CodeRabbit Generated Unit Tests: Add unit tests

2026-05-27 14:40:14 +00:00 · 2026-05-25 17:11:30 +00:00
49 changed files with 714 additions and 1949 deletions
@@ -7,9 +7,7 @@ TINYAUTH_APPURL=

 # database config

-# The database driver to use. Valid values: sqlite, memory.
-TINYAUTH_DATABASE_DRIVER="sqlite"
-# The path to the SQLite database, including file name. Only used when driver is sqlite.
+# The path to the database, including file name.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"

 # analytics config
@@ -32,8 +30,6 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
-# Enable listening on both TCP and Unix socket at the same time.
-TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false

 # auth config

@@ -41,52 +37,8 @@ TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
-# List of IPs or CIDR ranges that bypass authentication entirely.
-TINYAUTH_AUTH_IP_BYPASS=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
-# Enable subdomains support.
-TINYAUTH_AUTH_SUBDOMAINSENABLED=true
-# Full name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NAME=
-# Given (first) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GIVENNAME=
-# Family (last) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_FAMILYNAME=
-# Middle name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_MIDDLENAME=
-# Nickname of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NICKNAME=
-# URL of the user's profile page.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PROFILE=
-# URL of the user's profile picture.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PICTURE=
-# URL of the user's website.
-TINYAUTH_AUTH_USERATTRIBUTES_name_WEBSITE=
-# Email address of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_EMAIL=
-# Gender of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GENDER=
-# Birthdate of the user (YYYY-MM-DD).
-TINYAUTH_AUTH_USERATTRIBUTES_name_BIRTHDATE=
-# Time zone of the user (e.g. Europe/Athens).
-TINYAUTH_AUTH_USERATTRIBUTES_name_ZONEINFO=
-# Locale of the user (e.g. en-US).
-TINYAUTH_AUTH_USERATTRIBUTES_name_LOCALE=
-# Phone number of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PHONENUMBER=
-# Full mailing address, formatted for display.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_FORMATTED=
-# Street address.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_STREETADDRESS=
-# City or locality.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_LOCALITY=
-# State, province, or region.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_REGION=
-# Zip or postal code.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_POSTALCODE=
-# Country.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_COUNTRY=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
@@ -101,8 +53,6 @@ TINYAUTH_AUTH_LOGINTIMEOUT=300
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
-# ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
-TINYAUTH_AUTH_ACLS_POLICY="allow"

 # apps config

@@ -218,8 +168,6 @@ TINYAUTH_LDAP_AUTHCERT=
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
-# Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment.
-TINYAUTH_LABELPROVIDER="auto"

 # log config

@@ -239,16 +187,3 @@ TINYAUTH_LOG_STREAMS_APP_LEVEL=
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
-
-# tailscale config
-
-# Enable Tailscale integration.
-TINYAUTH_TAILSCALE_ENABLED=false
-# Tailscale state directory.
-TINYAUTH_TAILSCALE_DIR="./tailscale_state"
-# Tailscale hostname.
-TINYAUTH_TAILSCALE_HOSTNAME=
-# Tailscale auth key.
-TINYAUTH_TAILSCALE_AUTHKEY=
-# Use ephemeral Tailscale node.
-TINYAUTH_TAILSCALE_EPHEMERAL=false
@@ -83,7 +83,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

@@ -128,7 +128,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

@@ -150,7 +150,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -207,7 +206,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -262,7 +260,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -319,7 +316,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -27,7 +27,6 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
-ARG LDFLAGS

 WORKDIR /tinyauth

@@ -40,7 +39,7 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist

-RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -27,7 +27,6 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
-ARG LDFLAGS

 WORKDIR /tinyauth

@@ -42,7 +41,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist

 RUN mkdir -p data

-RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -8,7 +8,6 @@ TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
-LDFLAGS := -s -w

 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
@@ -37,7 +36,7 @@ webui: clean-webui

 # Build the binary
 binary: webui
-	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "${LDFLAGS} \
+	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
 	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
@@ -12,11 +12,9 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
-	github.com/jackc/pgx/v5 v5.9.2
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.35.1
-	github.com/steveiliop56/ding v0.2.0
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
@@ -92,10 +90,6 @@ require (
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/huin/goupnp v1.3.0 // indirect
-	github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa // indirect
-	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.5 // indirect
@@ -143,8 +143,6 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
-github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
-github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -253,16 +251,6 @@ github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeV
 github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
-github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa h1:s+4MhCQ6YrzisK6hFJUX53drDT4UsSW3DEhKn0ifuHw=
-github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds=
-github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
-github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
-github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
-github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
-github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
-github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -402,15 +390,12 @@ github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/steveiliop56/ding v0.2.0 h1:m/Fj99wBpVVLHlpqb2RDJkWubOc5cWJ11ZYCHya3Sk0=
-github.com/steveiliop56/ding v0.2.0/go.mod h1:bE2u2XH7CjhPzbb/0Ems+D8YZlf2Ae+eKhj00UR1iAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
@@ -11,5 +11,5 @@ var FrontendAssets embed.FS

 // Migrations
 //
-//go:embed migrations/sqlite/*.sql migrations/postgres/*.sql
+//go:embed migrations/sqlite/*.sql
 var Migrations embed.FS
@@ -1,4 +0,0 @@
-DROP TABLE IF EXISTS "oidc_tokens";
-DROP TABLE IF EXISTS "oidc_userinfo";
-DROP TABLE IF EXISTS "oidc_codes";
-DROP TABLE IF EXISTS "sessions";
@@ -1,60 +0,0 @@
-CREATE TABLE "sessions" (
-    "uuid"         TEXT    NOT NULL PRIMARY KEY,
-    "username"     TEXT    NOT NULL,
-    "email"        TEXT    NOT NULL,
-    "name"         TEXT    NOT NULL,
-    "provider"     TEXT    NOT NULL,
-    "totp_pending" BOOLEAN NOT NULL,
-    "oauth_groups" TEXT    NOT NULL DEFAULT '',
-    "expiry"       BIGINT  NOT NULL,
-    "created_at"   BIGINT  NOT NULL,
-    "oauth_name"   TEXT    NOT NULL DEFAULT '',
-    "oauth_sub"    TEXT    NOT NULL DEFAULT ''
-);
-
-CREATE TABLE "oidc_codes" (
-    "sub"            TEXT   NOT NULL UNIQUE,
-    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
-    "scope"          TEXT   NOT NULL,
-    "redirect_uri"   TEXT   NOT NULL,
-    "client_id"      TEXT   NOT NULL,
-    "expires_at"     BIGINT NOT NULL,
-    "nonce"          TEXT   NOT NULL DEFAULT '',
-    "code_challenge" TEXT   NOT NULL DEFAULT ''
-);
-
-CREATE TABLE "oidc_tokens" (
-    "sub"                      TEXT   NOT NULL UNIQUE,
-    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
-    "refresh_token_hash"       TEXT   NOT NULL,
-    "code_hash"                TEXT   NOT NULL,
-    "scope"                    TEXT   NOT NULL,
-    "client_id"                TEXT   NOT NULL,
-    "token_expires_at"         BIGINT NOT NULL,
-    "refresh_token_expires_at" BIGINT NOT NULL,
-    "nonce"                    TEXT   NOT NULL DEFAULT ''
-);
-
-CREATE TABLE "oidc_userinfo" (
-    "sub"                TEXT   NOT NULL PRIMARY KEY,
-    "name"               TEXT   NOT NULL,
-    "preferred_username" TEXT   NOT NULL,
-    "email"              TEXT   NOT NULL,
-    "groups"             TEXT   NOT NULL,
-    "updated_at"         BIGINT NOT NULL,
-    "given_name"         TEXT   NOT NULL,
-    "family_name"        TEXT   NOT NULL,
-    "middle_name"        TEXT   NOT NULL,
-    "nickname"           TEXT   NOT NULL,
-    "profile"            TEXT   NOT NULL,
-    "picture"            TEXT   NOT NULL,
-    "website"            TEXT   NOT NULL,
-    "gender"             TEXT   NOT NULL,
-    "birthdate"          TEXT   NOT NULL,
-    "zoneinfo"           TEXT   NOT NULL,
-    "locale"             TEXT   NOT NULL,
-    "phone_number"       TEXT   NOT NULL,
-    "address"            TEXT   NOT NULL
-);
-
-CREATE INDEX idx_sessions_expiry ON "sessions" ("expiry");
@@ -13,11 +13,11 @@ import (
 	"os/signal"
 	"sort"
 	"strings"
+	"sync"
 	"syscall"
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"

 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -26,12 +26,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

-// Shutdown order for go routines
-// 1. Janitor routines (e.g. database cleanup, heartbeat) - ding.RingMinor
-// 2. HTTP server listeners - ding.RingNormal
-// 3. Networking layers, user and label providers (e.g. ailscale service, kubernetes service) - ding.RingMajor
-// 4. Database connection - ding.RingCritical
-
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
@@ -54,7 +48,7 @@ type BootstrapApp struct {
 	queries   repository.Store
 	router    *gin.Engine
 	db        *sql.DB
-	ding      *ding.Ding
+	wg        sync.WaitGroup
 	listeners []Listener
 }

@@ -70,10 +64,6 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel

-	// Create a ding instance
-	dg := ding.New(ctx)
-	app.ding = dg
-
 	// setup logger
 	log := logger.NewLogger().WithConfig(app.config.Log)
 	log.Init()
@@ -196,17 +186,15 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}

-	app.ding.Go(func(ctx context.Context) {
-		<-ctx.Done()
-		app.log.App.Debug().Msg("Shutting down database connection")
-		if app.db == nil {
-			// using memory store, no db instance
-			return
+	// after this point, we start initializing dependencies so it's a good time to setup a defer
+	// to ensure that resources are cleaned up properly in case of an error during initialization
+	defer func() {
+		app.cancel()
+		app.wg.Wait()
+		if app.db != nil {
+			app.db.Close()
 		}
-		if err := app.db.Close(); err != nil {
-			app.log.App.Error().Err(err).Msg("Failed to close database connection")
-		}
-	}, ding.RingCritical)
+	}()

 	// store
 	app.queries = store
@@ -273,12 +261,12 @@ func (app *BootstrapApp) Setup() error {

 	// start db cleanup routine
 	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.ding.Go(app.dbCleanupRoutine, ding.RingMinor)
+	app.wg.Go(app.dbCleanupRoutine)

 	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
 		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.ding.Go(app.heartbeatRoutine, ding.RingMinor)
+		app.wg.Go(app.heartbeatRoutine)
 	}

 	// setup listeners
@@ -299,7 +287,6 @@ func (app *BootstrapApp) Setup() error {
 	for {
 		select {
 		case <-app.ctx.Done():
-			app.ding.Wait()
 			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
 			return nil
 		case err := <-lec:
@@ -310,7 +297,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 }

-func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
+func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()

@@ -363,7 +350,7 @@ func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 			if res.StatusCode != 200 && res.StatusCode != 201 {
 				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 			}
-		case <-ctx.Done():
+		case <-app.ctx.Done():
 			app.log.App.Debug().Msg("Stopping heartbeat routine")
 			ticker.Stop()
 			return
@@ -371,7 +358,7 @@ func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 	}
 }

-func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
+func (app *BootstrapApp) dbCleanupRoutine() {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()

@@ -380,14 +367,14 @@ func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
 		case <-ticker.C:
 			app.log.App.Debug().Msg("Running database cleanup")

-			err := app.queries.DeleteExpiredSessions(ctx, time.Now().Unix())
+			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())

 			if err != nil {
 				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
 			}

 			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-ctx.Done():
+		case <-app.ctx.Done():
 			app.log.App.Debug().Msg("Stopping database cleanup routine")
 			ticker.Stop()
 			return
@@ -6,18 +6,15 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/golang-migrate/migrate/v4"
-	pgxmigrate "github.com/golang-migrate/migrate/v4/database/pgx/v5"
-	"github.com/golang-migrate/migrate/v4/database/sqlite3"
-	"github.com/golang-migrate/migrate/v4/source/iofs"
-	_ "github.com/jackc/pgx/v5/stdlib"
-	_ "modernc.org/sqlite"
-
 	"github.com/tinyauthapp/tinyauth/internal/assets"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
-	"github.com/tinyauthapp/tinyauth/internal/repository/postgres"
 	"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
+
+	"github.com/golang-migrate/migrate/v4"
+	"github.com/golang-migrate/migrate/v4/database/sqlite3"
+	"github.com/golang-migrate/migrate/v4/source/iofs"
+	_ "modernc.org/sqlite"
 )

 func (app *BootstrapApp) SetupStore() (repository.Store, error) {
@@ -26,10 +23,8 @@ func (app *BootstrapApp) SetupStore() (repository.Store, error) {
 		return memory.New(), nil
 	case "sqlite", "":
 		return app.setupSQLite(app.config.Database.Path)
-	case "postgres":
-		return app.setupPostgres(app.config.Database.Path)
 	default:
-		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, postgres, memory", app.config.Database.Driver)
+		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, memory", app.config.Database.Driver)
 	}
 }

@@ -46,9 +41,9 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}

-	cleanup := true
+	// Close the database if there is an error during migration
 	defer func() {
-		if cleanup {
+		if err != nil {
 			db.Close()
 		}
 	}()
@@ -75,54 +70,11 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}

-	if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
+	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}

-	cleanup = false
 	app.db = db

 	return sqlite.NewStore(sqlite.New(db)), nil
 }
-
-func (app *BootstrapApp) setupPostgres(databaseURL string) (repository.Store, error) {
-	db, err := sql.Open("pgx", databaseURL)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to open database: %w", err)
-	}
-
-	cleanup := true
-	defer func() {
-		if cleanup {
-			db.Close()
-		}
-	}()
-
-	migrations, err := iofs.New(assets.Migrations, "migrations/postgres")
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create migrations: %w", err)
-	}
-
-	target, err := pgxmigrate.WithInstance(db, &pgxmigrate.Config{})
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create postgres instance: %w", err)
-	}
-
-	migrator, err := migrate.NewWithInstance("iofs", migrations, "pgx", target)
-
-	if err != nil {
-		return nil, fmt.Errorf("failed to create migrator: %w", err)
-	}
-
-	if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
-		return nil, fmt.Errorf("failed to migrate database: %w", err)
-	}
-
-	cleanup = false
-	app.db = db
-
-	return postgres.NewStore(postgres.New(db)), nil
-}
@@ -0,0 +1,117 @@
+package bootstrap
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+)
+
+func TestSetupStore_UnknownDriver(t *testing.T) {
+	tests := []struct {
+		driver  string
+		wantErr string
+	}{
+		{
+			driver:  "mysql",
+			wantErr: `unknown database driver "mysql": valid values are sqlite, postgres, memory`,
+		},
+		{
+			driver:  "redis",
+			wantErr: `unknown database driver "redis": valid values are sqlite, postgres, memory`,
+		},
+		{
+			driver:  "baddriver",
+			wantErr: `unknown database driver "baddriver": valid values are sqlite, postgres, memory`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run("driver_"+tt.driver, func(t *testing.T) {
+			app := NewBootstrapApp(model.Config{
+				Database: model.DatabaseConfig{
+					Driver: tt.driver,
+				},
+			})
+			store, err := app.SetupStore()
+			assert.Nil(t, store)
+			require.Error(t, err)
+			assert.Equal(t, tt.wantErr, err.Error())
+		})
+	}
+}
+
+func TestSetupStore_Memory(t *testing.T) {
+	app := NewBootstrapApp(model.Config{
+		Database: model.DatabaseConfig{
+			Driver: "memory",
+		},
+	})
+	store, err := app.SetupStore()
+	require.NoError(t, err)
+	assert.NotNil(t, store)
+}
+
+func TestSetupStore_SQLite_ExplicitDriver(t *testing.T) {
+	dir := t.TempDir()
+	dbPath := filepath.Join(dir, "test.db")
+
+	app := NewBootstrapApp(model.Config{
+		Database: model.DatabaseConfig{
+			Driver: "sqlite",
+			Path:   dbPath,
+		},
+	})
+	store, err := app.SetupStore()
+	require.NoError(t, err)
+	assert.NotNil(t, store)
+}
+
+func TestSetupStore_SQLite_DefaultDriver(t *testing.T) {
+	dir := t.TempDir()
+	dbPath := filepath.Join(dir, "default.db")
+
+	app := NewBootstrapApp(model.Config{
+		Database: model.DatabaseConfig{
+			Driver: "",
+			Path:   dbPath,
+		},
+	})
+	store, err := app.SetupStore()
+	require.NoError(t, err)
+	assert.NotNil(t, store)
+}
+
+func TestSetupStore_Postgres_InvalidURL(t *testing.T) {
+	app := NewBootstrapApp(model.Config{
+		Database: model.DatabaseConfig{
+			Driver: "postgres",
+			Path:   "not-a-valid-postgres-url",
+		},
+	})
+	store, err := app.SetupStore()
+	// sql.Open does not fail on a bad URL for pgx — it only fails on first use.
+	// The error should come from pgxmigrate.WithInstance when the DB is actually
+	// pinged / connected, so we expect either success-with-error or an error here.
+	// What matters is that the postgres case is reached (i.e., no "unknown driver" error).
+	if err != nil {
+		assert.False(t, strings.Contains(err.Error(), "unknown database driver"))
+		assert.Nil(t, store)
+	}
+}
+
+func TestSetupStore_ErrorMessageIncludesPostgres(t *testing.T) {
+	app := NewBootstrapApp(model.Config{
+		Database: model.DatabaseConfig{
+			Driver: "oracle",
+		},
+	})
+	_, err := app.SetupStore()
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "postgres")
+	assert.Contains(t, err.Error(), "sqlite")
+	assert.Contains(t, err.Error(), "memory")
+}
@@ -9,7 +9,6 @@ import (
 	"os"
 	"time"

-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
@@ -81,9 +80,9 @@ func (app *BootstrapApp) runListeners() (chan error, error) {
 			return nil, fmt.Errorf("failed to get listener function: %w", err)
 		}

-		app.ding.Go(func(ctx context.Context) {
-			lec <- listenerFunc(ctx)
-		}, ding.RingNormal)
+		app.wg.Go(func() {
+			lec <- listenerFunc()
+		})
 	}

 	return lec, nil
@@ -126,7 +125,7 @@ func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 	return l
 }

-func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx context.Context) error, error) {
+func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error, error) {
 	switch listenerType {
 	case ListenerHTTP:
 		return app.serveHTTP, nil
@@ -139,7 +138,7 @@ func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx conte
 	}
 }

-func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
+func (app *BootstrapApp) serveHTTP() error {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)

 	app.log.App.Info().Msgf("Starting server on %s", address)
@@ -155,10 +154,10 @@ func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}

-	return app.serve(listener, server, ctx, "http")
+	return app.serve(listener, server, "http")
 }

-func (app *BootstrapApp) serveUnix(ctx context.Context) error {
+func (app *BootstrapApp) serveUnix() error {
 	_, err := os.Stat(app.config.Server.SocketPath)

 	if err == nil {
@@ -182,10 +181,10 @@ func (app *BootstrapApp) serveUnix(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}

-	return app.serve(listener, server, ctx, "unix socket")
+	return app.serve(listener, server, "unix socket")
 }

-func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
+func (app *BootstrapApp) serveTailscale() error {
 	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))

 	listener, err := app.services.tailscaleService.CreateListener()
@@ -198,23 +197,27 @@ func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
 		Handler: app.router.Handler(),
 	}

-	return app.serve(listener, server, ctx, "tailscale")
+	return app.serve(listener, server, "tailscale")
 }

-func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, ctx context.Context, name string) error {
+func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, name string) error {
 	shutdown := func() {
-		// we use a new context for the shutdown since the main one is cancelled
-		sctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
+		ctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
 		defer cancel()
-		err := server.Shutdown(sctx)
-		if err != nil {
+		err := server.Shutdown(ctx)
+		if err != nil &&
+			// With tailscale, the goroutine for shutting down the tailscale connection
+			// runs first and causes the connection the tailscale listener is running on to close
+			// first so, the shutdown fails
+			// TODO: add priority to the goroutine shutdowns
+			!errors.Is(err, net.ErrClosed) {
 			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
 		}
 		listener.Close()
 	}

 	go func() {
-		<-ctx.Done()
+		<-app.ctx.Done()
 		app.log.App.Debug().Msgf("Shutting down %s listener", name)
 		shutdown()
 	}()
@@ -8,7 +8,7 @@ import (
 )

 func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)

 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
@@ -22,7 +22,7 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}

-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)

 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
@@ -42,10 +42,10 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService

-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
 	app.services.authService = authService

-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)

 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
@@ -69,7 +69,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")

-			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)

 			if err != nil {
 				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
@@ -81,7 +81,7 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {

 		app.log.App.Debug().Msg("Using Docker label provider")

-		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)

 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
@@ -16,15 +16,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

-type authorizeErrorParams struct {
-	err           error
-	reason        string
-	reasonPublic  string
-	callback      string
-	callbackError string
-	state         string
-}
-
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
@@ -128,55 +119,34 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {

 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if controller.oidc == nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          errors.New("err_oidc_not_configured"),
-			reason:       "OIDC not configured",
-			reasonPublic: "This instance is not configured for OIDC",
-		})
+		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}

 	userContext, err := new(model.UserContext).NewFromGin(c)

 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to get user context",
-			reasonPublic: "User is not logged in or the session is invalid",
-		})
+		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
 		return
 	}

 	if !userContext.Authenticated {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          errors.New("err user not logged in"),
-			reason:       "User not logged in",
-			reasonPublic: "The user is not logged in",
-		})
+		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
 		return
 	}

 	var req service.AuthorizeRequest

-	err = c.Bind(&req)
-
+	err = c.BindJSON(&req)
 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Failed to bind JSON",
-			reasonPublic: "The client provided an invalid authorization request",
-		})
+		controller.authorizeError(c, err, "Failed to bind JSON", "The client provided an invalid authorization request", "", "", "")
 		return
 	}

 	client, ok := controller.oidc.GetClient(req.ClientID)

 	if !ok {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          fmt.Errorf("client not found: %s", req.ClientID),
-			reason:       "Client not found",
-			reasonPublic: "The client ID is invalid",
-		})
+		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}

@@ -185,21 +155,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
-			controller.authorizeError(c, authorizeErrorParams{
-				err:           err,
-				reason:        "Failed validate authorize params",
-				reasonPublic:  "Invalid request parameters",
-				callback:      req.RedirectURI,
-				callbackError: err.Error(),
-				state:         req.State,
-			})
+			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
 		}
-		controller.authorizeError(c, authorizeErrorParams{
-			err:          err,
-			reason:       "Redirect URI not trusted",
-			reasonPublic: "The provided redirect URI is not trusted",
-		})
+		controller.authorizeError(c, err, "Redirect URI not trusted", "The provided redirect URI is not trusted", "", "", "")
 		return
 	}

@@ -210,28 +169,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:           err,
-			reason:        "Failed to delete old sessions",
-			reasonPublic:  "Failed to delete old sessions",
-			callback:      req.RedirectURI,
-			callbackError: "server_error",
-			state:         req.State,
-		})
+		controller.authorizeError(c, err, "Failed to delete old sessions", "Failed to delete old sessions", req.RedirectURI, "server_error", req.State)
 		return
 	}

 	err = controller.oidc.StoreCode(c, sub, code, req)

 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:           err,
-			reason:        "Failed to store code",
-			reasonPublic:  "Failed to store code",
-			callback:      req.RedirectURI,
-			callbackError: "server_error",
-			state:         req.State,
-		})
+		controller.authorizeError(c, err, "Failed to store code", "Failed to store code", req.RedirectURI, "server_error", req.State)
 		return
 	}

@@ -241,14 +186,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {

 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to store user info")
-			controller.authorizeError(c, authorizeErrorParams{
-				err:           err,
-				reason:        "Failed to store user info",
-				reasonPublic:  "Failed to store user info",
-				callback:      req.RedirectURI,
-				callbackError: "server_error",
-				state:         req.State,
-			})
+			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
 	}
@@ -259,14 +197,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	})

 	if err != nil {
-		controller.authorizeError(c, authorizeErrorParams{
-			err:           err,
-			reason:        "Failed to build query",
-			reasonPublic:  "Failed to build query",
-			callback:      req.RedirectURI,
-			callbackError: "server_error",
-			state:         req.State,
-		})
+		controller.authorizeError(c, err, "Failed to build query", "Failed to build query", req.RedirectURI, "server_error", req.State)
 		return
 	}

@@ -547,20 +478,20 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
 }

-func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
-	controller.log.App.Error().Err(params.err).Str("reason", params.reason).Msg("Authorization error")
+func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
+	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")

-	if params.callback != "" {
+	if callback != "" {
 		errorQueries := CallbackError{
-			Error: params.callbackError,
+			Error: callbackError,
 		}

-		if params.reasonPublic != "" {
-			errorQueries.ErrorDescription = params.reasonPublic
+		if reasonUser != "" {
+			errorQueries.ErrorDescription = reasonUser
 		}

-		if params.state != "" {
-			errorQueries.State = params.state
+		if state != "" {
+			errorQueries.State = state
 		}

 		queries, err := query.Values(errorQueries)
@@ -572,13 +503,13 @@ func (controller *OIDCController) authorizeError(c *gin.Context, params authoriz

 		c.JSON(200, gin.H{
 			"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
+			"redirect_uri": fmt.Sprintf("%s?%s", callback, queries.Encode()),
 		})
 		return
 	}

 	errorQueries := ErrorScreen{
-		Error: params.reasonPublic,
+		Error: reasonUser,
 	}

 	queries, err := query.Values(errorQueries)
@@ -8,11 +8,11 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"strings"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -840,9 +840,9 @@ func TestOIDCController(t *testing.T) {

 	store := memory.New()

-	dg := ding.New(context.TODO())
+	wg := &sync.WaitGroup{}

-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, context.TODO(), wg)
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -3,10 +3,10 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -353,10 +353,11 @@ func TestProxyController(t *testing.T) {

 	store := memory.New()

+	wg := &sync.WaitGroup{}
 	ctx := context.TODO()
-	dg := ding.New(ctx)

 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 	aclsService := service.NewAccessControlsService(log, cfg, nil)

 	policyEngine, err := service.NewPolicyEngine(cfg, log)
@@ -382,8 +383,6 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})

-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
-
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			router := gin.Default()
@@ -6,12 +6,12 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
+	"sync"
 	"testing"
 	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -412,13 +412,10 @@ func TestUserController(t *testing.T) {
 	}

 	ctx := context.TODO()
-	dg := ding.New(ctx)
-
-	policyEngine, err := service.NewPolicyEngine(cfg, log)
-	require.NoError(t, err)
+	wg := &sync.WaitGroup{}

 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)

 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -5,10 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
+	"sync"
 	"testing"

 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
@@ -89,11 +89,11 @@ func TestWellKnownController(t *testing.T) {
 	}

 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}

 	store := memory.New()

-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, ctx, wg)
 	require.NoError(t, err)

 	for _, test := range tests {
@@ -5,11 +5,11 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
+	"sync"
 	"testing"
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
@@ -250,15 +250,12 @@ func TestContextMiddleware(t *testing.T) {
 	}

 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}

 	store := memory.New()

-	policyEngine, err := service.NewPolicyEngine(cfg, log)
-	require.NoError(t, err)
-
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)

 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)

@@ -62,6 +62,9 @@ func NewDefaultConfiguration() *Config {
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
+		Experimental: ExperimentalConfig{
+			ConfigFile: "",
+		},
 		Tailscale: TailscaleConfig{
 			Dir: "./tailscale_state",
 		},
@@ -85,12 +88,11 @@ type Config struct {
 	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
-	ConfigFile    string             `description:"Path to config file." yaml:"-"`
 }

 type DatabaseConfig struct {
-	Driver string `description:"The database driver to use. Valid values: sqlite, postgres, memory." yaml:"driver"`
-	Path   string `description:"The path to the SQLite database file, or connection URL when driver is postgres." yaml:"path"`
+	Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
+	Path   string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
 }

 type AnalyticsConfig struct {
@@ -206,8 +208,9 @@ type LogStreamConfig struct {
 	Level   string `description:"Log level for this stream. Use global if empty." yaml:"level"`
 }

-// no experimental features
-type ExperimentalConfig struct{}
+type ExperimentalConfig struct {
+	ConfigFile string `description:"Path to config file." yaml:"-"`
+}

 type TailscaleConfig struct {
 	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
@@ -0,0 +1,90 @@
+package model
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestDatabaseConfig_DescriptionMentionsPostgres verifies that the DatabaseConfig
+// Driver field description explicitly lists "postgres" as a valid value, reflecting
+// the newly added PostgreSQL support.
+func TestDatabaseConfig_DescriptionMentionsPostgres(t *testing.T) {
+	rt := reflect.TypeOf(DatabaseConfig{})
+
+	driverField, ok := rt.FieldByName("Driver")
+	assert.True(t, ok, "DatabaseConfig should have a Driver field")
+
+	description := driverField.Tag.Get("description")
+	assert.Contains(t, description, "postgres", "DatabaseConfig.Driver description should mention postgres as a valid value")
+	assert.Contains(t, description, "sqlite", "DatabaseConfig.Driver description should mention sqlite as a valid value")
+	assert.Contains(t, description, "memory", "DatabaseConfig.Driver description should mention memory as a valid value")
+}
+
+// TestDatabaseConfig_PathDescriptionMentionsConnectionURL verifies that the Path
+// field description covers both SQLite file path and PostgreSQL connection URL usage.
+func TestDatabaseConfig_PathDescriptionMentionsConnectionURL(t *testing.T) {
+	rt := reflect.TypeOf(DatabaseConfig{})
+
+	pathField, ok := rt.FieldByName("Path")
+	assert.True(t, ok, "DatabaseConfig should have a Path field")
+
+	description := pathField.Tag.Get("description")
+	assert.Contains(t, description, "postgres",
+		"DatabaseConfig.Path description should mention postgres to clarify connection URL usage")
+}
+
+// TestIPConfig_NoBypassField verifies that the Bypass field has been removed
+// from IPConfig as part of the PR changes. IP bypass lists are now only
+// configured at the per-app ACL level.
+func TestIPConfig_NoBypassField(t *testing.T) {
+	rt := reflect.TypeOf(IPConfig{})
+
+	_, hasBypass := rt.FieldByName("Bypass")
+	assert.False(t, hasBypass, "IPConfig should not have a Bypass field after PR changes")
+}
+
+// TestIPConfig_HasAllowAndBlock ensures the remaining Allow and Block fields
+// are still present in IPConfig after the Bypass removal.
+func TestIPConfig_HasAllowAndBlock(t *testing.T) {
+	rt := reflect.TypeOf(IPConfig{})
+
+	_, hasAllow := rt.FieldByName("Allow")
+	assert.True(t, hasAllow, "IPConfig should still have an Allow field")
+
+	_, hasBlock := rt.FieldByName("Block")
+	assert.True(t, hasBlock, "IPConfig should still have a Block field")
+}
+
+// TestOAuthServiceConfig_NoWhitelistField verifies that the per-provider Whitelist
+// and WhitelistFile fields have been removed from OAuthServiceConfig. The global
+// OAuthWhitelist on OAuthConfig/RuntimeConfig is now the only whitelist.
+func TestOAuthServiceConfig_NoWhitelistField(t *testing.T) {
+	rt := reflect.TypeOf(OAuthServiceConfig{})
+
+	_, hasWhitelist := rt.FieldByName("Whitelist")
+	assert.False(t, hasWhitelist, "OAuthServiceConfig should not have a Whitelist field after PR changes")
+
+	_, hasWhitelistFile := rt.FieldByName("WhitelistFile")
+	assert.False(t, hasWhitelistFile, "OAuthServiceConfig should not have a WhitelistFile field after PR changes")
+}
+
+// TestOAuthServiceConfig_CoreFieldsPreserved ensures that removing the whitelist
+// fields did not inadvertently drop unrelated fields.
+func TestOAuthServiceConfig_CoreFieldsPreserved(t *testing.T) {
+	rt := reflect.TypeOf(OAuthServiceConfig{})
+
+	for _, fieldName := range []string{"ClientID", "ClientSecret", "ClientSecretFile", "Scopes", "RedirectURL", "AuthURL", "TokenURL", "UserinfoURL"} {
+		_, ok := rt.FieldByName(fieldName)
+		assert.True(t, ok, "OAuthServiceConfig should still have a %s field", fieldName)
+	}
+}
+
+// TestDatabaseConfig_ZeroValue ensures DatabaseConfig is usable as a zero value
+// with the expected default (empty string) driver, which falls back to sqlite.
+func TestDatabaseConfig_ZeroValue(t *testing.T) {
+	var cfg DatabaseConfig
+	assert.Equal(t, "", cfg.Driver, "zero-value Driver should be an empty string (defaults to sqlite)")
+	assert.Equal(t, "", cfg.Path, "zero-value Path should be an empty string")
+}
@@ -1,31 +0,0 @@
-// Code generated by sqlc. DO NOT EDIT.
-// versions:
-//   sqlc v1.31.1
-
-package postgres
-
-import (
-	"context"
-	"database/sql"
-)
-
-type DBTX interface {
-	ExecContext(context.Context, string, ...interface{}) (sql.Result, error)
-	PrepareContext(context.Context, string) (*sql.Stmt, error)
-	QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error)
-	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
-}
-
-func New(db DBTX) *Queries {
-	return &Queries{db: db}
-}
-
-type Queries struct {
-	db DBTX
-}
-
-func (q *Queries) WithTx(tx *sql.Tx) *Queries {
-	return &Queries{
-		db: tx,
-	}
-}
@@ -1,3 +0,0 @@
-package postgres
-
-//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres
@@ -1,64 +0,0 @@
-// Code generated by sqlc. DO NOT EDIT.
-// versions:
-//   sqlc v1.31.1
-
-package postgres
-
-type OidcCode struct {
-	Sub           string
-	CodeHash      string
-	Scope         string
-	RedirectURI   string
-	ClientID      string
-	ExpiresAt     int64
-	Nonce         string
-	CodeChallenge string
-}
-
-type OidcToken struct {
-	Sub                   string
-	AccessTokenHash       string
-	RefreshTokenHash      string
-	CodeHash              string
-	Scope                 string
-	ClientID              string
-	TokenExpiresAt        int64
-	RefreshTokenExpiresAt int64
-	Nonce                 string
-}
-
-type OidcUserinfo struct {
-	Sub               string
-	Name              string
-	PreferredUsername string
-	Email             string
-	Groups            string
-	UpdatedAt         int64
-	GivenName         string
-	FamilyName        string
-	MiddleName        string
-	Nickname          string
-	Profile           string
-	Picture           string
-	Website           string
-	Gender            string
-	Birthdate         string
-	Zoneinfo          string
-	Locale            string
-	PhoneNumber       string
-	Address           string
-}
-
-type Session struct {
-	UUID        string
-	Username    string
-	Email       string
-	Name        string
-	Provider    string
-	TotpPending bool
-	OAuthGroups string
-	Expiry      int64
-	CreatedAt   int64
-	OAuthName   string
-	OAuthSub    string
-}
@@ -1,581 +0,0 @@
-// Code generated by sqlc. DO NOT EDIT.
-// versions:
-//   sqlc v1.31.1
-// source: oidc_queries.sql
-
-package postgres
-
-import (
-	"context"
-)
-
-const createOidcCode = `-- name: CreateOidcCode :one
-INSERT INTO "oidc_codes" (
-    "sub",
-    "code_hash",
-    "scope",
-    "redirect_uri",
-    "client_id",
-    "expires_at",
-    "nonce",
-    "code_challenge"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8
-)
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
-`
-
-type CreateOidcCodeParams struct {
-	Sub           string
-	CodeHash      string
-	Scope         string
-	RedirectURI   string
-	ClientID      string
-	ExpiresAt     int64
-	Nonce         string
-	CodeChallenge string
-}
-
-func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, createOidcCode,
-		arg.Sub,
-		arg.CodeHash,
-		arg.Scope,
-		arg.RedirectURI,
-		arg.ClientID,
-		arg.ExpiresAt,
-		arg.Nonce,
-		arg.CodeChallenge,
-	)
-	var i OidcCode
-	err := row.Scan(
-		&i.Sub,
-		&i.CodeHash,
-		&i.Scope,
-		&i.RedirectURI,
-		&i.ClientID,
-		&i.ExpiresAt,
-		&i.Nonce,
-		&i.CodeChallenge,
-	)
-	return i, err
-}
-
-const createOidcToken = `-- name: CreateOidcToken :one
-INSERT INTO "oidc_tokens" (
-    "sub",
-    "access_token_hash",
-    "refresh_token_hash",
-    "scope",
-    "client_id",
-    "token_expires_at",
-    "refresh_token_expires_at",
-    "code_hash",
-    "nonce"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9
-)
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
-`
-
-type CreateOidcTokenParams struct {
-	Sub                   string
-	AccessTokenHash       string
-	RefreshTokenHash      string
-	Scope                 string
-	ClientID              string
-	TokenExpiresAt        int64
-	RefreshTokenExpiresAt int64
-	CodeHash              string
-	Nonce                 string
-}
-
-func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, createOidcToken,
-		arg.Sub,
-		arg.AccessTokenHash,
-		arg.RefreshTokenHash,
-		arg.Scope,
-		arg.ClientID,
-		arg.TokenExpiresAt,
-		arg.RefreshTokenExpiresAt,
-		arg.CodeHash,
-		arg.Nonce,
-	)
-	var i OidcToken
-	err := row.Scan(
-		&i.Sub,
-		&i.AccessTokenHash,
-		&i.RefreshTokenHash,
-		&i.CodeHash,
-		&i.Scope,
-		&i.ClientID,
-		&i.TokenExpiresAt,
-		&i.RefreshTokenExpiresAt,
-		&i.Nonce,
-	)
-	return i, err
-}
-
-const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
-INSERT INTO "oidc_userinfo" (
-    "sub",
-    "name",
-    "preferred_username",
-    "email",
-    "groups",
-    "updated_at",
-    "given_name",
-    "family_name",
-    "middle_name",
-    "nickname",
-    "profile",
-    "picture",
-    "website",
-    "gender",
-    "birthdate",
-    "zoneinfo",
-    "locale",
-    "phone_number",
-    "address"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
-)
-RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
-`
-
-type CreateOidcUserInfoParams struct {
-	Sub               string
-	Name              string
-	PreferredUsername string
-	Email             string
-	Groups            string
-	UpdatedAt         int64
-	GivenName         string
-	FamilyName        string
-	MiddleName        string
-	Nickname          string
-	Profile           string
-	Picture           string
-	Website           string
-	Gender            string
-	Birthdate         string
-	Zoneinfo          string
-	Locale            string
-	PhoneNumber       string
-	Address           string
-}
-
-func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
-	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
-		arg.Sub,
-		arg.Name,
-		arg.PreferredUsername,
-		arg.Email,
-		arg.Groups,
-		arg.UpdatedAt,
-		arg.GivenName,
-		arg.FamilyName,
-		arg.MiddleName,
-		arg.Nickname,
-		arg.Profile,
-		arg.Picture,
-		arg.Website,
-		arg.Gender,
-		arg.Birthdate,
-		arg.Zoneinfo,
-		arg.Locale,
-		arg.PhoneNumber,
-		arg.Address,
-	)
-	var i OidcUserinfo
-	err := row.Scan(
-		&i.Sub,
-		&i.Name,
-		&i.PreferredUsername,
-		&i.Email,
-		&i.Groups,
-		&i.UpdatedAt,
-		&i.GivenName,
-		&i.FamilyName,
-		&i.MiddleName,
-		&i.Nickname,
-		&i.Profile,
-		&i.Picture,
-		&i.Website,
-		&i.Gender,
-		&i.Birthdate,
-		&i.Zoneinfo,
-		&i.Locale,
-		&i.PhoneNumber,
-		&i.Address,
-	)
-	return i, err
-}
-
-const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
-DELETE FROM "oidc_codes"
-WHERE "expires_at" < $1
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
-`
-
-func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	var items []OidcCode
-	for rows.Next() {
-		var i OidcCode
-		if err := rows.Scan(
-			&i.Sub,
-			&i.CodeHash,
-			&i.Scope,
-			&i.RedirectURI,
-			&i.ClientID,
-			&i.ExpiresAt,
-			&i.Nonce,
-			&i.CodeChallenge,
-		); err != nil {
-			return nil, err
-		}
-		items = append(items, i)
-	}
-	if err := rows.Close(); err != nil {
-		return nil, err
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return items, nil
-}
-
-const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
-DELETE FROM "oidc_tokens"
-WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
-`
-
-type DeleteExpiredOidcTokensParams struct {
-	TokenExpiresAt        int64
-	RefreshTokenExpiresAt int64
-}
-
-func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
-	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	var items []OidcToken
-	for rows.Next() {
-		var i OidcToken
-		if err := rows.Scan(
-			&i.Sub,
-			&i.AccessTokenHash,
-			&i.RefreshTokenHash,
-			&i.CodeHash,
-			&i.Scope,
-			&i.ClientID,
-			&i.TokenExpiresAt,
-			&i.RefreshTokenExpiresAt,
-			&i.Nonce,
-		); err != nil {
-			return nil, err
-		}
-		items = append(items, i)
-	}
-	if err := rows.Close(); err != nil {
-		return nil, err
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return items, nil
-}
-
-const deleteOidcCode = `-- name: DeleteOidcCode :exec
-DELETE FROM "oidc_codes"
-WHERE "code_hash" = $1
-`
-
-func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
-	return err
-}
-
-const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
-DELETE FROM "oidc_codes"
-WHERE "sub" = $1
-`
-
-func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
-	return err
-}
-
-const deleteOidcToken = `-- name: DeleteOidcToken :exec
-DELETE FROM "oidc_tokens"
-WHERE "access_token_hash" = $1
-`
-
-func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
-	return err
-}
-
-const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
-DELETE FROM "oidc_tokens"
-WHERE "code_hash" = $1
-`
-
-func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
-	return err
-}
-
-const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
-DELETE FROM "oidc_tokens"
-WHERE "sub" = $1
-`
-
-func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
-	return err
-}
-
-const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
-DELETE FROM "oidc_userinfo"
-WHERE "sub" = $1
-`
-
-func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
-	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
-	return err
-}
-
-const getOidcCode = `-- name: GetOidcCode :one
-DELETE FROM "oidc_codes"
-WHERE "code_hash" = $1
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
-`
-
-func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
-	var i OidcCode
-	err := row.Scan(
-		&i.Sub,
-		&i.CodeHash,
-		&i.Scope,
-		&i.RedirectURI,
-		&i.ClientID,
-		&i.ExpiresAt,
-		&i.Nonce,
-		&i.CodeChallenge,
-	)
-	return i, err
-}
-
-const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
-DELETE FROM "oidc_codes"
-WHERE "sub" = $1
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
-`
-
-func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
-	var i OidcCode
-	err := row.Scan(
-		&i.Sub,
-		&i.CodeHash,
-		&i.Scope,
-		&i.RedirectURI,
-		&i.ClientID,
-		&i.ExpiresAt,
-		&i.Nonce,
-		&i.CodeChallenge,
-	)
-	return i, err
-}
-
-const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
-WHERE "sub" = $1
-`
-
-func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
-	var i OidcCode
-	err := row.Scan(
-		&i.Sub,
-		&i.CodeHash,
-		&i.Scope,
-		&i.RedirectURI,
-		&i.ClientID,
-		&i.ExpiresAt,
-		&i.Nonce,
-		&i.CodeChallenge,
-	)
-	return i, err
-}
-
-const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
-WHERE "code_hash" = $1
-`
-
-func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
-	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
-	var i OidcCode
-	err := row.Scan(
-		&i.Sub,
-		&i.CodeHash,
-		&i.Scope,
-		&i.RedirectURI,
-		&i.ClientID,
-		&i.ExpiresAt,
-		&i.Nonce,
-		&i.CodeChallenge,
-	)
-	return i, err
-}
-
-const getOidcToken = `-- name: GetOidcToken :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
-WHERE "access_token_hash" = $1
-`
-
-func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
-	var i OidcToken
-	err := row.Scan(
-		&i.Sub,
-		&i.AccessTokenHash,
-		&i.RefreshTokenHash,
-		&i.CodeHash,
-		&i.Scope,
-		&i.ClientID,
-		&i.TokenExpiresAt,
-		&i.RefreshTokenExpiresAt,
-		&i.Nonce,
-	)
-	return i, err
-}
-
-const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
-WHERE "refresh_token_hash" = $1
-`
-
-func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
-	var i OidcToken
-	err := row.Scan(
-		&i.Sub,
-		&i.AccessTokenHash,
-		&i.RefreshTokenHash,
-		&i.CodeHash,
-		&i.Scope,
-		&i.ClientID,
-		&i.TokenExpiresAt,
-		&i.RefreshTokenExpiresAt,
-		&i.Nonce,
-	)
-	return i, err
-}
-
-const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
-WHERE "sub" = $1
-`
-
-func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
-	var i OidcToken
-	err := row.Scan(
-		&i.Sub,
-		&i.AccessTokenHash,
-		&i.RefreshTokenHash,
-		&i.CodeHash,
-		&i.Scope,
-		&i.ClientID,
-		&i.TokenExpiresAt,
-		&i.RefreshTokenExpiresAt,
-		&i.Nonce,
-	)
-	return i, err
-}
-
-const getOidcUserInfo = `-- name: GetOidcUserInfo :one
-SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
-WHERE "sub" = $1
-`
-
-func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
-	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
-	var i OidcUserinfo
-	err := row.Scan(
-		&i.Sub,
-		&i.Name,
-		&i.PreferredUsername,
-		&i.Email,
-		&i.Groups,
-		&i.UpdatedAt,
-		&i.GivenName,
-		&i.FamilyName,
-		&i.MiddleName,
-		&i.Nickname,
-		&i.Profile,
-		&i.Picture,
-		&i.Website,
-		&i.Gender,
-		&i.Birthdate,
-		&i.Zoneinfo,
-		&i.Locale,
-		&i.PhoneNumber,
-		&i.Address,
-	)
-	return i, err
-}
-
-const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
-UPDATE "oidc_tokens" SET
-    "access_token_hash"        = $1,
-    "refresh_token_hash"       = $2,
-    "token_expires_at"         = $3,
-    "refresh_token_expires_at" = $4
-WHERE "refresh_token_hash" = $5
-RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
-`
-
-type UpdateOidcTokenByRefreshTokenParams struct {
-	AccessTokenHash       string
-	RefreshTokenHash      string
-	TokenExpiresAt        int64
-	RefreshTokenExpiresAt int64
-	RefreshTokenHash_2    string
-}
-
-func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
-	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
-		arg.AccessTokenHash,
-		arg.RefreshTokenHash,
-		arg.TokenExpiresAt,
-		arg.RefreshTokenExpiresAt,
-		arg.RefreshTokenHash_2,
-	)
-	var i OidcToken
-	err := row.Scan(
-		&i.Sub,
-		&i.AccessTokenHash,
-		&i.RefreshTokenHash,
-		&i.CodeHash,
-		&i.Scope,
-		&i.ClientID,
-		&i.TokenExpiresAt,
-		&i.RefreshTokenExpiresAt,
-		&i.Nonce,
-	)
-	return i, err
-}
@@ -1,176 +0,0 @@
-// Code generated by sqlc. DO NOT EDIT.
-// versions:
-//   sqlc v1.31.1
-// source: session_queries.sql
-
-package postgres
-
-import (
-	"context"
-)
-
-const createSession = `-- name: CreateSession :one
-INSERT INTO "sessions" (
-    "uuid",
-    "username",
-    "email",
-    "name",
-    "provider",
-    "totp_pending",
-    "oauth_groups",
-    "expiry",
-    "created_at",
-    "oauth_name",
-    "oauth_sub"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
-)
-RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
-`
-
-type CreateSessionParams struct {
-	UUID        string
-	Username    string
-	Email       string
-	Name        string
-	Provider    string
-	TotpPending bool
-	OAuthGroups string
-	Expiry      int64
-	CreatedAt   int64
-	OAuthName   string
-	OAuthSub    string
-}
-
-func (q *Queries) CreateSession(ctx context.Context, arg CreateSessionParams) (Session, error) {
-	row := q.db.QueryRowContext(ctx, createSession,
-		arg.UUID,
-		arg.Username,
-		arg.Email,
-		arg.Name,
-		arg.Provider,
-		arg.TotpPending,
-		arg.OAuthGroups,
-		arg.Expiry,
-		arg.CreatedAt,
-		arg.OAuthName,
-		arg.OAuthSub,
-	)
-	var i Session
-	err := row.Scan(
-		&i.UUID,
-		&i.Username,
-		&i.Email,
-		&i.Name,
-		&i.Provider,
-		&i.TotpPending,
-		&i.OAuthGroups,
-		&i.Expiry,
-		&i.CreatedAt,
-		&i.OAuthName,
-		&i.OAuthSub,
-	)
-	return i, err
-}
-
-const deleteExpiredSessions = `-- name: DeleteExpiredSessions :exec
-DELETE FROM "sessions"
-WHERE "expiry" < $1
-`
-
-func (q *Queries) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
-	_, err := q.db.ExecContext(ctx, deleteExpiredSessions, expiry)
-	return err
-}
-
-const deleteSession = `-- name: DeleteSession :exec
-DELETE FROM "sessions"
-WHERE "uuid" = $1
-`
-
-func (q *Queries) DeleteSession(ctx context.Context, uuid string) error {
-	_, err := q.db.ExecContext(ctx, deleteSession, uuid)
-	return err
-}
-
-const getSession = `-- name: GetSession :one
-SELECT uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub FROM "sessions"
-WHERE "uuid" = $1
-`
-
-func (q *Queries) GetSession(ctx context.Context, uuid string) (Session, error) {
-	row := q.db.QueryRowContext(ctx, getSession, uuid)
-	var i Session
-	err := row.Scan(
-		&i.UUID,
-		&i.Username,
-		&i.Email,
-		&i.Name,
-		&i.Provider,
-		&i.TotpPending,
-		&i.OAuthGroups,
-		&i.Expiry,
-		&i.CreatedAt,
-		&i.OAuthName,
-		&i.OAuthSub,
-	)
-	return i, err
-}
-
-const updateSession = `-- name: UpdateSession :one
-UPDATE "sessions" SET
-    "username"     = $1,
-    "email"        = $2,
-    "name"         = $3,
-    "provider"     = $4,
-    "totp_pending" = $5,
-    "oauth_groups" = $6,
-    "expiry"       = $7,
-    "oauth_name"   = $8,
-    "oauth_sub"    = $9
-WHERE "uuid" = $10
-RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
-`
-
-type UpdateSessionParams struct {
-	Username    string
-	Email       string
-	Name        string
-	Provider    string
-	TotpPending bool
-	OAuthGroups string
-	Expiry      int64
-	OAuthName   string
-	OAuthSub    string
-	UUID        string
-}
-
-func (q *Queries) UpdateSession(ctx context.Context, arg UpdateSessionParams) (Session, error) {
-	row := q.db.QueryRowContext(ctx, updateSession,
-		arg.Username,
-		arg.Email,
-		arg.Name,
-		arg.Provider,
-		arg.TotpPending,
-		arg.OAuthGroups,
-		arg.Expiry,
-		arg.OAuthName,
-		arg.OAuthSub,
-		arg.UUID,
-	)
-	var i Session
-	err := row.Scan(
-		&i.UUID,
-		&i.Username,
-		&i.Email,
-		&i.Name,
-		&i.Provider,
-		&i.TotpPending,
-		&i.OAuthGroups,
-		&i.Expiry,
-		&i.CreatedAt,
-		&i.OAuthName,
-		&i.OAuthSub,
-	)
-	return i, err
-}
@@ -1,209 +0,0 @@
-// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
-package postgres
-
-import (
-	"context"
-	"database/sql"
-	"errors"
-
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-)
-
-// Store wraps *Queries and implements repository.Store.
-type Store struct {
-	q *Queries
-}
-
-// NewStore wraps a *Queries to satisfy repository.Store.
-func NewStore(q *Queries) repository.Store {
-	return &Store{q: q}
-}
-
-var errorMap = map[error]error{
-	sql.ErrNoRows: repository.ErrNotFound,
-}
-
-func mapErr(err error) error {
-	for from, to := range errorMap {
-		if errors.Is(err, from) {
-			return to
-		}
-	}
-	return err
-}
-
-func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
-	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
-	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
-	}
-	return repository.OidcCode(r), nil
-}
-
-func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
-	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
-	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
-	}
-	return repository.OidcToken(r), nil
-}
-
-func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
-	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
-	if err != nil {
-		return repository.OidcUserinfo{}, mapErr(err)
-	}
-	return repository.OidcUserinfo(r), nil
-}
-
-func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
-	r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
-	if err != nil {
-		return repository.Session{}, mapErr(err)
-	}
-	return repository.Session(r), nil
-}
-
-func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
-	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
-	if err != nil {
-		return nil, mapErr(err)
-	}
-	out := make([]repository.OidcCode, len(rows))
-	for i, row := range rows {
-		out[i] = repository.OidcCode(row)
-	}
-	return out, nil
-}
-
-func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
-	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
-	if err != nil {
-		return nil, mapErr(err)
-	}
-	out := make([]repository.OidcToken, len(rows))
-	for i, row := range rows {
-		out[i] = repository.OidcToken(row)
-	}
-	return out, nil
-}
-
-func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
-	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
-}
-
-func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
-	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
-}
-
-func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
-}
-
-func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
-	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
-}
-
-func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
-	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
-}
-
-func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
-}
-
-func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
-	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
-}
-
-func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
-	return mapErr(s.q.DeleteSession(ctx, uuid))
-}
-
-func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
-	r, err := s.q.GetOidcCode(ctx, codeHash)
-	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
-	}
-	return repository.OidcCode(r), nil
-}
-
-func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOidcCodeBySub(ctx, sub)
-	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
-	}
-	return repository.OidcCode(r), nil
-}
-
-func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
-	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
-	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
-	}
-	return repository.OidcCode(r), nil
-}
-
-func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
-	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
-	if err != nil {
-		return repository.OidcCode{}, mapErr(err)
-	}
-	return repository.OidcCode(r), nil
-}
-
-func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
-	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
-	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
-	}
-	return repository.OidcToken(r), nil
-}
-
-func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
-	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
-	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
-	}
-	return repository.OidcToken(r), nil
-}
-
-func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
-	r, err := s.q.GetOidcTokenBySub(ctx, sub)
-	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
-	}
-	return repository.OidcToken(r), nil
-}
-
-func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
-	r, err := s.q.GetOidcUserInfo(ctx, sub)
-	if err != nil {
-		return repository.OidcUserinfo{}, mapErr(err)
-	}
-	return repository.OidcUserinfo(r), nil
-}
-
-func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
-	r, err := s.q.GetSession(ctx, uuid)
-	if err != nil {
-		return repository.Session{}, mapErr(err)
-	}
-	return repository.Session(r), nil
-}
-
-func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
-	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
-	if err != nil {
-		return repository.OidcToken{}, mapErr(err)
-	}
-	return repository.OidcToken(r), nil
-}
-
-func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
-	r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
-	if err != nil {
-		return repository.Session{}, mapErr(err)
-	}
-	return repository.Session(r), nil
-}
@@ -0,0 +1,162 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
+)
+
+// TestMapErr verifies that mapErr translates known sentinel errors and
+// passes through all other errors unchanged.
+func TestMapErr(t *testing.T) {
+	sentinel := errors.New("some other error")
+
+	tests := []struct {
+		name    string
+		input   error
+		want    error
+		isWant  bool // use errors.Is check
+	}{
+		{
+			name:   "nil passes through unchanged",
+			input:  nil,
+			want:   nil,
+			isWant: false,
+		},
+		{
+			name:   "sql.ErrNoRows maps to repository.ErrNotFound",
+			input:  sql.ErrNoRows,
+			want:   repository.ErrNotFound,
+			isWant: true,
+		},
+		{
+			name:   "wrapped sql.ErrNoRows maps to repository.ErrNotFound",
+			input:  fmt.Errorf("wrapped: %w", sql.ErrNoRows),
+			want:   repository.ErrNotFound,
+			isWant: true,
+		},
+		{
+			name:   "arbitrary error passes through unchanged",
+			input:  sentinel,
+			want:   sentinel,
+			isWant: true,
+		},
+		{
+			name:   "wrapped arbitrary error passes through unchanged",
+			input:  fmt.Errorf("outer: %w", sentinel),
+			want:   fmt.Errorf("outer: %w", sentinel),
+			isWant: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := mapErr(tt.input)
+			if tt.input == nil {
+				assert.Nil(t, got)
+				return
+			}
+			if tt.isWant {
+				assert.True(t, errors.Is(got, tt.want), "expected errors.Is(%v, %v) to be true, got %v", got, tt.want, got)
+			} else {
+				// For wrapped-arbitrary-error passthrough: the original wrapped error is returned as-is
+				assert.Equal(t, tt.input, got)
+			}
+		})
+	}
+}
+
+// TestMapErr_ErrNoRows_IsRepositoryErrNotFound specifically asserts the contract
+// that callers outside the package can detect repository.ErrNotFound using errors.Is.
+func TestMapErr_ErrNoRows_IsRepositoryErrNotFound(t *testing.T) {
+	result := mapErr(sql.ErrNoRows)
+	require.NotNil(t, result)
+	assert.True(t, errors.Is(result, repository.ErrNotFound))
+	// Must NOT still be sql.ErrNoRows after mapping
+	assert.False(t, errors.Is(result, sql.ErrNoRows))
+}
+
+// TestMapErr_OtherError_IsNotRepositoryErrNotFound ensures unrecognised errors
+// are NOT silently converted to ErrNotFound.
+func TestMapErr_OtherError_IsNotRepositoryErrNotFound(t *testing.T) {
+	someErr := errors.New("connection refused")
+	result := mapErr(someErr)
+	require.NotNil(t, result)
+	assert.False(t, errors.Is(result, repository.ErrNotFound))
+	assert.True(t, errors.Is(result, someErr))
+}
+
+// TestNewStore ensures that NewStore returns a value satisfying the
+// repository.Store interface (compile-time verified) and is not nil.
+func TestNewStore(t *testing.T) {
+	q := New(nil) // Queries with a nil DBTX — adequate for construction checks
+	var store repository.Store = NewStore(q)
+	assert.NotNil(t, store)
+}
+
+// mockDBTX is a minimal DBTX implementation that returns a configurable error.
+type mockDBTX struct {
+	err    error
+	rowErr error
+}
+
+func (m *mockDBTX) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) {
+	return nil, m.err
+}
+
+func (m *mockDBTX) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) {
+	return nil, m.err
+}
+
+func (m *mockDBTX) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, m.err
+}
+
+func (m *mockDBTX) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row {
+	// *sql.Row cannot be constructed without internals; returning nil causes a
+	// nil-dereference in callers, so we can only test ExecContext-backed methods.
+	return nil
+}
+
+// TestStore_DeleteSession_PropagatesError verifies that an error returned by the
+// underlying DBTX is forwarded (possibly mapped) by the Store wrapper.
+func TestStore_DeleteSession_PropagatesError(t *testing.T) {
+	customErr := errors.New("exec error")
+	mock := &mockDBTX{err: customErr}
+	store := NewStore(New(mock))
+
+	err := store.DeleteSession(context.Background(), "some-uuid")
+	require.Error(t, err)
+	// The error is not ErrNoRows, so it must be passed through as-is.
+	assert.True(t, errors.Is(err, customErr))
+}
+
+// TestStore_DeleteOidcCode_PropagatesError verifies error propagation for a
+// different delete method.
+func TestStore_DeleteOidcCode_PropagatesError(t *testing.T) {
+	customErr := errors.New("exec error")
+	mock := &mockDBTX{err: customErr}
+	store := NewStore(New(mock))
+
+	err := store.DeleteOidcCode(context.Background(), "some-hash")
+	require.Error(t, err)
+	assert.True(t, errors.Is(err, customErr))
+}
+
+// TestStore_DeleteExpiredSessions_PropagatesErrNoRowsAsNotFound verifies that
+// sql.ErrNoRows is mapped to repository.ErrNotFound through the Store wrapper.
+func TestStore_DeleteExpiredSessions_PropagatesError(t *testing.T) {
+	customErr := errors.New("db unavailable")
+	mock := &mockDBTX{err: customErr}
+	store := NewStore(New(mock))
+
+	err := store.DeleteExpiredSessions(context.Background(), 0)
+	require.Error(t, err)
+	assert.True(t, errors.Is(err, customErr))
+}
@@ -9,12 +9,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

-// For LDAP and OAuth groups and IP allow/deny, we default to allow even with a deny policy.
-// This is because we can't force the user to use groups in LDAP and OAuth if they would like to use
-// a deny policy. As for IP checks, we can't reliably get the client IP (most of Tinyauth instances are
-// behind a Docker bridge network) so to make it easier for users to use a deny policy without
-// issues with IPs we allow by default.
-
 type RuleName string

 const (
@@ -31,11 +25,7 @@ type UserAllowedRule struct {
 }

 func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.UserContext == nil {
-		return EffectDeny
-	}
-
-	if ctx.ACLs == nil {
+	if ctx.ACLs == nil || ctx.UserContext == nil {
 		return EffectAbstain
 	}

@@ -44,7 +34,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Whitelist, ctx.UserContext.OAuth.Email)
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.OAuth.Email).Msg("Invalid entry in OAuth whitelist")
-			return EffectDeny
+			return EffectAbstain
 		}
 		if match {
 			rule.Log.App.Debug().Str("email", ctx.UserContext.OAuth.Email).Msg("User is in OAuth whitelist, allowing access")
@@ -58,7 +48,7 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 		match, err := utils.CheckFilter(ctx.ACLs.Users.Block, ctx.UserContext.GetUsername())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users block list")
-			return EffectDeny
+			return EffectAbstain
 		}
 		if match {
 			rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users block list, denying access")
@@ -72,11 +62,8 @@ func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 	match, err := utils.CheckFilter(ctx.ACLs.Users.Allow, ctx.UserContext.GetUsername())

 	if err != nil {
-		if err == utils.ErrFilterEmpty {
-			return EffectAbstain
-		}
 		rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list")
-		return EffectDeny
+		return EffectAbstain
 	}

 	if match {
@@ -93,22 +80,13 @@ type OAuthGroupRule struct {
 }

 func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.UserContext == nil {
-		return EffectDeny
-	}
-
-	if ctx.ACLs == nil {
-		return EffectAllow
+	if ctx.ACLs == nil || ctx.UserContext == nil {
+		return EffectAbstain
 	}

 	if !ctx.UserContext.IsOAuth() {
 		rule.Log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
-		return EffectAllow
-	}
-
-	if len(ctx.ACLs.OAuth.Groups) == 0 {
-		rule.Log.App.Debug().Msg("No OAuth groups specified in ACLs, allowing access")
-		return EffectAllow
+		return EffectAbstain
 	}

 	if _, ok := model.OverrideProviders[ctx.UserContext.OAuth.ID]; ok {
@@ -119,8 +97,7 @@ func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
 	for _, group := range ctx.UserContext.OAuth.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Groups, strings.TrimSpace(group))
 		if err != nil {
-			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in OAuth groups ACL")
-			return EffectDeny
+			return EffectAbstain
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.OAuth.Groups).Msg("User group matched, allowing access")
@@ -137,29 +114,19 @@ type LDAPGroupRule struct {
 }

 func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
-	if ctx.UserContext == nil {
-		return EffectDeny
-	}
-
-	if ctx.ACLs == nil {
-		return EffectAllow
+	if ctx == nil || ctx.UserContext == nil || ctx.ACLs == nil {
+		return EffectAbstain
 	}

 	if !ctx.UserContext.IsLDAP() {
 		rule.Log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
-		return EffectAllow
-	}
-
-	if len(ctx.ACLs.LDAP.Groups) == 0 {
-		rule.Log.App.Debug().Msg("No LDAP groups specified in ACLs, allowing access")
-		return EffectAllow
+		return EffectAbstain
 	}

 	for _, group := range ctx.UserContext.LDAP.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.LDAP.Groups, strings.TrimSpace(group))
 		if err != nil {
-			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in LDAP groups ACL")
-			return EffectDeny
+			return EffectAbstain
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.LDAP.Groups).Msg("User group matched, allowing access")
@@ -21,16 +21,6 @@ func TestUserAllowedRule(t *testing.T) {
 		ctx      *ACLContext
 		expected Effect
 	}{
-		{
-			name: "denies when user context is nil",
-			ctx: &ACLContext{
-				ACLs: &model.App{
-					OAuth: model.AppOAuth{Whitelist: "alice"},
-				},
-				UserContext: nil,
-			},
-			expected: EffectDeny,
-		},
 		{
 			name: "abstains when ACLs are nil",
 			ctx: &ACLContext{
@@ -44,6 +34,16 @@ func TestUserAllowedRule(t *testing.T) {
 			},
 			expected: EffectAbstain,
 		},
+		{
+			name: "abstains when user context is nil",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "alice"},
+				},
+				UserContext: nil,
+			},
+			expected: EffectAbstain,
+		},
 		{
 			name: "allows OAuth user when email matches whitelist",
 			ctx: &ACLContext{
@@ -78,7 +78,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "denies for OAuth user when whitelist filter is invalid",
+			name: "abstains for OAuth user when whitelist filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "/[/"},
@@ -90,7 +90,7 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectDeny,
+			expected: EffectAbstain,
 		},
 		{
 			name: "denies local user when username matches block list",
@@ -123,7 +123,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectAllow,
 		},
 		{
-			name: "denies when block list filter is invalid",
+			name: "abstains when block list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Block: "/[/"},
@@ -135,21 +135,6 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectDeny,
-		},
-		{
-			name: "abstains when allow list is empty",
-			ctx: &ACLContext{
-				ACLs: &model.App{
-					Users: model.AppUsers{Allow: ""},
-				},
-				UserContext: &model.UserContext{
-					Provider: model.ProviderLocal,
-					Local: &model.LocalContext{
-						BaseContext: model.BaseContext{Username: "alice"},
-					},
-				},
-			},
 			expected: EffectAbstain,
 		},
 		{
@@ -183,7 +168,7 @@ func TestUserAllowedRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "denies when allow list filter is invalid",
+			name: "abstains when allow list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: "/[/"},
@@ -195,7 +180,7 @@ func TestUserAllowedRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectDeny,
+			expected: EffectAbstain,
 		},
 	}

@@ -218,17 +203,7 @@ func TestOAuthGroupRule(t *testing.T) {
 		expected Effect
 	}{
 		{
-			name: "denies when user context is nil",
-			ctx: &ACLContext{
-				ACLs: &model.App{
-					OAuth: model.AppOAuth{Whitelist: "alice"},
-				},
-				UserContext: nil,
-			},
-			expected: EffectDeny,
-		},
-		{
-			name: "allows when ACLs are nil",
+			name: "abstains when ACLs are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
@@ -238,10 +213,20 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAllow,
+			expected: EffectAbstain,
 		},
 		{
-			name: "allows when user is not OAuth",
+			name: "abstains when user context is nil",
+			ctx: &ACLContext{
+				ACLs: &model.App{
+					OAuth: model.AppOAuth{Whitelist: "alice"},
+				},
+				UserContext: nil,
+			},
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user is not OAuth",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
@@ -253,22 +238,7 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAllow,
-		},
-		{
-			name: "allows when group filter is empty",
-			ctx: &ACLContext{
-				ACLs: &model.App{
-					OAuth: model.AppOAuth{Groups: ""},
-				},
-				UserContext: &model.UserContext{
-					Provider: model.ProviderOAuth,
-					OAuth: &model.OAuthContext{
-						BaseContext: model.BaseContext{Username: "alice"},
-					},
-				},
-			},
-			expected: EffectAllow,
+			expected: EffectAbstain,
 		},
 		{
 			name: "allows when provider is an override provider regardless of groups",
@@ -335,7 +305,7 @@ func TestOAuthGroupRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "denies when groups filter is invalid",
+			name: "abstains when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "/[/"},
@@ -348,7 +318,7 @@ func TestOAuthGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectDeny,
+			expected: EffectAbstain,
 		},
 	}

@@ -371,30 +341,22 @@ func TestLDAPGroupRule(t *testing.T) {
 		expected Effect
 	}{
 		{
-			name: "denies when user context is nil",
+			name:     "abstains when context is nil",
+			ctx:      nil,
+			expected: EffectAbstain,
+		},
+		{
+			name: "abstains when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
-			expected: EffectDeny,
+			expected: EffectAbstain,
 		},
 		{
-			name: "allows when acls are nil",
-			ctx: &ACLContext{
-				ACLs: nil,
-				UserContext: &model.UserContext{
-					Provider: model.ProviderLocal,
-					Local: &model.LocalContext{
-						BaseContext: model.BaseContext{Username: "alice"},
-					},
-				},
-			},
-			expected: EffectAllow,
-		},
-		{
-			name: "allows when user is not LDAP",
+			name: "abstains when user is not LDAP",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins"},
@@ -406,22 +368,7 @@ func TestLDAPGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectAllow,
-		},
-		{
-			name: "allows when group filter is empty",
-			ctx: &ACLContext{
-				ACLs: &model.App{
-					LDAP: model.AppLDAP{Groups: ""},
-				},
-				UserContext: &model.UserContext{
-					Provider: model.ProviderLDAP,
-					LDAP: &model.LDAPContext{
-						BaseContext: model.BaseContext{Username: "alice"},
-					},
-				},
-			},
-			expected: EffectAllow,
+			expected: EffectAbstain,
 		},
 		{
 			name: "allows LDAP user when a group matches",
@@ -469,7 +416,7 @@ func TestLDAPGroupRule(t *testing.T) {
 			expected: EffectDeny,
 		},
 		{
-			name: "denies when groups filter is invalid",
+			name: "abstains when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "/[/"},
@@ -481,7 +428,7 @@ func TestLDAPGroupRule(t *testing.T) {
 					},
 				},
 			},
-			expected: EffectDeny,
+			expected: EffectAbstain,
 		},
 	}

@@ -9,7 +9,6 @@ import (
 	"sync"
 	"time"

-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -80,7 +79,6 @@ type AuthService struct {
 	queries     repository.Store
 	oauthBroker *OAuthBrokerService
 	tailscale   *TailscaleService
-	policyEngine *PolicyEngine

 	loginAttempts        map[string]*LoginAttempt
 	ldapGroupsCache      map[string]*LdapGroupsCache
@@ -98,12 +96,11 @@ func NewAuthService(
 	config model.Config,
 	runtime model.RuntimeConfig,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 	ldap *LdapService,
 	queries repository.Store,
 	oauthBroker *OAuthBrokerService,
 	tailscale *TailscaleService,
-	policy *PolicyEngine,
 ) *AuthService {
 	service := &AuthService{
 		log:                  log,
@@ -117,10 +114,9 @@ func NewAuthService(
 		queries:              queries,
 		oauthBroker:          oauthBroker,
 		tailscale:            tailscale,
-		policyEngine:         policy,
 	}

-	dg.Go(service.cleanupOAuthSessions, ding.RingMinor)
+	wg.Go(service.CleanupOAuthSessionsRoutine)

 	return service
 }
@@ -289,27 +285,18 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 	}
 }

-// We could also directly access the policyEngine.effectToAccess but
-// I believe it's better to use the exported functions instead
 func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
-	return auth.policyEngine.EvaluateFunc(func() Effect {
 	whitelist := auth.runtime.OAuthWhitelist
 	if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
 		whitelist = providerConfig.Whitelist
 	}
+
 	match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
 	if err != nil {
-			if err == utils.ErrFilterEmpty {
-				return EffectAbstain
+		auth.log.App.Warn().Err(err).Str("provider", provider).Str("email", email).Msg("Invalid email filter pattern")
+		return false
 	}
-			auth.log.App.Error().Err(err).Str("email", email).Msg("Failed to evaluate email whitelist filter, defaulting to deny")
-			return EffectDeny
-		}
-		if match {
-			return EffectAllow
-		}
-		return EffectDeny
-	})
+	return match
 }

 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
@@ -602,7 +589,7 @@ func (auth *AuthService) EndOAuthSession(sessionId string) {
 	auth.oauthMutex.Unlock()
 }

-func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {
+func (auth *AuthService) CleanupOAuthSessionsRoutine() {
 	auth.log.App.Debug().Msg("Starting OAuth session cleanup routine")

 	ticker := time.NewTicker(30 * time.Minute)
@@ -625,7 +612,7 @@ func (auth *AuthService) cleanupOAuthSessions(ctx context.Context) {

 			auth.oauthMutex.Unlock()
 			auth.log.App.Debug().Msg("OAuth session cleanup completed")
-		case <-ctx.Done():
+		case <-auth.context.Done():
 			auth.log.App.Debug().Msg("Stopping OAuth session cleanup routine")
 			return
 		}
@@ -8,7 +8,105 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )

-func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
+func newTestAuthService(whitelist []string) *AuthService {
+	log := logger.NewLogger().WithTestConfig()
+	log.Init()
+	return &AuthService{
+		log: log,
+		runtime: model.RuntimeConfig{
+			OAuthWhitelist: whitelist,
+		},
+	}
+}
+
+func TestIsEmailWhitelisted(t *testing.T) {
+	tests := []struct {
+		name      string
+		whitelist []string
+		email     string
+		expected  bool
+	}{
+		{
+			name:      "empty whitelist denies all",
+			whitelist: []string{},
+			email:     "user@example.com",
+			expected:  false,
+		},
+		{
+			name:      "nil whitelist denies all",
+			whitelist: nil,
+			email:     "user@example.com",
+			expected:  false,
+		},
+		{
+			name:      "matching email is allowed",
+			whitelist: []string{"user@example.com"},
+			email:     "user@example.com",
+			expected:  true,
+		},
+		{
+			name:      "non-matching email is denied",
+			whitelist: []string{"user@example.com"},
+			email:     "other@example.com",
+			expected:  false,
+		},
+		{
+			name:      "multiple entries, matching email is allowed",
+			whitelist: []string{"alice@example.com", "bob@example.com"},
+			email:     "bob@example.com",
+			expected:  true,
+		},
+		{
+			name:      "multiple entries, non-matching email is denied",
+			whitelist: []string{"alice@example.com", "bob@example.com"},
+			email:     "charlie@example.com",
+			expected:  false,
+		},
+		{
+			name:      "regex pattern matches email",
+			whitelist: []string{"/@example\\.com$/"},
+			email:     "anyone@example.com",
+			expected:  true,
+		},
+		{
+			name:      "regex pattern does not match different domain",
+			whitelist: []string{"/@example\\.com$/"},
+			email:     "anyone@other.com",
+			expected:  false,
+		},
+		{
+			name:      "wildcard domain pattern with regex",
+			whitelist: []string{"/^.+@mycompany\\.org$/"},
+			email:     "employee@mycompany.org",
+			expected:  true,
+		},
+		{
+			name:      "only global whitelist is used, not any per-provider list",
+			whitelist: []string{"global@example.com"},
+			email:     "global@example.com",
+			expected:  true,
+		},
+		{
+			name:      "whitespace-only entries are handled gracefully",
+			whitelist: []string{"  "},
+			email:     "user@example.com",
+			expected:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := newTestAuthService(tt.whitelist)
+			result := auth.IsEmailWhitelisted(tt.email)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+// TestIsEmailWhitelistedNoPerProviderList verifies the new behaviour where
+// per-provider whitelist overrides are no longer applied; only the global
+// OAuthWhitelist is consulted regardless of which OAuth provider was used.
+func TestIsEmailWhitelistedNoPerProviderList(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()

@@ -16,24 +114,18 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 		log: log,
 		runtime: model.RuntimeConfig{
 			OAuthWhitelist: []string{"global@example.com"},
+			// OAuthProviders still present but their Whitelist field has been removed
 			OAuthProviders: map[string]model.OAuthServiceConfig{
 				"github": {
-					Whitelist: []string{"github@example.com"},
-				},
-				"pocketid": {
-					Whitelist: []string{"pocket@example.com"},
-				},
-				"gitlab": {
-					Whitelist: []string{},
+					ClientID: "github-client-id",
 				},
 			},
 		},
 	}

-	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
-	assert.False(t, auth.IsEmailWhitelisted("github", "pocket@example.com"))
-	assert.True(t, auth.IsEmailWhitelisted("pocketid", "pocket@example.com"))
-	assert.True(t, auth.IsEmailWhitelisted("google", "global@example.com"))
-	assert.True(t, auth.IsEmailWhitelisted("gitlab", "global@example.com"))
-	assert.False(t, auth.IsEmailWhitelisted("gitlab", "unknown@example.com"))
+	// Global whitelist allows this email regardless of provider
+	assert.True(t, auth.IsEmailWhitelisted("global@example.com"))
+	// Global whitelist denies this email even though it was previously
+	// allowed by a provider-specific list in the old implementation
+	assert.False(t, auth.IsEmailWhitelisted("provider-only@example.com"))
 }
@@ -3,8 +3,8 @@ package service
 import (
 	"context"
 	"strings"
+	"sync"

-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -24,7 +24,7 @@ type DockerService struct {
 func NewDockerService(
 	log *logger.Logger,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 ) (*DockerService, error) {

 	client, err := client.NewClientWithOpts(client.FromEnv)
@@ -50,7 +50,7 @@ func NewDockerService(
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")

-	dg.Go(service.watchAndClose, ding.RingMajor)
+	wg.Go(service.watchAndClose)

 	return service, nil
 }
@@ -108,8 +108,8 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
 	return nil, nil
 }

-func (docker *DockerService) watchAndClose(ctx context.Context) {
-	<-ctx.Done()
+func (docker *DockerService) watchAndClose() {
+	<-docker.context.Done()
 	docker.log.App.Debug().Msg("Closing Docker client")
 	if docker.client != nil {
 		err := docker.client.Close()
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"

-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -39,6 +38,7 @@ type ingressApp struct {

 type KubernetesService struct {
 	log *logger.Logger
+	ctx context.Context

 	client       dynamic.Interface
 	started      bool
@@ -51,7 +51,7 @@ type KubernetesService struct {
 func NewKubernetesService(
 	log *logger.Logger,
 	ctx context.Context,
-	dg *ding.Ding,
+	wg *sync.WaitGroup,
 ) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
@@ -82,15 +82,16 @@ func NewKubernetesService(

 	service := &KubernetesService{
 		log:          log,
+		ctx:          ctx,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}

-	dg.Go(func(ctx context.Context) {
-		service.watchGVR(gvr, ctx)
-	}, ding.RingMajor)
+	wg.Go(func() {
+		service.watchGVR(gvr)
+	})

 	service.started = true
 	log.App.Debug().Msg("Kubernetes label provider started successfully")
@@ -270,8 +271,8 @@ func (k *KubernetesService) updateFromItem(item *unstructured.Unstructured) {
 	}
 }

-func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource, ctx context.Context) error {
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource) error {
+	ctx, cancel := context.WithTimeout(k.ctx, 30*time.Second)
 	defer cancel()

 	list, err := k.client.Resource(gvr).List(ctx, metav1.ListOptions{})
@@ -288,10 +289,10 @@ func (k *KubernetesService) resyncGVR(gvr schema.GroupVersionResource, ctx conte

 // runWatcher drains events from an active watcher until it closes or the context is done.
 // Returns true if the caller should restart the watcher, false if it should exit.
-func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker, ctx context.Context) bool {
+func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.Interface, resyncTicker *time.Ticker) bool {
 	for {
 		select {
-		case <-ctx.Done():
+		case <-k.ctx.Done():
 			w.Stop()
 			return false
 		case event, ok := <-w.ResultChan():
@@ -313,33 +314,33 @@ func (k *KubernetesService) runWatcher(gvr schema.GroupVersionResource, w watch.
 				k.removeIngress(item.GetNamespace(), item.GetName())
 			}
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr, ctx); err != nil {
+			if err := k.resyncGVR(gvr); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed during watcher run")
 			}
 		}
 	}
 }

-func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource, ctx context.Context) {
+func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource) {
 	resyncTicker := time.NewTicker(5 * time.Minute)
 	defer resyncTicker.Stop()

-	if err := k.resyncGVR(gvr, ctx); err != nil {
+	if err := k.resyncGVR(gvr); err != nil {
 		k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Initial resync failed, will retry")
 		time.Sleep(30 * time.Second)
 	}

 	for {
 		select {
-		case <-ctx.Done():
+		case <-k.ctx.Done():
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Shutting down kubernetes watcher")
 			return
 		case <-resyncTicker.C:
-			if err := k.resyncGVR(gvr, ctx); err != nil {
+			if err := k.resyncGVR(gvr); err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Periodic resync failed, will retry")
 			}
 		default:
-			ctx, cancel := context.WithCancel(ctx)
+			ctx, cancel := context.WithCancel(k.ctx)
 			watcher, err := k.client.Resource(gvr).Watch(ctx, metav1.ListOptions{})
 			if err != nil {
 				k.log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to start watcher, will retry")
@@ -348,7 +349,7 @@ func (k *KubernetesService) watchGVR(gvr schema.GroupVersionResource, ctx contex
 				continue
 			}
 			k.log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Watcher started successfully")
-			if !k.runWatcher(gvr, watcher, resyncTicker, ctx) {
+			if !k.runWatcher(gvr, watcher, resyncTicker) {
 				cancel()
 				return
 			}
@@ -9,7 +9,6 @@ import (

 	"github.com/cenkalti/backoff/v5"
 	ldapgo "github.com/go-ldap/ldap/v3"
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -17,6 +16,7 @@ import (
 type LdapService struct {
 	log     *logger.Logger
 	config  model.Config
+	context context.Context

 	conn  *ldapgo.Conn
 	mutex sync.RWMutex
@@ -26,7 +26,8 @@ type LdapService struct {
 func NewLdapService(
 	log *logger.Logger,
 	config model.Config,
-	dg *ding.Ding,
+	ctx context.Context,
+	wg *sync.WaitGroup,
 ) (*LdapService, error) {
 	if config.LDAP.Address == "" {
 		return nil, nil
@@ -35,6 +36,7 @@ func NewLdapService(
 	ldap := &LdapService{
 		log:     log,
 		config:  config,
+		context: ctx,
 	}

 	// Check whether authentication with client certificate is possible
@@ -67,7 +69,7 @@ func NewLdapService(
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}

-	dg.Go(func(ctx context.Context) {
+	wg.Go(func() {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")

 		ticker := time.NewTicker(5 * time.Minute)
@@ -85,12 +87,12 @@ func NewLdapService(
 					}
 					ldap.log.App.Info().Msg("Successfully reconnected to LDAP server")
 				}
-			case <-ctx.Done():
+			case <-ldap.context.Done():
 				ldap.log.App.Debug().Msg("LDAP service context cancelled, stopping heartbeat")
 				return
 			}
 		}
-	}, ding.RingMajor)
+	})

 	return ldap, nil
 }
@@ -15,13 +15,13 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"sync"
 	"time"

 	"slices"

 	"github.com/gin-gonic/gin"
 	"github.com/go-jose/go-jose/v4"
-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -116,6 +116,7 @@ type OIDCService struct {
 	config  model.Config
 	runtime model.RuntimeConfig
 	queries repository.Store
+	context context.Context

 	clients    map[string]model.OIDCClientConfig
 	privateKey *rsa.PrivateKey
@@ -128,7 +129,8 @@ func NewOIDCService(
 	config model.Config,
 	runtime model.RuntimeConfig,
 	queries repository.Store,
-	dg *ding.Ding) (*OIDCService, error) {
+	ctx context.Context,
+	wg *sync.WaitGroup) (*OIDCService, error) {
 	// If not configured, skip init
 	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
@@ -274,6 +276,7 @@ func NewOIDCService(
 		config:  config,
 		runtime: runtime,
 		queries: queries,
+		context: ctx,

 		clients:    clients,
 		privateKey: privateKey,
@@ -282,7 +285,7 @@ func NewOIDCService(
 	}

 	// Start cleanup routine
-	dg.Go(service.cleanupRoutine, ding.RingMinor)
+	wg.Go(service.cleanupRoutine)

 	return service, nil
 }
@@ -756,7 +759,7 @@ func (service *OIDCService) DeleteOldSession(ctx context.Context, sub string) er
 }

 // Cleanup routine - Resource heavy due to the linked tables
-func (service *OIDCService) cleanupRoutine(ctx context.Context) {
+func (service *OIDCService) cleanupRoutine() {
 	service.log.App.Debug().Msg("Starting OIDC cleanup routine")
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
@@ -769,7 +772,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			currentTime := time.Now().Unix()

 			// For the OIDC tokens, if they are expired we delete the userinfo and codes
-			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
+			expiredTokens, err := service.queries.DeleteExpiredOidcTokens(service.context, repository.DeleteExpiredOidcTokensParams{
 				TokenExpiresAt:        currentTime,
 				RefreshTokenExpiresAt: currentTime,
 			})
@@ -779,21 +782,21 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			}

 			for _, expiredToken := range expiredTokens {
-				err := service.DeleteOldSession(ctx, expiredToken.Sub)
+				err := service.DeleteOldSession(service.context, expiredToken.Sub)
 				if err != nil {
 					service.log.App.Warn().Err(err).Msg("Failed to delete session for expired token")
 				}
 			}

 			// For expired codes, we need to get the sub, check if tokens are expired and if they are remove everything
-			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(ctx, currentTime)
+			expiredCodes, err := service.queries.DeleteExpiredOidcCodes(service.context, currentTime)

 			if err != nil {
 			service.log.App.Warn().Err(err).Msg("Failed to delete expired codes")
 			}

 			for _, expiredCode := range expiredCodes {
-				token, err := service.queries.GetOidcTokenBySub(ctx, expiredCode.Sub)
+				token, err := service.queries.GetOidcTokenBySub(service.context, expiredCode.Sub)

 				if err != nil {
 					if !errors.Is(err, repository.ErrNotFound) {
@@ -803,7 +806,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 				}

 				if token.TokenExpiresAt < currentTime && token.RefreshTokenExpiresAt < currentTime {
-					err := service.DeleteOldSession(ctx, expiredCode.Sub)
+					err := service.DeleteOldSession(service.context, expiredCode.Sub)
 					if err != nil {
 						service.log.App.Warn().Err(err).Msg("Failed to delete session for expired code")
 					}
@@ -811,7 +814,7 @@ func (service *OIDCService) cleanupRoutine(ctx context.Context) {
 			}

 			service.log.App.Debug().Msg("Finished OIDC cleanup routine")
-		case <-ctx.Done():
+		case <-service.context.Done():
 			service.log.App.Debug().Msg("Stopping OIDC cleanup routine")
 			return
 		}
@@ -3,9 +3,9 @@ package service_test
 import (
 	"context"
 	"encoding/json"
+	"sync"
 	"testing"

-	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

@@ -70,9 +70,9 @@ func TestCompileUserinfo(t *testing.T) {
 	log.Init()

 	ctx := context.TODO()
-	dg := ding.New(ctx)
+	wg := &sync.WaitGroup{}

-	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, ctx, wg)
 	require.NoError(t, err)

 	type testCase struct {
@@ -108,7 +108,3 @@ func (engine *PolicyEngine) Policy() Policy {
 func (engine *PolicyEngine) Rules() map[RuleName]Rule {
 	return engine.rules
 }
-
-func (engine *PolicyEngine) EvaluateFunc(f func() Effect) bool {
-	return engine.effectToAccess(f())
-}
@@ -9,7 +9,6 @@ import (
 	"sync"
 	"time"

-	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"tailscale.com/client/local"
@@ -26,6 +25,7 @@ type TailscaleWhoisResponse struct {

 type TailscaleService struct {
 	log    *logger.Logger
+	wg     *sync.WaitGroup
 	config model.Config
 	ctx    context.Context

@@ -35,7 +35,7 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }

-func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, wg *sync.WaitGroup) (*TailscaleService, error) {
 	if !config.Tailscale.Enabled {
 		return nil, nil
 	}
@@ -67,6 +67,7 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co

 	service := &TailscaleService{
 		log:    log,
+		wg:     wg,
 		config: config,
 		ctx:    ctx,
 		srv:    srv,
@@ -83,13 +84,13 @@ func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Co
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}

-	dg.Go(service.watchAndClose, ding.RingMajor)
+	wg.Go(service.watchAndClose)

 	return service, nil
 }

-func (ts *TailscaleService) watchAndClose(ctx context.Context) {
-	<-ctx.Done()
+func (ts *TailscaleService) watchAndClose() {
+	<-ts.ctx.Done()
 	ts.log.App.Debug().Msg("Shutting down Tailscale service")
 	ts.mu.Lock()
 	srv := ts.srv
@@ -3,6 +3,7 @@ package loaders
 import (
 	"os"

+	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
 	"github.com/tinyauthapp/paerser/file"
 	"github.com/tinyauthapp/paerser/flag"
@@ -18,8 +19,8 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 	}

 	// I guess we are using traefik as the root name (we can't change it)
-	configFileFlag := "traefik.configfile"
-	envVar := "TINYAUTH_CONFIGFILE"
+	configFileFlag := "traefik.experimental.configfile"
+	envVar := "TINYAUTH_EXPERIMENTAL_CONFIGFILE"

 	if _, ok := flags[configFileFlag]; !ok {
 		if value := os.Getenv(envVar); value != "" {
@@ -29,6 +30,8 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 		}
 	}

+	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")
+
 	err = file.Decode(flags[configFileFlag], cmd.Configuration)

 	if err != nil {
@@ -3,7 +3,6 @@ package utils
 import (
 	"crypto/rand"
 	"encoding/base64"
-	"errors"
 	"fmt"
 	"net"
 	"regexp"
@@ -12,10 +11,6 @@ import (
 	"github.com/google/uuid"
 )

-var (
-	ErrFilterEmpty = errors.New("filter is empty")
-)
-
 func GetSecret(conf string, file string) string {
 	if conf == "" && file == "" {
 		return ""
@@ -83,7 +78,7 @@ func CheckIPFilter(filter string, ip string) (bool, error) {

 func CheckFilter(filter string, input string) (bool, error) {
 	if len(strings.TrimSpace(filter)) == 0 {
-		return false, ErrFilterEmpty
+		return false, fmt.Errorf("filter is empty")
 	}

 	if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
@@ -1,133 +0,0 @@
-- name: CreateOidcCode :one
-INSERT INTO "oidc_codes" (
-    "sub",
-    "code_hash",
-    "scope",
-    "redirect_uri",
-    "client_id",
-    "expires_at",
-    "nonce",
-    "code_challenge"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8
-)
-RETURNING *;
-
-- name: GetOidcCodeUnsafe :one
-SELECT * FROM "oidc_codes"
-WHERE "code_hash" = $1;
-
-- name: GetOidcCode :one
-DELETE FROM "oidc_codes"
-WHERE "code_hash" = $1
-RETURNING *;
-
-- name: GetOidcCodeBySubUnsafe :one
-SELECT * FROM "oidc_codes"
-WHERE "sub" = $1;
-
-- name: GetOidcCodeBySub :one
-DELETE FROM "oidc_codes"
-WHERE "sub" = $1
-RETURNING *;
-
-- name: DeleteOidcCode :exec
-DELETE FROM "oidc_codes"
-WHERE "code_hash" = $1;
-
-- name: DeleteOidcCodeBySub :exec
-DELETE FROM "oidc_codes"
-WHERE "sub" = $1;
-
-- name: CreateOidcToken :one
-INSERT INTO "oidc_tokens" (
-    "sub",
-    "access_token_hash",
-    "refresh_token_hash",
-    "scope",
-    "client_id",
-    "token_expires_at",
-    "refresh_token_expires_at",
-    "code_hash",
-    "nonce"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9
-)
-RETURNING *;
-
-- name: UpdateOidcTokenByRefreshToken :one
-UPDATE "oidc_tokens" SET
-    "access_token_hash"        = $1,
-    "refresh_token_hash"       = $2,
-    "token_expires_at"         = $3,
-    "refresh_token_expires_at" = $4
-WHERE "refresh_token_hash" = $5
-RETURNING *;
-
-- name: GetOidcToken :one
-SELECT * FROM "oidc_tokens"
-WHERE "access_token_hash" = $1;
-
-- name: GetOidcTokenByRefreshToken :one
-SELECT * FROM "oidc_tokens"
-WHERE "refresh_token_hash" = $1;
-
-- name: GetOidcTokenBySub :one
-SELECT * FROM "oidc_tokens"
-WHERE "sub" = $1;
-
-- name: DeleteOidcTokenByCodeHash :exec
-DELETE FROM "oidc_tokens"
-WHERE "code_hash" = $1;
-
-- name: DeleteOidcToken :exec
-DELETE FROM "oidc_tokens"
-WHERE "access_token_hash" = $1;
-
-- name: DeleteOidcTokenBySub :exec
-DELETE FROM "oidc_tokens"
-WHERE "sub" = $1;
-
-- name: CreateOidcUserInfo :one
-INSERT INTO "oidc_userinfo" (
-    "sub",
-    "name",
-    "preferred_username",
-    "email",
-    "groups",
-    "updated_at",
-    "given_name",
-    "family_name",
-    "middle_name",
-    "nickname",
-    "profile",
-    "picture",
-    "website",
-    "gender",
-    "birthdate",
-    "zoneinfo",
-    "locale",
-    "phone_number",
-    "address"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
-)
-RETURNING *;
-
-- name: GetOidcUserInfo :one
-SELECT * FROM "oidc_userinfo"
-WHERE "sub" = $1;
-
-- name: DeleteOidcUserInfo :exec
-DELETE FROM "oidc_userinfo"
-WHERE "sub" = $1;
-
-- name: DeleteExpiredOidcCodes :many
-DELETE FROM "oidc_codes"
-WHERE "expires_at" < $1
-RETURNING *;
-
-- name: DeleteExpiredOidcTokens :many
-DELETE FROM "oidc_tokens"
-WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
-RETURNING *;
@@ -1,44 +0,0 @@
-CREATE TABLE IF NOT EXISTS "oidc_codes" (
-    "sub"            TEXT   NOT NULL UNIQUE,
-    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
-    "scope"          TEXT   NOT NULL,
-    "redirect_uri"   TEXT   NOT NULL,
-    "client_id"      TEXT   NOT NULL,
-    "expires_at"     BIGINT NOT NULL,
-    "nonce"          TEXT   NOT NULL DEFAULT '',
-    "code_challenge" TEXT   NOT NULL DEFAULT ''
-);
-
-CREATE TABLE IF NOT EXISTS "oidc_tokens" (
-    "sub"                      TEXT   NOT NULL UNIQUE,
-    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
-    "refresh_token_hash"       TEXT   NOT NULL,
-    "code_hash"                TEXT   NOT NULL,
-    "scope"                    TEXT   NOT NULL,
-    "client_id"                TEXT   NOT NULL,
-    "token_expires_at"         BIGINT NOT NULL,
-    "refresh_token_expires_at" BIGINT NOT NULL,
-    "nonce"                    TEXT   NOT NULL DEFAULT ''
-);
-
-CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
-    "sub"                TEXT   NOT NULL PRIMARY KEY,
-    "name"               TEXT   NOT NULL,
-    "preferred_username" TEXT   NOT NULL,
-    "email"              TEXT   NOT NULL,
-    "groups"             TEXT   NOT NULL,
-    "updated_at"         BIGINT NOT NULL,
-    "given_name"         TEXT   NOT NULL,
-    "family_name"        TEXT   NOT NULL,
-    "middle_name"        TEXT   NOT NULL,
-    "nickname"           TEXT   NOT NULL,
-    "profile"            TEXT   NOT NULL,
-    "picture"            TEXT   NOT NULL,
-    "website"            TEXT   NOT NULL,
-    "gender"             TEXT   NOT NULL,
-    "birthdate"          TEXT   NOT NULL,
-    "zoneinfo"           TEXT   NOT NULL,
-    "locale"             TEXT   NOT NULL,
-    "phone_number"       TEXT   NOT NULL,
-    "address"            TEXT   NOT NULL
-);
@@ -1,43 +0,0 @@
-- name: CreateSession :one
-INSERT INTO "sessions" (
-    "uuid",
-    "username",
-    "email",
-    "name",
-    "provider",
-    "totp_pending",
-    "oauth_groups",
-    "expiry",
-    "created_at",
-    "oauth_name",
-    "oauth_sub"
-) VALUES (
-    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
-)
-RETURNING *;
-
-- name: GetSession :one
-SELECT * FROM "sessions"
-WHERE "uuid" = $1;
-
-- name: DeleteSession :exec
-DELETE FROM "sessions"
-WHERE "uuid" = $1;
-
-- name: UpdateSession :one
-UPDATE "sessions" SET
-    "username"     = $1,
-    "email"        = $2,
-    "name"         = $3,
-    "provider"     = $4,
-    "totp_pending" = $5,
-    "oauth_groups" = $6,
-    "expiry"       = $7,
-    "oauth_name"   = $8,
-    "oauth_sub"    = $9
-WHERE "uuid" = $10
-RETURNING *;
-
-- name: DeleteExpiredSessions :exec
-DELETE FROM "sessions"
-WHERE "expiry" < $1;
@@ -1,13 +0,0 @@
-CREATE TABLE IF NOT EXISTS "sessions" (
-    "uuid"         TEXT    NOT NULL PRIMARY KEY,
-    "username"     TEXT    NOT NULL,
-    "email"        TEXT    NOT NULL,
-    "name"         TEXT    NOT NULL,
-    "provider"     TEXT    NOT NULL,
-    "totp_pending" BOOLEAN NOT NULL,
-    "oauth_groups" TEXT    NOT NULL DEFAULT '',
-    "expiry"       BIGINT  NOT NULL,
-    "created_at"   BIGINT  NOT NULL,
-    "oauth_name"   TEXT    NOT NULL DEFAULT '',
-    "oauth_sub"    TEXT    NOT NULL DEFAULT ''
-);
@@ -28,16 +28,3 @@ sql:
            go_type: "string"
          - column: "oidc_codes.code_challenge"
            go_type: "string"
-  - engine: "postgresql"
-    queries: "sql/postgres/*_queries.sql"
-    schema: "sql/postgres/*_schemas.sql"
-    gen:
-      go:
-        package: "postgres"
-        out: "internal/repository/postgres"
-        rename:
-          uuid: "UUID"
-          oauth_groups: "OAuthGroups"
-          oauth_name: "OAuthName"
-          oauth_sub: "OAuthSub"
-          redirect_uri: "RedirectURI"