controller/context_controller.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"net/url"
 
-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 )
@@ -19,14 +19,14 @@ type UserContextResponse struct {
 	Email       string `json:"email"`
 	Provider    string `json:"provider"`
 	OAuth       bool   `json:"oauth"`
-	TotpPending bool   `json:"totpPending"`
+	TOTPPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
 }
 
 type AppContextResponse struct {
 	Status                int              `json:"status"`
 	Message               string           `json:"message"`
-	Providers             []Provider `json:"providers"`
+	Providers             []model.Provider `json:"providers"`
 	Title                 string           `json:"title"`
 	AppURL                string           `json:"appUrl"`
 	CookieDomain          string           `json:"cookieDomain"`
@@ -36,77 +36,69 @@ type AppContextResponse struct {
 	WarningsEnabled       bool             `json:"warningsEnabled"`
 }
 
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
-}
-
-type ContextControllerConfig struct {
-	Providers             []Provider
-	Title                 string
-	AppURL                string
-	CookieDomain          string
-	ForgotPasswordMessage string
-	BackgroundImage       string
-	OAuthAutoRedirect     string
-	WarningsEnabled       bool
-}
-
 type ContextController struct {
-	config ContextControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
 }
 
-func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
-	if !config.WarningsEnabled {
-		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
-	}
-
-	return &ContextController{
+func NewContextController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+) *ContextController {
+	controller := &ContextController{
+		log:     log,
 		config:  config,
-		router: router,
-	}
+		runtime: runtimeConfig,
 	}
 
-func (controller *ContextController) SetupRoutes() {
-	contextGroup := controller.router.Group("/context")
+	if !config.UI.WarningsEnabled {
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+	}
+
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
+
+	return controller
 }
 
 func (controller *ContextController) userContextHandler(c *gin.Context) {
-	context, err := utils.GetContext(c)
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		c.JSON(200, UserContextResponse{
+			Status:     401,
+			Message:    "Unauthorized",
+			IsLoggedIn: false,
+		})
+		return
+	}
 
 	userContext := UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  context.IsLoggedIn,
-		Username:    context.Username,
-		Name:        context.Name,
-		Email:       context.Email,
-		Provider:    context.Provider,
-		OAuth:       context.OAuth,
-		TotpPending: context.TotpPending,
-		OAuthName:   context.OAuthName,
-	}
-
-	if err != nil {
-		tlog.App.Debug().Err(err).Msg("No user context found in request")
-		userContext.Status = 401
-		userContext.Message = "Unauthorized"
-		userContext.IsLoggedIn = false
-		c.JSON(200, userContext)
-		return
+		IsLoggedIn:  context.Authenticated,
+		Username:    context.GetUsername(),
+		Name:        context.GetName(),
+		Email:       context.GetEmail(),
+		Provider:    context.GetProviderID(),
+		OAuth:       context.IsOAuth(),
+		TOTPPending: context.TOTPPending(),
+		OAuthName:   context.OAuthName(),
 	}
 
 	c.JSON(200, userContext)
 }
 
 func (controller *ContextController) appContextHandler(c *gin.Context) {
-	appUrl, err := url.Parse(controller.config.AppURL)
+	appUrl, err := url.Parse(controller.runtime.AppURL)
+
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
+		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -117,13 +109,13 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controller.config.Providers,
-		Title:                 controller.config.Title,
+		Providers:             controller.runtime.ConfiguredProviders,
+		Title:                 controller.config.UI.Title,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.config.CookieDomain,
-		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
-		BackgroundImage:       controller.config.BackgroundImage,
-		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
-		WarningsEnabled:       controller.config.WarningsEnabled,
+		CookieDomain:          controller.runtime.CookieDomain,
+		ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
+		BackgroundImage:       controller.config.UI.BackgroundImage,
+		OAuthAutoRedirect:     controller.config.OAuth.AutoRedirect,
+		WarningsEnabled:       controller.config.UI.WarningsEnabled,
 	})
 }

internal/controller/context_controller_test.go

@@ -7,31 +7,20 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestContextController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	controllerConfig := controller.ContextControllerConfig{
-		Providers: []controller.Provider{
-			{
-				Name:  "Local",
-				ID:    "local",
-				OAuth: false,
-			},
-		},
-		Title:                 "Tinyauth",
-		AppURL:                "https://tinyauth.example.com",
-		CookieDomain:          "example.com",
-		ForgotPasswordMessage: "foo",
-		BackgroundImage:       "/background.jpg",
-		OAuthAutoRedirect:     "none",
-		WarningsEnabled:       true,
-	}
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	tests := []struct {
 		description string
@@ -47,17 +36,17 @@ func TestContextController(t *testing.T) {
 				expectedAppContextResponse := controller.AppContextResponse{
 					Status:                200,
 					Message:               "Success",
-					Providers:             controllerConfig.Providers,
-					Title:                 controllerConfig.Title,
-					AppURL:                controllerConfig.AppURL,
-					CookieDomain:          controllerConfig.CookieDomain,
-					ForgotPasswordMessage: controllerConfig.ForgotPasswordMessage,
-					BackgroundImage:       controllerConfig.BackgroundImage,
-					OAuthAutoRedirect:     controllerConfig.OAuthAutoRedirect,
-					WarningsEnabled:       controllerConfig.WarningsEnabled,
+					Providers:             runtime.ConfiguredProviders,
+					Title:                 cfg.UI.Title,
+					AppURL:                runtime.AppURL,
+					CookieDomain:          runtime.CookieDomain,
+					ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
+					BackgroundImage:       cfg.UI.BackgroundImage,
+					OAuthAutoRedirect:     cfg.OAuth.AutoRedirect,
+					WarningsEnabled:       cfg.UI.WarningsEnabled,
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -71,7 +60,7 @@ func TestContextController(t *testing.T) {
 					Message: "Unauthorized",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -79,12 +68,16 @@ func TestContextController(t *testing.T) {
 			description: "Ensure user context returns when authorized",
 			middlewares: []gin.HandlerFunc{
 				func(c *gin.Context) {
-					c.Set("context", &config.UserContext{
+					c.Set("context", &model.UserContext{
+						Authenticated: true,
+						Provider:      model.ProviderLocal,
+						Local: &model.LocalContext{
+							BaseContext: model.BaseContext{
 								Username: "johndoe",
 								Name:     "John Doe",
-						Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
-						Provider:   "local",
-						IsLoggedIn: true,
+								Email:    utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+							},
+						},
 					})
 				},
 			},
@@ -96,11 +89,11 @@ func TestContextController(t *testing.T) {
 					IsLoggedIn: true,
 					Username:   "johndoe",
 					Name:       "John Doe",
-					Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
+					Email:      utils.CompileUserEmail("johndoe", runtime.CookieDomain),
 					Provider:   "local",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -117,13 +110,12 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			contextController := controller.NewContextController(controllerConfig, group)
-			contextController.SetupRoutes()
+			controller.NewContextController(log, cfg, runtime, group)
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest("GET", test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/controller.go

@@ -0,0 +1,12 @@
+package controller
+
+type UnauthorizedQuery struct {
+	Username string `url:"username"`
+	Resource string `url:"resource"`
+	GroupErr bool   `url:"groupErr"`
+	IP       string `url:"ip"`
+}
+
+type RedirectQuery struct {
+	RedirectURI string `url:"redirect_uri"`
+}

internal/controller/health_controller.go

@@ -3,18 +3,15 @@ package controller
 import "github.com/gin-gonic/gin"
 
 type HealthController struct {
-	router *gin.RouterGroup
 }
 
 func NewHealthController(router *gin.RouterGroup) *HealthController {
-	return &HealthController{
-		router: router,
-	}
-}
+	controller := &HealthController{}
 
-func (controller *HealthController) SetupRoutes() {
-	controller.router.GET("/healthz", controller.healthHandler)
-	controller.router.HEAD("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
+
+	return controller
 }
 
 func (controller *HealthController) healthHandler(c *gin.Context) {

internal/controller/health_controller_test.go

@@ -7,13 +7,12 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 )
 
 func TestHealthController(t *testing.T) {
-	tlog.NewTestLogger().Init()
 	tests := []struct {
 		description string
 		path        string
@@ -30,7 +29,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -44,7 +43,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -56,13 +55,12 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			healthController := controller.NewHealthController(group)
-			healthController.SetupRoutes()
+			controller.NewHealthController(group)
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest(test.method, test.path, nil)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/oauth_controller.go

@@ -6,11 +6,11 @@ import (
 	"strings"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -20,33 +20,32 @@ type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }
 
-type OAuthControllerConfig struct {
-	CSRFCookieName         string
-	OAuthSessionCookieName string
-	RedirectCookieName     string
-	SecureCookie           bool
-	AppURL                 string
-	CookieDomain           string
-}
-
 type OAuthController struct {
-	config OAuthControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	config  model.Config
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
 
-func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *OAuthController {
-	return &OAuthController{
+func NewOAuthController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *OAuthController {
+	controller := &OAuthController{
+		log:     log,
 		config:  config,
-		router: router,
+		runtime: runtimeConfig,
 		auth:    auth,
 	}
-}
 
-func (controller *OAuthController) SetupRoutes() {
-	oauthGroup := controller.router.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
+
+	return controller
 }
 
 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
@@ -54,7 +53,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -67,7 +66,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err = c.BindQuery(&reqParams)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
+		controller.log.App.Error().Err(err).Msg("Failed to bind query parameters")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -76,10 +75,10 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 
 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
 
 		if !isRedirectSafe {
-			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
+			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
@@ -87,7 +86,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
+		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -98,7 +97,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	authUrl, err := controller.auth.GetOAuthURL(sessionId)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth URL")
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth URL for session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -106,7 +105,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -120,7 +119,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -128,21 +127,21 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	sessionIdCookie, err := c.Cookie(controller.config.OAuthSessionCookieName)
+	sessionIdCookie, err := c.Cookie(controller.runtime.OAuthSessionCookieName)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("OAuth session cookie missing")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get pending OAuth session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -150,8 +149,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	state := c.Query("state")
 	if state != oauthPendingSession.State {
-		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth state mismatch")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -159,68 +158,85 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to exchange code for token")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to exchange code for token")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	user, err := controller.auth.GetOAuthUserinfo(sessionIdCookie)
 
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	if user == nil {
+		controller.log.App.Warn().Msg("OAuth provider did not return user info")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
 	if user.Email == "" {
-		tlog.App.Error().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msg("OAuth provider did not return an email")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
-		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
+		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
+		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
 
-		queries, err := query.Values(config.UnauthorizedQuery{
+		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
 	var name string
 
 	if strings.TrimSpace(user.Name) != "" {
-		tlog.App.Debug().Msg("Using name from OAuth provider")
+		controller.log.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
-		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
+		parts := strings.SplitN(user.Email, "@", 2)
+		if len(parts) == 2 {
+			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
+		} else {
+			name = utils.Capitalize(user.Email)
+		}
 	}
 
 	var username string
 
 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
+		controller.log.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
+		controller.log.App.Debug().Msg("No preferred username from OAuth provider, generating from email")
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
 	if svc.ID() != req.Provider {
-		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
@@ -234,46 +250,48 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		OAuthSub:    user.Sub,
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+	controller.log.App.Debug().Msg("Creating session cookie for user")
 
-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 
-	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.AuditLoginSuccess(sessionCookie.Username, sessionCookie.Provider, c.ClientIP())
 
 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
+		controller.log.App.Debug().Msg("OIDC request detected, redirecting to authorization endpoint with callback params")
 		queries, err := query.Values(oauthPendingSession.CallbackParams)
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
-		queries, err := query.Values(config.RedirectQuery{
+		queries, err := query.Values(RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
+			controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.runtime.AppURL, queries.Encode()))
 		return
 	}
 
-	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
+	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
 }
 
 func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
@@ -282,3 +300,10 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
+
+func (controller *OAuthController) getCookieDomain() string {
+	if controller.config.Auth.SubdomainsEnabled {
+		return "." + controller.runtime.CookieDomain
+	}
+	return controller.runtime.CookieDomain
+}

internal/controller/oidc_controller.go

@@ -10,17 +10,16 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-type OIDCControllerConfig struct{}
-
 type OIDCController struct {
-	config OIDCControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
 	oidc    *service.OIDCService
+	runtime model.RuntimeConfig
 }
 
 type AuthorizeCallback struct {
@@ -57,29 +56,42 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 
-func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
-	return &OIDCController{
-		config: config,
+func NewOIDCController(
+	log *logger.Logger,
+	oidcService *service.OIDCService,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup) *OIDCController {
+	controller := &OIDCController{
+		log:     log,
 		oidc:    oidcService,
-		router: router,
-	}
+		runtime: runtimeConfig,
 	}
 
-func (controller *OIDCController) SetupRoutes() {
-	oidcGroup := controller.router.Group("/oidc")
+	oidcGroup := router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
+
+	return controller
 }
 
 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC not configured",
+		})
+		return
+	}
+
 	var req ClientRequest
 
 	err := c.BindUri(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind URI")
+		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -90,7 +102,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
@@ -106,19 +118,19 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) Authorize(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
+	if controller.oidc == nil {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
 
-	userContext, err := utils.GetContext(c)
+	userContext, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
 		return
 	}
 
-	if !userContext.IsLoggedIn {
+	if !userContext.Authenticated {
 		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
 		return
 	}
@@ -134,14 +146,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
 
 	err = controller.oidc.ValidateAuthorizeParams(req)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
+		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
@@ -151,7 +163,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	}
 
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
-	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
+	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
 	code := utils.GenerateString(32)
 
 	// Before storing the code, delete old session
@@ -170,10 +182,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
-		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
+		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
+			controller.log.App.Error().Err(err).Msg("Failed to store user info")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
@@ -196,10 +208,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }
 
 func (controller *OIDCController) Token(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -208,7 +220,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err := c.Bind(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind token request")
+		controller.log.App.Warn().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
@@ -217,7 +229,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
-		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
+		controller.log.App.Warn().Err(err).Msg("Invalid grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
@@ -232,12 +244,12 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
-		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
+		controller.log.App.Debug().Msg("Client credentials not found in form, trying basic auth")
 
 		clientId, clientSecret, ok := c.Request.BasicAuth()
 
 		if !ok {
-			tlog.App.Error().Msg("Missing authorization header")
+			controller.log.App.Warn().Msg("Client credentials not found in basic auth")
 			c.Header("www-authenticate", `Basic realm="Tinyauth OIDC Token Endpoint"`)
 			c.JSON(400, gin.H{
 				"error": "invalid_client",
@@ -254,7 +266,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(creds.ClientID)
 
 	if !ok {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -262,7 +274,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	}
 
 	if client.ClientSecret != creds.ClientSecret {
-		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
+		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -276,30 +288,30 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
-				tlog.App.Warn().Msg("Code not found")
+				controller.log.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
-				tlog.App.Warn().Msg("Code expired")
+				controller.log.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Warn().Msg("Invalid client ID")
+				controller.log.App.Warn().Msg("Code does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
-			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
+			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -307,7 +319,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		}
 
 		if entry.RedirectURI != req.RedirectURI {
-			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
+			controller.log.App.Warn().Msg("Redirect URI does not match")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -317,7 +329,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 
 		if !ok {
-			tlog.App.Warn().Msg("PKCE validation failed")
+			controller.log.App.Warn().Msg("PKCE validation failed")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -327,7 +339,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to generate access token")
+			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -340,7 +352,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
-				tlog.App.Error().Err(err).Msg("Refresh token expired")
+				controller.log.App.Warn().Msg("Refresh token expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
@@ -348,14 +360,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			}
 
 			if errors.Is(err, service.ErrInvalidClient) {
-				tlog.App.Error().Err(err).Msg("Invalid client")
+				controller.log.App.Warn().Msg("Refresh token does not belong to client")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 
-			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
+			controller.log.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -372,10 +384,10 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }
 
 func (controller *OIDCController) Userinfo(c *gin.Context) {
-	if !controller.oidc.IsConfigured() {
-		tlog.App.Warn().Msg("OIDC not configured")
-		c.JSON(404, gin.H{
-			"error": "not_found",
+	if controller.oidc == nil {
+		controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
+		c.JSON(500, gin.H{
+			"error": "server_error",
 		})
 		return
 	}
@@ -386,7 +398,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if authorization != "" {
 		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
 		if !ok {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid authorization header")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -394,7 +406,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 
 		if strings.ToLower(tokenType) != "bearer" {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with non-bearer token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -404,7 +416,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		token = bearerToken
 	} else if c.Request.Method == http.MethodPost {
 		if c.ContentType() != "application/x-www-form-urlencoded" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
 			c.JSON(400, gin.H{
 				"error": "invalid_request",
 			})
@@ -412,14 +424,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 		token = c.PostForm("access_token")
 		if token == "" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
+			controller.log.App.Warn().Msg("OIDC userinfo POST accessed without access_token")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
 			return
 		}
 	} else {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed without authorization header or POST body")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
@@ -429,15 +441,15 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
 
 	if err != nil {
-		if err == service.ErrTokenNotFound {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
+		if errors.Is(err, service.ErrTokenNotFound) {
+			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 
-		tlog.App.Err(err).Msg("Failed to get token entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get access token")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -446,7 +458,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
+		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
@@ -456,7 +468,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 
 	if err != nil {
-		tlog.App.Err(err).Msg("Failed to get user entry")
+		controller.log.App.Error().Err(err).Msg("Failed to get user info")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -467,7 +479,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
-	tlog.App.Error().Err(err).Msg(reason)
+	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
 
 	if callback != "" {
 		errorQueries := CallbackError{
@@ -507,8 +519,16 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		return
 	}
 
+	redirectUrl := ""
+
+	if controller.oidc != nil {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode())
+	} else {
+		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
+		"redirect_uri": redirectUrl,
 	})
 }

internal/controller/oidc_controller_test.go

@@ -1,55 +1,45 @@
 package controller_test
 
 import (
+	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"net/http/httptest"
 	"net/url"
-	"path"
 	"strings"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestOIDCController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]config.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
-
-	controllerCfg := controller.OIDCControllerConfig{}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
 					Username: "test",
 					Name:     "Test User",
 					Email:    "test@example.com",
-			IsLoggedIn: true,
-			Provider:   "local",
+				},
+			},
 		})
 		c.Next()
 	}
@@ -99,7 +89,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
 			},
@@ -119,7 +109,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -127,7 +117,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
 			},
@@ -147,7 +137,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -156,11 +146,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -179,7 +169,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -187,7 +177,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, res["error"], "unsupported_grant_type")
 			},
@@ -202,7 +192,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -240,7 +230,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -263,11 +253,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -279,7 +269,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -302,7 +292,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := tokenRes["refresh_token"]
 				assert.True(t, ok, "Expected refresh token in response")
@@ -316,7 +306,7 @@ func TestOIDCController(t *testing.T) {
 					ClientSecret: "some-client-secret",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -328,7 +318,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 				var refreshRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok = refreshRes["access_token"]
 				assert.True(t, ok, "Expected access token in refresh response")
@@ -349,11 +339,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -365,7 +355,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -385,7 +375,7 @@ func TestOIDCController(t *testing.T) {
 
 				var secondRes map[string]any
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
@@ -413,7 +403,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -425,7 +415,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -445,7 +435,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -460,7 +450,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -475,7 +465,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -490,7 +480,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
@@ -505,7 +495,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -520,7 +510,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -537,7 +527,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -551,7 +541,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -575,7 +565,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -584,11 +574,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -605,7 +595,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -636,7 +626,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -645,11 +635,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -666,7 +656,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -697,7 +687,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -706,11 +696,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -727,7 +717,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge-1",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -758,7 +748,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "foo",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -767,11 +757,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				error := queryParams.Get("error")
@@ -790,11 +780,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -806,7 +796,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -817,7 +807,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				accessToken := res["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -842,20 +832,17 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 401, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
 	}
 
-	app := bootstrap.NewBootstrapApp(config.Config{})
+	store := memory.New()
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	require.NoError(t, err)
+	wg := &sync.WaitGroup{}
 
-	queries := repository.New(db)
-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, context.TODO(), wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -869,17 +856,11 @@ func TestOIDCController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
-			oidcController.SetupRoutes()
+			controller.NewOIDCController(log, oidcService, runtime, group)
 
 			recorder := httptest.NewRecorder()
 
 			test.run(t, router, recorder)
 		})
 	}
-
-	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
-	})
 }

internal/controller/proxy_controller.go

@@ -8,10 +8,10 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -50,29 +50,31 @@ type ProxyContext struct {
 	ProxyType ProxyType
 }
 
-type ProxyControllerConfig struct {
-	AppURL string
-}
-
 type ProxyController struct {
-	config ProxyControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	runtime model.RuntimeConfig
 	acls    *service.AccessControlsService
 	auth    *service.AuthService
 }
 
-func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
-	return &ProxyController{
-		config: config,
-		router: router,
+func NewProxyController(
+	log *logger.Logger,
+	runtime model.RuntimeConfig,
+	router *gin.RouterGroup,
+	acls *service.AccessControlsService,
+	auth *service.AuthService,
+) *ProxyController {
+	controller := &ProxyController{
+		log:     log,
+		runtime: runtime,
 		acls:    acls,
 		auth:    auth,
 	}
-}
 
-func (controller *ProxyController) SetupRoutes() {
-	proxyGroup := controller.router.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
+
+	return controller
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -80,7 +82,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proxyCtx, err := controller.getProxyContext(c)
 
 	if err != nil {
-		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
+		controller.log.App.Error().Err(err).Msg("Failed to get proxy context from request")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad request",
@@ -88,22 +90,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
-
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to get ACLs for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
-	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
-
 	clientIP := c.ClientIP()
 
-	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
+	if controller.auth.IsBypassedIP(clientIP, acls) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -112,16 +110,16 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
+		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
 	if !authEnabled {
-		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
+		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -130,71 +128,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		queries, err := query.Values(config.UnauthorizedQuery{
+	if !controller.auth.CheckIP(clientIP, acls) {
+		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})
 
 		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			controller.handleError(c, proxyCtx)
 			return
 		}
 
-		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
-
-		if !controller.useBrowserResponse(proxyCtx) {
-			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
-				"status":  401,
-				"message": "Unauthorized",
-			})
-			return
-		}
-
-		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
-		return
-	}
-
-	var userContext config.UserContext
-
-	context, err := utils.GetContext(c)
-
-	if err != nil {
-		tlog.App.Debug().Msg("No user context found in request, treating as not logged in")
-		userContext = config.UserContext{
-			IsLoggedIn: false,
-		}
-	} else {
-		userContext = context
-	}
-
-	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
-
-	if userContext.IsLoggedIn {
-		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
-
-		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
-
-			queries, err := query.Values(config.UnauthorizedQuery{
-				Resource: strings.Split(proxyCtx.Host, ".")[0],
-			})
-
-			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-				controller.handleError(c, proxyCtx)
-				return
-			}
-
-			if userContext.OAuth {
-				queries.Set("username", userContext.Email)
-			} else {
-				queries.Set("username", userContext.Username)
-			}
-
-			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
 
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
@@ -209,36 +155,82 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-		if userContext.OAuth || userContext.Provider == "ldap" {
+	userContext, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		userContext = &model.UserContext{
+			Authenticated: false,
+		}
+	}
+
+	if userContext.Authenticated {
+		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+
+		if !userAllowed {
+			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
+
+			queries, err := query.Values(UnauthorizedQuery{
+				Resource: strings.Split(proxyCtx.Host, ".")[0],
+			})
+
+			if err != nil {
+				controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+				controller.handleError(c, proxyCtx)
+				return
+			}
+
+			if userContext.IsOAuth() {
+				queries.Set("username", userContext.GetEmail())
+			} else {
+				queries.Set("username", userContext.GetUsername())
+			}
+
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+
+			if !controller.useBrowserResponse(proxyCtx) {
+				c.Header("x-tinyauth-location", redirectURL)
+				c.JSON(403, gin.H{
+					"status":  403,
+					"message": "Forbidden",
+				})
+				return
+			}
+
+			c.Redirect(http.StatusTemporaryRedirect, redirectURL)
+			return
+		}
+
+		if userContext.IsOAuth() || userContext.IsLDAP() {
 			var groupOK bool
 
-			if userContext.OAuth {
-				groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+			if userContext.IsOAuth() {
+				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
 			} else {
-				groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
+				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
 			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not in the required group to access resource")
 
-				queries, err := query.Values(config.UnauthorizedQuery{
+				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
 				})
 
 				if err != nil {
-					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+					controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 					controller.handleError(c, proxyCtx)
 					return
 				}
 
-				if userContext.OAuth {
-					queries.Set("username", userContext.Email)
+				if userContext.IsOAuth() {
+					queries.Set("username", userContext.GetEmail())
 				} else {
-					queries.Set("username", userContext.Username)
+					queries.Set("username", userContext.GetUsername())
 				}
 
-				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
 
 				if !controller.useBrowserResponse(proxyCtx) {
 					c.Header("x-tinyauth-location", redirectURL)
@@ -254,17 +246,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 		}
 
-		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
-		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
-		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.GetUsername()))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.GetName()))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.GetEmail()))
 
-		if userContext.Provider == "ldap" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
-		} else if userContext.Provider != "local" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+		if userContext.IsLDAP() {
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.LDAP.Groups, ",")))
 		}
 
-		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
+		if userContext.IsOAuth() {
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.OAuth.Groups, ",")))
+			c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuth.Sub))
+		}
 
 		controller.setHeaders(c, acls)
 
@@ -275,17 +268,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	queries, err := query.Values(config.RedirectQuery{
+	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 	})
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+		controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
-	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.runtime.AppURL, queries.Encode())
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -299,26 +292,29 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 
-func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	c.Header("Authorization", c.Request.Header.Get("Authorization"))
 
+	if acls == nil {
+		return
+	}
+
 	headers := utils.ParseHeaders(acls.Response.Headers)
 
 	for key, value := range headers {
-		tlog.App.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}
 
 	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)
 
 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
-		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
-		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
+		controller.log.App.Debug().Msg("Setting basic auth header for response")
+		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }
 
 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
-	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)
+	redirectURL := fmt.Sprintf("%s/error", controller.runtime.AppURL)
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -519,7 +515,7 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}
 
-	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
+	controller.log.App.Debug().Msgf("Determined proxy type: %v", proxy)
 
 	authModules := controller.determineAuthModules(proxy)
 
@@ -530,13 +526,13 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	var ctx ProxyContext
 
 	for _, module := range authModules {
-		tlog.App.Debug().Msgf("Trying auth module: %v", module)
+		controller.log.App.Debug().Msgf("Trying to get context from auth module %v", module)
 		ctx, err = controller.getContextFromAuthModule(c, module)
 		if err == nil {
-			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
+			controller.log.App.Debug().Msgf("Successfully got context from auth module %v", module)
 			break
 		}
-		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
+		controller.log.App.Debug().Msgf("Failed to get context from auth module %v: %v", module, err)
 	}
 
 	if err != nil {
@@ -548,9 +544,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
 
 	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as coming from a browser")
+		controller.log.App.Debug().Msg("Request identified as coming from a browser client")
 	} else {
-		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
+		controller.log.App.Debug().Msg("Request identified as coming from a non-browser client")
 	}
 
 	ctx.IsBrowser = isBrowser

internal/controller/proxy_controller_test.go

@@ -1,70 +1,49 @@
 package controller_test
 
 import (
+	"context"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestProxyController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	authServiceCfg := service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
-				Username:   "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
-	controllerCfg := controller.ProxyControllerConfig{
-		AppURL: "https://tinyauth.example.com",
-	}
-
-	acls := map[string]config.App{
+	acls := map[string]model.App{
 		"app_path_allow": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "path-allow.example.com",
 			},
-			Path: config.AppPath{
+			Path: model.AppPath{
 				Allow: "/allowed",
 			},
 		},
 		"app_user_allow": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "user-allow.example.com",
 			},
-			Users: config.AppUsers{
+			Users: model.AppUsers{
 				Allow: "testuser",
 			},
 		},
 		"ip_bypass": {
-			Config: config.AppConfig{
+			Config: model.AppConfig{
 				Domain: "ip-bypass.example.com",
 			},
-			IP: config.AppIP{
+			IP: model.AppIP{
 				Bypass: []string{"10.10.10.10"},
 			},
 		},
@@ -74,24 +53,31 @@ func TestProxyController(t *testing.T) {
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
 					Username: "testuser",
 					Name:     "Testuser",
 					Email:    "testuser@example.com",
-			IsLoggedIn: true,
-			Provider:   "local",
+				},
+			},
 		})
 		c.Next()
 	}
 
 	simpleCtxTotp := func(c *gin.Context) {
-		c.Set("context", &config.UserContext{
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
 					Username: "totpuser",
 					Name:     "Totpuser",
 					Email:    "totpuser@example.com",
-			IsLoggedIn:  true,
-			Provider:    "local",
-			TotpEnabled: true,
+				},
+			},
 		})
 		c.Next()
 	}
@@ -391,32 +377,14 @@ func TestProxyController(t *testing.T) {
 		},
 	}
 
-	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
+	store := memory.New()
 
-	app := bootstrap.NewBootstrapApp(config.Config{})
+	wg := &sync.WaitGroup{}
+	ctx := context.TODO()
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	require.NoError(t, err)
-
-	queries := repository.New(db)
-
-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
-
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
-
-	aclsService := service.NewAccessControlsService(docker, acls)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
+	aclsService := service.NewAccessControlsService(log, nil, acls)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -431,15 +399,9 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
-			proxyController.SetupRoutes()
+			controller.NewProxyController(log, runtime, group, aclsService, authService)
 
 			test.run(t, router, recorder)
 		})
 	}
-
-	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
-	})
 }

internal/controller/resources_controller.go

@@ -4,42 +4,39 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
-type ResourcesControllerConfig struct {
-	Path    string
-	Enabled bool
-}
-
 type ResourcesController struct {
-	config     ResourcesControllerConfig
-	router     *gin.RouterGroup
+	config     model.Config
 	fileServer http.Handler
 }
 
-func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
+func NewResourcesController(
+	config model.Config,
+	router *gin.RouterGroup,
+) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
 
-	return &ResourcesController{
+	controller := &ResourcesController{
 		config:     config,
-		router:     router,
 		fileServer: fileServer,
 	}
-}
 
-func (controller *ResourcesController) SetupRoutes() {
-	controller.router.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
+
+	return controller
 }
 
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.Path == "" {
+	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}
-	if !controller.config.Enabled {
+	if !controller.config.Resources.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",

internal/controller/resources_controller_test.go

@@ -3,26 +3,20 @@ package controller_test
 import (
 	"net/http/httptest"
 	"os"
-	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/test"
 )
 
 func TestResourcesController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	cfg, _ := test.CreateTestConfigs(t)
 
-	resourcesControllerCfg := controller.ResourcesControllerConfig{
-		Path:    path.Join(tempDir, "resources"),
-		Enabled: true,
-	}
-
-	err := os.Mkdir(resourcesControllerCfg.Path, 0777)
+	err := os.MkdirAll(cfg.Resources.Path, 0777)
 	require.NoError(t, err)
 
 	type testCase struct {
@@ -61,11 +55,11 @@ func TestResourcesController(t *testing.T) {
 		},
 	}
 
-	testFilePath := resourcesControllerCfg.Path + "/testfile.txt"
+	testFilePath := cfg.Resources.Path + "/testfile.txt"
 	err = os.WriteFile(testFilePath, []byte("This is a test file."), 0777)
 	require.NoError(t, err)
 
-	testFilePathParent := tempDir + "/somefile.txt"
+	testFilePathParent := filepath.Dir(cfg.Resources.Path) + "/somefile.txt"
 	err = os.WriteFile(testFilePathParent, []byte("This file should not be accessible."), 0777)
 	require.NoError(t, err)
 
@@ -75,8 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
 
-			resourcesController := controller.NewResourcesController(resourcesControllerCfg, group)
-			resourcesController.SetupRoutes()
+			controller.NewResourcesController(cfg, group)
 
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)

internal/controller/user_controller.go

@@ -1,14 +1,16 @@
 package controller
 
 import (
+	"errors"
 	"fmt"
+	"net/http"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -23,29 +25,30 @@ type TotpRequest struct {
 	Code string `json:"code"`
 }
 
-type UserControllerConfig struct {
-	CookieDomain string
-}
-
 type UserController struct {
-	config UserControllerConfig
-	router *gin.RouterGroup
+	log     *logger.Logger
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
 
-func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
-	return &UserController{
-		config: config,
-		router: router,
+func NewUserController(
+	log *logger.Logger,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+	auth *service.AuthService,
+) *UserController {
+	controller := &UserController{
+		log:     log,
+		runtime: runtimeConfig,
 		auth:    auth,
 	}
-}
 
-func (controller *UserController) SetupRoutes() {
-	userGroup := controller.router.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
+
+	return controller
 }
 
 func (controller *UserController) loginHandler(c *gin.Context) {
@@ -53,7 +56,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -61,13 +64,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Debug().Str("username", req.Username).Msg("Login attempt")
+	controller.log.App.Debug().Str("username", req.Username).Msg("Login attempt")
 
 	isLocked, remaining := controller.auth.IsAccountLocked(req.Username)
 
 	if isLocked {
-		tlog.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
-		tlog.AuditLoginFailure(c, req.Username, "username", "account locked")
+		controller.log.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
+		controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -77,12 +80,35 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	userSearch := controller.auth.SearchUser(req.Username)
+	search, err := controller.auth.SearchUser(req.Username)
 
-	if userSearch.Type == "unknown" {
-		tlog.App.Warn().Str("username", req.Username).Msg("User not found")
+	if err != nil {
+		if errors.Is(err, service.ErrUserNotFound) {
+			controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
 			controller.auth.RecordLoginAttempt(req.Username, false)
-		tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
+			controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
+			})
+			return
+		}
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user during login attempt")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
+		controller.log.App.Warn().Str("username", req.Username).Msg("Invalid password during login attempt")
+		controller.auth.RecordLoginAttempt(req.Username, false)
+		if search.Type == model.UserLocal {
+			controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "invalid password")
+		} else {
+			controller.log.AuditLoginFailure(req.Username, "ldap", c.ClientIP(), "invalid password")
+		}
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -90,10 +116,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.VerifyUser(userSearch, req.Password) {
-		tlog.App.Warn().Str("username", req.Username).Msg("Invalid password")
-		controller.auth.RecordLoginAttempt(req.Username, false)
-		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
+	var localUser *model.LocalUser
+
+	if search.Type == model.UserLocal {
+		localUser = controller.auth.GetLocalUser(req.Username)
+
+		if localUser == nil {
+			controller.log.App.Error().Str("username", req.Username).Msg("Local user not found after successful password verification")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -101,35 +130,21 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			return
 		}
 
-	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
-	tlog.AuditLoginSuccess(c, req.Username, "username")
+		if localUser.TOTPSecret != "" {
+			controller.log.App.Debug().Str("username", req.Username).Msg("TOTP required for user, creating pending TOTP session")
 
-	controller.auth.RecordLoginAttempt(req.Username, true)
-
-	var localUser *config.User
-	if userSearch.Type == "local" {
-		user := controller.auth.GetLocalUser(userSearch.Username)
-		localUser = &user
-	}
-
-	if userSearch.Type == "local" && localUser != nil {
-		user := *localUser
-
-		if user.TotpSecret != "" {
-			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
-
-			name := user.Attributes.Name
+			name := localUser.Attributes.Name
 			if name == "" {
-				name = utils.Capitalize(user.Username)
+				name = utils.Capitalize(localUser.Username)
 			}
 
-			email := user.Attributes.Email
+			email := localUser.Attributes.Email
 			if email == "" {
-				email = utils.CompileUserEmail(user.Username, controller.config.CookieDomain)
+				email = utils.CompileUserEmail(localUser.Username, controller.runtime.CookieDomain)
 			}
 
-			err := controller.auth.CreateSessionCookie(c, &repository.Session{
-				Username:    user.Username,
+			cookie, err := controller.auth.CreateSession(c, repository.Session{
+				Username:    localUser.Username,
 				Name:        name,
 				Email:       email,
 				Provider:    "local",
@@ -137,7 +152,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			})
 
 			if err != nil {
-				tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
 				c.JSON(500, gin.H{
 					"status":  500,
 					"message": "Internal Server Error",
@@ -145,6 +160,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				return
 			}
 
+			http.SetCookie(c.Writer, cookie)
+
 			c.JSON(200, gin.H{
 				"status":      200,
 				"message":     "TOTP required",
@@ -157,11 +174,11 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}
 
-	if userSearch.Type == "local" && localUser != nil {
+	if search.Type == model.UserLocal {
 		if localUser.Attributes.Name != "" {
 			sessionCookie.Name = localUser.Attributes.Name
 		}
@@ -170,16 +187,17 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	if userSearch.Type == "ldap" {
+	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
+		if search.Email != "" {
+			sessionCookie.Email = search.Email
+		}
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -187,6 +205,18 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", req.Username).Msg("Login successful")
+
+	if search.Type == model.UserLocal {
+		controller.log.AuditLoginSuccess(req.Username, "local", c.ClientIP())
+	} else {
+		controller.log.AuditLoginSuccess(req.Username, "ldap", c.ClientIP())
+	}
+
+	controller.auth.RecordLoginAttempt(req.Username, true)
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -194,14 +224,48 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 }
 
 func (controller *UserController) logoutHandler(c *gin.Context) {
-	tlog.App.Debug().Msg("Logout request received")
+	controller.log.App.Debug().Msg("Logout attempt")
 
-	controller.auth.DeleteSessionCookie(c)
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
-	context, err := utils.GetContext(c)
-	if err == nil && context.IsLoggedIn {
-		tlog.AuditLogout(c, context.Username, context.Provider)
+	if err != nil {
+		if errors.Is(err, http.ErrNoCookie) {
+			controller.log.App.Warn().Msg("Logout attempt without session cookie, treating as successful logout")
+			c.JSON(200, gin.H{
+				"status":  200,
+				"message": "Logout successful",
+			})
+			return
 		}
+		controller.log.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	cookie, err := controller.auth.DeleteSession(c, uuid)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err == nil {
+		controller.log.AuditLogout(context.GetUsername(), context.GetProviderID(), c.ClientIP())
+	} else {
+		controller.log.App.Warn().Err(err).Msg("Failed to get user context during logout, logging audit with unknown user")
+		controller.log.AuditLogout("unknown", "unknown", c.ClientIP())
+	}
+
+	http.SetCookie(c.Writer, cookie)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -214,7 +278,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
+		controller.log.App.Error().Err(err).Msg("Failed to bind JSON for TOTP verification")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -222,10 +286,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	context, err := utils.GetContext(c)
+	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get user context")
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -233,8 +297,8 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	if !context.TotpPending {
-		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
+	if !context.TOTPPending() {
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("TOTP verification attempt without pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -242,12 +306,13 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Debug().Str("username", context.Username).Msg("TOTP verification attempt")
+	controller.log.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
 
-	isLocked, remaining := controller.auth.IsAccountLocked(context.Username)
+	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())
 
 	if isLocked {
-		tlog.App.Warn().Str("username", context.Username).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -257,14 +322,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	user := controller.auth.GetLocalUser(context.Username)
+	user := controller.auth.GetLocalUser(context.GetUsername())
 
-	ok := totp.Validate(req.Code, user.TotpSecret)
-
-	if !ok {
-		tlog.App.Warn().Str("username", context.Username).Msg("Invalid TOTP code")
-		controller.auth.RecordLoginAttempt(context.Username, false)
-		tlog.AuditLoginFailure(c, context.Username, "totp", "invalid totp code")
+	if user == nil {
+		controller.log.App.Error().Str("username", context.GetUsername()).Msg("Local user not found during TOTP verification")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -272,15 +333,36 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	tlog.App.Info().Str("username", context.Username).Msg("TOTP verification successful")
-	tlog.AuditLoginSuccess(c, context.Username, "totp")
+	ok := totp.Validate(req.Code, user.TOTPSecret)
 
-	controller.auth.RecordLoginAttempt(context.Username, true)
+	if !ok {
+		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code during verification attempt")
+		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
+		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "invalid TOTP code")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+
+	if err == nil {
+		_, err = controller.auth.DeleteSession(c, uuid)
+		if err != nil {
+			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
+		}
+	} else {
+		controller.log.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, cannot delete it")
+	}
+
+	controller.auth.RecordLoginAttempt(context.GetUsername(), true)
 
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.runtime.CookieDomain),
 		Provider: "local",
 	}
 
@@ -291,12 +373,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
-	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-
-	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -304,6 +384,11 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful, login complete")
+	controller.log.AuditLoginSuccess(context.GetUsername(), "local", c.ClientIP())
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",

internal/controller/user_controller_test.go

@@ -1,69 +1,80 @@
 package controller_test
 
 import (
+	"context"
 	"encoding/json"
+	"net/http"
 	"net/http/httptest"
-	"path"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestUserController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	authServiceCfg := service.AuthServiceConfig{
-		Users: []config.User{
-			{
-				Username: "testuser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-			},
-			{
+	cfg, runtime := test.CreateTestConfigs(t)
+
+	totpCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: false,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
 					Username: "totpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+					Name:     "Totpuser",
+					Email:    "totpuser@example.com",
 				},
-			{
-				Username: "attruser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				Attributes: config.UserAttributes{
-					Name:  "Alice Smith",
-					Email: "alice@example.com",
+				TOTPPending: true,
 			},
-			},
-			{
+		})
+	}
+
+	totpAttrCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: false,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
 					Username: "attrtotpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-				Attributes: config.UserAttributes{
 					Name:     "Bob Jones",
 					Email:    "bob@example.com",
 				},
+				TOTPPending: true,
 			},
-		},
-		SessionExpiry:     10, // 10 seconds, useful for testing
-		CookieDomain:      "example.com",
-		LoginTimeout:      10, // 10 seconds, useful for testing
-		LoginMaxRetries:   3,
-		SessionCookieName: "tinyauth-session",
+		})
 	}
 
-	userControllerCfg := controller.UserControllerConfig{
-		CookieDomain: "example.com",
+	simpleCtx := func(c *gin.Context) {
+		c.Set("context", &model.UserContext{
+			Authenticated: true,
+			Provider:      model.ProviderLocal,
+			Local: &model.LocalContext{
+				BaseContext: model.BaseContext{
+					Username: "testuser",
+					Name:     "Test User",
+					Email:    "testuser@example.com",
+				},
+			},
+		})
 	}
 
+	store := memory.New()
+
 	type testCase struct {
 		description string
 		middlewares []gin.HandlerFunc
@@ -80,7 +91,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -88,13 +99,15 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				assert.Equal(t, 10, cookie.MaxAge)
+				// 3 seconds should be more than enough for even slow test environments
+				assert.GreaterOrEqual(t, cookie.MaxAge, 7)
+				assert.LessOrEqual(t, cookie.MaxAge, 10)
 			},
 		},
 		{
@@ -106,7 +119,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -127,7 +140,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				for range 3 {
 					recorder := httptest.NewRecorder()
@@ -162,7 +175,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -173,22 +186,25 @@ func TestUserController(t *testing.T) {
 
 				decodedBody := make(map[string]any)
 				err = json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				assert.Equal(t, decodedBody["totpPending"], true)
 
 				// should set the session cookie
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				assert.Equal(t, 3600, cookie.MaxAge) // 1 hour, default for totp pending sessions
+				assert.GreaterOrEqual(t, cookie.MaxAge, 3597)
+				assert.LessOrEqual(t, cookie.MaxAge, 3600)
 			},
 		},
 		{
 			description: "Should be able to logout",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
 				loginReq := controller.LoginRequest{
@@ -196,7 +212,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -204,9 +220,10 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				cookies := recorder.Result().Cookies()
+				require.Len(t, cookies, 1)
 
-				cookie := recorder.Result().Cookies()[0]
+				cookie := cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 
 				// Now logout using the session cookie
@@ -217,48 +234,72 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				cookies = recorder.Result().Cookies()
+				require.Len(t, cookies, 1)
 
-				logoutCookie := recorder.Result().Cookies()[0]
-				assert.Equal(t, "tinyauth-session", logoutCookie.Name)
-				assert.Equal(t, "", logoutCookie.Value)
-				assert.Equal(t, -1, logoutCookie.MaxAge) // MaxAge -1 means delete cookie
+				cookie = cookies[0]
+				assert.Equal(t, "tinyauth-session", cookie.Name)
+				assert.Equal(t, "", cookie.Value)
+				assert.Equal(t, -1, cookie.MaxAge) // MaxAge -1 means delete cookie
 			},
 		},
 		{
 			description: "Should be able to login with totp",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
+					UUID:        "test-totp-login-uuid",
+					Username:    "test",
+					Email:       "test@example.com",
+					Name:        "Test",
+					Provider:    "local",
+					TotpPending: true,
+					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
+					CreatedAt:   time.Now().Unix(),
+				})
+				require.NoError(t, err)
+
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				totpReq := controller.TotpRequest{
 					Code: code,
 				}
 
 				totpReqBody, err := json.Marshal(totpReq)
-				assert.NoError(t, err)
+				require.NoError(t, err)
 
 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
-
+				req.AddCookie(&http.Cookie{
+					Name:     "tinyauth-session",
+					Value:    "test-totp-login-uuid",
+					HttpOnly: true,
+					MaxAge:   3600,
+					Expires:  time.Now().Add(1 * time.Hour),
+				})
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 1)
+				require.Len(t, recorder.Result().Cookies(), 1)
 
 				// should set a new session cookie with totp pending removed
 				totpCookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", totpCookie.Name)
 				assert.True(t, totpCookie.HttpOnly)
 				assert.Equal(t, "example.com", totpCookie.Domain)
-				assert.Equal(t, 10, totpCookie.MaxAge) // should use the regular session expiry time
+				assert.GreaterOrEqual(t, totpCookie.MaxAge, 7)
+				assert.LessOrEqual(t, totpCookie.MaxAge, 10)
 			},
 		},
 		{
 			description: "Totp should rate limit on multiple invalid attempts",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
 					totpReq := controller.TotpRequest{
@@ -266,7 +307,7 @@ func TestUserController(t *testing.T) {
 					}
 
 					totpReqBody, err := json.Marshal(totpReq)
-					assert.NoError(t, err)
+					require.NoError(t, err)
 
 					recorder = httptest.NewRecorder()
 					req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
@@ -328,8 +369,22 @@ func TestUserController(t *testing.T) {
 		},
 		{
 			description: "TOTP completion uses name and email from user attributes",
-			middlewares: []gin.HandlerFunc{},
+			middlewares: []gin.HandlerFunc{
+				totpAttrCtx,
+			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
+					UUID:        "test-totp-login-attributes-uuid",
+					Username:    "test",
+					Email:       "test@example.com",
+					Name:        "Test",
+					Provider:    "local",
+					TotpPending: true,
+					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
+					CreatedAt:   time.Now().Unix(),
+				})
+				require.NoError(t, err)
+
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 
@@ -339,6 +394,13 @@ func TestUserController(t *testing.T) {
 
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
+				req.AddCookie(&http.Cookie{
+					Name:     "tinyauth-session",
+					Value:    "test-totp-login-attributes-uuid",
+					HttpOnly: true,
+					MaxAge:   3600,
+					Expires:  time.Now().Add(1 * time.Hour),
+				})
 				router.ServeHTTP(recorder, req)
 
 				require.Equal(t, 200, recorder.Code)
@@ -349,63 +411,17 @@ func TestUserController(t *testing.T) {
 		},
 	}
 
-	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
 
-	app := bootstrap.NewBootstrapApp(config.Config{})
-
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	require.NoError(t, err)
-
-	queries := repository.New(db)
-
-	docker := service.NewDockerService()
-	err = docker.Init()
-	require.NoError(t, err)
-
-	ldap := service.NewLdapService(service.LdapServiceConfig{})
-	err = ldap.Init()
-	require.NoError(t, err)
-
-	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
-	err = broker.Init()
-	require.NoError(t, err)
-
-	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
-	err = authService.Init()
-	require.NoError(t, err)
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test
 		authService.ClearRateLimitsTestingOnly()
 	}
 
-	setTotpMiddlewareOverrides := map[string]config.UserContext{
-		"Should be able to login with totp": {
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"Totp should rate limit on multiple invalid attempts": {
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"TOTP completion uses name and email from user attributes": {
-			Username:    "attrtotpuser",
-			Name:        "Bob Jones",
-			Email:       "bob@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-	}
-
 	for _, test := range tests {
 		beforeEach()
 		t.Run(test.description, func(t *testing.T) {
@@ -415,29 +431,14 @@ func TestUserController(t *testing.T) {
 				router.Use(middleware)
 			}
 
-			// Gin is stupid and doesn't allow setting a middleware after the groups
-			// so we need to do some stupid overrides here
-			if ctx, ok := setTotpMiddlewareOverrides[test.description]; ok {
-				ctx := ctx
-				router.Use(func(c *gin.Context) {
-					c.Set("context", &ctx)
-				})
-			}
-
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			userController := controller.NewUserController(userControllerCfg, group, authService)
-			userController.SetupRoutes()
+			controller.NewUserController(log, runtime, group, authService)
 
 			recorder := httptest.NewRecorder()
 
 			test.run(t, router, recorder)
 		})
 	}
-
-	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
-	})
 }

internal/controller/well_known_controller.go

@@ -26,28 +26,30 @@ type OpenIDConnectConfiguration struct {
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
-type WellKnownControllerConfig struct{}
-
 type WellKnownController struct {
-	config WellKnownControllerConfig
-	engine *gin.Engine
 	oidc *service.OIDCService
 }
 
-func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
-	return &WellKnownController{
-		config: config,
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
+	controller := &WellKnownController{
 		oidc: oidc,
-		engine: engine,
-	}
 	}
 
-func (controller *WellKnownController) SetupRoutes() {
-	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
+
+	return controller
 }
 
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                                 issuer,
@@ -69,11 +71,19 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 }
 
 func (controller *WellKnownController) JWKS(c *gin.Context) {
+	if controller.oidc == nil {
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "OIDC service not configured",
+		})
+		return
+	}
+
 	jwks, err := controller.oidc.GetJWK()
 
 	if err != nil {
 		c.JSON(500, gin.H{
-			"status":  "500",
+			"status":  500,
 			"message": "failed to get JWK",
 		})
 		return

internal/controller/well_known_controller_test.go

@@ -1,41 +1,28 @@
 package controller_test
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"path"
+	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 func TestWellKnownController(t *testing.T) {
-	tlog.NewTestLogger().Init()
-	tempDir := t.TempDir()
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
 
-	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]config.OIDCClientConfig{
-			"test": {
-				ClientID:            "some-client-id",
-				ClientSecret:        "some-client-secret",
-				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
-				Name:                "Test Client",
-			},
-		},
-		PrivateKeyPath: path.Join(tempDir, "key.pem"),
-		PublicKeyPath:  path.Join(tempDir, "key.pub"),
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  500,
-	}
+	cfg, runtime := test.CreateTestConfigs(t)
 
 	type testCase struct {
 		description string
@@ -56,11 +43,11 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)
 
 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					Issuer:                                 runtime.AppURL,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", runtime.AppURL),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", runtime.AppURL),
 					ScopesSupported:                        service.SupportedScopes,
 					ResponseTypesSupported:                 service.SupportedResponseTypes,
 					GrantTypesSupported:                    service.SupportedGrantTypes,
@@ -101,15 +88,12 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}
 
-	app := bootstrap.NewBootstrapApp(config.Config{})
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
 
-	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	require.NoError(t, err)
+	store := memory.New()
 
-	queries := repository.New(db)
-
-	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
-	err = oidcService.Init()
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, ctx, wg)
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -119,15 +103,9 @@ func TestWellKnownController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			wellKnownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, oidcService, router)
-			wellKnownController.SetupRoutes()
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)
 
 			test.run(t, router, recorder)
 		})
 	}
-
-	t.Cleanup(func() {
-		err = db.Close()
-		require.NoError(t, err)
-	})
 }

internal/middleware/context_middleware.go

@@ -1,13 +1,16 @@
 package middleware
 
 import (
+	"context"
+	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 )
@@ -32,28 +35,27 @@ var (
 	}
 )
 
-type ContextMiddlewareConfig struct {
-	CookieDomain string
-}
-
 type ContextMiddleware struct {
-	config ContextMiddlewareConfig
+	log     *logger.Logger
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 	broker  *service.OAuthBrokerService
 }
 
-func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
+func NewContextMiddleware(
+	log *logger.Logger,
+	runtime model.RuntimeConfig,
+	auth *service.AuthService,
+	broker *service.OAuthBrokerService,
+) *ContextMiddleware {
 	return &ContextMiddleware{
-		config: config,
+		log:     log,
+		runtime: runtime,
 		auth:    auth,
 		broker:  broker,
 	}
 }
 
-func (m *ContextMiddleware) Init() error {
-	return nil
-}
-
 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if m.isIgnorePath(c.Request.Method + " " + c.Request.URL.Path) {
@@ -61,200 +63,199 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
-		cookie, err := m.auth.GetSessionCookie(c)
+		uuid, err := c.Cookie(m.runtime.SessionCookieName)
+
+		if err == nil {
+			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
+
+			if err == nil {
+				if cookie != nil {
+					http.SetCookie(c.Writer, cookie)
+				}
+
+				m.log.App.Debug().Msgf("Authenticated user %s via session cookie", userContext.GetUsername())
+				c.Set("context", userContext)
+				c.Next()
+				return
+			} else {
+				m.log.App.Debug().Msgf("Error authenticating session cookie: %v", err)
+			}
+		}
+
+		username, password, ok := c.Request.BasicAuth()
+
+		if ok {
+			userContext, headers, err := m.basicAuth(username, password)
 
 			if err != nil {
-			tlog.App.Debug().Err(err).Msg("No valid session cookie found")
-			goto basic
-		}
-
-		if cookie.TotpPending {
-			c.Set("context", &config.UserContext{
-				Username:    cookie.Username,
-				Name:        cookie.Name,
-				Email:       cookie.Email,
-				Provider:    "local",
-				TotpPending: true,
-				TotpEnabled: true,
-			})
+				m.log.App.Error().Msgf("Error authenticating basic auth: %v", err)
 				c.Next()
 				return
 			}
 
-		switch cookie.Provider {
-		case "local", "ldap":
-			userSearch := m.auth.SearchUser(cookie.Username)
-
-			if userSearch.Type == "unknown" {
-				tlog.App.Debug().Msg("User from session cookie not found")
-				m.auth.DeleteSessionCookie(c)
-				goto basic
+			for k, v := range headers {
+				c.Header(k, v)
 			}
 
-			if userSearch.Type != cookie.Provider {
-				tlog.App.Warn().Msg("User type from session cookie does not match user search type")
-				m.auth.DeleteSessionCookie(c)
+			c.Set("context", userContext)
 			c.Next()
 			return
 		}
 
-			var ldapGroups []string
-			var localAttributes config.UserAttributes
+		c.Next()
+	}
+}
 
-			if cookie.Provider == "ldap" {
-				ldapUser, err := m.auth.GetLdapUser(userSearch.Username)
+func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model.UserContext, *http.Cookie, error) {
+	session, err := m.auth.GetSession(ctx, uuid)
 
 	if err != nil {
-					tlog.App.Error().Err(err).Msg("Error retrieving LDAP user details")
-					c.Next()
-					return
+		return nil, nil, fmt.Errorf("error retrieving session: %w", err)
 	}
 
-				ldapGroups = ldapUser.Groups
+	userContext, err := new(model.UserContext).NewFromSession(session)
+
+	if err != nil {
+		return nil, nil, fmt.Errorf("error creating user context from session: %w", err)
 	}
 
-			if cookie.Provider == "local" {
-				localUser := m.auth.GetLocalUser(cookie.Username)
-				localAttributes = localUser.Attributes
+	if userContext.Provider == model.ProviderLocal &&
+		userContext.Local.TOTPPending {
+		return userContext, nil, nil
 	}
 
-			m.auth.RefreshSessionCookie(c)
-			c.Set("context", &config.UserContext{
-				Username:   cookie.Username,
-				Name:       cookie.Name,
-				Email:      cookie.Email,
-				Provider:   cookie.Provider,
-				IsLoggedIn: true,
-				LdapGroups: strings.Join(ldapGroups, ","),
-				Attributes: localAttributes,
-			})
-			c.Next()
-			return
-		default:
-			_, exists := m.broker.GetService(cookie.Provider)
+	switch userContext.Provider {
+	case model.ProviderLocal:
+		user := m.auth.GetLocalUser(userContext.Local.Username)
+
+		if user == nil {
+			return nil, nil, fmt.Errorf("local user not found")
+		}
+
+		userContext.Local.Attributes = user.Attributes
+
+		if userContext.Local.Attributes.Name == "" {
+			userContext.Local.Attributes.Name = utils.Capitalize(user.Username)
+		}
+
+		if userContext.Local.Attributes.Email == "" {
+			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.runtime.CookieDomain)
+		}
+	case model.ProviderLDAP:
+		search, err := m.auth.SearchUser(userContext.LDAP.Username)
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("error searching for ldap user: %w", err)
+		}
+
+		if search.Type != model.UserLDAP {
+			return nil, nil, fmt.Errorf("user from session cookie is not ldap")
+		}
+
+		user, err := m.auth.GetLDAPUser(search.Username)
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("error retrieving ldap user details: %w", err)
+		}
+
+		userContext.LDAP.Groups = user.Groups
+		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
+
+		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.runtime.CookieDomain)
+		if search.Email != "" {
+			userContext.LDAP.Email = search.Email
+		}
+
+	case model.ProviderOAuth:
+		_, exists := m.broker.GetService(userContext.OAuth.ID)
 
 		if !exists {
-				tlog.App.Debug().Msg("OAuth provider from session cookie not found")
-				m.auth.DeleteSessionCookie(c)
-				goto basic
+			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
 
-			if !m.auth.IsEmailWhitelisted(cookie.Email) {
-				tlog.App.Debug().Msg("Email from session cookie not whitelisted")
-				m.auth.DeleteSessionCookie(c)
-				goto basic
+		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
+			m.auth.DeleteSession(ctx, uuid)
+			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
+		}
 	}
 
-			m.auth.RefreshSessionCookie(c)
-			c.Set("context", &config.UserContext{
-				Username:    cookie.Username,
-				Name:        cookie.Name,
-				Email:       cookie.Email,
-				Provider:    cookie.Provider,
-				OAuthGroups: cookie.OAuthGroups,
-				OAuthName:   cookie.OAuthName,
-				OAuthSub:    cookie.OAuthSub,
-				IsLoggedIn:  true,
-				OAuth:       true,
-			})
-			c.Next()
-			return
-		}
-
-	basic:
-		basic := m.auth.GetBasicAuth(c)
-
-		if basic == nil {
-			tlog.App.Debug().Msg("No basic auth provided")
-			c.Next()
-			return
-		}
-
-		locked, remaining := m.auth.IsAccountLocked(basic.Username)
-
-		if locked {
-			tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", basic.Username, remaining)
-			c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
-			c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
-			c.Next()
-			return
-		}
-
-		userSearch := m.auth.SearchUser(basic.Username)
-
-		if userSearch.Type == "unknown" || userSearch.Type == "error" {
-			m.auth.RecordLoginAttempt(basic.Username, false)
-			tlog.App.Debug().Msg("User from basic auth not found")
-			c.Next()
-			return
-		}
-
-		if !m.auth.VerifyUser(userSearch, basic.Password) {
-			m.auth.RecordLoginAttempt(basic.Username, false)
-			tlog.App.Debug().Msg("Invalid password for basic auth user")
-			c.Next()
-			return
-		}
-
-		m.auth.RecordLoginAttempt(basic.Username, true)
-
-		switch userSearch.Type {
-		case "local":
-			tlog.App.Debug().Msg("Basic auth user is local")
-
-			user := m.auth.GetLocalUser(basic.Username)
-
-			if user.TotpSecret != "" {
-				tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
-				return
-			}
-
-			name := utils.Capitalize(user.Username)
-			if user.Attributes.Name != "" {
-				name = user.Attributes.Name
-			}
-			email := utils.CompileUserEmail(user.Username, m.config.CookieDomain)
-			if user.Attributes.Email != "" {
-				email = user.Attributes.Email
-			}
-
-			c.Set("context", &config.UserContext{
-				Username:    user.Username,
-				Name:        name,
-				Email:       email,
-				Provider:    "local",
-				IsLoggedIn:  true,
-				IsBasicAuth: true,
-				Attributes:  user.Attributes,
-			})
-			c.Next()
-			return
-		case "ldap":
-			tlog.App.Debug().Msg("Basic auth user is LDAP")
-
-			ldapUser, err := m.auth.GetLdapUser(basic.Username)
+	cookie, err := m.auth.RefreshSession(ctx, uuid)
 
 	if err != nil {
-				tlog.App.Debug().Err(err).Msg("Error retrieving LDAP user details")
-				c.Next()
-				return
+		return nil, nil, fmt.Errorf("error refreshing session: %w", err)
 	}
 
-			c.Set("context", &config.UserContext{
-				Username:    basic.Username,
-				Name:        utils.Capitalize(basic.Username),
-				Email:       utils.CompileUserEmail(basic.Username, m.config.CookieDomain),
-				Provider:    "ldap",
-				IsLoggedIn:  true,
-				LdapGroups:  strings.Join(ldapUser.Groups, ","),
-				IsBasicAuth: true,
-			})
-			c.Next()
-			return
+	return userContext, cookie, nil
 }
 
-		c.Next()
+func (m *ContextMiddleware) basicAuth(username string, password string) (*model.UserContext, map[string]string, error) {
+	headers := make(map[string]string)
+	userContext := new(model.UserContext)
+	locked, remaining := m.auth.IsAccountLocked(username)
+
+	if locked {
+		m.log.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
+		headers["x-tinyauth-lock-locked"] = "true"
+		headers["x-tinyauth-lock-reset"] = time.Now().Add(time.Duration(remaining) * time.Second).Format(time.RFC3339)
+		return nil, headers, nil
 	}
+
+	search, err := m.auth.SearchUser(username)
+
+	if err != nil {
+		return nil, nil, fmt.Errorf("error searching for user: %w", err)
+	}
+
+	err = m.auth.CheckUserPassword(*search, password)
+
+	if err != nil {
+		m.auth.RecordLoginAttempt(username, false)
+		return nil, nil, fmt.Errorf("invalid password for basic auth user: %w", err)
+	}
+
+	m.auth.RecordLoginAttempt(username, true)
+
+	switch search.Type {
+	case model.UserLocal:
+		user := m.auth.GetLocalUser(username)
+
+		if user.TOTPSecret != "" {
+			return nil, nil, fmt.Errorf("user with totp not allowed to login via basic auth: %s", username)
+		}
+
+		userContext.Local = &model.LocalContext{
+			BaseContext: model.BaseContext{
+				Username: user.Username,
+				Name:     utils.Capitalize(user.Username),
+				Email:    utils.CompileUserEmail(user.Username, m.runtime.CookieDomain),
+			},
+			Attributes: user.Attributes,
+		}
+		userContext.Provider = model.ProviderLocal
+	case model.UserLDAP:
+		user, err := m.auth.GetLDAPUser(username)
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("error retrieving ldap user details: %w", err)
+		}
+
+		userContext.LDAP = &model.LDAPContext{
+			BaseContext: model.BaseContext{
+				Username: username,
+				Name:     utils.Capitalize(username),
+			},
+			Groups: user.Groups,
+		}
+		userContext.Provider = model.ProviderLDAP
+
+		userContext.LDAP.Email = utils.CompileUserEmail(username, m.runtime.CookieDomain)
+		if search.Email != "" {
+			userContext.LDAP.Email = search.Email
+		}
+	}
+
+	userContext.Authenticated = true
+	return userContext, nil, nil
 }
 
 func (m *ContextMiddleware) isIgnorePath(path string) bool {

internal/middleware/context_middleware_test.go

@@ -0,0 +1,287 @@
+package middleware_test
+
+import (
+	"context"
+	"encoding/base64"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/middleware"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/test"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+)
+
+func TestContextMiddleware(t *testing.T) {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+
+	cfg, runtime := test.CreateTestConfigs(t)
+
+	basicAuthHeader := func(username, password string) string {
+		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
+	}
+
+	seedSession := func(t *testing.T, queries repository.Store, params repository.CreateSessionParams) {
+		t.Helper()
+		_, err := queries.CreateSession(context.Background(), params)
+		require.NoError(t, err)
+	}
+
+	type runArgs struct {
+		do      func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder)
+		queries repository.Store
+	}
+
+	type testCase struct {
+		description string
+		run         func(t *testing.T, args runArgs)
+	}
+
+	tests := []testCase{
+		{
+			description: "Skip path bypasses auth processing",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/healthz", nil)
+				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "No credentials yields no context",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Valid session cookie sets authenticated local context",
+			run: func(t *testing.T, args runArgs) {
+				uuid := "session-valid-local"
+				seedSession(t, args.queries, repository.CreateSessionParams{
+					UUID:      uuid,
+					Username:  "testuser",
+					Provider:  "local",
+					Expiry:    time.Now().Add(10 * time.Second).Unix(),
+					CreatedAt: time.Now().Unix(),
+				})
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
+				userCtx, _ := args.do(req)
+
+				require.NotNil(t, userCtx)
+				assert.Equal(t, model.ProviderLocal, userCtx.Provider)
+				assert.Equal(t, "testuser", userCtx.GetUsername())
+				assert.True(t, userCtx.Authenticated)
+				require.NotNil(t, userCtx.Local)
+			},
+		},
+		{
+			description: "Session cookie with totp pending sets unauthenticated context with totp enabled",
+			run: func(t *testing.T, args runArgs) {
+				uuid := "session-totp-pending"
+				seedSession(t, args.queries, repository.CreateSessionParams{
+					UUID:        uuid,
+					Username:    "totpuser",
+					Provider:    "local",
+					TotpPending: true,
+					Expiry:      time.Now().Add(60 * time.Second).Unix(),
+					CreatedAt:   time.Now().Unix(),
+				})
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
+				userCtx, _ := args.do(req)
+
+				require.NotNil(t, userCtx)
+				assert.Equal(t, "totpuser", userCtx.GetUsername())
+				assert.False(t, userCtx.Authenticated)
+				require.NotNil(t, userCtx.Local)
+				assert.True(t, userCtx.Local.TOTPPending)
+			},
+		},
+		{
+			description: "Unknown session cookie yields no context",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: "does-not-exist"})
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Session for missing local user yields no context",
+			run: func(t *testing.T, args runArgs) {
+				uuid := "session-deleted-user"
+				seedSession(t, args.queries, repository.CreateSessionParams{
+					UUID:      uuid,
+					Username:  "ghostuser",
+					Provider:  "local",
+					Expiry:    time.Now().Add(10 * time.Second).Unix(),
+					CreatedAt: time.Now().Unix(),
+				})
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Expired session cookie yields no context",
+			run: func(t *testing.T, args runArgs) {
+				uuid := "session-expired"
+				seedSession(t, args.queries, repository.CreateSessionParams{
+					UUID:      uuid,
+					Username:  "testuser",
+					Provider:  "local",
+					Expiry:    time.Now().Add(-1 * time.Second).Unix(),
+					CreatedAt: time.Now().Add(-10 * time.Second).Unix(),
+				})
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Valid basic auth sets authenticated local context",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
+				userCtx, _ := args.do(req)
+
+				require.NotNil(t, userCtx)
+				assert.Equal(t, model.ProviderLocal, userCtx.Provider)
+				assert.Equal(t, "testuser", userCtx.GetUsername())
+				assert.True(t, userCtx.Authenticated)
+			},
+		},
+		{
+			description: "Invalid basic auth password yields no context",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.Header.Set("Authorization", basicAuthHeader("testuser", "wrongpassword"))
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Basic auth is rejected for users with totp",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.Header.Set("Authorization", basicAuthHeader("totpuser", "password"))
+				userCtx, _ := args.do(req)
+
+				assert.Nil(t, userCtx)
+			},
+		},
+		{
+			description: "Locked account on basic auth sets lock headers",
+			run: func(t *testing.T, args runArgs) {
+				for range 3 {
+					req := httptest.NewRequest("GET", "/api/test", nil)
+					req.Header.Set("Authorization", basicAuthHeader("testuser", "wrongpassword"))
+					args.do(req)
+				}
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
+				userCtx, recorder := args.do(req)
+
+				assert.Nil(t, userCtx)
+				assert.Equal(t, "true", recorder.Header().Get("x-tinyauth-lock-locked"))
+				assert.NotEmpty(t, recorder.Header().Get("x-tinyauth-lock-reset"))
+			},
+		},
+		{
+			description: "Cookie auth takes precedence over basic auth",
+			run: func(t *testing.T, args runArgs) {
+				uuid := "session-precedence"
+				seedSession(t, args.queries, repository.CreateSessionParams{
+					UUID:      uuid,
+					Username:  "testuser",
+					Provider:  "local",
+					Expiry:    time.Now().Add(10 * time.Second).Unix(),
+					CreatedAt: time.Now().Unix(),
+				})
+
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
+				req.Header.Set("Authorization", basicAuthHeader("totpuser", "password"))
+				userCtx, _ := args.do(req)
+
+				require.NotNil(t, userCtx)
+				assert.Equal(t, "testuser", userCtx.GetUsername())
+				assert.True(t, userCtx.Authenticated)
+			},
+		},
+		{
+			description: "Ensure fallback to basic auth when cookie is missing",
+			run: func(t *testing.T, args runArgs) {
+				req := httptest.NewRequest("GET", "/api/test", nil)
+				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
+				userCtx, _ := args.do(req)
+
+				require.NotNil(t, userCtx)
+				assert.Equal(t, "testuser", userCtx.GetUsername())
+				assert.True(t, userCtx.Authenticated)
+			},
+		},
+	}
+
+	ctx := context.TODO()
+	wg := &sync.WaitGroup{}
+
+	store := memory.New()
+
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
+
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker)
+
+	for _, test := range tests {
+		authService.ClearRateLimitsTestingOnly()
+		t.Run(test.description, func(t *testing.T) {
+			gin.SetMode(gin.TestMode)
+
+			do := func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder) {
+				var captured *model.UserContext
+				router := gin.New()
+				router.Use(contextMiddleware.Middleware())
+				handler := func(c *gin.Context) {
+					if val, exists := c.Get("context"); exists {
+						captured, _ = val.(*model.UserContext)
+					}
+				}
+				router.GET("/api/test", handler)
+				router.GET("/api/healthz", handler)
+
+				recorder := httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				return captured, recorder
+			}
+
+			test.run(t, runArgs{do: do, queries: store})
+		})
+	}
+}

internal/middleware/ui_middleware.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 )
@@ -19,29 +18,25 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
 
-func NewUIMiddleware() *UIMiddleware {
-	return &UIMiddleware{}
-}
+func NewUIMiddleware() (*UIMiddleware, error) {
+	m := &UIMiddleware{}
 
-func (m *UIMiddleware) Init() error {
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")
 
 	if err != nil {
-		return err
+		return nil, fmt.Errorf("failed to load ui assets: %w", err)
 	}
 
 	m.uiFs = ui
 	m.uiFileServer = http.FileServerFS(ui)
 
-	return nil
+	return m, nil
 }
 
 func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
-		tlog.App.Debug().Str("path", path).Msg("path")
-
 		switch strings.SplitN(path, "/", 2)[0] {
 		case "api", "resources", ".well-known":
 			c.Next()

internal/middleware/zerolog_middleware.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 // See context middleware for explanation of why we have to do this
@@ -17,14 +17,14 @@ var (
 	}
 )
 
-type ZerologMiddleware struct{}
-
-func NewZerologMiddleware() *ZerologMiddleware {
-	return &ZerologMiddleware{}
+type ZerologMiddleware struct {
+	log *logger.Logger
 }
 
-func (m *ZerologMiddleware) Init() error {
-	return nil
+func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
+	return &ZerologMiddleware{
+		log: log,
+	}
 }
 
 func (m *ZerologMiddleware) logPath(path string) bool {
@@ -50,7 +50,7 @@ func (m *ZerologMiddleware) Middleware() gin.HandlerFunc {
 
 		latency := time.Since(tStart).String()
 
-		subLogger := tlog.HTTP.With().Str("method", method).
+		subLogger := m.log.HTTP.With().Str("method", method).
 			Str("path", path).
 			Str("address", address).
 			Str("client_ip", clientIP).

internal/model/config.go

@@ -1,9 +1,10 @@
-package config
+package model
 
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		Database: DatabaseConfig{
+			Driver: "sqlite",
 			Path:   "./tinyauth.db",
 		},
 		Analytics: AnalyticsConfig{
@@ -16,8 +17,10 @@ func NewDefaultConfiguration() *Config {
 		Server: ServerConfig{
 			Port:                       3000,
 			Address:                    "0.0.0.0",
+			ConcurrentListenersEnabled: false,
 		},
 		Auth: AuthConfig{
+			SubdomainsEnabled:  true,
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
@@ -29,7 +32,7 @@ func NewDefaultConfiguration() *Config {
 			BackgroundImage:       "/background.jpg",
 			WarningsEnabled:       true,
 		},
-		Ldap: LdapConfig{
+		LDAP: LDAPConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
 			GroupCacheTTL: 900, // 15 minutes
@@ -59,24 +62,10 @@ func NewDefaultConfiguration() *Config {
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
+		LabelProvider: "auto",
 	}
 }
 
-// Version information, set at build time
-
-var Version = "development"
-var CommitHash = "development"
-var BuildTimestamp = "0000-00-00T00:00:00Z"
-
-// Cookie name templates
-
-var SessionCookieName = "tinyauth-session"
-var CSRFCookieName = "tinyauth-csrf"
-var RedirectCookieName = "tinyauth-redirect"
-var OAuthSessionCookieName = "tinyauth-oauth"
-
-// Main app config
-
 type Config struct {
 	AppURL        string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
 	Database      DatabaseConfig     `description:"Database configuration." yaml:"database"`
@@ -88,13 +77,15 @@ type Config struct {
 	OAuth         OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
 	OIDC          OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
-	Ldap         LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
+	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
+	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 
 type DatabaseConfig struct {
-	Path string `description:"The path to the database, including file name." yaml:"path"`
+	Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
+	Path   string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
 }
 
 type AnalyticsConfig struct {
@@ -110,11 +101,13 @@ type ServerConfig struct {
 	Port                       int    `description:"The port on which the server listens." yaml:"port"`
 	Address                    string `description:"The address on which the server listens." yaml:"address"`
 	SocketPath                 string `description:"The path to the Unix socket." yaml:"socketPath"`
+	ConcurrentListenersEnabled bool   `description:"Enable listening on both TCP and Unix socket at the same time." yaml:"concurrentListenersEnabled"`
 }
 
 type AuthConfig struct {
 	IP                 IPConfig                  `description:"IP whitelisting config options." yaml:"ip"`
 	Users              []string                  `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
+	SubdomainsEnabled  bool                      `description:"Enable subdomains support." yaml:"subdomainsEnabled"`
 	UserAttributes     map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
 	UsersFile          string                    `description:"Path to the users file." yaml:"usersFile"`
 	SecureCookie       bool                      `description:"Enable secure cookies." yaml:"secureCookie"`
@@ -159,6 +152,7 @@ type IPConfig struct {
 
 type OAuthConfig struct {
 	Whitelist     []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
+	WhitelistFile string                        `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
 	AutoRedirect  string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
 	Providers     map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
@@ -176,7 +170,7 @@ type UIConfig struct {
 	WarningsEnabled       bool   `description:"Enable UI warnings." yaml:"warningsEnabled"`
 }
 
-type LdapConfig struct {
+type LDAPConfig struct {
 	Address       string `description:"LDAP server address." yaml:"address"`
 	BindDN        string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
 	BindPassword  string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
@@ -209,20 +203,6 @@ type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 
-// Config loader options
-
-const DefaultNamePrefix = "TINYAUTH_"
-
-// OAuth/OIDC config
-
-type Claims struct {
-	Sub               string `json:"sub"`
-	Name              string `json:"name"`
-	Email             string `json:"email"`
-	PreferredUsername string `json:"preferred_username"`
-	Groups            any    `json:"groups"`
-}
-
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
@@ -245,60 +225,6 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
-var OverrideProviders = map[string]string{
-	"google": "Google",
-	"github": "GitHub",
-}
-
-// User/session related stuff
-
-type User struct {
-	Username   string
-	Password   string
-	TotpSecret string
-	Attributes UserAttributes
-}
-
-type LdapUser struct {
-	DN     string
-	Groups []string
-}
-
-type UserSearch struct {
-	Username string
-	Type     string // local, ldap or unknown
-}
-
-type UserContext struct {
-	Username    string
-	Name        string
-	Email       string
-	IsLoggedIn  bool
-	IsBasicAuth bool
-	OAuth       bool
-	Provider    string
-	TotpPending bool
-	OAuthGroups string
-	TotpEnabled bool
-	OAuthName   string
-	OAuthSub    string
-	LdapGroups  string
-	Attributes  UserAttributes
-}
-
-// API responses and queries
-
-type UnauthorizedQuery struct {
-	Username string `url:"username"`
-	Resource string `url:"resource"`
-	GroupErr bool   `url:"groupErr"`
-	IP       string `url:"ip"`
-}
-
-type RedirectQuery struct {
-	RedirectURI string `url:"redirect_uri"`
-}
-
 // ACLs
 
 type Apps struct {
@@ -354,7 +280,3 @@ type AppPath struct {
 	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
 	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
 }
-
-// API server
-
-var ApiServer = "https://api.tinyauth.app"

internal/model/constants.go

@@ -0,0 +1,23 @@
+package model
+
+const DefaultNamePrefix = "TINYAUTH_"
+
+const APIServer = "https://api.tinyauth.app"
+
+type Claims struct {
+	Sub               string `json:"sub"`
+	Name              string `json:"name"`
+	Email             string `json:"email"`
+	PreferredUsername string `json:"preferred_username"`
+	Groups            any    `json:"groups"`
+}
+
+var OverrideProviders = map[string]string{
+	"google": "Google",
+	"github": "GitHub",
+}
+
+const SessionCookieName = "tinyauth-session"
+const CSRFCookieName = "tinyauth-csrf"
+const RedirectCookieName = "tinyauth-redirect"
+const OAuthSessionCookieName = "tinyauth-oauth"

internal/model/context.go

@@ -0,0 +1,254 @@
+package model
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+var (
+	ErrUserContextNotFound = errors.New("user context not found")
+)
+
+type ProviderType int
+
+const (
+	ProviderLocal ProviderType = iota
+	ProviderBasicAuth
+	ProviderOAuth
+	ProviderLDAP
+)
+
+type UserContext struct {
+	Authenticated bool
+	Provider      ProviderType
+	Local         *LocalContext
+	OAuth         *OAuthContext
+	LDAP          *LDAPContext
+}
+
+type BaseContext struct {
+	Username string
+	Name     string
+	Email    string
+}
+
+type LocalContext struct {
+	BaseContext
+	TOTPPending bool
+	Attributes  UserAttributes
+}
+
+type OAuthContext struct {
+	BaseContext
+	Groups      []string
+	Sub         string
+	DisplayName string
+	ID          string
+}
+
+type LDAPContext struct {
+	BaseContext
+	Groups []string
+}
+
+func (c *UserContext) IsAuthenticated() bool {
+	return c.Authenticated
+}
+
+func (c *UserContext) IsLocal() bool {
+	return c.Provider == ProviderLocal && c.Local != nil
+}
+
+func (c *UserContext) IsOAuth() bool {
+	return c.Provider == ProviderOAuth && c.OAuth != nil
+}
+
+func (c *UserContext) IsLDAP() bool {
+	return c.Provider == ProviderLDAP && c.LDAP != nil
+}
+
+func (c *UserContext) IsBasicAuth() bool {
+	return c.Provider == ProviderBasicAuth && c.Local != nil
+}
+
+func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
+	userContextValue, exists := ginctx.Get("context")
+
+	if !exists {
+		return nil, ErrUserContextNotFound
+	}
+
+	userContext, ok := userContextValue.(*UserContext)
+
+	if !ok || userContext == nil {
+		return nil, errors.New("invalid user context type")
+	}
+
+	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil {
+		return nil, errors.New("incomplete user context")
+	}
+
+	*c = *userContext
+	return c, nil
+}
+
+// Compatability layer until we get an excuse to drop in database migrations
+func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext, error) {
+	*c = UserContext{
+		Authenticated: !session.TotpPending,
+	}
+
+	switch session.Provider {
+	case "local":
+		c.Provider = ProviderLocal
+		c.Local = &LocalContext{
+			BaseContext: BaseContext{
+				Username: session.Username,
+				Name:     session.Name,
+				Email:    session.Email,
+			},
+			TOTPPending: session.TotpPending,
+		}
+	case "ldap":
+		c.Provider = ProviderLDAP
+		c.LDAP = &LDAPContext{
+			BaseContext: BaseContext{
+				Username: session.Username,
+				Name:     session.Name,
+				Email:    session.Email,
+			},
+		}
+	// By default we assume an unknown name which is oauth
+	default:
+		c.Provider = ProviderOAuth
+		c.OAuth = &OAuthContext{
+			BaseContext: BaseContext{
+				Username: session.Username,
+				Name:     session.Name,
+				Email:    session.Email,
+			},
+			Groups: func() []string {
+				if session.OAuthGroups == "" {
+					return nil
+				}
+				return strings.Split(session.OAuthGroups, ",")
+			}(),
+			Sub:         session.OAuthSub,
+			DisplayName: session.OAuthName,
+			ID:          session.Provider,
+		}
+	}
+
+	return c, nil
+}
+
+func (c *UserContext) GetUsername() string {
+	switch c.Provider {
+	case ProviderLocal:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Username
+	case ProviderLDAP:
+		if c.LDAP == nil {
+			return ""
+		}
+		return c.LDAP.Username
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Username
+	case ProviderOAuth:
+		if c.OAuth == nil {
+			return ""
+		}
+		return c.OAuth.Username
+	default:
+		return ""
+	}
+}
+
+func (c *UserContext) GetEmail() string {
+	switch c.Provider {
+	case ProviderLocal:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Email
+	case ProviderLDAP:
+		if c.LDAP == nil {
+			return ""
+		}
+		return c.LDAP.Email
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Email
+	case ProviderOAuth:
+		if c.OAuth == nil {
+			return ""
+		}
+		return c.OAuth.Email
+	default:
+		return ""
+	}
+}
+
+func (c *UserContext) GetName() string {
+	switch c.Provider {
+	case ProviderLocal:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Name
+	case ProviderLDAP:
+		if c.LDAP == nil {
+			return ""
+		}
+		return c.LDAP.Name
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Name
+	case ProviderOAuth:
+		if c.OAuth == nil {
+			return ""
+		}
+		return c.OAuth.Name
+	default:
+		return ""
+	}
+}
+
+func (c *UserContext) GetProviderID() string {
+	switch c.Provider {
+	case ProviderBasicAuth, ProviderLocal:
+		return "local"
+	case ProviderLDAP:
+		return "ldap"
+	case ProviderOAuth:
+		return c.OAuth.ID
+	default:
+		return "unknown"
+	}
+}
+
+func (c *UserContext) TOTPPending() bool {
+	if c.Provider == ProviderLocal && c.Local != nil {
+		return c.Local.TOTPPending
+	}
+	return false
+}
+
+func (c *UserContext) OAuthName() string {
+	if c.Provider == ProviderOAuth && c.OAuth != nil {
+		return c.OAuth.DisplayName
+	}
+	return ""
+}

internal/model/context_test.go

@@ -0,0 +1,276 @@
+package model_test
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+func TestContext(t *testing.T) {
+	newGinCtx := func(value any, set bool) *gin.Context {
+		c, _ := gin.CreateTestContext(httptest.NewRecorder())
+		if set {
+			c.Set("context", value)
+		}
+		return c
+	}
+
+	tests := []struct {
+		description string
+		context     *model.UserContext
+		run         func(*testing.T, *model.UserContext) any
+		expected    any
+	}{
+		{
+			description: "IsAuthenticated reflects Authenticated field",
+			context:     &model.UserContext{Authenticated: true},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsAuthenticated() },
+			expected:    true,
+		},
+		{
+			description: "IsLocal returns true for ProviderLocal",
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLocal() },
+			expected:    true,
+		},
+		{
+			description: "IsOAuth returns true for ProviderOAuth",
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsOAuth() },
+			expected:    true,
+		},
+		{
+			description: "IsLDAP returns true for ProviderLDAP",
+			context:     &model.UserContext{Provider: model.ProviderLDAP, LDAP: &model.LDAPContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLDAP() },
+			expected:    true,
+		},
+		{
+			description: "IsBasicAuth returns true for ProviderBasicAuth",
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth, Local: &model.LocalContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsBasicAuth() },
+			expected:    true,
+		},
+		{
+			description: "NewFromSession local session is authenticated and ProviderLocal",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				got, err := c.NewFromSession(&repository.Session{
+					Username: "alice", Email: "alice@example.com", Name: "Alice",
+					Provider: "local",
+				})
+				require.NoError(t, err)
+				return [2]any{got.Provider, got.Authenticated}
+			},
+			expected: [2]any{model.ProviderLocal, true},
+		},
+		{
+			description: "NewFromSession local session with TotpPending is not authenticated",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				got, err := c.NewFromSession(&repository.Session{
+					Username: "bob", Provider: "local", TotpPending: true,
+				})
+				require.NoError(t, err)
+				return got.Authenticated
+			},
+			expected: false,
+		},
+		{
+			description: "NewFromSession ldap session is ProviderLDAP",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				got, err := c.NewFromSession(&repository.Session{
+					Username: "carol", Provider: "ldap",
+				})
+				require.NoError(t, err)
+				return got.Provider
+			},
+			expected: model.ProviderLDAP,
+		},
+		{
+			description: "NewFromSession unknown provider defaults to OAuth and populates oauth fields",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				got, err := c.NewFromSession(&repository.Session{
+					Username: "dave", Provider: "github",
+					OAuthGroups: "devs,admins", OAuthSub: "sub-123", OAuthName: "GitHub",
+				})
+				require.NoError(t, err)
+				return [5]any{got.Provider, got.OAuth.ID, got.OAuth.Sub, got.OAuth.DisplayName, got.OAuth.Groups}
+			},
+			expected: [5]any{model.ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
+		},
+		{
+			description: "Local getters return BaseContext fields",
+			context: &model.UserContext{
+				Provider: model.ProviderLocal,
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
+			},
+			run: func(t *testing.T, c *model.UserContext) any {
+				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
+			},
+			expected: [3]string{"alice", "alice@example.com", "Alice"},
+		},
+		{
+			description: "BasicAuth getters fall back to local fields",
+			context: &model.UserContext{
+				Provider: model.ProviderBasicAuth,
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
+			},
+			run: func(t *testing.T, c *model.UserContext) any {
+				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
+			},
+			expected: [3]string{"bob", "bob@example.com", "Bob"},
+		},
+		{
+			description: "LDAP getters return LDAP fields",
+			context: &model.UserContext{
+				Provider: model.ProviderLDAP,
+				LDAP:     &model.LDAPContext{BaseContext: model.BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
+			},
+			run: func(t *testing.T, c *model.UserContext) any {
+				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
+			},
+			expected: [3]string{"carol", "carol@example.com", "Carol"},
+		},
+		{
+			description: "OAuth getters return OAuth fields",
+			context: &model.UserContext{
+				Provider: model.ProviderOAuth,
+				OAuth:    &model.OAuthContext{BaseContext: model.BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
+			},
+			run: func(t *testing.T, c *model.UserContext) any {
+				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
+			},
+			expected: [3]string{"dave", "dave@example.com", "Dave"},
+		},
+		{
+			description: "ProviderName returns 'local' for ProviderLocal",
+			context:     &model.UserContext{Provider: model.ProviderLocal},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			expected:    "local",
+		},
+		{
+			description: "ProviderName returns 'local' for ProviderBasicAuth",
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			expected:    "local",
+		},
+		{
+			description: "ProviderName returns 'ldap' for ProviderLDAP",
+			context:     &model.UserContext{Provider: model.ProviderLDAP},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			expected:    "ldap",
+		},
+		{
+			description: "ProviderName returns OAuth provider ID for ProviderOAuth",
+			context: &model.UserContext{
+				Provider: model.ProviderOAuth,
+				OAuth:    &model.OAuthContext{ID: "github"},
+			},
+			run:      func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
+			expected: "github",
+		},
+		{
+			description: "TOTPPending returns true when local context is pending",
+			context: &model.UserContext{
+				Provider: model.ProviderLocal,
+				Local:    &model.LocalContext{TOTPPending: true},
+			},
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			expected: true,
+		},
+		{
+			description: "TOTPPending returns false when local context is not pending",
+			context: &model.UserContext{
+				Provider: model.ProviderLocal,
+				Local:    &model.LocalContext{TOTPPending: false},
+			},
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			expected: false,
+		},
+		{
+			description: "TOTPPending returns false for non-local providers",
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
+			expected:    false,
+		},
+		{
+			description: "OAuthName returns DisplayName for ProviderOAuth",
+			context: &model.UserContext{
+				Provider: model.ProviderOAuth,
+				OAuth:    &model.OAuthContext{DisplayName: "Google"},
+			},
+			run:      func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
+			expected: "Google",
+		},
+		{
+			description: "OAuthName returns empty string for non-oauth providers",
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
+			run:         func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
+			expected:    "",
+		},
+		{
+			description: "NewFromGin populates context from gin value",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				stored := &model.UserContext{
+					Authenticated: true,
+					Provider:      model.ProviderLocal,
+					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "alice"}},
+				}
+				got, err := c.NewFromGin(newGinCtx(stored, true))
+				require.NoError(t, err)
+				return [2]any{got.Authenticated, got.GetUsername()}
+			},
+			expected: [2]any{true, "alice"},
+		},
+		{
+			description: "NewFromGin returns error when context value is missing",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				_, err := c.NewFromGin(newGinCtx(nil, false))
+				return err.Error()
+			},
+			expected: model.ErrUserContextNotFound.Error(),
+		},
+		{
+			description: "NewFromGin returns error when context value has wrong type",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				_, err := c.NewFromGin(newGinCtx("not a user context", true))
+				return err.Error()
+			},
+			expected: "invalid user context type",
+		},
+		{
+			description: "NewFromGin returns an error when context doesn't include user information",
+			context:     &model.UserContext{},
+			run: func(t *testing.T, c *model.UserContext) any {
+				_, err := c.NewFromGin(newGinCtx(&model.UserContext{Provider: model.ProviderLocal}, true))
+				return err.Error()
+			},
+			expected: "incomplete user context",
+		},
+		{
+			description: "Getters should not panic if provider context is empty",
+			context:     &model.UserContext{Provider: model.ProviderLocal},
+			run: func(t *testing.T, c *model.UserContext) any {
+				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
+			},
+			expected: [3]string{"", "", ""},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			assert.Equal(t, test.expected, test.run(t, test.context))
+		})
+	}
+}

internal/model/runtime.go

@@ -0,0 +1,22 @@
+package model
+
+type RuntimeConfig struct {
+	AppURL                 string
+	UUID                   string
+	CookieDomain           string
+	SessionCookieName      string
+	CSRFCookieName         string
+	RedirectCookieName     string
+	OAuthSessionCookieName string
+	LocalUsers             []LocalUser
+	OAuthProviders         map[string]OAuthServiceConfig
+	OAuthWhitelist         []string
+	ConfiguredProviders    []Provider
+	OIDCClients            []OIDCClientConfig
+}
+
+type Provider struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	OAuth bool   `json:"oauth"`
+}

internal/model/users.go

@@ -0,0 +1,26 @@
+package model
+
+type UserSearchType int
+
+const (
+	UserLocal UserSearchType = iota
+	UserLDAP
+)
+
+type LDAPUser struct {
+	DN     string
+	Groups []string
+}
+
+type LocalUser struct {
+	Username   string
+	Password   string
+	TOTPSecret string
+	Attributes UserAttributes
+}
+
+type UserSearch struct {
+	Username string
+	Email    string // used for LDAP, we can't throw it to LDAPUser because it would need another cache or an LDAP lookup every time
+	Type     UserSearchType
+}

internal/model/version.go

@@ -0,0 +1,5 @@
+package model
+
+var Version = "development"
+var CommitHash = "development"
+var BuildTimestamp = "0000-00-00T00:00:00Z"

internal/repository/memory/memory_test.go

@@ -0,0 +1,472 @@
+package memory_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+)
+
+var ctx = context.Background()
+
+func TestMemoryStore(t *testing.T) {
+	type testCase struct {
+		description string
+		run         func(t *testing.T, s repository.Store)
+	}
+
+	tests := []testCase{
+		{
+			description: "Create and get session",
+			run: func(t *testing.T, s repository.Store) {
+				sess, err := s.CreateSession(ctx, repository.CreateSessionParams{
+					UUID:     "uuid-1",
+					Username: "alice",
+					Expiry:   9999,
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "uuid-1", sess.UUID)
+				assert.Equal(t, "alice", sess.Username)
+
+				got, err := s.GetSession(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, sess, got)
+			},
+		},
+		{
+			description: "Get session not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetSession(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Update session",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1", Username: "alice"})
+				require.NoError(t, err)
+
+				updated, err := s.UpdateSession(ctx, repository.UpdateSessionParams{
+					UUID:     "uuid-1",
+					Username: "bob",
+					Email:    "bob@example.com",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "bob", updated.Username)
+				assert.Equal(t, "bob@example.com", updated.Email)
+
+				got, err := s.GetSession(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, updated, got)
+			},
+		},
+		{
+			description: "Update session not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.UpdateSession(ctx, repository.UpdateSessionParams{UUID: "missing"})
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete session",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteSession(ctx, "uuid-1"))
+
+				_, err = s.GetSession(ctx, "uuid-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete expired sessions",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "expired", Expiry: 10})
+				require.NoError(t, err)
+				_, err = s.CreateSession(ctx, repository.CreateSessionParams{UUID: "valid", Expiry: 100})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteExpiredSessions(ctx, 50))
+
+				_, err = s.GetSession(ctx, "expired")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+
+				_, err = s.GetSession(ctx, "valid")
+				assert.NoError(t, err)
+			},
+		},
+		{
+			description: "Create and get OIDC code",
+			run: func(t *testing.T, s repository.Store) {
+				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
+					Sub:      "sub-1",
+					CodeHash: "hash-1",
+					Scope:    "openid",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", code.Sub)
+
+				// destructive read removes the record
+				got, err := s.GetOidcCode(ctx, "hash-1")
+				require.NoError(t, err)
+				assert.Equal(t, code, got)
+
+				_, err = s.GetOidcCode(ctx, "hash-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC code not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcCode(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC code by sub",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", got.Sub)
+
+				// destructive — gone after read
+				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC code by sub not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcCodeBySub(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC code unsafe",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", got.Sub)
+
+				// non-destructive — still present
+				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
+				assert.NoError(t, err)
+			},
+		},
+		{
+			description: "Get OIDC code unsafe not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC code by sub unsafe",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
+				require.NoError(t, err)
+				assert.Equal(t, "hash-1", got.CodeHash)
+
+				// non-destructive — still present
+				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
+				assert.NoError(t, err)
+			},
+		},
+		{
+			description: "Get OIDC code by sub unsafe not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Create OIDC code unique sub constraint",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
+				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
+			},
+		},
+		{
+			description: "Delete OIDC code",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
+
+				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC code by sub",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
+
+				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete expired OIDC codes",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
+				require.NoError(t, err)
+				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
+				require.NoError(t, err)
+
+				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
+				require.NoError(t, err)
+				require.Len(t, deleted, 1)
+				assert.Equal(t, "hash-1", deleted[0].CodeHash)
+
+				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
+				assert.NoError(t, err)
+			},
+		},
+		{
+			description: "Create and get OIDC token",
+			run: func(t *testing.T, s repository.Store) {
+				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub:             "sub-1",
+					AccessTokenHash: "at-hash-1",
+					CodeHash:        "code-hash-1",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", tok.Sub)
+
+				got, err := s.GetOidcToken(ctx, "at-hash-1")
+				require.NoError(t, err)
+				assert.Equal(t, tok, got)
+			},
+		},
+		{
+			description: "Get OIDC token not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcToken(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Create OIDC token unique sub constraint",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
+				require.NoError(t, err)
+
+				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
+				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
+			},
+		},
+		{
+			description: "Get OIDC token by refresh token",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub:              "sub-1",
+					AccessTokenHash:  "at-1",
+					RefreshTokenHash: "rt-1",
+				})
+				require.NoError(t, err)
+
+				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", got.Sub)
+			},
+		},
+		{
+			description: "Get OIDC token by refresh token not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Get OIDC token by sub",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub:             "sub-1",
+					AccessTokenHash: "at-1",
+				})
+				require.NoError(t, err)
+
+				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
+				require.NoError(t, err)
+				assert.Equal(t, "at-1", got.AccessTokenHash)
+			},
+		},
+		{
+			description: "Get OIDC token by sub not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcTokenBySub(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Update OIDC token by refresh token",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub:              "sub-1",
+					AccessTokenHash:  "at-1",
+					RefreshTokenHash: "rt-1",
+				})
+				require.NoError(t, err)
+
+				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
+					RefreshTokenHash_2:    "rt-1",
+					AccessTokenHash:       "at-2",
+					RefreshTokenHash:      "rt-2",
+					TokenExpiresAt:        200,
+					RefreshTokenExpiresAt: 400,
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "at-2", updated.AccessTokenHash)
+				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
+
+				// old key gone, new key present
+				_, err = s.GetOidcToken(ctx, "at-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+
+				got, err := s.GetOidcToken(ctx, "at-2")
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", got.Sub)
+			},
+		},
+		{
+			description: "Update OIDC token by refresh token not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
+					RefreshTokenHash_2: "missing",
+				})
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC token",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
+
+				_, err = s.GetOidcToken(ctx, "at-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC token by sub",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
+
+				_, err = s.GetOidcToken(ctx, "at-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC token by code hash",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub:             "sub-1",
+					AccessTokenHash: "at-1",
+					CodeHash:        "code-1",
+				})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
+
+				_, err = s.GetOidcToken(ctx, "at-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete expired OIDC tokens",
+			run: func(t *testing.T, s repository.Store) {
+				// both expiries past
+				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub: "sub-1", AccessTokenHash: "at-1",
+					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
+				})
+				require.NoError(t, err)
+				// valid
+				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
+					Sub: "sub-3", AccessTokenHash: "at-3",
+					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
+				})
+				require.NoError(t, err)
+
+				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+					TokenExpiresAt:        50,
+					RefreshTokenExpiresAt: 50,
+				})
+				require.NoError(t, err)
+				assert.Len(t, deleted, 1)
+
+				_, err = s.GetOidcToken(ctx, "at-3")
+				assert.NoError(t, err)
+			},
+		},
+		{
+			description: "Create and get OIDC user info",
+			run: func(t *testing.T, s repository.Store) {
+				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
+					Sub:   "sub-1",
+					Name:  "Alice",
+					Email: "alice@example.com",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "sub-1", u.Sub)
+
+				got, err := s.GetOidcUserInfo(ctx, "sub-1")
+				require.NoError(t, err)
+				assert.Equal(t, u, got)
+			},
+		},
+		{
+			description: "Get OIDC user info not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOidcUserInfo(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC user info",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
+
+				_, err = s.GetOidcUserInfo(ctx, "sub-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			s := memory.New()
+			test.run(t, s)
+		})
+	}
+}

internal/repository/memory/oidc_queries.go

@@ -0,0 +1,241 @@
+package memory
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	// Enforce sub UNIQUE constraint
+	for _, c := range s.oidcCodes {
+		if c.Sub == arg.Sub {
+			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
+		}
+	}
+	code := repository.OidcCode(arg)
+	s.oidcCodes[arg.CodeHash] = code
+	return code, nil
+}
+
+// GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
+func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	c, ok := s.oidcCodes[codeHash]
+	if !ok {
+		return repository.OidcCode{}, repository.ErrNotFound
+	}
+	delete(s.oidcCodes, codeHash)
+	return c, nil
+}
+
+// GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
+func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, c := range s.oidcCodes {
+		if c.Sub == sub {
+			delete(s.oidcCodes, k)
+			return c, nil
+		}
+	}
+	return repository.OidcCode{}, repository.ErrNotFound
+}
+
+// GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
+func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	c, ok := s.oidcCodes[codeHash]
+	if !ok {
+		return repository.OidcCode{}, repository.ErrNotFound
+	}
+	return c, nil
+}
+
+// GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
+func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	for _, c := range s.oidcCodes {
+		if c.Sub == sub {
+			return c, nil
+		}
+	}
+	return repository.OidcCode{}, repository.ErrNotFound
+}
+
+func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcCodes, codeHash)
+	return nil
+}
+
+func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, c := range s.oidcCodes {
+		if c.Sub == sub {
+			delete(s.oidcCodes, k)
+		}
+	}
+	return nil
+}
+
+func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var deleted []repository.OidcCode
+	for k, c := range s.oidcCodes {
+		if c.ExpiresAt < expiresAt {
+			deleted = append(deleted, c)
+			delete(s.oidcCodes, k)
+		}
+	}
+	return deleted, nil
+}
+
+func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	// Enforce sub UNIQUE constraint
+	for _, t := range s.oidcTokens {
+		if t.Sub == arg.Sub {
+			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
+		}
+	}
+	tok := repository.OidcToken{
+		Sub:                   arg.Sub,
+		AccessTokenHash:       arg.AccessTokenHash,
+		RefreshTokenHash:      arg.RefreshTokenHash,
+		CodeHash:              arg.CodeHash,
+		Scope:                 arg.Scope,
+		ClientID:              arg.ClientID,
+		TokenExpiresAt:        arg.TokenExpiresAt,
+		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
+		Nonce:                 arg.Nonce,
+	}
+	s.oidcTokens[arg.AccessTokenHash] = tok
+	return tok, nil
+}
+
+func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	t, ok := s.oidcTokens[accessTokenHash]
+	if !ok {
+		return repository.OidcToken{}, repository.ErrNotFound
+	}
+	return t, nil
+}
+
+func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	for _, t := range s.oidcTokens {
+		if t.RefreshTokenHash == refreshTokenHash {
+			return t, nil
+		}
+	}
+	return repository.OidcToken{}, repository.ErrNotFound
+}
+
+func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	for _, t := range s.oidcTokens {
+		if t.Sub == sub {
+			return t, nil
+		}
+	}
+	return repository.OidcToken{}, repository.ErrNotFound
+}
+
+func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, t := range s.oidcTokens {
+		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
+			delete(s.oidcTokens, k)
+			t.AccessTokenHash = arg.AccessTokenHash
+			t.RefreshTokenHash = arg.RefreshTokenHash
+			t.TokenExpiresAt = arg.TokenExpiresAt
+			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
+			s.oidcTokens[arg.AccessTokenHash] = t
+			return t, nil
+		}
+	}
+	return repository.OidcToken{}, repository.ErrNotFound
+}
+
+func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcTokens, accessTokenHash)
+	return nil
+}
+
+func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, t := range s.oidcTokens {
+		if t.Sub == sub {
+			delete(s.oidcTokens, k)
+		}
+	}
+	return nil
+}
+
+func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, t := range s.oidcTokens {
+		if t.CodeHash == codeHash {
+			delete(s.oidcTokens, k)
+		}
+	}
+	return nil
+}
+
+func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var deleted []repository.OidcToken
+	for k, t := range s.oidcTokens {
+		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
+			deleted = append(deleted, t)
+			delete(s.oidcTokens, k)
+		}
+	}
+	return deleted, nil
+}
+
+func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	u := repository.OidcUserinfo(arg)
+	s.oidcUsers[arg.Sub] = u
+	return u, nil
+}
+
+func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	u, ok := s.oidcUsers[sub]
+	if !ok {
+		return repository.OidcUserinfo{}, repository.ErrNotFound
+	}
+	return u, nil
+}
+
+func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcUsers, sub)
+	return nil
+}

internal/repository/memory/session_queries.go

@@ -0,0 +1,63 @@
+package memory
+
+import (
+	"context"
+
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+func (s *Store) CreateSession(_ context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	sess := repository.Session(arg)
+	s.sessions[arg.UUID] = sess
+	return sess, nil
+}
+
+func (s *Store) GetSession(_ context.Context, uuid string) (repository.Session, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	sess, ok := s.sessions[uuid]
+	if !ok {
+		return repository.Session{}, repository.ErrNotFound
+	}
+	return sess, nil
+}
+
+func (s *Store) UpdateSession(_ context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	sess, ok := s.sessions[arg.UUID]
+	if !ok {
+		return repository.Session{}, repository.ErrNotFound
+	}
+	sess.Username = arg.Username
+	sess.Email = arg.Email
+	sess.Name = arg.Name
+	sess.Provider = arg.Provider
+	sess.TotpPending = arg.TotpPending
+	sess.OAuthGroups = arg.OAuthGroups
+	sess.Expiry = arg.Expiry
+	sess.OAuthName = arg.OAuthName
+	sess.OAuthSub = arg.OAuthSub
+	s.sessions[arg.UUID] = sess
+	return sess, nil
+}
+
+func (s *Store) DeleteSession(_ context.Context, uuid string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.sessions, uuid)
+	return nil
+}
+
+func (s *Store) DeleteExpiredSessions(_ context.Context, expiry int64) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for k, v := range s.sessions {
+		if v.Expiry < expiry {
+			delete(s.sessions, k)
+		}
+	}
+	return nil
+}

internal/repository/memory/store.go

@@ -0,0 +1,27 @@
+// Package memory provides an in-memory implementation of repository.Store for use in tests.
+package memory
+
+import (
+	"sync"
+
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+// Store is a thread-safe in-memory implementation of repository.Store.
+type Store struct {
+	mu         sync.RWMutex
+	sessions   map[string]repository.Session
+	oidcCodes  map[string]repository.OidcCode
+	oidcTokens map[string]repository.OidcToken
+	oidcUsers  map[string]repository.OidcUserinfo
+}
+
+// New returns a new empty in-memory Store.
+func New() repository.Store {
+	return &Store{
+		sessions:   make(map[string]repository.Session),
+		oidcCodes:  make(map[string]repository.OidcCode),
+		oidcTokens: make(map[string]repository.OidcToken),
+		oidcUsers:  make(map[string]repository.OidcUserinfo),
+	}
+}

internal/repository/models.go

@@ -1,9 +1,22 @@
-// Code generated by sqlc. DO NOT EDIT.
-// versions:
-//   sqlc v1.30.0
-
 package repository
 
+// Shared model and parameter types for all storage drivers.
+// sqlc-generated driver packages use these via the conversion layer in their store.go.
+
+type Session struct {
+	UUID        string
+	Username    string
+	Email       string
+	Name        string
+	Provider    string
+	TotpPending bool
+	OAuthGroups string
+	Expiry      int64
+	CreatedAt   int64
+	OAuthName   string
+	OAuthSub    string
+}
+
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
@@ -49,7 +62,7 @@ type OidcUserinfo struct {
 	Address           string
 }
 
-type Session struct {
+type CreateSessionParams struct {
 	UUID        string
 	Username    string
 	Email       string
@@ -62,3 +75,74 @@ type Session struct {
 	OAuthName   string
 	OAuthSub    string
 }
+
+type UpdateSessionParams struct {
+	Username    string
+	Email       string
+	Name        string
+	Provider    string
+	TotpPending bool
+	OAuthGroups string
+	Expiry      int64
+	OAuthName   string
+	OAuthSub    string
+	UUID        string
+}
+
+type CreateOidcCodeParams struct {
+	Sub           string
+	CodeHash      string
+	Scope         string
+	RedirectURI   string
+	ClientID      string
+	ExpiresAt     int64
+	Nonce         string
+	CodeChallenge string
+}
+
+type CreateOidcTokenParams struct {
+	Sub                   string
+	AccessTokenHash       string
+	RefreshTokenHash      string
+	Scope                 string
+	ClientID              string
+	TokenExpiresAt        int64
+	RefreshTokenExpiresAt int64
+	CodeHash              string
+	Nonce                 string
+}
+
+type UpdateOidcTokenByRefreshTokenParams struct {
+	AccessTokenHash       string
+	RefreshTokenHash      string
+	TokenExpiresAt        int64
+	RefreshTokenExpiresAt int64
+	RefreshTokenHash_2    string
+}
+
+type DeleteExpiredOidcTokensParams struct {
+	TokenExpiresAt        int64
+	RefreshTokenExpiresAt int64
+}
+
+type CreateOidcUserInfoParams struct {
+	Sub               string
+	Name              string
+	PreferredUsername string
+	Email             string
+	Groups            string
+	UpdatedAt         int64
+	GivenName         string
+	FamilyName        string
+	MiddleName        string
+	Nickname          string
+	Profile           string
+	Picture           string
+	Website           string
+	Gender            string
+	Birthdate         string
+	Zoneinfo          string
+	Locale            string
+	PhoneNumber       string
+	Address           string
+}

internal/repository/sqlite/db.go

@@ -1,8 +1,8 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
 
-package repository
+package sqlite
 
 import (
 	"context"

internal/repository/sqlite/generate.go

@@ -0,0 +1,3 @@
+package sqlite
+
+//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite

internal/repository/sqlite/models.go

@@ -0,0 +1,64 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.31.1
+
+package sqlite
+
+type OidcCode struct {
+	Sub           string
+	CodeHash      string
+	Scope         string
+	RedirectURI   string
+	ClientID      string
+	ExpiresAt     int64
+	Nonce         string
+	CodeChallenge string
+}
+
+type OidcToken struct {
+	Sub                   string
+	AccessTokenHash       string
+	RefreshTokenHash      string
+	CodeHash              string
+	Scope                 string
+	ClientID              string
+	TokenExpiresAt        int64
+	RefreshTokenExpiresAt int64
+	Nonce                 string
+}
+
+type OidcUserinfo struct {
+	Sub               string
+	Name              string
+	PreferredUsername string
+	Email             string
+	Groups            string
+	UpdatedAt         int64
+	GivenName         string
+	FamilyName        string
+	MiddleName        string
+	Nickname          string
+	Profile           string
+	Picture           string
+	Website           string
+	Gender            string
+	Birthdate         string
+	Zoneinfo          string
+	Locale            string
+	PhoneNumber       string
+	Address           string
+}
+
+type Session struct {
+	UUID        string
+	Username    string
+	Email       string
+	Name        string
+	Provider    string
+	TotpPending bool
+	OAuthGroups string
+	Expiry      int64
+	CreatedAt   int64
+	OAuthName   string
+	OAuthSub    string
+}

internal/repository/sqlite/oidc_queries.sql.go

@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
 // source: oidc_queries.sql
 
-package repository
+package sqlite
 
 import (
 	"context"

internal/repository/sqlite/session_queries.sql.go

@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
 // source: session_queries.sql
 
-package repository
+package sqlite
 
 import (
 	"context"

internal/repository/sqlite/store.go

@@ -0,0 +1,209 @@
+// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
+package sqlite
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+// Store wraps *Queries and implements repository.Store.
+type Store struct {
+	q *Queries
+}
+
+// NewStore wraps a *Queries to satisfy repository.Store.
+func NewStore(q *Queries) repository.Store {
+	return &Store{q: q}
+}
+
+var errorMap = map[error]error{
+	sql.ErrNoRows: repository.ErrNotFound,
+}
+
+func mapErr(err error) error {
+	for from, to := range errorMap {
+		if errors.Is(err, from) {
+			return to
+		}
+	}
+	return err
+}
+
+func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
+	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
+	if err != nil {
+		return repository.OidcCode{}, mapErr(err)
+	}
+	return repository.OidcCode(r), nil
+}
+
+func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
+	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
+	if err != nil {
+		return repository.OidcToken{}, mapErr(err)
+	}
+	return repository.OidcToken(r), nil
+}
+
+func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
+	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
+	if err != nil {
+		return repository.OidcUserinfo{}, mapErr(err)
+	}
+	return repository.OidcUserinfo(r), nil
+}
+
+func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
+	r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
+	if err != nil {
+		return repository.Session{}, mapErr(err)
+	}
+	return repository.Session(r), nil
+}
+
+func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
+	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
+	if err != nil {
+		return nil, mapErr(err)
+	}
+	out := make([]repository.OidcCode, len(rows))
+	for i, row := range rows {
+		out[i] = repository.OidcCode(row)
+	}
+	return out, nil
+}
+
+func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
+	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
+	if err != nil {
+		return nil, mapErr(err)
+	}
+	out := make([]repository.OidcToken, len(rows))
+	for i, row := range rows {
+		out[i] = repository.OidcToken(row)
+	}
+	return out, nil
+}
+
+func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
+	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
+}
+
+func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
+	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
+}
+
+func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
+	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
+}
+
+func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
+	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
+}
+
+func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
+	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
+}
+
+func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
+	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
+}
+
+func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
+	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
+}
+
+func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteSession(ctx, uuid))
+}
+
+func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+	r, err := s.q.GetOidcCode(ctx, codeHash)
+	if err != nil {
+		return repository.OidcCode{}, mapErr(err)
+	}
+	return repository.OidcCode(r), nil
+}
+
+func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
+	r, err := s.q.GetOidcCodeBySub(ctx, sub)
+	if err != nil {
+		return repository.OidcCode{}, mapErr(err)
+	}
+	return repository.OidcCode(r), nil
+}
+
+func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
+	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
+	if err != nil {
+		return repository.OidcCode{}, mapErr(err)
+	}
+	return repository.OidcCode(r), nil
+}
+
+func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
+	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
+	if err != nil {
+		return repository.OidcCode{}, mapErr(err)
+	}
+	return repository.OidcCode(r), nil
+}
+
+func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
+	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
+	if err != nil {
+		return repository.OidcToken{}, mapErr(err)
+	}
+	return repository.OidcToken(r), nil
+}
+
+func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
+	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
+	if err != nil {
+		return repository.OidcToken{}, mapErr(err)
+	}
+	return repository.OidcToken(r), nil
+}
+
+func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
+	r, err := s.q.GetOidcTokenBySub(ctx, sub)
+	if err != nil {
+		return repository.OidcToken{}, mapErr(err)
+	}
+	return repository.OidcToken(r), nil
+}
+
+func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
+	r, err := s.q.GetOidcUserInfo(ctx, sub)
+	if err != nil {
+		return repository.OidcUserinfo{}, mapErr(err)
+	}
+	return repository.OidcUserinfo(r), nil
+}
+
+func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
+	r, err := s.q.GetSession(ctx, uuid)
+	if err != nil {
+		return repository.Session{}, mapErr(err)
+	}
+	return repository.Session(r), nil
+}
+
+func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
+	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
+	if err != nil {
+		return repository.OidcToken{}, mapErr(err)
+	}
+	return repository.OidcToken(r), nil
+}
+
+func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
+	r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
+	if err != nil {
+		return repository.Session{}, mapErr(err)
+	}
+	return repository.Session(r), nil
+}