feat: add frontend

.env.example

@@ -206,6 +206,8 @@ TINYAUTH_LDAP_ADDRESS=
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
+# Path to the Bind password.
+TINYAUTH_LDAP_BINDPASSWORDFILE=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json
 

.github/workflows/nightly.yml

@@ -60,7 +60,7 @@ jobs:
           ref: nightly
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json
 
@@ -105,7 +105,7 @@ jobs:
           ref: nightly
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json
 
@@ -173,8 +173,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-amd64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -232,8 +232,8 @@ jobs:
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
           file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -289,8 +289,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-arm64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -348,8 +348,8 @@ jobs:
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
           file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json
 
@@ -78,7 +78,7 @@ jobs:
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           package_json_file: ./frontend/package.json
 
@@ -143,14 +143,14 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-amd64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
             COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
             BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
 
       - name: Export digest
         run: |
@@ -200,14 +200,14 @@ jobs:
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
           file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
             COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
             BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
 
       - name: Export digest
         run: |
@@ -255,14 +255,14 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha,scope=buildkit-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-arm64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
             COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
             BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
 
       - name: Export digest
         run: |
@@ -312,14 +312,14 @@ jobs:
           tags: ghcr.io/${{ github.repository_owner }}/tinyauth
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
           file: Dockerfile.distroless
-          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-from: type=gha
-          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max
           github-token: ${{ secrets.GITHUB_TOKEN }}
           build-args: |
             VERSION=${{ needs.generate-metadata.outputs.VERSION }}
             COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
             BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS=-s -w
+            LDFLAGS="-s -w"
 
       - name: Export digest
         run: |

.github/workflows/scorecard.yml

@@ -38,6 +38,6 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
+        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
         with:
           sarif_file: results.sarif

Dockerfile

@@ -46,7 +46,7 @@ RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
     -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
-FROM alpine:3.24 AS runner
+FROM alpine:3.23 AS runner
 
 WORKDIR /tinyauth
 

frontend/src/lib/hooks/redirect-uri.ts

@@ -15,7 +15,7 @@ export const useRedirectUri = (
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
-  if (!redirect_uri) {
+  if (redirect_uri === undefined) {
     return {
       valid: isValid,
       trusted: isTrusted,

frontend/src/lib/hooks/screen-params.ts

@@ -6,6 +6,7 @@ type ScreenParams = {
   oidc_ticket?: string;
   oidc_scope?: string;
   oidc_name?: string;
+  oidc_show_consent?: boolean;
 };
 
 const zodScreenParams = z.object({
@@ -14,6 +15,7 @@ const zodScreenParams = z.object({
   oidc_ticket: z.string().optional(),
   oidc_scope: z.string().optional(),
   oidc_name: z.string().optional(),
+  oidc_show_consent: z.stringbool().optional(),
 });
 
 export function useScreenParams(params: URLSearchParams): ScreenParams {

frontend/src/pages/authorize-page.tsx

@@ -25,6 +25,7 @@ import {
   recompileScreenParams,
   useScreenParams,
 } from "@/lib/hooks/screen-params";
+import { useEffect } from "react";
 
 type Scope = {
   id: string;
@@ -90,7 +91,8 @@ export const AuthorizePage = () => {
   const isOidc = screenParams.login_for === "oidc";
   const compiledParams = recompileScreenParams(screenParams);
 
-  const authorizeMutation = useMutation({
+  const { mutate: authorizeMutate, isPending: authorizeIsPending } =
+    useMutation({
       mutationFn: () => {
         return axios.post("/api/oidc/authorize-complete", {
           ticket: screenParams.oidc_ticket,
@@ -110,7 +112,33 @@ export const AuthorizePage = () => {
       },
     });
 
-  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
+  useEffect(() => {
+    if (
+      !isOidc ||
+      screenParams.oidc_ticket === undefined ||
+      screenParams.oidc_scope === undefined ||
+      !auth.authenticated
+    ) {
+      return;
+    }
+
+    if (screenParams.oidc_show_consent === false) {
+      authorizeMutate();
+    }
+  }, [
+    isOidc,
+    screenParams.oidc_ticket,
+    screenParams.oidc_scope,
+    screenParams.oidc_show_consent,
+    auth.authenticated,
+    authorizeMutate,
+  ]);
+
+  if (
+    !isOidc ||
+    screenParams.oidc_ticket === undefined ||
+    screenParams.oidc_scope === undefined
+  ) {
     return (
       <Navigate
         to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
@@ -126,6 +154,19 @@ export const AuthorizePage = () => {
   const scopes =
     screenParams.oidc_scope.split(" ").filter((s) => s.trim() !== "") || [];
 
+  if (screenParams.oidc_show_consent === false) {
+    return (
+      <Card>
+        <CardHeader className="gap-1.5">
+          <CardTitle className="text-xl">Authorizing</CardTitle>
+          <CardDescription>
+            You will soon be redirected to your application...
+          </CardDescription>
+        </CardHeader>
+      </Card>
+    );
+  }
+
   return (
     <Card>
       <CardHeader className="mb-2">
@@ -167,15 +208,12 @@ export const AuthorizePage = () => {
         </CardContent>
       )}
       <CardFooter className="flex flex-col items-stretch gap-3">
-        <Button
+        <Button onClick={() => authorizeMutate()} loading={authorizeIsPending}>
-          onClick={() => authorizeMutation.mutate()}
-          loading={authorizeMutation.isPending}
-        >
           {t("authorizeTitle")}
         </Button>
         <Button
           onClick={() => navigate(`/logout${compiledParams}`)}
-          disabled={authorizeMutation.isPending}
+          disabled={authorizeIsPending}
           variant="outline"
         >
           {t("cancelTitle")}

frontend/src/pages/error-page.tsx

@@ -11,7 +11,7 @@ export const ErrorPage = () => {
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") || "";
+  const error = searchParams.get("error") ?? "";
 
   return (
     <Card>

frontend/src/pages/login-page.tsx

@@ -168,8 +168,7 @@ export const LoginPage = () => {
       !auth.authenticated &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
-      screenParams.redirect_uri &&
+      screenParams.login_for !== undefined
-      screenParams.login_for
     ) {
       hasAutoRedirectedRef.current = true;
       oauthMutate(oauth.autoRedirect);
@@ -181,7 +180,6 @@ export const LoginPage = () => {
     oauth.autoRedirect,
     isOauthAutoRedirect,
     screenParams.login_for,
-    screenParams.redirect_uri,
   ]);
 
   useEffect(() => {

gen/sqlc-wrapper/sqlc_wrapper.go

@@ -67,15 +67,24 @@ func run() error {
 		Overlay: map[string][]byte{outPath: stub},
 	}
 
-	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
+	repoPkgPath := parentPkg(*driverPkg)
+
+	pkgs, err := loadMultiplePkgs(cfg, *driverPkg, repoPkgPath)
+
 	if err != nil {
-		return fmt.Errorf("load driver package: %w", err)
+		return fmt.Errorf("load packages: %w", err)
 	}
 
-	repoPkgPath := parentPkg(*driverPkg)
+	driverTypePkg, ok := pkgs[*driverPkg]
-	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
+
-	if err != nil {
+	if !ok {
-		return fmt.Errorf("load repo package: %w", err)
+		return fmt.Errorf("driver package %s not found in loaded packages", *driverPkg)
+	}
+
+	repoTypePkg, ok := pkgs[repoPkgPath]
+
+	if !ok {
+		return fmt.Errorf("repository package %s not found in loaded packages", repoPkgPath)
 	}
 
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
@@ -106,25 +115,25 @@ func run() error {
 	return nil
 }
 
-// loadOnePkg loads a single package via cfg and returns its *types.Package,
+// loadMultiplePkgs loads multiple packages via cfg and returns a map of import path → *types.Package,
-// or an error if the package fails to load or has type errors.
+// or an error if any package fails to load or has type errors.
-func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
+func loadMultiplePkgs(cfg *packages.Config, importPaths ...string) (map[string]*types.Package, error) {
-	pkgs, err := packages.Load(cfg, importPath)
+	pkgs, err := packages.Load(cfg, importPaths...)
 	if err != nil {
-		return nil, fmt.Errorf("load %s: %w", importPath, err)
+		return nil, fmt.Errorf("load %v: %w", importPaths, err)
 	}
-	if len(pkgs) != 1 {
+	out := make(map[string]*types.Package)
-		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
+	for _, pkg := range pkgs {
-	}
-	pkg := pkgs[0]
 		if len(pkg.Errors) > 0 {
 			msgs := make([]string, len(pkg.Errors))
 			for i, e := range pkg.Errors {
 				msgs[i] = e.Error()
 			}
-		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
+			return nil, fmt.Errorf("package %s has errors:\n  %s", pkg.PkgPath, strings.Join(msgs, "\n  "))
 		}
-	return pkg.Types, nil
+		out[pkg.PkgPath] = pkg.Types
+	}
+	return out, nil
 }
 
 // parentPkg returns the parent import path (everything before the last /).

go.mod

@@ -21,7 +21,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
-	go.uber.org/dig v1.19.0
 	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/tools v0.45.0

go.sum

@@ -485,8 +485,6 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
 go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
-go.uber.org/dig v1.19.0 h1:BACLhebsYdpQ7IROQ1AGPjrXcP5dF80U3gKoFzbaq/4=
-go.uber.org/dig v1.19.0/go.mod h1:Us0rSJiThwCv2GteUN0Q7OKvU7n5J4dxZ9JKUXozFdE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=

internal/assets/migrations/postgres/000003_oidc_consent.up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

internal/assets/migrations/postgres/000003_oidc_consnet.down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";

internal/assets/migrations/sqlite/000011_oidc_consent.down.sql

@@ -0,0 +1 @@
+DROP TABLE IF EXISTS "oidc_consent";

internal/assets/migrations/sqlite/000011_oidc_consent.up.sql

@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

internal/bootstrap/app_bootstrap.go

@@ -18,7 +18,6 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
-	"go.uber.org/dig"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
@@ -48,6 +47,7 @@ type Services struct {
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
+	helpers   model.RuntimeHelpers
 	services  Services
 	log       *logger.Logger
 	ctx       context.Context
@@ -57,7 +57,6 @@ type BootstrapApp struct {
 	db        *sql.DB
 	ding      *ding.Ding
 	listeners []Listener
-	dig       *dig.Container
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -72,11 +71,7 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
 
-	// create the dig container
+	// Create a ding instance
-	c := dig.New()
-	app.dig = c
-
-	// create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
 
@@ -163,6 +158,12 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.OAuthProviders[id] = provider
 	}
 
+	// setup oidc clients
+	for id, client := range app.config.OIDC.Clients {
+		client.ID = id
+		app.runtime.OIDCClients = append(app.runtime.OIDCClients, client)
+	}
+
 	// cookie domain
 	cookieDomainResolver := utils.GetCookieDomain
 
@@ -185,9 +186,8 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)
 
 	// database
 	store, err := app.SetupStore()
@@ -211,33 +211,6 @@ func (app *BootstrapApp) Setup() error {
 	// store
 	app.queries = store
 
-	// provide basic utilities to container
-	type utilityProvider struct {
-		dig.Out
-
-		Log     *logger.Logger
-		Config  *model.Config
-		Runtime *model.RuntimeConfig
-		Ding    *ding.Ding
-		Ctx     context.Context
-		Queries repository.Store
-	}
-
-	err = app.dig.Provide(func() utilityProvider {
-		return utilityProvider{
-			Log:     app.log,
-			Config:  &app.config,
-			Runtime: &app.runtime,
-			Ding:    app.ding,
-			Ctx:     app.ctx,
-			Queries: app.queries,
-		}
-	})
-
-	if err != nil {
-		return fmt.Errorf("failed to provide utilities to container: %w", err)
-	}
-
 	// services
 	err = app.setupServices()
 
@@ -291,6 +264,9 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}
 
+	// runtime helpers
+	app.helpers.GetCookieDomain = app.getCookieDomain
+
 	// setup router
 	err = app.setupRouter()
 

internal/bootstrap/app_helpers.go

@@ -0,0 +1,55 @@
+package bootstrap
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+)
+
+// Not really the best place for the helpers to be but it works because bootstrap app provides
+// them with everything they need
+
+func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
+	cookieDomain := app.runtime.CookieDomain
+
+	if app.isTailscaleRequest(ctx, ip) {
+		if app.services.tailscaleService == nil {
+			return "", errors.New("tailscale service is not configured")
+		}
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
+
+		if err != nil {
+			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		cookieDomain = tsCookieDomain
+	}
+
+	if app.config.Auth.SubdomainsEnabled {
+		cookieDomain = "." + cookieDomain
+	}
+
+	return cookieDomain, nil
+}
+
+func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
+	if app.services.tailscaleService == nil {
+		return false
+	}
+
+	whois, err := app.services.tailscaleService.Whois(ctx, ip)
+
+	if err != nil {
+		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return false
+	}
+
+	if whois == nil {
+		return false
+	}
+
+	return true
+}

internal/bootstrap/router_bootstrap.go

@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -41,94 +40,31 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}
 
-	middlewareProvideFor := []any{
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
-		middleware.NewContextMiddleware,
+	engine.Use(contextMiddleware.Middleware())
-		middleware.NewUIMiddleware,
-		middleware.NewZerologMiddleware,
-	}
 
-	for _, provider := range middlewareProvideFor {
+	uiMiddleware, err := middleware.NewUIMiddleware()
-		err := app.dig.Provide(provider)
 
 	if err != nil {
-			return fmt.Errorf("failed to provide middleware: %w", err)
+		return fmt.Errorf("failed to initialize UI middleware: %w", err)
-		}
 	}
 
-	type middlewareInput struct {
+	engine.Use(uiMiddleware.Middleware())
-		dig.In
 
-		ContextMiddleware *middleware.ContextMiddleware
+	zerologMiddleware := middleware.NewZerologMiddleware(app.log)
-		UIMiddleware      *middleware.UIMiddleware
-		ZerologMiddleware *middleware.ZerologMiddleware
-	}
 
-	err := app.dig.Invoke(func(mi middlewareInput) {
+	engine.Use(zerologMiddleware.Middleware())
-		engine.Use(mi.ContextMiddleware.Middleware())
-		engine.Use(mi.UIMiddleware.Middleware())
-		engine.Use(mi.ZerologMiddleware.Middleware())
-	})
 
-	if err != nil {
+	apiRouter := engine.Group("/api")
-		return fmt.Errorf("failed to invoke middleware: %w", err)
-	}
 
-	err = app.dig.Provide(func() *gin.RouterGroup {
+	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-		return &engine.RouterGroup
+	controller.NewOAuthController(app.log, app.config, app.runtime, &app.helpers, apiRouter, app.services.authService)
-	}, dig.Name("mainRouterGroup"))
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, &app.helpers, app.config, apiRouter, &engine.RouterGroup)
-
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
-	if err != nil {
+	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
-		return fmt.Errorf("failed to provide main router group: %w", err)
+	controller.NewResourcesController(app.config, &engine.RouterGroup)
-	}
+	controller.NewHealthController(apiRouter)
-
+	controller.NewWellKnownController(app.services.oidcService, &engine.RouterGroup)
-	err = app.dig.Provide(func() *gin.RouterGroup {
-		return engine.Group("/api")
-	}, dig.Name("apiRouterGroup"))
-
-	if err != nil {
-		return fmt.Errorf("failed to provide api router group: %w", err)
-	}
-
-	controllerProvideFor := []any{
-		controller.NewContextController,
-		controller.NewOAuthController,
-		controller.NewOIDCController,
-		controller.NewProxyController,
-		controller.NewUserController,
-		controller.NewResourcesController,
-		controller.NewHealthController,
-		controller.NewWellKnownController,
-	}
-
-	for _, provider := range controllerProvideFor {
-		err := app.dig.Provide(provider)
-
-		if err != nil {
-			return fmt.Errorf("failed to provide controller: %w", err)
-		}
-	}
-
-	type controllerInput struct {
-		dig.In
-
-		ContextController   *controller.ContextController
-		OAuthController     *controller.OAuthController
-		OIDCController      *controller.OIDCController
-		ProxyController     *controller.ProxyController
-		UserController      *controller.UserController
-		ResourcesController *controller.ResourcesController
-		HealthController    *controller.HealthController
-		WellKnownController *controller.WellKnownController
-	}
-
-	// force dig to build all controllers and register their routes
-	err = app.dig.Invoke(func(ci controllerInput) error {
-		return nil
-	})
-
-	if err != nil {
-		return fmt.Errorf("failed to invoke controllers: %w", err)
-	}
 
 	app.router = engine
 	return nil

internal/bootstrap/service_bootstrap.go

@@ -5,67 +5,54 @@ import (
 	"os"
 
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"go.uber.org/dig"
 )
 
 func (app *BootstrapApp) setupServices() error {
-	err := app.setupPolicyEngine()
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
 
 	if err != nil {
-		return fmt.Errorf("failed to setup policy engine: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
 	}
 
+	app.services.ldapService = ldapService
+
 	labelProvider, err := app.getLabelProvider()
 
 	if err != nil {
-		return fmt.Errorf("failed to get label provider: %w", err)
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
 
-	serviceProvideFor := []any{
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
-		func() service.LabelProvider {
-			return labelProvider
-		},
-		service.NewLdapService,
-		service.NewTailscaleService,
-		service.NewAccessControlsService,
-		service.NewOAuthBrokerService,
-		service.NewAuthService,
-		service.NewOIDCService,
-	}
-
-	for _, provider := range serviceProvideFor {
-		err = app.dig.Provide(provider)
 
 	if err != nil {
-			return fmt.Errorf("failed to provide service: %w", err)
+		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
-		}
 	}
 
-	type svcInput struct {
+	app.services.tailscaleService = tailscaleService
-		dig.In
 
-		AccessControlService *service.AccessControlsService
+	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
-		AuthService          *service.AuthService
+	app.services.accessControlService = accessControlsService
-		LDAPService          *service.LdapService
-		OAuthBrokerService   *service.OAuthBrokerService
-		OIDCService          *service.OIDCService
-		TailscaleService     *service.TailscaleService
-	}
 
-	err = app.dig.Invoke(func(i svcInput) error {
+	err = app.setupPolicyEngine()
-		app.services.accessControlService = i.AccessControlService
-		app.services.authService = i.AuthService
-		app.services.ldapService = i.LDAPService
-		app.services.oauthBrokerService = i.OAuthBrokerService
-		app.services.oidcService = i.OIDCService
-		app.services.tailscaleService = i.TailscaleService
-		return nil
-	})
 
 	if err != nil {
-		return fmt.Errorf("failed to invoke services: %w", err)
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 
+	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
+	app.services.oauthBrokerService = oauthBrokerService
+
+	authService := service.NewAuthService(app.log, app.config, app.runtime, &app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	app.services.authService = authService
+
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
+
+	if err != nil {
+		return fmt.Errorf("failed to initialize oidc service: %w", err)
+	}
+
+	app.services.oidcService = oidcService
+
 	return nil
 }
 
@@ -82,71 +69,45 @@ func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
 
-			err := app.dig.Provide(service.NewKubernetesService)
+			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
 
 			if err != nil {
-				return nil, fmt.Errorf("failed to provide kubernetes service: %w", err)
+				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
 			}
 
-			err = app.dig.Invoke(func(k *service.KubernetesService) error {
+			app.services.kubernetesService = kubernetesService
-				app.services.kubernetesService = k
+			return kubernetesService, nil
-				return nil
-			})
-
-			if err != nil {
-				return nil, fmt.Errorf("failed to invoke kubernetes service: %w", err)
-			}
-
-			// Kubernetes will fail to initialize with an error if it cannot connect to the cluster
-			// but just to be safe, we check if the service is nil and log a warning if it is
-			if app.services.kubernetesService == nil {
-				if app.config.LabelProvider == "kubernetes" {
-					app.log.App.Warn().Msg("Kubernetes label provider selected but Kubernetes is not available, will continue without it")
-				}
-				return nil, nil
-			}
-
-			return app.services.kubernetesService, nil
 		}
 
 		app.log.App.Debug().Msg("Using Docker label provider")
 
-		err := app.dig.Provide(service.NewDockerService)
+		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
 
 		if err != nil {
-			return nil, fmt.Errorf("failed to provide docker service: %w", err)
+			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
 		}
 
-		err = app.dig.Invoke(func(d *service.DockerService) error {
+		if dockerService == nil {
-			app.services.dockerService = d
-			return nil
-		})
-
-		if err != nil {
-			return nil, fmt.Errorf("failed to invoke docker service: %w", err)
-		}
-
-		if app.services.dockerService == nil {
 			if app.config.LabelProvider == "docker" {
 				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
 			}
 			return nil, nil
 		}
 
-		return app.services.dockerService, nil
+		app.services.dockerService = dockerService
+		return dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
 	}
 }
 
 func (app *BootstrapApp) setupPolicyEngine() error {
-	err := app.dig.Provide(service.NewPolicyEngine)
+	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
 
 	if err != nil {
-		return fmt.Errorf("failed to create policy engine: %w", err)
+		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 
-	err = app.dig.Invoke(func(policyEngine *service.PolicyEngine) error {
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
 		Log: app.log,
 	})
@@ -167,8 +128,7 @@ func (app *BootstrapApp) setupPolicyEngine() error {
 		Log:    app.log,
 		Config: app.config,
 	})
-		return nil
-	})
 
-	return err
+	app.services.policyEngine = policyEngine
+	return nil
 }

internal/controller/context_controller.go

@@ -3,7 +3,6 @@ package controller
 import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -72,33 +71,29 @@ type AppContextResponse struct {
 	App     ACRApp   `json:"app"`
 }
 
-type ContextControllerInput struct {
-	dig.In
-
-	Log         *logger.Logger
-	Config      *model.Config
-	Runtime     *model.RuntimeConfig
-	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
-}
-
 type ContextController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 }
 
-func NewContextController(i ContextControllerInput) *ContextController {
+func NewContextController(
+	log *logger.Logger,
+	config model.Config,
+	runtimeConfig model.RuntimeConfig,
+	router *gin.RouterGroup,
+) *ContextController {
 	controller := &ContextController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtimeConfig,
 	}
 
-	if !i.Config.UI.WarningsEnabled {
+	if !config.UI.WarningsEnabled {
-		i.Log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
+		log.App.Warn().Msg("UI warnings are disabled. This may lead to security issues if you are not careful. Make sure to enable warnings in production environments.")
 	}
 
-	contextGroup := i.RouterGroup.Group("/context")
+	contextGroup := router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
 

internal/controller/context_controller_test.go

@@ -1,4 +1,4 @@
-package controller
+package controller_test
 
 import (
 	"encoding/json"
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
@@ -32,22 +33,22 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/app",
 			expected: func() string {
-				expectedAppContextResponse := AppContextResponse{
+				expectedAppContextResponse := controller.AppContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: ACRAuth{
+					Auth: controller.ACRAuth{
 						Providers: runtime.ConfiguredProviders,
 					},
-					OAuth: ACROAuth{
+					OAuth: controller.ACROAuth{
 						AutoRedirect: cfg.OAuth.AutoRedirect,
 					},
-					UI: ACRUI{
+					UI: controller.ACRUI{
 						Title:                 cfg.UI.Title,
 						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
 						BackgroundImage:       cfg.UI.BackgroundImage,
 						WarningsEnabled:       cfg.UI.WarningsEnabled,
 					},
-					App: ACRApp{
+					App: controller.ACRApp{
 						AppURL:         runtime.AppURL,
 						CookieDomain:   runtime.CookieDomain,
 						TrustedDomains: runtime.TrustedDomains,
@@ -63,7 +64,7 @@ func TestContextController(t *testing.T) {
 			middlewares: []gin.HandlerFunc{},
 			path:        "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := UserContextResponse{
+				expectedUserContextResponse := controller.UserContextResponse{
 					Status:  401,
 					Message: "Unauthorized",
 				}
@@ -91,10 +92,10 @@ func TestContextController(t *testing.T) {
 			},
 			path: "/api/context/user",
 			expected: func() string {
-				expectedUserContextResponse := UserContextResponse{
+				expectedUserContextResponse := controller.UserContextResponse{
 					Status:  200,
 					Message: "Success",
-					Auth: UCRAuth{
+					Auth: controller.UCRAuth{
 						Authenticated: true,
 						Username:      "johndoe",
 						Name:          "John Doe",
@@ -120,12 +121,7 @@ func TestContextController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			NewContextController(ContextControllerInput{
+			controller.NewContextController(log, cfg, runtime, group)
-				Log:         log,
-				Config:      &cfg,
-				Runtime:     &runtime,
-				RouterGroup: group,
-			})
 
 			recorder := httptest.NewRecorder()
 

internal/controller/health_controller.go

@@ -1,24 +1,15 @@
 package controller
 
-import (
+import "github.com/gin-gonic/gin"
-	"github.com/gin-gonic/gin"
-	"go.uber.org/dig"
-)
 
 type HealthController struct {
 }
 
-type HealthControllerInput struct {
+func NewHealthController(router *gin.RouterGroup) *HealthController {
-	dig.In
-
-	RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
-}
-
-func NewHealthController(i HealthControllerInput) *HealthController {
 	controller := &HealthController{}
 
-	i.RouterGroup.GET("/healthz", controller.healthHandler)
+	router.GET("/healthz", controller.healthHandler)
-	i.RouterGroup.HEAD("/healthz", controller.healthHandler)
+	router.HEAD("/healthz", controller.healthHandler)
 
 	return controller
 }

internal/controller/health_controller_test.go

@@ -1,4 +1,4 @@
-package controller
+package controller_test
 
 import (
 	"encoding/json"
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 )
 
 func TestHealthController(t *testing.T) {
@@ -54,9 +55,7 @@ func TestHealthController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			NewHealthController(HealthControllerInput{
+			controller.NewHealthController(group)
-				RouterGroup: group,
-			})
 
 			recorder := httptest.NewRecorder()
 

internal/controller/oauth_controller.go

@@ -3,7 +3,6 @@ package controller
 import (
 	"fmt"
 	"net/http"
-	"net/url"
 	"strings"
 	"time"
 
@@ -12,8 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -25,30 +22,29 @@ type OAuthRequest struct {
 
 type OAuthController struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
 	auth    *service.AuthService
 }
 
-type OAuthControllerInput struct {
+func NewOAuthController(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	runtimeConfig model.RuntimeConfig,
-	Config        *model.Config
+	helpers *model.RuntimeHelpers,
-	RuntimeConfig *model.RuntimeConfig
+	router *gin.RouterGroup,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	auth *service.AuthService,
-	AuthService   *service.AuthService
+) *OAuthController {
-}
-
-func NewOAuthController(i OAuthControllerInput) *OAuthController {
 	controller := &OAuthController{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		helpers: helpers,
+		auth:    auth,
 	}
 
-	oauthGroup := i.RouterGroup.Group("/oauth")
+	oauthGroup := router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
 
@@ -82,7 +78,9 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}
 
 	if !controller.isOidcRequest(reqParams) {
-		if !controller.isRedirectSafe(reqParams.RedirectURI) {
+		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.runtime.CookieDomain)
+
+		if !isRedirectSafe {
 			controller.log.App.Warn().Str("redirectUri", reqParams.RedirectURI).Msg("Unsafe redirect URI, ignoring")
 			reqParams.RedirectURI = ""
 		}
@@ -110,7 +108,18 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -140,7 +149,15 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
@@ -257,7 +274,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	controller.log.App.Debug().Msg("Creating session cookie for user")
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -303,63 +320,3 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
 	return params.LoginFor == string(FrontendLoginForOIDC)
 }
-
-func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
-	}
-	return controller.runtime.CookieDomain
-}
-
-func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
-	u, err := url.Parse(redirectURI)
-
-	if err != nil || u.Host == "" || u.Scheme == "" {
-		return false
-	}
-
-	for _, allowed := range controller.runtime.TrustedDomains {
-		tu, err := url.Parse(allowed)
-		if err != nil {
-			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
-			continue
-		}
-
-		if tu.Scheme != u.Scheme {
-			continue
-		}
-
-		// exact match
-		if strings.EqualFold(u.Host, tu.Host) {
-			return true
-		}
-
-		// if subdomains are disabled, end here
-		if !controller.config.Auth.SubdomainsEnabled {
-			continue
-		}
-
-		// get the root domain (e.g. tinyauth.example.com -> example.com or
-		// tinyauth.sub.example.com -> sub.example.com)
-		_, root, ok := strings.Cut(tu.Host, ".")
-		if !ok {
-			continue
-		}
-
-		root = strings.ToLower(root)
-
-		// check if the root domain is in the psl
-		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
-
-		if err != nil {
-			continue
-		}
-
-		// subdomain match
-		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
-			return true
-		}
-	}
-
-	return false
-}

internal/controller/oauth_controller_test.go

@@ -1,161 +0,0 @@
-package controller
-
-import (
-	"testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/assert"
-	"github.com/tinyauthapp/tinyauth/internal/test"
-	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-)
-
-func TestOAuthController(t *testing.T) {
-	log := logger.NewLogger().WithTestConfig()
-	log.Init()
-
-	cfg, runtime := test.CreateTestConfigs(t)
-
-	type testCase struct {
-		description       string
-		run               func(ctrl *OAuthController)
-		trustedDomains    []string
-		subdomainsEnabled bool
-	}
-
-	tests := []testCase{
-		{
-			description:       "Test exact match of redirect URI",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://tinyauth.example.com"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test subdomain match of redirect URI",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sub.example.com"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test different trusted domain",
-			trustedDomains:    []string{"https://tinyauth.example.com", "https://tinyauth.foo.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://app.foo.com"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description: "Test invalid redirect URI",
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https:/malicious"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description: "Test empty redirect URI",
-			run: func(ctrl *OAuthController) {
-				redirectUri := ""
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test redirect URI with different scheme",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "http://tinyauth.example.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test redirect URI with different port",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://tinyauth.example.com:8080"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			// weird case, subdomains enabled and domain without subdomain can't happen
-			description:    "Test with trusted domain that's in PSL when split",
-			trustedDomains: []string{"https://example.com"}, // will become .com which we
-			// obviously don't want to allow
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sub.example.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test subdomain redirect URI when subdomains are disabled",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: false,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sub.tinyauth.example.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test domain like the .co.uk",
-			trustedDomains:    []string{"https://example.co.uk"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sub.example.co.uk"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test domain like the .co.uk with subdomains disabled",
-			trustedDomains:    []string{"https://example.co.uk"},
-			subdomainsEnabled: false,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://example.co.uk"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test caps domain",
-			trustedDomains:    []string{"https://TINYAUTH.ExAmpLe.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://sUb.ExAmPle.com"
-				assert.True(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-		{
-			description:       "Test edge case with @",
-			trustedDomains:    []string{"https://tinyauth.example.com"},
-			subdomainsEnabled: true,
-			run: func(ctrl *OAuthController) {
-				redirectUri := "https://malicious.example.com@evil.com"
-				assert.False(t, ctrl.isRedirectSafe(redirectUri))
-			},
-		},
-	}
-
-	// TODO: add auth service
-	for _, tc := range tests {
-		t.Run(tc.description, func(t *testing.T) {
-			router := gin.Default()
-			group := router.Group("/api")
-			gin.SetMode(gin.TestMode)
-			// overwrite the trusted domains and subdomain setting for each test case
-			runtime.TrustedDomains = tc.trustedDomains
-			cfg.Auth.SubdomainsEnabled = tc.subdomainsEnabled
-			ctrl := NewOAuthController(OAuthControllerInput{
-				Log:           log,
-				Config:        &cfg,
-				RuntimeConfig: &runtime,
-				RouterGroup:   group,
-			})
-			tc.run(ctrl)
-		})
-	}
-}

internal/controller/oidc_controller.go

@@ -1,17 +1,18 @@
 package controller
 
 import (
+	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/google/go-querystring/query"
-	"go.uber.org/dig"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -31,7 +32,9 @@ type authorizeErrorParams struct {
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
+	config  model.Config
 }
 
 type AuthorizeCallback struct {
@@ -73,33 +76,33 @@ type AuthorizeScreenParams struct {
 	OIDCTicket      string           `url:"oidc_ticket"`
 	OIDCScope       string           `url:"oidc_scope"`
 	OIDCName        string           `url:"oidc_name"`
+	OIDCShowConsent bool             `url:"oidc_show_consent"`
 }
 
 type AuthorizeCompleteRequest struct {
 	Ticket string `json:"ticket" binding:"required"`
 }
 
-type OIDCControllerInput struct {
+func NewOIDCController(
-	dig.In
+	log *logger.Logger,
-
+	oidcService *service.OIDCService,
-	Log           *logger.Logger
+	runtimeConfig model.RuntimeConfig,
-	OIDCService   *service.OIDCService
+	helpers *model.RuntimeHelpers,
-	RuntimeConfig *model.RuntimeConfig
+	config model.Config,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	router *gin.RouterGroup,
-	MainRouter    *gin.RouterGroup `name:"mainRouterGroup"`
+	mainRouter *gin.RouterGroup) *OIDCController {
-}
-
-func NewOIDCController(i OIDCControllerInput) *OIDCController {
 	controller := &OIDCController{
-		log:     i.Log,
+		log:     log,
-		oidc:    i.OIDCService,
+		oidc:    oidcService,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
+		helpers: helpers,
+		config:  config,
 	}
 
-	i.MainRouter.POST("/authorize", controller.authorize)
+	mainRouter.POST("/authorize", controller.authorize)
-	i.MainRouter.GET("/authorize", controller.authorize)
+	mainRouter.GET("/authorize", controller.authorize)
 
-	oidcGroup := i.RouterGroup.Group("/oidc")
+	oidcGroup := router.Group("/oidc")
 	oidcGroup.POST("/authorize-complete", controller.authorizeComplete)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
@@ -169,11 +172,31 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 
+	// Check if we have consented before for this client and scope
+	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
+
+	showConsent := true
+
+	if err == nil {
+		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
+
+		if err == nil && consentEntry != nil {
+			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
+				showConsent = false
+			}
+		} else {
+			if !errors.Is(err, sql.ErrNoRows) {
+				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
+			}
+		}
+	}
+
 	queries, err := query.Values(AuthorizeScreenParams{
 		LoginFor:        FrontendLoginForOIDC,
 		OIDCTicket:      ticket,
 		OIDCScope:       req.Scope,
 		OIDCName:        client.Name,
+		OIDCShowConsent: showConsent,
 	})
 
 	if err != nil {
@@ -295,6 +318,33 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 		return
 	}
 
+	// Just before returning let's set the consent cookie
+	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
+
+	// If we fail to create the consent entry, we don't want to block the authorization flow,
+	// but we log the error and move on without setting the cookie
+	if err == nil {
+		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
+
+		if err == nil {
+			cookie := &http.Cookie{
+				Name:     controller.runtime.ConsentCookieName,
+				Value:    consnetUUID,
+				Path:     "/",
+				Domain:   cookieDomain,
+				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
+				Secure:   controller.config.Auth.SecureCookie,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			}
+			http.SetCookie(c.Writer, cookie)
+		} else {
+			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
+		}
+	} else {
+		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),

internal/controller/oidc_controller_test.go

@@ -1,4 +1,4 @@
-package controller
+package controller_test
 
 import (
 	"context"
@@ -15,6 +15,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -29,22 +30,18 @@ func TestOIDCController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
 	store := memory.New()
 
-	oidcService, err := service.NewOIDCService(service.OIDCServiceInput{
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
-		Log:     log,
-		Config:  &cfg,
-		Runtime: &runtime,
-		Queries: store,
-		Ding:    dg,
-	})
 	require.NoError(t, err)
 
 	// Middleware that injects an authenticated local user into the gin context,
-	// mimicking the context middleware that runs before the OIDC
+	// mimicking the context middleware that runs before the OIDC controller.
 	authedUser := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: true,
@@ -209,30 +206,10 @@ func TestOIDCController(t *testing.T) {
 		},
 
 		// --- authorize-complete ---
-		{
-			description:  "Should fail if oidc is disabled",
-			oidcDisabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "some-ticket"})
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusOK, recorder.Code)
-
-				var res map[string]any
-				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &res))
-				redirectURI, ok := res["redirect_uri"].(string)
-				require.True(t, ok)
-				assert.Contains(t, redirectURI, oidcService.GetIssuer()+"/error")
-			},
-		},
 		{
 			description: "Authorize complete returns a JSON error when the user context is missing",
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "some-ticket"})
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -262,7 +239,7 @@ func TestOIDCController(t *testing.T) {
 				},
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "some-ticket"})
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "some-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -282,7 +259,7 @@ func TestOIDCController(t *testing.T) {
 			description: "Authorize complete returns a JSON error when the ticket is invalid",
 			middlewares: []gin.HandlerFunc{authedUser},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: "nonexistent-ticket"})
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: "nonexistent-ticket"})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -310,7 +287,7 @@ func TestOIDCController(t *testing.T) {
 					State:        "state-123",
 				})
 
-				body, err := json.Marshal(AuthorizeCompleteRequest{Ticket: ticket})
+				body, err := json.Marshal(controller.AuthorizeCompleteRequest{Ticket: ticket})
 				require.NoError(t, err)
 
 				req := httptest.NewRequest("POST", "/api/oidc/authorize-complete", strings.NewReader(string(body)))
@@ -856,13 +833,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}
 
-			NewOIDCController(OIDCControllerInput{
+			controller.NewOIDCController(log, svc, runtime, helpers, cfg, group, &router.RouterGroup)
-				Log:           log,
-				OIDCService:   svc,
-				RuntimeConfig: &runtime,
-				RouterGroup:   group,
-				MainRouter:    &router.RouterGroup,
-			})
 
 			recorder := httptest.NewRecorder()
 

internal/controller/proxy_controller.go

@@ -13,7 +13,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
@@ -54,33 +53,29 @@ type ProxyContext struct {
 
 type ProxyController struct {
 	log          *logger.Logger
-	runtime      *model.RuntimeConfig
+	runtime      model.RuntimeConfig
 	acls         *service.AccessControlsService
 	auth         *service.AuthService
 	policyEngine *service.PolicyEngine
 }
 
-type ProxyControllerInput struct {
+func NewProxyController(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	acls *service.AccessControlsService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+	auth *service.AuthService,
-	ACLsService   *service.AccessControlsService
+	policyEngine *service.PolicyEngine,
-	AuthService   *service.AuthService
+) *ProxyController {
-	PolicyEngine  *service.PolicyEngine
-}
-
-func NewProxyController(i ProxyControllerInput) *ProxyController {
 	controller := &ProxyController{
-		log:          i.Log,
+		log:          log,
-		runtime:      i.RuntimeConfig,
+		runtime:      runtime,
-		acls:         i.ACLsService,
+		acls:         acls,
-		auth:         i.AuthService,
+		auth:         auth,
-		policyEngine: i.PolicyEngine,
+		policyEngine: policyEngine,
 	}
 
-	proxyGroup := i.RouterGroup.Group("/auth")
+	proxyGroup := router.Group("/auth")
 	proxyGroup.Any("/:proxy", controller.proxyHandler)
 
 	return controller
@@ -158,7 +153,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}
 
-		c.Redirect(http.StatusFound, redirectURL)
+		c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 		return
 	}
 
@@ -207,7 +202,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				return
 			}
 
-			c.Redirect(http.StatusFound, redirectURL)
+			c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 			return
 		}
 
@@ -251,7 +246,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					return
 				}
 
-				c.Redirect(http.StatusFound, redirectURL)
+				c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 				return
 			}
 		}
@@ -300,7 +295,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	c.Redirect(http.StatusFound, redirectURL)
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 
 func (controller *ProxyController) setHeaders(c *gin.Context, acls *model.App) {
@@ -336,7 +331,7 @@ func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyCon
 		return
 	}
 
-	c.Redirect(http.StatusFound, redirectURL)
+	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 
 func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {

internal/controller/proxy_controller_test.go

@@ -1,10 +1,7 @@
-package controller
+package controller_test
 
 import (
 	"context"
-	"encoding/base64"
-	"fmt"
-	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
@@ -13,6 +10,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -26,6 +24,8 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -66,17 +66,6 @@ func TestProxyController(t *testing.T) {
 	}
 
 	tests := []testCase{
-		{
-			description: "Should get bad request on invalid proxy",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/invalid", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusBadRequest, recorder.Code)
-				assert.Contains(t, recorder.Body.String(), "Bad request")
-			},
-		},
 		{
 			description: "Default forward auth should be detected and used for traefik",
 			middlewares: []gin.HandlerFunc{},
@@ -88,7 +77,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
@@ -103,7 +92,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://test.example.com/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
@@ -119,7 +108,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/hello"))
 				assert.Contains(t, location, "login_for=app")
@@ -137,7 +126,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
@@ -154,7 +143,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				location := recorder.Header().Get("x-tinyauth-location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
@@ -172,7 +161,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/hello")
 				req.Header.Set("user-agent", browserUserAgent)
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
+				assert.Equal(t, 307, recorder.Code)
 				location := recorder.Header().Get("Location")
 				assert.Contains(t, location, url.QueryEscape("https://test.example.com/"))
 				assert.Contains(t, location, "login_for=app")
@@ -189,7 +178,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -204,7 +193,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -219,7 +208,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/hello")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+				assert.Equal(t, 401, recorder.Code)
 				assert.Contains(t, recorder.Body.String(), `"status":401`)
 				assert.Contains(t, recorder.Body.String(), `"message":"Unauthorized"`)
 			},
@@ -236,7 +225,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -252,7 +241,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://test.example.com/")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -269,7 +258,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				router.ServeHTTP(recorder, req)
 
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
@@ -284,7 +273,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/allowed")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -294,7 +283,7 @@ func TestProxyController(t *testing.T) {
 				req := httptest.NewRequest("GET", "/api/auth/nginx", nil)
 				req.Header.Set("x-original-url", "https://path-allow.example.com/allowed")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -305,7 +294,7 @@ func TestProxyController(t *testing.T) {
 				req.Host = "path-allow.example.com"
 				req.Header.Set("x-forwarded-proto", "https")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -318,7 +307,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-uri", "/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -329,7 +318,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-original-url", "https://ip-bypass.example.com/")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -341,7 +330,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-for", "10.10.10.10")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -355,7 +344,7 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
+				assert.Equal(t, 200, recorder.Code)
 			},
 		},
 		{
@@ -369,301 +358,12 @@ func TestProxyController(t *testing.T) {
 				req.Header.Set("x-forwarded-proto", "https")
 				req.Header.Set("x-forwarded-uri", "/")
 				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusForbidden, recorder.Code)
+				assert.Equal(t, 403, recorder.Code)
 				assert.Equal(t, "", recorder.Header().Get("remote-user"))
 				assert.Equal(t, "", recorder.Header().Get("remote-name"))
 				assert.Equal(t, "", recorder.Header().Get("remote-email"))
 			},
 		},
-		{
-			description: "Test IP block rule, with non browser user agent",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "ip-block.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("x-forwarded-for", "10.10.10.10")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusForbidden, recorder.Code)
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ip=10.10.10.10")
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ip-block")
-
-			},
-		},
-		{
-			description: "Test IP block rule, with browser user agent",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "ip-block.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("x-forwarded-for", "10.10.10.10")
-				req.Header.Set("user-agent", browserUserAgent)
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
-				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, url.QueryEscape("10.10.10.10"))
-				assert.Contains(t, location, url.QueryEscape("ip-block"))
-				assert.Contains(t, location, runtime.AppURL)
-			},
-		},
-		{
-			description: "OAuth allowed group",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderOAuth,
-						OAuth: &model.OAuthContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group1"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
-				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
-				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
-				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
-				assert.Equal(t, "group1", recorder.Header().Get("remote-groups"))
-			},
-		},
-		{
-			description: "OAuth not in required groups and non browser",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderOAuth,
-						OAuth: &model.OAuthContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group3"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusForbidden, recorder.Code)
-				assert.Equal(t, "", recorder.Header().Get("remote-user"))
-				assert.Equal(t, "", recorder.Header().Get("remote-name"))
-				assert.Equal(t, "", recorder.Header().Get("remote-email"))
-				assert.Equal(t, "", recorder.Header().Get("remote-groups"))
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "groupErr=true")
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "oauth-group")
-			},
-		},
-		{
-			description: "OAuth not in required groups and browser",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderOAuth,
-						OAuth: &model.OAuthContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group3"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "oauth-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("user-agent", browserUserAgent)
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
-				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "groupErr=true")
-				assert.Contains(t, location, "oauth-group")
-				assert.Contains(t, location, runtime.AppURL)
-			},
-		},
-		{
-			description: "LDAP allowed group",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderLDAP,
-						LDAP: &model.LDAPContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group1"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusOK, recorder.Code)
-				assert.Equal(t, "testuser", recorder.Header().Get("remote-user"))
-				assert.Equal(t, "Testuser", recorder.Header().Get("remote-name"))
-				assert.Equal(t, "testuser@example.com", recorder.Header().Get("remote-email"))
-				assert.Equal(t, "group1", recorder.Header().Get("remote-groups"))
-			},
-		},
-		{
-			description: "LDAP not in required groups and non browser",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderLDAP,
-						LDAP: &model.LDAPContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group3"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusForbidden, recorder.Code)
-				assert.Equal(t, "", recorder.Header().Get("remote-user"))
-				assert.Equal(t, "", recorder.Header().Get("remote-name"))
-				assert.Equal(t, "", recorder.Header().Get("remote-email"))
-				assert.Equal(t, "", recorder.Header().Get("remote-groups"))
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), runtime.AppURL)
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "groupErr=true")
-				assert.Contains(t, recorder.Header().Get("x-tinyauth-location"), "ldap-group")
-			},
-		},
-		{
-			description: "LDAP not in required groups and browser",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: true,
-						Provider:      model.ProviderLDAP,
-						LDAP: &model.LDAPContext{
-							BaseContext: model.BaseContext{
-								Username: "testuser",
-								Name:     "Testuser",
-								Email:    "testuser@example.com",
-							},
-							Groups: []string{"group3"},
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "ldap-group.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("user-agent", browserUserAgent)
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, http.StatusFound, recorder.Code)
-				location := recorder.Header().Get("Location")
-				assert.Contains(t, location, "groupErr=true")
-				assert.Contains(t, location, "ldap-group")
-				assert.Contains(t, location, runtime.AppURL)
-			},
-		},
-		{
-			description: "Should add basic auth if it's in ACLs",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "basic-auth.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("authorization", "foo") // should be overridden by basic auth
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusOK, recorder.Code)
-				authorizationHeader := recorder.Header().Get("Authorization")
-				assert.NotEmpty(t, authorizationHeader)
-				assert.Equal(t, fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("test:password"))), authorizationHeader)
-			},
-		},
-		{
-			description: "Authorization header should be preserved when not basic auth acls",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "test.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				req.Header.Set("authorization", "Bearer mytoken")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusOK, recorder.Code)
-				authorizationHeader := recorder.Header().Get("Authorization")
-				assert.NotEmpty(t, authorizationHeader)
-				assert.Equal(t, "Bearer mytoken", authorizationHeader)
-			},
-		},
-		{
-			description: "Should add response headers if present",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/auth/traefik", nil)
-				req.Header.Set("x-forwarded-host", "response-headers.example.com")
-				req.Header.Set("x-forwarded-proto", "https")
-				req.Header.Set("x-forwarded-uri", "/")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, http.StatusOK, recorder.Code)
-				assert.Equal(t, "bar", recorder.Header().Get("x-foo"))
-			},
-		},
 	}
 
 	store := memory.New()
@@ -671,21 +371,10 @@ func TestProxyController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
-		Runtime: &runtime,
-		Ctx:     ctx,
-	})
-	aclsService := service.NewAccessControlsService(service.AccessControlServiceInput{
-		Log:           log,
-		Config:        &cfg,
-		LabelProvider: nil,
-	})
 
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	require.NoError(t, err)
 
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
@@ -708,18 +397,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
 
-	authService := service.NewAuthService(service.AuthServiceInput{
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
-		Log:          log,
-		Config:       &cfg,
-		Runtime:      &runtime,
-		Ctx:          ctx,
-		Ding:         dg,
-		LDAP:         nil,
-		Queries:      store,
-		OAuthBroker:  broker,
-		Tailscale:    nil,
-		PolicyEngine: policyEngine,
-	})
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -734,14 +412,7 @@ func TestProxyController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			NewProxyController(ProxyControllerInput{
+			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
-				Log:           log,
-				RuntimeConfig: &runtime,
-				RouterGroup:   group,
-				ACLsService:   aclsService,
-				AuthService:   authService,
-				PolicyEngine:  policyEngine,
-			})
 
 			test.run(t, router, recorder)
 		})

internal/controller/resources_controller.go

@@ -5,30 +5,25 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"go.uber.org/dig"
 )
 
 type ResourcesController struct {
-	config     *model.Config
+	config     model.Config
 	fileServer http.Handler
 }
 
-type ResourcesControllerInput struct {
+func NewResourcesController(
-	dig.In
+	config model.Config,
-
+	router *gin.RouterGroup,
-	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
+) *ResourcesController {
-	Config      *model.Config
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Resources.Path)))
-}
-
-func NewResourcesController(i ResourcesControllerInput) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(i.Config.Resources.Path)))
 
 	controller := &ResourcesController{
-		config:     i.Config,
+		config:     config,
 		fileServer: fileServer,
 	}
 
-	i.RouterGroup.GET("/resources/*resource", controller.resourcesHandler)
+	router.GET("/resources/*resource", controller.resourcesHandler)
 
 	return controller
 }

internal/controller/resources_controller_test.go

@@ -1,4 +1,4 @@
-package controller
+package controller_test
 
 import (
 	"net/http/httptest"
@@ -9,7 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 )
 
@@ -19,12 +19,8 @@ func TestResourcesController(t *testing.T) {
 	err := os.MkdirAll(cfg.Resources.Path, 0777)
 	require.NoError(t, err)
 
-	// create a "backup" of the original configuration to restore after each test
-	originalCfg := cfg.Resources
-
 	type testCase struct {
 		description string
-		customCfg   *model.ResourcesConfig
 		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
 
@@ -57,32 +53,6 @@ func TestResourcesController(t *testing.T) {
 				assert.Equal(t, 404, recorder.Code)
 			},
 		},
-		{
-			description: "Ensure resources controller returns 404 when resources path is empty",
-			customCfg: &model.ResourcesConfig{
-				Path:    "",
-				Enabled: true,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/resources/testfile.txt", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 404, recorder.Code)
-			},
-		},
-		{
-			description: "Ensure resources controller returns 403 when resources are disabled",
-			customCfg: &model.ResourcesConfig{
-				Path:    cfg.Resources.Path,
-				Enabled: false,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/resources/testfile.txt", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 403, recorder.Code)
-			},
-		},
 	}
 
 	testFilePath := cfg.Resources.Path + "/testfile.txt"
@@ -99,18 +69,7 @@ func TestResourcesController(t *testing.T) {
 			group := router.Group("/")
 			gin.SetMode(gin.TestMode)
 
-			// if custom configuration is provided, override the default config
+			controller.NewResourcesController(cfg, group)
-			if test.customCfg != nil {
-				cfg.Resources = *test.customCfg
-			} else {
-				// Reset to default configuration for each test
-				cfg.Resources = originalCfg
-			}
-
-			NewResourcesController(ResourcesControllerInput{
-				RouterGroup: group,
-				Config:      &cfg,
-			})
 
 			recorder := httptest.NewRecorder()
 			test.run(t, router, recorder)

internal/controller/user_controller.go

@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
@@ -28,27 +27,23 @@ type TotpRequest struct {
 
 type UserController struct {
 	log     *logger.Logger
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	auth    *service.AuthService
 }
 
-type UserControllerInput struct {
+func NewUserController(
-	dig.In
+	log *logger.Logger,
-
+	runtimeConfig model.RuntimeConfig,
-	Log           *logger.Logger
+	router *gin.RouterGroup,
-	RuntimeConfig *model.RuntimeConfig
+	auth *service.AuthService,
-	RouterGroup   *gin.RouterGroup `name:"apiRouterGroup"`
+) *UserController {
-	AuthService   *service.AuthService
-}
-
-func NewUserController(i UserControllerInput) *UserController {
 	controller := &UserController{
-		log:     i.Log,
+		log:     log,
-		runtime: i.RuntimeConfig,
+		runtime: runtimeConfig,
-		auth:    i.AuthService,
+		auth:    auth,
 	}
 
-	userGroup := i.RouterGroup.Group("/user")
+	userGroup := router.Group("/user")
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
@@ -155,7 +150,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
-			})
+			}, c.RemoteIP())
 
 			if err != nil {
 				controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create pending TOTP session")
@@ -200,7 +195,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", req.Username).Msg("Failed to create session cookie after successful login")
@@ -251,7 +246,7 @@ func (controller *UserController) logoutHandler(c *gin.Context) {
 		return
 	}
 
-	cookie, err := controller.auth.DeleteSession(c, uuid)
+	cookie, err := controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Error deleting session on logout")
@@ -355,7 +350,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 	uuid, err := c.Cookie(controller.runtime.SessionCookieName)
 
 	if err == nil {
-		_, err = controller.auth.DeleteSession(c, uuid)
+		_, err = controller.auth.DeleteSession(c, uuid, c.RemoteIP())
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to delete pending TOTP session after successful verification")
 		}
@@ -379,7 +374,7 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		sessionCookie.Email = user.Attributes.Email
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
@@ -429,7 +424,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 		Provider: "tailscale",
 	}
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")

internal/controller/user_controller_test.go

@@ -1,4 +1,4 @@
-package controller
+package controller_test
 
 import (
 	"context"
@@ -14,6 +14,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -28,6 +29,8 @@ func TestUserController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	totpCtx := func(c *gin.Context) {
 		c.Set("context", &model.UserContext{
 			Authenticated: false,
@@ -41,7 +44,6 @@ func TestUserController(t *testing.T) {
 				TOTPPending: true,
 			},
 		})
-		c.Next()
 	}
 
 	totpAttrCtx := func(c *gin.Context) {
@@ -57,7 +59,6 @@ func TestUserController(t *testing.T) {
 				TOTPPending: true,
 			},
 		})
-		c.Next()
 	}
 
 	simpleCtx := func(c *gin.Context) {
@@ -72,7 +73,6 @@ func TestUserController(t *testing.T) {
 				},
 			},
 		})
-		c.Next()
 	}
 
 	store := memory.New()
@@ -84,45 +84,11 @@ func TestUserController(t *testing.T) {
 	}
 
 	tests := []testCase{
-		{
-			description: "Login should fail gracefully on invalid json",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(`{"username": "testuser", "password":`))
-				req.Header.Set("Content-Type", "application/json")
-
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 400, recorder.Code)
-				assert.Contains(t, recorder.Body.String(), "Bad Request")
-			},
-		},
-		{
-			description: "Should fail on missing user",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
-					Username: "nonexistentuser",
-					Password: "password",
-				}
-				loginReqBody, err := json.Marshal(loginReq)
-				require.NoError(t, err)
-
-				req := httptest.NewRequest("POST", "/api/user/login", strings.NewReader(string(loginReqBody)))
-				req.Header.Set("Content-Type", "application/json")
-
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 401, recorder.Code)
-				assert.Len(t, recorder.Result().Cookies(), 0)
-				assert.Contains(t, recorder.Body.String(), "Unauthorized")
-			},
-		},
 		{
 			description: "Should be able to login with valid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -150,7 +116,7 @@ func TestUserController(t *testing.T) {
 			description: "Should reject login with invalid credentials",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -171,7 +137,7 @@ func TestUserController(t *testing.T) {
 			description: "Should rate limit on 3 invalid attempts",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "wrongpassword",
 				}
@@ -206,7 +172,7 @@ func TestUserController(t *testing.T) {
 			description: "Should not allow full login with totp",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "totpuser",
 					Password: "password",
 				}
@@ -243,7 +209,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				// First login to get a session cookie
-				loginReq := LoginRequest{
+				loginReq := controller.LoginRequest{
 					Username: "testuser",
 					Password: "password",
 				}
@@ -279,87 +245,6 @@ func TestUserController(t *testing.T) {
 				assert.Equal(t, -1, cookie.MaxAge) // MaxAge -1 means delete cookie
 			},
 		},
-		{
-			description: "Logout should be treated as valid without a session cookie",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/user/logout", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-			},
-		},
-		{
-			description: "TOTP should gracefully reject invalid json",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(`{"code":`))
-				req.Header.Set("Content-Type", "application/json")
-
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 400, recorder.Code)
-				assert.Contains(t, recorder.Body.String(), "Bad Request")
-			},
-		},
-		{
-			description: "TOTP should fail on non-totp context",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				totpReq := TotpRequest{
-					Code: "123456",
-				}
-
-				totpReqBody, err := json.Marshal(totpReq)
-				require.NoError(t, err)
-
-				recorder = httptest.NewRecorder()
-				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 401, recorder.Code)
-				assert.Contains(t, recorder.Body.String(), "Unauthorized")
-			},
-		},
-		{
-			description: "TOTP should fail when user in context doesn't exist",
-			middlewares: []gin.HandlerFunc{
-				func(ctx *gin.Context) {
-					ctx.Set("context", &model.UserContext{
-						Authenticated: false,
-						Provider:      model.ProviderLocal,
-						Local: &model.LocalContext{
-							BaseContext: model.BaseContext{
-								Username: "idontexist",
-								Name:     "Totpuser",
-								Email:    "totpuser@example.com",
-							},
-							TOTPPending: true,
-						},
-					})
-					ctx.Next()
-				},
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				totpReq := TotpRequest{
-					Code: "123456",
-				}
-
-				totpReqBody, err := json.Marshal(totpReq)
-				require.NoError(t, err)
-
-				recorder = httptest.NewRecorder()
-				req := httptest.NewRequest("POST", "/api/user/totp", strings.NewReader(string(totpReqBody)))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 401, recorder.Code)
-				assert.Contains(t, recorder.Body.String(), "Unauthorized")
-			},
-		},
 		{
 			description: "Should be able to login with totp",
 			middlewares: []gin.HandlerFunc{
@@ -381,7 +266,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 
-				totpReq := TotpRequest{
+				totpReq := controller.TotpRequest{
 					Code: code,
 				}
 
@@ -419,7 +304,7 @@ func TestUserController(t *testing.T) {
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				for range 3 {
-					totpReq := TotpRequest{
+					totpReq := controller.TotpRequest{
 						Code: "000000", // invalid code
 					}
 
@@ -451,7 +336,7 @@ func TestUserController(t *testing.T) {
 			description: "Login uses name and email from user attributes",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{Username: "attruser", Password: "password"}
+				loginReq := controller.LoginRequest{Username: "attruser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 
@@ -469,7 +354,7 @@ func TestUserController(t *testing.T) {
 			description: "Login with TOTP uses name and email from user attributes in pending session",
 			middlewares: []gin.HandlerFunc{},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				loginReq := LoginRequest{Username: "attrtotpuser", Password: "password"}
+				loginReq := controller.LoginRequest{Username: "attrtotpuser", Password: "password"}
 				body, err := json.Marshal(loginReq)
 				require.NoError(t, err)
 
@@ -505,7 +390,7 @@ func TestUserController(t *testing.T) {
 				code, err := totp.GenerateCode("JPIEBDKJH6UGWJMX66RR3S55UFP2SGKK", time.Now())
 				require.NoError(t, err)
 
-				totpReq := TotpRequest{Code: code}
+				totpReq := controller.TotpRequest{Code: code}
 				body, err := json.Marshal(totpReq)
 				require.NoError(t, err)
 
@@ -531,29 +416,11 @@ func TestUserController(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	require.NoError(t, err)
 
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
-		Runtime: &runtime,
-		Ctx:     ctx,
-	})
-	authService := service.NewAuthService(service.AuthServiceInput{
-		Log:          log,
-		Config:       &cfg,
-		Runtime:      &runtime,
-		Ctx:          ctx,
-		Ding:         dg,
-		LDAP:         nil,
-		Queries:      store,
-		OAuthBroker:  broker,
-		Tailscale:    nil,
-		PolicyEngine: policyEngine,
-	})
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test
@@ -572,12 +439,7 @@ func TestUserController(t *testing.T) {
 			group := router.Group("/api")
 			gin.SetMode(gin.TestMode)
 
-			NewUserController(UserControllerInput{
+			controller.NewUserController(log, runtime, group, authService)
-				Log:           log,
-				RuntimeConfig: &runtime,
-				RouterGroup:   group,
-				AuthService:   authService,
-			})
 
 			recorder := httptest.NewRecorder()
 

internal/controller/well_known_controller.go

@@ -3,27 +3,11 @@ package controller
 import (
 	"fmt"
 	"net/http"
-	"net/url"
-	"slices"
-	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/service"
-	"go.uber.org/dig"
 )
 
-const OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
-
-type WebfingerResponseLink struct {
-	Rel  string `json:"rel,omitempty"`
-	Href string `json:"href"`
-}
-
-type WebfingerResponse struct {
-	Subject string                  `json:"subject"`
-	Links   []WebfingerResponseLink `json:"links"`
-}
-
 type OpenIDConnectConfiguration struct {
 	Issuer                                 string   `json:"issuer"`
 	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
@@ -46,21 +30,13 @@ type WellKnownController struct {
 	oidc *service.OIDCService
 }
 
-type WellKnownControllerInput struct {
+func NewWellKnownController(oidc *service.OIDCService, router *gin.RouterGroup) *WellKnownController {
-	dig.In
-
-	OIDCService *service.OIDCService
-	RouterGroup *gin.RouterGroup `name:"mainRouterGroup"`
-}
-
-func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {
 	controller := &WellKnownController{
-		oidc: i.OIDCService,
+		oidc: oidc,
 	}
 
-	i.RouterGroup.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
+	router.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
-	i.RouterGroup.GET("/.well-known/jwks.json", controller.JWKS)
+	router.GET("/.well-known/jwks.json", controller.JWKS)
-	i.RouterGroup.GET("/.well-known/webfinger", controller.WebFinger)
 
 	return controller
 }
@@ -121,62 +97,3 @@ func (controller *WellKnownController) JWKS(c *gin.Context) {
 
 	c.Status(http.StatusOK)
 }
-
-func (controller *WellKnownController) WebFinger(c *gin.Context) {
-	c.Header("Content-Type", "application/jrd+json")
-	c.Header("Access-Control-Allow-Origin", "*")
-
-	resource := c.Query("resource")
-
-	if !controller.validateWebFingerResource(resource) {
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "invalid resource",
-		})
-		return
-	}
-
-	res := WebfingerResponse{
-		Subject: resource,
-		Links:   []WebfingerResponseLink{},
-	}
-
-	rel := c.Request.URL.Query()["rel"]
-
-	if controller.oidc != nil && (len(rel) == 0 || slices.Contains(rel, OpenIDConnectRel)) {
-		res.Links = append(res.Links, WebfingerResponseLink{Rel: OpenIDConnectRel, Href: controller.oidc.GetIssuer()})
-	}
-
-	c.JSON(200, res)
-}
-
-func (controller *WellKnownController) validateWebFingerResource(resource string) bool {
-	prefix, suffix, found := strings.Cut(resource, ":")
-
-	if !found {
-		return false
-	}
-
-	switch prefix {
-	case "acct":
-		if strings.Count(suffix, "@") != 1 {
-			return false
-		}
-		username, domain, found := strings.Cut(suffix, "@")
-		if !found || username == "" || domain == "" {
-			return false
-		}
-	case "https", "http":
-		u, err := url.Parse(resource)
-		if err != nil {
-			return false
-		}
-		if u.Host == "" {
-			return false
-		}
-	default:
-		return false
-	}
-
-	return true
-}

internal/controller/well_known_controller_test.go

@@ -1,17 +1,17 @@
-package controller
+package controller_test
 
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
-	"net/url"
 	"testing"
 
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
@@ -26,25 +26,23 @@ func TestWellKnownController(t *testing.T) {
 
 	type testCase struct {
 		description string
-		oidcEnabled bool
 		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
 	}
 
 	tests := []testCase{
 		{
 			description: "Ensure well-known endpoint returns correct OIDC configuration",
-			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
 				router.ServeHTTP(recorder, req)
 
 				assert.Equal(t, 200, recorder.Code)
 
-				res := OpenIDConnectConfiguration{}
+				res := controller.OpenIDConnectConfiguration{}
 				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
-				expected := OpenIDConnectConfiguration{
+				expected := controller.OpenIDConnectConfiguration{
 					Issuer:                                 runtime.AppURL,
 					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", runtime.AppURL),
 					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", runtime.AppURL),
@@ -58,8 +56,8 @@ func TestWellKnownController(t *testing.T) {
 					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
 					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-					RequestObjectSigningAlgValuesSupported: []string{"none"},
 					RequestParameterSupported:              true,
+					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 
 				assert.Equal(t, expected, res)
@@ -67,7 +65,6 @@ func TestWellKnownController(t *testing.T) {
 		},
 		{
 			description: "Ensure well-known endpoint returns correct JWKS",
-			oidcEnabled: true,
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
 				req := httptest.NewRequest("GET", "/.well-known/jwks.json", nil)
 				router.ServeHTTP(recorder, req)
@@ -76,204 +73,19 @@ func TestWellKnownController(t *testing.T) {
 
 				decodedBody := make(map[string]any)
 				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
+				assert.NoError(t, err)
 
 				keys, ok := decodedBody["keys"].([]any)
-				require.True(t, ok)
+				assert.True(t, ok)
 				assert.Len(t, keys, 1)
 
 				keyData, ok := keys[0].(map[string]any)
-				require.True(t, ok)
+				assert.True(t, ok)
 				assert.Equal(t, "RSA", keyData["kty"])
 				assert.Equal(t, "sig", keyData["use"])
 				assert.Equal(t, "RS256", keyData["alg"])
 			},
 		},
-		{
-			description: "Ensure openid configuration returns 500 on nil oidc service",
-			oidcEnabled: false,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/.well-known/openid-configuration", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 500, recorder.Code)
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				assert.Equal(t, "OIDC service not configured", decodedBody["message"])
-			},
-		},
-		{
-			description: "Ensure jwks endpoint returns 500 on nil oidc service",
-			oidcEnabled: false,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/.well-known/jwks.json", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 500, recorder.Code)
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				assert.Equal(t, "OIDC service not configured", decodedBody["message"])
-			},
-		},
-		{
-			description: "Ensure webfinger returns 400 on invalid resource",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/.well-known/webfinger?resource=invalid-resource", nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 400, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				assert.Equal(t, "invalid resource", decodedBody["message"])
-			},
-		},
-		{
-			description: "Ensure webfinger resource validator allows acct",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "acct:testuser@example.com"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-			},
-		},
-		{
-			description: "Ensure webfinger resource validator allows https",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "https://example.com/testuser"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-			},
-		},
-		{
-			description: "Ensure webfinger resource validator allows http",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "http://example.com/testuser"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-			},
-		},
-		{
-			description: "Webfinger should return no links when oidc is nil",
-			oidcEnabled: false,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "acct:testuser@example.com"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				links, ok := decodedBody["links"].([]any)
-				require.True(t, ok)
-				assert.Len(t, links, 0)
-			},
-		},
-		{
-			description: "Webfinger should return links when oidc is configured and no rel is provided",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "acct:testuser@example.com"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s", url.QueryEscape(resource)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				links, ok := decodedBody["links"].([]any)
-				require.True(t, ok)
-				assert.Len(t, links, 1)
-
-				linkData, ok := links[0].(map[string]any)
-				require.True(t, ok)
-				assert.Equal(t, "http://openid.net/specs/connect/1.0/issuer", linkData["rel"])
-				assert.Equal(t, runtime.AppURL, linkData["href"])
-			},
-		},
-		{
-			description: "Webfinger should return links when oidc is configured and rel is provided",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := fmt.Sprintf("acct:%s@%s", "testuser", runtime.AppURL)
-				rel := "http://openid.net/specs/connect/1.0/issuer"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s&rel=%s", url.QueryEscape(resource), url.QueryEscape(rel)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				links, ok := decodedBody["links"].([]any)
-				require.True(t, ok)
-				assert.Len(t, links, 1)
-
-				linkData, ok := links[0].(map[string]any)
-				require.True(t, ok)
-				assert.Equal(t, rel, linkData["rel"])
-				assert.Equal(t, runtime.AppURL, linkData["href"])
-			},
-		},
-		{
-			description: "Webfinger should return no links when oidc is configured and rel is provided but does not match",
-			oidcEnabled: true,
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				resource := "acct:testuser@example.com"
-				rel := "http://example.com/does-not-exist"
-				req := httptest.NewRequest("GET", fmt.Sprintf("/.well-known/webfinger?resource=%s&rel=%s", url.QueryEscape(resource), url.QueryEscape(rel)), nil)
-				router.ServeHTTP(recorder, req)
-
-				assert.Equal(t, 200, recorder.Code)
-				assert.Equal(t, "application/jrd+json", recorder.Header().Get("content-type"))
-				assert.Equal(t, "*", recorder.Header().Get("access-control-allow-origin"))
-
-				decodedBody := make(map[string]any)
-				err := json.Unmarshal(recorder.Body.Bytes(), &decodedBody)
-				require.NoError(t, err)
-
-				links, ok := decodedBody["links"].([]any)
-				require.True(t, ok)
-				assert.Len(t, links, 0)
-			},
-		},
 	}
 
 	ctx := context.TODO()
@@ -281,13 +93,7 @@ func TestWellKnownController(t *testing.T) {
 
 	store := memory.New()
 
-	oidcService, err := service.NewOIDCService(service.OIDCServiceInput{
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
-		Log:     log,
-		Config:  &cfg,
-		Runtime: &runtime,
-		Queries: store,
-		Ding:    dg,
-	})
 	require.NoError(t, err)
 
 	for _, test := range tests {
@@ -297,15 +103,7 @@ func TestWellKnownController(t *testing.T) {
 
 			recorder := httptest.NewRecorder()
 
-			wellKnownControllerInput := WellKnownControllerInput{
+			controller.NewWellKnownController(oidcService, &router.RouterGroup)
-				RouterGroup: &router.RouterGroup,
-			}
-
-			if test.oidcEnabled {
-				wellKnownControllerInput.OIDCService = oidcService
-			}
-
-			NewWellKnownController(wellKnownControllerInput)
 
 			test.run(t, router, recorder)
 		})

internal/middleware/context_middleware.go

@@ -11,7 +11,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -38,29 +37,25 @@ var (
 
 type ContextMiddleware struct {
 	log       *logger.Logger
-	runtime   *model.RuntimeConfig
+	runtime   model.RuntimeConfig
 	auth      *service.AuthService
 	broker    *service.OAuthBrokerService
 	tailscale *service.TailscaleService
 }
 
-type ContextMiddlewareInput struct {
+func NewContextMiddleware(
-	dig.In
+	log *logger.Logger,
-
+	runtime model.RuntimeConfig,
-	Log              *logger.Logger
+	auth *service.AuthService,
-	RuntimeConfig    *model.RuntimeConfig
+	broker *service.OAuthBrokerService,
-	AuthService      *service.AuthService
+	tailscale *service.TailscaleService,
-	BrokerService    *service.OAuthBrokerService
+) *ContextMiddleware {
-	TailscaleService *service.TailscaleService
-}
-
-func NewContextMiddleware(i ContextMiddlewareInput) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:       i.Log,
+		log:       log,
-		runtime:   i.RuntimeConfig,
+		runtime:   runtime,
-		auth:      i.AuthService,
+		auth:      auth,
-		broker:    i.BrokerService,
+		broker:    broker,
-		tailscale: i.TailscaleService,
+		tailscale: tailscale,
 	}
 }
 
@@ -211,12 +206,12 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		}
 
 		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
-			m.auth.DeleteSession(ctx, uuid)
+			m.auth.DeleteSession(ctx, uuid, ip)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
 	}
 
-	cookie, err := m.auth.RefreshSession(ctx, uuid)
+	cookie, err := m.auth.RefreshSession(ctx, uuid, ip)
 
 	if err != nil {
 		return nil, nil, fmt.Errorf("error refreshing session: %w", err)

internal/middleware/context_middleware_test.go

@@ -1,4 +1,4 @@
-package middleware
+package middleware_test
 
 import (
 	"context"
@@ -12,6 +12,7 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
@@ -26,6 +27,8 @@ func TestContextMiddleware(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	basicAuthHeader := func(username, password string) string {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
@@ -253,37 +256,13 @@ func TestContextMiddleware(t *testing.T) {
 
 	store := memory.New()
 
-	policyEngine, err := service.NewPolicyEngine(service.PolicyEngineInput{
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	require.NoError(t, err)
 
-	broker := service.NewOAuthBrokerService(service.OAuthBrokerServiceInput{
+	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-		Log:     log,
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
-		Runtime: &runtime,
-		Ctx:     ctx,
-	})
-	authService := service.NewAuthService(service.AuthServiceInput{
-		Log:          log,
-		Config:       &cfg,
-		Runtime:      &runtime,
-		Ctx:          ctx,
-		Ding:         dg,
-		LDAP:         nil,
-		Queries:      store,
-		OAuthBroker:  broker,
-		Tailscale:    nil,
-		PolicyEngine: policyEngine,
-	})
 
-	contextMiddleware := NewContextMiddleware(ContextMiddlewareInput{
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
-		Log:              log,
-		RuntimeConfig:    &runtime,
-		AuthService:      authService,
-		BrokerService:    broker,
-		TailscaleService: nil,
-	})
 
 	for _, test := range tests {
 		authService.ClearLoginAttempts()

internal/middleware/ui_middleware.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/assets"
-	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
 )
@@ -19,12 +18,7 @@ type UIMiddleware struct {
 	uiFileServer http.Handler
 }
 
-// for future use if we need to inject dependencies into the middleware
+func NewUIMiddleware() (*UIMiddleware, error) {
-type UIMiddlewareInput struct {
-	dig.In
-}
-
-func NewUIMiddleware(_ UIMiddlewareInput) (*UIMiddleware, error) {
 	m := &UIMiddleware{}
 
 	ui, err := fs.Sub(assets.FrontendAssets, "dist")

internal/middleware/zerolog_middleware.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 )
 
 // See context middleware for explanation of why we have to do this
@@ -22,15 +21,9 @@ type ZerologMiddleware struct {
 	log *logger.Logger
 }
 
-type ZerologMiddlewareInput struct {
+func NewZerologMiddleware(log *logger.Logger) *ZerologMiddleware {
-	dig.In
-
-	Log *logger.Logger
-}
-
-func NewZerologMiddleware(i ZerologMiddlewareInput) *ZerologMiddleware {
 	return &ZerologMiddleware{
-		log: i.Log,
+		log: log,
 	}
 }
 

internal/model/config.go

@@ -28,7 +28,6 @@ func NewDefaultConfiguration() *Config {
 			ACLs: ACLsConfig{
 				Policy: "allow",
 			},
-			LockdownEnabled: true,
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -121,7 +120,6 @@ type AuthConfig struct {
 	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
-	LockdownEnabled    bool                      `description:"Enable lockdown mode after maximum login retries. Lockdown mode limit is calculated automatically." yaml:"lockdownEnabled"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }

internal/model/constants.go

@@ -18,8 +18,7 @@ var OverrideProviders = map[string]string{
 }
 
 const SessionCookieName = "tinyauth-session"
-const CSRFCookieName = "tinyauth-csrf"
-const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
+const ConsentCookieName = "tinyauth-consent"
 
 const GracefulShutdownTimeout = 5 // seconds

internal/model/context_test.go

@@ -1,4 +1,4 @@
-package model
+package model_test
 
 import (
 	"net/http/httptest"
@@ -7,6 +7,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 
@@ -21,44 +22,44 @@ func TestContext(t *testing.T) {
 
 	tests := []struct {
 		description string
-		context     *UserContext
+		context     *model.UserContext
-		run         func(*testing.T, *UserContext) any
+		run         func(*testing.T, *model.UserContext) any
 		expected    any
 	}{
 		{
 			description: "IsAuthenticated reflects Authenticated field",
-			context:     &UserContext{Authenticated: true},
+			context:     &model.UserContext{Authenticated: true},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsAuthenticated() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsAuthenticated() },
 			expected:    true,
 		},
 		{
 			description: "IsLocal returns true for ProviderLocal",
-			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsLocal() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLocal() },
 			expected:    true,
 		},
 		{
 			description: "IsOAuth returns true for ProviderOAuth",
-			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsOAuth() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsOAuth() },
 			expected:    true,
 		},
 		{
 			description: "IsLDAP returns true for ProviderLDAP",
-			context:     &UserContext{Provider: ProviderLDAP, LDAP: &LDAPContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLDAP, LDAP: &model.LDAPContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsLDAP() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsLDAP() },
 			expected:    true,
 		},
 		{
 			description: "IsBasicAuth returns true for ProviderBasicAuth",
-			context:     &UserContext{Provider: ProviderBasicAuth, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.IsBasicAuth() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.IsBasicAuth() },
 			expected:    true,
 		},
 		{
 			description: "NewFromSession local session is authenticated and ProviderLocal",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "alice", Email: "alice@example.com", Name: "Alice",
 					Provider: "local",
@@ -66,12 +67,12 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [2]any{got.Provider, got.Authenticated}
 			},
-			expected: [2]any{ProviderLocal, true},
+			expected: [2]any{model.ProviderLocal, true},
 		},
 		{
 			description: "NewFromSession local session with TotpPending is not authenticated",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "bob", Provider: "local", TotpPending: true,
 				})
@@ -82,20 +83,20 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromSession ldap session is ProviderLDAP",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "carol", Provider: "ldap",
 				})
 				require.NoError(t, err)
 				return got.Provider
 			},
-			expected: ProviderLDAP,
+			expected: model.ProviderLDAP,
 		},
 		{
 			description: "NewFromSession unknown provider defaults to OAuth and populates oauth fields",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				got, err := c.NewFromSession(&repository.Session{
 					Username: "dave", Provider: "github",
 					OAuthGroups: "devs,admins", OAuthSub: "sub-123", OAuthName: "GitHub",
@@ -103,126 +104,126 @@ func TestContext(t *testing.T) {
 				require.NoError(t, err)
 				return [5]any{got.Provider, got.OAuth.ID, got.OAuth.Sub, got.OAuth.DisplayName, got.OAuth.Groups}
 			},
-			expected: [5]any{ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
+			expected: [5]any{model.ProviderOAuth, "github", "sub-123", "GitHub", []string{"devs", "admins"}},
 		},
 		{
 			description: "Local getters return BaseContext fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{BaseContext: BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "alice", Email: "alice@example.com", Name: "Alice"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"alice", "alice@example.com", "Alice"},
 		},
 		{
 			description: "BasicAuth getters fall back to local fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderBasicAuth,
+				Provider: model.ProviderBasicAuth,
-				Local:    &LocalContext{BaseContext: BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
+				Local:    &model.LocalContext{BaseContext: model.BaseContext{Username: "bob", Email: "bob@example.com", Name: "Bob"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"bob", "bob@example.com", "Bob"},
 		},
 		{
 			description: "LDAP getters return LDAP fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLDAP,
+				Provider: model.ProviderLDAP,
-				LDAP:     &LDAPContext{BaseContext: BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
+				LDAP:     &model.LDAPContext{BaseContext: model.BaseContext{Username: "carol", Email: "carol@example.com", Name: "Carol"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"carol", "carol@example.com", "Carol"},
 		},
 		{
 			description: "OAuth getters return OAuth fields",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{BaseContext: BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
+				OAuth:    &model.OAuthContext{BaseContext: model.BaseContext{Username: "dave", Email: "dave@example.com", Name: "Dave"}},
 			},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"dave", "dave@example.com", "Dave"},
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderLocal",
-			context:     &UserContext{Provider: ProviderLocal},
+			context:     &model.UserContext{Provider: model.ProviderLocal},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'local' for ProviderBasicAuth",
-			context:     &UserContext{Provider: ProviderBasicAuth},
+			context:     &model.UserContext{Provider: model.ProviderBasicAuth},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "local",
 		},
 		{
 			description: "ProviderName returns 'ldap' for ProviderLDAP",
-			context:     &UserContext{Provider: ProviderLDAP},
+			context:     &model.UserContext{Provider: model.ProviderLDAP},
-			run:         func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected:    "ldap",
 		},
 		{
 			description: "ProviderName returns OAuth provider ID for ProviderOAuth",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{ID: "github"},
+				OAuth:    &model.OAuthContext{ID: "github"},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.GetProviderID() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.GetProviderID() },
 			expected: "github",
 		},
 		{
 			description: "TOTPPending returns true when local context is pending",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{TOTPPending: true},
+				Local:    &model.LocalContext{TOTPPending: true},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: true,
 		},
 		{
 			description: "TOTPPending returns false when local context is not pending",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderLocal,
+				Provider: model.ProviderLocal,
-				Local:    &LocalContext{TOTPPending: false},
+				Local:    &model.LocalContext{TOTPPending: false},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected: false,
 		},
 		{
 			description: "TOTPPending returns false for non-local providers",
-			context:     &UserContext{Provider: ProviderOAuth, OAuth: &OAuthContext{}},
+			context:     &model.UserContext{Provider: model.ProviderOAuth, OAuth: &model.OAuthContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.TOTPPending() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.TOTPPending() },
 			expected:    false,
 		},
 		{
 			description: "OAuthName returns DisplayName for ProviderOAuth",
-			context: &UserContext{
+			context: &model.UserContext{
-				Provider: ProviderOAuth,
+				Provider: model.ProviderOAuth,
-				OAuth:    &OAuthContext{DisplayName: "Google"},
+				OAuth:    &model.OAuthContext{DisplayName: "Google"},
 			},
-			run:      func(t *testing.T, c *UserContext) any { return c.OAuthName() },
+			run:      func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected: "Google",
 		},
 		{
 			description: "OAuthName returns empty string for non-oauth providers",
-			context:     &UserContext{Provider: ProviderLocal, Local: &LocalContext{}},
+			context:     &model.UserContext{Provider: model.ProviderLocal, Local: &model.LocalContext{}},
-			run:         func(t *testing.T, c *UserContext) any { return c.OAuthName() },
+			run:         func(t *testing.T, c *model.UserContext) any { return c.OAuthName() },
 			expected:    "",
 		},
 		{
 			description: "NewFromGin populates context from gin value",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
-				stored := &UserContext{
+				stored := &model.UserContext{
 					Authenticated: true,
-					Provider:      ProviderLocal,
+					Provider:      model.ProviderLocal,
-					Local:         &LocalContext{BaseContext: BaseContext{Username: "alice"}},
+					Local:         &model.LocalContext{BaseContext: model.BaseContext{Username: "alice"}},
 				}
 				got, err := c.NewFromGin(newGinCtx(stored, true))
 				require.NoError(t, err)
@@ -232,17 +233,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns error when context value is missing",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx(nil, false))
 				return err.Error()
 			},
-			expected: ErrUserContextNotFound.Error(),
+			expected: model.ErrUserContextNotFound.Error(),
 		},
 		{
 			description: "NewFromGin returns error when context value has wrong type",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				_, err := c.NewFromGin(newGinCtx("not a user context", true))
 				return err.Error()
 			},
@@ -250,17 +251,17 @@ func TestContext(t *testing.T) {
 		},
 		{
 			description: "NewFromGin returns an error when context doesn't include user information",
-			context:     &UserContext{},
+			context:     &model.UserContext{},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
-				_, err := c.NewFromGin(newGinCtx(&UserContext{Provider: ProviderLocal}, true))
+				_, err := c.NewFromGin(newGinCtx(&model.UserContext{Provider: model.ProviderLocal}, true))
 				return err.Error()
 			},
 			expected: "incomplete user context",
 		},
 		{
 			description: "Getters should not panic if provider context is empty",
-			context:     &UserContext{Provider: ProviderLocal},
+			context:     &model.UserContext{Provider: model.ProviderLocal},
-			run: func(t *testing.T, c *UserContext) any {
+			run: func(t *testing.T, c *model.UserContext) any {
 				return [3]string{c.GetUsername(), c.GetEmail(), c.GetName()}
 			},
 			expected: [3]string{"", "", ""},

internal/model/runtime.go

@@ -1,20 +1,26 @@
 package model
 
+import "context"
+
 type RuntimeConfig struct {
 	AppURL                 string
 	UUID                   string
 	CookieDomain           string
 	SessionCookieName      string
-	CSRFCookieName         string
-	RedirectCookieName     string
 	OAuthSessionCookieName string
+	ConsentCookieName      string
 	LocalUsers             []LocalUser
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
+	OIDCClients            []OIDCClientConfig
 	TrustedDomains         []string
 }
 
+type RuntimeHelpers struct {
+	GetCookieDomain func(ctx context.Context, ip string) (string, error)
+}
+
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`

internal/repository/memory/memory_test.go

@@ -277,6 +277,78 @@ func TestMemoryStore(t *testing.T) {
 				assert.NoError(t, err)
 			},
 		},
+		{
+			description: "Create and get OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				consent, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{
+					UUID:     "uuid-1",
+					ClientID: "client-1",
+					Scopes:   "openid profile",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "uuid-1", consent.UUID)
+				assert.Equal(t, "client-1", consent.ClientID)
+				assert.Equal(t, "openid profile", consent.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, consent, got)
+			},
+		},
+		{
+			description: "Get OIDC consent by UUID not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.GetOIDCConsentByUUID(ctx, "missing")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Create OIDC consent unique UUID constraint",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				_, err = s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-2", Scopes: "profile"})
+				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_consent.uuid")
+			},
+		},
+		{
+			description: "Update OIDC consent",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				updated, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+					UUID:   "uuid-1",
+					Scopes: "profile email",
+				})
+				require.NoError(t, err)
+				assert.Equal(t, "profile email", updated.Scopes)
+
+				got, err := s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				require.NoError(t, err)
+				assert.Equal(t, updated, got)
+			},
+		},
+		{
+			description: "Update OIDC consent not found",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{UUID: "missing"})
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
+		{
+			description: "Delete OIDC consent by UUID",
+			run: func(t *testing.T, s repository.Store) {
+				_, err := s.CreateOIDCConsent(ctx, repository.CreateOIDCConsentParams{UUID: "uuid-1", ClientID: "client-1", Scopes: "openid"})
+				require.NoError(t, err)
+
+				require.NoError(t, s.DeleteOIDCConsentByUUID(ctx, "uuid-1"))
+
+				_, err = s.GetOIDCConsentByUUID(ctx, "uuid-1")
+				assert.ErrorIs(t, err, repository.ErrNotFound)
+			},
+		},
 	}
 
 	for _, test := range tests {

internal/repository/memory/oidc_queries.go

@@ -94,3 +94,47 @@ func (s *Store) DeleteExpiredOIDCSessions(_ context.Context, arg repository.Dele
 	}
 	return nil
 }
+
+func (s *Store) CreateOIDCConsent(_ context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if _, ok := s.oidcConsent[arg.UUID]; ok {
+		return repository.OidcConsent{}, fmt.Errorf("UNIQUE constraint failed: oidc_consent.uuid")
+	}
+	consent := repository.OidcConsent{
+		UUID:     arg.UUID,
+		ClientID: arg.ClientID,
+		Scopes:   arg.Scopes,
+	}
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) GetOIDCConsentByUUID(_ context.Context, uuid string) (repository.OidcConsent, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	consent, ok := s.oidcConsent[uuid]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	return consent, nil
+}
+
+func (s *Store) UpdateOIDCConsent(_ context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	consent, ok := s.oidcConsent[arg.UUID]
+	if !ok {
+		return repository.OidcConsent{}, repository.ErrNotFound
+	}
+	consent.Scopes = arg.Scopes
+	s.oidcConsent[arg.UUID] = consent
+	return consent, nil
+}
+
+func (s *Store) DeleteOIDCConsentByUUID(_ context.Context, uuid string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.oidcConsent, uuid)
+	return nil
+}

internal/repository/memory/store.go

@@ -12,6 +12,7 @@ type Store struct {
 	mu           sync.RWMutex
 	sessions     map[string]repository.Session
 	oidcSessions map[string]repository.OidcSession
+	oidcConsent  map[string]repository.OidcConsent
 }
 
 // New returns a new empty in-memory Store.
@@ -19,5 +20,6 @@ func New() repository.Store {
 	return &Store{
 		sessions:     make(map[string]repository.Session),
 		oidcSessions: make(map[string]repository.OidcSession),
+		oidcConsent:  make(map[string]repository.OidcConsent),
 	}
 }

internal/repository/models.go

@@ -1,8 +1,18 @@
 package repository
 
+import "time"
+
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type Session struct {
 	UUID        string
 	Username    string
@@ -84,3 +94,14 @@ type DeleteExpiredOIDCSessionsParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}

internal/repository/postgres/models.go

@@ -4,6 +4,18 @@
 
 package postgres
 
+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string

internal/repository/postgres/oidc_queries.sql.go

@@ -9,6 +9,36 @@ import (
 	"context"
 )
 
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = $1
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = $1
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = $1
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = $1,

internal/repository/postgres/store.go

@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }
 
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {

internal/repository/sqlite/models.go

@@ -4,6 +4,18 @@
 
 package sqlite
 
+import (
+	"time"
+)
+
+type OidcConsent struct {
+	UUID      string
+	ClientID  string
+	Scopes    string
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
 type OidcSession struct {
 	Sub                   string
 	AccessTokenHash       string

internal/repository/sqlite/oidc_queries.sql.go

@@ -9,6 +9,36 @@ import (
 	"context"
 )
 
+const createOIDCConsent = `-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type CreateOIDCConsentParams struct {
+	UUID     string
+	ClientID string
+	Scopes   string
+}
+
+func (q *Queries) CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, createOIDCConsent, arg.UUID, arg.ClientID, arg.Scopes)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const createOIDCSession = `-- name: CreateOIDCSession :one
 INSERT INTO "oidc_sessions" (
     "sub",
@@ -80,6 +110,16 @@ func (q *Queries) DeleteExpiredOIDCSessions(ctx context.Context, arg DeleteExpir
 	return err
 }
 
+const deleteOIDCConsentByUUID = `-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	_, err := q.db.ExecContext(ctx, deleteOIDCConsentByUUID, uuid)
+	return err
+}
+
 const deleteOIDCSessionBySub = `-- name: DeleteOIDCSessionBySub :exec
 DELETE FROM "oidc_sessions"
 WHERE "sub" = ?
@@ -90,6 +130,24 @@ func (q *Queries) DeleteOIDCSessionBySub(ctx context.Context, sub string) error
 	return err
 }
 
+const getOIDCConsentByUUID = `-- name: GetOIDCConsentByUUID :one
+SELECT uuid, client_id, scopes, created_at, updated_at FROM "oidc_consent"
+WHERE "uuid" = ?
+`
+
+func (q *Queries) GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, getOIDCConsentByUUID, uuid)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const getOIDCSessionByAccessTokenHash = `-- name: GetOIDCSessionByAccessTokenHash :one
 SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce, userinfo_json FROM "oidc_sessions"
 WHERE "access_token_hash" = ?
@@ -156,6 +214,32 @@ func (q *Queries) GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSess
 	return i, err
 }
 
+const updateOIDCConsent = `-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING uuid, client_id, scopes, created_at, updated_at
+`
+
+type UpdateOIDCConsentParams struct {
+	Scopes string
+	UUID   string
+}
+
+func (q *Queries) UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error) {
+	row := q.db.QueryRowContext(ctx, updateOIDCConsent, arg.Scopes, arg.UUID)
+	var i OidcConsent
+	err := row.Scan(
+		&i.UUID,
+		&i.ClientID,
+		&i.Scopes,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
 const updateOIDCSession = `-- name: UpdateOIDCSession :one
 UPDATE "oidc_sessions" SET
     "access_token_hash" = ?,

internal/repository/sqlite/store.go

@@ -32,6 +32,14 @@ func mapErr(err error) error {
 	return err
 }
 
+func (s *Store) CreateOIDCConsent(ctx context.Context, arg repository.CreateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.CreateOIDCConsent(ctx, CreateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) CreateOIDCSession(ctx context.Context, arg repository.CreateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.CreateOIDCSession(ctx, CreateOIDCSessionParams(arg))
 	if err != nil {
@@ -56,6 +64,10 @@ func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 
+func (s *Store) DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error {
+	return mapErr(s.q.DeleteOIDCConsentByUUID(ctx, uuid))
+}
+
 func (s *Store) DeleteOIDCSessionBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOIDCSessionBySub(ctx, sub))
 }
@@ -64,6 +76,14 @@ func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 
+func (s *Store) GetOIDCConsentByUUID(ctx context.Context, uuid string) (repository.OidcConsent, error) {
+	r, err := s.q.GetOIDCConsentByUUID(ctx, uuid)
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) GetOIDCSessionByAccessTokenHash(ctx context.Context, accessTokenHash string) (repository.OidcSession, error) {
 	r, err := s.q.GetOIDCSessionByAccessTokenHash(ctx, accessTokenHash)
 	if err != nil {
@@ -96,6 +116,14 @@ func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session
 	return repository.Session(r), nil
 }
 
+func (s *Store) UpdateOIDCConsent(ctx context.Context, arg repository.UpdateOIDCConsentParams) (repository.OidcConsent, error) {
+	r, err := s.q.UpdateOIDCConsent(ctx, UpdateOIDCConsentParams(arg))
+	if err != nil {
+		return repository.OidcConsent{}, mapErr(err)
+	}
+	return repository.OidcConsent(r), nil
+}
+
 func (s *Store) UpdateOIDCSession(ctx context.Context, arg repository.UpdateOIDCSessionParams) (repository.OidcSession, error) {
 	r, err := s.q.UpdateOIDCSession(ctx, UpdateOIDCSessionParams(arg))
 	if err != nil {

internal/repository/store.go

@@ -27,4 +27,10 @@ type Store interface {
 	GetOIDCSessionByRefreshTokenHash(ctx context.Context, refreshTokenHash string) (OidcSession, error)
 	GetOIDCSessionBySub(ctx context.Context, sub string) (OidcSession, error)
 	UpdateOIDCSession(ctx context.Context, arg UpdateOIDCSessionParams) (OidcSession, error)
+
+	// OIDC consents
+	CreateOIDCConsent(ctx context.Context, arg CreateOIDCConsentParams) (OidcConsent, error)
+	DeleteOIDCConsentByUUID(ctx context.Context, uuid string) error
+	GetOIDCConsentByUUID(ctx context.Context, uuid string) (OidcConsent, error)
+	UpdateOIDCConsent(ctx context.Context, arg UpdateOIDCConsentParams) (OidcConsent, error)
 }

internal/service/access_controls_service.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 )
 
 type LabelProvider interface {
@@ -14,24 +13,19 @@ type LabelProvider interface {
 
 type AccessControlsService struct {
 	log           *logger.Logger
-	config        *model.Config
+	config        model.Config
-	labelProvider LabelProvider
+	labelProvider *LabelProvider
 }
 
-type AccessControlServiceInput struct {
+func NewAccessControlsService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log           *logger.Logger
+	labelProvider *LabelProvider) *AccessControlsService {
-	Config        *model.Config
-	LabelProvider LabelProvider `optional:"true"`
-}
-
-func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsService {
 
 	return &AccessControlsService{
-		log:           i.Log,
+		log:           log,
-		config:        i.Config,
+		config:        config,
-		labelProvider: i.LabelProvider,
+		labelProvider: labelProvider,
 	}
 }
 
@@ -63,8 +57,8 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
 	}
 
 	// If we have a label provider configured, try to get ACLs from it
-	if service.labelProvider != nil {
+	if service.labelProvider != nil && *service.labelProvider != nil {
-		return service.labelProvider.GetLabels(domain)
+		return (*service.labelProvider).GetLabels(domain)
 	}
 
 	// no labels

internal/service/access_controls_service_test.go

@@ -87,11 +87,7 @@ func TestLookupStaticACLs(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			svc := NewAccessControlsService(AccessControlServiceInput{
+			svc := NewAccessControlsService(log, model.Config{Apps: tt.apps}, nil)
-				Log:           log,
-				Config:        &model.Config{Apps: tt.apps},
-				LabelProvider: nil,
-			})
 			got := svc.lookupStaticACLs(tt.domain)
 			if tt.expectNil {
 				assert.Nil(t, got)
@@ -116,11 +112,7 @@ func TestGetAccessControls(t *testing.T) {
 				},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, nil)
-			Log:           log,
-			Config:        &config,
-			LabelProvider: nil,
-		})
 
 		got, err := svc.GetAccessControls("foo.example.com")
 
@@ -131,11 +123,7 @@ func TestGetAccessControls(t *testing.T) {
 	})
 
 	t.Run("returns nil when no static match and no label provider", func(t *testing.T) {
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, nil)
-			Log:           log,
-			Config:        &model.Config{},
-			LabelProvider: nil,
-		})
 
 		got, err := svc.GetAccessControls("unknown.example.com")
 
@@ -145,11 +133,7 @@ func TestGetAccessControls(t *testing.T) {
 
 	t.Run("returns nil when label provider pointer wraps a nil interface", func(t *testing.T) {
 		var provider LabelProvider
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
-			Log:           log,
-			Config:        &model.Config{},
-			LabelProvider: provider, // nil provider
-		})
 
 		got, err := svc.GetAccessControls("unknown.example.com")
 
@@ -168,11 +152,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
-			Log:           log,
-			Config:        &model.Config{},
-			LabelProvider: provider,
-		})
 
 		got, err := svc.GetAccessControls("dynamic.example.com")
 
@@ -190,11 +170,7 @@ func TestGetAccessControls(t *testing.T) {
 				"foo": {Config: model.AppConfig{Domain: "foo.example.com"}},
 			},
 		}
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, config, &provider)
-			Log:           log,
-			Config:        &config,
-			LabelProvider: provider,
-		})
 
 		got, err := svc.GetAccessControls("foo.example.com")
 
@@ -212,11 +188,7 @@ func TestGetAccessControls(t *testing.T) {
 			},
 		}
 		var provider LabelProvider = mock
-		svc := NewAccessControlsService(AccessControlServiceInput{
+		svc := NewAccessControlsService(log, model.Config{}, &provider)
-			Log:           log,
-			Config:        &model.Config{},
-			LabelProvider: provider,
-		})
 
 		got, err := svc.GetAccessControls("dynamic.example.com")
 

internal/service/auth_service.go

@@ -2,10 +2,8 @@ package service
 
 import (
 	"context"
-	"crypto/rand"
 	"errors"
 	"fmt"
-	"math/big"
 	"net/http"
 	"strings"
 	"sync"
@@ -16,7 +14,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
@@ -27,6 +24,7 @@ import (
 // but for now these are just safety limits to prevent unbounded memory usage
 const MaxOAuthPendingSessions = 256
 const OAuthCleanupCount = 16
+const MaxLoginAttemptRecords = 256
 
 var (
 	ErrUserNotFound = errors.New("user not found")
@@ -59,8 +57,9 @@ type LoginAttempt struct {
 
 type AuthService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
+	helpers *model.RuntimeHelpers
 	ctx     context.Context
 
 	ldap         *LdapService
@@ -82,57 +81,44 @@ type AuthService struct {
 		oauth *CacheStore[OAuthPendingSession]
 		ldap  *CacheStore[[]string]
 	}
-
-	maxLoginLimits int
 }
 
-type AuthServiceInput struct {
+func NewAuthService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log          *logger.Logger
+	runtime model.RuntimeConfig,
-	Config       *model.Config
+	helpers *model.RuntimeHelpers,
-	Runtime      *model.RuntimeConfig
+	ctx context.Context,
-	Ctx          context.Context
+	dg *ding.Ding,
-	Ding         *ding.Ding
+	ldap *LdapService,
-	LDAP         *LdapService `optional:"true"`
+	queries repository.Store,
-	Queries      repository.Store
+	oauthBroker *OAuthBrokerService,
-	OAuthBroker  *OAuthBrokerService
+	tailscale *TailscaleService,
-	Tailscale    *TailscaleService `optional:"true"`
+	policy *PolicyEngine,
-	PolicyEngine *PolicyEngine
+) *AuthService {
-}
-
-func NewAuthService(i AuthServiceInput) *AuthService {
 	service := &AuthService{
-		log:          i.Log,
+		log:          log,
-		runtime:      i.Runtime,
+		runtime:      runtime,
-		ctx:          i.Ctx,
+		helpers:      helpers,
-		config:       i.Config,
+		ctx:          ctx,
-		ldap:         i.LDAP,
+		config:       config,
-		queries:      i.Queries,
+		ldap:         ldap,
-		oauthBroker:  i.OAuthBroker,
+		queries:      queries,
-		tailscale:    i.Tailscale,
+		oauthBroker:  oauthBroker,
-		policyEngine: i.PolicyEngine,
+		tailscale:    tailscale,
-	}
+		policyEngine: policy,
-
-	// get the max login limits based on the number of users and the configured max retries
-	service.maxLoginLimits = service.calculateLockdownLimit()
-
-	loginCacheSize := 0
-
-	if !service.config.Auth.LockdownEnabled {
-		loginCacheSize = service.maxLoginLimits
 	}
 
 	// caches setup
 	oauthCache := NewCacheStore[OAuthPendingSession](256)
-	loginCache := NewCacheStore[LoginAttempt](loginCacheSize)
+	loginCache := NewCacheStore[LoginAttempt](1024)
 	ldapCache := NewCacheStore[[]string](1024)
 
 	service.caches.oauth = oauthCache
 	service.caches.login = loginCache
 	service.caches.ldap = ldapCache
 
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 
@@ -271,7 +257,7 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 		return
 	}
 
-	if !success && auth.config.Auth.LockdownEnabled && auth.caches.login.Size() >= auth.maxLoginLimits {
+	if auth.caches.login.Size() >= MaxLoginAttemptRecords {
 		if locked, _ := auth.IsInLockdown(); locked {
 			return
 		}
@@ -339,7 +325,7 @@ func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool
 	})
 }
 
-func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
+func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session, ip string) (*http.Cookie, error) {
 	if data.Provider == "tailscale" && auth.tailscale == nil {
 		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
 	}
@@ -380,33 +366,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
-	if data.Provider == "tailscale" {
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
-		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
-
-		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
 
 	if err != nil {
-			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
 	}
 
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
+		Domain:   cookieDomain,
-			Expires:  expiresAt,
-			MaxAge:   int(time.Until(expiresAt).Seconds()),
-			Secure:   auth.config.Auth.SecureCookie,
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		}, nil
-	}
-
-	return &http.Cookie{
-		Name:     auth.runtime.SessionCookieName,
-		Value:    session.UUID,
-		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
 		Expires:  expiresAt,
 		MaxAge:   int(time.Until(expiresAt).Seconds()),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -415,13 +385,17 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 	}, nil
 }
 
-func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) RefreshSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	session, err := auth.queries.GetSession(ctx, uuid)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve session: %w", err)
 	}
 
+	if session.Provider == "tailscale" && auth.tailscale == nil {
+		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
+	}
+
 	currentTime := time.Now().Unix()
 
 	var refreshThreshold int64
@@ -455,11 +429,17 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 		return nil, fmt.Errorf("failed to update session expiry: %w", err)
 	}
 
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now().Add(time.Duration(newExpiry-currentTime) * time.Second),
 		MaxAge:   int(newExpiry - currentTime),
 		Secure:   auth.config.Auth.SecureCookie,
@@ -469,18 +449,24 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 
 }
 
-func (auth *AuthService) DeleteSession(ctx context.Context, uuid string) (*http.Cookie, error) {
+func (auth *AuthService) DeleteSession(ctx context.Context, uuid string, ip string) (*http.Cookie, error) {
 	err := auth.queries.DeleteSession(ctx, uuid)
 
 	if err != nil {
 		auth.log.App.Error().Err(err).Str("uuid", uuid).Msg("Failed to delete session from database")
 	}
 
+	cookieDomain, err := auth.helpers.GetCookieDomain(ctx, ip)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine cookie domain: %w", err)
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    "",
 		Path:     "/",
-		Domain:   fmt.Sprintf(".%s", auth.runtime.CookieDomain),
+		Domain:   cookieDomain,
 		Expires:  time.Now(),
 		MaxAge:   -1,
 		Secure:   auth.config.Auth.SecureCookie,
@@ -646,17 +632,16 @@ func (auth *AuthService) lockdownMode() {
 		return
 	}
 
-	ctx, cancel := context.WithCancel(auth.ctx)
+	ctx, cancel := context.WithCancel(context.Background())
 
 	auth.log.App.Warn().Msg("Too many failed login attempts, entering lockdown mode")
 
 	auth.lockdown.active = true
 	auth.lockdown.ctx = ctx
 	auth.lockdown.cancelFunc = cancel
+	auth.lockdown.until = time.Now().Add(time.Duration(auth.config.Auth.LoginTimeout) * time.Second)
 
-	d := time.Duration(auth.config.Auth.LoginTimeout) * time.Second
+	timer := time.NewTimer(time.Until(auth.lockdown.until))
-	auth.lockdown.until = time.Now().Add(d)
-	timer := time.NewTimer(d)
 
 	auth.lockdown.mu.Unlock()
 
@@ -668,13 +653,14 @@ func (auth *AuthService) lockdownMode() {
 		// Timer expired, end lockdown
 	case <-ctx.Done():
 		// Context cancelled, end lockdown
+	case <-auth.ctx.Done():
+		// Service is shutting down, end lockdown
 	}
 
 	auth.lockdown.mu.Lock()
 
 	auth.log.App.Info().Msg("Exiting lockdown mode")
 
-	auth.caches.login.Clear()
 	auth.lockdown.active = false
 	auth.lockdown.until = time.Time{}
 	auth.lockdown.ctx = nil
@@ -697,32 +683,3 @@ func (auth *AuthService) IsInLockdown() (bool, int) {
 func (auth *AuthService) ClearLoginAttempts() {
 	auth.caches.login.Clear()
 }
-
-func (auth *AuthService) calculateLockdownLimit() int {
-	userCount := len(auth.runtime.LocalUsers)
-
-	if auth.ldap != nil {
-		ldapUsers, err := auth.ldap.GetUserCount()
-		if err != nil {
-			auth.log.App.Warn().Err(err).Msg("Failed to get LDAP user count")
-		} else {
-			userCount += ldapUsers
-		}
-	}
-
-	limit := userCount * auth.config.Auth.LoginMaxRetries
-
-	jitter, err := rand.Int(rand.Reader, big.NewInt(64))
-
-	if err != nil {
-		auth.log.App.Warn().Err(err).Msg("Failed to generate jitter for lockdown limit")
-	} else {
-		limit += int(jitter.Int64())
-	}
-
-	if limit < 256 {
-		limit = 256
-	}
-
-	return limit
-}

internal/service/auth_service_test.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -13,22 +12,9 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 
-	policyEngine, err := NewPolicyEngine(PolicyEngineInput{
-		Log: log,
-		Config: &model.Config{
-			Auth: model.AuthConfig{
-				ACLs: model.ACLsConfig{
-					Policy: string(PolicyAllow),
-				},
-			},
-		},
-	})
-
-	require.NoError(t, err)
-
 	auth := &AuthService{
 		log: log,
-		runtime: &model.RuntimeConfig{
+		runtime: model.RuntimeConfig{
 			OAuthWhitelist: []string{"global@example.com"},
 			OAuthProviders: map[string]model.OAuthServiceConfig{
 				"github": {
@@ -42,7 +28,6 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
 				},
 			},
 		},
-		policyEngine: policyEngine,
 	}
 
 	assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))

internal/service/docker_service.go

@@ -8,7 +8,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -22,40 +21,36 @@ type DockerService struct {
 	isConnected bool
 }
 
-type DockerServiceInput struct {
+func NewDockerService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*DockerService, error) {
-	Ding *ding.Ding
-}
-
-func NewDockerService(i DockerServiceInput) (*DockerService, error) {
 
 	client, err := client.NewClientWithOpts(client.FromEnv)
 	if err != nil {
 		return nil, err
 	}
 
-	client.NegotiateAPIVersion(i.Ctx)
+	client.NegotiateAPIVersion(ctx)
 
-	_, err = client.Ping(i.Ctx)
+	_, err = client.Ping(ctx)
 
 	if err != nil {
-		i.Log.App.Debug().Err(err).Msg("Docker not connected")
+		log.App.Debug().Err(err).Msg("Docker not connected")
 		return nil, nil
 	}
 
 	service := &DockerService{
-		log:     i.Log,
+		log:     log,
 		client:  client,
-		context: i.Ctx,
+		context: ctx,
 	}
 
 	service.isConnected = true
 	service.log.App.Debug().Msg("Docker connected successfully")
 
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 
 	return service, nil
 }

internal/service/kubernetes_service.go

@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/decoders"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -49,15 +48,11 @@ type KubernetesService struct {
 	appNameIndex map[string]ingressAppKey
 }
 
-type KubernetesServiceInput struct {
+func NewKubernetesService(
-	dig.In
+	log *logger.Logger,
-
+	ctx context.Context,
-	Log  *logger.Logger
+	dg *ding.Ding,
-	Ctx  context.Context
+) (*KubernetesService, error) {
-	Ding *ding.Ding
-}
-
-func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error) {
 	cfg, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get in-cluster kubernetes config: %w", err)
@@ -74,31 +69,31 @@ func NewKubernetesService(i KubernetesServiceInput) (*KubernetesService, error)
 		Resource: "ingresses",
 	}
 
-	accessCtx, accessCancel := context.WithTimeout(i.Ctx, 5*time.Second)
+	accessCtx, accessCancel := context.WithTimeout(ctx, 5*time.Second)
 	defer accessCancel()
 
 	_, err = client.Resource(gvr).List(accessCtx, metav1.ListOptions{Limit: 1})
 	if err != nil {
-		i.Log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
+		log.App.Warn().Err(err).Str("api", gvr.GroupVersion().String()).Msg("Failed to access Ingress API, Kubernetes label provider will be disabled")
 		return nil, fmt.Errorf("failed to access ingress api: %w", err)
 	}
 
-	i.Log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
+	log.App.Debug().Str("api", gvr.GroupVersion().String()).Msg("Successfully accessed Ingress API, starting watcher")
 
 	service := &KubernetesService{
-		log:          i.Log,
+		log:          log,
 		client:       client,
 		ingressApps:  make(map[ingressKey][]ingressApp),
 		domainIndex:  make(map[string]ingressAppKey),
 		appNameIndex: make(map[string]ingressAppKey),
 	}
 
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		service.watchGVR(gvr, ctx)
 	}, ding.RingMajor)
 
 	service.started = true
-	i.Log.App.Debug().Msg("Kubernetes label provider started successfully")
+	log.App.Debug().Msg("Kubernetes label provider started successfully")
 
 	return service, nil
 }

internal/service/ldap_service.go

@@ -13,48 +13,44 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 )
 
 type LdapService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
 
 	conn  *ldapgo.Conn
 	mutex sync.RWMutex
 	cert  *tls.Certificate
-	bindPw string
 }
 
-type LdapServiceInput struct {
+func NewLdapService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log    *logger.Logger
+	dg *ding.Ding,
-	Config *model.Config
+) (*LdapService, error) {
-	Ding   *ding.Ding
+	if config.LDAP.Address == "" {
-}
-
-func NewLdapService(i LdapServiceInput) (*LdapService, error) {
-	if i.Config.LDAP.Address == "" {
 		return nil, nil
 	}
 
+	secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
+	config.LDAP.BindPassword = secret
+	config.LDAP.BindPasswordFile = ""
+
 	ldap := &LdapService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
 	}
 
-	ldap.bindPw = utils.GetSecret(i.Config.LDAP.BindPassword, i.Config.LDAP.BindPasswordFile)
-
 	// Check whether authentication with client certificate is possible
-	if i.Config.LDAP.AuthCert != "" && i.Config.LDAP.AuthKey != "" {
+	if config.LDAP.AuthCert != "" && config.LDAP.AuthKey != "" {
-		cert, err := tls.LoadX509KeyPair(i.Config.LDAP.AuthCert, i.Config.LDAP.AuthKey)
+		cert, err := tls.LoadX509KeyPair(config.LDAP.AuthCert, config.LDAP.AuthKey)
 
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize LDAP with mTLS authentication: %w", err)
 		}
 
-		i.Log.App.Info().Msg("LDAP mTLS authentication configured successfully")
+		log.App.Info().Msg("LDAP mTLS authentication configured successfully")
 
 		ldap.cert = &cert
 
@@ -76,7 +72,7 @@ func NewLdapService(i LdapServiceInput) (*LdapService, error) {
 		return nil, fmt.Errorf("failed to connect to ldap server: %w", err)
 	}
 
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ldap.log.App.Debug().Msg("Starting LDAP connection heartbeat routine")
 
 		ticker := time.NewTicker(5 * time.Minute)
@@ -169,26 +165,6 @@ func (ldap *LdapService) GetUserInfo(username string) (dn string, email string,
 	return entry.DN, entry.GetAttributeValue("mail"), nil
 }
 
-func (ldap *LdapService) GetUserCount() (int, error) {
-	searchRequest := ldapgo.NewSearchRequest(
-		ldap.config.LDAP.BaseDN,
-		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
-		"(objectClass=person)",
-		[]string{"dn"},
-		nil,
-	)
-
-	ldap.mutex.Lock()
-	defer ldap.mutex.Unlock()
-
-	searchResult, err := ldap.conn.Search(searchRequest)
-	if err != nil {
-		return 0, err
-	}
-
-	return len(searchResult.Entries), nil
-}
-
 func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	escapedUserDN := ldapgo.EscapeFilter(userDN)
 
@@ -241,7 +217,7 @@ func (ldap *LdapService) BindService(rebind bool) error {
 	if ldap.cert != nil {
 		return ldap.conn.ExternalBind()
 	}
-	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.bindPw)
+	return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
 
 func (ldap *LdapService) Bind(userDN string, password string) error {

internal/service/oauth_broker_service.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 
 	"slices"
 
@@ -33,27 +32,23 @@ var presets = map[string]func(config model.OAuthServiceConfig, ctx context.Conte
 	"google": newGoogleOAuthService,
 }
 
-type OAuthBrokerServiceInput struct {
+func NewOAuthBrokerService(
-	dig.In
+	log *logger.Logger,
-
+	configs map[string]model.OAuthServiceConfig,
-	Log     *logger.Logger
+	ctx context.Context,
-	Runtime *model.RuntimeConfig
+) *OAuthBrokerService {
-	Ctx     context.Context
-}
-
-func NewOAuthBrokerService(i OAuthBrokerServiceInput) *OAuthBrokerService {
 	service := &OAuthBrokerService{
-		log:      i.Log,
+		log:      log,
 		services: make(map[string]OAuthServiceImpl),
-		configs:  i.Runtime.OAuthProviders,
+		configs:  configs,
 	}
 
-	for name, cfg := range service.configs {
+	for name, cfg := range configs {
 		if presetFunc, exists := presets[name]; exists {
-			service.services[name] = presetFunc(cfg, i.Ctx)
+			service.services[name] = presetFunc(cfg, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from preset")
 		} else {
-			service.services[name] = NewOAuthService(cfg, name, i.Ctx)
+			service.services[name] = NewOAuthService(cfg, name, ctx)
 			service.log.App.Debug().Str("service", name).Msg("Loaded OAuth service from custom config")
 		}
 	}

internal/service/oidc_service.go

@@ -14,7 +14,6 @@ import (
 	"fmt"
 	"net/url"
 	"os"
-	"path/filepath"
 	"strings"
 	"time"
 
@@ -22,12 +21,12 @@ import (
 
 	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 )
 
 var (
@@ -109,6 +108,7 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
+	jwt.Claims
 	Scope               string `form:"scope" json:"scope" url:"scope"`
 	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
 	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
@@ -135,8 +135,8 @@ type UsedCodeEntry struct {
 
 type OIDCService struct {
 	log     *logger.Logger
-	config  *model.Config
+	config  model.Config
-	runtime *model.RuntimeConfig
+	runtime model.RuntimeConfig
 	queries repository.Store
 
 	clients    map[string]model.OIDCClientConfig
@@ -151,24 +151,19 @@ type OIDCService struct {
 	}
 }
 
-type OIDCServiceInput struct {
+func NewOIDCService(
-	dig.In
+	log *logger.Logger,
-
+	config model.Config,
-	Log     *logger.Logger
+	runtime model.RuntimeConfig,
-	Config  *model.Config
+	queries repository.Store,
-	Runtime *model.RuntimeConfig
+	dg *ding.Ding) (*OIDCService, error) {
-	Queries repository.Store
-	Ding    *ding.Ding
-}
-
-func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// If not configured, skip init
-	if len(i.Config.OIDC.Clients) == 0 {
+	if len(runtime.OIDCClients) == 0 {
 		return nil, nil
 	}
 
 	// Ensure issuer is https
-	uissuer, err := url.Parse(i.Runtime.AppURL)
+	uissuer, err := url.Parse(runtime.AppURL)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse app url: %w", err)
@@ -181,14 +176,14 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	issuer := fmt.Sprintf("%s://%s", uissuer.Scheme, uissuer.Host)
 
 	// Create/load private and public keys
-	if strings.TrimSpace(i.Config.OIDC.PrivateKeyPath) == "" ||
+	if strings.TrimSpace(config.OIDC.PrivateKeyPath) == "" ||
-		strings.TrimSpace(i.Config.OIDC.PublicKeyPath) == "" {
+		strings.TrimSpace(config.OIDC.PublicKeyPath) == "" {
 		return nil, errors.New("private key path and public key path are required")
 	}
 
 	var privateKey *rsa.PrivateKey
 
-	fprivateKey, err := os.ReadFile(i.Config.OIDC.PrivateKeyPath)
+	fprivateKey, err := os.ReadFile(config.OIDC.PrivateKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, err
@@ -207,12 +202,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
+		log.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PrivateKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PrivateKeyPath, encoded, 0600)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create directory for private key: %w", err)
-		}
-		err = os.WriteFile(i.Config.OIDC.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write private key to file: %w", err)
 		}
@@ -221,7 +212,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode private key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse private key: %w", err)
@@ -230,7 +221,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 
 	var publicKey crypto.PublicKey
 
-	fpublicKey, err := os.ReadFile(i.Config.OIDC.PublicKeyPath)
+	fpublicKey, err := os.ReadFile(config.OIDC.PublicKeyPath)
 
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to read public key: %w", err)
@@ -246,12 +237,8 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
-		i.Log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
+		log.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
-		err := os.MkdirAll(filepath.Dir(i.Config.OIDC.PublicKeyPath), 0700)
+		err = os.WriteFile(config.OIDC.PublicKeyPath, encoded, 0644)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create directory for public key: %w", err)
-		}
-		err = os.WriteFile(i.Config.OIDC.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return nil, err
 		}
@@ -260,7 +247,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		if block == nil {
 			return nil, errors.New("failed to decode public key")
 		}
-		i.Log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
+		log.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err = x509.ParsePKCS1PublicKey(block.Bytes)
@@ -290,7 +277,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	// We will reorganize the client into a map with the client ID as the key
 	clients := make(map[string]model.OIDCClientConfig)
 
-	for id, client := range i.Config.OIDC.Clients {
+	for id, client := range config.OIDC.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
@@ -306,15 +293,15 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 		}
 		client.ClientSecretFile = ""
 		clients[id] = client
-		i.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
+		log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
 	}
 
 	// Initialize the service
 	service := &OIDCService{
-		log:     i.Log,
+		log:     log,
-		config:  i.Config,
+		config:  config,
-		runtime: i.Runtime,
+		runtime: runtime,
-		queries: i.Queries,
+		queries: queries,
 
 		clients:    clients,
 		privateKey: privateKey,
@@ -323,7 +310,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	}
 
 	// Start cleanup routine
-	i.Ding.Go(service.cleanupRoutine, ding.RingMinor)
+	dg.Go(service.cleanupRoutine, ding.RingMinor)
 
 	// Create caches
 	codeCash := NewCacheStore[AuthorizeCodeEntry](256)
@@ -335,7 +322,7 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
 	service.caches.authorize = authorize
 
 	// Start cache cleanup routine
-	i.Ding.Go(func(ctx context.Context) {
+	dg.Go(func(ctx context.Context) {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 
@@ -902,32 +889,63 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
-	var claims jwt.MapClaims
+	var req AuthorizeRequest
+
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
 
-	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 
-	alg, ok := token.Header["alg"].(string)
+	claims, ok := token.Claims.(*AuthorizeRequest)
 
-	if !ok || alg != "none" || string(token.Signature) != "" {
+	if !ok {
-		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
+		return nil, errors.New("failed to parse claims from authorize request jwt")
 	}
 
-	get := func(k string) string {
+	return claims, nil
-		v, _ := claims[k].(string)
+}
-		return v
+
-	}
+func (service *OIDCService) CreateConsentEntry(ctx context.Context, clientId string, scope string) (string, error) {
-
+	u := uuid.New()
-	return &AuthorizeRequest{
+
-		Scope:               get("scope"),
+	entry := repository.CreateOIDCConsentParams{
-		ResponseType:        get("response_type"),
+		UUID:     u.String(),
-		ClientID:            get("client_id"),
+		ClientID: clientId,
-		RedirectURI:         get("redirect_uri"),
+		Scopes:   scope,
-		State:               get("state"),
+	}
-		Nonce:               get("nonce"),
+
-		CodeChallenge:       get("code_challenge"),
+	_, err := service.queries.CreateOIDCConsent(ctx, entry)
-		CodeChallengeMethod: get("code_challenge_method"),
+
-	}, nil
+	if err != nil {
+		return "", err
+	}
+
+	return entry.UUID, nil
+}
+
+func (service *OIDCService) GetConsentEntry(ctx context.Context, uuid string) (*repository.OidcConsent, error) {
+	entry, err := service.queries.GetOIDCConsentByUUID(ctx, uuid)
+
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &entry, nil
+}
+
+func (service *OIDCService) DeleteConsentEntry(ctx context.Context, uuid string) error {
+	return service.queries.DeleteOIDCConsentByUUID(ctx, uuid)
+}
+
+func (service *OIDCService) UpdateConsentEntry(ctx context.Context, uuid string, scopes string) error {
+	_, err := service.queries.UpdateOIDCConsent(ctx, repository.UpdateOIDCConsentParams{
+		UUID:   uuid,
+		Scopes: scopes,
+	})
+
+	return err
 }

internal/service/oidc_service_test.go

@@ -1,4 +1,4 @@
-package service
+package service_test
 
 import (
 	"context"
@@ -9,12 +9,12 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
+	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 
-func newTestUser() UserinfoResponse {
+func newTestUser() service.UserinfoResponse {
-	return UserinfoResponse{
+	return service.UserinfoResponse{
 		Sub:               "test-sub",
 		Name:              "Test User",
 		PreferredUsername: "testuser",
@@ -67,29 +67,21 @@ func TestCompileUserinfo(t *testing.T) {
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
-	store := memory.New()
+	svc, err := service.NewOIDCService(log, cfg, runtime, nil, dg)
-
-	svc, err := NewOIDCService(OIDCServiceInput{
-		Log:     log,
-		Config:  &cfg,
-		Runtime: &runtime,
-		Queries: store,
-		Ding:    dg,
-	})
 	require.NoError(t, err)
 
 	type testCase struct {
 		description string
-		mutate      func(u *UserinfoResponse)
+		mutate      func(u *service.UserinfoResponse)
 		scope       string
-		run         func(t *testing.T, info UserinfoResponse)
+		run         func(t *testing.T, info service.UserinfoResponse)
 	}
 
 	tests := []testCase{
 		{
 			description: "openid scope only returns sub and updated_at",
 			scope:       "openid",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test-sub", info.Sub)
 				assert.Equal(t, int64(1234567890), info.UpdatedAt)
 				assert.Empty(t, info.Name)
@@ -102,7 +94,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "profile scope returns all profile fields",
 			scope:       "openid profile",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "testuser", info.PreferredUsername)
 				assert.Equal(t, "Test", info.GivenName)
@@ -122,7 +114,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "email scope sets email and email_verified true when email present",
 			scope:       "openid email",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.True(t, info.EmailVerified)
 				assert.Empty(t, info.Name)
@@ -131,8 +123,8 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "email scope sets email_verified false when email absent",
 			scope:       "openid email",
-			mutate:      func(u *UserinfoResponse) { u.Email = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.Email = "" },
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Empty(t, info.Email)
 				assert.False(t, info.EmailVerified)
 			},
@@ -140,7 +132,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "phone scope sets phone_number_verified true when phone present",
 			scope:       "openid phone",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "+15555550100", info.PhoneNumber)
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.True(t, *info.PhoneNumberVerified)
@@ -149,8 +141,8 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "phone scope sets phone_number_verified false when phone absent",
 			scope:       "openid phone",
-			mutate:      func(u *UserinfoResponse) { u.PhoneNumber = "" },
+			mutate:      func(u *service.UserinfoResponse) { u.PhoneNumber = "" },
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.PhoneNumberVerified)
 				assert.False(t, *info.PhoneNumberVerified)
 			},
@@ -158,7 +150,7 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "address scope returns parsed address",
 			scope:       "openid address",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				require.NotNil(t, info.Address)
 				assert.Equal(t, "123 Main St", info.Address.Formatted)
 				assert.Equal(t, "123 Main St", info.Address.StreetAddress)
@@ -171,14 +163,14 @@ func TestCompileUserinfo(t *testing.T) {
 		{
 			description: "groups scope returns split groups",
 			scope:       "openid groups",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, []string{"admins", "users"}, info.Groups)
 			},
 		},
 		{
 			description: "all scopes return all fields",
 			scope:       "openid profile email phone address groups",
-			run: func(t *testing.T, info UserinfoResponse) {
+			run: func(t *testing.T, info service.UserinfoResponse) {
 				assert.Equal(t, "Test User", info.Name)
 				assert.Equal(t, "test@example.com", info.Email)
 				assert.Equal(t, "+15555550100", info.PhoneNumber)

internal/service/policy_engine.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 )
 
 type Policy string
@@ -41,28 +40,21 @@ type PolicyEngine struct {
 	policy Policy
 }
 
-type PolicyEngineInput struct {
+func NewPolicyEngine(config model.Config, log *logger.Logger) (*PolicyEngine, error) {
-	dig.In
-
-	Log    *logger.Logger
-	Config *model.Config
-}
-
-func NewPolicyEngine(i PolicyEngineInput) (*PolicyEngine, error) {
 	engine := PolicyEngine{
-		log:   i.Log,
+		log:   log,
 		rules: make(map[RuleName]Rule),
 	}
 
-	switch i.Config.Auth.ACLs.Policy {
+	switch config.Auth.ACLs.Policy {
 	case string(PolicyAllow):
-		i.Log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
+		log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
 		engine.policy = PolicyAllow
 	case string(PolicyDeny):
-		i.Log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
+		log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
 		engine.policy = PolicyDeny
 	default:
-		return nil, fmt.Errorf("invalid acl policy: %s", i.Config.Auth.ACLs.Policy)
+		return nil, fmt.Errorf("invalid acl policy: %s", config.Auth.ACLs.Policy)
 	}
 
 	return &engine, nil

internal/service/policy_engine_test.go

@@ -1,9 +1,10 @@
-package service
+package service_test
 
 import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
@@ -11,14 +12,14 @@ import (
 // Create test rule
 type TestRule struct{}
 
-func (rule *TestRule) Evaluate(ctx *ACLContext) Effect {
+func (rule *TestRule) Evaluate(ctx *service.ACLContext) service.Effect {
 	switch ctx.Path {
 	case "/allowed":
-		return EffectAllow
+		return service.EffectAllow
 	case "/denied":
-		return EffectDeny
+		return service.EffectDeny
 	default:
-		return EffectAbstain
+		return service.EffectAbstain
 	}
 }
 
@@ -32,51 +33,36 @@ func TestPolicyEngine(t *testing.T) {
 
 	// Engine should fail with invalid policy
 	cfg.Auth.ACLs.Policy = "invalid_policy"
-	_, err := NewPolicyEngine(PolicyEngineInput{
+	_, err := service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.Error(t, err)
 
 	// Engine should initialize with 'allow' policy
-	cfg.Auth.ACLs.Policy = string(PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err := NewPolicyEngine(PolicyEngineInput{
+	engine, err := service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.NoError(t, err)
-	assert.Equal(t, PolicyAllow, engine.Policy())
+	assert.Equal(t, service.PolicyAllow, engine.Policy())
 
 	// Engine should initialize with 'deny' policy
-	cfg.Auth.ACLs.Policy = string(PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.NoError(t, err)
-	assert.Equal(t, PolicyDeny, engine.Policy())
+	assert.Equal(t, service.PolicyDeny, engine.Policy())
 
 	// Engine should allow adding rules
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 	_, ok := engine.Rules()["test-rule"]
 	assert.True(t, ok)
 
 	// Begin allow policy tests
-	cfg.Auth.ACLs.Policy = string(PolicyAllow)
+	cfg.Auth.ACLs.Policy = string(service.PolicyAllow)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 
 	// With allow policy, if rule allows, access should be allowed
-	ctx := &ACLContext{Path: "/allowed"}
+	ctx := &service.ACLContext{Path: "/allowed"}
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 
 	// With allow policy, if rule denies, access should be denied
@@ -88,11 +74,8 @@ func TestPolicyEngine(t *testing.T) {
 	assert.Equal(t, true, engine.Evaluate("test-rule", ctx))
 
 	// Begin deny policy tests
-	cfg.Auth.ACLs.Policy = string(PolicyDeny)
+	cfg.Auth.ACLs.Policy = string(service.PolicyDeny)
-	engine, err = NewPolicyEngine(PolicyEngineInput{
+	engine, err = service.NewPolicyEngine(cfg, log)
-		Log:    log,
-		Config: &cfg,
-	})
 	assert.NoError(t, err)
 	engine.RegisterRule("test-rule", testRule)
 

internal/service/tailscale_service.go

@@ -12,7 +12,6 @@ import (
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"go.uber.org/dig"
 	"tailscale.com/client/local"
 	"tailscale.com/tsnet"
 )
@@ -26,7 +25,7 @@ type TailscaleWhoisResponse struct {
 
 type TailscaleService struct {
 	log    *logger.Logger
-	config *model.Config
+	config model.Config
 	ctx    context.Context
 
 	srv *tsnet.Server
@@ -35,31 +34,22 @@ type TailscaleService struct {
 	mu  sync.Mutex
 }
 
-type TailscaleServiceInput struct {
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, dg *ding.Ding) (*TailscaleService, error) {
-	dig.In
+	if !config.Tailscale.Enabled {
-
-	Log    *logger.Logger
-	Config *model.Config
-	Ctx    context.Context
-	Ding   *ding.Ding
-}
-
-func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
-	if !i.Config.Tailscale.Enabled {
 		return nil, nil
 	}
 
 	srv := new(tsnet.Server)
 
 	// node options
-	srv.Dir = i.Config.Tailscale.Dir
+	srv.Dir = config.Tailscale.Dir
-	srv.Hostname = i.Config.Tailscale.Hostname
+	srv.Hostname = config.Tailscale.Hostname
-	srv.AuthKey = i.Config.Tailscale.AuthKey
+	srv.AuthKey = config.Tailscale.AuthKey
-	srv.Ephemeral = i.Config.Tailscale.Ephemeral
+	srv.Ephemeral = config.Tailscale.Ephemeral
 
 	// redirect logs to zerolog
-	srv.Logf = i.Log.App.Printf
+	srv.Logf = log.App.Printf
-	srv.UserLogf = i.Log.App.Printf
+	srv.UserLogf = log.App.Printf
 
 	err := srv.Start()
 
@@ -75,14 +65,14 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 	}
 
 	service := &TailscaleService{
-		log:    i.Log,
+		log:    log,
-		config: i.Config,
+		config: config,
-		ctx:    i.Ctx,
+		ctx:    ctx,
 		srv:    srv,
 		lc:     lc,
 	}
 
-	connectCtx, cancel := context.WithTimeout(i.Ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
 	defer cancel()
 
 	err = service.waitForConn(connectCtx)
@@ -92,7 +82,7 @@ func NewTailscaleService(i TailscaleServiceInput) (*TailscaleService, error) {
 		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
 	}
 
-	i.Ding.Go(service.watchAndClose, ding.RingMajor)
+	dg.Go(service.watchAndClose, ding.RingMajor)
 
 	return service, nil
 }
@@ -138,6 +128,8 @@ func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleW
 		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
 	}
 
+	ts.log.App.Debug().Interface("res", res).Msg("tailscale")
+
 	return &res, nil
 }
 

internal/test/test.go

@@ -1,6 +1,7 @@
 package test
 
 import (
+	"context"
 	"path/filepath"
 	"testing"
 
@@ -76,50 +77,6 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 					Bypass: []string{"10.10.10.10"},
 				},
 			},
-			"ip_block": {
-				Config: model.AppConfig{
-					Domain: "ip-block.example.com",
-				},
-				IP: model.AppIP{
-					Block: []string{"10.10.10.10"},
-				},
-			},
-			"oauth_group": {
-				Config: model.AppConfig{
-					Domain: "oauth-group.example.com",
-				},
-				OAuth: model.AppOAuth{
-					Whitelist: "testuser@example.com",
-					Groups:    "group1,group2",
-				},
-			},
-			"ldap_group": {
-				Config: model.AppConfig{
-					Domain: "ldap-group.example.com",
-				},
-				LDAP: model.AppLDAP{
-					Groups: "group1,group2",
-				},
-			},
-			"basic_auth": {
-				Config: model.AppConfig{
-					Domain: "basic-auth.example.com",
-				},
-				Response: model.AppResponse{
-					BasicAuth: model.AppBasicAuth{
-						Username: "test",
-						Password: "password",
-					},
-				},
-			},
-			"response_headers": {
-				Config: model.AppConfig{
-					Domain: "response-headers.example.com",
-				},
-				Response: model.AppResponse{
-					Headers: []string{"x-foo=bar"},
-				},
-			},
 		},
 	}
 
@@ -165,11 +122,23 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
 		CookieDomain:      "example.com",
 		AppURL:            "https://tinyauth.example.com",
 		SessionCookieName: "tinyauth-session",
-		TrustedDomains: []string{
+		OIDCClients: func() []model.OIDCClientConfig {
-			"https://tinyauth.example.com",
+			var clients []model.OIDCClientConfig
-			"https://tinyauth.foo.com",
+			for id, client := range config.OIDC.Clients {
-		},
+				client.ID = id
+				clients = append(clients, client)
+			}
+			return clients
+		}(),
 	}
 
 	return config, runtime
 }
+
+func CreateTestHelpers() *model.RuntimeHelpers {
+	return &model.RuntimeHelpers{
+		GetCookieDomain: func(ctx context.Context, ip string) (string, error) {
+			return "example.com", nil
+		},
+	}
+}

internal/utils/app_utils.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -87,3 +88,23 @@ func Filter[T any](slice []T, test func(T) bool) (res []T) {
 	}
 	return res
 }
+
+func IsRedirectSafe(redirectURL string, domain string) bool {
+	if redirectURL == "" {
+		return false
+	}
+
+	parsed, err := url.Parse(redirectURL)
+
+	if err != nil {
+		return false
+	}
+
+	hostname := parsed.Hostname()
+
+	if strings.HasSuffix(hostname, fmt.Sprintf(".%s", domain)) {
+		return true
+	}
+
+	return hostname == domain
+}

internal/utils/app_utils_test.go

@@ -126,6 +126,61 @@ func TestFilter(t *testing.T) {
 	assert.Equal(t, expectedStr, resultStr)
 }
 
+func TestIsRedirectSafe(t *testing.T) {
+	// Setup
+	domain := "example.com"
+
+	// Case with no subdomain
+	redirectURL := "http://example.com/welcome"
+	result := utils.IsRedirectSafe(redirectURL, domain)
+	assert.True(t, result)
+
+	// Case with different domain
+	redirectURL = "http://malicious.com/phishing"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.False(t, result)
+
+	// Case with subdomain
+	redirectURL = "http://sub.example.com/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.True(t, result)
+
+	// Case with sub-subdomain
+	redirectURL = "http://a.b.example.com/home"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.True(t, result)
+
+	// Case with empty redirect URL
+	redirectURL = ""
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.False(t, result)
+
+	// Case with invalid URL
+	redirectURL = "http://[::1]:namedport"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.False(t, result)
+
+	// Case with URL having port
+	redirectURL = "http://sub.example.com:8080/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.True(t, result)
+
+	// Case with URL having different subdomain
+	redirectURL = "http://another.example.com/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.True(t, result)
+
+	// Case with URL having different TLD
+	redirectURL = "http://example.org/page"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.False(t, result)
+
+	// Case with malicious domain
+	redirectURL = "https://malicious-example.com/yoyo"
+	result = utils.IsRedirectSafe(redirectURL, domain)
+	assert.False(t, result)
+}
+
 func TestGetStandaloneCookieDomain(t *testing.T) {
 	// Normal case
 	domain := "http://tinyauth.app"

sql/postgres/oidc_queries.sql

@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = $8
 WHERE "sub" = $9
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    $1, $2, $3
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = $1;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = $1,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = $2
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = $1;

sql/postgres/oidc_schemas.sql

@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT '',
     "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);

sql/sqlite/oidc_queries.sql

@@ -46,3 +46,28 @@ UPDATE "oidc_sessions" SET
     "userinfo_json" = ?
 WHERE "sub" = ?
 RETURNING *;
+
+-- name: CreateOIDCConsent :one
+INSERT INTO "oidc_consent" (
+    "uuid",
+    "client_id",
+    "scopes"
+) VALUES (
+    ?, ?, ?
+)
+RETURNING *;
+
+-- name: GetOIDCConsentByUUID :one
+SELECT * FROM "oidc_consent"
+WHERE "uuid" = ?;
+
+-- name: UpdateOIDCConsent :one
+UPDATE "oidc_consent" SET
+    "scopes" = ?,
+    "updated_at" = CURRENT_TIMESTAMP
+WHERE "uuid" = ?
+RETURNING *;
+
+-- name: DeleteOIDCConsentByUUID :exec
+DELETE FROM "oidc_consent"
+WHERE "uuid" = ?;

sql/sqlite/oidc_schemas.sql

@@ -9,3 +9,11 @@ CREATE TABLE IF NOT EXISTS "oidc_sessions" (
     "nonce" TEXT NOT NULL DEFAULT "",
     "userinfo_json" TEXT NOT NULL
 );
+
+CREATE TABLE IF NOT EXISTS "oidc_consent" (
+    "uuid" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    "client_id" TEXT NOT NULL,
+    "scopes" TEXT NOT NULL,
+    "created_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);