chore(deps): bump the minor-patch group across 1 directory with 5 updates

Bumps the minor-patch group with 5 updates in the /frontend directory: | Package | From | To | | --- | --- | --- | | [i18next](https://github.com/i18next/i18next) | `25.8.14` | `25.8.17` | | [react-i18next](https://github.com/i18next/react-i18next) | `16.5.5` | `16.5.6` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.3.5` | `25.4.0` | | [eslint](https://github.com/eslint/eslint) | `10.0.2` | `10.0.3` | | [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.56.1` | `8.57.0` | Updates `i18next` from 25.8.14 to 25.8.17 - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/i18next/compare/v25.8.14...v25.8.17) Updates `react-i18next` from 16.5.5 to 16.5.6 - [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/react-i18next/compare/v16.5.5...v16.5.6) Updates `@types/node` from 25.3.5 to 25.4.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 10.0.2 to 10.0.3 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v10.0.2...v10.0.3) Updates `typescript-eslint` from 8.56.1 to 8.57.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: i18next dependency-version: 25.8.17 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: react-i18next dependency-version: 16.5.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: "@types/node" dependency-version: 25.4.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-patch - dependency-name: eslint dependency-version: 10.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: typescript-eslint dependency-version: 8.57.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-10 13:30:18 +00:00 · 2026-03-11 08:18:08 +00:00
236 changed files with 7619 additions and 20508 deletions
@@ -7,9 +7,7 @@ TINYAUTH_APPURL=

 # database config

-# The database driver to use. Valid values: sqlite, postgres, memory.
-TINYAUTH_DATABASE_DRIVER="sqlite"
-# The path to the SQLite database file, or connection URL when driver is postgres.
+# The path to the database, including file name.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"

 # analytics config
@@ -32,8 +30,6 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
-# Enable listening on both TCP and Unix socket at the same time.
-TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false

 # auth config

@@ -41,52 +37,8 @@ TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
-# List of IPs or CIDR ranges that bypass authentication entirely.
-TINYAUTH_AUTH_IP_BYPASS=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
-# Enable subdomains support.
-TINYAUTH_AUTH_SUBDOMAINSENABLED=true
-# Full name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NAME=
-# Given (first) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GIVENNAME=
-# Family (last) name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_FAMILYNAME=
-# Middle name of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_MIDDLENAME=
-# Nickname of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_NICKNAME=
-# URL of the user's profile page.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PROFILE=
-# URL of the user's profile picture.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PICTURE=
-# URL of the user's website.
-TINYAUTH_AUTH_USERATTRIBUTES_name_WEBSITE=
-# Email address of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_EMAIL=
-# Gender of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_GENDER=
-# Birthdate of the user (YYYY-MM-DD).
-TINYAUTH_AUTH_USERATTRIBUTES_name_BIRTHDATE=
-# Time zone of the user (e.g. Europe/Athens).
-TINYAUTH_AUTH_USERATTRIBUTES_name_ZONEINFO=
-# Locale of the user (e.g. en-US).
-TINYAUTH_AUTH_USERATTRIBUTES_name_LOCALE=
-# Phone number of the user.
-TINYAUTH_AUTH_USERATTRIBUTES_name_PHONENUMBER=
-# Full mailing address, formatted for display.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_FORMATTED=
-# Street address.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_STREETADDRESS=
-# City or locality.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_LOCALITY=
-# State, province, or region.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_REGION=
-# Zip or postal code.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_POSTALCODE=
-# Country.
-TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_COUNTRY=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
@@ -101,8 +53,6 @@ TINYAUTH_AUTH_LOGINTIMEOUT=300
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
-# ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
-TINYAUTH_AUTH_ACLS_POLICY="allow"

 # apps config

@@ -141,8 +91,6 @@ TINYAUTH_APPS_name_LDAP_GROUPS=

 # Comma-separated list of allowed OAuth domains.
 TINYAUTH_OAUTH_WHITELIST=
-# Path to the OAuth whitelist file.
-TINYAUTH_OAUTH_WHITELISTFILE=
 # The OAuth provider to use for automatic redirection.
 TINYAUTH_OAUTH_AUTOREDIRECT=
 # OAuth client ID.
@@ -151,10 +99,6 @@ TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
-# Comma-separated list of allowed OAuth domains for this provider.
-TINYAUTH_OAUTH_PROVIDERS_name_WHITELIST=
-# Path to the OAuth whitelist file for this provider.
-TINYAUTH_OAUTH_PROVIDERS_name_WHITELISTFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
@@ -218,8 +162,6 @@ TINYAUTH_LDAP_AUTHCERT=
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
-# Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment.
-TINYAUTH_LABELPROVIDER="auto"

 # log config

@@ -239,16 +181,3 @@ TINYAUTH_LOG_STREAMS_APP_LEVEL=
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
-
-# tailscale config
-
-# Enable Tailscale integration.
-TINYAUTH_TAILSCALE_ENABLED=false
-# Tailscale state directory.
-TINYAUTH_TAILSCALE_DIR="./tailscale_state"
-# Tailscale hostname.
-TINYAUTH_TAILSCALE_HOSTNAME=
-# Tailscale auth key.
-TINYAUTH_TAILSCALE_AUTHKEY=
-# Use ephemeral Tailscale node.
-TINYAUTH_TAILSCALE_EPHEMERAL=false
@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help improve Tinyauth
+title: "[BUG]"
+labels: bug
+assignees: steveiliop56
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Please include the Tinyauth logs below, make sure to not include sensitive info.
+
+**Device (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. chrome, safari]
+ - Tinyauth [e.g. v2.1.1]
+ - Docker [e.g. 27.3.1]
+
+**
+**Additional context**
+Add any other context about the problem here.
@@ -1,89 +0,0 @@
-name: Bug Report
-description: Create a report to help us improve this project
-title: "[BUG]"
-labels: bug
-assignees:
-  - steveiliop56
-
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for reporting a bug! Please provide detailed information below.
-
-  - type: textarea
-    id: description
-    attributes:
-      label: Describe the Bug
-      description: "A clear and concise description of what the bug is."
-    validations:
-      required: true
-
-  - type: textarea
-    id: reproduce
-    attributes:
-      label: How to Reproduce
-      description: Steps to reproduce the behavior.
-      value: |
-        1. Go to '...'
-        2. Click on '....'
-        3. Scroll down to '....'
-        4. See error
-    validations:
-      required: false
-
-  - type: textarea
-    id: expected
-    attributes:
-      label: Expected Behavior
-      description: "A clear and concise description of what you expected to happen."
-    validations:
-      required: true
-
-  - type: textarea
-    id: context
-    attributes:
-      label: "Additional Context"
-      description: "If applicable add screenshots to help explain your problem."
-    validations:
-      required: false
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: "Logs"
-      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
-    validations:
-      required: false
-
-  - type: input
-    id: os
-    attributes:
-      label: Operating System
-      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
-
-  - type: input
-    id: browser
-    attributes:
-      label: Browser
-      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
-
-  - type: input
-    id: tinyauth
-    attributes:
-      label: Tinyauth Version
-      placeholder: "e.g. v5.0.0"
-
-  - type: input
-    id: docker
-    attributes:
-      label: Docker Version (if applicable)
-      placeholder: "e.g. 27.3.1"
-
-  - type: checkboxes
-    id: not-llm
-    attributes:
-      label: Human Written Confirmation
-      options:
-        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
-          required: true
@@ -1,8 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Tinyauth Community Support on Discord
-    url: https://discord.gg/eHzVaCzRRd
-    about: Please ask and answer questions here.
-  - name: Tinyauth Documentation
-    url: https://tinyauth.app/docs/getting-started/
-    about: Please check the documentation here.
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees: steveiliop56
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
@@ -1,52 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-title: "[FEATURE]"
-labels: enhancement
-assignees:
-  - steveiliop56
-
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for suggesting a feature! Please provide detailed information below.
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Is your feature request related to a problem? Please describe.
-      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
-    validations:
-      required: false
-
-  - type: textarea
-    id: solution
-    attributes:
-      label: Describe the solution you'd like.
-      description: "A clear and concise description of what you want to happen."
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Describe alternatives you've considered.
-      description: "A clear and concise description of any alternative solutions or features you've considered."
-    validations:
-      required: false
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional context
-      description: "Add any other context or screenshots about the feature request here."
-    validations:
-      required: false
-
-  - type: checkboxes
-    id: not-llm
-    attributes:
-      label: Human Written Confirmation
-      options:
-        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
-          required: true
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "npm"
+  - package-ecosystem: "bun"
    directory: "/frontend"
    groups:
      minor-patch:
@@ -24,8 +24,3 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
@@ -5,63 +5,57 @@ on:
      - main
  pull_request:

-permissions:
-  contents: read
-
 jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Setup bun
+        uses: oven-sh/setup-bun@v2

      - name: Setup go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v5
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.24.0"

-      - name: Go dependencies
-        run: go mod download
-
-      - name: Setup sqlc
-        uses: sqlc-dev/setup-sqlc@v5
-        with:
-          sqlc-version: "1.31.1"
-
-      - name: Check codegen is up to date
+      - name: Initialize submodules
        run: |
-          sqlc generate
-          go generate ./internal/repository/...
-          git diff --exit-code -- internal/repository/
-          git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Set version
-        run: echo testing > internal/assets/version
+        run: |
+          echo testing > internal/assets/version

      - name: Lint frontend
-        working-directory: ./frontend
-        run: pnpm run lint
+        run: |
+          cd frontend
+          bun run lint

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Copy frontend
-        run: cp -r frontend/dist internal/assets/dist
+        run: |
+          cp -r frontend/dist internal/assets/dist

      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...

      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
+        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -4,16 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"

-permissions:
-  contents: write
-  packages: write
-
 jobs:
  create-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4

      - name: Delete old release
        run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -23,7 +19,7 @@ jobs:
          REPO: ${{ github.event.repository.name }}

      - name: Create release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v2
        with:
          prerelease: true
          tag_name: nightly
@@ -37,7 +33,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

@@ -55,40 +51,50 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v5
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: tinyauth-amd64
          path: tinyauth-amd64
@@ -100,40 +106,50 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v5
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: tinyauth-arm64
          path: tinyauth-arm64
@@ -145,28 +161,37 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
@@ -188,7 +213,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -203,28 +228,37 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
@@ -247,7 +281,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -261,28 +295,37 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
@@ -304,7 +347,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -319,28 +362,37 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
        with:
          ref: nightly

+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff
+
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
@@ -363,7 +415,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -377,25 +429,25 @@ jobs:
      - image-build-arm
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -416,25 +468,25 @@ jobs:
      - image-build-arm-distroless
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -454,14 +506,14 @@ jobs:
      - binary-build
      - binary-build-arm
    steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v4
        with:
          pattern: tinyauth-*
          path: binaries
          merge-multiple: true

      - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v2
        with:
          files: binaries/*
          tag_name: nightly
@@ -5,10 +5,6 @@ on:
    tags:
      - "v*"

-permissions:
-  contents: write
-  packages: write
-
 jobs:
  generate-metadata:
    runs-on: ubuntu-latest
@@ -18,7 +14,9 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
+        with:
+          ref: nightly

      - name: Generate metadata
        id: metadata
@@ -33,38 +31,48 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v5
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: tinyauth-amd64
          path: tinyauth-amd64
@@ -75,38 +83,48 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4

-      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
-        with:
-          package_json_file: ./frontend/package.json
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v5
        with:
-          go-version: "^1.26.0"
+          go-version: "^1.24.0"
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: pnpm ci
+        run: |
+          cd frontend
+          bun install --frozen-lockfile

      - name: Install backend dependencies
-        run: go mod download
+        run: |
+          go mod download

      - name: Build frontend
-        working-directory: ./frontend
-        run: pnpm run build
+        run: |
+          cd frontend
+          bun run build

      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0

      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: tinyauth-arm64
          path: tinyauth-arm64
@@ -117,26 +135,35 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
@@ -150,7 +177,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -159,7 +185,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -173,26 +199,35 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
@@ -207,7 +242,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -216,7 +250,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -229,26 +263,35 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
@@ -262,7 +305,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -271,7 +313,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -285,26 +327,35 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4
+
+      - name: Initialize submodules
+        run: |
+          git submodule init
+          git submodule update
+
+      - name: Apply patches
+        run: |
+          git apply --directory paerser/ patches/nested_maps.diff

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
@@ -319,7 +370,6 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"

      - name: Export digest
        run: |
@@ -328,7 +378,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -342,25 +392,25 @@ jobs:
      - image-build-arm
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -383,25 +433,25 @@ jobs:
      - image-build-arm-distroless
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
+        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
+        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -425,13 +475,13 @@ jobs:
      - binary-build
      - binary-build-arm
    steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v4
        with:
          pattern: tinyauth-*
          path: binaries
          merge-multiple: true

      - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v2
        with:
          files: binaries/*
@@ -1,43 +0,0 @@
-name: Scorecard supply-chain security
-on:
-  branch_protection_rule:
-  schedule:
-    - cron: "31 17 * * 5"
-  push:
-    branches: ["main"]
-
-permissions: read-all
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
-    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
-    permissions:
-      security-events: write
-      id-token: write
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
-        with:
-          persist-credentials: false
-
-      - name: Run analysis
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          publish_results: true
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
-        with:
-          sarif_file: results.sarif
@@ -2,19 +2,15 @@ name: Generate Sponsors List
 on:
  workflow_dispatch:

-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
  generate-sponsors:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@v4

      - name: Generate Sponsors
-        uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1
+        uses: JamesIves/github-sponsors-readme-action@v1
        with:
          token: ${{ secrets.SPONSORS_GENERATOR_PAT }}
          active-only: false
@@ -22,7 +18,7 @@ jobs:
          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="64px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
+        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: |
@@ -0,0 +1,20 @@
+name: Close stale issues and PRs
+on:
+  schedule:
+    - cron: 0 10 * * *
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 30
+          stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.
+          stale-issue-message: This issue has been inactive for 30 days and will be marked as stale.
+          close-issue-message: Closed for inactivity.
+          close-pr-message: Closed for inactivity.
+          stale-issue-label: stale
+          stale-pr-label: stale
+          exempt-issue-labels: pinned
+          exempt-pr-labels: pinned
@@ -48,6 +48,3 @@ __debug_*

 # testing config
 config.certify.yml
-
-# deepsec
-/.deepsec
@@ -0,0 +1,4 @@
+[submodule "paerser"]
+	path = paerser
+	url = https://github.com/traefik/paerser
+	ignore = all
@@ -0,0 +1,15 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Connect to server",
+      "type": "go",
+      "request": "attach",
+      "mode": "remote",
+      "remotePath": "/tinyauth",
+      "port": 4000,
+      "host": "127.0.0.1",
+      "debugAdapter": "legacy"
+    }
+  ]
+}
@@ -1,27 +0,0 @@
-# AI Usage Policy
-
-> [!NOTE]
-> By Tinyauth, we refer to the entire Tinyauth ([tinyauthapp](https://github.com/tinyauthapp)) organization and all of the repositories under it.
-
-## How we utilize AI in Tinyauth
-
-In Tinyauth, we see AI as another tool designed to help developers accelerate their work, ***not*** as something that should be doing the development for them. The ways we utilize large language models in Tinyauth are the following:
-
- **Pull request reviews**: We utilize [CodeRabbit](https://www.coderabbit.ai/) for reviews in our pull requests which helps us find and fix issues faster, minimizing the time maintainers have to spend reviewing.
- **Documentation and Issues**: We use [Dosu](https://dosu.dev/) to help resolve duplicate issues faster and automatically update our documentation based on changes in the code base.
- **In-Line Suggestions**: GitHub's [Copilot](https://github.com/features/copilot) is partially used to fill in boilerplate code through in-line suggestions.
-
-## How we expect the community to use AI
-
-We expect the Tinyauth community to use AI as a tool for faster development and not as a way to implement entire features through prompts. For this reason, the following guidelines are in place for AI generated content:
-
- **All usage must be clearly labeled**: Any content generated by AI must be clearly labeled as such. In the case that a pull request is clearly generated by AI and the author fails to disclose its use, it will be rejected.
- **All generated content should be completely understood by the account holder**: The human who utilized the large language model to generate content must have a thorough understanding of it. This includes understanding the resulting output to the full extent and being able to explain it in detail in case it's needed.
- **Automated systems are not allowed**: All forms of automated systems that utilize large language models to generate content without human oversight are forbidden. This includes any system that generates content without a human being directly involved in the process like for example with OpenClaw.
- **No generated content other than text is allowed**: Images, videos, audio and any other form of content generated by AI other than text is not allowed in Tinyauth.
- **AI pull requests are not guaranteed to be accepted or prioritized**: Any pull request that contains AI generated content is not guaranteed to be accepted and/or prioritized. The maintainers are responsible for reviewing all pull requests and determining whether or not they meet the standards of the project. AI generated content will be reviewed with the same standards as any other content, and may be rejected if it does not meet those standards.
- **Large generated pull requests will be rejected**: Any pull request that contains a large amount of generated content will be rejected. This is because it is difficult for the maintainers to review and verify large amounts of generated content.
-
-## Tinyauth is developed by humans, for humans
-
-Please remember that Tinyauth is developed by humans. While AI can be a useful tool for **assisting** in the development process, it should not be used in place of the human brain. Moving forward, we are committed to ensuring that most, if not all the content in Tinyauth is created and reviewed by humans, and that AI is only used as a tool to assist in the development process.
@@ -2,12 +2,9 @@

 Contributing to Tinyauth is straightforward. Follow the steps below to set up a development server.

-> [!NOTE]
-> If you are using large language models to contribute to the project, please ensure that you have read and understood the [AI Policy](AI_POLICY.md).
-
 ## Requirements

- pnpm
+- Bun
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -18,13 +15,30 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 Start by cloning the repository:

 ```sh
-git clone https://github.com/tinyauthapp/tinyauth
+git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```

-## Installing Dependencies
+## Initialize Submodules

-While development occurs within Docker, installing the dependencies locally is recommended to avoid import errors. Install the Go dependencies:
+The project uses Git submodules for some dependencies, so you need to initialize them with:
+
+```sh
+git submodule init
+git submodule update
+```
+
+## Apply patches
+
+Some of the dependencies must be patched in order to work correctly with the project, you can apply the patches by running:
+
+```sh
+git apply --directory paerser/ patches/nested_maps.diff
+```
+
+## Installing Requirements
+
+While development occurs within Docker, installing the requirements locally is recommended to avoid import errors. Install the Go dependencies:

 ```sh
 go mod tidy
@@ -34,7 +48,7 @@ Frontend dependencies can be installed as follows:

 ```sh
 cd frontend/
-pnpm ci
+bun install
 ```

 ## Create the `.env` file
@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.3-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder

 WORKDIR /frontend

-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,18 +17,19 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./

-RUN pnpm run build
+RUN bun run build

 # Builder
-FROM golang:1.26-alpine3.23 AS builder
+FROM golang:1.25-alpine3.21 AS builder

 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
-ARG LDFLAGS

 WORKDIR /tinyauth

+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./

@@ -40,10 +39,10 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist

-RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth

 # Runner
 FROM alpine:3.23 AS runner
@@ -1,14 +1,16 @@
-FROM golang:1.26-alpine3.23
+FROM golang:1.25-alpine3.21

 WORKDIR /tinyauth

+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./

 RUN go mod download

 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
+RUN go install github.com/go-delve/delve/cmd/dlv@latest

 COPY ./cmd ./cmd
 COPY ./internal ./internal
@@ -1,14 +1,12 @@
 # Site builder
-FROM node:26.3-alpine3.23 AS frontend-builder
+FROM oven/bun:1.3.10-alpine AS frontend-builder

 WORKDIR /frontend

-RUN npm install -g pnpm@11.1.2
-
 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,18 +17,19 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./

-RUN pnpm run build
+RUN bun run build

 # Builder
-FROM golang:1.26-alpine3.23 AS builder
+FROM golang:1.25-alpine3.21 AS builder

 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
-ARG LDFLAGS

 WORKDIR /tinyauth

+COPY ./paerser ./paerser
+
 COPY go.mod ./
 COPY go.sum ./

@@ -42,10 +41,10 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist

 RUN mkdir -p data

-RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth

 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
@@ -1,5 +1,5 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
@@ -7,15 +7,17 @@

                            Preamble

-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.

  The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
+the GNU General Public License is intended to guarantee your freedom to
 share and change all versions of a program--to make sure it remains free
-software for all its users.
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.

  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@@ -24,34 +26,44 @@ them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.

-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.

-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.

-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.

-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.

  The precise terms and conditions for copying, distribution and
 modification follow.
@@ -60,7 +72,7 @@ modification follow.

  0. Definitions.

-  "This License" refers to version 3 of the GNU Affero General Public License.
+  "This License" refers to version 3 of the GNU General Public License.

  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
@@ -537,45 +549,35 @@ to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.

-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
+  13. Use with the GNU Affero General Public License.

  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
+under version 3 of the GNU Affero General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.

  14. Revised Versions of this License.

  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.

  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
+Program specifies that a certain numbered version of the GNU General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
+GNU General Public License, you may choose any version ever published
 by the Free Software Foundation.

  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
+versions of the GNU General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.

@@ -633,29 +635,40 @@ the "copyright" line and a pointer to where the full notice is found.
    Copyright (C) <year>  <name of author>

    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
+    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
+    GNU General Public License for more details.

-    You should have received a copy of the GNU Affero General Public License
+    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.

 Also add information on how to contact you by electronic and paper mail.

-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".

  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
+For more information on this, and how to apply and follow the GNU GPL, see
 <https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
@@ -8,17 +8,14 @@ TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
-LDFLAGS := -s -w

 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
 PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-compose.test.prod.yml" || echo "docker-compose.example.yml" )

-.DEFAULT_GOAL := binary
-
 # Deps
 deps:
-	cd frontend && pnpm ci
+	bun install --cwd frontend
 	go mod download

 # Clean data
@@ -32,15 +29,15 @@ clean-webui:

 # Build the web UI
 webui: clean-webui
-	cd frontend && pnpm run build
+	bun run --cwd frontend build
 	cp -r frontend/dist internal/assets

 # Build the binary
 binary: webui
-	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "${LDFLAGS} \
-	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
-	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
-	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
+	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
+	-X github.com/steveiliop56/tinyauth/internal/config.Version=${TAG_NAME} \
+	-X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
+	-X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth

 # Build for amd64
@@ -62,15 +59,6 @@ binary-linux-arm64:
 test:
 	go test -v ./...

-# Go vet
-.PHONY: vet
-vet:
-	go vet ./...
-
-# Go race
-test-race:
-	go test -race ./...
-
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
@@ -95,4 +83,3 @@ sql:
 # Go gen
 generate:
 	go run ./gen
-	go generate ./internal/repository/...
@@ -5,15 +5,11 @@
 </div>

 <div align="center">
-    <img alt="License" src="https://img.shields.io/github/license/tinyauthapp/tinyauth">
-    <img alt="Release" src="https://img.shields.io/github/v/release/tinyauthapp/tinyauth">
-    <img alt="Issues" src="https://img.shields.io/github/issues/tinyauthapp/tinyauth">
-    <img alt="Tinyauth CI" src="https://github.com/tinyauthapp/tinyauth/actions/workflows/ci.yml/badge.svg">
+    <img alt="License" src="https://img.shields.io/github/license/steveiliop56/tinyauth">
+    <img alt="Release" src="https://img.shields.io/github/v/release/steveiliop56/tinyauth">
+    <img alt="Issues" src="https://img.shields.io/github/issues/steveiliop56/tinyauth">
+    <img alt="Tinyauth CI" src="https://github.com/steveiliop56/tinyauth/actions/workflows/ci.yml/badge.svg">
    <a title="Crowdin" target="_blank" href="https://crowdin.com/project/tinyauth"><img src="https://badges.crowdin.net/tinyauth/localized.svg"></a>
-    <a href="https://scorecard.dev/viewer/?uri=github.com/tinyauthapp/tinyauth" target="_blank" title="OpenSSF Scorecard">
-      <img src="https://api.scorecard.dev/projects/github.com/tinyauthapp/tinyauth/badge">
-    </a>
-    <a href="https://www.bestpractices.dev/projects/12681" target="_blank" title="OSSF Best Practices"><img src="https://www.bestpractices.dev/projects/12681/baseline"></a>
 </div>

 <br />
@@ -40,7 +36,7 @@ If you are still not sure if Tinyauth suits your needs you can try out the [demo

 You can find documentation and guides on all of the available configuration of Tinyauth in the [website](https://tinyauth.app).

-If you wish to contribute to the documentation head over to the [repository](https://github.com/tinyauthapp/docs).
+If you wish to contribute to the documentation head over to the [repository](https://github.com/steveiliop56/tinyauth-docs).

 ## Discord

@@ -48,7 +44,7 @@ Tinyauth has a [Discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop

 ## Contributing

-All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/tinyauthapp/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
+All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.

 ## Localization

@@ -56,13 +52,13 @@ If you like, you can help translate Tinyauth into more languages by visiting the

 ## License

-Tinyauth is licensed under the GNU Affero General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) AGPL-licensed code must also be made available under the AGPL along with build & install instructions. If you run a modified version over a network, you must also make the source available to the users of that service. For more information about the license check the [license](LICENSE) file.
+Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.

 ## Sponsors

 A big thank you to the following people for providing me with more coffee:

-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<a href="https://github.com/apearson"><img src="https:&#x2F;&#x2F;github.com&#x2F;apearson.png" width="64px" alt="User avatar: apearson" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/algorist-ahmad"><img src="https:&#x2F;&#x2F;github.com&#x2F;algorist-ahmad.png" width="64px" alt="User avatar: algorist-ahmad" /></a>&nbsp;&nbsp;<!-- sponsors -->

 ## Acknowledgements

@@ -73,4 +69,4 @@ A big thank you to the following people for providing me with more coffee:

 ## Star History

-[![Star History Chart](https://api.star-history.com/svg?repos=tinyauthapp/tinyauth&type=Date)](https://www.star-history.com/#tinyauthapp/tinyauth&Date)
+[![Star History Chart](https://api.star-history.com/svg?repos=steveiliop56/tinyauth&type=Date)](https://www.star-history.com/#steveiliop56/tinyauth&Date)
@@ -2,56 +2,8 @@

 ## Supported Versions

-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/steveiliop56/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.

 ## Reporting a Vulnerability

-Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
-
-Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
-
-Or send us an email at <security@tinyauth.app>.
-
-### A note on AI-assisted reports
-
-If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
-
-When submitting a report, please use the structure below so it can be triaged quickly.
-
---
-
-### 1. Summary
-
-A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
-
-### 2. Steps to Reproduce / Proof of Concept
-
-Provide a minimal, reliable reproduction:
-
-1. Step one
-2. Step two
-3. Step three
-
-Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
-
-### 3. Expected vs. Actual Behaviour
-
- **Expected:** what *should* happen
- **Actual:** what *does* happen, and why it's a security issue
-
-### 4. Suggested Fix or Mitigation *(optional)*
-
-If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
-
- **Have you tested this fix?** Yes / No
- **If yes,** briefly describe how it was tested and what was verified.
-
---
-
-## What to Expect
-
- **Acknowledgement** within a reasonable timeframe after receiving your report
- **Updates** as the issue is investigated and addressed
- **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
-
-We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <steve@doesmycode.work>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
@@ -3,7 +3,7 @@
  "embeds": [
    {
      "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.\n\n**Information**\n\n• Github: <https://github.com/tinyauthapp/tinyauth>\n• Website: <https://tinyauth.app>",
+      "description": "Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
      "url": "https://tinyauth.app",
      "color": 7002085,
      "author": {
@@ -14,9 +14,9 @@
      },
      "timestamp": "2025-06-06T12:25:27.629Z",
      "thumbnail": {
-        "url": "https://github.com/tinyauthapp/tinyauth/blob/main/assets/logo.png?raw=true"
+        "url": "https://github.com/steveiliop56/tinyauth/blob/main/assets/logo.png?raw=true"
      }
    }
  ],
  "attachments": []
-}
+}
@@ -7,8 +7,8 @@ import (
 	"strings"

 	"github.com/google/uuid"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/paerser/cli"
+	"github.com/steveiliop56/tinyauth/internal/utils"
+	"github.com/traefik/paerser/cli"
 )

 func createOidcClientCmd() *cli.Command {
@@ -5,9 +5,9 @@ import (
 	"fmt"
 	"strings"

-	"charm.land/huh/v2"
-	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/charmbracelet/huh"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
+	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -40,8 +40,7 @@ func createUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -62,8 +61,9 @@ func createUserCmd() *cli.Command {
 					),
 				)

-				theme := new(themeBase)
-				err := form.WithTheme(theme).Run()
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()

 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
@@ -74,7 +74,7 @@ func createUserCmd() *cli.Command {
 				return errors.New("username and password cannot be empty")
 			}

-			log.App.Info().Str("username", tCfg.Username).Msg("Creating user")
+			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")

 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
@@ -87,7 +87,7 @@ func createUserCmd() *cli.Command {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}

-			log.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")

 			return nil
 		},
@@ -6,13 +6,13 @@ import (
 	"os"
 	"strings"

-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/steveiliop56/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"

-	"charm.land/huh/v2"
+	"github.com/charmbracelet/huh"
 	"github.com/mdp/qrterminal/v3"
 	"github.com/pquerna/otp/totp"
-	"github.com/tinyauthapp/paerser/cli"
+	"github.com/traefik/paerser/cli"
 )

 type GenerateTotpConfig struct {
@@ -40,8 +40,7 @@ func generateTotpCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -55,8 +54,9 @@ func generateTotpCmd() *cli.Command {
 					),
 				)

-				theme := new(themeBase)
-				err := form.WithTheme(theme).Run()
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()

 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
@@ -74,7 +74,7 @@ func generateTotpCmd() *cli.Command {
 				docker = true
 			}

-			if user.TOTPSecret != "" {
+			if user.TotpSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
 			}

@@ -89,9 +89,9 @@ func generateTotpCmd() *cli.Command {

 			secret := key.Secret()

-			log.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
+			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")

-			log.App.Info().Msg("Generated QR code")
+			tlog.App.Info().Msg("Generated QR code")

 			config := qrterminal.Config{
 				Level:     qrterminal.L,
@@ -103,14 +103,14 @@ func generateTotpCmd() *cli.Command {

 			qrterminal.GenerateWithConfig(key.URL(), config)

-			user.TOTPSecret = secret
+			user.TotpSecret = secret

 			// If using docker escape re-escape it
 			if docker {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}

-			log.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")

 			return nil
 		},
@@ -9,12 +9,12 @@ import (
 	"os"
 	"time"

-	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
+	"github.com/traefik/paerser/cli"
 )

 type healthzResponse struct {
-	Status  int    `json:"status"`
+	Status  string `json:"status"`
 	Message string `json:"message"`
 }

@@ -26,8 +26,7 @@ func healthcheckCmd() *cli.Command {
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			if srvAddr == "" {
@@ -49,7 +48,7 @@ func healthcheckCmd() *cli.Command {
 				return errors.New("Could not determine app URL")
 			}

-			log.App.Info().Str("app_url", appUrl).Msg("Performing health check")
+			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")

 			client := http.Client{
 				Timeout: 30 * time.Second,
@@ -87,7 +86,7 @@ func healthcheckCmd() *cli.Command {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}

-			log.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")

 			return nil
 		},
@@ -3,17 +3,17 @@ package main
 import (
 	"fmt"

-	"charm.land/huh/v2"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
+	"github.com/steveiliop56/tinyauth/internal/bootstrap"
+	"github.com/steveiliop56/tinyauth/internal/config"
+	"github.com/steveiliop56/tinyauth/internal/utils/loaders"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"

 	"github.com/rs/zerolog/log"
-	"github.com/tinyauthapp/paerser/cli"
+	"github.com/traefik/paerser/cli"
 )

 func main() {
-	tConfig := model.NewDefaultConfiguration()
+	tConfig := config.NewDefaultConfiguration()

 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
@@ -107,7 +107,12 @@ func main() {
 	}
 }

-func runCmd(cfg model.Config) error {
+func runCmd(cfg config.Config) error {
+	logger := tlog.NewLogger(cfg.Log)
+	logger.Init()
+
+	tlog.App.Info().Str("version", config.Version).Msg("Starting tinyauth")
+
 	app := bootstrap.NewBootstrapApp(cfg)

 	err := app.Setup()
@@ -118,9 +123,3 @@ func runCmd(cfg model.Config) error {

 	return nil
 }
-
-type themeBase struct{}
-
-func (t *themeBase) Theme(isDark bool) *huh.Styles {
-	return huh.ThemeBase(isDark)
-}
@@ -4,12 +4,12 @@ import (
 	"errors"
 	"fmt"

-	"github.com/tinyauthapp/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"github.com/steveiliop56/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"

-	"charm.land/huh/v2"
+	"github.com/charmbracelet/huh"
 	"github.com/pquerna/otp/totp"
-	"github.com/tinyauthapp/paerser/cli"
+	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -44,8 +44,7 @@ func verifyUserCmd() *cli.Command {
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
-			log := logger.NewLogger().WithSimpleConfig()
-			log.Init()
+			tlog.NewSimpleLogger().Init()

 			if tCfg.Interactive {
 				form := huh.NewForm(
@@ -72,8 +71,9 @@ func verifyUserCmd() *cli.Command {
 					),
 				)

-				theme := new(themeBase)
-				err := form.WithTheme(theme).Run()
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()

 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
@@ -96,21 +96,21 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("password is incorrect: %w", err)
 			}

-			if user.TOTPSecret == "" {
+			if user.TotpSecret == "" {
 				if tCfg.Totp != "" {
-					log.App.Warn().Msg("User does not have TOTP secret")
+					tlog.App.Warn().Msg("User does not have TOTP secret")
 				}
-				log.App.Info().Msg("User verified")
+				tlog.App.Info().Msg("User verified")
 				return nil
 			}

-			ok := totp.Validate(tCfg.Totp, user.TOTPSecret)
+			ok := totp.Validate(tCfg.Totp, user.TotpSecret)

 			if !ok {
 				return fmt.Errorf("TOTP code incorrect")
 			}

-			log.App.Info().Msg("User verified")
+			tlog.App.Info().Msg("User verified")

 			return nil
 		},
@@ -3,8 +3,9 @@ package main
 import (
 	"fmt"

-	"github.com/tinyauthapp/paerser/cli"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
+
+	"github.com/traefik/paerser/cli"
 )

 func versionCmd() *cli.Command {
@@ -14,9 +15,9 @@ func versionCmd() *cli.Command {
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
-			fmt.Printf("Version: %s\n", model.Version)
-			fmt.Printf("Commit Hash: %s\n", model.CommitHash)
-			fmt.Printf("Build Timestamp: %s\n", model.BuildTimestamp)
+			fmt.Printf("Version: %s\n", config.Version)
+			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
+			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
 			return nil
 		},
 	}
@@ -1,14 +1,15 @@
 services:
  traefik:
+    container_name: traefik
    image: traefik:v3.6
-    command: --api.insecure=true --providers.docker --entrypoints.web.address=:80 --entrypoints.websecure.address=:443
+    command: --api.insecure=true --providers.docker
    ports:
      - 80:80
-      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
+    container_name: whoami
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
@@ -16,6 +17,7 @@ services:
      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth-frontend:
+    container_name: tinyauth-frontend
    build:
      context: .
      dockerfile: frontend/Dockerfile.dev
@@ -26,10 +28,9 @@ services:
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
-      traefik.http.routers.tinyauth.entrypoints: websecure
-      traefik.http.routers.tinyauth.tls: true

  tinyauth-backend:
+    container_name: tinyauth-backend
    build:
      context: .
      dockerfile: Dockerfile.dev
@@ -1,5 +1,6 @@
 services:
  traefik:
+    container_name: traefik
    image: traefik:v3.6
    command: --api.insecure=true --providers.docker
    ports:
@@ -8,6 +9,7 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock

  whoami:
+    container_name: whoami
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
@@ -15,7 +17,8 @@ services:
      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth:
-    image: ghcr.io/tinyauthapp/tinyauth:v5
+    container_name: tinyauth
+    image: ghcr.io/steveiliop56/tinyauth:v3
    environment:
      - TINYAUTH_APPURL=https://tinyauth.example.com
      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
@@ -0,0 +1,6 @@
+# Ignore artifacts:
+dist
+node_modules
+bun.lock
+package.json
+src/lib/i18n/locales
@@ -0,0 +1 @@
+{}
@@ -1,13 +1,11 @@
-FROM node:26.1-alpine3.23
-
-RUN npm install -g pnpm@11.1.2
+FROM oven/bun:1.2.16-alpine

 WORKDIR /frontend

 COPY ./frontend/package.json ./
-COPY ./frontend/pnpm-lock.yaml ./
+COPY ./frontend/bun.lock ./

-RUN pnpm ci
+RUN bun install

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -21,4 +19,4 @@ COPY ./frontend/vite.config.ts ./

 EXPOSE 5173

-ENTRYPOINT ["pnpm", "run", "dev"]
+ENTRYPOINT ["bun", "run", "dev"]
@@ -9,10 +9,6 @@
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <meta name="apple-mobile-web-app-title" content="Tinyauth" />
    <meta name="robots" content="nofollow, noindex" />
-    <meta
-      name="description"
-      content="The tiniest authentication and authorization server you have ever seen."
-    />
    <link rel="manifest" href="/site.webmanifest" />
    <title>Tinyauth</title>
  </head>
@@ -10,7 +10,6 @@
    "preview": "vite preview",
    "tsc": "tsc -b"
  },
-  "packageManager": "pnpm@11.1.2",
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -18,44 +17,45 @@
    "@radix-ui/react-select": "^2.2.6",
    "@radix-ui/react-separator": "^1.1.8",
    "@radix-ui/react-slot": "^1.2.4",
-    "@tailwindcss/vite": "^4.2.2",
-    "@tanstack/react-query": "^5.99.0",
-    "axios": "^1.15.0",
+    "@tailwindcss/vite": "^4.2.1",
+    "@tanstack/react-query": "^5.90.21",
+    "axios": "^1.13.6",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "i18next": "^26.0.4",
+    "i18next": "^25.8.17",
    "i18next-browser-languagedetector": "^8.2.1",
    "i18next-resources-to-backend": "^1.2.1",
-    "lucide-react": "^1.8.0",
+    "input-otp": "^1.4.2",
+    "lucide-react": "^0.577.0",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
-    "react": "^19.2.5",
-    "react-dom": "^19.2.5",
-    "react-hook-form": "^7.72.1",
-    "react-i18next": "^17.0.2",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "react-hook-form": "^7.71.2",
+    "react-i18next": "^16.5.6",
    "react-markdown": "^10.1.0",
-    "react-router": "^7.14.0",
+    "react-router": "^7.13.1",
    "sonner": "^2.0.7",
    "tailwind-merge": "^3.5.0",
-    "tailwindcss": "^4.2.2",
+    "tailwindcss": "^4.2.1",
    "zod": "^4.3.6"
  },
  "devDependencies": {
    "@eslint/js": "^10.0.1",
-    "@tanstack/eslint-plugin-query": "^5.99.0",
-    "@types/node": "^25.6.0",
+    "@tanstack/eslint-plugin-query": "^5.91.4",
+    "@types/node": "^25.4.0",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^6.0.1",
-    "eslint": "^10.2.0",
+    "@vitejs/plugin-react": "^5.1.4",
+    "eslint": "^10.0.3",
    "eslint-plugin-react-hooks": "^7.0.1",
    "eslint-plugin-react-refresh": "^0.5.2",
-    "globals": "^17.5.0",
-    "prettier": "3.8.2",
+    "globals": "^17.4.0",
+    "prettier": "3.8.1",
    "rollup-plugin-visualizer": "^7.0.1",
    "tw-animate-css": "^1.4.0",
-    "typescript": "~6.0.2",
-    "typescript-eslint": "^8.58.1",
-    "vite": "^8.0.8"
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.57.0",
+    "vite": "^7.3.1"
  }
 }
@@ -1,4 +0,0 @@
-dangerouslyAllowAllBuilds: false
-blockExoticSubdeps: true
-minimumReleaseAge: 1440 # 1 day
-trustPolicy: no-downgrade
@@ -2,9 +2,9 @@ import { Navigate } from "react-router";
 import { useUserContext } from "./context/user-context";

 export const App = () => {
-  const { auth } = useUserContext();
+  const { isLoggedIn } = useUserContext();

-  if (auth.authenticated) {
+  if (isLoggedIn) {
    return <Navigate to="/logout" replace />;
  }

@@ -17,7 +17,6 @@ interface Props {
  onSubmit: (data: LoginSchema) => void;
  loading?: boolean;
  formId?: string;
-  params?: string;
 }

 export const LoginForm = (props: Props) => {
@@ -72,12 +71,6 @@ export const LoginForm = (props: Props) => {
                </FormControl>
                <a
                  href="/forgot-password"
-                  onClick={(e) => {
-                    e.preventDefault();
-                    window.location.replace(
-                      `/forgot-password${props.params ? `${props.params}` : ""}`,
-                    );
-                  }}
                  className="text-muted-foreground hover:text-muted-foreground/80 text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
                >
                  {t("forgotPasswordTitle")}
@@ -1,10 +1,14 @@
 import { Form, FormControl, FormField, FormItem } from "../ui/form";
-import { Input } from "../ui/input";
+import {
+  InputOTP,
+  InputOTPGroup,
+  InputOTPSeparator,
+  InputOTPSlot,
+} from "../ui/input-otp";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { useForm } from "react-hook-form";
 import { totpSchema, TotpSchema } from "@/schemas/totp-schema";
 import { useTranslation } from "react-i18next";
-import { useRef } from "react";
 import z from "zod";

 interface Props {
@@ -15,7 +19,6 @@ interface Props {
 export const TotpForm = (props: Props) => {
  const { formId, onSubmit } = props;
  const { t } = useTranslation();
-  const autoSubmittedRef = useRef(false);

  z.config({
    customError: (iss) =>
@@ -26,19 +29,14 @@ export const TotpForm = (props: Props) => {
    resolver: zodResolver(totpSchema),
  });

-  const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
-    const value = e.target.value.replace(/\D/g, "").slice(0, 6);
-    form.setValue("code", value, { shouldDirty: true, shouldValidate: false });
-    if (value.length === 6 && !autoSubmittedRef.current) {
-      autoSubmittedRef.current = true;
-      form.handleSubmit(onSubmit)();
-      return;
+  const handleChange = (value: string) => {
+    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
+
+    if (value.length === 6) {
+      onSubmit({ code: value });
    }
-    autoSubmittedRef.current = false;
  };

-  // Note: This is not the best UX, ideally we would want https://github.com/guilhermerodz/input-otp
-  // but some password managers cannot autofill the inputs (see #92) so, simple input it is
  return (
    <Form {...form}>
      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -48,17 +46,25 @@ export const TotpForm = (props: Props) => {
          render={({ field }) => (
            <FormItem>
              <FormControl>
-                <Input
+                <InputOTP
+                  maxLength={6}
                  {...field}
-                  type="text"
-                  inputMode="numeric"
                  autoComplete="one-time-code"
                  autoFocus
-                  maxLength={6}
-                  placeholder="XXXXXX"
                  onChange={handleChange}
-                  className="text-center"
-                />
+                >
+                  <InputOTPGroup>
+                    <InputOTPSlot index={0} />
+                    <InputOTPSlot index={1} />
+                    <InputOTPSlot index={2} />
+                  </InputOTPGroup>
+                  <InputOTPSeparator />
+                  <InputOTPGroup>
+                    <InputOTPSlot index={3} />
+                    <InputOTPSlot index={4} />
+                    <InputOTPSlot index={5} />
+                  </InputOTPGroup>
+                </InputOTP>
              </FormControl>
            </FormItem>
          )}
@@ -0,0 +1,36 @@
+import { languages, SupportedLanguage } from "@/lib/i18n/locales";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "../ui/select";
+import { useState } from "react";
+import i18n from "@/lib/i18n/i18n";
+
+export const LanguageSelector = () => {
+  const [language, setLanguage] = useState<SupportedLanguage>(
+    i18n.language as SupportedLanguage,
+  );
+
+  const handleSelect = (option: string) => {
+    setLanguage(option as SupportedLanguage);
+    i18n.changeLanguage(option as SupportedLanguage);
+  };
+
+  return (
+    <Select onValueChange={handleSelect} value={language}>
+      <SelectTrigger>
+        <SelectValue placeholder="Select language" />
+      </SelectTrigger>
+      <SelectContent>
+        {Object.entries(languages).map(([key, value]) => (
+          <SelectItem key={key} value={key}>
+            {value}
+          </SelectItem>
+        ))}
+      </SelectContent>
+    </Select>
+  );
+};
@@ -1,27 +1,29 @@
 import { useAppContext } from "@/context/app-context";
+import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
-import { QuickActions } from "../quick-actions/quick-actions";
+import { ThemeToggle } from "../theme-toggle/theme-toggle";

 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
-  const { ui } = useAppContext();
+  const { backgroundImage, title } = useAppContext();

  useEffect(() => {
-    document.title = ui.title;
-  }, [ui.title]);
+    document.title = title;
+  }, [title]);

  return (
    <div
      className="flex flex-col justify-center items-center min-h-svh px-4"
      style={{
-        backgroundImage: `url(${ui.backgroundImage})`,
+        backgroundImage: `url(${backgroundImage})`,
        backgroundSize: "cover",
        backgroundPosition: "center",
      }}
    >
-      <div className="absolute top-4 right-4">
-        <QuickActions />
+      <div className="absolute top-4 right-4 flex flex-row gap-2">
+        <ThemeToggle />
+        <LanguageSelector />
      </div>
      <div className="max-w-sm md:min-w-sm min-w-xs">{children}</div>
    </div>
@@ -29,7 +31,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 };

 export const Layout = () => {
-  const { app, ui } = useAppContext();
+  const { appUrl, warningsEnabled } = useAppContext();
  const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
    return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
  });
@@ -40,15 +42,11 @@ export const Layout = () => {
    setIgnoreDomainWarning(true);
  }, [setIgnoreDomainWarning]);

-  if (
-    !ignoreDomainWarning &&
-    ui.warningsEnabled &&
-    !app.trustedDomains.includes(currentUrl)
-  ) {
+  if (!ignoreDomainWarning && warningsEnabled && appUrl !== currentUrl) {
    return (
      <BaseLayout>
        <DomainWarning
-          appUrl={app.appUrl}
+          appUrl={appUrl}
          currentUrl={currentUrl}
          onClick={() => handleIgnore()}
        />
@@ -1,208 +0,0 @@
-import { languages, SupportedLanguage } from "@/lib/i18n/locales";
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuLabel,
-  DropdownMenuPortal,
-  DropdownMenuSeparator,
-  DropdownMenuSub,
-  DropdownMenuSubContent,
-  DropdownMenuSubTrigger,
-  DropdownMenuTrigger,
-} from "../ui/dropdown-menu";
-import { useState } from "react";
-import i18n from "@/lib/i18n/i18n";
-import { useUserContext } from "@/context/user-context";
-import { ScrollArea } from "../ui/scroll-area";
-import { useTheme } from "../providers/theme-provider";
-import {
-  Check,
-  DoorOpenIcon,
-  Languages,
-  Monitor,
-  Moon,
-  Palette,
-  Settings,
-  Sun,
-} from "lucide-react";
-import { useTranslation } from "react-i18next";
-import { useLocation } from "react-router";
-import { useRef } from "react";
-import {
-  useScreenParams,
-  recompileScreenParams,
-} from "@/lib/hooks/screen-params";
-import { useMutation } from "@tanstack/react-query";
-import axios from "axios";
-import { toast } from "sonner";
-import { useEffect } from "react";
-
-function Avatar({ initial }: { initial: string }) {
-  return (
-    <span className="group relative grid size-10 place-items-center rounded-full">
-      <span className="absolute inset-0 overflow-hidden rounded-full bg-linear-to-b from-neutral-50 to-neutral-100 dark:from-neutral-700 dark:to-neutral-950 shadow-lg"></span>
-      <span className="relative text-sm font-semibold text-primary">
-        {initial}
-      </span>
-    </span>
-  );
-}
-
-export const QuickActions = () => {
-  const { auth } = useUserContext();
-  const { theme, setTheme } = useTheme();
-  const { t } = useTranslation();
-  const { search } = useLocation();
-
-  const [language, setLanguage] = useState<SupportedLanguage>(
-    i18n.language as SupportedLanguage,
-  );
-
-  const redirectTimer = useRef<number | null>(null);
-  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);
-
-  const logoutMutation = useMutation({
-    mutationFn: () => axios.post("/api/user/logout"),
-    mutationKey: ["logout"],
-    onSuccess: () => {
-      toast.success(t("logoutSuccessTitle"), {
-        description: t("logoutSuccessSubtitle"),
-      });
-
-      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(`/login${compiledParams}`);
-      }, 500);
-    },
-    onError: () => {
-      toast.error(t("logoutFailTitle"), {
-        description: t("logoutFailSubtitle"),
-      });
-    },
-  });
-
-  useEffect(() => {
-    return () => {
-      if (redirectTimer.current) {
-        clearTimeout(redirectTimer.current);
-      }
-    };
-  }, [redirectTimer]);
-
-  const initial = auth.authenticated
-    ? (auth.name[0] || "U").toUpperCase()
-    : null;
-
-  const handleSelect = (option: string) => {
-    setLanguage(option as SupportedLanguage);
-    i18n.changeLanguage(option as SupportedLanguage);
-  };
-
-  const themes = [
-    { key: "light", label: t("quickActionsThemeLight"), icon: Sun },
-    { key: "dark", label: t("quickActionsThemeDark"), icon: Moon },
-    { key: "system", label: t("quickActionsThemeSystem"), icon: Monitor },
-  ] as const;
-
-  return (
-    <DropdownMenu>
-      <DropdownMenuTrigger asChild>
-        <button
-          aria-label={t("quickActionsTitle")}
-          className="rounded-full transition-transform duration-200 will-change-transform hover:scale-105 hover:cursor-pointer focus:ring-0 focus:outline-3 focus:outline-ring/50"
-        >
-          {auth.authenticated ? (
-            <Avatar initial={initial!} />
-          ) : (
-            <span className="bg-card text-primary border-border size-10 flex items-center justify-center rounded-full border shadow-lg">
-              <Settings className="size-4" />
-            </span>
-          )}
-        </button>
-      </DropdownMenuTrigger>
-
-      <DropdownMenuContent
-        align="end"
-        sideOffset={8}
-        className="rounded-xl p-1"
-      >
-        {auth.authenticated && (
-          <>
-            <DropdownMenuLabel className="flex items-center gap-3 p-2">
-              <div className="bg-foreground text-background flex size-9 shrink-0 items-center justify-center rounded-full text-sm font-medium">
-                {initial}
-              </div>
-              <div className="flex min-w-0 flex-col">
-                <span className="truncate text-sm font-medium">
-                  {auth.name}
-                </span>
-                <span className="text-muted-foreground truncate text-xs font-normal">
-                  {auth.email}
-                </span>
-              </div>
-            </DropdownMenuLabel>
-
-            <DropdownMenuSeparator />
-          </>
-        )}
-
-        <DropdownMenuSub>
-          <DropdownMenuSubTrigger>
-            <Languages className="size-4" />
-            {t("quickActionsLanguage")}
-          </DropdownMenuSubTrigger>
-          <DropdownMenuPortal>
-            <DropdownMenuSubContent sideOffset={8} className="rounded-xl p-1">
-              <ScrollArea className="h-80">
-                {Object.entries(languages).map(([key, value]) => (
-                  <DropdownMenuItem
-                    key={key}
-                    onSelect={() => handleSelect(key)}
-                  >
-                    {value}
-                    {language === key && <Check className="size-4" />}
-                  </DropdownMenuItem>
-                ))}
-              </ScrollArea>
-            </DropdownMenuSubContent>
-          </DropdownMenuPortal>
-        </DropdownMenuSub>
-
-        <DropdownMenuSub>
-          <DropdownMenuSubTrigger>
-            <Palette className="size-4" />
-            {t("quickActionsTheme")}
-          </DropdownMenuSubTrigger>
-          <DropdownMenuPortal>
-            <DropdownMenuSubContent className="rounded-xl p-1" sideOffset={8}>
-              {themes.map(({ key, label, icon: Icon }) => (
-                <DropdownMenuItem key={key} onClick={() => setTheme(key)}>
-                  <span className="flex items-center gap-2">
-                    <Icon className="size-4" />
-                    {label}
-                  </span>
-                  {theme === key && <Check className="size-4" />}
-                </DropdownMenuItem>
-              ))}
-            </DropdownMenuSubContent>
-          </DropdownMenuPortal>
-        </DropdownMenuSub>
-
-        {auth.authenticated && (
-          <>
-            <DropdownMenuSeparator />
-            <DropdownMenuItem
-              onSelect={() => logoutMutation.mutate()}
-              className="text-destructive"
-            >
-              <DoorOpenIcon className="size-4" />
-              {t("quickActionsLogout")}
-            </DropdownMenuItem>
-          </>
-        )}
-      </DropdownMenuContent>
-    </DropdownMenu>
-  );
-};
@@ -0,0 +1,40 @@
+import { Moon, Sun } from "lucide-react";
+
+import { Button } from "@/components/ui/button";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+import { useTheme } from "@/components/providers/theme-provider";
+
+export function ThemeToggle() {
+  const { setTheme } = useTheme();
+
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <Button
+          className="bg-card text-card-foreground hover:bg-card/90"
+          size="icon"
+        >
+          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
+          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
+          <span className="sr-only">Toggle theme</span>
+        </Button>
+      </DropdownMenuTrigger>
+      <DropdownMenuContent align="end">
+        <DropdownMenuItem onClick={() => setTheme("light")}>
+          Light
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("dark")}>
+          Dark
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("system")}>
+          System
+        </DropdownMenuItem>
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+}
@@ -0,0 +1,75 @@
+import * as React from "react";
+import { OTPInput, OTPInputContext } from "input-otp";
+import { MinusIcon } from "lucide-react";
+
+import { cn } from "@/lib/utils";
+
+function InputOTP({
+  className,
+  containerClassName,
+  ...props
+}: React.ComponentProps<typeof OTPInput> & {
+  containerClassName?: string;
+}) {
+  return (
+    <OTPInput
+      data-slot="input-otp"
+      containerClassName={cn(
+        "flex items-center gap-2 has-disabled:opacity-50",
+        containerClassName,
+      )}
+      className={cn("disabled:cursor-not-allowed", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPGroup({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="input-otp-group"
+      className={cn("flex items-center", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPSlot({
+  index,
+  className,
+  ...props
+}: React.ComponentProps<"div"> & {
+  index: number;
+}) {
+  const inputOTPContext = React.useContext(OTPInputContext);
+  const { char, hasFakeCaret, isActive } = inputOTPContext?.slots[index] ?? {};
+
+  return (
+    <div
+      data-slot="input-otp-slot"
+      data-active={isActive}
+      className={cn(
+        "data-[active=true]:border-ring data-[active=true]:ring-ring/50 data-[active=true]:aria-invalid:ring-destructive/20 dark:data-[active=true]:aria-invalid:ring-destructive/40 aria-invalid:border-destructive data-[active=true]:aria-invalid:border-destructive dark:bg-input/30 border-input relative flex h-9 w-9 items-center justify-center border-y border-r text-sm shadow-xs transition-all outline-none first:rounded-l-md first:border-l last:rounded-r-md data-[active=true]:z-10 data-[active=true]:ring-[3px]",
+        className,
+      )}
+      {...props}
+    >
+      {char}
+      {hasFakeCaret && (
+        <div className="pointer-events-none absolute inset-0 flex items-center justify-center">
+          <div className="animate-caret-blink bg-foreground h-4 w-px duration-1000" />
+        </div>
+      )}
+    </div>
+  );
+}
+
+function InputOTPSeparator({ ...props }: React.ComponentProps<"div">) {
+  return (
+    <div data-slot="input-otp-separator" role="separator" {...props}>
+      <MinusIcon />
+    </div>
+  );
+}
+
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };
@@ -1,56 +0,0 @@
-import * as React from "react"
-import { ScrollArea as ScrollAreaPrimitive } from "radix-ui"
-
-import { cn } from "@/lib/utils"
-
-function ScrollArea({
-  className,
-  children,
-  ...props
-}: React.ComponentProps<typeof ScrollAreaPrimitive.Root>) {
-  return (
-    <ScrollAreaPrimitive.Root
-      data-slot="scroll-area"
-      className={cn("relative", className)}
-      {...props}
-    >
-      <ScrollAreaPrimitive.Viewport
-        data-slot="scroll-area-viewport"
-        className="size-full rounded-[inherit] transition-[color,box-shadow] outline-none focus-visible:ring-[3px] focus-visible:ring-ring/50 focus-visible:outline-1"
-      >
-        {children}
-      </ScrollAreaPrimitive.Viewport>
-      <ScrollBar />
-      <ScrollAreaPrimitive.Corner />
-    </ScrollAreaPrimitive.Root>
-  )
-}
-
-function ScrollBar({
-  className,
-  orientation = "vertical",
-  ...props
-}: React.ComponentProps<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>) {
-  return (
-    <ScrollAreaPrimitive.ScrollAreaScrollbar
-      data-slot="scroll-area-scrollbar"
-      orientation={orientation}
-      className={cn(
-        "flex touch-none p-px transition-colors select-none",
-        orientation === "vertical" &&
-          "h-full w-2.5 border-l border-l-transparent",
-        orientation === "horizontal" &&
-          "h-2.5 flex-col border-t border-t-transparent",
-        className
-      )}
-      {...props}
-    >
-      <ScrollAreaPrimitive.ScrollAreaThumb
-        data-slot="scroll-area-thumb"
-        className="relative flex-1 rounded-full bg-border"
-      />
-    </ScrollAreaPrimitive.ScrollAreaScrollbar>
-  )
-}
-
-export { ScrollArea, ScrollBar }
@@ -1,17 +0,0 @@
-type UseLoginForProps = {
-  login_for?: "oidc" | "app";
-  compiledParams: string;
-};
-
-export const useLoginFor = (props: UseLoginForProps): string => {
-  const { login_for, compiledParams } = props;
-
-  switch (login_for) {
-    case "oidc":
-      return "/oidc/authorize" + compiledParams;
-    case "app":
-      return "/continue" + compiledParams;
-    default:
-      return "/logout";
-  }
-};
@@ -0,0 +1,55 @@
+export type OIDCValues = {
+  scope: string;
+  response_type: string;
+  client_id: string;
+  redirect_uri: string;
+  state: string;
+  nonce: string;
+};
+
+interface IuseOIDCParams {
+  values: OIDCValues;
+  compiled: string;
+  isOidc: boolean;
+  missingParams: string[];
+}
+
+const optionalParams: string[] = ["state", "nonce"];
+
+export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
+  let compiled: string = "";
+  let isOidc = false;
+  const missingParams: string[] = [];
+
+  const values: OIDCValues = {
+    scope: params.get("scope") ?? "",
+    response_type: params.get("response_type") ?? "",
+    client_id: params.get("client_id") ?? "",
+    redirect_uri: params.get("redirect_uri") ?? "",
+    state: params.get("state") ?? "",
+    nonce: params.get("nonce") ?? "",
+  };
+
+  for (const key of Object.keys(values)) {
+    if (!values[key as keyof OIDCValues]) {
+      if (!optionalParams.includes(key)) {
+        missingParams.push(key);
+      }
+    }
+  }
+
+  if (missingParams.length === 0) {
+    isOidc = true;
+  }
+
+  if (isOidc) {
+    compiled = new URLSearchParams(values).toString();
+  }
+
+  return {
+    values,
+    compiled,
+    isOidc,
+    missingParams,
+  };
+}
@@ -7,7 +7,7 @@ type IuseRedirectUri = {
 };

 export const useRedirectUri = (
-  redirect_uri: string | undefined,
+  redirect_uri: string | null,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
@@ -15,7 +15,7 @@ export const useRedirectUri = (
  let isAllowedProto = false;
  let isHttpsDowngrade = false;

-  if (redirect_uri === undefined) {
+  if (!redirect_uri) {
    return {
      valid: isValid,
      trusted: isTrusted,
@@ -1,40 +0,0 @@
-import { z } from "zod";
-
-type ScreenParams = {
-  login_for?: "oidc" | "app";
-  redirect_uri?: string;
-  oidc_ticket?: string;
-  oidc_scope?: string;
-  oidc_name?: string;
-};
-
-const zodScreenParams = z.object({
-  login_for: z.enum(["oidc", "app"]).optional(),
-  redirect_uri: z.string().optional(),
-  oidc_ticket: z.string().optional(),
-  oidc_scope: z.string().optional(),
-  oidc_name: z.string().optional(),
-});
-
-export function useScreenParams(params: URLSearchParams): ScreenParams {
-  const paramsObj = Object.fromEntries(params.entries());
-  const parsed = zodScreenParams.safeParse(paramsObj);
-  if (!parsed.success) {
-    return {};
-  }
-  return parsed.data;
-}
-
-export function recompileScreenParams(params: ScreenParams): string {
-  const p = new URLSearchParams(
-    Object.fromEntries(
-      Object.entries(params).filter(([, v]) => v !== undefined),
-    ) as Record<string, string>,
-  ).toString();
-
-  if (p.length > 0) {
-    return "?" + p;
-  }
-
-  return "";
-}
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "تجاهل",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "Toto pole je povinné",
    "invalidInput": "Neplatný údaj",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "Dieses Feld ist notwendig",
    "invalidInput": "Ungültige Eingabe",
    "domainWarningTitle": "Ungültige Domain",
-    "domainWarningSubtitle": "Sie greifen von einer falschen Domäne aus auf diese Instanz zu. Wenn Sie fortfahren, können Probleme mit der Authentifizierung auftreten.",
+    "domainWarningSubtitle": "Diese Instanz ist so konfiguriert, dass sie von <code>{{appUrl}}</code> aufgerufen werden kann, aber <code>{{currentUrl}}</code> wird verwendet. Wenn Sie fortfahren, können Probleme bei der Authentifizierung auftreten.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorieren",
@@ -1,103 +1,83 @@
 {
-  "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
-  "loginUsername": "Username",
-  "loginPassword": "Password",
-  "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
-  "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
-  "quickActionsLanguage": "Language",
-  "quickActionsTheme": "Theme",
-  "quickActionsThemeLight": "Light",
-  "quickActionsThemeDark": "Dark",
-  "quickActionsThemeSystem": "System",
-  "quickActionsLogout": "Logout",
-  "quickActionsTitle": "Quick Actions"
+    "loginTitle": "Welcome back, login with",
+    "loginTitleSimple": "Welcome back, please login",
+    "loginDivider": "Or",
+    "loginUsername": "Username",
+    "loginPassword": "Password",
+    "loginSubmit": "Login",
+    "loginFailTitle": "Failed to log in",
+    "loginFailSubtitle": "Please check your username and password",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginSuccessTitle": "Logged in",
+    "loginSuccessSubtitle": "Welcome back!",
+    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "Continue",
+    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectManually": "Redirect me manually",
+    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "logoutFailTitle": "Failed to log out",
+    "logoutFailSubtitle": "Please try again",
+    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutTitle": "Logout",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "notFoundTitle": "Page not found",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundButton": "Go home",
+    "totpFailTitle": "Failed to verify code",
+    "totpFailSubtitle": "Please check your code and try again",
+    "totpSuccessTitle": "Verified",
+    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpTitle": "Enter your TOTP code",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedButton": "Try again",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "fieldRequired": "This field is required",
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
 }
@@ -1,103 +1,83 @@
 {
-  "loginTitle": "Welcome back, login with",
-  "loginTitleSimple": "Welcome back, please login",
-  "loginDivider": "Or",
-  "loginUsername": "Username",
-  "loginPassword": "Password",
-  "loginSubmit": "Login",
-  "loginFailTitle": "Failed to log in",
-  "loginFailSubtitle": "Please check your username and password",
-  "loginFailRateLimit": "You failed to login too many times. Please try again later",
-  "loginSuccessTitle": "Logged in",
-  "loginSuccessSubtitle": "Welcome back!",
-  "loginOauthFailTitle": "An error occurred",
-  "loginOauthFailSubtitle": "Failed to get OAuth URL",
-  "loginOauthSuccessTitle": "Redirecting",
-  "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-  "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
-  "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
-  "loginOauthAutoRedirectButton": "Redirect now",
-  "continueTitle": "Continue",
-  "continueRedirectingTitle": "Redirecting...",
-  "continueRedirectingSubtitle": "You should be redirected to the app soon",
-  "continueRedirectManually": "Redirect me manually",
-  "continueInsecureRedirectTitle": "Insecure redirect",
-  "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-  "continueUntrustedRedirectTitle": "Untrusted redirect",
-  "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-  "logoutFailTitle": "Failed to log out",
-  "logoutFailSubtitle": "Please try again",
-  "logoutSuccessTitle": "Logged out",
-  "logoutSuccessSubtitle": "You have been logged out",
-  "logoutTitle": "Logout",
-  "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
-  "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
-  "notFoundTitle": "Page not found",
-  "notFoundSubtitle": "The page you are looking for does not exist.",
-  "notFoundButton": "Go home",
-  "totpFailTitle": "Failed to verify code",
-  "totpFailSubtitle": "Please check your code and try again",
-  "totpSuccessTitle": "Verified",
-  "totpSuccessSubtitle": "Redirecting to your app",
-  "totpTitle": "Enter your TOTP code",
-  "totpSubtitle": "Please enter the code from your authenticator app.",
-  "unauthorizedTitle": "Unauthorized",
-  "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
-  "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
-  "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-  "unauthorizedButton": "Try again",
-  "cancelTitle": "Cancel",
-  "forgotPasswordTitle": "Forgot your password?",
-  "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-  "errorTitle": "An error occurred",
-  "errorSubtitleInfo": "The following error occurred while processing your request:",
-  "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
-  "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-  "fieldRequired": "This field is required",
-  "invalidInput": "Invalid input",
-  "domainWarningTitle": "Invalid Domain",
-  "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-  "domainWarningCurrent": "Current:",
-  "domainWarningExpected": "Expected:",
-  "ignoreTitle": "Ignore",
-  "goToCorrectDomainTitle": "Go to correct domain",
-  "authorizeTitle": "Authorize",
-  "authorizeCardTitle": "Continue to {{app}}?",
-  "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
-  "authorizeSubtitleOAuth": "Would you like to continue to this app?",
-  "authorizeLoadingTitle": "Loading...",
-  "authorizeLoadingSubtitle": "Please wait while we load the client information.",
-  "authorizeSuccessTitle": "Authorized",
-  "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
-  "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
-  "authorizeErrorInvalidParams": "The request is missing required parameters or has invalid parameters. Please check the URL and try again.",
-  "openidScopeName": "OpenID Connect",
-  "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
-  "emailScopeName": "Email",
-  "emailScopeDescription": "Allows the app to access your email address.",
-  "profileScopeName": "Profile",
-  "profileScopeDescription": "Allows the app to access your profile information.",
-  "groupsScopeName": "Groups",
-  "groupsScopeDescription": "Allows the app to access your group information.",
-  "backToLoginButton": "Back to login",
-  "phoneScopeName": "Phone",
-  "phoneScopeDescription": "Allows the app to access your phone number.",
-  "addressScopeName": "Address",
-  "addressScopeDescription": "Allows the app to access your address.",
-  "loginTailscaleTitle": "Continue with Tailscale",
-  "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
-  "loginTailscaleDeviceName": "Device name:",
-  "loginTailscaleSubmit": "Continue with Tailscale",
-  "loginTailscaleOtherMethod": "Login with another method",
-  "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
-  "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
-  "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout.",
-  "quickActionsLanguage": "Language",
-  "quickActionsTheme": "Theme",
-  "quickActionsThemeLight": "Light",
-  "quickActionsThemeDark": "Dark",
-  "quickActionsThemeSystem": "System",
-  "quickActionsLogout": "Logout",
-  "quickActionsTitle": "Quick Actions"
+    "loginTitle": "Welcome back, login with",
+    "loginTitleSimple": "Welcome back, please login",
+    "loginDivider": "Or",
+    "loginUsername": "Username",
+    "loginPassword": "Password",
+    "loginSubmit": "Login",
+    "loginFailTitle": "Failed to log in",
+    "loginFailSubtitle": "Please check your username and password",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginSuccessTitle": "Logged in",
+    "loginSuccessSubtitle": "Welcome back!",
+    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "Continue",
+    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectManually": "Redirect me manually",
+    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "logoutFailTitle": "Failed to log out",
+    "logoutFailSubtitle": "Please try again",
+    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutTitle": "Logout",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "notFoundTitle": "Page not found",
+    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundButton": "Go home",
+    "totpFailTitle": "Failed to verify code",
+    "totpFailSubtitle": "Please check your code and try again",
+    "totpSuccessTitle": "Verified",
+    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpTitle": "Enter your TOTP code",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedButton": "Try again",
+    "cancelTitle": "Cancel",
+    "forgotPasswordTitle": "Forgot your password?",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "errorTitle": "An error occurred",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "fieldRequired": "This field is required",
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain",
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
 }
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Estás accediendo a esta instancia desde un dominio incorrecto. Si sigues, puedes encontrar problemas con la autenticación.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "Tämä kenttä on pakollinen",
    "invalidInput": "Virheellinen syöte",
    "domainWarningTitle": "Virheellinen verkkotunnus",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Jätä huomiotta",
@@ -58,8 +58,8 @@
    "invalidInput": "Saisie non valide",
    "domainWarningTitle": "Domaine invalide",
    "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
-    "domainWarningCurrent": "Actuellement :",
-    "domainWarningExpected": "Attendu :",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorer",
    "goToCorrectDomainTitle": "Aller au bon domaine",
    "authorizeTitle": "Autoriser",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,9 +57,9 @@
    "fieldRequired": "Questo campo è obbligatorio",
    "invalidInput": "Input non valido",
    "domainWarningTitle": "Dominio non valido",
-    "domainWarningSubtitle": "Stai accedendo a questa istanza da un dominio errato. Scegliendo di procedere, potresti incontrare problemi con l'autenticazione.",
-    "domainWarningCurrent": "Attuale:",
-    "domainWarningExpected": "Previsto:",
+    "domainWarningSubtitle": "Questa istanza è configurata per essere accessibile da <code>{{appUrl}}</code>, ma la stai visitando da <code>{{currentUrl}}</code>. Se procedi, potresti incorrere in problemi di autenticazione.",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignora",
    "goToCorrectDomainTitle": "Vai al dominio corretto",
    "authorizeTitle": "Autorizza",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "不正なドメインからこのインスタンスにアクセスしています。続行すると、認証に問題が発生する可能性があります。",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -30,7 +30,7 @@
    "logoutSuccessTitle": "로그아웃 완료",
    "logoutSuccessSubtitle": "로그아웃되었습니다",
    "logoutTitle": "로그아웃",
-    "logoutUsernameSubtitle": "현재 <code>{{username}}</code>로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
+    "logoutUsernameSubtitle": "현재 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
    "logoutOauthSubtitle": "현재 {{provider}} OAuth 제공자를 통해 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
    "notFoundTitle": "페이지를 찾을 수 없습니다",
    "notFoundSubtitle": "찾으시는 페이지가 존재하지 않습니다.",
@@ -57,7 +57,7 @@
    "fieldRequired": "Dit veld is verplicht",
    "invalidInput": "Ongeldige invoer",
    "domainWarningTitle": "Ongeldig domein",
-    "domainWarningSubtitle": "U benadert deze instantie vanuit een onjuist domein. Als u doorgaat, kunt u problemen ondervinden met authenticatie.",
+    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
    "domainWarningCurrent": "Huidig:",
    "domainWarningExpected": "Verwacht:",
    "ignoreTitle": "Negeren",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Du bruker denne forekomsten fra et feil domene. Dersom du fortsetter kan du få problemer med autentiseringen.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "To pole jest wymagane",
    "invalidInput": "Nieprawidłowe dane wejściowe",
    "domainWarningTitle": "Nieprawidłowa domena",
-    "domainWarningSubtitle": "Masz dostęp do tej instancji z nieprawidłowej domeny. Jeśli kontynuujesz, możesz napotkać problemy z uwierzytelnianiem.",
+    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
    "domainWarningCurrent": "Bieżąca:",
    "domainWarningExpected": "Oczekiwana:",
    "ignoreTitle": "Zignoruj",
@@ -57,7 +57,7 @@
    "fieldRequired": "Este campo é obrigatório",
    "invalidInput": "Entrada Inválida",
    "domainWarningTitle": "Domínio inválido",
-    "domainWarningSubtitle": "Você está acessando essa instância de um domínio incorreto. Se você continuar, você pode encontrar problemas com a autenticação.",
+    "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorar",
@@ -57,7 +57,7 @@
    "fieldRequired": "Este campo é obrigatório",
    "invalidInput": "Entrada inválida",
    "domainWarningTitle": "Domínio inválido",
-    "domainWarningSubtitle": "Acessa essa instância de um domínio incorreto. Se você continuar, você pode encontrar problemas com a autenticação.",
+    "domainWarningSubtitle": "Esta instância está configurada para ser acedida a partir de <code>{{appUrl}}</code>, mas está a ser usado <code>{{currentUrl}}</code>. Se continuares, poderás ter problemas de autenticação.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignorar",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -51,33 +51,33 @@
    "forgotPasswordTitle": "Забыли пароль?",
    "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
    "errorTitle": "Произошла ошибка",
-    "errorSubtitleInfo": "При обработке вашего запроса произошла следующая ошибка:",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
    "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
    "fieldRequired": "Это поле является обязательным",
    "invalidInput": "Недопустимый ввод",
    "domainWarningTitle": "Неверный домен",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
-    "domainWarningCurrent": "Текущий:",
-    "domainWarningExpected": "Ожидается:",
+    "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Игнорировать",
    "goToCorrectDomainTitle": "Перейти к правильному домену",
-    "authorizeTitle": "Разрешить",
-    "authorizeCardTitle": "Продолжить с {{app}}?",
-    "authorizeSubtitle": "Вы хотите продолжить работу с этим приложением? Внимательно проверьте запрашиваемые приложением разрешения.",
-    "authorizeSubtitleOAuth": "Вы хотите продолжить работу с этим приложением?",
-    "authorizeLoadingTitle": "Загрузка...",
-    "authorizeLoadingSubtitle": "Пожалуйста, подождите, пока мы загрузим информацию о клиенте.",
-    "authorizeSuccessTitle": "Разрешено",
-    "authorizeSuccessSubtitle": "Вы будете перенаправлены в приложение через несколько секунд.",
-    "authorizeErrorClientInfo": "Произошла ошибка при загрузке информации о клиенте. Пожалуйста, повторите попытку позже.",
-    "authorizeErrorMissingParams": "Отсутствуют следующие параметры: {{missingParams}}",
-    "openidScopeName": "Подключение OpenID",
-    "openidScopeDescription": "Приложение сможет получить доступ к информации подключённого OpenID.",
-    "emailScopeName": "Эл. Почта",
-    "emailScopeDescription": "Приложение сможет получить доступ к вашему электронному адресу.",
-    "profileScopeName": "Профиль",
-    "profileScopeDescription": "Приложение сможет получить доступ к информации вашего профиля.",
-    "groupsScopeName": "Группы",
-    "groupsScopeDescription": "Приложение сможет получать доступ к информации о вашей группе."
+    "authorizeTitle": "Authorize",
+    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "openidScopeName": "OpenID Connect",
+    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "emailScopeName": "Email",
+    "emailScopeDescription": "Allows the app to access your email address.",
+    "profileScopeName": "Profile",
+    "profileScopeDescription": "Allows the app to access your profile information.",
+    "groupsScopeName": "Groups",
+    "groupsScopeDescription": "Allows the app to access your group information."
 }
@@ -57,7 +57,7 @@
    "fieldRequired": "Ово поље је неопходно",
    "invalidInput": "Неисправан унос",
    "domainWarningTitle": "Неисправан домен",
-    "domainWarningSubtitle": "Приступате овој инстанци са неисправног домена. Ако наставите, можете наићи на проблеме са аутентификацијом.",
+    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
    "domainWarningCurrent": "Тренутни:",
    "domainWarningExpected": "Очекивани:",
    "ignoreTitle": "Игнориши",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "Du kommer åt den här instansen från en felaktig domän. Om du fortsätter kan du stöta på problem med autentisering.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "Bu alan zorunludur",
    "invalidInput": "Geçersiz girdi",
    "domainWarningTitle": "Geçersiz alan adı",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Bu örnek, <code>{{appUrl}}</code> adresinden erişilecek şekilde yapılandırılmıştır, ancak <code>{{currentUrl}}</code> kullanılmaktadır. Devam ederseniz, kimlik doğrulama ile ilgili sorunlarla karşılaşabilirsiniz.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Yoksay",
@@ -57,9 +57,9 @@
    "fieldRequired": "Це поле обов'язкове для заповнення",
    "invalidInput": "Невірне введення",
    "domainWarningTitle": "Невірний домен",
-    "domainWarningSubtitle": "Ви отримуєте доступ до даного екземпляра з неправильного домену. Якщо ви продовжите, у вас можуть виникнути проблеми з автентифікацією.",
-    "domainWarningCurrent": "Поточний:",
-    "domainWarningExpected": "Очікувалося:",
+    "domainWarningSubtitle": "Даний ресурс налаштований для доступу з <code>{{appUrl}}</code>, але використовується <code>{{currentUrl}}</code>. Якщо ви продовжите, можуть виникнути проблеми з автентифікацією.",
+    "domainWarningCurrent": "Current:",
+    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ігнорувати",
    "goToCorrectDomainTitle": "Перейти за коректним доменом",
    "authorizeTitle": "Авторизуватись",
@@ -57,7 +57,7 @@
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "Ignore",
@@ -57,7 +57,7 @@
    "fieldRequired": "此為必填欄位",
    "invalidInput": "無效的輸入",
    "domainWarningTitle": "無效的網域",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
    "domainWarningCurrent": "Current:",
    "domainWarningExpected": "Expected:",
    "ignoreTitle": "忽略",
@@ -23,44 +23,39 @@ import { TooltipProvider } from "@/components/ui/tooltip";
 const queryClient = new QueryClient();

 createRoot(document.getElementById("root")!).render(
-  <main>
-    <StrictMode>
-      <QueryClientProvider client={queryClient}>
-        <AppContextProvider>
-          <UserContextProvider>
-            <TooltipProvider>
-              <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
-                <BrowserRouter>
-                  <Routes>
-                    <Route element={<Layout />} errorElement={<ErrorPage />}>
-                      <Route path="/" element={<App />} />
-                      <Route path="/login" element={<LoginPage />} />
-                      <Route
-                        path="/oidc/authorize"
-                        element={<AuthorizePage />}
-                      />
-                      <Route path="/logout" element={<LogoutPage />} />
-                      <Route path="/continue" element={<ContinuePage />} />
-                      <Route path="/totp" element={<TotpPage />} />
-                      <Route
-                        path="/forgot-password"
-                        element={<ForgotPasswordPage />}
-                      />
-                      <Route
-                        path="/unauthorized"
-                        element={<UnauthorizedPage />}
-                      />
-                      <Route path="/error" element={<ErrorPage />} />
-                      <Route path="*" element={<NotFoundPage />} />
-                    </Route>
-                  </Routes>
-                </BrowserRouter>
-                <Toaster />
-              </ThemeProvider>
-            </TooltipProvider>
-          </UserContextProvider>
-        </AppContextProvider>
-      </QueryClientProvider>
-    </StrictMode>
-  </main>,
+  <StrictMode>
+    <QueryClientProvider client={queryClient}>
+      <AppContextProvider>
+        <UserContextProvider>
+          <TooltipProvider>
+            <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
+              <BrowserRouter>
+                <Routes>
+                  <Route element={<Layout />} errorElement={<ErrorPage />}>
+                    <Route path="/" element={<App />} />
+                    <Route path="/login" element={<LoginPage />} />
+                    <Route path="/authorize" element={<AuthorizePage />} />
+                    <Route path="/logout" element={<LogoutPage />} />
+                    <Route path="/continue" element={<ContinuePage />} />
+                    <Route path="/totp" element={<TotpPage />} />
+                    <Route
+                      path="/forgot-password"
+                      element={<ForgotPasswordPage />}
+                    />
+                    <Route
+                      path="/unauthorized"
+                      element={<UnauthorizedPage />}
+                    />
+                    <Route path="/error" element={<ErrorPage />} />
+                    <Route path="*" element={<NotFoundPage />} />
+                  </Route>
+                </Routes>
+              </BrowserRouter>
+              <Toaster />
+            </ThemeProvider>
+          </TooltipProvider>
+        </UserContextProvider>
+      </AppContextProvider>
+    </QueryClientProvider>
+  </StrictMode>,
 );
@@ -1,5 +1,5 @@
 import { useUserContext } from "@/context/user-context";
-import { useMutation } from "@tanstack/react-query";
+import { useMutation, useQuery } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
@@ -10,21 +10,19 @@ import {
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
+import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
+import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
-import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
+import { Mail, Shield, User, Users } from "lucide-react";
 import {
  Tooltip,
  TooltipContent,
  TooltipTrigger,
 } from "@/components/ui/tooltip";
-import {
-  recompileScreenParams,
-  useScreenParams,
-} from "@/lib/hooks/screen-params";

 type Scope = {
  id: string;
@@ -63,40 +61,47 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
      description: t("groupsScopeDescription"),
      icon: <Users {...scopeMapIconProps} />,
    },
-    {
-      id: "phone",
-      name: t("phoneScopeName"),
-      description: t("phoneScopeDescription"),
-      icon: <Phone {...scopeMapIconProps} />,
-    },
-    {
-      id: "address",
-      name: t("addressScopeName"),
-      description: t("addressScopeDescription"),
-      icon: <MapPin {...scopeMapIconProps} />,
-    },
  ];
 };

 export const AuthorizePage = () => {
-  const { auth } = useUserContext();
+  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const navigate = useNavigate();
  const scopeMap = createScopeMap(t);

  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const isOidc = screenParams.login_for === "oidc";
-  const compiledParams = recompileScreenParams(screenParams);
+  const {
+    values: props,
+    missingParams,
+    isOidc,
+    compiled: compiledOIDCParams,
+  } = useOIDCParams(searchParams);
+  const scopes = props.scope ? props.scope.split(" ").filter(Boolean) : [];
+
+  const getClientInfo = useQuery({
+    queryKey: ["client", props.client_id],
+    queryFn: async () => {
+      const res = await fetch(`/api/oidc/clients/${props.client_id}`);
+      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
+      return data;
+    },
+    enabled: isOidc,
+  });

  const authorizeMutation = useMutation({
    mutationFn: () => {
-      return axios.post("/api/oidc/authorize-complete", {
-        ticket: screenParams.oidc_ticket,
+      return axios.post("/api/oidc/authorize", {
+        scope: props.scope,
+        response_type: props.response_type,
+        client_id: props.client_id,
+        redirect_uri: props.redirect_uri,
+        state: props.state,
+        nonce: props.nonce,
      });
    },
-    mutationKey: ["authorize", screenParams.oidc_ticket],
+    mutationKey: ["authorize", props.client_id],
    onSuccess: (data) => {
      toast.info(t("authorizeSuccessTitle"), {
        description: t("authorizeSuccessSubtitle"),
@@ -110,36 +115,53 @@ export const AuthorizePage = () => {
    },
  });

-  if (
-    !isOidc ||
-    screenParams.oidc_ticket === undefined ||
-    screenParams.oidc_scope === undefined
-  ) {
+  if (missingParams.length > 0) {
    return (
      <Navigate
-        to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: missingParams.join(", ") }))}`}
        replace
      />
    );
  }

-  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+  if (!isLoggedIn) {
+    return <Navigate to={`/login?${compiledOIDCParams}`} replace />;
  }

-  const scopes =
-    screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
+  if (getClientInfo.isLoading) {
+    return (
+      <Card className="gap-0">
+        <CardHeader>
+          <CardTitle className="text-xl">
+            {t("authorizeLoadingTitle")}
+          </CardTitle>
+        </CardHeader>
+        <CardContent>
+          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
+        </CardContent>
+      </Card>
+    );
+  }
+
+  if (getClientInfo.isError) {
+    return (
+      <Navigate
+        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
+        replace
+      />
+    );
+  }

  return (
    <Card>
      <CardHeader className="mb-2">
        <div className="flex flex-col gap-3 items-center justify-center text-center">
          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {screenParams.oidc_name ? screenParams.oidc_name.slice(0, 1) : "U"}
+            {getClientInfo.data?.name.slice(0, 1) || "U"}
          </div>
          <CardTitle className="text-xl">
            {t("authorizeCardTitle", {
-              app: screenParams.oidc_name || "Unknown",
+              app: getClientInfo.data?.name || "Unknown",
            })}
          </CardTitle>
          <CardDescription className="text-sm max-w-sm">
@@ -178,7 +200,7 @@ export const AuthorizePage = () => {
          {t("authorizeTitle")}
        </Button>
        <Button
-          onClick={() => navigate(`/logout${compiledParams}`)}
+          onClick={() => navigate("/")}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
@@ -12,14 +12,10 @@ import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
 import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
-import {
-  recompileScreenParams,
-  useScreenParams,
-} from "@/lib/hooks/screen-params";

 export const ContinuePage = () => {
-  const { app, ui } = useAppContext();
-  const { auth } = useUserContext();
+  const { cookieDomain, warningsEnabled } = useAppContext();
+  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const navigate = useNavigate();
@@ -29,29 +25,24 @@ export const ContinuePage = () => {
  const hasRedirected = useRef(false);

  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const redirectUri = screenParams.redirect_uri;
-  const isAppLogin = screenParams.login_for === "app";
-  const recompiledParams = recompileScreenParams(screenParams);
+  const redirectUri = searchParams.get("redirect_uri");

  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
    redirectUri,
-    app.cookieDomain,
+    cookieDomain,
  );

  const urlHref = url?.href;

  const hasValidRedirect = valid && allowedProto;
-  const showUntrustedWarning =
-    hasValidRedirect && !trusted && ui.warningsEnabled;
+  const showUntrustedWarning = hasValidRedirect && !trusted && warningsEnabled;
  const showInsecureWarning =
-    hasValidRedirect && httpsDowngrade && ui.warningsEnabled;
+    hasValidRedirect && httpsDowngrade && warningsEnabled;
  const shouldAutoRedirect =
-    auth.authenticated &&
+    isLoggedIn &&
    hasValidRedirect &&
    !showUntrustedWarning &&
-    !showInsecureWarning &&
-    isAppLogin;
+    !showInsecureWarning;

  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
@@ -86,11 +77,16 @@ export const ContinuePage = () => {
    };
  }, [shouldAutoRedirect, redirectToTarget]);

-  if (!auth.authenticated) {
-    return <Navigate to={`/login${recompiledParams}`} replace />;
+  if (!isLoggedIn) {
+    return (
+      <Navigate
+        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
+        replace
+      />
+    );
  }

-  if (!hasValidRedirect || !isAppLogin) {
+  if (!hasValidRedirect) {
    return <Navigate to="/logout" replace />;
  }

@@ -108,7 +104,7 @@ export const ContinuePage = () => {
              components={{
                code: <code />,
              }}
-              values={{ cookieDomain: app.cookieDomain }}
+              values={{ cookieDomain }}
              shouldUnescape={true}
            />
          </CardDescription>
@@ -10,19 +10,12 @@ import { Button } from "@/components/ui/button";
 import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
-import { useLocation } from "react-router";
-import {
-  recompileScreenParams,
-  useScreenParams,
-} from "@/lib/hooks/screen-params";
+import { useNavigate } from "react-router";

 export const ForgotPasswordPage = () => {
-  const { ui } = useAppContext();
+  const { forgotPasswordMessage } = useAppContext();
  const { t } = useTranslation();
-  const { search } = useLocation();
-  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);
+  const navigate = useNavigate();

  return (
    <Card>
@@ -32,8 +25,8 @@ export const ForgotPasswordPage = () => {
      <CardContent>
        <CardDescription>
          <Markdown>
-            {ui.forgotPasswordMessage !== ""
-              ? ui.forgotPasswordMessage
+            {forgotPasswordMessage !== ""
+              ? forgotPasswordMessage
              : t("forgotPasswordMessage")}
          </Markdown>
        </CardDescription>
@@ -43,10 +36,10 @@ export const ForgotPasswordPage = () => {
          className="w-full"
          variant="outline"
          onClick={() => {
-            window.location.replace(`/login${compiledParams}`);
+            navigate("/login");
          }}
        >
-          {t("backToLoginButton")}
+          {t("notFoundButton")}
        </Button>
      </CardFooter>
    </Card>
@@ -18,6 +18,7 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
+import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -25,11 +26,6 @@ import { useEffect, useId, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import {
-  recompileScreenParams,
-  useScreenParams,
-} from "@/lib/hooks/screen-params";
-import { useLoginFor } from "@/lib/hooks/login-for";

 const iconMap: Record<string, React.ReactNode> = {
  google: <GoogleIcon />,
@@ -40,19 +36,12 @@ const iconMap: Record<string, React.ReactNode> = {
 };

 export const LoginPage = () => {
-  const { auth, tailscale } = useUserContext();
-  const {
-    ui,
-    oauth,
-    auth: { providers },
-  } = useAppContext();
+  const { isLoggedIn } = useUserContext();
+  const { providers, title, oauthAutoRedirect } = useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();

  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(
-    tailscale.nodeName !== undefined,
-  );

  const hasAutoRedirectedRef = useRef(false);

@@ -62,22 +51,20 @@ export const LoginPage = () => {
  const formId = useId();

  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);
-  const loginForUrl = useLoginFor({
-    login_for: screenParams.login_for,
-    compiledParams,
-  });
+  const {
+    values: props,
+    isOidc,
+    compiled: compiledOIDCParams,
+  } = useOIDCParams(searchParams);

  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
-    providers.find((provider) => provider.id === oauth.autoRedirect) !==
-      undefined && screenParams.redirect_uri !== undefined,
+    providers.find((provider) => provider.id === oauthAutoRedirect) !==
+      undefined && props.redirect_uri,
  );

  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
-
  const userAuthConfigured =
    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
@@ -89,9 +76,10 @@ export const LoginPage = () => {
    isPending: oauthIsPending,
    variables: oauthVariables,
  } = useMutation({
-    mutationFn: (provider: string) => {
-      return axios.get(`/api/oauth/url/${provider}${compiledParams}`);
-    },
+    mutationFn: (provider: string) =>
+      axios.get(
+        `/api/oauth/url/${provider}${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+      ),
    mutationKey: ["oauth"],
    onSuccess: (data) => {
      toast.info(t("loginOauthSuccessTitle"), {
@@ -121,7 +109,9 @@ export const LoginPage = () => {
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
-        window.location.replace(`/totp${compiledParams}`);
+        window.location.replace(
+          `/totp${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+        );
        return;
      }

@@ -130,7 +120,13 @@ export const LoginPage = () => {
      });

      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (isOidc) {
+          window.location.replace(`/authorize?${compiledOIDCParams}`);
+          return;
+        }
+        window.location.replace(
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+        );
      }, 500);
    },
    onError: (error: AxiosError) => {
@@ -143,43 +139,23 @@ export const LoginPage = () => {
    },
  });

-  const { mutate: tailscaleMutate, isPending: tailscaleIsPending } =
-    useMutation({
-      mutationFn: () => axios.post("/api/user/tailscale"),
-      mutationKey: ["tailscale"],
-      onSuccess: () => {
-        toast.success(t("loginSuccessTitle"), {
-          description: t("loginTailscaleSuccess"),
-        });
-
-        redirectTimer.current = window.setTimeout(() => {
-          window.location.replace(loginForUrl);
-        }, 500);
-      },
-      onError: () => {
-        toast.error(t("loginFailTitle"), {
-          description: t("loginTailscaleFail"),
-        });
-      },
-    });
-
  useEffect(() => {
    if (
-      !auth.authenticated &&
+      !isLoggedIn &&
      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
-      screenParams.login_for !== undefined
+      props.redirect_uri
    ) {
      hasAutoRedirectedRef.current = true;
-      oauthMutate(oauth.autoRedirect);
+      oauthMutate(oauthAutoRedirect);
    }
  }, [
-    auth.authenticated,
+    isLoggedIn,
    oauthMutate,
    hasAutoRedirectedRef,
-    oauth.autoRedirect,
+    oauthAutoRedirect,
    isOauthAutoRedirect,
-    screenParams.login_for,
+    props.redirect_uri,
  ]);

  useEffect(() => {
@@ -194,8 +170,21 @@ export const LoginPage = () => {
    };
  }, [redirectTimer, redirectButtonTimer]);

-  if (auth.authenticated) {
-    return <Navigate to={loginForUrl} replace />;
+  if (isLoggedIn && isOidc) {
+    return <Navigate to={`/authorize?${compiledOIDCParams}`} replace />;
+  }
+
+  if (isLoggedIn && props.redirect_uri !== "") {
+    return (
+      <Navigate
+        to={`/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`}
+        replace
+      />
+    );
+  }
+
+  if (isLoggedIn) {
+    return <Navigate to="/logout" replace />;
  }

  if (isOauthAutoRedirect) {
@@ -230,49 +219,10 @@ export const LoginPage = () => {
      </Card>
    );
  }
-
-  if (useTailscale) {
-    return (
-      <Card>
-        <CardHeader className="gap-3">
-          <TailscaleIcon className="mx-auto h-8 w-8" />
-          <CardTitle className="text-center text-xl">
-            {t("loginTailscaleTitle")}
-          </CardTitle>
-        </CardHeader>
-        <CardContent className="flex flex-col gap-4">
-          <div className="text-muted-foreground text-sm">
-            {t("loginTailscaleDescription")}
-          </div>
-          <div className="text-muted-foreground text-sm">
-            {t("loginTailscaleDeviceName")} <code>{tailscale.nodeName}</code>
-          </div>
-        </CardContent>
-        <CardFooter className="flex flex-col items-stretch gap-3">
-          <Button
-            className="w-full"
-            onClick={() => tailscaleMutate()}
-            loading={tailscaleIsPending}
-          >
-            {t("loginTailscaleSubmit")}
-          </Button>
-          <Button
-            className="w-full"
-            variant="outline"
-            onClick={() => setUseTailscale(false)}
-            disabled={tailscaleIsPending}
-          >
-            {t("loginTailscaleOtherMethod")}
-          </Button>
-        </CardFooter>
-      </Card>
-    );
-  }
-
  return (
    <Card>
      <CardHeader className="gap-1.5">
-        <CardTitle className="text-center text-xl">{ui.title}</CardTitle>
+        <CardTitle className="text-center text-xl">{title}</CardTitle>
        {providers.length > 0 && (
          <CardDescription className="text-center">
            {oauthProviders.length !== 0
@@ -305,10 +255,6 @@ export const LoginPage = () => {
            onSubmit={(values) => loginMutate(values)}
            loading={loginIsPending || oauthIsPending}
            formId={formId}
-            params={(() => {
-              const eparams = searchParams.toString();
-              return eparams.length > 0 ? `?${eparams}` : "";
-            })()}
          />
        )}
        {providers.length == 0 && (
@@ -13,23 +13,12 @@ import { useEffect, useRef } from "react";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate } from "react-router";
 import { toast } from "sonner";
-import { type UseMutationResult } from "@tanstack/react-query";
-import { type AxiosResponse } from "axios";
-import { useLocation } from "react-router";
-import {
-  useScreenParams,
-  recompileScreenParams,
-} from "@/lib/hooks/screen-params";

 export const LogoutPage = () => {
-  const { auth, oauth, tailscale } = useUserContext();
+  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
  const { t } = useTranslation();
-  const { search } = useLocation();

  const redirectTimer = useRef<number | null>(null);
-  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);

  const logoutMutation = useMutation({
    mutationFn: () => axios.post("/api/user/logout"),
@@ -40,7 +29,7 @@ export const LogoutPage = () => {
      });

      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(`/login${compiledParams}`);
+        window.location.replace("/login");
      }, 500);
    },
    onError: () => {
@@ -58,82 +47,42 @@ export const LogoutPage = () => {
    };
  }, [redirectTimer]);

-  if (!auth.authenticated) {
-    return <Navigate to={`/login${compiledParams}`} replace />;
+  if (!isLoggedIn) {
+    return <Navigate to="/login" replace />;
  }

-  if (oauth.active) {
-    return (
-      <LogoutLayout logoutMutation={logoutMutation}>
-        <Trans
-          i18nKey="logoutOauthSubtitle"
-          t={t}
-          components={{
-            code: <code />,
-          }}
-          values={{
-            username: auth.email,
-            provider: oauth.displayName,
-          }}
-          shouldUnescape={true}
-        />
-      </LogoutLayout>
-    );
-  }
-
-  if (auth.providerId === "tailscale") {
-    return (
-      <LogoutLayout logoutMutation={logoutMutation}>
-        <Trans
-          i18nKey="logoutTailscaleSubtitle"
-          t={t}
-          components={{
-            code: <code />,
-          }}
-          values={{
-            deviceName: tailscale.nodeName,
-          }}
-          shouldUnescape={true}
-        />
-      </LogoutLayout>
-    );
-  }
-
-  return (
-    <LogoutLayout logoutMutation={logoutMutation}>
-      <Trans
-        i18nKey="logoutUsernameSubtitle"
-        t={t}
-        components={{
-          code: <code />,
-        }}
-        values={{
-          username: auth.username,
-        }}
-        shouldUnescape={true}
-      />
-    </LogoutLayout>
-  );
-};
-
-interface LogoutLayoutProps {
-  children: React.ReactNode;
-  logoutMutation: UseMutationResult<
-    //eslint-disable-next-line @typescript-eslint/no-explicit-any,@typescript-eslint/no-empty-object-type
-    AxiosResponse<any, any, {}>,
-    Error,
-    void,
-    unknown
-  >;
-}
-
-function LogoutLayout({ children, logoutMutation }: LogoutLayoutProps) {
-  const { t } = useTranslation();
  return (
    <Card>
      <CardHeader className="gap-1.5">
        <CardTitle className="text-xl">{t("logoutTitle")}</CardTitle>
-        <CardDescription>{children}</CardDescription>
+        <CardDescription>
+          {provider !== "local" && provider !== "ldap" ? (
+            <Trans
+              i18nKey="logoutOauthSubtitle"
+              t={t}
+              components={{
+                code: <code />,
+              }}
+              values={{
+                username: email,
+                provider: oauthName,
+              }}
+              shouldUnescape={true}
+            />
+          ) : (
+            <Trans
+              i18nKey="logoutUsernameSubtitle"
+              t={t}
+              components={{
+                code: <code />,
+              }}
+              values={{
+                username,
+              }}
+              shouldUnescape={true}
+            />
+          )}
+        </CardDescription>
      </CardHeader>
      <CardFooter>
        <Button
@@ -147,4 +96,4 @@ function LogoutLayout({ children, logoutMutation }: LogoutLayoutProps) {
      </CardFooter>
    </Card>
  );
-}
+};
@@ -16,14 +16,10 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
-import {
-  recompileScreenParams,
-  useScreenParams,
-} from "@/lib/hooks/screen-params";
-import { useLoginFor } from "@/lib/hooks/login-for";
+import { useOIDCParams } from "@/lib/hooks/oidc";

 export const TotpPage = () => {
-  const { totp, auth } = useUserContext();
+  const { totpPending } = useUserContext();
  const { t } = useTranslation();
  const { search } = useLocation();
  const formId = useId();
@@ -31,12 +27,11 @@ export const TotpPage = () => {
  const redirectTimer = useRef<number | null>(null);

  const searchParams = new URLSearchParams(search);
-  const screenParams = useScreenParams(searchParams);
-  const compiledParams = recompileScreenParams(screenParams);
-  const loginForUrl = useLoginFor({
-    login_for: screenParams.login_for,
-    compiledParams,
-  });
+  const {
+    values: props,
+    isOidc,
+    compiled: compiledOIDCParams,
+  } = useOIDCParams(searchParams);

  const totpMutation = useMutation({
    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -47,7 +42,14 @@ export const TotpPage = () => {
      });

      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace(loginForUrl);
+        if (isOidc) {
+          window.location.replace(`/authorize?${compiledOIDCParams}`);
+          return;
+        }
+
+        window.location.replace(
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+        );
      }, 500);
    },
    onError: () => {
@@ -65,11 +67,8 @@ export const TotpPage = () => {
    };
  }, [redirectTimer]);

-  if (!totp.pending) {
-    if (auth.authenticated) {
-      return <Navigate to={loginForUrl} replace />;
-    }
-    return <Navigate to={`/login${compiledParams}`} replace />;
+  if (!totpPending) {
+    return <Navigate to="/" replace />;
  }

  return (
@@ -78,7 +77,7 @@ export const TotpPage = () => {
        <CardTitle className="text-xl">{t("totpTitle")}</CardTitle>
        <CardDescription>{t("totpSubtitle")}</CardDescription>
      </CardHeader>
-      <CardContent>
+      <CardContent className="flex flex-col items-center">
        <TotpForm
          formId={formId}
          onSubmit={(values) => totpMutation.mutate(values)}
@@ -6,32 +6,15 @@ export const providerSchema = z.object({
  oauth: z.boolean(),
 });

-const authSchema = z.object({
+export const appContextSchema = z.object({
  providers: z.array(providerSchema),
-});
-
-const oauthSchema = z.object({
-  autoRedirect: z.string(),
-});
-
-const uiSchema = z.object({
  title: z.string(),
+  appUrl: z.string(),
+  cookieDomain: z.string(),
  forgotPasswordMessage: z.string(),
  backgroundImage: z.string(),
+  oauthAutoRedirect: z.string(),
  warningsEnabled: z.boolean(),
 });

-const appSchema = z.object({
-  appUrl: z.string(),
-  cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
-});
-
-export const appContextSchema = z.object({
-  auth: authSchema,
-  oauth: oauthSchema,
-  ui: uiSchema,
-  app: appSchema,
-});
-
 export type AppContextSchema = z.infer<typeof appContextSchema>;
@@ -0,0 +1,5 @@
+import { z } from "zod";
+
+export const getOidcClientInfoSchema = z.object({
+  name: z.string(),
+});
@@ -1,31 +1,14 @@
 import { z } from "zod";

-const authSchema = z.object({
-  authenticated: z.boolean(),
+export const userContextSchema = z.object({
+  isLoggedIn: z.boolean(),
  username: z.string(),
  name: z.string(),
  email: z.string(),
-  providerId: z.string(),
-});
-
-const oauthSchema = z.object({
-  active: z.boolean(),
-  displayName: z.string(),
-});
-
-const totpSchema = z.object({
-  pending: z.boolean(),
-});
-
-const tailscaleSchema = z.object({
-  nodeName: z.string().optional(),
-});
-
-export const userContextSchema = z.object({
-  auth: authSchema,
-  oauth: oauthSchema,
-  totp: totpSchema,
-  tailscale: tailscaleSchema,
+  provider: z.string(),
+  oauth: z.boolean(),
+  totpPending: z.boolean(),
+  oauthName: z.string(),
 });

 export type UserContextSchema = z.infer<typeof userContextSchema>;
@@ -1,8 +1,9 @@
 {
  "compilerOptions": {
    // Resolve paths
+    "baseUrl": ".",
    "paths": {
-      "@/*": ["./src/*"],
+      "@/*": ["./src/*"]
    },

    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
@@ -25,7 +26,7 @@
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "noFallthroughCasesInSwitch": true,
-    "noUncheckedSideEffectImports": true,
+    "noUncheckedSideEffectImports": true
  },
-  "include": ["src"],
+  "include": ["src"]
 }
@@ -2,11 +2,12 @@
  "files": [],
  "references": [
    { "path": "./tsconfig.app.json" },
-    { "path": "./tsconfig.node.json" },
+    { "path": "./tsconfig.node.json" }
  ],
  "compilerOptions": {
+    "baseUrl": ".",
    "paths": {
-      "@/*": ["./src/*"],
-    },
-  },
+      "@/*": ["./src/*"]
+    }
+  }
 }
@@ -13,23 +13,27 @@ export default defineConfig({
    },
  },
  build: {
-    rolldownOptions: {
+    rollupOptions: {
      output: {
-        codeSplitting: {
-          groups: [
-            {
-              name: "ui",
-              test: "@radix-ui|input-otp|tailwindcss|tailwind-merge|sonner|lucide-react",
-            },
-            {
-              name: "i18n",
-              test: "i18next|i18next-browser-languagedetector|i18next-resources-to-backend",
-            },
-            {
-              name: "util",
-              test: "zod|axios|react-hook-form",
-            },
+        manualChunks: {
+          ui: [
+            "@radix-ui/react-dropdown-menu",
+            "@radix-ui/react-label",
+            "@radix-ui/react-select",
+            "@radix-ui/react-separator",
+            "@radix-ui/react-slot",
+            "input-otp",
+            "tailwindcss",
+            "tailwind-merge",
+            "sonner",
+            "lucide-react",
          ],
+          i18n: [
+            "i18next",
+            "i18next-browser-languagedetector",
+            "i18next-resources-to-backend",
+          ],
+          util: ["zod", "axios", "react-hook-form"],
        },
      },
    },
@@ -52,16 +56,6 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/\.well-known/, ""),
      },
-      "/robots.txt": {
-        target: "http://tinyauth-backend:3000/robots.txt",
-        changeOrigin: true,
-        rewrite: (path) => path.replace(/^\/robots.txt/, ""),
-      },
-      "/authorize": {
-        target: "http://tinyauth-backend:3000/authorize",
-        changeOrigin: true,
-        rewrite: (path) => path.replace(/^\/authorize/, ""),
-      },
    },
    allowedHosts: true,
  },
@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"

-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
 )

 type EnvEntry struct {
@@ -20,7 +20,7 @@ type EnvEntry struct {
 }

 func generateExampleEnv() {
-	cfg := model.NewDefaultConfiguration()
+	cfg := config.NewDefaultConfiguration()
 	entries := make([]EnvEntry, 0)

 	root := reflect.TypeOf(cfg).Elem()
@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"

-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
 )

 type MarkdownEntry struct {
@@ -21,7 +21,7 @@ type MarkdownEntry struct {
 }

 func generateMarkdown() {
-	cfg := model.NewDefaultConfiguration()
+	cfg := config.NewDefaultConfiguration()
 	entries := make([]MarkdownEntry, 0)

 	root := reflect.TypeOf(cfg).Elem()
@@ -1,473 +0,0 @@
-// gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
-// internal/repository/<driver>/. Run via:
-//
-//	go generate ./internal/repository/...
-//
-// The generator introspects *Queries methods and the model/params types in the
-// driver package, then emits a store.go that wraps *Queries so it satisfies
-// repository.Store using the canonical shared types in the parent package.
-// This generator is specific to sqlc-generated drivers. Non-sqlc drivers should
-// implement repository.Store directly by hand.
-package main
-
-import (
-	"bytes"
-	_ "embed"
-	"flag"
-	"fmt"
-	"go/format"
-	"go/types"
-	"log"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sort"
-	"strings"
-	"text/template"
-
-	"golang.org/x/tools/go/packages"
-)
-
-//go:embed store.tmpl
-var storeSrc string
-
-func main() {
-	fmt.Println("sqlc-wrapper: generating store.go files for sqlc driver packages...")
-	if err := run(); err != nil {
-		log.Fatal(err)
-	}
-}
-
-func run() error {
-	driverPkg := flag.String("pkg", "", "import path of the driver package")
-	out := flag.String("out", "store.go", "output filename relative to driver package directory")
-	flag.Parse()
-
-	if *driverPkg == "" {
-		return fmt.Errorf("-pkg is required")
-	}
-
-	// Resolve the driver package directory so we can overlay the output file
-	// with a valid stub. This prevents a stale store.go from poisoning the
-	// type-checker and producing cryptic "undefined" errors.
-	driverDir, err := pkgDir(*driverPkg)
-	if err != nil {
-		return fmt.Errorf("resolve driver dir: %w", err)
-	}
-
-	outPath := filepath.Join(driverDir, *out)
-	if filepath.IsAbs(*out) {
-		outPath = *out
-	}
-
-	// Stub replaces the output file during load so stale generated code is ignored.
-	stub := []byte("package " + filepath.Base(driverDir) + "\n")
-	cfg := &packages.Config{
-		Mode:    packages.NeedName | packages.NeedTypes | packages.NeedSyntax | packages.NeedImports,
-		Overlay: map[string][]byte{outPath: stub},
-	}
-
-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
-	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
-	}
-
-	repoPkgPath := parentPkg(*driverPkg)
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
-	if err != nil {
-		return fmt.Errorf("load repo package: %w", err)
-	}
-
-	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
-		return fmt.Errorf("struct shape mismatch: %w", err)
-	}
-	if err := validateStoreCoverage(driverTypePkg, repoTypePkg); err != nil {
-		return err
-	}
-
-	methods, err := collectMethods(driverTypePkg)
-	if err != nil {
-		return err
-	}
-
-	src, err := render(tmplData{
-		PkgName: driverTypePkg.Name(),
-		RepoPkg: repoPkgPath,
-		Methods: renderMethods(methods),
-	})
-	if err != nil {
-		return fmt.Errorf("render: %w", err)
-	}
-
-	if err := os.WriteFile(outPath, src, 0644); err != nil {
-		return fmt.Errorf("write %s: %w", outPath, err)
-	}
-	fmt.Printf("wrote %s\n", outPath)
-	return nil
-}
-
-// loadOnePkg loads a single package via cfg and returns its *types.Package,
-// or an error if the package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
-	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
-	}
-	if len(pkgs) != 1 {
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
-	}
-	pkg := pkgs[0]
-	if len(pkg.Errors) > 0 {
-		msgs := make([]string, len(pkg.Errors))
-		for i, e := range pkg.Errors {
-			msgs[i] = e.Error()
-		}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
-	}
-	return pkg.Types, nil
-}
-
-// parentPkg returns the parent import path (everything before the last /).
-// Panics if imp contains no slash — callers are expected to pass driver sub-packages.
-func parentPkg(imp string) string {
-	i := strings.LastIndex(imp, "/")
-	if i < 0 {
-		panic(fmt.Sprintf("parentPkg: import path %q has no parent", imp))
-	}
-	return imp[:i]
-}
-
-// pkgDir returns the on-disk directory for an import path using `go list`.
-func pkgDir(importPath string) (string, error) {
-	out, err := exec.Command("go", "list", "-f", "{{.Dir}}", importPath).Output()
-	if err != nil {
-		return "", fmt.Errorf("go list %s: %w", importPath, err)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-// scopeStructs returns all named struct types in pkg, excluding the internal
-// sqlc types Queries, DBTX, and Store. Names are returned in sorted order.
-func scopeStructs(pkg *types.Package) (names []string, byName map[string]*types.Struct) {
-	byName = make(map[string]*types.Struct)
-	for _, name := range pkg.Scope().Names() { // Names() is already sorted
-		switch name {
-		case "Queries", "DBTX", "Store":
-			continue
-		}
-		obj, ok := pkg.Scope().Lookup(name).(*types.TypeName)
-		if !ok {
-			continue
-		}
-		named, ok := obj.Type().(*types.Named)
-		if !ok {
-			continue
-		}
-		s, ok := named.Underlying().(*types.Struct)
-		if !ok {
-			continue
-		}
-		names = append(names, name)
-		byName[name] = s
-	}
-	return
-}
-
-// validateStoreCoverage checks that every method declared in repository.Store
-// exists on *Queries in the driver package. Missing methods are reported by
-// name so the developer knows exactly which SQL queries need to be added.
-func validateStoreCoverage(driverPkg, repoPkg *types.Package) error {
-	queriesObj := driverPkg.Scope().Lookup("Queries")
-	if queriesObj == nil {
-		return fmt.Errorf("queries type not found in driver package")
-	}
-	queriesNamed := queriesObj.Type().(*types.Named)
-	queriesMS := types.NewMethodSet(types.NewPointer(queriesNamed))
-	queriesMethods := make(map[string]bool)
-	for m := range queriesMS.Methods() {
-		queriesMethods[m.Obj().Name()] = true
-	}
-
-	storeObj := repoPkg.Scope().Lookup("Store")
-	if storeObj == nil {
-		return fmt.Errorf("store type not found in repository package")
-	}
-	storeIface, ok := storeObj.Type().Underlying().(*types.Interface)
-	if !ok {
-		return fmt.Errorf("repository.Store is not an interface")
-	}
-
-	var missing []string
-	for method := range storeIface.Methods() {
-		if name := method.Name(); !queriesMethods[name] {
-			missing = append(missing, name)
-		}
-	}
-	if len(missing) > 0 {
-		sort.Strings(missing)
-		return fmt.Errorf(
-			"driver *Queries is missing %d method(s) required by repository.Store:\n  - %s\n\nRun sqlc generate to regenerate query methods, or add the missing SQL queries",
-			len(missing), strings.Join(missing, "\n  - "),
-		)
-	}
-	return nil
-}
-
-// validateStructShapes checks that every model/params struct in the driver
-// package has fields that exactly match the corresponding type in the repo
-// (parent) package. This catches drift between sqlc-generated types and the
-// canonical repository types before a broken cast reaches the compiler.
-func validateStructShapes(driverPkg, repoPkg *types.Package) error {
-	_, repoStructs := scopeStructs(repoPkg)
-	driverNames, driverStructs := scopeStructs(driverPkg)
-
-	var errs []string
-	for _, name := range driverNames {
-		repoStruct, ok := repoStructs[name]
-		if !ok {
-			// Driver has a type not in repo — fine (e.g. internal helpers).
-			continue
-		}
-		if err := compareStructs(name, driverStructs[name], repoStruct); err != nil {
-			errs = append(errs, err.Error())
-		}
-	}
-	if len(errs) > 0 {
-		sort.Strings(errs)
-		return fmt.Errorf("%s", strings.Join(errs, "\n  "))
-	}
-	return nil
-}
-
-func compareStructs(name string, driver, repo *types.Struct) error {
-	if driver.NumFields() != repo.NumFields() {
-		return fmt.Errorf("%s: field count mismatch (driver=%d, repo=%d)",
-			name, driver.NumFields(), repo.NumFields())
-	}
-	for i := range driver.NumFields() {
-		df := driver.Field(i)
-		rf := repo.Field(i)
-		if df.Name() != rf.Name() {
-			return fmt.Errorf("%s: field %d name mismatch (driver=%q, repo=%q)",
-				name, i, df.Name(), rf.Name())
-		}
-		if !types.Identical(df.Type(), rf.Type()) {
-			return fmt.Errorf("%s.%s: type mismatch (driver=%s, repo=%s)",
-				name, df.Name(), df.Type(), rf.Type())
-		}
-	}
-	return nil
-}
-
-type methodInfo struct {
-	Name    string
-	Params  []paramInfo
-	Results []resultInfo
-}
-
-type paramInfo struct {
-	Name     string
-	TypeStr  string // local (unqualified) type name
-	RepoType string // "repository.X" if this is a driver model/params type; else ""
-}
-
-type resultInfo struct {
-	TypeStr  string
-	IsSlice  bool
-	RepoType string // "repository.X" if driver type; else ""
-}
-
-func collectMethods(pkg *types.Package) ([]methodInfo, error) {
-	obj := pkg.Scope().Lookup("Queries")
-	if obj == nil {
-		return nil, fmt.Errorf("queries type not found in %s", pkg.Path())
-	}
-	named, ok := obj.Type().(*types.Named)
-	if !ok {
-		return nil, fmt.Errorf("queries is not a named type")
-	}
-	ms := types.NewMethodSet(types.NewPointer(named))
-
-	var out []methodInfo
-	for method := range ms.Methods() {
-		fn, ok := method.Obj().(*types.Func)
-		if !ok || fn.Name() == "WithTx" {
-			continue
-		}
-		sig := fn.Type().(*types.Signature)
-		mi := methodInfo{Name: fn.Name()}
-
-		// params: skip receiver + first (context.Context)
-		for i := 1; i < sig.Params().Len(); i++ {
-			p := sig.Params().At(i)
-			mi.Params = append(mi.Params, makeParam(p.Name(), p.Type(), pkg.Path()))
-		}
-		// results: skip error
-		for r := range sig.Results().Variables() {
-			if r.Type().String() == "error" {
-				continue
-			}
-			mi.Results = append(mi.Results, makeResult(r.Type(), pkg.Path()))
-		}
-		out = append(out, mi)
-	}
-	return out, nil
-}
-
-func makeParam(name string, t types.Type, driverPath string) paramInfo {
-	return paramInfo{
-		Name:     name,
-		TypeStr:  localName(t, driverPath),
-		RepoType: repoName(t, driverPath),
-	}
-}
-
-func makeResult(t types.Type, driverPath string) resultInfo {
-	ri := resultInfo{}
-	if sl, ok := t.(*types.Slice); ok {
-		ri.IsSlice = true
-		t = sl.Elem()
-	}
-	ri.TypeStr = localName(t, driverPath)
-	ri.RepoType = repoName(t, driverPath)
-	return ri
-}
-
-func localName(t types.Type, driverPath string) string {
-	named, ok := t.(*types.Named)
-	if !ok {
-		return types.TypeString(t, nil)
-	}
-	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
-		return named.Obj().Name()
-	}
-	return types.TypeString(t, func(p *types.Package) string { return p.Name() })
-}
-
-func repoName(t types.Type, driverPath string) string {
-	named, ok := t.(*types.Named)
-	if !ok {
-		return ""
-	}
-	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
-		return "repository." + named.Obj().Name()
-	}
-	return ""
-}
-
-// renderedMethod holds pre-built signature and body strings passed to the template.
-type renderedMethod struct {
-	Signature string
-	Body      string
-}
-
-func renderMethods(methods []methodInfo) []renderedMethod {
-	out := make([]renderedMethod, len(methods))
-	for i, m := range methods {
-		out[i] = renderedMethod{
-			Signature: buildSig(m),
-			Body:      buildBody(m),
-		}
-	}
-	return out
-}
-
-func buildSig(m methodInfo) string {
-	var sb strings.Builder
-	sb.WriteString("func (s *Store) ")
-	sb.WriteString(m.Name)
-	sb.WriteString("(ctx context.Context")
-	for _, p := range m.Params {
-		sb.WriteString(", ")
-		sb.WriteString(p.Name)
-		sb.WriteString(" ")
-		if p.RepoType != "" {
-			sb.WriteString(p.RepoType)
-		} else {
-			sb.WriteString(p.TypeStr)
-		}
-	}
-	sb.WriteString(") (")
-	for _, r := range m.Results {
-		if r.IsSlice {
-			sb.WriteString("[]")
-		}
-		if r.RepoType != "" {
-			sb.WriteString(r.RepoType)
-		} else {
-			sb.WriteString(r.TypeStr)
-		}
-		sb.WriteString(", ")
-	}
-	sb.WriteString("error)")
-	return sb.String()
-}
-
-func callArgs(m methodInfo) string {
-	args := make([]string, 0, len(m.Params))
-	for _, p := range m.Params {
-		if p.RepoType != "" {
-			// convert repo type → driver type: DriverType(arg)
-			args = append(args, p.TypeStr+"("+p.Name+")")
-		} else {
-			args = append(args, p.Name)
-		}
-	}
-	if len(args) == 0 {
-		return "ctx"
-	}
-	return "ctx, " + strings.Join(args, ", ")
-}
-
-var bodyTmpl = template.Must(template.New("store").Parse(storeSrc))
-
-type bodyData struct {
-	Call     string
-	RepoType string
-}
-
-func buildBody(m methodInfo) string {
-	call := "s.q." + m.Name + "(" + callArgs(m) + ")"
-
-	var (
-		name string
-		data bodyData
-	)
-
-	switch {
-	case len(m.Results) == 0 || m.Results[0].RepoType == "":
-		name = "void"
-		data = bodyData{Call: call}
-	case m.Results[0].IsSlice:
-		name = "slice"
-		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
-	default:
-		name = "scalar"
-		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
-	}
-
-	var buf bytes.Buffer
-	if err := bodyTmpl.ExecuteTemplate(&buf, name, data); err != nil {
-		panic(fmt.Sprintf("buildBody %s: %v", name, err))
-	}
-	return buf.String()
-}
-
-type tmplData struct {
-	PkgName string
-	RepoPkg string
-	Methods []renderedMethod
-}
-
-func render(data tmplData) ([]byte, error) {
-	var buf bytes.Buffer
-	if err := bodyTmpl.Execute(&buf, data); err != nil {
-		return nil, fmt.Errorf("execute template: %w", err)
-	}
-
-	formatted, err := format.Source(buf.Bytes())
-	if err != nil {
-		return buf.Bytes(), fmt.Errorf("format source: %w\nraw:\n%s", err, buf.String())
-	}
-	return formatted, nil
-}
--- a/Show More
+++ b/Show More