chore: update readme

fix: fix typo in public key loading
chore(deps): bump the minor-patch group across 1 directory with 3 updates (#693 )
2026-03-10 16:52:00 +00:00 · 2026-03-10 17:57:49 +02:00 · 2026-03-08 15:54:50 +02:00 · 2026-03-08 11:41:14 +02:00 · 2026-03-08 11:39:16 +02:00 · 2026-03-08 11:17:55 +02:00
41 changed files with 459 additions and 300 deletions
--- a/.env.example
+++ b/.env.example
@@ -4,14 +4,23 @@
 # The base URL where the app is hosted.
 TINYAUTH_APPURL=
 # database config
 # The path to the database, including file name.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 # analytics config
 # Enable periodic version information collection.
 TINYAUTH_ANALYTICS_ENABLED=true
 # resources config
 # Enable the resources server.
 TINYAUTH_RESOURCES_ENABLED=true
 # The directory where resources are stored.
-TINYAUTH_RESOURCESDIR="./resources"
+TINYAUTH_RESOURCES_PATH="./resources"
 # The path to the database file.
 TINYAUTH_DATABASEPATH="./tinyauth.db"
 # Disable analytics.
 TINYAUTH_DISABLEANALYTICS=false
 # Disable resources server.
 TINYAUTH_DISABLERESOURCES=false
 # server config
@@ -107,9 +116,9 @@ TINYAUTH_OAUTH_PROVIDERS_name_NAME=
 # oidc config
-# Path to the private key file.
+# Path to the private key file, including file name.
 TINYAUTH_OIDC_PRIVATEKEYPATH="./tinyauth_oidc_key"
-# Path to the public key file.
+# Path to the public key file, including file name.
 TINYAUTH_OIDC_PUBLICKEYPATH="./tinyauth_oidc_key.pub"
 # OIDC client ID.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTID=
@@ -130,8 +139,8 @@ TINYAUTH_UI_TITLE="Tinyauth"
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="You can change your password by changing the configuration."
 # Path to the background image.
 TINYAUTH_UI_BACKGROUNDIMAGE="/background.jpg"
-# Disable UI warnings.
+# Enable UI warnings.
-TINYAUTH_UI_DISABLEWARNINGS=false
+TINYAUTH_UI_WARNINGSENABLED=true
 # ldap config
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,6 @@ __debug_*
 # generated markdown (for docs)
 /config.gen.md
 # testing config
 config.certify.yml
--- a/4
+++ b/4
@@ -57,9 +57,9 @@ EXPOSE 3000
 VOLUME ["/data"]
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 ENV PATH=$PATH:/tinyauth
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -18,8 +18,8 @@ COPY ./air.toml ./
 EXPOSE 3000
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 ENTRYPOINT ["air", "-c", "air.toml"]
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@@ -60,9 +60,9 @@ EXPOSE 3000
 VOLUME ["/data"]
-ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+ENV TINYAUTH_DATABASE_PATH=/data/tinyauth.db
-ENV TINYAUTH_RESOURCESDIR=/data/resources
+ENV TINYAUTH_RESOURCES_PATH=/data/resources
 ENV PATH=$PATH:/tinyauth
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <div align="center">
    <img alt="Tinyauth" title="Tinyauth" width="96" src="assets/logo-rounded.png">
    <h1>Tinyauth</h1>
-    <p>The simplest way to protect your apps with a login screen.</p>
+    <p>The tiniest authentication and authorization server you have ever seen.</p>
 </div>
 <div align="center">
@@ -14,7 +14,7 @@
 <br />
-Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your apps. It supports all the popular proxies like Traefik, Nginx and Caddy.
+Tinyauth is the simplest and tiniest authentication and authorization server you have ever seen. It is designed to both work as an authentication middleware for your apps, offering support for OAuth, LDAP and access-controls, and as a standalone authentication server. It supports all the popular proxies like Traefik, Nginx and Caddy.
 ![Screenshot](assets/screenshot.png)
@@ -26,7 +26,7 @@ Tinyauth is a simple authentication middleware that adds a simple login screen o
 ## Getting Started
-You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
+You can get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker-compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities (keep in mind that this file lives in the development branch so it may have updates that are not yet released).
 ## Demo
@@ -40,15 +40,15 @@ If you wish to contribute to the documentation head over to the [repository](htt
 ## Discord
-Tinyauth has a [discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
+Tinyauth has a [Discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
 ## Contributing
-All contributions to the codebase are welcome! If you have any free time feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
+All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
 ## Localization
-If you would like to help translate Tinyauth into more languages, visit the [Crowdin](https://crowdin.com/project/tinyauth) page.
+If you like, you can help translate Tinyauth into more languages by visiting the [Crowdin](https://crowdin.com/project/tinyauth) page.
 ## License
--- a/cmd/tinyauth/healthcheck.go
+++ b/cmd/tinyauth/healthcheck.go
@@ -28,15 +28,18 @@ func healthcheckCmd() *cli.Command {
 		Run: func(args []string) error {
 			tlog.NewSimpleLogger().Init()
 			appUrl := "http://127.0.0.1:3000"
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
-			srvPort := os.Getenv("TINYAUTH_SERVER_PORT")
+			if srvAddr == "" {
-
+				srvAddr = "127.0.0.1"
 			if srvAddr != "" && srvPort != "" {
 				appUrl = fmt.Sprintf("http://%s:%s", srvAddr, srvPort)
 			}
 			srvPort := os.Getenv("TINYAUTH_SERVER_PORT")
 			if srvPort == "" {
 				srvPort = "3000"
 			}
 			appUrl := fmt.Sprintf("http://%s:%s", srvAddr, srvPort)
 			if len(args) > 0 {
 				appUrl = args[0]
 			}
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
@@ -13,20 +13,20 @@
        "@radix-ui/react-slot": "^1.2.4",
        "@tailwindcss/vite": "^4.2.1",
        "@tanstack/react-query": "^5.90.21",
-        "axios": "^1.13.5",
+        "axios": "^1.13.6",
        "class-variance-authority": "^0.7.1",
        "clsx": "^2.1.1",
-        "i18next": "^25.8.13",
+        "i18next": "^25.8.14",
        "i18next-browser-languagedetector": "^8.2.1",
        "i18next-resources-to-backend": "^1.2.1",
        "input-otp": "^1.4.2",
-        "lucide-react": "^0.575.0",
+        "lucide-react": "^0.577.0",
        "next-themes": "^0.4.6",
        "radix-ui": "^1.4.3",
        "react": "^19.2.4",
        "react-dom": "^19.2.4",
        "react-hook-form": "^7.71.2",
-        "react-i18next": "^16.5.4",
+        "react-i18next": "^16.5.5",
        "react-markdown": "^10.1.0",
        "react-router": "^7.13.1",
        "sonner": "^2.0.7",
@@ -37,16 +37,16 @@
      "devDependencies": {
        "@eslint/js": "^10.0.1",
        "@tanstack/eslint-plugin-query": "^5.91.4",
-        "@types/node": "^25.3.2",
+        "@types/node": "^25.3.5",
        "@types/react": "^19.2.14",
        "@types/react-dom": "^19.2.3",
        "@vitejs/plugin-react": "^5.1.4",
        "eslint": "^10.0.2",
        "eslint-plugin-react-hooks": "^7.0.1",
        "eslint-plugin-react-refresh": "^0.5.2",
-        "globals": "^17.3.0",
+        "globals": "^17.4.0",
        "prettier": "3.8.1",
-        "rollup-plugin-visualizer": "^7.0.0",
+        "rollup-plugin-visualizer": "^7.0.1",
        "tw-animate-css": "^1.4.0",
        "typescript": "~5.9.3",
        "typescript-eslint": "^8.56.1",
@@ -417,7 +417,7 @@
    "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
-    "@types/node": ["@types/node@25.3.2", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-RpV6r/ij22zRRdyBPcxDeKAzH43phWVKEjL2iksqo1Vz3CuBUrgmPpPhALKiRfU7OMCmeeO9vECBMsV0hMTG8Q=="],
+    "@types/node": ["@types/node@25.3.5", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA=="],
    "@types/react": ["@types/react@19.2.14", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w=="],
@@ -463,7 +463,7 @@
    "asynckit": ["asynckit@0.4.0", "", {}, "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="],
-    "axios": ["axios@1.13.5", "", { "dependencies": { "follow-redirects": "^1.15.11", "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q=="],
+    "axios": ["axios@1.13.6", "", { "dependencies": { "follow-redirects": "^1.15.11", "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, "sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ=="],
    "bail": ["bail@2.0.2", "", {}, "sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw=="],
@@ -613,7 +613,7 @@
    "glob-parent": ["glob-parent@6.0.2", "", { "dependencies": { "is-glob": "^4.0.3" } }, "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A=="],
-    "globals": ["globals@17.3.0", "", {}, "sha512-yMqGUQVVCkD4tqjOJf3TnrvaaHDMYp4VlUSObbkIiuCPe/ofdMBFIAcBbCSRFWOnos6qRiTVStDwqPLUclaxIw=="],
+    "globals": ["globals@17.4.0", "", {}, "sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw=="],
    "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="],
@@ -637,7 +637,7 @@
    "html-url-attributes": ["html-url-attributes@3.0.1", "", {}, "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ=="],
-    "i18next": ["i18next@25.8.13", "", { "dependencies": { "@babel/runtime": "^7.28.4" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-E0vzjBY1yM+nsFrtgkjLhST2NBkirkvOVoQa0MSldhsuZ3jUge7ZNpuwG0Cfc74zwo5ZwRzg3uOgT+McBn32iA=="],
+    "i18next": ["i18next@25.8.14", "", { "dependencies": { "@babel/runtime": "^7.28.4" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-paMUYkfWJMsWPeE/Hejcw+XLhHrQPehem+4wMo+uELnvIwvCG019L9sAIljwjCmEMtFQQO3YeitJY8Kctei3iA=="],
    "i18next-browser-languagedetector": ["i18next-browser-languagedetector@8.2.1", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-bZg8+4bdmaOiApD7N7BPT9W8MLZG+nPTOFlLiJiT8uzKXFjhxw4v2ierCXOwB5sFDMtuA5G4kgYZ0AznZxQ/cw=="],
@@ -723,7 +723,7 @@
    "lru-cache": ["lru-cache@5.1.1", "", { "dependencies": { "yallist": "^3.0.2" } }, "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w=="],
-    "lucide-react": ["lucide-react@0.575.0", "", { "peerDependencies": { "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-VuXgKZrk0uiDlWjGGXmKV6MSk9Yy4l10qgVvzGn2AWBx1Ylt0iBexKOAoA6I7JO3m+M9oeovJd3yYENfkUbOeg=="],
+    "lucide-react": ["lucide-react@0.577.0", "", { "peerDependencies": { "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-4LjoFv2eEPwYDPg/CUdBJQSDfPyzXCRrVW1X7jrx/trgxnxkHFjnVZINbzvzxjN70dxychOfg+FTYwBiS3pQ5A=="],
    "magic-string": ["magic-string@0.30.21", "", { "dependencies": { "@jridgewell/sourcemap-codec": "^1.5.5" } }, "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ=="],
@@ -843,7 +843,7 @@
    "react-hook-form": ["react-hook-form@7.71.2", "", { "peerDependencies": { "react": "^16.8.0 || ^17 || ^18 || ^19" } }, "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA=="],
-    "react-i18next": ["react-i18next@16.5.4", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-6yj+dcfMncEC21QPhOTsW8mOSO+pzFmT6uvU7XXdvM/Cp38zJkmTeMeKmTrmCMD5ToT79FmiE/mRWiYWcJYW4g=="],
+    "react-i18next": ["react-i18next@16.5.5", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-5Z35e2JMALNR16FK/LDNQoAatQTVuO/4m4uHrIzewOPXIyf75gAHzuNLSWwmj5lRDJxDvXRJDECThkxWSAReng=="],
    "react-markdown": ["react-markdown@10.1.0", "", { "dependencies": { "@types/hast": "^3.0.0", "@types/mdast": "^4.0.0", "devlop": "^1.0.0", "hast-util-to-jsx-runtime": "^2.0.0", "html-url-attributes": "^3.0.0", "mdast-util-to-hast": "^13.0.0", "remark-parse": "^11.0.0", "remark-rehype": "^11.0.0", "unified": "^11.0.0", "unist-util-visit": "^5.0.0", "vfile": "^6.0.0" }, "peerDependencies": { "@types/react": ">=18", "react": ">=18" } }, "sha512-qKxVopLT/TyA6BX3Ue5NwabOsAzm0Q7kAPwq6L+wWDwisYs7R8vZ0nRXqq6rkueboxpkjvLGU9fWifiX/ZZFxQ=="],
@@ -863,7 +863,7 @@
    "rollup": ["rollup@4.46.2", "", { "dependencies": { "@types/estree": "1.0.8" }, "optionalDependencies": { "@rollup/rollup-android-arm-eabi": "4.46.2", "@rollup/rollup-android-arm64": "4.46.2", "@rollup/rollup-darwin-arm64": "4.46.2", "@rollup/rollup-darwin-x64": "4.46.2", "@rollup/rollup-freebsd-arm64": "4.46.2", "@rollup/rollup-freebsd-x64": "4.46.2", "@rollup/rollup-linux-arm-gnueabihf": "4.46.2", "@rollup/rollup-linux-arm-musleabihf": "4.46.2", "@rollup/rollup-linux-arm64-gnu": "4.46.2", "@rollup/rollup-linux-arm64-musl": "4.46.2", "@rollup/rollup-linux-loongarch64-gnu": "4.46.2", "@rollup/rollup-linux-ppc64-gnu": "4.46.2", "@rollup/rollup-linux-riscv64-gnu": "4.46.2", "@rollup/rollup-linux-riscv64-musl": "4.46.2", "@rollup/rollup-linux-s390x-gnu": "4.46.2", "@rollup/rollup-linux-x64-gnu": "4.46.2", "@rollup/rollup-linux-x64-musl": "4.46.2", "@rollup/rollup-win32-arm64-msvc": "4.46.2", "@rollup/rollup-win32-ia32-msvc": "4.46.2", "@rollup/rollup-win32-x64-msvc": "4.46.2", "fsevents": "~2.3.2" }, "bin": { "rollup": "dist/bin/rollup" } }, "sha512-WMmLFI+Boh6xbop+OAGo9cQ3OgX9MIg7xOQjn+pTCwOkk+FNDAeAemXkJ3HzDJrVXleLOFVa1ipuc1AmEx1Dwg=="],
-    "rollup-plugin-visualizer": ["rollup-plugin-visualizer@7.0.0", "", { "dependencies": { "open": "^11.0.0", "picomatch": "^4.0.2", "source-map": "^0.7.4", "yargs": "^18.0.0" }, "peerDependencies": { "rolldown": "1.x || ^1.0.0-beta || ^1.0.0-rc", "rollup": "2.x || 3.x || 4.x" }, "optionalPeers": ["rolldown", "rollup"], "bin": { "rollup-plugin-visualizer": "dist/bin/cli.js" } }, "sha512-loo4kmhTg7GMO0hqaUv/azvLPUT2B4jXU3gNMG35gm1mWKpOzhV6rspb/Mqmsfg7oOTdkzdmOckCIwGB5Ca1CA=="],
+    "rollup-plugin-visualizer": ["rollup-plugin-visualizer@7.0.1", "", { "dependencies": { "open": "^11.0.0", "picomatch": "^4.0.2", "source-map": "^0.7.4", "yargs": "^18.0.0" }, "peerDependencies": { "rolldown": "1.x || ^1.0.0-beta || ^1.0.0-rc", "rollup": "2.x || 3.x || 4.x" }, "optionalPeers": ["rolldown", "rollup"], "bin": { "rollup-plugin-visualizer": "dist/bin/cli.js" } }, "sha512-UJUT4+1Ho4OcWmPYU3sYXgUqI8B8Ayfe06MX7y0qCJ1K8aGoKtR/NDd/2nZqM7ADkrzny+I99Ul7GgyoiVNAgg=="],
    "run-applescript": ["run-applescript@7.1.0", "", {}, "sha512-DPe5pVFaAsinSaV6QjQ6gdiedWDcRCbUuiQfQa2wmWV7+xC9bGulGI8+TdRmoFkAPaBXk8CrAbnlY2ISniJ47Q=="],
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -19,20 +19,20 @@
    "@radix-ui/react-slot": "^1.2.4",
    "@tailwindcss/vite": "^4.2.1",
    "@tanstack/react-query": "^5.90.21",
-    "axios": "^1.13.5",
+    "axios": "^1.13.6",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "i18next": "^25.8.13",
+    "i18next": "^25.8.14",
    "i18next-browser-languagedetector": "^8.2.1",
    "i18next-resources-to-backend": "^1.2.1",
    "input-otp": "^1.4.2",
-    "lucide-react": "^0.575.0",
+    "lucide-react": "^0.577.0",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
    "react-hook-form": "^7.71.2",
-    "react-i18next": "^16.5.4",
+    "react-i18next": "^16.5.5",
    "react-markdown": "^10.1.0",
    "react-router": "^7.13.1",
    "sonner": "^2.0.7",
@@ -43,16 +43,16 @@
  "devDependencies": {
    "@eslint/js": "^10.0.1",
    "@tanstack/eslint-plugin-query": "^5.91.4",
-    "@types/node": "^25.3.2",
+    "@types/node": "^25.3.5",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
    "@vitejs/plugin-react": "^5.1.4",
    "eslint": "^10.0.2",
    "eslint-plugin-react-hooks": "^7.0.1",
    "eslint-plugin-react-refresh": "^0.5.2",
-    "globals": "^17.3.0",
+    "globals": "^17.4.0",
    "prettier": "3.8.1",
-    "rollup-plugin-visualizer": "^7.0.0",
+    "rollup-plugin-visualizer": "^7.0.1",
    "tw-animate-css": "^1.4.0",
    "typescript": "~5.9.3",
    "typescript-eslint": "^8.56.1",
--- a/frontend/src/components/auth/login-form.tsx
+++ b/frontend/src/components/auth/login-form.tsx
@@ -43,7 +43,7 @@ export const LoginForm = (props: Props) => {
              <FormLabel className="mb-2">{t("loginUsername")}</FormLabel>
              <FormControl className="mb-1">
                <Input
-                  placeholder={t("loginUsername")}
+                  placeholder={t("loginUsername").toLocaleLowerCase()}
                  disabled={loading}
                  autoComplete="username"
                  {...field}
@@ -62,7 +62,7 @@ export const LoginForm = (props: Props) => {
                <FormLabel className="mb-2">{t("loginPassword")}</FormLabel>
                <FormControl>
                  <Input
-                    placeholder={t("loginPassword")}
+                    placeholder={t("loginPassword").toLowerCase()}
                    type="password"
                    disabled={loading}
                    autoComplete="current-password"
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -31,7 +31,7 @@ const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 };
 export const Layout = () => {
-  const { appUrl, disableUiWarnings } = useAppContext();
+  const { appUrl, warningsEnabled } = useAppContext();
  const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
    return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
  });
@@ -42,7 +42,7 @@ export const Layout = () => {
    setIgnoreDomainWarning(true);
  }, [setIgnoreDomainWarning]);
-  if (!ignoreDomainWarning && !disableUiWarnings && appUrl !== currentUrl) {
+  if (!ignoreDomainWarning && warningsEnabled && appUrl !== currentUrl) {
    return (
      <BaseLayout>
        <DomainWarning
--- a/frontend/src/lib/hooks/oidc.ts
+++ b/frontend/src/lib/hooks/oidc.ts
@@ -4,6 +4,7 @@ export type OIDCValues = {
  client_id: string;
  redirect_uri: string;
  state: string;
  nonce: string;
 };
 interface IuseOIDCParams {
@@ -13,7 +14,7 @@ interface IuseOIDCParams {
  missingParams: string[];
 }
-const optionalParams: string[] = ["state"];
+const optionalParams: string[] = ["state", "nonce"];
 export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
  let compiled: string = "";
@@ -26,6 +27,7 @@ export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
    client_id: params.get("client_id") ?? "",
    redirect_uri: params.get("redirect_uri") ?? "",
    state: params.get("state") ?? "",
    nonce: params.get("nonce") ?? "",
  };
  for (const key of Object.keys(values)) {
--- a/frontend/src/lib/i18n/locales/ko-KR.json
+++ b/frontend/src/lib/i18n/locales/ko-KR.json
@@ -1,83 +1,83 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "다시 오신 것을 환영합니다. 아래 방법으로 로그인하세요",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "다시 오신 것을 환영합니다. 로그인해 주세요",
-    "loginDivider": "Or",
+    "loginDivider": "또는",
-    "loginUsername": "Username",
+    "loginUsername": "사용자 이름",
-    "loginPassword": "Password",
+    "loginPassword": "비밀번호",
-    "loginSubmit": "Login",
+    "loginSubmit": "로그인",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "로그인 실패",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "사용자 이름과 비밀번호를 확인해 주세요",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "로그인을 너무 많이 시도했습니다. 나중에 다시 시도해 주세요",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "로그인 성공",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "다시 오신 것을 환영합니다!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "오류가 발생했습니다",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "OAuth URL을 가져오는 데 실패했습니다",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "리디렉션 중",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "OAuth 제공자로 리디렉션 중입니다",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth 자동 리디렉션",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "인증을 위해 OAuth 제공자로 자동 리디렉션됩니다.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "지금 리디렉션",
-    "continueTitle": "Continue",
+    "continueTitle": "계속",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "리디렉션 중...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "곧 앱으로 리디렉션됩니다",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "직접 리디렉션하기",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "안전하지 않은 리디렉션",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "<code>https</code>에서 <code>http</code>로 리디렉션하려고 합니다. 이는 안전하지 않습니다. 계속하시겠습니까?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "신뢰할 수 없는 리디렉션",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "설정된 도메인(<code>{{cookieDomain}}</code>)과 일치하지 않는 도메인으로 리디렉션하려고 합니다. 계속하시겠습니까?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "로그아웃 실패",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "다시 시도해 주세요",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "로그아웃 완료",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "로그아웃되었습니다",
-    "logoutTitle": "Logout",
+    "logoutTitle": "로그아웃",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "현재 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "현재 {{provider}} OAuth 제공자를 통해 <code>{{username}}</code>(으)로 로그인되어 있습니다. 아래 버튼을 클릭하여 로그아웃하세요.",
-    "notFoundTitle": "Page not found",
+    "notFoundTitle": "페이지를 찾을 수 없습니다",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "찾으시는 페이지가 존재하지 않습니다.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "홈으로 가기",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "코드 확인 실패",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "코드를 확인하고 다시 시도해 주세요",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "확인 완료",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "앱으로 리디렉션 중입니다",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "TOTP 코드 입력",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "인증 앱의 코드를 입력해 주세요.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "권한 없음",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "사용자 이름 <code>{{username}}</code>은(는) 리소스 <code>{{resource}}</code>에 접근할 권한이 없습니다.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "사용자 이름 <code>{{username}}</code>은(는) 로그인할 권한이 없습니다.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "사용자 이름 <code>{{username}}</code>은(는) 리소스 <code>{{resource}}</code>에서 요구하는 그룹에 속해 있지 않습니다.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "IP 주소 <code>{{ip}}</code>는 리소스 <code>{{resource}}</code>에 접근할 권한이 없습니다.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "다시 시도",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "취소",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "비밀번호를 잊으셨나요?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "인증 제공자를 불러오는 데 실패했습니다. 설정을 확인해 주세요.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "오류가 발생했습니다",
-    "errorSubtitleInfo": "The following error occurred while processing your request:",
+    "errorSubtitleInfo": "요청 처리 중 다음 오류가 발생했습니다:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "USERS 환경 변수를 변경하여 비밀번호를 재설정할 수 있습니다.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "필수 입력 항목입니다",
-    "invalidInput": "Invalid input",
+    "invalidInput": "잘못된 입력입니다",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "잘못된 도메인",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "잘못된 도메인에서 이 인스턴스에 접근하고 있습니다. 계속 진행하면 인증 문제가 발생할 수 있습니다.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "현재:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "예상:",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "무시",
-    "goToCorrectDomainTitle": "Go to correct domain",
+    "goToCorrectDomainTitle": "올바른 도메인으로 이동",
-    "authorizeTitle": "Authorize",
+    "authorizeTitle": "권한 부여",
-    "authorizeCardTitle": "Continue to {{app}}?",
+    "authorizeCardTitle": "{{app}}(으)로 계속하시겠습니까?",
-    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
+    "authorizeSubtitle": "이 앱으로 계속하시겠습니까? 앱에서 요청한 권한을 주의 깊게 검토해 주세요.",
-    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
+    "authorizeSubtitleOAuth": "이 앱으로 계속하시겠습니까?",
-    "authorizeLoadingTitle": "Loading...",
+    "authorizeLoadingTitle": "로딩 중...",
-    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
+    "authorizeLoadingSubtitle": "클라이언트 정보를 불러오는 동안 기다려 주세요.",
-    "authorizeSuccessTitle": "Authorized",
+    "authorizeSuccessTitle": "권한 부여 완료",
-    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
+    "authorizeSuccessSubtitle": "몇 초 후에 앱으로 리디렉션됩니다.",
-    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
+    "authorizeErrorClientInfo": "클라이언트 정보를 불러오는 중 오류가 발생했습니다. 나중에 다시 시도해 주세요.",
-    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
+    "authorizeErrorMissingParams": "다음 매개변수가 누락되었습니다: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
-    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
+    "openidScopeDescription": "앱이 OpenID Connect 정보에 접근할 수 있도록 허용합니다.",
-    "emailScopeName": "Email",
+    "emailScopeName": "이메일",
-    "emailScopeDescription": "Allows the app to access your email address.",
+    "emailScopeDescription": "앱이 이메일 주소에 접근할 수 있도록 허용합니다.",
-    "profileScopeName": "Profile",
+    "profileScopeName": "프로필",
-    "profileScopeDescription": "Allows the app to access your profile information.",
+    "profileScopeDescription": "앱이 프로필 정보에 접근할 수 있도록 허용합니다.",
-    "groupsScopeName": "Groups",
+    "groupsScopeName": "그룹",
-    "groupsScopeDescription": "Allows the app to access your group information."
+    "groupsScopeDescription": "앱이 그룹 정보에 접근할 수 있도록 허용합니다."
 }
--- a/frontend/src/lib/i18n/locales/nl-NL.json
+++ b/frontend/src/lib/i18n/locales/nl-NL.json
@@ -58,8 +58,8 @@
    "invalidInput": "Ongeldige invoer",
    "domainWarningTitle": "Ongeldig domein",
    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Huidig:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Verwacht:",
    "ignoreTitle": "Negeren",
    "goToCorrectDomainTitle": "Ga naar het juiste domein",
    "authorizeTitle": "Autoriseren",
--- a/frontend/src/lib/i18n/locales/pl-PL.json
+++ b/frontend/src/lib/i18n/locales/pl-PL.json
@@ -58,8 +58,8 @@
    "invalidInput": "Nieprawidłowe dane wejściowe",
    "domainWarningTitle": "Nieprawidłowa domena",
    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Bieżąca:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Oczekiwana:",
    "ignoreTitle": "Zignoruj",
    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny",
    "authorizeTitle": "Autoryzuj",
--- a/frontend/src/lib/i18n/locales/sr-SP.json
+++ b/frontend/src/lib/i18n/locales/sr-SP.json
@@ -58,8 +58,8 @@
    "invalidInput": "Неисправан унос",
    "domainWarningTitle": "Неисправан домен",
    "domainWarningSubtitle": "Ова инстанца је подешена да јој се приступа са <code>{{appUrl}}</code>, али се користи <code>{{currentUrl}}</code>. Ако наставите, можете искусити проблеме са аутентификацијом.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Тренутни:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Очекивани:",
    "ignoreTitle": "Игнориши",
    "goToCorrectDomainTitle": "Иди на исправан домен",
    "authorizeTitle": "Ауторизуј",
--- a/frontend/src/lib/i18n/locales/zh-CN.json
+++ b/frontend/src/lib/i18n/locales/zh-CN.json
@@ -54,12 +54,12 @@
    "errorSubtitleInfo": "处理您的请求时发生了以下错误：",
    "errorSubtitle": "执行此操作时发生错误，请检查控制台以获取更多信息。",
    "forgotPasswordMessage": "您可以通过更改 `USERS ` 环境变量重置您的密码。",
-    "fieldRequired": "必添字段",
+    "fieldRequired": "必填字段",
    "invalidInput": "无效的输入",
    "domainWarningTitle": "无效域名",
-    "domainWarningSubtitle": "当前实例配置的访问地址为 <code>{{appUrl}}</code>，但您正在使用 <code>{{currentUrl}}</code>。若继续操作，可能会遇到身份验证问题。",
+    "domainWarningSubtitle": "您正在从一个错误的域名访问此实例。如继续，您可能会遇到身份验证问题。",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "当前：",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "预期：",
    "ignoreTitle": "忽略",
    "goToCorrectDomainTitle": "转到正确的域名",
    "authorizeTitle": "授权",
--- a/frontend/src/pages/authorize-page.tsx
+++ b/frontend/src/pages/authorize-page.tsx
@@ -98,6 +98,7 @@ export const AuthorizePage = () => {
        client_id: props.client_id,
        redirect_uri: props.redirect_uri,
        state: props.state,
        nonce: props.nonce,
      });
    },
    mutationKey: ["authorize", props.client_id],
@@ -155,8 +156,8 @@ export const AuthorizePage = () => {
    <Card>
      <CardHeader className="mb-2">
        <div className="flex flex-col gap-3 items-center justify-center text-center">
-          <div className="bg-accent-foreground text-muted text-xl font-bold font-sans rounded-lg px-4 py-3">
+          <div className="bg-accent-foreground box-content text-muted text-xl font-bold font-sans rounded-lg size-8 p-2 flex items-center justify-center">
-            {getClientInfo.data?.name.slice(0, 1)}
+            {getClientInfo.data?.name.slice(0, 1) || "U"}
          </div>
          <CardTitle className="text-xl">
            {t("authorizeCardTitle", {
@@ -170,8 +171,8 @@ export const AuthorizePage = () => {
          </CardDescription>
        </div>
      </CardHeader>
      <CardContent className="mb-2">
      {scopes.includes("openid") && (
        <CardContent className="mb-2">
          <div className="flex flex-wrap gap-2 items-center justify-center">
            {scopes.map((id) => {
              const scope = scopeMap.find((s) => s.id === id);
@@ -189,8 +190,8 @@ export const AuthorizePage = () => {
              );
            })}
          </div>
        )}
        </CardContent>
      )}
      <CardFooter className="flex flex-col items-stretch gap-3">
        <Button
          onClick={() => authorizeMutation.mutate()}
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -14,7 +14,7 @@ import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 export const ContinuePage = () => {
-  const { cookieDomain, disableUiWarnings } = useAppContext();
+  const { cookieDomain, warningsEnabled } = useAppContext();
  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
@@ -35,10 +35,9 @@ export const ContinuePage = () => {
  const urlHref = url?.href;
  const hasValidRedirect = valid && allowedProto;
-  const showUntrustedWarning =
+  const showUntrustedWarning = hasValidRedirect && !trusted && warningsEnabled;
    hasValidRedirect && !trusted && !disableUiWarnings;
  const showInsecureWarning =
-    hasValidRedirect && httpsDowngrade && !disableUiWarnings;
+    hasValidRedirect && httpsDowngrade && warningsEnabled;
  const shouldAutoRedirect =
    isLoggedIn &&
    hasValidRedirect &&
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -258,13 +258,13 @@ export const LoginPage = () => {
          />
        )}
        {providers.length == 0 && (
-          <p className="text-center text-red-600 max-w-sm">
+          <pre className="break-normal! text-sm text-red-600">
            {t("failedToFetchProvidersTitle")}
-          </p>
+          </pre>
        )}
      </CardContent>
      <CardFooter>
      {userAuthConfigured && (
        <CardFooter>
          <Button
            className="w-full"
            type="submit"
@@ -273,8 +273,8 @@ export const LoginPage = () => {
          >
            {t("loginSubmit")}
          </Button>
        )}
        </CardFooter>
      )}
    </Card>
  );
 };
--- a/frontend/src/schemas/app-context-schema.ts
+++ b/frontend/src/schemas/app-context-schema.ts
@@ -14,7 +14,7 @@ export const appContextSchema = z.object({
  forgotPasswordMessage: z.string(),
  backgroundImage: z.string(),
  oauthAutoRedirect: z.string(),
-  disableUiWarnings: z.boolean(),
+  warningsEnabled: z.boolean(),
 });
 export type AppContextSchema = z.infer<typeof appContextSchema>;
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/steveiliop56/tinyauth
-go 1.24.0
+go 1.25.0
 toolchain go1.24.3
 replace github.com/traefik/paerser v0.2.2 => ./paerser
@@ -10,7 +8,7 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/huh v0.8.0
 	github.com/docker/docker v28.5.2+incompatible
-	github.com/gin-gonic/gin v1.11.0
+	github.com/gin-gonic/gin v1.12.0
 	github.com/go-jose/go-jose/v4 v4.1.3
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/golang-migrate/migrate/v4 v4.19.1
@@ -20,7 +18,7 @@ require (
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.34.0
 	github.com/traefik/paerser v0.2.2
-	github.com/weppos/publicsuffix-go v0.50.2
+	github.com/weppos/publicsuffix-go v0.50.3
 	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
 	golang.org/x/oauth2 v0.35.0
@@ -38,8 +36,9 @@ require (
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
 	github.com/bytedance/sonic/loader v0.5.0 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
 	github.com/charmbracelet/bubbletea v1.3.6 // indirect
@@ -59,16 +58,16 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.28.0 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
-	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.11 // indirect
@@ -98,27 +97,28 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
-	github.com/quic-go/quic-go v0.57.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
+	golang.org/x/arch v0.22.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/term v0.40.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
-	google.golang.org/protobuf v1.36.9 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -26,10 +26,12 @@ github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
 github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
-github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
 github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
 github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
 github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
 github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -95,12 +97,12 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
@@ -118,12 +120,12 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
-github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
-github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
-github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
@@ -236,8 +238,8 @@ github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
-github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -259,23 +261,27 @@ github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qq
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
-github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/weppos/publicsuffix-go v0.50.2 h1:KsJFc8IEKTJovM46SRCnGNsM+rFShxcs6VEHjOJcXzE=
+github.com/weppos/publicsuffix-go v0.50.3 h1:eT5dcjHQcVDNc0igpFEsGHKIip30feuB2zuuI9eJxiE=
-github.com/weppos/publicsuffix-go v0.50.2/go.mod h1:CbQCKDtXF8UcT7hrxeMa0MDjwhpOI9iYOU7cfq+yo8k=
+github.com/weppos/publicsuffix-go v0.50.3/go.mod h1:/rOa781xBykZhHK/I3QeHo92qdDKVmKZKF7s8qAEM/4=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
 go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
@@ -296,10 +302,10 @@ go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mx
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
-go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
@@ -314,8 +320,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
 golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -360,8 +366,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
 google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
 google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/internal/assets/migrations/000006_oidc_nonce.down.sql
+++ b/internal/assets/migrations/000006_oidc_nonce.down.sql
@@ -0,0 +1,2 @@
 ALTER TABLE "oidc_codes" DROP COLUMN "nonce";
 ALTER TABLE "oidc_tokens" DROP COLUMN "nonce";
--- a/internal/assets/migrations/000006_oidc_nonce.up.sql
+++ b/internal/assets/migrations/000006_oidc_nonce.up.sql
@@ -0,0 +1,2 @@
 ALTER TABLE "oidc_codes" ADD COLUMN "nonce" TEXT DEFAULT "";
 ALTER TABLE "oidc_tokens" ADD COLUMN "nonce" TEXT DEFAULT "";
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -124,7 +124,7 @@ func (app *BootstrapApp) Setup() error {
 	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
 	// Database
-	db, err := app.SetupDatabase(app.config.DatabasePath)
+	db, err := app.SetupDatabase(app.config.Database.Path)
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
@@ -193,7 +193,7 @@ func (app *BootstrapApp) Setup() error {
 	go app.dbCleanup(queries)
 	// If analytics are not disabled, start heartbeat
-	if !app.config.DisableAnalytics {
+	if app.config.Analytics.Enabled {
 		tlog.App.Debug().Msg("Starting heartbeat routine")
 		go app.heartbeat()
 	}
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -71,7 +71,7 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
-		DisableUIWarnings:     app.config.UI.DisableWarnings,
+		WarningsEnabled:       app.config.UI.WarningsEnabled,
 	}, apiRouter)
 	contextController.SetupRoutes()
@@ -103,8 +103,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	userController.SetupRoutes()
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		ResourcesDir:      app.config.ResourcesDir,
+		Path:    app.config.Resources.Path,
-		ResourcesDisabled: app.config.DisableResources,
+		Enabled: app.config.Resources.Enabled,
 	}, &engine.RouterGroup)
 	resourcesController.SetupRoutes()
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -3,8 +3,16 @@ package config
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
-		ResourcesDir: "./resources",
+		Database: DatabaseConfig{
-		DatabasePath: "./tinyauth.db",
+			Path: "./tinyauth.db",
 		},
 		Analytics: AnalyticsConfig{
 			Enabled: true,
 		},
 		Resources: ResourcesConfig{
 			Enabled: true,
 			Path:    "./resources",
 		},
 		Server: ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
@@ -19,6 +27,7 @@ func NewDefaultConfiguration() *Config {
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 			WarningsEnabled:       true,
 		},
 		Ldap: LdapConfig{
 			Insecure:      false,
@@ -69,10 +78,9 @@ var RedirectCookieName = "tinyauth-redirect"
 type Config struct {
 	AppURL       string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	ResourcesDir     string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
+	Database     DatabaseConfig     `description:"Database configuration." yaml:"database"`
-	DatabasePath     string             `description:"The path to the database file." yaml:"databasePath"`
+	Analytics    AnalyticsConfig    `description:"Analytics configuration." yaml:"analytics"`
-	DisableAnalytics bool               `description:"Disable analytics." yaml:"disableAnalytics"`
+	Resources    ResourcesConfig    `description:"Resources configuration." yaml:"resources"`
 	DisableResources bool               `description:"Disable resources server." yaml:"disableResources"`
 	Server       ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth         AuthConfig         `description:"Authentication configuration." yaml:"auth"`
 	Apps         map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
@@ -84,6 +92,19 @@ type Config struct {
 	Log          LogConfig          `description:"Logging configuration." yaml:"log"`
 }
 type DatabaseConfig struct {
 	Path string `description:"The path to the database, including file name." yaml:"path"`
 }
 type AnalyticsConfig struct {
 	Enabled bool `description:"Enable periodic version information collection." yaml:"enabled"`
 }
 type ResourcesConfig struct {
 	Enabled bool   `description:"Enable the resources server." yaml:"enabled"`
 	Path    string `description:"The directory where resources are stored." yaml:"path"`
 }
 type ServerConfig struct {
 	Port       int    `description:"The port on which the server listens." yaml:"port"`
 	Address    string `description:"The address on which the server listens." yaml:"address"`
@@ -114,8 +135,8 @@ type OAuthConfig struct {
 }
 type OIDCConfig struct {
-	PrivateKeyPath string                      `description:"Path to the private key file." yaml:"privateKeyPath"`
+	PrivateKeyPath string                      `description:"Path to the private key file, including file name." yaml:"privateKeyPath"`
-	PublicKeyPath  string                      `description:"Path to the public key file." yaml:"publicKeyPath"`
+	PublicKeyPath  string                      `description:"Path to the public key file, including file name." yaml:"publicKeyPath"`
 	Clients        map[string]OIDCClientConfig `description:"OIDC clients configuration." yaml:"clients"`
 }
@@ -123,7 +144,7 @@ type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
-	DisableWarnings       bool   `description:"Disable UI warnings." yaml:"disableWarnings"`
+	WarningsEnabled       bool   `description:"Enable UI warnings." yaml:"warningsEnabled"`
 }
 type LdapConfig struct {
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -33,7 +33,7 @@ type AppContextResponse struct {
 	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
 	BackgroundImage       string     `json:"backgroundImage"`
 	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
-	DisableUIWarnings     bool       `json:"disableUiWarnings"`
+	WarningsEnabled       bool       `json:"warningsEnabled"`
 }
 type Provider struct {
@@ -50,7 +50,7 @@ type ContextControllerConfig struct {
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
-	DisableUIWarnings     bool
+	WarningsEnabled       bool
 }
 type ContextController struct {
@@ -59,7 +59,7 @@ type ContextController struct {
 }
 func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
-	if config.DisableUIWarnings {
+	if !config.WarningsEnabled {
 		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}
@@ -124,6 +124,6 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
-		DisableUIWarnings:     controller.config.DisableUIWarnings,
+		WarningsEnabled:       controller.config.WarningsEnabled,
 	})
 }
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -32,7 +32,7 @@ var contextControllerCfg = controller.ContextControllerConfig{
 	ForgotPasswordMessage: "Contact admin to reset your password.",
 	BackgroundImage:       "/assets/bg.jpg",
 	OAuthAutoRedirect:     "google",
-	DisableUIWarnings:     false,
+	WarningsEnabled:       true,
 }
 var contextCtrlTestContext = config.UserContext{
@@ -82,7 +82,7 @@ func TestAppContextHandler(t *testing.T) {
 		ForgotPasswordMessage: contextControllerCfg.ForgotPasswordMessage,
 		BackgroundImage:       contextControllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
-		DisableUIWarnings:     contextControllerCfg.DisableUIWarnings,
+		WarningsEnabled:       contextControllerCfg.WarningsEnabled,
 	}
 	router, recorder := setupContextController(nil)
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -24,7 +24,7 @@ type OIDCController struct {
 type AuthorizeCallback struct {
 	Code  string `url:"code"`
-	State string `url:"state"`
+	State string `url:"state,omitempty"`
 }
 type TokenRequest struct {
@@ -231,7 +231,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		if !ok {
 			tlog.App.Error().Msg("Missing authorization header")
 			c.Header("www-authenticate", "basic")
-			c.JSON(401, gin.H{
+			c.JSON(400, gin.H{
 				"error": "invalid_client",
 			})
 			return
@@ -296,7 +296,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}
-		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry.Sub, entry.Scope)
+		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry)
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to generate access token")
@@ -313,7 +313,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
 				tlog.App.Error().Err(err).Msg("Refresh token expired")
-				c.JSON(401, gin.H{
+				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
@@ -321,7 +321,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			if errors.Is(err, service.ErrInvalidClient) {
 				tlog.App.Error().Err(err).Msg("Invalid client")
-				c.JSON(401, gin.H{
+				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
@@ -337,6 +337,9 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		tokenResponse = tokenRes
 	}
 	c.Header("cache-control", "no-store")
 	c.Header("pragma", "no-cache")
 	c.JSON(200, tokenResponse)
 }
--- a/internal/controller/resources_controller.go
+++ b/internal/controller/resources_controller.go
@@ -7,8 +7,8 @@ import (
 )
 type ResourcesControllerConfig struct {
-	ResourcesDir      string
+	Path    string
-	ResourcesDisabled bool
+	Enabled bool
 }
 type ResourcesController struct {
@@ -18,7 +18,7 @@ type ResourcesController struct {
 }
 func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.ResourcesDir)))
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.Path)))
 	return &ResourcesController{
 		config:     config,
@@ -32,14 +32,14 @@ func (controller *ResourcesController) SetupRoutes() {
 }
 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	if controller.config.ResourcesDir == "" {
+	if controller.config.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Resources not found",
 		})
 		return
 	}
-	if controller.config.ResourcesDisabled {
+	if !controller.config.Enabled {
 		c.JSON(403, gin.H{
 			"status":  403,
 			"message": "Resources are disabled",
--- a/internal/controller/resources_controller_test.go
+++ b/internal/controller/resources_controller_test.go
@@ -18,7 +18,8 @@ func TestResourcesHandler(t *testing.T) {
 	group := router.Group("/")
 	ctrl := controller.NewResourcesController(controller.ResourcesControllerConfig{
-		ResourcesDir: "/tmp/tinyauth",
+		Path:    "/tmp/tinyauth",
 		Enabled: true,
 	}, group)
 	ctrl.SetupRoutes()
--- a/internal/controller/well_known_controller.go
+++ b/internal/controller/well_known_controller.go
@@ -59,7 +59,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		SubjectTypesSupported:             []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "groups"},
+		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }
--- a/internal/repository/models.go
+++ b/internal/repository/models.go
@@ -11,6 +11,7 @@ type OidcCode struct {
 	RedirectURI string
 	ClientID    string
 	ExpiresAt   int64
 	Nonce       string
 }
 type OidcToken struct {
@@ -21,6 +22,7 @@ type OidcToken struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 }
 type OidcUserinfo struct {
--- a/internal/repository/oidc_queries.sql.go
+++ b/internal/repository/oidc_queries.sql.go
@@ -16,11 +16,12 @@ INSERT INTO "oidc_codes" (
    "scope",
    "redirect_uri",
    "client_id",
-    "expires_at"
+    "expires_at",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 type CreateOidcCodeParams struct {
@@ -30,6 +31,7 @@ type CreateOidcCodeParams struct {
 	RedirectURI string
 	ClientID    string
 	ExpiresAt   int64
 	Nonce       string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
@@ -40,6 +42,7 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 	)
 	var i OidcCode
 	err := row.Scan(
@@ -49,6 +52,7 @@ func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams)
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
@@ -61,11 +65,12 @@ INSERT INTO "oidc_tokens" (
    "scope",
    "client_id",
    "token_expires_at",
-    "refresh_token_expires_at"
+    "refresh_token_expires_at",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type CreateOidcTokenParams struct {
@@ -76,6 +81,7 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 }
 func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
@@ -87,6 +93,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.Nonce,
 	)
 	var i OidcToken
 	err := row.Scan(
@@ -97,6 +104,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
@@ -148,7 +156,7 @@ func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfo
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
@@ -167,6 +175,7 @@ func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) (
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 		); err != nil {
 			return nil, err
 		}
@@ -184,7 +193,7 @@ func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) (
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type DeleteExpiredOidcTokensParams struct {
@@ -209,6 +218,7 @@ func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpired
 			&i.ClientID,
 			&i.TokenExpiresAt,
 			&i.RefreshTokenExpiresAt,
 			&i.Nonce,
 		); err != nil {
 			return nil, err
 		}
@@ -276,7 +286,7 @@ func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
@@ -289,6 +299,7 @@ func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, e
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
@@ -296,7 +307,7 @@ func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, e
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = ?
-RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at
+RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
@@ -309,12 +320,13 @@ func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, e
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at FROM "oidc_codes"
+SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce FROM "oidc_codes"
 WHERE "sub" = ?
 `
@@ -328,12 +340,13 @@ func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcC
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
-SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at FROM "oidc_codes"
+SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce FROM "oidc_codes"
 WHERE "code_hash" = ?
 `
@@ -347,12 +360,13 @@ func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcC
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `
@@ -367,12 +381,13 @@ func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (Oid
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `
@@ -387,12 +402,13 @@ func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHa
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = ?
 `
@@ -407,6 +423,7 @@ func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
@@ -437,7 +454,7 @@ UPDATE "oidc_tokens" SET
    "token_expires_at" = ?,
    "refresh_token_expires_at" = ?
 WHERE "refresh_token_hash" = ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at
+RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type UpdateOidcTokenByRefreshTokenParams struct {
@@ -465,6 +482,7 @@ func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateO
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -8,6 +8,7 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"database/sql"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -46,14 +47,21 @@ type ClaimSet struct {
 	Sub               string   `json:"sub"`
 	Iat               int64    `json:"iat"`
 	Exp               int64    `json:"exp"`
 	Name              string   `json:"name,omitempty"`
 	Email             string   `json:"email,omitempty"`
 	EmailVerified     bool     `json:"email_verified,omitempty"`
 	PreferredUsername string   `json:"preferred_username,omitempty"`
 	Groups            []string `json:"groups,omitempty"`
 	Nonce             string   `json:"nonce,omitempty"`
 }
 type UserinfoResponse struct {
 	Sub               string   `json:"sub"`
-	Name              string   `json:"name"`
+	Name              string   `json:"name,omitempty"`
-	Email             string   `json:"email"`
+	Email             string   `json:"email,omitempty"`
-	PreferredUsername string   `json:"preferred_username"`
+	PreferredUsername string   `json:"preferred_username,omitempty"`
-	Groups            []string `json:"groups"`
+	Groups            []string `json:"groups,omitempty"`
 	EmailVerified     bool     `json:"email_verified,omitempty"`
 	UpdatedAt         int64    `json:"updated_at"`
 }
@@ -71,7 +79,8 @@ type AuthorizeRequest struct {
 	ResponseType string `json:"response_type" binding:"required"`
 	ClientID     string `json:"client_id" binding:"required"`
 	RedirectURI  string `json:"redirect_uri" binding:"required"`
-	State        string `json:"state" binding:"required"`
+	State        string `json:"state"`
 	Nonce        string `json:"nonce"`
 }
 type OIDCServiceConfig struct {
@@ -152,6 +161,7 @@ func (service *OIDCService) Init() error {
 			Type:  "RSA PRIVATE KEY",
 			Bytes: der,
 		})
 		tlog.App.Trace().Str("type", "RSA PRIVATE KEY").Msg("Generated private RSA key")
 		err = os.WriteFile(service.config.PrivateKeyPath, encoded, 0600)
 		if err != nil {
 			return err
@@ -162,6 +172,7 @@ func (service *OIDCService) Init() error {
 		if block == nil {
 			return errors.New("failed to decode private key")
 		}
 		tlog.App.Trace().Str("type", block.Type).Msg("Loaded private key")
 		privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
 		if err != nil {
 			return err
@@ -185,6 +196,7 @@ func (service *OIDCService) Init() error {
 			Type:  "RSA PUBLIC KEY",
 			Bytes: der,
 		})
 		tlog.App.Trace().Str("type", "RSA PUBLIC KEY").Msg("Generated public RSA key")
 		err = os.WriteFile(service.config.PublicKeyPath, encoded, 0644)
 		if err != nil {
 			return err
@@ -195,11 +207,23 @@ func (service *OIDCService) Init() error {
 		if block == nil {
 			return errors.New("failed to decode public key")
 		}
 		tlog.App.Trace().Str("type", block.Type).Msg("Loaded public key")
 		switch block.Type {
 		case "RSA PUBLIC KEY":
 			publicKey, err := x509.ParsePKCS1PublicKey(block.Bytes)
 			if err != nil {
 				return err
 			}
 			service.publicKey = publicKey
 		case "PUBLIC KEY":
 			publicKey, err := x509.ParsePKIXPublicKey(block.Bytes)
 			if err != nil {
 				return err
 			}
 			service.publicKey = publicKey.(crypto.PublicKey)
 		default:
 			return fmt.Errorf("unsupported public key type: %s", block.Type)
 		}
 	}
 	// We will reorganize the client into a map with the client ID as the key
@@ -207,6 +231,9 @@ func (service *OIDCService) Init() error {
 	for id, client := range service.config.Clients {
 		client.ID = id
 		if client.Name == "" {
 			client.Name = utils.Capitalize(client.ID)
 		}
 		service.clients[client.ClientID] = client
 	}
@@ -288,6 +315,7 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
 		RedirectURI: req.RedirectURI,
 		ClientID:    req.ClientID,
 		ExpiresAt:   expiresAt,
 		Nonce:       req.Nonce,
 	})
 	return err
@@ -349,10 +377,20 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
 	return oidcCode, nil
 }
-func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub string) (string, error) {
+func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
 	createdAt := time.Now().Unix()
 	expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
 	hasher := sha256.New()
 	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
 	if der == nil {
 		return "", errors.New("failed to marshal public key")
 	}
 	hasher.Write(der)
 	signer, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: jose.RS256,
 		Key:       service.privateKey,
@@ -360,6 +398,7 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 		ExtraHeaders: map[jose.HeaderKey]any{
 			"typ": "jwt",
 			"jku": fmt.Sprintf("%s/.well-known/jwks.json", service.issuer),
 			"kid": base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 		},
 	})
@@ -367,12 +406,20 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 		return "", err
 	}
 	userInfo := service.CompileUserinfo(user, scope)
 	claims := ClaimSet{
 		Iss:               service.issuer,
 		Aud:               client.ClientID,
-		Sub: sub,
+		Sub:               user.Sub,
 		Iat:               createdAt,
 		Exp:               expiresAt,
 		Name:              userInfo.Name,
 		Email:             userInfo.Email,
 		EmailVerified:     userInfo.EmailVerified,
 		PreferredUsername: userInfo.PreferredUsername,
 		Groups:            userInfo.Groups,
 		Nonce:             nonce,
 	}
 	payload, err := json.Marshal(claims)
@@ -396,8 +443,14 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, sub
 	return token, nil
 }
-func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OIDCClientConfig, sub string, scope string) (TokenResponse, error) {
+func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OIDCClientConfig, codeEntry repository.OidcCode) (TokenResponse, error) {
-	idToken, err := service.generateIDToken(client, sub)
+	user, err := service.GetUserinfo(c, codeEntry.Sub)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(client, user, codeEntry.Scope, codeEntry.Nonce)
 	if err != nil {
 		return TokenResponse{}, err
@@ -417,17 +470,18 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		TokenType:    "Bearer",
 		ExpiresIn:    int64(service.config.SessionExpiry),
 		IDToken:      idToken,
-		Scope:        strings.ReplaceAll(scope, ",", " "),
+		Scope:        strings.ReplaceAll(codeEntry.Scope, ",", " "),
 	}
 	_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
-		Sub:                   sub,
+		Sub:                   codeEntry.Sub,
 		AccessTokenHash:       service.Hash(accessToken),
 		RefreshTokenHash:      service.Hash(refreshToken),
 		ClientID:              client.ClientID,
-		Scope:                 scope,
+		Scope:                 codeEntry.Scope,
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refrshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
 	})
 	if err != nil {
@@ -456,9 +510,15 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
 		return TokenResponse{}, ErrInvalidClient
 	}
 	user, err := service.GetUserinfo(c, entry.Sub)
 	if err != nil {
 		return TokenResponse{}, err
 	}
 	idToken, err := service.generateIDToken(config.OIDCClientConfig{
 		ClientID: entry.ClientID,
-	}, entry.Sub)
+	}, user, entry.Scope, entry.Nonce)
 	if err != nil {
 		return TokenResponse{}, err
@@ -552,6 +612,8 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 	if slices.Contains(scopes, "email") {
 		userInfo.Email = user.Email
 		// We can set this as a configuration option in the future but for now it's a good idea to assume it's true
 		userInfo.EmailVerified = true
 	}
 	if slices.Contains(scopes, "groups") {
@@ -643,10 +705,21 @@ func (service *OIDCService) Cleanup() {
 }
 func (service *OIDCService) GetJWK() ([]byte, error) {
 	hasher := sha256.New()
 	der := x509.MarshalPKCS1PublicKey(&service.privateKey.PublicKey)
 	if der == nil {
 		return nil, errors.New("failed to marshal public key")
 	}
 	hasher.Write(der)
 	jwk := jose.JSONWebKey{
 		Key:       service.privateKey,
 		Algorithm: string(jose.RS256),
 		Use:       "sig",
 		KeyID:     base64.URLEncoding.EncodeToString(hasher.Sum(nil)),
 	}
 	return jwk.Public().MarshalJSON()
--- a/internal/utils/loaders/loader_file.go
+++ b/internal/utils/loaders/loader_file.go
@@ -1,6 +1,8 @@
 package loaders
 import (
 	"os"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/paerser/file"
@@ -16,12 +18,17 @@ func (f *FileLoader) Load(args []string, cmd *cli.Command) (bool, error) {
 		return false, err
 	}
-	// I guess we are using traefik as the root name
+	// I guess we are using traefik as the root name (we can't change it)
-	configFileFlag := "traefik.experimental.configFile"
+	configFileFlag := "traefik.experimental.configfile"
 	envVar := "TINYAUTH_EXPERIMENTAL_CONFIGFILE"
 	if _, ok := flags[configFileFlag]; !ok {
 		if value := os.Getenv(envVar); value != "" {
 			flags[configFileFlag] = value
 		} else {
 			return false, nil
 		}
 	}
 	log.Warn().Msg("Using experimental file config loader, this feature is experimental and may change or be removed in future releases")
--- a/sql/oidc_queries.sql
+++ b/sql/oidc_queries.sql
@@ -5,9 +5,10 @@ INSERT INTO "oidc_codes" (
    "scope",
    "redirect_uri",
    "client_id",
-    "expires_at"
+    "expires_at",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
@@ -45,9 +46,10 @@ INSERT INTO "oidc_tokens" (
    "scope",
    "client_id",
    "token_expires_at",
-    "refresh_token_expires_at"
+    "refresh_token_expires_at",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
@@ -72,7 +74,6 @@ WHERE "refresh_token_hash" = ?;
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
--- a/sql/oidc_schemas.sql
+++ b/sql/oidc_schemas.sql
@@ -4,7 +4,8 @@ CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
-    "expires_at" INTEGER NOT NULL
+    "expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
@@ -14,7 +15,8 @@ CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
-    "refresh_token_expires_at" INTEGER NOT NULL
+    "refresh_token_expires_at" INTEGER NOT NULL,
    "nonce" TEXT DEFAULT ""
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
--- a/sqlc.yml
+++ b/sqlc.yml
@@ -22,3 +22,7 @@ sql:
            go_type: "string"
          - column: "sessions.ldap_groups"
            go_type: "string"
          - column: "oidc_codes.nonce"
            go_type: "string"
          - column: "oidc_tokens.nonce"
            go_type: "string"
Author	SHA1	Message	Date
Stavros	55c33f7a8e	chore: update readme	2026-03-10 17:57:49 +02:00
Stavros	b6eb902d47	fix: fix typo in public key loading	2026-03-08 15:54:50 +02:00
dependabot[bot]	88de8856b2	chore(deps): bump the minor-patch group across 1 directory with 3 updates (#693 ) Bumps the minor-patch group with 3 updates in the /frontend directory: [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react), [react-i18next](https://github.com/i18next/react-i18next) and [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `lucide-react` from 0.576.0 to 0.577.0 - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/0.577.0/packages/lucide-react) Updates `react-i18next` from 16.5.4 to 16.5.5 - [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/react-i18next/compare/v16.5.4...v16.5.5) Updates `@types/node` from 25.3.3 to 25.3.5 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: lucide-react dependency-version: 0.577.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-patch - dependency-name: react-i18next dependency-version: 16.5.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: "@types/node" dependency-version: 25.3.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-08 11:41:14 +02:00
Stavros	e3bd834b85	fix: support pkix public keys in oidc	2026-03-08 11:39:16 +02:00
Luiz Felipe Fontes Botelho	f80be1ca61	fix: update healthcheck to use server address and port individually (#698 )	2026-03-08 11:17:55 +02:00
Stavros	d7d540000f	fix: state should not be a required field in oidc	2026-03-08 11:17:44 +02:00
Stavros	766270f5d6	fix: add kid header to id token	2026-03-08 11:07:15 +02:00
Stavros	1d76cb84b9	New Crowdin updates (#684 ) * New translations en.json (Korean) * New translations en.json (Dutch) * New translations en.json (Chinese Simplified)	2026-03-04 19:41:21 +02:00
dependabot[bot]	e8c8343fcf	chore(deps): bump the minor-patch group in /frontend with 2 updates (#688 ) Bumps the minor-patch group in /frontend with 2 updates: [i18next](https://github.com/i18next/i18next) and [rollup-plugin-visualizer](https://github.com/btd/rollup-plugin-visualizer). Updates `i18next` from 25.8.13 to 25.8.14 - [Release notes](https://github.com/i18next/i18next/releases) - [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/i18next/compare/v25.8.13...v25.8.14) Updates `rollup-plugin-visualizer` from 7.0.0 to 7.0.1 - [Changelog](https://github.com/btd/rollup-plugin-visualizer/blob/master/CHANGELOG.md) - [Commits](https://github.com/btd/rollup-plugin-visualizer/compare/v7.0.0...v7.0.1) --- updated-dependencies: - dependency-name: i18next dependency-version: 25.8.14 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: rollup-plugin-visualizer dependency-version: 7.0.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-04 19:40:40 +02:00
dependabot[bot]	a7d7959a82	chore(deps): bump github.com/weppos/publicsuffix-go (#687 ) Bumps the minor-patch group with 1 update: [github.com/weppos/publicsuffix-go](https://github.com/weppos/publicsuffix-go). Updates `github.com/weppos/publicsuffix-go` from 0.50.2 to 0.50.3 - [Changelog](https://github.com/weppos/publicsuffix-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/weppos/publicsuffix-go/compare/v0.50.2...v0.50.3) --- updated-dependencies: - dependency-name: github.com/weppos/publicsuffix-go dependency-version: 0.50.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-04 19:40:11 +02:00
Stavros	69c6c0ba1d	fix: add cache control header to token response	2026-03-04 19:38:52 +02:00
Stavros	a71f61df8d	feat: add email verified claim	2026-03-04 15:52:31 +02:00
Stavros	6bf444010b	feat: add nonce claim support to oidc server (#686 ) * feat: add nonce claim support to oidc server * fix: review feedback	2026-03-04 15:34:11 +02:00
Stavros	0e6bcf9713	fix: lookup config file options correctly in file loader	2026-03-03 22:48:44 +02:00
Stavros	af5a8bc452	fix: handle empty client name in authorize page	2026-03-03 22:48:44 +02:00
Stavros	de980815ce	fix: include kid in jwks response	2026-03-03 22:48:44 +02:00
Stavros	189ad7115a	New translations en.json (Serbian (Cyrillic)) (#683 )	2026-03-02 20:17:41 +02:00
Stavros	2f2556d480	fix: set correct paths in dockerfiles	2026-03-02 20:15:51 +02:00
Stavros	f1512f45b7	chore: update example env	2026-03-02 19:53:17 +02:00
Stavros	cd410b6cdf	refactor: categorize leftover config options (#682 ) * refactor: categorize leftover config options * chore: update config description	2026-03-02 19:49:59 +02:00
Stavros	24c5b35bdf	feat: add user info claims to id token (#681 ) * feat: add user info claims to id token * fix: omit empty user info values	2026-03-02 16:08:17 +02:00
dependabot[bot]	0d7daafa35	chore(deps): bump the minor-patch group in /frontend with 4 updates (#680 ) Bumps the minor-patch group in /frontend with 4 updates: [axios](https://github.com/axios/axios), [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [globals](https://github.com/sindresorhus/globals). Updates `axios` from 1.13.5 to 1.13.6 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v1.13.5...v1.13.6) Updates `lucide-react` from 0.575.0 to 0.576.0 - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/0.576.0/packages/lucide-react) Updates `@types/node` from 25.3.2 to 25.3.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `globals` from 17.3.0 to 17.4.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](https://github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: lucide-react dependency-version: 0.576.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-patch - dependency-name: "@types/node" dependency-version: 25.3.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: minor-patch - dependency-name: globals dependency-version: 17.4.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-02 16:05:25 +02:00
Stavros	414fab11fb	New Crowdin updates (#678 ) * New translations en.json (Polish) * New translations en.json (Dutch)	2026-03-02 16:03:43 +02:00
dependabot[bot]	ced28a0045	chore(deps): bump github.com/gin-gonic/gin in the minor-patch group (#679 ) Bumps the minor-patch group with 1 update: [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin). Updates `github.com/gin-gonic/gin` from 1.11.0 to 1.12.0 - [Release notes](https://github.com/gin-gonic/gin/releases) - [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md) - [Commits](https://github.com/gin-gonic/gin/compare/v1.11.0...v1.12.0) --- updated-dependencies: - dependency-name: github.com/gin-gonic/gin dependency-version: 1.12.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-02 16:02:32 +02:00
Stavros	c48181a8d8	refactor: use lowercase translated placeholders in login form	2026-03-02 15:58:52 +02:00
Stavros	06a26e976b	fix: fix authorize app initial box not being a box	2026-03-02 15:50:08 +02:00
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE "oidc_codes" DROP COLUMN "nonce";`
							`ALTER TABLE "oidc_tokens" DROP COLUMN "nonce";`
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE "oidc_codes" ADD COLUMN "nonce" TEXT DEFAULT "";`
							`ALTER TABLE "oidc_tokens" ADD COLUMN "nonce" TEXT DEFAULT "";`