New Crowdin updates (#674)

* New translations en.json (French)

* New translations en.json (Ukrainian)

CONTRIBUTING.md

@@ -1,24 +1,25 @@
 # Contributing
 
-Contributing is relatively easy, you just need to follow the steps below and you will be up and running with a development server in less than five minutes.
+Contributing to Tinyauth is straightforward. Follow the steps below to set up a development server.
 
 ## Requirements
 
 - Bun
-- Golang 1.24.0+
+- Golang v1.24.0 or later
 - Git
 - Docker
+- Make
 
-## Cloning the repository
+## Cloning the Repository
 
-You firstly need to clone the repository with:
+Start by cloning the repository:
 
 ```sh
 git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
 
-## Initialize submodules
+## Initialize Submodules
 
 The project uses Git submodules for some dependencies, so you need to initialize them with:
 
@@ -27,50 +28,58 @@ git submodule init
 git submodule update
 ```
 
-## Install requirements
+## Apply patches
 
-Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
+Some of the dependencies must be patched in order to work correctly with the project, you can apply the patches by running:
 
 ```sh
-go mod download
+git apply --directory paerser/ patches/nested_maps.diff
 ```
 
-You also need to download the frontend dependencies, this can be done like so:
+## Installing Requirements
+
+While development occurs within Docker, installing the requirements locally is recommended to avoid import errors. Install the Go dependencies:
+
+```sh
+go mod tidy
+```
+
+Frontend dependencies can be installed as follows:
 
 ```sh
 cd frontend/
 bun install
 ```
 
-## Apply patches
+## Create the `.env` file
 
-Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
+Configuration requires an environment file. Copy the `.env.example` file to `.env` and adjust the environment variables as needed.
 
-```sh
-git apply --directory paerser/ patches/nested_maps.diff
-```
+## Development Workflow
 
-## Create your `.env` file
-
-In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
-
-## Developing
-
-I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+The development workflow is designed to run entirely within Docker, ensuring compatibility with Traefik and eliminating the need for local builds. A recommended setup involves pointing a subdomain to the local machine:
 
 ```
 *.dev.example.com -> 127.0.0.1
 dev.example.com -> 127.0.0.1
 ```
 
-> [!TIP]
-> You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
+> [!NOTE]
+> A domain from [sslip.io](https://sslip.io) can be used if a custom domain is
+  unavailable. For example, set the Tinyauth domain to `tinyauth.127.0.0.1.sslip.io` and the whoami domain to `whoami.127.0.0.1.sslip.io`.
 
-Then you can just make sure the domains are correct in the development Docker compose file and run:
+Ensure the domains are correctly configured in the development Docker Compose file, then start the development environment:
 
 ```sh
-docker compose -f docker-compose.dev.yml up --build
+make dev
+```
+
+In case you need to build the binary locally, you can run:
+
+```sh
+make binary
 ```
 
 > [!NOTE]
-> I recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
+> Copying the example `docker-compose.dev.yml` file to `docker-compose.test.yml`
+  is recommended to prevent accidental commits of sensitive information. The make recipe will automatically use `docker-compose.test.yml` as well as `docker-compose.test.prod.yml` (for the `make prod` recipe) if it exists.

Dockerfile

@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.9-alpine AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder
 
 WORKDIR /frontend
 

Dockerfile.distroless

@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.9-alpine AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder
 
 WORKDIR /frontend
 

README.md

@@ -21,6 +21,9 @@ Tinyauth is a simple authentication middleware that adds a simple login screen o
 > [!WARNING]
 > Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.
 
+> [!NOTE]
+> This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
+
 ## Getting Started
 
 You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.

cmd/tinyauth/create_oidc_client.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/steveiliop56/tinyauth/internal/utils"
+	"github.com/traefik/paerser/cli"
+)
+
+func createOidcClientCmd() *cli.Command {
+	return &cli.Command{
+		Name:          "create",
+		Description:   "Create a new OIDC Client",
+		Configuration: nil,
+		Resources:     nil,
+		AllowArg:      true,
+		Run: func(args []string) error {
+			if len(args) == 0 {
+				return errors.New("client name is required. use tinyauth oidc create <name>")
+			}
+
+			clientName := args[0]
+
+			match, err := regexp.MatchString("^[a-zA-Z0-9-]*$", clientName)
+
+			if !match || err != nil {
+				return errors.New("client name can only contain alphanumeric characters and hyphens")
+			}
+
+			uuid := uuid.New()
+			clientId := uuid.String()
+			clientSecret := "ta-" + utils.GenerateString(61)
+
+			uclientName := strings.ToUpper(clientName)
+			lclientName := strings.ToLower(clientName)
+
+			builder := strings.Builder{}
+
+			// header
+			fmt.Fprintf(&builder, "Created credentials for client %s\n\n", clientName)
+
+			// credentials
+			fmt.Fprintf(&builder, "Client Name: %s\n", clientName)
+			fmt.Fprintf(&builder, "Client ID: %s\n", clientId)
+			fmt.Fprintf(&builder, "Client Secret: %s\n\n", clientSecret)
+
+			// env variables
+			fmt.Fprint(&builder, "Environment variables:\n\n")
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTID=%s\n", uclientName, clientId)
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_CLIENTSECRET=%s\n", uclientName, clientSecret)
+			fmt.Fprintf(&builder, "TINYAUTH_OIDC_CLIENTS_%s_NAME=%s\n\n", uclientName, utils.Capitalize(lclientName))
+
+			// cli flags
+			fmt.Fprint(&builder, "CLI flags:\n\n")
+			fmt.Fprintf(&builder, "--oidc.clients.%s.clientid=%s\n", lclientName, clientId)
+			fmt.Fprintf(&builder, "--oidc.clients.%s.clientsecret=%s\n", lclientName, clientSecret)
+			fmt.Fprintf(&builder, "--oidc.clients.%s.name=%s\n\n", lclientName, utils.Capitalize(lclientName))
+
+			// footer
+			fmt.Fprintln(&builder, "You can use either option to configure your OIDC client. Make sure to save these credentials as there is no way to regenerate them.")
+
+			// print
+			out := builder.String()
+			fmt.Print(out)
+			return nil
+		},
+	}
+}

cmd/tinyauth/tinyauth.go

@@ -23,7 +23,7 @@ func main() {
 
 	cmdTinyauth := &cli.Command{
 		Name:          "tinyauth",
-		Description:   "The simplest way to protect your apps with a login screen.",
+		Description:   "The simplest way to protect your apps with a login screen",
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
@@ -33,12 +33,17 @@ func main() {
 
 	cmdUser := &cli.Command{
 		Name:        "user",
-		Description: "Utilities for creating and verifying Tinyauth users.",
+		Description: "Manage Tinyauth users",
 	}
 
 	cmdTotp := &cli.Command{
 		Name:        "totp",
-		Description: "Utilities for creating Tinyauth TOTP users.",
+		Description: "Manage Tinyauth TOTP users",
+	}
+
+	cmdOidc := &cli.Command{
+		Name:        "oidc",
+		Description: "Manage Tinyauth OIDC clients",
 	}
 
 	err := cmdTinyauth.AddCommand(versionCmd())
@@ -71,6 +76,12 @@ func main() {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 
+	err = cmdOidc.AddCommand(createOidcClientCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add create command")
+	}
+
 	err = cmdTinyauth.AddCommand(cmdUser)
 
 	if err != nil {
@@ -83,6 +94,12 @@ func main() {
 		log.Fatal().Err(err).Msg("Failed to add totp command")
 	}
 
+	err = cmdTinyauth.AddCommand(cmdOidc)
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add oidc command")
+	}
+
 	err = cli.Execute(cmdTinyauth)
 
 	if err != nil {

cmd/tinyauth/verify_user.go

@@ -40,7 +40,7 @@ func verifyUserCmd() *cli.Command {
 
 	return &cli.Command{
 		Name:          "verify",
-		Description:   "Verify a user is set up correctly.",
+		Description:   "Verify a user is set up correctly",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {

cmd/tinyauth/version.go

@@ -11,7 +11,7 @@ import (
 func versionCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
-		Description:   "Print the version number of Tinyauth.",
+		Description:   "Print the version number of Tinyauth",
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {

frontend/bun.lock

@@ -36,7 +36,7 @@
       "devDependencies": {
         "@eslint/js": "^10.0.1",
         "@tanstack/eslint-plugin-query": "^5.91.4",
-        "@types/node": "^25.3.0",
+        "@types/node": "^25.3.2",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
         "@vitejs/plugin-react": "^5.1.4",
@@ -360,7 +360,7 @@
 
     "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
 
-    "@types/node": ["@types/node@25.3.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A=="],
+    "@types/node": ["@types/node@25.3.2", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-RpV6r/ij22zRRdyBPcxDeKAzH43phWVKEjL2iksqo1Vz3CuBUrgmPpPhALKiRfU7OMCmeeO9vECBMsV0hMTG8Q=="],
 
     "@types/react": ["@types/react@19.2.14", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w=="],
 

frontend/package.json

@@ -42,7 +42,7 @@
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@tanstack/eslint-plugin-query": "^5.91.4",
-    "@types/node": "^25.3.0",
+    "@types/node": "^25.3.2",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.4",

frontend/src/lib/i18n/locales/fr-FR.json

@@ -71,7 +71,7 @@
     "authorizeErrorClientInfo": "Une erreur est survenue lors du chargement des informations du client. Veuillez réessayer plus tard.",
     "authorizeErrorMissingParams": "Les paramètres suivants sont manquants : {{missingParams}}",
     "openidScopeName": "Connexion OpenID",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "Autorise l'application à accéder à vos informations \"OpenID Connect\".",
     "emailScopeName": "Email",
     "emailScopeDescription": "Autorise l'application à accéder à votre adresse e-mail.",
     "profileScopeName": "Profil",

frontend/src/lib/i18n/locales/sr-SP.json

@@ -14,17 +14,17 @@
     "loginOauthFailSubtitle": "Неуспело преузимање OAuth адресе",
     "loginOauthSuccessTitle": "Преусмеравање",
     "loginOauthSuccessSubtitle": "Преусмеравање на вашег OAuth провајдера",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectTitle": "OAuth аутоматско преусмерење",
+    "loginOauthAutoRedirectSubtitle": "Бићете аутоматски преусмерени на вашег OAuth провајдера за аутентификацију.",
+    "loginOauthAutoRedirectButton": "Преусмери сада",
     "continueTitle": "Настави",
     "continueRedirectingTitle": "Преусмеравање...",
     "continueRedirectingSubtitle": "Требали би сте ускоро да будете преусмерени на апликацију",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Преусмери ме ручно",
     "continueInsecureRedirectTitle": "Небезбедно преусмеравање",
     "continueInsecureRedirectSubtitle": "Покушавате да преусмерите са <code>https</code> на <code>http</code> што није безбедно. Да ли желите да наставите?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Неповерљиво преусмерење",
+    "continueUntrustedRedirectSubtitle": "Покушавате да преусмерите на домен који се не поклапа са вашим подешеним доменом (<code>{{cookieDomain}}</code>). Да ли заиста желите да наставите?",
     "logoutFailTitle": "Неуспешно одјављивање",
     "logoutFailSubtitle": "Молим вас покушајте поново",
     "logoutSuccessTitle": "Одјављени",
@@ -51,31 +51,31 @@
     "forgotPasswordTitle": "Заборавили сте лозинку?",
     "failedToFetchProvidersTitle": "Није успело учитавање провајдера аутентификације. Молим вас проверите ваша подешавања.",
     "errorTitle": "Појавила се грешка",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "Појавила се следећа грешка током обраде вашег захтева:",
     "errorSubtitle": "Појавила се грешка при покушају извршавања ове радње. Молим вас проверите конзолу за додатне информације.",
     "forgotPasswordMessage": "Можете поништити вашу лозинку променом `USERS` променљиве окружења.",
-    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input",
-    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain",
-    "authorizeTitle": "Authorize",
-    "authorizeCardTitle": "Continue to {{app}}?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-    "authorizeLoadingTitle": "Loading...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-    "authorizeSuccessTitle": "Authorized",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
-    "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-    "emailScopeName": "Email",
-    "emailScopeDescription": "Allows the app to access your email address.",
-    "profileScopeName": "Profile",
-    "profileScopeDescription": "Allows the app to access your profile information.",
-    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information."
+    "fieldRequired": "Ово поље је неопходно",
+    "invalidInput": "Неисправан унос",
+    "domainWarningTitle": "Неисправан домен",
+    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
+    "ignoreTitle": "Игнориши",
+    "goToCorrectDomainTitle": "Иди на исправан домен",
+    "authorizeTitle": "Ауторизуј",
+    "authorizeCardTitle": "Наставити на {{app}}?",
+    "authorizeSubtitle": "Да ли желите да наставите на ову апликацију? Пажљиво проверите дозволе које вам тражи апликација.",
+    "authorizeSubtitleOAuth": "Да ли желите да наставите на ову апликацију?",
+    "authorizeLoadingTitle": "Учитавање...",
+    "authorizeLoadingSubtitle": "Молим вас сачекајте док ми учитамо информације о клијенту.",
+    "authorizeSuccessTitle": "Ауторизован",
+    "authorizeSuccessSubtitle": "Бићете преусмерени на апликацију за неколико секунди.",
+    "authorizeErrorClientInfo": "Појавила се грешка током учитавања информација о клијенту. Молим вас покушајте поново касније.",
+    "authorizeErrorMissingParams": "Следећи параметри недостају: {{missingParams}}",
+    "openidScopeName": "OpenID повезивање",
+    "openidScopeDescription": "Омогућава апликацији да приступа информацији о вашој OpenID вези.",
+    "emailScopeName": "Е-пошта",
+    "emailScopeDescription": "Омогућава апликацији да приступа вашој адреси е-поште.",
+    "profileScopeName": "Профил",
+    "profileScopeDescription": "Омогућава апликацији да приступа информацијама о вашем профилу.",
+    "groupsScopeName": "Групе",
+    "groupsScopeDescription": "Омогућава апликацији да приступа информацијама о вашој групи."
 }

frontend/src/lib/i18n/locales/uk-UA.json

@@ -51,7 +51,7 @@
     "forgotPasswordTitle": "Забули пароль?",
     "failedToFetchProvidersTitle": "Не вдалося завантажити провайдерів автентифікації. Будь ласка, перевірте вашу конфігурацію.",
     "errorTitle": "Виникла помилка",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "Під час обробки запиту сталась помилка:",
     "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
     "forgotPasswordMessage": "Ви можете скинути пароль, змінивши змінну середовища \"USERS\".",
     "fieldRequired": "Це поле обов'язкове для заповнення",
@@ -60,22 +60,22 @@
     "domainWarningSubtitle": "Даний ресурс налаштований для доступу з <code>{{appUrl}}</code>, але використовується <code>{{currentUrl}}</code>. Якщо ви продовжите, можуть виникнути проблеми з автентифікацією.",
     "ignoreTitle": "Ігнорувати",
     "goToCorrectDomainTitle": "Перейти за коректним доменом",
-    "authorizeTitle": "Authorize",
-    "authorizeCardTitle": "Continue to {{app}}?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-    "authorizeLoadingTitle": "Loading...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-    "authorizeSuccessTitle": "Authorized",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "authorizeTitle": "Авторизуватись",
+    "authorizeCardTitle": "Перейти до {{app}}?",
+    "authorizeSubtitle": "Чи хочете ви продовжити роботу з цим додатком? Будь ласка, уважно перегляньте дозволи, які вимагає додаток.",
+    "authorizeSubtitleOAuth": "Бажаєте продовжити роботу з цим додатком?",
+    "authorizeLoadingTitle": "Завантаження...",
+    "authorizeLoadingSubtitle": "Будь ласка, зачекайте, поки ми завантажуємо клієнтську інформацію.",
+    "authorizeSuccessTitle": "Авторизовано",
+    "authorizeSuccessSubtitle": "Вас буде перенаправлено до програми за декілька секунд.",
+    "authorizeErrorClientInfo": "Під час завантаження даних клієнта сталася помилка. Будь ласка, спробуйте ще раз пізніше.",
+    "authorizeErrorMissingParams": "Відсутні наступні параметри: {{missingParams}}",
     "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-    "emailScopeName": "Email",
-    "emailScopeDescription": "Allows the app to access your email address.",
-    "profileScopeName": "Profile",
-    "profileScopeDescription": "Allows the app to access your profile information.",
-    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information."
+    "openidScopeDescription": "Дозволяє програмі отримувати доступ до вашої інформації OpenID Connect.",
+    "emailScopeName": "Електронна пошта",
+    "emailScopeDescription": "Дозволяє програмі отримувати доступ до вашої адреси електронної пошти.",
+    "profileScopeName": "Профіль",
+    "profileScopeDescription": "Дозволяє програмі отримувати доступ до інформації вашого профілю.",
+    "groupsScopeName": "Групи",
+    "groupsScopeDescription": "Дозволяє програмі отримувати доступ до інформації про групу."
 }

internal/controller/oidc_controller.go

@@ -1,7 +1,6 @@
 package controller
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
@@ -145,7 +144,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
 	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
-	code := rand.Text()
+	code := utils.GenerateString(32)
 
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)

internal/controller/well_known_controller.go

@@ -60,7 +60,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "groups"},
-		ServiceDocumentation:              "https://tinyauth.app/docs/reference/openid",
+		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }
 

internal/service/oidc_service.go

@@ -403,8 +403,8 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		return TokenResponse{}, err
 	}
 
-	accessToken := rand.Text()
-	refreshToken := rand.Text()
+	accessToken := utils.GenerateString(32)
+	refreshToken := utils.GenerateString(32)
 
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 
@@ -464,8 +464,8 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		return TokenResponse{}, err
 	}
 
-	accessToken := rand.Text()
-	newRefreshToken := rand.Text()
+	accessToken := utils.GenerateString(32)
+	newRefreshToken := utils.GenerateString(32)
 
 	tokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 	refrshTokenExpiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry*2) * time.Second).Unix()

internal/utils/security_utils.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"net"
@@ -105,3 +106,9 @@ func GenerateUUID(str string) string {
 	uuid := uuid.NewSHA1(uuid.NameSpaceURL, []byte(str))
 	return uuid.String()
 }
+
+func GenerateString(length int) string {
+	src := make([]byte, length)
+	rand.Read(src)
+	return base64.RawURLEncoding.EncodeToString(src)[:length]
+}