chore: update contributing guide to reference ai policy

.github/workflows/ci.yml

@@ -5,21 +5,18 @@ on:
       - main
   pull_request:
 
-permissions:
-  contents: read
-
 jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Setup bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
 
       - name: Setup go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
         with:
           go-version: "^1.26.0"
 
@@ -53,6 +50,6 @@ jobs:
         run: go test -coverprofile=coverage.txt -v ./...
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/nightly.yml

@@ -4,16 +4,12 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
-permissions:
-  contents: write
-  packages: write
-
 jobs:
   create-release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Delete old release
         run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -23,7 +19,7 @@ jobs:
           REPO: ${{ github.event.repository.name }}
 
       - name: Create release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
         with:
           prerelease: true
           tag_name: nightly
@@ -37,7 +33,7 @@ jobs:
       BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
@@ -55,15 +51,15 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
 
       - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
         with:
           go-version: "^1.26.0"
 
@@ -89,7 +85,7 @@ jobs:
           CGO_ENABLED: 0
 
       - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: tinyauth-amd64
           path: tinyauth-amd64
@@ -101,15 +97,15 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
 
       - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
         with:
           go-version: "^1.26.0"
 
@@ -135,7 +131,7 @@ jobs:
           CGO_ENABLED: 0
 
       - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: tinyauth-arm64
           path: tinyauth-arm64
@@ -147,28 +143,28 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/amd64
@@ -190,7 +186,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-linux-amd64
           path: ${{ runner.temp }}/digests/*
@@ -205,28 +201,28 @@ jobs:
       - image-build
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/amd64
@@ -249,7 +245,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-distroless-linux-amd64
           path: ${{ runner.temp }}/digests/*
@@ -263,28 +259,28 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/arm64
@@ -306,7 +302,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-linux-arm64
           path: ${{ runner.temp }}/digests/*
@@ -321,28 +317,28 @@ jobs:
       - image-build-arm
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
         with:
           ref: nightly
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/arm64
@@ -365,7 +361,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-distroless-linux-arm64
           path: ${{ runner.temp }}/digests/*
@@ -379,25 +375,25 @@ jobs:
       - image-build-arm
     steps:
       - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
           flavor: |
@@ -418,25 +414,25 @@ jobs:
       - image-build-arm-distroless
     steps:
       - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-distroless-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
           flavor: |
@@ -456,14 +452,14 @@ jobs:
       - binary-build
       - binary-build-arm
     steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v8
         with:
           pattern: tinyauth-*
           path: binaries
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*
           tag_name: nightly

.github/workflows/release.yml

@@ -5,10 +5,6 @@ on:
     tags:
       - "v*"
 
-permissions:
-  contents: write
-  packages: write
-
 jobs:
   generate-metadata:
     runs-on: ubuntu-latest
@@ -18,7 +14,7 @@ jobs:
       BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Generate metadata
         id: metadata
@@ -33,13 +29,13 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
 
       - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
         with:
           go-version: "^1.26.0"
 
@@ -65,7 +61,7 @@ jobs:
           CGO_ENABLED: 0
 
       - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: tinyauth-amd64
           path: tinyauth-amd64
@@ -76,13 +72,13 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
 
       - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
         with:
           go-version: "^1.26.0"
 
@@ -108,7 +104,7 @@ jobs:
           CGO_ENABLED: 0
 
       - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: tinyauth-arm64
           path: tinyauth-arm64
@@ -119,26 +115,26 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/amd64
@@ -160,7 +156,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-linux-amd64
           path: ${{ runner.temp }}/digests/*
@@ -174,26 +170,26 @@ jobs:
       - image-build
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/amd64
@@ -216,7 +212,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-distroless-linux-amd64
           path: ${{ runner.temp }}/digests/*
@@ -229,26 +225,26 @@ jobs:
       - generate-metadata
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/arm64
@@ -270,7 +266,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-linux-arm64
           path: ${{ runner.temp }}/digests/*
@@ -284,26 +280,26 @@ jobs:
       - image-build-arm
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
         id: build
         with:
           platforms: linux/arm64
@@ -326,7 +322,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: digests-distroless-linux-arm64
           path: ${{ runner.temp }}/digests/*
@@ -340,25 +336,25 @@ jobs:
       - image-build-arm
     steps:
       - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
           flavor: |
@@ -381,25 +377,25 @@ jobs:
       - image-build-arm-distroless
     steps:
       - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-distroless-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/${{ github.repository_owner }}/tinyauth
           flavor: |
@@ -423,13 +419,13 @@ jobs:
       - binary-build
       - binary-build-arm
     steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v8
         with:
           pattern: tinyauth-*
           path: binaries
           merge-multiple: true
 
       - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
         with:
           files: binaries/*

.github/workflows/scorecard.yml

@@ -38,6 +38,6 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: results.sarif

.github/workflows/sponsors.yml

@@ -2,19 +2,15 @@ name: Generate Sponsors List
 on:
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   generate-sponsors:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6.0.2
 
       - name: Generate Sponsors
-        uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1
+        uses: JamesIves/github-sponsors-readme-action@v1
         with:
           token: ${{ secrets.SPONSORS_GENERATOR_PAT }}
           active-only: false
@@ -22,7 +18,7 @@ jobs:
           template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="64px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
+        uses: peter-evans/create-pull-request@v8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: |

.github/workflows/stale.yml

@@ -3,15 +3,11 @@ on:
   schedule:
     - cron: 0 10 * * *
 
-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+      - uses: actions/stale@v10
         with:
           days-before-stale: 30
           stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.

frontend/src/lib/i18n/locales/en.json

@@ -80,9 +80,5 @@
     "profileScopeDescription": "Allows the app to access your profile information.",
     "groupsScopeName": "Groups",
     "groupsScopeDescription": "Allows the app to access your group information.",
-    "backToLoginButton": "Back to login",
+    "backToLoginButton": "Back to login"
-    "phoneScopeName": "Phone",
-    "phoneScopeDescription": "Allows the app to access your phone number.",
-    "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address."
 }

frontend/src/pages/authorize-page.tsx

@@ -17,7 +17,7 @@ import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
-import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
+import { Mail, Shield, User, Users } from "lucide-react";
 import {
   Tooltip,
   TooltipContent,
@@ -61,18 +61,6 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
       description: t("groupsScopeDescription"),
       icon: <Users {...scopeMapIconProps} />,
     },
-    {
-      id: "phone",
-      name: t("phoneScopeName"),
-      description: t("phoneScopeDescription"),
-      icon: <Phone {...scopeMapIconProps} />,
-    },
-    {
-      id: "address",
-      name: t("addressScopeName"),
-      description: t("addressScopeDescription"),
-      icon: <MapPin {...scopeMapIconProps} />,
-    },
   ];
 };
 

internal/assets/migrations/000009_oidc_userinfo_profile.down.sql

@@ -1,13 +0,0 @@
-ALTER TABLE "oidc_userinfo" DROP COLUMN "given_name";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "family_name";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "middle_name";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "nickname";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "profile";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "picture";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "website";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "gender";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "birthdate";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "zoneinfo";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "locale";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "phone_number";
-ALTER TABLE "oidc_userinfo" DROP COLUMN "address";

internal/assets/migrations/000009_oidc_userinfo_profile.up.sql

@@ -1,13 +0,0 @@
-ALTER TABLE "oidc_userinfo" ADD COLUMN "given_name"             TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "family_name"            TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "middle_name"            TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "nickname"               TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "profile"                TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "picture"                TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "website"                TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "gender"                 TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "birthdate"              TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "zoneinfo"               TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "locale"                 TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number"           TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "address"                TEXT    NOT NULL DEFAULT "{}";

internal/bootstrap/app_bootstrap.go

@@ -63,7 +63,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Parse users
-	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
+	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 
 	if err != nil {
 		return err

internal/config/config.go

@@ -113,43 +113,15 @@ type ServerConfig struct {
 }
 
 type AuthConfig struct {
-	IP                 IPConfig                  `description:"IP whitelisting config options." yaml:"ip"`
+	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
-	Users              []string                  `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
+	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
-	UserAttributes     map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
+	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
-	UsersFile          string                    `description:"Path to the users file." yaml:"usersFile"`
+	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
-	SecureCookie       bool                      `description:"Enable secure cookies." yaml:"secureCookie"`
+	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
-	SessionExpiry      int                       `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
+	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
-	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
+	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
-	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
+	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
-	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
+	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
-	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
-}
-
-type UserAttributes struct {
-	Name        string       `description:"Full name of the user." yaml:"name"`
-	GivenName   string       `description:"Given (first) name of the user." yaml:"givenName"`
-	FamilyName  string       `description:"Family (last) name of the user." yaml:"familyName"`
-	MiddleName  string       `description:"Middle name of the user." yaml:"middleName"`
-	Nickname    string       `description:"Nickname of the user." yaml:"nickname"`
-	Profile     string       `description:"URL of the user's profile page." yaml:"profile"`
-	Picture     string       `description:"URL of the user's profile picture." yaml:"picture"`
-	Website     string       `description:"URL of the user's website." yaml:"website"`
-	Email       string       `description:"Email address of the user." yaml:"email"`
-	Gender      string       `description:"Gender of the user." yaml:"gender"`
-	Birthdate   string       `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
-	Zoneinfo    string       `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
-	Locale      string       `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
-	PhoneNumber string       `description:"Phone number of the user." yaml:"phoneNumber"`
-	Address     AddressClaim `description:"Address of the user." yaml:"address"`
-}
-
-type AddressClaim struct {
-	Formatted     string `description:"Full mailing address, formatted for display." yaml:"formatted" json:"formatted,omitempty"`
-	StreetAddress string `description:"Street address." yaml:"streetAddress" json:"street_address,omitempty"`
-	Locality      string `description:"City or locality." yaml:"locality" json:"locality,omitempty"`
-	Region        string `description:"State, province, or region." yaml:"region" json:"region,omitempty"`
-	PostalCode    string `description:"Zip or postal code." yaml:"postalCode" json:"postal_code,omitempty"`
-	Country       string `description:"Country." yaml:"country" json:"country,omitempty"`
 }
 
 type IPConfig struct {
@@ -256,7 +228,6 @@ type User struct {
 	Username   string
 	Password   string
 	TotpSecret string
-	Attributes UserAttributes
 }
 
 type LdapUser struct {
@@ -283,7 +254,6 @@ type UserContext struct {
 	OAuthName   string
 	OAuthSub    string
 	LdapGroups  string
-	Attributes  UserAttributes
 }
 
 // API responses and queries

internal/controller/user_controller.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -106,32 +105,16 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	controller.auth.RecordLoginAttempt(req.Username, true)
 
-	var localUser *config.User
 	if userSearch.Type == "local" {
 		user := controller.auth.GetLocalUser(userSearch.Username)
-		localUser = &user
-	}
-
-	if userSearch.Type == "local" && localUser != nil {
-		user := *localUser
 
 		if user.TotpSecret != "" {
 			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
 
-			name := user.Attributes.Name
-			if name == "" {
-				name = utils.Capitalize(user.Username)
-			}
-
-			email := user.Attributes.Email
-			if email == "" {
-				email = utils.CompileUserEmail(user.Username, controller.config.CookieDomain)
-			}
-
 			err := controller.auth.CreateSessionCookie(c, &repository.Session{
 				Username:    user.Username,
-				Name:        name,
+				Name:        utils.Capitalize(user.Username),
-				Email:       email,
+				Email:       utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 				Provider:    "local",
 				TotpPending: true,
 			})
@@ -161,15 +144,6 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		Provider: "local",
 	}
 
-	if userSearch.Type == "local" && localUser != nil {
-		if localUser.Attributes.Name != "" {
-			sessionCookie.Name = localUser.Attributes.Name
-		}
-		if localUser.Attributes.Email != "" {
-			sessionCookie.Email = localUser.Attributes.Email
-		}
-	}
-
 	if userSearch.Type == "ldap" {
 		sessionCookie.Provider = "ldap"
 	}
@@ -284,13 +258,6 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		Provider: "local",
 	}
 
-	if user.Attributes.Name != "" {
-		sessionCookie.Name = user.Attributes.Name
-	}
-	if user.Attributes.Email != "" {
-		sessionCookie.Email = user.Attributes.Email
-	}
-
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
 
 	err = controller.auth.CreateSessionCookie(c, &sessionCookie)

internal/controller/user_controller_test.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net/http/httptest"
 	"path"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -35,23 +36,6 @@ func TestUserController(t *testing.T) {
 				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
 				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
 			},
-			{
-				Username: "attruser",
-				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				Attributes: config.UserAttributes{
-					Name:  "Alice Smith",
-					Email: "alice@example.com",
-				},
-			},
-			{
-				Username:   "attrtotpuser",
-				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
-				Attributes: config.UserAttributes{
-					Name:  "Bob Jones",
-					Email: "bob@example.com",
-				},
-			},
 		},
 		SessionExpiry:     10, // 10 seconds, useful for testing
 		CookieDomain:      "example.com",
@@ -289,64 +273,6 @@ func TestUserController(t *testing.T) {
 				assert.Contains(t, recorder.Body.String(), "Too many failed TOTP attempts.")
 			},
 		},
-		{
-			description: "Login uses name and email from user attributes",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{Username: "attruser", Password: "password"}
-				body, err := json.Marshal(loginReq)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(body)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				require.Equal(t, 200, recorder.Code)
-				cookies := recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
-				assert.Equal(t, "tinyauth-session", cookies[0].Name)
-			},
-		},
-		{
-			description: "Login with TOTP uses name and email from user attributes in pending session",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := controller.LoginRequest{Username: "attrtotpuser", Password: "password"}
-				body, err := json.Marshal(loginReq)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(body)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				require.Equal(t, 200, recorder.Code)
-				var res map[string]any
-				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
-				assert.Equal(t, true, res["totpPending"])
-				require.Len(t, recorder.Result().Cookies(), 1)
-			},
-		},
-		{
-			description: "TOTP completion uses name and email from user attributes",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				require.NoError(t, err)
-
-				totpReq := controller.TotpRequest{Code: code}
-				body, err := json.Marshal(totpReq)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(body)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				require.Equal(t, 200, recorder.Code)
-				cookies := recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
-				assert.Equal(t, "tinyauth-session", cookies[0].Name)
-			},
-		},
 	}
 
 	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
@@ -379,31 +305,9 @@ func TestUserController(t *testing.T) {
 		authService.ClearRateLimitsTestingOnly()
 	}
 
-	setTotpMiddlewareOverrides := map[string]config.UserContext{
+	setTotpMiddlewareOverrides := []string{
-		"Should be able to login with totp": {
+		"Should be able to login with totp",
-			Username:    "totpuser",
+		"Totp should rate limit on multiple invalid attempts",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"Totp should rate limit on multiple invalid attempts": {
-			Username:    "totpuser",
-			Name:        "Totpuser",
-			Email:       "totpuser@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
-		"TOTP completion uses name and email from user attributes": {
-			Username:    "attrtotpuser",
-			Name:        "Bob Jones",
-			Email:       "bob@example.com",
-			Provider:    "local",
-			TotpPending: true,
-			TotpEnabled: true,
-		},
 	}
 
 	for _, test := range tests {
@@ -417,10 +321,18 @@ func TestUserController(t *testing.T) {
 
 			// Gin is stupid and doesn't allow setting a middleware after the groups
 			// so we need to do some stupid overrides here
-			if ctx, ok := setTotpMiddlewareOverrides[test.description]; ok {
+			if slices.Contains(setTotpMiddlewareOverrides, test.description) {
-				ctx := ctx
+				// Assuming the cookie is set, it should be picked up by the
+				// context middleware
 				router.Use(func(c *gin.Context) {
-					c.Set("context", &ctx)
+					c.Set("context", &config.UserContext{
+						Username:    "totpuser",
+						Name:        "Totpuser",
+						Email:       "totpuser@example.com",
+						Provider:    "local",
+						TotpPending: true,
+						TotpEnabled: true,
+					})
 				})
 			}
 

internal/controller/well_known_controller.go

@@ -61,7 +61,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		SubjectTypesSupported:                  []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
 		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
+		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
 		RequestParameterSupported:              true,
 		RequestObjectSigningAlgValuesSupported: []string{"none"},

internal/controller/well_known_controller_test.go

@@ -67,7 +67,7 @@ func TestWellKnownController(t *testing.T) {
 					SubjectTypesSupported:                  []string{"pairwise"},
 					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
 					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
+					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
 					RequestParameterSupported:              true,
 					RequestObjectSigningAlgValuesSupported: []string{"none"},

internal/middleware/context_middleware.go

@@ -99,7 +99,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			}
 
 			var ldapGroups []string
-			var localAttributes config.UserAttributes
 
 			if cookie.Provider == "ldap" {
 				ldapUser, err := m.auth.GetLdapUser(userSearch.Username)
@@ -113,11 +112,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				ldapGroups = ldapUser.Groups
 			}
 
-			if cookie.Provider == "local" {
-				localUser := m.auth.GetLocalUser(cookie.Username)
-				localAttributes = localUser.Attributes
-			}
-
 			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
@@ -126,7 +120,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:   cookie.Provider,
 				IsLoggedIn: true,
 				LdapGroups: strings.Join(ldapGroups, ","),
-				Attributes: localAttributes,
 			})
 			c.Next()
 			return
@@ -209,23 +202,13 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				return
 			}
 
-			name := utils.Capitalize(user.Username)
-			if user.Attributes.Name != "" {
-				name = user.Attributes.Name
-			}
-			email := utils.CompileUserEmail(user.Username, m.config.CookieDomain)
-			if user.Attributes.Email != "" {
-				email = user.Attributes.Email
-			}
-
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
-				Name:        name,
+				Name:        utils.Capitalize(user.Username),
-				Email:       email,
+				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
 				IsBasicAuth: true,
-				Attributes:  user.Attributes,
 			})
 			c.Next()
 			return

internal/repository/models.go

@@ -34,19 +34,6 @@ type OidcUserinfo struct {
 	Email             string
 	Groups            string
 	UpdatedAt         int64
-	GivenName         string
-	FamilyName        string
-	MiddleName        string
-	Nickname          string
-	Profile           string
-	Picture           string
-	Website           string
-	Gender            string
-	Birthdate         string
-	Zoneinfo          string
-	Locale            string
-	PhoneNumber       string
-	Address           string
 }
 
 type Session struct {

internal/repository/oidc_queries.sql.go

@@ -124,24 +124,11 @@ INSERT INTO "oidc_userinfo" (
     "preferred_username",
     "email",
     "groups",
-    "updated_at",
+    "updated_at"
-    "given_name",
-    "family_name",
-    "middle_name",
-    "nickname",
-    "profile",
-    "picture",
-    "website",
-    "gender",
-    "birthdate",
-    "zoneinfo",
-    "locale",
-    "phone_number",
-    "address"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
+RETURNING sub, name, preferred_username, email, "groups", updated_at
 `
 
 type CreateOidcUserInfoParams struct {
@@ -151,19 +138,6 @@ type CreateOidcUserInfoParams struct {
 	Email             string
 	Groups            string
 	UpdatedAt         int64
-	GivenName         string
-	FamilyName        string
-	MiddleName        string
-	Nickname          string
-	Profile           string
-	Picture           string
-	Website           string
-	Gender            string
-	Birthdate         string
-	Zoneinfo          string
-	Locale            string
-	PhoneNumber       string
-	Address           string
 }
 
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
@@ -174,19 +148,6 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
-		arg.GivenName,
-		arg.FamilyName,
-		arg.MiddleName,
-		arg.Nickname,
-		arg.Profile,
-		arg.Picture,
-		arg.Website,
-		arg.Gender,
-		arg.Birthdate,
-		arg.Zoneinfo,
-		arg.Locale,
-		arg.PhoneNumber,
-		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
@@ -196,19 +157,6 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
-		&i.GivenName,
-		&i.FamilyName,
-		&i.MiddleName,
-		&i.Nickname,
-		&i.Profile,
-		&i.Picture,
-		&i.Website,
-		&i.Gender,
-		&i.Birthdate,
-		&i.Zoneinfo,
-		&i.Locale,
-		&i.PhoneNumber,
-		&i.Address,
 	)
 	return i, err
 }
@@ -508,7 +456,7 @@ func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken,
 }
 
 const getOidcUserInfo = `-- name: GetOidcUserInfo :one
-SELECT sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+SELECT sub, name, preferred_username, email, "groups", updated_at FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
 
@@ -522,19 +470,6 @@ func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
-		&i.GivenName,
-		&i.FamilyName,
-		&i.MiddleName,
-		&i.Nickname,
-		&i.Profile,
-		&i.Picture,
-		&i.Website,
-		&i.Gender,
-		&i.Birthdate,
-		&i.Zoneinfo,
-		&i.Locale,
-		&i.PhoneNumber,
-		&i.Address,
 	)
 	return i, err
 }

internal/service/oidc_service.go

@@ -28,7 +28,7 @@ import (
 )
 
 var (
-	SupportedScopes        = []string{"openid", "profile", "email", "phone", "address", "groups"}
+	SupportedScopes        = []string{"openid", "profile", "email", "groups"}
 	SupportedResponseTypes = []string{"code"}
 	SupportedGrantTypes    = []string{"authorization_code", "refresh_token"}
 )
@@ -48,17 +48,6 @@ type ClaimSet struct {
 	Iat               int64    `json:"iat"`
 	Exp               int64    `json:"exp"`
 	Name              string   `json:"name,omitempty"`
-	GivenName         string   `json:"given_name,omitempty"`
-	FamilyName        string   `json:"family_name,omitempty"`
-	MiddleName        string   `json:"middle_name,omitempty"`
-	Nickname          string   `json:"nickname,omitempty"`
-	Profile           string   `json:"profile,omitempty"`
-	Picture           string   `json:"picture,omitempty"`
-	Website           string   `json:"website,omitempty"`
-	Gender            string   `json:"gender,omitempty"`
-	Birthdate         string   `json:"birthdate,omitempty"`
-	Zoneinfo          string   `json:"zoneinfo,omitempty"`
-	Locale            string   `json:"locale,omitempty"`
 	Email             string   `json:"email,omitempty"`
 	EmailVerified     bool     `json:"email_verified,omitempty"`
 	PreferredUsername string   `json:"preferred_username,omitempty"`
@@ -67,27 +56,13 @@ type ClaimSet struct {
 }
 
 type UserinfoResponse struct {
-	Sub                 string               `json:"sub"`
+	Sub               string   `json:"sub"`
-	Name                string               `json:"name,omitempty"`
+	Name              string   `json:"name,omitempty"`
-	GivenName           string               `json:"given_name,omitempty"`
+	Email             string   `json:"email,omitempty"`
-	FamilyName          string               `json:"family_name,omitempty"`
+	PreferredUsername string   `json:"preferred_username,omitempty"`
-	MiddleName          string               `json:"middle_name,omitempty"`
+	Groups            []string `json:"groups,omitempty"`
-	Nickname            string               `json:"nickname,omitempty"`
+	EmailVerified     bool     `json:"email_verified,omitempty"`
-	Profile             string               `json:"profile,omitempty"`
+	UpdatedAt         int64    `json:"updated_at"`
-	Picture             string               `json:"picture,omitempty"`
-	Website             string               `json:"website,omitempty"`
-	Gender              string               `json:"gender,omitempty"`
-	Birthdate           string               `json:"birthdate,omitempty"`
-	Zoneinfo            string               `json:"zoneinfo,omitempty"`
-	Locale              string               `json:"locale,omitempty"`
-	Email               string               `json:"email,omitempty"`
-	PreferredUsername   string               `json:"preferred_username,omitempty"`
-	Groups              []string             `json:"groups,omitempty"`
-	EmailVerified       bool                 `json:"email_verified,omitempty"`
-	PhoneNumber         string               `json:"phone_number,omitempty"`
-	PhoneNumberVerified *bool                `json:"phone_number_verified,omitempty"`
-	Address             *config.AddressClaim `json:"address,omitempty"`
-	UpdatedAt           int64                `json:"updated_at"`
 }
 
 type TokenResponse struct {
@@ -367,30 +342,12 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 }
 
 func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContext config.UserContext, req AuthorizeRequest) error {
-	addressJSON, err := json.Marshal(userContext.Attributes.Address)
-	if err != nil {
-		return err
-	}
-
 	userInfoParams := repository.CreateOidcUserInfoParams{
 		Sub:               sub,
 		Name:              userContext.Name,
 		Email:             userContext.Email,
 		PreferredUsername: userContext.Username,
 		UpdatedAt:         time.Now().Unix(),
-		GivenName:         userContext.Attributes.GivenName,
-		FamilyName:        userContext.Attributes.FamilyName,
-		MiddleName:        userContext.Attributes.MiddleName,
-		Nickname:          userContext.Attributes.Nickname,
-		Profile:           userContext.Attributes.Profile,
-		Picture:           userContext.Attributes.Picture,
-		Website:           userContext.Attributes.Website,
-		Gender:            userContext.Attributes.Gender,
-		Birthdate:         userContext.Attributes.Birthdate,
-		Zoneinfo:          userContext.Attributes.Zoneinfo,
-		Locale:            userContext.Attributes.Locale,
-		PhoneNumber:       userContext.Attributes.PhoneNumber,
-		Address:           string(addressJSON),
 	}
 
 	// Tinyauth will pass through the groups it got from an LDAP or an OIDC server
@@ -402,7 +359,7 @@ func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContex
 		userInfoParams.Groups = userContext.OAuthGroups
 	}
 
-	_, err = service.queries.CreateOidcUserInfo(c, userInfoParams)
+	_, err := service.queries.CreateOidcUserInfo(c, userInfoParams)
 
 	return err
 }
@@ -680,22 +637,12 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	if slices.Contains(scopes, "profile") {
 		userInfo.Name = user.Name
 		userInfo.PreferredUsername = user.PreferredUsername
-		userInfo.GivenName = user.GivenName
-		userInfo.FamilyName = user.FamilyName
-		userInfo.MiddleName = user.MiddleName
-		userInfo.Nickname = user.Nickname
-		userInfo.Profile = user.Profile
-		userInfo.Picture = user.Picture
-		userInfo.Website = user.Website
-		userInfo.Gender = user.Gender
-		userInfo.Birthdate = user.Birthdate
-		userInfo.Zoneinfo = user.Zoneinfo
-		userInfo.Locale = user.Locale
 	}
 
 	if slices.Contains(scopes, "email") {
 		userInfo.Email = user.Email
-		userInfo.EmailVerified = user.Email != ""
+		// We can set this as a configuration option in the future but for now it's a good idea to assume it's true
+		userInfo.EmailVerified = true
 	}
 
 	if slices.Contains(scopes, "groups") {
@@ -706,19 +653,6 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 		}
 	}
 
-	if slices.Contains(scopes, "phone") {
-		userInfo.PhoneNumber = user.PhoneNumber
-		verified := user.PhoneNumber != ""
-		userInfo.PhoneNumberVerified = &verified
-	}
-
-	if slices.Contains(scopes, "address") {
-		var addr config.AddressClaim
-		if err := json.Unmarshal([]byte(user.Address), &addr); err == nil {
-			userInfo.Address = &addr
-		}
-	}
-
 	return userInfo
 }
 

internal/service/oidc_service_test.go

@@ -1,198 +0,0 @@
-package service_test
-
-import (
-	"encoding/json"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/tinyauthapp/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
-)
-
-func newTestUser() repository.OidcUserinfo {
-	addr := config.AddressClaim{
-		Formatted:     "123 Main St",
-		StreetAddress: "123 Main St",
-		Locality:      "Springfield",
-		Region:        "IL",
-		PostalCode:    "62701",
-		Country:       "US",
-	}
-	addrJSON, _ := json.Marshal(addr)
-
-	return repository.OidcUserinfo{
-		Sub:               "test-sub",
-		Name:              "Test User",
-		PreferredUsername: "testuser",
-		Email:             "test@example.com",
-		Groups:            "admins,users",
-		UpdatedAt:         1234567890,
-		GivenName:         "Test",
-		FamilyName:        "User",
-		MiddleName:        "M",
-		Nickname:          "testy",
-		Profile:           "https://example.com/testuser",
-		Picture:           "https://example.com/testuser.jpg",
-		Website:           "https://testuser.example.com",
-		Gender:            "male",
-		Birthdate:         "1990-01-01",
-		Zoneinfo:          "America/Chicago",
-		Locale:            "en-US",
-		PhoneNumber:       "+15555550100",
-		Address:           string(addrJSON),
-	}
-}
-
-func TestCompileUserinfo(t *testing.T) {
-	dir := t.TempDir()
-	svc := service.NewOIDCService(service.OIDCServiceConfig{
-		PrivateKeyPath: dir + "/key.pem",
-		PublicKeyPath:  dir + "/key.pub",
-		Issuer:         "https://tinyauth.example.com",
-		SessionExpiry:  3600,
-	}, nil)
-	require.NoError(t, svc.Init())
-
-	type testCase struct {
-		description string
-		mutate      func(u *repository.OidcUserinfo)
-		scope       string
-		run         func(t *testing.T, info service.UserinfoResponse)
-	}
-
-	tests := []testCase{
-		{
-			description: "openid scope only returns sub and updated_at",
-			scope:       "openid",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, "test-sub", info.Sub)
-				assert.Equal(t, int64(1234567890), info.UpdatedAt)
-				assert.Empty(t, info.Name)
-				assert.Empty(t, info.Email)
-				assert.Nil(t, info.Groups)
-				assert.Nil(t, info.PhoneNumberVerified)
-				assert.Nil(t, info.Address)
-			},
-		},
-		{
-			description: "profile scope returns all profile fields",
-			scope:       "openid,profile",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, "Test User", info.Name)
-				assert.Equal(t, "testuser", info.PreferredUsername)
-				assert.Equal(t, "Test", info.GivenName)
-				assert.Equal(t, "User", info.FamilyName)
-				assert.Equal(t, "M", info.MiddleName)
-				assert.Equal(t, "testy", info.Nickname)
-				assert.Equal(t, "https://example.com/testuser", info.Profile)
-				assert.Equal(t, "https://example.com/testuser.jpg", info.Picture)
-				assert.Equal(t, "https://testuser.example.com", info.Website)
-				assert.Equal(t, "male", info.Gender)
-				assert.Equal(t, "1990-01-01", info.Birthdate)
-				assert.Equal(t, "America/Chicago", info.Zoneinfo)
-				assert.Equal(t, "en-US", info.Locale)
-				assert.Empty(t, info.Email)
-			},
-		},
-		{
-			description: "email scope sets email and email_verified true when email present",
-			scope:       "openid,email",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, "test@example.com", info.Email)
-				assert.True(t, info.EmailVerified)
-				assert.Empty(t, info.Name)
-			},
-		},
-		{
-			description: "email scope sets email_verified false when email absent",
-			scope:       "openid,email",
-			mutate:      func(u *repository.OidcUserinfo) { u.Email = "" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Empty(t, info.Email)
-				assert.False(t, info.EmailVerified)
-			},
-		},
-		{
-			description: "phone scope sets phone_number_verified true when phone present",
-			scope:       "openid,phone",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, "+15555550100", info.PhoneNumber)
-				require.NotNil(t, info.PhoneNumberVerified)
-				assert.True(t, *info.PhoneNumberVerified)
-			},
-		},
-		{
-			description: "phone scope sets phone_number_verified false when phone absent",
-			scope:       "openid,phone",
-			mutate:      func(u *repository.OidcUserinfo) { u.PhoneNumber = "" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				require.NotNil(t, info.PhoneNumberVerified)
-				assert.False(t, *info.PhoneNumberVerified)
-			},
-		},
-		{
-			description: "address scope returns parsed address",
-			scope:       "openid,address",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				require.NotNil(t, info.Address)
-				assert.Equal(t, "123 Main St", info.Address.Formatted)
-				assert.Equal(t, "123 Main St", info.Address.StreetAddress)
-				assert.Equal(t, "Springfield", info.Address.Locality)
-				assert.Equal(t, "IL", info.Address.Region)
-				assert.Equal(t, "62701", info.Address.PostalCode)
-				assert.Equal(t, "US", info.Address.Country)
-			},
-		},
-		{
-			description: "address scope with invalid JSON omits address",
-			scope:       "openid,address",
-			mutate:      func(u *repository.OidcUserinfo) { u.Address = "not-valid-json" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Nil(t, info.Address)
-			},
-		},
-		{
-			description: "groups scope returns split groups",
-			scope:       "openid,groups",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, []string{"admins", "users"}, info.Groups)
-			},
-		},
-		{
-			description: "groups scope returns empty slice when no groups",
-			scope:       "openid,groups",
-			mutate:      func(u *repository.OidcUserinfo) { u.Groups = "" },
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, []string{}, info.Groups)
-			},
-		},
-		{
-			description: "all scopes return all fields",
-			scope:       "openid,profile,email,phone,address,groups",
-			run: func(t *testing.T, info service.UserinfoResponse) {
-				assert.Equal(t, "Test User", info.Name)
-				assert.Equal(t, "test@example.com", info.Email)
-				assert.Equal(t, "+15555550100", info.PhoneNumber)
-				require.NotNil(t, info.PhoneNumberVerified)
-				assert.True(t, *info.PhoneNumberVerified)
-				require.NotNil(t, info.Address)
-				assert.Equal(t, "Springfield", info.Address.Locality)
-				assert.Equal(t, []string{"admins", "users"}, info.Groups)
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.description, func(t *testing.T) {
-			user := newTestUser()
-			if test.mutate != nil {
-				test.mutate(&user)
-			}
-			info := svc.CompileUserinfo(user, test.scope)
-			test.run(t, info)
-		})
-	}
-}

internal/utils/user_utils.go

@@ -9,7 +9,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/config"
 )
 
-func ParseUsers(usersStr []string, userAttributes map[string]config.UserAttributes) ([]config.User, error) {
+func ParseUsers(usersStr []string) ([]config.User, error) {
 	var users []config.User
 
 	if len(usersStr) == 0 {
@@ -24,16 +24,13 @@ func ParseUsers(usersStr []string, userAttributes map[string]config.UserAttribut
 		if err != nil {
 			return []config.User{}, err
 		}
-		if attrs, ok := userAttributes[parsed.Username]; ok {
-			parsed.Attributes = attrs
-		}
 		users = append(users, parsed)
 	}
 
 	return users, nil
 }
 
-func GetUsers(usersCfg []string, usersPath string, userAttributes map[string]config.UserAttributes) ([]config.User, error) {
+func GetUsers(usersCfg []string, usersPath string) ([]config.User, error) {
 	var usersStr []string
 
 	if len(usersCfg) == 0 && usersPath == "" {
@@ -62,7 +59,7 @@ func GetUsers(usersCfg []string, usersPath string, userAttributes map[string]con
 		}
 	}
 
-	return ParseUsers(usersStr, userAttributes)
+	return ParseUsers(usersStr)
 }
 
 func ParseUser(userStr string) (config.User, error) {

internal/utils/user_utils_test.go

@@ -4,117 +4,122 @@ import (
 	"os"
 	"testing"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 
 	"gotest.tools/v3/assert"
 )
 
 func TestGetUsers(t *testing.T) {
-	hash := "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G"
-
 	// Setup
 	file, err := os.Create("/tmp/tinyauth_users_test.txt")
 	assert.NilError(t, err)
 
-	_, err = file.WriteString("      user1:" + hash + "        \n         user2:" + hash + "                    ") // Spacing is on purpose
+	_, err = file.WriteString("      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        \n         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G                    ") // Spacing is on purpose
 	assert.NilError(t, err)
 
 	err = file.Close()
 	assert.NilError(t, err)
 	defer os.Remove("/tmp/tinyauth_users_test.txt")
 
-	noAttrs := map[string]config.UserAttributes{}
+	// Test file
-
+	users, err := utils.GetUsers([]string{}, "/tmp/tinyauth_users_test.txt")
-	// Test file only
-	users, err := utils.GetUsers([]string{}, "/tmp/tinyauth_users_test.txt", noAttrs)
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, 2, len(users))
 
 	assert.Equal(t, "user1", users[0].Username)
-	assert.Equal(t, hash, users[0].Password)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
 	assert.Equal(t, "user2", users[1].Username)
-	assert.Equal(t, hash, users[1].Password)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
 
-	// Test inline config only
+	// Test config
-	users, err = utils.GetUsers([]string{"user3:" + hash, "user4:" + hash}, "", noAttrs)
+	users, err = utils.GetUsers([]string{"user3:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "user4:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G"}, "")
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, 2, len(users))
+
 	assert.Equal(t, "user3", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
 	assert.Equal(t, "user4", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
 
 	// Test both
-	users, err = utils.GetUsers([]string{"user5:" + hash}, "/tmp/tinyauth_users_test.txt", noAttrs)
+	users, err = utils.GetUsers([]string{"user5:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G"}, "/tmp/tinyauth_users_test.txt")
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, 3, len(users))
 
-	usernames := map[string]bool{}
+	assert.Equal(t, "user5", users[0].Username)
-	for _, u := range users {
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
-		usernames[u.Username] = true
+	assert.Equal(t, "user1", users[1].Username)
-	}
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
-	assert.Assert(t, usernames["user1"])
+	assert.Equal(t, "user2", users[2].Username)
-	assert.Assert(t, usernames["user2"])
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[2].Password)
-	assert.Assert(t, usernames["user5"])
-
-	// Test attributes applied from userAttributes map
-	attrs := map[string]config.UserAttributes{
-		"user1": {Name: "User One", Email: "user1@example.com"},
-	}
-	users, err = utils.GetUsers([]string{}, "/tmp/tinyauth_users_test.txt", attrs)
-
-	assert.NilError(t, err)
-	assert.Equal(t, 2, len(users))
-
-	for _, u := range users {
-		if u.Username == "user1" {
-			assert.Equal(t, "User One", u.Attributes.Name)
-			assert.Equal(t, "user1@example.com", u.Attributes.Email)
-		}
-		if u.Username == "user2" {
-			assert.Equal(t, "", u.Attributes.Name)
-		}
-	}
 
 	// Test empty
-	users, err = utils.GetUsers([]string{}, "", noAttrs)
+	users, err = utils.GetUsers([]string{}, "")
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, 0, len(users))
 
 	// Test non-existent file
-	users, err = utils.GetUsers([]string{}, "/tmp/non_existent_file.txt", noAttrs)
+	users, err = utils.GetUsers([]string{}, "/tmp/non_existent_file.txt")
 
 	assert.ErrorContains(t, err, "no such file or directory")
 
 	assert.Equal(t, 0, len(users))
 }
 
-func TestParseUser(t *testing.T) {
+func TestParseUsers(t *testing.T) {
-	hash := "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G"
+	// Valid users
+	users, err := utils.ParseUsers([]string{"user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", "user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF"}) // user2 has TOTP
 
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user1", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "", users[0].TotpSecret)
+	assert.Equal(t, "user2", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
+
+	// Valid weirdly spaced users
+	users, err = utils.ParseUsers([]string{"      user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G        ", "         user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF                    "}) // Spacing is on purpose
+	assert.NilError(t, err)
+
+	assert.Equal(t, 2, len(users))
+
+	assert.Equal(t, "user1", users[0].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[0].Password)
+	assert.Equal(t, "", users[0].TotpSecret)
+	assert.Equal(t, "user2", users[1].Username)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", users[1].Password)
+	assert.Equal(t, "ABCDEF", users[1].TotpSecret)
+}
+
+func TestParseUser(t *testing.T) {
 	// Valid user without TOTP
-	user, err := utils.ParseUser("user1:" + hash)
+	user, err := utils.ParseUser("user1:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G")
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, "user1", user.Username)
-	assert.Equal(t, hash, user.Password)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
 	assert.Equal(t, "", user.TotpSecret)
 
 	// Valid user with TOTP
-	user, err = utils.ParseUser("user2:" + hash + ":ABCDEF")
+	user, err = utils.ParseUser("user2:$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G:ABCDEF")
 
 	assert.NilError(t, err)
 
 	assert.Equal(t, "user2", user.Username)
-	assert.Equal(t, hash, user.Password)
+	assert.Equal(t, "$2a$10$Mz5xhkfSJUtPWkzCd/TdaePh9CaXc5QcGII5wIMPLSR46eTwma30G", user.Password)
 	assert.Equal(t, "ABCDEF", user.TotpSecret)
 
 	// Valid user with $$ in password

sql/oidc_queries.sql

@@ -95,22 +95,9 @@ INSERT INTO "oidc_userinfo" (
     "preferred_username",
     "email",
     "groups",
-    "updated_at",
+    "updated_at"
-    "given_name",
-    "family_name",
-    "middle_name",
-    "nickname",
-    "profile",
-    "picture",
-    "website",
-    "gender",
-    "birthdate",
-    "zoneinfo",
-    "locale",
-    "phone_number",
-    "address"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 

sql/oidc_schemas.sql

@@ -22,23 +22,10 @@ CREATE TABLE IF NOT EXISTS "oidc_tokens" (
 );
 
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
-    "sub"                   TEXT    NOT NULL UNIQUE PRIMARY KEY,
+    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
-    "name"                  TEXT    NOT NULL,
+    "name" TEXT NOT NULL,
-    "preferred_username"    TEXT    NOT NULL,
+    "preferred_username" TEXT NOT NULL,
-    "email"                 TEXT    NOT NULL,
+    "email" TEXT NOT NULL,
-    "groups"                TEXT    NOT NULL,
+    "groups" TEXT NOT NULL,
-    "updated_at"            INTEGER NOT NULL,
+    "updated_at" INTEGER NOT NULL
-    "given_name"            TEXT    NOT NULL,
-    "family_name"           TEXT    NOT NULL,
-    "middle_name"           TEXT    NOT NULL,
-    "nickname"              TEXT    NOT NULL,
-    "profile"               TEXT    NOT NULL,
-    "picture"               TEXT    NOT NULL,
-    "website"               TEXT    NOT NULL,
-    "gender"                TEXT    NOT NULL,
-    "birthdate"             TEXT    NOT NULL,
-    "zoneinfo"              TEXT    NOT NULL,
-    "locale"                TEXT    NOT NULL,
-    "phone_number"          TEXT    NOT NULL,
-    "address"               TEXT    NOT NULL
 );