Merge branch 'lib' of github.com:nhost/nhost into lib

Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -32,6 +32,7 @@ Where `PKG` is:
 - `deps`: For changes to dependencies
 - `docs`: For changes to the documentation
 - `examples`: For changes to the examples
+- `internal/lib`: For changes to Nhost's common libraries (internal)
 - `mintlify-openapi`: For changes to the Mintlify OpenAPI tool
 - `nhost-js`: For changes to the Nhost JavaScript SDK
 - `nixops`: For changes to the NixOps

.github/actions/validate-pr-title/action.yaml

@@ -17,7 +17,7 @@ runs:
 
         # Define valid types and packages
         VALID_TYPES="feat|fix|chore"
-        VALID_PKGS="auth|ci|cli|codegen|dashboard|deps|docs|examples|mintlify-openapi|nhost-js|nixops|storage"
+        VALID_PKGS="auth|ci|cli|codegen|dashboard|deps|docs|examples|internal\/lib|mintlify-openapi|nhost-js|nixops|storage"
 
         # Check if title matches the pattern TYPE(PKG): SUMMARY
         if [[ ! "$PR_TITLE" =~ ^(${VALID_TYPES})\((${VALID_PKGS})\):\ .+ ]]; then

.github/workflows/auth_checks.yaml

@@ -17,6 +17,7 @@ on:
       - '.golangci.yaml'
       - 'go.mod'
       - 'go.sum'
+      - 'internal/lib/**'
       - 'vendor/**'
 
       # auth
@@ -48,7 +49,7 @@ jobs:
     with:
       NAME: auth
       PATH: services/auth
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -63,7 +64,7 @@ jobs:
     with:
       NAME: auth
       PATH: services/auth
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:

.github/workflows/cli_checks.yaml

@@ -49,7 +49,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -64,7 +64,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:
@@ -80,7 +80,7 @@ jobs:
     with:
       NAME: cli
       PATH: cli
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}

.github/workflows/codegen_checks.yaml

@@ -47,7 +47,7 @@ jobs:
     with:
       NAME: codegen
       PATH: tools/codegen
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -61,7 +61,7 @@ jobs:
     with:
       NAME: codegen
       PATH: tools/codegen
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
     secrets:

.github/workflows/dashboard_checks.yaml

@@ -54,7 +54,7 @@ jobs:
       - check-permissions
     with:
       NAME: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       ENVIRONMENT: preview
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -73,7 +73,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'
@@ -91,7 +91,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
       NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
@@ -107,7 +107,7 @@ jobs:
     with:
       NAME: dashboard
       PATH: dashboard
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       NHOST_TEST_DASHBOARD_URL: ${{ needs.deploy-vercel.outputs.preview-url }}
       NHOST_TEST_PROJECT_NAME: ${{ vars.NHOST_TEST_PROJECT_NAME }}
       NHOST_TEST_ORGANIZATION_NAME: ${{ vars.NHOST_TEST_ORGANIZATION_NAME }}

.github/workflows/docs_checks.yaml

@@ -62,7 +62,7 @@ jobs:
     with:
       NAME: docs
       PATH: docs
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
       NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}

.github/workflows/examples_demos_checks.yaml

@@ -63,7 +63,7 @@ jobs:
     with:
       NAME: demos
       PATH: examples/demos
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -77,7 +77,7 @@ jobs:
     with:
       NAME: demos
       PATH: examples/demos
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/examples_guides_checks.yaml

@@ -63,7 +63,7 @@ jobs:
     with:
       NAME: guides
       PATH: examples/guides
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -77,7 +77,7 @@ jobs:
     with:
       NAME: guides
       PATH: examples/guides
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/examples_tutorials_checks.yaml

@@ -63,7 +63,7 @@ jobs:
     with:
       NAME: tutorials
       PATH: examples/tutorials
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -77,7 +77,7 @@ jobs:
     with:
       NAME: tutorials
       PATH: examples/tutorials
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
       OS_MATRIX: '["blacksmith-2vcpu-ubuntu-2404"]'

.github/workflows/nhost-js_checks.yaml

@@ -64,7 +64,7 @@ jobs:
     with:
       NAME: nhost-js
       PATH: packages/nhost-js
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -78,7 +78,7 @@ jobs:
     with:
       NAME: nhost-js
       PATH: packages/nhost-js
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: false
     secrets:

.github/workflows/nixops_checks.yaml

@@ -39,7 +39,7 @@ jobs:
     with:
       NAME: nixops
       PATH: nixops
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -53,7 +53,7 @@ jobs:
     with:
       NAME: nixops
       PATH: nixops
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:

.github/workflows/storage_checks.yaml

@@ -17,6 +17,7 @@ on:
       - '.golangci.yaml'
       - 'go.mod'
       - 'go.sum'
+      - 'internal/lib/**'
       - 'vendor/**'
 
       # storage
@@ -48,7 +49,7 @@ jobs:
     with:
       NAME: storage
       PATH: services/storage
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
 
     secrets:
       AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
@@ -63,7 +64,7 @@ jobs:
     with:
       NAME: storage
       PATH: services/storage
-      GIT_REF: ${{ github.sha }}
+      GIT_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
       VERSION: 0.0.0-dev # we use a fixed version here to avoid unnecessary rebuilds
       DOCKER: true
     secrets:

cli/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [cli@1.34.4] - 2025-10-28
+
+### 🐛 Bug Fixes
+
+- *(cli)* Update NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL correctly (#3643)
+
 ## [cli@1.34.3] - 2025-10-27
 
 ### ⚙️ Miscellaneous Tasks

cli/dockercompose/compose.go

@@ -344,7 +344,7 @@ func dashboard(
 				subdomain, "hasura", httpPort, useTLS,
 			) + "/console",
 			"NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL": URL(
-				subdomain, "hasura", httpPort, useTLS),
+				subdomain, "hasura", httpPort, useTLS) + "/apis/migrate",
 			"NEXT_PUBLIC_NHOST_STORAGE_URL": URL(
 				subdomain, "storage", httpPort, useTLS) + "/v1",
 		},

cli/mcp/nhost/auth/auth.gen.go

@@ -1,6 +1,6 @@
 // Package auth provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.4.1 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
 package auth
 
 import (

cli/mcp/nhost/graphql/graphql.gen.go

@@ -1,6 +1,6 @@
 // Package graphql provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.4.1 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
 package graphql
 
 import (

cli/nhostclient/graphql/models_gen.go

@@ -2823,6 +2823,7 @@ type Deployments struct {
 	CommitSha           string     `json:"commitSHA"`
 	CommitUserAvatarURL *string    `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName      *string    `json:"commitUserName,omitempty"`
+	CreatedAt           time.Time  `json:"createdAt"`
 	DeploymentEndedAt   *time.Time `json:"deploymentEndedAt,omitempty"`
 	// An array relationship
 	DeploymentLogs      []*DeploymentLogs `json:"deploymentLogs"`
@@ -2865,6 +2866,7 @@ type DeploymentsBoolExp struct {
 	CommitSha           *StringComparisonExp      `json:"commitSHA,omitempty"`
 	CommitUserAvatarURL *StringComparisonExp      `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName      *StringComparisonExp      `json:"commitUserName,omitempty"`
+	CreatedAt           *TimestamptzComparisonExp `json:"createdAt,omitempty"`
 	DeploymentEndedAt   *TimestamptzComparisonExp `json:"deploymentEndedAt,omitempty"`
 	DeploymentLogs      *DeploymentLogsBoolExp    `json:"deploymentLogs,omitempty"`
 	DeploymentStartedAt *TimestamptzComparisonExp `json:"deploymentStartedAt,omitempty"`
@@ -2899,6 +2901,7 @@ type DeploymentsMaxOrderBy struct {
 	CommitSha           *OrderBy `json:"commitSHA,omitempty"`
 	CommitUserAvatarURL *OrderBy `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName      *OrderBy `json:"commitUserName,omitempty"`
+	CreatedAt           *OrderBy `json:"createdAt,omitempty"`
 	DeploymentEndedAt   *OrderBy `json:"deploymentEndedAt,omitempty"`
 	DeploymentStartedAt *OrderBy `json:"deploymentStartedAt,omitempty"`
 	DeploymentStatus    *OrderBy `json:"deploymentStatus,omitempty"`
@@ -2921,6 +2924,7 @@ type DeploymentsMinOrderBy struct {
 	CommitSha           *OrderBy `json:"commitSHA,omitempty"`
 	CommitUserAvatarURL *OrderBy `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName      *OrderBy `json:"commitUserName,omitempty"`
+	CreatedAt           *OrderBy `json:"createdAt,omitempty"`
 	DeploymentEndedAt   *OrderBy `json:"deploymentEndedAt,omitempty"`
 	DeploymentStartedAt *OrderBy `json:"deploymentStartedAt,omitempty"`
 	DeploymentStatus    *OrderBy `json:"deploymentStatus,omitempty"`
@@ -2959,6 +2963,7 @@ type DeploymentsOrderBy struct {
 	CommitSha               *OrderBy                        `json:"commitSHA,omitempty"`
 	CommitUserAvatarURL     *OrderBy                        `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName          *OrderBy                        `json:"commitUserName,omitempty"`
+	CreatedAt               *OrderBy                        `json:"createdAt,omitempty"`
 	DeploymentEndedAt       *OrderBy                        `json:"deploymentEndedAt,omitempty"`
 	DeploymentLogsAggregate *DeploymentLogsAggregateOrderBy `json:"deploymentLogs_aggregate,omitempty"`
 	DeploymentStartedAt     *OrderBy                        `json:"deploymentStartedAt,omitempty"`
@@ -2990,6 +2995,7 @@ type DeploymentsStreamCursorValueInput struct {
 	CommitSha           *string    `json:"commitSHA,omitempty"`
 	CommitUserAvatarURL *string    `json:"commitUserAvatarUrl,omitempty"`
 	CommitUserName      *string    `json:"commitUserName,omitempty"`
+	CreatedAt           *time.Time `json:"createdAt,omitempty"`
 	DeploymentEndedAt   *time.Time `json:"deploymentEndedAt,omitempty"`
 	DeploymentStartedAt *time.Time `json:"deploymentStartedAt,omitempty"`
 	DeploymentStatus    *string    `json:"deploymentStatus,omitempty"`
@@ -6983,6 +6989,8 @@ const (
 	// column name
 	DeploymentsSelectColumnCommitUserName DeploymentsSelectColumn = "commitUserName"
 	// column name
+	DeploymentsSelectColumnCreatedAt DeploymentsSelectColumn = "createdAt"
+	// column name
 	DeploymentsSelectColumnDeploymentEndedAt DeploymentsSelectColumn = "deploymentEndedAt"
 	// column name
 	DeploymentsSelectColumnDeploymentStartedAt DeploymentsSelectColumn = "deploymentStartedAt"
@@ -7016,6 +7024,7 @@ var AllDeploymentsSelectColumn = []DeploymentsSelectColumn{
 	DeploymentsSelectColumnCommitSha,
 	DeploymentsSelectColumnCommitUserAvatarURL,
 	DeploymentsSelectColumnCommitUserName,
+	DeploymentsSelectColumnCreatedAt,
 	DeploymentsSelectColumnDeploymentEndedAt,
 	DeploymentsSelectColumnDeploymentStartedAt,
 	DeploymentsSelectColumnDeploymentStatus,
@@ -7033,7 +7042,7 @@ var AllDeploymentsSelectColumn = []DeploymentsSelectColumn{
 
 func (e DeploymentsSelectColumn) IsValid() bool {
 	switch e {
-	case DeploymentsSelectColumnAppID, DeploymentsSelectColumnCommitMessage, DeploymentsSelectColumnCommitSha, DeploymentsSelectColumnCommitUserAvatarURL, DeploymentsSelectColumnCommitUserName, DeploymentsSelectColumnDeploymentEndedAt, DeploymentsSelectColumnDeploymentStartedAt, DeploymentsSelectColumnDeploymentStatus, DeploymentsSelectColumnFunctionsEndedAt, DeploymentsSelectColumnFunctionsStartedAt, DeploymentsSelectColumnFunctionsStatus, DeploymentsSelectColumnID, DeploymentsSelectColumnMetadataEndedAt, DeploymentsSelectColumnMetadataStartedAt, DeploymentsSelectColumnMetadataStatus, DeploymentsSelectColumnMigrationsEndedAt, DeploymentsSelectColumnMigrationsStartedAt, DeploymentsSelectColumnMigrationsStatus:
+	case DeploymentsSelectColumnAppID, DeploymentsSelectColumnCommitMessage, DeploymentsSelectColumnCommitSha, DeploymentsSelectColumnCommitUserAvatarURL, DeploymentsSelectColumnCommitUserName, DeploymentsSelectColumnCreatedAt, DeploymentsSelectColumnDeploymentEndedAt, DeploymentsSelectColumnDeploymentStartedAt, DeploymentsSelectColumnDeploymentStatus, DeploymentsSelectColumnFunctionsEndedAt, DeploymentsSelectColumnFunctionsStartedAt, DeploymentsSelectColumnFunctionsStatus, DeploymentsSelectColumnID, DeploymentsSelectColumnMetadataEndedAt, DeploymentsSelectColumnMetadataStartedAt, DeploymentsSelectColumnMetadataStatus, DeploymentsSelectColumnMigrationsEndedAt, DeploymentsSelectColumnMigrationsStartedAt, DeploymentsSelectColumnMigrationsStatus:
 		return true
 	}
 	return false

dashboard/.env.example

@@ -3,12 +3,13 @@ NEXT_PUBLIC_ENV=dev
 NEXT_PUBLIC_NHOST_PLATFORM=false
 
 # Environment Variables for Self Hosting and Local Development
-NEXT_PUBLIC_NHOST_AUTH_URL=https://local.auth.nhost.local.run/v1
+NEXT_PUBLIC_NHOST_AUTH_URL=https://local.auth.local.nhost.run/v1
+NEXT_PUBLIC_NHOST_CONFIGSERVER_URL=https://local.dashboard.local.nhost.run/v1/configserver/graphql
 NEXT_PUBLIC_NHOST_FUNCTIONS_URL=https://local.functions.local.nhost.run/v1
 NEXT_PUBLIC_NHOST_GRAPHQL_URL=https://local.graphql.local.nhost.run/v1
 NEXT_PUBLIC_NHOST_STORAGE_URL=https://local.storage.local.nhost.run/v1
-NEXT_PUBLIC_NHOST_HASURA_CONSOLE_URL=https://local.hasura.local.nhost.run
-NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL=https://local.hasura.local.nhost.run/v1/migrations
+NEXT_PUBLIC_NHOST_HASURA_CONSOLE_URL=https://local.hasura.local.nhost.run/console
+NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL=https://local.hasura.local.nhost.run/apis/migrate
 NEXT_PUBLIC_NHOST_HASURA_API_URL=https://local.hasura.local.nhost.run
 
 # Environment Variables when running the Nhost Dashboard against the Nhost Backend

dashboard/src/features/orgs/projects/authentication/settings/components/AppleProviderSettings/AppleProviderSettings.tsx

@@ -176,7 +176,7 @@ export default function AppleProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-apple"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-apple"
           docsTitle="how to sign in users with Apple"
           icon={
             theme.palette.mode === 'dark'

dashboard/src/features/orgs/projects/authentication/settings/components/DiscordProviderSettings/DiscordProviderSettings.tsx

@@ -141,7 +141,7 @@ export default function DiscordProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-discord"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-discord"
           docsTitle="how to sign in users with Discord"
           icon="/assets/brands/discord.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/authentication/settings/components/FacebookProviderSettings/FacebookProviderSettings.tsx

@@ -142,7 +142,7 @@ export default function FacebookProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-facebook"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-facebook"
           docsTitle="how to sign in users with Facebook"
           icon="/assets/brands/facebook.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/authentication/settings/components/GitHubProviderSettings/GitHubProviderSettings.tsx

@@ -144,7 +144,7 @@ export default function GitHubProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-github"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-github"
           docsTitle="how to sign in users with GitHub"
           icon={
             theme.palette.mode === 'dark'

dashboard/src/features/orgs/projects/authentication/settings/components/GoogleProviderSettings/GoogleProviderSettings.tsx

@@ -162,7 +162,7 @@ export default function GoogleProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-google"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-google"
           docsTitle="how to sign in users with Google"
           icon="/assets/brands/google.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/authentication/settings/components/LinkedInProviderSettings/LinkedInProviderSettings.tsx

@@ -142,7 +142,7 @@ export default function LinkedInProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-linkedin"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-linkedin"
           docsTitle="how to sign in users with LinkedIn"
           icon="/assets/brands/linkedin.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/authentication/settings/components/SpotifyProviderSettings/SpotifyProviderSettings.tsx

@@ -142,7 +142,7 @@ export default function SpotifyProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-spotify"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-spotify"
           docsTitle="how to sign in users with Spotify"
           icon="/assets/brands/spotify.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/authentication/settings/components/TwitchProviderSettings/TwitchProviderSettings.tsx

@@ -144,7 +144,7 @@ export default function TwitchProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-twitch"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-twitch"
           docsTitle="how to sign in users with Twitch"
           icon={
             theme.palette.mode === 'dark'

dashboard/src/features/orgs/projects/authentication/settings/components/WorkOsProviderSettings/WorkOsProviderSettings.tsx

@@ -177,7 +177,7 @@ export default function WorkOsProviderSettings() {
               loading: formState.isSubmitting,
             },
           }}
-          docsLink="https://docs.nhost.io/products/auth/social/sign-in-workos"
+          docsLink="https://docs.nhost.io/products/auth/providers/sign-in-workos"
           docsTitle="how to sign in users with WorkOS"
           icon="/assets/brands/workos.svg"
           switchId="enabled"

dashboard/src/features/orgs/projects/database/dataGrid/hooks/useRunSQL/useRunSQL.ts

@@ -3,7 +3,7 @@ import { generateAppServiceUrl } from '@/features/orgs/projects/common/utils/gen
 import { useDatabaseQuery } from '@/features/orgs/projects/database/dataGrid/hooks/useDatabaseQuery';
 import { useProject } from '@/features/orgs/projects/hooks/useProject';
 import { getToastStyleProps } from '@/utils/constants/settings';
-import { getHasuraAdminSecret } from '@/utils/env';
+import { getHasuraAdminSecret, getHasuraMigrationsApiUrl } from '@/utils/env';
 import { parseIdentifiersFromSQL } from '@/utils/sql';
 import { useRouter } from 'next/router';
 import { useState } from 'react';
@@ -53,7 +53,10 @@ export default function useRunSQL(
     isCascade: boolean,
   ) => {
     try {
-      const migrationApiResponse = await fetch(`${appUrl}/apis/migrate`, {
+      const url = isPlatform
+        ? `${appUrl}/apis/migrate`
+        : getHasuraMigrationsApiUrl();
+      const migrationApiResponse = await fetch(url, {
         method: 'POST',
         headers: { 'x-hasura-admin-secret': adminSecret },
         body: JSON.stringify({

docs/docs.json

@@ -122,29 +122,37 @@
                 "group": "Sign In Methods",
                 "pages": [
                   {
-                    "group": "Social Providers",
+                    "group": "Providers",
                     "icon": "at",
                     "pages": [
-                      "products/auth/social/sign-in-apple",
-                      "products/auth/social/sign-in-azuread",
-                      "products/auth/social/sign-in-discord",
-                      "products/auth/social/sign-in-entraid",
-                      "products/auth/social/sign-in-facebook",
-                      "products/auth/social/sign-in-github",
-                      "products/auth/social/sign-in-google",
-                      "products/auth/social/sign-in-linkedin",
-                      "products/auth/social/sign-in-spotify",
-                      "products/auth/social/sign-in-twitch",
-                      "products/auth/social/sign-in-workos"
+                      "products/auth/providers/overview",
+                      "products/auth/providers/tokens",
+                      "products/auth/providers/connect",
+                      "products/auth/providers/idtokens",
+                      {
+                        "group": "Configuration",
+                        "icon": "gear",
+                        "pages": [
+                          "products/auth/providers/sign-in-apple",
+                          "products/auth/providers/sign-in-azuread",
+                          "products/auth/providers/sign-in-discord",
+                          "products/auth/providers/sign-in-entraid",
+                          "products/auth/providers/sign-in-facebook",
+                          "products/auth/providers/sign-in-github",
+                          "products/auth/providers/sign-in-google",
+                          "products/auth/providers/sign-in-linkedin",
+                          "products/auth/providers/sign-in-spotify",
+                          "products/auth/providers/sign-in-twitch",
+                          "products/auth/providers/sign-in-workos"
+                        ]
+                      }
                     ]
                   },
-                  "/products/auth/social-connect",
                   "/products/auth/sign-in-email-password",
                   "/products/auth/sign-in-otp",
                   "/products/auth/sign-in-magic-link",
                   "/products/auth/sign-in-sms-otp",
-                  "/products/auth/webauthn",
-                  "/products/auth/idtokens"
+                  "/products/auth/webauthn"
                 ]
               },
               {
@@ -152,7 +160,6 @@
                 "icon": "diagram-project",
                 "pages": [
                   "/products/auth/workflows/email-password",
-                  "/products/auth/workflows/oauth-providers",
                   "/products/auth/workflows/passwordless-email",
                   "/products/auth/workflows/passwordless-sms",
                   "/products/auth/workflows/webauthn",
@@ -352,6 +359,7 @@
                     "reference/auth/post-signin-pat",
                     "reference/auth/get-signin-provider-{provider}",
                     "reference/auth/get-signin-provider-{provider}-callback",
+                    "reference/auth/get-signin-provider-{provider}-callback-tokens",
                     "reference/auth/post-signin-provider-{provider}-callback",
                     "reference/auth/post-signin-webauthn",
                     "reference/auth/post-signin-webauthn-verify",
@@ -360,6 +368,7 @@
                     "reference/auth/post-signup-webauthn",
                     "reference/auth/post-signup-webauthn-verify",
                     "reference/auth/post-token",
+                    "reference/auth/post-token-provider-{provider}",
                     "reference/auth/post-token-verify",
                     "reference/auth/get-user",
                     "reference/auth/post-user-deanonymize",
@@ -704,6 +713,20 @@
       }
     ]
   },
+  "redirects": [
+    {
+      "source": "/products/auth/social/:slug*",
+      "destination": "/products/auth/providers/:slug*"
+    },
+    {
+      "source": "/products/auth/social-connect",
+      "destination": "products/auth/providers/connect"
+    },
+    {
+      "source": "/products/auth/idtokens",
+      "destination": "products/auth/providers/idtokens"
+    }
+  ],
   "logo": {
     "light": "/images/logo/light.svg",
     "dark": "/images/logo/dark.svg"

docs/gen.sh

@@ -62,6 +62,7 @@ function build_typedoc() {
 function build_cli_docs() {
     echo "⚒️⚒️⚒️ Building CLI documentation..."
     cli docs > reference/cli/commands.mdx
+    cat reference/cli/commands.mdx
 }
 
 build_openapi

docs/products/auth/overview.mdx

@@ -19,7 +19,7 @@ Nhost Auth is a ready-to-use authentication service seamlessly integrated with t
   </Card>
   <Card title="Security Keys (WebAuthn)" icon="square-5" href="/products/auth/webauthn">
   </Card>
-  <Card title="ID Tokens" icon="square-6" href="/products/auth/idtokens">
+  <Card title="ID Tokens" icon="square-6" href="/products/auth/providers/idtokens">
   </Card>
   <Card title="Elevated Permissions" icon="square-7" href="/products/auth/elevated-permissions">
   </Card>
@@ -28,24 +28,24 @@ Nhost Auth is a ready-to-use authentication service seamlessly integrated with t
 ### OAuth Providers
 
 <CardGroup cols={4}>
-  <Card title="Apple" icon="apple" href="/products/auth/social/sign-in-apple">
+  <Card title="Apple" icon="apple" href="/products/auth/providers/sign-in-apple">
   </Card>
-  <Card title="Discord" icon="discord" href="/products/auth/social/sign-in-discord">
+  <Card title="Discord" icon="discord" href="/products/auth/providers/sign-in-discord">
   </Card>
-  <Card title="Entra ID" icon="microsoft" href="/products/auth/social/sign-in-entraid">
+  <Card title="Entra ID" icon="microsoft" href="/products/auth/providers/sign-in-entraid">
   </Card>
-  <Card title="Facebook" icon="facebook" href="/products/auth/social/sign-in-facebook">
+  <Card title="Facebook" icon="facebook" href="/products/auth/providers/sign-in-facebook">
   </Card>
-  <Card title="GitHub" icon="github" href="/products/auth/social/sign-in-github">
+  <Card title="GitHub" icon="github" href="/products/auth/providers/sign-in-github">
   </Card>
-  <Card title="Google" icon="google" href="/products/auth/social/sign-in-google">
+  <Card title="Google" icon="google" href="/products/auth/providers/sign-in-google">
   </Card>
-  <Card title="Linkedin" icon="linkedin" href="/products/auth/social/sign-in-linkedin">
+  <Card title="Linkedin" icon="linkedin" href="/products/auth/providers/sign-in-linkedin">
   </Card>
-  <Card title="Spotify" icon="spotify" href="/products/auth/social/sign-in-spotify">
+  <Card title="Spotify" icon="spotify" href="/products/auth/providers/sign-in-spotify">
   </Card>
-  <Card title="Twitch" icon="twitch" href="/products/auth/social/sign-in-twitch">
+  <Card title="Twitch" icon="twitch" href="/products/auth/providers/sign-in-twitch">
   </Card>
-  <Card title="WorkOS" icon="square-9" href="/products/auth/social/sign-in-workos">
+  <Card title="WorkOS" icon="square-9" href="/products/auth/providers/sign-in-workos">
   </Card>
 </CardGroup>

docs/products/auth/providers/connect.mdx

@@ -0,0 +1,41 @@
+---
+title: Connecting existing users
+sidebarTitle: Connecting existing users
+description: Connect a provider to existing user accounts
+icon: link
+---
+
+With the provider connect feature, users can link configured providers with their account, regardless of the initial sign-up method. It enables users to link different providers to their accounts, even if the email addresses do not match (e.g., linking a GitHub profile to an account registered with a different email). This feature offers flexibility, allowing users to streamline their login process by connecting multiple authentication methods.
+
+To add a provider authentication method to an existing user you need to call the url `https://${subdomain}.auth.${region}.nhost.run/v1/signin/provider/${provider}?connect=${jwt}`. This is very easy to achieve with our SDK:
+
+``` js
+nhost.auth.connectProvider({
+  provider: 'github'
+})
+```
+
+<Note>
+Keep in mind that as we need a `JWT` the user needs to be logged in.
+</Note>
+
+## Viewing and Deleting Provider Authentication Mechanisms
+
+If you want to allow your users to view and/or delete provider authentication mechanisms, you can provide the necessary permissions to the table `auth.user_providers` (i.e. `select` and/or `delete`) and then use the appropriate GraphQL query. For example, the following permissions should allow users to list their own providers:
+
+![provider connect permissions](/images/auth/provider-connect-permissions.png)
+
+Using the following GraphQL query:
+
+``` js
+const { error, data } = await nhost.graphql.request(
+  gql`
+    query getAuthUserProviders {
+      authUserProviders {
+        id
+        providerId
+      }
+    }
+  `,
+)
+```

docs/products/auth/providers/idtokens.mdx

@@ -13,7 +13,9 @@ ID tokens serve as a secure proof that a user has already been authenticated by
 
 ## Usage
 
-To use ID tokens, you need to configure supported identity providers (currently [apple](/products/auth/social/sign-in-apple) and [google](/products/auth/social/sign-in-google)) and make sure the `audience` is set correctly.
+<Note>
+To use ID tokens, you need to configure supported identity providers (currently [apple](/products/auth/providers/sign-in-apple) and [google](/products/auth/providers/sign-in-google)) and make sure the `audience` is set correctly.
+</Note>
 
 ### Sign in
 
@@ -41,7 +43,7 @@ Once everything is configured you can use an ID token to authenticate users with
 
 ### Link Provider to existing user
 
-Similarly to the [Social Connect](/products/auth/social-connect) feature, you can link an identity provider to an existing user:
+Similarly to the [Provider Connect](/products/auth/providers/connect) feature, you can link an identity provider to an existing user:
 
 <Tabs>
   <Tab title="javascript">
@@ -69,10 +71,4 @@ Below you can find some examples on how to extract an ID Token from various iden
 
 ### React Native
 
-#### Apple
-
-For an example on how to authenticate using "Sign in with Apple" on iOS using React Native you can refer to our [sample component](https://github.com/nhost/nhost/blob/main/examples/react_native/src/components/SignInWithAppleButton.tsx).
-
-#### Google
-
-For an example on how to authenticate using "Sign in with Google" on Android using React Native you can refer to our [sample component](https://github.com/nhost/nhost/blob/main/examples/react_native/src/components/SignInWithGoogleButton.tsx).
+Please, refer to our [React Native Tutorial](/getting-started/tutorials/reactnative/1-introduction) on how to implement Sign in with Apple and Google Sign-In in your React Native app.

docs/products/auth/providers/overview.mdx

@@ -0,0 +1,61 @@
+---
+title: Overview
+sidebarTitle: Overview
+description: Learn how OAuth2 authentication works with Nhost
+icon: at
+---
+
+OAuth2 providers allow users to sign in to your Nhost application using their existing accounts from popular services like Google, GitHub, Apple, and many others. This eliminates the need for users to create and remember new credentials while providing a secure authentication method.
+
+## How OAuth2 Authentication Works
+
+When a user authenticates with an OAuth2 provider through Nhost, the following workflow occurs:
+
+```mermaid
+sequenceDiagram
+	autonumber
+	actor U as User
+	participant A as Auth
+	participant P as Oauth Provider
+	participant F as Frontend
+	U->>+A: HTTP GET /signin/provider/{provider}
+	A->>+P: Provider's authentication
+	deactivate A
+	P->>-A: HTTP GET /signin/provider/{provider}/callback
+	activate A
+	opt No user found
+		A->>A: Create user
+	end
+	A->>A: Flag user email as verified
+	A->>+F: HTTP redirect with refresh token
+	deactivate A
+	F->>-U: HTTP OK response
+	opt
+		U->>+A: HTTP POST /token
+		A->>-U: HTTP OK response
+		Note left of A: Refresh token + access token
+	end
+```
+
+<Snippet file="workflows/oauth-providers.mdx" />
+
+### The Authentication Flow
+
+1. **Initiation**: The user starts the authentication process by making a request to `/signin/provider/{provider}` (e.g., `/signin/provider/google`)
+
+2. **Provider Authentication**: Auth redirects the user to the OAuth2 provider's authentication page where they log in and grant permissions
+
+3. **Callback**: After successful authentication, the provider redirects back to Auth at `/signin/provider/{provider}/callback` with an authorization code
+
+4. **User Management**: Auth processes the callback:
+   - If this is a new user, a user account is automatically created
+   - The user's email is flagged as verified (since the OAuth2 provider has already verified it)
+
+5. **Token Issuance**: The user is redirected back to your frontend application with a refresh token
+
+## Benefits of OAuth2 Authentication
+
+- **Improved User Experience**: Users can sign in with accounts they already have
+- **Enhanced Security**: No need to manage passwords; authentication is handled by established providers
+- **Verified Emails**: Email addresses are automatically verified through the OAuth2 provider
+- **Reduced Registration Friction**: Faster onboarding with one-click sign-in

docs/products/auth/providers/sign-in-workos.mdx

@@ -1,7 +1,7 @@
 ---
 title: Sign In with WorkOS
 description: Follow this guide to sign in users with WorkOS.
-icon: workos
+icon: W
 ---
 
 

docs/products/auth/providers/tokens.mdx

@@ -0,0 +1,137 @@
+---
+title: OAuth Provider Access Tokens
+sidebarTitle: Tokens
+description: Access and refresh OAuth provider tokens to interact with external APIs
+icon: key
+---
+
+When users authenticate with OAuth providers through Nhost, you can access the provider's access and refresh tokens. This enables your application to make API calls directly to external services (like Google Drive, GitHub repositories, or Spotify playlists) on behalf of your users.
+
+## How Provider Token Management Works
+
+After a user completes OAuth authentication, you can retrieve and manage the provider's tokens to interact with their external accounts:
+
+```mermaid
+sequenceDiagram
+	autonumber
+	actor U as User
+	participant F as Frontend
+	participant A as Auth
+	participant P as OAuth Provider
+	Note over U,P: Initial OAuth Sign-In
+	U->>+F: Complete OAuth sign-in
+	F->>+A: GET /signin/provider/{provider}/callback/tokens
+	Note right of A: Bearer token required
+	A->>A: Retrieve stored provider session
+	A->>-F: Provider tokens (access, refresh, expiresIn)
+	F->>F: Store tokens securely
+	deactivate F
+	Note over U,P: Using Provider Access Token
+	U->>+F: Request action requiring provider API
+	F->>+P: API call with provider access token
+	P->>-F: API response
+	F->>-U: Result
+	Note over U,P: Refreshing Expired Token
+	F->>F: Detect token expiration
+	F->>+A: POST /token/provider/{provider}
+	Note right of A: Include refresh token
+	A->>+P: Request new access token
+	P->>-A: New access token (+ optional new refresh token)
+	A->>-F: Updated tokens
+	F->>F: Update stored tokens
+```
+
+### The Token Flow
+
+1. **OAuth Completion**: After the user successfully authenticates with an OAuth provider, they are redirected back to your application
+
+2. **Token Retrieval**: Your frontend immediately calls `/signin/provider/{provider}/callback/tokens` with the user's Nhost authentication token to retrieve the provider's tokens
+
+3. **Secure Storage**: The provider's access token, refresh token, and expiration time are stored securely in your application
+
+4. **Provider API Calls**: Your application uses the provider's access token to make API calls to the external service on behalf of the user
+
+5. **Token Refresh**: When the access token expires, your application uses the refresh token to obtain a new access token without requiring the user to re-authenticate
+
+## Retrieving Provider Tokens
+
+After a successful OAuth sign-in, retrieve the provider's session to access their tokens.
+
+```javascript
+import { createClient } from '@nhost/nhost-js'
+
+const nhost = createClient({
+  subdomain: 'myapp',
+  region: 'us-east-1'
+})
+
+// Immediately after OAuth callback completes
+const resp = await nhost.auth.getProviderTokens('google')
+
+// Store tokens securely
+localStorage.setItem('google_access_token', resp.body.accessToken)
+if (resp.body.refreshToken) {
+  localStorage.setItem('google_refresh_token', resp.body.refreshToken)
+}
+
+// Use provider token to call Google APIs
+const userInfo = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+  headers: {
+    'Authorization': `Bearer ${resp.body.accessToken}`
+  }
+})
+```
+
+**Important Notes:**
+- This method must be called **immediately** after the OAuth callback completes
+- The provider session is stored temporarily and is cleared during this call
+- Subsequent calls will fail without re-authenticating with the provider
+- Requires the user to be authenticated with Nhost
+
+## Refreshing Provider Tokens
+
+Provider access tokens typically expire after a short period (often 1 hour). Use the refresh token to obtain a new access token without user interaction.
+
+```javascript
+import { createClient } from '@nhost/nhost-js'
+
+const nhost = createClient({
+  subdomain: 'myapp',
+  region: 'us-east-1'
+})
+
+// Retrieve stored refresh token
+const storedRefreshToken = localStorage.getItem('google_refresh_token')
+
+// Refresh the provider tokens
+const resp = await nhost.auth.refreshProviderToken('google', {
+  refreshToken: storedRefreshToken
+})
+
+// Update stored tokens
+localStorage.setItem('google_access_token', resp.body.accessToken)
+if (resp.body.refreshToken) {
+  // Some providers rotate refresh tokens
+  localStorage.setItem('google_refresh_token', resp.body.refreshToken)
+}
+```
+
+**Important Notes:**
+- Some providers (like Google) rotate refresh tokens, returning a new one in the response
+- Always update your stored refresh token with the new value if provided
+- Token refresh can fail if the user revokes access or the refresh token expires
+- Handle these cases by prompting the user to re-authenticate
+
+## Best Practices
+
+**Immediate Retrieval** - Call the tokens endpoint immediately after OAuth callback to prevent session loss
+
+**Secure Storage** - Store provider tokens in secure storage appropriate for your platform (encrypted storage for mobile, httpOnly cookies or secure localStorage for web)
+
+**Proactive Refresh** - Use the `expiresIn` value to refresh tokens before they expire, preventing API call failures
+
+**Handle Rotation** - Always update your stored refresh token when a new one is returned, as some providers invalidate old refresh tokens
+
+**Graceful Errors** - Handle token refresh failures by prompting users to re-authenticate, as they may have revoked access through the provider's settings
+
+**Token Isolation** - Store tokens per provider and per user to support multiple OAuth connections

docs/products/auth/social-connect.mdx

@@ -1,43 +0,0 @@
----
-title: Social Provider Connect
-sidebarTitle: Social Provider Connect
-description: Add social sign in mechanism to existing users
-icon: link
----
-
-With the social provider connect feature, users can link their social authentication method to their account, regardless of the initial sign-up method. It enables users to link different social authentication providers to their accounts, even if the email addresses do not match (e.g., linking a GitHub profile to an account registered with a different email). This feature offers flexibility, allowing users to streamline their login process by connecting multiple authentication methods.
-
-To add a social authentication method to an existing user you need to call the url `https://${subdomain}.auth.${region}.nhost.run/v1/signin/provider/${provider}?connect=${jwt}`. This is very easy to achieve with our SDK:
-
-``` js
-nhost.auth.connectProvider({
-  provider: 'github'
-})
-```
-
-In addition, hooks for react, vue and other frameworks may be provided. Check our [reference](/reference/overview#client-libraries) documentation for more details.
-
-<Note>
-Keep in mind that as we need a `JWT` the user needs to be logged in.
-</Note>
-
-## Viewing and Deleting Social Provider Authentication Mechanisms
-
-If you want to allow your users to view and/or delete social provider authentication mechanisms, you can provide the necessary permissions to the table `auth.user_providers` (i.e. `select` and/or `delete`) and then use the appropriate GraphQL query. For example, the following permissions should allow users to list their own social providers:
-
-![social connect permissions](/images/auth/social-connect-permissions.png)
-
-Using the following GraphQL query:
-
-``` js
-const { error, data } = await nhost.graphql.request(
-  gql`
-    query getAuthUserProviders {
-      authUserProviders {
-        id
-        providerId
-      }
-    }
-  `,
-)
-```

docs/products/auth/workflows/oauth-providers.mdx

@@ -1,25 +0,0 @@
-```mermaid
-sequenceDiagram
-	autonumber
-	actor U as User
-	participant A as Hasura Auth
-	participant P as Oauth Provider
-	participant F as Frontend
-	U->>+A: HTTP GET /signin/provider/{provider}
-	A->>+P: Provider's authentication
-	deactivate A
-	P->>-A: HTTP GET /signin/provider/{provider}/callback
-	activate A
-	opt No user found
-		A->>A: Create user
-	end
-	A->>A: Flag user email as verified
-	A->>+F: HTTP redirect with refresh token
-	deactivate A
-	F->>-U: HTTP OK response
-	opt
-		U->>+A: HTTP POST /token
-		A->>-U: HTTP OK response
-		Note left of A: Refresh token + access token
-	end
-```

docs/reference/auth.yaml

@@ -592,6 +592,12 @@ paths:
             If set, this means that the user is already authenticated and wants to link their account. This needs to be a valid JWT access token.
           schema:
             type: string
+        - name: state
+          in: query
+          required: false
+          description: Opaque state value to be returned by the provider
+          schema:
+            type: string
 
       responses:
         "302":
@@ -738,6 +744,31 @@ paths:
                 $ref: "#/components/schemas/ErrorResponse"
           description: "An error occurred while processing the request"
 
+  /signin/provider/{provider}/callback/tokens:
+    get:
+      summary: Retrieve OAuth2 provider tokens from callback
+      description: After successful OAuth2 authentication, retrieve the provider session containing access token, refresh token, and expiration information for the specified provider. To ensure the data isn't stale this endpoint must be called immediately after the OAuth callback to obtain the tokens. The session is cleared from the database during this call, so subsequent calls will fail without going through the sign-in flow again. It is the user's responsibility to store the session safely (e.g., in browser local storage).
+      operationId: getProviderTokens
+      tags:
+        - authentication
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: "#/components/parameters/SignInProvider"
+      responses:
+        "200":
+          description: Successfully retrieved provider session
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ProviderSession"
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
   /signin/webauthn:
     post:
       summary: Sign in with Webauthn
@@ -954,6 +985,38 @@ paths:
                 $ref: "#/components/schemas/ErrorResponse"
           description: "An error occurred while processing the request"
 
+  /token/provider/{provider}:
+    post:
+      summary: Refresh OAuth2 provider tokens
+      description: Refresh the OAuth2 provider access token using a valid refresh token. Returns a new provider session with updated access token, refresh token (if rotated by provider), and expiration information. This endpoint allows maintaining long-lived access to provider APIs without requiring the user to re-authenticate.
+      operationId: refreshProviderToken
+      tags:
+        - authentication
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: "#/components/parameters/SignInProvider"
+      requestBody:
+        description: Provider refresh token to exchange for a new access token
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/RefreshProviderTokenRequest"
+        required: true
+      responses:
+        "200":
+          description: Successfully refreshed provider tokens
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ProviderSession"
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
   /token/verify:
     post:
       summary: Verify JWT token
@@ -1814,6 +1877,46 @@ components:
       required:
         - challenge
 
+    ProviderSession:
+      type: object
+      description: "OAuth2 provider session containing access and refresh tokens"
+      additionalProperties: false
+      properties:
+        accessToken:
+          type: string
+          description: "OAuth2 provider access token for API calls"
+          example: "ya29.a0AfH6SMBx..."
+        expiresIn:
+          type: integer
+          description: "Number of seconds until the access token expires"
+          example: 3599
+        expiresAt:
+          type: string
+          format: date-time
+          description: "Timestamp when the access token expires"
+          example: "2024-12-31T23:59:59Z"
+        refreshToken:
+          type: string
+          nullable: true
+          description: "OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)"
+          example: "1//0gK8..."
+      required:
+        - accessToken
+        - expiresIn
+        - expiresAt
+
+    RefreshProviderTokenRequest:
+      type: object
+      description: "Request to refresh OAuth2 provider tokens"
+      additionalProperties: false
+      properties:
+        refreshToken:
+          type: string
+          description: "OAuth2 provider refresh token obtained from previous authentication"
+          example: "1//0gK8..."
+      required:
+        - refreshToken
+
     RefreshTokenRequest:
       type: object
       description: "Request to refresh an access token"
@@ -2512,7 +2615,6 @@ components:
           - facebook
           - windowslive
           - twitter
-      deprecated: true
 
     TicketQuery:
       in: query

docs/reference/auth/get-signin-provider-{provider}-callback-tokens.mdx

@@ -0,0 +1,5 @@
+---
+title: "getProviderTokens"
+openapi: get /signin/provider/{provider}/callback/tokens
+sidebarTitle: /signin/provider/{provider}/callback/tokens
+---

docs/reference/auth/post-token-provider-{provider}.mdx

@@ -0,0 +1,5 @@
+---
+title: "refreshProviderToken"
+openapi: post /token/provider/{provider}
+sidebarTitle: /token/provider/{provider}
+---

docs/reference/cli/commands.mdx

@@ -254,7 +254,7 @@ Start local development environment
 
 **--ca-certificates**="": Mounts and everrides path to CA certificates in the containers
 
-**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.38.4)
+**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.40.0)
 
 **--disable-tls**: Disable TLS
 
@@ -284,7 +284,7 @@ Start local development environment connected to an Nhost Cloud project (BETA)
 
 **--ca-certificates**="": Mounts and everrides path to CA certificates in the containers
 
-**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.38.4)
+**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.40.0)
 
 **--disable-tls**: Disable TLS
 

docs/reference/javascript/nhost-js/auth.mdx

@@ -468,6 +468,30 @@ This method may return different T based on the response code:
 
 `Promise`<[`FetchResponse`](./fetch#fetchresponse)<[`JWKSet`](#jwkset)>>
 
+#### getProviderTokens()
+
+```ts
+getProviderTokens(provider: SignInProvider, options?: RequestInit): Promise<FetchResponse<ProviderSession>>;
+```
+
+Summary: Retrieve OAuth2 provider tokens from callback
+After successful OAuth2 authentication, retrieve the provider session containing access token, refresh token, and expiration information for the specified provider. To ensure the data isn't stale this endpoint must be called immediately after the OAuth callback to obtain the tokens. The session is cleared from the database during this call, so subsequent calls will fail without going through the sign-in flow again. It is the user's responsibility to store the session safely (e.g., in browser local storage).
+
+This method may return different T based on the response code:
+
+- 200: ProviderSession
+
+##### Parameters
+
+| Parameter  | Type                                |
+| ---------- | ----------------------------------- |
+| `provider` | [`SignInProvider`](#signinprovider) |
+| `options?` | `RequestInit`                       |
+
+##### Returns
+
+`Promise`&lt;[`FetchResponse`](./fetch#fetchresponse)&lt;[`ProviderSession`](#providersession)&gt;&gt;
+
 #### getUser()
 
 ```ts
@@ -602,6 +626,34 @@ Add a middleware function to the fetch chain
 
 `void`
 
+#### refreshProviderToken()
+
+```ts
+refreshProviderToken(
+   provider: SignInProvider,
+   body: RefreshProviderTokenRequest,
+   options?: RequestInit): Promise<FetchResponse<ProviderSession>>;
+```
+
+Summary: Refresh OAuth2 provider tokens
+Refresh the OAuth2 provider access token using a valid refresh token. Returns a new provider session with updated access token, refresh token (if rotated by provider), and expiration information. This endpoint allows maintaining long-lived access to provider APIs without requiring the user to re-authenticate.
+
+This method may return different T based on the response code:
+
+- 200: ProviderSession
+
+##### Parameters
+
+| Parameter  | Type                                                          |
+| ---------- | ------------------------------------------------------------- |
+| `provider` | [`SignInProvider`](#signinprovider)                           |
+| `body`     | [`RefreshProviderTokenRequest`](#refreshprovidertokenrequest) |
+| `options?` | `RequestInit`                                                 |
+
+##### Returns
+
+`Promise`&lt;[`FetchResponse`](./fetch#fetchresponse)&lt;[`ProviderSession`](#providersession)&gt;&gt;
+
 #### refreshToken()
 
 ```ts
@@ -1605,6 +1657,54 @@ Format - uri
 
 ---
 
+## ProviderSession
+
+OAuth2 provider session containing access and refresh tokens
+
+### Properties
+
+#### accessToken
+
+```ts
+accessToken: string
+```
+
+(`string`) - OAuth2 provider access token for API calls
+
+- Example - `"ya29.a0AfH6SMBx..."`
+
+#### expiresAt
+
+```ts
+expiresAt: string
+```
+
+(`string`) - Timestamp when the access token expires
+
+- Example - `"2024-12-31T23:59:59Z"`
+- Format - date-time
+
+#### expiresIn
+
+```ts
+expiresIn: number
+```
+
+(`number`) - Number of seconds until the access token expires
+
+- Example - `3599`
+
+#### refreshToken?
+
+```ts
+optional refreshToken: string;
+```
+
+OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)
+Example - `"1//0gK8..."`
+
+---
+
 ## PublicKeyCredentialCreationOptions
 
 ### Properties
@@ -1795,6 +1895,24 @@ A requirement for user verification for the operation
 
 ---
 
+## RefreshProviderTokenRequest
+
+Request to refresh OAuth2 provider tokens
+
+### Properties
+
+#### refreshToken
+
+```ts
+refreshToken: string
+```
+
+(`string`) - OAuth2 provider refresh token obtained from previous authentication
+
+- Example - `"1//0gK8..."`
+
+---
+
 ## RefreshTokenRequest
 
 Request to refresh an access token
@@ -2295,6 +2413,14 @@ optional redirectTo: string;
 
 URI to redirect to
 
+#### state?
+
+```ts
+optional state: string;
+```
+
+Opaque state value to be returned by the provider
+
 ---
 
 ## SignInWebauthnRequest

docs/reference/javascript/nhost-js/session.mdx

@@ -454,7 +454,7 @@ Example - `"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."`
 
 ##### Inherited from
 
-[`Session`](./auth#session).[`accessToken`](./auth#accesstoken)
+[`Session`](./auth#session).[`accessToken`](./auth#accesstoken-1)
 
 #### accessTokenExpiresIn
 
@@ -490,7 +490,7 @@ Pattern - \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
 
 ##### Inherited from
 
-[`Session`](./auth#session).[`refreshToken`](./auth#refreshtoken-3)
+[`Session`](./auth#session).[`refreshToken`](./auth#refreshtoken-5)
 
 #### refreshTokenId
 

flake.lock

@@ -20,11 +20,11 @@
   },
   "nix-filter": {
   "locked": {
-  "lastModified": 1731533336,
-  "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+  "lastModified": 1757882181,
+  "narHash": "sha256-+cCxYIh2UNalTz364p+QYmWHs0P+6wDhiWR4jDIKQIU=",
   "owner": "numtide",
   "repo": "nix-filter",
-  "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+  "rev": "59c44d1909c72441144b93cf0f054be7fe764de5",
   "type": "github"
   },
   "original": {
@@ -40,11 +40,11 @@
   ]
   },
   "locked": {
-  "lastModified": 1752002763,
-  "narHash": "sha256-JYAkdZvpdSx9GUoHPArctYMypSONob4DYKRkOubUWtY=",
+  "lastModified": 1761716996,
+  "narHash": "sha256-vdOuy2pid2/DasUgb08lDOswdPJkN5qjXfBYItVy/R4=",
   "owner": "nlewo",
   "repo": "nix2container",
-  "rev": "4f2437f6a1844b843b380d483087ae6d461240ee",
+  "rev": "e5496ab66e9de9e3f67dc06f692dfbc471b6316e",
   "type": "github"
   },
   "original": {
@@ -55,11 +55,11 @@
   },
   "nixpkgs": {
   "locked": {
-  "lastModified": 1753399495,
-  "narHash": "sha256-7XG/QBqhrYOyA2houjRTL2NMa7IKZZ/somBqr+Q/6Wo=",
+  "lastModified": 1761656231,
+  "narHash": "sha256-EiED5k6gXTWoAIS8yQqi5mAX6ojnzpHwAQTS3ykeYMg=",
   "owner": "NixOS",
   "repo": "nixpkgs",
-  "rev": "0d00f23f023b7215b3f1035adb5247c8ec180dbc",
+  "rev": "e99366c665bdd53b7b500ccdc5226675cfc51f45",
   "type": "github"
   },
   "original": {

flake.nix

@@ -119,6 +119,7 @@
               gofumpt
               golangci-lint
               gqlgenc
+              oapi-codegen
 
               # internal packages
               self.packages.${system}.codegen

go.mod

@@ -1,6 +1,6 @@
 module github.com/nhost/nhost
 
-go 1.24.2
+go 1.25.3
 
 require (
 	github.com/99designs/gqlgen v0.17.80
@@ -16,7 +16,6 @@ require (
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/gabriel-vasile/mimetype v1.4.8
 	github.com/getkin/kin-openapi v0.133.0
-	github.com/gin-contrib/cors v1.7.3
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/go-webauthn/webauthn v0.12.2
@@ -30,7 +29,6 @@ require (
 	github.com/lmittmann/tint v1.0.7
 	github.com/mark3labs/mcp-go v0.41.1
 	github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48
-	github.com/oapi-codegen/gin-middleware v1.0.2
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/pb33f/libopenapi v0.21.12
 	github.com/pelletier/go-toml/v2 v2.2.4

go.sum

@@ -162,8 +162,6 @@ github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3G
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
-github.com/gin-contrib/cors v1.7.3 h1:hV+a5xp8hwJoTw7OY+a70FsL8JkVVFTXw9EcfrYUdns=
-github.com/gin-contrib/cors v1.7.3/go.mod h1:M3bcKZhxzsvI+rlRSkkxHyljJt1ESd93COUvemZ79j4=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -338,19 +336,9 @@ github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/nhost/be v0.0.0-20250929153845-6db3e5249d33 h1:BNFN3Mw4zY6LEmVc7RXkHSVvHtovDSm7Oesb7IUt27o=
-github.com/nhost/be v0.0.0-20250929153845-6db3e5249d33/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
-github.com/nhost/be v0.0.0-20251015125528-facecfb60cea h1:QQMCKMdkOkVN5PlZB/iiBSdQL6u84JIVppWf7hC5OoU=
-github.com/nhost/be v0.0.0-20251015125528-facecfb60cea/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
-github.com/nhost/be v0.0.0-20251020104454-acc8934d2c11 h1:5uPnBt2gjVkRpjUEJ8uS/q+FpvpTQJ+CN6zLCBYcfPA=
-github.com/nhost/be v0.0.0-20251020104454-acc8934d2c11/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
-github.com/nhost/be v0.0.0-20251020115144-85e0542ecec0 h1:MRWnaC1Aoir6JPr4v4C2TAVG5KBIgsOdWiDeII5HQYg=
-github.com/nhost/be v0.0.0-20251020115144-85e0542ecec0/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
 github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48 h1:+Oh4Rbr1psWlBaQTakoBYFNB8jBioiXuimNMaNPLTHk=
 github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/oapi-codegen/gin-middleware v1.0.2 h1:/H99UzvHQAUxXK8pzdcGAZgjCVeXdFDAUUWaJT0k0eI=
-github.com/oapi-codegen/gin-middleware v1.0.2/go.mod h1:2HJDQjH8jzK2/k/VKcWl+/T41H7ai2bKa6dN3AA2GpA=
 github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
 github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=

internal/lib/oapi/errors.go

@@ -0,0 +1,13 @@
+package oapi
+
+import "fmt"
+
+type AuthenticatorError struct {
+	Scheme  string
+	Code    string
+	Message string
+}
+
+func (e *AuthenticatorError) Error() string {
+	return fmt.Sprintf("security error [%s]: %s", e.Code, e.Message)
+}

internal/lib/oapi/example/api/api.go

@@ -0,0 +1,10 @@
+//go:generate oapi-codegen -config server.cfg.yaml openapi.yaml
+//go:generate oapi-codegen -config types.cfg.yaml openapi.yaml
+package api
+
+import (
+	_ "embed"
+)
+
+//go:embed openapi.yaml
+var OpenAPISchema []byte

internal/lib/oapi/example/api/openapi.yaml

@@ -0,0 +1,200 @@
+openapi: "3.0.0"
+
+paths:
+  /signin/email-password:
+    post:
+      summary: Sign in with email and password
+      description: Authenticate a user with their email and password. Returns a session object or MFA challenge if two-factor authentication is enabled.
+      operationId: signInEmailPassword
+      requestBody:
+        description: User credentials for email and password authentication
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/SignInEmailPasswordRequest"
+        required: true
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/SignInEmailPasswordResponse"
+          description: "Authentication successful. If MFA is enabled, a challenge will be returned instead of a session."
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
+  /user/email/change:
+    post:
+      summary: Change user email
+      description: Request to change the authenticated user's email address. A verification email will be sent to the new address to confirm the change. Requires elevated permissions.
+      operationId: changeUserEmail
+      tags:
+        - user
+      security:
+        - BearerAuthElevated: []
+      requestBody:
+        description: New email address and optional redirect URL for email change
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/UserEmailChangeRequest"
+        required: true
+      responses:
+        "200":
+          description: >-
+            Email change requested. An email with a verification link has been sent to the new address
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/OKResponse"
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
+components:
+  securitySchemes:
+    BearerAuth:
+      type: http
+      scheme: bearer
+      description: "Bearer authentication with JWT access token. Used to authenticate requests to protected endpoints."
+    BearerAuthElevated:
+      type: http
+      scheme: bearer
+      description: "Bearer authentication that requires elevated permissions. Used for sensitive operations that may require additional security measures such as recent authentication. For details see https://docs.nhost.io/products/auth/elevated-permissions"
+
+  schemas:
+    SignInEmailPasswordRequest:
+      type: object
+      description: "Request to authenticate using email and password"
+      additionalProperties: false
+      properties:
+        email:
+          description: "User's email address"
+          example: "john.smith@nhost.io"
+          format: email
+          type: string
+        password:
+          description: "User's password"
+          example: "Str0ngPassw#ord-94|%"
+          minLength: 3
+          maxLength: 50
+          type: string
+      required:
+        - email
+        - password
+
+    SignInEmailPasswordResponse:
+      type: object
+      description: "Response for email-password authentication that may include a session or MFA challenge"
+      additionalProperties: false
+      properties:
+        session:
+          $ref: "#/components/schemas/Session"
+
+    Session:
+      type: object
+      description: "User authentication session containing tokens and user information"
+      additionalProperties: false
+      properties:
+        accessToken:
+          type: string
+          description: "JWT token for authenticating API requests"
+          example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+        accessTokenExpiresIn:
+          type: integer
+          format: int64
+          description: "Expiration time of the access token in seconds"
+          example: 900
+        refreshTokenId:
+          description: "Identifier for the refresh token"
+          example: "2c35b6f3-c4b9-48e3-978a-d4d0f1d42e24"
+          pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
+          type: string
+        refreshToken:
+          description: "Token used to refresh the access token"
+          example: "2c35b6f3-c4b9-48e3-978a-d4d0f1d42e24"
+          pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
+          type: string
+      required:
+        - accessToken
+        - accessTokenExpiresIn
+        - refreshToken
+        - refreshTokenId
+
+    UserEmailChangeRequest:
+      type: object
+      additionalProperties: false
+      properties:
+        newEmail:
+          description: A valid email
+          example: john.smith@nhost.io
+          format: email
+          type: string
+      required:
+        - newEmail
+
+    OKResponse:
+      type: string
+      additionalProperties: false
+      enum:
+        - OK
+
+    ErrorResponse:
+      type: object
+      description: "Standardized error response"
+      additionalProperties: false
+      properties:
+        status:
+          description: "HTTP status error code"
+          type: integer
+          example: 400
+        message:
+          description: "Human-friendly error message"
+          type: string
+          example: "Invalid email format"
+        error:
+          description: "Error code identifying the specific application error"
+          type: string
+          enum:
+            - default-role-must-be-in-allowed-roles
+            - disabled-endpoint
+            - disabled-user
+            - email-already-in-use
+            - email-already-verified
+            - forbidden-anonymous
+            - internal-server-error
+            - invalid-email-password
+            - invalid-request
+            - locale-not-allowed
+            - password-too-short
+            - password-in-hibp-database
+            - redirectTo-not-allowed
+            - role-not-allowed
+            - signup-disabled
+            - unverified-user
+            - user-not-anonymous
+            - invalid-pat
+            - invalid-refresh-token
+            - invalid-ticket
+            - disabled-mfa-totp
+            - no-totp-secret
+            - invalid-totp
+            - mfa-type-not-found
+            - totp-already-active
+            - invalid-state
+            - oauth-token-echange-failed
+            - oauth-profile-fetch-failed
+            - oauth-provider-error
+            - invalid-otp
+            - cannot-send-sms
+      required:
+        - status
+        - message
+        - error

internal/lib/oapi/example/api/server.cfg.yaml

@@ -0,0 +1,6 @@
+package: api
+generate:
+  gin-server: true
+  embedded-spec: true
+  strict-server: true
+output: server.gen.go

internal/lib/oapi/example/api/server.gen.go

@@ -0,0 +1,351 @@
+// Package api provides primitives to interact with the openapi HTTP API.
+//
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
+package api
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"path"
+	"strings"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/gin-gonic/gin"
+	strictgin "github.com/oapi-codegen/runtime/strictmiddleware/gin"
+)
+
+// ServerInterface represents all server handlers.
+type ServerInterface interface {
+	// Sign in with email and password
+	// (POST /signin/email-password)
+	SignInEmailPassword(c *gin.Context)
+	// Change user email
+	// (POST /user/email/change)
+	ChangeUserEmail(c *gin.Context)
+}
+
+// ServerInterfaceWrapper converts contexts to parameters.
+type ServerInterfaceWrapper struct {
+	Handler            ServerInterface
+	HandlerMiddlewares []MiddlewareFunc
+	ErrorHandler       func(*gin.Context, error, int)
+}
+
+type MiddlewareFunc func(c *gin.Context)
+
+// SignInEmailPassword operation middleware
+func (siw *ServerInterfaceWrapper) SignInEmailPassword(c *gin.Context) {
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		middleware(c)
+		if c.IsAborted() {
+			return
+		}
+	}
+
+	siw.Handler.SignInEmailPassword(c)
+}
+
+// ChangeUserEmail operation middleware
+func (siw *ServerInterfaceWrapper) ChangeUserEmail(c *gin.Context) {
+
+	c.Set(BearerAuthElevatedScopes, []string{})
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		middleware(c)
+		if c.IsAborted() {
+			return
+		}
+	}
+
+	siw.Handler.ChangeUserEmail(c)
+}
+
+// GinServerOptions provides options for the Gin server.
+type GinServerOptions struct {
+	BaseURL      string
+	Middlewares  []MiddlewareFunc
+	ErrorHandler func(*gin.Context, error, int)
+}
+
+// RegisterHandlers creates http.Handler with routing matching OpenAPI spec.
+func RegisterHandlers(router gin.IRouter, si ServerInterface) {
+	RegisterHandlersWithOptions(router, si, GinServerOptions{})
+}
+
+// RegisterHandlersWithOptions creates http.Handler with additional options
+func RegisterHandlersWithOptions(router gin.IRouter, si ServerInterface, options GinServerOptions) {
+	errorHandler := options.ErrorHandler
+	if errorHandler == nil {
+		errorHandler = func(c *gin.Context, err error, statusCode int) {
+			c.JSON(statusCode, gin.H{"msg": err.Error()})
+		}
+	}
+
+	wrapper := ServerInterfaceWrapper{
+		Handler:            si,
+		HandlerMiddlewares: options.Middlewares,
+		ErrorHandler:       errorHandler,
+	}
+
+	router.POST(options.BaseURL+"/signin/email-password", wrapper.SignInEmailPassword)
+	router.POST(options.BaseURL+"/user/email/change", wrapper.ChangeUserEmail)
+}
+
+type SignInEmailPasswordRequestObject struct {
+	Body *SignInEmailPasswordJSONRequestBody
+}
+
+type SignInEmailPasswordResponseObject interface {
+	VisitSignInEmailPasswordResponse(w http.ResponseWriter) error
+}
+
+type SignInEmailPassword200JSONResponse SignInEmailPasswordResponse
+
+func (response SignInEmailPassword200JSONResponse) VisitSignInEmailPasswordResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type SignInEmailPassworddefaultJSONResponse struct {
+	Body       ErrorResponse
+	StatusCode int
+}
+
+func (response SignInEmailPassworddefaultJSONResponse) VisitSignInEmailPasswordResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(response.StatusCode)
+
+	return json.NewEncoder(w).Encode(response.Body)
+}
+
+type ChangeUserEmailRequestObject struct {
+	Body *ChangeUserEmailJSONRequestBody
+}
+
+type ChangeUserEmailResponseObject interface {
+	VisitChangeUserEmailResponse(w http.ResponseWriter) error
+}
+
+type ChangeUserEmail200JSONResponse OKResponse
+
+func (response ChangeUserEmail200JSONResponse) VisitChangeUserEmailResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type ChangeUserEmaildefaultJSONResponse struct {
+	Body       ErrorResponse
+	StatusCode int
+}
+
+func (response ChangeUserEmaildefaultJSONResponse) VisitChangeUserEmailResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(response.StatusCode)
+
+	return json.NewEncoder(w).Encode(response.Body)
+}
+
+// StrictServerInterface represents all server handlers.
+type StrictServerInterface interface {
+	// Sign in with email and password
+	// (POST /signin/email-password)
+	SignInEmailPassword(ctx context.Context, request SignInEmailPasswordRequestObject) (SignInEmailPasswordResponseObject, error)
+	// Change user email
+	// (POST /user/email/change)
+	ChangeUserEmail(ctx context.Context, request ChangeUserEmailRequestObject) (ChangeUserEmailResponseObject, error)
+}
+
+type StrictHandlerFunc = strictgin.StrictGinHandlerFunc
+type StrictMiddlewareFunc = strictgin.StrictGinMiddlewareFunc
+
+func NewStrictHandler(ssi StrictServerInterface, middlewares []StrictMiddlewareFunc) ServerInterface {
+	return &strictHandler{ssi: ssi, middlewares: middlewares}
+}
+
+type strictHandler struct {
+	ssi         StrictServerInterface
+	middlewares []StrictMiddlewareFunc
+}
+
+// SignInEmailPassword operation middleware
+func (sh *strictHandler) SignInEmailPassword(ctx *gin.Context) {
+	var request SignInEmailPasswordRequestObject
+
+	var body SignInEmailPasswordJSONRequestBody
+	if err := ctx.ShouldBindJSON(&body); err != nil {
+		ctx.Status(http.StatusBadRequest)
+		ctx.Error(err)
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
+		return sh.ssi.SignInEmailPassword(ctx, request.(SignInEmailPasswordRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "SignInEmailPassword")
+	}
+
+	response, err := handler(ctx, request)
+
+	if err != nil {
+		ctx.Error(err)
+		ctx.Status(http.StatusInternalServerError)
+	} else if validResponse, ok := response.(SignInEmailPasswordResponseObject); ok {
+		if err := validResponse.VisitSignInEmailPasswordResponse(ctx.Writer); err != nil {
+			ctx.Error(err)
+		}
+	} else if response != nil {
+		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// ChangeUserEmail operation middleware
+func (sh *strictHandler) ChangeUserEmail(ctx *gin.Context) {
+	var request ChangeUserEmailRequestObject
+
+	var body ChangeUserEmailJSONRequestBody
+	if err := ctx.ShouldBindJSON(&body); err != nil {
+		ctx.Status(http.StatusBadRequest)
+		ctx.Error(err)
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
+		return sh.ssi.ChangeUserEmail(ctx, request.(ChangeUserEmailRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "ChangeUserEmail")
+	}
+
+	response, err := handler(ctx, request)
+
+	if err != nil {
+		ctx.Error(err)
+		ctx.Status(http.StatusInternalServerError)
+	} else if validResponse, ok := response.(ChangeUserEmailResponseObject); ok {
+		if err := validResponse.VisitChangeUserEmailResponse(ctx.Writer); err != nil {
+			ctx.Error(err)
+		}
+	} else if response != nil {
+		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// Base64 encoded, gzipped, json marshaled Swagger object
+var swaggerSpec = []string{
+
+	"H4sIAAAAAAAC/9RYUXPbuBH+KxhcO30RJMVW0lhP9WV8rXLXS8Z22s7YfoCApYiYBHhY0IrO1X/vLEBK",
+	"pEQ1vs5dp32yTBCL3f2+b3fBZ65cWTkLNiCfP3NUOZQy/rzy3vlrwMpZBHogtTbBOCuLj95V4IMB5PNM",
+	"FggjrgGVNxWt8zm/CdJq6bX5GTQDMsR8a2nEq872Zx6X6UffRDyeKaeBGQ02mGxj7IqFHBhWoExmFJNV",
+	"VRglaUc6hY842Lrk8zuuIZN1EYR3BYiyxiCWIIwVsijcGnR8jnzEtUG5LEALsLpyxobusxoh2iylKYQs",
+	"PEi9ISN1jKP/+Am8yQxoPuKZ80ujNVghrbOb0tV0krEBvJWFQPBP4EXrsbFPsjBaJHOVRFw7rzsLHn6q",
+	"AcmxwilZgLAutHFQOpsdIjgnMHc+dB8aK3KzrISWQS5l9NuDNh5UuHUHlmKu+o/QrGxdiTYjfMRr20ba",
+	"pof+pG29aJPzlQy9UDIPmIvgHsF2ngejHqGX+jKTIrhQ8RG3Lv4SCMpD11qzHl/dVMn1zNWW3Iw7Wmyk",
+	"CuYJOjsxyED/O1mHxhsBKpd2BSKTJkWaFivvMlOAyCCofGDxyegBMJNnSlryCcFqgSXyhxEnR/mcY/DG",
+	"rvh2xEtAlCs4VsBf6lJakXkDVhebRkbt2yMOX2RZFWRrkc5kkUAsc76MOT86iYKuceCg29uPLC02p5Ds",
+	"ukfMptOdPaLxCjzfbolJP9XGgybBNdb3AY0aae+DdsvPoAK58uH7F1eWVtAfvh9M3w0gxjB+UYH6hOAZ",
+	"IUiVpakgmCwx5WyQxsZqQ8RAJq1mRHJmbMouGTmsY1IpQLyNxD5K8fu/3yZjBE/vYLtilx8XrNE49oCF",
+	"zft8+WdlPpj3i08/L179aBa4sNev1bvFm8Vj9Y+/vXt/MR6Ph7DueHP1pTIecDHgVlxK0QdTAnNZLLBp",
+	"c+OwocwoZ3XPtwtiREO1yIk3M35MEWJIFPyJtMTHlFrNgmPNu0cu9HJyps5fL99k50LNlhdi9hbOxcUf",
+	"30qhZ3qavdKzMzibxfoXqNryOb+/X95NxYUU2cPz2+39/VLs/p1tT/7u7np1RtuGstyNbqGP41ukzmXA",
+	"R9wpsF2Q/8uRHUi7S+0T1DpA+ig1Q0Xgxqzswl5R1frYtKvrptX9MjU3u4hDHWkBq5HklcoiabjTWw9m",
+	"EHrlGD6qEn/A1oDWHrAv0M8ut2MsTcj/ZHOHYWwc78gimR3gzc6RU0d2PN2fdhP81K5iqr6h1n4x++fv",
+	"qd7KLz+AXYWcz19PR7w0tv33/GvAtg7ujnsxTP/RWNhui2LojzuHxTjkMrBSbpixqqg1MLmrz86zv353",
+	"yVQuiwLs6niixH1L+J2HjM/5N5P9mDtpZtxJ2zkoKUdBEw4x5HdxKHgpL/uOWFhfDTPrknVa9q9AqQNc",
+	"dwcf40lzAKjam7C5oUQkT78F6cFf1sSaQ1/T2iFAaxNyRm2tW6nH7FNTy3s6bJsbLVTeBVCB7gXNwI3U",
+	"wCIo5OcynraPMA+hIkD2Hl4V8CQD6Jd6GqnUZAcZNLtZBb40kQHYuE2sRLBoaFhkBGQ0gHsyNlbYngOs",
+	"TSYrQWJNJ2CtciaReVBgw4E3Y/ad80xDkKZAhgCMAsT5ZKKdwnEL+aTyTtcq4IS2T1qnRcfpryeNsKaJ",
+	"hc9tXRQj7iqwsjJ8zs/H0/E09ZI84j+hOd/YycEdZP7MK5dof8DfLrwyDUeRESEH4wdK7phdQ6g9DVN7",
+	"IUdKHumZmYyFtROZVMEdoWmQgY1XBKLNDiTqvkOViidhAIZvnd5QIDTegU1S3t8fJ58xVYxUHb5aO063",
+	"rpj2gWlTeYjTgCxwX/96OToIlXc1HXwNUeSpgkbQzqbT3zagpsgPRHR5MDrXsQhkdTFmiyzCucdpxGQH",
+	"3LUpCrakmkB0AM2MxQBS0+y5o8aYxxPjDf5XC7H/QWMoqOYrAnNK1d6DZuvcFEAli6JrPz/4HdAjjnVZ",
+	"Sr9puEezclTBwMhBb09IJ0ljk3TZPK2wzkyTXk1jcUd36U5yOJ+M2SVLF/T2w0hcbdOOVJKCi8YsrNtd",
+	"8RhnM+PLuJSOJNH+u7J5JMDULHe98zcS34nePIDoj7DuZydi4qqmdrcfQtin6x86mmyg+W/Kr3MfHgjj",
+	"quNWSz/QY3a5RzfkTPZxL4x9ZLlEtgSwp3D/v9FZ02X5/O55cBS4e9g+dOWYqJEa025mkiuk6Sh+tnrY",
+	"brfbfwUAAP//3ciGL/8UAAA=",
+}
+
+// GetSwagger returns the content of the embedded swagger specification file
+// or error if failed to decode
+func decodeSpec() ([]byte, error) {
+	zipped, err := base64.StdEncoding.DecodeString(strings.Join(swaggerSpec, ""))
+	if err != nil {
+		return nil, fmt.Errorf("error base64 decoding spec: %w", err)
+	}
+	zr, err := gzip.NewReader(bytes.NewReader(zipped))
+	if err != nil {
+		return nil, fmt.Errorf("error decompressing spec: %w", err)
+	}
+	var buf bytes.Buffer
+	_, err = buf.ReadFrom(zr)
+	if err != nil {
+		return nil, fmt.Errorf("error decompressing spec: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}
+
+var rawSpec = decodeSpecCached()
+
+// a naive cached of a decoded swagger spec
+func decodeSpecCached() func() ([]byte, error) {
+	data, err := decodeSpec()
+	return func() ([]byte, error) {
+		return data, err
+	}
+}
+
+// Constructs a synthetic filesystem for resolving external references when loading openapi specifications.
+func PathToRawSpec(pathToFile string) map[string]func() ([]byte, error) {
+	res := make(map[string]func() ([]byte, error))
+	if len(pathToFile) > 0 {
+		res[pathToFile] = rawSpec
+	}
+
+	return res
+}
+
+// GetSwagger returns the Swagger specification corresponding to the generated code
+// in this file. The external references of Swagger specification are resolved.
+// The logic of resolving external references is tightly connected to "import-mapping" feature.
+// Externally referenced files must be embedded in the corresponding golang packages.
+// Urls can be supported but this task was out of the scope.
+func GetSwagger() (swagger *openapi3.T, err error) {
+	resolvePath := PathToRawSpec("")
+
+	loader := openapi3.NewLoader()
+	loader.IsExternalRefsAllowed = true
+	loader.ReadFromURIFunc = func(loader *openapi3.Loader, url *url.URL) ([]byte, error) {
+		pathToFile := url.String()
+		pathToFile = path.Clean(pathToFile)
+		getSpec, ok := resolvePath[pathToFile]
+		if !ok {
+			err1 := fmt.Errorf("path not found: %s", pathToFile)
+			return nil, err1
+		}
+		return getSpec()
+	}
+	var specData []byte
+	specData, err = rawSpec()
+	if err != nil {
+		return
+	}
+	swagger, err = loader.LoadFromData(specData)
+	if err != nil {
+		return
+	}
+	return
+}

internal/lib/oapi/example/api/types.cfg.yaml

@@ -0,0 +1,4 @@
+package: api
+generate:
+  models: true
+output: types.gen.go

internal/lib/oapi/example/api/types.gen.go

@@ -0,0 +1,112 @@
+// Package api provides primitives to interact with the openapi HTTP API.
+//
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
+package api
+
+import (
+	openapi_types "github.com/oapi-codegen/runtime/types"
+)
+
+const (
+	BearerAuthElevatedScopes = "BearerAuthElevated.Scopes"
+)
+
+// Defines values for ErrorResponseError.
+const (
+	CannotSendSms                   ErrorResponseError = "cannot-send-sms"
+	DefaultRoleMustBeInAllowedRoles ErrorResponseError = "default-role-must-be-in-allowed-roles"
+	DisabledEndpoint                ErrorResponseError = "disabled-endpoint"
+	DisabledMfaTotp                 ErrorResponseError = "disabled-mfa-totp"
+	DisabledUser                    ErrorResponseError = "disabled-user"
+	EmailAlreadyInUse               ErrorResponseError = "email-already-in-use"
+	EmailAlreadyVerified            ErrorResponseError = "email-already-verified"
+	ForbiddenAnonymous              ErrorResponseError = "forbidden-anonymous"
+	InternalServerError             ErrorResponseError = "internal-server-error"
+	InvalidEmailPassword            ErrorResponseError = "invalid-email-password"
+	InvalidOtp                      ErrorResponseError = "invalid-otp"
+	InvalidPat                      ErrorResponseError = "invalid-pat"
+	InvalidRefreshToken             ErrorResponseError = "invalid-refresh-token"
+	InvalidRequest                  ErrorResponseError = "invalid-request"
+	InvalidState                    ErrorResponseError = "invalid-state"
+	InvalidTicket                   ErrorResponseError = "invalid-ticket"
+	InvalidTotp                     ErrorResponseError = "invalid-totp"
+	LocaleNotAllowed                ErrorResponseError = "locale-not-allowed"
+	MfaTypeNotFound                 ErrorResponseError = "mfa-type-not-found"
+	NoTotpSecret                    ErrorResponseError = "no-totp-secret"
+	OauthProfileFetchFailed         ErrorResponseError = "oauth-profile-fetch-failed"
+	OauthProviderError              ErrorResponseError = "oauth-provider-error"
+	OauthTokenEchangeFailed         ErrorResponseError = "oauth-token-echange-failed"
+	PasswordInHibpDatabase          ErrorResponseError = "password-in-hibp-database"
+	PasswordTooShort                ErrorResponseError = "password-too-short"
+	RedirectToNotAllowed            ErrorResponseError = "redirectTo-not-allowed"
+	RoleNotAllowed                  ErrorResponseError = "role-not-allowed"
+	SignupDisabled                  ErrorResponseError = "signup-disabled"
+	TotpAlreadyActive               ErrorResponseError = "totp-already-active"
+	UnverifiedUser                  ErrorResponseError = "unverified-user"
+	UserNotAnonymous                ErrorResponseError = "user-not-anonymous"
+)
+
+// Defines values for OKResponse.
+const (
+	OK OKResponse = "OK"
+)
+
+// ErrorResponse Standardized error response
+type ErrorResponse struct {
+	// Error Error code identifying the specific application error
+	Error ErrorResponseError `json:"error"`
+
+	// Message Human-friendly error message
+	Message string `json:"message"`
+
+	// Status HTTP status error code
+	Status int `json:"status"`
+}
+
+// ErrorResponseError Error code identifying the specific application error
+type ErrorResponseError string
+
+// OKResponse defines model for OKResponse.
+type OKResponse string
+
+// Session User authentication session containing tokens and user information
+type Session struct {
+	// AccessToken JWT token for authenticating API requests
+	AccessToken string `json:"accessToken"`
+
+	// AccessTokenExpiresIn Expiration time of the access token in seconds
+	AccessTokenExpiresIn int64 `json:"accessTokenExpiresIn"`
+
+	// RefreshToken Token used to refresh the access token
+	RefreshToken string `json:"refreshToken"`
+
+	// RefreshTokenId Identifier for the refresh token
+	RefreshTokenId string `json:"refreshTokenId"`
+}
+
+// SignInEmailPasswordRequest Request to authenticate using email and password
+type SignInEmailPasswordRequest struct {
+	// Email User's email address
+	Email openapi_types.Email `json:"email"`
+
+	// Password User's password
+	Password string `json:"password"`
+}
+
+// SignInEmailPasswordResponse Response for email-password authentication that may include a session or MFA challenge
+type SignInEmailPasswordResponse struct {
+	// Session User authentication session containing tokens and user information
+	Session *Session `json:"session,omitempty"`
+}
+
+// UserEmailChangeRequest defines model for UserEmailChangeRequest.
+type UserEmailChangeRequest struct {
+	// NewEmail A valid email
+	NewEmail openapi_types.Email `json:"newEmail"`
+}
+
+// SignInEmailPasswordJSONRequestBody defines body for SignInEmailPassword for application/json ContentType.
+type SignInEmailPasswordJSONRequestBody = SignInEmailPasswordRequest
+
+// ChangeUserEmailJSONRequestBody defines body for ChangeUserEmail for application/json ContentType.
+type ChangeUserEmailJSONRequestBody = UserEmailChangeRequest

internal/lib/oapi/example/controller/controller.go

@@ -0,0 +1,49 @@
+package controller
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/nhost/nhost/internal/lib/oapi/example/api"
+)
+
+type Controller struct{}
+
+func NewController() *Controller {
+	return &Controller{}
+}
+
+func (c *Controller) SignInEmailPassword( //nolint:ireturn
+	_ context.Context, req api.SignInEmailPasswordRequestObject,
+) (api.SignInEmailPasswordResponseObject, error) {
+	switch req.Body.Email {
+	case "bad@email.com":
+		return api.SignInEmailPassworddefaultJSONResponse{
+			Body: api.ErrorResponse{
+				Error:   api.DisabledUser,
+				Message: "The user account is disabled.",
+				Status:  http.StatusConflict,
+			},
+			StatusCode: http.StatusConflict,
+		}, nil
+	case "crash@email.com":
+		return nil, errors.New("simulated server crash") //nolint:err113
+	}
+
+	return api.SignInEmailPassword200JSONResponse{
+		Session: &api.Session{
+			AccessToken:          "access_token_example",
+			AccessTokenExpiresIn: 900, //nolint:mnd
+			RefreshToken:         "refresh_token_example",
+			RefreshTokenId:       "refresh_token_id_example",
+		},
+	}, nil
+}
+
+func (c *Controller) ChangeUserEmail( //nolint:ireturn
+	_ context.Context,
+	_ api.ChangeUserEmailRequestObject,
+) (api.ChangeUserEmailResponseObject, error) {
+	return api.ChangeUserEmail200JSONResponse(api.OK), nil
+}

internal/lib/oapi/example/main.go

@@ -0,0 +1,109 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/getkin/kin-openapi/openapi3filter"
+	"github.com/gin-gonic/gin"
+	"github.com/lmittmann/tint"
+	"github.com/nhost/nhost/internal/lib/oapi"
+	"github.com/nhost/nhost/internal/lib/oapi/example/api"
+	"github.com/nhost/nhost/internal/lib/oapi/example/controller"
+	"github.com/nhost/nhost/internal/lib/oapi/middleware"
+)
+
+const apiPrefix = "/"
+
+func getLogger() *slog.Logger {
+	handler := tint.NewHandler(os.Stdout, &tint.Options{
+		AddSource:   true,
+		Level:       slog.LevelDebug,
+		TimeFormat:  time.StampMilli,
+		NoColor:     false,
+		ReplaceAttr: nil,
+	})
+
+	return slog.New(handler)
+}
+
+func authFn(
+	ctx context.Context,
+	input *openapi3filter.AuthenticationInput,
+) error {
+	_, ok := ctx.Value(oapi.GinContextKey).(*gin.Context)
+	if !ok {
+		return &oapi.AuthenticatorError{
+			Scheme:  input.SecuritySchemeName,
+			Code:    "unauthorized",
+			Message: "unable to get context",
+		}
+	}
+
+	return &oapi.AuthenticatorError{
+		Scheme:  input.SecuritySchemeName,
+		Code:    "unauthorized",
+		Message: "your access token is invalid",
+	}
+}
+
+func setupRouter(logger *slog.Logger) (*gin.Engine, error) {
+	ctrl := controller.NewController()
+	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
+
+	router, mw, err := oapi.NewRouter(
+		api.OpenAPISchema,
+		apiPrefix,
+		authFn,
+		middleware.CORSOptions{ //nolint:exhaustruct
+			AllowedOrigins: []string{"*"},
+		},
+		logger,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create oapi router: %w", err)
+	}
+
+	api.RegisterHandlersWithOptions(
+		router,
+		handler,
+		api.GinServerOptions{
+			BaseURL:      apiPrefix,
+			Middlewares:  []api.MiddlewareFunc{mw},
+			ErrorHandler: nil,
+		},
+	)
+
+	return router, nil
+}
+
+func run(ctx context.Context) error {
+	logger := getLogger()
+
+	router, err := setupRouter(logger) //nolint:contextcheck
+	if err != nil {
+		return err
+	}
+
+	server := &http.Server{ //nolint:exhaustruct
+		Addr:              ":8080",
+		Handler:           router,
+		ReadHeaderTimeout: 5 * time.Second, //nolint:mnd
+	}
+
+	if err := server.ListenAndServe(); err != nil {
+		logger.ErrorContext(ctx, "server failed", slog.String("error", err.Error()))
+	}
+
+	return nil
+}
+
+func main() {
+	if err := run(context.Background()); err != nil {
+		panic(err)
+	}
+}

internal/lib/oapi/example/main_test.go

@@ -0,0 +1,177 @@
+package main
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-cmp/cmp"
+)
+
+func makeRequest(
+	router *gin.Engine,
+	method, path string,
+	headers map[string]string,
+	body io.Reader,
+) *httptest.ResponseRecorder {
+	req := httptest.NewRequest(method, path, body)
+
+	for key, value := range headers {
+		req.Header.Set(key, value)
+	}
+
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	return w
+}
+
+func TestRequests(t *testing.T) {
+	t.Parallel()
+
+	logger := getLogger()
+
+	router, err := setupRouter(logger)
+	if err != nil {
+		t.Fatalf("Failed to set up router: %v", err)
+	}
+
+	cases := []struct {
+		name             string
+		method           string
+		path             string
+		headers          map[string]string
+		body             io.Reader
+		expectedStatus   int
+		expectedResponse string
+	}{
+		{
+			name:   "success",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body:             strings.NewReader(`{"email": "asd@asd.com", "password": "p4ssw0rd"}`),
+			expectedStatus:   http.StatusOK,
+			expectedResponse: "{\"session\":{\"accessToken\":\"access_token_example\",\"accessTokenExpiresIn\":900,\"refreshToken\":\"refresh_token_example\",\"refreshTokenId\":\"refresh_token_id_example\"}}\n", //nolint:lll
+		},
+
+		{
+			name:   "expected error",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body: strings.NewReader(
+				`{"email": "bad@email.com", "password": "p4ssw0rd"}`,
+			),
+			expectedStatus:   http.StatusConflict,
+			expectedResponse: "{\"error\":\"disabled-user\",\"message\":\"The user account is disabled.\",\"status\":409}\n", //nolint:lll
+		},
+
+		{
+			name:   "unexpected error",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body: strings.NewReader(
+				`{"email": "crash@email.com", "password": "p4ssw0rd"}`,
+			),
+			expectedStatus:   http.StatusInternalServerError,
+			expectedResponse: `{"errors":"internal-server-error","message":"simulated server crash"}`,
+		},
+
+		{
+			name:   "missing body",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body:             nil,
+			expectedStatus:   http.StatusBadRequest,
+			expectedResponse: `{"error":"request-validation-error","reason":"value is required but missing"}`,
+		},
+
+		{
+			name:   "wrong param",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body: strings.NewReader(
+				`{"wrong":"asd", "email": "asd@asd.com", "password": "p4ssw0rd"}`,
+			),
+			expectedStatus:   http.StatusBadRequest,
+			expectedResponse: `{"error":"schema-validation-error","reason":"property \"wrong\" is unsupported"}`,
+		},
+
+		{
+			name:   "missing param",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body:             strings.NewReader(`{"email": "asd@asd.com"}`),
+			expectedStatus:   http.StatusBadRequest,
+			expectedResponse: `{"error":"schema-validation-error","reason":"property \"password\" is missing"}`,
+		},
+
+		{
+			name:   "invalid param",
+			method: http.MethodPost,
+			path:   "/signin/email-password",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body:             strings.NewReader(`{"email": "asdasd.com", "password": "p4ssw0rd"}`),
+			expectedStatus:   http.StatusBadRequest,
+			expectedResponse: `{"errors":"bad-request","message":"email: failed to pass regex validation"}`,
+		},
+
+		{
+			name:   "needs security",
+			method: http.MethodPost,
+			path:   "/user/email/change",
+			headers: map[string]string{
+				"Content-Type": "application/json",
+			},
+			body:             strings.NewReader(`{"newEmail": "new@asd.com"`),
+			expectedStatus:   http.StatusUnauthorized,
+			expectedResponse: `{"error":"unauthorized","reason":"your access token is invalid","securityScheme":"BearerAuthElevated"}`, //nolint:lll
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			w := makeRequest(router, tc.method, tc.path, tc.headers, tc.body)
+
+			resp := w.Result()
+			defer resp.Body.Close()
+
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("Failed to read response body: %v", err)
+			}
+
+			if resp.StatusCode != tc.expectedStatus {
+				t.Errorf("Expected status %d, got %d", tc.expectedStatus, resp.StatusCode)
+			}
+
+			if diff := cmp.Diff(string(body), tc.expectedResponse); diff != "" {
+				t.Errorf("Response body mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

internal/lib/oapi/middleware/cors.go

@@ -0,0 +1,140 @@
+package middleware
+
+import (
+	"net/http"
+	"slices"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// CORSOptions configures the CORS middleware behavior.
+//
+// The middleware supports three strategies for handling Access-Control-Allow-Headers:
+//   - nil (default): Reflects the Access-Control-Request-Headers from the client
+//   - empty slice: Denies all headers (no Access-Control-Allow-Headers header is set)
+//   - non-empty slice: Uses the specified headers
+type CORSOptions struct {
+	// AllowedOrigins is a list of origins permitted to make cross-origin requests.
+	// Use "*" or nil slice to allow all origins.
+	AllowedOrigins []string
+
+	// AllowedMethods is a list of HTTP methods the client is permitted to use.
+	// Common values: GET, POST, PUT, DELETE, PATCH, OPTIONS.
+	AllowedMethods []string
+
+	// AllowedHeaders controls which headers clients can use in requests.
+	// - nil: reflects client's Access-Control-Request-Headers (permissive)
+	// - empty slice: denies all headers
+	// - non-empty: allows only specified headers
+	AllowedHeaders []string
+
+	// ExposedHeaders lists headers that browsers are allowed to access.
+	// By default, browsers only expose simple response headers.
+	ExposedHeaders []string
+
+	// AllowCredentials indicates whether the request can include credentials
+	// (cookies, authorization headers, or TLS client certificates).
+	AllowCredentials bool
+
+	// MaxAge indicates how long (in seconds) the results of a preflight request
+	// can be cached. Empty string means no caching directive is sent.
+	MaxAge string
+}
+
+// CORS returns a Gin middleware handler that implements Cross-Origin Resource Sharing (CORS).
+//
+// The middleware handles both preflight (OPTIONS) requests and actual requests, setting
+// appropriate CORS headers based on the provided configuration. It automatically adds
+// the "Vary: Origin, Access-Control-Request-Method" header for proper cache behavior.
+//
+// For preflight requests (OPTIONS), the middleware responds with 204 No Content and
+// prevents further request processing. For actual requests, it sets CORS headers and
+// continues the middleware chain.
+//
+// Example usage:
+//
+//	router.Use(middleware.CORS(middleware.CORSOptions{
+//		AllowedOrigins:   []string{"https://example.com", "https://app.example.com"},
+//		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE"},
+//		AllowedHeaders:   nil, // reflects client headers
+//		AllowCredentials: true,
+//		MaxAge:           "3600",
+//	}))
+func CORS(opts CORSOptions) gin.HandlerFunc { //nolint:cyclop,funlen
+	allowedMethods := strings.Join(opts.AllowedMethods, ", ")
+	exposedHeaders := strings.Join(opts.ExposedHeaders, ", ")
+
+	allowCredentials := "false"
+	if opts.AllowCredentials {
+		allowCredentials = "true"
+	}
+
+	var (
+		headerStrategy string // "reflect", "specific", or "deny"
+		allowedHeaders string
+	)
+	switch {
+	case opts.AllowedHeaders == nil:
+		headerStrategy = "reflect"
+	case len(opts.AllowedHeaders) == 0:
+		headerStrategy = "deny"
+	default:
+		headerStrategy = "specific"
+		allowedHeaders = strings.Join(opts.AllowedHeaders, ", ")
+	}
+
+	f := func(c *gin.Context, origin string) {
+		if opts.AllowedOrigins != nil &&
+			!slices.Contains(opts.AllowedOrigins, origin) &&
+			!slices.Contains(opts.AllowedOrigins, "*") {
+			return
+		}
+
+		c.Header("Access-Control-Allow-Origin", origin)
+		c.Header("Access-Control-Allow-Methods", allowedMethods)
+
+		// Handle allowed headers based on strategy
+		switch headerStrategy {
+		case "specific":
+			c.Header("Access-Control-Allow-Headers", allowedHeaders)
+		case "reflect":
+			headers := c.Request.Header.Get("Access-Control-Request-Headers")
+			if headers != "" {
+				c.Header("Access-Control-Allow-Headers", headers)
+			}
+		case "deny":
+			// Don't set the header at all
+		}
+
+		if exposedHeaders != "" {
+			c.Header("Access-Control-Expose-Headers", exposedHeaders)
+		}
+
+		c.Header("Access-Control-Allow-Credentials", allowCredentials)
+
+		if opts.MaxAge != "" {
+			c.Header("Access-Control-Max-Age", opts.MaxAge)
+		}
+
+		c.Writer.Header().Add("Vary", "Origin, Access-Control-Request-Method")
+	}
+
+	return func(c *gin.Context) {
+		origin := c.Request.Header.Get("Origin")
+		if c.Request.Method == http.MethodOptions {
+			f(c, origin)
+
+			c.Header("Content-Length", "0")
+			c.AbortWithStatus(http.StatusNoContent)
+
+			return
+		}
+
+		if origin != "" {
+			f(c, origin)
+		}
+
+		c.Next()
+	}
+}

internal/lib/oapi/middleware/cors_test.go

@@ -0,0 +1,323 @@
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-cmp/cmp"
+	"github.com/nhost/nhost/internal/lib/oapi/middleware"
+)
+
+func TestCORS(t *testing.T) { //nolint:maintidx
+	t.Parallel()
+
+	gin.SetMode(gin.TestMode)
+
+	cases := []struct {
+		name           string
+		opts           middleware.CORSOptions
+		requestMethod  string
+		requestOrigin  string
+		requestHeaders map[string]string
+		wantStatus     int
+		wantHeaders    http.Header
+		expectNext     bool
+	}{
+		{
+			name: "OPTIONS request with allowed origin",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET", "POST"},
+				AllowedHeaders: []string{"Content-Type", "Authorization"},
+			},
+			requestMethod:  "OPTIONS",
+			requestHeaders: map[string]string{},
+			requestOrigin:  "https://example.com",
+			wantStatus:     http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Origin":      []string{"https://example.com"},
+				"Access-Control-Allow-Methods":     []string{"GET, POST"},
+				"Access-Control-Allow-Headers":     []string{"Content-Type, Authorization"},
+				"Access-Control-Allow-Credentials": []string{"false"},
+				"Vary": []string{
+					"Origin, Access-Control-Request-Method",
+				},
+				"Content-Length": []string{"0"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "OPTIONS request with wildcard origin",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"*"},
+				AllowedMethods: []string{"GET", "POST", "PUT", "DELETE"},
+			},
+			requestMethod:  "OPTIONS",
+			requestHeaders: map[string]string{},
+			requestOrigin:  "https://any-origin.com",
+			wantStatus:     http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Origin":  []string{"https://any-origin.com"},
+				"Access-Control-Allow-Methods": []string{"GET, POST, PUT, DELETE"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "OPTIONS request with disallowed origin",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET", "POST"},
+			},
+			requestMethod:  "OPTIONS",
+			requestHeaders: map[string]string{},
+			requestOrigin:  "https://malicious.com",
+			wantStatus:     http.StatusNoContent,
+			wantHeaders:    http.Header{},
+			expectNext:     false,
+		},
+		{
+			name: "OPTIONS request with reflected headers (nil)",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"POST"},
+				AllowedHeaders: nil,
+			},
+			requestMethod: "OPTIONS",
+			requestOrigin: "https://example.com",
+			requestHeaders: map[string]string{
+				"Access-Control-Request-Headers": "X-Custom-Header, X-Another-Header",
+			},
+			wantStatus: http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Headers": []string{"X-Custom-Header, X-Another-Header"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "OPTIONS request with denied headers (empty slice)",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"POST"},
+				AllowedHeaders: []string{},
+			},
+			requestMethod: "OPTIONS",
+			requestOrigin: "https://example.com",
+			requestHeaders: map[string]string{
+				"Access-Control-Request-Headers": "X-Custom-Header, X-Another-Header",
+			},
+			wantStatus:  http.StatusNoContent,
+			wantHeaders: http.Header{},
+			expectNext:  false,
+		},
+		{
+			name: "OPTIONS request with nil headers and no request headers",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET"},
+				AllowedHeaders: nil,
+			},
+			requestMethod:  "OPTIONS",
+			requestOrigin:  "https://example.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusNoContent,
+			wantHeaders:    http.Header{},
+			expectNext:     false,
+		},
+		{
+			name: "OPTIONS request with credentials enabled",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins:   []string{"https://example.com"},
+				AllowedMethods:   []string{"GET"},
+				AllowCredentials: true,
+			},
+			requestMethod:  "OPTIONS",
+			requestOrigin:  "https://example.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Credentials": []string{"true"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "OPTIONS request with MaxAge",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET"},
+				MaxAge:         "3600",
+			},
+			requestMethod:  "OPTIONS",
+			requestOrigin:  "https://example.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Max-Age": []string{"3600"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "OPTIONS request with exposed headers",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET"},
+				ExposedHeaders: []string{"X-Custom-Response", "X-Total-Count"},
+			},
+			requestMethod:  "OPTIONS",
+			requestOrigin:  "https://example.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusNoContent,
+			wantHeaders: http.Header{
+				"Access-Control-Expose-Headers": []string{"X-Custom-Response, X-Total-Count"},
+			},
+			expectNext: false,
+		},
+		{
+			name: "GET request with allowed origin",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET", "POST"},
+				AllowedHeaders: []string{"Content-Type"},
+			},
+			requestMethod:  "GET",
+			requestOrigin:  "https://example.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusOK,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Origin":  []string{"https://example.com"},
+				"Access-Control-Allow-Methods": []string{"GET, POST"},
+				"Access-Control-Allow-Headers": []string{"Content-Type"},
+			},
+			expectNext: true,
+		},
+		{
+			name: "POST request with disallowed origin",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET", "POST"},
+			},
+			requestMethod:  "POST",
+			requestOrigin:  "https://malicious.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusOK,
+			wantHeaders:    http.Header{},
+			expectNext:     true,
+		},
+		{
+			name: "GET request without origin header",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{"https://example.com"},
+				AllowedMethods: []string{"GET"},
+			},
+			requestMethod:  "GET",
+			requestOrigin:  "",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusOK,
+			wantHeaders:    http.Header{},
+			expectNext:     true,
+		},
+		{
+			name: "GET request with empty allowed origins (denies all)",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{},
+				AllowedMethods: []string{"GET"},
+			},
+			requestMethod:  "GET",
+			requestOrigin:  "https://any-origin.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusOK,
+			wantHeaders:    http.Header{},
+			expectNext:     true,
+		},
+		{
+			name: "GET request with nil allowed origins (allows all)",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: nil,
+				AllowedMethods: []string{"GET"},
+			},
+			requestMethod:  "GET",
+			requestOrigin:  "https://any-origin.com",
+			requestHeaders: map[string]string{},
+			wantStatus:     http.StatusOK,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Origin": []string{"https://any-origin.com"},
+			},
+			expectNext: true,
+		},
+		{
+			name: "GET request with multiple allowed origins",
+			opts: middleware.CORSOptions{ //nolint:exhaustruct
+				AllowedOrigins: []string{
+					"https://example.com",
+					"https://another-example.com",
+					"https://third-example.com",
+				},
+				AllowedMethods: []string{"GET"},
+			},
+			requestMethod:  "GET",
+			requestHeaders: map[string]string{},
+			requestOrigin:  "https://another-example.com",
+			wantStatus:     http.StatusOK,
+			wantHeaders: http.Header{
+				"Access-Control-Allow-Origin": []string{"https://another-example.com"},
+			},
+			expectNext: true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Setup router with CORS middleware
+			router := gin.New()
+			nextCalled := false
+
+			router.Use(middleware.CORS(tc.opts))
+			router.Any("/test", func(c *gin.Context) {
+				nextCalled = true
+
+				c.Status(http.StatusOK)
+			})
+
+			// Create request
+			req := httptest.NewRequest(tc.requestMethod, "/test", nil)
+			if tc.requestOrigin != "" {
+				req.Header.Set("Origin", tc.requestOrigin)
+			}
+
+			// Add any additional request headers
+			for key, value := range tc.requestHeaders {
+				req.Header.Set(key, value)
+			}
+
+			// Record response
+			w := httptest.NewRecorder()
+			router.ServeHTTP(w, req)
+
+			// Check status code
+			if w.Code != tc.wantStatus {
+				t.Errorf("expected status %d, got %d", tc.wantStatus, w.Code)
+			}
+
+			// Check expected headers using cmp.Diff
+			// Only compare headers that are expected
+			gotHeaders := make(http.Header)
+			for key := range tc.wantHeaders {
+				if values := w.Header().Values(key); len(values) > 0 {
+					gotHeaders[key] = values
+				}
+			}
+
+			if diff := cmp.Diff(tc.wantHeaders, gotHeaders); diff != "" {
+				t.Errorf("response headers mismatch (-want +got):\n%s", diff)
+			}
+
+			// Check if Next() was called
+			if nextCalled != tc.expectNext {
+				t.Errorf("expected Next() called to be %v, got %v", tc.expectNext, nextCalled)
+			}
+		})
+	}
+}

internal/lib/oapi/middleware/logger.go

@@ -30,6 +30,7 @@ func LoggerFromContext(ctx context.Context) *slog.Logger { //nolint:contextcheck
 	return logger
 }
 
+// Logger is a Gin middleware that logs HTTP requests and responses using slog.
 func Logger(logger *slog.Logger) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
 		startTime := time.Now()

internal/lib/oapi/oapi.go

@@ -0,0 +1,69 @@
+package oapi
+
+import (
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/openapi3filter"
+	"github.com/gin-gonic/gin"
+	"github.com/nhost/nhost/internal/lib/oapi/example/api"
+	"github.com/nhost/nhost/internal/lib/oapi/middleware"
+)
+
+func surfaceErrorsMiddleWare(c *gin.Context) {
+	// this captures two cases as far as I can see:
+	// 1. request validation errors where the strict generated code fails
+	//    to bind the request to the struct (i.e. "invalid param" test)
+	// 2. when a handler returns an error instead of a response
+	c.Next()
+
+	if len(c.Errors) > 0 && !c.IsAborted() {
+		var errorCode string
+		switch c.Writer.Status() {
+		case http.StatusBadRequest:
+			errorCode = "bad-request"
+		default:
+			errorCode = "internal-server-error"
+		}
+
+		c.JSON(
+			c.Writer.Status(),
+			gin.H{"errors": errorCode, "message": c.Errors[0].Error()},
+		)
+	}
+}
+
+// NewRouter creates a Gin router with OpenAPI request validation middleware.
+func NewRouter(
+	schema []byte,
+	apiPrefix string,
+	authenticationFunc openapi3filter.AuthenticationFunc,
+	corsOptions middleware.CORSOptions,
+	logger *slog.Logger,
+) (*gin.Engine, func(c *gin.Context), error) {
+	router := gin.New()
+
+	loader := openapi3.NewLoader()
+
+	doc, err := loader.LoadFromData(schema)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to load OpenAPI schema: %w", err)
+	}
+
+	doc.AddServer(&openapi3.Server{ //nolint:exhaustruct
+		URL: apiPrefix,
+	})
+
+	router.Use(
+		gin.Recovery(),
+		surfaceErrorsMiddleWare,
+		middleware.Logger(logger),
+		middleware.CORS(corsOptions),
+	)
+
+	mw := api.MiddlewareFunc(requestValidatorWithOptions(doc, authenticationFunc))
+
+	return router, mw, nil
+}

internal/lib/oapi/request.go

@@ -0,0 +1,128 @@
+package oapi
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/openapi3filter"
+	"github.com/getkin/kin-openapi/routers"
+	"github.com/getkin/kin-openapi/routers/gorillamux"
+	"github.com/gin-gonic/gin"
+)
+
+type ContextKey string
+
+const (
+	GinContextKey ContextKey = "nhost-oapi/gin-context"
+)
+
+func handleError(c *gin.Context, err error) {
+	var (
+		errReq    *openapi3filter.RequestError
+		errSchema *openapi3.SchemaError
+		errAuth   *AuthenticatorError
+		errSec    *openapi3filter.SecurityRequirementsError
+	)
+	switch {
+	case errors.As(err, &errSchema):
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+			"error":  "schema-validation-error",
+			"reason": errSchema.Reason,
+		})
+	case errors.As(err, &errReq):
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+			"error":  "request-validation-error",
+			"reason": errReq.Err.Error(),
+		})
+	case errors.As(err, &errAuth):
+		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
+			"error":          errAuth.Code,
+			"reason":         errAuth.Message,
+			"securityScheme": errAuth.Scheme,
+		})
+	case errors.As(err, &errSec):
+		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
+			"error":  "unauthorized",
+			"reason": errSec.Error(),
+		})
+	default:
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+	}
+}
+
+func requestValidatorWithOptions(
+	swagger *openapi3.T,
+	authFn openapi3filter.AuthenticationFunc,
+) gin.HandlerFunc {
+	router, err := gorillamux.NewRouter(swagger)
+	if err != nil {
+		panic(err)
+	}
+
+	return func(c *gin.Context) {
+		if err := validateRequestFromContext(c, router, authFn); err != nil {
+			handleError(c, err)
+		}
+
+		c.Next()
+	}
+}
+
+func validateRequestFromContext(
+	c *gin.Context,
+	router routers.Router,
+	authFn openapi3filter.AuthenticationFunc,
+) error {
+	route, pathParams, err := router.FindRoute(c.Request)
+	if err != nil {
+		var e *routers.RouteError
+		switch {
+		case errors.As(err, &e):
+			return e
+		default:
+			return fmt.Errorf("error validating route: %w", err)
+		}
+	}
+
+	validationInput := &openapi3filter.RequestValidationInput{ //nolint:exhaustruct
+		Request:    c.Request,
+		PathParams: pathParams,
+		Route:      route,
+		Options: &openapi3filter.Options{
+			AuthenticationFunc:          authFn,
+			ExcludeRequestBody:          false,
+			ExcludeRequestQueryParams:   false,
+			ExcludeResponseBody:         false,
+			ExcludeReadOnlyValidations:  false,
+			ExcludeWriteOnlyValidations: false,
+			IncludeResponseStatus:       false,
+			MultiError:                  false,
+			RegexCompiler:               nil,
+			SkipSettingDefaults:         false,
+		},
+	}
+
+	requestContext := context.WithValue(c.Request.Context(), GinContextKey, c)
+	if err := openapi3filter.ValidateRequest(requestContext, validationInput); err != nil {
+		return err //nolint:wrapcheck
+	}
+
+	return nil
+}
+
+func GetGinContext(c context.Context) *gin.Context {
+	v := c.Value(GinContextKey)
+	if v == nil {
+		return nil
+	}
+
+	ginCtx, ok := v.(*gin.Context)
+	if !ok {
+		return nil
+	}
+
+	return ginCtx
+}

nixops/lib/go/go.nix

@@ -56,12 +56,17 @@ in
     { buildInputs ? [ ]
     , shellHook ? ""
     }: pkgs.mkShell {
-      inherit shellHook;
-
       buildInputs = with pkgs; [
         gnumake
         nixpkgs-fmt
       ] ++ goCheckDeps ++ buildInputs;
+
+      shellHook = shellHook + pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
+        export SDKROOT=${pkgs.apple-sdk_12}
+        export SDKROOT_FOR_TARGET=${pkgs.apple-sdk_12}
+        export DEVELOPER_DIR=${pkgs.apple-sdk_12}
+        export DEVELOPER_DIR_FOR_TARGET=${pkgs.apple-sdk_12}
+      '';
     };
 
   check =
@@ -109,13 +114,13 @@ in
         echo "➜ Running golangci-lint"
         golangci-lint run \
           --timeout 600s \
-          ./${submodule}/...
+          ./...
 
         echo "➜ Running tests"
         richgo test \
           -tags="${pkgs.lib.strings.concatStringsSep " " tags}" \
           -ldflags="${pkgs.lib.strings.concatStringsSep " " ldflags}" \
-          -v ${goTestFlags} ./${submodule}/...
+          -v ${goTestFlags} ./...
 
         ${extraCheck}
 

nixops/overlays/default.nix

@@ -4,8 +4,13 @@ final: prev:
     doCheck = false;
   });
 
+  linux-pam = prev.linux-pam.overrideAttrs (oldAttrs: {
+    outputs = [ "out" "scripts" ];
+  });
+
   nhost-cli = final.callPackage ./nhost-cli.nix { inherit final; };
 }
 // import ./go.nix final prev
 // import ./js.nix final prev
   // import ./postgres.nix final prev
+

nixops/overlays/go.nix

@@ -1,11 +1,11 @@
 final: prev: rec {
-  go = prev.go_1_24.overrideAttrs
+  go = prev.go_1_25.overrideAttrs
     (finalAttrs: previousAttrs: rec {
-      version = "1.24.6";
+      version = "1.25.3";
 
       src = final.fetchurl {
         url = "https://go.dev/dl/go${version}.src.tar.gz";
-        sha256 = "sha256-4ctVgqq1iGaLwEwH3hhogHD2uMmyqvNh+CHhm9R8/b0=";
+        sha256 = "sha256-qBpLpZPQAV4QxR4mfeP/B8eskU38oDfZUX0ClRcJd5U=";
       };
 
     });
@@ -30,16 +30,16 @@ final: prev: rec {
     ];
   });
 
-  golines = final.buildGoModule rec {
+  golines = final.buildGoModule {
     pname = "golines";
-    version = "0.13.0-beta";
+    version = "0.14.0-beta";
     src = final.fetchFromGitHub {
       owner = "segmentio";
       repo = "golines";
-      rev = "fc305205784a70b4cfc17397654f4c94e3153ce4";
-      sha256 = "sha256-ZdCR4ZC1+Llyt/rcX0RGisM98u6rq9/ECUuHEMV+Kkc=";
+      rev = "8f32f0f7e89c30f572c7f2cd3b2a48016b9d8bbf";
+      sha256 = "sha256-Y4q3xpGw8bAi87zJ48+LVbdgOc7HB1lRdYhlsF1YcVA=";
     };
-    vendorHash = "sha256-mmdaHm3YL/2eB/r3Sskd9liljKAe3/c8T0z5KIUHeK0=";
+    vendorHash = "sha256-94IXh9iBAE0jJXovaElY8oFdXE6hxYg0Ww0ZEHLnEwc=";
     meta = with final.lib; {
       description = "A golang formatter that fixes long lines";
       homepage = "https://github.com/segmentio/golines";
@@ -92,7 +92,7 @@ final: prev: rec {
     };
   };
 
-  oapi-codegen = prev.oapi-codegen.overrideAttrs (oldAttrs: rec {
+  oapi-codegen = prev.oapi-codegen.overrideAttrs (oldAttrs: {
     version = "2.6.0-beta0";
     src = final.fetchFromGitHub {
       owner = "dbarrosop";

nixops/overlays/nhost-cli.nix

@@ -1,22 +1,22 @@
 { final }:
 let
-  version = "1.33.0";
+  version = "1.34.4";
   dist = {
     aarch64-darwin = {
       url = "https://github.com/nhost/nhost/releases/download/cli%40${version}/cli-${version}-darwin-arm64.tar.gz";
-      sha256 = "0d4l4pmcz79147xyc1ag6zahl5jbmwl6a86cccnx13axbf0gxh2b";
+      sha256 = "1pqyk9ny9gznh0q3v9lk4pd9aai0ysnzwx4cr1dh98rkf0504gic";
     };
     x86_64-darwin = {
       url = "https://github.com/nhost/nhost/releases/download/cli%40${version}/cli-${version}-darwin-amd64.tar.gz";
-      sha256 = "16n1j1ml7p9m00mhs0wzxfj27x951xx70q6hp6j6m9s3m0y7wbgz";
+      sha256 = "19l61bli8nxljnfmlizdbs95ddmzyl0f0h8m35lw708cfyvj83n9";
     };
     aarch64-linux = {
       url = "https://github.com/nhost/nhost/releases/download/cli%40${version}/cli-${version}-linux-arm64.tar.gz";
-      sha256 = "1z0vi2yb932yk4y7v1xwwbxx4h582mk5pd0j2fv7nvw23rgxmcd7";
+      sha256 = "0gicakx28aj3bpcgyqaq2y22kqkr90vvk25lnpinb0y04kggnla6";
     };
     x86_64-linux = {
       url = "https://github.com/nhost/nhost/releases/download/cli%40${version}/cli-${version}-linux-amd64.tar.gz";
-      sha256 = "1q3pg5kdwdphdfpwzpnn41hdzdxy2l5l0vw23xwjqjand68cpyip";
+      sha256 = "1jlcqizlwa3z2lld1c1wdcm0vxc2vij0l6zdddrh2s0adbprsarr";
     };
   };
 

nixops/project.nix

@@ -133,7 +133,7 @@ in
               name = "root";
               paths = with pkgs; [
                 coreutils
-                nix
+                nixVersions.nix_2_28
                 bash
                 gnugrep
                 gnumake

packages/nhost-js/src/auth/client.ts

@@ -610,6 +610,53 @@ export interface PublicKeyCredentialRequestOptions {
   extensions?: Record<string, unknown>;
 }
 
+/**
+ * OAuth2 provider session containing access and refresh tokens
+ @property accessToken (`string`) - OAuth2 provider access token for API calls
+    *    Example - `"ya29.a0AfH6SMBx..."`
+ @property expiresIn (`number`) - Number of seconds until the access token expires
+    *    Example - `3599`
+ @property expiresAt (`string`) - Timestamp when the access token expires
+    *    Example - `"2024-12-31T23:59:59Z"`
+    *    Format - date-time
+ @property refreshToken? (`string`) - OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)
+    *    Example - `"1//0gK8..."`*/
+export interface ProviderSession {
+  /**
+   * OAuth2 provider access token for API calls
+   *    Example - `"ya29.a0AfH6SMBx..."`
+   */
+  accessToken: string;
+  /**
+   * Number of seconds until the access token expires
+   *    Example - `3599`
+   */
+  expiresIn: number;
+  /**
+   * Timestamp when the access token expires
+   *    Example - `"2024-12-31T23:59:59Z"`
+   *    Format - date-time
+   */
+  expiresAt: string;
+  /**
+   * OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)
+   *    Example - `"1//0gK8..."`
+   */
+  refreshToken?: string;
+}
+
+/**
+ * Request to refresh OAuth2 provider tokens
+ @property refreshToken (`string`) - OAuth2 provider refresh token obtained from previous authentication
+    *    Example - `"1//0gK8..."`*/
+export interface RefreshProviderTokenRequest {
+  /**
+   * OAuth2 provider refresh token obtained from previous authentication
+   *    Example - `"1//0gK8..."`
+   */
+  refreshToken: string;
+}
+
 /**
  * Request to refresh an access token
  @property refreshToken (`string`) - Refresh token used to generate a new access token
@@ -1537,6 +1584,8 @@ export interface GetVersionResponse200 {
     @property redirectTo? (string) - URI to redirect to
   
     @property connect? (string) - If set, this means that the user is already authenticated and wants to link their account. This needs to be a valid JWT access token.
+  
+    @property state? (string) - Opaque state value to be returned by the provider
   */
 export interface SignInProviderParams {
   /**
@@ -1574,6 +1623,11 @@ export interface SignInProviderParams {
   
    */
   connect?: string;
+  /**
+   * Opaque state value to be returned by the provider
+  
+   */
+  state?: string;
 }
 /**
  * Parameters for the verifyTicket method.
@@ -1831,6 +1885,18 @@ export interface Client {
     options?: RequestInit,
   ): string;
 
+  /**
+     Summary: Retrieve OAuth2 provider tokens from callback
+     After successful OAuth2 authentication, retrieve the provider session containing access token, refresh token, and expiration information for the specified provider. To ensure the data isn't stale this endpoint must be called immediately after the OAuth callback to obtain the tokens. The session is cleared from the database during this call, so subsequent calls will fail without going through the sign-in flow again. It is the user's responsibility to store the session safely (e.g., in browser local storage).
+
+     This method may return different T based on the response code:
+     - 200: ProviderSession
+     */
+  getProviderTokens(
+    provider: SignInProvider,
+    options?: RequestInit,
+  ): Promise<FetchResponse<ProviderSession>>;
+
   /**
      Summary: Sign in with Webauthn
      Initiate a Webauthn sign-in process by sending a challenge to the user's device. The user must have previously registered a Webauthn credential.
@@ -1915,6 +1981,19 @@ export interface Client {
     options?: RequestInit,
   ): Promise<FetchResponse<Session>>;
 
+  /**
+     Summary: Refresh OAuth2 provider tokens
+     Refresh the OAuth2 provider access token using a valid refresh token. Returns a new provider session with updated access token, refresh token (if rotated by provider), and expiration information. This endpoint allows maintaining long-lived access to provider APIs without requiring the user to re-authenticate.
+
+     This method may return different T based on the response code:
+     - 200: ProviderSession
+     */
+  refreshProviderToken(
+    provider: SignInProvider,
+    body: RefreshProviderTokenRequest,
+    options?: RequestInit,
+  ): Promise<FetchResponse<ProviderSession>>;
+
   /**
      Summary: Verify JWT token
      Verify the validity of a JWT access token. If no request body is provided, the Authorization header will be used for verification.
@@ -2682,6 +2761,39 @@ export const createAPIClient = (
     return url;
   };
 
+  const getProviderTokens = async (
+    provider: SignInProvider,
+    options?: RequestInit,
+  ): Promise<FetchResponse<ProviderSession>> => {
+    const url = `${baseURL}/signin/provider/${provider}/callback/tokens`;
+    const res = await fetch(url, {
+      ...options,
+      method: "GET",
+      headers: {
+        ...options?.headers,
+      },
+    });
+
+    if (res.status >= 300) {
+      const responseBody = [412].includes(res.status) ? null : await res.text();
+      const payload: unknown = responseBody ? JSON.parse(responseBody) : {};
+      throw new FetchError(payload, res.status, res.headers);
+    }
+
+    const responseBody = [204, 205, 304].includes(res.status)
+      ? null
+      : await res.text();
+    const payload: ProviderSession = responseBody
+      ? JSON.parse(responseBody)
+      : {};
+
+    return {
+      body: payload,
+      status: res.status,
+      headers: res.headers,
+    } as FetchResponse<ProviderSession>;
+  };
+
   const signInWebauthn = async (
     body?: SignInWebauthnRequest,
     options?: RequestInit,
@@ -2923,6 +3035,42 @@ export const createAPIClient = (
     } as FetchResponse<Session>;
   };
 
+  const refreshProviderToken = async (
+    provider: SignInProvider,
+    body: RefreshProviderTokenRequest,
+    options?: RequestInit,
+  ): Promise<FetchResponse<ProviderSession>> => {
+    const url = `${baseURL}/token/provider/${provider}`;
+    const res = await fetch(url, {
+      ...options,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...options?.headers,
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (res.status >= 300) {
+      const responseBody = [412].includes(res.status) ? null : await res.text();
+      const payload: unknown = responseBody ? JSON.parse(responseBody) : {};
+      throw new FetchError(payload, res.status, res.headers);
+    }
+
+    const responseBody = [204, 205, 304].includes(res.status)
+      ? null
+      : await res.text();
+    const payload: ProviderSession = responseBody
+      ? JSON.parse(responseBody)
+      : {};
+
+    return {
+      body: payload,
+      status: res.status,
+      headers: res.headers,
+    } as FetchResponse<ProviderSession>;
+  };
+
   const verifyToken = async (
     body?: VerifyTokenRequest,
     options?: RequestInit,
@@ -3325,6 +3473,7 @@ export const createAPIClient = (
     verifySignInPasswordlessSms,
     signInPAT,
     signInProviderURL,
+    getProviderTokens,
     signInWebauthn,
     verifySignInWebauthn,
     signOut,
@@ -3332,6 +3481,7 @@ export const createAPIClient = (
     signUpWebauthn,
     verifySignUpWebauthn,
     refreshToken,
+    refreshProviderToken,
     verifyToken,
     getUser,
     deanonymizeUser,

packages/nhost-js/src/fetch/middlewareUpdateSessionFromResponse.ts

@@ -46,7 +46,7 @@ export const updateSessionFromResponseMiddleware = (
       return body.session || null;
     }
 
-    if ("accessToken" in body && "refreshToken" in body) {
+    if ("accessToken" in body && "refreshToken" in body && "user" in body) {
       // Session
       return body;
     }

services/auth/CLAUDE.md

@@ -115,13 +115,13 @@ import (
     "context"
 
     "github.com/nhost/nhost/services/auth/go/api"
-    "github.com/nhost/nhost/services/auth/go/middleware"
+    oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 )
 
 func (ctrl *Controller) YourEndpoint( //nolint:ireturn
     ctx context.Context, request api.YourEndpointRequestObject,
 ) (api.YourEndpointResponseObject, error) {
-    logger := middleware.LoggerFromContext(ctx)
+    logger := oapimw.LoggerFromContext(ctx)
 
     // Validate inputs
     if apiErr := ctrl.wf.ValidateInput(request.Body.Field, logger); apiErr != nil {

services/auth/docs/openapi.yaml

@@ -592,6 +592,12 @@ paths:
             If set, this means that the user is already authenticated and wants to link their account. This needs to be a valid JWT access token.
           schema:
             type: string
+        - name: state
+          in: query
+          required: false
+          description: Opaque state value to be returned by the provider
+          schema:
+            type: string
 
       responses:
         "302":
@@ -738,6 +744,31 @@ paths:
                 $ref: "#/components/schemas/ErrorResponse"
           description: "An error occurred while processing the request"
 
+  /signin/provider/{provider}/callback/tokens:
+    get:
+      summary: Retrieve OAuth2 provider tokens from callback
+      description: After successful OAuth2 authentication, retrieve the provider session containing access token, refresh token, and expiration information for the specified provider. To ensure the data isn't stale this endpoint must be called immediately after the OAuth callback to obtain the tokens. The session is cleared from the database during this call, so subsequent calls will fail without going through the sign-in flow again. It is the user's responsibility to store the session safely (e.g., in browser local storage).
+      operationId: getProviderTokens
+      tags:
+        - authentication
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: "#/components/parameters/SignInProvider"
+      responses:
+        "200":
+          description: Successfully retrieved provider session
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ProviderSession"
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
   /signin/webauthn:
     post:
       summary: Sign in with Webauthn
@@ -954,6 +985,38 @@ paths:
                 $ref: "#/components/schemas/ErrorResponse"
           description: "An error occurred while processing the request"
 
+  /token/provider/{provider}:
+    post:
+      summary: Refresh OAuth2 provider tokens
+      description: Refresh the OAuth2 provider access token using a valid refresh token. Returns a new provider session with updated access token, refresh token (if rotated by provider), and expiration information. This endpoint allows maintaining long-lived access to provider APIs without requiring the user to re-authenticate.
+      operationId: refreshProviderToken
+      tags:
+        - authentication
+      security:
+        - BearerAuth: []
+      parameters:
+        - $ref: "#/components/parameters/SignInProvider"
+      requestBody:
+        description: Provider refresh token to exchange for a new access token
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/RefreshProviderTokenRequest"
+        required: true
+      responses:
+        "200":
+          description: Successfully refreshed provider tokens
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ProviderSession"
+        default:
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorResponse"
+          description: "An error occurred while processing the request"
+
   /token/verify:
     post:
       summary: Verify JWT token
@@ -1814,6 +1877,46 @@ components:
       required:
         - challenge
 
+    ProviderSession:
+      type: object
+      description: "OAuth2 provider session containing access and refresh tokens"
+      additionalProperties: false
+      properties:
+        accessToken:
+          type: string
+          description: "OAuth2 provider access token for API calls"
+          example: "ya29.a0AfH6SMBx..."
+        expiresIn:
+          type: integer
+          description: "Number of seconds until the access token expires"
+          example: 3599
+        expiresAt:
+          type: string
+          format: date-time
+          description: "Timestamp when the access token expires"
+          example: "2024-12-31T23:59:59Z"
+        refreshToken:
+          type: string
+          nullable: true
+          description: "OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)"
+          example: "1//0gK8..."
+      required:
+        - accessToken
+        - expiresIn
+        - expiresAt
+
+    RefreshProviderTokenRequest:
+      type: object
+      description: "Request to refresh OAuth2 provider tokens"
+      additionalProperties: false
+      properties:
+        refreshToken:
+          type: string
+          description: "OAuth2 provider refresh token obtained from previous authentication"
+          example: "1//0gK8..."
+      required:
+        - refreshToken
+
     RefreshTokenRequest:
       type: object
       description: "Request to refresh an access token"
@@ -2512,7 +2615,6 @@ components:
           - facebook
           - windowslive
           - twitter
-      deprecated: true
 
     TicketQuery:
       in: query

services/auth/go/api/server.gen.go

@@ -1,6 +1,6 @@
 // Package api provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.4.1 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
 package api
 
 import (
@@ -88,6 +88,9 @@ type ServerInterface interface {
 	// OAuth2 provider callback endpoint (form_post)
 	// (POST /signin/provider/{provider}/callback)
 	SignInProviderCallbackPost(c *gin.Context, provider SignInProviderCallbackPostParamsProvider)
+	// Retrieve OAuth2 provider tokens from callback
+	// (GET /signin/provider/{provider}/callback/tokens)
+	GetProviderTokens(c *gin.Context, provider GetProviderTokensParamsProvider)
 	// Sign in with Webauthn
 	// (POST /signin/webauthn)
 	SignInWebauthn(c *gin.Context)
@@ -109,6 +112,9 @@ type ServerInterface interface {
 	// Refresh access token
 	// (POST /token)
 	RefreshToken(c *gin.Context)
+	// Refresh OAuth2 provider tokens
+	// (POST /token/provider/{provider})
+	RefreshProviderToken(c *gin.Context, provider RefreshProviderTokenParamsProvider)
 	// Verify JWT token
 	// (POST /token/verify)
 	VerifyToken(c *gin.Context)
@@ -480,6 +486,14 @@ func (siw *ServerInterfaceWrapper) SignInProvider(c *gin.Context) {
 		return
 	}
 
+	// ------------- Optional query parameter "state" -------------
+
+	err = runtime.BindQueryParameter("form", true, false, "state", c.Request.URL.Query(), &params.State)
+	if err != nil {
+		siw.ErrorHandler(c, fmt.Errorf("Invalid format for parameter state: %w", err), http.StatusBadRequest)
+		return
+	}
+
 	for _, middleware := range siw.HandlerMiddlewares {
 		middleware(c)
 		if c.IsAborted() {
@@ -612,6 +626,32 @@ func (siw *ServerInterfaceWrapper) SignInProviderCallbackPost(c *gin.Context) {
 	siw.Handler.SignInProviderCallbackPost(c, provider)
 }
 
+// GetProviderTokens operation middleware
+func (siw *ServerInterfaceWrapper) GetProviderTokens(c *gin.Context) {
+
+	var err error
+
+	// ------------- Path parameter "provider" -------------
+	var provider GetProviderTokensParamsProvider
+
+	err = runtime.BindStyledParameterWithOptions("simple", "provider", c.Param("provider"), &provider, runtime.BindStyledParameterOptions{Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandler(c, fmt.Errorf("Invalid format for parameter provider: %w", err), http.StatusBadRequest)
+		return
+	}
+
+	c.Set(BearerAuthScopes, []string{})
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		middleware(c)
+		if c.IsAborted() {
+			return
+		}
+	}
+
+	siw.Handler.GetProviderTokens(c, provider)
+}
+
 // SignInWebauthn operation middleware
 func (siw *ServerInterfaceWrapper) SignInWebauthn(c *gin.Context) {
 
@@ -705,6 +745,32 @@ func (siw *ServerInterfaceWrapper) RefreshToken(c *gin.Context) {
 	siw.Handler.RefreshToken(c)
 }
 
+// RefreshProviderToken operation middleware
+func (siw *ServerInterfaceWrapper) RefreshProviderToken(c *gin.Context) {
+
+	var err error
+
+	// ------------- Path parameter "provider" -------------
+	var provider RefreshProviderTokenParamsProvider
+
+	err = runtime.BindStyledParameterWithOptions("simple", "provider", c.Param("provider"), &provider, runtime.BindStyledParameterOptions{Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandler(c, fmt.Errorf("Invalid format for parameter provider: %w", err), http.StatusBadRequest)
+		return
+	}
+
+	c.Set(BearerAuthScopes, []string{})
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		middleware(c)
+		if c.IsAborted() {
+			return
+		}
+	}
+
+	siw.Handler.RefreshProviderToken(c, provider)
+}
+
 // VerifyToken operation middleware
 func (siw *ServerInterfaceWrapper) VerifyToken(c *gin.Context) {
 
@@ -968,6 +1034,7 @@ func RegisterHandlersWithOptions(router gin.IRouter, si ServerInterface, options
 	router.GET(options.BaseURL+"/signin/provider/:provider", wrapper.SignInProvider)
 	router.GET(options.BaseURL+"/signin/provider/:provider/callback", wrapper.SignInProviderCallbackGet)
 	router.POST(options.BaseURL+"/signin/provider/:provider/callback", wrapper.SignInProviderCallbackPost)
+	router.GET(options.BaseURL+"/signin/provider/:provider/callback/tokens", wrapper.GetProviderTokens)
 	router.POST(options.BaseURL+"/signin/webauthn", wrapper.SignInWebauthn)
 	router.POST(options.BaseURL+"/signin/webauthn/verify", wrapper.VerifySignInWebauthn)
 	router.POST(options.BaseURL+"/signout", wrapper.SignOut)
@@ -975,6 +1042,7 @@ func RegisterHandlersWithOptions(router gin.IRouter, si ServerInterface, options
 	router.POST(options.BaseURL+"/signup/webauthn", wrapper.SignUpWebauthn)
 	router.POST(options.BaseURL+"/signup/webauthn/verify", wrapper.VerifySignUpWebauthn)
 	router.POST(options.BaseURL+"/token", wrapper.RefreshToken)
+	router.POST(options.BaseURL+"/token/provider/:provider", wrapper.RefreshProviderToken)
 	router.POST(options.BaseURL+"/token/verify", wrapper.VerifyToken)
 	router.GET(options.BaseURL+"/user", wrapper.GetUser)
 	router.POST(options.BaseURL+"/user/deanonymize", wrapper.DeanonymizeUser)
@@ -1610,6 +1678,35 @@ func (response SignInProviderCallbackPostdefaultJSONResponse) VisitSignInProvide
 	return json.NewEncoder(w).Encode(response.Body)
 }
 
+type GetProviderTokensRequestObject struct {
+	Provider GetProviderTokensParamsProvider `json:"provider"`
+}
+
+type GetProviderTokensResponseObject interface {
+	VisitGetProviderTokensResponse(w http.ResponseWriter) error
+}
+
+type GetProviderTokens200JSONResponse ProviderSession
+
+func (response GetProviderTokens200JSONResponse) VisitGetProviderTokensResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetProviderTokensdefaultJSONResponse struct {
+	Body       ErrorResponse
+	StatusCode int
+}
+
+func (response GetProviderTokensdefaultJSONResponse) VisitGetProviderTokensResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(response.StatusCode)
+
+	return json.NewEncoder(w).Encode(response.Body)
+}
+
 type SignInWebauthnRequestObject struct {
 	Body *SignInWebauthnJSONRequestBody
 }
@@ -1813,6 +1910,36 @@ func (response RefreshTokendefaultJSONResponse) VisitRefreshTokenResponse(w http
 	return json.NewEncoder(w).Encode(response.Body)
 }
 
+type RefreshProviderTokenRequestObject struct {
+	Provider RefreshProviderTokenParamsProvider `json:"provider"`
+	Body     *RefreshProviderTokenJSONRequestBody
+}
+
+type RefreshProviderTokenResponseObject interface {
+	VisitRefreshProviderTokenResponse(w http.ResponseWriter) error
+}
+
+type RefreshProviderToken200JSONResponse ProviderSession
+
+func (response RefreshProviderToken200JSONResponse) VisitRefreshProviderTokenResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type RefreshProviderTokendefaultJSONResponse struct {
+	Body       ErrorResponse
+	StatusCode int
+}
+
+func (response RefreshProviderTokendefaultJSONResponse) VisitRefreshProviderTokenResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(response.StatusCode)
+
+	return json.NewEncoder(w).Encode(response.Body)
+}
+
 type VerifyTokenRequestObject struct {
 	Body *VerifyTokenJSONRequestBody
 }
@@ -2231,6 +2358,9 @@ type StrictServerInterface interface {
 	// OAuth2 provider callback endpoint (form_post)
 	// (POST /signin/provider/{provider}/callback)
 	SignInProviderCallbackPost(ctx context.Context, request SignInProviderCallbackPostRequestObject) (SignInProviderCallbackPostResponseObject, error)
+	// Retrieve OAuth2 provider tokens from callback
+	// (GET /signin/provider/{provider}/callback/tokens)
+	GetProviderTokens(ctx context.Context, request GetProviderTokensRequestObject) (GetProviderTokensResponseObject, error)
 	// Sign in with Webauthn
 	// (POST /signin/webauthn)
 	SignInWebauthn(ctx context.Context, request SignInWebauthnRequestObject) (SignInWebauthnResponseObject, error)
@@ -2252,6 +2382,9 @@ type StrictServerInterface interface {
 	// Refresh access token
 	// (POST /token)
 	RefreshToken(ctx context.Context, request RefreshTokenRequestObject) (RefreshTokenResponseObject, error)
+	// Refresh OAuth2 provider tokens
+	// (POST /token/provider/{provider})
+	RefreshProviderToken(ctx context.Context, request RefreshProviderTokenRequestObject) (RefreshProviderTokenResponseObject, error)
 	// Verify JWT token
 	// (POST /token/verify)
 	VerifyToken(ctx context.Context, request VerifyTokenRequestObject) (VerifyTokenResponseObject, error)
@@ -2952,6 +3085,33 @@ func (sh *strictHandler) SignInProviderCallbackPost(ctx *gin.Context, provider S
 	}
 }
 
+// GetProviderTokens operation middleware
+func (sh *strictHandler) GetProviderTokens(ctx *gin.Context, provider GetProviderTokensParamsProvider) {
+	var request GetProviderTokensRequestObject
+
+	request.Provider = provider
+
+	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
+		return sh.ssi.GetProviderTokens(ctx, request.(GetProviderTokensRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "GetProviderTokens")
+	}
+
+	response, err := handler(ctx, request)
+
+	if err != nil {
+		ctx.Error(err)
+		ctx.Status(http.StatusInternalServerError)
+	} else if validResponse, ok := response.(GetProviderTokensResponseObject); ok {
+		if err := validResponse.VisitGetProviderTokensResponse(ctx.Writer); err != nil {
+			ctx.Error(err)
+		}
+	} else if response != nil {
+		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
 // SignInWebauthn operation middleware
 func (sh *strictHandler) SignInWebauthn(ctx *gin.Context) {
 	var request SignInWebauthnRequestObject
@@ -3185,6 +3345,41 @@ func (sh *strictHandler) RefreshToken(ctx *gin.Context) {
 	}
 }
 
+// RefreshProviderToken operation middleware
+func (sh *strictHandler) RefreshProviderToken(ctx *gin.Context, provider RefreshProviderTokenParamsProvider) {
+	var request RefreshProviderTokenRequestObject
+
+	request.Provider = provider
+
+	var body RefreshProviderTokenJSONRequestBody
+	if err := ctx.ShouldBindJSON(&body); err != nil {
+		ctx.Status(http.StatusBadRequest)
+		ctx.Error(err)
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
+		return sh.ssi.RefreshProviderToken(ctx, request.(RefreshProviderTokenRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "RefreshProviderToken")
+	}
+
+	response, err := handler(ctx, request)
+
+	if err != nil {
+		ctx.Error(err)
+		ctx.Status(http.StatusInternalServerError)
+	} else if validResponse, ok := response.(RefreshProviderTokenResponseObject); ok {
+		if err := validResponse.VisitRefreshProviderTokenResponse(ctx.Writer); err != nil {
+			ctx.Error(err)
+		}
+	} else if response != nil {
+		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
 // VerifyToken operation middleware
 func (sh *strictHandler) VerifyToken(ctx *gin.Context) {
 	var request VerifyTokenRequestObject
@@ -3556,171 +3751,181 @@ func (sh *strictHandler) GetVersion(ctx *gin.Context) {
 // Base64 encoded, gzipped, json marshaled Swagger object
 var swaggerSpec = []string{
 
-	"H4sIAAAAAAAC/+x96XbbOLrgq+Do3jmVzCXlJU66yvNnVFmdzW7bqdwzqUwfiIQklEmADYB2VBm/+xxs",
-	"JECCFCUvsV3VP7pikcTy4ds3fB8lNC8oQUTw0f730QLBFDH1z2OUYoYS8Z4mUGBK5G8p4gnDhf5z9On4",
-	"PRAUMPMiEHQUjRj6d4kZSkf7gpUoGvFkgXIoP55RlkMx2h+VDI+ikVgWaLQ/4oJhMh9dXl5GowIymCPR",
-	"WMAp/WeJ2LI9/ylkcySAXMaMMiAWqFrLKBph+cq/1ZfRiMBcTsaqIXtXus406BvMi0wOvhCi4PtbW/ky",
-	"hkUxTmi+lUCRLGL7thwuWgWGaHSC5+SAHDF6jlPE9HoKhhIo6rU2VrhAQO4Q0JlaHqcJhhko7BAGGAUU",
-	"ixoWztNuSCBS5qP9LyNYyD1GozkWi3Iq/0HpXP2SYXKGUix3lmKeUJaOohEvqMAzCXhxgUWy0F9mUH45",
-	"xWJaJmdIAu+CsjPKR9EI/lkyBOWniAgGsRpEMHgOJcRggqaUnskPMEnpBc/wOTKDC8RGX0NgPMVyki7U",
-	"wWYFISwR9uFgDLEf1MhwjhieLV/mEGf738z/Rt3LPF0WyFnqiuNeFtVR67WOwYvqmwgQCjJK5oiBkqO0",
-	"a5NyJT1bas2hzkZjA5Lb+k3tUP4q/3pOyQyz/PkCkrkaF88JJkeQ8wvK0gxxecqF+fMYcSTkqdXw8ocM",
-	"8Aa9UMUYJkIgLhRTemWI6XuAImD9GpD/RTkiAhjyqzdTwORMQUkUucREkjKK0/gMLZ2/OJwhsSQKCjOc",
-	"0rjcncnHhiwIJSiAhdFoUooFIgJrFvrym0CEY0rUNmCaYvkrzI4YLRATGPHwgU+qN0HNIoHETsQFJnMA",
-	"nRcYTRDn8tfpUh1fkmG5cUhSAOvlUFbDmU7/kMysZ73P1RiHpShKsebiP8BCIhKyYwGqRwEzRnNngRI/",
-	"nKG+S+DitH20k6LIzPoATuViZxix1vj17qaUZggSub2EoVSuV43/nwzNRvuj/9iqReCWwbKt5wypod3t",
-	"6d3LYRY5TJ4zBAU6QQlDAfx782HyHHD1cMjKLvuPgrIJ53IRlBwjXlDCUfcZzGDGUQuW7mAvoAhQ/K+Q",
-	"o2d7JcsAIglNUQNbQCq/CqC4Pj055tuTw49DxjUIKQcE6pvAqJJ/QFEyNGihFjqg/iwwZskRewNJmg0a",
-	"VL4NFvr1aETKLINT+aXG8TYjr4XFlyZMogD83S1+XXn8QsBkIflXB6vzTgpWb4OcpjDDYunyuwwKyQRH",
-	"khwo53H1wwoGppZhOeqmeFiPcKi3uoIQPx2/f6kPRJ+QXFMQmdcdpI22645QlNMMJ+/Q8kofT7I5ZVgs",
-	"8vDJ6vfAGVoCaN902J6rT2Iinu3VeI+JQHPE5GSCQcILyjTrXoU+ztvRCAuUq69amGF+gIzB5QACaB38",
-	"SqQ/QZlRmq/A63zK6TulLoKrd3aMuIK8OXIfjp8XSCyQNg98eOYlFyBR4gJAw/xiOVLMzIDuKSeV5AGc",
-	"lixBQUHG/KX07ctZ9bHeh92W5HBK5cK1hdeLx433veFWirBTi1br4SAQCyhAAgmYIqvPWlZWcmlQkFki",
-	"zQrFpnkOmYgTqKyQxXLKsNZ/BWIEZkEO95ySc7SEJEFHDM0QQyQx8mEGy0wSltLuohUaZlINA4p6nHqt",
-	"ZhBMKsuxNiHl8gqGeViH1JrG0eT0WCt8a5ID+lZghvgkAPeX8pFefiqx0+j7R5NTl6/IR7HAeVCm5kjA",
-	"1LDgPp2w0vS/WwMkX8aFUsTlocbTpf4JFkWcZHjURqcGh6m3FWIkDsw2klMhxfPghQ+g2njZTZ48nT6b",
-	"PYmTvekv8d7P6En8yz9+hnG6l27PdtK9XbS7p8wfaa3KoX7/ffplO/4FxrOv33++/P33aVz9uXfZ+W/3",
-	"q51d+VnoRArEuNzjJJF2wCk9QwHXzR3eQeOcFQGH9tRx7IZ5XqvCvKn61a0uV5bVMeJlJvgawqnHLruM",
-	"gogrl1iLlZ+4rz+0VsjgxUG6iU7DHFAPl7Stg6pIv38fQL4EGCoY4pKDptrexRwYfBiEWcYNovfsbKGF",
-	"XdHoWzynsfmxYFTQhGbjPoxzPolxbkVf7X5TI2iqWoz2jW9N+Q3nNL5AU4lWZKv6R/XFpYfpitX9jeh3",
-	"H9EDxtM9RfUWyt0Oph9Z39e6KJ7NuyC8LASdM1gscNJlXwXMKXNkwxxIp/Lt5oGYs5Ar65djLffTqq37",
-	"u6wHAjVMQh4pH2LsLKD+kFQiMuIAay3IwU/MAQSVNaNdp0N8XA0oBQ/pHGY4bRIDdx0aynhSDtuQ+vyS",
-	"McoGM0d//hMBSQpZiv9EKUByIMBqnG/o2fJxQMdWX0kGYtFqiclch2kKlEhjCkDHpamHqXdnzJCY0QzF",
-	"0pSMpyjGJIZZRi9Qqn7nOvgCpxlKY0TSgmIi3N+kpWc99THMGILpUg5Sqn34P6vIBVZ21oyyKU5TRGJI",
-	"KFnmtOSONRVzxM4Ri+2KMVFHFevhrK/feWAc1qNolNEEZigmVNh9ONGBWFAa84VkIs6PmMQLPC1iaWxM",
-	"oVp3Hc1rjKRg5f/E8ZyURWwhIs0OYndqwSP/oz/zdqsXr22VeiszhvgiFkoVrX+vQiUV6PMZjAUVhYoS",
-	"qH/F2i/sfqWfq1clC5VrmNGSKK4tv7BnAxOhI1/2SxXXGEUjKhmnXk2MEhWEiWcQ653qhwWjM5yheIZE",
-	"sgg8VMHA1mHqlSWQyDVxRNKY5zxIZzniHM4DRPymzCGJZwwjkmZLQ0b2bdcIOdBzAoVAdaCm7RsWUJQB",
-	"V9ab09MjoB+aWSTZuVPsbW+3GXqDNZvR6w1FhrRDjPogVcaIG6ztZS+teKoOo4bg+fbzuzW51duTw4/g",
-	"M5qCd2ipQtVvP5+Cc9fBM0gyVh5J5W4BF1gstLKh+Xp9Xscnu0+fhQ4ogATHJxPr5ULftLD0xpr8c/Jr",
-	"aKizkJ4n93fwwvv+DC1jnMY7wTHEMjyGkcLujiahAUh4PzlNy0yhSj0CnCbpzu6TvfF43BGCCC+lbFED",
-	"x/OVep08PwluDSe9U7lcPVEIYd9+fneCxFUQ6wSpIKpGLCXLJJpVwQzeQrIztAwQ64QxuAR05vg+PX9z",
-	"n3IlSWOVB1qNF4LAe0zODNlu5lDDaYdTZSKJGhy8AFYqtBGJVs5F98OP8mdNbWkp31XgBJjYaG7Qz+Pw",
-	"nD5gNVlUE1Bulkja7Vr58GryfAGzDJE5OoLLjMJ0XV3Ufg4K/b1Co7zMBI5nMFEWpWf9tTDJSNeO/Asg",
-	"qIQhuFggAiQgMiSsqvXh1QQkdn6PzPIZPKWi2IfTZGf3SYpmeyGe1lTf9UJCcDp8N1jXtMLg8F1QAByq",
-	"7fE6DWpNPGXeh9efp9Ta+pGNabUtRbOXzaOFK+2tkBf/0os76VyRjhCY9tkzlPamjQzmUO0UlRa/asQx",
-	"vWjXYKdC/dVlNKoRfAOfBvqWZGWK6qML8WyQYS4k0w4c9QvzKmXGK8Frj4Ukw2CMy4R3IEOAUAFgkqBC",
-	"SMVZErMyMuWW2FCw9y4rdATIy8jZxDGl8kEwCeHVG/mz3MgCZQWYlzhFak8qs0AsGC3nC/UD+lYgqR6r",
-	"gNGmG1WzhfZYlFPzonKgdBBAirjkbi1DW+UNiQXC2vRFygJpeE6cvM2B6w85dQJLZ8Xq6GYmdZAjyMTy",
-	"JRFYqO8EzhEtRQiD5aNIitYcZxnmKKEk5ZFGwxrhAObgQr4g5QcFFxCLKvlTviF/NCIGBX1EyqQcEE+1",
-	"a24IGFYYe3TkknXgLIc67wbw5pt04vUT5iaxuXX526Y5EKH48zAREA5+B7D8+vyJOA3qJJ3c4ppYllVk",
-	"OEpKhsXSJE+aVIcUnWP1monHh3SdwAqNcr6h5pBl9GKgLLuyCLt1qXVFQf/wRR4rDjrCQ8dHykDz3dd8",
-	"QcsslQTOE1qgVFcytDOe7oRUuc6MHS9lq0KqK8iUBtHepEg51i7YtQz5hg9Hf6VrWNRgABJFzZxXNnzT",
-	"pqonDTiFzCjqW23PCwrmiCCmk78IumiOfx9yMLxdhwRMQAu7er7NBJQE/7tEbpa3pRYzIVAzAqSmjMDF",
-	"AicLwJGS2obWg24YhYDt+RbKU13ADGpurmpq7JR6kpWwUmN3SuKOZDwv3UyV0ZQMzpWu0WZhbpwNMGcU",
-	"J2jkDVHZtm5JS0gKnyDOh+RbNsrAJG/3PTeA65FAQomAmGiGd4aINieUNMBE29RBv3Rf7tLbz6eGwmYN",
-	"lxGZg8nRgS2M8B2zaPl2MX2d4EP89uDTnwc7H/EBPyDHT5PnB88Ozor//u352186nLbOal7qrLMD0ptM",
-	"J6WBzRVzyV0KCCMb3LX9sr09KI23n/mcekzHMrTmEu5u3pq7u5D0PmhzAeby27u7s6G2YNu975BBBxo2",
-	"sKIFxhATMmS+oRdXU7Q5BUvnfcTMa67SBwHLfIKuRV0TObFx2c0c9ynmRQaXHw33r7HlLV0QcJJjVR7Z",
-	"Oj4drA5qfRc0ThaQwUQVZJkXPa4jwZHDb+8RmUsVZzca5Zg4f11HQu0MMy70rtRWRtEog9Uvel/BfNoO",
-	"MKuqxaOqVu+KqpXDoKUdIJm0DvBKSeBkCTSyKeQrgZJjjthP3A6QpkwHR2qA/0EXZMzllv83WVAuxpi6",
-	"vmw9bCiaYhfSNaWz0nq2E8G2pdrD+cV/UJbGv+z9v//hH/jTbe/En6xSH+wCq+m+Dj2mjRJc7GeKmP3E",
-	"jaZIV7ZMDpcAE+UpBrCifspaARb/NPPZyhqdUHzpMrpG5vEQYn60dob0QgPPyafCGmG3HyvUAP+gI2ub",
-	"AZyKog2zQ4K0buUQY8BK7wsSekL//9rg3/h//ufQmF+klta968PTI0WYGxZrhNneBDiZMdfC7zbDpCCz",
-	"Wg0LXdd91yGyIcY1YKITptaFzEap29fHGzcuLnpgxSZD60wM1JzuBn/TfAAoJzk/vG4BEHvkCBhKED7X",
-	"GfEnH06Cqt2CEvSxzKcokJ57JB8Cop5ak91my1YA/6+d3Sd7T5/94+dfVmOQM9kqUREC1UaM4C6oV43N",
-	"bHjom+o3P+qIuw/3s3Fa32mecLly+VcR3XWEZXh0M1gO5kCjvzOOB58VTXGuAXZe+KTebBdSHJbCAWQr",
-	"YOl5gcPlCNJCoKXQrVNgloGEEoISIY0IFWXlHdXiw6MWVTyqZAwRYW284bjzqbhe/wFDc8wFYiZ8onzH",
-	"Kid5cy/CS9d9UO24Gh0mCS0b+cm3K3P7/BEWsMPW/QM9FPV+Nojdo/RYFba4frovIxVaUbz76/DWFJGl",
-	"Kjmi7/gzYqA1wDBPoQPEJ7ueXfnl99+L7+8v5f9/VP9/cgmi8U/x1//6z7+QhzG6/RRUjXf3Qvbeij5e",
-	"w+K2BXmrRvQyGhGcnIVjrx/Nk4qp2VQiv5jwmmG3QmafUlG8NsH7q/pXnUDo6eHpEeBIlIUbNlE7//Bq",
-	"0pJhOIdz9Illnf03/3lsygvlizoqk0CiplJyEpJm3XZRePgrmcG++nqrIPP/NVWpQhH+7dfD44vtd6/n",
-	"HWFRQUXR1f/M7FH1Pzsz1Ug5JCXMzM6HrWzy6/MXL1+9fnPw9p1Sz1cXOltgecsLHW4rNaq7JVhsW4JN",
-	"MYFsaTuhVQQ+XYpgb5RPfEBFWCCWbir1dMc+LdNXRMsFPkcfZjBcRDvRKbsfXk10HbklMSP8VnQ2i0bw",
-	"HArI+jDQjvYTr9Ze4MS0YQtxfcv09dB8S368s/tk/EcxD7YSUN1c0knQq5sjLmBe6LKPKtfMwu0CctN7",
-	"ydf5d7d3n8TbO/HO09Od3f0ne/tPn/2fwU1vGvqEv6IX+qHCbMrwn5q6Gc1akF9bDwkGpsw7wCSeDI1q",
-	"3naArW7wiVHa3z6rdNewgBxMESLAqUuuVuNhrGPwhNKJPnUmE7WO405lD2Behb37wIa5qsInoCpe7jQK",
-	"DOdpg61LD7Uh0KpGRr8IHmWQzEspdSR/fHxLemkjH6HkgubAfgwgV92PRV252j7gzRXaXkeTBZPjb2r6",
-	"mLZ3nz59ur2z+2SFo3ItQnEn7KeXzpNn1tjyJ3tvUqTVYwlaPCc6vygE1i9VxYI6k/WstGbqSyV0XPbv",
-	"s16fPzZZTKS7nrjkU2G4g2xhsFuIBDUHjtgLpMkM/4k2VKm146bqq97v13IdWRc4y8AUATwnVOf0DeXt",
-	"d8WC6fNuTGrXPp2BHBOclzl4Amoj+LrdG7o3xAH5gMSCBglOJZXiOYkxkXxmQVNTatpsie02vSjc1tdf",
-	"V+mt3hL6woeqZkg13FZNHjZDPoIuXt4xFGkXu7YSa+2ie8FygkjqZrw/oLjcahCtQJtNErN7NdAVGdOu",
-	"/hEBTAQi0oqiJNMGoRk7qPR0lG84TZndUE6l7nclad9KzrcvjToywOVJfJjBq6fVSatONe1kIEXVX+uU",
-	"06+wG+0VAMpwrCccg08cAZQXYgk0PORT0+9Gvjx22KLpbOP3+jc/ts08mgaW4VKzdnRUjeNbzgNtBJqV",
-	"ypVph0o99c4wN4JaSdfprRvZaPHeozsl/VY3VWCII13GZFcX2bqD1DYD0yn9XFdxOxmfqZ9w5d0A8fvv",
-	"gxKvXIitPhOOxN/svq/uy6s1cUtDmvt2SksUQ1RH7LYTqtikBKNlMZbyq4X69SduZUqoBEW7qSdpemIc",
-	"wKZS5i46rfUJwQyQ9bzX63mhwxC5tq7GUqrWnY0JusiWAKZSTjc24TFRtPf02T9i9PMv03hnN30Sw72n",
-	"z+K93WfPdvZ2/rG3vb0dFMGdkFQXGFkg2kuMnOkllzG5p+mQZpfdcLxCDrBYVY4kqGmKNCRWpZJv9A5P",
-	"JB7qOX5FkCE2KSWzbvmj1bNmWrZycsg1uFU+Skanrex7WxglHxSMCp05YBsG8rG9D0g5B9Rs9U4WQhQS",
-	"jPUKX2boXJusw1aqEsjNQXGAzNegQCzHKseAm2XrwhLCsfJbV8yF1ynoZhT33psKXXIEeSln4GWyAJCr",
-	"FDEiGqsZg1dKcRIQZxxwhID1Tqc04WPL0LcKRtMyEXxLfr5lFx07i14NNHnWmMyosfsF1NdeGIEz4mVR",
-	"UCZcIWIqZD/KX8CJfj6KRiXLHDd69f5lu0YnLxhaSBCeo3ZpHjvHCbIhGTiXepIW34oNSXSPbNoHj5r3",
-	"BskhtBGs/Ck4QYYPmTV/ODgF782vzRXTAhF9qcGYsvmW+ZhvfTg41ZqIyOpt+9XnYHJ0MIpG54jpfLXR",
-	"znh7vK3FKSKwwKP90RP1k64mVtS0Nb5AWRafEXpBtv64OOPjP7h2uMxDGs8xEgyjc12x3up59ujt53cn",
-	"j91AntO5rKq70wyg0RJtDE4XmFeEJvUk9f50aa6DUBSp9AxVJ+xQsiLKigQO0tH+6DUSbz+/404LX7XZ",
-	"3e1ti2BGzDttRbfsxuv7vlY0WDtBQmNu350kHGAC3n5+Z5vCmUZHlX5xTcvxW7gGVjUxfVMBTVTeUgou",
-	"FioKVV+GpesFNd9XzLfMc8iWGp7elkKdEwP7jEYCzrly3iy5QPnoqxzWsoiqaF2lelEeQLfXdV24DdLX",
-	"JTS6IEeNVdGnz3R8pDDM2A50k8ixuuw/cEJ18zdu9UmzO9276l6gjBExo/0vvqT+8vXyq4tR5jAsIasy",
-	"ZQJME1dgnOiY6FPVJXGvDl4c7gLn+CrkspOG0WvLaBydWPbc9JOocayCu+Q/dRfHhkGtgpZ1r2Mf27Qu",
-	"FcI5Ba1fabq8tpPsy0cNnOtnNJ1oUqr7e9T3gzGv3q0CRKNJqn/v4+UN0lKjFDewH6tlSXVGYtOszLLl",
-	"g6MYfawNKmiio6aUut2324Vs2WApnQS0QDATiz87lQCzEuPW6NCdMK/VUpiZhb1+eWo0oxa9vFGTPl+g",
-	"5Oy1uVn0hhDKaT8ZOMKTev0aDkul3jl7uX/iW8MWJBK44NHrl6ePQ6I5UlcbX+dxv3k5eTHgvN/oa21D",
-	"B/5XOxsJscddelOGydkWTisjOyzN3mNy1jwpc1fjT7xO+jHJZeib7lQPDiXXqe5Drt7TBwlJVb87Bse9",
-	"9mnroJ1mwjck/gLtigOnZDeg0+HtPpvphXbfEtaYzG9V0vUzJt3cQyyBvk76IQm72k3SFHoKmWEjX83m",
-	"rNhDdNC6Qlec1uXmYSmXz+CWoKLYss2nOuWdY4Wc4hzFUygt00OCYvknqKoNHp0enh49tjmd2kUjtG1S",
-	"rIg6+SSjA9cmDHaTojCYvhsyaZ1cVRfvqsZd6YNTt6pDd/buIJOusFCIVOjbtVdasARdgCNTPQt0+Sw4",
-	"rQqKCia1tFyyokS1aNKW0RgcTU656v6bUTKPM1XJaRpFNftuAky4QFBFxhialxlseRhNPyiaa4VZiRe+",
-	"Nk+v7g68IY7eus8xcPhhUCYmPGEP3dRB1Y2nJPd3Mptuj7u371sMaZ8ucZmkLgDDaPNgmf5zexFs+Igf",
-	"HU18Bdbn6/pa/S3oZoR22P1mnlZCqG3aInGHlsIIGrk3p6fpGEy8r7ilRHXNKRO2yZgmQ/1GBgVi4BxD",
-	"BaS0zpCrHJ9tWmv0dbpRF0Kre1QAA6qQXukm4rf0qAo2Ji1s9GN9BB5hVe6l+2cunJgOOBV8s6VDCg29",
-	"wiOIRvpdJ1VM3HAYdIpJdYfzdkmplB6iZIS77Y5UCK/V9UgZkRc0rAYB5f9XV0J1UYFXNnujlBAs0A0c",
-	"pqpGcTsdV12iPBi1Nb5bdKD1tMIKoWfDwK8IZwwOdKZTfU4RgM7h2rRbptDBV0cq1BjfX5rrLqkeQn8r",
-	"DfdJuwucY3ebgnZgQqHSAPEt9ke6zxZl4LW6MevxGGgBx92y8KpYagYoQSCliJOfBEDfMO+UPTdrvQdb",
-	"j21uv/9AOvvLCSHrRHJ7uw2gBGt5D4jIyDX0WM5+eGaQeR6SVnhmI8tGDDlMryOw4/Vvu1HKaPSIC5yl",
-	"yj7VqYiSNpTBqrNA+y+PussxHbknL7pcH0lUt042VYv3joCMS12dVF3UPIR2qCi2qjTMMPEcECywlCFa",
-	"49PkQFttoZrJPieIpKo6Ti7KlC+Z61dR6lc7Kk2gSmn1ZEhUt3A3zjqtE1hbtum8S4HJ9ewSPrYN3I3S",
-	"WLMjYSjI6DVE0WEH1xAy21DHKSH4AwVRvx9Zu7OIvQuuLiO9lw7lPiXt8PRoXaoanitQTdErklTqb5P0",
-	"rlUE3Sp9rEwtqESPJBDU6iH04wROX0vJkPiBc5yoSMtDpBUjftalErdeb7AQcj8KkApHJNW6W16D3O+X",
-	"YDqV3Z7IaTWtvFHa6myReUUh5MDzzsoih8wMXal+ag9HEOWNDW5CaTzn10lnbU2w0Z7EKZX/UVR3kvNb",
-	"ozmnE2coyuQ2DugnuJMPJ/dO8/P6IjwgujNnsSG5bQ1zTngkJ2f8sZrgDySgw17/RIuGPAeFBNwP1gt7",
-	"ugx3ufy9LAi/mvO+qoPr0oxYz5Udjuaul9/QSpSo6kDU9iZHB53S5cZyFVrt4QfnKvztr/4RomFYUkEv",
-	"6pvgw9Z3+6/LztyxSj9T0ZrdVjpORi+MGx2opkxZFdqQskHXNXPnflDaynzzeqgVcI46SaC+mcS5jXr/",
-	"S/hk6le2Gp9fRi1yZwwuVZRP96U1zZBazcOKTLUvMKWjWH767xKxZV3O5zW2jRzkuXqHWy6WqnRuRlke",
-	"2IPtSRfqQhdaqd9lKbDQjo51gZmd7nSDZvZ6aIRmvokWvIFT72y9G1p19TC04HU7ocnFDOY7N3tFWJtT",
-	"1QW3Vcc1r93LI1U3aRtm6i097oBalanWBv+n4wOdYKSZhL6QNzSG02E4DP1rajXcYn0zwJGIdOO9HEEr",
-	"0N1eGLbgy89VlzriBTQ1n5nJZ8dV8NrUihKEUvXGFAFoWlC0qrw7YGJ6i3kAaW7oa0P2PtneDRXEVuBv",
-	"MvCRLqhQTPb76D3tv4/YvLplB6zeNyh2n+PDRvY5gNlQzG4lMMumMDnrlLdvVOMjXt0XLV/WqRONRXAA",
-	"ZwKZlh2eEB2DI71JM4wvYSvvdlIlV7g5g6uE73Ozptfmnq3rlcPtlVbel+kyVL7j3lYWJJMU9dJIm+ht",
-	"lsbVJsbpv2xGwRqTnwjtCTMQU80dzilOwfOT41cACgGTM94xI5fftvTvtabXCTn+HRF1eg4az8cR+O8u",
-	"Tk8lgDbZtJ7VtLJkm05sv19vbsVGQI44hzq5r6neQpzpPpOBiRV/WW++F6oZBUoNb3IebjT5v9zR11qI",
-	"FL7awUuZn/wKp7TUMs7ur3t6LUivUQLpVgnAkQuGy9XuirbF+RcVUg15UEsLm4rdLaak3qgu+MyRqpsM",
-	"O0GsKOqaiBvPiMSdf8kh6tLrnKbIdHqZLh2RleEzBHSen1KlOCKp6rWucsqPDk9O3ZxLhXM1O+RDZdOR",
-	"3M5VhdPXod6Wb/HFxUUsgRCXLDNq8XANvtkzNtQf70pycWXzd03n+xvzxmETeLxq/3oY48CZJZvavwoH",
-	"XDlPJe73r0GfWDmbFvX7m2oPnZeXN5peSSvPdH90OuI0L/YHj1SzzzpKRoCyRINNrBTpP169x2brXLXh",
-	"rwOM106mqJiMvtZYeXNbFBVVWaC6H1JYn7r8W6L9QIkGHlWy5vFQ6eYYZKv79VTeTqdfj20LbbbgB6Pr",
-	"4gE/CK2vapOGvvEV5CUXYAHPJSjQOVaFL9W9Z6pGrm4QVFVjdAm8W23HMqSUys+UEhQsUFbYexiWtcdE",
-	"KvdV95bGsV3e7X5G9zxqEGg71Oe7WL/3kFxHH834keS6SY9t9NsgnGuMK9/P5kUNuPh9kDWU7lq0zeBb",
-	"fS73NpTcROQhVEPLnoDyS5J6V256ZbrTJcDE4jaZA+be1snHwLJZE8T0rwc1l4KGRcVhKW4Q653LTjvQ",
-	"IZZLtTlGtfblbVB7y+2VJ7R7i3coEykUWJbn/wCaSETf/WJ2eyGtV7Cu74utcb8sBpfnHgfuevU6owwr",
-	"0MUz86LfwlF3J7doEgEqseoCc1vUyYG0PPqd3Y3bbW+QgDru0e3K2dHqIrPdKmsTrKYsBZPIaeLupfzZ",
-	"Yvdb7x2xWngcu3tr1OyGD7o+5LrdgU7hlEd8X8t07b2Jm5XplsVVjJyyuA4jRxKgMnRUdy7MlUizkc8O",
-	"grsFFa19ZewV89MrRc4ly1ulqoBVY7vbP3SzxpLJOmaNQxxXMWt8KvlRZs0t08xGZo3Ty8iApU1Rgf4r",
-	"d9GsKYuHZ9aURZ8PzUtp1kS0ov9Do1VYM5WlyqPVmS6eDaBliG8WqITZuiXHOT0zmTV6eErqhh2Y8zLU",
-	"dOVYD3iT3R/cKXrI49jbmqAAfUtUkzydRGsrUSpg/QgaCGKde4Bezrg5rPuYL24PowHwsHmjnq6UF4bA",
-	"5JwKvbHQ+aSBazsOZoDQqr3blKZLyfVt/CTSieBeeEL7+CtsrzLJXRLtkhU3ifuB61b6nMSBW1TAIzxT",
-	"CmO9/ZVbf3xlT3GdOXj4LpAI2NrBb1VqnngAfeuCVv5v9Z0W/eRgY4Wrb9cItu8NtVtz/EI0Qzyq0k4j",
-	"73p0LqAow3dlfNLJxjfGINX4XVa5q7k8vCaiohXwDTcRlf/cchoC9qnWqr1goG2hoAB6DQelgg3T2rHh",
-	"6Y/Zsq4A9dsagoSSGbbopb+0HETVD2J7/RQ712m86oN5yXTPw5QCTtuI5lwIXCHc9TPVjquHVzc6M9fW",
-	"mtTOqp+boLahYwDcLrDvkHtV0ZWDTA/8ZgTnuNtUscqyVYSne39ojbLP9VpdLWqUz04+3WiX0+hlFCAp",
-	"4xlSemwdBjaEqEMfasr1W/VWvaRvspVBx53LAUT4iC4a4W7PqK3KGT4dv3d6KZqjuTsk9tJZlsValI7B",
-	"pD5dVdTlnbsqZahun+8494fb1lcDS/HOZjOEpiTUBMkRSWMXgvGKriMnSCo8JOTxdhuLdLa1+uRfUeY9",
-	"NQVtTs8DDhr4GYoihi7bvmki7L3hez23bYse24zszlFlgNc+hL4iEreD0O8ionwGe0q0174cuyotaEu8",
-	"DuO5fY/BzSC9c1l41+UF560rsiWaf3g1qa7CVpfZqOsa7lKkXK5QW26++6gs0gd57cIHSOB81R3tHZ3f",
-	"FdKvjqA/r3U3a1VXgXI/FDdt4roOLQb0LqAbE5zjtK5FrKwrczm46tDZp6DdcMQ8dDF7h4JWN4n0wt+h",
-	"Df3oLgb95FM1f9UC+uHemtN0SLnKViAC3hQV9pUtdbSrTSDYRAbthnezUYbowiETKGRBaVvICSk2ZjfA",
-	"C6tf3sX3N61/BW/Zv6LK5W/2LlKXPoXKDLqPIQ2N1y1QdxFMFQmHaY+oORGQCVuOqYIYdGY9cjpoVcV9",
-	"vbvcfVKoCKqOfjspJerCbyOtLI1UVTI92a9rexL8+/VHdzgxw/agk8RjawRqkHuX9j9UY1snKWXKJabx",
-	"TYXT5P4vqii2C4h+rWqzxI/1kL7vql11kBqia+OttkUC2HtTET1/qutN+vAgRnByRnQbmNsTCeE99l2o",
-	"6qzYb5uWpvfegummQBMSvCL11fTWdxWvVsV5xfimy4ALLOpuCRuBlpphYYF4XyMqWBSMFkylQ6aIC0zM",
-	"PcSFl4Y6LNSuNrF24bH+7J+qvv4yGvj66bJAgz85rhromE/Wq8t3rgj/ixYmev2mVUzadywZ9HWoIJA9",
-	"dY4YN/DqD56bFztqksP3F4ei4r+ZCa/IS8PF66YHml+97myx4cJa1Nuis/591NkZO+Pd8ZPRquJgO+mQ",
-	"8uDfAqBtZDXpQ7iHJsBrJKrbrM+ro29fxKxkATu33KnhPFlQLkAjsjw5OgAn6pNRNCpZ5rTc+s7LaUpz",
-	"iMnlWJ7o+LvUVym5HBM50piVZOt8R3Ecs5LvoVhvAxkqVHaLhkwpVmSTF3V2yDlkmJatjtE6GM7BIx2I",
-	"qesh3J63kW5tEVX6XAQ+vJo8drr5NStUv3foBjFDmRJcwZUHOzbyelqQK6dhjoiIqnSX6p57PwumvtfZ",
-	"9v2x8ja0Op1iXA8fXp9OyjIJfVFD5qpaeFPK5c5qUgaj4HnaNB935atW4Z+UjUhF+gI+k5/hrMlOoR3J",
-	"vF6asnQDwFAEEJ564dxhzqMmFZn5lE2nlEBbju5Masgr0GGokhnG3eg5kZzVSFvPhMurNgsw0cZiNY0n",
-	"VtqTnS4QR+6gkCGVXocl90p1bNBmEGqxnCm7RXcp0H4cvqBllsrXTBl9qrPZTSeDkxfvnAXVlfaXXy//",
-	"fwAAAP//NPNLB2r4AAA=",
+	"H4sIAAAAAAAC/+x96XbbOLrgq+Do3jmVzBXlNemK58+osjqJY7etVO6ZqkwfiIQktEmABYB2VBm/+xxs",
+	"JECCFCUvsV3VP7pikcTy4ds3fB/ENMspQUTwwcH3wQLBBDH1z1OUYIZi8ZHGUGBK5G8J4jHDuf5z8Pn0",
+	"IxAUMPMiEHQwHDD0R4EZSgYHghVoOODxAmVQfjyjLINicDAoGB4MB2KZo8HBgAuGyXxwdXU1HOSQwQyJ",
+	"2gIm9J8FYsvm/BPI5kgAuYwZZUAsULmWwXCA5St/qC+HAwIzORkrh+xc6TrToG8wy1M5+EKInB9sbWXL",
+	"COb5KKbZVgxFvIjs23K44SowDAdneE4OyQmjFzhBLLCeBQJyP4DO1GI4jTFMQW4/MFvPoVhUO3eetu8b",
+	"kSIbHPw2gLnc0XAwx2JRTOU/KJ2rX1JMzlGC5T4SzGPKksFwwHMq8EyCWVxiES/0lymUX06xmBbxOZKg",
+	"uqTsnPLBcAD/LBiC8lNEBINYDSIYvIASPjBGU0rP5QeYJPSSp/gCmcEFYoOvIaBNsJykDVGwWUEIJ4R9",
+	"2Bsf7AfV0V8ghmfL1xnE6cE3879B+zInyxw5S80ZiqGoJq5Nt8zLo9ZrHYFX5TdDQChIKZkjBgqOkrZN",
+	"ypV0bKkxhzobjQ1IbutXtUP5q/zrJSUzzLKXC0jmalw8J5icQM4vKUtSxOUp5+bPU8SRkKdWwcsfMsAJ",
+	"9EIVGxgLgbhQLOiNIZ0QRcDqNSD/izJEBDDEVm0mh/G5gpLIM4mJJGEUJ9E5Wjp/cThDYkkUFGY4oVGx",
+	"O5OPDVkQSlAAC4eDcSEWiAisGebrbwIRjilR24BJguWvMD1hNEdMYMTDBz4u3wQVQwQSOxEXmMwBdF5g",
+	"NEacy1+nS3V8cYrlxiFJAKyWQ1kFZzr9t2RdHet9qcY4LkReiDUXfwRziUjIjgWoHgXMGM2cBUr8cIb6",
+	"LoGLk+bRjvM8NesDOJGLnWHEGuNXu5tSmiJI5PZihhK5XjX+fzI0GxwM/mOrEnhbBsu2XjKkhna3p3cv",
+	"h1lkMH7JEBToDMUMBfDv3dH4JeDqYZ+VXXUfBWVjzuUiKDlFPKeEo/YzmMGUowYs3cFeQRGg+F8gR8/3",
+	"C5YCRGKaoBq2gER+FUBxfXpyzPdnx5/6jGsQUg4I1DeBUSX/gKJgqNdCLXRA9VlgzIIj9g6SJO01qHwb",
+	"LPTrwwEp0hRO5Zcax5uMvBIWv9VhMgzA393i15XHLwSMF5J/tbA676Rg+TbIaAJTLJYuv0uhkExwIMmB",
+	"ch6VP6xgYGoZlqNuiofVCMd6qysI8fPpx9f6QPQJyTUFkXndQZpou+4IeTFNcfwBLa/18TidU4bFIguf",
+	"rH4PnKMlgPZNh+252iMm4vl+hfeYCDRHTE4mGCQ8p0yz7lXo47w9HGCBMvVVAzPMD5AxuOxBAI2DX4n0",
+	"Zyg1KvI1eJ1POV2n1EZw1c5OEVeQN0fuw/HLAokF0saAD8+s4ALESlwAaJhfJEeKmBnQPeW4lDyA04LF",
+	"KCjImL+Urn05qz7V+7DbkhxOqVy4suc68bj2vjfcShE2sWi1Hg4CsYACxJCAKbL6rGVlBZcGBZnF0qxQ",
+	"bJpnkIkohsoKWSynDGv9VyBGYBrkcC8puUBLSGJ0wtAMMURiIx9msEglYSntbrhCw4zLYUBejVOt1QyC",
+	"SWknVgajXF7OMA/rkFrTOBlPTrXCtyY5oG85ZoiPA3B/LR/p5ScSO42+fzKeuHxFPooEzoIyNUMCJoYF",
+	"d+mEpab/3Rog2TLKlSIuDzWaLvVPMM+jOMWDJjrVOEy1rRAjcWC2kZwKKZ6Hr3wAVcbLbrz3bPp8thfF",
+	"+9MX0f7PaC968Y+fYZTsJ9uznWR/F+3uK/NHWqtyqN9/n/62Hb2A0ezr95+vfv99GpV/7l+1/tv9amdX",
+	"fhY6kRwxLvc4jqUdMKHnKOCoucc7qJ2zIuDQnlqO3TDPG1WYN1W/2tXl0rI6RbxIBV9DOHXYZVfDIOLK",
+	"JVZi5Sfu6w+NFTJ4eZhsotMwB9T9JW3joErS794HkC8BhnKGuOSgibZ3MQcGH3phlnGD6D07W2hg13Dw",
+	"LZrTyPyYMypoTNNRF8Y5n0Q4s6Kvcr+pETRVLQYHxremvIRzGl2iqUQrslX+o/ziysN0xer+RvT7j+gB",
+	"4+mBonoD5e4G00+s72tdFE/nbRBe5oLOGcwXOG6zrwLmlDmyfg6kiXy7fiDmLOTKuuVYw/20auv+LquB",
+	"QAWTkEfKhxg7D6g/JJGIjDjAWgty8BNzAEFpzWjXaR8fVw1KwUO6gClO6sTAXYeGMp6UwzakPr9mjLLe",
+	"zNGf/0xAkkCW4D9RApAcCLAK52t6tnwc0LHVV5KBWLRaYjLXYZocxdKYAtBxaephqt0ZMyRiNEWRNCWj",
+	"KYowiWCa0kuUqN+5Dr7AaYqSCJEkp5gI9zdp6VlPfQRThmCylIMUah/+zypygZWdNaNsipMEkQgSSpYZ",
+	"LbhjTUUcsQvEIrtiTNRRRXo46+t3HhiH9WA4SGkMUxQRKuw+nOhAJCiN+EIyEedHTKIFnuaRNDamUK27",
+	"it3VRlKw8n/ieE6KPLIQkWYHsTu14JH/0Z95u9WL17ZKtZUZQ3wRCaWKVr+XoZIS9NkMRoKKXEUJ1L8i",
+	"7Rd2v9LP1auShco1zGhBFNeWX9izgbHQkS/7pYprDIYDKhmnXk2EYhWEiWYQ653qhzmjM5yiaIZEvAg8",
+	"VMHAxmHqlcWQyDVxRJKIZzxIZxniHM4DRPyuyCCJZgwjkqRLQ0b2bdcIOdRzAoVAVaCm6RsWUBQBV9a7",
+	"yeQE6IdmFkl27hT729tNhl5jzWb0akNDQ9ohRn2YKGPEDc12spdGPFWHUUPwfP/lw5rc6v3Z8SfwBU3B",
+	"B7RUgen3XybgwnXw9JKMpUdSuVvAJRYLrWxovl6d1+nZ7rPnoQMKIMHp2dh6udA3LSy9scb/HP8SGuo8",
+	"pOfJ/R2+8r4/R8sIJ9FOcAyxDI9hpLC7o3FoABLeT0aTIlWoUo0Ap3Gys7u3PxqNWkIQ4aUUDWrgeL5S",
+	"r5PnJ8Gt4aR3KperJwoh7PsvH86QuA5inSEVRNWIpWSZRLMymMEbSHaOlgFiHTMGl4DOHN+n52/uUq4k",
+	"aazyQKvxQhD4iMm5IdvNHGo4aXGqjCVRg8NXwEqFJiLR0rnofvhJ/qypLSnkuwqcABMbzQ36eRye0wWs",
+	"OouqA8rNEknaXStHb8YvFzBNEZmjE7hMKUzW1UXt5yDX3ys0yopU4GgGY2VRetZfA5OMdG3JvwCCShiC",
+	"ywUiQAIiRcKqWkdvxiC283tkls3ghIr8AE7jnd29BM32Qzytrr7rhYTgdPyht65phcHxh6AAOFbb41XS",
+	"05p4yrwPbz4rqbF1i2JniPM+YRv/EI+ltbxbJi0BrkcBMSUCYqLSHJT7T2UyGAVMk1qT58Au52d9JjOs",
+	"Gkrh5PjkEMQwTX3WvoS7L0Zwezx79/zs6JdvLRy+w90+wRniAma5RlEVKXKnNp/6jtnt3f1oZzfa25ns",
+	"7h08e3Hw7MX/6e2cNwMeBmDwqcimiEn+y1FMScJBQQROey1q79mLFyG72JxJT6h7J6jATqf2oAm69FbB",
+	"wRM8s58mNrHFDvXUg9jO1tb2/MPP+njWC9u7WONCb7gi2nBig7lNF4kh4s3D5CsdDaHw1ZUXcNVJUi2x",
+	"Xx2sYijpzJfqLZqbuVkNQV0L4Hth3t7etOqrq+Gg4uwbOPPQtzgtElQdXUhZASnmQlJL4KhfmVcVBkuU",
+	"4JWrTiJzMLhr4pqQIUCoUMieC4mpUoop74rcEusL9s5lhY4Aealom3hkVSIUJiG8eid/lhtZoDQH8wIn",
+	"SO1JpdSIBaPFfKF+QN9yJO1CFSnddKNqttAe82JqXlSewxYCSBCX9N/wMCkxIxYIa58PUqZ3zWXopCf3",
+	"XH/ImxlYOstXh/VTqXyfQCaWr4nAQn0nJQEtRAiD5aOh1CkznKbYcP2hRsMK4QDm4FK+IBUnCi4hFmWO",
+	"s3xD/mh0KxR0jipfSo9EArvmGgtmuXHEDFyyDpxlX691D958m97rbsLcJCi9Ln/bNPknlHjRTwSEsz4C",
+	"WH5zjnSc9BXM726SZVkNnqO4YFgsTdawyfFJ0AVWr5lElJCSH1ihsUo31BzSlF72lGXXFmF3LrWuKegf",
+	"v8hj+WFLXPT0RHkm/LgNX9AiTSSB85jmKNEFO81Uv3shVW4yVc3LVSyR6hoypUa0tylSTrXhZK3ttTxZ",
+	"NSem/kqXbGlrrG6ltdjX1zH1tJmHEl0AkDN0gWnBm76fFpOu24TzFhYSCafOCzcGNUg8c3VNcJ164FFu",
+	"QEHBHBHEdM5o3Rx+IKlbPc6iocNeP01vDAqC/yiQWxxieY2ZEKgZAVJTDsHlAscLwJHSeQynDHpvFfk2",
+	"51uoAFcOU6hloSrFs1PqSVbCSo3dqse05PB6Waqq+q5gcK40taYAcMPzgDmjOLFmb4jSM+BWwoV0mM38",
+	"fZJF14g+5PMz/h9pjClZion2SATDWV1ev/dfJo6vyZ2YzJXHz4Snff8bWr5fTN/G+Bi/P/z85+HOJ3zI",
+	"D8nps/jl4fPD8/y/f335/kWLJ9BZzet2R5yTgytlqU0x9XxwmFgvnbu2F9vbvbL/u5nPxGM6JaeuLeH+",
+	"pru6uwvpPodNLuCJo/u7s76W9Ao3ZhANa1jRAGOICRky3zD4oynanIKl8y5i5hVX6YKAZT7BiIQunB7b",
+	"dI7N4n0J5nkKl58M96+w5T1dEHCWYVVV3Tg+neMS1JkvaRQvIIOxquM0L3pcR4Ijg98+IjKXCuLucJBh",
+	"4vx1E3n4M8y40LtSWxkMByksf9H7Cqbht4BZFTuflCW+11StHAYtrSjJpHVeiJQETnJRLQlLvhLoS8AR",
+	"+4nbAZKE6ZhqBfB/0wUZcbnl/00WlIsRpm6URQ8bCsLahbRN6ay0mu1MsG2p9nB++R+UJdGL/f/3P/wD",
+	"f7btnfjeKvXBLrCc7mvfY9ooL85+pojZz/eqi3RlCWZwCTBRfnYAS+qnrBGX9U8zm60s7QuFpa+GN8g8",
+	"HkOqAK1cSZ3QwHPyObcm7N2nGGiAH+mA/GYApyIPmKMEad3KIcaAj6Mrt8AT+v/X5gyM/ud/9k0VGKql",
+	"te/6eHKiCHPDGq8w2xsDJ6HuRvjdZpgUZFarYaHbQdx3iGyIcTWY6DzLdSGzUcXHzfHGjWsSH1mNWt/y",
+	"NAM1pynK3zQfAMpZxo9vWgBEHjkChmKEL3QqydnRWVC1W1CCdJpMADflQ0DKJBrr6vcA/l87u3v7z57/",
+	"4+cXqzHImWyVqAiBaiNGcB/Uq9pmNjz0TfWbH3XE7Yf7xbj87zVPuFq5/OuI7io+1T82HKwidaDR3VDL",
+	"g8+KXlo3ADsv+FRttg0pjgvhALIR7vW8wOEqJmkh0ELogAtMUxBTQlAspBGhYtS8pclE/6hFGc0rGENE",
+	"WBuvP+58zm/Wf8DQHHOBmAmfKN+xKmXY3Ivw2nUflDsuR4dxTItaWcPdytwuf4QFbL91/0APRbWfDTIf",
+	"UHKq6uFcP91vAxVaUbz7a/+ONkNLVXJE3/FnxEBjgH6eQgeIe7ueXfnb77/n3z9eyf//pP7/7AoMRz9F",
+	"X//rP/9CHsbh3Weua7x7ELL3TvTxChZ3LcgbpeVXwwHB8Xk49vrJPCmZmk3E8muQbxh2K2T2hIr8rQne",
+	"X9e/6gRCJ8eTE8CRKHI3bKJ2fvRm3JBhOINz9JmlrU16/3lqqpLlizoqE0OiplJyEpJ6u4c89/BXMoMD",
+	"9fVWTub/a6oSrYb411+OTy+3P7ydt4RFBRV5W9tEs0fVNvHcFDFmkBQwNTvvt7LxLy9fvX7z9t3h+w9K",
+	"PV/dH8ECy1te6HAbiWXtnQQj20lwiglkS9tAsSTw6VIEqzY+8x6FpIFYuinw1Y0+tUxfES0X+AIdzWC4",
+	"9n6sE56P3ox1+wlLYkb4raisGA7gBRSQdWGgHe0nXq49x7Hp3hji+pbp66H5lvx4Z3dv9O98HuxAoppA",
+	"JT1LcVxdCFxCblq2JfVynL1oeyfaeTbZ2T3Y2z949rx/OU5Nn/BX9Eo/VJhNGf5TUzejaQPya+shwcCU",
+	"eQeYxJO+Uc27DrBVfYExSrq77hXuGhaQgylCBDjtDMrVeBjrGDyhdKLPrclEjeO4V9kDmJdh7y6wYa6a",
+	"dxBQ9jxoNQoM52mCrU0PtSHQssJIvwiepJDMCyl1JH98ekd6aS0foeCCZsB+DCBXTdNFVfDePODNFdpO",
+	"R5MFk+NvqvuYtnefPXu2vbO7t8JRuRahuBN200vryTNrbPmTfTQJ5uqxBC2eE51fFALrb2W9hzqT9ay0",
+	"eupLKXRc9u+zXp8/1lnMUDdLcsmnxHAH2cJgtxAJag4csVdIkxn+E22oUmvHTXn5Qrdfy3VkXeI0BVME",
+	"8JxQndPXl7ffFwumy7sxrlz7dAYyTHBWZGAPVEbwTbs3dEuZQ3KExIIGCU4lleI5iTCRfGZBE1OhXu+k",
+	"7/bKyd2O+V9X6a3eErrCh6riSvXpV71hNkM+gi5f3zMUadbINxJr7aI7wXKGSOLWCzyiuNxqEK1Am00S",
+	"szs10BUZ067+MQSYCESkFUVJqg1CM3ZQ6WkpfnF6ubuhnFLdb0vSvpOcb18atWSAy5M4msHrp9VJq071",
+	"+mUgQeVf63ThWGE32ptDlOFYTTgCnzkCKMvFEmh4yKemTZZ8eeSwRdMQy78ixPzYNPNoEliGS83a0VHe",
+	"N9FwHmgj0KxUrkw7VJwClH5uBLWSttNbN7LR4L0n90r6re7FwhBHugjMrm5o6w4S20NQp/RzXQPvZHwm",
+	"fsKVd3HM77/3SrxyIbb6TDgSf7P7rqo5r9bELQ2p79spLVEMUR2x24WsZJMSjGWxl6H8cqF+/YlbmRIq",
+	"QdFu6nGSnBkHsKmUuY9Oa31CMAVkPe/1el7oMERurBm6lKpVQ3SCLtMlgImU07VNeEwU7T97/o8I/fxi",
+	"Gu3sJnsR3H/2PNrfff58Z3/nH/vb29tBEdwKSXXvmQWivfvMmR44TWP69Mhth+M1coDFqnIkQU0vtT6x",
+	"KpV8o3d4JvFQz/ELggyxcSGZdcMfrZ7V07KVk0Ouwa3yUTI6aWTf28Io+SBnVOjMAdtnlI/sNWLKOaBm",
+	"q3ayECKXYKxW+DpFF9pk7bdSlUBuDooDZL4GOWIZVjkG3CxbF5YQjpXfumQuvEpBN6O412WV6JIhyAs5",
+	"Ay/iBYBcpYgRUVvNCLxRipOAOOWAIwSsdzqhMR9Zhr6VM5oUseBb8vMtu+jIWfRqoMmzxmRGjd0voL4t",
+	"xwicAS/ynDLhChFTX/xJ/gLO9PPBcFCw1HGjl+9fNWt0spyhhQThBWqW5rELHCMbkoFzqSdp8a3YkET3",
+	"oU374MP6dWNyCG0EK38KjpHhQ2bNR4cT8NH8Wl8xzRHRd6GMKJtvmY/51tHhRGsiIq227dfug/HJ4WA4",
+	"uEBM56sNdkbbo20tThGBOR4cDPbUT7oWW1HT1ugSpWl0Tugl2fr35Tkf/Ztrh8s8pPGcIsEwutD1/o1W",
+	"iU/ef/lw9tQN5DkND8u6O80Aap0UR2CywLwkNKknqfenS3OLjKJIpWeoOmG3YZYkypIEDpPBweAtEu+/",
+	"fOBO52+12d3tbYtgRsw73Yi37MarawJX9GU8Q0JjbtdVRhxgAt5/+WB7SZo2UaV+cUPL8Ts/B1Y1Nu2W",
+	"AY1V3lICLhcqClXdoafrBTXfV8y3yDLIlhqe3pZCDVcD+xwOBJxz5bxZcoGywVc5rGURZcm/SvWiPIBu",
+	"b6u6cBukr0podEGOGqukT5/p+EhhmLEd6DaRY3XThMAJVT0judUnze50568HgTJGxAwOfvMl9W9fr766",
+	"GGUOwxKyKlMmwPR+BsaJjok+VV0S9+bw1fEucI6vRC47aRi9tozG0YplL003jgrHSrhL/lM1f60Z1Cpo",
+	"WbVI97FN61IhnFPQ+oUmyxs7ya581MC5fkHTsSalqjtKda0g8+rdSkDUeiv718Ve3SIt1UpxA/uxWpZU",
+	"ZyQ2zYo0XT46itHHWqOCOjpqSqluCXB7uC1rLKWVgBYIpmLxZ6sSYFZi3BotuhPmlVoKU7Owt68nRjNq",
+	"0Ms7NenLBYrP35oLiW8JoZyutYEjPKvWr+GwVOqds5eHJ741bEEsgQuevH09eRoSzUN1//lNHve71+NX",
+	"Pc77nb4NO3Tgf7WzkRB72qY3pZicb+GkNLLD0uwjJuf1kzJXvP7Eq6Qfk1yGvukLLnQzJK9PsHpPHyQk",
+	"Zf3uCJx22qeNg3Z6kN+S+At0OQ+ckt2AToe3+6ynF9p9S1hjMr9TSdfNmHRzD7EE+hb6xyTsKjdJXegp",
+	"ZIa1fDWbs2IP0UHrEl1xUpWbh6VcNoNbgop8yzafapV3jhUywRmKplBapscERfJPUFYbPJkcT06e2pxO",
+	"7aIR2jbJV0SdfJLRgWsTBrtNURhM3w2ZtE6uqot3ZeOu5NGpW+WhO3t3kElXWChEyvWl/CstWIIuwYmp",
+	"ngW6fBZMyoKinEktLZOsKFYtmrRlNAIn4wlXvZNTSuZRqio5TaOoetdSgAkXCKrIGEPzIoUND6PpB0Uz",
+	"rTAr8cLX5unllaO3xNEb18AGDj8MytiEJ+yhmzqoqvGU5P5OZtPdcffmNa0h7dMlLpPUBWAYbR4t039p",
+	"748OH/GTk7GvwPp8neM5wWQLuhmhLXa/maeREGqbtkjcoYUwgkbuzekIOwJj7ytuKVHdjsyEbTKmyVC/",
+	"kUKBGLjAUAEpqTLkSsdnk9ZqfZ1u1YXQ6B4VwIAypFe4ifgNPaqEjUkLG/xYH4FHWKV76eGZC2emA04J",
+	"33TpkEJNr/AIopZ+10oVYzccBp1iUt0fvllSKqWHKBjhbrsjFcJrdD1SRuQlDatBQPn/1U1ybVTglc3e",
+	"KiUEC3QDh6mqUdw+0WWXKA9GTY3vDh1oHa2wQuhZM/BLwhmBQ53pVJ3TEEDncG3aLVPo4KsjJWqMHi7N",
+	"tZdU96G/lYb7uNkFzrG7TUE7MKFQaYD4FvsT3WeLMvBWXbT3dAS0gONuWXhZLDUDlCCQUMTJTwKgb5i3",
+	"yp7btd6Drcc2t99/IJ395YSQdSK5vd16UIK1vHtEZOQaOixnPzzTyzwPSSs8s5FlI4YcptcS2PH6t90q",
+	"ZdR6xAXOUmWf6lRESRvKYNVZoN13zt3nmI7ckxddro5kWLVONlWLD46AjEtdnVRV1NyHdqjIt8o0zDDx",
+	"HBIssJQhWuPT5EAbbaHqyT5niCSqOk4uypQvmVubUeJXOypNoExp9WTIsGrhbpx1WiewtmzdeZcAk+vZ",
+	"JnxsG7hbpbF6R8JQkNFriKLDDq4hZLahjlNC8AcKom4/snZnEXuFZFVG+iAdyl1K2vHkZF2q6p8rUE7R",
+	"KZJU6m+d9G5UBN0pfaxMLShFjyQQ1Ogh9OMETldLyZD4gXMcq0jLY6QVI37WpRK3Xq+3EHI/CpAKRyTR",
+	"ultWgdzvl2A6ld2dyGk0rbxV2mptkXlNIeTA897KIofMDF2pfmqPRxBltQ1uQmk84zdJZ01NsNaexCmV",
+	"/1FUd5bxO6M5pxNnKMrkNg7oJrizo7MHp/l5fREeEd2Zs9iQ3Lb6OSc8kpMz/lhN8AcS0HGnf6JBQ56D",
+	"QgLuB+uFHV2G21z+XhaEX835UNXBdWlGrOfKDkdz18tvaCRKlHUganvjk8NW6XJruQqN9vC9cxX+9lf/",
+	"CNHQL6mgE/VN8GHru/3XVWvuWKmfmXsi6+k4Kb00bnSgmjKlZWhDygZd18yd21VpI/PN66GWwzlqJYHq",
+	"ZhLnLu+D38InU72yVfv8atggd8bgUkX5dF9a0wyp0TwsT1X7AlM6iuWnfxSILatyPq+x7dBBnut3uOVi",
+	"qUrnZpRlgT3YnnShLnShlfpdlgILbelYF5jZ6U7Xa2avh0Zo5ttowRs49dbWu6FVlw9DC163E5pcTG++",
+	"c7tXhDU5VVVwW3Zc89q9PFF1k7Zhpt7S0xaolZlqTfB/Pj3UCUaaSejrjENjOB2Gw9C/oVbDDdY3AxyJ",
+	"oW68lyFoBbrbC8MWfPm56lJHvISm5jM1+ey4DF6bWlGCUKLemCIATQuKRpV3C0xMbzEPICs3dJzDPwoE",
+	"uJD8/AKmBTKzlwkP06XHnlsmVwN0Tv21Jvb3tndDtbjlyddlx0DXcij+/n3wkXZfJG1e3bIDlu8b7H7I",
+	"oena9cybS/itGKbpFMbnraL+neq5xMuLvuXLOmujtggO4Ewg0y3Ek98jcKI3aYbxhXvpWI/LvA43XXGV",
+	"3H9p1vTWXPF1sypAc6Wl48dQRU31WUEkqr/QWuRZJohcb2Kc/MsmM6wx+ZnQTjgDMdVX4oLiBLw8O30D",
+	"oBAwPucr+IGv+q/HmlQukH89RZUZhEbz0RD8d5uQoRJAm2xaz2q6aLJNJ7bfrze3YiMgQ5xDnVdY16wh",
+	"TnWLy8DEir+sN98r1QcDJYY3OQ83mvxf7uhrLUTKfe1bpszPu4VTWmjxavfXPr2W4TcogXSXBuDIBcPl",
+	"Kk9J09j9iwqpmjyopIXNAm8XU1JlVXeLZkiVbIb9L1YUtU3EjVNG4s6/5BBV1XdGE2SazEyXjshK8TkC",
+	"OsVQaXEckUS1eVfp7CfHZxM33VPhXMUOeV/ZdCK3c13h9LWvo+dbdHl5GUkgRAVLjUbe33iot6sNtea7",
+	"llxc2Xde0/nBxryx3wQerzq4GcbYc2bJpg6uwwFXzlOK+4Mb0CdWzqZF/cGm2kPrvem1flvSwDSNJ51m",
+	"PNrocsD1RPUZrQJ0BCgjONg/S5H+09V7rHftVRv+2sNubmWKisnoG5WVI7lBUcMyAVW3YgrrU1d/S7Qf",
+	"KNHAk1LWPO0r3XoaZFs6WtBql43rhxZ0xQ6lFV/1tip3UuaaVnTkOhjkZ87dcBoBnXLDen66n1VZ+Xon",
+	"FCDCC6Zn1yivgu1cQCVy3eZYWcGFirXDVDJenGUowVCgdGkwVI6hlfPyIAQFdCp3oB6axllgoroImsAj",
+	"B3GKoDz5sn2sXMgUcmQv4FbrkGMOAaeAF1Mu0YEI9RvXSQCSx5elc3OqP2O0mOt8ANsmXLm+4RxiMgKH",
+	"quGXk4RgKBVPcYrFUnk4BDXAsevlcCZ3bIwMTMCU0UvJ4pSrUX0A5+hpsDuYVRYmGnVuROO4rV5SZpbq",
+	"gtHuOI1F46SBw4+uRrvsRldnPyZ+qNC49Nv0c/2sbkpWhnScpmQWqc2u/IybqkLKz7TR91FqIlSyWdH1",
+	"Al5I6KALrKr7yssdVSFw1QWtLDlrU63vtOdUn3pRPx1UULBAaW4vm1lWbmHJJssWVbWjurrfTdseeGg0",
+	"0FutD6n0T5qW6+iiGT9dpupEZsVRjXBuMHnmYXZoq8HFb/auoXTfUgoMvlXn8mDzZeqI3IdqaNGRNfOa",
+	"JN69wl4vgukSYGJxm8x9tZOPgGWzJlPDvwPZ3HwcFhXHhbhFrHdudG5Bh0gu1SZSVnaet0EdErT3OtH2",
+	"Ld6jdMtQ9ow8/0eghQ2/+4qYvXXb68qhdc4K94u8dw+C08CF1l77p35dCPDMvOj3qdVXMFg0GQIqseoS",
+	"cxvI5YAUadodVqtd4X2LBNRyWXhbYqJWFwPWZ0VZCiZD56YKL6/ZdvS48wY5q4XHqbu3WmOC8EFXh1z1",
+	"dNF56vKIH2ovAns57Ga9CIr8OkZOkd+EkSMJUBk6qgUh5sL4VVR6RwvB3YGK1rwX+5pFOKUi55LlnVJV",
+	"wKqxV3g8drPGksk6Zo1DHNcxa3wq+VFmzR3TzEZmjdOwzYClSVGBJlP30awp8sdn1hR5l7feq9vQRLSi",
+	"yU2tH2I9X68sFtDpfJ4NoGWIbxaoqoCq79AFPTfpg3p4SqquRJjzItRZ6lQPeJstbtwpOsjj1NuaoAB9",
+	"i1UnUF0pYMvtSmD9CBoIYp17gNz3RasdPcSiGHsYNYCHzRv1tK0uoM3EMYe9aLqv+1NEJSokcjSCVkr8",
+	"FXmis2rbw1bgCZ4BRoV6z0n7eNoVz6pf2aJy9znIIC4jZU5JT1WpU65yfHLIy0CRxmR7JrbYgaHITQ1u",
+	"pV4vnnN3CSQbsQFvrV1FQxZO7D7zhfXDU4Yl1KM1jzA6pY8tHJxapYxqlrJKBTUyW65R8QcsdB1O4Lqz",
+	"wxkgtGyLO6XJUiqSNvljqAvovNwKnaBQCtCyAs+V+m3q522K08A1dV1xp8Dtc4rfSRu02v7KrT+9dvCp",
+	"qrg4/hAooGjs4NeypEE8gn6/Qcfhr9VdYN0S1iY6rb6VLHjtQahNreNqpiniw7Jcx1zoZvyNXEBRhO8Y",
+	"+6yLtG6Nt6rx2xx9rjH0+Jqvi0a2Wrj5uvznltNIuctaV22ZA+2eBQXQa9QsVSCYVL5SzyRNl1XnDL8d",
+	"NIgpmWGLXvpLy0FU3wVsr+1kF7r8SX0wL5juFZ1QwGkT0V5VuysR7uaZqhzamamDsY5DNx3aupSyD66g",
+	"thF2ANwusO9RxEbRlYNMj/xGKee4m1SxSj9RhKd7pmlltMvUKa9kN3prK5+utRms9YAMkJRxNisVuMos",
+	"MYSoo6lqyvWvOCjv4LjNFlDl+Hq6Dqr7hC5rGTSen6wsA/18+tHpQW2O5v6Q2GtnWRZrUTIC4+p0VTG8",
+	"d+6qBHQBOZgiRNrO/fFeh6CBpXhnvYlUXRJqguSIJJELwWhFt7YzJBUeEgqiuQ3ZWtuBfvavdvWemkYA",
+	"Tq8oDmr4GUpMQCRxr2e/EyIMTrpZJKhBj01Gdu+oMsBrH0M/NonbQei3EVE2gx2tbWKB1c2lKsMK2r+6",
+	"2izbvO+mxGsxnpv3P90O0h/NYAd2q+7EHuDKAuSjN2Ngtq4vAVTXXN2n5Bu5Qm25+R5p4wx9dLrcESRw",
+	"jlbcMtZyY45C+tVJOS8r3c1a1WXujR/dn9ZxXWcrBPQuoBs6XeCk6uFQWlcMcSRMZ/MuBe2Wk3DcKVYo",
+	"aFVzbS+jJrShH939qZt8yqb5WkA/3tsG6w4pV9kKJNXURYV9ZUsd7WoTCNaRQXvw3QS3PrpwyAQKWVDa",
+	"FnKyFGqzG+CF1S/nshgkblv/8ia7IZXL3+x9pC59CqUZ9BCjpBqvG6BuI5gyuQYmHaLmTEAmbB2eCmLQ",
+	"mfXI6XhXmUpiiRyco2WNFEqCqqKkTpbaAjqFdIZGyhLfjoT6tT0J4yQ5M4v8gJaDe5zrZXv3SuKxZUcV",
+	"yF1IP1pjW+c9psolpvFNhdPk/i/LxBgXEN1a1Wa5ZOshfSPBzMdai21r4622RQLYe1sRPX+qm80j8yBG",
+	"cHxOdPu8uxMJ4T12XUTvrNhvN5skD96CaadAExK8JvVV9BaMGNq4uVLFecn4psuAC2zY3kp/CBpqhoUF",
+	"4l0NPGGeM5ozlWGdIC4w0chb5F5me79Qu9rE2kkv+rN/quZAV8Oer0+WOer9yWnZeNB8sl5TIfvqX7er",
+	"gndPh4pJ+44lg74OFQQSMi8Q4wZe3cFz82JLQ5Xa1BwxU13YiIr/aia8Ji8Nd94xvWP91jvOFmsurEW1",
+	"LTrr3keVnbEz2h3tDVZ1NrGT9ult8msAtDxYtP/wTIC3SFgoWli7bFndMC5RUckCdmG5U815sqBcgFpk",
+	"eXxyCM7UJ4PhoGCp06r0Oy+mCc0gJlcjeaKj71JfpeRqRORII1aQrYsdxXHMSr6HYr01ZChR2a1DNNWd",
+	"Q5sPrbNDLiDDtGjctKGD4Rw80YGYqsTKvStgqFPChqU+NwRHb8ZPnS7I9aL37y26QcRQqgRXcOXBTte8",
+	"mhZkymmYISKGZbqL1g2VbHOzYKTwk1RQNS208ja0Op19Wg0fXp9OyjIJgcOazFWNfEx1qDur7WQRPE+b",
+	"5uOufNUq/JOyEamhvrjY5Gc4a7JTaEcyr5amLN0AMBQBhKdeIJiKBYgXKD7nwzoVmfmUTaeUQJtp60xq",
+	"yCvQHrGUGcbd6DmRnNVIW8+Ey8seUTDWxmI5jSdWmpNNFogjd1DIkEqvw5J7JTo2aDMItVhOld2iWyxp",
+	"Pw5f0CJN5GumB5BpQ2PaMJ29+uAsqGoTdPX16v8HAAD//7oaO/PHBQEA",
 }
 
 // GetSwagger returns the content of the embedded swagger specification file

services/auth/go/api/types.gen.go

@@ -1,6 +1,6 @@
 // Package api provides primitives to interact with the openapi HTTP API.
 //
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.4.1 DO NOT EDIT.
+// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
 package api
 
 import (
@@ -206,22 +206,62 @@ const (
 
 // Defines values for SignInProviderCallbackPostParamsProvider.
 const (
-	Apple       SignInProviderCallbackPostParamsProvider = "apple"
-	Azuread     SignInProviderCallbackPostParamsProvider = "azuread"
-	Bitbucket   SignInProviderCallbackPostParamsProvider = "bitbucket"
-	Discord     SignInProviderCallbackPostParamsProvider = "discord"
-	Entraid     SignInProviderCallbackPostParamsProvider = "entraid"
-	Facebook    SignInProviderCallbackPostParamsProvider = "facebook"
-	Github      SignInProviderCallbackPostParamsProvider = "github"
-	Gitlab      SignInProviderCallbackPostParamsProvider = "gitlab"
-	Google      SignInProviderCallbackPostParamsProvider = "google"
-	Linkedin    SignInProviderCallbackPostParamsProvider = "linkedin"
-	Spotify     SignInProviderCallbackPostParamsProvider = "spotify"
-	Strava      SignInProviderCallbackPostParamsProvider = "strava"
-	Twitch      SignInProviderCallbackPostParamsProvider = "twitch"
-	Twitter     SignInProviderCallbackPostParamsProvider = "twitter"
-	Windowslive SignInProviderCallbackPostParamsProvider = "windowslive"
-	Workos      SignInProviderCallbackPostParamsProvider = "workos"
+	SignInProviderCallbackPostParamsProviderApple       SignInProviderCallbackPostParamsProvider = "apple"
+	SignInProviderCallbackPostParamsProviderAzuread     SignInProviderCallbackPostParamsProvider = "azuread"
+	SignInProviderCallbackPostParamsProviderBitbucket   SignInProviderCallbackPostParamsProvider = "bitbucket"
+	SignInProviderCallbackPostParamsProviderDiscord     SignInProviderCallbackPostParamsProvider = "discord"
+	SignInProviderCallbackPostParamsProviderEntraid     SignInProviderCallbackPostParamsProvider = "entraid"
+	SignInProviderCallbackPostParamsProviderFacebook    SignInProviderCallbackPostParamsProvider = "facebook"
+	SignInProviderCallbackPostParamsProviderGithub      SignInProviderCallbackPostParamsProvider = "github"
+	SignInProviderCallbackPostParamsProviderGitlab      SignInProviderCallbackPostParamsProvider = "gitlab"
+	SignInProviderCallbackPostParamsProviderGoogle      SignInProviderCallbackPostParamsProvider = "google"
+	SignInProviderCallbackPostParamsProviderLinkedin    SignInProviderCallbackPostParamsProvider = "linkedin"
+	SignInProviderCallbackPostParamsProviderSpotify     SignInProviderCallbackPostParamsProvider = "spotify"
+	SignInProviderCallbackPostParamsProviderStrava      SignInProviderCallbackPostParamsProvider = "strava"
+	SignInProviderCallbackPostParamsProviderTwitch      SignInProviderCallbackPostParamsProvider = "twitch"
+	SignInProviderCallbackPostParamsProviderTwitter     SignInProviderCallbackPostParamsProvider = "twitter"
+	SignInProviderCallbackPostParamsProviderWindowslive SignInProviderCallbackPostParamsProvider = "windowslive"
+	SignInProviderCallbackPostParamsProviderWorkos      SignInProviderCallbackPostParamsProvider = "workos"
+)
+
+// Defines values for GetProviderTokensParamsProvider.
+const (
+	GetProviderTokensParamsProviderApple       GetProviderTokensParamsProvider = "apple"
+	GetProviderTokensParamsProviderAzuread     GetProviderTokensParamsProvider = "azuread"
+	GetProviderTokensParamsProviderBitbucket   GetProviderTokensParamsProvider = "bitbucket"
+	GetProviderTokensParamsProviderDiscord     GetProviderTokensParamsProvider = "discord"
+	GetProviderTokensParamsProviderEntraid     GetProviderTokensParamsProvider = "entraid"
+	GetProviderTokensParamsProviderFacebook    GetProviderTokensParamsProvider = "facebook"
+	GetProviderTokensParamsProviderGithub      GetProviderTokensParamsProvider = "github"
+	GetProviderTokensParamsProviderGitlab      GetProviderTokensParamsProvider = "gitlab"
+	GetProviderTokensParamsProviderGoogle      GetProviderTokensParamsProvider = "google"
+	GetProviderTokensParamsProviderLinkedin    GetProviderTokensParamsProvider = "linkedin"
+	GetProviderTokensParamsProviderSpotify     GetProviderTokensParamsProvider = "spotify"
+	GetProviderTokensParamsProviderStrava      GetProviderTokensParamsProvider = "strava"
+	GetProviderTokensParamsProviderTwitch      GetProviderTokensParamsProvider = "twitch"
+	GetProviderTokensParamsProviderTwitter     GetProviderTokensParamsProvider = "twitter"
+	GetProviderTokensParamsProviderWindowslive GetProviderTokensParamsProvider = "windowslive"
+	GetProviderTokensParamsProviderWorkos      GetProviderTokensParamsProvider = "workos"
+)
+
+// Defines values for RefreshProviderTokenParamsProvider.
+const (
+	Apple       RefreshProviderTokenParamsProvider = "apple"
+	Azuread     RefreshProviderTokenParamsProvider = "azuread"
+	Bitbucket   RefreshProviderTokenParamsProvider = "bitbucket"
+	Discord     RefreshProviderTokenParamsProvider = "discord"
+	Entraid     RefreshProviderTokenParamsProvider = "entraid"
+	Facebook    RefreshProviderTokenParamsProvider = "facebook"
+	Github      RefreshProviderTokenParamsProvider = "github"
+	Gitlab      RefreshProviderTokenParamsProvider = "gitlab"
+	Google      RefreshProviderTokenParamsProvider = "google"
+	Linkedin    RefreshProviderTokenParamsProvider = "linkedin"
+	Spotify     RefreshProviderTokenParamsProvider = "spotify"
+	Strava      RefreshProviderTokenParamsProvider = "strava"
+	Twitch      RefreshProviderTokenParamsProvider = "twitch"
+	Twitter     RefreshProviderTokenParamsProvider = "twitter"
+	Windowslive RefreshProviderTokenParamsProvider = "windowslive"
+	Workos      RefreshProviderTokenParamsProvider = "workos"
 )
 
 // Defines values for VerifyTicketParamsType.
@@ -420,6 +460,21 @@ type OptionsRedirectTo struct {
 	RedirectTo *string `json:"redirectTo,omitempty"`
 }
 
+// ProviderSession OAuth2 provider session containing access and refresh tokens
+type ProviderSession struct {
+	// AccessToken OAuth2 provider access token for API calls
+	AccessToken string `json:"accessToken"`
+
+	// ExpiresAt Timestamp when the access token expires
+	ExpiresAt time.Time `json:"expiresAt"`
+
+	// ExpiresIn Number of seconds until the access token expires
+	ExpiresIn int `json:"expiresIn"`
+
+	// RefreshToken OAuth2 provider refresh token for obtaining new access tokens (if provided by the provider)
+	RefreshToken *string `json:"refreshToken"`
+}
+
 // PublicKeyCredentialCreationOptions defines model for PublicKeyCredentialCreationOptions.
 type PublicKeyCredentialCreationOptions = protocol.PublicKeyCredentialCreationOptions
 
@@ -441,6 +496,12 @@ type PublicKeyCredentialHints string
 // PublicKeyCredentialRequestOptions defines model for PublicKeyCredentialRequestOptions.
 type PublicKeyCredentialRequestOptions = protocol.PublicKeyCredentialRequestOptions
 
+// RefreshProviderTokenRequest Request to refresh OAuth2 provider tokens
+type RefreshProviderTokenRequest struct {
+	// RefreshToken OAuth2 provider refresh token obtained from previous authentication
+	RefreshToken string `json:"refreshToken"`
+}
+
 // RefreshTokenRequest Request to refresh an access token
 type RefreshTokenRequest struct {
 	// RefreshToken Refresh token used to generate a new access token
@@ -844,6 +905,9 @@ type SignInProviderParams struct {
 
 	// Connect If set, this means that the user is already authenticated and wants to link their account. This needs to be a valid JWT access token.
 	Connect *string `form:"connect,omitempty" json:"connect,omitempty"`
+
+	// State Opaque state value to be returned by the provider
+	State *string `form:"state,omitempty" json:"state,omitempty"`
 }
 
 // SignInProviderParamsProvider defines parameters for SignInProvider.
@@ -907,6 +971,12 @@ type SignInProviderCallbackPostFormdataBody struct {
 // SignInProviderCallbackPostParamsProvider defines parameters for SignInProviderCallbackPost.
 type SignInProviderCallbackPostParamsProvider string
 
+// GetProviderTokensParamsProvider defines parameters for GetProviderTokens.
+type GetProviderTokensParamsProvider string
+
+// RefreshProviderTokenParamsProvider defines parameters for RefreshProviderToken.
+type RefreshProviderTokenParamsProvider string
+
 // VerifyTicketParams defines parameters for VerifyTicket.
 type VerifyTicketParams struct {
 	// Ticket Ticket
@@ -985,6 +1055,9 @@ type VerifySignUpWebauthnJSONRequestBody = SignUpWebauthnVerifyRequest
 // RefreshTokenJSONRequestBody defines body for RefreshToken for application/json ContentType.
 type RefreshTokenJSONRequestBody = RefreshTokenRequest
 
+// RefreshProviderTokenJSONRequestBody defines body for RefreshProviderToken for application/json ContentType.
+type RefreshProviderTokenJSONRequestBody = RefreshProviderTokenRequest
+
 // VerifyTokenJSONRequestBody defines body for VerifyToken for application/json ContentType.
 type VerifyTokenJSONRequestBody = VerifyTokenRequest
 

services/auth/go/cmd/cors.go

@@ -1,35 +0,0 @@
-package cmd
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-)
-
-func cors() gin.HandlerFunc {
-	f := func(c *gin.Context, origin string) {
-		c.Header("Access-Control-Allow-Origin", origin)
-		c.Header("Access-Control-Allow-Methods", "POST, GET")
-		headers := c.Request.Header.Get("Access-Control-Request-Headers")
-		c.Header("Access-Control-Allow-Headers", headers)
-		c.Header("Access-Control-Allow-Credentials", "true")
-		c.Header("Access-Control-Max-Age", "86400")
-		c.Writer.Header().Add("Vary", "Origin, Access-Control-Request-Method")
-	}
-
-	return func(c *gin.Context) {
-		origin := c.Request.Header.Get("Origin")
-		if c.Request.Method == http.MethodOptions {
-			f(c, origin)
-
-			c.Header("Content-Length", "0")
-			c.AbortWithStatus(http.StatusNoContent)
-		}
-
-		if origin != "" {
-			f(c, origin)
-		}
-
-		c.Next()
-	}
-}

services/auth/go/cmd/serve.go

@@ -8,9 +8,9 @@ import (
 	"time"
 
 	"github.com/bradfitz/gomemcache/memcache"
-	"github.com/getkin/kin-openapi/openapi3"
-	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/gin-gonic/gin"
+	"github.com/nhost/nhost/internal/lib/oapi"
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/docs"
 	"github.com/nhost/nhost/services/auth/go/api"
 	"github.com/nhost/nhost/services/auth/go/controller"
@@ -21,7 +21,6 @@ import (
 	"github.com/nhost/nhost/services/auth/go/oidc"
 	"github.com/nhost/nhost/services/auth/go/providers"
 	"github.com/nhost/nhost/services/auth/go/sql"
-	ginmiddleware "github.com/oapi-codegen/gin-middleware"
 	"github.com/urfave/cli/v3"
 )
 
@@ -1296,87 +1295,42 @@ func getDependencies( //nolint:ireturn
 	return emailer, sms, jwtGetter, idTokenValidator, nil
 }
 
-func getGoServer( //nolint:funlen
+func getCORSOptions() oapimw.CORSOptions {
+	return oapimw.CORSOptions{
+		AllowedOrigins:   []string{"*"},
+		AllowedMethods:   []string{"POST", "GET"},
+		AllowedHeaders:   nil,
+		ExposedHeaders:   []string{},
+		AllowCredentials: true,
+		MaxAge:           "86400",
+	}
+}
+
+func getGoServer(
 	ctx context.Context,
 	cmd *cli.Command,
 	db *sql.Queries,
 	encrypter *crypto.Encrypter,
 	logger *slog.Logger,
 ) (*http.Server, error) {
-	router := gin.New()
-
-	loader := openapi3.NewLoader()
-
-	doc, err := loader.LoadFromData(docs.OpenAPISchema)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load OpenAPI schema: %w", err)
-	}
-
-	doc.AddServer(&openapi3.Server{ //nolint:exhaustruct
-		URL: cmd.String(flagAPIPrefix),
-	})
-
-	handlers := []gin.HandlerFunc{
-		// ginmiddleware.OapiRequestValidator(doc),
-		gin.Recovery(),
-		cors(),
-		middleware.Logger(logger), //nolint:contextcheck
-	}
-
-	if cmd.Bool(flagRateLimitEnable) {
-		handlers = append(handlers, getRateLimiter(cmd, logger)) //nolint:contextcheck
-	}
-
-	if cmd.String(flagTurnstileSecret) != "" {
-		handlers = append(handlers, middleware.Tunrstile( //nolint:contextcheck
-			cmd.String(flagTurnstileSecret), cmd.String(flagAPIPrefix)),
-		)
-	}
-
-	router.Use(handlers...)
-
-	config, err := getConfig(cmd)
-	if err != nil {
-		return nil, fmt.Errorf("problem creating config: %w", err)
-	}
-
-	emailer, smsClient, jwtGetter, idTokenValidator, err := getDependencies(ctx, cmd, db, logger)
+	ctrl, jwtGetter, err := getController(ctx, cmd, db, encrypter, logger)
 	if err != nil {
 		return nil, err
 	}
 
-	oauthProviders, err := getOauth2Providers(ctx, cmd, logger)
-	if err != nil {
-		return nil, fmt.Errorf("problem creating oauth providers: %w", err)
-	}
+	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
 
-	ctrl, err := controller.New(
-		db,
-		config,
-		jwtGetter,
-		emailer,
-		smsClient,
-		hibp.NewClient(),
-		oauthProviders,
-		idTokenValidator,
-		controller.NewTotp(cmd.String(flagMfaTotpIssuer), time.Now),
-		encrypter,
-		cmd.Root().Version,
+	router, mw, err := oapi.NewRouter( //nolint:contextcheck
+		docs.OpenAPISchema,
+		cmd.String(flagAPIPrefix),
+		jwtGetter.MiddlewareFunc,
+		getCORSOptions(),
+		logger,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create controller: %w", err)
+		return nil, fmt.Errorf("failed to create router: %w", err)
 	}
 
-	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
-	mw := api.MiddlewareFunc(ginmiddleware.OapiRequestValidatorWithOptions(
-		doc,
-		&ginmiddleware.Options{ //nolint:exhaustruct
-			Options: openapi3filter.Options{ //nolint:exhaustruct
-				AuthenticationFunc: jwtGetter.MiddlewareFunc,
-			},
-			SilenceServersWarning: true,
-		},
-	))
 	api.RegisterHandlersWithOptions(
 		router,
 		handler,
@@ -1387,6 +1341,16 @@ func getGoServer( //nolint:funlen
 		},
 	)
 
+	if cmd.Bool(flagRateLimitEnable) {
+		router.Use(getRateLimiter(cmd, logger)) //nolint:contextcheck
+	}
+
+	if cmd.String(flagTurnstileSecret) != "" {
+		router.Use(middleware.Tunrstile( //nolint:contextcheck
+			cmd.String(flagTurnstileSecret), cmd.String(flagAPIPrefix),
+		))
+	}
+
 	if cmd.Bool(flagEnableChangeEnv) {
 		router.POST(cmd.String(flagAPIPrefix)+"/change-env", ctrl.PostChangeEnv)
 	}
@@ -1410,6 +1374,48 @@ func getGoServer( //nolint:funlen
 	return server, nil
 }
 
+func getController(
+	ctx context.Context,
+	cmd *cli.Command,
+	db *sql.Queries,
+	encrypter *crypto.Encrypter,
+	logger *slog.Logger,
+) (*controller.Controller, *controller.JWTGetter, error) {
+	config, err := getConfig(cmd)
+	if err != nil {
+		return nil, nil, fmt.Errorf("problem creating config: %w", err)
+	}
+
+	emailer, smsClient, jwtGetter, idTokenValidator, err := getDependencies(ctx, cmd, db, logger)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	oauthProviders, err := getOauth2Providers(ctx, cmd, logger)
+	if err != nil {
+		return nil, nil, fmt.Errorf("problem creating oauth providers: %w", err)
+	}
+
+	ctrl, err := controller.New(
+		db,
+		config,
+		jwtGetter,
+		emailer,
+		smsClient,
+		hibp.NewClient(),
+		oauthProviders,
+		idTokenValidator,
+		controller.NewTotp(cmd.String(flagMfaTotpIssuer), time.Now),
+		encrypter,
+		cmd.Root().Version,
+	)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create controller: %w", err)
+	}
+
+	return ctrl, jwtGetter, nil
+}
+
 func serve(ctx context.Context, cmd *cli.Command) error {
 	logger := getLogger(cmd.Bool(flagDebug), cmd.Bool(flagLogFormatTEXT))
 	logger.InfoContext(ctx, cmd.Root().Name+" v"+cmd.Root().Version)

services/auth/go/controller/add_security_key.go

@@ -6,15 +6,15 @@ import (
 
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) AddSecurityKey( //nolint:ireturn
 	ctx context.Context,
 	_ api.AddSecurityKeyRequestObject,
 ) (api.AddSecurityKeyResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx)
+	logger := oapimw.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/change_user_email.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
 func (ctrl *Controller) ChangeUserEmail( //nolint:ireturn
 	ctx context.Context, request api.ChangeUserEmailRequestObject,
 ) (api.ChangeUserEmailResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx)
+	logger := oapimw.LoggerFromContext(ctx)
 
 	options, apiErr := ctrl.wf.ValidateOptionsRedirectTo(ctx, request.Body.Options, logger)
 	if apiErr != nil {

services/auth/go/controller/change_user_mfa_get.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
 func (ctrl *Controller) ChangeUserMfa( //nolint:ireturn
 	ctx context.Context, _ api.ChangeUserMfaRequestObject,
 ) (api.ChangeUserMfaResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx)
+	logger := oapimw.LoggerFromContext(ctx)
 
 	if !ctrl.config.MfaEnabled {
 		logger.WarnContext(ctx, "mfa disabled")

services/auth/go/controller/change_user_password.go

@@ -5,8 +5,8 @@ import (
 	"log/slog"
 
 	"github.com/golang-jwt/jwt/v5"
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) postUserPasswordAuthenticated( //nolint:ireturn
@@ -61,7 +61,7 @@ func (ctrl *Controller) ChangeUserPassword( //nolint:ireturn
 	ctx context.Context,
 	request api.ChangeUserPasswordRequestObject,
 ) (api.ChangeUserPasswordResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx)
+	logger := oapimw.LoggerFromContext(ctx)
 
 	jwtToken, ok := ctrl.wf.jwtGetter.FromContext(ctx)
 	if ok {

services/auth/go/controller/controller.go

@@ -128,6 +128,9 @@ type DBClient interface { //nolint:interfacebloat
 		ctx context.Context,
 		arg sql.RefreshTokenAndGetUserRolesParams,
 	) ([]sql.RefreshTokenAndGetUserRolesRow, error)
+
+	GetProviderSession(ctx context.Context, arg sql.GetProviderSessionParams) (string, error)
+	UpdateProviderSession(ctx context.Context, arg sql.UpdateProviderSessionParams) error
 }
 
 type Encrypter interface {

services/auth/go/controller/create_pat.go

@@ -4,15 +4,15 @@ import (
 	"context"
 
 	"github.com/google/uuid"
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
 func (ctrl *Controller) CreatePAT( //nolint:ireturn
 	ctx context.Context, request api.CreatePATRequestObject,
 ) (api.CreatePATResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx)
+	logger := oapimw.LoggerFromContext(ctx)
 
 	user, apiErr := ctrl.wf.GetUserFromJWTInContext(ctx, logger)
 	if apiErr != nil {

services/auth/go/controller/deanonymize_user.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
-	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
@@ -77,7 +77,7 @@ func (ctrl *Controller) postUserDeanonymizeValidateRequest( //nolint:cyclop
 func (ctrl *Controller) DeanonymizeUser( //nolint:funlen
 	ctx context.Context, request api.DeanonymizeUserRequestObject,
 ) (api.DeanonymizeUserResponseObject, error) {
-	logger := middleware.LoggerFromContext(ctx).
+	logger := oapimw.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	userID, password, options, apiError := ctrl.postUserDeanonymizeValidateRequest(