fix: fix gh codeql review

Co-authored-by: Claude <noreply@anthropic.com>

.env.example

@@ -206,8 +206,6 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
-# Path to the Bind password.
-TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.

frontend/src/lib/hooks/redirect-uri.ts

@@ -15,7 +15,7 @@ export const useRedirectUri = (
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
-  if (redirect_uri === undefined) {
+  if (!redirect_uri) {
     return {
       valid: isValid,
       trusted: isTrusted,

frontend/src/lib/hooks/screen-params.ts

@@ -6,7 +6,6 @@ type ScreenParams = {
   oidc_ticket?: string;
   oidc_scope?: string;
   oidc_name?: string;
-  oidc_show_consent?: boolean;
 };
 
 const zodScreenParams = z.object({
@@ -15,7 +14,6 @@ const zodScreenParams = z.object({
   oidc_ticket: z.string().optional(),
   oidc_scope: z.string().optional(),
   oidc_name: z.string().optional(),
-  oidc_show_consent: z.stringbool().optional(),
 });
 
 export function useScreenParams(params: URLSearchParams): ScreenParams {

frontend/src/pages/authorize-page.tsx

@@ -25,7 +25,6 @@ import {
   recompileScreenParams,
   useScreenParams,
 } from "@/lib/hooks/screen-params";
-import { useEffect } from "react";
 
 type Scope = {
   id: string;
@@ -91,54 +90,27 @@ export const AuthorizePage = () => {
   const isOidc = screenParams.login_for === "oidc";
   const compiledParams = recompileScreenParams(screenParams);
 
-  const { mutate: authorizeMutate, isPending: authorizeIsPending } =
-    useMutation({
-      mutationFn: () => {
-        return axios.post("/api/oidc/authorize-complete", {
-          ticket: screenParams.oidc_ticket,
-        });
-      },
-      mutationKey: ["authorize", screenParams.oidc_ticket],
-      onSuccess: (data) => {
-        toast.info(t("authorizeSuccessTitle"), {
-          description: t("authorizeSuccessSubtitle"),
-        });
-        window.location.replace(data.data.redirect_uri);
-      },
-      onError: (error) => {
-        window.location.replace(
-          `/error?error=${encodeURIComponent(error.message)}`,
-        );
-      },
-    });
+  const authorizeMutation = useMutation({
+    mutationFn: () => {
+      return axios.post("/api/oidc/authorize-complete", {
+        ticket: screenParams.oidc_ticket,
+      });
+    },
+    mutationKey: ["authorize", screenParams.oidc_ticket],
+    onSuccess: (data) => {
+      toast.info(t("authorizeSuccessTitle"), {
+        description: t("authorizeSuccessSubtitle"),
+      });
+      window.location.replace(data.data.redirect_uri);
+    },
+    onError: (error) => {
+      window.location.replace(
+        `/error?error=${encodeURIComponent(error.message)}`,
+      );
+    },
+  });
 
-  useEffect(() => {
-    if (
-      !isOidc ||
-      screenParams.oidc_ticket === undefined ||
-      screenParams.oidc_scope === undefined ||
-      !auth.authenticated
-    ) {
-      return;
-    }
-
-    if (screenParams.oidc_show_consent === false) {
-      authorizeMutate();
-    }
-  }, [
-    isOidc,
-    screenParams.oidc_ticket,
-    screenParams.oidc_scope,
-    screenParams.oidc_show_consent,
-    auth.authenticated,
-    authorizeMutate,
-  ]);
-
-  if (
-    !isOidc ||
-    screenParams.oidc_ticket === undefined ||
-    screenParams.oidc_scope === undefined
-  ) {
+  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
     return (
       <Navigate
         to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
@@ -154,19 +126,6 @@ export const AuthorizePage = () => {
   const scopes =
     screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
 
-  if (screenParams.oidc_show_consent === false) {
-    return (
-      <Card>
-        <CardHeader className="gap-1.5">
-          <CardTitle className="text-xl">Authorizing</CardTitle>
-          <CardDescription>
-            You will soon be redirected to your application...
-          </CardDescription>
-        </CardHeader>
-      </Card>
-    );
-  }
-
   return (
     <Card>
       <CardHeader className="mb-2">
@@ -208,12 +167,15 @@ export const AuthorizePage = () => {
         </CardContent>
       )}
       <CardFooter className="flex flex-col items-stretch gap-3">
-        <Button onClick={() => authorizeMutate()} loading={authorizeIsPending}>
+        <Button
+          onClick={() => authorizeMutation.mutate()}
+          loading={authorizeMutation.isPending}
+        >
           {t("authorizeTitle")}
         </Button>
         <Button
           onClick={() => navigate(`/logout${compiledParams}`)}
-          disabled={authorizeIsPending}
+          disabled={authorizeMutation.isPending}
           variant="outline"
         >
           {t("cancelTitle")}

frontend/src/pages/error-page.tsx

@@ -11,7 +11,7 @@ export const ErrorPage = () => {
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") ?? "";
+  const error = searchParams.get("error") || "";
 
   return (
     <Card>

frontend/src/pages/login-page.tsx

@@ -168,7 +168,8 @@ export const LoginPage = () => {
       !auth.authenticated &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
-      screenParams.login_for !== undefined
+      screenParams.redirect_uri &&
+      screenParams.login_for
     ) {
       hasAutoRedirectedRef.current = true;
       oauthMutate(oauth.autoRedirect);
@@ -180,6 +181,7 @@ export const LoginPage = () => {
     oauth.autoRedirect,
     isOauthAutoRedirect,
     screenParams.login_for,
+    screenParams.redirect_uri,
   ]);
 
   useEffect(() => {

gen/sqlc-wrapper/sqlc_wrapper.go

@@ -67,24 +67,15 @@ func run() error {
 		Overlay: map[string][]byte{outPath: stub},
 	}
 
-	repoPkgPath := parentPkg(*driverPkg)
-
-	pkgs, err := loadMultiplePkgs(cfg, *driverPkg, repoPkgPath)
-
+	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
 	if err != nil {
-		return fmt.Errorf("load packages: %w", err)
+		return fmt.Errorf("load driver package: %w", err)
 	}
 
-	driverTypePkg, ok := pkgs[*driverPkg]
-
-	if !ok {
-		return fmt.Errorf("driver package %s not found in loaded packages", *driverPkg)
-	}
-
-	repoTypePkg, ok := pkgs[repoPkgPath]
-
-	if !ok {
-		return fmt.Errorf("repository package %s not found in loaded packages", repoPkgPath)
+	repoPkgPath := parentPkg(*driverPkg)
+	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
+	if err != nil {
+		return fmt.Errorf("load repo package: %w", err)
 	}
 
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
@@ -115,25 +106,25 @@ func run() error {
 	return nil
 }
 
-// loadMultiplePkgs loads multiple packages via cfg and returns a map of import path → *types.Package,
-// or an error if any package fails to load or has type errors.
-func loadMultiplePkgs(cfg *packages.Config, importPaths ...string) (map[string]*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPaths...)
+// loadOnePkg loads a single package via cfg and returns its *types.Package,
+// or an error if the package fails to load or has type errors.
+func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
+	pkgs, err := packages.Load(cfg, importPath)
 	if err != nil {
-		return nil, fmt.Errorf("load %v: %w", importPaths, err)
+		return nil, fmt.Errorf("load %s: %w", importPath, err)
 	}
-	out := make(map[string]*types.Package)
-	for _, pkg := range pkgs {
-		if len(pkg.Errors) > 0 {
-			msgs := make([]string, len(pkg.Errors))
-			for i, e := range pkg.Errors {
-				msgs[i] = e.Error()
-			}
-			return nil, fmt.Errorf("package %s has errors:\n  %s", pkg.PkgPath, strings.Join(msgs, "\n  "))
+	if len(pkgs) != 1 {
+		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
+	}
+	pkg := pkgs[0]
+	if len(pkg.Errors) > 0 {
+		msgs := make([]string, len(pkg.Errors))
+		for i, e := range pkg.Errors {
+			msgs[i] = e.Error()
 		}
-		out[pkg.PkgPath] = pkg.Types
+		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
 	}
-	return out, nil
+	return pkg.Types, nil
 }
 
 // parentPkg returns the parent import path (everything before the last /).

go.mod

@@ -152,6 +152,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.uber.org/dig v1.19.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect

go.sum

@@ -485,6 +485,8 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+go.uber.org/dig v1.19.0 h1:BACLhebsYdpQ7IROQ1AGPjrXcP5dF80U3gKoFzbaq/4=
+go.uber.org/dig v1.19.0/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=

internal/assets/migrations/postgres/000003_oidc_consent.up.sql

@@ -1,7 +0,0 @@
-CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "client_id" TEXT NOT NULL,
-    "scopes" TEXT NOT NULL,
-    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

internal/assets/migrations/postgres/000003_oidc_consnet.down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS "oidc_consent";

internal/assets/migrations/sqlite/000011_oidc_consent.down.sql

@@ -1 +0,0 @@
-DROP TABLE IF EXISTS "oidc_consent";

internal/assets/migrations/sqlite/000011_oidc_consent.up.sql

@@ -1,7 +0,0 @@
-CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "client_id" TEXT NOT NULL,
-    "scopes" TEXT NOT NULL,
-    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

internal/bootstrap/app_bootstrap.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
+	"go.uber.org/dig"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -47,7 +48,6 @@ type Services struct {
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
-	helpers   model.RuntimeHelpers
 	services  Services
 	log       *logger.Logger
 	ctx       context.Context
@@ -57,6 +57,7 @@ type BootstrapApp struct {
 	db        *sql.DB
 	ding      *ding.Ding
 	listeners []Listener
+	dig       *dig.Container
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -71,7 +72,11 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
 
-	// Create a ding instance
+	// create the dig container
+	c := dig.New()
+	app.dig = c
+
+	// create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
 
@@ -186,8 +191,9 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
-	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)
 
 	// database
 	store, err := app.SetupStore()
@@ -211,6 +217,33 @@ func (app *BootstrapApp) Setup() error {
 	// store
 	app.queries = store
 
+	// provide basic utilities to container
+	type utilityProvider struct {
+		dig.Out
+
+		Log     *logger.Logger
+		Config  *model.Config
+		Runtime *model.RuntimeConfig
+		Ding    *ding.Ding
+		Ctx     context.Context
+		Queries repository.Store
+	}
+
+	err = app.dig.Provide(func() utilityProvider {
+		return utilityProvider{
+			Log:     app.log,
+			Config:  &app.config,
+			Runtime: &app.runtime,
+			Ding:    app.ding,
+			Ctx:     app.ctx,
+			Queries: app.queries,
+		}
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to provide utilities to container: %w", err)
+	}
+
 	// services
 	err = app.setupServices()
 
@@ -264,9 +297,6 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}
 
-	// runtime helpers
-	app.helpers.GetCookieDomain = app.getCookieDomain
-
 	// setup router
 	err = app.setupRouter()
 

internal/bootstrap/app_helpers.go

@@ -1,55 +0,0 @@
-package bootstrap
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/tinyauthapp/tinyauth/internal/utils"
-)
-
-// Not really the best place for the helpers to be but it works because bootstrap app provides
-// them with everything they need
-
-func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
-	cookieDomain := app.runtime.CookieDomain
-
-	if app.isTailscaleRequest(ctx, ip) {
-		if app.services.tailscaleService == nil {
-			return "", errors.New("tailscale service is not configured")
-		}
-
-		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
-
-		if err != nil {
-			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
-		}
-
-		cookieDomain = tsCookieDomain
-	}
-
-	if app.config.Auth.SubdomainsEnabled {
-		cookieDomain = "." + cookieDomain
-	}
-
-	return cookieDomain, nil
-}
-
-func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
-	if app.services.tailscaleService == nil {
-		return false
-	}
-
-	whois, err := app.services.tailscaleService.Whois(ctx, ip)
-
-	if err != nil {
-		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
-		return false
-	}
-
-	if whois == nil {
-		return false
-	}
-
-	return true
-}

internal/bootstrap/router_bootstrap.go

@@ -13,6 +13,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -40,31 +41,119 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}
 
-	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
-	engine.Use(contextMiddleware.Middleware())
-
-	uiMiddleware, err := middleware.NewUIMiddleware()
+	err := app.dig.Provide(middleware.NewContextMiddleware)
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize UI middleware: %w", err)
+		return fmt.Errorf("failed to provide context middleware: %w", err)
 	}
 
-	engine.Use(uiMiddleware.Middleware())
+	err = app.dig.Provide(middleware.NewUIMiddleware)
 
-	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
+	if err != nil {
+		return fmt.Errorf("failed to provide ui middleware: %w", err)
+	}
 
-	engine.Use(zerologMiddleware.Middleware())
+	err = app.dig.Provide(middleware.NewZerologMiddleware)
 
-	apiRouter := engine.Group("/api")
+	if err != nil {
+		return fmt.Errorf("failed to provide zerolog middleware: %w", err)
+	}
 
-	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, &app.helpers, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, &app.helpers, app.config, apiRouter, &engine.RouterGroup)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
-	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-	controller.NewResourcesController(app.config, &engine.RouterGroup)
-	controller.NewHealthController(apiRouter)
-	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
+	type middlewareInput struct {
+		dig.In
+
+		ContextMiddleware *middleware.ContextMiddleware
+		UIMiddleware      *middleware.UIMiddleware
+		ZerologMiddleware *middleware.ZerologMiddleware
+	}
+
+	err = app.dig.Invoke(func(mi middlewareInput) {
+		engine.Use(mi.ContextMiddleware.Middleware())
+		engine.Use(mi.UIMiddleware.Middleware())
+		engine.Use(mi.ZerologMiddleware.Middleware())
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to invoke middleware: %w", err)
+	}
+
+	err = app.dig.Provide(func() *gin.RouterGroup {
+		return &engine.RouterGroup
+	}, dig.Name("mainRouterGroup"))
+
+	if err != nil {
+		return fmt.Errorf("failed to provide main router group: %w", err)
+	}
+
+	err = app.dig.Provide(func() *gin.RouterGroup {
+		return engine.Group("/api")
+	}, dig.Name("apiRouterGroup"))
+
+	if err != nil {
+		return fmt.Errorf("failed to provide api router group: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewContextController)
+	if err != nil {
+		return fmt.Errorf("failed to provide context controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewOAuthController)
+	if err != nil {
+		return fmt.Errorf("failed to provide oauth controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewOIDCController)
+	if err != nil {
+		return fmt.Errorf("failed to provide oidc controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewProxyController)
+	if err != nil {
+		return fmt.Errorf("failed to provide proxy controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewUserController)
+	if err != nil {
+		return fmt.Errorf("failed to provide user controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewResourcesController)
+	if err != nil {
+		return fmt.Errorf("failed to provide resources controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewHealthController)
+	if err != nil {
+		return fmt.Errorf("failed to provide health controller: %w", err)
+	}
+
+	err = app.dig.Provide(controller.NewWellKnownController)
+	if err != nil {
+		return fmt.Errorf("failed to provide well-known controller: %w", err)
+	}
+
+	type controllerInput struct {
+		dig.In
+
+		ContextController   *controller.ContextController
+		OAuthController     *controller.OAuthController
+		OIDCController      *controller.OIDCController
+		ProxyController     *controller.ProxyController
+		UserController      *controller.UserController
+		ResourcesController *controller.ResourcesController
+		HealthController    *controller.HealthController
+		WellKnownController *controller.WellKnownController
+	}
+
+	// force dig to build all controllers and register their routes
+	err = app.dig.Invoke(func(ci controllerInput) error {
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to invoke controllers: %w", err)
+	}
 
 	app.router = engine
 	return nil

internal/bootstrap/service_bootstrap.go

@@ -5,54 +5,86 @@ import (
 	"os"
 
 	"github.com/tinyauthapp/tinyauth/internal/service"
+	"go.uber.org/dig"
 )
 
 func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
+	err := app.setupPolicyEngine()
 
 	if err != nil {
-		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
+		return fmt.Errorf("failed to setup policy engine: %w", err)
 	}
 
-	app.services.ldapService = ldapService
-
 	labelProvider, err := app.getLabelProvider()
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize label provider: %w", err)
+		return fmt.Errorf("failed to get label provider: %w", err)
 	}
 
-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
+	err = app.dig.Provide(func() service.LabelProvider {
+		return labelProvider
+	})
 
 	if err != nil {
-		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
+		return fmt.Errorf("failed to provide label provider: %w", err)
 	}
 
-	app.services.tailscaleService = tailscaleService
+	err = app.dig.Provide(service.NewLdapService)
+	if err != nil {
+		return fmt.Errorf("failed to provide ldap service: %w", err)
+	}
 
-	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
-	app.services.accessControlService = accessControlsService
+	err = app.dig.Provide(service.NewTailscaleService)
+	if err != nil {
+		return fmt.Errorf("failed to provide tailscale service: %w", err)
+	}
 
-	err = app.setupPolicyEngine()
+	err = app.dig.Provide(service.NewAccessControlsService)
+	if err != nil {
+		return fmt.Errorf("failed to provide access controls service: %w", err)
+	}
+
+	err = app.dig.Provide(service.NewOAuthBrokerService)
+	if err != nil {
+		return fmt.Errorf("failed to provide oauth broker service: %w", err)
+	}
+
+	err = app.dig.Provide(service.NewAuthService)
+	if err != nil {
+		return fmt.Errorf("failed to provide auth service: %w", err)
+	}
+
+	err = app.dig.Provide(service.NewOIDCService)
+	if err != nil {
+		return fmt.Errorf("failed to provide oidc service: %w", err)
+	}
+
+	type svcInput struct {
+		dig.In
+
+		AccessControlService *service.AccessControlsService
+		AuthService          *service.AuthService
+		LDAPService          *service.LdapService
+		OAuthBrokerService   *service.OAuthBrokerService
+		OIDCService          *service.OIDCService
+		TailscaleService     *service.TailscaleService
+	}
+
+	err = app.dig.Invoke(func(i svcInput) error {
+		app.services = Services{
+			accessControlService: i.AccessControlService,
+			authService:          i.AuthService,
+			ldapService:          i.LDAPService,
+			oauthBrokerService:   i.OAuthBrokerService,
+			tailscaleService:     i.TailscaleService,
+		}
+		return nil
+	})
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize policy engine: %w", err)
+		return fmt.Errorf("failed to invoke services: %w", err)
 	}
 
-	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
-	app.services.oauthBrokerService = oauthBrokerService
-
-	authService := service.NewAuthService(app.log, app.config, app.runtime, &app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
-	app.services.authService = authService
-
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
-
-	if err != nil {
-		return fmt.Errorf("failed to initialize oidc service: %w", err)
-	}
-
-	app.services.oidcService = oidcService
-
 	return nil
 }
 
@@ -69,66 +101,93 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
 
-			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
+			err := app.dig.Provide(service.NewKubernetesService)
 
 			if err != nil {
-				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
+				return nil, fmt.Errorf("failed to provide kubernetes service: %w", err)
 			}
 
-			app.services.kubernetesService = kubernetesService
-			return kubernetesService, nil
+			err = app.dig.Invoke(func(k *service.KubernetesService) error {
+				app.services.kubernetesService = k
+				return nil
+			})
+
+			if err != nil {
+				return nil, fmt.Errorf("failed to invoke kubernetes service: %w", err)
+			}
+
+			// Kubernetes will fail to initialize with an error if it cannot connect to the cluster
+			// but just to be safe, we check if the service is nil and log a warning if it is
+			if app.services.kubernetesService == nil {
+				if app.config.LabelProvider == "kubernetes" {
+					app.log.App.Warn().Msg("Kubernetes label provider selected but Kubernetes is not available, will continue without it")
+				}
+				return nil, nil
+			}
+
+			return app.services.kubernetesService, nil
 		}
 
 		app.log.App.Debug().Msg("Using Docker label provider")
 
-		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
+		err := app.dig.Provide(service.NewDockerService)
 
 		if err != nil {
-			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
+			return nil, fmt.Errorf("failed to provide docker service: %w", err)
 		}
 
-		if dockerService == nil {
+		err = app.dig.Invoke(func(d *service.DockerService) error {
+			app.services.dockerService = d
+			return nil
+		})
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to invoke docker service: %w", err)
+		}
+
+		if app.services.dockerService == nil {
 			if app.config.LabelProvider == "docker" {
 				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
 			}
 			return nil, nil
 		}
 
-		app.services.dockerService = dockerService
-		return dockerService, nil
+		return app.services.dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
 	}
 }
 
 func (app *BootstrapApp) setupPolicyEngine() error {
-	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
+	err := app.dig.Provide(service.NewPolicyEngine)
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize policy engine: %w", err)
+		return fmt.Errorf("failed to create policy engine: %w", err)
 	}
 
-	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
-		Log:    app.log,
-		Config: app.config,
-	})
-	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
-		Log:    app.log,
-		Config: app.config,
+	err = app.dig.Invoke(func(policyEngine *service.PolicyEngine) error {
+		policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
+			Log: app.log,
+		})
+		policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
+			Log: app.log,
+		})
+		policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
+			Log: app.log,
+		})
+		policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
+			Log: app.log,
+		})
+		policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
+			Log:    app.log,
+			Config: app.config,
+		})
+		policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
+			Log:    app.log,
+			Config: app.config,
+		})
+		return nil
 	})
 
-	app.services.policyEngine = policyEngine
-	return nil
+	return err
 }

internal/controller/context_controller.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -71,29 +72,33 @@ type AppContextResponse struct {
 	App     ACRApp   `json:"app"`
 }
 
-type ContextController struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
+type ContextControllerInput struct {
+	dig.In
+
+	Log         *logger.Logger
+	Config      *model.Config
+	Runtime     *model.RuntimeConfig
+	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
 }
 
-func NewContextController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-) *ContextController {
+type ContextController struct {
+	log     *logger.Logger
+	config  *model.Config
+	runtime *model.RuntimeConfig
+}
+
+func NewContextController(i ContextControllerInput) *ContextController {
 	controller := &ContextController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
+		log:     i.Log,
+		config:  i.Config,
+		runtime: i.Runtime,
 	}
 
-	if !config.UI.WarningsEnabled {
-		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+	if !i.Config.UI.WarningsEnabled {
+		i.Log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
 
-	contextGroup := router.Group("/context")
+	contextGroup := i.RouterGroup.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
 

internal/controller/health_controller.go

@@ -1,15 +1,24 @@
 package controller
 
-import "github.com/gin-gonic/gin"
+import (
+	"github.com/gin-gonic/gin"
+	"go.uber.org/dig"
+)
 
 type HealthController struct {
 }
 
-func NewHealthController(router *gin.RouterGroup) *HealthController {
+type HealthControllerInput struct {
+	dig.In
+
+	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
+}
+
+func NewHealthController(i HealthControllerInput) *HealthController {
 	controller := &HealthController{}
 
-	router.GET("/healthz", controller.healthHandler)
-	router.HEAD("/healthz", controller.healthHandler)
+	i.RouterGroup.GET("/healthz", controller.healthHandler)
+	i.RouterGroup.HEAD("/healthz", controller.healthHandler)
 
 	return controller
 }

internal/controller/oauth_controller.go

@@ -11,6 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -22,29 +23,30 @@ type OAuthRequest struct {
 
 type OAuthController struct {
 	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	helpers *model.RuntimeHelpers
+	config  *model.Config
+	runtime *model.RuntimeConfig
 	auth    *service.AuthService
 }
 
-func NewOAuthController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	helpers *model.RuntimeHelpers,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *OAuthController {
+type OAuthControllerInput struct {
+	dig.In
+
+	Log           *logger.Logger
+	Config        *model.Config
+	RuntimeConfig *model.RuntimeConfig
+	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	AuthService   *service.AuthService
+}
+
+func NewOAuthController(i OAuthControllerInput) *OAuthController {
 	controller := &OAuthController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
-		helpers: helpers,
-		auth:    auth,
+		log:     i.Log,
+		config:  i.Config,
+		runtime: i.RuntimeConfig,
+		auth:    i.AuthService,
 	}
 
-	oauthGroup := router.Group("/oauth")
+	oauthGroup := i.RouterGroup.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
 
@@ -108,18 +110,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "Internal Server Error",
-		})
-		return
-	}
-
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -149,15 +140,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
@@ -274,7 +257,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	controller.log.App.Debug().Msg("Creating session cookie for user")
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -320,3 +303,10 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
 	return params.LoginFor == string(FrontendLoginForOIDC)
 }
+
+func (controller *OAuthController) getCookieDomain() string {
+	if controller.config.Auth.SubdomainsEnabled {
+		return "." + controller.runtime.CookieDomain
+	}
+	return controller.runtime.CookieDomain
+}

internal/controller/oidc_controller.go

@@ -1,18 +1,17 @@
 package controller
 
 import (
-	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
-	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
+	"go.uber.org/dig"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -32,9 +31,7 @@ type authorizeErrorParams struct {
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
-	runtime model.RuntimeConfig
-	helpers *model.RuntimeHelpers
-	config  model.Config
+	runtime *model.RuntimeConfig
 }
 
 type AuthorizeCallback struct {
@@ -72,37 +69,37 @@ type ClientCredentials struct {
 }
 
 type AuthorizeScreenParams struct {
-	LoginFor        FrontendLoginFor `url:"login_for"`
-	OIDCTicket      string           `url:"oidc_ticket"`
-	OIDCScope       string           `url:"oidc_scope"`
-	OIDCName        string           `url:"oidc_name"`
-	OIDCShowConsent bool             `url:"oidc_show_consent"`
+	LoginFor   FrontendLoginFor `url:"login_for"`
+	OIDCTicket string           `url:"oidc_ticket"`
+	OIDCScope  string           `url:"oidc_scope"`
+	OIDCName   string           `url:"oidc_name"`
 }
 
 type AuthorizeCompleteRequest struct {
 	Ticket string `json:"ticket" binding:"required"`
 }
 
-func NewOIDCController(
-	log *logger.Logger,
-	oidcService *service.OIDCService,
-	runtimeConfig model.RuntimeConfig,
-	helpers *model.RuntimeHelpers,
-	config model.Config,
-	router *gin.RouterGroup,
-	mainRouter *gin.RouterGroup) *OIDCController {
+type OIDCControllerInput struct {
+	dig.In
+
+	Log           *logger.Logger
+	OIDCService   *service.OIDCService
+	RuntimeConfig *model.RuntimeConfig
+	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	MainRouter    *gin.RouterGroup `name:"mainRouterGroup"`
+}
+
+func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	controller := &OIDCController{
-		log:     log,
-		oidc:    oidcService,
-		runtime: runtimeConfig,
-		helpers: helpers,
-		config:  config,
+		log:     i.Log,
+		oidc:    i.OIDCService,
+		runtime: i.RuntimeConfig,
 	}
 
-	mainRouter.POST("/authorize", controller.authorize)
-	mainRouter.GET("/authorize", controller.authorize)
+	i.MainRouter.POST("/authorize", controller.authorize)
+	i.MainRouter.GET("/authorize", controller.authorize)
 
-	oidcGroup := router.Group("/oidc")
+	oidcGroup := i.RouterGroup.Group("/oidc")
 	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
@@ -172,31 +169,11 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 
-	// Check if we have consented before for this client and scope
-	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
-
-	showConsent := true
-
-	if err == nil {
-		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
-
-		if err == nil && consentEntry != nil {
-			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
-				showConsent = false
-			}
-		} else {
-			if !errors.Is(err, sql.ErrNoRows) {
-				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
-			}
-		}
-	}
-
 	queries, err := query.Values(AuthorizeScreenParams{
-		LoginFor:        FrontendLoginForOIDC,
-		OIDCTicket:      ticket,
-		OIDCScope:       req.Scope,
-		OIDCName:        client.Name,
-		OIDCShowConsent: showConsent,
+		LoginFor:   FrontendLoginForOIDC,
+		OIDCTicket: ticket,
+		OIDCScope:  req.Scope,
+		OIDCName:   client.Name,
 	})
 
 	if err != nil {
@@ -318,33 +295,6 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 		return
 	}
 
-	// Just before returning let's set the consent cookie
-	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
-
-	// If we fail to create the consent entry, we don't want to block the authorization flow,
-	// but we log the error and move on without setting the cookie
-	if err == nil {
-		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
-
-		if err == nil {
-			cookie := &http.Cookie{
-				Name:     controller.runtime.ConsentCookieName,
-				Value:    consnetUUID,
-				Path:     "/",
-				Domain:   cookieDomain,
-				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
-				Secure:   controller.config.Auth.SecureCookie,
-				HttpOnly: true,
-				SameSite: http.SameSiteLaxMode,
-			}
-			http.SetCookie(c.Writer, cookie)
-		} else {
-			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
-		}
-	} else {
-		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
-	}
-
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),

internal/controller/oidc_controller_test.go

@@ -30,8 +30,6 @@ func TestOIDCController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	helpers := test.CreateTestHelpers()
-
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
@@ -833,7 +831,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}
 
-			controller.NewOIDCController(log, svc, runtime, helpers, cfg, group, &router.RouterGroup)
+			controller.NewOIDCController(log, svc, runtime, group, &router.RouterGroup)
 
 			recorder := httptest.NewRecorder()
 

internal/controller/proxy_controller.go

@@ -13,6 +13,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -53,29 +54,33 @@ type ProxyContext struct {
 
 type ProxyController struct {
 	log          *logger.Logger
-	runtime      model.RuntimeConfig
+	runtime      *model.RuntimeConfig
 	acls         *service.AccessControlsService
 	auth         *service.AuthService
 	policyEngine *service.PolicyEngine
 }
 
-func NewProxyController(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	router *gin.RouterGroup,
-	acls *service.AccessControlsService,
-	auth *service.AuthService,
-	policyEngine *service.PolicyEngine,
-) *ProxyController {
+type ProxyControllerInput struct {
+	dig.In
+
+	Log           *logger.Logger
+	RuntimeConfig *model.RuntimeConfig
+	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	ACLsService   *service.AccessControlsService
+	AuthService   *service.AuthService
+	PolicyEngine  *service.PolicyEngine
+}
+
+func NewProxyController(i ProxyControllerInput) *ProxyController {
 	controller := &ProxyController{
-		log:          log,
-		runtime:      runtime,
-		acls:         acls,
-		auth:         auth,
-		policyEngine: policyEngine,
+		log:          i.Log,
+		runtime:      i.RuntimeConfig,
+		acls:         i.ACLsService,
+		auth:         i.AuthService,
+		policyEngine: i.PolicyEngine,
 	}
 
-	proxyGroup := router.Group("/auth")
+	proxyGroup := i.RouterGroup.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 
 	return controller

internal/controller/proxy_controller_test.go

@@ -24,8 +24,6 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	helpers := test.CreateTestHelpers()
-
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -397,7 +395,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
 
-	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {

internal/controller/resources_controller.go

@@ -5,25 +5,30 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/model"
+	"go.uber.org/dig"
 )
 
 type ResourcesController struct {
-	config     model.Config
+	config     *model.Config
 	fileServer http.Handler
 }
 
-func NewResourcesController(
-	config model.Config,
-	router *gin.RouterGroup,
-) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
+type ResourcesControllerInput struct {
+	dig.In
+
+	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
+	Config      *model.Config
+}
+
+func NewResourcesController(i ResourcesControllerInput) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(i.Config.Resources.Path)))
 
 	controller := &ResourcesController{
-		config:     config,
+		config:     i.Config,
 		fileServer: fileServer,
 	}
 
-	router.GET("/resources/*resource", controller.resourcesHandler)
+	i.RouterGroup.GET("/resources/*resource", controller.resourcesHandler)
 
 	return controller
 }

internal/controller/user_controller.go

@@ -11,6 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -27,23 +28,27 @@ type TotpRequest struct {
 
 type UserController struct {
 	log     *logger.Logger
-	runtime model.RuntimeConfig
+	runtime *model.RuntimeConfig
 	auth    *service.AuthService
 }
 
-func NewUserController(
-	log *logger.Logger,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *UserController {
+type UserControllerInput struct {
+	dig.In
+
+	Log           *logger.Logger
+	RuntimeConfig *model.RuntimeConfig
+	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	AuthService   *service.AuthService
+}
+
+func NewUserController(i UserControllerInput) *UserController {
 	controller := &UserController{
-		log:     log,
-		runtime: runtimeConfig,
-		auth:    auth,
+		log:     i.Log,
+		runtime: i.RuntimeConfig,
+		auth:    i.AuthService,
 	}
 
-	userGroup := router.Group("/user")
+	userGroup := i.RouterGroup.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
@@ -150,7 +155,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
-			}, c.RemoteIP())
+			})
 
 			if err != nil {
 				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
@@ -195,7 +200,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
@@ -246,7 +251,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 		return
 	}
 
-	cookie, err := controller.auth.DeleteSession(c, uuid, c.RemoteIP())
+	cookie, err := controller.auth.DeleteSession(c, uuid)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
@@ -350,7 +355,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
 	if err == nil {
-		_, err = controller.auth.DeleteSession(c, uuid, c.RemoteIP())
+		_, err = controller.auth.DeleteSession(c, uuid)
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
@@ -374,7 +379,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
@@ -424,7 +429,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 		Provider: "tailscale",
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")

internal/controller/user_controller_test.go

@@ -29,8 +29,6 @@ func TestUserController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	helpers := test.CreateTestHelpers()
-
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
@@ -420,7 +418,7 @@ func TestUserController(t *testing.T) {
 	require.NoError(t, err)
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test

internal/controller/well_known_controller.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/service"
+	"go.uber.org/dig"
 )
 
 type OpenIDConnectConfiguration struct {
@@ -30,13 +31,20 @@ type WellKnownController struct {
 	oidc *service.OIDCService
 }
 
-func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
+type WellKnownControllerInput struct {
+	dig.In
+
+	OIDCService *service.OIDCService
+	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
+}
+
+func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {
 	controller := &WellKnownController{
-		oidc: oidc,
+		oidc: i.OIDCService,
 	}
 
-	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	router.GET("/.well-known/jwks.json", controller.JWKS)
+	i.RouterGroup.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	i.RouterGroup.GET("/.well-known/jwks.json", controller.JWKS)
 
 	return controller
 }

internal/middleware/context_middleware.go

@@ -11,6 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -37,25 +38,29 @@ var (
 
 type ContextMiddleware struct {
 	log       *logger.Logger
-	runtime   model.RuntimeConfig
+	runtime   *model.RuntimeConfig
 	auth      *service.AuthService
 	broker    *service.OAuthBrokerService
 	tailscale *service.TailscaleService
 }
 
-func NewContextMiddleware(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	auth *service.AuthService,
-	broker *service.OAuthBrokerService,
-	tailscale *service.TailscaleService,
-) *ContextMiddleware {
+type ContextMiddlewareInput struct {
+	dig.In
+
+	Log              *logger.Logger
+	RuntimeConfig    *model.RuntimeConfig
+	AuthService      *service.AuthService
+	BrokerService    *service.OAuthBrokerService
+	TailscaleService *service.TailscaleService
+}
+
+func NewContextMiddleware(i ContextMiddlewareInput) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:       log,
-		runtime:   runtime,
-		auth:      auth,
-		broker:    broker,
-		tailscale: tailscale,
+		log:       i.Log,
+		runtime:   i.RuntimeConfig,
+		auth:      i.AuthService,
+		broker:    i.BrokerService,
+		tailscale: i.TailscaleService,
 	}
 }
 
@@ -206,12 +211,12 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		}
 
 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid, ip)
+			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
 
-	cookie, err := m.auth.RefreshSession(ctx, uuid, ip)
+	cookie, err := m.auth.RefreshSession(ctx, uuid)
 
 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)

internal/middleware/context_middleware_test.go

@@ -27,8 +27,6 @@ func TestContextMiddleware(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
-	helpers := test.CreateTestHelpers()
-
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
@@ -260,7 +258,7 @@ func TestContextMiddleware(t *testing.T) {
 	require.NoError(t, err)
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 

internal/middleware/ui_middleware.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -18,7 +19,12 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
 
-func NewUIMiddleware() (*UIMiddleware, error) {
+// for future use if we need to inject dependencies into the middleware
+type UIMiddlewareInput struct {
+	dig.In
+}
+
+func NewUIMiddleware(_ UIMiddlewareInput) (*UIMiddleware, error) {
 	m := &UIMiddleware{}
 
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")

internal/middleware/zerolog_middleware.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 )
 
 // See context middleware for explanation of why we have to do this
@@ -21,9 +22,15 @@ type ZerologMiddleware struct {
 	log *logger.Logger
 }
 
-func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
+type ZerologMiddlewareInput struct {
+	dig.In
+
+	Log *logger.Logger
+}
+
+func NewZerologMiddleware(i ZerologMiddlewareInput) *ZerologMiddleware {
 	return &ZerologMiddleware{
-		log: log,
+		log: i.Log,
 	}
 }
 

internal/model/constants.go

@@ -18,7 +18,8 @@ var OverrideProviders = map[string]string{
 }
 
 const SessionCookieName = "tinyauth-session"
+const CSRFCookieName = "tinyauth-csrf"
+const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
-const ConsentCookieName = "tinyauth-consent"
 
 const GracefulShutdownTimeout = 5 // seconds

internal/model/runtime.go

@@ -1,14 +1,13 @@
 package model
 
-import "context"
-
 type RuntimeConfig struct {
 	AppURL                 string
 	UUID                   string
 	CookieDomain           string
 	SessionCookieName      string
+	CSRFCookieName         string
+	RedirectCookieName     string
 	OAuthSessionCookieName string
-	ConsentCookieName      string
 	LocalUsers             []LocalUser
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
@@ -17,10 +16,6 @@ type RuntimeConfig struct {
 	TrustedDomains         []string
 }
 
-type RuntimeHelpers struct {
-	GetCookieDomain func(ctx context.Context, ip string) (string, error)
-}
-
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`

internal/repository/memory/memory_test.go

@@ -277,78 +277,6 @@ func TestMemoryStore(t *testing.T) {
 				assert.NoError(t, err)
 			},
 		},
-		{
-			description: "Create and get OIDC consent",
-			run: func(t *testing.T, s repository.Store) {
-				consent, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{
-					UUID:     "uuid-1",
-					ClientID: "client-1",
-					Scopes:   "openid profile",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "uuid-1", consent.UUID)
-				assert.Equal(t, "client-1", consent.ClientID)
-				assert.Equal(t, "openid profile", consent.Scopes)
-
-				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
-				require.NoError(t, err)
-				assert.Equal(t, consent, got)
-			},
-		},
-		{
-			description: "Get OIDC consent by UUID not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOIDCConsentByUUID(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Create OIDC consent unique UUID constraint",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
-				require.NoError(t, err)
-
-				_, err = s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-2", Scopes: "profile"})
-				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_consent.uuid")
-			},
-		},
-		{
-			description: "Update OIDC consent",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
-				require.NoError(t, err)
-
-				updated, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
-					UUID:   "uuid-1",
-					Scopes: "profile email",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "profile email", updated.Scopes)
-
-				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
-				require.NoError(t, err)
-				assert.Equal(t, updated, got)
-			},
-		},
-		{
-			description: "Update OIDC consent not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{UUID: "missing"})
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC consent by UUID",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOIDCConsentByUUID(ctx, "uuid-1"))
-
-				_, err = s.GetOIDCConsentByUUID(ctx, "uuid-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
 	}
 
 	for _, test := range tests {

internal/repository/memory/oidc_queries.go

@@ -94,47 +94,3 @@ func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.Dele
 	}
 	return nil
 }
-
-func (s *Store) CreateOIDCConsent(_ context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if _, ok := s.oidcConsent[arg.UUID]; ok {
-		return repository.OidcConsent{}, fmt.Errorf("UNIQUE constraint failed: oidc_consent.uuid")
-	}
-	consent := repository.OidcConsent{
-		UUID:     arg.UUID,
-		ClientID: arg.ClientID,
-		Scopes:   arg.Scopes,
-	}
-	s.oidcConsent[arg.UUID] = consent
-	return consent, nil
-}
-
-func (s *Store) GetOIDCConsentByUUID(_ context.Context, uuid string) (repository.OidcConsent, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	consent, ok := s.oidcConsent[uuid]
-	if !ok {
-		return repository.OidcConsent{}, repository.ErrNotFound
-	}
-	return consent, nil
-}
-
-func (s *Store) UpdateOIDCConsent(_ context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	consent, ok := s.oidcConsent[arg.UUID]
-	if !ok {
-		return repository.OidcConsent{}, repository.ErrNotFound
-	}
-	consent.Scopes = arg.Scopes
-	s.oidcConsent[arg.UUID] = consent
-	return consent, nil
-}
-
-func (s *Store) DeleteOIDCConsentByUUID(_ context.Context, uuid string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	delete(s.oidcConsent, uuid)
-	return nil
-}

internal/repository/memory/store.go

@@ -12,7 +12,6 @@ type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
 	oidcSessions map[string]repository.OidcSession
-	oidcConsent  map[string]repository.OidcConsent
 }
 
 // New returns a new empty in-memory Store.
@@ -20,6 +19,5 @@ func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
 		oidcSessions: make(map[string]repository.OidcSession),
-		oidcConsent:  make(map[string]repository.OidcConsent),
 	}
 }

internal/repository/models.go

@@ -1,18 +1,8 @@
 package repository
 
-import "time"
-
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 
-type OidcConsent struct {
-	UUID      string
-	ClientID  string
-	Scopes    string
-	CreatedAt time.Time
-	UpdatedAt time.Time
-}
-
 type Session struct {
 	UUID        string
 	Username    string
@@ -94,14 +84,3 @@ type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
-
-type CreateOIDCConsentParams struct {
-	UUID     string
-	ClientID string
-	Scopes   string
-}
-
-type UpdateOIDCConsentParams struct {
-	Scopes string
-	UUID   string
-}

internal/repository/postgres/models.go

@@ -4,18 +4,6 @@
 
 package postgres
 
-import (
-	"time"
-)
-
-type OidcConsent struct {
-	UUID      string
-	ClientID  string
-	Scopes    string
-	CreatedAt time.Time
-	UpdatedAt time.Time
-}
-
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string

internal/repository/postgres/oidc_queries.sql.go

@@ -9,36 +9,6 @@ import (
 	"context"
 )
 
-const createOIDCConsent = `-- name: CreateOIDCConsent :one
-INSERT INTO "oidc_consent" (
-    "uuid",
-    "client_id",
-    "scopes"
-) VALUES (
-    $1, $2, $3
-)
-RETURNING uuid, client_id, scopes, created_at, updated_at
-`
-
-type CreateOIDCConsentParams struct {
-	UUID     string
-	ClientID string
-	Scopes   string
-}
-
-func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -110,16 +80,6 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
-const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_consent"
-WHERE "uuid" = $1
-`
-
-func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
-	return err
-}
-
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = $1
@@ -130,24 +90,6 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
-const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
-SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
-WHERE "uuid" = $1
-`
-
-func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
@@ -214,32 +156,6 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
-const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
-UPDATE "oidc_consent" SET
-    "scopes" = $1,
-    "updated_at" = CURRENT_TIMESTAMP
-WHERE "uuid" = $2
-RETURNING uuid, client_id, scopes, created_at, updated_at
-`
-
-type UpdateOIDCConsentParams struct {
-	Scopes string
-	UUID   string
-}
-
-func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = $1,

internal/repository/postgres/store.go

@@ -32,14 +32,6 @@ func mapErr(err error) error {
 	return err
 }
 
-func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -64,10 +56,6 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
-func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
-}
-
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -76,14 +64,6 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
-func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
-	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -116,14 +96,6 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
-func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {

internal/repository/sqlite/models.go

@@ -4,18 +4,6 @@
 
 package sqlite
 
-import (
-	"time"
-)
-
-type OidcConsent struct {
-	UUID      string
-	ClientID  string
-	Scopes    string
-	CreatedAt time.Time
-	UpdatedAt time.Time
-}
-
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string

internal/repository/sqlite/oidc_queries.sql.go

@@ -9,36 +9,6 @@ import (
 	"context"
 )
 
-const createOIDCConsent = `-- name: CreateOIDCConsent :one
-INSERT INTO "oidc_consent" (
-    "uuid",
-    "client_id",
-    "scopes"
-) VALUES (
-    ?, ?, ?
-)
-RETURNING uuid, client_id, scopes, created_at, updated_at
-`
-
-type CreateOIDCConsentParams struct {
-	UUID     string
-	ClientID string
-	Scopes   string
-}
-
-func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -110,16 +80,6 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
-const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_consent"
-WHERE "uuid" = ?
-`
-
-func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
-	return err
-}
-
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = ?
@@ -130,24 +90,6 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
-const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
-SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
-WHERE "uuid" = ?
-`
-
-func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
@@ -214,32 +156,6 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
-const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
-UPDATE "oidc_consent" SET
-    "scopes" = ?,
-    "updated_at" = CURRENT_TIMESTAMP
-WHERE "uuid" = ?
-RETURNING uuid, client_id, scopes, created_at, updated_at
-`
-
-type UpdateOIDCConsentParams struct {
-	Scopes string
-	UUID   string
-}
-
-func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
-	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
-	var i OidcConsent
-	err := row.Scan(
-		&i.UUID,
-		&i.ClientID,
-		&i.Scopes,
-		&i.CreatedAt,
-		&i.UpdatedAt,
-	)
-	return i, err
-}
-
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = ?,

internal/repository/sqlite/store.go

@@ -32,14 +32,6 @@ func mapErr(err error) error {
 	return err
 }
 
-func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -64,10 +56,6 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
-func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
-	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
-}
-
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -76,14 +64,6 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
-func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
-	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -116,14 +96,6 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
-func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
-	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
-	if err != nil {
-		return repository.OidcConsent{}, mapErr(err)
-	}
-	return repository.OidcConsent(r), nil
-}
-
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {

internal/repository/store.go

@@ -27,10 +27,4 @@ type Store interface {
 	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
 	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
 	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
-
-	// OIDC consents
-	CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error)
-	DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error
-	GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error)
-	UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error)
 }

internal/service/access_controls_service.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 )
 
 type LabelProvider interface {
@@ -13,19 +14,24 @@ type LabelProvider interface {
 
 type AccessControlsService struct {
 	log           *logger.Logger
-	config        model.Config
-	labelProvider *LabelProvider
+	config        *model.Config
+	labelProvider LabelProvider
 }
 
-func NewAccessControlsService(
-	log *logger.Logger,
-	config model.Config,
-	labelProvider *LabelProvider) *AccessControlsService {
+type AccessControlServiceInput struct {
+	dig.In
+
+	Log           *logger.Logger
+	Config        *model.Config
+	LabelProvider LabelProvider `optional:"true"`
+}
+
+func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsService {
 
 	return &AccessControlsService{
-		log:           log,
-		config:        config,
-		labelProvider: labelProvider,
+		log:           i.Log,
+		config:        i.Config,
+		labelProvider: i.LabelProvider,
 	}
 }
 
@@ -57,8 +63,8 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
 	}
 
 	// If we have a label provider configured, try to get ACLs from it
-	if service.labelProvider != nil && *service.labelProvider != nil {
-		return (*service.labelProvider).GetLabels(domain)
+	if service.labelProvider != nil {
+		return service.labelProvider.GetLabels(domain)
 	}
 
 	// no labels

internal/service/auth_service.go

@@ -14,6 +14,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
@@ -57,9 +58,8 @@ type LoginAttempt struct {
 
 type AuthService struct {
 	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	helpers *model.RuntimeHelpers
+	config  *model.Config
+	runtime *model.RuntimeConfig
 	ctx     context.Context
 
 	ldap         *LdapService
@@ -83,30 +83,32 @@ type AuthService struct {
 	}
 }
 
-func NewAuthService(
-	log *logger.Logger,
-	config model.Config,
-	runtime model.RuntimeConfig,
-	helpers *model.RuntimeHelpers,
-	ctx context.Context,
-	dg *ding.Ding,
-	ldap *LdapService,
-	queries repository.Store,
-	oauthBroker *OAuthBrokerService,
-	tailscale *TailscaleService,
-	policy *PolicyEngine,
-) *AuthService {
+type AuthServiceInput struct {
+	dig.In
+
+	Log          *logger.Logger
+	Config       *model.Config
+	Runtime      *model.RuntimeConfig
+	Ctx          context.Context
+	Ding         *ding.Ding
+	LDAP         *LdapService `optional:"true"`
+	Queries      repository.Store
+	OAuthBroker  *OAuthBrokerService
+	Tailscale    *TailscaleService `optional:"true"`
+	PolicyEngine *PolicyEngine
+}
+
+func NewAuthService(i AuthServiceInput) *AuthService {
 	service := &AuthService{
-		log:          log,
-		runtime:      runtime,
-		helpers:      helpers,
-		ctx:          ctx,
-		config:       config,
-		ldap:         ldap,
-		queries:      queries,
-		oauthBroker:  oauthBroker,
-		tailscale:    tailscale,
-		policyEngine: policy,
+		log:          i.Log,
+		runtime:      i.Runtime,
+		ctx:          i.Ctx,
+		config:       i.Config,
+		ldap:         i.LDAP,
+		queries:      i.Queries,
+		oauthBroker:  i.OAuthBroker,
+		tailscale:    i.Tailscale,
+		policyEngine: i.PolicyEngine,
 	}
 
 	// caches setup
@@ -118,7 +120,7 @@ func NewAuthService(
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
 
-	dg.Go(func(ctx context.Context) {
+	i.Ding.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 
@@ -325,7 +327,7 @@ func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool
 	})
 }
 
-func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session, ip string) (*http.Cookie, error) {
+func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
 	if data.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
@@ -366,17 +368,33 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
-	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+	if data.Provider == "tailscale" {
+		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
 
-	if err != nil {
-		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		return &http.Cookie{
+			Name:     auth.runtime.SessionCookieName,
+			Value:    session.UUID,
+			Path:     "/",
+			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
+			Expires:  expiresAt,
+			MaxAge:   int(time.Until(expiresAt).Seconds()),
+			Secure:   auth.config.Auth.SecureCookie,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+		}, nil
 	}
 
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   cookieDomain,
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -385,17 +403,13 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}, nil
 }
 
-func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
+func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http.Cookie, error) {
 	session, err := auth.queries.GetSession(ctx, uuid)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve session: %w", err)
 	}
 
-	if session.Provider == "tailscale" && auth.tailscale == nil {
-		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
-	}
-
 	currentTime := time.Now().Unix()
 
 	var refreshThreshold int64
@@ -429,17 +443,11 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip str
 		return nil, fmt.Errorf("failed to update session expiry: %w", err)
 	}
 
-	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
-	}
-
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   cookieDomain,
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -449,24 +457,18 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip str
 
 }
 
-func (auth *AuthService) DeleteSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
+func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.Cookie, error) {
 	err := auth.queries.DeleteSession(ctx, uuid)
 
 	if err != nil {
 		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}
 
-	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
-	}
-
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   cookieDomain,
+		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,

internal/service/docker_service.go

@@ -8,6 +8,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -21,36 +22,40 @@ type DockerService struct {
 	isConnected bool
 }
 
-func NewDockerService(
-	log *logger.Logger,
-	ctx context.Context,
-	dg *ding.Ding,
-) (*DockerService, error) {
+type DockerServiceInput struct {
+	dig.In
+
+	Log  *logger.Logger
+	Ctx  context.Context
+	Ding *ding.Ding
+}
+
+func NewDockerService(i DockerServiceInput) (*DockerService, error) {
 
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		return nil, err
 	}
 
-	client.NegotiateAPIVersion(ctx)
+	client.NegotiateAPIVersion(i.Ctx)
 
-	_, err = client.Ping(ctx)
+	_, err = client.Ping(i.Ctx)
 
 	if err != nil {
-		log.App.Debug().Err(err).Msg("Docker not connected")
+		i.Log.App.Debug().Err(err).Msg("Docker not connected")
 		return nil, nil
 	}
 
 	service := &DockerService{
-		log:     log,
+		log:     i.Log,
 		client:  client,
-		context: ctx,
+		context: i.Ctx,
 	}
 
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
 
-	dg.Go(service.watchAndClose, ding.RingMajor)
+	i.Ding.Go(service.watchAndClose, ding.RingMajor)
 
 	return service, nil
 }

internal/service/kubernetes_service.go

@@ -12,6 +12,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -48,11 +49,15 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }
 
-func NewKubernetesService(
-	log *logger.Logger,
-	ctx context.Context,
-	dg *ding.Ding,
-) (*KubernetesService, error) {
+type KubernetesServiceInput struct {
+	dig.In
+
+	Log  *logger.Logger
+	Ctx  context.Context
+	Ding *ding.Ding
+}
+
+func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
@@ -69,31 +74,31 @@ func NewKubernetesService(
 		Resource: "ingresses",
 	}
 
-	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
+	accessCtx, accessCancel := context.WithTimeout(i.Ctx, 5*time.Second)
 	defer accessCancel()
 
 	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
 	if err != nil {
-		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		i.Log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
 		return nil, fmt.Errorf("failed to access ingress api: %w", err)
 	}
 
-	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+	i.Log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
 
 	service := &KubernetesService{
-		log:          log,
+		log:          i.Log,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
 
-	dg.Go(func(ctx context.Context) {
+	i.Ding.Go(func(ctx context.Context) {
 		service.watchGVR(gvr, ctx)
 	}, ding.RingMajor)
 
 	service.started = true
-	log.App.Debug().Msg("Kubernetes label provider started successfully")
+	i.Log.App.Debug().Msg("Kubernetes label provider started successfully")
 
 	return service, nil
 }

internal/service/ldap_service.go

@@ -13,44 +13,48 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 )
 
 type LdapService struct {
 	log    *logger.Logger
-	config model.Config
+	config *model.Config
 
-	conn  *ldapgo.Conn
-	mutex sync.RWMutex
-	cert  *tls.Certificate
+	conn   *ldapgo.Conn
+	mutex  sync.RWMutex
+	cert   *tls.Certificate
+	bindPw string
 }
 
-func NewLdapService(
-	log *logger.Logger,
-	config model.Config,
-	dg *ding.Ding,
-) (*LdapService, error) {
-	if config.LDAP.Address == "" {
+type LdapServiceInput struct {
+	dig.In
+
+	Log    *logger.Logger
+	Config *model.Config
+	Ding   *ding.Ding
+}
+
+func NewLdapService(i LdapServiceInput) (*LdapService, error) {
+	if i.Config.LDAP.Address == "" {
 		return nil, nil
 	}
 
-	secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
-	config.LDAP.BindPassword = secret
-	config.LDAP.BindPasswordFile = ""
-
 	ldap := &LdapService{
-		log:    log,
-		config: config,
+		log:    i.Log,
+		config: i.Config,
 	}
 
+	ldap.bindPw = utils.GetSecret(i.Config.LDAP.BindPassword, i.Config.LDAP.BindPasswordFile)
+
 	// Check whether authentication with client certificate is possible
-	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
+	if i.Config.LDAP.AuthCert != "" && i.Config.LDAP.AuthKey != "" {
+		cert, err := tls.LoadX509KeyPair(i.Config.LDAP.AuthCert, i.Config.LDAP.AuthKey)
 
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
 
-		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+		i.Log.App.Info().Msg("LDAP mTLS authentication configured successfully")
 
 		ldap.cert = &cert
 
@@ -72,7 +76,7 @@ func NewLdapService(
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
 
-	dg.Go(func(ctx context.Context) {
+	i.Ding.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 
 		ticker := time.NewTicker(5 * time.Minute)
@@ -217,7 +221,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
+	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.bindPw)
 }
 
 func (ldap *LdapService) Bind(userDN string, password string) error {

internal/service/oauth_broker_service.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 
 	"slices"
 
@@ -32,23 +33,27 @@ var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Conte
 	"google": newGoogleOAuthService,
 }
 
-func NewOAuthBrokerService(
-	log *logger.Logger,
-	configs map[string]model.OAuthServiceConfig,
-	ctx context.Context,
-) *OAuthBrokerService {
+type OAuthBrokerServiceInput struct {
+	dig.In
+
+	Log     *logger.Logger
+	Runtime *model.RuntimeConfig
+	Ctx     context.Context
+}
+
+func NewOAuthBrokerService(i OAuthBrokerServiceInput) *OAuthBrokerService {
 	service := &OAuthBrokerService{
-		log:      log,
+		log:      i.Log,
 		services: make(map[string]OAuthServiceImpl),
-		configs:  configs,
+		configs:  i.Runtime.OAuthProviders,
 	}
 
-	for name, cfg := range configs {
+	for name, cfg := range service.configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, ctx)
+			service.services[name] = presetFunc(cfg, i.Ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, ctx)
+			service.services[name] = NewOAuthService(cfg, name, i.Ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}

internal/service/oidc_service.go

@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -21,12 +22,12 @@ import (
 
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/google/uuid"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 )
 
 var (
@@ -108,7 +109,6 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
-	jwt.Claims
 	Scope               string `form:"scope" json:"scope" url:"scope"`
 	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
 	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
@@ -135,8 +135,8 @@ type UsedCodeEntry struct {
 
 type OIDCService struct {
 	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
+	config  *model.Config
+	runtime *model.RuntimeConfig
 	queries repository.Store
 
 	clients    map[string]model.OIDCClientConfig
@@ -151,19 +151,24 @@ type OIDCService struct {
 	}
 }
 
-func NewOIDCService(
-	log *logger.Logger,
-	config model.Config,
-	runtime model.RuntimeConfig,
-	queries repository.Store,
-	dg *ding.Ding) (*OIDCService, error) {
+type OIDCServiceInput struct {
+	dig.In
+
+	Log     *logger.Logger
+	Config  *model.Config
+	Runtime *model.RuntimeConfig
+	Queries repository.Store
+	Ding    *ding.Ding
+}
+
+func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(runtime.OIDCClients) == 0 {
+	if len(i.Runtime.OIDCClients) == 0 {
 		return nil, nil
 	}
 
 	// Ensure issuer is https
-	uissuer, err := url.Parse(runtime.AppURL)
+	uissuer, err := url.Parse(i.Runtime.AppURL)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse app url: %w", err)
@@ -176,14 +181,14 @@ func NewOIDCService(
 	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
 
 	// Create/load private and public keys
-	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
+	if strings.TrimSpace(i.Config.OIDC.PrivateKeyPath) == "" ||
+		strings.TrimSpace(i.Config.OIDC.PublicKeyPath) == "" {
 		return nil, errors.New("private key path and public key path are required")
 	}
 
 	var privateKey *rsa.PrivateKey
 
-	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(i.Config.OIDC.PrivateKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
@@ -202,8 +207,12 @@ func NewOIDCService(
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
+		i.Log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PrivateKeyPath), 0700)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create directory for private key: %w", err)
+		}
+		err = os.WriteFile(i.Config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
@@ -212,7 +221,7 @@ func NewOIDCService(
 		if block == nil {
 			return nil, errors.New("failed to decode private key")
 		}
-		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse private key: %w", err)
@@ -221,7 +230,7 @@ func NewOIDCService(
 
 	var publicKey crypto.PublicKey
 
-	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(i.Config.OIDC.PublicKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to read public key: %w", err)
@@ -237,8 +246,12 @@ func NewOIDCService(
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
+		i.Log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PublicKeyPath), 0700)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create directory for public key: %w", err)
+		}
+		err = os.WriteFile(i.Config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, err
 		}
@@ -247,7 +260,7 @@ func NewOIDCService(
 		if block == nil {
 			return nil, errors.New("failed to decode public key")
 		}
-		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
@@ -277,7 +290,7 @@ func NewOIDCService(
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
 
-	for id, client := range config.OIDC.Clients {
+	for id, client := range i.Config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
@@ -293,15 +306,15 @@ func NewOIDCService(
 		}
 		client.ClientSecretFile = ""
 		clients[id] = client
-		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		i.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}
 
 	// Initialize the service
 	service := &OIDCService{
-		log:     log,
-		config:  config,
-		runtime: runtime,
-		queries: queries,
+		log:     i.Log,
+		config:  i.Config,
+		runtime: i.Runtime,
+		queries: i.Queries,
 
 		clients:    clients,
 		privateKey: privateKey,
@@ -310,7 +323,7 @@ func NewOIDCService(
 	}
 
 	// Start cleanup routine
-	dg.Go(service.cleanupRoutine, ding.RingMinor)
+	i.Ding.Go(service.cleanupRoutine, ding.RingMinor)
 
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
@@ -322,7 +335,7 @@ func NewOIDCService(
 	service.caches.authorize = authorize
 
 	// Start cache cleanup routine
-	dg.Go(func(ctx context.Context) {
+	i.Ding.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 
@@ -889,63 +902,32 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
-	var req AuthorizeRequest
-
-	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
+	var claims jwt.MapClaims
 
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 
-	claims, ok := token.Claims.(*AuthorizeRequest)
+	alg, ok := token.Header["alg"].(string)
 
-	if !ok {
-		return nil, errors.New("failed to parse claims from authorize request jwt")
+	if !ok || alg != "none" || string(token.Signature) != "" {
+		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
 	}
 
-	return claims, nil
-}
-
-func (service *OIDCService) CreateConsentEntry(ctx context.Context, clientId string, scope string) (string, error) {
-	u := uuid.New()
-
-	entry := repository.CreateOIDCConsentParams{
-		UUID:     u.String(),
-		ClientID: clientId,
-		Scopes:   scope,
+	get := func(k string) string {
+		v, _ := claims[k].(string)
+		return v
 	}
 
-	_, err := service.queries.CreateOIDCConsent(ctx, entry)
-
-	if err != nil {
-		return "", err
-	}
-
-	return entry.UUID, nil
-}
-
-func (service *OIDCService) GetConsentEntry(ctx context.Context, uuid string) (*repository.OidcConsent, error) {
-	entry, err := service.queries.GetOIDCConsentByUUID(ctx, uuid)
-
-	if err != nil {
-		if errors.Is(err, repository.ErrNotFound) {
-			return nil, nil
-		}
-		return nil, err
-	}
-
-	return &entry, nil
-}
-
-func (service *OIDCService) DeleteConsentEntry(ctx context.Context, uuid string) error {
-	return service.queries.DeleteOIDCConsentByUUID(ctx, uuid)
-}
-
-func (service *OIDCService) UpdateConsentEntry(ctx context.Context, uuid string, scopes string) error {
-	_, err := service.queries.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
-		UUID:   uuid,
-		Scopes: scopes,
-	})
-
-	return err
+	return &AuthorizeRequest{
+		Scope:               get("scope"),
+		ResponseType:        get("response_type"),
+		ClientID:            get("client_id"),
+		RedirectURI:         get("redirect_uri"),
+		State:               get("state"),
+		Nonce:               get("nonce"),
+		CodeChallenge:       get("code_challenge"),
+		CodeChallengeMethod: get("code_challenge_method"),
+	}, nil
 }

internal/service/policy_engine.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 )
 
 type Policy string
@@ -40,21 +41,28 @@ type PolicyEngine struct {
 	policy Policy
 }
 
-func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
+type PolicyEngineInput struct {
+	dig.In
+
+	Log    *logger.Logger
+	Config *model.Config
+}
+
+func NewPolicyEngine(i PolicyEngineInput) (*PolicyEngine, error) {
 	engine := PolicyEngine{
-		log:   log,
+		log:   i.Log,
 		rules: make(map[RuleName]Rule),
 	}
 
-	switch config.Auth.ACLs.Policy {
+	switch i.Config.Auth.ACLs.Policy {
 	case string(PolicyAllow):
-		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		i.Log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 		engine.policy = PolicyAllow
 	case string(PolicyDeny):
-		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		i.Log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 		engine.policy = PolicyDeny
 	default:
-		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
+		return nil, fmt.Errorf("invalid acl policy: %s", i.Config.Auth.ACLs.Policy)
 	}
 
 	return &engine, nil

internal/service/tailscale_service.go

@@ -12,6 +12,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"go.uber.org/dig"
 	"tailscale.com/client/local"
 	"tailscale.com/tsnet"
 )
@@ -25,7 +26,7 @@ type TailscaleWhoisResponse struct {
 
 type TailscaleService struct {
 	log    *logger.Logger
-	config model.Config
+	config *model.Config
 	ctx    context.Context
 
 	srv *tsnet.Server
@@ -34,22 +35,31 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
 
-func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
-	if !config.Tailscale.Enabled {
+type TailscaleServiceInput struct {
+	dig.In
+
+	Log    *logger.Logger
+	Config *model.Config
+	Ctx    context.Context
+	Ding   *ding.Ding
+}
+
+func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
+	if !i.Config.Tailscale.Enabled {
 		return nil, nil
 	}
 
 	srv := new(tsnet.Server)
 
 	// node options
-	srv.Dir = config.Tailscale.Dir
-	srv.Hostname = config.Tailscale.Hostname
-	srv.AuthKey = config.Tailscale.AuthKey
-	srv.Ephemeral = config.Tailscale.Ephemeral
+	srv.Dir = i.Config.Tailscale.Dir
+	srv.Hostname = i.Config.Tailscale.Hostname
+	srv.AuthKey = i.Config.Tailscale.AuthKey
+	srv.Ephemeral = i.Config.Tailscale.Ephemeral
 
 	// redirect logs to zerolog
-	srv.Logf = log.App.Printf
-	srv.UserLogf = log.App.Printf
+	srv.Logf = i.Log.App.Printf
+	srv.UserLogf = i.Log.App.Printf
 
 	err := srv.Start()
 
@@ -65,14 +75,14 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 	}
 
 	service := &TailscaleService{
-		log:    log,
-		config: config,
-		ctx:    ctx,
+		log:    i.Log,
+		config: i.Config,
+		ctx:    i.Ctx,
 		srv:    srv,
 		lc:     lc,
 	}
 
-	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	connectCtx, cancel := context.WithTimeout(i.Ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
 	defer cancel()
 
 	err = service.waitForConn(connectCtx)
@@ -82,7 +92,7 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
 
-	dg.Go(service.watchAndClose, ding.RingMajor)
+	i.Ding.Go(service.watchAndClose, ding.RingMajor)
 
 	return service, nil
 }

internal/test/test.go

@@ -1,7 +1,6 @@
 package test
 
 import (
-	"context"
 	"path/filepath"
 	"testing"
 
@@ -134,11 +133,3 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 
 	return config, runtime
 }
-
-func CreateTestHelpers() *model.RuntimeHelpers {
-	return &model.RuntimeHelpers{
-		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
-			return "example.com", nil
-		},
-	}
-}

sql/postgres/oidc_queries.sql

@@ -46,28 +46,3 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING *;
-
--- name: CreateOIDCConsent :one
-INSERT INTO "oidc_consent" (
-    "uuid",
-    "client_id",
-    "scopes"
-) VALUES (
-    $1, $2, $3
-)
-RETURNING *;
-
--- name: GetOIDCConsentByUUID :one
-SELECT * FROM "oidc_consent"
-WHERE "uuid" = $1;
-
--- name: UpdateOIDCConsent :one
-UPDATE "oidc_consent" SET
-    "scopes" = $1,
-    "updated_at" = CURRENT_TIMESTAMP
-WHERE "uuid" = $2
-RETURNING *;
-
--- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_consent"
-WHERE "uuid" = $1;

sql/postgres/oidc_schemas.sql

@@ -9,11 +9,3 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT '',
     "userinfo_json" TEXT NOT NULL
 );
-
-CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "client_id" TEXT NOT NULL,
-    "scopes" TEXT NOT NULL,
-    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
-);

sql/sqlite/oidc_queries.sql

@@ -46,28 +46,3 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING *;
-
--- name: CreateOIDCConsent :one
-INSERT INTO "oidc_consent" (
-    "uuid",
-    "client_id",
-    "scopes"
-) VALUES (
-    ?, ?, ?
-)
-RETURNING *;
-
--- name: GetOIDCConsentByUUID :one
-SELECT * FROM "oidc_consent"
-WHERE "uuid" = ?;
-
--- name: UpdateOIDCConsent :one
-UPDATE "oidc_consent" SET
-    "scopes" = ?,
-    "updated_at" = CURRENT_TIMESTAMP
-WHERE "uuid" = ?
-RETURNING *;
-
--- name: DeleteOIDCConsentByUUID :exec
-DELETE FROM "oidc_consent"
-WHERE "uuid" = ?;

sql/sqlite/oidc_schemas.sql

@@ -9,11 +9,3 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT "",
     "userinfo_json" TEXT NOT NULL
 );
-
-CREATE TABLE IF NOT EXISTS "oidc_consent" (
-    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "client_id" TEXT NOT NULL,
-    "scopes" TEXT NOT NULL,
-    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
-);