fix: fix conflicts

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help improve Tinyauth
+title: "[BUG]"
+labels: bug
+assignees:
+  - steveiliop56
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Please include the Tinyauth logs below, make sure to not include sensitive info.
+
+**Device (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Tinyauth [e.g. v2.1.1]
+ - Docker [e.g. 27.3.1]
+
+**
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,89 +0,0 @@
-name: Bug Report
-description: Create a report to help us improve this project
-title: "[BUG]"
-labels: bug
-assignees:
-  - steveiliop56
-
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for reporting a bug! Please provide detailed information below.
-
-  - type: textarea
-    id: description
-    attributes:
-      label: Describe the Bug
-      description: "A clear and concise description of what the bug is."
-    validations:
-      required: true
-
-  - type: textarea
-    id: reproduce
-    attributes:
-      label: How to Reproduce
-      description: Steps to reproduce the behavior.
-      value: |
-        1. Go to '...'
-        2. Click on '....'
-        3. Scroll down to '....'
-        4. See error
-    validations:
-      required: false
-
-  - type: textarea
-    id: expected
-    attributes:
-      label: Expected Behavior
-      description: "A clear and concise description of what you expected to happen."
-    validations:
-      required: true
-
-  - type: textarea
-    id: context
-    attributes:
-      label: "Additional Context"
-      description: "If applicable add screenshots to help explain your problem."
-    validations:
-      required: false
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: "Logs"
-      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
-    validations:
-      required: false
-
-  - type: input
-    id: os
-    attributes:
-      label: Operating System
-      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
-
-  - type: input
-    id: browser
-    attributes:
-      label: Browser
-      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
-
-  - type: input
-    id: tinyauth
-    attributes:
-      label: Tinyauth Version
-      placeholder: "e.g. v5.0.0"
-
-  - type: input
-    id: docker
-    attributes:
-      label: Docker Version (if applicable)
-      placeholder: "e.g. 27.3.1"
-
-  - type: checkboxes
-    id: not-llm
-    attributes:
-      label: Human Written Confirmation
-      options:
-        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
-          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Tinyauth Community Support on Discord
-    url: https://discord.gg/eHzVaCzRRd
-    about: Please ask and answer questions here.
-  - name: Tinyauth Documentation
-    url: https://tinyauth.app/docs/getting-started/
-    about: Please check the documentation here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,21 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees:
+  - steveiliop56
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,52 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-  - steveiliop56
-
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for suggesting a feature! Please provide detailed information below.
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Is your feature request related to a problem? Please describe.
-      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
-    validations:
-      required: false
-
-  - type: textarea
-    id: solution
-    attributes:
-      label: Describe the solution you'd like.
-      description: "A clear and concise description of what you want to happen."
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Describe alternatives you've considered.
-      description: "A clear and concise description of any alternative solutions or features you've considered."
-    validations:
-      required: false
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional context
-      description: "Add any other context or screenshots about the feature request here."
-    validations:
-      required: false
-
-  - type: checkboxes
-    id: not-llm
-    attributes:
-      label: Human Written Confirmation
-      options:
-        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
-          required: true

.github/dependabot.yml

@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "bun"
     directory: "/frontend"
     groups:
       minor-patch:

.github/workflows/ci.yml

@@ -15,10 +15,8 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Setup bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 
       - name: Setup go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -28,35 +26,28 @@ jobs:
       - name: Go dependencies
         run: go mod download
 
-      - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v4
-        with:
-          sqlc-version: "1.31.1"
-
-      - name: Check codegen is up to date
-        run: |
-          sqlc generate
-          go generate ./internal/repository/...
-          git diff --exit-code -- internal/repository/
-          git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
-
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
 
       - name: Set version
-        run: echo testing > internal/assets/version
+        run: |
+          echo testing > internal/assets/version
 
       - name: Lint frontend
-        working-directory: ./frontend
-        run: pnpm run lint
+        run: |
+          cd frontend
+          bun run lint
 
       - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build
 
       - name: Copy frontend
-        run: cp -r frontend/dist internal/assets/dist
+        run: |
+          cp -r frontend/dist internal/assets/dist
 
       - name: Run tests
         run: go test -coverprofile=coverage.txt -v ./...

.github/workflows/nightly.yml

@@ -59,10 +59,8 @@ jobs:
         with:
           ref: nightly
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -70,15 +68,18 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
 
       - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download
 
       - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build
 
       - name: Build
         run: |
@@ -104,10 +105,8 @@ jobs:
         with:
           ref: nightly
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -115,15 +114,18 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
 
       - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download
 
       - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build
 
       - name: Build
         run: |

.github/workflows/release.yml

@@ -35,10 +35,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -46,15 +44,18 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
 
       - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download
 
       - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build
 
       - name: Build
         run: |
@@ -77,10 +78,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
 
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -88,15 +87,18 @@ jobs:
           go-version: "^1.26.0"
 
       - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
 
       - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download
 
       - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build
 
       - name: Build
         run: |

.github/workflows/scorecard.yml

@@ -38,6 +38,6 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
         with:
           sarif_file: results.sarif

.github/workflows/stale.yml

@@ -0,0 +1,24 @@
+name: Close stale issues and PRs
+on:
+  schedule:
+    - cron: 0 10 * * *
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+        with:
+          days-before-stale: 30
+          stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.
+          stale-issue-message: This issue has been inactive for 30 days and will be marked as stale.
+          close-issue-message: Closed for inactivity.
+          close-pr-message: Closed for inactivity.
+          stale-issue-label: stale
+          stale-pr-label: stale
+          exempt-issue-labels: pinned
+          exempt-pr-labels: pinned

.gitignore

@@ -48,6 +48,3 @@ __debug_*
 
 # testing config
 config.certify.yml
-
-# deepsec
-/.deepsec

CONTRIBUTING.md

@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 
 ## Requirements
 
-- pnpm
+- Bun
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 
 ```sh
 cd frontend/
-pnpm ci
+bun install
 ```
 
 ## Create the `.env` file

Dockerfile

@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.13-alpine AS frontend-builder
 
 WORKDIR /frontend
 
-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./
 
-RUN pnpm ci
+RUN bun install --frozen-lockfile
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,7 +17,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN pnpm run build
+RUN bun run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder

Dockerfile.dev

@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
 
 COPY ./cmd ./cmd
 COPY ./internal ./internal

Dockerfile.distroless

@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.1-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.13-alpine AS frontend-builder
 
 WORKDIR /frontend
 
-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./
 
-RUN pnpm ci
+RUN bun install --frozen-lockfile
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,7 +17,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 
-RUN pnpm run build
+RUN bun run build
 
 # Builder
 FROM golang:1.26-alpine3.23 AS builder

LICENSE

@@ -1,5 +1,5 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
 
  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
@@ -7,15 +7,17 @@
 
                             Preamble
 
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
 
   The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
+the GNU General Public License is intended to guarantee your freedom to
 share and change all versions of a program--to make sure it remains free
-software for all its users.
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
 
   When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@@ -24,34 +26,44 @@ them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
 
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
 
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
 
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
 
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
@@ -60,7 +72,7 @@ modification follow.
 
   0. Definitions.
 
-  "This License" refers to version 3 of the GNU Affero General Public License.
+  "This License" refers to version 3 of the GNU General Public License.
 
   "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
@@ -537,45 +549,35 @@ to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
 
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
+  13. Use with the GNU Affero General Public License.
 
   Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
+under version 3 of the GNU Affero General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
 
   14. Revised Versions of this License.
 
   The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 
   Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
+Program specifies that a certain numbered version of the GNU General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
+GNU General Public License, you may choose any version ever published
 by the Free Software Foundation.
 
   If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
+versions of the GNU General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
 
@@ -633,29 +635,40 @@ the "copyright" line and a pointer to where the full notice is found.
     Copyright (C) <year>  <name of author>
 
     This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
+    it under the terms of the GNU General Public License as published by
     the Free Software Foundation, either version 3 of the License, or
     (at your option) any later version.
 
     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
+    GNU General Public License for more details.
 
-    You should have received a copy of the GNU Affero General Public License
+    You should have received a copy of the GNU General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
 
   You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
+For more information on this, and how to apply and follow the GNU GPL, see
 <https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

Makefile

@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 
 # Deps
 deps:
-	cd frontend && pnpm ci
+	bun install --frozen-lockfile --cwd frontend
 	go mod download
 
 # Clean data
@@ -31,7 +31,7 @@ clean-webui:
 
 # Build the web UI
 webui: clean-webui
-	cd frontend && pnpm run build
+	bun run --cwd frontend build
 	cp -r frontend/dist internal/assets
 
 # Build the binary
@@ -85,4 +85,3 @@ sql:
 # Go gen
 generate:
 	go run ./gen
-	go generate ./internal/repository/...

README.md

@@ -28,6 +28,9 @@ Tinyauth is the simplest and tiniest authentication and authorization server you
 > [!NOTE]
 > This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
 
+> [!NOTE]
+> Tinyauth is in the process of migrating to the new [tinyauthapp](https://github.com/tinyauthapp) organization. The organization **is official** and it will host all of the Tinyauth related repositories in the future.
+
 ## Getting Started
 
 You can get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker-compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities (keep in mind that this file lives in the development branch so it may have updates that are not yet released).
@@ -56,13 +59,13 @@ If you like, you can help translate Tinyauth into more languages by visiting the
 
 ## License
 
-Tinyauth is licensed under the GNU Affero General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) AGPL-licensed code must also be made available under the AGPL along with build & install instructions. If you run a modified version over a network, you must also make the source available to the users of that service. For more information about the license check the [license](LICENSE) file.
+Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.
 
 ## Sponsors
 
 A big thank you to the following people for providing me with more coffee:
 
-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<a href="https://github.com/apearson"><img src="https:&#x2F;&#x2F;github.com&#x2F;apearson.png" width="64px" alt="User avatar: apearson" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<!-- sponsors -->
 
 ## Acknowledgements
 

SECURITY.md

@@ -2,56 +2,8 @@
 
 ## Supported Versions
 
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 
 ## Reporting a Vulnerability
 
-Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
-
-Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
-
-Or send us an email at <security@tinyauth.app>.
-
-### A note on AI-assisted reports
-
-If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
-
-When submitting a report, please use the structure below so it can be triaged quickly.
-
----
-
-### 1. Summary
-
-A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
-
-### 2. Steps to Reproduce / Proof of Concept
-
-Provide a minimal, reliable reproduction:
-
-1. Step one
-2. Step two
-3. Step three
-
-Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
-
-### 3. Expected vs. Actual Behaviour
-
-- **Expected:** what *should* happen
-- **Actual:** what *does* happen, and why it's a security issue
-
-### 4. Suggested Fix or Mitigation *(optional)*
-
-If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
-
-- **Have you tested this fix?** Yes / No
-- **If yes,** briefly describe how it was tested and what was verified.
-
----
-
-## What to Expect
-
-- **Acknowledgement** within a reasonable timeframe after receiving your report
-- **Updates** as the issue is investigated and addressed
-- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
-
-We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.

cmd/tinyauth/create_user.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 
 	"charm.land/huh/v2"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -40,8 +40,7 @@ func createUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -74,7 +73,7 @@ func createUserCmd() *cli.Command {
 				return errors.New("username and password cannot be empty")
 			}
 
-			log.App.Info().Str("username", tCfg.Username).Msg("Creating user")
+			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")
 
 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
@@ -87,7 +86,7 @@ func createUserCmd() *cli.Command {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}
 
-			log.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
 
 			return nil
 		},

cmd/tinyauth/generate_totp.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"charm.land/huh/v2"
 	"github.com/mdp/qrterminal/v3"
@@ -40,8 +40,7 @@ func generateTotpCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -89,9 +88,9 @@ func generateTotpCmd() *cli.Command {
 
 			secret := key.Secret()
 
-			log.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
+			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
 
-			log.App.Info().Msg("Generated QR code")
+			tlog.App.Info().Msg("Generated QR code")
 
 			config := qrterminal.Config{
 				Level:     qrterminal.L,
@@ -110,7 +109,7 @@ func generateTotpCmd() *cli.Command {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
 
-			log.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 
 			return nil
 		},

cmd/tinyauth/healthcheck.go

@@ -9,8 +9,8 @@ import (
 	"os"
 	"time"
 
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
 type healthzResponse struct {
@@ -26,8 +26,7 @@ func healthcheckCmd() *cli.Command {
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()
 
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			if srvAddr == "" {
@@ -49,7 +48,7 @@ func healthcheckCmd() *cli.Command {
 				return errors.New("Could not determine app URL")
 			}
 
-			log.App.Info().Str("app_url", appUrl).Msg("Performing health check")
+			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")
 
 			client := http.Client{
 				Timeout: 30 * time.Second,
@@ -87,7 +86,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}
 
-			log.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 
 			return nil
 		},

cmd/tinyauth/tinyauth.go

@@ -7,6 +7,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
@@ -108,6 +109,11 @@ func main() {
 }
 
 func runCmd(cfg model.Config) error {
+	logger := tlog.NewLogger(cfg.Log)
+	logger.Init()
+
+	tlog.App.Info().Str("version", model.Version).Msg("Starting tinyauth")
+
 	app := bootstrap.NewBootstrapApp(cfg)
 
 	err := app.Setup()

cmd/tinyauth/verify_user.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"charm.land/huh/v2"
 	"github.com/pquerna/otp/totp"
@@ -44,8 +44,7 @@ func verifyUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()
 
 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -98,9 +97,9 @@ func verifyUserCmd() *cli.Command {
 
 			if user.TOTPSecret == "" {
 				if tCfg.Totp != "" {
-					log.App.Warn().Msg("User does not have TOTP secret")
+					tlog.App.Warn().Msg("User does not have TOTP secret")
 				}
-				log.App.Info().Msg("User verified")
+				tlog.App.Info().Msg("User verified")
 				return nil
 			}
 
@@ -110,7 +109,7 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("TOTP code incorrect")
 			}
 
-			log.App.Info().Msg("User verified")
+			tlog.App.Info().Msg("User verified")
 
 			return nil
 		},

docker-compose.dev.yml

@@ -1,10 +1,9 @@
 services:
   traefik:
     image: traefik:v3.6
-    command: --api.insecure=true --providers.docker --entrypoints.web.address=:80 --entrypoints.websecure.address=:443
+    command: --api.insecure=true --providers.docker
     ports:
       - 80:80
-      - 443:443
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 
@@ -26,8 +25,6 @@ services:
     labels:
       traefik.enable: true
       traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
-      traefik.http.routers.tinyauth.entrypoints: websecure
-      traefik.http.routers.tinyauth.tls: true
 
   tinyauth-backend:
     build:

frontend/.prettierignore

@@ -0,0 +1,6 @@
+# Ignore artifacts:
+dist
+node_modules
+bun.lock
+package.json
+src/lib/i18n/locales

frontend/.prettierrc

@@ -0,0 +1 @@
+{}

frontend/Dockerfile.dev

@@ -1,13 +1,11 @@
-FROM node:26.1-alpine3.23
-
-RUN npm install -g pnpm@11.1.2
+FROM oven/bun:1.2.16-alpine
 
 WORKDIR /frontend
 
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./
 
-RUN pnpm ci
+RUN bun install --frozen-lockfile
 
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -21,4 +19,4 @@ COPY ./frontend/vite.config.ts ./
 
 EXPOSE 5173
 
-ENTRYPOINT ["pnpm", "run", "dev"]
+ENTRYPOINT ["bun", "run", "dev"]

frontend/package.json

@@ -10,7 +10,6 @@
     "preview": "vite preview",
     "tsc": "tsc -b"
   },
-  "packageManager": "pnpm@11.1.2",
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
     "@radix-ui/react-dropdown-menu": "^2.1.16",

frontend/pnpm-workspace.yaml

@@ -1,4 +0,0 @@
-dangerouslyAllowAllBuilds: false
-blockExoticSubdeps: true
-minimumReleaseAge: 1440 # 1 day
-trustPolicy: no-downgrade

frontend/src/App.tsx

@@ -2,9 +2,9 @@ import { Navigate } from "react-router";
 import { useUserContext } from "./context/user-context";
 
 export const App = () => {
-  const { auth } = useUserContext();
+  const { isLoggedIn } = useUserContext();
 
-  if (auth.authenticated) {
+  if (isLoggedIn) {
     return <Navigate to="/logout" replace />;
   }
 

frontend/src/components/layout/layout.tsx

@@ -6,17 +6,17 @@ import { DomainWarning } from "../domain-warning/domain-warning";
 import { ThemeToggle } from "../theme-toggle/theme-toggle";
 
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
-  const { ui } = useAppContext();
+  const { backgroundImage, title } = useAppContext();
 
   useEffect(() => {
-    document.title = ui.title;
-  }, [ui.title]);
+    document.title = title;
+  }, [title]);
 
   return (
     <div
       className="flex flex-col justify-center items-center min-h-svh px-4"
       style={{
-        backgroundImage: `url(${ui.backgroundImage})`,
+        backgroundImage: `url(${backgroundImage})`,
         backgroundSize: "cover",
         backgroundPosition: "center",
       }}
@@ -31,7 +31,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 };
 
 export const Layout = () => {
-  const { app, ui } = useAppContext();
+  const { appUrl, warningsEnabled } = useAppContext();
   const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
     return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
   });
@@ -42,15 +42,11 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (
-    !ignoreDomainWarning &&
-    ui.warningsEnabled &&
-    !app.trustedDomains.includes(currentUrl)
-  ) {
+  if (!ignoreDomainWarning && warningsEnabled && appUrl !== currentUrl) {
     return (
       <BaseLayout>
         <DomainWarning
-          appUrl={app.appUrl}
+          appUrl={appUrl}
           currentUrl={currentUrl}
           onClick={() => handleIgnore()}
         />

frontend/src/lib/i18n/locales/en-US.json

@@ -80,17 +80,5 @@
     "profileScopeDescription": "Allows the app to access your profile information.",
     "groupsScopeName": "Groups",
     "groupsScopeDescription": "Allows the app to access your group information.",
-    "backToLoginButton": "Back to login",
-    "phoneScopeName": "Phone",
-    "phoneScopeDescription": "Allows the app to access your phone number.",
-    "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address.",
-    "loginTailscaleTitle": "Continue with Tailscale",
-    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-    "loginTailscaleDeviceName": "Device name:",
-    "loginTailscaleSubmit": "Continue with Tailscale",
-    "loginTailscaleOtherMethod": "Login with another method",
-    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+    "backToLoginButton": "Back to login"
 }

frontend/src/lib/i18n/locales/en.json

@@ -84,13 +84,5 @@
     "phoneScopeName": "Phone",
     "phoneScopeDescription": "Allows the app to access your phone number.",
     "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address.",
-    "loginTailscaleTitle": "Continue with Tailscale",
-    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-    "loginTailscaleDeviceName": "Device name:",
-    "loginTailscaleSubmit": "Continue with Tailscale",
-    "loginTailscaleOtherMethod": "Login with another method",
-    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
+    "addressScopeDescription": "Allows the app to access your address."
 }

frontend/src/pages/authorize-page.tsx

@@ -77,7 +77,7 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
 };
 
 export const AuthorizePage = () => {
-  const { auth } = useUserContext();
+  const { isLoggedIn } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const navigate = useNavigate();
@@ -127,7 +127,7 @@ export const AuthorizePage = () => {
     );
   }
 
-  if (!auth.authenticated) {
+  if (!isLoggedIn) {
     return <Navigate to={`/login?${oidcParams.compiled}`} replace />;
   }
 

frontend/src/pages/continue-page.tsx

@@ -14,8 +14,8 @@ import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 
 export const ContinuePage = () => {
-  const { app, ui } = useAppContext();
-  const { auth } = useUserContext();
+  const { cookieDomain, warningsEnabled } = useAppContext();
+  const { isLoggedIn } = useUserContext();
   const { search } = useLocation();
   const { t } = useTranslation();
   const navigate = useNavigate();
@@ -29,18 +29,17 @@ export const ContinuePage = () => {
 
   const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
     redirectUri,
-    app.cookieDomain,
+    cookieDomain,
   );
 
   const urlHref = url?.href;
 
   const hasValidRedirect = valid && allowedProto;
-  const showUntrustedWarning =
-    hasValidRedirect && !trusted && ui.warningsEnabled;
+  const showUntrustedWarning = hasValidRedirect && !trusted && warningsEnabled;
   const showInsecureWarning =
-    hasValidRedirect && httpsDowngrade && ui.warningsEnabled;
+    hasValidRedirect && httpsDowngrade && warningsEnabled;
   const shouldAutoRedirect =
-    auth.authenticated &&
+    isLoggedIn &&
     hasValidRedirect &&
     !showUntrustedWarning &&
     !showInsecureWarning;
@@ -78,7 +77,7 @@ export const ContinuePage = () => {
     };
   }, [shouldAutoRedirect, redirectToTarget]);
 
-  if (!auth.authenticated) {
+  if (!isLoggedIn) {
     return (
       <Navigate
         to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
@@ -105,7 +104,7 @@ export const ContinuePage = () => {
               components={{
                 code: <code />,
               }}
-              values={{ cookieDomain: app.cookieDomain }}
+              values={{ cookieDomain }}
               shouldUnescape={true}
             />
           </CardDescription>

frontend/src/pages/forgot-password-page.tsx

@@ -13,7 +13,7 @@ import Markdown from "react-markdown";
 import { useLocation } from "react-router";
 
 export const ForgotPasswordPage = () => {
-  const { ui } = useAppContext();
+  const { forgotPasswordMessage } = useAppContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
@@ -26,8 +26,8 @@ export const ForgotPasswordPage = () => {
       <CardContent>
         <CardDescription>
           <Markdown>
-            {ui.forgotPasswordMessage !== ""
-              ? ui.forgotPasswordMessage
+            {forgotPasswordMessage !== ""
+              ? forgotPasswordMessage
               : t("forgotPasswordMessage")}
           </Markdown>
         </CardDescription>

frontend/src/pages/login-page.tsx

@@ -36,17 +36,12 @@ const iconMap: Record<string, React.ReactNode> = {
 };
 
 export const LoginPage = () => {
-  const { auth, tailscale } = useUserContext();
-  const {
-    ui,
-    oauth,
-    auth: { providers },
-  } = useAppContext();
+  const { isLoggedIn } = useUserContext();
+  const { providers, title, oauthAutoRedirect } = useAppContext();
   const { search } = useLocation();
   const { t } = useTranslation();
 
   const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
 
   const hasAutoRedirectedRef = useRef(false);
 
@@ -60,7 +55,7 @@ export const LoginPage = () => {
   const oidcParams = useOIDCParams(searchParams);
 
   const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
-    providers.find((provider) => provider.id === oauth.autoRedirect) !==
+    providers.find((provider) => provider.id === oauthAutoRedirect) !==
       undefined && redirectUri !== undefined,
   );
 
@@ -153,47 +148,21 @@ export const LoginPage = () => {
     },
   });
 
-  const { mutate: tailscaleMutate, isPending: tailscaleIsPending } =
-    useMutation({
-      mutationFn: () => axios.post("/api/user/tailscale"),
-      mutationKey: ["tailscale"],
-      onSuccess: () => {
-        toast.success(t("loginSuccessTitle"), {
-          description: t("loginTailscaleSuccess"),
-        });
-
-        redirectTimer.current = window.setTimeout(() => {
-          if (oidcParams.isOidc) {
-            window.location.replace(`/authorize?${oidcParams.compiled}`);
-            return;
-          }
-          window.location.replace(
-            `/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`,
-          );
-        }, 500);
-      },
-      onError: () => {
-        toast.error(t("loginFailTitle"), {
-          description: t("loginTailscaleFail"),
-        });
-      },
-    });
-
   useEffect(() => {
     if (
-      !auth.authenticated &&
+      !isLoggedIn &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
       redirectUri !== undefined
     ) {
       hasAutoRedirectedRef.current = true;
-      oauthMutate(oauth.autoRedirect);
+      oauthMutate(oauthAutoRedirect);
     }
   }, [
-    auth.authenticated,
+    isLoggedIn,
     oauthMutate,
     hasAutoRedirectedRef,
-    oauth.autoRedirect,
+    oauthAutoRedirect,
     isOauthAutoRedirect,
     redirectUri,
   ]);
@@ -210,11 +179,11 @@ export const LoginPage = () => {
     };
   }, [redirectTimer, redirectButtonTimer]);
 
-  if (auth.authenticated && oidcParams.isOidc) {
+  if (isLoggedIn && oidcParams.isOidc) {
     return <Navigate to={`/authorize?${oidcParams.compiled}`} replace />;
   }
 
-  if (auth.authenticated && redirectUri !== undefined) {
+  if (isLoggedIn && redirectUri !== undefined) {
     return (
       <Navigate
         to={`/continue${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
@@ -223,7 +192,7 @@ export const LoginPage = () => {
     );
   }
 
-  if (auth.authenticated) {
+  if (isLoggedIn) {
     return <Navigate to="/logout" replace />;
   }
 
@@ -259,49 +228,10 @@ export const LoginPage = () => {
       </Card>
     );
   }
-
-  if (useTailscale) {
-    return (
-      <Card>
-        <CardHeader className="gap-3">
-          <TailscaleIcon className="mx-auto h-8 w-8" />
-          <CardTitle className="text-center text-xl">
-            {t("loginTailscaleTitle")}
-          </CardTitle>
-        </CardHeader>
-        <CardContent className="flex flex-col gap-4">
-          <div className="text-muted-foreground text-sm">
-            {t("loginTailscaleDescription")}
-          </div>
-          <div className="text-muted-foreground text-sm">
-            {t("loginTailscaleDeviceName")} <code>{tailscale.nodeName}</code>
-          </div>
-        </CardContent>
-        <CardFooter className="flex flex-col items-stretch gap-3">
-          <Button
-            className="w-full"
-            onClick={() => tailscaleMutate()}
-            loading={tailscaleIsPending}
-          >
-            {t("loginTailscaleSubmit")}
-          </Button>
-          <Button
-            className="w-full"
-            variant="outline"
-            onClick={() => setUseTailscale(false)}
-            disabled={tailscaleIsPending}
-          >
-            {t("loginTailscaleOtherMethod")}
-          </Button>
-        </CardFooter>
-      </Card>
-    );
-  }
-
   return (
     <Card>
       <CardHeader className="gap-1.5">
-        <CardTitle className="text-center text-xl">{ui.title}</CardTitle>
+        <CardTitle className="text-center text-xl">{title}</CardTitle>
         {providers.length > 0 && (
           <CardDescription className="text-center">
             {oauthProviders.length !== 0

frontend/src/pages/logout-page.tsx

@@ -13,11 +13,9 @@ import { useEffect, useRef } from "react";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate } from "react-router";
 import { toast } from "sonner";
-import { type UseMutationResult } from "@tanstack/react-query";
-import { type AxiosResponse } from "axios";
 
 export const LogoutPage = () => {
-  const { auth, oauth, tailscale } = useUserContext();
+  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
   const { t } = useTranslation();
 
   const redirectTimer = useRef<number | null>(null);
@@ -49,82 +47,42 @@ export const LogoutPage = () => {
     };
   }, [redirectTimer]);
 
-  if (!auth.authenticated) {
+  if (!isLoggedIn) {
     return <Navigate to="/login" replace />;
   }
 
-  if (oauth.active) {
-    return (
-      <LogoutLayout logoutMutation={logoutMutation}>
-        <Trans
-          i18nKey="logoutOauthSubtitle"
-          t={t}
-          components={{
-            code: <code />,
-          }}
-          values={{
-            username: auth.email,
-            provider: oauth.displayName,
-          }}
-          shouldUnescape={true}
-        />
-      </LogoutLayout>
-    );
-  }
-
-  if (auth.providerId === "tailscale") {
-    return (
-      <LogoutLayout logoutMutation={logoutMutation}>
-        <Trans
-          i18nKey="logoutTailscaleSubtitle"
-          t={t}
-          components={{
-            code: <code />,
-          }}
-          values={{
-            deviceName: tailscale.nodeName,
-          }}
-          shouldUnescape={true}
-        />
-      </LogoutLayout>
-    );
-  }
-
-  return (
-    <LogoutLayout logoutMutation={logoutMutation}>
-      <Trans
-        i18nKey="logoutUsernameSubtitle"
-        t={t}
-        components={{
-          code: <code />,
-        }}
-        values={{
-          username: auth.username,
-        }}
-        shouldUnescape={true}
-      />
-    </LogoutLayout>
-  );
-};
-
-interface LogoutLayoutProps {
-  children: React.ReactNode;
-  logoutMutation: UseMutationResult<
-    //eslint-disable-next-line @typescript-eslint/no-explicit-any,@typescript-eslint/no-empty-object-type
-    AxiosResponse<any, any, {}>,
-    Error,
-    void,
-    unknown
-  >;
-}
-
-function LogoutLayout({ children, logoutMutation }: LogoutLayoutProps) {
-  const { t } = useTranslation();
   return (
     <Card>
       <CardHeader className="gap-1.5">
         <CardTitle className="text-xl">{t("logoutTitle")}</CardTitle>
-        <CardDescription>{children}</CardDescription>
+        <CardDescription>
+          {provider !== "local" && provider !== "ldap" ? (
+            <Trans
+              i18nKey="logoutOauthSubtitle"
+              t={t}
+              components={{
+                code: <code />,
+              }}
+              values={{
+                username: email,
+                provider: oauthName,
+              }}
+              shouldUnescape={true}
+            />
+          ) : (
+            <Trans
+              i18nKey="logoutUsernameSubtitle"
+              t={t}
+              components={{
+                code: <code />,
+              }}
+              values={{
+                username,
+              }}
+              shouldUnescape={true}
+            />
+          )}
+        </CardDescription>
       </CardHeader>
       <CardFooter>
         <Button
@@ -138,4 +96,4 @@ function LogoutLayout({ children, logoutMutation }: LogoutLayoutProps) {
       </CardFooter>
     </Card>
   );
-}
+};

frontend/src/pages/totp-page.tsx

@@ -19,7 +19,7 @@ import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 
 export const TotpPage = () => {
-  const { totp } = useUserContext();
+  const { totpPending } = useUserContext();
   const { t } = useTranslation();
   const { search } = useLocation();
   const formId = useId();
@@ -64,7 +64,7 @@ export const TotpPage = () => {
     };
   }, [redirectTimer]);
 
-  if (!totp.pending) {
+  if (!totpPending) {
     return <Navigate to="/" replace />;
   }
 

frontend/src/schemas/app-context-schema.ts

@@ -6,32 +6,15 @@ export const providerSchema = z.object({
   oauth: z.boolean(),
 });
 
-const authSchema = z.object({
+export const appContextSchema = z.object({
   providers: z.array(providerSchema),
-});
-
-const oauthSchema = z.object({
-  autoRedirect: z.string(),
-});
-
-const uiSchema = z.object({
   title: z.string(),
+  appUrl: z.string(),
+  cookieDomain: z.string(),
   forgotPasswordMessage: z.string(),
   backgroundImage: z.string(),
+  oauthAutoRedirect: z.string(),
   warningsEnabled: z.boolean(),
 });
 
-const appSchema = z.object({
-  appUrl: z.string(),
-  cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
-});
-
-export const appContextSchema = z.object({
-  auth: authSchema,
-  oauth: oauthSchema,
-  ui: uiSchema,
-  app: appSchema,
-});
-
 export type AppContextSchema = z.infer<typeof appContextSchema>;

frontend/src/schemas/user-context-schema.ts

@@ -1,31 +1,14 @@
 import { z } from "zod";
 
-const authSchema = z.object({
-  authenticated: z.boolean(),
+export const userContextSchema = z.object({
+  isLoggedIn: z.boolean(),
   username: z.string(),
   name: z.string(),
   email: z.string(),
-  providerId: z.string(),
-});
-
-const oauthSchema = z.object({
-  active: z.boolean(),
-  displayName: z.string(),
-});
-
-const totpSchema = z.object({
-  pending: z.boolean(),
-});
-
-const tailscaleSchema = z.object({
-  nodeName: z.string().optional(),
-});
-
-export const userContextSchema = z.object({
-  auth: authSchema,
-  oauth: oauthSchema,
-  totp: totpSchema,
-  tailscale: tailscaleSchema,
+  provider: z.string(),
+  oauth: z.boolean(),
+  totpPending: z.boolean(),
+  oauthName: z.string(),
 });
 
 export type UserContextSchema = z.infer<typeof userContextSchema>;

gen/sqlc-wrapper/sqlc_wrapper.go

@@ -1,473 +0,0 @@
-// gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
-// internal/repository/<driver>/. Run via:
-//
-//	go generate ./internal/repository/...
-//
-// The generator introspects *Queries methods and the model/params types in the
-// driver package, then emits a store.go that wraps *Queries so it satisfies
-// repository.Store using the canonical shared types in the parent package.
-// This generator is specific to sqlc-generated drivers. Non-sqlc drivers should
-// implement repository.Store directly by hand.
-package main
-
-import (
-	"bytes"
-	_ "embed"
-	"flag"
-	"fmt"
-	"go/format"
-	"go/types"
-	"log"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sort"
-	"strings"
-	"text/template"
-
-	"golang.org/x/tools/go/packages"
-)
-
-//go:embed store.tmpl
-var storeSrc string
-
-func main() {
-	fmt.Println("sqlc-wrapper: generating store.go files for sqlc driver packages...")
-	if err := run(); err != nil {
-		log.Fatal(err)
-	}
-}
-
-func run() error {
-	driverPkg := flag.String("pkg", "", "import path of the driver package")
-	out := flag.String("out", "store.go", "output filename relative to driver package directory")
-	flag.Parse()
-
-	if *driverPkg == "" {
-		return fmt.Errorf("-pkg is required")
-	}
-
-	// Resolve the driver package directory so we can overlay the output file
-	// with a valid stub. This prevents a stale store.go from poisoning the
-	// type-checker and producing cryptic "undefined" errors.
-	driverDir, err := pkgDir(*driverPkg)
-	if err != nil {
-		return fmt.Errorf("resolve driver dir: %w", err)
-	}
-
-	outPath := filepath.Join(driverDir, *out)
-	if filepath.IsAbs(*out) {
-		outPath = *out
-	}
-
-	// Stub replaces the output file during load so stale generated code is ignored.
-	stub := []byte("package " + filepath.Base(driverDir) + "\n")
-	cfg := &packages.Config{
-		Mode:    packages.NeedName | packages.NeedTypes | packages.NeedSyntax | packages.NeedImports,
-		Overlay: map[string][]byte{outPath: stub},
-	}
-
-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
-	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
-	}
-
-	repoPkgPath := parentPkg(*driverPkg)
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
-	if err != nil {
-		return fmt.Errorf("load repo package: %w", err)
-	}
-
-	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
-		return fmt.Errorf("struct shape mismatch: %w", err)
-	}
-	if err := validateStoreCoverage(driverTypePkg, repoTypePkg); err != nil {
-		return err
-	}
-
-	methods, err := collectMethods(driverTypePkg)
-	if err != nil {
-		return err
-	}
-
-	src, err := render(tmplData{
-		PkgName: driverTypePkg.Name(),
-		RepoPkg: repoPkgPath,
-		Methods: renderMethods(methods),
-	})
-	if err != nil {
-		return fmt.Errorf("render: %w", err)
-	}
-
-	if err := os.WriteFile(outPath, src, 0644); err != nil {
-		return fmt.Errorf("write %s: %w", outPath, err)
-	}
-	fmt.Printf("wrote %s\n", outPath)
-	return nil
-}
-
-// loadOnePkg loads a single package via cfg and returns its *types.Package,
-// or an error if the package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
-	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
-	}
-	if len(pkgs) != 1 {
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
-	}
-	pkg := pkgs[0]
-	if len(pkg.Errors) > 0 {
-		msgs := make([]string, len(pkg.Errors))
-		for i, e := range pkg.Errors {
-			msgs[i] = e.Error()
-		}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
-	}
-	return pkg.Types, nil
-}
-
-// parentPkg returns the parent import path (everything before the last /).
-// Panics if imp contains no slash — callers are expected to pass driver sub-packages.
-func parentPkg(imp string) string {
-	i := strings.LastIndex(imp, "/")
-	if i < 0 {
-		panic(fmt.Sprintf("parentPkg: import path %q has no parent", imp))
-	}
-	return imp[:i]
-}
-
-// pkgDir returns the on-disk directory for an import path using `go list`.
-func pkgDir(importPath string) (string, error) {
-	out, err := exec.Command("go", "list", "-f", "{{.Dir}}", importPath).Output()
-	if err != nil {
-		return "", fmt.Errorf("go list %s: %w", importPath, err)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-// scopeStructs returns all named struct types in pkg, excluding the internal
-// sqlc types Queries, DBTX, and Store. Names are returned in sorted order.
-func scopeStructs(pkg *types.Package) (names []string, byName map[string]*types.Struct) {
-	byName = make(map[string]*types.Struct)
-	for _, name := range pkg.Scope().Names() { // Names() is already sorted
-		switch name {
-		case "Queries", "DBTX", "Store":
-			continue
-		}
-		obj, ok := pkg.Scope().Lookup(name).(*types.TypeName)
-		if !ok {
-			continue
-		}
-		named, ok := obj.Type().(*types.Named)
-		if !ok {
-			continue
-		}
-		s, ok := named.Underlying().(*types.Struct)
-		if !ok {
-			continue
-		}
-		names = append(names, name)
-		byName[name] = s
-	}
-	return
-}
-
-// validateStoreCoverage checks that every method declared in repository.Store
-// exists on *Queries in the driver package. Missing methods are reported by
-// name so the developer knows exactly which SQL queries need to be added.
-func validateStoreCoverage(driverPkg, repoPkg *types.Package) error {
-	queriesObj := driverPkg.Scope().Lookup("Queries")
-	if queriesObj == nil {
-		return fmt.Errorf("queries type not found in driver package")
-	}
-	queriesNamed := queriesObj.Type().(*types.Named)
-	queriesMS := types.NewMethodSet(types.NewPointer(queriesNamed))
-	queriesMethods := make(map[string]bool)
-	for m := range queriesMS.Methods() {
-		queriesMethods[m.Obj().Name()] = true
-	}
-
-	storeObj := repoPkg.Scope().Lookup("Store")
-	if storeObj == nil {
-		return fmt.Errorf("store type not found in repository package")
-	}
-	storeIface, ok := storeObj.Type().Underlying().(*types.Interface)
-	if !ok {
-		return fmt.Errorf("repository.Store is not an interface")
-	}
-
-	var missing []string
-	for method := range storeIface.Methods() {
-		if name := method.Name(); !queriesMethods[name] {
-			missing = append(missing, name)
-		}
-	}
-	if len(missing) > 0 {
-		sort.Strings(missing)
-		return fmt.Errorf(
-			"driver *Queries is missing %d method(s) required by repository.Store:\n  - %s\n\nRun sqlc generate to regenerate query methods, or add the missing SQL queries",
-			len(missing), strings.Join(missing, "\n  - "),
-		)
-	}
-	return nil
-}
-
-// validateStructShapes checks that every model/params struct in the driver
-// package has fields that exactly match the corresponding type in the repo
-// (parent) package. This catches drift between sqlc-generated types and the
-// canonical repository types before a broken cast reaches the compiler.
-func validateStructShapes(driverPkg, repoPkg *types.Package) error {
-	_, repoStructs := scopeStructs(repoPkg)
-	driverNames, driverStructs := scopeStructs(driverPkg)
-
-	var errs []string
-	for _, name := range driverNames {
-		repoStruct, ok := repoStructs[name]
-		if !ok {
-			// Driver has a type not in repo — fine (e.g. internal helpers).
-			continue
-		}
-		if err := compareStructs(name, driverStructs[name], repoStruct); err != nil {
-			errs = append(errs, err.Error())
-		}
-	}
-	if len(errs) > 0 {
-		sort.Strings(errs)
-		return fmt.Errorf("%s", strings.Join(errs, "\n  "))
-	}
-	return nil
-}
-
-func compareStructs(name string, driver, repo *types.Struct) error {
-	if driver.NumFields() != repo.NumFields() {
-		return fmt.Errorf("%s: field count mismatch (driver=%d, repo=%d)",
-			name, driver.NumFields(), repo.NumFields())
-	}
-	for i := range driver.NumFields() {
-		df := driver.Field(i)
-		rf := repo.Field(i)
-		if df.Name() != rf.Name() {
-			return fmt.Errorf("%s: field %d name mismatch (driver=%q, repo=%q)",
-				name, i, df.Name(), rf.Name())
-		}
-		if !types.Identical(df.Type(), rf.Type()) {
-			return fmt.Errorf("%s.%s: type mismatch (driver=%s, repo=%s)",
-				name, df.Name(), df.Type(), rf.Type())
-		}
-	}
-	return nil
-}
-
-type methodInfo struct {
-	Name    string
-	Params  []paramInfo
-	Results []resultInfo
-}
-
-type paramInfo struct {
-	Name     string
-	TypeStr  string // local (unqualified) type name
-	RepoType string // "repository.X" if this is a driver model/params type; else ""
-}
-
-type resultInfo struct {
-	TypeStr  string
-	IsSlice  bool
-	RepoType string // "repository.X" if driver type; else ""
-}
-
-func collectMethods(pkg *types.Package) ([]methodInfo, error) {
-	obj := pkg.Scope().Lookup("Queries")
-	if obj == nil {
-		return nil, fmt.Errorf("queries type not found in %s", pkg.Path())
-	}
-	named, ok := obj.Type().(*types.Named)
-	if !ok {
-		return nil, fmt.Errorf("queries is not a named type")
-	}
-	ms := types.NewMethodSet(types.NewPointer(named))
-
-	var out []methodInfo
-	for method := range ms.Methods() {
-		fn, ok := method.Obj().(*types.Func)
-		if !ok || fn.Name() == "WithTx" {
-			continue
-		}
-		sig := fn.Type().(*types.Signature)
-		mi := methodInfo{Name: fn.Name()}
-
-		// params: skip receiver + first (context.Context)
-		for i := 1; i < sig.Params().Len(); i++ {
-			p := sig.Params().At(i)
-			mi.Params = append(mi.Params, makeParam(p.Name(), p.Type(), pkg.Path()))
-		}
-		// results: skip error
-		for r := range sig.Results().Variables() {
-			if r.Type().String() == "error" {
-				continue
-			}
-			mi.Results = append(mi.Results, makeResult(r.Type(), pkg.Path()))
-		}
-		out = append(out, mi)
-	}
-	return out, nil
-}
-
-func makeParam(name string, t types.Type, driverPath string) paramInfo {
-	return paramInfo{
-		Name:     name,
-		TypeStr:  localName(t, driverPath),
-		RepoType: repoName(t, driverPath),
-	}
-}
-
-func makeResult(t types.Type, driverPath string) resultInfo {
-	ri := resultInfo{}
-	if sl, ok := t.(*types.Slice); ok {
-		ri.IsSlice = true
-		t = sl.Elem()
-	}
-	ri.TypeStr = localName(t, driverPath)
-	ri.RepoType = repoName(t, driverPath)
-	return ri
-}
-
-func localName(t types.Type, driverPath string) string {
-	named, ok := t.(*types.Named)
-	if !ok {
-		return types.TypeString(t, nil)
-	}
-	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
-		return named.Obj().Name()
-	}
-	return types.TypeString(t, func(p *types.Package) string { return p.Name() })
-}
-
-func repoName(t types.Type, driverPath string) string {
-	named, ok := t.(*types.Named)
-	if !ok {
-		return ""
-	}
-	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
-		return "repository." + named.Obj().Name()
-	}
-	return ""
-}
-
-// renderedMethod holds pre-built signature and body strings passed to the template.
-type renderedMethod struct {
-	Signature string
-	Body      string
-}
-
-func renderMethods(methods []methodInfo) []renderedMethod {
-	out := make([]renderedMethod, len(methods))
-	for i, m := range methods {
-		out[i] = renderedMethod{
-			Signature: buildSig(m),
-			Body:      buildBody(m),
-		}
-	}
-	return out
-}
-
-func buildSig(m methodInfo) string {
-	var sb strings.Builder
-	sb.WriteString("func (s *Store) ")
-	sb.WriteString(m.Name)
-	sb.WriteString("(ctx context.Context")
-	for _, p := range m.Params {
-		sb.WriteString(", ")
-		sb.WriteString(p.Name)
-		sb.WriteString(" ")
-		if p.RepoType != "" {
-			sb.WriteString(p.RepoType)
-		} else {
-			sb.WriteString(p.TypeStr)
-		}
-	}
-	sb.WriteString(") (")
-	for _, r := range m.Results {
-		if r.IsSlice {
-			sb.WriteString("[]")
-		}
-		if r.RepoType != "" {
-			sb.WriteString(r.RepoType)
-		} else {
-			sb.WriteString(r.TypeStr)
-		}
-		sb.WriteString(", ")
-	}
-	sb.WriteString("error)")
-	return sb.String()
-}
-
-func callArgs(m methodInfo) string {
-	args := make([]string, 0, len(m.Params))
-	for _, p := range m.Params {
-		if p.RepoType != "" {
-			// convert repo type → driver type: DriverType(arg)
-			args = append(args, p.TypeStr+"("+p.Name+")")
-		} else {
-			args = append(args, p.Name)
-		}
-	}
-	if len(args) == 0 {
-		return "ctx"
-	}
-	return "ctx, " + strings.Join(args, ", ")
-}
-
-var bodyTmpl = template.Must(template.New("store").Parse(storeSrc))
-
-type bodyData struct {
-	Call     string
-	RepoType string
-}
-
-func buildBody(m methodInfo) string {
-	call := "s.q." + m.Name + "(" + callArgs(m) + ")"
-
-	var (
-		name string
-		data bodyData
-	)
-
-	switch {
-	case len(m.Results) == 0 || m.Results[0].RepoType == "":
-		name = "void"
-		data = bodyData{Call: call}
-	case m.Results[0].IsSlice:
-		name = "slice"
-		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
-	default:
-		name = "scalar"
-		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
-	}
-
-	var buf bytes.Buffer
-	if err := bodyTmpl.ExecuteTemplate(&buf, name, data); err != nil {
-		panic(fmt.Sprintf("buildBody %s: %v", name, err))
-	}
-	return buf.String()
-}
-
-type tmplData struct {
-	PkgName string
-	RepoPkg string
-	Methods []renderedMethod
-}
-
-func render(data tmplData) ([]byte, error) {
-	var buf bytes.Buffer
-	if err := bodyTmpl.Execute(&buf, data); err != nil {
-		return nil, fmt.Errorf("execute template: %w", err)
-	}
-
-	formatted, err := format.Source(buf.Bytes())
-	if err != nil {
-		return buf.Bytes(), fmt.Errorf("format source: %w\nraw:\n%s", err, buf.String())
-	}
-	return formatted, nil
-}

gen/sqlc-wrapper/store.tmpl

@@ -1,59 +0,0 @@
-// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
-package {{.PkgName}}
-
-import (
-	"context"
-	"database/sql"
-	"errors"
-
-	"{{.RepoPkg}}"
-)
-
-// Store wraps *Queries and implements repository.Store.
-type Store struct {
-	q *Queries
-}
-
-// NewStore wraps a *Queries to satisfy repository.Store.
-func NewStore(q *Queries) repository.Store {
-	return &Store{q: q}
-}
-
-var errorMap = map[error]error{
-	sql.ErrNoRows: repository.ErrNotFound,
-}
-
-func mapErr(err error) error {
-	for from, to := range errorMap {
-		if errors.Is(err, from) {
-			return to
-		}
-	}
-	return err
-}
-
-{{range .Methods}}{{.Signature}} {
-{{.Body}}}
-
-{{end}}
-
-{{- define "void"}}	return mapErr({{.Call}})
-{{end}}
-
-{{- define "scalar"}}	r, err := {{.Call}}
-	if err != nil {
-		return {{.RepoType}}{}, mapErr(err)
-	}
-	return {{.RepoType}}(r), nil
-{{end}}
-
-{{- define "slice"}}	rows, err := {{.Call}}
-	if err != nil {
-		return nil, mapErr(err)
-	}
-	out := make([]{{.RepoType}}, len(rows))
-	for i, row := range rows {
-		out[i] = {{.RepoType}}(row)
-	}
-	return out, nil
-{{end}}

go.mod

@@ -1,6 +1,6 @@
 module github.com/tinyauthapp/tinyauth
 
-go 1.26.1
+go 1.26.0
 
 require (
 	charm.land/huh/v2 v2.0.3
@@ -20,11 +20,9 @@ require (
 	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.50.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/tools v0.43.0
 	k8s.io/apimachinery v0.36.0
 	k8s.io/client-go v0.36.0
 	modernc.org/sqlite v1.50.0
-	tailscale.com v1.96.5
 )
 
 require (
@@ -32,29 +30,13 @@ require (
 	charm.land/bubbletea/v2 v2.0.2 // indirect
 	charm.land/lipgloss/v2 v2.0.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	filippo.io/edwards25519 v1.2.0 // indirect
 	github.com/Azure/go-ntlmssp v0.1.1 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/akutz/memconn v0.1.0 // indirect
-	github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.58 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
-	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.15.0 // indirect
@@ -72,12 +54,10 @@ require (
 	github.com/clipperhouse/displaywidth v0.11.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
-	github.com/coder/websocket v1.8.12 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/creachadair/msync v0.7.1 // indirect
+	github.com/containerd/log v0.1.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -85,10 +65,8 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
-	github.com/gaissmai/bart v0.26.1 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
@@ -96,16 +74,8 @@ require (
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
-	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/btree v1.1.3 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/huin/goupnp v1.3.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
@@ -113,46 +83,35 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
-	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
-	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
-	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
-	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
-	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
-	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
@@ -160,24 +119,18 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
-	gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect

go.sum

@@ -1,5 +1,3 @@
-9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f h1:1C7nZuxUMNz7eiQALRfiqNOm04+m3edWlRff/BYHf0Q=
-9fans.net/go v0.0.8-0.20250307142834-96bdba94b63f/go.mod h1:hHyrZRryGqVdqrknjq5OWDLGCTJ2NeEvtrpR96mjraM=
 charm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s=
 charm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI=
 charm.land/bubbletea/v2 v2.0.2 h1:4CRtRnuZOdFDTWSff9r8QFt/9+z6Emubz3aDMnf/dx0=
@@ -10,10 +8,6 @@ charm.land/lipgloss/v2 v2.0.1 h1:6Xzrn49+Py1Um5q/wZG1gWgER2+7dUyZ9XMEufqPSys=
 charm.land/lipgloss/v2 v2.0.1/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
-filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
-filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
-filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
@@ -24,50 +18,16 @@ github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
-github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/akutz/memconn v0.1.0 h1:NawI0TORU4hcOMsMr11g7vwlCdkYeLKXBcxWu2W/P8A=
-github.com/akutz/memconn v0.1.0/go.mod h1:Jo8rI7m0NieZyLI5e2CDlRdRqRRB4S7Xp77ukDjH+Fw=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
-github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4=
-github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
-github.com/aws/aws-sdk-go-v2/config v1.29.5 h1:4lS2IB+wwkj5J43Tq/AwvnscBerBJtQQ6YS7puzCI1k=
-github.com/aws/aws-sdk-go-v2/config v1.29.5/go.mod h1:SNzldMlDVbN6nWxM7XsUiNXPSa1LWlqiXtvh/1PrJGg=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58 h1:/d7FUpAPU8Lf2KUdjniQvfNdlMID0Sd9pS23FJ3SS9Y=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.58/go.mod h1:aVYW33Ow10CyMQGFgC0ptMRIqJWvJ4nxZb0sUiuQT/A=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 h1:7lOW8NUwE9UZekS1DYoiPdVAqZ6A+LheHWb+mHbNOq8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27/go.mod h1:w1BASFIPOPUae7AgaH4SbjNbfdkxuggLyGfNFTn8ITY=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 h1:rgGwPzb82iBYSvHMHXc8h9mRoOUBZIGFgKb9qniaZZc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16/go.mod h1:L/UxsGeKpGoIj6DxfhOWHWQ/kGKcd4I1VncE4++IyKA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx2F0xmJcOw5374L7N6juGW6x6U=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 h1:c5WJ3iHz7rLIgArznb3JCSQT3uUMiz9DLZhIX+1G8ok=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.14/go.mod h1:+JJQTxB6N4niArC14YNtxcQtwEqzS3o9Z32n7q33Rfs=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 h1:f1L/JtUkVODD+k1+IiSJUUv8A++2qVr+Xvb3xWXETMU=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13/go.mod h1:tvqlFoja8/s0o+UruA1Nrezo/df0PzdunMDDurUfg6U=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 h1:SciGFVNZ4mHdm7gpD1dgZYnCuVdX1s+lFTg4+4DOy70=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.5/go.mod h1:iW40X4QBmUxdP+fZNOpfmkdMZqsovezbAeO+Ubiv2pk=
-github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
-github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
-github.com/axiomhq/hyperloglog v0.0.0-20240319100328-84253e514e02 h1:bXAPYSbdYbS5VTy92NIUbeDI1qyggi+JYh5op9IFlcQ=
-github.com/axiomhq/hyperloglog v0.0.0-20240319100328-84253e514e02/go.mod h1:k08r+Yj1PRAmuayFiRK6MYuR5Ve4IuZtTfxErMIh0+c=
 github.com/aymanbagabas/go-udiff v0.4.1 h1:OEIrQ8maEeDBXQDoGCbbTTXYJMYRCRO1fnodZ12Gv5o=
 github.com/aymanbagabas/go-udiff v0.4.1/go.mod h1:0L9PGwj20lrtmEMeyw4WKJ/TMyDtvAoK9bf2u/mNo3w=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -109,46 +69,26 @@ github.com/charmbracelet/x/windows v0.2.2 h1:IofanmuvaxnKHuV04sC0eBy/smG6kIKrWG2
 github.com/charmbracelet/x/windows v0.2.2/go.mod h1:/8XtdKZzedat74NQFn0NGlGL4soHB0YQZrETF96h75k=
 github.com/charmbracelet/x/xpty v0.1.3 h1:eGSitii4suhzrISYH50ZfufV3v085BXQwIytcOdFSsw=
 github.com/charmbracelet/x/xpty v0.1.3/go.mod h1:poPYpWuLDBFCKmKLDnhBp51ATa0ooD8FhypRwEFtH3Y=
-github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
-github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
 github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
 github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
 github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
 github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
 github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/creachadair/mds v0.25.9 h1:080Hr8laN2h+l3NeVCGMBpXtIPnl9mz8e4HLraGPqtA=
-github.com/creachadair/mds v0.25.9/go.mod h1:4hatI3hRM+qhzuAmqPRFvaBM8mONkS7nsLxkcuTYUIs=
-github.com/creachadair/msync v0.7.1 h1:SeZmuEBXQPe5GqV/C94ER7QIZPwtvFbeQiykzt/7uho=
-github.com/creachadair/msync v0.7.1/go.mod h1:8CcFlLsSujfHE5wWm19uUBLHIPDAUr6LXDwneVMO008=
-github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
-github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
-github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
-github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
-github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
-github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
-github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
 github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -167,20 +107,14 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gaissmai/bart v0.26.1 h1:+w4rnLGNlA2GDVn382Tfe3jOsK5vOr5n4KmigJ9lbTo=
-github.com/gaissmai/bart v0.26.1/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
 github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
-github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
-github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced h1:Q311OHjMh/u5E2TITc++WlTP5We0xNseRMkHDyvhW7I=
-github.com/go-json-experiment/json v0.0.0-20250813024750-ebf49471dced/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
 github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -188,12 +122,10 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU=
-github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -204,20 +136,12 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
 github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
-github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737 h1:cf60tHxREO3g1nroKr2osU3JWZsJzkfi7rEg+oAB0Lo=
-github.com/go4org/plan9netshell v0.0.0-20250324183649-788daa080737/go.mod h1:MIS0jDzbU/vuM9MC4YnBITCv+RYuTRq8dJzmCrFsK9g=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
-github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
-github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
-github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
-github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -225,11 +149,7 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
 github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
-github.com/google/go-tpm v0.9.4 h1:awZRf9FwOeTunQmHoDYSHJps3ie6f1UlhS1fOdPEt1I=
-github.com/google/go-tpm v0.9.4/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -238,19 +158,10 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o8jga4=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
-github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
-github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc=
-github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8=
-github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeVNmJMk=
-github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -263,24 +174,12 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jellydator/ttlcache/v3 v3.1.0 h1:0gPFG0IHHP6xyUyXq+JaD8fwkDCqgqwohXNJBcYE71g=
-github.com/jellydator/ttlcache/v3 v3.1.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
-github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
-github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
-github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -301,22 +200,10 @@ github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjc
 github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
-github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
-github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
-github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
-github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
 github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
-github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -343,33 +230,19 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
-github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
-github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0=
-github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4=
-github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.13.6 h1:JFZT4XbOU7l77xGSpOdW+pwIMqP044IyjXX6FGyEKFo=
-github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
-github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
-github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
@@ -382,8 +255,6 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/zerolog v1.35.1 h1:m7xQeoiLIiV0BCEY4Hs+j2NG4Gp2o2KPKmhnnLiazKI=
 github.com/rs/zerolog v1.35.1/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
-github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
-github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -404,40 +275,12 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
-github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
-github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
-github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
-github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
-github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
-github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
-github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
-github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
-github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
-github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298 h1:EYSb5jv8ZL/0/NVFZtY7Ejplk0QG5+3lrdL3mSrjFZQ=
 github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298/go.mod h1:TlUDoCF66hMqFZqoBym9bUdJ0bKAWYMir6hLJeYN5z0=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
-github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
-github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
-github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
 github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -448,8 +291,8 @@ go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF
 go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
 go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
 go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
@@ -472,30 +315,20 @@ go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
 golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
-golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
-golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
 golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
 golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
 golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
@@ -507,10 +340,6 @@ golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
 golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
-golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
-golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
-golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
@@ -532,12 +361,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 h1:Zy8IV/+FMLxy6j6p87vk/vQGKcdnbprwjTxc8UiUtsA=
-gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0 h1:5SXjd4ET5dYijLaf0O3aOenC0Z4ZafIWSpjUzsQaNho=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0/go.mod h1:EPDDhEZqVHhWuPI5zPAsjU0U7v9xNIWjoOVyZ5ZcniQ=
-howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
-howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
 k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
 k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
@@ -588,7 +411,3 @@ sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
-software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
-software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.96.5 h1:gNkfA/KSZAl6jCH9cj8urq00HRWItDDTtGsyATI89jA=
-tailscale.com v1.96.5/go.mod h1:/3lnZBYb2UEwnN0MNu2SDXUtT06AGd5k0s+OWx3WmcY=

internal/assets/assets.go

@@ -11,5 +11,5 @@ var FrontendAssets embed.FS
 
 // Migrations
 //
-//go:embed migrations/sqlite/*.sql
+//go:embed migrations/*.sql
 var Migrations embed.FS

internal/bootstrap/app_bootstrap.go

@@ -3,53 +3,39 @@ package bootstrap
 import (
 	"bytes"
 	"context"
-	"database/sql"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
-	"os/signal"
 	"sort"
 	"strings"
-	"sync"
-	"syscall"
 	"time"
 
-	"github.com/gin-gonic/gin"
-
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
-type Services struct {
-	accessControlService *service.AccessControlsService
-	authService          *service.AuthService
-	dockerService        *service.DockerService
-	kubernetesService    *service.KubernetesService
-	ldapService          *service.LdapService
-	oauthBrokerService   *service.OAuthBrokerService
-	oidcService          *service.OIDCService
-	tailscaleService     *service.TailscaleService
-	policyEngine         *service.PolicyEngine
-}
-
 type BootstrapApp struct {
-	config    model.Config
-	runtime   model.RuntimeConfig
-	services  Services
-	log       *logger.Logger
-	ctx       context.Context
-	cancel    context.CancelFunc
-	queries   repository.Store
-	router    *gin.Engine
-	db        *sql.DB
-	wg        sync.WaitGroup
-	listeners []Listener
+	config  model.Config
+	context struct {
+		appUrl                 string
+		uuid                   string
+		cookieDomain           string
+		sessionCookieName      string
+		csrfCookieName         string
+		redirectCookieName     string
+		oauthSessionCookieName string
+		localUsers             *[]model.LocalUser
+		oauthProviders         map[string]model.OAuthServiceConfig
+		oauthWhitelist         []string
+		configuredProviders    []controller.Provider
+		oidcClients            []model.OIDCClientConfig
+	}
+	services Services
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -59,72 +45,56 @@ func NewBootstrapApp(config model.Config) *BootstrapApp {
 }
 
 func (app *BootstrapApp) Setup() error {
-	// create context
-	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
-	app.ctx = ctx
-	app.cancel = cancel
-
-	// setup logger
-	log := logger.NewLogger().WithConfig(app.config.Log)
-	log.Init()
-	app.log = log
-
-	app.log.App.Info().Msgf("Starting Tinyauth version: %s", model.Version)
-
 	// get app url
 	if app.config.AppURL == "" {
-		return errors.New("app url cannot be empty, perhaps config loading failed")
+		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
 	}
 
 	appUrl, err := url.Parse(app.config.AppURL)
 
 	if err != nil {
-		return fmt.Errorf("failed to parse app url: %w", err)
+		return err
 	}
 
-	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
-	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
+	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
-		return errors.New("session max lifetime cannot be less than session expiry")
+		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}
 
-	// parse users
+	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
 
 	if err != nil {
-		return fmt.Errorf("failed to load users: %w", err)
+		return err
 	}
 
-	app.runtime.LocalUsers = *users
+	app.context.localUsers = users
 
-	// load oauth whitelist
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
-
 	if err != nil {
-		return fmt.Errorf("failed to load oauth whitelist: %w", err)
+		return err
 	}
 
-	app.runtime.OAuthWhitelist = oauthWhitelist
+	app.context.oauthWhitelist = oauthWhitelist
 
-	// setup oauth providers
-	app.runtime.OAuthProviders = app.config.OAuth.Providers
+	// Setup OAuth providers
+	app.context.oauthProviders = app.config.OAuth.Providers
 
-	for id, provider := range app.runtime.OAuthProviders {
+	for name, provider := range app.context.oauthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 
 		if provider.RedirectURL == "" {
-			provider.RedirectURL = app.runtime.AppURL + "/api/oauth/callback/" + id
+			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
 		}
 
-		app.runtime.OAuthProviders[id] = provider
+		app.context.oauthProviders[name] = provider
 	}
 
-	// set presets for built-in providers
-	for id, provider := range app.runtime.OAuthProviders {
+	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
 			if name, ok := model.OverrideProviders[id]; ok {
 				provider.Name = name
@@ -132,73 +102,71 @@ func (app *BootstrapApp) Setup() error {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
-		app.runtime.OAuthProviders[id] = provider
+		app.context.oauthProviders[id] = provider
 	}
 
-	// setup oidc clients
+	// Setup OIDC clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
-		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
+		app.context.oidcClients = append(app.context.oidcClients, client)
 	}
 
-	// cookie domain
+	// Get cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
-
 	if !app.config.Auth.SubdomainsEnabled {
-		app.log.App.Warn().Msg("Subdomains are disabled, using standalone cookie domain resolver which will not work with subdomains")
+		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
 		cookieDomainResolver = utils.GetStandaloneCookieDomain
 	}
 
-	cookieDomain, err := cookieDomainResolver(app.runtime.AppURL)
+	cookieDomain, err := cookieDomainResolver(app.context.appUrl)
 
 	if err != nil {
-		return fmt.Errorf("failed to get cookie domain: %w", err)
+		return err
 	}
 
-	app.runtime.CookieDomain = cookieDomain
+	app.context.cookieDomain = cookieDomain
 
-	// cookie names
-	app.runtime.UUID = utils.GenerateUUID(appUrl.Hostname())
+	// Cookie names
+	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
+	cookieId := strings.Split(app.context.uuid, "-")[0]
+	app.context.sessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.context.csrfCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.context.redirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
+	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
 
-	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
+	// Dumps
+	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
+	tlog.App.Trace().Interface("users", app.context.localUsers).Msg("Users dump")
+	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
+	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
+	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
+	tlog.App.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
+	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
 
-	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
-	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
-
-	// database
-	store, err := app.SetupStore()
+	// Database
+	db, err := app.SetupDatabase(app.config.Database.Path)
 
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 
-	// after this point, we start initializing dependencies so it's a good time to setup a defer
-	// to ensure that resources are cleaned up properly in case of an error during initialization
-	defer func() {
-		app.cancel()
-		app.wg.Wait()
-		if app.db != nil {
-			app.db.Close()
-		}
-	}()
+	// Queries
+	queries := repository.New(db)
 
-	// store
-	app.queries = store
-
-	// services
-	err = app.setupServices()
+	// Services
+	services, err := app.initServices(queries)
 
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 
-	// configured providers
-	configuredProviders := make([]model.Provider, 0)
+	app.services = services
 
-	for id, provider := range app.runtime.OAuthProviders {
-		configuredProviders = append(configuredProviders, model.Provider{
+	// Configured providers
+	configuredProviders := make([]controller.Provider, 0)
+
+	for id, provider := range app.context.oauthProviders {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  provider.Name,
 			ID:    id,
 			OAuth: true,
@@ -209,100 +177,93 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
 
-	if app.services.authService.LocalAuthConfigured() {
-		configuredProviders = append(configuredProviders, model.Provider{
+	if services.authService.LocalAuthConfigured() {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "Local",
 			ID:    "local",
 			OAuth: false,
 		})
 	}
 
-	if app.services.authService.LDAPAuthConfigured() {
-		configuredProviders = append(configuredProviders, model.Provider{
+	if services.authService.LDAPAuthConfigured() {
+		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
 			OAuth: false,
 		})
 	}
 
+	tlog.App.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
+
 	if len(configuredProviders) == 0 {
-		return errors.New("no authentication providers configured")
+		return fmt.Errorf("no authentication providers configured")
 	}
 
-	for _, provider := range configuredProviders {
-		app.log.App.Debug().Str("provider", provider.Name).Msg("Configured authentication provider")
-	}
+	app.context.configuredProviders = configuredProviders
 
-	app.runtime.ConfiguredProviders = configuredProviders
-
-	// throw in tailscale if it's configured just before setting up the controllers
-	if app.services.tailscaleService != nil {
-		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
-	}
-
-	// setup router
-	err = app.setupRouter()
+	// Setup router
+	router, err := app.setupRouter()
 
 	if err != nil {
 		return fmt.Errorf("failed to setup routes: %w", err)
 	}
 
-	// start db cleanup routine
-	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.wg.Go(app.dbCleanupRoutine)
+	// Start db cleanup routine
+	tlog.App.Debug().Msg("Starting database cleanup routine")
+	go app.dbCleanupRoutine(queries)
 
-	// if analytics are not disabled, start heartbeat
+	// If analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
-		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.wg.Go(app.heartbeatRoutine)
+		tlog.App.Debug().Msg("Starting heartbeat routine")
+		go app.heartbeatRoutine()
 	}
 
-	// setup listeners
-	app.listeners = app.calculateListenerPolicy()
-
-	if app.config.Server.ConcurrentListenersEnabled {
-		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
-	}
-
-	// run listeners
-	lec, err := app.runListeners()
-
-	if err != nil {
-		return fmt.Errorf("failed to run listeners: %w", err)
-	}
-
-	// monitor cancellation and server errors
-	for {
-		select {
-		case <-app.ctx.Done():
-			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
-			return nil
-		case err := <-lec:
+	// If we have an socket path, bind to it
+	if app.config.Server.SocketPath != "" {
+		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
+			tlog.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
+			err := os.Remove(app.config.Server.SocketPath)
 			if err != nil {
-				return fmt.Errorf("listener error: %w", err)
+				return fmt.Errorf("failed to remove existing socket file: %w", err)
 			}
 		}
+
+		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
+			tlog.App.Fatal().Err(err).Msg("Failed to start server")
+		}
+
+		return nil
 	}
+
+	// Start server
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
+	tlog.App.Info().Msgf("Starting server on %s", address)
+	if err := router.Run(address); err != nil {
+		tlog.App.Fatal().Err(err).Msg("Failed to start server")
+	}
+
+	return nil
 }
 
 func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
 
-	type Heartbeat struct {
+	type heartbeat struct {
 		UUID    string `json:"uuid"`
 		Version string `json:"version"`
 	}
 
-	var body Heartbeat
+	var body heartbeat
 
-	body.UUID = app.runtime.UUID
+	body.UUID = app.context.uuid
 	body.Version = model.Version
 
 	bodyJson, err := json.Marshal(body)
 
 	if err != nil {
-		app.log.App.Error().Err(err).Msg("Failed to marshal heartbeat body, heartbeat routine will not start")
+		tlog.App.Error().Err(err).Msg("Failed to marshal heartbeat body")
 		return
 	}
 
@@ -312,60 +273,43 @@ func (app *BootstrapApp) heartbeatRoutine() {
 
 	heartbeatURL := model.APIServer + "/v1/instances/heartbeat"
 
-	for {
-		select {
-		case <-ticker.C:
-			app.log.App.Debug().Msg("Sending heartbeat")
+	for range ticker.C {
+		tlog.App.Debug().Msg("Sending heartbeat")
 
-			req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
+		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
 
-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to create heartbeat request")
-				continue
-			}
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to create heartbeat request")
+			continue
+		}
 
-			req.Header.Add("Content-Type", "application/json")
+		req.Header.Add("Content-Type", "application/json")
 
-			res, err := client.Do(req)
+		res, err := client.Do(req)
 
-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to send heartbeat")
-				continue
-			}
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to send heartbeat")
+			continue
+		}
 
-			res.Body.Close()
+		res.Body.Close()
 
-			if res.StatusCode != 200 && res.StatusCode != 201 {
-				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
-			}
-		case <-app.ctx.Done():
-			app.log.App.Debug().Msg("Stopping heartbeat routine")
-			ticker.Stop()
-			return
+		if res.StatusCode != 200 && res.StatusCode != 201 {
+			tlog.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 		}
 	}
 }
 
-func (app *BootstrapApp) dbCleanupRoutine() {
+func (app *BootstrapApp) dbCleanupRoutine(queries *repository.Queries) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
+	ctx := context.Background()
 
-	for {
-		select {
-		case <-ticker.C:
-			app.log.App.Debug().Msg("Running database cleanup")
-
-			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
-
-			if err != nil {
-				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
-			}
-
-			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-app.ctx.Done():
-			app.log.App.Debug().Msg("Stopping database cleanup routine")
-			ticker.Stop()
-			return
+	for range ticker.C {
+		tlog.App.Debug().Msg("Cleaning up old database sessions")
+		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
+		if err != nil {
+			tlog.App.Error().Err(err).Msg("Failed to clean up old database sessions")
 		}
 	}
 }

internal/bootstrap/db_bootstrap.go

@@ -7,9 +7,6 @@ import (
 	"path/filepath"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
-	"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
 
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
@@ -17,18 +14,7 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-func (app *BootstrapApp) SetupStore() (repository.Store, error) {
-	switch app.config.Database.Driver {
-	case "memory":
-		return memory.New(), nil
-	case "sqlite", "":
-		return app.setupSQLite(app.config.Database.Path)
-	default:
-		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, memory", app.config.Database.Driver)
-	}
-}
-
-func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, error) {
+func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 	dir := filepath.Dir(databasePath)
 
 	if err := os.MkdirAll(dir, 0750); err != nil {
@@ -41,18 +27,11 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 
-	// Close the database if there is an error during migration
-	defer func() {
-		if err != nil {
-			db.Close()
-		}
-	}()
-
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
 
-	migrations, err := iofs.New(assets.Migrations, "migrations/sqlite")
+	migrations, err := iofs.New(assets.Migrations, "migrations")
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
@@ -74,7 +53,5 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 
-	app.db = db
-
-	return sqlite.NewStore(sqlite.New(db)), nil
+	return db, nil
 }

internal/bootstrap/router_bootstrap.go

@@ -1,13 +1,8 @@
 package bootstrap
 
 import (
-	"context"
-	"errors"
 	"fmt"
-	"net"
-	"net/http"
-	"os"
-	"time"
+	"slices"
 
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
@@ -16,17 +11,12 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-type Listener int
+var DEV_MODES = []string{"main", "test", "development"}
 
-const (
-	ListenerHTTP Listener = iota
-	ListenerUnix
-	ListenerTailscale
-)
-
-func (app *BootstrapApp) setupRouter() error {
-	// we don't want gin debug mode
-	gin.SetMode(gin.ReleaseMode)
+func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
+	if !slices.Contains(DEV_MODES, model.Version) {
+		gin.SetMode(gin.ReleaseMode)
+	}
 
 	engine := gin.New()
 	engine.Use(gin.Recovery())
@@ -35,199 +25,101 @@ func (app *BootstrapApp) setupRouter() error {
 		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
 
 		if err != nil {
-			return fmt.Errorf("failed to set trusted proxies: %w", err)
+			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}
 
-	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
-	engine.Use(contextMiddleware.Middleware())
+	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
+	}, app.services.authService, app.services.oauthBrokerService)
 
-	uiMiddleware, err := middleware.NewUIMiddleware()
+	err := contextMiddleware.Init()
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize UI middleware: %w", err)
+		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
+	}
+
+	engine.Use(contextMiddleware.Middleware())
+
+	uiMiddleware := middleware.NewUIMiddleware()
+
+	err = uiMiddleware.Init()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
 
 	engine.Use(uiMiddleware.Middleware())
 
-	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
+	zerologMiddleware := middleware.NewZerologMiddleware()
+
+	err = zerologMiddleware.Init()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
+	}
 
 	engine.Use(zerologMiddleware.Middleware())
 
 	apiRouter := engine.Group("/api")
 
-	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
-	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-	controller.NewResourcesController(app.config, &engine.RouterGroup)
-	controller.NewHealthController(apiRouter)
-	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
+	contextController := controller.NewContextController(controller.ContextControllerConfig{
+		Providers:             app.context.configuredProviders,
+		Title:                 app.config.UI.Title,
+		AppURL:                app.config.AppURL,
+		CookieDomain:          app.context.cookieDomain,
+		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
+		BackgroundImage:       app.config.UI.BackgroundImage,
+		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
+		WarningsEnabled:       app.config.UI.WarningsEnabled,
+	}, apiRouter)
 
-	app.router = engine
-	return nil
-}
-
-func (app *BootstrapApp) runListeners() (chan error, error) {
-	// lec -> listener error channel
-	lec := make(chan error, len(app.listeners))
-
-	for _, listenerType := range app.listeners {
-		listenerFunc, err := app.listenerFromType(listenerType)
-
-		if err != nil {
-			return nil, fmt.Errorf("failed to get listener function: %w", err)
-		}
-
-		app.wg.Go(func() {
-			lec <- listenerFunc()
-		})
-	}
-
-	return lec, nil
-}
-
-// The way we calculate listeners is as follows:
-// If concurrent listeners are disabled, we pick the first available listener, so:
-// 1. If tailscale is enabled, we use tailscale
-// 2. If socket path is configured, we use unix socket
-// 3. Finally if none is configured we use http
-// If concurrent listeners are enabled, we add all available listeners in the following order
-func (app *BootstrapApp) calculateListenerPolicy() []Listener {
-	l := []Listener{}
-
-	if !app.config.Server.ConcurrentListenersEnabled {
-		if app.services.tailscaleService != nil {
-			l = append(l, ListenerTailscale)
-			return l
-		}
-
-		if app.config.Server.SocketPath != "" {
-			l = append(l, ListenerUnix)
-			return l
-		}
-
-		l = append(l, ListenerHTTP)
-		return l
-	}
-
-	if app.config.Server.SocketPath != "" {
-		l = append(l, ListenerUnix)
-	}
-
-	if app.services.tailscaleService != nil {
-		l = append(l, ListenerTailscale)
-	}
-
-	l = append(l, ListenerHTTP)
-
-	return l
-}
-
-func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error, error) {
-	switch listenerType {
-	case ListenerHTTP:
-		return app.serveHTTP, nil
-	case ListenerUnix:
-		return app.serveUnix, nil
-	case ListenerTailscale:
-		return app.serveTailscale, nil
-	default:
-		return nil, fmt.Errorf("invalid listener type: %d", listenerType)
-	}
-}
-
-func (app *BootstrapApp) serveHTTP() error {
-	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
-
-	app.log.App.Info().Msgf("Starting server on %s", address)
-
-	listener, err := net.Listen("tcp", address)
-
-	if err != nil {
-		return fmt.Errorf("failed to create tcp listener: %w", err)
-	}
-
-	server := &http.Server{
-		Addr:    address,
-		Handler: app.router.Handler(),
-	}
-
-	return app.serve(listener, server, "http")
-}
-
-func (app *BootstrapApp) serveUnix() error {
-	_, err := os.Stat(app.config.Server.SocketPath)
-
-	if err == nil {
-		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-		err := os.Remove(app.config.Server.SocketPath)
-
-		if err != nil {
-			return fmt.Errorf("failed to remove existing socket file: %w", err)
-		}
-	}
-
-	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-
-	listener, err := net.Listen("unix", app.config.Server.SocketPath)
-
-	if err != nil {
-		return fmt.Errorf("failed to create unix socket listener: %w", err)
-	}
-
-	server := &http.Server{
-		Handler: app.router.Handler(),
-	}
-
-	return app.serve(listener, server, "unix socket")
-}
-
-func (app *BootstrapApp) serveTailscale() error {
-	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
-
-	listener, err := app.services.tailscaleService.CreateListener()
-
-	if err != nil {
-		return fmt.Errorf("failed to create tailscale listener: %w", err)
-	}
-
-	server := &http.Server{
-		Handler: app.router.Handler(),
-	}
-
-	return app.serve(listener, server, "tailscale")
-}
-
-func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, name string) error {
-	shutdown := func() {
-		ctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
-		defer cancel()
-		err := server.Shutdown(ctx)
-		if err != nil &&
-			// With tailscale, the goroutine for shutting down the tailscale connection
-			// runs first and causes the connection the tailscale listener is running on to close
-			// first so, the shutdown fails
-			// TODO: add priority to the goroutine shutdowns
-			!errors.Is(err, net.ErrClosed) {
-			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
-		}
-		listener.Close()
-	}
-
-	go func() {
-		<-app.ctx.Done()
-		app.log.App.Debug().Msgf("Shutting down %s listener", name)
-		shutdown()
-	}()
-
-	err := server.Serve(listener)
-
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		shutdown()
-		return fmt.Errorf("failed to start %s listener: %w", name, err)
-	}
-
-	return nil
+	contextController.SetupRoutes()
+
+	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
+		AppURL:                 app.config.AppURL,
+		SecureCookie:           app.config.Auth.SecureCookie,
+		CSRFCookieName:         app.context.csrfCookieName,
+		RedirectCookieName:     app.context.redirectCookieName,
+		CookieDomain:           app.context.cookieDomain,
+		OAuthSessionCookieName: app.context.oauthSessionCookieName,
+		SubdomainsEnabled:      app.config.Auth.SubdomainsEnabled,
+	}, apiRouter, app.services.authService)
+
+	oauthController.SetupRoutes()
+
+	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, app.services.oidcService, apiRouter)
+
+	oidcController.SetupRoutes()
+
+	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
+		AppURL: app.config.AppURL,
+	}, apiRouter, app.services.accessControlService, app.services.authService)
+
+	proxyController.SetupRoutes()
+
+	userController := controller.NewUserController(controller.UserControllerConfig{
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
+	}, apiRouter, app.services.authService)
+
+	userController.SetupRoutes()
+
+	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
+		Path:    app.config.Resources.Path,
+		Enabled: app.config.Resources.Enabled,
+	}, &engine.RouterGroup)
+
+	resourcesController.SetupRoutes()
+
+	healthController := controller.NewHealthController(apiRouter)
+
+	healthController.SetupRoutes()
+
+	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
+
+	wellknownController.SetupRoutes()
+
+	return engine, nil
 }

internal/bootstrap/service_bootstrap.go

@@ -1,134 +1,131 @@
 package bootstrap
 
 import (
-	"fmt"
-
 	"os"
 
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
-func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
-
-	if err != nil {
-		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
-	}
-
-	app.services.ldapService = ldapService
-
-	labelProvider, err := app.getLabelProvider()
-
-	if err != nil {
-		return fmt.Errorf("failed to initialize label provider: %w", err)
-	}
-
-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
-
-	if err != nil {
-		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
-	}
-
-	app.services.tailscaleService = tailscaleService
-
-	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
-	app.services.accessControlService = accessControlsService
-
-	err = app.setupPolicyEngine()
-
-	if err != nil {
-		return fmt.Errorf("failed to initialize policy engine: %w", err)
-	}
-
-	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
-	app.services.oauthBrokerService = oauthBrokerService
-
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
-	app.services.authService = authService
-
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
-
-	if err != nil {
-		return fmt.Errorf("failed to initialize oidc service: %w", err)
-	}
-
-	app.services.oidcService = oidcService
-
-	return nil
+type Services struct {
+	accessControlService *service.AccessControlsService
+	authService          *service.AuthService
+	dockerService        *service.DockerService
+	kubernetesService    *service.KubernetesService
+	ldapService          *service.LdapService
+	oauthBrokerService   *service.OAuthBrokerService
+	oidcService          *service.OIDCService
 }
 
-func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
-	switch app.config.LabelProvider {
-	case "none", "docker", "kubernetes", "auto":
-		if app.config.LabelProvider == "none" {
-			return nil, nil
-		}
+func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
+	services := Services{}
 
-		useKubernetes := app.config.LabelProvider == "kubernetes" ||
-			(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
+	ldapService := service.NewLdapService(service.LdapServiceConfig{
+		Address:      app.config.LDAP.Address,
+		BindDN:       app.config.LDAP.BindDN,
+		BindPassword: app.config.LDAP.BindPassword,
+		BaseDN:       app.config.LDAP.BaseDN,
+		Insecure:     app.config.LDAP.Insecure,
+		SearchFilter: app.config.LDAP.SearchFilter,
+		AuthCert:     app.config.LDAP.AuthCert,
+		AuthKey:      app.config.LDAP.AuthKey,
+	})
 
-		if useKubernetes {
-			app.log.App.Debug().Msg("Using Kubernetes label provider")
+	err := ldapService.Init()
 
-			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
+	if err != nil {
+		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
+		ldapService.Unconfigure()
+	}
 
-			if err != nil {
-				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
-			}
+	services.ldapService = ldapService
 
-			app.services.kubernetesService = kubernetesService
-			return kubernetesService, nil
-		}
+	var labelProvider service.LabelProvider
+	var dockerService *service.DockerService
+	var kubernetesService *service.KubernetesService
 
-		app.log.App.Debug().Msg("Using Docker label provider")
-
-		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
+	useKubernetes := app.config.LabelProvider == "kubernetes" ||
+		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
 
+	if useKubernetes {
+		tlog.App.Debug().Msg("Using Kubernetes label provider")
+		kubernetesService = service.NewKubernetesService()
+		err = kubernetesService.Init()
 		if err != nil {
-			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
+			return Services{}, err
 		}
-
-		if dockerService == nil {
-			if app.config.LabelProvider == "docker" {
-				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
-			}
-			return nil, nil
+		services.kubernetesService = kubernetesService
+		labelProvider = kubernetesService
+	} else {
+		tlog.App.Debug().Msg("Using Docker label provider")
+		dockerService = service.NewDockerService()
+		err = dockerService.Init()
+		if err != nil {
+			return Services{}, err
 		}
-
-		app.services.dockerService = dockerService
-		return dockerService, nil
-	default:
-		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
+		services.dockerService = dockerService
+		labelProvider = dockerService
 	}
-}
 
-func (app *BootstrapApp) setupPolicyEngine() error {
-	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
+	accessControlsService := service.NewAccessControlsService(labelProvider, app.config.Apps)
+
+	err = accessControlsService.Init()
 
 	if err != nil {
-		return fmt.Errorf("failed to initialize policy engine: %w", err)
+		return Services{}, err
 	}
 
-	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
-		Log: app.log,
-	})
-	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
-		Log:    app.log,
-		Config: app.config,
-	})
-	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
-		Log: app.log,
-	})
+	services.accessControlService = accessControlsService
 
-	app.services.policyEngine = policyEngine
-	return nil
+	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
+
+	err = oauthBrokerService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.oauthBrokerService = oauthBrokerService
+
+	authService := service.NewAuthService(service.AuthServiceConfig{
+		LocalUsers:         app.context.localUsers,
+		OauthWhitelist:     app.context.oauthWhitelist,
+		SessionExpiry:      app.config.Auth.SessionExpiry,
+		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
+		SecureCookie:       app.config.Auth.SecureCookie,
+		CookieDomain:       app.context.cookieDomain,
+		LoginTimeout:       app.config.Auth.LoginTimeout,
+		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
+		SessionCookieName:  app.context.sessionCookieName,
+		IP:                 app.config.Auth.IP,
+		LDAPGroupsCacheTTL: app.config.LDAP.GroupCacheTTL,
+		SubdomainsEnabled:  app.config.Auth.SubdomainsEnabled,
+	}, services.ldapService, queries, services.oauthBrokerService)
+
+	err = authService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.authService = authService
+
+	oidcService := service.NewOIDCService(service.OIDCServiceConfig{
+		Clients:        app.config.OIDC.Clients,
+		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
+		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
+		Issuer:         app.config.AppURL,
+		SessionExpiry:  app.config.Auth.SessionExpiry,
+	}, queries)
+
+	err = oidcService.Init()
+
+	if err != nil {
+		return Services{}, err
+	}
+
+	services.oidcService = oidcService
+
+	return services, nil
 }

internal/controller/context_controller.go

@@ -1,163 +1,130 @@
 package controller
 
 import (
+	"fmt"
+	"net/url"
+
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 )
 
-// UCR -> User Context Response
-
-type UCRAuth struct {
-	Authenticated bool   `json:"authenticated"`
-	Username      string `json:"username"`
-	Name          string `json:"name"`
-	Email         string `json:"email"`
-	ProviderID    string `json:"providerId"`
-}
-
-type UCROAuth struct {
-	Active      bool   `json:"active"`
-	DisplayName string `json:"displayName"`
-}
-
-type UCRTOTP struct {
-	Pending bool `json:"pending"`
-}
-
-type UCRTailscale struct {
-	NodeName string `json:"nodeName,omitempty"`
-}
-
 type UserContextResponse struct {
-	Status    int          `json:"status"`
-	Message   string       `json:"message"`
-	Auth      UCRAuth      `json:"auth"`
-	OAuth     UCROAuth     `json:"oauth"`
-	TOTP      UCRTOTP      `json:"totp"`
-	Tailscale UCRTailscale `json:"tailscale"`
-}
-
-// ACR -> App Context Response
-
-type ACRAuth struct {
-	Providers []model.Provider `json:"providers"`
-}
-
-type ACROAuth struct {
-	AutoRedirect string `json:"autoRedirect"`
-}
-
-type ACRUI struct {
-	Title                 string `json:"title"`
-	ForgotPasswordMessage string `json:"forgotPasswordMessage"`
-	BackgroundImage       string `json:"backgroundImage"`
-	WarningsEnabled       bool   `json:"warningsEnabled"`
-}
-
-type ACRApp struct {
-	AppURL         string   `json:"appUrl"`
-	CookieDomain   string   `json:"cookieDomain"`
-	TrustedDomains []string `json:"trustedDomains"`
+	Status      int    `json:"status"`
+	Message     string `json:"message"`
+	IsLoggedIn  bool   `json:"isLoggedIn"`
+	Username    string `json:"username"`
+	Name        string `json:"name"`
+	Email       string `json:"email"`
+	Provider    string `json:"provider"`
+	OAuth       bool   `json:"oauth"`
+	TOTPPending bool   `json:"totpPending"`
+	OAuthName   string `json:"oauthName"`
 }
 
 type AppContextResponse struct {
-	Status  int      `json:"status"`
-	Message string   `json:"message"`
-	Auth    ACRAuth  `json:"auth"`
-	OAuth   ACROAuth `json:"oauth"`
-	UI      ACRUI    `json:"ui"`
-	App     ACRApp   `json:"app"`
+	Status                int        `json:"status"`
+	Message               string     `json:"message"`
+	Providers             []Provider `json:"providers"`
+	Title                 string     `json:"title"`
+	AppURL                string     `json:"appUrl"`
+	CookieDomain          string     `json:"cookieDomain"`
+	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
+	BackgroundImage       string     `json:"backgroundImage"`
+	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
+	WarningsEnabled       bool       `json:"warningsEnabled"`
+}
+
+type Provider struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	OAuth bool   `json:"oauth"`
+}
+
+type ContextControllerConfig struct {
+	Providers             []Provider
+	Title                 string
+	AppURL                string
+	CookieDomain          string
+	ForgotPasswordMessage string
+	BackgroundImage       string
+	OAuthAutoRedirect     string
+	WarningsEnabled       bool
 }
 
 type ContextController struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
+	config ContextControllerConfig
+	router *gin.RouterGroup
 }
 
-func NewContextController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-) *ContextController {
-	controller := &ContextController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
+func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
+	if !config.WarningsEnabled {
+		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}
 
-	if !config.UI.WarningsEnabled {
-		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+	return &ContextController{
+		config: config,
+		router: router,
 	}
+}
 
-	contextGroup := router.Group("/context")
+func (controller *ContextController) SetupRoutes() {
+	contextGroup := controller.router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
-
-	return controller
 }
 
 func (controller *ContextController) userContextHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		tlog.App.Debug().Err(err).Msg("No user context found in request")
 		c.JSON(200, UserContextResponse{
-			Status:  401,
-			Message: "Unauthorized",
-			Auth:    UCRAuth{Authenticated: false},
+			Status:     401,
+			Message:    "Unauthorized",
+			IsLoggedIn: false,
 		})
 		return
 	}
 
 	userContext := UserContextResponse{
-		Status:  200,
-		Message: "Success",
-		Auth: UCRAuth{
-			Authenticated: context.Authenticated,
-			Username:      context.GetUsername(),
-			Name:          context.GetName(),
-			Email:         context.GetEmail(),
-			ProviderID:    context.GetProviderID(),
-		},
-		OAuth: UCROAuth{
-			Active:      context.IsOAuth(),
-			DisplayName: context.OAuthName(),
-		},
-		TOTP: UCRTOTP{
-			Pending: context.TOTPPending(),
-		},
-		Tailscale: UCRTailscale{
-			NodeName: context.TailscaleNodeName(),
-		},
+		Status:      200,
+		Message:     "Success",
+		IsLoggedIn:  context.Authenticated,
+		Username:    context.GetUsername(),
+		Name:        context.GetName(),
+		Email:       context.GetEmail(),
+		Provider:    context.GetProviderID(),
+		OAuth:       context.IsOAuth(),
+		TOTPPending: context.TOTPPending(),
+		OAuthName:   context.OAuthName(),
 	}
 
 	c.JSON(200, userContext)
 }
 
 func (controller *ContextController) appContextHandler(c *gin.Context) {
+	appUrl, err := url.Parse(controller.config.AppURL)
+	if err != nil {
+		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
 	c.JSON(200, AppContextResponse{
-		Status:  200,
-		Message: "Success",
-		Auth: ACRAuth{
-			Providers: controller.runtime.ConfiguredProviders,
-		},
-		OAuth: ACROAuth{
-			AutoRedirect: controller.config.OAuth.AutoRedirect,
-		},
-		UI: ACRUI{
-			Title:                 controller.config.UI.Title,
-			ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
-			BackgroundImage:       controller.config.UI.BackgroundImage,
-			WarningsEnabled:       controller.config.UI.WarningsEnabled,
-		},
-		App: ACRApp{
-			AppURL:         controller.runtime.AppURL,
-			CookieDomain:   controller.runtime.CookieDomain,
-			TrustedDomains: controller.runtime.TrustedDomains,
-		},
+		Status:                200,
+		Message:               "Success",
+		Providers:             controller.config.Providers,
+		Title:                 controller.config.Title,
+		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
+		CookieDomain:          controller.config.CookieDomain,
+		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
+		BackgroundImage:       controller.config.BackgroundImage,
+		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
+		WarningsEnabled:       controller.config.WarningsEnabled,
 	})
 }

internal/controller/context_controller_test.go

@@ -8,19 +8,30 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestContextController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
-
-	cfg, runtime := test.CreateTestConfigs(t)
+	tlog.NewTestLogger().Init()
+	controllerConfig := controller.ContextControllerConfig{
+		Providers: []controller.Provider{
+			{
+				Name:  "Local",
+				ID:    "local",
+				OAuth: false,
+			},
+		},
+		Title:                 "Tinyauth",
+		AppURL:                "https://tinyauth.example.com",
+		CookieDomain:          "example.com",
+		ForgotPasswordMessage: "foo",
+		BackgroundImage:       "/background.jpg",
+		OAuthAutoRedirect:     "none",
+		WarningsEnabled:       true,
+	}
 
 	tests := []struct {
 		description string
@@ -34,28 +45,19 @@ func TestContextController(t *testing.T) {
 			path:        "/api/context/app",
 			expected: func() string {
 				expectedAppContextResponse := controller.AppContextResponse{
-					Status:  200,
-					Message: "Success",
-					Auth: controller.ACRAuth{
-						Providers: runtime.ConfiguredProviders,
-					},
-					OAuth: controller.ACROAuth{
-						AutoRedirect: cfg.OAuth.AutoRedirect,
-					},
-					UI: controller.ACRUI{
-						Title:                 cfg.UI.Title,
-						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
-						BackgroundImage:       cfg.UI.BackgroundImage,
-						WarningsEnabled:       cfg.UI.WarningsEnabled,
-					},
-					App: controller.ACRApp{
-						AppURL:         runtime.AppURL,
-						CookieDomain:   runtime.CookieDomain,
-						TrustedDomains: runtime.TrustedDomains,
-					},
+					Status:                200,
+					Message:               "Success",
+					Providers:             controllerConfig.Providers,
+					Title:                 controllerConfig.Title,
+					AppURL:                controllerConfig.AppURL,
+					CookieDomain:          controllerConfig.CookieDomain,
+					ForgotPasswordMessage: controllerConfig.ForgotPasswordMessage,
+					BackgroundImage:       controllerConfig.BackgroundImage,
+					OAuthAutoRedirect:     controllerConfig.OAuthAutoRedirect,
+					WarningsEnabled:       controllerConfig.WarningsEnabled,
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -69,7 +71,7 @@ func TestContextController(t *testing.T) {
 					Message: "Unauthorized",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -84,7 +86,7 @@ func TestContextController(t *testing.T) {
 							BaseContext: model.BaseContext{
 								Username: "johndoe",
 								Name:     "John Doe",
-								Email:    utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+								Email:    utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
 							},
 						},
 					})
@@ -93,18 +95,16 @@ func TestContextController(t *testing.T) {
 			path: "/api/context/user",
 			expected: func() string {
 				expectedUserContextResponse := controller.UserContextResponse{
-					Status:  200,
-					Message: "Success",
-					Auth: controller.UCRAuth{
-						Authenticated: true,
-						Username:      "johndoe",
-						Name:          "John Doe",
-						Email:         utils.CompileUserEmail("johndoe", runtime.CookieDomain),
-						ProviderID:    "local",
-					},
+					Status:     200,
+					Message:    "Success",
+					IsLoggedIn: true,
+					Username:   "johndoe",
+					Name:       "John Doe",
+					Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
+					Provider:   "local",
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -121,12 +121,13 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewContextController(log, cfg, runtime, group)
+			contextController := controller.NewContextController(controllerConfig, group)
+			contextController.SetupRoutes()
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest("GET", test.path, nil)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/health_controller.go

@@ -3,15 +3,18 @@ package controller
 import "github.com/gin-gonic/gin"
 
 type HealthController struct {
+	router *gin.RouterGroup
 }
 
 func NewHealthController(router *gin.RouterGroup) *HealthController {
-	controller := &HealthController{}
+	return &HealthController{
+		router: router,
+	}
+}
 
-	router.GET("/healthz", controller.healthHandler)
-	router.HEAD("/healthz", controller.healthHandler)
-
-	return controller
+func (controller *HealthController) SetupRoutes() {
+	controller.router.GET("/healthz", controller.healthHandler)
+	controller.router.HEAD("/healthz", controller.healthHandler)
 }
 
 func (controller *HealthController) healthHandler(c *gin.Context) {

internal/controller/health_controller_test.go

@@ -7,12 +7,13 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestHealthController(t *testing.T) {
+	tlog.NewTestLogger().Init()
 	tests := []struct {
 		description string
 		path        string
@@ -29,7 +30,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -43,7 +44,7 @@ func TestHealthController(t *testing.T) {
 					"message": "Healthy",
 				}
 				bytes, err := json.Marshal(expectedHealthResponse)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				return string(bytes)
 			}(),
 		},
@@ -55,12 +56,13 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewHealthController(group)
+			healthController := controller.NewHealthController(group)
+			healthController.SetupRoutes()
 
 			recorder := httptest.NewRecorder()
 
 			request, err := http.NewRequest(test.method, test.path, nil)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 
 			router.ServeHTTP(recorder, request)
 

internal/controller/oauth_controller.go

@@ -6,11 +6,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -20,32 +19,34 @@ type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }
 
-type OAuthController struct {
-	log     *logger.Logger
-	config  model.Config
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
+type OAuthControllerConfig struct {
+	CSRFCookieName         string
+	OAuthSessionCookieName string
+	RedirectCookieName     string
+	SecureCookie           bool
+	AppURL                 string
+	CookieDomain           string
+	SubdomainsEnabled      bool
 }
 
-func NewOAuthController(
-	log *logger.Logger,
-	config model.Config,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *OAuthController {
-	controller := &OAuthController{
-		log:     log,
-		config:  config,
-		runtime: runtimeConfig,
-		auth:    auth,
-	}
+type OAuthController struct {
+	config OAuthControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
+}
 
-	oauthGroup := router.Group("/oauth")
+func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *OAuthController {
+	return &OAuthController{
+		config: config,
+		router: router,
+		auth:   auth,
+	}
+}
+
+func (controller *OAuthController) SetupRoutes() {
+	oauthGroup := controller.router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
-
-	return controller
 }
 
 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
@@ -53,7 +54,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -66,7 +67,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err = c.BindQuery(&reqParams)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind query parameters")
+		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -75,10 +76,10 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 
 	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)
 
 		if !isRedirectSafe {
-			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
+			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
 			reqParams.RedirectURI = ""
 		}
 	}
@@ -86,7 +87,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create new OAuth session")
+		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -97,7 +98,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	authUrl, err := controller.auth.GetOAuthURL(sessionId)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth URL for session")
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -105,7 +106,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -119,7 +120,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -127,21 +128,21 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	sessionIdCookie, err := c.Cookie(controller.runtime.OAuthSessionCookieName)
+	sessionIdCookie, err := c.Cookie(controller.config.OAuthSessionCookieName)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Warn().Err(err).Msg("OAuth session cookie missing")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get pending OAuth session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
@@ -149,8 +150,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	state := c.Query("state")
 	if state != oauthPendingSession.State {
-		controller.log.App.Warn().Msg("OAuth state mismatch")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
@@ -158,85 +159,68 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to exchange code for token")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to exchange code for token")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	user, err := controller.auth.GetOAuthUserinfo(sessionIdCookie)
 
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get user info from OAuth provider")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
-	if user == nil {
-		controller.log.App.Warn().Msg("OAuth provider did not return user info")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
-		return
-	}
-
 	if user.Email == "" {
-		controller.log.App.Warn().Msg("OAuth provider did not return an email")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Msg("OAuth provider did not return an email")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
+		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
 
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
 		})
 
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 
 	var name string
 
 	if strings.TrimSpace(user.Name) != "" {
-		controller.log.App.Debug().Msg("Using name from OAuth provider")
+		tlog.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		parts := strings.SplitN(user.Email, "@", 2)
-		if len(parts) == 2 {
-			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
-		} else {
-			name = utils.Capitalize(user.Email)
-		}
+		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
+		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}
 
 	var username string
 
 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		controller.log.App.Debug().Msg("Using preferred username from OAuth provider")
+		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		controller.log.App.Debug().Msg("No preferred username from OAuth provider, generating from email")
+		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 
 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	if svc.ID() != req.Provider {
-		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
@@ -250,29 +234,29 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		OAuthSub:    user.Sub,
 	}
 
-	controller.log.App.Debug().Msg("Creating session cookie for user")
+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
 
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 
 	http.SetCookie(c.Writer, cookie)
 
-	controller.log.AuditLoginSuccess(sessionCookie.Username, sessionCookie.Provider, c.ClientIP())
+	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
 
 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		controller.log.App.Debug().Msg("OIDC request detected, redirecting to authorization endpoint with callback params")
+		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
 		queries, err := query.Values(oauthPendingSession.CallbackParams)
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 
@@ -282,16 +266,16 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		})
 
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+			tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
 
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.runtime.AppURL, queries.Encode()))
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 
-	c.Redirect(http.StatusTemporaryRedirect, controller.runtime.AppURL)
+	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 }
 
 func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
@@ -302,8 +286,8 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 }
 
 func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
+	if controller.config.SubdomainsEnabled {
+		return "." + controller.config.CookieDomain
 	}
-	return controller.runtime.CookieDomain
+	return controller.config.CookieDomain
 }

internal/controller/oidc_controller.go

@@ -13,13 +13,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
+type OIDCControllerConfig struct{}
+
 type OIDCController struct {
-	log     *logger.Logger
-	oidc    *service.OIDCService
-	runtime model.RuntimeConfig
+	config OIDCControllerConfig
+	router *gin.RouterGroup
+	oidc   *service.OIDCService
 }
 
 type AuthorizeCallback struct {
@@ -56,42 +58,29 @@ type ClientCredentials struct {
 	ClientSecret string
 }
 
-func NewOIDCController(
-	log *logger.Logger,
-	oidcService *service.OIDCService,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup) *OIDCController {
-	controller := &OIDCController{
-		log:     log,
-		oidc:    oidcService,
-		runtime: runtimeConfig,
+func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
+	return &OIDCController{
+		config: config,
+		oidc:   oidcService,
+		router: router,
 	}
+}
 
-	oidcGroup := router.Group("/oidc")
+func (controller *OIDCController) SetupRoutes() {
+	oidcGroup := controller.router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 	oidcGroup.POST("/userinfo", controller.Userinfo)
-
-	return controller
 }
 
 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC client info request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC not configured",
-		})
-		return
-	}
-
 	var req ClientRequest
 
 	err := c.BindUri(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -102,7 +91,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.log.App.Warn().Str("clientId", req.ClientID).Msg("Client not found")
+		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
@@ -118,7 +107,7 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) Authorize(c *gin.Context) {
-	if controller.oidc == nil {
+	if !controller.oidc.IsConfigured() {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
@@ -146,14 +135,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(req.ClientID)
 
 	if !ok {
-		controller.authorizeError(c, fmt.Errorf("client not found: %s", req.ClientID), "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
 
 	err = controller.oidc.ValidateAuthorizeParams(req)
 
 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
+		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
@@ -185,7 +174,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
 
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to store user info")
+			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
@@ -208,10 +197,10 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 }
 
 func (controller *OIDCController) Token(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"error": "server_error",
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
 		})
 		return
 	}
@@ -220,7 +209,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err := c.Bind(&req)
 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Failed to bind token request")
+		tlog.App.Error().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
@@ -229,7 +218,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
-		controller.log.App.Warn().Err(err).Msg("Invalid grant type")
+		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
@@ -244,12 +233,12 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
-		controller.log.App.Debug().Msg("Client credentials not found in form, trying basic auth")
+		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
 
 		clientId, clientSecret, ok := c.Request.BasicAuth()
 
 		if !ok {
-			controller.log.App.Warn().Msg("Client credentials not found in basic auth")
+			tlog.App.Error().Msg("Missing authorization header")
 			c.Header("www-authenticate", `Basic realm="Tinyauth OIDC Token Endpoint"`)
 			c.JSON(400, gin.H{
 				"error": "invalid_client",
@@ -266,7 +255,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	client, ok := controller.oidc.GetClient(creds.ClientID)
 
 	if !ok {
-		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Client not found")
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -274,7 +263,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	}
 
 	if client.ClientSecret != creds.ClientSecret {
-		controller.log.App.Warn().Str("clientId", creds.ClientID).Msg("Invalid client secret")
+		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
@@ -288,30 +277,30 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
+				tlog.App.Error().Err(err).Msg("Failed to delete access token by code hash")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
-				controller.log.App.Warn().Msg("Code not found")
+				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
-				controller.log.App.Warn().Msg("Code expired")
+				tlog.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
-				controller.log.App.Warn().Msg("Code does not belong to client")
+				tlog.App.Warn().Msg("Invalid client ID")
 				c.JSON(400, gin.H{
 					"error": "invalid_client",
 				})
 				return
 			}
-			controller.log.App.Error().Err(err).Msg("Failed to get code entry")
+			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -319,7 +308,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		}
 
 		if entry.RedirectURI != req.RedirectURI {
-			controller.log.App.Warn().Msg("Redirect URI does not match")
+			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -329,7 +318,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		ok := controller.oidc.ValidatePKCE(entry.CodeChallenge, req.CodeVerifier)
 
 		if !ok {
-			controller.log.App.Warn().Msg("PKCE validation failed")
+			tlog.App.Warn().Msg("PKCE validation failed")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
@@ -339,7 +328,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to generate access token")
+			tlog.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -352,7 +341,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
-				controller.log.App.Warn().Msg("Refresh token expired")
+				tlog.App.Error().Err(err).Msg("Refresh token expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
@@ -360,14 +349,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			}
 
 			if errors.Is(err, service.ErrInvalidClient) {
-				controller.log.App.Warn().Msg("Refresh token does not belong to client")
+				tlog.App.Error().Err(err).Msg("Invalid client")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 
-			controller.log.App.Error().Err(err).Msg("Failed to refresh access token")
+			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
@@ -384,10 +373,10 @@ func (controller *OIDCController) Token(c *gin.Context) {
 }
 
 func (controller *OIDCController) Userinfo(c *gin.Context) {
-	if controller.oidc == nil {
-		controller.log.App.Warn().Msg("Received OIDC userinfo request but OIDC server is not configured")
-		c.JSON(500, gin.H{
-			"error": "server_error",
+	if !controller.oidc.IsConfigured() {
+		tlog.App.Warn().Msg("OIDC not configured")
+		c.JSON(404, gin.H{
+			"error": "not_found",
 		})
 		return
 	}
@@ -398,7 +387,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if authorization != "" {
 		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
 		if !ok {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid authorization header")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -406,7 +395,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 
 		if strings.ToLower(tokenType) != "bearer" {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with non-bearer token")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
@@ -416,7 +405,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		token = bearerToken
 	} else if c.Request.Method == http.MethodPost {
 		if c.ContentType() != "application/x-www-form-urlencoded" {
-			controller.log.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
+			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
 			c.JSON(400, gin.H{
 				"error": "invalid_request",
 			})
@@ -424,14 +413,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		}
 		token = c.PostForm("access_token")
 		if token == "" {
-			controller.log.App.Warn().Msg("OIDC userinfo POST accessed without access_token")
+			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
 			c.JSON(401, gin.H{
 				"error": "invalid_request",
 			})
 			return
 		}
 	} else {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed without authorization header or POST body")
+		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
 		c.JSON(401, gin.H{
 			"error": "invalid_request",
 		})
@@ -442,14 +431,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 
 	if err != nil {
 		if errors.Is(err, service.ErrTokenNotFound) {
-			controller.log.App.Warn().Msg("OIDC userinfo accessed with invalid token")
+			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 
-		controller.log.App.Error().Err(err).Msg("Failed to get access token")
+		tlog.App.Err(err).Msg("Failed to get token entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -458,7 +447,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
-		controller.log.App.Warn().Msg("OIDC userinfo accessed with token missing openid scope")
+		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
@@ -468,7 +457,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get user info")
+		tlog.App.Err(err).Msg("Failed to get user entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
@@ -479,7 +468,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 }
 
 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
-	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
+	tlog.App.Error().Err(err).Msg(reason)
 
 	if callback != "" {
 		errorQueries := CallbackError{
@@ -519,16 +508,8 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		return
 	}
 
-	redirectUrl := ""
-
-	if controller.oidc != nil {
-		redirectUrl = fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode())
-	} else {
-		redirectUrl = fmt.Sprintf("%s/error?%s", controller.runtime.AppURL, queries.Encode())
-	}
-
 	c.JSON(200, gin.H{
 		"status":       200,
-		"redirect_uri": redirectUrl,
+		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
 	})
 }

internal/controller/oidc_controller_test.go

@@ -1,33 +1,47 @@
 package controller_test
 
 import (
-	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"net/http/httptest"
 	"net/url"
+	"path"
 	"strings"
-	"sync"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestOIDCController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	cfg, runtime := test.CreateTestConfigs(t)
+	oidcServiceCfg := service.OIDCServiceConfig{
+		Clients: map[string]model.OIDCClientConfig{
+			"test": {
+				ClientID:            "some-client-id",
+				ClientSecret:        "some-client-secret",
+				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+				Name:                "Test Client",
+			},
+		},
+		PrivateKeyPath: path.Join(tempDir, "key.pem"),
+		PublicKeyPath:  path.Join(tempDir, "key.pub"),
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  500,
+	}
+
+	controllerCfg := controller.OIDCControllerConfig{}
 
 	simpleCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -89,7 +103,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
 			},
@@ -109,7 +123,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -117,7 +131,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
 			},
@@ -137,7 +151,7 @@ func TestOIDCController(t *testing.T) {
 					Nonce:        "some-nonce",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -146,11 +160,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -169,7 +183,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -177,7 +191,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				assert.Equal(t, res["error"], "unsupported_grant_type")
 			},
@@ -192,7 +206,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -230,7 +244,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -253,11 +267,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -269,7 +283,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -292,7 +306,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				_, ok := tokenRes["refresh_token"]
 				assert.True(t, ok, "Expected refresh token in response")
@@ -306,7 +320,7 @@ func TestOIDCController(t *testing.T) {
 					ClientSecret: "some-client-secret",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -318,7 +332,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 				var refreshRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				_, ok = refreshRes["access_token"]
 				assert.True(t, ok, "Expected access token in refresh response")
@@ -339,11 +353,11 @@ func TestOIDCController(t *testing.T) {
 
 				var authorizeRes map[string]any
 				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := authorizeRes["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -355,7 +369,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -375,7 +389,7 @@ func TestOIDCController(t *testing.T) {
 
 				var secondRes map[string]any
 				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				assert.Equal(t, "invalid_grant", secondRes["error"])
 			},
@@ -403,7 +417,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -415,7 +429,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -435,7 +449,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -450,7 +464,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -465,7 +479,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -480,7 +494,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
@@ -495,7 +509,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -510,7 +524,7 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_request", res["error"])
 			},
 		},
@@ -527,7 +541,7 @@ func TestOIDCController(t *testing.T) {
 
 				var tokenRes map[string]any
 				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				accessToken := tokenRes["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -541,7 +555,7 @@ func TestOIDCController(t *testing.T) {
 
 				var userInfoRes map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				_, ok := userInfoRes["sub"]
 				assert.True(t, ok, "Expected sub claim in userinfo response")
@@ -565,7 +579,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -574,11 +588,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -595,7 +609,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -626,7 +640,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -635,11 +649,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -656,7 +670,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -687,7 +701,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "S256",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -696,11 +710,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				assert.Equal(t, queryParams.Get("state"), "some-state")
@@ -717,7 +731,7 @@ func TestOIDCController(t *testing.T) {
 					CodeVerifier: "some-challenge-1",
 				}
 				reqBodyEncoded, err := query.Values(tokenReqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -748,7 +762,7 @@ func TestOIDCController(t *testing.T) {
 					CodeChallengeMethod: "foo",
 				}
 				reqBodyBytes, err := json.Marshal(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
 				req.Header.Set("Content-Type", "application/json")
@@ -757,11 +771,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				error := queryParams.Get("error")
@@ -780,11 +794,11 @@ func TestOIDCController(t *testing.T) {
 
 				var res map[string]any
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				redirectURI := res["redirect_uri"].(string)
 				url, err := url.Parse(redirectURI)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				queryParams := url.Query()
 				code := queryParams.Get("code")
@@ -796,7 +810,7 @@ func TestOIDCController(t *testing.T) {
 					RedirectURI: "https://test.example.com/callback",
 				}
 				reqBodyEncoded, err := query.Values(reqBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -807,7 +821,7 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 200, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				accessToken := res["access_token"].(string)
 				assert.NotEmpty(t, accessToken)
@@ -832,17 +846,20 @@ func TestOIDCController(t *testing.T) {
 				assert.Equal(t, 401, recorder.Code)
 
 				err = json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 				assert.Equal(t, "invalid_grant", res["error"])
 			},
 		},
 	}
 
-	store := memory.New()
+	app := bootstrap.NewBootstrapApp(model.Config{})
 
-	wg := &sync.WaitGroup{}
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	require.NoError(t, err)
 
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, context.TODO(), wg)
+	queries := repository.New(db)
+	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
+	err = oidcService.Init()
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -856,11 +873,17 @@ func TestOIDCController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewOIDCController(log, oidcService, runtime, group)
+			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
+			oidcController.SetupRoutes()
 
 			recorder := httptest.NewRecorder()
 
 			test.run(t, router, recorder)
 		})
 	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
+	})
 }

internal/controller/proxy_controller.go

@@ -3,7 +3,6 @@ package controller
 import (
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -12,7 +11,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -51,34 +50,29 @@ type ProxyContext struct {
 	ProxyType ProxyType
 }
 
-type ProxyController struct {
-	log          *logger.Logger
-	runtime      model.RuntimeConfig
-	acls         *service.AccessControlsService
-	auth         *service.AuthService
-	policyEngine *service.PolicyEngine
+type ProxyControllerConfig struct {
+	AppURL string
 }
 
-func NewProxyController(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	router *gin.RouterGroup,
-	acls *service.AccessControlsService,
-	auth *service.AuthService,
-	policyEngine *service.PolicyEngine,
-) *ProxyController {
-	controller := &ProxyController{
-		log:          log,
-		runtime:      runtime,
-		acls:         acls,
-		auth:         auth,
-		policyEngine: policyEngine,
+type ProxyController struct {
+	config ProxyControllerConfig
+	router *gin.RouterGroup
+	acls   *service.AccessControlsService
+	auth   *service.AuthService
+}
+
+func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
+	return &ProxyController{
+		config: config,
+		router: router,
+		acls:   acls,
+		auth:   auth,
 	}
+}
 
-	proxyGroup := router.Group("/auth")
+func (controller *ProxyController) SetupRoutes() {
+	proxyGroup := controller.router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
-
-	return controller
 }
 
 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -86,7 +80,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proxyCtx, err := controller.getProxyContext(c)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get proxy context from request")
+		tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad request",
@@ -94,24 +88,22 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
+	tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
+
 	// Get acls
 	acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to get ACLs for resource")
+		tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
+	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
+
 	clientIP := c.ClientIP()
 
-	aclsCtx := &service.ACLContext{
-		ACLs: acls,
-		IP:   net.ParseIP(clientIP),
-		Path: proxyCtx.Path,
-	}
-
-	if controller.policyEngine.Evaluate(service.RuleIPBypassed, aclsCtx) {
+	if controller.auth.IsBypassedIP(clientIP, acls) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -120,8 +112,16 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if controller.policyEngine.Evaluate(service.RuleAuthEnabled, aclsCtx) {
-		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
+
+	if err != nil {
+		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
+		controller.handleError(c, proxyCtx)
+		return
+	}
+
+	if !authEnabled {
+		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -130,25 +130,25 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.policyEngine.Evaluate(service.RuleIPAllowed, aclsCtx) {
+	if !controller.auth.CheckIP(clientIP, acls) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})
 
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			controller.handleError(c, proxyCtx)
 			return
 		}
 
-		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+		redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
 
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(403, gin.H{
-				"status":  403,
-				"message": "Forbidden",
+			c.JSON(401, gin.H{
+				"status":  401,
+				"message": "Unauthorized",
 			})
 			return
 		}
@@ -160,24 +160,26 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
 		userContext = &model.UserContext{
 			Authenticated: false,
 		}
 	}
 
-	aclsCtx.UserContext = userContext
+	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
 	if userContext.Authenticated {
-		if !controller.policyEngine.Evaluate(service.RuleUserAllowed, aclsCtx) {
-			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
+		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+
+		if !userAllowed {
+			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
 
 			queries, err := query.Values(UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
 
 			if err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+				tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 				controller.handleError(c, proxyCtx)
 				return
 			}
@@ -188,7 +190,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				queries.Set("username", userContext.GetUsername())
 			}
 
-			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
 
 			if !controller.useBrowserResponse(proxyCtx) {
 				c.Header("x-tinyauth-location", redirectURL)
@@ -207,13 +209,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			var groupOK bool
 
 			if userContext.IsOAuth() {
-				groupOK = controller.policyEngine.Evaluate(service.RuleOAuthGroup, aclsCtx)
+				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
 			} else {
-				groupOK = controller.policyEngine.Evaluate(service.RuleLDAPGroup, aclsCtx)
+				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
 			}
 
 			if !groupOK {
-				controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not in the required group to access resource")
+				tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
 
 				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
@@ -221,7 +223,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				})
 
 				if err != nil {
-					controller.log.App.Error().Err(err).Msg("Failed to encode unauthorized query")
+					tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 					controller.handleError(c, proxyCtx)
 					return
 				}
@@ -232,7 +234,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					queries.Set("username", userContext.GetUsername())
 				}
 
-				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.runtime.AppURL, queries.Encode())
+				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
 
 				if !controller.useBrowserResponse(proxyCtx) {
 					c.Header("x-tinyauth-location", redirectURL)
@@ -275,12 +277,12 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	})
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to encode redirect query")
+		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 
-	redirectURL := fmt.Sprintf("%s/login?%s", controller.runtime.AppURL, queries.Encode())
+	redirectURL := fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode())
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -304,19 +306,20 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	headers := utils.ParseHeaders(acls.Response.Headers)
 
 	for key, value := range headers {
+		tlog.App.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}
 
 	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)
 
 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
-		controller.log.App.Debug().Msg("Setting basic auth header for response")
+		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
 		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }
 
 func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
-	redirectURL := fmt.Sprintf("%s/error", controller.runtime.AppURL)
+	redirectURL := fmt.Sprintf("%s/error", controller.config.AppURL)
 
 	if !controller.useBrowserResponse(proxyCtx) {
 		c.Header("x-tinyauth-location", redirectURL)
@@ -517,7 +520,7 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}
 
-	controller.log.App.Debug().Msgf("Determined proxy type: %v", proxy)
+	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
 
 	authModules := controller.determineAuthModules(proxy)
 
@@ -528,13 +531,13 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	var ctx ProxyContext
 
 	for _, module := range authModules {
-		controller.log.App.Debug().Msgf("Trying to get context from auth module %v", module)
+		tlog.App.Debug().Msgf("Trying auth module: %v", module)
 		ctx, err = controller.getContextFromAuthModule(c, module)
 		if err == nil {
-			controller.log.App.Debug().Msgf("Successfully got context from auth module %v", module)
+			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
 			break
 		}
-		controller.log.App.Debug().Msgf("Failed to get context from auth module %v: %v", module, err)
+		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
 	}
 
 	if err != nil {
@@ -546,9 +549,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
 
 	if isBrowser {
-		controller.log.App.Debug().Msg("Request identified as coming from a browser client")
+		tlog.App.Debug().Msg("Request identified as coming from a browser")
 	} else {
-		controller.log.App.Debug().Msg("Request identified as coming from a non-browser client")
+		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
 	}
 
 	ctx.IsBrowser = isBrowser

internal/controller/proxy_controller_test.go

@@ -1,27 +1,74 @@
 package controller_test
 
 import (
-	"context"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestProxyController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	controllerCfg := controller.ProxyControllerConfig{
+		AppURL: "https://tinyauth.example.com",
+	}
+
+	acls := map[string]model.App{
+		"app_path_allow": {
+			Config: model.AppConfig{
+				Domain: "path-allow.example.com",
+			},
+			Path: model.AppPath{
+				Allow: "/allowed",
+			},
+		},
+		"app_user_allow": {
+			Config: model.AppConfig{
+				Domain: "user-allow.example.com",
+			},
+			Users: model.AppUsers{
+				Allow: "testuser",
+			},
+		},
+		"ip_bypass": {
+			Config: model.AppConfig{
+				Domain: "ip-bypass.example.com",
+			},
+			IP: model.AppIP{
+				Bypass: []string{"10.10.10.10"},
+			},
+		},
+	}
 
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
@@ -351,37 +398,32 @@ func TestProxyController(t *testing.T) {
 		},
 	}
 
-	store := memory.New()
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
 
-	wg := &sync.WaitGroup{}
-	ctx := context.TODO()
+	app := bootstrap.NewBootstrapApp(model.Config{})
 
-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
-	aclsService := service.NewAccessControlsService(log, cfg, nil)
-
-	policyEngine, err := service.NewPolicyEngine(cfg, log)
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)
 
-	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
-		Log: log,
-	})
-	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
-		Log: log,
-	})
-	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
-		Log: log,
-	})
-	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
-		Log: log,
-	})
-	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
-		Log:    log,
-		Config: cfg,
-	})
-	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
-		Log: log,
-	})
+	queries := repository.New(db)
+
+	docker := service.NewDockerService()
+	err = docker.Init()
+	require.NoError(t, err)
+
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)
+
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)
+
+	aclsService := service.NewAccessControlsService(docker, acls)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -396,9 +438,15 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
+			proxyController := controller.NewProxyController(controllerCfg, group, aclsService, authService)
+			proxyController.SetupRoutes()
 
 			test.run(t, router, recorder)
 		})
 	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
+	})
 }

internal/controller/resources_controller.go

@@ -4,39 +4,42 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 
+type ResourcesControllerConfig struct {
+	Path    string
+	Enabled bool
+}
+
 type ResourcesController struct {
-	config     model.Config
+	config     ResourcesControllerConfig
+	router     *gin.RouterGroup
 	fileServer http.Handler
 }
 
-func NewResourcesController(
-	config model.Config,
-	router *gin.RouterGroup,
-) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
+func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
 
-	controller := &ResourcesController{
+	return &ResourcesController{
 		config:     config,
+		router:     router,
 		fileServer: fileServer,
 	}
+}
 
-	router.GET("/resources/*resource", controller.resourcesHandler)
-
-	return controller
+func (controller *ResourcesController) SetupRoutes() {
+	controller.router.GET("/resources/*resource", controller.resourcesHandler)
 }
 
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.Resources.Path == "" {
+	if controller.config.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resource not found",
+			"message": "Resources not found",
 		})
 		return
 	}
-	if !controller.config.Resources.Enabled {
+	if !controller.config.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",

internal/controller/resources_controller_test.go

@@ -3,20 +3,26 @@ package controller_test
 import (
 	"net/http/httptest"
 	"os"
-	"path/filepath"
+	"path"
 	"testing"
 
 	"github.com/gin-gonic/gin"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/test"
 )
 
 func TestResourcesController(t *testing.T) {
-	cfg, _ := test.CreateTestConfigs(t)
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	err := os.MkdirAll(cfg.Resources.Path, 0777)
+	resourcesControllerCfg := controller.ResourcesControllerConfig{
+		Path:    path.Join(tempDir, "resources"),
+		Enabled: true,
+	}
+
+	err := os.Mkdir(resourcesControllerCfg.Path, 0777)
 	require.NoError(t, err)
 
 	type testCase struct {
@@ -55,11 +61,11 @@ func TestResourcesController(t *testing.T) {
 		},
 	}
 
-	testFilePath := cfg.Resources.Path + "/testfile.txt"
+	testFilePath := resourcesControllerCfg.Path + "/testfile.txt"
 	err = os.WriteFile(testFilePath, []byte("This is a test file."), 0777)
 	require.NoError(t, err)
 
-	testFilePathParent := filepath.Dir(cfg.Resources.Path) + "/somefile.txt"
+	testFilePathParent := tempDir + "/somefile.txt"
 	err = os.WriteFile(testFilePathParent, []byte("This file should not be accessible."), 0777)
 	require.NoError(t, err)
 
@@ -69,7 +75,8 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewResourcesController(cfg, group)
+			resourcesController := controller.NewResourcesController(resourcesControllerCfg, group)
+			resourcesController.SetupRoutes()
 
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)

internal/controller/user_controller.go

@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -25,31 +25,30 @@ type TotpRequest struct {
 	Code string `json:"code"`
 }
 
-type UserController struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
+type UserControllerConfig struct {
+	CookieDomain      string
+	SessionCookieName string
 }
 
-func NewUserController(
-	log *logger.Logger,
-	runtimeConfig model.RuntimeConfig,
-	router *gin.RouterGroup,
-	auth *service.AuthService,
-) *UserController {
-	controller := &UserController{
-		log:     log,
-		runtime: runtimeConfig,
-		auth:    auth,
-	}
+type UserController struct {
+	config UserControllerConfig
+	router *gin.RouterGroup
+	auth   *service.AuthService
+}
 
-	userGroup := router.Group("/user")
+func NewUserController(config UserControllerConfig, router *gin.RouterGroup, auth *service.AuthService) *UserController {
+	return &UserController{
+		config: config,
+		router: router,
+		auth:   auth,
+	}
+}
+
+func (controller *UserController) SetupRoutes() {
+	userGroup := controller.router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
-	userGroup.POST("/tailscale", controller.tailscaleHandler)
-
-	return controller
 }
 
 func (controller *UserController) loginHandler(c *gin.Context) {
@@ -57,7 +56,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind JSON")
+		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -65,13 +64,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 
-	controller.log.App.Debug().Str("username", req.Username).Msg("Login attempt")
+	tlog.App.Debug().Str("username", req.Username).Msg("Login attempt")
 
 	isLocked, remaining := controller.auth.IsAccountLocked(req.Username)
 
 	if isLocked {
-		controller.log.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
-		controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "account locked")
+		tlog.App.Warn().Str("username", req.Username).Msg("Account is locked due to too many failed login attempts")
+		tlog.AuditLoginFailure(c, req.Username, "username", "account locked")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -85,16 +84,16 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	if err != nil {
 		if errors.Is(err, service.ErrUserNotFound) {
-			controller.log.App.Warn().Str("username", req.Username).Msg("User not found during login attempt")
+			tlog.App.Warn().Str("username", req.Username).Msg("User not found")
 			controller.auth.RecordLoginAttempt(req.Username, false)
-			controller.log.AuditLoginFailure(req.Username, "unknown", c.ClientIP(), "user not found")
+			tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
-		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user during login attempt")
+		tlog.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -103,13 +102,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	}
 
 	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
-		controller.log.App.Warn().Str("username", req.Username).Msg("Invalid password during login attempt")
+		tlog.App.Warn().Err(err).Str("username", req.Username).Msg("Failed to verify password")
 		controller.auth.RecordLoginAttempt(req.Username, false)
-		if search.Type == model.UserLocal {
-			controller.log.AuditLoginFailure(req.Username, "local", c.ClientIP(), "invalid password")
-		} else {
-			controller.log.AuditLoginFailure(req.Username, "ldap", c.ClientIP(), "invalid password")
-		}
+		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -123,7 +118,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		localUser = controller.auth.GetLocalUser(req.Username)
 
 		if localUser == nil {
-			controller.log.App.Error().Str("username", req.Username).Msg("Local user not found after successful password verification")
+			tlog.App.Warn().Str("username", req.Username).Msg("User disappeared during login")
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
@@ -132,7 +127,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 
 		if localUser.TOTPSecret != "" {
-			controller.log.App.Debug().Str("username", req.Username).Msg("TOTP required for user, creating pending TOTP session")
+			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
 
 			name := localUser.Attributes.Name
 			if name == "" {
@@ -141,7 +136,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 			email := localUser.Attributes.Email
 			if email == "" {
-				email = utils.CompileUserEmail(localUser.Username, controller.runtime.CookieDomain)
+				email = utils.CompileUserEmail(localUser.Username, controller.config.CookieDomain)
 			}
 
 			cookie, err := controller.auth.CreateSession(c, repository.Session{
@@ -153,7 +148,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 			})
 
 			if err != nil {
-				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
+				tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 				c.JSON(500, gin.H{
 					"status":  500,
 					"message": "Internal Server Error",
@@ -175,7 +170,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
-		Email:    utils.CompileUserEmail(req.Username, controller.runtime.CookieDomain),
+		Email:    utils.CompileUserEmail(req.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}
 
@@ -190,15 +185,14 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
-		if search.Email != "" {
-			sessionCookie.Email = search.Email
-		}
 	}
 
+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -208,13 +202,8 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	http.SetCookie(c.Writer, cookie)
 
-	controller.log.App.Info().Str("username", req.Username).Msg("Login successful")
-
-	if search.Type == model.UserLocal {
-		controller.log.AuditLoginSuccess(req.Username, "local", c.ClientIP())
-	} else {
-		controller.log.AuditLoginSuccess(req.Username, "ldap", c.ClientIP())
-	}
+	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
+	tlog.AuditLoginSuccess(c, req.Username, "username")
 
 	controller.auth.RecordLoginAttempt(req.Username, true)
 
@@ -225,20 +214,20 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 }
 
 func (controller *UserController) logoutHandler(c *gin.Context) {
-	controller.log.App.Debug().Msg("Logout attempt")
+	tlog.App.Debug().Msg("Logout request received")
 
-	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+	uuid, err := c.Cookie(controller.config.SessionCookieName)
 
 	if err != nil {
 		if errors.Is(err, http.ErrNoCookie) {
-			controller.log.App.Warn().Msg("Logout attempt without session cookie, treating as successful logout")
+			tlog.App.Warn().Msg("No session cookie found on logout request")
 			c.JSON(200, gin.H{
 				"status":  200,
 				"message": "Logout successful",
 			})
 			return
 		}
-		controller.log.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
+		tlog.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -249,7 +238,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	cookie, err := controller.auth.DeleteSession(c, uuid)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
+		tlog.App.Error().Err(err).Msg("Error deleting session on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -260,10 +249,10 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err == nil {
-		controller.log.AuditLogout(context.GetUsername(), context.GetProviderID(), c.ClientIP())
+		tlog.AuditLogout(c, context.GetUsername(), context.GetProviderID())
 	} else {
-		controller.log.App.Warn().Err(err).Msg("Failed to get user context during logout, logging audit with unknown user")
-		controller.log.AuditLogout("unknown", "unknown", c.ClientIP())
+		tlog.App.Warn().Err(err).Msg("Failed to get user context for logout audit, proceeding without username")
+		tlog.AuditLogout(c, "unknown", "unknown")
 	}
 
 	http.SetCookie(c.Writer, cookie)
@@ -279,7 +268,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	err := c.ShouldBindJSON(&req)
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to bind JSON for TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to bind JSON")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -290,7 +279,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	context, err := new(model.UserContext).NewFromGin(c)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request for TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to get user context")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -299,7 +288,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	}
 
 	if !context.TOTPPending() {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("TOTP verification attempt without pending TOTP session")
+		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -307,13 +296,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	controller.log.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
+	tlog.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
 
 	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())
 
 	if isLocked {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
-		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "account locked")
+		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -326,7 +314,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	user := controller.auth.GetLocalUser(context.GetUsername())
 
 	if user == nil {
-		controller.log.App.Error().Str("username", context.GetUsername()).Msg("Local user not found during TOTP verification")
+		tlog.App.Error().Str("username", context.GetUsername()).Msg("User not found in TOTP handler")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -337,9 +325,9 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	ok := totp.Validate(req.Code, user.TOTPSecret)
 
 	if !ok {
-		controller.log.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code during verification attempt")
+		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code")
 		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
-		controller.log.AuditLoginFailure(context.GetUsername(), "local", c.ClientIP(), "invalid TOTP code")
+		tlog.AuditLoginFailure(c, context.GetUsername(), "totp", "invalid totp code")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -347,15 +335,15 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 
-	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
+	uuid, err := c.Cookie(controller.config.SessionCookieName)
 
 	if err == nil {
 		_, err = controller.auth.DeleteSession(c, uuid)
 		if err != nil {
-			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
+			tlog.App.Warn().Err(err).Msg("Failed to delete pending TOTP session")
 		}
 	} else {
-		controller.log.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, cannot delete it")
+		tlog.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, proceeding without deleting it")
 	}
 
 	controller.auth.RecordLoginAttempt(context.GetUsername(), true)
@@ -363,7 +351,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	sessionCookie := repository.Session{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
-		Email:    utils.CompileUserEmail(user.Username, controller.runtime.CookieDomain),
+		Email:    utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 		Provider: "local",
 	}
 
@@ -374,10 +362,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 
 	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -387,58 +377,8 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 
 	http.SetCookie(c.Writer, cookie)
 
-	controller.log.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful, login complete")
-	controller.log.AuditLoginSuccess(context.GetUsername(), "local", c.ClientIP())
-
-	c.JSON(200, gin.H{
-		"status":  200,
-		"message": "Login successful",
-	})
-}
-
-func (controller *UserController) tailscaleHandler(c *gin.Context) {
-	context, err := new(model.UserContext).NewFromGin(c)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	if context.Tailscale == nil {
-		controller.log.App.Warn().Msg("Tailscale login attempt without Tailscale context")
-		c.JSON(401, gin.H{
-			"status":  401,
-			"message": "Unauthorized",
-		})
-		return
-	}
-
-	sessionCookie := repository.Session{
-		Username: context.Tailscale.Username,
-		Name:     context.Tailscale.Name,
-		Email:    context.Tailscale.Email,
-		Provider: "tailscale",
-	}
-
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "Internal Server Error",
-		})
-		return
-	}
-
-	http.SetCookie(c.Writer, cookie)
-
-	controller.log.App.Info().Str("username", context.GetUsername()).Msg("Tailscale login successful, login complete")
-	controller.log.AuditLoginSuccess(context.GetUsername(), "tailscale", c.ClientIP())
+	tlog.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful")
+	tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")
 
 	c.JSON(200, gin.H{
 		"status":  200,

internal/controller/user_controller_test.go

@@ -5,8 +5,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"path"
 	"strings"
-	"sync"
 	"testing"
 	"time"
 
@@ -14,20 +14,58 @@ import (
 	"github.com/pquerna/otp/totp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestUserController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+			{
+				Username: "attruser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				Attributes: model.UserAttributes{
+					Name:  "Alice Smith",
+					Email: "alice@example.com",
+				},
+			},
+			{
+				Username:   "attrtotpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+				Attributes: model.UserAttributes{
+					Name:  "Bob Jones",
+					Email: "bob@example.com",
+				},
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	userControllerCfg := controller.UserControllerConfig{
+		CookieDomain:      "example.com",
+		SessionCookieName: "tinyauth-session",
+	}
 
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
@@ -73,7 +111,14 @@ func TestUserController(t *testing.T) {
 		})
 	}
 
-	store := memory.New()
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+
+	app := bootstrap.NewBootstrapApp(model.Config{})
+
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	require.NoError(t, err)
+
+	queries := repository.New(db)
 
 	type testCase struct {
 		description string
@@ -91,7 +136,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -99,7 +144,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)
 
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -119,7 +164,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -140,7 +185,7 @@ func TestUserController(t *testing.T) {
 					Password: "wrongpassword",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				for range 3 {
 					recorder := httptest.NewRecorder()
@@ -175,7 +220,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -186,12 +231,12 @@ func TestUserController(t *testing.T) {
 
 				decodedBody := make(map[string]any)
 				err = json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				assert.Equal(t, decodedBody["totpPending"], true)
 
 				// should set the session cookie
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)
 				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
@@ -212,7 +257,7 @@ func TestUserController(t *testing.T) {
 					Password: "password",
 				}
 				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
 				req.Header.Set("Content-Type", "application/json")
@@ -221,7 +266,7 @@ func TestUserController(t *testing.T) {
 
 				assert.Equal(t, 200, recorder.Code)
 				cookies := recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
+				assert.Len(t, cookies, 1)
 
 				cookie := cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -235,7 +280,7 @@ func TestUserController(t *testing.T) {
 
 				assert.Equal(t, 200, recorder.Code)
 				cookies = recorder.Result().Cookies()
-				require.Len(t, cookies, 1)
+				assert.Len(t, cookies, 1)
 
 				cookie = cookies[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
@@ -249,7 +294,7 @@ func TestUserController(t *testing.T) {
 				totpCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
+				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
@@ -262,14 +307,14 @@ func TestUserController(t *testing.T) {
 				require.NoError(t, err)
 
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				totpReq := controller.TotpRequest{
 					Code: code,
 				}
 
 				totpReqBody, err := json.Marshal(totpReq)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
@@ -284,7 +329,7 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
-				require.Len(t, recorder.Result().Cookies(), 1)
+				assert.Len(t, recorder.Result().Cookies(), 1)
 
 				// should set a new session cookie with totp pending removed
 				totpCookie := recorder.Result().Cookies()[0]
@@ -307,7 +352,7 @@ func TestUserController(t *testing.T) {
 					}
 
 					totpReqBody, err := json.Marshal(totpReq)
-					require.NoError(t, err)
+					assert.NoError(t, err)
 
 					recorder = httptest.NewRecorder()
 					req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
@@ -373,7 +418,7 @@ func TestUserController(t *testing.T) {
 				totpAttrCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
+				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-attributes-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
@@ -411,11 +456,21 @@ func TestUserController(t *testing.T) {
 		},
 	}
 
-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	docker := service.NewDockerService()
+	err = docker.Init()
+	require.NoError(t, err)
 
-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)
+
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -434,11 +489,17 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			controller.NewUserController(log, runtime, group, authService)
+			userController := controller.NewUserController(userControllerCfg, group, authService)
+			userController.SetupRoutes()
 
 			recorder := httptest.NewRecorder()
 
 			test.run(t, router, recorder)
 		})
 	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
+	})
 }

internal/controller/well_known_controller.go

@@ -26,30 +26,28 @@ type OpenIDConnectConfiguration struct {
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
+type WellKnownControllerConfig struct{}
+
 type WellKnownController struct {
-	oidc *service.OIDCService
+	config WellKnownControllerConfig
+	engine *gin.Engine
+	oidc   *service.OIDCService
 }
 
-func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
-	controller := &WellKnownController{
-		oidc: oidc,
+func NewWellKnownController(config WellKnownControllerConfig, oidc *service.OIDCService, engine *gin.Engine) *WellKnownController {
+	return &WellKnownController{
+		config: config,
+		oidc:   oidc,
+		engine: engine,
 	}
+}
 
-	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	router.GET("/.well-known/jwks.json", controller.JWKS)
-
-	return controller
+func (controller *WellKnownController) SetupRoutes() {
+	controller.engine.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	controller.engine.GET("/.well-known/jwks.json", controller.JWKS)
 }
 
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
-	if controller.oidc == nil {
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC service not configured",
-		})
-		return
-	}
-
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
 		Issuer:                                 issuer,
@@ -71,19 +69,11 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 }
 
 func (controller *WellKnownController) JWKS(c *gin.Context) {
-	if controller.oidc == nil {
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "OIDC service not configured",
-		})
-		return
-	}
-
 	jwks, err := controller.oidc.GetJWK()
 
 	if err != nil {
 		c.JSON(500, gin.H{
-			"status":  500,
+			"status":  "500",
 			"message": "failed to get JWK",
 		})
 		return

internal/controller/well_known_controller_test.go

@@ -1,28 +1,41 @@
 package controller_test
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestWellKnownController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	cfg, runtime := test.CreateTestConfigs(t)
+	oidcServiceCfg := service.OIDCServiceConfig{
+		Clients: map[string]model.OIDCClientConfig{
+			"test": {
+				ClientID:            "some-client-id",
+				ClientSecret:        "some-client-secret",
+				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+				Name:                "Test Client",
+			},
+		},
+		PrivateKeyPath: path.Join(tempDir, "key.pem"),
+		PublicKeyPath:  path.Join(tempDir, "key.pub"),
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  500,
+	}
 
 	type testCase struct {
 		description string
@@ -43,11 +56,11 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)
 
 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 runtime.AppURL,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", runtime.AppURL),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", runtime.AppURL),
+					Issuer:                                 oidcServiceCfg.Issuer,
+					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
 					ScopesSupported:                        service.SupportedScopes,
 					ResponseTypesSupported:                 service.SupportedResponseTypes,
 					GrantTypesSupported:                    service.SupportedGrantTypes,
@@ -88,12 +101,15 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}
 
-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	app := bootstrap.NewBootstrapApp(model.Config{})
 
-	store := memory.New()
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	require.NoError(t, err)
 
-	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, ctx, wg)
+	queries := repository.New(db)
+
+	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
+	err = oidcService.Init()
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -103,9 +119,15 @@ func TestWellKnownController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			controller.NewWellKnownController(oidcService, &router.RouterGroup)
+			wellKnownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, oidcService, router)
+			wellKnownController.SetupRoutes()
 
 			test.run(t, router, recorder)
 		})
 	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
+	})
 }

internal/middleware/context_middleware.go

@@ -10,7 +10,7 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 )
@@ -35,30 +35,29 @@ var (
 	}
 )
 
-type ContextMiddleware struct {
-	log       *logger.Logger
-	runtime   model.RuntimeConfig
-	auth      *service.AuthService
-	broker    *service.OAuthBrokerService
-	tailscale *service.TailscaleService
+type ContextMiddlewareConfig struct {
+	CookieDomain      string
+	SessionCookieName string
 }
 
-func NewContextMiddleware(
-	log *logger.Logger,
-	runtime model.RuntimeConfig,
-	auth *service.AuthService,
-	broker *service.OAuthBrokerService,
-	tailscale *service.TailscaleService,
-) *ContextMiddleware {
+type ContextMiddleware struct {
+	config ContextMiddlewareConfig
+	auth   *service.AuthService
+	broker *service.OAuthBrokerService
+}
+
+func NewContextMiddleware(config ContextMiddlewareConfig, auth *service.AuthService, broker *service.OAuthBrokerService) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:       log,
-		runtime:   runtime,
-		auth:      auth,
-		broker:    broker,
-		tailscale: tailscale,
+		config: config,
+		auth:   auth,
+		broker: broker,
 	}
 }
 
+func (m *ContextMiddleware) Init() error {
+	return nil
+}
+
 func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if m.isIgnorePath(c.Request.Method + " " + c.Request.URL.Path) {
@@ -66,22 +65,22 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
-		uuid, err := c.Cookie(m.runtime.SessionCookieName)
+		uuid, err := c.Cookie(m.config.SessionCookieName)
 
 		if err == nil {
-			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid, c.RemoteIP())
+			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
 
 			if err == nil {
 				if cookie != nil {
 					http.SetCookie(c.Writer, cookie)
 				}
 
-				m.log.App.Debug().Msgf("Authenticated user %s via session cookie", userContext.GetUsername())
+				tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
 				c.Set("context", userContext)
 				c.Next()
 				return
 			} else {
-				m.log.App.Debug().Msgf("Error authenticating session cookie: %v", err)
+				tlog.App.Error().Msgf("Error authenticating session cookie: %v", err)
 			}
 		}
 
@@ -91,7 +90,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			userContext, headers, err := m.basicAuth(username, password)
 
 			if err != nil {
-				m.log.App.Error().Msgf("Error authenticating basic auth: %v", err)
+				tlog.App.Error().Msgf("Error authenticating basic auth: %v", err)
 				c.Next()
 				return
 			}
@@ -105,28 +104,11 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
-		// Lastly check if we have a tailscale session to add
-		if m.tailscale != nil {
-			tailscaleContext, err := m.tailscaleWhois(c.Request.Context(), c.RemoteIP())
-
-			if err != nil {
-				m.log.App.Error().Err(err).Msgf("Error performing tailscale whois for IP %s: %v", c.RemoteIP(), err)
-			}
-
-			if tailscaleContext != nil {
-				c.Set("context", &model.UserContext{
-					Authenticated: false,
-					Provider:      model.ProviderTailscale,
-					Tailscale:     tailscaleContext,
-				})
-			}
-		}
-
 		c.Next()
 	}
 }
 
-func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip string) (*model.UserContext, *http.Cookie, error) {
+func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model.UserContext, *http.Cookie, error) {
 	session, err := m.auth.GetSession(ctx, uuid)
 
 	if err != nil {
@@ -159,20 +141,8 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		}
 
 		if userContext.Local.Attributes.Email == "" {
-			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.runtime.CookieDomain)
+			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.config.CookieDomain)
 		}
-	case model.ProviderTailscale:
-		tailscaleContext, err := m.tailscaleWhois(ctx, ip)
-
-		if err != nil {
-			return nil, nil, fmt.Errorf("error performing tailscale whois: %w", err)
-		}
-
-		if tailscaleContext == nil {
-			return nil, nil, fmt.Errorf("tailscale whois returned no result for IP: %s", ip)
-		}
-
-		userContext.Tailscale = tailscaleContext
 	case model.ProviderLDAP:
 		search, err := m.auth.SearchUser(userContext.LDAP.Username)
 
@@ -192,12 +162,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 
 		userContext.LDAP.Groups = user.Groups
 		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
-
-		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.runtime.CookieDomain)
-		if search.Email != "" {
-			userContext.LDAP.Email = search.Email
-		}
-
+		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.config.CookieDomain)
 	case model.ProviderOAuth:
 		_, exists := m.broker.GetService(userContext.OAuth.ID)
 
@@ -226,7 +191,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 	locked, remaining := m.auth.IsAccountLocked(username)
 
 	if locked {
-		m.log.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
+		tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
 		headers["x-tinyauth-lock-locked"] = "true"
 		headers["x-tinyauth-lock-reset"] = time.Now().Add(time.Duration(remaining) * time.Second).Format(time.RFC3339)
 		return nil, headers, nil
@@ -259,7 +224,7 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: user.Username,
 				Name:     utils.Capitalize(user.Username),
-				Email:    utils.CompileUserEmail(user.Username, m.runtime.CookieDomain),
+				Email:    utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 			},
 			Attributes: user.Attributes,
 		}
@@ -275,15 +240,11 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: username,
 				Name:     utils.Capitalize(username),
+				Email:    utils.CompileUserEmail(username, m.config.CookieDomain),
 			},
 			Groups: user.Groups,
 		}
 		userContext.Provider = model.ProviderLDAP
-
-		userContext.LDAP.Email = utils.CompileUserEmail(username, m.runtime.CookieDomain)
-		if search.Email != "" {
-			userContext.LDAP.Email = search.Email
-		}
 	}
 
 	userContext.Authenticated = true
@@ -298,36 +259,3 @@ func (m *ContextMiddleware) isIgnorePath(path string) bool {
 	}
 	return false
 }
-
-func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*model.TailscaleContext, error) {
-	if m.tailscale == nil {
-		return nil, nil
-	}
-
-	whois, err := m.tailscale.Whois(ctx, ip)
-
-	if err != nil {
-		m.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
-		return nil, err
-	}
-
-	if whois == nil {
-		return nil, nil
-	}
-
-	uctx := model.TailscaleContext{
-		BaseContext: model.BaseContext{
-			Username: whois.NodeName,
-			Email:    whois.LoginName,
-			Name:     whois.DisplayName,
-		},
-		UserID: whois.UserID,
-		Tags:   whois.Tags,
-	}
-
-	if !strings.ContainsAny(uctx.Email, "@") {
-		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
-	}
-
-	return &uctx, nil
-}

internal/middleware/context_middleware_test.go

@@ -5,33 +5,54 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
-	"sync"
+	"path"
 	"testing"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 func TestContextMiddleware(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
+	tlog.NewTestLogger().Init()
+	tempDir := t.TempDir()
 
-	cfg, runtime := test.CreateTestConfigs(t)
+	authServiceCfg := service.AuthServiceConfig{
+		LocalUsers: &[]model.LocalUser{
+			{
+				Username: "testuser",
+				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+			},
+			{
+				Username:   "totpuser",
+				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
+				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+			},
+		},
+		SessionExpiry:     10, // 10 seconds, useful for testing
+		CookieDomain:      "example.com",
+		LoginTimeout:      10, // 10 seconds, useful for testing
+		LoginMaxRetries:   3,
+		SessionCookieName: "tinyauth-session",
+	}
+
+	middlewareCfg := middleware.ContextMiddlewareConfig{
+		CookieDomain:      "example.com",
+		SessionCookieName: "tinyauth-session",
+	}
 
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
 
-	seedSession := func(t *testing.T, queries repository.Store, params repository.CreateSessionParams) {
+	seedSession := func(t *testing.T, queries *repository.Queries, params repository.CreateSessionParams) {
 		t.Helper()
 		_, err := queries.CreateSession(context.Background(), params)
 		require.NoError(t, err)
@@ -39,7 +60,7 @@ func TestContextMiddleware(t *testing.T) {
 
 	type runArgs struct {
 		do      func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder)
-		queries repository.Store
+		queries *repository.Queries
 	}
 
 	type testCase struct {
@@ -249,15 +270,30 @@ func TestContextMiddleware(t *testing.T) {
 		},
 	}
 
-	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
 
-	store := memory.New()
+	app := bootstrap.NewBootstrapApp(model.Config{})
 
-	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	require.NoError(t, err)
 
-	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
+	queries := repository.New(db)
+
+	ldap := service.NewLdapService(service.LdapServiceConfig{})
+	err = ldap.Init()
+	require.NoError(t, err)
+
+	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
+	err = broker.Init()
+	require.NoError(t, err)
+
+	authService := service.NewAuthService(authServiceCfg, ldap, queries, broker)
+	err = authService.Init()
+	require.NoError(t, err)
+
+	contextMiddleware := middleware.NewContextMiddleware(middlewareCfg, authService, broker)
+	err = contextMiddleware.Init()
+	require.NoError(t, err)
 
 	for _, test := range tests {
 		authService.ClearRateLimitsTestingOnly()
@@ -281,7 +317,12 @@ func TestContextMiddleware(t *testing.T) {
 				return captured, recorder
 			}
 
-			test.run(t, runArgs{do: do, queries: store})
+			test.run(t, runArgs{do: do, queries: queries})
 		})
 	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
+	})
 }

internal/middleware/ui_middleware.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 )
@@ -18,25 +19,29 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
 
-func NewUIMiddleware() (*UIMiddleware, error) {
-	m := &UIMiddleware{}
+func NewUIMiddleware() *UIMiddleware {
+	return &UIMiddleware{}
+}
 
+func (m *UIMiddleware) Init() error {
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to load ui assets: %w", err)
+		return err
 	}
 
 	m.uiFs = ui
 	m.uiFileServer = http.FileServerFS(ui)
 
-	return m, nil
+	return nil
 }
 
 func (m *UIMiddleware) Middleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
+		tlog.App.Debug().Str("path", path).Msg("path")
+
 		switch strings.SplitN(path, "/", 2)[0] {
 		case "api", "resources", ".well-known":
 			c.Next()

internal/middleware/zerolog_middleware.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 
 // See context middleware for explanation of why we have to do this
@@ -17,14 +17,14 @@ var (
 	}
 )
 
-type ZerologMiddleware struct {
-	log *logger.Logger
+type ZerologMiddleware struct{}
+
+func NewZerologMiddleware() *ZerologMiddleware {
+	return &ZerologMiddleware{}
 }
 
-func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
-	return &ZerologMiddleware{
-		log: log,
-	}
+func (m *ZerologMiddleware) Init() error {
+	return nil
 }
 
 func (m *ZerologMiddleware) logPath(path string) bool {
@@ -50,7 +50,7 @@ func (m *ZerologMiddleware) Middleware() gin.HandlerFunc {
 
 		latency := time.Since(tStart).String()
 
-		subLogger := m.log.HTTP.With().Str("method", method).
+		subLogger := tlog.HTTP.With().Str("method", method).
 			Str("path", path).
 			Str("address", address).
 			Str("client_ip", clientIP).

internal/model/config.go

@@ -4,8 +4,7 @@ package model
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		Database: DatabaseConfig{
-			Driver: "sqlite",
-			Path:   "./tinyauth.db",
+			Path: "./tinyauth.db",
 		},
 		Analytics: AnalyticsConfig{
 			Enabled: true,
@@ -15,9 +14,8 @@ func NewDefaultConfiguration() *Config {
 			Path:    "./resources",
 		},
 		Server: ServerConfig{
-			Port:                       3000,
-			Address:                    "0.0.0.0",
-			ConcurrentListenersEnabled: false,
+			Port:    3000,
+			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
 			SubdomainsEnabled:  true,
@@ -25,9 +23,6 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
-			ACLs: ACLsConfig{
-				Policy: "allow",
-			},
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -65,9 +60,6 @@ func NewDefaultConfiguration() *Config {
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
-		Tailscale: TailscaleConfig{
-			Dir: "./tailscale_state",
-		},
 		LabelProvider: "auto",
 	}
 }
@@ -85,14 +77,12 @@ type Config struct {
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
 	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
+	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
-	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
 }
 
 type DatabaseConfig struct {
-	Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
-	Path   string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
+	Path string `description:"The path to the database, including file name." yaml:"path"`
 }
 
 type AnalyticsConfig struct {
@@ -105,10 +95,9 @@ type ResourcesConfig struct {
 }
 
 type ServerConfig struct {
-	Port                       int    `description:"The port on which the server listens." yaml:"port"`
-	Address                    string `description:"The address on which the server listens." yaml:"address"`
-	SocketPath                 string `description:"The path to the Unix socket." yaml:"socketPath"`
-	ConcurrentListenersEnabled bool   `description:"Enable listening on both TCP and Unix socket at the same time." yaml:"concurrentListenersEnabled"`
+	Port       int    `description:"The port on which the server listens." yaml:"port"`
+	Address    string `description:"The address on which the server listens." yaml:"address"`
+	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
 }
 
 type AuthConfig struct {
@@ -123,7 +112,6 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
-	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
 
 type UserAttributes struct {
@@ -159,10 +147,10 @@ type IPConfig struct {
 }
 
 type OAuthConfig struct {
-	Whitelist     []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
-	WhitelistFile string                        `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
-	AutoRedirect  string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
-	Providers     map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
+	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
+	WhitelistFile string                       `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
+	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
+	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
 
 type OIDCConfig struct {
@@ -211,16 +199,6 @@ type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 
-type TailscaleConfig struct {
-	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
-	Dir       string `description:"Tailscale state directory." yaml:"dir"`
-	Hostname  string `description:"Tailscale hostname." yaml:"hostname"`
-	AuthKey   string `description:"Tailscale auth key." yaml:"authKey"`
-	Ephemeral bool   `description:"Use ephemeral Tailscale node." yaml:"ephemeral"`
-}
-
-// OAuth/OIDC config
-
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
@@ -243,10 +221,6 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
-type ACLsConfig struct {
-	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
-}
-
 // ACLs
 
 type Apps struct {

internal/model/constants.go

@@ -21,5 +21,3 @@ const SessionCookieName = "tinyauth-session"
 const CSRFCookieName = "tinyauth-csrf"
 const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
-
-const GracefulShutdownTimeout = 5 // seconds

internal/model/context.go

@@ -8,10 +8,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 
-var (
-	ErrUserContextNotFound = errors.New("user context not found")
-)
-
 type ProviderType int
 
 const (
@@ -19,7 +15,6 @@ const (
 	ProviderBasicAuth
 	ProviderOAuth
 	ProviderLDAP
-	ProviderTailscale
 )
 
 type UserContext struct {
@@ -28,7 +23,6 @@ type UserContext struct {
 	Local         *LocalContext
 	OAuth         *OAuthContext
 	LDAP          *LDAPContext
-	Tailscale     *TailscaleContext
 }
 
 type BaseContext struct {
@@ -56,13 +50,6 @@ type LDAPContext struct {
 	Groups []string
 }
 
-type TailscaleContext struct {
-	BaseContext
-	UserID string
-	// for future use
-	Tags []string
-}
-
 func (c *UserContext) IsAuthenticated() bool {
 	return c.Authenticated
 }
@@ -83,15 +70,11 @@ func (c *UserContext) IsBasicAuth() bool {
 	return c.Provider == ProviderBasicAuth && c.Local != nil
 }
 
-func (c *UserContext) IsTailscale() bool {
-	return c.Provider == ProviderTailscale && c.Tailscale != nil
-}
-
 func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 	userContextValue, exists := ginctx.Get("context")
 
 	if !exists {
-		return nil, ErrUserContextNotFound
+		return nil, errors.New("failed to get user context")
 	}
 
 	userContext, ok := userContextValue.(*UserContext)
@@ -100,7 +83,7 @@ func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 		return nil, errors.New("invalid user context type")
 	}
 
-	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil && userContext.Tailscale == nil {
+	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil {
 		return nil, errors.New("incomplete user context")
 	}
 
@@ -134,16 +117,7 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 				Email:    session.Email,
 			},
 		}
-	case "tailscale":
-		c.Provider = ProviderTailscale
-		c.Tailscale = &TailscaleContext{
-			BaseContext: BaseContext{
-				Username: session.Username,
-				Name:     session.Name,
-				Email:    session.Email,
-			},
-		}
-	// By default we assume an unknown name which is oauth
+	// By default we assume an unkown name which is oauth
 	default:
 		c.Provider = ProviderOAuth
 		c.OAuth = &OAuthContext{
@@ -167,55 +141,85 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 	return c, nil
 }
 
-func (c *UserContext) getBaseContext() *BaseContext {
+func (c *UserContext) GetUsername() string {
 	switch c.Provider {
-	case ProviderLocal, ProviderBasicAuth:
+	case ProviderLocal:
 		if c.Local == nil {
-			return nil
+			return ""
 		}
-		return &c.Local.BaseContext
+		return c.Local.Username
 	case ProviderLDAP:
 		if c.LDAP == nil {
-			return nil
+			return ""
 		}
-		return &c.LDAP.BaseContext
+		return c.LDAP.Username
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Username
 	case ProviderOAuth:
 		if c.OAuth == nil {
-			return nil
+			return ""
 		}
-		return &c.OAuth.BaseContext
-	case ProviderTailscale:
-		if c.Tailscale == nil {
-			return nil
-		}
-		return &c.Tailscale.BaseContext
+		return c.OAuth.Username
 	default:
-		return nil
-	}
-}
-
-func (c *UserContext) GetUsername() string {
-	base := c.getBaseContext()
-	if base == nil {
 		return ""
 	}
-	return base.Username
 }
 
 func (c *UserContext) GetEmail() string {
-	base := c.getBaseContext()
-	if base == nil {
+	switch c.Provider {
+	case ProviderLocal:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Email
+	case ProviderLDAP:
+		if c.LDAP == nil {
+			return ""
+		}
+		return c.LDAP.Email
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Email
+	case ProviderOAuth:
+		if c.OAuth == nil {
+			return ""
+		}
+		return c.OAuth.Email
+	default:
 		return ""
 	}
-	return base.Email
 }
 
 func (c *UserContext) GetName() string {
-	base := c.getBaseContext()
-	if base == nil {
+	switch c.Provider {
+	case ProviderLocal:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Name
+	case ProviderLDAP:
+		if c.LDAP == nil {
+			return ""
+		}
+		return c.LDAP.Name
+	case ProviderBasicAuth:
+		if c.Local == nil {
+			return ""
+		}
+		return c.Local.Name
+	case ProviderOAuth:
+		if c.OAuth == nil {
+			return ""
+		}
+		return c.OAuth.Name
+	default:
 		return ""
 	}
-	return base.Name
 }
 
 func (c *UserContext) GetProviderID() string {
@@ -226,8 +230,6 @@ func (c *UserContext) GetProviderID() string {
 		return "ldap"
 	case ProviderOAuth:
 		return c.OAuth.ID
-	case ProviderTailscale:
-		return "tailscale"
 	default:
 		return "unknown"
 	}
@@ -246,10 +248,3 @@ func (c *UserContext) OAuthName() string {
 	}
 	return ""
 }
-
-func (c *UserContext) TailscaleNodeName() string {
-	if c.Tailscale != nil {
-		return c.Tailscale.Username
-	}
-	return ""
-}

internal/model/context_test.go

@@ -238,7 +238,7 @@ func TestContext(t *testing.T) {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: model.ErrUserContextNotFound.Error(),
+			expected: "failed to get user context",
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",

internal/model/runtime.go

@@ -1,23 +0,0 @@
-package model
-
-type RuntimeConfig struct {
-	AppURL                 string
-	UUID                   string
-	CookieDomain           string
-	SessionCookieName      string
-	CSRFCookieName         string
-	RedirectCookieName     string
-	OAuthSessionCookieName string
-	LocalUsers             []LocalUser
-	OAuthProviders         map[string]OAuthServiceConfig
-	OAuthWhitelist         []string
-	ConfiguredProviders    []Provider
-	OIDCClients            []OIDCClientConfig
-	TrustedDomains         []string
-}
-
-type Provider struct {
-	Name  string `json:"name"`
-	ID    string `json:"id"`
-	OAuth bool   `json:"oauth"`
-}

internal/model/users.go

@@ -21,6 +21,5 @@ type LocalUser struct {
 
 type UserSearch struct {
 	Username string
-	Email    string // used for LDAP, we can't throw it to LDAPUser because it would need another cache or an LDAP lookup every time
 	Type     UserSearchType
 }

internal/repository/db.go

@@ -1,8 +1,8 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.31.1
+//   sqlc v1.30.0
 
-package sqlite
+package repository
 
 import (
 	"context"

internal/repository/memory/memory_test.go

@@ -1,472 +0,0 @@
-package memory_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
-)
-
-var ctx = context.Background()
-
-func TestMemoryStore(t *testing.T) {
-	type testCase struct {
-		description string
-		run         func(t *testing.T, s repository.Store)
-	}
-
-	tests := []testCase{
-		{
-			description: "Create and get session",
-			run: func(t *testing.T, s repository.Store) {
-				sess, err := s.CreateSession(ctx, repository.CreateSessionParams{
-					UUID:     "uuid-1",
-					Username: "alice",
-					Expiry:   9999,
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "uuid-1", sess.UUID)
-				assert.Equal(t, "alice", sess.Username)
-
-				got, err := s.GetSession(ctx, "uuid-1")
-				require.NoError(t, err)
-				assert.Equal(t, sess, got)
-			},
-		},
-		{
-			description: "Get session not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetSession(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Update session",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1", Username: "alice"})
-				require.NoError(t, err)
-
-				updated, err := s.UpdateSession(ctx, repository.UpdateSessionParams{
-					UUID:     "uuid-1",
-					Username: "bob",
-					Email:    "bob@example.com",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "bob", updated.Username)
-				assert.Equal(t, "bob@example.com", updated.Email)
-
-				got, err := s.GetSession(ctx, "uuid-1")
-				require.NoError(t, err)
-				assert.Equal(t, updated, got)
-			},
-		},
-		{
-			description: "Update session not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.UpdateSession(ctx, repository.UpdateSessionParams{UUID: "missing"})
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete session",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteSession(ctx, "uuid-1"))
-
-				_, err = s.GetSession(ctx, "uuid-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete expired sessions",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "expired", Expiry: 10})
-				require.NoError(t, err)
-				_, err = s.CreateSession(ctx, repository.CreateSessionParams{UUID: "valid", Expiry: 100})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteExpiredSessions(ctx, 50))
-
-				_, err = s.GetSession(ctx, "expired")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-
-				_, err = s.GetSession(ctx, "valid")
-				assert.NoError(t, err)
-			},
-		},
-		{
-			description: "Create and get OIDC code",
-			run: func(t *testing.T, s repository.Store) {
-				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
-					Sub:      "sub-1",
-					CodeHash: "hash-1",
-					Scope:    "openid",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", code.Sub)
-
-				// destructive read removes the record
-				got, err := s.GetOidcCode(ctx, "hash-1")
-				require.NoError(t, err)
-				assert.Equal(t, code, got)
-
-				_, err = s.GetOidcCode(ctx, "hash-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC code not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCode(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC code by sub",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", got.Sub)
-
-				// destructive — gone after read
-				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC code by sub not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCodeBySub(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC code unsafe",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", got.Sub)
-
-				// non-destructive — still present
-				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
-				assert.NoError(t, err)
-			},
-		},
-		{
-			description: "Get OIDC code unsafe not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC code by sub unsafe",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
-				require.NoError(t, err)
-				assert.Equal(t, "hash-1", got.CodeHash)
-
-				// non-destructive — still present
-				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
-				assert.NoError(t, err)
-			},
-		},
-		{
-			description: "Get OIDC code by sub unsafe not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Create OIDC code unique sub constraint",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
-				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
-			},
-		},
-		{
-			description: "Delete OIDC code",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
-
-				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC code by sub",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
-
-				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete expired OIDC codes",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
-				require.NoError(t, err)
-				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
-				require.NoError(t, err)
-
-				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
-				require.NoError(t, err)
-				require.Len(t, deleted, 1)
-				assert.Equal(t, "hash-1", deleted[0].CodeHash)
-
-				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
-				assert.NoError(t, err)
-			},
-		},
-		{
-			description: "Create and get OIDC token",
-			run: func(t *testing.T, s repository.Store) {
-				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub:             "sub-1",
-					AccessTokenHash: "at-hash-1",
-					CodeHash:        "code-hash-1",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", tok.Sub)
-
-				got, err := s.GetOidcToken(ctx, "at-hash-1")
-				require.NoError(t, err)
-				assert.Equal(t, tok, got)
-			},
-		},
-		{
-			description: "Get OIDC token not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcToken(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Create OIDC token unique sub constraint",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
-				require.NoError(t, err)
-
-				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
-				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
-			},
-		},
-		{
-			description: "Get OIDC token by refresh token",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub:              "sub-1",
-					AccessTokenHash:  "at-1",
-					RefreshTokenHash: "rt-1",
-				})
-				require.NoError(t, err)
-
-				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", got.Sub)
-			},
-		},
-		{
-			description: "Get OIDC token by refresh token not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Get OIDC token by sub",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub:             "sub-1",
-					AccessTokenHash: "at-1",
-				})
-				require.NoError(t, err)
-
-				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
-				require.NoError(t, err)
-				assert.Equal(t, "at-1", got.AccessTokenHash)
-			},
-		},
-		{
-			description: "Get OIDC token by sub not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcTokenBySub(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Update OIDC token by refresh token",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub:              "sub-1",
-					AccessTokenHash:  "at-1",
-					RefreshTokenHash: "rt-1",
-				})
-				require.NoError(t, err)
-
-				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
-					RefreshTokenHash_2:    "rt-1",
-					AccessTokenHash:       "at-2",
-					RefreshTokenHash:      "rt-2",
-					TokenExpiresAt:        200,
-					RefreshTokenExpiresAt: 400,
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "at-2", updated.AccessTokenHash)
-				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
-
-				// old key gone, new key present
-				_, err = s.GetOidcToken(ctx, "at-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-
-				got, err := s.GetOidcToken(ctx, "at-2")
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", got.Sub)
-			},
-		},
-		{
-			description: "Update OIDC token by refresh token not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
-					RefreshTokenHash_2: "missing",
-				})
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC token",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
-
-				_, err = s.GetOidcToken(ctx, "at-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC token by sub",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
-
-				_, err = s.GetOidcToken(ctx, "at-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC token by code hash",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub:             "sub-1",
-					AccessTokenHash: "at-1",
-					CodeHash:        "code-1",
-				})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
-
-				_, err = s.GetOidcToken(ctx, "at-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete expired OIDC tokens",
-			run: func(t *testing.T, s repository.Store) {
-				// both expiries past
-				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub: "sub-1", AccessTokenHash: "at-1",
-					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
-				})
-				require.NoError(t, err)
-				// valid
-				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
-					Sub: "sub-3", AccessTokenHash: "at-3",
-					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
-				})
-				require.NoError(t, err)
-
-				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
-					TokenExpiresAt:        50,
-					RefreshTokenExpiresAt: 50,
-				})
-				require.NoError(t, err)
-				assert.Len(t, deleted, 1)
-
-				_, err = s.GetOidcToken(ctx, "at-3")
-				assert.NoError(t, err)
-			},
-		},
-		{
-			description: "Create and get OIDC user info",
-			run: func(t *testing.T, s repository.Store) {
-				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
-					Sub:   "sub-1",
-					Name:  "Alice",
-					Email: "alice@example.com",
-				})
-				require.NoError(t, err)
-				assert.Equal(t, "sub-1", u.Sub)
-
-				got, err := s.GetOidcUserInfo(ctx, "sub-1")
-				require.NoError(t, err)
-				assert.Equal(t, u, got)
-			},
-		},
-		{
-			description: "Get OIDC user info not found",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.GetOidcUserInfo(ctx, "missing")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-		{
-			description: "Delete OIDC user info",
-			run: func(t *testing.T, s repository.Store) {
-				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
-				require.NoError(t, err)
-
-				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
-
-				_, err = s.GetOidcUserInfo(ctx, "sub-1")
-				assert.ErrorIs(t, err, repository.ErrNotFound)
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.description, func(t *testing.T) {
-			s := memory.New()
-			test.run(t, s)
-		})
-	}
-}

internal/repository/memory/oidc_queries.go

@@ -1,241 +0,0 @@
-package memory
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/tinyauthapp/tinyauth/internal/repository"
-)
-
-func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	// Enforce sub UNIQUE constraint
-	for _, c := range s.oidcCodes {
-		if c.Sub == arg.Sub {
-			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
-		}
-	}
-	code := repository.OidcCode(arg)
-	s.oidcCodes[arg.CodeHash] = code
-	return code, nil
-}
-
-// GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
-func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	c, ok := s.oidcCodes[codeHash]
-	if !ok {
-		return repository.OidcCode{}, repository.ErrNotFound
-	}
-	delete(s.oidcCodes, codeHash)
-	return c, nil
-}
-
-// GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
-func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for k, c := range s.oidcCodes {
-		if c.Sub == sub {
-			delete(s.oidcCodes, k)
-			return c, nil
-		}
-	}
-	return repository.OidcCode{}, repository.ErrNotFound
-}
-
-// GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
-func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	c, ok := s.oidcCodes[codeHash]
-	if !ok {
-		return repository.OidcCode{}, repository.ErrNotFound
-	}
-	return c, nil
-}
-
-// GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
-func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	for _, c := range s.oidcCodes {
-		if c.Sub == sub {
-			return c, nil
-		}
-	}
-	return repository.OidcCode{}, repository.ErrNotFound
-}
-
-func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	delete(s.oidcCodes, codeHash)
-	return nil
-}
-
-func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for k, c := range s.oidcCodes {
-		if c.Sub == sub {
-			delete(s.oidcCodes, k)
-		}
-	}
-	return nil
-}
-
-func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	var deleted []repository.OidcCode
-	for k, c := range s.oidcCodes {
-		if c.ExpiresAt < expiresAt {
-			deleted = append(deleted, c)
-			delete(s.oidcCodes, k)
-		}
-	}
-	return deleted, nil
-}
-
-func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	// Enforce sub UNIQUE constraint
-	for _, t := range s.oidcTokens {
-		if t.Sub == arg.Sub {
-			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
-		}
-	}
-	tok := repository.OidcToken{
-		Sub:                   arg.Sub,
-		AccessTokenHash:       arg.AccessTokenHash,
-		RefreshTokenHash:      arg.RefreshTokenHash,
-		CodeHash:              arg.CodeHash,
-		Scope:                 arg.Scope,
-		ClientID:              arg.ClientID,
-		TokenExpiresAt:        arg.TokenExpiresAt,
-		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
-		Nonce:                 arg.Nonce,
-	}
-	s.oidcTokens[arg.AccessTokenHash] = tok
-	return tok, nil
-}
-
-func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	t, ok := s.oidcTokens[accessTokenHash]
-	if !ok {
-		return repository.OidcToken{}, repository.ErrNotFound
-	}
-	return t, nil
-}
-
-func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	for _, t := range s.oidcTokens {
-		if t.RefreshTokenHash == refreshTokenHash {
-			return t, nil
-		}
-	}
-	return repository.OidcToken{}, repository.ErrNotFound
-}
-
-func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	for _, t := range s.oidcTokens {
-		if t.Sub == sub {
-			return t, nil
-		}
-	}
-	return repository.OidcToken{}, repository.ErrNotFound
-}
-
-func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for k, t := range s.oidcTokens {
-		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
-			delete(s.oidcTokens, k)
-			t.AccessTokenHash = arg.AccessTokenHash
-			t.RefreshTokenHash = arg.RefreshTokenHash
-			t.TokenExpiresAt = arg.TokenExpiresAt
-			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
-			s.oidcTokens[arg.AccessTokenHash] = t
-			return t, nil
-		}
-	}
-	return repository.OidcToken{}, repository.ErrNotFound
-}
-
-func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	delete(s.oidcTokens, accessTokenHash)
-	return nil
-}
-
-func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for k, t := range s.oidcTokens {
-		if t.Sub == sub {
-			delete(s.oidcTokens, k)
-		}
-	}
-	return nil
-}
-
-func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	for k, t := range s.oidcTokens {
-		if t.CodeHash == codeHash {
-			delete(s.oidcTokens, k)
-		}
-	}
-	return nil
-}
-
-func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	var deleted []repository.OidcToken
-	for k, t := range s.oidcTokens {
-		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
-			deleted = append(deleted, t)
-			delete(s.oidcTokens, k)
-		}
-	}
-	return deleted, nil
-}
-
-func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	u := repository.OidcUserinfo(arg)
-	s.oidcUsers[arg.Sub] = u
-	return u, nil
-}
-
-func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	u, ok := s.oidcUsers[sub]
-	if !ok {
-		return repository.OidcUserinfo{}, repository.ErrNotFound
-	}
-	return u, nil
-}
-
-func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	delete(s.oidcUsers, sub)
-	return nil
-}