New translations en.json (Finnish)

2025-10-30 21:55:43 +00:00 · 2025-10-18 13:17:24 +03:00
22 changed files with 328 additions and 545 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,7 +1,6 @@
 package cmd
 import (
 	"os"
 	"strings"
 	"tinyauth/internal/bootstrap"
 	"tinyauth/internal/config"
@@ -15,16 +14,15 @@ import (
 )
 type rootCmd struct {
-	root     *cobra.Command
+	root *cobra.Command
-	cmd      *cobra.Command
+	cmd  *cobra.Command
-	viper    *viper.Viper
+
-	aclFlags map[string]string
+	viper *viper.Viper
 }
 func newRootCmd() *rootCmd {
 	return &rootCmd{
-		viper:    viper.New(),
+		viper: viper.New(),
 		aclFlags: make(map[string]string),
 	}
 }
@@ -34,9 +32,6 @@ func (c *rootCmd) Register() {
 		Short: "The simplest way to protect your apps with a login screen",
 		Long:  `Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your docker apps.`,
 		Run:   c.run,
 		FParseErrWhitelist: cobra.FParseErrWhitelist{
 			UnknownFlags: true,
 		},
 	}
 	c.viper.AutomaticEnv()
@@ -121,7 +116,7 @@ func (c *rootCmd) run(cmd *cobra.Command, args []string) {
 		log.Warn().Msg("Log level set to trace, this will log sensitive information!")
 	}
-	app := bootstrap.NewBootstrapApp(conf, c.aclFlags)
+	app := bootstrap.NewBootstrapApp(conf)
 	err = app.Setup()
 	if err != nil {
@@ -131,8 +126,6 @@ func (c *rootCmd) run(cmd *cobra.Command, args []string) {
 func Run() {
 	rootCmd := newRootCmd()
 	rootCmd.aclFlags = utils.ExtractACLFlags(os.Args[1:])
 	rootCmd.Register()
 	root := rootCmd.GetCmd()
--- a/frontend/src/lib/i18n/locales/fi-FI.json
+++ b/frontend/src/lib/i18n/locales/fi-FI.json
@@ -1,62 +1,62 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "Tervetuloa takaisin, kirjaudu sisään käyttäen",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Tervetuloa takaisin, ole hyvä ja kirjaudu",
-    "loginDivider": "Or",
+    "loginDivider": "Tai",
-    "loginUsername": "Username",
+    "loginUsername": "Käyttäjätunnus",
-    "loginPassword": "Password",
+    "loginPassword": "Salasana",
-    "loginSubmit": "Login",
+    "loginSubmit": "Kirjaudu",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Kirjautuminen epäonnistui",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Tarkista käyttäjätunnuksesi ja salasanasi",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Kirjautuminen epäonnistui liian monta kertaa. Yritä myöhemmin uudelleen",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Olet kirjautunut sisään",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Tervetuloa takaisin!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Tapahtui virhe",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "OAuthin URL-osoitteen haku epäonnistui",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Uudelleenohjataan",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Uudelleenohjaus OAuth -palveluntarjoajallesi",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automaattinen OAuth -uudelleenohjaus",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Sinut ohjataan automaattisesti OAuth -palveluntarjoajallesi todentamista varten.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Siirry nyt",
-    "continueTitle": "Continue",
+    "continueTitle": "Jatka",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Uudelleenohjataan...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "Sinun pitäisi ohjautua sovellukseen pian",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Siirrä minut manuaalisesti",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Turvaton uudelleenohjaus",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Yrität siirtyä suojatusta <code>https</code> -sivusta suojaamattomalle <code>http</code> -sivulle. Oletko varma, että haluat jatkaa?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Ei-luotettu uudelleenohjaus",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Yrität uudelleenohjata domainiin, joka ei vastaa määritettyä verkkotunnusta (<code>{{cookieDomain}}</code>). Oletko varma, että haluat jatkaa?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Uloskirjautuminen epäonnistui",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Ole hyvä ja yritä uudelleen",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Kirjauduttu ulos",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Sinut on kirjattu ulos",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Kirjaudu ulos",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Olet kirjautuneena sisään tunnuksella <code>{{username}}</code>. Kirjaudu ulos alla olevasta painikkeesta.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Olet kirjautuneena sisään tunnuksella <code>{{username}}</code> OAuth palvelun {{provider}} kautta. Kirjaudu ulos alla olevasta painikkeesta.",
-    "notFoundTitle": "Page not found",
+    "notFoundTitle": "Sivua ei löydy",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "Sivua, jota etsit ei ole olemassa.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "Palaa kotinäkymään",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Koodin vahvistus epäonnistui",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Tarkista koodisi ja yritä uudelleen",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Vahvistettu",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Uudelleenohjataan sovelluksellesi",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Syötä TOTP -koodisi",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Ole hyvä ja syötä koodi todennussovelluksestasi.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Ei sallittu",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "Käyttäjällä <code>{{username}}</code> ei ole pääsyä kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "Käyttäjällä <code>{{username}}</code> ei ole lupaa kirjautua.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "Käyttäjä <code>{{username}}</code> ei ole ryhmässä, joka vaaditaan pääsyyn kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "IP osoitteestasi <code>{{ip}}</code> ei ole pääsyä kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Yritä uudelleen",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Peruuta",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Unohditko salasanasi?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Todennuspalvelujen tarjoajien lataaminen epäonnistui. Tarkista määrityksesi.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Tapahtui virhe",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitle": "Tapahtui virhe yritettäessä suorittaa tämä toiminto. Ole hyvä ja tarkista konsoli saadaksesi lisätietoja.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Voit nollata salasanasi vaihtamalla ympäristömuuttujan `USERS`.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Tämä kenttä on pakollinen",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Virheellinen syöte",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Virheellinen verkkotunnus",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Jätä huomiotta",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen"
 }
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,6 @@ require (
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.54.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/stoewer/go-strcase v1.3.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -259,8 +259,6 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs=
 github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -2,7 +2,6 @@ package bootstrap
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -14,13 +13,11 @@ import (
 	"tinyauth/internal/config"
 	"tinyauth/internal/controller"
 	"tinyauth/internal/middleware"
 	"tinyauth/internal/model"
 	"tinyauth/internal/service"
 	"tinyauth/internal/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 )
 type Controller interface {
@@ -37,15 +34,13 @@ type Service interface {
 }
 type BootstrapApp struct {
-	config   config.Config
+	config config.Config
-	aclFlags map[string]string
+	uuid   string
 	uuid     string
 }
-func NewBootstrapApp(config config.Config, aclFlags map[string]string) *BootstrapApp {
+func NewBootstrapApp(config config.Config) *BootstrapApp {
 	return &BootstrapApp{
-		config:   config,
+		config: config,
 		aclFlags: aclFlags,
 	}
 }
@@ -141,15 +136,12 @@ func (app *BootstrapApp) Setup() error {
 	// Create services
 	dockerService := service.NewDockerService()
 	aclsService := service.NewAccessControlsService(dockerService)
 	aclsService.SetACLFlags(app.aclFlags)
 	authService := service.NewAuthService(authConfig, dockerService, ldapService, database)
 	oauthBrokerService := service.NewOAuthBrokerService(oauthProviders)
-	// Initialize services (order matters)
+	// Initialize services
 	services := []Service{
 		dockerService,
 		aclsService,
 		authService,
 		oauthBrokerService,
 	}
@@ -251,7 +243,7 @@ func (app *BootstrapApp) Setup() error {
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
 		AppURL: app.config.AppURL,
-	}, apiRouter, aclsService, authService)
+	}, apiRouter, dockerService, authService)
 	userController := controller.NewUserController(controller.UserControllerConfig{
 		CookieDomain: cookieDomain,
@@ -285,10 +277,6 @@ func (app *BootstrapApp) Setup() error {
 		go app.heartbeat()
 	}
 	// Start DB cleanup routine
 	log.Debug().Msg("Starting database cleanup routine")
 	go app.dbCleanup(database)
 	// Start server
 	address := fmt.Sprintf("%s:%d", app.config.Address, app.config.Port)
 	log.Info().Msgf("Starting server on %s", address)
@@ -350,17 +338,3 @@ func (app *BootstrapApp) heartbeat() {
 		}
 	}
 }
 func (app *BootstrapApp) dbCleanup(db *gorm.DB) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	ctx := context.Background()
 	for ; true; <-ticker.C {
 		log.Debug().Msg("Cleaning up old database sessions")
 		_, err := gorm.G[model.Session](db).Where("expiry < ?", time.Now().UnixMilli()).Delete(ctx)
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to cleanup old sessions")
 		}
 	}
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -53,16 +53,16 @@ type Claims struct {
 }
 type OAuthServiceConfig struct {
-	ClientID           string `field:"client-id"`
+	ClientID           string   `key:"client-id"`
-	ClientSecret       string
+	ClientSecret       string   `key:"client-secret"`
-	ClientSecretFile   string
+	ClientSecretFile   string   `key:"client-secret-file"`
-	Scopes             []string
+	Scopes             []string `key:"scopes"`
-	RedirectURL        string `field:"redirect-url"`
+	RedirectURL        string   `key:"redirect-url"`
-	AuthURL            string `field:"auth-url"`
+	AuthURL            string   `key:"auth-url"`
-	TokenURL           string `field:"token-url"`
+	TokenURL           string   `key:"token-url"`
-	UserinfoURL        string `field:"user-info-url"`
+	UserinfoURL        string   `key:"user-info-url"`
-	InsecureSkipVerify bool
+	InsecureSkipVerify bool     `key:"insecure-skip-verify"`
-	Name               string
+	Name               string   `key:"name"`
 }
 var OverrideProviders = map[string]string{
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -72,7 +72,6 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 	service.GenerateVerifier()
 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
 	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -24,15 +24,15 @@ type ProxyControllerConfig struct {
 type ProxyController struct {
 	config ProxyControllerConfig
 	router *gin.RouterGroup
-	acls   *service.AccessControlsService
+	docker *service.DockerService
 	auth   *service.AuthService
 }
-func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, acls *service.AccessControlsService, auth *service.AuthService) *ProxyController {
+func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, docker *service.DockerService, auth *service.AuthService) *ProxyController {
 	return &ProxyController{
 		config: config,
 		router: router,
-		acls:   acls,
+		docker: docker,
 		auth:   auth,
 	}
 }
@@ -76,21 +76,20 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	proto := c.Request.Header.Get("X-Forwarded-Proto")
 	host := c.Request.Header.Get("X-Forwarded-Host")
-	// Get acls
+	labels, err := controller.docker.GetLabels(host)
 	acls, err := controller.acls.GetAccessControls(host)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to get access controls for resource")
+		log.Error().Err(err).Msg("Failed to get labels from Docker")
 		controller.handleError(c, req, isBrowser)
 		return
 	}
-	log.Trace().Interface("acls", acls).Msg("ACLs for resource")
+	log.Trace().Interface("labels", labels).Msg("Labels for resource")
 	clientIP := c.ClientIP()
-	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
+	if controller.auth.IsBypassedIP(labels.IP, clientIP) {
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, labels)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -98,7 +97,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	authEnabled, err := controller.auth.IsAuthEnabled(uri, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(uri, labels.Path)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -108,7 +107,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	if !authEnabled {
 		log.Debug().Msg("Authentication disabled for resource, allowing access")
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, labels)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -116,7 +115,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	if !controller.auth.CheckIP(acls.IP, clientIP) {
+	if !controller.auth.CheckIP(labels.IP, clientIP) {
 		if req.Proxy == "nginx" || !isBrowser {
 			c.JSON(401, gin.H{
 				"status":  401,
@@ -161,7 +160,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 	if userContext.IsLoggedIn {
-		appAllowed := controller.auth.IsResourceAllowed(c, userContext, acls)
+		appAllowed := controller.auth.IsResourceAllowed(c, userContext, labels)
 		if !appAllowed {
 			log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
@@ -195,7 +194,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		}
 		if userContext.OAuth {
-			groupOK := controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+			groupOK := controller.auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
 			if !groupOK {
 				log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -235,7 +234,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
 		c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, labels)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -265,21 +264,21 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode()))
 }
-func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, labels config.App) {
 	c.Header("Authorization", c.Request.Header.Get("Authorization"))
-	headers := utils.ParseHeaders(acls.Response.Headers)
+	headers := utils.ParseHeaders(labels.Response.Headers)
 	for key, value := range headers {
 		log.Debug().Str("header", key).Msg("Setting header")
 		c.Header(key, value)
 	}
-	basicPassword := utils.GetSecret(acls.Response.BasicAuth.Password, acls.Response.BasicAuth.PasswordFile)
+	basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
-	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
+	if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
-		log.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
+		log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
-		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
+		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
 	}
 }
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -39,11 +39,6 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	assert.NilError(t, dockerService.Init())
 	// Access controls
 	accessControlsService := service.NewAccessControlsService(dockerService)
 	assert.NilError(t, accessControlsService.Init())
 	// Auth service
 	authService := service.NewAuthService(service.AuthServiceConfig{
 		Users: []config.User{
@@ -64,7 +59,7 @@ func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.En
 	// Controller
 	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
 		AppURL: "http://localhost:8080",
-	}, group, accessControlsService, authService)
+	}, group, dockerService, authService)
 	ctrl.SetupRoutes()
 	return router, recorder, authService
--- a/internal/service/access_controls_service.go
+++ b/internal/service/access_controls_service.go
@@ -1,72 +0,0 @@
 package service
 import (
 	"os"
 	"strings"
 	"tinyauth/internal/config"
 	"tinyauth/internal/utils"
 	"github.com/rs/zerolog/log"
 )
 type AccessControlsService struct {
 	docker   *DockerService
 	envACLs  config.Apps
 	aclFlags map[string]string
 }
 func NewAccessControlsService(docker *DockerService) *AccessControlsService {
 	return &AccessControlsService{
 		docker:   docker,
 		aclFlags: make(map[string]string),
 	}
 }
 func (acls *AccessControlsService) SetACLFlags(flags map[string]string) {
 	acls.aclFlags = flags
 }
 func (acls *AccessControlsService) Init() error {
 	env := os.Environ()
 	apps, err := utils.GetACLsConfig(env, acls.aclFlags)
 	if err != nil {
 		return err
 	}
 	acls.envACLs = apps
 	return nil
 }
 func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App {
 	if len(acls.envACLs.Apps) == 0 {
 		return nil
 	}
 	for appName, appACLs := range acls.envACLs.Apps {
 		if appACLs.Config.Domain == appDomain {
 			return &appACLs
 		}
 		if strings.SplitN(appDomain, ".", 2)[0] == appName {
 			return &appACLs
 		}
 	}
 	return nil
 }
 func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) {
 	// First check environment variables
 	envACLs := acls.lookupEnvACLs(appDomain)
 	if envACLs != nil {
 		log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables")
 		return *envACLs, nil
 	}
 	// Fallback to Docker labels
 	return acls.docker.GetLabels(appDomain)
 }
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -1,8 +1,6 @@
 package service
 import (
 	"context"
 	"errors"
 	"fmt"
 	"regexp"
 	"strings"
@@ -43,7 +41,6 @@ type AuthService struct {
 	loginMutex    sync.RWMutex
 	ldap          *LdapService
 	database      *gorm.DB
 	ctx           context.Context
 }
 func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, database *gorm.DB) *AuthService {
@@ -57,7 +54,6 @@ func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapS
 }
 func (auth *AuthService) Init() error {
 	auth.ctx = context.Background()
 	return nil
 }
@@ -217,7 +213,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *config.Sessio
 		OAuthName:   data.OAuthName,
 	}
-	err = gorm.G[model.Session](auth.database).Create(auth.ctx, &session)
+	err = auth.database.Create(&session).Error
 	if err != nil {
 		return err
@@ -235,10 +231,10 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
 		return err
 	}
-	_, err = gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).Delete(auth.ctx)
+	res := auth.database.Unscoped().Where("uuid = ?", cookie).Delete(&model.Session{})
-	if err != nil {
+	if res.Error != nil {
-		return err
+		return res.Error
 	}
 	c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
@@ -253,13 +249,15 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (config.SessionCookie,
 		return config.SessionCookie{}, err
 	}
-	session, err := gorm.G[model.Session](auth.database).Where("uuid = ?", cookie).First(auth.ctx)
+	var session model.Session
-	if err != nil {
+	res := auth.database.Unscoped().Where("uuid = ?", cookie).First(&session)
-		return config.SessionCookie{}, err
+
 	if res.Error != nil {
 		return config.SessionCookie{}, res.Error
 	}
-	if errors.Is(err, gorm.ErrRecordNotFound) {
+	if res.RowsAffected == 0 {
 		return config.SessionCookie{}, fmt.Errorf("session not found")
 	}
@@ -289,21 +287,21 @@ func (auth *AuthService) UserAuthConfigured() bool {
 	return len(auth.config.Users) > 0 || auth.ldap != nil
 }
-func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, acls config.App) bool {
+func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.App) bool {
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
-		return utils.CheckFilter(acls.OAuth.Whitelist, context.Email)
+		return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
 	}
-	if acls.Users.Block != "" {
+	if labels.Users.Block != "" {
 		log.Debug().Msg("Checking blocked users")
-		if utils.CheckFilter(acls.Users.Block, context.Username) {
+		if utils.CheckFilter(labels.Users.Block, context.Username) {
 			return false
 		}
 	}
 	log.Debug().Msg("Checking users")
-	return utils.CheckFilter(acls.Users.Allow, context.Username)
+	return utils.CheckFilter(labels.Users.Allow, context.Username)
 }
 func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserContext, requiredGroups string) bool {
@@ -371,8 +369,8 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
 	}
 }
-func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
+func (auth *AuthService) CheckIP(labels config.AppIP, ip string) bool {
-	for _, blocked := range acls.Block {
+	for _, blocked := range labels.Block {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
 			log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
@@ -384,7 +382,7 @@ func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
 		}
 	}
-	for _, allowed := range acls.Allow {
+	for _, allowed := range labels.Allow {
 		res, err := utils.FilterIP(allowed, ip)
 		if err != nil {
 			log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
@@ -396,7 +394,7 @@ func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
 		}
 	}
-	if len(acls.Allow) > 0 {
+	if len(labels.Allow) > 0 {
 		log.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
 		return false
 	}
@@ -405,8 +403,8 @@ func (auth *AuthService) CheckIP(acls config.AppIP, ip string) bool {
 	return true
 }
-func (auth *AuthService) IsBypassedIP(acls config.AppIP, ip string) bool {
+func (auth *AuthService) IsBypassedIP(labels config.AppIP, ip string) bool {
-	for _, bypassed := range acls.Bypass {
+	for _, bypassed := range labels.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {
 			log.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
--- a/internal/service/generic_oauth_service.go
+++ b/internal/service/generic_oauth_service.go
@@ -59,8 +59,10 @@ func (generic *GenericOAuthService) Init() error {
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 	generic.context = ctx
 	generic.verifier = verifier
 	return nil
 }
@@ -74,12 +76,6 @@ func (generic *GenericOAuthService) GenerateState() string {
 	return state
 }
 func (generic *GenericOAuthService) GenerateVerifier() string {
 	verifier := oauth2.GenerateVerifier()
 	generic.verifier = verifier
 	return verifier
 }
 func (generic *GenericOAuthService) GetAuthURL(state string) string {
 	return generic.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(generic.verifier))
 }
--- a/internal/service/github_oauth_service.go
+++ b/internal/service/github_oauth_service.go
@@ -53,7 +53,10 @@ func (github *GithubOAuthService) Init() error {
 	httpClient := &http.Client{}
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 	github.context = ctx
 	github.verifier = verifier
 	return nil
 }
@@ -67,12 +70,6 @@ func (github *GithubOAuthService) GenerateState() string {
 	return state
 }
 func (github *GithubOAuthService) GenerateVerifier() string {
 	verifier := oauth2.GenerateVerifier()
 	github.verifier = verifier
 	return verifier
 }
 func (github *GithubOAuthService) GetAuthURL(state string) string {
 	return github.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(github.verifier))
 }
--- a/internal/service/google_oauth_service.go
+++ b/internal/service/google_oauth_service.go
@@ -48,7 +48,10 @@ func (google *GoogleOAuthService) Init() error {
 	httpClient := &http.Client{}
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 	verifier := oauth2.GenerateVerifier()
 	google.context = ctx
 	google.verifier = verifier
 	return nil
 }
@@ -62,12 +65,6 @@ func (oauth *GoogleOAuthService) GenerateState() string {
 	return state
 }
 func (google *GoogleOAuthService) GenerateVerifier() string {
 	verifier := oauth2.GenerateVerifier()
 	google.verifier = verifier
 	return verifier
 }
 func (google *GoogleOAuthService) GetAuthURL(state string) string {
 	return google.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(google.verifier))
 }
--- a/internal/service/oauth_broker_service.go
+++ b/internal/service/oauth_broker_service.go
@@ -11,7 +11,6 @@ import (
 type OAuthService interface {
 	Init() error
 	GenerateState() string
 	GenerateVerifier() string
 	GetAuthURL(state string) string
 	VerifyCode(code string) error
 	Userinfo() (config.Claims, error)
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -147,7 +147,7 @@ func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[st
 		}
 	}
-	envProviders, err := decoders.DecodeEnv[config.Providers, config.OAuthServiceConfig](envMap, "providers")
+	envProviders, err := decoders.DecodeEnv(envMap)
 	if err != nil {
 		return nil, err
@@ -167,7 +167,7 @@ func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[st
 		}
 	}
-	flagProviders, err := decoders.DecodeFlags[config.Providers, config.OAuthServiceConfig](flagsMap, "providers")
+	flagProviders, err := decoders.DecodeFlags(flagsMap)
 	if err != nil {
 		return nil, err
@@ -208,53 +208,3 @@ func GetOAuthProvidersConfig(env []string, args []string, appUrl string) (map[st
 	// Return combined providers
 	return providers, nil
 }
 func GetACLsConfig(env []string, flagsMap map[string]string) (config.Apps, error) {
 	apps := config.Apps{Apps: make(map[string]config.App)}
 	envMap := make(map[string]string)
 	for _, e := range env {
 		pair := strings.SplitN(e, "=", 2)
 		if len(pair) == 2 {
 			envMap[pair[0]] = pair[1]
 		}
 	}
 	envApps, err := decoders.DecodeACLEnv[config.Apps](envMap, "apps")
 	if err != nil {
 		return config.Apps{}, err
 	}
 	if envApps.Apps != nil {
 		maps.Copy(apps.Apps, envApps.Apps)
 	}
 	flagApps, err := decoders.DecodeACLFlags[config.Apps](flagsMap, "apps")
 	if err != nil {
 		return config.Apps{}, err
 	}
 	if flagApps.Apps != nil {
 		maps.Copy(apps.Apps, flagApps.Apps)
 	}
 	return apps, nil
 }
 func ExtractACLFlags(args []string) map[string]string {
 	aclFlags := make(map[string]string)
 	for _, arg := range args {
 		if strings.HasPrefix(arg, "--apps-") || strings.HasPrefix(arg, "--tinyauth-apps-") {
 			pair := strings.SplitN(arg[2:], "=", 2)
 			if len(pair) == 2 {
 				aclFlags[pair[0]] = pair[1]
 			}
 		}
 	}
 	return aclFlags
 }
--- a/internal/utils/decoders/decoders.go
+++ b/internal/utils/decoders/decoders.go
@@ -3,89 +3,29 @@ package decoders
 import (
 	"reflect"
 	"strings"
-
+	"tinyauth/internal/config"
 	"github.com/stoewer/go-strcase"
 )
-func ParsePath(parts []string, idx int, t reflect.Type) []string {
+func NormalizeKeys(keys map[string]string, rootName string, sep string) map[string]string {
 	if idx >= len(parts) {
 		return []string{}
 	}
 	if t.Kind() == reflect.Map {
 		if idx >= len(parts) {
 			return []string{}
 		}
 		elemType := t.Elem()
 		keyEndIdx := idx + 1
 		if elemType.Kind() == reflect.Struct {
 			for i := idx + 1; i < len(parts); i++ {
 				found := false
 				for j := 0; j < elemType.NumField(); j++ {
 					field := elemType.Field(j)
 					if strings.EqualFold(parts[i], field.Name) {
 						keyEndIdx = i
 						found = true
 						break
 					}
 				}
 				if found {
 					break
 				}
 			}
 		}
 		keyParts := parts[idx:keyEndIdx]
 		keyName := strings.ToLower(strings.Join(keyParts, "_"))
 		rest := ParsePath(parts, keyEndIdx, elemType)
 		result := append([]string{keyName}, rest...)
 		return result
 	}
 	if t.Kind() == reflect.Struct {
 		for i := 0; i < t.NumField(); i++ {
 			field := t.Field(i)
 			if field.Type.Kind() == reflect.Map {
 				rest := ParsePath(parts, idx, field.Type)
 				if len(rest) > 0 {
 					return rest
 				}
 			}
 		}
 		for i := 0; i < t.NumField(); i++ {
 			field := t.Field(i)
 			if strings.EqualFold(parts[idx], field.Name) {
 				rest := ParsePath(parts, idx+1, field.Type)
 				result := append([]string{strings.ToLower(field.Name)}, rest...)
 				return result
 			}
 		}
 	}
 	return []string{}
 }
 func normalizeKeys[T any](input map[string]string, root string, sep string) map[string]string {
 	knownKeys := getKnownKeys[T]()
 	normalized := make(map[string]string)
 	knownKeys := getKnownKeys()
-	for k, v := range input {
+	for k, v := range keys {
-		parts := []string{"tinyauth"}
+		var finalKey []string
 		var suffix string
 		var camelClientName string
 		var camelField string
-		key := strings.ToLower(k)
+		finalKey = append(finalKey, rootName)
-		key = strings.ReplaceAll(key, sep, "-")
+		finalKey = append(finalKey, "providers")
 		lowerKey := strings.ToLower(k)
-		suffix := ""
+		if !strings.HasPrefix(lowerKey, "providers"+sep) {
 			continue
 		}
 		for _, known := range knownKeys {
-			if strings.HasSuffix(key, known) {
+			if strings.HasSuffix(lowerKey, strings.ReplaceAll(known, "-", sep)) {
 				suffix = known
 				break
 			}
@@ -95,101 +35,55 @@ func normalizeKeys[T any](input map[string]string, root string, sep string) map[
 			continue
 		}
-		parts = append(parts, root)
+		if strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(lowerKey, "providers"+sep), strings.ReplaceAll(suffix, "-", sep))) == "" {
 		id := strings.TrimPrefix(key, root+"-")
 		id = strings.TrimSuffix(id, "-"+suffix)
 		if id == "" {
 			continue
 		}
-		parts = append(parts, id)
+		clientNameParts := strings.Split(strings.TrimPrefix(strings.TrimSuffix(lowerKey, sep+strings.ReplaceAll(suffix, "-", sep)), "providers"+sep), sep)
 		parts = append(parts, suffix)
-		final := ""
+		for i, p := range clientNameParts {
-
+			if i == 0 {
-		for i, part := range parts {
+				camelClientName += p
-			if i > 0 {
+				continue
 				final += "."
 			}
-			final += strcase.LowerCamelCase(part)
+			if p == "" {
 				continue
 			}
 			camelClientName += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
 		}
-		normalized[final] = v
+		finalKey = append(finalKey, camelClientName)
 		fieldParts := strings.Split(suffix, "-")
 		for i, p := range fieldParts {
 			if i == 0 {
 				camelField += p
 				continue
 			}
 			if p == "" {
 				continue
 			}
 			camelField += strings.ToUpper(string([]rune(p)[0])) + string([]rune(p)[1:])
 		}
 		finalKey = append(finalKey, camelField)
 		normalized[strings.Join(finalKey, ".")] = v
 	}
 	return normalized
 }
-func getKnownKeys[T any]() []string {
+func getKnownKeys() []string {
-	var keys []string
+	var known []string
 	var t T
-	v := reflect.ValueOf(t)
+	p := config.OAuthServiceConfig{}
-	typeOfT := v.Type()
+	v := reflect.ValueOf(p)
 	typeOfP := v.Type()
-	for field := range typeOfT.NumField() {
+	for field := range typeOfP.NumField() {
-		if typeOfT.Field(field).Tag.Get("field") != "" {
+		known = append(known, typeOfP.Field(field).Tag.Get("key"))
 			keys = append(keys, typeOfT.Field(field).Tag.Get("field"))
 			continue
 		}
 		keys = append(keys, strcase.KebabCase(typeOfT.Field(field).Name))
 	}
-	return keys
+	return known
 }
 func normalizeACLKeys[T any](input map[string]string, root string, sep string) map[string]string {
 	normalized := make(map[string]string)
 	var t T
 	rootType := reflect.TypeOf(t)
 	for k, v := range input {
 		parts := strings.Split(strings.ToLower(k), sep)
 		if len(parts) < 2 {
 			continue
 		}
 		// Two cases:
 		// 1. Keys starting with "tinyauth" (env vars): tinyauth_apps_...
 		// 2. Keys starting with root directly (flags): apps-...
 		startIdx := 0
 		if parts[0] == "tinyauth" {
 			if len(parts) < 3 {
 				continue
 			}
 			if parts[1] != root {
 				continue
 			}
 			startIdx = 2 // Skip "tinyauth" and root
 		} else if parts[0] == root {
 			startIdx = 1 // Skip root only
 		} else {
 			continue
 		}
 		if startIdx < len(parts) {
 			parsedParts := ParsePath(parts[startIdx:], 0, rootType)
 			if len(parsedParts) == 0 {
 				continue
 			}
 			final := "tinyauth." + root
 			for _, part := range parsedParts {
 				if strings.Contains(part, "_") {
 					final += "." + part
 				} else {
 					final += "." + strcase.LowerCamelCase(part)
 				}
 			}
 			normalized[final] = v
 		}
 	}
 	return normalized
 }
--- a/internal/utils/decoders/decoders_test.go
+++ b/internal/utils/decoders/decoders_test.go
@@ -0,0 +1,49 @@
 package decoders_test
 import (
 	"testing"
 	"tinyauth/internal/utils/decoders"
 	"gotest.tools/v3/assert"
 )
 func TestNormalizeKeys(t *testing.T) {
 	// Test with env
 	test := map[string]string{
 		"PROVIDERS_CLIENT1_CLIENT_ID":                    "my-client-id",
 		"PROVIDERS_CLIENT1_CLIENT_SECRET":                "my-client-secret",
 		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_ID":          "my-awesome-client-id",
 		"PROVIDERS_MY_AWESOME_CLIENT_CLIENT_SECRET_FILE": "/path/to/secret",
 		"I_LOOK_LIKE_A_KEY_CLIENT_ID":                    "should-not-appear",
 		"PROVIDERS_CLIENT_ID":                            "should-not-appear",
 	}
 	expected := map[string]string{
 		"tinyauth.providers.client1.clientId":                 "my-client-id",
 		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
 		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
 		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
 	}
 	normalized := decoders.NormalizeKeys(test, "tinyauth", "_")
 	assert.DeepEqual(t, normalized, expected)
 	// Test with flags (assume -- is already stripped)
 	test = map[string]string{
 		"providers-client1-client-id":                    "my-client-id",
 		"providers-client1-client-secret":                "my-client-secret",
 		"providers-my-awesome-client-client-id":          "my-awesome-client-id",
 		"providers-my-awesome-client-client-secret-file": "/path/to/secret",
 		"providers-should-not-appear-client":             "should-not-appear",
 		"i-look-like-a-key-client-id":                    "should-not-appear",
 		"providers-client-id":                            "should-not-appear",
 	}
 	expected = map[string]string{
 		"tinyauth.providers.client1.clientId":                 "my-client-id",
 		"tinyauth.providers.client1.clientSecret":             "my-client-secret",
 		"tinyauth.providers.myAwesomeClient.clientId":         "my-awesome-client-id",
 		"tinyauth.providers.myAwesomeClient.clientSecretFile": "/path/to/secret",
 	}
 	normalized = decoders.NormalizeKeys(test, "tinyauth", "-")
 	assert.DeepEqual(t, normalized, expected)
 }
--- a/internal/utils/decoders/env_decoder.go
+++ b/internal/utils/decoders/env_decoder.go
@@ -1,33 +1,20 @@
 package decoders
 import (
 	"tinyauth/internal/config"
 	"github.com/traefik/paerser/parser"
 )
-func DecodeEnv[T any, C any](env map[string]string, subName string) (T, error) {
+func DecodeEnv(env map[string]string) (config.Providers, error) {
-	var result T
+	normalized := NormalizeKeys(env, "tinyauth", "_")
 	var providers config.Providers
-	normalized := normalizeKeys[C](env, subName, "_")
+	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
 	err := parser.Decode(normalized, &result, "tinyauth", "tinyauth."+subName)
 	if err != nil {
-		return result, err
+		return config.Providers{}, err
 	}
-	return result, nil
+	return providers, nil
 }
 func DecodeACLEnv[T any](env map[string]string, subName string) (T, error) {
 	var result T
 	normalized := normalizeACLKeys[T](env, subName, "_")
 	err := parser.Decode(normalized, &result, "tinyauth", "tinyauth."+subName)
 	if err != nil {
 		return result, err
 	}
 	return result, nil
 }
--- a/internal/utils/decoders/env_decoder_test.go
+++ b/internal/utils/decoders/env_decoder_test.go
@@ -9,29 +9,52 @@ import (
 )
 func TestDecodeEnv(t *testing.T) {
-	// Setup
+	// Variables
 	env := map[string]string{
 		"PROVIDERS_GOOGLE_CLIENT_ID":        "google-client-id",
 		"PROVIDERS_GOOGLE_CLIENT_SECRET":    "google-client-secret",
 		"PROVIDERS_MY_GITHUB_CLIENT_ID":     "github-client-id",
 		"PROVIDERS_MY_GITHUB_CLIENT_SECRET": "github-client-secret",
 	}
 	expected := config.Providers{
 		Providers: map[string]config.OAuthServiceConfig{
-			"google": {
+			"client1": {
-				ClientID:     "google-client-id",
+				ClientID:           "client1-id",
-				ClientSecret: "google-client-secret",
+				ClientSecret:       "client1-secret",
 				Scopes:             []string{"client1-scope1", "client1-scope2"},
 				RedirectURL:        "client1-redirect-url",
 				AuthURL:            "client1-auth-url",
 				UserinfoURL:        "client1-user-info-url",
 				Name:               "Client1",
 				InsecureSkipVerify: false,
 			},
-			"myGithub": {
+			"client2": {
-				ClientID:     "github-client-id",
+				ClientID:           "client2-id",
-				ClientSecret: "github-client-secret",
+				ClientSecret:       "client2-secret",
 				Scopes:             []string{"client2-scope1", "client2-scope2"},
 				RedirectURL:        "client2-redirect-url",
 				AuthURL:            "client2-auth-url",
 				UserinfoURL:        "client2-user-info-url",
 				Name:               "My Awesome Client2",
 				InsecureSkipVerify: false,
 			},
 		},
 	}
 	test := map[string]string{
 		"PROVIDERS_CLIENT1_CLIENT_ID":            "client1-id",
 		"PROVIDERS_CLIENT1_CLIENT_SECRET":        "client1-secret",
 		"PROVIDERS_CLIENT1_SCOPES":               "client1-scope1,client1-scope2",
 		"PROVIDERS_CLIENT1_REDIRECT_URL":         "client1-redirect-url",
 		"PROVIDERS_CLIENT1_AUTH_URL":             "client1-auth-url",
 		"PROVIDERS_CLIENT1_USER_INFO_URL":        "client1-user-info-url",
 		"PROVIDERS_CLIENT1_NAME":                 "Client1",
 		"PROVIDERS_CLIENT1_INSECURE_SKIP_VERIFY": "false",
 		"PROVIDERS_CLIENT2_CLIENT_ID":            "client2-id",
 		"PROVIDERS_CLIENT2_CLIENT_SECRET":        "client2-secret",
 		"PROVIDERS_CLIENT2_SCOPES":               "client2-scope1,client2-scope2",
 		"PROVIDERS_CLIENT2_REDIRECT_URL":         "client2-redirect-url",
 		"PROVIDERS_CLIENT2_AUTH_URL":             "client2-auth-url",
 		"PROVIDERS_CLIENT2_USER_INFO_URL":        "client2-user-info-url",
 		"PROVIDERS_CLIENT2_NAME":                 "My Awesome Client2",
 		"PROVIDERS_CLIENT2_INSECURE_SKIP_VERIFY": "false",
 	}
-	// Execute
+	// Test
-	result, err := decoders.DecodeEnv[config.Providers, config.OAuthServiceConfig](env, "providers")
+	res, err := decoders.DecodeEnv(test)
 	assert.NilError(t, err)
-	assert.DeepEqual(t, result, expected)
+	assert.DeepEqual(t, expected, res)
 }
--- a/internal/utils/decoders/flags_decoder.go
+++ b/internal/utils/decoders/flags_decoder.go
@@ -2,38 +2,23 @@ package decoders
 import (
 	"strings"
 	"tinyauth/internal/config"
 	"github.com/traefik/paerser/parser"
 )
-func DecodeFlags[T any, C any](flags map[string]string, subName string) (T, error) {
+func DecodeFlags(flags map[string]string) (config.Providers, error) {
 	var result T
 	filtered := filterFlags(flags)
-	normalized := normalizeKeys[C](filtered, subName, "_")
+	normalized := NormalizeKeys(filtered, "tinyauth", "-")
 	var providers config.Providers
-	err := parser.Decode(normalized, &result, "tinyauth", "tinyauth."+subName)
+	err := parser.Decode(normalized, &providers, "tinyauth", "tinyauth.providers")
 	if err != nil {
-		return result, err
+		return config.Providers{}, err
 	}
-	return result, nil
+	return providers, nil
 }
 func DecodeACLFlags[T any](flags map[string]string, subName string) (T, error) {
 	var result T
 	filtered := filterFlags(flags)
 	normalized := normalizeACLKeys[T](filtered, subName, "-")
 	err := parser.Decode(normalized, &result, "tinyauth", "tinyauth."+subName)
 	if err != nil {
 		return result, err
 	}
 	return result, nil
 }
 func filterFlags(flags map[string]string) map[string]string {
--- a/internal/utils/decoders/flags_decoder_test.go
+++ b/internal/utils/decoders/flags_decoder_test.go
@@ -9,29 +9,52 @@ import (
 )
 func TestDecodeFlags(t *testing.T) {
-	// Setup
+	// Variables
 	flags := map[string]string{
 		"--providers-google-client-id":        "google-client-id",
 		"--providers-google-client-secret":    "google-client-secret",
 		"--providers-my-github-client-id":     "github-client-id",
 		"--providers-my-github-client-secret": "github-client-secret",
 	}
 	expected := config.Providers{
 		Providers: map[string]config.OAuthServiceConfig{
-			"google": {
+			"client1": {
-				ClientID:     "google-client-id",
+				ClientID:           "client1-id",
-				ClientSecret: "google-client-secret",
+				ClientSecret:       "client1-secret",
 				Scopes:             []string{"client1-scope1", "client1-scope2"},
 				RedirectURL:        "client1-redirect-url",
 				AuthURL:            "client1-auth-url",
 				UserinfoURL:        "client1-user-info-url",
 				Name:               "Client1",
 				InsecureSkipVerify: false,
 			},
-			"myGithub": {
+			"client2": {
-				ClientID:     "github-client-id",
+				ClientID:           "client2-id",
-				ClientSecret: "github-client-secret",
+				ClientSecret:       "client2-secret",
 				Scopes:             []string{"client2-scope1", "client2-scope2"},
 				RedirectURL:        "client2-redirect-url",
 				AuthURL:            "client2-auth-url",
 				UserinfoURL:        "client2-user-info-url",
 				Name:               "My Awesome Client2",
 				InsecureSkipVerify: false,
 			},
 		},
 	}
 	test := map[string]string{
 		"--providers-client1-client-id":            "client1-id",
 		"--providers-client1-client-secret":        "client1-secret",
 		"--providers-client1-scopes":               "client1-scope1,client1-scope2",
 		"--providers-client1-redirect-url":         "client1-redirect-url",
 		"--providers-client1-auth-url":             "client1-auth-url",
 		"--providers-client1-user-info-url":        "client1-user-info-url",
 		"--providers-client1-name":                 "Client1",
 		"--providers-client1-insecure-skip-verify": "false",
 		"--providers-client2-client-id":            "client2-id",
 		"--providers-client2-client-secret":        "client2-secret",
 		"--providers-client2-scopes":               "client2-scope1,client2-scope2",
 		"--providers-client2-redirect-url":         "client2-redirect-url",
 		"--providers-client2-auth-url":             "client2-auth-url",
 		"--providers-client2-user-info-url":        "client2-user-info-url",
 		"--providers-client2-name":                 "My Awesome Client2",
 		"--providers-client2-insecure-skip-verify": "false",
 	}
-	// Execute
+	// Test
-	result, err := decoders.DecodeFlags[config.Providers, config.OAuthServiceConfig](flags, "providers")
+	res, err := decoders.DecodeFlags(test)
 	assert.NilError(t, err)
-	assert.DeepEqual(t, result, expected)
+	assert.DeepEqual(t, expected, res)
 }