New translations en.json (Serbian (Cyrillic))

2026-05-10 06:18:11 +00:00 · 2026-04-16 00:58:09 +03:00
131 changed files with 1474 additions and 5555 deletions
@@ -91,8 +91,6 @@ TINYAUTH_APPS_name_LDAP_GROUPS=
 # Comma-separated list of allowed OAuth domains.
 TINYAUTH_OAUTH_WHITELIST=
 # Path to the OAuth whitelist file.
 TINYAUTH_OAUTH_WHITELISTFILE=
 # The OAuth provider to use for automatic redirection.
 TINYAUTH_OAUTH_AUTOREDIRECT=
 # OAuth client ID.
@@ -3,8 +3,7 @@ name: Bug report
 about: Create a report to help improve Tinyauth
 title: "[BUG]"
 labels: bug
-assignees:
+assignees: steveiliop56
  - steveiliop56
 ---
@@ -3,8 +3,7 @@ name: Feature request
 about: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
-assignees:
+assignees: steveiliop56
  - steveiliop56
 ---
@@ -5,33 +5,24 @@ on:
      - main
  pull_request:
 permissions:
  contents: read
 jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Setup bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
      - name: Setup go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "^1.26.0"
      - name: Go dependencies
        run: go mod download
      - name: Check codegen is up to date
        run: |
          go generate ./internal/repository/...
          git diff --exit-code -- internal/repository/
          git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
      - name: Install frontend dependencies
        run: |
          cd frontend
@@ -59,6 +50,6 @@ jobs:
        run: go test -coverprofile=coverage.txt -v ./...
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+        uses: codecov/codecov-action@v6
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -4,16 +4,12 @@ on:
  schedule:
    - cron: "0 0 * * *"
 permissions:
  contents: write
  packages: write
 jobs:
  create-release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Delete old release
        run: gh release delete --cleanup-tag --yes nightly || echo release not found
@@ -23,7 +19,7 @@ jobs:
          REPO: ${{ github.event.repository.name }}
      - name: Create release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
        with:
          prerelease: true
          tag_name: nightly
@@ -37,7 +33,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
@@ -55,15 +51,15 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "^1.26.0"
@@ -84,12 +80,12 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: tinyauth-amd64
          path: tinyauth-amd64
@@ -101,15 +97,15 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "^1.26.0"
@@ -130,12 +126,12 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: tinyauth-arm64
          path: tinyauth-arm64
@@ -147,28 +143,28 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/amd64
@@ -190,7 +186,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -205,28 +201,28 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/amd64
@@ -249,7 +245,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -263,28 +259,28 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/arm64
@@ -306,7 +302,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -321,28 +317,28 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
        with:
          ref: nightly
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/arm64
@@ -365,7 +361,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -379,25 +375,25 @@ jobs:
      - image-build-arm
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -418,25 +414,25 @@ jobs:
      - image-build-arm-distroless
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -456,14 +452,14 @@ jobs:
      - binary-build
      - binary-build-arm
    steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v8
        with:
          pattern: tinyauth-*
          path: binaries
          merge-multiple: true
      - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
        with:
          files: binaries/*
          tag_name: nightly
@@ -5,10 +5,6 @@ on:
    tags:
      - "v*"
 permissions:
  contents: write
  packages: write
 jobs:
  generate-metadata:
    runs-on: ubuntu-latest
@@ -18,7 +14,7 @@ jobs:
      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Generate metadata
        id: metadata
@@ -33,13 +29,13 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "^1.26.0"
@@ -60,12 +56,12 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: tinyauth-amd64
          path: tinyauth-amd64
@@ -76,13 +72,13 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Install bun
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: oven-sh/setup-bun@v2
      - name: Install go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        uses: actions/setup-go@v6
        with:
          go-version: "^1.26.0"
@@ -103,12 +99,12 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
      - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: tinyauth-arm64
          path: tinyauth-arm64
@@ -119,26 +115,26 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/amd64
@@ -160,7 +156,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -174,26 +170,26 @@ jobs:
      - image-build
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/amd64
@@ -216,7 +212,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
@@ -229,26 +225,26 @@ jobs:
      - generate-metadata
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/arm64
@@ -270,7 +266,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -284,26 +280,26 @@ jobs:
      - image-build-arm
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@v7
        id: build
        with:
          platforms: linux/arm64
@@ -326,7 +322,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@v7
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
@@ -340,25 +336,25 @@ jobs:
      - image-build-arm
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -381,25 +377,25 @@ jobs:
      - image-build-arm-distroless
    steps:
      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        uses: actions/download-artifact@v8
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@v4
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
+        uses: docker/metadata-action@v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
@@ -423,13 +419,13 @@ jobs:
      - binary-build
      - binary-build-arm
    steps:
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+      - uses: actions/download-artifact@v8
        with:
          pattern: tinyauth-*
          path: binaries
          merge-multiple: true
      - name: Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
+        uses: softprops/action-gh-release@v3
        with:
          files: binaries/*
@@ -1,43 +0,0 @@
 name: Scorecard supply-chain security
 on:
  branch_protection_rule:
  schedule:
    - cron: "31 17 * * 5"
  push:
    branches: ["main"]
 permissions: read-all
 jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Upload artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
        with:
          sarif_file: results.sarif
@@ -2,19 +2,15 @@ name: Generate Sponsors List
 on:
  workflow_dispatch:
 permissions:
  contents: write
  pull-requests: write
 jobs:
  generate-sponsors:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v6
      - name: Generate Sponsors
-        uses: JamesIves/github-sponsors-readme-action@2fd9142e765f755780202122261dc85e78459405 # v1
+        uses: JamesIves/github-sponsors-readme-action@v1
        with:
          token: ${{ secrets.SPONSORS_GENERATOR_PAT }}
          active-only: false
@@ -22,7 +18,7 @@ jobs:
          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="64px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
+        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: |
@@ -3,15 +3,11 @@ on:
  schedule:
    - cron: 0 10 * * *
 permissions:
  issues: write
  pull-requests: write
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+      - uses: actions/stale@v10
        with:
          days-before-stale: 30
          stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.
@@ -0,0 +1,15 @@
 {
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Connect to server",
      "type": "go",
      "request": "attach",
      "mode": "remote",
      "remotePath": "/tinyauth",
      "port": 4000,
      "host": "127.0.0.1",
      "debugAdapter": "legacy"
    }
  ]
 }
@@ -1,27 +0,0 @@
 # AI Usage Policy
 > [!NOTE]
 > By Tinyauth, we refer to the entire Tinyauth ([tinyauthapp](https://github.com/tinyauthapp)) organization and all of the repositories under it.
 ## How we utilize AI in Tinyauth
 In Tinyauth, we see AI as another tool designed to help developers accelerate their work, ***not*** as something that should be doing the development for them. The ways we utilize large language models in Tinyauth are the following:
 - **Pull request reviews**: We utilize [CodeRabbit](https://www.coderabbit.ai/) for reviews in our pull requests which helps us find and fix issues faster, minimizing the time maintainers have to spend reviewing.
 - **Documentation and Issues**: We use [Dosu](https://dosu.dev/) to help resolve duplicate issues faster and automatically update our documentation based on changes in the code base.
 - **In-Line Suggestions**: GitHub's [Copilot](https://github.com/features/copilot) is partially used to fill in boilerplate code through in-line suggestions.
 ## How we expect the community to use AI
 We expect the Tinyauth community to use AI as a tool for faster development and not as a way to implement entire features through prompts. For this reason, the following guidelines are in place for AI generated content:
 - **All usage must be clearly labeled**: Any content generated by AI must be clearly labeled as such. In the case that a pull request is clearly generated by AI and the author fails to disclose its use, it will be rejected.
 - **All generated content should be completely understood by the account holder**: The human who utilized the large language model to generate content must have a thorough understanding of it. This includes understanding the resulting output to the full extent and being able to explain it in detail in case it's needed.
 - **Automated systems are not allowed**: All forms of automated systems that utilize large language models to generate content without human oversight are forbidden. This includes any system that generates content without a human being directly involved in the process like for example with OpenClaw.
 - **No generated content other than text is allowed**: Images, videos, audio and any other form of content generated by AI other than text is not allowed in Tinyauth.
 - **AI pull requests are not guaranteed to be accepted or prioritized**: Any pull request that contains AI generated content is not guaranteed to be accepted and/or prioritized. The maintainers are responsible for reviewing all pull requests and determining whether or not they meet the standards of the project. AI generated content will be reviewed with the same standards as any other content, and may be rejected if it does not meet those standards.
 - **Large generated pull requests will be rejected**: Any pull request that contains a large amount of generated content will be rejected. This is because it is difficult for the maintainers to review and verify large amounts of generated content.
 ## Tinyauth is developed by humans, for humans
 Please remember that Tinyauth is developed by humans. While AI can be a useful tool for **assisting** in the development process, it should not be used in place of the human brain. Moving forward, we are committed to ensuring that most, if not all the content in Tinyauth is created and reviewed by humans, and that AI is only used as a tool to assist in the development process.
@@ -2,9 +2,6 @@
 Contributing to Tinyauth is straightforward. Follow the steps below to set up a development server.
 > [!NOTE]
 > If you are using large language models to contribute to the project, please ensure that you have read and understood the [AI Policy](AI_POLICY.md).
 ## Requirements
 - Bun
@@ -18,7 +15,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 Start by cloning the repository:
 ```sh
-git clone https://github.com/tinyauthapp/tinyauth
+git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM oven/bun:1.3.12-alpine AS frontend-builder
 WORKDIR /frontend
@@ -38,9 +38,9 @@ COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN CGO_ENABLED=0 go build -ldflags "-s -w \
-    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
 FROM alpine:3.23 AS runner
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM oven/bun:1.3.12-alpine AS frontend-builder
 WORKDIR /frontend
@@ -40,9 +40,9 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 RUN CGO_ENABLED=0 go build -ldflags "-s -w \
-    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
@@ -17,7 +17,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	bun install --cwd frontend
 	go mod download
 # Clean data
@@ -37,9 +37,9 @@ webui: clean-webui
 # Build the binary
 binary: webui
 	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
-	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
+	-X github.com/steveiliop56/tinyauth/internal/config.Version=${TAG_NAME} \
-	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
+	-X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
-	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
+	-X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth
 # Build for amd64
@@ -84,4 +84,4 @@ sql:
 # Go gen
 generate:
-	go generate ./internal/repository/...
+	go run ./gen
@@ -5,15 +5,11 @@
 </div>
 <div align="center">
-    <img alt="License" src="https://img.shields.io/github/license/tinyauthapp/tinyauth">
+    <img alt="License" src="https://img.shields.io/github/license/steveiliop56/tinyauth">
-    <img alt="Release" src="https://img.shields.io/github/v/release/tinyauthapp/tinyauth">
+    <img alt="Release" src="https://img.shields.io/github/v/release/steveiliop56/tinyauth">
-    <img alt="Issues" src="https://img.shields.io/github/issues/tinyauthapp/tinyauth">
+    <img alt="Issues" src="https://img.shields.io/github/issues/steveiliop56/tinyauth">
-    <img alt="Tinyauth CI" src="https://github.com/tinyauthapp/tinyauth/actions/workflows/ci.yml/badge.svg">
+    <img alt="Tinyauth CI" src="https://github.com/steveiliop56/tinyauth/actions/workflows/ci.yml/badge.svg">
    <a title="Crowdin" target="_blank" href="https://crowdin.com/project/tinyauth"><img src="https://badges.crowdin.net/tinyauth/localized.svg"></a>
    <a href="https://scorecard.dev/viewer/?uri=github.com/tinyauthapp/tinyauth" target="_blank" title="OpenSSF Scorecard">
      <img src="https://api.scorecard.dev/projects/github.com/tinyauthapp/tinyauth/badge">
    </a>
    <a href="https://www.bestpractices.dev/projects/12681" target="_blank" title="OSSF Best Practices"><img src="https://www.bestpractices.dev/projects/12681/baseline"></a>
 </div>
 <br />
@@ -43,7 +39,7 @@ If you are still not sure if Tinyauth suits your needs you can try out the [demo
 You can find documentation and guides on all of the available configuration of Tinyauth in the [website](https://tinyauth.app).
-If you wish to contribute to the documentation head over to the [repository](https://github.com/tinyauthapp/docs).
+If you wish to contribute to the documentation head over to the [repository](https://github.com/steveiliop56/tinyauth-docs).
 ## Discord
@@ -51,7 +47,7 @@ Tinyauth has a [Discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop
 ## Contributing
-All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/tinyauthapp/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
+All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
 ## Localization
@@ -65,7 +61,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
 A big thank you to the following people for providing me with more coffee:
-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<a href="https://github.com/apearson"><img src="https:&#x2F;&#x2F;github.com&#x2F;apearson.png" width="64px" alt="User avatar: apearson" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/ax-mad"><img src="https:&#x2F;&#x2F;github.com&#x2F;ax-mad.png" width="64px" alt="User avatar: ax-mad" /></a>&nbsp;&nbsp;<a href="https://github.com/stegratech"><img src="https:&#x2F;&#x2F;github.com&#x2F;stegratech.png" width="64px" alt="User avatar: stegratech" /></a>&nbsp;&nbsp;<!-- sponsors -->
 ## Acknowledgements
@@ -76,4 +72,4 @@ A big thank you to the following people for providing me with more coffee:
 ## Star History
-[![Star History Chart](https://api.star-history.com/svg?repos=tinyauthapp/tinyauth&type=Date)](https://www.star-history.com/#tinyauthapp/tinyauth&Date)
+[![Star History Chart](https://api.star-history.com/svg?repos=steveiliop56/tinyauth&type=Date)](https://www.star-history.com/#steveiliop56/tinyauth&Date)
@@ -2,8 +2,8 @@
 ## Supported Versions
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/steveiliop56/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 ## Reporting a Vulnerability
-Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <steve@doesmycode.work>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
@@ -3,7 +3,7 @@
  "embeds": [
    {
      "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.\n\n**Information**\n\n• Github: <https://github.com/tinyauthapp/tinyauth>\n• Website: <https://tinyauth.app>",
+      "description": "Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
      "url": "https://tinyauth.app",
      "color": 7002085,
      "author": {
@@ -14,7 +14,7 @@
      },
      "timestamp": "2025-06-06T12:25:27.629Z",
      "thumbnail": {
-        "url": "https://github.com/tinyauthapp/tinyauth/blob/main/assets/logo.png?raw=true"
+        "url": "https://github.com/steveiliop56/tinyauth/blob/main/assets/logo.png?raw=true"
      }
    }
  ],
@@ -1,527 +0,0 @@
 // gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
 // internal/repository/<driver>/. Run via:
 //
 //	go generate ./internal/repository/...
 //
 // The generator introspects *Queries methods and the model/params types in the
 // driver package, then emits a store.go that wraps *Queries so it satisfies
 // repository.Store using the canonical shared types in the parent package.
 // This generator is specific to sqlc-generated drivers. Non-sqlc drivers should
 // implement repository.Store directly by hand.
 package main
 import (
 	"bytes"
 	_ "embed"
 	"flag"
 	"fmt"
 	"go/format"
 	"go/types"
 	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"sort"
 	"strings"
 	"text/template"
 	"golang.org/x/tools/go/packages"
 )
 //go:embed store.tmpl
 var storeSrc string
 func main() {
 	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
 func run() error {
 	driverPkg := flag.String("pkg", "", "import path of the driver package")
 	out := flag.String("out", "store.go", "output filename relative to driver package directory")
 	flag.Parse()
 	if *driverPkg == "" {
 		return fmt.Errorf("-pkg is required")
 	}
 	// Resolve the driver package directory so we can overlay the output file
 	// with a valid stub. This prevents a stale store.go from poisoning the
 	// type-checker and producing cryptic "undefined" errors.
 	driverDir, err := pkgDir(*driverPkg)
 	if err != nil {
 		return fmt.Errorf("resolve driver dir: %w", err)
 	}
 	outPath := filepath.Join(driverDir, *out)
 	if filepath.IsAbs(*out) {
 		outPath = *out
 	}
 	// Stub replaces the output file during load so stale generated code is ignored.
 	stub := []byte("package " + filepath.Base(driverDir) + "\n")
 	cfg := &packages.Config{
 		Mode:    packages.NeedName | packages.NeedTypes | packages.NeedSyntax | packages.NeedImports,
 		Overlay: map[string][]byte{outPath: stub},
 	}
 	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
 	if err != nil {
 		return fmt.Errorf("load driver package: %w", err)
 	}
 	repoPkgPath := parentPkg(*driverPkg)
 	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
 	if err != nil {
 		return fmt.Errorf("load repo package: %w", err)
 	}
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
 		return fmt.Errorf("struct shape mismatch: %w", err)
 	}
 	if err := validateStoreCoverage(driverTypePkg, repoTypePkg); err != nil {
 		return err
 	}
 	methods, err := collectMethods(driverTypePkg)
 	if err != nil {
 		return err
 	}
 	models, _ := collectTypes(driverTypePkg)
 	src, err := render(tmplData{
 		PkgName:    driverTypePkg.Name(),
 		RepoPkg:    repoPkgPath,
 		ModelTypes: models,
 		Methods:    renderMethods(methods),
 	})
 	if err != nil {
 		return fmt.Errorf("render: %w", err)
 	}
 	if err := os.WriteFile(outPath, src, 0644); err != nil {
 		return fmt.Errorf("write %s: %w", outPath, err)
 	}
 	fmt.Printf("wrote %s\n", outPath)
 	return nil
 }
 // loadOnePkg loads a single package via cfg and returns its *types.Package,
 // or an error if the package fails to load or has type errors.
 func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
 	pkgs, err := packages.Load(cfg, importPath)
 	if err != nil {
 		return nil, fmt.Errorf("load %s: %w", importPath, err)
 	}
 	if len(pkgs) != 1 {
 		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
 	}
 	pkg := pkgs[0]
 	if len(pkg.Errors) > 0 {
 		msgs := make([]string, len(pkg.Errors))
 		for i, e := range pkg.Errors {
 			msgs[i] = e.Error()
 		}
 		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
 	}
 	return pkg.Types, nil
 }
 // parentPkg returns the parent import path (everything before the last /).
 // Panics if imp contains no slash — callers are expected to pass driver sub-packages.
 func parentPkg(imp string) string {
 	i := strings.LastIndex(imp, "/")
 	if i < 0 {
 		panic(fmt.Sprintf("parentPkg: import path %q has no parent", imp))
 	}
 	return imp[:i]
 }
 // pkgDir returns the on-disk directory for an import path using `go list`.
 func pkgDir(importPath string) (string, error) {
 	out, err := exec.Command("go", "list", "-f", "{{.Dir}}", importPath).Output()
 	if err != nil {
 		return "", fmt.Errorf("go list %s: %w", importPath, err)
 	}
 	return strings.TrimSpace(string(out)), nil
 }
 // scopeStructs returns all named struct types in pkg, excluding the internal
 // sqlc types Queries, DBTX, and Store. Names are returned in sorted order.
 func scopeStructs(pkg *types.Package) (names []string, byName map[string]*types.Struct) {
 	byName = make(map[string]*types.Struct)
 	for _, name := range pkg.Scope().Names() { // Names() is already sorted
 		switch name {
 		case "Queries", "DBTX", "Store":
 			continue
 		}
 		obj, ok := pkg.Scope().Lookup(name).(*types.TypeName)
 		if !ok {
 			continue
 		}
 		named, ok := obj.Type().(*types.Named)
 		if !ok {
 			continue
 		}
 		s, ok := named.Underlying().(*types.Struct)
 		if !ok {
 			continue
 		}
 		names = append(names, name)
 		byName[name] = s
 	}
 	return
 }
 // validateStoreCoverage checks that every method declared in repository.Store
 // exists on *Queries in the driver package. Missing methods are reported by
 // name so the developer knows exactly which SQL queries need to be added.
 func validateStoreCoverage(driverPkg, repoPkg *types.Package) error {
 	queriesObj := driverPkg.Scope().Lookup("Queries")
 	if queriesObj == nil {
 		return fmt.Errorf("queries type not found in driver package")
 	}
 	queriesNamed := queriesObj.Type().(*types.Named)
 	queriesMS := types.NewMethodSet(types.NewPointer(queriesNamed))
 	queriesMethods := make(map[string]bool)
 	for m := range queriesMS.Methods() {
 		queriesMethods[m.Obj().Name()] = true
 	}
 	storeObj := repoPkg.Scope().Lookup("Store")
 	if storeObj == nil {
 		return fmt.Errorf("store type not found in repository package")
 	}
 	storeIface, ok := storeObj.Type().Underlying().(*types.Interface)
 	if !ok {
 		return fmt.Errorf("repository.Store is not an interface")
 	}
 	var missing []string
 	for method := range storeIface.Methods() {
 		if name := method.Name(); !queriesMethods[name] {
 			missing = append(missing, name)
 		}
 	}
 	if len(missing) > 0 {
 		sort.Strings(missing)
 		return fmt.Errorf(
 			"driver *Queries is missing %d method(s) required by repository.Store:\n  - %s\n\nRun sqlc generate to regenerate query methods, or add the missing SQL queries",
 			len(missing), strings.Join(missing, "\n  - "),
 		)
 	}
 	return nil
 }
 // validateStructShapes checks that every model/params struct in the driver
 // package has fields that exactly match the corresponding type in the repo
 // (parent) package. This catches drift between sqlc-generated types and the
 // canonical repository types before a broken cast reaches the compiler.
 func validateStructShapes(driverPkg, repoPkg *types.Package) error {
 	_, repoStructs := scopeStructs(repoPkg)
 	driverNames, driverStructs := scopeStructs(driverPkg)
 	var errs []string
 	for _, name := range driverNames {
 		repoStruct, ok := repoStructs[name]
 		if !ok {
 			// Driver has a type not in repo — fine (e.g. internal helpers).
 			continue
 		}
 		if err := compareStructs(name, driverStructs[name], repoStruct); err != nil {
 			errs = append(errs, err.Error())
 		}
 	}
 	if len(errs) > 0 {
 		sort.Strings(errs)
 		return fmt.Errorf("%s", strings.Join(errs, "\n  "))
 	}
 	return nil
 }
 func compareStructs(name string, driver, repo *types.Struct) error {
 	if driver.NumFields() != repo.NumFields() {
 		return fmt.Errorf("%s: field count mismatch (driver=%d, repo=%d)",
 			name, driver.NumFields(), repo.NumFields())
 	}
 	for i := range driver.NumFields() {
 		df := driver.Field(i)
 		rf := repo.Field(i)
 		if df.Name() != rf.Name() {
 			return fmt.Errorf("%s: field %d name mismatch (driver=%q, repo=%q)",
 				name, i, df.Name(), rf.Name())
 		}
 		if !types.Identical(df.Type(), rf.Type()) {
 			return fmt.Errorf("%s.%s: type mismatch (driver=%s, repo=%s)",
 				name, df.Name(), df.Type(), rf.Type())
 		}
 	}
 	return nil
 }
 // collectTypes returns model and params struct names from the driver package.
 func collectTypes(pkg *types.Package) (models []string, params []string) {
 	names, _ := scopeStructs(pkg)
 	for _, name := range names {
 		if strings.HasSuffix(name, "Params") {
 			params = append(params, name)
 		} else {
 			models = append(models, name)
 		}
 	}
 	return
 }
 type methodInfo struct {
 	Name    string
 	Params  []paramInfo
 	Results []resultInfo
 }
 type paramInfo struct {
 	Name     string
 	TypeStr  string // local (unqualified) type name
 	RepoType string // "repository.X" if this is a driver model/params type; else ""
 }
 type resultInfo struct {
 	TypeStr  string
 	IsSlice  bool
 	RepoType string // "repository.X" if driver type; else ""
 }
 func collectMethods(pkg *types.Package) ([]methodInfo, error) {
 	obj := pkg.Scope().Lookup("Queries")
 	if obj == nil {
 		return nil, fmt.Errorf("queries type not found in %s", pkg.Path())
 	}
 	named, ok := obj.Type().(*types.Named)
 	if !ok {
 		return nil, fmt.Errorf("queries is not a named type")
 	}
 	ms := types.NewMethodSet(types.NewPointer(named))
 	var out []methodInfo
 	for method := range ms.Methods() {
 		fn, ok := method.Obj().(*types.Func)
 		if !ok || fn.Name() == "WithTx" {
 			continue
 		}
 		sig := fn.Type().(*types.Signature)
 		mi := methodInfo{Name: fn.Name()}
 		// params: skip receiver + first (context.Context)
 		for i := 1; i < sig.Params().Len(); i++ {
 			p := sig.Params().At(i)
 			mi.Params = append(mi.Params, makeParam(p.Name(), p.Type(), pkg.Path()))
 		}
 		// results: skip error
 		for r := range sig.Results().Variables() {
 			if r.Type().String() == "error" {
 				continue
 			}
 			mi.Results = append(mi.Results, makeResult(r.Type(), pkg.Path()))
 		}
 		out = append(out, mi)
 	}
 	return out, nil
 }
 func makeParam(name string, t types.Type, driverPath string) paramInfo {
 	return paramInfo{
 		Name:     name,
 		TypeStr:  localName(t, driverPath),
 		RepoType: repoName(t, driverPath),
 	}
 }
 func makeResult(t types.Type, driverPath string) resultInfo {
 	ri := resultInfo{}
 	if sl, ok := t.(*types.Slice); ok {
 		ri.IsSlice = true
 		t = sl.Elem()
 	}
 	ri.TypeStr = localName(t, driverPath)
 	ri.RepoType = repoName(t, driverPath)
 	return ri
 }
 func localName(t types.Type, driverPath string) string {
 	named, ok := t.(*types.Named)
 	if !ok {
 		return types.TypeString(t, nil)
 	}
 	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
 		return named.Obj().Name()
 	}
 	return types.TypeString(t, func(p *types.Package) string { return p.Name() })
 }
 func repoName(t types.Type, driverPath string) string {
 	named, ok := t.(*types.Named)
 	if !ok {
 		return ""
 	}
 	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
 		return "repository." + named.Obj().Name()
 	}
 	return ""
 }
 // converterFn maps a type name to its converter function name: "Session" → "sessionToRepo".
 func converterFn(s string) string {
 	if s == "" {
 		return ""
 	}
 	return strings.ToLower(s[:1]) + s[1:] + "ToRepo"
 }
 // renderedMethod holds pre-built signature and body strings passed to the template.
 type renderedMethod struct {
 	Signature string
 	Body      string
 }
 func renderMethods(methods []methodInfo) []renderedMethod {
 	out := make([]renderedMethod, len(methods))
 	for i, m := range methods {
 		out[i] = renderedMethod{
 			Signature: buildSig(m),
 			Body:      buildBody(m),
 		}
 	}
 	return out
 }
 func buildSig(m methodInfo) string {
 	var sb strings.Builder
 	sb.WriteString("func (s *Store) ")
 	sb.WriteString(m.Name)
 	sb.WriteString("(ctx context.Context")
 	for _, p := range m.Params {
 		sb.WriteString(", ")
 		sb.WriteString(p.Name)
 		sb.WriteString(" ")
 		if p.RepoType != "" {
 			sb.WriteString(p.RepoType)
 		} else {
 			sb.WriteString(p.TypeStr)
 		}
 	}
 	sb.WriteString(") (")
 	for _, r := range m.Results {
 		if r.IsSlice {
 			sb.WriteString("[]")
 		}
 		if r.RepoType != "" {
 			sb.WriteString(r.RepoType)
 		} else {
 			sb.WriteString(r.TypeStr)
 		}
 		sb.WriteString(", ")
 	}
 	sb.WriteString("error)")
 	return sb.String()
 }
 func callArgs(m methodInfo) string {
 	args := make([]string, 0, len(m.Params))
 	for _, p := range m.Params {
 		if p.RepoType != "" {
 			// convert repo type → driver type: DriverType(arg)
 			args = append(args, p.TypeStr+"("+p.Name+")")
 		} else {
 			args = append(args, p.Name)
 		}
 	}
 	if len(args) == 0 {
 		return "ctx"
 	}
 	return "ctx, " + strings.Join(args, ", ")
 }
 // bodyTemplates holds the per-shape method body templates, parsed once at init.
 var bodyTemplates = template.Must(
 	template.New("bodies").Parse(`
 {{define "void"}}	return mapErr({{.Call}})
 {{end}}
 {{define "scalar"}}	r, err := {{.Call}}
 	if err != nil {
 		return {{.RepoType}}{}, mapErr(err)
 	}
 	return {{.Converter}}(r), nil
 {{end}}
 {{define "slice"}}	rows, err := {{.Call}}
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]{{.RepoType}}, len(rows))
 	for i, row := range rows {
 		out[i] = {{.Converter}}(row)
 	}
 	return out, nil
 {{end}}`),
 )
 type bodyData struct {
 	Call      string
 	RepoType  string
 	Converter string
 }
 func buildBody(m methodInfo) string {
 	call := "s.q." + m.Name + "(" + callArgs(m) + ")"
 	var (
 		name string
 		data bodyData
 	)
 	switch {
 	case len(m.Results) == 0 || m.Results[0].RepoType == "":
 		name = "void"
 		data = bodyData{Call: call}
 	case m.Results[0].IsSlice:
 		name = "slice"
 		data = bodyData{Call: call, RepoType: m.Results[0].RepoType, Converter: converterFn(m.Results[0].TypeStr)}
 	default:
 		name = "scalar"
 		data = bodyData{Call: call, RepoType: m.Results[0].RepoType, Converter: converterFn(m.Results[0].TypeStr)}
 	}
 	var buf bytes.Buffer
 	if err := bodyTemplates.ExecuteTemplate(&buf, name, data); err != nil {
 		panic(fmt.Sprintf("buildBody %s: %v", name, err))
 	}
 	return buf.String()
 }
 type tmplData struct {
 	PkgName    string
 	RepoPkg    string
 	ModelTypes []string
 	Methods    []renderedMethod
 }
 func render(data tmplData) ([]byte, error) {
 	t, err := template.New("store").Funcs(template.FuncMap{
 		"converterFn": converterFn,
 	}).Parse(storeSrc)
 	if err != nil {
 		return nil, fmt.Errorf("parse template: %w", err)
 	}
 	var buf bytes.Buffer
 	if err := t.Execute(&buf, data); err != nil {
 		return nil, fmt.Errorf("execute template: %w", err)
 	}
 	formatted, err := format.Source(buf.Bytes())
 	if err != nil {
 		return buf.Bytes(), fmt.Errorf("format source: %w\nraw:\n%s", err, buf.String())
 	}
 	return formatted, nil
 }
@@ -1,46 +0,0 @@
 // Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
 package {{.PkgName}}
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"{{.RepoPkg}}"
 )
 // Store wraps *Queries and implements repository.Store.
 type Store struct {
 	q *Queries
 }
 // NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
 var errMap = []struct {
 	from error
 	to   error
 }{
 	{sql.ErrNoRows, repository.ErrNotFound},
 }
 func mapErr(err error) error {
 	for _, e := range errMap {
 		if errors.Is(err, e.from) {
 			return e.to
 		}
 	}
 	return err
 }
 {{range .ModelTypes -}}
 func {{converterFn .}}(v {{.}}) repository.{{.}} {
 	return repository.{{.}}(v)
 }
 {{end -}}
 {{range .Methods}}{{.Signature}} {
 {{.Body}}}
 {{end}}
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"github.com/google/uuid"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/tinyauthapp/paerser/cli"
 )
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"charm.land/huh/v2"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -6,8 +6,8 @@ import (
 	"os"
 	"strings"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"charm.land/huh/v2"
 	"github.com/mdp/qrterminal/v3"
@@ -73,7 +73,7 @@ func generateTotpCmd() *cli.Command {
 				docker = true
 			}
-			if user.TOTPSecret != "" {
+			if user.TotpSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
 			}
@@ -102,14 +102,14 @@ func generateTotpCmd() *cli.Command {
 			qrterminal.GenerateWithConfig(key.URL(), config)
-			user.TOTPSecret = secret
+			user.TotpSecret = secret
 			// If using docker escape re-escape it
 			if docker {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
-			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TOTPSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 			return nil
 		},
@@ -9,7 +9,7 @@ import (
 	"os"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/paerser/cli"
 )
@@ -4,17 +4,17 @@ import (
 	"fmt"
 	"charm.land/huh/v2"
-	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
+	"github.com/steveiliop56/tinyauth/internal/bootstrap"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/utils/loaders"
+	"github.com/steveiliop56/tinyauth/internal/utils/loaders"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/rs/zerolog/log"
 	"github.com/tinyauthapp/paerser/cli"
 )
 func main() {
-	tConfig := model.NewDefaultConfiguration()
+	tConfig := config.NewDefaultConfiguration()
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
@@ -108,11 +108,11 @@ func main() {
 	}
 }
-func runCmd(cfg model.Config) error {
+func runCmd(cfg config.Config) error {
 	logger := tlog.NewLogger(cfg.Log)
 	logger.Init()
-	tlog.App.Info().Str("version", model.Version).Msg("Starting tinyauth")
+	tlog.App.Info().Str("version", config.Version).Msg("Starting tinyauth")
 	app := bootstrap.NewBootstrapApp(cfg)
@@ -4,8 +4,8 @@ import (
 	"errors"
 	"fmt"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"charm.land/huh/v2"
 	"github.com/pquerna/otp/totp"
@@ -95,7 +95,7 @@ func verifyUserCmd() *cli.Command {
 				return fmt.Errorf("password is incorrect: %w", err)
 			}
-			if user.TOTPSecret == "" {
+			if user.TotpSecret == "" {
 				if tCfg.Totp != "" {
 					tlog.App.Warn().Msg("User does not have TOTP secret")
 				}
@@ -103,7 +103,7 @@ func verifyUserCmd() *cli.Command {
 				return nil
 			}
-			ok := totp.Validate(tCfg.Totp, user.TOTPSecret)
+			ok := totp.Validate(tCfg.Totp, user.TotpSecret)
 			if !ok {
 				return fmt.Errorf("TOTP code incorrect")
@@ -3,8 +3,9 @@ package main
 import (
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/tinyauthapp/paerser/cli"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 )
 func versionCmd() *cli.Command {
@@ -14,9 +15,9 @@ func versionCmd() *cli.Command {
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
-			fmt.Printf("Version: %s\n", model.Version)
+			fmt.Printf("Version: %s\n", config.Version)
-			fmt.Printf("Commit Hash: %s\n", model.CommitHash)
+			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
-			fmt.Printf("Build Timestamp: %s\n", model.BuildTimestamp)
+			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
 			return nil
 		},
 	}
@@ -15,7 +15,7 @@ services:
      traefik.http.routers.whoami.middlewares: tinyauth
  tinyauth:
-    image: ghcr.io/tinyauthapp/tinyauth:v5
+    image: ghcr.io/steveiliop56/tinyauth:v5
    environment:
      - TINYAUTH_APPURL=https://tinyauth.example.com
      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
@@ -5,7 +5,7 @@ WORKDIR /frontend
 COPY ./frontend/package.json ./
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+RUN bun install
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +17,6 @@ interface Props {
  onSubmit: (data: LoginSchema) => void;
  loading?: boolean;
  formId?: string;
  params?: string;
 }
 export const LoginForm = (props: Props) => {
@@ -72,12 +71,6 @@ export const LoginForm = (props: Props) => {
                </FormControl>
                <a
                  href="/forgot-password"
                  onClick={(e) => {
                    e.preventDefault();
                    window.location.replace(
                      `/forgot-password${props.params ? `${props.params}` : ""}`,
                    );
                  }}
                  className="text-muted-foreground hover:text-muted-foreground/80 text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
                >
                  {t("forgotPasswordTitle")}
@@ -79,6 +79,5 @@
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information."
    "backToLoginButton": "Back to login"
 }
@@ -79,10 +79,5 @@
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information.",
+    "groupsScopeDescription": "Allows the app to access your group information."
    "backToLoginButton": "Back to login",
    "phoneScopeName": "Phone",
    "phoneScopeDescription": "Allows the app to access your phone number.",
    "addressScopeName": "Address",
    "addressScopeDescription": "Allows the app to access your address."
 }
@@ -57,7 +57,7 @@
    "fieldRequired": "Ово поље је неопходно",
    "invalidInput": "Неисправан унос",
    "domainWarningTitle": "Неисправан домен",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Приступате овој инстанци са неисправног домена. Ако наставите, можете наићи на проблеме са аутентификацијом.",
    "domainWarningCurrent": "Тренутни:",
    "domainWarningExpected": "Очекивани:",
    "ignoreTitle": "Игнориши",
@@ -17,7 +17,7 @@ import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
-import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
+import { Mail, Shield, User, Users } from "lucide-react";
 import {
  Tooltip,
  TooltipContent,
@@ -61,18 +61,6 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
      description: t("groupsScopeDescription"),
      icon: <Users {...scopeMapIconProps} />,
    },
    {
      id: "phone",
      name: t("phoneScopeName"),
      description: t("phoneScopeDescription"),
      icon: <Phone {...scopeMapIconProps} />,
    },
    {
      id: "address",
      name: t("addressScopeName"),
      description: t("addressScopeDescription"),
      icon: <MapPin {...scopeMapIconProps} />,
    },
  ];
 };
@@ -10,13 +10,12 @@ import { Button } from "@/components/ui/button";
 import { useAppContext } from "@/context/app-context";
 import { useTranslation } from "react-i18next";
 import Markdown from "react-markdown";
-import { useLocation } from "react-router";
+import { useNavigate } from "react-router";
 export const ForgotPasswordPage = () => {
  const { forgotPasswordMessage } = useAppContext();
  const { t } = useTranslation();
-  const { search } = useLocation();
+  const navigate = useNavigate();
  const searchParams = new URLSearchParams(search);
  return (
    <Card>
@@ -37,13 +36,10 @@ export const ForgotPasswordPage = () => {
          className="w-full"
          variant="outline"
          onClick={() => {
-            const eparams = searchParams.toString();
+            navigate("/login");
            window.location.replace(
              `/login${eparams.length > 0 ? `?${eparams}` : ""}`,
            );
          }}
        >
-          {t("backToLoginButton")}
+          {t("notFoundButton")}
        </Button>
      </CardFooter>
    </Card>
@@ -264,10 +264,6 @@ export const LoginPage = () => {
            onSubmit={(values) => loginMutate(values)}
            loading={loginIsPending || oauthIsPending}
            formId={formId}
            params={(() => {
              const eparams = searchParams.toString();
              return eparams.length > 0 ? `?${eparams}` : "";
            })()}
          />
        )}
        {providers.length == 0 && (
@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type EnvEntry struct {
@@ -20,7 +20,7 @@ type EnvEntry struct {
 }
 func generateExampleEnv() {
-	cfg := model.NewDefaultConfiguration()
+	cfg := config.NewDefaultConfiguration()
 	entries := make([]EnvEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
@@ -10,7 +10,7 @@ import (
 	"reflect"
 	"strings"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type MarkdownEntry struct {
@@ -21,7 +21,7 @@ type MarkdownEntry struct {
 }
 func generateMarkdown() {
-	cfg := model.NewDefaultConfiguration()
+	cfg := config.NewDefaultConfiguration()
 	entries := make([]MarkdownEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
@@ -1,4 +1,4 @@
-module github.com/tinyauthapp/tinyauth
+module github.com/steveiliop56/tinyauth
 go 1.26.0
@@ -14,16 +14,15 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
-	github.com/rs/zerolog v1.35.1
+	github.com/rs/zerolog v1.35.0
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.50.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/tools v0.43.0
+	gotest.tools/v3 v3.5.2
-	k8s.io/apimachinery v0.36.0
+	modernc.org/sqlite v1.48.2
 	k8s.io/client-go v0.36.0
 	modernc.org/sqlite v1.50.0
 )
 require (
@@ -31,7 +30,7 @@ require (
 	charm.land/bubbletea/v2 v2.0.2 // indirect
 	charm.land/lipgloss/v2 v2.0.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/Azure/go-ntlmssp v0.1.1 // indirect
+	github.com/Azure/go-ntlmssp v0.1.0 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
@@ -64,7 +63,6 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
@@ -75,6 +73,7 @@ require (
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
@@ -91,9 +90,8 @@ require (
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
@@ -108,7 +106,6 @@ require (
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
@@ -119,29 +116,16 @@ require (
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/net v0.52.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
+	modernc.org/libc v1.70.0 // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	modernc.org/libc v1.72.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
@@ -10,8 +10,8 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.1.1 h1:l+FM/EEMb0U9QZE7mKNEDw5Mu3mFiaa2GKOoTSsNDPw=
+github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
-github.com/Azure/go-ntlmssp v0.1.1/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
@@ -97,14 +97,10 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
 github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
@@ -122,12 +118,6 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -142,8 +132,6 @@ github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -174,8 +162,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
@@ -190,8 +176,6 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
 github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
@@ -219,15 +203,12 @@ github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFL
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -253,20 +234,17 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/rs/zerolog v1.35.1 h1:m7xQeoiLIiV0BCEY4Hs+j2NG4Gp2o2KPKmhnnLiazKI=
+github.com/rs/zerolog v1.35.0 h1:VD0ykx7HMiMJytqINBsKcbLS+BJ4WYjz+05us+LRTdI=
-github.com/rs/zerolog v1.35.1/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
+github.com/rs/zerolog v1.35.0/go.mod h1:EjML9kdfa/RMA7h/6z6pYmq1ykOuA8/mjWaEvGI+jcw=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -283,8 +261,6 @@ github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
 github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
@@ -311,10 +287,6 @@ go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpu
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
@@ -336,8 +308,8 @@ golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
 golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
 golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
 golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
@@ -347,36 +319,20 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
 google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
-google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
 gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+modernc.org/ccgo/v4 v4.32.0 h1:hjG66bI/kqIPX1b2yT6fr/jt+QedtP2fqojG2VrFuVw=
-k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
+modernc.org/ccgo/v4 v4.32.0/go.mod h1:6F08EBCx5uQc38kMGl+0Nm0oWczoo1c7cgpzEry7Uc0=
 k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
 k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
 modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
 modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
 modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -385,8 +341,8 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.70.0 h1:U58NawXqXbgpZ/dcdS9kMshu08aiA6b7gusEusqzNkw=
-modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
+modernc.org/libc v1.70.0/go.mod h1:OVmxFGP1CI/Z4L3E0Q3Mf1PDE0BucwMkcXjjLntvHJo=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -395,19 +351,11 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
-modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
+modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
 rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
@@ -11,5 +11,5 @@ var FrontendAssets embed.FS
 // Migrations
 //
-//go:embed migrations/sqlite/*.sql
+//go:embed migrations/*.sql
 var Migrations embed.FS
@@ -1,13 +0,0 @@
 ALTER TABLE "oidc_userinfo" DROP COLUMN "given_name";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "family_name";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "middle_name";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "nickname";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "profile";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "picture";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "website";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "gender";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "birthdate";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "zoneinfo";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "locale";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "phone_number";
 ALTER TABLE "oidc_userinfo" DROP COLUMN "address";
@@ -1,13 +0,0 @@
 ALTER TABLE "oidc_userinfo" ADD COLUMN "given_name"             TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "family_name"            TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "middle_name"            TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "nickname"               TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "profile"                TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "picture"                TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "website"                TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "gender"                 TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "birthdate"              TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "zoneinfo"               TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "locale"                 TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number"           TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "address"                TEXT    NOT NULL DEFAULT "{}";
@@ -12,15 +12,15 @@ import (
 	"strings"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/steveiliop56/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 type BootstrapApp struct {
-	config  model.Config
+	config  config.Config
 	context struct {
 		appUrl                 string
 		uuid                   string
@@ -29,27 +29,24 @@ type BootstrapApp struct {
 		csrfCookieName         string
 		redirectCookieName     string
 		oauthSessionCookieName string
-		localUsers             *[]model.LocalUser
+		users                  []config.User
-		oauthProviders         map[string]model.OAuthServiceConfig
+		oauthProviders         map[string]config.OAuthServiceConfig
 		oauthWhitelist         []string
 		configuredProviders    []controller.Provider
-		oidcClients            []model.OIDCClientConfig
+		oidcClients            []config.OIDCClientConfig
 	}
 	services Services
 }
-func NewBootstrapApp(config model.Config) *BootstrapApp {
+func NewBootstrapApp(config config.Config) *BootstrapApp {
 	return &BootstrapApp{
 		config: config,
 	}
 }
 func (app *BootstrapApp) Setup() error {
-	// get app url
+	fmt.Println("Tinyauth is moving to an organization! All versions after v5.0.7 will be released under ghcr.io/tinyauthapp/tinyauth. Existing images will continue to work but new features and updates (including security ones) will only be released under the new image path.")
 	if app.config.AppURL == "" {
 		return fmt.Errorf("app URL cannot be empty, perhaps config loading failed")
 	}
 	// get app url
 	appUrl, err := url.Parse(app.config.AppURL)
 	if err != nil {
@@ -64,20 +61,13 @@ func (app *BootstrapApp) Setup() error {
 	}
 	// Parse users
-	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
+	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 	if err != nil {
 		return err
 	}
-	app.context.localUsers = users
+	app.context.users = users
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
 	if err != nil {
 		return err
 	}
 	app.context.oauthWhitelist = oauthWhitelist
 	// Setup OAuth providers
 	app.context.oauthProviders = app.config.OAuth.Providers
@@ -96,7 +86,7 @@ func (app *BootstrapApp) Setup() error {
 	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
-			if name, ok := model.OverrideProviders[id]; ok {
+			if name, ok := config.OverrideProviders[id]; ok {
 				provider.Name = name
 			} else {
 				provider.Name = utils.Capitalize(id)
@@ -112,13 +102,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 	// Get cookie domain
-	cookieDomainResolver := utils.GetCookieDomain
+	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
 	if !app.config.Auth.SubdomainsEnabled {
 		tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
 		cookieDomainResolver = utils.GetStandaloneCookieDomain
 	}
 	cookieDomain, err := cookieDomainResolver(app.context.appUrl)
 	if err != nil {
 		return err
@@ -129,14 +113,14 @@ func (app *BootstrapApp) Setup() error {
 	// Cookie names
 	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
 	cookieId := strings.Split(app.context.uuid, "-")[0]
-	app.context.sessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
+	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
-	app.context.csrfCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
+	app.context.csrfCookieName = fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
-	app.context.redirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
+	app.context.redirectCookieName = fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
-	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	app.context.oauthSessionCookieName = fmt.Sprintf("%s-%s", config.OAuthSessionCookieName, cookieId)
 	// Dumps
 	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
-	tlog.App.Trace().Interface("users", app.context.localUsers).Msg("Users dump")
+	tlog.App.Trace().Interface("users", app.context.users).Msg("Users dump")
 	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
 	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
 	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
@@ -144,14 +128,17 @@ func (app *BootstrapApp) Setup() error {
 	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
 	// Database
-	store, err := app.SetupStore()
+	db, err := app.SetupDatabase(app.config.Database.Path)
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 	// Queries
 	queries := repository.New(db)
 	// Services
-	services, err := app.initServices(store)
+	services, err := app.initServices(queries)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
@@ -182,7 +169,7 @@ func (app *BootstrapApp) Setup() error {
 		})
 	}
-	if services.authService.LDAPAuthConfigured() {
+	if services.authService.LdapAuthConfigured() {
 		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
@@ -207,7 +194,7 @@ func (app *BootstrapApp) Setup() error {
 	// Start db cleanup routine
 	tlog.App.Debug().Msg("Starting database cleanup routine")
-	go app.dbCleanupRoutine(store)
+	go app.dbCleanupRoutine(queries)
 	// If analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
@@ -255,7 +242,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	var body heartbeat
 	body.UUID = app.context.uuid
-	body.Version = model.Version
+	body.Version = config.Version
 	bodyJson, err := json.Marshal(body)
@@ -268,7 +255,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 		Timeout: 30 * time.Second, // The server should never take more than 30 seconds to respond
 	}
-	heartbeatURL := model.APIServer + "/v1/instances/heartbeat"
+	heartbeatURL := config.ApiServer + "/v1/instances/heartbeat"
 	for range ticker.C {
 		tlog.App.Debug().Msg("Sending heartbeat")
@@ -297,7 +284,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	}
 }
-func (app *BootstrapApp) dbCleanupRoutine(queries repository.Store) {
+func (app *BootstrapApp) dbCleanupRoutine(queries *repository.Queries) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	ctx := context.Background()
@@ -6,10 +6,7 @@ import (
 	"os"
 	"path/filepath"
-	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"github.com/steveiliop56/tinyauth/internal/assets"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
@@ -17,18 +14,7 @@ import (
 	_ "modernc.org/sqlite"
 )
-func (app *BootstrapApp) SetupStore() (repository.Store, error) {
+func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 	switch app.config.Database.Driver {
 	case "memory":
 		return memory.New(), nil
 	case "sqlite", "":
 		return app.setupSQLite(app.config.Database.Path)
 	default:
 		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, memory", app.config.Database.Driver)
 	}
 }
 func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, error) {
 	dir := filepath.Dir(databasePath)
 	if err := os.MkdirAll(dir, 0750); err != nil {
@@ -45,7 +31,7 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
-	migrations, err := iofs.New(assets.Migrations, "migrations/sqlite")
+	migrations, err := iofs.New(assets.Migrations, "migrations")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
@@ -67,5 +53,5 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
-	return sqlite.NewStore(sqlite.New(db)), nil
+	return db, nil
 }
@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"slices"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/middleware"
+	"github.com/steveiliop56/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/middleware"
 	"github.com/gin-gonic/gin"
 )
@@ -14,7 +14,7 @@ import (
 var DEV_MODES = []string{"main", "test", "development"}
 func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
-	if !slices.Contains(DEV_MODES, model.Version) {
+	if !slices.Contains(DEV_MODES, config.Version) {
 		gin.SetMode(gin.ReleaseMode)
 	}
@@ -30,8 +30,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	}
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		CookieDomain:      app.context.cookieDomain,
+		CookieDomain: app.context.cookieDomain,
 		SessionCookieName: app.context.sessionCookieName,
 	}, app.services.authService, app.services.oauthBrokerService)
 	err := contextMiddleware.Init()
@@ -84,7 +83,6 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		RedirectCookieName:     app.context.redirectCookieName,
 		CookieDomain:           app.context.cookieDomain,
 		OAuthSessionCookieName: app.context.oauthSessionCookieName,
 		SubdomainsEnabled:      app.config.Auth.SubdomainsEnabled,
 	}, apiRouter, app.services.authService)
 	oauthController.SetupRoutes()
@@ -100,8 +98,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	proxyController.SetupRoutes()
 	userController := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain:      app.context.cookieDomain,
+		CookieDomain: app.context.cookieDomain,
 		SessionCookieName: app.context.sessionCookieName,
 	}, apiRouter, app.services.authService)
 	userController.SetupRoutes()
@@ -1,35 +1,32 @@
 package bootstrap
 import (
-	"os"
+	"github.com/steveiliop56/tinyauth/internal/repository"
-
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
 	dockerService        *service.DockerService
 	kubernetesService    *service.KubernetesService
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
 	oidcService          *service.OIDCService
 }
-func (app *BootstrapApp) initServices(queries repository.Store) (Services, error) {
+func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
 	services := Services{}
 	ldapService := service.NewLdapService(service.LdapServiceConfig{
-		Address:      app.config.LDAP.Address,
+		Address:      app.config.Ldap.Address,
-		BindDN:       app.config.LDAP.BindDN,
+		BindDN:       app.config.Ldap.BindDN,
-		BindPassword: app.config.LDAP.BindPassword,
+		BindPassword: app.config.Ldap.BindPassword,
-		BaseDN:       app.config.LDAP.BaseDN,
+		BaseDN:       app.config.Ldap.BaseDN,
-		Insecure:     app.config.LDAP.Insecure,
+		Insecure:     app.config.Ldap.Insecure,
-		SearchFilter: app.config.LDAP.SearchFilter,
+		SearchFilter: app.config.Ldap.SearchFilter,
-		AuthCert:     app.config.LDAP.AuthCert,
+		AuthCert:     app.config.Ldap.AuthCert,
-		AuthKey:      app.config.LDAP.AuthKey,
+		AuthKey:      app.config.Ldap.AuthKey,
 	})
 	err := ldapService.Init()
@@ -41,34 +38,17 @@ func (app *BootstrapApp) initServices(queries repository.Store) (Services, error
 	services.ldapService = ldapService
-	var labelProvider service.LabelProvider
+	dockerService := service.NewDockerService()
 	var dockerService *service.DockerService
 	var kubernetesService *service.KubernetesService
-	useKubernetes := app.config.LabelProvider == "kubernetes" ||
+	err = dockerService.Init()
 		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
-	if useKubernetes {
+	if err != nil {
-		tlog.App.Debug().Msg("Using Kubernetes label provider")
+		return Services{}, err
 		kubernetesService = service.NewKubernetesService()
 		err = kubernetesService.Init()
 		if err != nil {
 			return Services{}, err
 		}
 		services.kubernetesService = kubernetesService
 		labelProvider = kubernetesService
 	} else {
 		tlog.App.Debug().Msg("Using Docker label provider")
 		dockerService = service.NewDockerService()
 		err = dockerService.Init()
 		if err != nil {
 			return Services{}, err
 		}
 		services.dockerService = dockerService
 		labelProvider = dockerService
 	}
-	accessControlsService := service.NewAccessControlsService(labelProvider, app.config.Apps)
+	services.dockerService = dockerService
 	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
 	err = accessControlsService.Init()
@@ -89,8 +69,8 @@ func (app *BootstrapApp) initServices(queries repository.Store) (Services, error
 	services.oauthBrokerService = oauthBrokerService
 	authService := service.NewAuthService(service.AuthServiceConfig{
-		LocalUsers:         app.context.localUsers,
+		Users:              app.context.users,
-		OauthWhitelist:     app.context.oauthWhitelist,
+		OauthWhitelist:     app.config.OAuth.Whitelist,
 		SessionExpiry:      app.config.Auth.SessionExpiry,
 		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
 		SecureCookie:       app.config.Auth.SecureCookie,
@@ -99,9 +79,8 @@ func (app *BootstrapApp) initServices(queries repository.Store) (Services, error
 		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
 		SessionCookieName:  app.context.sessionCookieName,
 		IP:                 app.config.Auth.IP,
-		LDAPGroupsCacheTTL: app.config.LDAP.GroupCacheTTL,
+		LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
-		SubdomainsEnabled:  app.config.Auth.SubdomainsEnabled,
+	}, dockerService, services.ldapService, queries, services.oauthBrokerService)
 	}, services.ldapService, queries, services.oauthBrokerService)
 	err = authService.Init()
@@ -1,11 +1,10 @@
-package model
+package config
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		Database: DatabaseConfig{
-			Driver: "sqlite",
+			Path: "./tinyauth.db",
 			Path:   "./tinyauth.db",
 		},
 		Analytics: AnalyticsConfig{
 			Enabled: true,
@@ -19,7 +18,6 @@ func NewDefaultConfiguration() *Config {
 			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
 			SubdomainsEnabled:  true,
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
@@ -31,7 +29,7 @@ func NewDefaultConfiguration() *Config {
 			BackgroundImage:       "/background.jpg",
 			WarningsEnabled:       true,
 		},
-		LDAP: LDAPConfig{
+		Ldap: LdapConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
 			GroupCacheTTL: 900, // 15 minutes
@@ -61,30 +59,42 @@ func NewDefaultConfiguration() *Config {
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
 		LabelProvider: "auto",
 	}
 }
 // Version information, set at build time
 var Version = "development"
 var CommitHash = "development"
 var BuildTimestamp = "0000-00-00T00:00:00Z"
 // Cookie name templates
 var SessionCookieName = "tinyauth-session"
 var CSRFCookieName = "tinyauth-csrf"
 var RedirectCookieName = "tinyauth-redirect"
 var OAuthSessionCookieName = "tinyauth-oauth"
 // Main app config
 type Config struct {
-	AppURL        string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
+	AppURL       string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	Database      DatabaseConfig     `description:"Database configuration." yaml:"database"`
+	Database     DatabaseConfig     `description:"Database configuration." yaml:"database"`
-	Analytics     AnalyticsConfig    `description:"Analytics configuration." yaml:"analytics"`
+	Analytics    AnalyticsConfig    `description:"Analytics configuration." yaml:"analytics"`
-	Resources     ResourcesConfig    `description:"Resources configuration." yaml:"resources"`
+	Resources    ResourcesConfig    `description:"Resources configuration." yaml:"resources"`
-	Server        ServerConfig       `description:"Server configuration." yaml:"server"`
+	Server       ServerConfig       `description:"Server configuration." yaml:"server"`
-	Auth          AuthConfig         `description:"Authentication configuration." yaml:"auth"`
+	Auth         AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	Apps          map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
+	Apps         map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
-	OAuth         OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
+	OAuth        OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
-	OIDC          OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
+	OIDC         OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
-	UI            UIConfig           `description:"UI customization." yaml:"ui"`
+	UI           UIConfig           `description:"UI customization." yaml:"ui"`
-	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
+	Ldap         LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
-	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
+	Experimental ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
+	Log          LogConfig          `description:"Logging configuration." yaml:"log"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 type DatabaseConfig struct {
-	Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
+	Path string `description:"The path to the database, including file name." yaml:"path"`
 	Path   string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
 }
 type AnalyticsConfig struct {
@@ -103,44 +113,15 @@ type ServerConfig struct {
 }
 type AuthConfig struct {
-	IP                 IPConfig                  `description:"IP whitelisting config options." yaml:"ip"`
+	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
-	Users              []string                  `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
+	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
-	SubdomainsEnabled  bool                      `description:"Enable subdomains support." yaml:"subdomainsEnabled"`
+	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
-	UserAttributes     map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
+	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
-	UsersFile          string                    `description:"Path to the users file." yaml:"usersFile"`
+	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
-	SecureCookie       bool                      `description:"Enable secure cookies." yaml:"secureCookie"`
+	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
-	SessionExpiry      int                       `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
+	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
-	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
+	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
-	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
+	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 type UserAttributes struct {
 	Name        string       `description:"Full name of the user." yaml:"name"`
 	GivenName   string       `description:"Given (first) name of the user." yaml:"givenName"`
 	FamilyName  string       `description:"Family (last) name of the user." yaml:"familyName"`
 	MiddleName  string       `description:"Middle name of the user." yaml:"middleName"`
 	Nickname    string       `description:"Nickname of the user." yaml:"nickname"`
 	Profile     string       `description:"URL of the user's profile page." yaml:"profile"`
 	Picture     string       `description:"URL of the user's profile picture." yaml:"picture"`
 	Website     string       `description:"URL of the user's website." yaml:"website"`
 	Email       string       `description:"Email address of the user." yaml:"email"`
 	Gender      string       `description:"Gender of the user." yaml:"gender"`
 	Birthdate   string       `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
 	Zoneinfo    string       `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
 	Locale      string       `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
 	PhoneNumber string       `description:"Phone number of the user." yaml:"phoneNumber"`
 	Address     AddressClaim `description:"Address of the user." yaml:"address"`
 }
 type AddressClaim struct {
 	Formatted     string `description:"Full mailing address, formatted for display." yaml:"formatted" json:"formatted,omitempty"`
 	StreetAddress string `description:"Street address." yaml:"streetAddress" json:"street_address,omitempty"`
 	Locality      string `description:"City or locality." yaml:"locality" json:"locality,omitempty"`
 	Region        string `description:"State, province, or region." yaml:"region" json:"region,omitempty"`
 	PostalCode    string `description:"Zip or postal code." yaml:"postalCode" json:"postal_code,omitempty"`
 	Country       string `description:"Country." yaml:"country" json:"country,omitempty"`
 }
 type IPConfig struct {
@@ -150,7 +131,6 @@ type IPConfig struct {
 type OAuthConfig struct {
 	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
 	WhitelistFile string                       `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
 	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
 	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
@@ -168,7 +148,7 @@ type UIConfig struct {
 	WarningsEnabled       bool   `description:"Enable UI warnings." yaml:"warningsEnabled"`
 }
-type LDAPConfig struct {
+type LdapConfig struct {
 	Address       string `description:"LDAP server address." yaml:"address"`
 	BindDN        string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
 	BindPassword  string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
@@ -201,6 +181,20 @@ type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 // Config loader options
 const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 type Claims struct {
 	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
 	Groups            any    `json:"groups"`
 }
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
@@ -223,6 +217,58 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 var OverrideProviders = map[string]string{
 	"google": "Google",
 	"github": "GitHub",
 }
 // User/session related stuff
 type User struct {
 	Username   string
 	Password   string
 	TotpSecret string
 }
 type LdapUser struct {
 	DN     string
 	Groups []string
 }
 type UserSearch struct {
 	Username string
 	Type     string // local, ldap or unknown
 }
 type UserContext struct {
 	Username    string
 	Name        string
 	Email       string
 	IsLoggedIn  bool
 	IsBasicAuth bool
 	OAuth       bool
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
 	OAuthSub    string
 	LdapGroups  string
 }
 // API responses and queries
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
 	GroupErr bool   `url:"groupErr"`
 	IP       string `url:"ip"`
 }
 type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
 // ACLs
 type Apps struct {
@@ -278,3 +324,7 @@ type AppPath struct {
 	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
 	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
 }
 // API server
 var ApiServer = "https://api.tinyauth.app"
@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"net/url"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 )
@@ -19,7 +19,7 @@ type UserContextResponse struct {
 	Email       string `json:"email"`
 	Provider    string `json:"provider"`
 	OAuth       bool   `json:"oauth"`
-	TOTPPending bool   `json:"totpPending"`
+	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
 }
@@ -76,29 +76,28 @@ func (controller *ContextController) SetupRoutes() {
 }
 func (controller *ContextController) userContextHandler(c *gin.Context) {
-	context, err := new(model.UserContext).NewFromGin(c)
+	context, err := utils.GetContext(c)
 	if err != nil {
 		tlog.App.Debug().Err(err).Msg("No user context found in request")
 		c.JSON(200, UserContextResponse{
 			Status:     401,
 			Message:    "Unauthorized",
 			IsLoggedIn: false,
 		})
 		return
 	}
 	userContext := UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  context.Authenticated,
+		IsLoggedIn:  context.IsLoggedIn,
-		Username:    context.GetUsername(),
+		Username:    context.Username,
-		Name:        context.GetName(),
+		Name:        context.Name,
-		Email:       context.GetEmail(),
+		Email:       context.Email,
-		Provider:    context.GetProviderID(),
+		Provider:    context.Provider,
-		OAuth:       context.IsOAuth(),
+		OAuth:       context.OAuth,
-		TOTPPending: context.TOTPPending(),
+		TotpPending: context.TotpPending,
-		OAuthName:   context.OAuthName(),
+		OAuthName:   context.OAuthName,
 	}
 	if err != nil {
 		tlog.App.Debug().Err(err).Msg("No user context found in request")
 		userContext.Status = 401
 		userContext.Message = "Unauthorized"
 		userContext.IsLoggedIn = false
 		c.JSON(200, userContext)
 		return
 	}
 	c.JSON(200, userContext)
@@ -7,11 +7,11 @@ import (
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestContextController(t *testing.T) {
@@ -79,16 +79,12 @@ func TestContextController(t *testing.T) {
 			description: "Ensure user context returns when authorized",
 			middlewares: []gin.HandlerFunc{
 				func(c *gin.Context) {
-					c.Set("context", &model.UserContext{
+					c.Set("context", &config.UserContext{
-						Authenticated: true,
+						Username:   "johndoe",
-						Provider:      model.ProviderLocal,
+						Name:       "John Doe",
-						Local: &model.LocalContext{
+						Email:      utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
-							BaseContext: model.BaseContext{
+						Provider:   "local",
-								Username: "johndoe",
+						IsLoggedIn: true,
 								Name:     "John Doe",
 								Email:    utils.CompileUserEmail("johndoe", controllerConfig.CookieDomain),
 							},
 						},
 					})
 				},
 			},
@@ -1,12 +0,0 @@
 package controller
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
 	GroupErr bool   `url:"groupErr"`
 	IP       string `url:"ip"`
 }
 type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
@@ -7,8 +7,8 @@ import (
 	"testing"
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 )
@@ -6,10 +6,11 @@ import (
 	"strings"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -26,7 +27,6 @@ type OAuthControllerConfig struct {
 	SecureCookie           bool
 	AppURL                 string
 	CookieDomain           string
 	SubdomainsEnabled      bool
 }
 type OAuthController struct {
@@ -106,7 +106,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
-	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -136,7 +136,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
-	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
@@ -176,7 +176,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
-		queries, err := query.Values(UnauthorizedQuery{
+		queries, err := query.Values(config.UnauthorizedQuery{
 			Username: user.Email,
 		})
@@ -236,7 +236,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -244,8 +244,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 	http.SetCookie(c.Writer, cookie)
 	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
 	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
@@ -261,7 +259,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	}
 	if oauthPendingSession.CallbackParams.RedirectURI != "" {
-		queries, err := query.Values(RedirectQuery{
+		queries, err := query.Values(config.RedirectQuery{
 			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
 		})
@@ -284,10 +282,3 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
 		params.ClientID != "" &&
 		params.RedirectURI != ""
 }
 func (controller *OAuthController) getCookieDomain() string {
 	if controller.config.SubdomainsEnabled {
 		return "." + controller.config.CookieDomain
 	}
 	return controller.config.CookieDomain
 }
@@ -10,10 +10,9 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 type OIDCControllerConfig struct{}
@@ -112,14 +111,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}
-	userContext, err := new(model.UserContext).NewFromGin(c)
+	userContext, err := utils.GetContext(c)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
 		return
 	}
-	if !userContext.Authenticated {
+	if !userContext.IsLoggedIn {
 		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
 		return
 	}
@@ -152,7 +151,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	}
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
-	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.GetUsername(), client.ID))
+	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
 	code := utils.GenerateString(32)
 	// Before storing the code, delete old session
@@ -171,7 +170,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
-		err = controller.oidc.StoreUserinfo(c, sub, *userContext, req)
+		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
@@ -430,7 +429,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
 	if err != nil {
-		if errors.Is(err, service.ErrTokenNotFound) {
+		if err == service.ErrTokenNotFound {
 			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
@@ -12,13 +12,14 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestOIDCController(t *testing.T) {
@@ -26,7 +27,7 @@ func TestOIDCController(t *testing.T) {
 	tempDir := t.TempDir()
 	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]model.OIDCClientConfig{
+		Clients: map[string]config.OIDCClientConfig{
 			"test": {
 				ClientID:            "some-client-id",
 				ClientSecret:        "some-client-secret",
@@ -43,16 +44,12 @@ func TestOIDCController(t *testing.T) {
 	controllerCfg := controller.OIDCControllerConfig{}
 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &model.UserContext{
+		c.Set("context", &config.UserContext{
-			Authenticated: true,
+			Username:   "test",
-			Provider:      model.ProviderLocal,
+			Name:       "Test User",
-			Local: &model.LocalContext{
+			Email:      "test@example.com",
-				BaseContext: model.BaseContext{
+			IsLoggedIn: true,
-					Username: "test",
+			Provider:   "local",
 					Name:     "Test User",
 					Email:    "test@example.com",
 				},
 			},
 		})
 		c.Next()
 	}
@@ -851,10 +848,14 @@ func TestOIDCController(t *testing.T) {
 		},
 	}
-	store := memory.New()
+	app := bootstrap.NewBootstrapApp(config.Config{})
-	oidcService := service.NewOIDCService(oidcServiceCfg, store)
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	err := oidcService.Init()
+	require.NoError(t, err)
 	queries := repository.New(db)
 	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
 	err = oidcService.Init()
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -876,4 +877,9 @@ func TestOIDCController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		err = db.Close()
 		require.NoError(t, err)
 	})
 }
@@ -8,10 +8,10 @@ import (
 	"regexp"
 	"strings"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -103,7 +103,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	clientIP := c.ClientIP()
-	if controller.auth.IsBypassedIP(clientIP, acls) {
+	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -112,7 +112,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -130,8 +130,8 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	if !controller.auth.CheckIP(clientIP, acls) {
+	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		queries, err := query.Values(UnauthorizedQuery{
+		queries, err := query.Values(config.UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})
@@ -157,24 +157,28 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	userContext, err := new(model.UserContext).NewFromGin(c)
+	var userContext config.UserContext
 	context, err := utils.GetContext(c)
 	if err != nil {
-		tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
+		tlog.App.Debug().Msg("No user context found in request, treating as not logged in")
-		userContext = &model.UserContext{
+		userContext = config.UserContext{
-			Authenticated: false,
+			IsLoggedIn: false,
 		}
 	} else {
 		userContext = context
 	}
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
-	if userContext.Authenticated {
+	if userContext.IsLoggedIn {
-		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
+		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
-			queries, err := query.Values(UnauthorizedQuery{
+			queries, err := query.Values(config.UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
@@ -184,10 +188,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				return
 			}
-			if userContext.IsOAuth() {
+			if userContext.OAuth {
-				queries.Set("username", userContext.GetEmail())
+				queries.Set("username", userContext.Email)
 			} else {
-				queries.Set("username", userContext.GetUsername())
+				queries.Set("username", userContext.Username)
 			}
 			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -205,19 +209,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}
-		if userContext.IsOAuth() || userContext.IsLDAP() {
+		if userContext.OAuth || userContext.Provider == "ldap" {
 			var groupOK bool
-			if userContext.IsOAuth() {
+			if userContext.OAuth {
-				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
+				groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
 			} else {
-				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
+				groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
 			}
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
-				queries, err := query.Values(UnauthorizedQuery{
+				queries, err := query.Values(config.UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
 				})
@@ -228,10 +232,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					return
 				}
-				if userContext.IsOAuth() {
+				if userContext.OAuth {
-					queries.Set("username", userContext.GetEmail())
+					queries.Set("username", userContext.Email)
 				} else {
-					queries.Set("username", userContext.GetUsername())
+					queries.Set("username", userContext.Username)
 				}
 				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -250,18 +254,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 		}
-		c.Header("Remote-User", utils.SanitizeHeader(userContext.GetUsername()))
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
-		c.Header("Remote-Name", utils.SanitizeHeader(userContext.GetName()))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
-		c.Header("Remote-Email", utils.SanitizeHeader(userContext.GetEmail()))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
-		if userContext.IsLDAP() {
+		if userContext.Provider == "ldap" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.LDAP.Groups, ",")))
+			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
 		} else if userContext.Provider != "local" {
 			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
 		}
-		if userContext.IsOAuth() {
+		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
 			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.OAuth.Groups, ",")))
 			c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuth.Sub))
 		}
 		controller.setHeaders(c, acls)
@@ -272,7 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	queries, err := query.Values(RedirectQuery{
+	queries, err := query.Values(config.RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 	})
@@ -296,13 +299,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
-func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
 	c.Header("Authorization", c.Request.Header.Get("Authorization"))
 	if acls == nil {
 		return
 	}
 	headers := utils.ParseHeaders(acls.Response.Headers)
 	for key, value := range headers {
@@ -314,7 +313,7 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
 	if acls.Response.BasicAuth.Username != "" && basicPassword != "" {
 		tlog.App.Debug().Str("username", acls.Response.BasicAuth.Username).Msg("Setting basic auth header")
-		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.EncodeBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
+		c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(acls.Response.BasicAuth.Username, basicPassword)))
 	}
 }
@@ -2,23 +2,26 @@ package controller_test
 import (
 	"net/http/httptest"
 	"path"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestProxyController(t *testing.T) {
 	tlog.NewTestLogger().Init()
 	tempDir := t.TempDir()
 	authServiceCfg := service.AuthServiceConfig{
-		LocalUsers: &[]model.LocalUser{
+		Users: []config.User{
 			{
 				Username: "testuser",
 				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
@@ -26,7 +29,7 @@ func TestProxyController(t *testing.T) {
 			{
 				Username:   "totpuser",
 				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
 			},
 		},
 		SessionExpiry:     10, // 10 seconds, useful for testing
@@ -40,28 +43,28 @@ func TestProxyController(t *testing.T) {
 		AppURL: "https://tinyauth.example.com",
 	}
-	acls := map[string]model.App{
+	acls := map[string]config.App{
 		"app_path_allow": {
-			Config: model.AppConfig{
+			Config: config.AppConfig{
 				Domain: "path-allow.example.com",
 			},
-			Path: model.AppPath{
+			Path: config.AppPath{
 				Allow: "/allowed",
 			},
 		},
 		"app_user_allow": {
-			Config: model.AppConfig{
+			Config: config.AppConfig{
 				Domain: "user-allow.example.com",
 			},
-			Users: model.AppUsers{
+			Users: config.AppUsers{
 				Allow: "testuser",
 			},
 		},
 		"ip_bypass": {
-			Config: model.AppConfig{
+			Config: config.AppConfig{
 				Domain: "ip-bypass.example.com",
 			},
-			IP: model.AppIP{
+			IP: config.AppIP{
 				Bypass: []string{"10.10.10.10"},
 			},
 		},
@@ -71,31 +74,24 @@ func TestProxyController(t *testing.T) {
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 	simpleCtx := func(c *gin.Context) {
-		c.Set("context", &model.UserContext{
+		c.Set("context", &config.UserContext{
-			Authenticated: true,
+			Username:   "testuser",
-			Provider:      model.ProviderLocal,
+			Name:       "Testuser",
-			Local: &model.LocalContext{
+			Email:      "testuser@example.com",
-				BaseContext: model.BaseContext{
+			IsLoggedIn: true,
-					Username: "testuser",
+			Provider:   "local",
 					Name:     "Testuser",
 					Email:    "testuser@example.com",
 				},
 			},
 		})
 		c.Next()
 	}
 	simpleCtxTotp := func(c *gin.Context) {
-		c.Set("context", &model.UserContext{
+		c.Set("context", &config.UserContext{
-			Authenticated: true,
+			Username:    "totpuser",
-			Provider:      model.ProviderLocal,
+			Name:        "Totpuser",
-			Local: &model.LocalContext{
+			Email:       "totpuser@example.com",
-				BaseContext: model.BaseContext{
+			IsLoggedIn:  true,
-					Username: "totpuser",
+			Provider:    "local",
-					Name:     "Totpuser",
+			TotpEnabled: true,
 					Email:    "totpuser@example.com",
 				},
 			},
 		})
 		c.Next()
 	}
@@ -395,12 +391,17 @@ func TestProxyController(t *testing.T) {
 		},
 	}
-	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
-	store := memory.New()
+	app := bootstrap.NewBootstrapApp(config.Config{})
 	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)
 	queries := repository.New(db)
 	docker := service.NewDockerService()
-	err := docker.Init()
+	err = docker.Init()
 	require.NoError(t, err)
 	ldap := service.NewLdapService(service.LdapServiceConfig{})
@@ -411,7 +412,7 @@ func TestProxyController(t *testing.T) {
 	err = broker.Init()
 	require.NoError(t, err)
-	authService := service.NewAuthService(authServiceCfg, ldap, store, broker)
+	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
 	err = authService.Init()
 	require.NoError(t, err)
@@ -436,4 +437,9 @@ func TestProxyController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		err = db.Close()
 		require.NoError(t, err)
 	})
 }
@@ -7,8 +7,8 @@ import (
 	"testing"
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -1,16 +1,13 @@
 package controller
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/repository"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -26,8 +23,7 @@ type TotpRequest struct {
 }
 type UserControllerConfig struct {
-	CookieDomain      string
+	CookieDomain string
 	SessionCookieName string
 }
 type UserController struct {
@@ -80,29 +76,21 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
-	search, err := controller.auth.SearchUser(req.Username)
+	userSearch := controller.auth.SearchUser(req.Username)
-	if err != nil {
+	if userSearch.Type == "unknown" {
-		if errors.Is(err, service.ErrUserNotFound) {
+		tlog.App.Warn().Str("username", req.Username).Msg("User not found")
-			tlog.App.Warn().Str("username", req.Username).Msg("User not found")
+		controller.auth.RecordLoginAttempt(req.Username, false)
-			controller.auth.RecordLoginAttempt(req.Username, false)
+		tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
-			tlog.AuditLoginFailure(c, req.Username, "username", "user not found")
+		c.JSON(401, gin.H{
-			c.JSON(401, gin.H{
+			"status":  401,
-				"status":  401,
+			"message": "Unauthorized",
 				"message": "Unauthorized",
 			})
 			return
 		}
 		tlog.App.Error().Err(err).Str("username", req.Username).Msg("Error searching for user")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
 		})
 		return
 	}
-	if err := controller.auth.CheckUserPassword(*search, req.Password); err != nil {
+	if !controller.auth.VerifyUser(userSearch, req.Password) {
-		tlog.App.Warn().Err(err).Str("username", req.Username).Msg("Failed to verify password")
+		tlog.App.Warn().Str("username", req.Username).Msg("Invalid password")
 		controller.auth.RecordLoginAttempt(req.Username, false)
 		tlog.AuditLoginFailure(c, req.Username, "username", "invalid password")
 		c.JSON(401, gin.H{
@@ -112,37 +100,21 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
-	var localUser *model.LocalUser
+	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
 	tlog.AuditLoginSuccess(c, req.Username, "username")
-	if search.Type == model.UserLocal {
+	controller.auth.RecordLoginAttempt(req.Username, true)
 		localUser = controller.auth.GetLocalUser(req.Username)
-		if localUser == nil {
+	if userSearch.Type == "local" {
-			tlog.App.Warn().Str("username", req.Username).Msg("User disappeared during login")
+		user := controller.auth.GetLocalUser(userSearch.Username)
 			c.JSON(401, gin.H{
 				"status":  401,
 				"message": "Unauthorized",
 			})
 			return
 		}
-		if localUser.TOTPSecret != "" {
+		if user.TotpSecret != "" {
 			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
-			name := localUser.Attributes.Name
+			err := controller.auth.CreateSessionCookie(c, &repository.Session{
-			if name == "" {
+				Username:    user.Username,
-				name = utils.Capitalize(localUser.Username)
+				Name:        utils.Capitalize(user.Username),
-			}
+				Email:       utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
 			email := localUser.Attributes.Email
 			if email == "" {
 				email = utils.CompileUserEmail(localUser.Username, controller.config.CookieDomain)
 			}
 			cookie, err := controller.auth.CreateSession(c, repository.Session{
 				Username:    localUser.Username,
 				Name:        name,
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
 			})
@@ -156,8 +128,6 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				return
 			}
 			http.SetCookie(c.Writer, cookie)
 			c.JSON(200, gin.H{
 				"status":      200,
 				"message":     "TOTP required",
@@ -174,22 +144,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		Provider: "local",
 	}
-	if search.Type == model.UserLocal {
+	if userSearch.Type == "ldap" {
 		if localUser.Attributes.Name != "" {
 			sessionCookie.Name = localUser.Attributes.Name
 		}
 		if localUser.Attributes.Email != "" {
 			sessionCookie.Email = localUser.Attributes.Email
 		}
 	}
 	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
 	}
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -200,13 +161,6 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		return
 	}
 	http.SetCookie(c.Writer, cookie)
 	tlog.App.Info().Str("username", req.Username).Msg("Login successful")
 	tlog.AuditLoginSuccess(c, req.Username, "username")
 	controller.auth.RecordLoginAttempt(req.Username, true)
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -216,47 +170,13 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 func (controller *UserController) logoutHandler(c *gin.Context) {
 	tlog.App.Debug().Msg("Logout request received")
-	uuid, err := c.Cookie(controller.config.SessionCookieName)
+	controller.auth.DeleteSessionCookie(c)
-	if err != nil {
+	context, err := utils.GetContext(c)
-		if errors.Is(err, http.ErrNoCookie) {
+	if err == nil && context.IsLoggedIn {
-			tlog.App.Warn().Msg("No session cookie found on logout request")
+		tlog.AuditLogout(c, context.Username, context.Provider)
 			c.JSON(200, gin.H{
 				"status":  200,
 				"message": "Logout successful",
 			})
 			return
 		}
 		tlog.App.Error().Err(err).Msg("Error retrieving session cookie on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
 		})
 		return
 	}
 	cookie, err := controller.auth.DeleteSession(c, uuid)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Error deleting session on logout")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
 		})
 		return
 	}
 	context, err := new(model.UserContext).NewFromGin(c)
 	if err == nil {
 		tlog.AuditLogout(c, context.GetUsername(), context.GetProviderID())
 	} else {
 		tlog.App.Warn().Err(err).Msg("Failed to get user context for logout audit, proceeding without username")
 		tlog.AuditLogout(c, "unknown", "unknown")
 	}
 	http.SetCookie(c.Writer, cookie)
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Logout successful",
@@ -276,7 +196,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
-	context, err := new(model.UserContext).NewFromGin(c)
+	context, err := utils.GetContext(c)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to get user context")
@@ -287,7 +207,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
-	if !context.TOTPPending() {
+	if !context.TotpPending {
 		tlog.App.Warn().Msg("TOTP attempt without a pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
@@ -296,12 +216,12 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
-	tlog.App.Debug().Str("username", context.GetUsername()).Msg("TOTP verification attempt")
+	tlog.App.Debug().Str("username", context.Username).Msg("TOTP verification attempt")
-	isLocked, remaining := controller.auth.IsAccountLocked(context.GetUsername())
+	isLocked, remaining := controller.auth.IsAccountLocked(context.Username)
 	if isLocked {
-		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Account is locked due to too many failed TOTP attempts")
+		tlog.App.Warn().Str("username", context.Username).Msg("Account is locked due to too many failed TOTP attempts")
 		c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 		c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 		c.JSON(429, gin.H{
@@ -311,23 +231,14 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
-	user := controller.auth.GetLocalUser(context.GetUsername())
+	user := controller.auth.GetLocalUser(context.Username)
-	if user == nil {
+	ok := totp.Validate(req.Code, user.TotpSecret)
 		tlog.App.Error().Str("username", context.GetUsername()).Msg("User not found in TOTP handler")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
 		})
 		return
 	}
 	ok := totp.Validate(req.Code, user.TOTPSecret)
 	if !ok {
-		tlog.App.Warn().Str("username", context.GetUsername()).Msg("Invalid TOTP code")
+		tlog.App.Warn().Str("username", context.Username).Msg("Invalid TOTP code")
-		controller.auth.RecordLoginAttempt(context.GetUsername(), false)
+		controller.auth.RecordLoginAttempt(context.Username, false)
-		tlog.AuditLoginFailure(c, context.GetUsername(), "totp", "invalid totp code")
+		tlog.AuditLoginFailure(c, context.Username, "totp", "invalid totp code")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -335,18 +246,10 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
-	uuid, err := c.Cookie(controller.config.SessionCookieName)
+	tlog.App.Info().Str("username", context.Username).Msg("TOTP verification successful")
 	tlog.AuditLoginSuccess(c, context.Username, "totp")
-	if err == nil {
+	controller.auth.RecordLoginAttempt(context.Username, true)
 		_, err = controller.auth.DeleteSession(c, uuid)
 		if err != nil {
 			tlog.App.Warn().Err(err).Msg("Failed to delete pending TOTP session")
 		}
 	} else {
 		tlog.App.Warn().Err(err).Msg("Failed to retrieve session cookie for pending TOTP session, proceeding without deleting it")
 	}
 	controller.auth.RecordLoginAttempt(context.GetUsername(), true)
 	sessionCookie := repository.Session{
 		Username: user.Username,
@@ -355,16 +258,9 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		Provider: "local",
 	}
 	if user.Attributes.Name != "" {
 		sessionCookie.Name = user.Attributes.Name
 	}
 	if user.Attributes.Email != "" {
 		sessionCookie.Email = user.Attributes.Email
 	}
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -375,11 +271,6 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}
 	http.SetCookie(c.Writer, cookie)
 	tlog.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful")
 	tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -1,31 +1,32 @@
 package controller_test
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"path"
 	"slices"
 	"strings"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestUserController(t *testing.T) {
 	tlog.NewTestLogger().Init()
 	tempDir := t.TempDir()
 	authServiceCfg := service.AuthServiceConfig{
-		LocalUsers: &[]model.LocalUser{
+		Users: []config.User{
 			{
 				Username: "testuser",
 				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
@@ -33,24 +34,7 @@ func TestUserController(t *testing.T) {
 			{
 				Username:   "totpuser",
 				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
-				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
+				TotpSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
 			},
 			{
 				Username: "attruser",
 				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
 				Attributes: model.UserAttributes{
 					Name:  "Alice Smith",
 					Email: "alice@example.com",
 				},
 			},
 			{
 				Username:   "attrtotpuser",
 				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
 				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
 				Attributes: model.UserAttributes{
 					Name:  "Bob Jones",
 					Email: "bob@example.com",
 				},
 			},
 		},
 		SessionExpiry:     10, // 10 seconds, useful for testing
@@ -61,52 +45,7 @@ func TestUserController(t *testing.T) {
 	}
 	userControllerCfg := controller.UserControllerConfig{
-		CookieDomain:      "example.com",
+		CookieDomain: "example.com",
 		SessionCookieName: "tinyauth-session",
 	}
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
 			Provider:      model.ProviderLocal,
 			Local: &model.LocalContext{
 				BaseContext: model.BaseContext{
 					Username: "totpuser",
 					Name:     "Totpuser",
 					Email:    "totpuser@example.com",
 				},
 				TOTPPending: true,
 			},
 		})
 	}
 	totpAttrCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
 			Provider:      model.ProviderLocal,
 			Local: &model.LocalContext{
 				BaseContext: model.BaseContext{
 					Username: "attrtotpuser",
 					Name:     "Bob Jones",
 					Email:    "bob@example.com",
 				},
 				TOTPPending: true,
 			},
 		})
 	}
 	simpleCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: true,
 			Provider:      model.ProviderLocal,
 			Local: &model.LocalContext{
 				BaseContext: model.BaseContext{
 					Username: "testuser",
 					Name:     "Test User",
 					Email:    "testuser@example.com",
 				},
 			},
 		})
 	}
 	type testCase struct {
@@ -115,8 +54,6 @@ func TestUserController(t *testing.T) {
 		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
 	store := memory.New()
 	tests := []testCase{
 		{
 			description: "Should be able to login with valid credentials",
@@ -141,9 +78,7 @@ func TestUserController(t *testing.T) {
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				// 3 seconds should be more than enough for even slow test environments
+				assert.Equal(t, 10, cookie.MaxAge)
 				assert.GreaterOrEqual(t, cookie.MaxAge, 7)
 				assert.LessOrEqual(t, cookie.MaxAge, 10)
 			},
 		},
 		{
@@ -232,15 +167,12 @@ func TestUserController(t *testing.T) {
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				assert.True(t, cookie.HttpOnly)
 				assert.Equal(t, "example.com", cookie.Domain)
-				assert.GreaterOrEqual(t, cookie.MaxAge, 3597)
+				assert.Equal(t, 3600, cookie.MaxAge) // 1 hour, default for totp pending sessions
 				assert.LessOrEqual(t, cookie.MaxAge, 3600)
 			},
 		},
 		{
 			description: "Should be able to logout",
-			middlewares: []gin.HandlerFunc{
+			middlewares: []gin.HandlerFunc{},
 				simpleCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
 				loginReq := controller.LoginRequest{
@@ -256,10 +188,9 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
-				cookies := recorder.Result().Cookies()
+				assert.Len(t, recorder.Result().Cookies(), 1)
 				assert.Len(t, cookies, 1)
-				cookie := cookies[0]
+				cookie := recorder.Result().Cookies()[0]
 				assert.Equal(t, "tinyauth-session", cookie.Name)
 				// Now logout using the session cookie
@@ -270,33 +201,18 @@ func TestUserController(t *testing.T) {
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
-				cookies = recorder.Result().Cookies()
+				assert.Len(t, recorder.Result().Cookies(), 1)
 				assert.Len(t, cookies, 1)
-				cookie = cookies[0]
+				logoutCookie := recorder.Result().Cookies()[0]
-				assert.Equal(t, "tinyauth-session", cookie.Name)
+				assert.Equal(t, "tinyauth-session", logoutCookie.Name)
-				assert.Equal(t, "", cookie.Value)
+				assert.Equal(t, "", logoutCookie.Value)
-				assert.Equal(t, -1, cookie.MaxAge) // MaxAge -1 means delete cookie
+				assert.Equal(t, -1, logoutCookie.MaxAge) // MaxAge -1 means delete cookie
 			},
 		},
 		{
 			description: "Should be able to login with totp",
-			middlewares: []gin.HandlerFunc{
+			middlewares: []gin.HandlerFunc{},
 				totpCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
 					Name:        "Test",
 					Provider:    "local",
 					TotpPending: true,
 					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
 					CreatedAt:   time.Now().Unix(),
 				})
 				require.NoError(t, err)
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				assert.NoError(t, err)
@@ -310,13 +226,7 @@ func TestUserController(t *testing.T) {
 				recorder = httptest.NewRecorder()
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
 				req.Header.Set("Content-Type", "application/json")
-				req.AddCookie(&http.Cookie{
+
 					Name:     "tinyauth-session",
 					Value:    "test-totp-login-uuid",
 					HttpOnly: true,
 					MaxAge:   3600,
 					Expires:  time.Now().Add(1 * time.Hour),
 				})
 				router.ServeHTTP(recorder, req)
 				assert.Equal(t, 200, recorder.Code)
@@ -327,15 +237,12 @@ func TestUserController(t *testing.T) {
 				assert.Equal(t, "tinyauth-session", totpCookie.Name)
 				assert.True(t, totpCookie.HttpOnly)
 				assert.Equal(t, "example.com", totpCookie.Domain)
-				assert.GreaterOrEqual(t, totpCookie.MaxAge, 7)
+				assert.Equal(t, 10, totpCookie.MaxAge) // should use the regular session expiry time
 				assert.LessOrEqual(t, totpCookie.MaxAge, 10)
 			},
 		},
 		{
 			description: "Totp should rate limit on multiple invalid attempts",
-			middlewares: []gin.HandlerFunc{
+			middlewares: []gin.HandlerFunc{},
 				totpCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
 					totpReq := controller.TotpRequest{
@@ -366,91 +273,19 @@ func TestUserController(t *testing.T) {
 				assert.Contains(t, recorder.Body.String(), "Too many failed TOTP attempts.")
 			},
 		},
 		{
 			description: "Login uses name and email from user attributes",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				loginReq := controller.LoginRequest{Username: "attruser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				require.Equal(t, 200, recorder.Code)
 				cookies := recorder.Result().Cookies()
 				require.Len(t, cookies, 1)
 				assert.Equal(t, "tinyauth-session", cookies[0].Name)
 			},
 		},
 		{
 			description: "Login with TOTP uses name and email from user attributes in pending session",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				loginReq := controller.LoginRequest{Username: "attrtotpuser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
 				router.ServeHTTP(recorder, req)
 				require.Equal(t, 200, recorder.Code)
 				var res map[string]any
 				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
 				assert.Equal(t, true, res["totpPending"])
 				require.Len(t, recorder.Result().Cookies(), 1)
 			},
 		},
 		{
 			description: "TOTP completion uses name and email from user attributes",
 			middlewares: []gin.HandlerFunc{
 				totpAttrCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-attributes-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
 					Name:        "Test",
 					Provider:    "local",
 					TotpPending: true,
 					Expiry:      time.Now().Add(1 * time.Hour).Unix(),
 					CreatedAt:   time.Now().Unix(),
 				})
 				require.NoError(t, err)
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 				totpReq := controller.TotpRequest{Code: code}
 				body, err := json.Marshal(totpReq)
 				require.NoError(t, err)
 				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(body)))
 				req.Header.Set("Content-Type", "application/json")
 				req.AddCookie(&http.Cookie{
 					Name:     "tinyauth-session",
 					Value:    "test-totp-login-attributes-uuid",
 					HttpOnly: true,
 					MaxAge:   3600,
 					Expires:  time.Now().Add(1 * time.Hour),
 				})
 				router.ServeHTTP(recorder, req)
 				require.Equal(t, 200, recorder.Code)
 				cookies := recorder.Result().Cookies()
 				require.Len(t, cookies, 1)
 				assert.Equal(t, "tinyauth-session", cookies[0].Name)
 			},
 		},
 	}
-	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
+	oauthBrokerCfgs := make(map[string]config.OAuthServiceConfig)
 	app := bootstrap.NewBootstrapApp(config.Config{})
 	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
 	require.NoError(t, err)
 	queries := repository.New(db)
 	docker := service.NewDockerService()
-	err := docker.Init()
+	err = docker.Init()
 	require.NoError(t, err)
 	ldap := service.NewLdapService(service.LdapServiceConfig{})
@@ -461,7 +296,7 @@ func TestUserController(t *testing.T) {
 	err = broker.Init()
 	require.NoError(t, err)
-	authService := service.NewAuthService(authServiceCfg, ldap, store, broker)
+	authService := service.NewAuthService(authServiceCfg, docker, ldap, queries, broker)
 	err = authService.Init()
 	require.NoError(t, err)
@@ -470,6 +305,11 @@ func TestUserController(t *testing.T) {
 		authService.ClearRateLimitsTestingOnly()
 	}
 	setTotpMiddlewareOverrides := []string{
 		"Should be able to login with totp",
 		"Totp should rate limit on multiple invalid attempts",
 	}
 	for _, test := range tests {
 		beforeEach()
 		t.Run(test.description, func(t *testing.T) {
@@ -479,6 +319,23 @@ func TestUserController(t *testing.T) {
 				router.Use(middleware)
 			}
 			// Gin is stupid and doesn't allow setting a middleware after the groups
 			// so we need to do some stupid overrides here
 			if slices.Contains(setTotpMiddlewareOverrides, test.description) {
 				// Assuming the cookie is set, it should be picked up by the
 				// context middleware
 				router.Use(func(c *gin.Context) {
 					c.Set("context", &config.UserContext{
 						Username:    "totpuser",
 						Name:        "Totpuser",
 						Email:       "totpuser@example.com",
 						Provider:    "local",
 						TotpPending: true,
 						TotpEnabled: true,
 					})
 				})
 			}
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
@@ -490,4 +347,9 @@ func TestUserController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		err = db.Close()
 		require.NoError(t, err)
 	})
 }
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/service"
 )
 type OpenIDConnectConfiguration struct {
@@ -61,7 +61,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		SubjectTypesSupported:                  []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
 		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
+		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
 		RequestParameterSupported:              true,
 		RequestObjectSigningAlgValuesSupported: []string{"none"},
@@ -8,13 +8,14 @@ import (
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestWellKnownController(t *testing.T) {
@@ -22,7 +23,7 @@ func TestWellKnownController(t *testing.T) {
 	tempDir := t.TempDir()
 	oidcServiceCfg := service.OIDCServiceConfig{
-		Clients: map[string]model.OIDCClientConfig{
+		Clients: map[string]config.OIDCClientConfig{
 			"test": {
 				ClientID:            "some-client-id",
 				ClientSecret:        "some-client-secret",
@@ -66,7 +67,7 @@ func TestWellKnownController(t *testing.T) {
 					SubjectTypesSupported:                  []string{"pairwise"},
 					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
 					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
+					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
 					RequestParameterSupported:              true,
 					RequestObjectSigningAlgValuesSupported: []string{"none"},
@@ -100,10 +101,15 @@ func TestWellKnownController(t *testing.T) {
 		},
 	}
-	store := memory.New()
+	app := bootstrap.NewBootstrapApp(config.Config{})
-	oidcService := service.NewOIDCService(oidcServiceCfg, store)
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
-	err := oidcService.Init()
+	require.NoError(t, err)
 	queries := repository.New(db)
 	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
 	err = oidcService.Init()
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -119,4 +125,9 @@ func TestWellKnownController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		err = db.Close()
 		require.NoError(t, err)
 	})
 }
@@ -1,16 +1,13 @@
 package middleware
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/tinyauthapp/tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/utils"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 )
@@ -36,8 +33,7 @@ var (
 )
 type ContextMiddlewareConfig struct {
-	CookieDomain      string
+	CookieDomain string
 	SessionCookieName string
 }
 type ContextMiddleware struct {
@@ -65,41 +61,177 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
-		uuid, err := c.Cookie(m.config.SessionCookieName)
+		cookie, err := m.auth.GetSessionCookie(c)
-		if err == nil {
+		if err != nil {
-			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
+			tlog.App.Debug().Err(err).Msg("No valid session cookie found")
-
+			goto basic
 			if err == nil {
 				if cookie != nil {
 					http.SetCookie(c.Writer, cookie)
 				}
 				tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
 				c.Set("context", userContext)
 				c.Next()
 				return
 			} else {
 				tlog.App.Error().Msgf("Error authenticating session cookie: %v", err)
 			}
 		}
-		username, password, ok := c.Request.BasicAuth()
+		if cookie.TotpPending {
 			c.Set("context", &config.UserContext{
 				Username:    cookie.Username,
 				Name:        cookie.Name,
 				Email:       cookie.Email,
 				Provider:    "local",
 				TotpPending: true,
 				TotpEnabled: true,
 			})
 			c.Next()
 			return
 		}
-		if ok {
+		switch cookie.Provider {
-			userContext, headers, err := m.basicAuth(username, password)
+		case "local", "ldap":
 			userSearch := m.auth.SearchUser(cookie.Username)
-			if err != nil {
+			if userSearch.Type == "unknown" {
-				tlog.App.Error().Msgf("Error authenticating basic auth: %v", err)
+				tlog.App.Debug().Msg("User from session cookie not found")
 				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 			if userSearch.Type != cookie.Provider {
 				tlog.App.Warn().Msg("User type from session cookie does not match user search type")
 				m.auth.DeleteSessionCookie(c)
 				c.Next()
 				return
 			}
-			for k, v := range headers {
+			var ldapGroups []string
-				c.Header(k, v)
+
 			if cookie.Provider == "ldap" {
 				ldapUser, err := m.auth.GetLdapUser(userSearch.Username)
 				if err != nil {
 					tlog.App.Error().Err(err).Msg("Error retrieving LDAP user details")
 					c.Next()
 					return
 				}
 				ldapGroups = ldapUser.Groups
 			}
-			c.Set("context", userContext)
+			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
 				Name:       cookie.Name,
 				Email:      cookie.Email,
 				Provider:   cookie.Provider,
 				IsLoggedIn: true,
 				LdapGroups: strings.Join(ldapGroups, ","),
 			})
 			c.Next()
 			return
 		default:
 			_, exists := m.broker.GetService(cookie.Provider)
 			if !exists {
 				tlog.App.Debug().Msg("OAuth provider from session cookie not found")
 				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 			if !m.auth.IsEmailWhitelisted(cookie.Email) {
 				tlog.App.Debug().Msg("Email from session cookie not whitelisted")
 				m.auth.DeleteSessionCookie(c)
 				goto basic
 			}
 			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:    cookie.Username,
 				Name:        cookie.Name,
 				Email:       cookie.Email,
 				Provider:    cookie.Provider,
 				OAuthGroups: cookie.OAuthGroups,
 				OAuthName:   cookie.OAuthName,
 				OAuthSub:    cookie.OAuthSub,
 				IsLoggedIn:  true,
 				OAuth:       true,
 			})
 			c.Next()
 			return
 		}
 	basic:
 		basic := m.auth.GetBasicAuth(c)
 		if basic == nil {
 			tlog.App.Debug().Msg("No basic auth provided")
 			c.Next()
 			return
 		}
 		locked, remaining := m.auth.IsAccountLocked(basic.Username)
 		if locked {
 			tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", basic.Username, remaining)
 			c.Writer.Header().Add("x-tinyauth-lock-locked", "true")
 			c.Writer.Header().Add("x-tinyauth-lock-reset", time.Now().Add(time.Duration(remaining)*time.Second).Format(time.RFC3339))
 			c.Next()
 			return
 		}
 		userSearch := m.auth.SearchUser(basic.Username)
 		if userSearch.Type == "unknown" || userSearch.Type == "error" {
 			m.auth.RecordLoginAttempt(basic.Username, false)
 			tlog.App.Debug().Msg("User from basic auth not found")
 			c.Next()
 			return
 		}
 		if !m.auth.VerifyUser(userSearch, basic.Password) {
 			m.auth.RecordLoginAttempt(basic.Username, false)
 			tlog.App.Debug().Msg("Invalid password for basic auth user")
 			c.Next()
 			return
 		}
 		m.auth.RecordLoginAttempt(basic.Username, true)
 		switch userSearch.Type {
 		case "local":
 			tlog.App.Debug().Msg("Basic auth user is local")
 			user := m.auth.GetLocalUser(basic.Username)
 			if user.TotpSecret != "" {
 				tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
 				return
 			}
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
 				Name:        utils.Capitalize(user.Username),
 				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 				Provider:    "local",
 				IsLoggedIn:  true,
 				IsBasicAuth: true,
 			})
 			c.Next()
 			return
 		case "ldap":
 			tlog.App.Debug().Msg("Basic auth user is LDAP")
 			ldapUser, err := m.auth.GetLdapUser(basic.Username)
 			if err != nil {
 				tlog.App.Debug().Err(err).Msg("Error retrieving LDAP user details")
 				c.Next()
 				return
 			}
 			c.Set("context", &config.UserContext{
 				Username:    basic.Username,
 				Name:        utils.Capitalize(basic.Username),
 				Email:       utils.CompileUserEmail(basic.Username, m.config.CookieDomain),
 				Provider:    "ldap",
 				IsLoggedIn:  true,
 				LdapGroups:  strings.Join(ldapUser.Groups, ","),
 				IsBasicAuth: true,
 			})
 			c.Next()
 			return
 		}
@@ -108,149 +240,6 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 	}
 }
 func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model.UserContext, *http.Cookie, error) {
 	session, err := m.auth.GetSession(ctx, uuid)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error retrieving session: %w", err)
 	}
 	userContext, err := new(model.UserContext).NewFromSession(session)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error creating user context from session: %w", err)
 	}
 	if userContext.Provider == model.ProviderLocal &&
 		userContext.Local.TOTPPending {
 		return userContext, nil, nil
 	}
 	switch userContext.Provider {
 	case model.ProviderLocal:
 		user := m.auth.GetLocalUser(userContext.Local.Username)
 		if user == nil {
 			return nil, nil, fmt.Errorf("local user not found")
 		}
 		userContext.Local.Attributes = user.Attributes
 		if userContext.Local.Attributes.Name == "" {
 			userContext.Local.Attributes.Name = utils.Capitalize(user.Username)
 		}
 		if userContext.Local.Attributes.Email == "" {
 			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.config.CookieDomain)
 		}
 	case model.ProviderLDAP:
 		search, err := m.auth.SearchUser(userContext.LDAP.Username)
 		if err != nil {
 			return nil, nil, fmt.Errorf("error searching for ldap user: %w", err)
 		}
 		if search.Type != model.UserLDAP {
 			return nil, nil, fmt.Errorf("user from session cookie is not ldap")
 		}
 		user, err := m.auth.GetLDAPUser(search.Username)
 		if err != nil {
 			return nil, nil, fmt.Errorf("error retrieving ldap user details: %w", err)
 		}
 		userContext.LDAP.Groups = user.Groups
 		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
 		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.config.CookieDomain)
 	case model.ProviderOAuth:
 		_, exists := m.broker.GetService(userContext.OAuth.ID)
 		if !exists {
 			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
 			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
 	cookie, err := m.auth.RefreshSession(ctx, uuid)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)
 	}
 	return userContext, cookie, nil
 }
 func (m *ContextMiddleware) basicAuth(username string, password string) (*model.UserContext, map[string]string, error) {
 	headers := make(map[string]string)
 	userContext := new(model.UserContext)
 	locked, remaining := m.auth.IsAccountLocked(username)
 	if locked {
 		tlog.App.Debug().Msgf("Account for user %s is locked for %d seconds, denying auth", username, remaining)
 		headers["x-tinyauth-lock-locked"] = "true"
 		headers["x-tinyauth-lock-reset"] = time.Now().Add(time.Duration(remaining) * time.Second).Format(time.RFC3339)
 		return nil, headers, nil
 	}
 	search, err := m.auth.SearchUser(username)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error searching for user: %w", err)
 	}
 	err = m.auth.CheckUserPassword(*search, password)
 	if err != nil {
 		m.auth.RecordLoginAttempt(username, false)
 		return nil, nil, fmt.Errorf("invalid password for basic auth user: %w", err)
 	}
 	m.auth.RecordLoginAttempt(username, true)
 	switch search.Type {
 	case model.UserLocal:
 		user := m.auth.GetLocalUser(username)
 		if user.TOTPSecret != "" {
 			return nil, nil, fmt.Errorf("user with totp not allowed to login via basic auth: %s", username)
 		}
 		userContext.Local = &model.LocalContext{
 			BaseContext: model.BaseContext{
 				Username: user.Username,
 				Name:     utils.Capitalize(user.Username),
 				Email:    utils.CompileUserEmail(user.Username, m.config.CookieDomain),
 			},
 			Attributes: user.Attributes,
 		}
 		userContext.Provider = model.ProviderLocal
 	case model.UserLDAP:
 		user, err := m.auth.GetLDAPUser(username)
 		if err != nil {
 			return nil, nil, fmt.Errorf("error retrieving ldap user details: %w", err)
 		}
 		userContext.LDAP = &model.LDAPContext{
 			BaseContext: model.BaseContext{
 				Username: username,
 				Name:     utils.Capitalize(username),
 				Email:    utils.CompileUserEmail(username, m.config.CookieDomain),
 			},
 			Groups: user.Groups,
 		}
 		userContext.Provider = model.ProviderLDAP
 	}
 	userContext.Authenticated = true
 	return userContext, nil, nil
 }
 func (m *ContextMiddleware) isIgnorePath(path string) bool {
 	for _, prefix := range contextSkipPathsPrefix {
 		if strings.HasPrefix(path, prefix) {
@@ -1,316 +0,0 @@
 package middleware_test
 import (
 	"context"
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
 )
 func TestContextMiddleware(t *testing.T) {
 	tlog.NewTestLogger().Init()
 	authServiceCfg := service.AuthServiceConfig{
 		LocalUsers: &[]model.LocalUser{
 			{
 				Username: "testuser",
 				Password: "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
 			},
 			{
 				Username:   "totpuser",
 				Password:   "$2a$10$ZwVYQH07JX2zq7Fjkt3gU.BjwvvwPeli4OqOno04RQIv0P7usBrXa", // password
 				TOTPSecret: "JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK",
 			},
 		},
 		SessionExpiry:     10, // 10 seconds, useful for testing
 		CookieDomain:      "example.com",
 		LoginTimeout:      10, // 10 seconds, useful for testing
 		LoginMaxRetries:   3,
 		SessionCookieName: "tinyauth-session",
 	}
 	middlewareCfg := middleware.ContextMiddlewareConfig{
 		CookieDomain:      "example.com",
 		SessionCookieName: "tinyauth-session",
 	}
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
 	seedSession := func(t *testing.T, queries repository.Store, params repository.CreateSessionParams) {
 		t.Helper()
 		_, err := queries.CreateSession(context.Background(), params)
 		require.NoError(t, err)
 	}
 	type runArgs struct {
 		do      func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder)
 		queries repository.Store
 	}
 	type testCase struct {
 		description string
 		run         func(t *testing.T, args runArgs)
 	}
 	tests := []testCase{
 		{
 			description: "Skip path bypasses auth processing",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/healthz", nil)
 				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "No credentials yields no context",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Valid session cookie sets authenticated local context",
 			run: func(t *testing.T, args runArgs) {
 				uuid := "session-valid-local"
 				seedSession(t, args.queries, repository.CreateSessionParams{
 					UUID:      uuid,
 					Username:  "testuser",
 					Provider:  "local",
 					Expiry:    time.Now().Add(10 * time.Second).Unix(),
 					CreatedAt: time.Now().Unix(),
 				})
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
 				userCtx, _ := args.do(req)
 				require.NotNil(t, userCtx)
 				assert.Equal(t, model.ProviderLocal, userCtx.Provider)
 				assert.Equal(t, "testuser", userCtx.GetUsername())
 				assert.True(t, userCtx.Authenticated)
 				require.NotNil(t, userCtx.Local)
 			},
 		},
 		{
 			description: "Session cookie with totp pending sets unauthenticated context with totp enabled",
 			run: func(t *testing.T, args runArgs) {
 				uuid := "session-totp-pending"
 				seedSession(t, args.queries, repository.CreateSessionParams{
 					UUID:        uuid,
 					Username:    "totpuser",
 					Provider:    "local",
 					TotpPending: true,
 					Expiry:      time.Now().Add(60 * time.Second).Unix(),
 					CreatedAt:   time.Now().Unix(),
 				})
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
 				userCtx, _ := args.do(req)
 				require.NotNil(t, userCtx)
 				assert.Equal(t, "totpuser", userCtx.GetUsername())
 				assert.False(t, userCtx.Authenticated)
 				require.NotNil(t, userCtx.Local)
 				assert.True(t, userCtx.Local.TOTPPending)
 			},
 		},
 		{
 			description: "Unknown session cookie yields no context",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: "does-not-exist"})
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Session for missing local user yields no context",
 			run: func(t *testing.T, args runArgs) {
 				uuid := "session-deleted-user"
 				seedSession(t, args.queries, repository.CreateSessionParams{
 					UUID:      uuid,
 					Username:  "ghostuser",
 					Provider:  "local",
 					Expiry:    time.Now().Add(10 * time.Second).Unix(),
 					CreatedAt: time.Now().Unix(),
 				})
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Expired session cookie yields no context",
 			run: func(t *testing.T, args runArgs) {
 				uuid := "session-expired"
 				seedSession(t, args.queries, repository.CreateSessionParams{
 					UUID:      uuid,
 					Username:  "testuser",
 					Provider:  "local",
 					Expiry:    time.Now().Add(-1 * time.Second).Unix(),
 					CreatedAt: time.Now().Add(-10 * time.Second).Unix(),
 				})
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Valid basic auth sets authenticated local context",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
 				userCtx, _ := args.do(req)
 				require.NotNil(t, userCtx)
 				assert.Equal(t, model.ProviderLocal, userCtx.Provider)
 				assert.Equal(t, "testuser", userCtx.GetUsername())
 				assert.True(t, userCtx.Authenticated)
 			},
 		},
 		{
 			description: "Invalid basic auth password yields no context",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.Header.Set("Authorization", basicAuthHeader("testuser", "wrongpassword"))
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Basic auth is rejected for users with totp",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.Header.Set("Authorization", basicAuthHeader("totpuser", "password"))
 				userCtx, _ := args.do(req)
 				assert.Nil(t, userCtx)
 			},
 		},
 		{
 			description: "Locked account on basic auth sets lock headers",
 			run: func(t *testing.T, args runArgs) {
 				for range 3 {
 					req := httptest.NewRequest("GET", "/api/test", nil)
 					req.Header.Set("Authorization", basicAuthHeader("testuser", "wrongpassword"))
 					args.do(req)
 				}
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
 				userCtx, recorder := args.do(req)
 				assert.Nil(t, userCtx)
 				assert.Equal(t, "true", recorder.Header().Get("x-tinyauth-lock-locked"))
 				assert.NotEmpty(t, recorder.Header().Get("x-tinyauth-lock-reset"))
 			},
 		},
 		{
 			description: "Cookie auth takes precedence over basic auth",
 			run: func(t *testing.T, args runArgs) {
 				uuid := "session-precedence"
 				seedSession(t, args.queries, repository.CreateSessionParams{
 					UUID:      uuid,
 					Username:  "testuser",
 					Provider:  "local",
 					Expiry:    time.Now().Add(10 * time.Second).Unix(),
 					CreatedAt: time.Now().Unix(),
 				})
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.AddCookie(&http.Cookie{Name: "tinyauth-session", Value: uuid})
 				req.Header.Set("Authorization", basicAuthHeader("totpuser", "password"))
 				userCtx, _ := args.do(req)
 				require.NotNil(t, userCtx)
 				assert.Equal(t, "testuser", userCtx.GetUsername())
 				assert.True(t, userCtx.Authenticated)
 			},
 		},
 		{
 			description: "Ensure fallback to basic auth when cookie is missing",
 			run: func(t *testing.T, args runArgs) {
 				req := httptest.NewRequest("GET", "/api/test", nil)
 				req.Header.Set("Authorization", basicAuthHeader("testuser", "password"))
 				userCtx, _ := args.do(req)
 				require.NotNil(t, userCtx)
 				assert.Equal(t, "testuser", userCtx.GetUsername())
 				assert.True(t, userCtx.Authenticated)
 			},
 		},
 	}
 	oauthBrokerCfgs := make(map[string]model.OAuthServiceConfig)
 	store := memory.New()
 	ldap := service.NewLdapService(service.LdapServiceConfig{})
 	err := ldap.Init()
 	require.NoError(t, err)
 	broker := service.NewOAuthBrokerService(oauthBrokerCfgs)
 	err = broker.Init()
 	require.NoError(t, err)
 	authService := service.NewAuthService(authServiceCfg, ldap, store, broker)
 	err = authService.Init()
 	require.NoError(t, err)
 	contextMiddleware := middleware.NewContextMiddleware(middlewareCfg, authService, broker)
 	err = contextMiddleware.Init()
 	require.NoError(t, err)
 	for _, test := range tests {
 		authService.ClearRateLimitsTestingOnly()
 		t.Run(test.description, func(t *testing.T) {
 			gin.SetMode(gin.TestMode)
 			do := func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder) {
 				var captured *model.UserContext
 				router := gin.New()
 				router.Use(contextMiddleware.Middleware())
 				handler := func(c *gin.Context) {
 					if val, exists := c.Get("context"); exists {
 						captured, _ = val.(*model.UserContext)
 					}
 				}
 				router.GET("/api/test", handler)
 				router.GET("/api/healthz", handler)
 				recorder := httptest.NewRecorder()
 				router.ServeHTTP(recorder, req)
 				return captured, recorder
 			}
 			test.run(t, runArgs{do: do, queries: store})
 		})
 	}
 }
@@ -8,8 +8,8 @@ import (
 	"strings"
 	"time"
-	"github.com/tinyauthapp/tinyauth/internal/assets"
+	"github.com/steveiliop56/tinyauth/internal/assets"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 )
@@ -5,7 +5,7 @@ import (
 	"time"
 	"github.com/gin-gonic/gin"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 // See context middleware for explanation of why we have to do this
@@ -1,23 +0,0 @@
 package model
 const DefaultNamePrefix = "TINYAUTH_"
 const APIServer = "https://api.tinyauth.app"
 type Claims struct {
 	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
 	Groups            any    `json:"groups"`
 }
 var OverrideProviders = map[string]string{
 	"google": "Google",
 	"github": "GitHub",
 }
 const SessionCookieName = "tinyauth-session"
 const CSRFCookieName = "tinyauth-csrf"
 const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
@@ -1,250 +0,0 @@
 package model
 import (
 	"errors"
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 type ProviderType int
 const (
 	ProviderLocal ProviderType = iota
 	ProviderBasicAuth
 	ProviderOAuth
 	ProviderLDAP
 )
 type UserContext struct {
 	Authenticated bool
 	Provider      ProviderType
 	Local         *LocalContext
 	OAuth         *OAuthContext
 	LDAP          *LDAPContext
 }
 type BaseContext struct {
 	Username string
 	Name     string
 	Email    string
 }
 type LocalContext struct {
 	BaseContext
 	TOTPPending bool
 	Attributes  UserAttributes
 }
 type OAuthContext struct {
 	BaseContext
 	Groups      []string
 	Sub         string
 	DisplayName string
 	ID          string
 }
 type LDAPContext struct {
 	BaseContext
 	Groups []string
 }
 func (c *UserContext) IsAuthenticated() bool {
 	return c.Authenticated
 }
 func (c *UserContext) IsLocal() bool {
 	return c.Provider == ProviderLocal && c.Local != nil
 }
 func (c *UserContext) IsOAuth() bool {
 	return c.Provider == ProviderOAuth && c.OAuth != nil
 }
 func (c *UserContext) IsLDAP() bool {
 	return c.Provider == ProviderLDAP && c.LDAP != nil
 }
 func (c *UserContext) IsBasicAuth() bool {
 	return c.Provider == ProviderBasicAuth && c.Local != nil
 }
 func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 	userContextValue, exists := ginctx.Get("context")
 	if !exists {
 		return nil, errors.New("failed to get user context")
 	}
 	userContext, ok := userContextValue.(*UserContext)
 	if !ok || userContext == nil {
 		return nil, errors.New("invalid user context type")
 	}
 	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil {
 		return nil, errors.New("incomplete user context")
 	}
 	*c = *userContext
 	return c, nil
 }
 // Compatability layer until we get an excuse to drop in database migrations
 func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext, error) {
 	*c = UserContext{
 		Authenticated: !session.TotpPending,
 	}
 	switch session.Provider {
 	case "local":
 		c.Provider = ProviderLocal
 		c.Local = &LocalContext{
 			BaseContext: BaseContext{
 				Username: session.Username,
 				Name:     session.Name,
 				Email:    session.Email,
 			},
 			TOTPPending: session.TotpPending,
 		}
 	case "ldap":
 		c.Provider = ProviderLDAP
 		c.LDAP = &LDAPContext{
 			BaseContext: BaseContext{
 				Username: session.Username,
 				Name:     session.Name,
 				Email:    session.Email,
 			},
 		}
 	// By default we assume an unkown name which is oauth
 	default:
 		c.Provider = ProviderOAuth
 		c.OAuth = &OAuthContext{
 			BaseContext: BaseContext{
 				Username: session.Username,
 				Name:     session.Name,
 				Email:    session.Email,
 			},
 			Groups: func() []string {
 				if session.OAuthGroups == "" {
 					return nil
 				}
 				return strings.Split(session.OAuthGroups, ",")
 			}(),
 			Sub:         session.OAuthSub,
 			DisplayName: session.OAuthName,
 			ID:          session.Provider,
 		}
 	}
 	return c, nil
 }
 func (c *UserContext) GetUsername() string {
 	switch c.Provider {
 	case ProviderLocal:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Username
 	case ProviderLDAP:
 		if c.LDAP == nil {
 			return ""
 		}
 		return c.LDAP.Username
 	case ProviderBasicAuth:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Username
 	case ProviderOAuth:
 		if c.OAuth == nil {
 			return ""
 		}
 		return c.OAuth.Username
 	default:
 		return ""
 	}
 }
 func (c *UserContext) GetEmail() string {
 	switch c.Provider {
 	case ProviderLocal:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Email
 	case ProviderLDAP:
 		if c.LDAP == nil {
 			return ""
 		}
 		return c.LDAP.Email
 	case ProviderBasicAuth:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Email
 	case ProviderOAuth:
 		if c.OAuth == nil {
 			return ""
 		}
 		return c.OAuth.Email
 	default:
 		return ""
 	}
 }
 func (c *UserContext) GetName() string {
 	switch c.Provider {
 	case ProviderLocal:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Name
 	case ProviderLDAP:
 		if c.LDAP == nil {
 			return ""
 		}
 		return c.LDAP.Name
 	case ProviderBasicAuth:
 		if c.Local == nil {
 			return ""
 		}
 		return c.Local.Name
 	case ProviderOAuth:
 		if c.OAuth == nil {
 			return ""
 		}
 		return c.OAuth.Name
 	default:
 		return ""
 	}
 }
 func (c *UserContext) GetProviderID() string {
 	switch c.Provider {
 	case ProviderBasicAuth, ProviderLocal:
 		return "local"
 	case ProviderLDAP:
 		return "ldap"
 	case ProviderOAuth:
 		return c.OAuth.ID
 	default:
 		return "unknown"
 	}
 }
 func (c *UserContext) TOTPPending() bool {
 	if c.Provider == ProviderLocal && c.Local != nil {
 		return c.Local.TOTPPending
 	}
 	return false
 }
 func (c *UserContext) OAuthName() string {
 	if c.Provider == ProviderOAuth && c.OAuth != nil {
 		return c.OAuth.DisplayName
 	}
 	return ""
 }
@@ -1,276 +0,0 @@
 package model_test
 import (
 	"net/http/httptest"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 func TestContext(t *testing.T) {
 	newGinCtx := func(value any, set bool) *gin.Context {
 		c, _ := gin.CreateTestContext(httptest.NewRecorder())
 		if set {
 			c.Set("context", value)
 		}
 		return c
 	}
 	tests := []struct {
 		description string
 		context     *model.UserContext
 		run         func(*testing.T, *model.UserContext) any
 		expected    any
 	}{
 		{
 			description: "IsAuthenticated reflects Authenticated field",
 			context:     &model.UserContext{Authenticated: true},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.IsAuthenticated() },
 			expected:    true,
 		},
 		{
 			description: "IsLocal returns true for ProviderLocal",
 			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLocal() },
 			expected:    true,
 		},
 		{
 			description: "IsOAuth returns true for ProviderOAuth",
 			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.IsOAuth() },
 			expected:    true,
 		},
 		{
 			description: "IsLDAP returns true for ProviderLDAP",
 			context:     &model.UserContext{Provider: model.ProviderLDAP, LDAP: &model.LDAPContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLDAP() },
 			expected:    true,
 		},
 		{
 			description: "IsBasicAuth returns true for ProviderBasicAuth",
 			context:     &model.UserContext{Provider: model.ProviderBasicAuth, Local: &model.LocalContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.IsBasicAuth() },
 			expected:    true,
 		},
 		{
 			description: "NewFromSession local session is authenticated and ProviderLocal",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "alice", Email: "alice@example.com", Name: "Alice",
 					Provider: "local",
 				})
 				require.NoError(t, err)
 				return [2]any{got.Provider, got.Authenticated}
 			},
 			expected: [2]any{model.ProviderLocal, true},
 		},
 		{
 			description: "NewFromSession local session with TotpPending is not authenticated",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "bob", Provider: "local", TotpPending: true,
 				})
 				require.NoError(t, err)
 				return got.Authenticated
 			},
 			expected: false,
 		},
 		{
 			description: "NewFromSession ldap session is ProviderLDAP",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "carol", Provider: "ldap",
 				})
 				require.NoError(t, err)
 				return got.Provider
 			},
 			expected: model.ProviderLDAP,
 		},
 		{
 			description: "NewFromSession unknown provider defaults to OAuth and populates oauth fields",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "dave", Provider: "github",
 					OAuthGroups: "devs,admins", OAuthSub: "sub-123", OAuthName: "GitHub",
 				})
 				require.NoError(t, err)
 				return [5]any{got.Provider, got.OAuth.ID, got.OAuth.Sub, got.OAuth.DisplayName, got.OAuth.Groups}
 			},
 			expected: [5]any{model.ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
 		},
 		{
 			description: "Local getters return BaseContext fields",
 			context: &model.UserContext{
 				Provider: model.ProviderLocal,
 				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
 			},
 			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"alice", "alice@example.com", "Alice"},
 		},
 		{
 			description: "BasicAuth getters fall back to local fields",
 			context: &model.UserContext{
 				Provider: model.ProviderBasicAuth,
 				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
 			},
 			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"bob", "bob@example.com", "Bob"},
 		},
 		{
 			description: "LDAP getters return LDAP fields",
 			context: &model.UserContext{
 				Provider: model.ProviderLDAP,
 				LDAP:     &model.LDAPContext{BaseContext: model.BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
 			},
 			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"carol", "carol@example.com", "Carol"},
 		},
 		{
 			description: "OAuth getters return OAuth fields",
 			context: &model.UserContext{
 				Provider: model.ProviderOAuth,
 				OAuth:    &model.OAuthContext{BaseContext: model.BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
 			},
 			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"dave", "dave@example.com", "Dave"},
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderLocal",
 			context:     &model.UserContext{Provider: model.ProviderLocal},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderBasicAuth",
 			context:     &model.UserContext{Provider: model.ProviderBasicAuth},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'ldap' for ProviderLDAP",
 			context:     &model.UserContext{Provider: model.ProviderLDAP},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "ldap",
 		},
 		{
 			description: "ProviderName returns OAuth provider ID for ProviderOAuth",
 			context: &model.UserContext{
 				Provider: model.ProviderOAuth,
 				OAuth:    &model.OAuthContext{ID: "github"},
 			},
 			run:      func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected: "github",
 		},
 		{
 			description: "TOTPPending returns true when local context is pending",
 			context: &model.UserContext{
 				Provider: model.ProviderLocal,
 				Local:    &model.LocalContext{TOTPPending: true},
 			},
 			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: true,
 		},
 		{
 			description: "TOTPPending returns false when local context is not pending",
 			context: &model.UserContext{
 				Provider: model.ProviderLocal,
 				Local:    &model.LocalContext{TOTPPending: false},
 			},
 			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: false,
 		},
 		{
 			description: "TOTPPending returns false for non-local providers",
 			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected:    false,
 		},
 		{
 			description: "OAuthName returns DisplayName for ProviderOAuth",
 			context: &model.UserContext{
 				Provider: model.ProviderOAuth,
 				OAuth:    &model.OAuthContext{DisplayName: "Google"},
 			},
 			run:      func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected: "Google",
 		},
 		{
 			description: "OAuthName returns empty string for non-oauth providers",
 			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
 			run:         func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected:    "",
 		},
 		{
 			description: "NewFromGin populates context from gin value",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				stored := &model.UserContext{
 					Authenticated: true,
 					Provider:      model.ProviderLocal,
 					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "alice"}},
 				}
 				got, err := c.NewFromGin(newGinCtx(stored, true))
 				require.NoError(t, err)
 				return [2]any{got.Authenticated, got.GetUsername()}
 			},
 			expected: [2]any{true, "alice"},
 		},
 		{
 			description: "NewFromGin returns error when context value is missing",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
 			expected: "failed to get user context",
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx("not a user context", true))
 				return err.Error()
 			},
 			expected: "invalid user context type",
 		},
 		{
 			description: "NewFromGin returns an error when context doesn't include user information",
 			context:     &model.UserContext{},
 			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx(&model.UserContext{Provider: model.ProviderLocal}, true))
 				return err.Error()
 			},
 			expected: "incomplete user context",
 		},
 		{
 			description: "Getters should not panic if provider context is empty",
 			context:     &model.UserContext{Provider: model.ProviderLocal},
 			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"", "", ""},
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			assert.Equal(t, test.expected, test.run(t, test.context))
 		})
 	}
 }
@@ -1,25 +0,0 @@
 package model
 type UserSearchType int
 const (
 	UserLocal UserSearchType = iota
 	UserLDAP
 )
 type LDAPUser struct {
 	DN     string
 	Groups []string
 }
 type LocalUser struct {
 	Username   string
 	Password   string
 	TOTPSecret string
 	Attributes UserAttributes
 }
 type UserSearch struct {
 	Username string
 	Type     UserSearchType
 }
@@ -1,5 +0,0 @@
 package model
 var Version = "development"
 var CommitHash = "development"
 var BuildTimestamp = "0000-00-00T00:00:00Z"
@@ -1,8 +1,8 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.31.1
+//   sqlc v1.30.0
-package sqlite
+package repository
 import (
 	"context"
@@ -1,427 +0,0 @@
 package memory_test
 import (
 	"context"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 )
 var ctx = context.Background()
 func TestCreateAndGetSession(t *testing.T) {
 	s := memory.New()
 	sess, err := s.CreateSession(ctx, repository.CreateSessionParams{
 		UUID:     "uuid-1",
 		Username: "alice",
 		Expiry:   9999,
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "uuid-1", sess.UUID)
 	assert.Equal(t, "alice", sess.Username)
 	got, err := s.GetSession(ctx, "uuid-1")
 	require.NoError(t, err)
 	assert.Equal(t, sess, got)
 }
 func TestGetSession_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetSession(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestUpdateSession(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1", Username: "alice"})
 	require.NoError(t, err)
 	updated, err := s.UpdateSession(ctx, repository.UpdateSessionParams{
 		UUID:     "uuid-1",
 		Username: "bob",
 		Email:    "bob@example.com",
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "bob", updated.Username)
 	assert.Equal(t, "bob@example.com", updated.Email)
 	got, err := s.GetSession(ctx, "uuid-1")
 	require.NoError(t, err)
 	assert.Equal(t, updated, got)
 }
 func TestUpdateSession_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.UpdateSession(ctx, repository.UpdateSessionParams{UUID: "missing"})
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteSession(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteSession(ctx, "uuid-1"))
 	_, err = s.GetSession(ctx, "uuid-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteExpiredSessions(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "expired", Expiry: 10})
 	require.NoError(t, err)
 	_, err = s.CreateSession(ctx, repository.CreateSessionParams{UUID: "valid", Expiry: 100})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteExpiredSessions(ctx, 50))
 	_, err = s.GetSession(ctx, "expired")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 	_, err = s.GetSession(ctx, "valid")
 	assert.NoError(t, err)
 }
 func TestCreateAndGetOidcCode(t *testing.T) {
 	s := memory.New()
 	code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
 		Sub:      "sub-1",
 		CodeHash: "hash-1",
 		Scope:    "openid",
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", code.Sub)
 	// destructive read removes the record
 	got, err := s.GetOidcCode(ctx, "hash-1")
 	require.NoError(t, err)
 	assert.Equal(t, code, got)
 	_, err = s.GetOidcCode(ctx, "hash-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcCode_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcCode(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcCodeBySub(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	got, err := s.GetOidcCodeBySub(ctx, "sub-1")
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", got.Sub)
 	// destructive — gone after read
 	_, err = s.GetOidcCodeBySub(ctx, "sub-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcCodeBySub_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcCodeBySub(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcCodeUnsafe(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", got.Sub)
 	// non-destructive — still present
 	_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 	assert.NoError(t, err)
 }
 func TestGetOidcCodeUnsafe_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcCodeUnsafe(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcCodeBySubUnsafe(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 	require.NoError(t, err)
 	assert.Equal(t, "hash-1", got.CodeHash)
 	// non-destructive — still present
 	_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 	assert.NoError(t, err)
 }
 func TestGetOidcCodeBySubUnsafe_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestCreateOidcCode_UniqueSubConstraint(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
 	assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
 }
 func TestDeleteOidcCode(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
 	_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteOidcCodeBySub(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
 	_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteExpiredOidcCodes(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
 	require.NoError(t, err)
 	_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
 	require.NoError(t, err)
 	deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
 	require.NoError(t, err)
 	require.Len(t, deleted, 1)
 	assert.Equal(t, "hash-1", deleted[0].CodeHash)
 	_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
 	assert.NoError(t, err)
 }
 func TestCreateAndGetOidcToken(t *testing.T) {
 	s := memory.New()
 	tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub:             "sub-1",
 		AccessTokenHash: "at-hash-1",
 		CodeHash:        "code-hash-1",
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", tok.Sub)
 	got, err := s.GetOidcToken(ctx, "at-hash-1")
 	require.NoError(t, err)
 	assert.Equal(t, tok, got)
 }
 func TestGetOidcToken_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcToken(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestCreateOidcToken_UniqueSubConstraint(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 	require.NoError(t, err)
 	_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
 	assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
 }
 func TestGetOidcTokenByRefreshToken(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub:              "sub-1",
 		AccessTokenHash:  "at-1",
 		RefreshTokenHash: "rt-1",
 	})
 	require.NoError(t, err)
 	got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", got.Sub)
 }
 func TestGetOidcTokenByRefreshToken_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestGetOidcTokenBySub(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub:             "sub-1",
 		AccessTokenHash: "at-1",
 	})
 	require.NoError(t, err)
 	got, err := s.GetOidcTokenBySub(ctx, "sub-1")
 	require.NoError(t, err)
 	assert.Equal(t, "at-1", got.AccessTokenHash)
 }
 func TestGetOidcTokenBySub_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcTokenBySub(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestUpdateOidcTokenByRefreshToken(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub:              "sub-1",
 		AccessTokenHash:  "at-1",
 		RefreshTokenHash: "rt-1",
 	})
 	require.NoError(t, err)
 	updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 		RefreshTokenHash_2:    "rt-1",
 		AccessTokenHash:       "at-2",
 		RefreshTokenHash:      "rt-2",
 		TokenExpiresAt:        200,
 		RefreshTokenExpiresAt: 400,
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "at-2", updated.AccessTokenHash)
 	assert.Equal(t, "rt-2", updated.RefreshTokenHash)
 	// old key gone, new key present
 	_, err = s.GetOidcToken(ctx, "at-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 	got, err := s.GetOidcToken(ctx, "at-2")
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", got.Sub)
 }
 func TestUpdateOidcTokenByRefreshToken_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 		RefreshTokenHash_2: "missing",
 	})
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteOidcToken(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
 	_, err = s.GetOidcToken(ctx, "at-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteOidcTokenBySub(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
 	_, err = s.GetOidcToken(ctx, "at-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteOidcTokenByCodeHash(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub:             "sub-1",
 		AccessTokenHash: "at-1",
 		CodeHash:        "code-1",
 	})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
 	_, err = s.GetOidcToken(ctx, "at-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteExpiredOidcTokens(t *testing.T) {
 	s := memory.New()
 	// expired by TokenExpiresAt
 	_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub: "sub-1", AccessTokenHash: "at-1",
 		TokenExpiresAt: 10, RefreshTokenExpiresAt: 100,
 	})
 	require.NoError(t, err)
 	// expired by RefreshTokenExpiresAt
 	_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub: "sub-2", AccessTokenHash: "at-2",
 		TokenExpiresAt: 100, RefreshTokenExpiresAt: 10,
 	})
 	require.NoError(t, err)
 	// valid
 	_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 		Sub: "sub-3", AccessTokenHash: "at-3",
 		TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
 	})
 	require.NoError(t, err)
 	deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
 		TokenExpiresAt:        50,
 		RefreshTokenExpiresAt: 50,
 	})
 	require.NoError(t, err)
 	assert.Len(t, deleted, 2)
 	_, err = s.GetOidcToken(ctx, "at-3")
 	assert.NoError(t, err)
 }
 func TestCreateAndGetOidcUserInfo(t *testing.T) {
 	s := memory.New()
 	u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
 		Sub:   "sub-1",
 		Name:  "Alice",
 		Email: "alice@example.com",
 	})
 	require.NoError(t, err)
 	assert.Equal(t, "sub-1", u.Sub)
 	got, err := s.GetOidcUserInfo(ctx, "sub-1")
 	require.NoError(t, err)
 	assert.Equal(t, u, got)
 }
 func TestGetOidcUserInfo_NotFound(t *testing.T) {
 	s := memory.New()
 	_, err := s.GetOidcUserInfo(ctx, "missing")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
 func TestDeleteOidcUserInfo(t *testing.T) {
 	s := memory.New()
 	_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
 	require.NoError(t, err)
 	require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
 	_, err = s.GetOidcUserInfo(ctx, "sub-1")
 	assert.ErrorIs(t, err, repository.ErrNotFound)
 }
@@ -1,241 +0,0 @@
 package memory
 import (
 	"context"
 	"fmt"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, c := range s.oidcCodes {
 		if c.Sub == arg.Sub {
 			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
 		}
 	}
 	code := repository.OidcCode(arg)
 	s.oidcCodes[arg.CodeHash] = code
 	return code, nil
 }
 // GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
 func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
 		return repository.OidcCode{}, repository.ErrNotFound
 	}
 	delete(s.oidcCodes, codeHash)
 	return c, nil
 }
 // GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
 func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 // GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
 		return repository.OidcCode{}, repository.ErrNotFound
 	}
 	return c, nil
 }
 // GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, c := range s.oidcCodes {
 		if c.Sub == sub {
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcCodes, codeHash)
 	return nil
 }
 func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcCode
 	for k, c := range s.oidcCodes {
 		if c.ExpiresAt < expiresAt {
 			deleted = append(deleted, c)
 			delete(s.oidcCodes, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, t := range s.oidcTokens {
 		if t.Sub == arg.Sub {
 			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
 		}
 	}
 	tok := repository.OidcToken{
 		Sub:                   arg.Sub,
 		AccessTokenHash:       arg.AccessTokenHash,
 		RefreshTokenHash:      arg.RefreshTokenHash,
 		CodeHash:              arg.CodeHash,
 		Scope:                 arg.Scope,
 		ClientID:              arg.ClientID,
 		TokenExpiresAt:        arg.TokenExpiresAt,
 		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
 		Nonce:                 arg.Nonce,
 	}
 	s.oidcTokens[arg.AccessTokenHash] = tok
 	return tok, nil
 }
 func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	t, ok := s.oidcTokens[accessTokenHash]
 	if !ok {
 		return repository.OidcToken{}, repository.ErrNotFound
 	}
 	return t, nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.RefreshTokenHash == refreshTokenHash {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.Sub == sub {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
 			delete(s.oidcTokens, k)
 			t.AccessTokenHash = arg.AccessTokenHash
 			t.RefreshTokenHash = arg.RefreshTokenHash
 			t.TokenExpiresAt = arg.TokenExpiresAt
 			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 			s.oidcTokens[arg.AccessTokenHash] = t
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcTokens, accessTokenHash)
 	return nil
 }
 func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.Sub == sub {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.CodeHash == codeHash {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
 		if t.TokenExpiresAt < arg.TokenExpiresAt || t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	u := repository.OidcUserinfo(arg)
 	s.oidcUsers[arg.Sub] = u
 	return u, nil
 }
 func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	u, ok := s.oidcUsers[sub]
 	if !ok {
 		return repository.OidcUserinfo{}, repository.ErrNotFound
 	}
 	return u, nil
 }
 func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcUsers, sub)
 	return nil
 }
@@ -1,63 +0,0 @@
 package memory
 import (
 	"context"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 func (s *Store) CreateSession(_ context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	sess := repository.Session(arg)
 	s.sessions[arg.UUID] = sess
 	return sess, nil
 }
 func (s *Store) GetSession(_ context.Context, uuid string) (repository.Session, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	sess, ok := s.sessions[uuid]
 	if !ok {
 		return repository.Session{}, repository.ErrNotFound
 	}
 	return sess, nil
 }
 func (s *Store) UpdateSession(_ context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	sess, ok := s.sessions[arg.UUID]
 	if !ok {
 		return repository.Session{}, repository.ErrNotFound
 	}
 	sess.Username = arg.Username
 	sess.Email = arg.Email
 	sess.Name = arg.Name
 	sess.Provider = arg.Provider
 	sess.TotpPending = arg.TotpPending
 	sess.OAuthGroups = arg.OAuthGroups
 	sess.Expiry = arg.Expiry
 	sess.OAuthName = arg.OAuthName
 	sess.OAuthSub = arg.OAuthSub
 	s.sessions[arg.UUID] = sess
 	return sess, nil
 }
 func (s *Store) DeleteSession(_ context.Context, uuid string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.sessions, uuid)
 	return nil
 }
 func (s *Store) DeleteExpiredSessions(_ context.Context, expiry int64) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, v := range s.sessions {
 		if v.Expiry < expiry {
 			delete(s.sessions, k)
 		}
 	}
 	return nil
 }
@@ -1,27 +0,0 @@
 // Package memory provides an in-memory implementation of repository.Store for use in tests.
 package memory
 import (
 	"sync"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 // Store is a thread-safe in-memory implementation of repository.Store.
 type Store struct {
 	mu         sync.RWMutex
 	sessions   map[string]repository.Session
 	oidcCodes  map[string]repository.OidcCode
 	oidcTokens map[string]repository.OidcToken
 	oidcUsers  map[string]repository.OidcUserinfo
 }
 // New returns a new empty in-memory Store.
 func New() repository.Store {
 	return &Store{
 		sessions:   make(map[string]repository.Session),
 		oidcCodes:  make(map[string]repository.OidcCode),
 		oidcTokens: make(map[string]repository.OidcToken),
 		oidcUsers:  make(map[string]repository.OidcUserinfo),
 	}
 }
@@ -1,22 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.30.0
 package repository
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 type Session struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
@@ -47,22 +34,9 @@ type OidcUserinfo struct {
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
-type CreateSessionParams struct {
+type Session struct {
 	UUID        string
 	Username    string
 	Email       string
@@ -75,74 +49,3 @@ type CreateSessionParams struct {
 	OAuthName   string
 	OAuthSub    string
 }
 type UpdateSessionParams struct {
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	OAuthName   string
 	OAuthSub    string
 	UUID        string
 }
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 }
 type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	RefreshTokenHash_2    string
 }
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.31.1
+//   sqlc v1.30.0
 // source: oidc_queries.sql
-package sqlite
+package repository
 import (
 	"context"
@@ -124,24 +124,11 @@ INSERT INTO "oidc_userinfo" (
    "preferred_username",
    "email",
    "groups",
-    "updated_at",
+    "updated_at"
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
+RETURNING sub, name, preferred_username, email, "groups", updated_at
 `
 type CreateOidcUserInfoParams struct {
@@ -151,19 +138,6 @@ type CreateOidcUserInfoParams struct {
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
@@ -174,19 +148,6 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
@@ -196,19 +157,6 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
@@ -508,7 +456,7 @@ func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken,
 }
 const getOidcUserInfo = `-- name: GetOidcUserInfo :one
-SELECT sub, name, preferred_username, email, "groups", updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
+SELECT sub, name, preferred_username, email, "groups", updated_at FROM "oidc_userinfo"
 WHERE "sub" = ?
 `
@@ -522,19 +470,6 @@ func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.31.1
+//   sqlc v1.30.0
 // source: session_queries.sql
-package sqlite
+package repository
 import (
 	"context"
@@ -1,3 +0,0 @@
 package sqlite
 //go:generate go run github.com/tinyauthapp/tinyauth/cmd/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite
@@ -1,64 +0,0 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 package sqlite
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 }
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
@@ -1,224 +0,0 @@
 // Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
 package sqlite
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 // Store wraps *Queries and implements repository.Store.
 type Store struct {
 	q *Queries
 }
 // NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
 var errMap = []struct {
 	from error
 	to   error
 }{
 	{sql.ErrNoRows, repository.ErrNotFound},
 }
 func mapErr(err error) error {
 	for _, e := range errMap {
 		if errors.Is(err, e.from) {
 			return e.to
 		}
 	}
 	return err
 }
 func oidcCodeToRepo(v OidcCode) repository.OidcCode {
 	return repository.OidcCode(v)
 }
 func oidcTokenToRepo(v OidcToken) repository.OidcToken {
 	return repository.OidcToken(v)
 }
 func oidcUserinfoToRepo(v OidcUserinfo) repository.OidcUserinfo {
 	return repository.OidcUserinfo(v)
 }
 func sessionToRepo(v Session) repository.Session {
 	return repository.Session(v)
 }
 func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return oidcCodeToRepo(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return oidcTokenToRepo(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return oidcUserinfoToRepo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
 	r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return sessionToRepo(r), nil
 }
 func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = oidcCodeToRepo(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = oidcTokenToRepo(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCode(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return oidcCodeToRepo(r), nil
 }
 func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return oidcCodeToRepo(r), nil
 }
 func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return oidcCodeToRepo(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return oidcCodeToRepo(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return oidcTokenToRepo(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return oidcTokenToRepo(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return oidcTokenToRepo(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return oidcUserinfoToRepo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
 	r, err := s.q.GetSession(ctx, uuid)
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return sessionToRepo(r), nil
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return oidcTokenToRepo(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
 	r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return sessionToRepo(r), nil
 }
@@ -1,47 +0,0 @@
 package repository
 import (
 	"context"
 	"errors"
 )
 // ErrNotFound is returned by Store methods when the requested record does not exist.
 var ErrNotFound = errors.New("not found")
 // Store is the interface that all storage drivers must implement.
 // The sqlc-generated *Queries struct satisfies this interface for SQLite.
 // Future drivers (postgres, etc.) must return the shared types defined in this package.
 type Store interface {
 	// Sessions
 	CreateSession(ctx context.Context, arg CreateSessionParams) (Session, error)
 	GetSession(ctx context.Context, uuid string) (Session, error)
 	UpdateSession(ctx context.Context, arg UpdateSessionParams) (Session, error)
 	DeleteSession(ctx context.Context, uuid string) error
 	DeleteExpiredSessions(ctx context.Context, expiry int64) error
 	// OIDC codes
 	CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error)
 	GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error)
 	GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error)
 	GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error)
 	GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error)
 	DeleteOidcCode(ctx context.Context, codeHash string) error
 	DeleteOidcCodeBySub(ctx context.Context, sub string) error
 	DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error)
 	// OIDC tokens
 	CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error)
 	GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error)
 	GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error)
 	GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error)
 	UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error)
 	DeleteOidcToken(ctx context.Context, accessTokenHash string) error
 	DeleteOidcTokenBySub(ctx context.Context, sub string) error
 	DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error
 	DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error)
 	// OIDC userinfo
 	CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error)
 	GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error)
 	DeleteOidcUserInfo(ctx context.Context, sub string) error
 }
@@ -1,25 +1,22 @@
 package service
 import (
 	"errors"
 	"strings"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 type LabelProvider interface {
 	GetLabels(appDomain string) (*model.App, error)
 }
 type AccessControlsService struct {
-	labelProvider LabelProvider
+	docker *DockerService
-	static        map[string]model.App
+	static map[string]config.App
 }
-func NewAccessControlsService(labelProvider LabelProvider, static map[string]model.App) *AccessControlsService {
+func NewAccessControlsService(docker *DockerService, static map[string]config.App) *AccessControlsService {
 	return &AccessControlsService{
-		labelProvider: labelProvider,
+		docker: docker,
-		static:        static,
+		static: static,
 	}
 }
@@ -27,34 +24,31 @@ func (acls *AccessControlsService) Init() error {
 	return nil // No initialization needed
 }
-func (acls *AccessControlsService) lookupStaticACLs(domain string) *model.App {
+func (acls *AccessControlsService) lookupStaticACLs(domain string) (config.App, error) {
 	var appAcls *model.App
 	for app, config := range acls.static {
 		if config.Config.Domain == domain {
 			tlog.App.Debug().Str("name", app).Msg("Found matching container by domain")
-			appAcls = &config
+			return config, nil
 			break // If we find a match by domain, we can stop searching
 		}
 		if strings.SplitN(domain, ".", 2)[0] == app {
 			tlog.App.Debug().Str("name", app).Msg("Found matching container by app name")
-			appAcls = &config
+			return config, nil
 			break // If we find a match by app name, we can stop searching
 		}
 	}
-	return appAcls
+	return config.App{}, errors.New("no results")
 }
-func (acls *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
+func (acls *AccessControlsService) GetAccessControls(domain string) (config.App, error) {
 	// First check in the static config
-	app := acls.lookupStaticACLs(domain)
+	app, err := acls.lookupStaticACLs(domain)
-	if app != nil {
+	if err == nil {
 		tlog.App.Debug().Msg("Using ACls from static configuration")
 		return app, nil
 	}
-	// Fallback to label provider
+	// Fallback to Docker labels
-	tlog.App.Debug().Msg("Falling back to label provider for ACLs")
+	tlog.App.Debug().Msg("Falling back to Docker labels for ACLs")
-	return acls.labelProvider.GetLabels(domain)
+	return acls.docker.GetLabels(domain)
 }
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`package sqlite`

			`//go:generate go run github.com/tinyauthapp/tinyauth/cmd/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite`