Merge branch 'main' of github.com:nhost/nhost into timing

.github/PULL_REQUEST_TEMPLATE.md

@@ -32,7 +32,6 @@ Where `PKG` is:
 - `deps`: For changes to dependencies
 - `docs`: For changes to the documentation
 - `examples`: For changes to the examples
-- `internal/lib`: For changes to Nhost's common libraries (internal)
 - `mintlify-openapi`: For changes to the Mintlify OpenAPI tool
 - `nhost-js`: For changes to the Nhost JavaScript SDK
 - `nixops`: For changes to the NixOps

.github/actions/validate-pr-title/action.yaml

@@ -17,7 +17,7 @@ runs:
 
         # Define valid types and packages
         VALID_TYPES="feat|fix|chore"
-        VALID_PKGS="auth|ci|cli|codegen|dashboard|deps|docs|examples|internal\/lib|mintlify-openapi|nhost-js|nixops|storage"
+        VALID_PKGS="auth|ci|cli|codegen|dashboard|deps|docs|examples|mintlify-openapi|nhost-js|nixops|storage"
 
         # Check if title matches the pattern TYPE(PKG): SUMMARY
         if [[ ! "$PR_TITLE" =~ ^(${VALID_TYPES})\((${VALID_PKGS})\):\ .+ ]]; then

.github/workflows/auth_checks.yaml

@@ -17,7 +17,6 @@ on:
       - '.golangci.yaml'
       - 'go.mod'
       - 'go.sum'
-      - 'internal/lib/**'
       - 'vendor/**'
 
       # auth

.github/workflows/ci_update_changelog.yaml

@@ -40,7 +40,7 @@ jobs:
         cd ${{ matrix.project }}
         TAG_NAME=$(make release-tag-name)
         VERSION=$(nix develop .\#cliff -c make changelog-next-version)
-        if git tag | grep -qx "$TAG_NAME@$VERSION"; then
+        if git tag | grep -q "$TAG_NAME@$VERSION"; then
           echo "Tag $TAG_NAME@$VERSION already exists, skipping release preparation"
         else
           echo "Tag $TAG_NAME@$VERSION does not exist, proceeding with release preparation"

.github/workflows/dashboard_wf_release.yaml

@@ -88,7 +88,7 @@ jobs:
       - name: Bump version in source code
         run: |
           find cli -type f -exec sed -i 's/"nhost\/dashboard:[^"]*"/"nhost\/dashboard:${{ inputs.VERSION }}"/g' {} +
-          sed -i 's/nhost\/dashboard:[^)]*/nhost\/dashboard:${{ inputs.VERSION }}/g' docs/reference/cli/commands.mdx
+          sed -i 's/"nhost\/dashboard:[^"]*"/"nhost\/dashboard:${{ inputs.VERSION }}"/g' docs/reference/cli/commands.mdx
 
       - name: "Create Pull Request"
         uses: peter-evans/create-pull-request@v7

.github/workflows/storage_checks.yaml

@@ -17,7 +17,6 @@ on:
       - '.golangci.yaml'
       - 'go.mod'
       - 'go.sum'
-      - 'internal/lib/**'
       - 'vendor/**'
 
       # storage

cli/dockercompose/graphql.go

@@ -38,6 +38,8 @@ func graphql( //nolint:funlen
 		env[v.Name] = v.Value
 	}
 
+	env["HASURA_GRAPHQL_MIGRATIONS_SERVER_TIMEOUT"] = "600"
+
 	return &Service{
 		Image: "nhost/graphql-engine:" + *cfg.GetHasura().GetVersion(),
 		DependsOn: map[string]DependsOn{
@@ -54,7 +56,7 @@ func graphql( //nolint:funlen
 				"CMD-SHELL",
 				"curl http://localhost:8080/healthz > /dev/null 2>&1",
 			},
-			Timeout:     "60s",
+			Timeout:     "600s",
 			Interval:    "5s",
 			StartPeriod: "60s",
 		},
@@ -135,6 +137,8 @@ func console( //nolint:funlen
 		env[v.Name] = v.Value
 	}
 
+	env["HASURA_GRAPHQL_MIGRATIONS_SERVER_TIMEOUT"] = "600"
+
 	return &Service{
 		Image: fmt.Sprintf(
 			"nhost/graphql-engine:%s.cli-migrations-v3",
@@ -165,7 +169,7 @@ func console( //nolint:funlen
 				"CMD-SHELL",
 				"timeout 1s bash -c ':> /dev/tcp/127.0.0.1/9695' || exit 1",
 			},
-			Timeout:     "60s",
+			Timeout:     "600s",
 			Interval:    "5s",
 			StartPeriod: "60s",
 		},

cli/dockercompose/graphql_test.go

@@ -39,6 +39,7 @@ func expectedGraphql() *Service {
 			"HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE":       "100",
 			"HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_REFETCH_INTERVAL": "1000",
 			"HASURA_GRAPHQL_LOG_LEVEL":                                 "info",
+			"HASURA_GRAPHQL_MIGRATIONS_SERVER_TIMEOUT":                 "600",
 			"HASURA_GRAPHQL_PG_CONNECTIONS":                            "50",
 			"HASURA_GRAPHQL_PG_TIMEOUT":                                "180",
 			"HASURA_GRAPHQL_STRINGIFY_NUMERIC_TYPES":                   "false",
@@ -77,7 +78,7 @@ func expectedGraphql() *Service {
 				"CMD-SHELL",
 				"curl http://localhost:8080/healthz > /dev/null 2>&1",
 			},
-			Timeout:     "60s",
+			Timeout:     "600s",
 			Interval:    "5s",
 			StartPeriod: "60s",
 		},
@@ -178,6 +179,7 @@ func expectedConsole() *Service {
 			"HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE":       "100",
 			"HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_REFETCH_INTERVAL": "1000",
 			"HASURA_GRAPHQL_LOG_LEVEL":                                 "info",
+			"HASURA_GRAPHQL_MIGRATIONS_SERVER_TIMEOUT":                 "600",
 			"HASURA_GRAPHQL_PG_CONNECTIONS":                            "50",
 			"HASURA_GRAPHQL_PG_TIMEOUT":                                "180",
 			"HASURA_GRAPHQL_STRINGIFY_NUMERIC_TYPES":                   "false",
@@ -216,7 +218,7 @@ func expectedConsole() *Service {
 				"CMD-SHELL",
 				"timeout 1s bash -c ':> /dev/tcp/127.0.0.1/9695' || exit 1",
 			},
-			Timeout:     "60s",
+			Timeout:     "600s",
 			Interval:    "5s",
 			StartPeriod: "60s",
 		},

dashboard/CHANGELOG.md

@@ -1,15 +1,3 @@
-## [@nhost/dashboard@2.41.0] - 2025-11-04
-
-### 🚀 Features
-
-- *(auth)* Added endpoints to retrieve and refresh oauth2 providers' tokens (#3614)
-- *(dashboard)* Get github repositories from github itself (#3640)
-
-
-### 🐛 Bug Fixes
-
-- *(dashboard)* Update SQL editor to use correct hasura migrations API URL (#3645)
-
 # Changelog
 
 All notable changes to this project will be documented in this file.

dashboard/next.config.js

@@ -15,7 +15,7 @@ function getCspHeader() {
       return [
         "default-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run",
         "script-src 'self' 'unsafe-eval' cdn.segment.com js.stripe.com challenges.cloudflare.com googletagmanager.com",
-        "connect-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run discord.com api.segment.io api.segment.com cdn.segment.com nhost.zendesk.com api.github.com",
+        "connect-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run discord.com api.segment.io api.segment.com cdn.segment.com nhost.zendesk.com",
         "style-src 'self' 'unsafe-inline'",
         "img-src 'self' blob: data: github.com avatars.githubusercontent.com s.gravatar.com *.nhost.run nhost.run",
         "font-src 'self' data:",
@@ -126,4 +126,4 @@ module.exports = withBundleAnalyzer({
       },
     ];
   },
-});
+});

dashboard/src/features/account/settings/components/SocialProvidersSettings/SocialProvidersSettings.tsx

@@ -23,7 +23,7 @@ export default function SocialProvidersSettings() {
       if (typeof window !== 'undefined') {
         return nhost.auth.signInProviderURL('github', {
           connect: token,
-          redirectTo: `${window.location.origin}/account?signinProvider=github`,
+          redirectTo: `${window.location.origin}/account`,
         });
       }
       return '';

dashboard/src/features/auth/AuthProviders/Github/components/GithubAuthButton/GithubAuthButton.tsx

@@ -3,21 +3,18 @@ import {
   useGithubAuthentication,
   type UseGithubAuthenticationHookProps,
 } from '@/features/auth/AuthProviders/Github/hooks/useGithubAuthentication';
-import { cn } from '@/lib/utils';
 import { SiGithub } from '@icons-pack/react-simple-icons';
 
 interface Props extends UseGithubAuthenticationHookProps {
   buttonText?: string;
   withAnonId?: boolean;
   redirectTo?: string;
-  className?: string;
 }
 
 function GithubAuthButton({
   buttonText = 'Continue with GitHub',
   withAnonId = false,
   redirectTo,
-  className,
 }: Props) {
   const { mutate: signInWithGithub, isLoading } = useGithubAuthentication({
     withAnonId,
@@ -25,10 +22,7 @@ function GithubAuthButton({
   });
   return (
     <Button
-      className={cn(
-        'gap-2 !bg-white text-sm+ !text-black hover:ring-2 hover:ring-white hover:ring-opacity-50 disabled:!text-black disabled:!text-opacity-60',
-        className,
-      )}
+      className="gap-2 !bg-white text-sm+ !text-black hover:ring-2 hover:ring-white hover:ring-opacity-50 disabled:!text-black disabled:!text-opacity-60"
       disabled={isLoading}
       loading={isLoading}
       onClick={() => signInWithGithub()}

dashboard/src/features/auth/AuthProviders/Github/hooks/useGithubAuthentication/useGithubAuthentication.ts

@@ -30,8 +30,8 @@ function useGithubAuthentication({
         };
       }
 
-      const redirectURL = nhost.auth.signInProviderURL('github', options);
-      window.location.href = redirectURL;
+      const redirectURl = nhost.auth.signInProviderURL('github', options);
+      window.location.href = redirectURl;
     },
     {
       onError: () => {

dashboard/src/features/auth/SignIn/SignInWithGithub/SignInWithGithub.tsx

@@ -2,7 +2,7 @@ import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/component
 import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';
 
 function SignInWithGithub() {
-  const redirectTo = `${useHostName()}?signinProvider=github`;
+  const redirectTo = useHostName();
   return (
     <GithubAuthButton
       redirectTo={redirectTo}

dashboard/src/features/auth/SignUp/SignUpWithGithub/SignUpWithGithub.tsx

@@ -1,11 +1,8 @@
 import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/components/GithubAuthButton';
-import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';
 
 function SignUpWithGithub() {
-  const redirectTo = `${useHostName()}?signinProvider=github`;
   return (
     <GithubAuthButton
-      redirectTo={redirectTo}
       buttonText="Sign Up with GitHub"
       errorText="An error occurred while trying to sign up using GitHub. Please try again."
     />

dashboard/src/features/orgs/projects/git/common/components/ConnectGitHubModal/ConnectGitHubModal.tsx

@@ -1,4 +1,3 @@
-import { ErrorMessage } from '@/components/presentational/ErrorMessage';
 import { RetryableErrorBoundary } from '@/components/presentational/RetryableErrorBoundary';
 import { ActivityIndicator } from '@/components/ui/v2/ActivityIndicator';
 import { Avatar } from '@/components/ui/v2/Avatar';
@@ -12,33 +11,14 @@ import { Link } from '@/components/ui/v2/Link';
 import { List } from '@/components/ui/v2/List';
 import { ListItem } from '@/components/ui/v2/ListItem';
 import { Text } from '@/components/ui/v2/Text';
-import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/components/GithubAuthButton';
-import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';
 import { EditRepositorySettings } from '@/features/orgs/projects/git/common/components/EditRepositorySettings';
-import {
-  getGitHubToken,
-  saveGitHubToken,
-} from '@/features/orgs/projects/git/common/utils';
-import { useCurrentOrg } from '@/features/orgs/projects/hooks/useCurrentOrg';
-import { useProject } from '@/features/orgs/projects/hooks/useProject';
-import { useGetAuthUserProvidersQuery } from '@/generated/graphql';
-import { useAccessToken } from '@/hooks/useAccessToken';
-import { GitHubAPIError, listGitHubInstallationRepos } from '@/lib/github';
-import { isEmptyValue } from '@/lib/utils';
-import { getToastStyleProps } from '@/utils/constants/settings';
-import { nhost } from '@/utils/nhost';
+import { useGetGithubRepositoriesQuery } from '@/generated/graphql';
 import { Divider } from '@mui/material';
 import debounce from 'lodash.debounce';
-import NavLink from 'next/link';
 import type { ChangeEvent } from 'react';
 import { Fragment, useEffect, useMemo, useState } from 'react';
-import toast from 'react-hot-toast';
 
-export type ConnectGitHubModalState =
-  | 'CONNECTING'
-  | 'EDITING'
-  | 'EXPIRED_GITHUB_SESSION'
-  | 'GITHUB_CONNECTION_REQUIRED';
+export type ConnectGitHubModalState = 'CONNECTING' | 'EDITING';
 
 export interface ConnectGitHubModalProps {
   /**
@@ -48,153 +28,18 @@ export interface ConnectGitHubModalProps {
   close?: VoidFunction;
 }
 
-interface GitHubData {
-  githubAppInstallations: Array<{
-    id: number;
-    accountLogin?: string;
-    accountAvatarUrl?: string;
-  }>;
-  githubRepositories: Array<{
-    id: number;
-    node_id: string;
-    name: string;
-    fullName: string;
-    githubAppInstallation: {
-      accountLogin?: string;
-      accountAvatarUrl?: string;
-    };
-  }>;
-}
-
 export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
   const [filter, setFilter] = useState('');
   const [ConnectGitHubModalState, setConnectGitHubModalState] =
     useState<ConnectGitHubModalState>('CONNECTING');
   const [selectedRepoId, setSelectedRepoId] = useState<string | null>(null);
-  const [githubData, setGithubData] = useState<GitHubData | null>(null);
-  const [loading, setLoading] = useState(true);
-  const { project, loading: loadingProject } = useProject();
-  const { org, loading: loadingOrg } = useCurrentOrg();
-  const hostname = useHostName();
-  const token = useAccessToken();
-  const {
-    data,
-    loading: loadingGithubConnected,
-    error: errorGithubConnected,
-  } = useGetAuthUserProvidersQuery();
 
-  const githubProvider = data?.authUserProviders?.find(
-    (item) => item.providerId === 'github',
-  );
-
-  const getGitHubConnectUrl = () => {
-    if (typeof window !== 'undefined') {
-      return nhost.auth.signInProviderURL('github', {
-        connect: token,
-        redirectTo: `${window.location.origin}?signinProvider=github&state=signin-refresh:${org.slug}:${project?.subdomain}`,
-      });
-    }
-    return '';
-  };
+  const { data, loading, error, startPolling } =
+    useGetGithubRepositoriesQuery();
 
   useEffect(() => {
-    if (loadingGithubConnected) {
-      return;
-    }
-
-    const fetchGitHubData = async () => {
-      try {
-        setLoading(true);
-
-        if (isEmptyValue(githubProvider)) {
-          setConnectGitHubModalState('GITHUB_CONNECTION_REQUIRED');
-          setLoading(false);
-          return;
-        }
-        const githubToken = getGitHubToken();
-
-        if (
-          !githubToken?.authUserProviderId ||
-          githubProvider!.id !== githubToken.authUserProviderId
-        ) {
-          setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
-          setLoading(false);
-          return;
-        }
-
-        const { refreshToken, expiresAt: expiresAtString } = githubToken;
-        let accessToken = githubToken?.accessToken;
-
-        const expiresAt = new Date(expiresAtString).getTime();
-
-        const currentTime = Date.now();
-        const expiresAtMargin = 60 * 1000;
-        if (expiresAt - currentTime < expiresAtMargin) {
-          if (!refreshToken) {
-            setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
-            setLoading(false);
-            return;
-          }
-
-          const refreshResponse = await nhost.auth.refreshProviderToken(
-            'github',
-            { refreshToken },
-          );
-
-          if (!refreshResponse.body) {
-            setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
-            setLoading(false);
-            return;
-          }
-
-          saveGitHubToken({
-            ...refreshResponse.body,
-            authUserProviderId: githubProvider!.id,
-          });
-
-          accessToken = refreshResponse.body.accessToken;
-        }
-
-        const installations = await listGitHubInstallationRepos(accessToken);
-
-        const transformedData = {
-          githubAppInstallations: installations.map((item) => ({
-            id: item.installation.id,
-            accountLogin: item.installation.account?.login,
-            accountAvatarUrl: item.installation.account?.avatar_url,
-          })),
-          githubRepositories: installations.flatMap((item) =>
-            item.repositories.map((repo) => ({
-              id: repo.id,
-              node_id: repo.node_id,
-              name: repo.name,
-              fullName: repo.full_name,
-              githubAppInstallation: {
-                accountLogin: item.installation.account?.login,
-                accountAvatarUrl: item.installation.account?.avatar_url,
-              },
-            })),
-          ),
-        };
-
-        setGithubData(transformedData);
-        setLoading(false);
-      } catch (err) {
-        console.error('Error fetching GitHub data:', err);
-        if (err instanceof GitHubAPIError && err.status === 401) {
-          setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
-          setLoading(false);
-          return;
-        }
-
-        toast.error(err?.message, getToastStyleProps());
-        close?.();
-      }
-    };
-
-    fetchGitHubData();
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [githubProvider, loadingGithubConnected]);
+    startPolling(2000);
+  }, [startPolling]);
 
   const handleSelectAnotherRepository = () => {
     setSelectedRepoId(null);
@@ -211,91 +56,13 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
 
   useEffect(() => () => handleFilterChange.cancel(), [handleFilterChange]);
 
-  if (errorGithubConnected instanceof Error) {
-    return (
-      <div className="px-1 md:w-[653px]">
-        <div className="flex flex-col">
-          <div className="mx-auto text-center">
-            <div className="mx-auto h-8 w-8">
-              <GitHubIcon className="h-8 w-8" />
-            </div>
-          </div>
-          <div className="flex flex-col gap-2">
-            <Text className="mt-2.5 text-center text-lg font-medium">
-              Error fetching GitHub data
-            </Text>
-            <ErrorMessage>{errorGithubConnected.message}</ErrorMessage>
-          </div>
-        </div>
-      </div>
-    );
+  if (error) {
+    throw error;
   }
 
-  if (loading || loadingProject || loadingOrg || loadingGithubConnected) {
+  if (loading) {
     return (
-      <div className="px-1 md:w-[653px]">
-        <div className="flex flex-col">
-          <div className="mx-auto text-center">
-            <div className="mx-auto h-8 w-8">
-              <GitHubIcon className="h-8 w-8" />
-            </div>
-          </div>
-          <div>
-            <Text className="mt-2.5 text-center text-lg font-medium">
-              Loading repositories...
-            </Text>
-            <Text className="text-center text-xs font-normal" color="secondary">
-              Fetching your GitHub repositories
-            </Text>
-            <div className="mb-2 mt-6 flex w-full">
-              <Input placeholder="Search..." fullWidth disabled value="" />
-            </div>
-          </div>
-          <div className="flex h-import items-center justify-center border-y">
-            <ActivityIndicator delay={0} label="" />
-          </div>
-        </div>
-      </div>
-    );
-  }
-
-  if (ConnectGitHubModalState === 'GITHUB_CONNECTION_REQUIRED') {
-    return (
-      <div className="flex flex-col items-center justify-center gap-5 px-1 py-1 md:w-[653px]">
-        <p className="text-center text-foreground">
-          You need to connect your GitHub account to continue.
-        </p>
-        <NavLink
-          href={getGitHubConnectUrl()}
-          passHref
-          rel="noreferrer noopener"
-          legacyBehavior
-        >
-          <Button
-            className="w-full max-w-72"
-            variant="outlined"
-            color="secondary"
-            startIcon={<GitHubIcon />}
-          >
-            Connect to GitHub
-          </Button>
-        </NavLink>
-      </div>
-    );
-  }
-
-  if (ConnectGitHubModalState === 'EXPIRED_GITHUB_SESSION') {
-    return (
-      <div className="flex w-full flex-col items-center justify-center gap-5 px-1 py-1 md:w-[653px]">
-        <p className="text-center text-foreground">
-          Please sign in with GitHub to continue.
-        </p>
-        <GithubAuthButton
-          redirectTo={`${hostname}?signinProvider=github&state=signin-refresh:${org.slug}:${project!.subdomain}`}
-          buttonText="Sign in with GitHub"
-          className="w-full max-w-72 gap-2 !bg-primary !text-white disabled:!text-white disabled:!text-opacity-60 dark:!bg-white dark:!text-black dark:disabled:!text-black"
-        />
-      </div>
+      <ActivityIndicator delay={500} label="Loading GitHub repositories..." />
     );
   }
 
@@ -311,27 +78,25 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
     );
   }
 
-  const { githubAppInstallations } = githubData || {};
+  const { githubAppInstallations } = data || {};
 
-  const filteredGitHubAppInstallations =
-    githubData?.githubAppInstallations.filter(
-      (githubApp) => !!githubApp.accountLogin,
-    );
+  const filteredGitHubAppInstallations = data?.githubAppInstallations.filter(
+    (githubApp) => !!githubApp.accountLogin,
+  );
 
-  const filteredGitHubRepositories = githubData?.githubRepositories.filter(
+  const filteredGitHubRepositories = data?.githubRepositories.filter(
     (repo) => !!repo.githubAppInstallation,
   );
 
   const filteredGitHubAppInstallationsNullValues =
-    githubData?.githubAppInstallations.filter(
-      (githubApp) => !!githubApp.accountLogin,
-    ).length === 0;
+    data?.githubAppInstallations.filter((githubApp) => !!githubApp.accountLogin)
+      .length === 0;
 
   const faultyGitHubInstallation =
     githubAppInstallations?.length === 0 ||
     filteredGitHubAppInstallationsNullValues;
 
-  const noRepositoriesAdded = githubData?.githubRepositories.length === 0;
+  const noRepositoriesAdded = data?.githubRepositories.length === 0;
 
   if (faultyGitHubInstallation) {
     return (
@@ -350,7 +115,11 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
         </div>
 
         <Button
-          href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
+          href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
+          // Both `target` and `rel` are available when `href` is set. This is
+          // a limitation of MUI.
+          // @ts-ignore
+          target="_blank"
           rel="noreferrer noopener"
           endIcon={<ArrowSquareOutIcon className="h-4 w-4" />}
         >
@@ -410,7 +179,8 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
             </List>
 
             <Link
-              href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
+              href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
+              target="_blank"
               rel="noreferrer noopener"
               underline="hover"
               className="grid grid-flow-col items-center justify-start gap-1"
@@ -429,8 +199,8 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
                 className="text-center text-xs font-normal"
                 color="secondary"
               >
-                Showing repositories from{' '}
-                {githubData?.githubAppInstallations.length} GitHub account(s)
+                Showing repositories from {data?.githubAppInstallations.length}{' '}
+                GitHub account(s)
               </Text>
               <div className="mb-2 mt-6 flex w-full">
                 <Input
@@ -456,7 +226,7 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
                           <Button
                             variant="borderless"
                             color="primary"
-                            onClick={() => setSelectedRepoId(repo.node_id)}
+                            onClick={() => setSelectedRepoId(repo.id)}
                           >
                             Connect
                           </Button>
@@ -498,7 +268,8 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
             Do you miss a repository, or do you need to connect another GitHub
             account?{' '}
             <Link
-              href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
+              href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
+              target="_blank"
               rel="noreferrer noopener"
               className="text-xs font-medium"
               underline="hover"

dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettings/EditRepositorySettings.tsx

@@ -6,7 +6,7 @@ import { FormProvider, useForm } from 'react-hook-form';
 export interface EditRepositorySettingsProps {
   close?: () => void;
   openConnectGithubModal?: () => void;
-  selectedRepoId: string;
+  selectedRepoId?: string;
   connectGithubModalState?: ConnectGitHubModalState;
   handleSelectAnotherRepository?: () => void;
 }

dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettingsModal/EditRepositorySettingsModal.tsx

@@ -6,14 +6,14 @@ import { Text } from '@/components/ui/v2/Text';
 import { EditRepositoryAndBranchSettings } from '@/features/orgs/projects/git/common/components/EditRepositoryAndBranchSettings';
 import type { EditRepositorySettingsFormData } from '@/features/orgs/projects/git/common/components/EditRepositorySettings';
 import { useProject } from '@/features/orgs/projects/hooks/useProject';
-import { useConnectGithubRepoMutation } from '@/generated/graphql';
+import { useUpdateApplicationMutation } from '@/generated/graphql';
 import { analytics } from '@/lib/segment';
 import { discordAnnounce } from '@/utils/discordAnnounce';
 import { triggerToast } from '@/utils/toast';
 import { useFormContext } from 'react-hook-form';
 
 export interface EditRepositorySettingsModalProps {
-  selectedRepoId: string;
+  selectedRepoId?: string;
   close?: () => void;
   handleSelectAnotherRepository?: () => void;
 }
@@ -33,29 +33,45 @@ export default function EditRepositorySettingsModal({
 
   const { project, refetch: refetchProject } = useProject();
 
-  const [connectGithubRepo, { loading }] = useConnectGithubRepoMutation();
+  const [updateApp, { loading }] = useUpdateApplicationMutation();
 
   const handleEditGitHubIntegration = async (
     data: EditRepositorySettingsFormData,
   ) => {
     try {
-      await connectGithubRepo({
-        variables: {
-          appID: project?.id,
-          githubNodeID: selectedRepoId,
-          productionBranch: data.productionBranch,
-          baseFolder: data.repoBaseFolder,
-        },
-      });
+      if (!project?.githubRepository || selectedRepoId) {
+        await updateApp({
+          variables: {
+            appId: project?.id,
+            app: {
+              githubRepositoryId: selectedRepoId,
+              repositoryProductionBranch: data.productionBranch,
+              nhostBaseFolder: data.repoBaseFolder,
+            },
+          },
+        });
 
-      analytics.track('Project Connected to GitHub', {
-        projectId: project?.id,
-        projectName: project?.name,
-        projectSubdomain: project?.subdomain,
-        repositoryId: selectedRepoId,
-        productionBranch: data.productionBranch,
-        baseFolder: data.repoBaseFolder,
-      });
+        if (selectedRepoId) {
+          analytics.track('Project Connected to GitHub', {
+            projectId: project?.id,
+            projectName: project?.name,
+            projectSubdomain: project?.subdomain,
+            repositoryId: selectedRepoId,
+            productionBranch: data.productionBranch,
+            baseFolder: data.repoBaseFolder,
+          });
+        }
+      } else {
+        await updateApp({
+          variables: {
+            appId: project.id,
+            app: {
+              repositoryProductionBranch: data.productionBranch,
+              nhostBaseFolder: data.repoBaseFolder,
+            },
+          },
+        });
+      }
 
       await refetchProject();
 

dashboard/src/features/orgs/projects/git/common/gql/ConnectGithubRepo.gql

@@ -1,13 +0,0 @@
-mutation ConnectGithubRepo(
-  $appID: uuid!
-  $githubNodeID: String!
-  $productionBranch: String!
-  $baseFolder: String!
-) {
-  connectGithubRepo(
-    appID: $appID
-    githubNodeID: $githubNodeID
-    productionBranch: $productionBranch
-    baseFolder: $baseFolder
-  )
-}

dashboard/src/features/orgs/projects/git/common/hooks/useGitHubModal/useGitHubModal.tsx

@@ -2,12 +2,12 @@ import { useDialog } from '@/components/common/DialogProvider';
 import { ConnectGitHubModal } from '@/features/orgs/projects/git/common/components/ConnectGitHubModal';
 
 export default function useGitHubModal() {
-  const { openAlertDialog, closeAlertDialog } = useDialog();
+  const { openAlertDialog } = useDialog();
 
   function openGitHubModal() {
     openAlertDialog({
       title: 'Connect GitHub Repository',
-      payload: <ConnectGitHubModal close={closeAlertDialog} />,
+      payload: <ConnectGitHubModal />,
       props: {
         hidePrimaryAction: true,
         hideSecondaryAction: true,

dashboard/src/features/orgs/projects/git/common/utils/githubTokens.ts

@@ -1,23 +0,0 @@
-import { isNotEmptyValue } from '@/lib/utils';
-import type { ProviderSession } from '@nhost/nhost-js/auth';
-
-const githubProviderTokenKey = 'nhost_provider_tokens_github';
-
-export type GitHubProviderToken = ProviderSession & {
-  authUserProviderId?: string;
-};
-
-export function saveGitHubToken(token: GitHubProviderToken) {
-  localStorage.setItem(githubProviderTokenKey, JSON.stringify(token));
-}
-
-export function getGitHubToken() {
-  const token = localStorage.getItem(githubProviderTokenKey);
-  return isNotEmptyValue(token)
-    ? (JSON.parse(token) as GitHubProviderToken)
-    : null;
-}
-
-export function clearGitHubToken() {
-  localStorage.removeItem(githubProviderTokenKey);
-}

dashboard/src/features/orgs/projects/git/common/utils/index.ts

@@ -1 +0,0 @@
-export * from './githubTokens';

dashboard/src/lib/github.ts

@@ -1,99 +0,0 @@
-/**
- * Custom error class for GitHub API errors that preserves HTTP status codes
- */
-export class GitHubAPIError extends Error {
-  constructor(
-    message: string,
-    public status: number,
-    public statusText: string,
-  ) {
-    super(message);
-    this.name = 'GitHubAPIError';
-  }
-}
-
-interface GitHubAppInstallation {
-  id: number;
-  account?: {
-    login: string;
-    avatar_url: string;
-    [key: string]: unknown;
-  }
-  [key: string]: unknown;
-}
-
-/**
- * Lists all GitHub App installations accessible to the user
- * @param accessToken - The GitHub OAuth access token
- * @returns Array of app installations
- */
-export async function listGitHubAppInstallations(accessToken: string): Promise<GitHubAppInstallation[]> {
-  const response = await fetch('https://api.github.com/user/installations', {
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      Accept: 'application/vnd.github+json',
-      'X-GitHub-Api-Version': '2022-11-28',
-    },
-    cache: 'no-cache',
-  });
-
-  if (!response.ok) {
-    throw new GitHubAPIError(
-      `Failed to list installations: ${response.statusText}`,
-      response.status,
-      response.statusText
-    );
-  }
-
-  const data = await response.json();
-  return data.installations;
-}
-
-interface  GitHubRepo {
-  id: number;
-  node_id: string;
-  name: string;
-  full_name: string;
-  [key: string]: unknown;
-}
-
-/**
- * Lists all repositories accessible through GitHub App installations
- * @param accessToken - The GitHub OAuth access token
- * @returns Array of repositories grouped by installation
- */
-export async function listGitHubInstallationRepos(accessToken: string) {
-  const installations = await listGitHubAppInstallations(accessToken);
-
-  const reposByInstallation = await Promise.all(
-    installations.map(async (installation) => {
-      const response = await fetch(
-        `https://api.github.com/user/installations/${installation.id}/repositories`,
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: 'application/vnd.github+json',
-            'X-GitHub-Api-Version': '2022-11-28',
-          },
-          cache: 'no-cache',
-        }
-      );
-
-      if (!response.ok) {
-        throw new GitHubAPIError(
-          `Failed to list repos for installation ${installation.id}: ${response.statusText}`,
-          response.status,
-          response.statusText
-        );
-      }
-
-      const data = await response.json();
-      return {
-        installation,
-        repositories: data.repositories as GitHubRepo[],
-      };
-    })
-  );
-
-  return reposByInstallation;
-}

dashboard/src/pages/_app.tsx

@@ -77,12 +77,12 @@ function MyApp({
 
       <CacheProvider value={emotionCache}>
         <NhostProvider nhost={nhost}>
-          <NhostApolloProvider
-            fetchPolicy="cache-and-network"
-            nhost={nhost}
-            connectToDevTools={process.env.NEXT_PUBLIC_ENV === 'dev'}
-          >
-            <AuthProvider>
+          <AuthProvider>
+            <NhostApolloProvider
+              fetchPolicy="cache-and-network"
+              nhost={nhost}
+              connectToDevTools={process.env.NEXT_PUBLIC_ENV === 'dev'}
+            >
               <UIProvider>
                 <Toaster position="bottom-center" />
                 <ThemeProvider
@@ -106,8 +106,8 @@ function MyApp({
                   </RetryableErrorBoundary>
                 </ThemeProvider>
               </UIProvider>
-            </AuthProvider>
-          </NhostApolloProvider>
+            </NhostApolloProvider>
+          </AuthProvider>
         </NhostProvider>
       </CacheProvider>
     </QueryClientProvider>

dashboard/src/pages/github-app-installation/index.tsx

@@ -0,0 +1,87 @@
+import { LoadingScreen } from '@/components/presentational/LoadingScreen';
+import { ActivityIndicator } from '@/components/ui/v2/ActivityIndicator';
+import { nhost } from '@/utils/nhost';
+
+import { useAuth } from '@/providers/Auth';
+import { useRouter } from 'next/router';
+import type { ComponentType } from 'react';
+import { useEffect, useState } from 'react';
+
+export function authProtected<P extends JSX.IntrinsicAttributes>(
+  Comp: ComponentType<P>,
+) {
+  return function AuthProtected(props: P) {
+    const router = useRouter();
+    const { isAuthenticated, isLoading } = useAuth();
+
+    useEffect(() => {
+      if (isLoading || isAuthenticated) {
+        return;
+      }
+
+      router.push('/signin');
+    }, [isLoading, isAuthenticated, router]);
+
+    if (isLoading) {
+      return <LoadingScreen />;
+    }
+
+    return <Comp {...props} />;
+  };
+}
+
+function Page() {
+  const [state, setState] = useState({
+    error: null,
+    loading: true,
+  });
+
+  const router = useRouter();
+  const { installation_id: installationId } = router.query;
+
+  useEffect(() => {
+    async function installGithubApp() {
+      try {
+        await nhost.functions.fetch('/client/github-app-installation', {
+          method: 'POST',
+          body: JSON.stringify({
+            installationId,
+          }),
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        });
+      } catch (error) {
+        setState({
+          error,
+          loading: false,
+        });
+
+        return;
+      }
+
+      setState({
+        error: null,
+        loading: false,
+      });
+
+      window.close();
+    }
+
+    // run in async manner
+    installGithubApp();
+  }, [installationId]);
+
+  if (state.loading) {
+    return <ActivityIndicator delay={500} label="Loading..." />;
+  }
+
+  if (state.error) {
+    // eslint-disable-next-line @typescript-eslint/no-throw-literal
+    throw state.error;
+  }
+
+  return <div>GitHub connection completed. You can close this tab.</div>;
+}
+
+export default authProtected(Page);

dashboard/src/pages/orgs/[orgSlug]/projects/[appSubdomain]/settings/git.tsx

@@ -1,38 +1,12 @@
 import { Container } from '@/components/layout/Container';
 import { OrgLayout } from '@/features/orgs/layout/OrgLayout';
 import { SettingsLayout } from '@/features/orgs/layout/SettingsLayout';
-import { useGitHubModal } from '@/features/orgs/projects/git/common/hooks/useGitHubModal';
 import { BaseDirectorySettings } from '@/features/orgs/projects/git/settings/components/BaseDirectorySettings';
 import { DeploymentBranchSettings } from '@/features/orgs/projects/git/settings/components/DeploymentBranchSettings';
 import { GitConnectionSettings } from '@/features/orgs/projects/git/settings/components/GitConnectionSettings';
-import { useRouter } from 'next/router';
-import { useCallback, useEffect, type ReactElement } from 'react';
+import type { ReactElement } from 'react';
 
 export default function GitSettingsPage() {
-  const router = useRouter();
-  const { pathname, replace, isReady: isRouterReady } = router;
-  const { 'github-modal': githubModal, ...remainingQuery } = router.query;
-  const { openGitHubModal } = useGitHubModal();
-
-  const removeQueryParamsFromURL = useCallback(() => {
-    replace({ pathname, query: remainingQuery }, undefined, {
-      shallow: true,
-    });
-  }, [replace, remainingQuery, pathname]);
-
-  useEffect(() => {
-    if (!isRouterReady) {
-      return;
-    }
-
-    if (typeof githubModal === 'string') {
-      removeQueryParamsFromURL();
-
-      openGitHubModal();
-    }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [githubModal, isRouterReady]);
-
   return (
     <Container
       className="grid max-w-5xl grid-flow-row gap-y-6 bg-transparent"

dashboard/src/providers/Auth/AuthProvider.tsx

@@ -1,27 +1,19 @@
-import {
-  clearGitHubToken,
-  saveGitHubToken,
-  type GitHubProviderToken,
-} from '@/features/orgs/projects/git/common/utils';
-import { isNotEmptyValue } from '@/lib/utils';
 import { useNhostClient } from '@/providers/nhost/';
-import { useGetAuthUserProvidersLazyQuery } from '@/utils/__generated__/graphql';
 import { getToastStyleProps } from '@/utils/constants/settings';
 import { type Session } from '@nhost/nhost-js/auth';
 import { useRouter } from 'next/router';
 import {
+  type PropsWithChildren,
   useCallback,
   useEffect,
   useMemo,
   useState,
-  type PropsWithChildren,
 } from 'react';
 import { toast } from 'react-hot-toast';
 import { AuthContext, type AuthContextType } from './AuthContext';
 
 function AuthProvider({ children }: PropsWithChildren) {
   const nhost = useNhostClient();
-  const [getAuthUserProviders] = useGetAuthUserProvidersLazyQuery();
   const {
     query,
     isReady: isRouterReady,
@@ -29,15 +21,7 @@ function AuthProvider({ children }: PropsWithChildren) {
     pathname,
     push,
   } = useRouter();
-  const {
-    refreshToken,
-    error,
-    errorDescription,
-    signinProvider,
-    state,
-    provider_state: providerState,
-    ...remainingQuery
-  } = query;
+  const { refreshToken, error, errorDescription, ...remainingQuery } = query;
   const [session, setSession] = useState<Session | null>(null);
   const [isLoading, setIsLoading] = useState(true);
   const [isSigningOut, setIsSigningOut] = useState(false);
@@ -71,6 +55,7 @@ function AuthProvider({ children }: PropsWithChildren) {
         return;
       }
       setIsLoading(true);
+      // reset state if we have just signed out
       setIsSigningOut(false);
       if (refreshToken && typeof refreshToken === 'string') {
         const sessionResponse = await nhost.auth.refreshToken({
@@ -78,84 +63,24 @@ function AuthProvider({ children }: PropsWithChildren) {
         });
         setSession(sessionResponse.body);
         removeQueryParamsFromURL();
-
-        if (sessionResponse.body && signinProvider === 'github') {
-          try {
-            const providerTokensResponse =
-              await nhost.auth.getProviderTokens(signinProvider);
-            if (providerTokensResponse.body) {
-              const { data } = await getAuthUserProviders();
-              const githubProvider = data?.authUserProviders?.find(
-                (provider) => provider.providerId === 'github',
-              );
-              const newGitHubToken: GitHubProviderToken =
-                providerTokensResponse.body;
-              if (isNotEmptyValue(githubProvider?.id)) {
-                newGitHubToken.authUserProviderId = githubProvider!.id;
-              }
-              saveGitHubToken(newGitHubToken);
-            }
-          } catch (err) {
-            console.error('Failed to fetch provider tokens:', err);
-          }
-        }
       } else {
         const currentSession = nhost.getUserSession();
         setSession(currentSession);
       }
 
-      if (
-        state &&
-        typeof state === 'string' &&
-        state.startsWith('signin-refresh:')
-      ) {
-        const [, orgSlug, projectSubdomain] = state.split(':');
-        removeQueryParamsFromURL();
-        await push(
-          `/orgs/${orgSlug}/projects/${projectSubdomain}/settings/git?github-modal`,
-        );
-      }
-
+      // handle OAuth redirect errors (e.g., error=unverified-user)
       if (typeof error === 'string') {
-        switch (error) {
-          case 'unverified-user': {
-            removeQueryParamsFromURL();
-            await push('/email/verify');
-            break;
-          }
-
-          /*
-           * If the state isn't handled by Hasura auth, it returns `invalid-state`.
-           * However, we check the provider_state search param to see if it has this format:
-           * `install-github-app:<org-slug>:<project-subdomain>`.
-           * If it has this format, that means that we connected to GitHub in `/settings/git`,
-           * thus we need to show the connect GitHub modal again.
-           * Otherwise, we fall through to default error handling.
-           */
-          case 'invalid-state': {
-            if (
-              isNotEmptyValue(providerState) &&
-              typeof providerState === 'string' &&
-              providerState.startsWith('install-github-app:')
-            ) {
-              const [, orgSlug, projectSubdomain] = providerState.split(':');
-              removeQueryParamsFromURL();
-              await push(
-                `/orgs/${orgSlug}/projects/${projectSubdomain}/settings/git?github-modal`,
-              );
-              break;
-            }
-            // Fall through to default error handling if state search param is invalid
-          }
-          default: {
-            const description =
-              typeof errorDescription === 'string'
-                ? errorDescription
-                : 'An error occurred during the sign-in process. Please try again.';
-            toast.error(description, getToastStyleProps());
-            removeQueryParamsFromURL();
-            await push('/signin');
-          }
+        if (error === 'unverified-user') {
+          removeQueryParamsFromURL();
+          await push('/email/verify');
+        } else {
+          const description =
+            typeof errorDescription === 'string'
+              ? errorDescription
+              : 'An error occurred during the sign-in process. Please try again.';
+          toast.error(description, getToastStyleProps());
+          removeQueryParamsFromURL();
+          await push('/signin');
         }
       }
 
@@ -178,7 +103,6 @@ function AuthProvider({ children }: PropsWithChildren) {
         nhost.auth.signOut({
           refreshToken: session!.refreshToken,
         });
-        clearGitHubToken();
 
         await push('/signin');
       },

dashboard/src/tests/testUtils.tsx

@@ -108,16 +108,16 @@ function Providers({ children }: PropsWithChildren<{}>) {
         <QueryClientProvider client={queryClient}>
           <CacheProvider value={emotionCache}>
             <NhostProvider nhost={nhost}>
-              <ApolloProvider client={mockClient}>
-                <AuthProvider>
+              <AuthProvider>
+                <ApolloProvider client={mockClient}>
                   <UIProvider>
                     <Toaster position="bottom-center" />
                     <ThemeProvider theme={theme}>
                       <DialogProvider>{children}</DialogProvider>
                     </ThemeProvider>
                   </UIProvider>
-                </AuthProvider>
-              </ApolloProvider>
+                </ApolloProvider>
+              </AuthProvider>
             </NhostProvider>
           </CacheProvider>
         </QueryClientProvider>

dashboard/src/utils/__generated__/graphql.ts

@@ -3118,9 +3118,7 @@ export type ConfigSystemConfigPostgres = {
   database: Scalars['String'];
   disk?: Maybe<ConfigSystemConfigPostgresDisk>;
   enabled?: Maybe<Scalars['Boolean']>;
-  encryptColumnKey?: Maybe<Scalars['String']>;
   majorVersion?: Maybe<Scalars['String']>;
-  oldEncryptColumnKey?: Maybe<Scalars['String']>;
 };
 
 export type ConfigSystemConfigPostgresComparisonExp = {
@@ -3131,9 +3129,7 @@ export type ConfigSystemConfigPostgresComparisonExp = {
   database?: InputMaybe<ConfigStringComparisonExp>;
   disk?: InputMaybe<ConfigSystemConfigPostgresDiskComparisonExp>;
   enabled?: InputMaybe<ConfigBooleanComparisonExp>;
-  encryptColumnKey?: InputMaybe<ConfigStringComparisonExp>;
   majorVersion?: InputMaybe<ConfigStringComparisonExp>;
-  oldEncryptColumnKey?: InputMaybe<ConfigStringComparisonExp>;
 };
 
 export type ConfigSystemConfigPostgresConnectionString = {
@@ -3197,9 +3193,7 @@ export type ConfigSystemConfigPostgresInsertInput = {
   database: Scalars['String'];
   disk?: InputMaybe<ConfigSystemConfigPostgresDiskInsertInput>;
   enabled?: InputMaybe<Scalars['Boolean']>;
-  encryptColumnKey?: InputMaybe<Scalars['String']>;
   majorVersion?: InputMaybe<Scalars['String']>;
-  oldEncryptColumnKey?: InputMaybe<Scalars['String']>;
 };
 
 export type ConfigSystemConfigPostgresUpdateInput = {
@@ -3207,9 +3201,7 @@ export type ConfigSystemConfigPostgresUpdateInput = {
   database?: InputMaybe<Scalars['String']>;
   disk?: InputMaybe<ConfigSystemConfigPostgresDiskUpdateInput>;
   enabled?: InputMaybe<Scalars['Boolean']>;
-  encryptColumnKey?: InputMaybe<Scalars['String']>;
   majorVersion?: InputMaybe<Scalars['String']>;
-  oldEncryptColumnKey?: InputMaybe<Scalars['String']>;
 };
 
 export type ConfigSystemConfigUpdateInput = {
@@ -4434,7 +4426,6 @@ export type Apps = {
   billingDedicatedCompute?: Maybe<Billing_Dedicated_Compute>;
   /** An object relationship */
   billingSubscriptions?: Maybe<Billing_Subscriptions>;
-  /** main entrypoint to the configuration */
   config?: Maybe<ConfigConfig>;
   createdAt: Scalars['timestamptz'];
   /** An object relationship */
@@ -11103,7 +11094,6 @@ export type Deployments = {
   commitSHA: Scalars['String'];
   commitUserAvatarUrl?: Maybe<Scalars['String']>;
   commitUserName?: Maybe<Scalars['String']>;
-  createdAt: Scalars['timestamptz'];
   deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
   /** An array relationship */
   deploymentLogs: Array<DeploymentLogs>;
@@ -11201,7 +11191,6 @@ export type Deployments_Bool_Exp = {
   commitSHA?: InputMaybe<String_Comparison_Exp>;
   commitUserAvatarUrl?: InputMaybe<String_Comparison_Exp>;
   commitUserName?: InputMaybe<String_Comparison_Exp>;
-  createdAt?: InputMaybe<Timestamptz_Comparison_Exp>;
   deploymentEndedAt?: InputMaybe<Timestamptz_Comparison_Exp>;
   deploymentLogs?: InputMaybe<DeploymentLogs_Bool_Exp>;
   deploymentLogs_aggregate?: InputMaybe<DeploymentLogs_Aggregate_Bool_Exp>;
@@ -11233,7 +11222,6 @@ export type Deployments_Insert_Input = {
   commitSHA?: InputMaybe<Scalars['String']>;
   commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
   commitUserName?: InputMaybe<Scalars['String']>;
-  createdAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentLogs?: InputMaybe<DeploymentLogs_Arr_Rel_Insert_Input>;
   deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
@@ -11258,7 +11246,6 @@ export type Deployments_Max_Fields = {
   commitSHA?: Maybe<Scalars['String']>;
   commitUserAvatarUrl?: Maybe<Scalars['String']>;
   commitUserName?: Maybe<Scalars['String']>;
-  createdAt?: Maybe<Scalars['timestamptz']>;
   deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
   deploymentStartedAt?: Maybe<Scalars['timestamptz']>;
   deploymentStatus?: Maybe<Scalars['String']>;
@@ -11281,7 +11268,6 @@ export type Deployments_Max_Order_By = {
   commitSHA?: InputMaybe<Order_By>;
   commitUserAvatarUrl?: InputMaybe<Order_By>;
   commitUserName?: InputMaybe<Order_By>;
-  createdAt?: InputMaybe<Order_By>;
   deploymentEndedAt?: InputMaybe<Order_By>;
   deploymentStartedAt?: InputMaybe<Order_By>;
   deploymentStatus?: InputMaybe<Order_By>;
@@ -11305,7 +11291,6 @@ export type Deployments_Min_Fields = {
   commitSHA?: Maybe<Scalars['String']>;
   commitUserAvatarUrl?: Maybe<Scalars['String']>;
   commitUserName?: Maybe<Scalars['String']>;
-  createdAt?: Maybe<Scalars['timestamptz']>;
   deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
   deploymentStartedAt?: Maybe<Scalars['timestamptz']>;
   deploymentStatus?: Maybe<Scalars['String']>;
@@ -11328,7 +11313,6 @@ export type Deployments_Min_Order_By = {
   commitSHA?: InputMaybe<Order_By>;
   commitUserAvatarUrl?: InputMaybe<Order_By>;
   commitUserName?: InputMaybe<Order_By>;
-  createdAt?: InputMaybe<Order_By>;
   deploymentEndedAt?: InputMaybe<Order_By>;
   deploymentStartedAt?: InputMaybe<Order_By>;
   deploymentStatus?: InputMaybe<Order_By>;
@@ -11375,7 +11359,6 @@ export type Deployments_Order_By = {
   commitSHA?: InputMaybe<Order_By>;
   commitUserAvatarUrl?: InputMaybe<Order_By>;
   commitUserName?: InputMaybe<Order_By>;
-  createdAt?: InputMaybe<Order_By>;
   deploymentEndedAt?: InputMaybe<Order_By>;
   deploymentLogs_aggregate?: InputMaybe<DeploymentLogs_Aggregate_Order_By>;
   deploymentStartedAt?: InputMaybe<Order_By>;
@@ -11410,8 +11393,6 @@ export enum Deployments_Select_Column {
   /** column name */
   CommitUserName = 'commitUserName',
   /** column name */
-  CreatedAt = 'createdAt',
-  /** column name */
   DeploymentEndedAt = 'deploymentEndedAt',
   /** column name */
   DeploymentStartedAt = 'deploymentStartedAt',
@@ -11446,7 +11427,6 @@ export type Deployments_Set_Input = {
   commitSHA?: InputMaybe<Scalars['String']>;
   commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
   commitUserName?: InputMaybe<Scalars['String']>;
-  createdAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentStatus?: InputMaybe<Scalars['String']>;
@@ -11477,7 +11457,6 @@ export type Deployments_Stream_Cursor_Value_Input = {
   commitSHA?: InputMaybe<Scalars['String']>;
   commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
   commitUserName?: InputMaybe<Scalars['String']>;
-  createdAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
   deploymentStatus?: InputMaybe<Scalars['String']>;
@@ -11506,8 +11485,6 @@ export enum Deployments_Update_Column {
   /** column name */
   CommitUserName = 'commitUserName',
   /** column name */
-  CreatedAt = 'createdAt',
-  /** column name */
   DeploymentEndedAt = 'deploymentEndedAt',
   /** column name */
   DeploymentStartedAt = 'deploymentStartedAt',
@@ -13090,7 +13067,6 @@ export type Mutation_Root = {
   billingUpgradeFreeOrganization: Scalars['String'];
   billingUploadReports: Scalars['Boolean'];
   changeDatabaseVersion: Scalars['Boolean'];
-  connectGithubRepo: Scalars['Boolean'];
   /** delete single row from the table: "announcements_read" */
   deleteAnnouncementRead?: Maybe<Announcements_Read>;
   /** delete data from the table: "announcements_read" */
@@ -13992,15 +13968,6 @@ export type Mutation_RootChangeDatabaseVersionArgs = {
 };
 
 
-/** mutation root */
-export type Mutation_RootConnectGithubRepoArgs = {
-  appID: Scalars['uuid'];
-  baseFolder: Scalars['String'];
-  githubNodeID: Scalars['String'];
-  productionBranch: Scalars['String'];
-};
-
-
 /** mutation root */
 export type Mutation_RootDeleteAnnouncementReadArgs = {
   id: Scalars['uuid'];
@@ -27550,16 +27517,6 @@ export type ResetDatabasePasswordMutationVariables = Exact<{
 
 export type ResetDatabasePasswordMutation = { __typename?: 'mutation_root', resetPostgresPassword: boolean };
 
-export type ConnectGithubRepoMutationVariables = Exact<{
-  appID: Scalars['uuid'];
-  githubNodeID: Scalars['String'];
-  productionBranch: Scalars['String'];
-  baseFolder: Scalars['String'];
-}>;
-
-
-export type ConnectGithubRepoMutation = { __typename?: 'mutation_root', connectGithubRepo: boolean };
-
 export type GetHasuraSettingsQueryVariables = Exact<{
   appId: Scalars['uuid'];
 }>;
@@ -29489,45 +29446,6 @@ export function useResetDatabasePasswordMutation(baseOptions?: Apollo.MutationHo
 export type ResetDatabasePasswordMutationHookResult = ReturnType<typeof useResetDatabasePasswordMutation>;
 export type ResetDatabasePasswordMutationResult = Apollo.MutationResult<ResetDatabasePasswordMutation>;
 export type ResetDatabasePasswordMutationOptions = Apollo.BaseMutationOptions<ResetDatabasePasswordMutation, ResetDatabasePasswordMutationVariables>;
-export const ConnectGithubRepoDocument = gql`
-    mutation ConnectGithubRepo($appID: uuid!, $githubNodeID: String!, $productionBranch: String!, $baseFolder: String!) {
-  connectGithubRepo(
-    appID: $appID
-    githubNodeID: $githubNodeID
-    productionBranch: $productionBranch
-    baseFolder: $baseFolder
-  )
-}
-    `;
-export type ConnectGithubRepoMutationFn = Apollo.MutationFunction<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>;
-
-/**
- * __useConnectGithubRepoMutation__
- *
- * To run a mutation, you first call `useConnectGithubRepoMutation` within a React component and pass it any options that fit your needs.
- * When your component renders, `useConnectGithubRepoMutation` returns a tuple that includes:
- * - A mutate function that you can call at any time to execute the mutation
- * - An object with fields that represent the current status of the mutation's execution
- *
- * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
- *
- * @example
- * const [connectGithubRepoMutation, { data, loading, error }] = useConnectGithubRepoMutation({
- *   variables: {
- *      appID: // value for 'appID'
- *      githubNodeID: // value for 'githubNodeID'
- *      productionBranch: // value for 'productionBranch'
- *      baseFolder: // value for 'baseFolder'
- *   },
- * });
- */
-export function useConnectGithubRepoMutation(baseOptions?: Apollo.MutationHookOptions<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>) {
-        const options = {...defaultOptions, ...baseOptions}
-        return Apollo.useMutation<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>(ConnectGithubRepoDocument, options);
-      }
-export type ConnectGithubRepoMutationHookResult = ReturnType<typeof useConnectGithubRepoMutation>;
-export type ConnectGithubRepoMutationResult = Apollo.MutationResult<ConnectGithubRepoMutation>;
-export type ConnectGithubRepoMutationOptions = Apollo.BaseMutationOptions<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>;
 export const GetHasuraSettingsDocument = gql`
     query GetHasuraSettings($appId: uuid!) {
   config(appID: $appId, resolve: false) {

docs/reference/storage.yaml

@@ -206,7 +206,8 @@ paths:
             Last-Modified:
               description: "Date and time the file was last modified"
               schema:
-                $ref: '#/components/schemas/RFC2822Date'
+                type: string
+                format: date-time
             Surrogate-Key:
               description: "Cache key for surrogate caching"
               schema:
@@ -247,7 +248,8 @@ paths:
             Last-Modified:
               description: "Date and time the file was last modified"
               schema:
-                $ref: '#/components/schemas/RFC2822Date'
+                type: string
+                format: date-time
             Surrogate-Key:
               description: "Cache key for surrogate caching"
               schema:
@@ -389,7 +391,8 @@ paths:
             Last-Modified:
               description: "Date and time the file was last modified"
               schema:
-                $ref: '#/components/schemas/RFC2822Date'
+                type: string
+                format: date-time
             Accept-Ranges:
               description: "Always set to bytes. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Ranges"
               schema:
@@ -672,7 +675,8 @@ paths:
             Last-Modified:
               description: "Date and time the file was last modified"
               schema:
-                $ref: '#/components/schemas/RFC2822Date'
+                type: string
+                format: date-time
             Surrogate-Key:
               description: "Cache key for surrogate caching"
               schema:
@@ -713,7 +717,8 @@ paths:
             Last-Modified:
               description: "Date and time the file was last modified"
               schema:
-                $ref: '#/components/schemas/RFC2822Date'
+                type: string
+                format: date-time
             Surrogate-Key:
               description: "Cache key for surrogate caching"
               schema:

flake.nix

@@ -119,7 +119,6 @@
               gofumpt
               golangci-lint
               gqlgenc
-              oapi-codegen
 
               # internal packages
               self.packages.${system}.codegen

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/davidbyttow/govips/v2 v2.16.0
 	github.com/gabriel-vasile/mimetype v1.4.8
 	github.com/getkin/kin-openapi v0.133.0
+	github.com/gin-contrib/cors v1.7.3
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/go-webauthn/webauthn v0.12.2
@@ -29,6 +30,7 @@ require (
 	github.com/lmittmann/tint v1.0.7
 	github.com/mark3labs/mcp-go v0.41.1
 	github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48
+	github.com/oapi-codegen/gin-middleware v1.0.2
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/pb33f/libopenapi v0.21.12
 	github.com/pelletier/go-toml/v2 v2.2.4
@@ -154,7 +156,7 @@ require (
 	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.1 // indirect
+	github.com/quic-go/quic-go v0.54.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/cors v1.11.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

go.sum

@@ -162,6 +162,8 @@ github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3G
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/getkin/kin-openapi v0.133.0 h1:pJdmNohVIJ97r4AUFtEXRXwESr8b0bD721u/Tz6k8PQ=
 github.com/getkin/kin-openapi v0.133.0/go.mod h1:boAciF6cXk5FhPqe/NQeBTeenbjqU4LhWBf09ILVvWE=
+github.com/gin-contrib/cors v1.7.3 h1:hV+a5xp8hwJoTw7OY+a70FsL8JkVVFTXw9EcfrYUdns=
+github.com/gin-contrib/cors v1.7.3/go.mod h1:M3bcKZhxzsvI+rlRSkkxHyljJt1ESd93COUvemZ79j4=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -339,6 +341,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
 github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48 h1:+Oh4Rbr1psWlBaQTakoBYFNB8jBioiXuimNMaNPLTHk=
 github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/oapi-codegen/gin-middleware v1.0.2 h1:/H99UzvHQAUxXK8pzdcGAZgjCVeXdFDAUUWaJT0k0eI=
+github.com/oapi-codegen/gin-middleware v1.0.2/go.mod h1:2HJDQjH8jzK2/k/VKcWl+/T41H7ai2bKa6dN3AA2GpA=
 github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
 github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY=
@@ -381,8 +385,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d h1:HWfigq
 github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
-github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
+github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

internal/lib/oapi/errors.go

@@ -1,13 +0,0 @@
-package oapi
-
-import "fmt"
-
-type AuthenticatorError struct {
-	Scheme  string
-	Code    string
-	Message string
-}
-
-func (e *AuthenticatorError) Error() string {
-	return fmt.Sprintf("security error [%s]: %s", e.Code, e.Message)
-}

internal/lib/oapi/example/api/api.go

@@ -1,10 +0,0 @@
-//go:generate oapi-codegen -config server.cfg.yaml openapi.yaml
-//go:generate oapi-codegen -config types.cfg.yaml openapi.yaml
-package api
-
-import (
-	_ "embed"
-)
-
-//go:embed openapi.yaml
-var OpenAPISchema []byte

internal/lib/oapi/example/api/openapi.yaml

@@ -1,200 +0,0 @@
-openapi: "3.0.0"
-
-paths:
-  /signin/email-password:
-    post:
-      summary: Sign in with email and password
-      description: Authenticate a user with their email and password. Returns a session object or MFA challenge if two-factor authentication is enabled.
-      operationId: signInEmailPassword
-      requestBody:
-        description: User credentials for email and password authentication
-        content:
-          application/json:
-            schema:
-              $ref: "#/components/schemas/SignInEmailPasswordRequest"
-        required: true
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/SignInEmailPasswordResponse"
-          description: "Authentication successful. If MFA is enabled, a challenge will be returned instead of a session."
-        default:
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ErrorResponse"
-          description: "An error occurred while processing the request"
-
-  /user/email/change:
-    post:
-      summary: Change user email
-      description: Request to change the authenticated user's email address. A verification email will be sent to the new address to confirm the change. Requires elevated permissions.
-      operationId: changeUserEmail
-      tags:
-        - user
-      security:
-        - BearerAuthElevated: []
-      requestBody:
-        description: New email address and optional redirect URL for email change
-        content:
-          application/json:
-            schema:
-              $ref: "#/components/schemas/UserEmailChangeRequest"
-        required: true
-      responses:
-        "200":
-          description: >-
-            Email change requested. An email with a verification link has been sent to the new address
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/OKResponse"
-        default:
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ErrorResponse"
-          description: "An error occurred while processing the request"
-
-components:
-  securitySchemes:
-    BearerAuth:
-      type: http
-      scheme: bearer
-      description: "Bearer authentication with JWT access token. Used to authenticate requests to protected endpoints."
-    BearerAuthElevated:
-      type: http
-      scheme: bearer
-      description: "Bearer authentication that requires elevated permissions. Used for sensitive operations that may require additional security measures such as recent authentication. For details see https://docs.nhost.io/products/auth/elevated-permissions"
-
-  schemas:
-    SignInEmailPasswordRequest:
-      type: object
-      description: "Request to authenticate using email and password"
-      additionalProperties: false
-      properties:
-        email:
-          description: "User's email address"
-          example: "john.smith@nhost.io"
-          format: email
-          type: string
-        password:
-          description: "User's password"
-          example: "Str0ngPassw#ord-94|%"
-          minLength: 3
-          maxLength: 50
-          type: string
-      required:
-        - email
-        - password
-
-    SignInEmailPasswordResponse:
-      type: object
-      description: "Response for email-password authentication that may include a session or MFA challenge"
-      additionalProperties: false
-      properties:
-        session:
-          $ref: "#/components/schemas/Session"
-
-    Session:
-      type: object
-      description: "User authentication session containing tokens and user information"
-      additionalProperties: false
-      properties:
-        accessToken:
-          type: string
-          description: "JWT token for authenticating API requests"
-          example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-        accessTokenExpiresIn:
-          type: integer
-          format: int64
-          description: "Expiration time of the access token in seconds"
-          example: 900
-        refreshTokenId:
-          description: "Identifier for the refresh token"
-          example: "2c35b6f3-c4b9-48e3-978a-d4d0f1d42e24"
-          pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
-          type: string
-        refreshToken:
-          description: "Token used to refresh the access token"
-          example: "2c35b6f3-c4b9-48e3-978a-d4d0f1d42e24"
-          pattern: \b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b
-          type: string
-      required:
-        - accessToken
-        - accessTokenExpiresIn
-        - refreshToken
-        - refreshTokenId
-
-    UserEmailChangeRequest:
-      type: object
-      additionalProperties: false
-      properties:
-        newEmail:
-          description: A valid email
-          example: john.smith@nhost.io
-          format: email
-          type: string
-      required:
-        - newEmail
-
-    OKResponse:
-      type: string
-      additionalProperties: false
-      enum:
-        - OK
-
-    ErrorResponse:
-      type: object
-      description: "Standardized error response"
-      additionalProperties: false
-      properties:
-        status:
-          description: "HTTP status error code"
-          type: integer
-          example: 400
-        message:
-          description: "Human-friendly error message"
-          type: string
-          example: "Invalid email format"
-        error:
-          description: "Error code identifying the specific application error"
-          type: string
-          enum:
-            - default-role-must-be-in-allowed-roles
-            - disabled-endpoint
-            - disabled-user
-            - email-already-in-use
-            - email-already-verified
-            - forbidden-anonymous
-            - internal-server-error
-            - invalid-email-password
-            - invalid-request
-            - locale-not-allowed
-            - password-too-short
-            - password-in-hibp-database
-            - redirectTo-not-allowed
-            - role-not-allowed
-            - signup-disabled
-            - unverified-user
-            - user-not-anonymous
-            - invalid-pat
-            - invalid-refresh-token
-            - invalid-ticket
-            - disabled-mfa-totp
-            - no-totp-secret
-            - invalid-totp
-            - mfa-type-not-found
-            - totp-already-active
-            - invalid-state
-            - oauth-token-echange-failed
-            - oauth-profile-fetch-failed
-            - oauth-provider-error
-            - invalid-otp
-            - cannot-send-sms
-      required:
-        - status
-        - message
-        - error

internal/lib/oapi/example/api/server.cfg.yaml

@@ -1,6 +0,0 @@
-package: api
-generate:
-  gin-server: true
-  embedded-spec: true
-  strict-server: true
-output: server.gen.go

internal/lib/oapi/example/api/server.gen.go

@@ -1,351 +0,0 @@
-// Package api provides primitives to interact with the openapi HTTP API.
-//
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
-package api
-
-import (
-	"bytes"
-	"compress/gzip"
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-
-	"github.com/getkin/kin-openapi/openapi3"
-	"github.com/gin-gonic/gin"
-	strictgin "github.com/oapi-codegen/runtime/strictmiddleware/gin"
-)
-
-// ServerInterface represents all server handlers.
-type ServerInterface interface {
-	// Sign in with email and password
-	// (POST /signin/email-password)
-	SignInEmailPassword(c *gin.Context)
-	// Change user email
-	// (POST /user/email/change)
-	ChangeUserEmail(c *gin.Context)
-}
-
-// ServerInterfaceWrapper converts contexts to parameters.
-type ServerInterfaceWrapper struct {
-	Handler            ServerInterface
-	HandlerMiddlewares []MiddlewareFunc
-	ErrorHandler       func(*gin.Context, error, int)
-}
-
-type MiddlewareFunc func(c *gin.Context)
-
-// SignInEmailPassword operation middleware
-func (siw *ServerInterfaceWrapper) SignInEmailPassword(c *gin.Context) {
-
-	for _, middleware := range siw.HandlerMiddlewares {
-		middleware(c)
-		if c.IsAborted() {
-			return
-		}
-	}
-
-	siw.Handler.SignInEmailPassword(c)
-}
-
-// ChangeUserEmail operation middleware
-func (siw *ServerInterfaceWrapper) ChangeUserEmail(c *gin.Context) {
-
-	c.Set(BearerAuthElevatedScopes, []string{})
-
-	for _, middleware := range siw.HandlerMiddlewares {
-		middleware(c)
-		if c.IsAborted() {
-			return
-		}
-	}
-
-	siw.Handler.ChangeUserEmail(c)
-}
-
-// GinServerOptions provides options for the Gin server.
-type GinServerOptions struct {
-	BaseURL      string
-	Middlewares  []MiddlewareFunc
-	ErrorHandler func(*gin.Context, error, int)
-}
-
-// RegisterHandlers creates http.Handler with routing matching OpenAPI spec.
-func RegisterHandlers(router gin.IRouter, si ServerInterface) {
-	RegisterHandlersWithOptions(router, si, GinServerOptions{})
-}
-
-// RegisterHandlersWithOptions creates http.Handler with additional options
-func RegisterHandlersWithOptions(router gin.IRouter, si ServerInterface, options GinServerOptions) {
-	errorHandler := options.ErrorHandler
-	if errorHandler == nil {
-		errorHandler = func(c *gin.Context, err error, statusCode int) {
-			c.JSON(statusCode, gin.H{"msg": err.Error()})
-		}
-	}
-
-	wrapper := ServerInterfaceWrapper{
-		Handler:            si,
-		HandlerMiddlewares: options.Middlewares,
-		ErrorHandler:       errorHandler,
-	}
-
-	router.POST(options.BaseURL+"/signin/email-password", wrapper.SignInEmailPassword)
-	router.POST(options.BaseURL+"/user/email/change", wrapper.ChangeUserEmail)
-}
-
-type SignInEmailPasswordRequestObject struct {
-	Body *SignInEmailPasswordJSONRequestBody
-}
-
-type SignInEmailPasswordResponseObject interface {
-	VisitSignInEmailPasswordResponse(w http.ResponseWriter) error
-}
-
-type SignInEmailPassword200JSONResponse SignInEmailPasswordResponse
-
-func (response SignInEmailPassword200JSONResponse) VisitSignInEmailPasswordResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(200)
-
-	return json.NewEncoder(w).Encode(response)
-}
-
-type SignInEmailPassworddefaultJSONResponse struct {
-	Body       ErrorResponse
-	StatusCode int
-}
-
-func (response SignInEmailPassworddefaultJSONResponse) VisitSignInEmailPasswordResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(response.StatusCode)
-
-	return json.NewEncoder(w).Encode(response.Body)
-}
-
-type ChangeUserEmailRequestObject struct {
-	Body *ChangeUserEmailJSONRequestBody
-}
-
-type ChangeUserEmailResponseObject interface {
-	VisitChangeUserEmailResponse(w http.ResponseWriter) error
-}
-
-type ChangeUserEmail200JSONResponse OKResponse
-
-func (response ChangeUserEmail200JSONResponse) VisitChangeUserEmailResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(200)
-
-	return json.NewEncoder(w).Encode(response)
-}
-
-type ChangeUserEmaildefaultJSONResponse struct {
-	Body       ErrorResponse
-	StatusCode int
-}
-
-func (response ChangeUserEmaildefaultJSONResponse) VisitChangeUserEmailResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(response.StatusCode)
-
-	return json.NewEncoder(w).Encode(response.Body)
-}
-
-// StrictServerInterface represents all server handlers.
-type StrictServerInterface interface {
-	// Sign in with email and password
-	// (POST /signin/email-password)
-	SignInEmailPassword(ctx context.Context, request SignInEmailPasswordRequestObject) (SignInEmailPasswordResponseObject, error)
-	// Change user email
-	// (POST /user/email/change)
-	ChangeUserEmail(ctx context.Context, request ChangeUserEmailRequestObject) (ChangeUserEmailResponseObject, error)
-}
-
-type StrictHandlerFunc = strictgin.StrictGinHandlerFunc
-type StrictMiddlewareFunc = strictgin.StrictGinMiddlewareFunc
-
-func NewStrictHandler(ssi StrictServerInterface, middlewares []StrictMiddlewareFunc) ServerInterface {
-	return &strictHandler{ssi: ssi, middlewares: middlewares}
-}
-
-type strictHandler struct {
-	ssi         StrictServerInterface
-	middlewares []StrictMiddlewareFunc
-}
-
-// SignInEmailPassword operation middleware
-func (sh *strictHandler) SignInEmailPassword(ctx *gin.Context) {
-	var request SignInEmailPasswordRequestObject
-
-	var body SignInEmailPasswordJSONRequestBody
-	if err := ctx.ShouldBindJSON(&body); err != nil {
-		ctx.Status(http.StatusBadRequest)
-		ctx.Error(err)
-		return
-	}
-	request.Body = &body
-
-	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
-		return sh.ssi.SignInEmailPassword(ctx, request.(SignInEmailPasswordRequestObject))
-	}
-	for _, middleware := range sh.middlewares {
-		handler = middleware(handler, "SignInEmailPassword")
-	}
-
-	response, err := handler(ctx, request)
-
-	if err != nil {
-		ctx.Error(err)
-		ctx.Status(http.StatusInternalServerError)
-	} else if validResponse, ok := response.(SignInEmailPasswordResponseObject); ok {
-		if err := validResponse.VisitSignInEmailPasswordResponse(ctx.Writer); err != nil {
-			ctx.Error(err)
-		}
-	} else if response != nil {
-		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
-	}
-}
-
-// ChangeUserEmail operation middleware
-func (sh *strictHandler) ChangeUserEmail(ctx *gin.Context) {
-	var request ChangeUserEmailRequestObject
-
-	var body ChangeUserEmailJSONRequestBody
-	if err := ctx.ShouldBindJSON(&body); err != nil {
-		ctx.Status(http.StatusBadRequest)
-		ctx.Error(err)
-		return
-	}
-	request.Body = &body
-
-	handler := func(ctx *gin.Context, request interface{}) (interface{}, error) {
-		return sh.ssi.ChangeUserEmail(ctx, request.(ChangeUserEmailRequestObject))
-	}
-	for _, middleware := range sh.middlewares {
-		handler = middleware(handler, "ChangeUserEmail")
-	}
-
-	response, err := handler(ctx, request)
-
-	if err != nil {
-		ctx.Error(err)
-		ctx.Status(http.StatusInternalServerError)
-	} else if validResponse, ok := response.(ChangeUserEmailResponseObject); ok {
-		if err := validResponse.VisitChangeUserEmailResponse(ctx.Writer); err != nil {
-			ctx.Error(err)
-		}
-	} else if response != nil {
-		ctx.Error(fmt.Errorf("unexpected response type: %T", response))
-	}
-}
-
-// Base64 encoded, gzipped, json marshaled Swagger object
-var swaggerSpec = []string{
-
-	"H4sIAAAAAAAC/9RYUXPbuBH+KxhcO30RJMVW0lhP9WV8rXLXS8Z22s7YfoCApYiYBHhY0IrO1X/vLEBK",
-	"pEQ1vs5dp32yTBCL3f2+b3fBZ65cWTkLNiCfP3NUOZQy/rzy3vlrwMpZBHogtTbBOCuLj95V4IMB5PNM",
-	"FggjrgGVNxWt8zm/CdJq6bX5GTQDMsR8a2nEq872Zx6X6UffRDyeKaeBGQ02mGxj7IqFHBhWoExmFJNV",
-	"VRglaUc6hY842Lrk8zuuIZN1EYR3BYiyxiCWIIwVsijcGnR8jnzEtUG5LEALsLpyxobusxoh2iylKYQs",
-	"PEi9ISN1jKP/+Am8yQxoPuKZ80ujNVghrbOb0tV0krEBvJWFQPBP4EXrsbFPsjBaJHOVRFw7rzsLHn6q",
-	"AcmxwilZgLAutHFQOpsdIjgnMHc+dB8aK3KzrISWQS5l9NuDNh5UuHUHlmKu+o/QrGxdiTYjfMRr20ba",
-	"pof+pG29aJPzlQy9UDIPmIvgHsF2ngejHqGX+jKTIrhQ8RG3Lv4SCMpD11qzHl/dVMn1zNWW3Iw7Wmyk",
-	"CuYJOjsxyED/O1mHxhsBKpd2BSKTJkWaFivvMlOAyCCofGDxyegBMJNnSlryCcFqgSXyhxEnR/mcY/DG",
-	"rvh2xEtAlCs4VsBf6lJakXkDVhebRkbt2yMOX2RZFWRrkc5kkUAsc76MOT86iYKuceCg29uPLC02p5Ds",
-	"ukfMptOdPaLxCjzfbolJP9XGgybBNdb3AY0aae+DdsvPoAK58uH7F1eWVtAfvh9M3w0gxjB+UYH6hOAZ",
-	"IUiVpakgmCwx5WyQxsZqQ8RAJq1mRHJmbMouGTmsY1IpQLyNxD5K8fu/3yZjBE/vYLtilx8XrNE49oCF",
-	"zft8+WdlPpj3i08/L179aBa4sNev1bvFm8Vj9Y+/vXt/MR6Ph7DueHP1pTIecDHgVlxK0QdTAnNZLLBp",
-	"c+OwocwoZ3XPtwtiREO1yIk3M35MEWJIFPyJtMTHlFrNgmPNu0cu9HJyps5fL99k50LNlhdi9hbOxcUf",
-	"30qhZ3qavdKzMzibxfoXqNryOb+/X95NxYUU2cPz2+39/VLs/p1tT/7u7np1RtuGstyNbqGP41ukzmXA",
-	"R9wpsF2Q/8uRHUi7S+0T1DpA+ig1Q0Xgxqzswl5R1frYtKvrptX9MjU3u4hDHWkBq5HklcoiabjTWw9m",
-	"EHrlGD6qEn/A1oDWHrAv0M8ut2MsTcj/ZHOHYWwc78gimR3gzc6RU0d2PN2fdhP81K5iqr6h1n4x++fv",
-	"qd7KLz+AXYWcz19PR7w0tv33/GvAtg7ujnsxTP/RWNhui2LojzuHxTjkMrBSbpixqqg1MLmrz86zv353",
-	"yVQuiwLs6niixH1L+J2HjM/5N5P9mDtpZtxJ2zkoKUdBEw4x5HdxKHgpL/uOWFhfDTPrknVa9q9AqQNc",
-	"dwcf40lzAKjam7C5oUQkT78F6cFf1sSaQ1/T2iFAaxNyRm2tW6nH7FNTy3s6bJsbLVTeBVCB7gXNwI3U",
-	"wCIo5OcynraPMA+hIkD2Hl4V8CQD6Jd6GqnUZAcZNLtZBb40kQHYuE2sRLBoaFhkBGQ0gHsyNlbYngOs",
-	"TSYrQWJNJ2CtciaReVBgw4E3Y/ad80xDkKZAhgCMAsT5ZKKdwnEL+aTyTtcq4IS2T1qnRcfpryeNsKaJ",
-	"hc9tXRQj7iqwsjJ8zs/H0/E09ZI84j+hOd/YycEdZP7MK5dof8DfLrwyDUeRESEH4wdK7phdQ6g9DVN7",
-	"IUdKHumZmYyFtROZVMEdoWmQgY1XBKLNDiTqvkOViidhAIZvnd5QIDTegU1S3t8fJ58xVYxUHb5aO063",
-	"rpj2gWlTeYjTgCxwX/96OToIlXc1HXwNUeSpgkbQzqbT3zagpsgPRHR5MDrXsQhkdTFmiyzCucdpxGQH",
-	"3LUpCrakmkB0AM2MxQBS0+y5o8aYxxPjDf5XC7H/QWMoqOYrAnNK1d6DZuvcFEAli6JrPz/4HdAjjnVZ",
-	"Sr9puEezclTBwMhBb09IJ0ljk3TZPK2wzkyTXk1jcUd36U5yOJ+M2SVLF/T2w0hcbdOOVJKCi8YsrNtd",
-	"8RhnM+PLuJSOJNH+u7J5JMDULHe98zcS34nePIDoj7DuZydi4qqmdrcfQtin6x86mmyg+W/Kr3MfHgjj",
-	"quNWSz/QY3a5RzfkTPZxL4x9ZLlEtgSwp3D/v9FZ02X5/O55cBS4e9g+dOWYqJEa025mkiuk6Sh+tnrY",
-	"brfbfwUAAP//3ciGL/8UAAA=",
-}
-
-// GetSwagger returns the content of the embedded swagger specification file
-// or error if failed to decode
-func decodeSpec() ([]byte, error) {
-	zipped, err := base64.StdEncoding.DecodeString(strings.Join(swaggerSpec, ""))
-	if err != nil {
-		return nil, fmt.Errorf("error base64 decoding spec: %w", err)
-	}
-	zr, err := gzip.NewReader(bytes.NewReader(zipped))
-	if err != nil {
-		return nil, fmt.Errorf("error decompressing spec: %w", err)
-	}
-	var buf bytes.Buffer
-	_, err = buf.ReadFrom(zr)
-	if err != nil {
-		return nil, fmt.Errorf("error decompressing spec: %w", err)
-	}
-
-	return buf.Bytes(), nil
-}
-
-var rawSpec = decodeSpecCached()
-
-// a naive cached of a decoded swagger spec
-func decodeSpecCached() func() ([]byte, error) {
-	data, err := decodeSpec()
-	return func() ([]byte, error) {
-		return data, err
-	}
-}
-
-// Constructs a synthetic filesystem for resolving external references when loading openapi specifications.
-func PathToRawSpec(pathToFile string) map[string]func() ([]byte, error) {
-	res := make(map[string]func() ([]byte, error))
-	if len(pathToFile) > 0 {
-		res[pathToFile] = rawSpec
-	}
-
-	return res
-}
-
-// GetSwagger returns the Swagger specification corresponding to the generated code
-// in this file. The external references of Swagger specification are resolved.
-// The logic of resolving external references is tightly connected to "import-mapping" feature.
-// Externally referenced files must be embedded in the corresponding golang packages.
-// Urls can be supported but this task was out of the scope.
-func GetSwagger() (swagger *openapi3.T, err error) {
-	resolvePath := PathToRawSpec("")
-
-	loader := openapi3.NewLoader()
-	loader.IsExternalRefsAllowed = true
-	loader.ReadFromURIFunc = func(loader *openapi3.Loader, url *url.URL) ([]byte, error) {
-		pathToFile := url.String()
-		pathToFile = path.Clean(pathToFile)
-		getSpec, ok := resolvePath[pathToFile]
-		if !ok {
-			err1 := fmt.Errorf("path not found: %s", pathToFile)
-			return nil, err1
-		}
-		return getSpec()
-	}
-	var specData []byte
-	specData, err = rawSpec()
-	if err != nil {
-		return
-	}
-	swagger, err = loader.LoadFromData(specData)
-	if err != nil {
-		return
-	}
-	return
-}

internal/lib/oapi/example/api/types.cfg.yaml

@@ -1,4 +0,0 @@
-package: api
-generate:
-  models: true
-output: types.gen.go

internal/lib/oapi/example/api/types.gen.go

@@ -1,112 +0,0 @@
-// Package api provides primitives to interact with the openapi HTTP API.
-//
-// Code generated by github.com/oapi-codegen/oapi-codegen/v2 version 2.5.0 DO NOT EDIT.
-package api
-
-import (
-	openapi_types "github.com/oapi-codegen/runtime/types"
-)
-
-const (
-	BearerAuthElevatedScopes = "BearerAuthElevated.Scopes"
-)
-
-// Defines values for ErrorResponseError.
-const (
-	CannotSendSms                   ErrorResponseError = "cannot-send-sms"
-	DefaultRoleMustBeInAllowedRoles ErrorResponseError = "default-role-must-be-in-allowed-roles"
-	DisabledEndpoint                ErrorResponseError = "disabled-endpoint"
-	DisabledMfaTotp                 ErrorResponseError = "disabled-mfa-totp"
-	DisabledUser                    ErrorResponseError = "disabled-user"
-	EmailAlreadyInUse               ErrorResponseError = "email-already-in-use"
-	EmailAlreadyVerified            ErrorResponseError = "email-already-verified"
-	ForbiddenAnonymous              ErrorResponseError = "forbidden-anonymous"
-	InternalServerError             ErrorResponseError = "internal-server-error"
-	InvalidEmailPassword            ErrorResponseError = "invalid-email-password"
-	InvalidOtp                      ErrorResponseError = "invalid-otp"
-	InvalidPat                      ErrorResponseError = "invalid-pat"
-	InvalidRefreshToken             ErrorResponseError = "invalid-refresh-token"
-	InvalidRequest                  ErrorResponseError = "invalid-request"
-	InvalidState                    ErrorResponseError = "invalid-state"
-	InvalidTicket                   ErrorResponseError = "invalid-ticket"
-	InvalidTotp                     ErrorResponseError = "invalid-totp"
-	LocaleNotAllowed                ErrorResponseError = "locale-not-allowed"
-	MfaTypeNotFound                 ErrorResponseError = "mfa-type-not-found"
-	NoTotpSecret                    ErrorResponseError = "no-totp-secret"
-	OauthProfileFetchFailed         ErrorResponseError = "oauth-profile-fetch-failed"
-	OauthProviderError              ErrorResponseError = "oauth-provider-error"
-	OauthTokenEchangeFailed         ErrorResponseError = "oauth-token-echange-failed"
-	PasswordInHibpDatabase          ErrorResponseError = "password-in-hibp-database"
-	PasswordTooShort                ErrorResponseError = "password-too-short"
-	RedirectToNotAllowed            ErrorResponseError = "redirectTo-not-allowed"
-	RoleNotAllowed                  ErrorResponseError = "role-not-allowed"
-	SignupDisabled                  ErrorResponseError = "signup-disabled"
-	TotpAlreadyActive               ErrorResponseError = "totp-already-active"
-	UnverifiedUser                  ErrorResponseError = "unverified-user"
-	UserNotAnonymous                ErrorResponseError = "user-not-anonymous"
-)
-
-// Defines values for OKResponse.
-const (
-	OK OKResponse = "OK"
-)
-
-// ErrorResponse Standardized error response
-type ErrorResponse struct {
-	// Error Error code identifying the specific application error
-	Error ErrorResponseError `json:"error"`
-
-	// Message Human-friendly error message
-	Message string `json:"message"`
-
-	// Status HTTP status error code
-	Status int `json:"status"`
-}
-
-// ErrorResponseError Error code identifying the specific application error
-type ErrorResponseError string
-
-// OKResponse defines model for OKResponse.
-type OKResponse string
-
-// Session User authentication session containing tokens and user information
-type Session struct {
-	// AccessToken JWT token for authenticating API requests
-	AccessToken string `json:"accessToken"`
-
-	// AccessTokenExpiresIn Expiration time of the access token in seconds
-	AccessTokenExpiresIn int64 `json:"accessTokenExpiresIn"`
-
-	// RefreshToken Token used to refresh the access token
-	RefreshToken string `json:"refreshToken"`
-
-	// RefreshTokenId Identifier for the refresh token
-	RefreshTokenId string `json:"refreshTokenId"`
-}
-
-// SignInEmailPasswordRequest Request to authenticate using email and password
-type SignInEmailPasswordRequest struct {
-	// Email User's email address
-	Email openapi_types.Email `json:"email"`
-
-	// Password User's password
-	Password string `json:"password"`
-}
-
-// SignInEmailPasswordResponse Response for email-password authentication that may include a session or MFA challenge
-type SignInEmailPasswordResponse struct {
-	// Session User authentication session containing tokens and user information
-	Session *Session `json:"session,omitempty"`
-}
-
-// UserEmailChangeRequest defines model for UserEmailChangeRequest.
-type UserEmailChangeRequest struct {
-	// NewEmail A valid email
-	NewEmail openapi_types.Email `json:"newEmail"`
-}
-
-// SignInEmailPasswordJSONRequestBody defines body for SignInEmailPassword for application/json ContentType.
-type SignInEmailPasswordJSONRequestBody = SignInEmailPasswordRequest
-
-// ChangeUserEmailJSONRequestBody defines body for ChangeUserEmail for application/json ContentType.
-type ChangeUserEmailJSONRequestBody = UserEmailChangeRequest

internal/lib/oapi/example/controller/controller.go

@@ -1,49 +0,0 @@
-package controller
-
-import (
-	"context"
-	"errors"
-	"net/http"
-
-	"github.com/nhost/nhost/internal/lib/oapi/example/api"
-)
-
-type Controller struct{}
-
-func NewController() *Controller {
-	return &Controller{}
-}
-
-func (c *Controller) SignInEmailPassword( //nolint:ireturn
-	_ context.Context, req api.SignInEmailPasswordRequestObject,
-) (api.SignInEmailPasswordResponseObject, error) {
-	switch req.Body.Email {
-	case "bad@email.com":
-		return api.SignInEmailPassworddefaultJSONResponse{
-			Body: api.ErrorResponse{
-				Error:   api.DisabledUser,
-				Message: "The user account is disabled.",
-				Status:  http.StatusConflict,
-			},
-			StatusCode: http.StatusConflict,
-		}, nil
-	case "crash@email.com":
-		return nil, errors.New("simulated server crash") //nolint:err113
-	}
-
-	return api.SignInEmailPassword200JSONResponse{
-		Session: &api.Session{
-			AccessToken:          "access_token_example",
-			AccessTokenExpiresIn: 900, //nolint:mnd
-			RefreshToken:         "refresh_token_example",
-			RefreshTokenId:       "refresh_token_id_example",
-		},
-	}, nil
-}
-
-func (c *Controller) ChangeUserEmail( //nolint:ireturn
-	_ context.Context,
-	_ api.ChangeUserEmailRequestObject,
-) (api.ChangeUserEmailResponseObject, error) {
-	return api.ChangeUserEmail200JSONResponse(api.OK), nil
-}

internal/lib/oapi/example/main.go

@@ -1,109 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"log/slog"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/getkin/kin-openapi/openapi3filter"
-	"github.com/gin-gonic/gin"
-	"github.com/lmittmann/tint"
-	"github.com/nhost/nhost/internal/lib/oapi"
-	"github.com/nhost/nhost/internal/lib/oapi/example/api"
-	"github.com/nhost/nhost/internal/lib/oapi/example/controller"
-	"github.com/nhost/nhost/internal/lib/oapi/middleware"
-)
-
-const apiPrefix = "/"
-
-func getLogger() *slog.Logger {
-	handler := tint.NewHandler(os.Stdout, &tint.Options{
-		AddSource:   true,
-		Level:       slog.LevelDebug,
-		TimeFormat:  time.StampMilli,
-		NoColor:     false,
-		ReplaceAttr: nil,
-	})
-
-	return slog.New(handler)
-}
-
-func authFn(
-	ctx context.Context,
-	input *openapi3filter.AuthenticationInput,
-) error {
-	_, ok := ctx.Value(oapi.GinContextKey).(*gin.Context)
-	if !ok {
-		return &oapi.AuthenticatorError{
-			Scheme:  input.SecuritySchemeName,
-			Code:    "unauthorized",
-			Message: "unable to get context",
-		}
-	}
-
-	return &oapi.AuthenticatorError{
-		Scheme:  input.SecuritySchemeName,
-		Code:    "unauthorized",
-		Message: "your access token is invalid",
-	}
-}
-
-func setupRouter(logger *slog.Logger) (*gin.Engine, error) {
-	ctrl := controller.NewController()
-	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
-
-	router, mw, err := oapi.NewRouter(
-		api.OpenAPISchema,
-		apiPrefix,
-		authFn,
-		middleware.CORSOptions{ //nolint:exhaustruct
-			AllowedOrigins: []string{"*"},
-		},
-		logger,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create oapi router: %w", err)
-	}
-
-	api.RegisterHandlersWithOptions(
-		router,
-		handler,
-		api.GinServerOptions{
-			BaseURL:      apiPrefix,
-			Middlewares:  []api.MiddlewareFunc{mw},
-			ErrorHandler: nil,
-		},
-	)
-
-	return router, nil
-}
-
-func run(ctx context.Context) error {
-	logger := getLogger()
-
-	router, err := setupRouter(logger) //nolint:contextcheck
-	if err != nil {
-		return err
-	}
-
-	server := &http.Server{ //nolint:exhaustruct
-		Addr:              ":8080",
-		Handler:           router,
-		ReadHeaderTimeout: 5 * time.Second, //nolint:mnd
-	}
-
-	if err := server.ListenAndServe(); err != nil {
-		logger.ErrorContext(ctx, "server failed", slog.String("error", err.Error()))
-	}
-
-	return nil
-}
-
-func main() {
-	if err := run(context.Background()); err != nil {
-		panic(err)
-	}
-}

internal/lib/oapi/example/main_test.go

@@ -1,177 +0,0 @@
-package main
-
-import (
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/go-cmp/cmp"
-)
-
-func makeRequest(
-	router *gin.Engine,
-	method, path string,
-	headers map[string]string,
-	body io.Reader,
-) *httptest.ResponseRecorder {
-	req := httptest.NewRequest(method, path, body)
-
-	for key, value := range headers {
-		req.Header.Set(key, value)
-	}
-
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	return w
-}
-
-func TestRequests(t *testing.T) {
-	t.Parallel()
-
-	logger := getLogger()
-
-	router, err := setupRouter(logger)
-	if err != nil {
-		t.Fatalf("Failed to set up router: %v", err)
-	}
-
-	cases := []struct {
-		name             string
-		method           string
-		path             string
-		headers          map[string]string
-		body             io.Reader
-		expectedStatus   int
-		expectedResponse string
-	}{
-		{
-			name:   "success",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body:             strings.NewReader(`{"email": "asd@asd.com", "password": "p4ssw0rd"}`),
-			expectedStatus:   http.StatusOK,
-			expectedResponse: "{\"session\":{\"accessToken\":\"access_token_example\",\"accessTokenExpiresIn\":900,\"refreshToken\":\"refresh_token_example\",\"refreshTokenId\":\"refresh_token_id_example\"}}\n", //nolint:lll
-		},
-
-		{
-			name:   "expected error",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body: strings.NewReader(
-				`{"email": "bad@email.com", "password": "p4ssw0rd"}`,
-			),
-			expectedStatus:   http.StatusConflict,
-			expectedResponse: "{\"error\":\"disabled-user\",\"message\":\"The user account is disabled.\",\"status\":409}\n", //nolint:lll
-		},
-
-		{
-			name:   "unexpected error",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body: strings.NewReader(
-				`{"email": "crash@email.com", "password": "p4ssw0rd"}`,
-			),
-			expectedStatus:   http.StatusInternalServerError,
-			expectedResponse: `{"errors":"internal-server-error","message":"simulated server crash"}`,
-		},
-
-		{
-			name:   "missing body",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body:             nil,
-			expectedStatus:   http.StatusBadRequest,
-			expectedResponse: `{"error":"request-validation-error","reason":"value is required but missing"}`,
-		},
-
-		{
-			name:   "wrong param",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body: strings.NewReader(
-				`{"wrong":"asd", "email": "asd@asd.com", "password": "p4ssw0rd"}`,
-			),
-			expectedStatus:   http.StatusBadRequest,
-			expectedResponse: `{"error":"schema-validation-error","reason":"property \"wrong\" is unsupported"}`,
-		},
-
-		{
-			name:   "missing param",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body:             strings.NewReader(`{"email": "asd@asd.com"}`),
-			expectedStatus:   http.StatusBadRequest,
-			expectedResponse: `{"error":"schema-validation-error","reason":"property \"password\" is missing"}`,
-		},
-
-		{
-			name:   "invalid param",
-			method: http.MethodPost,
-			path:   "/signin/email-password",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body:             strings.NewReader(`{"email": "asdasd.com", "password": "p4ssw0rd"}`),
-			expectedStatus:   http.StatusBadRequest,
-			expectedResponse: `{"errors":"bad-request","message":"email: failed to pass regex validation"}`,
-		},
-
-		{
-			name:   "needs security",
-			method: http.MethodPost,
-			path:   "/user/email/change",
-			headers: map[string]string{
-				"Content-Type": "application/json",
-			},
-			body:             strings.NewReader(`{"newEmail": "new@asd.com"`),
-			expectedStatus:   http.StatusUnauthorized,
-			expectedResponse: `{"error":"unauthorized","reason":"your access token is invalid","securityScheme":"BearerAuthElevated"}`, //nolint:lll
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			w := makeRequest(router, tc.method, tc.path, tc.headers, tc.body)
-
-			resp := w.Result()
-			defer resp.Body.Close()
-
-			body, err := io.ReadAll(resp.Body)
-			if err != nil {
-				t.Fatalf("Failed to read response body: %v", err)
-			}
-
-			if resp.StatusCode != tc.expectedStatus {
-				t.Errorf("Expected status %d, got %d", tc.expectedStatus, resp.StatusCode)
-			}
-
-			if diff := cmp.Diff(string(body), tc.expectedResponse); diff != "" {
-				t.Errorf("Response body mismatch (-want +got):\n%s", diff)
-			}
-		})
-	}
-}

internal/lib/oapi/middleware/cors.go

@@ -1,140 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"slices"
-	"strings"
-
-	"github.com/gin-gonic/gin"
-)
-
-// CORSOptions configures the CORS middleware behavior.
-//
-// The middleware supports three strategies for handling Access-Control-Allow-Headers:
-//   - nil (default): Reflects the Access-Control-Request-Headers from the client
-//   - empty slice: Denies all headers (no Access-Control-Allow-Headers header is set)
-//   - non-empty slice: Uses the specified headers
-type CORSOptions struct {
-	// AllowedOrigins is a list of origins permitted to make cross-origin requests.
-	// Use "*" or nil slice to allow all origins.
-	AllowedOrigins []string
-
-	// AllowedMethods is a list of HTTP methods the client is permitted to use.
-	// Common values: GET, POST, PUT, DELETE, PATCH, OPTIONS.
-	AllowedMethods []string
-
-	// AllowedHeaders controls which headers clients can use in requests.
-	// - nil: reflects client's Access-Control-Request-Headers (permissive)
-	// - empty slice: denies all headers
-	// - non-empty: allows only specified headers
-	AllowedHeaders []string
-
-	// ExposedHeaders lists headers that browsers are allowed to access.
-	// By default, browsers only expose simple response headers.
-	ExposedHeaders []string
-
-	// AllowCredentials indicates whether the request can include credentials
-	// (cookies, authorization headers, or TLS client certificates).
-	AllowCredentials bool
-
-	// MaxAge indicates how long (in seconds) the results of a preflight request
-	// can be cached. Empty string means no caching directive is sent.
-	MaxAge string
-}
-
-// CORS returns a Gin middleware handler that implements Cross-Origin Resource Sharing (CORS).
-//
-// The middleware handles both preflight (OPTIONS) requests and actual requests, setting
-// appropriate CORS headers based on the provided configuration. It automatically adds
-// the "Vary: Origin, Access-Control-Request-Method" header for proper cache behavior.
-//
-// For preflight requests (OPTIONS), the middleware responds with 204 No Content and
-// prevents further request processing. For actual requests, it sets CORS headers and
-// continues the middleware chain.
-//
-// Example usage:
-//
-//	router.Use(middleware.CORS(middleware.CORSOptions{
-//		AllowedOrigins:   []string{"https://example.com", "https://app.example.com"},
-//		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE"},
-//		AllowedHeaders:   nil, // reflects client headers
-//		AllowCredentials: true,
-//		MaxAge:           "3600",
-//	}))
-func CORS(opts CORSOptions) gin.HandlerFunc { //nolint:cyclop,funlen
-	allowedMethods := strings.Join(opts.AllowedMethods, ", ")
-	exposedHeaders := strings.Join(opts.ExposedHeaders, ", ")
-
-	allowCredentials := "false"
-	if opts.AllowCredentials {
-		allowCredentials = "true"
-	}
-
-	var (
-		headerStrategy string // "reflect", "specific", or "deny"
-		allowedHeaders string
-	)
-	switch {
-	case opts.AllowedHeaders == nil:
-		headerStrategy = "reflect"
-	case len(opts.AllowedHeaders) == 0:
-		headerStrategy = "deny"
-	default:
-		headerStrategy = "specific"
-		allowedHeaders = strings.Join(opts.AllowedHeaders, ", ")
-	}
-
-	f := func(c *gin.Context, origin string) {
-		if opts.AllowedOrigins != nil &&
-			!slices.Contains(opts.AllowedOrigins, origin) &&
-			!slices.Contains(opts.AllowedOrigins, "*") {
-			return
-		}
-
-		c.Header("Access-Control-Allow-Origin", origin)
-		c.Header("Access-Control-Allow-Methods", allowedMethods)
-
-		// Handle allowed headers based on strategy
-		switch headerStrategy {
-		case "specific":
-			c.Header("Access-Control-Allow-Headers", allowedHeaders)
-		case "reflect":
-			headers := c.Request.Header.Get("Access-Control-Request-Headers")
-			if headers != "" {
-				c.Header("Access-Control-Allow-Headers", headers)
-			}
-		case "deny":
-			// Don't set the header at all
-		}
-
-		if exposedHeaders != "" {
-			c.Header("Access-Control-Expose-Headers", exposedHeaders)
-		}
-
-		c.Header("Access-Control-Allow-Credentials", allowCredentials)
-
-		if opts.MaxAge != "" {
-			c.Header("Access-Control-Max-Age", opts.MaxAge)
-		}
-
-		c.Writer.Header().Add("Vary", "Origin, Access-Control-Request-Method")
-	}
-
-	return func(c *gin.Context) {
-		origin := c.Request.Header.Get("Origin")
-		if c.Request.Method == http.MethodOptions {
-			f(c, origin)
-
-			c.Header("Content-Length", "0")
-			c.AbortWithStatus(http.StatusNoContent)
-
-			return
-		}
-
-		if origin != "" {
-			f(c, origin)
-		}
-
-		c.Next()
-	}
-}

internal/lib/oapi/middleware/cors_test.go

@@ -1,323 +0,0 @@
-package middleware_test
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/gin-gonic/gin"
-	"github.com/google/go-cmp/cmp"
-	"github.com/nhost/nhost/internal/lib/oapi/middleware"
-)
-
-func TestCORS(t *testing.T) { //nolint:maintidx
-	t.Parallel()
-
-	gin.SetMode(gin.TestMode)
-
-	cases := []struct {
-		name           string
-		opts           middleware.CORSOptions
-		requestMethod  string
-		requestOrigin  string
-		requestHeaders map[string]string
-		wantStatus     int
-		wantHeaders    http.Header
-		expectNext     bool
-	}{
-		{
-			name: "OPTIONS request with allowed origin",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET", "POST"},
-				AllowedHeaders: []string{"Content-Type", "Authorization"},
-			},
-			requestMethod:  "OPTIONS",
-			requestHeaders: map[string]string{},
-			requestOrigin:  "https://example.com",
-			wantStatus:     http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Origin":      []string{"https://example.com"},
-				"Access-Control-Allow-Methods":     []string{"GET, POST"},
-				"Access-Control-Allow-Headers":     []string{"Content-Type, Authorization"},
-				"Access-Control-Allow-Credentials": []string{"false"},
-				"Vary": []string{
-					"Origin, Access-Control-Request-Method",
-				},
-				"Content-Length": []string{"0"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "OPTIONS request with wildcard origin",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"*"},
-				AllowedMethods: []string{"GET", "POST", "PUT", "DELETE"},
-			},
-			requestMethod:  "OPTIONS",
-			requestHeaders: map[string]string{},
-			requestOrigin:  "https://any-origin.com",
-			wantStatus:     http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Origin":  []string{"https://any-origin.com"},
-				"Access-Control-Allow-Methods": []string{"GET, POST, PUT, DELETE"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "OPTIONS request with disallowed origin",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET", "POST"},
-			},
-			requestMethod:  "OPTIONS",
-			requestHeaders: map[string]string{},
-			requestOrigin:  "https://malicious.com",
-			wantStatus:     http.StatusNoContent,
-			wantHeaders:    http.Header{},
-			expectNext:     false,
-		},
-		{
-			name: "OPTIONS request with reflected headers (nil)",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"POST"},
-				AllowedHeaders: nil,
-			},
-			requestMethod: "OPTIONS",
-			requestOrigin: "https://example.com",
-			requestHeaders: map[string]string{
-				"Access-Control-Request-Headers": "X-Custom-Header, X-Another-Header",
-			},
-			wantStatus: http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Headers": []string{"X-Custom-Header, X-Another-Header"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "OPTIONS request with denied headers (empty slice)",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"POST"},
-				AllowedHeaders: []string{},
-			},
-			requestMethod: "OPTIONS",
-			requestOrigin: "https://example.com",
-			requestHeaders: map[string]string{
-				"Access-Control-Request-Headers": "X-Custom-Header, X-Another-Header",
-			},
-			wantStatus:  http.StatusNoContent,
-			wantHeaders: http.Header{},
-			expectNext:  false,
-		},
-		{
-			name: "OPTIONS request with nil headers and no request headers",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET"},
-				AllowedHeaders: nil,
-			},
-			requestMethod:  "OPTIONS",
-			requestOrigin:  "https://example.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusNoContent,
-			wantHeaders:    http.Header{},
-			expectNext:     false,
-		},
-		{
-			name: "OPTIONS request with credentials enabled",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins:   []string{"https://example.com"},
-				AllowedMethods:   []string{"GET"},
-				AllowCredentials: true,
-			},
-			requestMethod:  "OPTIONS",
-			requestOrigin:  "https://example.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Credentials": []string{"true"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "OPTIONS request with MaxAge",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET"},
-				MaxAge:         "3600",
-			},
-			requestMethod:  "OPTIONS",
-			requestOrigin:  "https://example.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Max-Age": []string{"3600"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "OPTIONS request with exposed headers",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET"},
-				ExposedHeaders: []string{"X-Custom-Response", "X-Total-Count"},
-			},
-			requestMethod:  "OPTIONS",
-			requestOrigin:  "https://example.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusNoContent,
-			wantHeaders: http.Header{
-				"Access-Control-Expose-Headers": []string{"X-Custom-Response, X-Total-Count"},
-			},
-			expectNext: false,
-		},
-		{
-			name: "GET request with allowed origin",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET", "POST"},
-				AllowedHeaders: []string{"Content-Type"},
-			},
-			requestMethod:  "GET",
-			requestOrigin:  "https://example.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusOK,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Origin":  []string{"https://example.com"},
-				"Access-Control-Allow-Methods": []string{"GET, POST"},
-				"Access-Control-Allow-Headers": []string{"Content-Type"},
-			},
-			expectNext: true,
-		},
-		{
-			name: "POST request with disallowed origin",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET", "POST"},
-			},
-			requestMethod:  "POST",
-			requestOrigin:  "https://malicious.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusOK,
-			wantHeaders:    http.Header{},
-			expectNext:     true,
-		},
-		{
-			name: "GET request without origin header",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{"https://example.com"},
-				AllowedMethods: []string{"GET"},
-			},
-			requestMethod:  "GET",
-			requestOrigin:  "",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusOK,
-			wantHeaders:    http.Header{},
-			expectNext:     true,
-		},
-		{
-			name: "GET request with empty allowed origins (denies all)",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{},
-				AllowedMethods: []string{"GET"},
-			},
-			requestMethod:  "GET",
-			requestOrigin:  "https://any-origin.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusOK,
-			wantHeaders:    http.Header{},
-			expectNext:     true,
-		},
-		{
-			name: "GET request with nil allowed origins (allows all)",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: nil,
-				AllowedMethods: []string{"GET"},
-			},
-			requestMethod:  "GET",
-			requestOrigin:  "https://any-origin.com",
-			requestHeaders: map[string]string{},
-			wantStatus:     http.StatusOK,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Origin": []string{"https://any-origin.com"},
-			},
-			expectNext: true,
-		},
-		{
-			name: "GET request with multiple allowed origins",
-			opts: middleware.CORSOptions{ //nolint:exhaustruct
-				AllowedOrigins: []string{
-					"https://example.com",
-					"https://another-example.com",
-					"https://third-example.com",
-				},
-				AllowedMethods: []string{"GET"},
-			},
-			requestMethod:  "GET",
-			requestHeaders: map[string]string{},
-			requestOrigin:  "https://another-example.com",
-			wantStatus:     http.StatusOK,
-			wantHeaders: http.Header{
-				"Access-Control-Allow-Origin": []string{"https://another-example.com"},
-			},
-			expectNext: true,
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			// Setup router with CORS middleware
-			router := gin.New()
-			nextCalled := false
-
-			router.Use(middleware.CORS(tc.opts))
-			router.Any("/test", func(c *gin.Context) {
-				nextCalled = true
-
-				c.Status(http.StatusOK)
-			})
-
-			// Create request
-			req := httptest.NewRequest(tc.requestMethod, "/test", nil)
-			if tc.requestOrigin != "" {
-				req.Header.Set("Origin", tc.requestOrigin)
-			}
-
-			// Add any additional request headers
-			for key, value := range tc.requestHeaders {
-				req.Header.Set(key, value)
-			}
-
-			// Record response
-			w := httptest.NewRecorder()
-			router.ServeHTTP(w, req)
-
-			// Check status code
-			if w.Code != tc.wantStatus {
-				t.Errorf("expected status %d, got %d", tc.wantStatus, w.Code)
-			}
-
-			// Check expected headers using cmp.Diff
-			// Only compare headers that are expected
-			gotHeaders := make(http.Header)
-			for key := range tc.wantHeaders {
-				if values := w.Header().Values(key); len(values) > 0 {
-					gotHeaders[key] = values
-				}
-			}
-
-			if diff := cmp.Diff(tc.wantHeaders, gotHeaders); diff != "" {
-				t.Errorf("response headers mismatch (-want +got):\n%s", diff)
-			}
-
-			// Check if Next() was called
-			if nextCalled != tc.expectNext {
-				t.Errorf("expected Next() called to be %v, got %v", tc.expectNext, nextCalled)
-			}
-		})
-	}
-}

internal/lib/oapi/oapi.go

@@ -1,69 +0,0 @@
-package oapi
-
-import (
-	"fmt"
-	"log/slog"
-	"net/http"
-
-	"github.com/getkin/kin-openapi/openapi3"
-	"github.com/getkin/kin-openapi/openapi3filter"
-	"github.com/gin-gonic/gin"
-	"github.com/nhost/nhost/internal/lib/oapi/example/api"
-	"github.com/nhost/nhost/internal/lib/oapi/middleware"
-)
-
-func surfaceErrorsMiddleWare(c *gin.Context) {
-	// this captures two cases as far as I can see:
-	// 1. request validation errors where the strict generated code fails
-	//    to bind the request to the struct (i.e. "invalid param" test)
-	// 2. when a handler returns an error instead of a response
-	c.Next()
-
-	if len(c.Errors) > 0 && !c.IsAborted() {
-		var errorCode string
-		switch c.Writer.Status() {
-		case http.StatusBadRequest:
-			errorCode = "bad-request"
-		default:
-			errorCode = "internal-server-error"
-		}
-
-		c.JSON(
-			c.Writer.Status(),
-			gin.H{"errors": errorCode, "message": c.Errors[0].Error()},
-		)
-	}
-}
-
-// NewRouter creates a Gin router with OpenAPI request validation middleware.
-func NewRouter(
-	schema []byte,
-	apiPrefix string,
-	authenticationFunc openapi3filter.AuthenticationFunc,
-	corsOptions middleware.CORSOptions,
-	logger *slog.Logger,
-) (*gin.Engine, func(c *gin.Context), error) {
-	router := gin.New()
-
-	loader := openapi3.NewLoader()
-
-	doc, err := loader.LoadFromData(schema)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to load OpenAPI schema: %w", err)
-	}
-
-	doc.AddServer(&openapi3.Server{ //nolint:exhaustruct
-		URL: apiPrefix,
-	})
-
-	router.Use(
-		gin.Recovery(),
-		surfaceErrorsMiddleWare,
-		middleware.Logger(logger),
-		middleware.CORS(corsOptions),
-	)
-
-	mw := api.MiddlewareFunc(requestValidatorWithOptions(doc, authenticationFunc))
-
-	return router, mw, nil
-}

internal/lib/oapi/request.go

@@ -1,128 +0,0 @@
-package oapi
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-
-	"github.com/getkin/kin-openapi/openapi3"
-	"github.com/getkin/kin-openapi/openapi3filter"
-	"github.com/getkin/kin-openapi/routers"
-	"github.com/getkin/kin-openapi/routers/gorillamux"
-	"github.com/gin-gonic/gin"
-)
-
-type ContextKey string
-
-const (
-	GinContextKey ContextKey = "nhost-oapi/gin-context"
-)
-
-func handleError(c *gin.Context, err error) {
-	var (
-		errReq    *openapi3filter.RequestError
-		errSchema *openapi3.SchemaError
-		errAuth   *AuthenticatorError
-		errSec    *openapi3filter.SecurityRequirementsError
-	)
-	switch {
-	case errors.As(err, &errSchema):
-		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
-			"error":  "schema-validation-error",
-			"reason": errSchema.Reason,
-		})
-	case errors.As(err, &errReq):
-		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
-			"error":  "request-validation-error",
-			"reason": errReq.Err.Error(),
-		})
-	case errors.As(err, &errAuth):
-		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-			"error":          errAuth.Code,
-			"reason":         errAuth.Message,
-			"securityScheme": errAuth.Scheme,
-		})
-	case errors.As(err, &errSec):
-		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-			"error":  "unauthorized",
-			"reason": errSec.Error(),
-		})
-	default:
-		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-	}
-}
-
-func requestValidatorWithOptions(
-	swagger *openapi3.T,
-	authFn openapi3filter.AuthenticationFunc,
-) gin.HandlerFunc {
-	router, err := gorillamux.NewRouter(swagger)
-	if err != nil {
-		panic(err)
-	}
-
-	return func(c *gin.Context) {
-		if err := validateRequestFromContext(c, router, authFn); err != nil {
-			handleError(c, err)
-		}
-
-		c.Next()
-	}
-}
-
-func validateRequestFromContext(
-	c *gin.Context,
-	router routers.Router,
-	authFn openapi3filter.AuthenticationFunc,
-) error {
-	route, pathParams, err := router.FindRoute(c.Request)
-	if err != nil {
-		var e *routers.RouteError
-		switch {
-		case errors.As(err, &e):
-			return e
-		default:
-			return fmt.Errorf("error validating route: %w", err)
-		}
-	}
-
-	validationInput := &openapi3filter.RequestValidationInput{ //nolint:exhaustruct
-		Request:    c.Request,
-		PathParams: pathParams,
-		Route:      route,
-		Options: &openapi3filter.Options{
-			AuthenticationFunc:          authFn,
-			ExcludeRequestBody:          false,
-			ExcludeRequestQueryParams:   false,
-			ExcludeResponseBody:         false,
-			ExcludeReadOnlyValidations:  false,
-			ExcludeWriteOnlyValidations: false,
-			IncludeResponseStatus:       false,
-			MultiError:                  false,
-			RegexCompiler:               nil,
-			SkipSettingDefaults:         false,
-		},
-	}
-
-	requestContext := context.WithValue(c.Request.Context(), GinContextKey, c)
-	if err := openapi3filter.ValidateRequest(requestContext, validationInput); err != nil {
-		return err //nolint:wrapcheck
-	}
-
-	return nil
-}
-
-func GetGinContext(c context.Context) *gin.Context {
-	v := c.Value(GinContextKey)
-	if v == nil {
-		return nil
-	}
-
-	ginCtx, ok := v.(*gin.Context)
-	if !ok {
-		return nil
-	}
-
-	return ginCtx
-}

nixops/lib/go/go.nix

@@ -114,13 +114,13 @@ in
         echo "➜ Running golangci-lint"
         golangci-lint run \
           --timeout 600s \
-          ./...
+          ./${submodule}/...
 
         echo "➜ Running tests"
         richgo test \
           -tags="${pkgs.lib.strings.concatStringsSep " " tags}" \
           -ldflags="${pkgs.lib.strings.concatStringsSep " " ldflags}" \
-          -v ${goTestFlags} ./...
+          -v ${goTestFlags} ./${submodule}/...
 
         ${extraCheck}
 

packages/nhost-js/CHANGELOG.md

@@ -1,24 +1,3 @@
-## [@nhost/nhost-js@4.1.0] - 2025-11-04
-
-### 🚀 Features
-
-- *(nhost-js)* Added pushChainFunction to functions and graphql clients (#3610)
-- *(nhost-js)* Added various middlewares to work with headers and customizable createNhostClient (#3612)
-- *(auth)* Added endpoints to retrieve and refresh oauth2 providers' tokens (#3614)
-
-
-### 🐛 Bug Fixes
-
-- *(dashboard)* Run audit and lint in dashboard (#3578)
-- *(nhost-js)* Improvements to Session guard to avoid conflict with ProviderSession (#3662)
-
-
-### ⚙️ Miscellaneous Tasks
-
-- *(nhost-js)* Generate code from local API definitions (#3583)
-- *(docs)* Udpated README.md and CONTRIBUTING.md (#3587)
-- *(nhost-js)* Regenerate types (#3648)
-
 # Changelog
 
 All notable changes to this project will be documented in this file.

packages/nhost-js/src/fetch/middlewareUpdateSessionFromResponse.ts

@@ -46,7 +46,7 @@ export const updateSessionFromResponseMiddleware = (
       return body.session || null;
     }
 
-    if ("accessToken" in body && "refreshToken" in body && "user" in body) {
+    if ("accessToken" in body && "refreshToken" in body) {
       // Session
       return body;
     }

services/auth/CHANGELOG.md

@@ -1,23 +1,3 @@
-## [auth@0.43.0] - 2025-11-04
-
-### 🚀 Features
-
-- *(auth)* Encrypt TOTP secret (#3619)
-- *(auth)* Added endpoints to retrieve and refresh oauth2 providers' tokens (#3614)
-- *(auth)* If the callback state is wrong send back to the redirectTo as provider_state (#3649)
-- *(internal/lib)* Common oapi middleware for go services (#3663)
-
-
-### 🐛 Bug Fixes
-
-- *(auth)* Dont mutate client URL (#3660)
-
-
-### ⚙️ Miscellaneous Tasks
-
-- *(docs)* Fix broken link in openapi spec and minor mistakes in postmark integration info (#3621)
-- *(nixops)* Bump go to 1.25.3 and nixpkgs due to CVEs (#3652)
-
 # Changelog
 
 All notable changes to this project will be documented in this file.

services/auth/CLAUDE.md

@@ -115,13 +115,13 @@ import (
     "context"
 
     "github.com/nhost/nhost/services/auth/go/api"
-    oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
+    "github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) YourEndpoint( //nolint:ireturn
     ctx context.Context, request api.YourEndpointRequestObject,
 ) (api.YourEndpointResponseObject, error) {
-    logger := oapimw.LoggerFromContext(ctx)
+    logger := middleware.LoggerFromContext(ctx)
 
     // Validate inputs
     if apiErr := ctrl.wf.ValidateInput(request.Body.Field, logger); apiErr != nil {

services/auth/go/cmd/cors.go

@@ -0,0 +1,35 @@
+package cmd
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+func cors() gin.HandlerFunc {
+	f := func(c *gin.Context, origin string) {
+		c.Header("Access-Control-Allow-Origin", origin)
+		c.Header("Access-Control-Allow-Methods", "POST, GET")
+		headers := c.Request.Header.Get("Access-Control-Request-Headers")
+		c.Header("Access-Control-Allow-Headers", headers)
+		c.Header("Access-Control-Allow-Credentials", "true")
+		c.Header("Access-Control-Max-Age", "86400")
+		c.Writer.Header().Add("Vary", "Origin, Access-Control-Request-Method")
+	}
+
+	return func(c *gin.Context) {
+		origin := c.Request.Header.Get("Origin")
+		if c.Request.Method == http.MethodOptions {
+			f(c, origin)
+
+			c.Header("Content-Length", "0")
+			c.AbortWithStatus(http.StatusNoContent)
+		}
+
+		if origin != "" {
+			f(c, origin)
+		}
+
+		c.Next()
+	}
+}

services/auth/go/cmd/serve.go

@@ -8,9 +8,9 @@ import (
 	"time"
 
 	"github.com/bradfitz/gomemcache/memcache"
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/gin-gonic/gin"
-	"github.com/nhost/nhost/internal/lib/oapi"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/docs"
 	"github.com/nhost/nhost/services/auth/go/api"
 	"github.com/nhost/nhost/services/auth/go/controller"
@@ -21,6 +21,7 @@ import (
 	"github.com/nhost/nhost/services/auth/go/oidc"
 	"github.com/nhost/nhost/services/auth/go/providers"
 	"github.com/nhost/nhost/services/auth/go/sql"
+	ginmiddleware "github.com/oapi-codegen/gin-middleware"
 	"github.com/urfave/cli/v3"
 )
 
@@ -1295,42 +1296,87 @@ func getDependencies( //nolint:ireturn
 	return emailer, sms, jwtGetter, idTokenValidator, nil
 }
 
-func getCORSOptions() oapimw.CORSOptions {
-	return oapimw.CORSOptions{
-		AllowedOrigins:   []string{"*"},
-		AllowedMethods:   []string{"POST", "GET"},
-		AllowedHeaders:   nil,
-		ExposedHeaders:   []string{},
-		AllowCredentials: true,
-		MaxAge:           "86400",
-	}
-}
-
-func getGoServer(
+func getGoServer( //nolint:funlen
 	ctx context.Context,
 	cmd *cli.Command,
 	db *sql.Queries,
 	encrypter *crypto.Encrypter,
 	logger *slog.Logger,
 ) (*http.Server, error) {
-	ctrl, jwtGetter, err := getController(ctx, cmd, db, encrypter, logger)
+	router := gin.New()
+
+	loader := openapi3.NewLoader()
+
+	doc, err := loader.LoadFromData(docs.OpenAPISchema)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load OpenAPI schema: %w", err)
+	}
+
+	doc.AddServer(&openapi3.Server{ //nolint:exhaustruct
+		URL: cmd.String(flagAPIPrefix),
+	})
+
+	handlers := []gin.HandlerFunc{
+		// ginmiddleware.OapiRequestValidator(doc),
+		gin.Recovery(),
+		cors(),
+		middleware.Logger(logger), //nolint:contextcheck
+	}
+
+	if cmd.Bool(flagRateLimitEnable) {
+		handlers = append(handlers, getRateLimiter(cmd, logger)) //nolint:contextcheck
+	}
+
+	if cmd.String(flagTurnstileSecret) != "" {
+		handlers = append(handlers, middleware.Tunrstile( //nolint:contextcheck
+			cmd.String(flagTurnstileSecret), cmd.String(flagAPIPrefix)),
+		)
+	}
+
+	router.Use(handlers...)
+
+	config, err := getConfig(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("problem creating config: %w", err)
+	}
+
+	emailer, smsClient, jwtGetter, idTokenValidator, err := getDependencies(ctx, cmd, db, logger)
 	if err != nil {
 		return nil, err
 	}
 
-	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
-
-	router, mw, err := oapi.NewRouter( //nolint:contextcheck
-		docs.OpenAPISchema,
-		cmd.String(flagAPIPrefix),
-		jwtGetter.MiddlewareFunc,
-		getCORSOptions(),
-		logger,
-	)
+	oauthProviders, err := getOauth2Providers(ctx, cmd, logger)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create router: %w", err)
+		return nil, fmt.Errorf("problem creating oauth providers: %w", err)
 	}
 
+	ctrl, err := controller.New(
+		db,
+		config,
+		jwtGetter,
+		emailer,
+		smsClient,
+		hibp.NewClient(),
+		oauthProviders,
+		idTokenValidator,
+		controller.NewTotp(cmd.String(flagMfaTotpIssuer), time.Now),
+		encrypter,
+		cmd.Root().Version,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create controller: %w", err)
+	}
+
+	handler := api.NewStrictHandler(ctrl, []api.StrictMiddlewareFunc{})
+	mw := api.MiddlewareFunc(ginmiddleware.OapiRequestValidatorWithOptions(
+		doc,
+		&ginmiddleware.Options{ //nolint:exhaustruct
+			Options: openapi3filter.Options{ //nolint:exhaustruct
+				AuthenticationFunc: jwtGetter.MiddlewareFunc,
+			},
+			SilenceServersWarning: true,
+		},
+	))
 	api.RegisterHandlersWithOptions(
 		router,
 		handler,
@@ -1341,16 +1387,6 @@ func getGoServer(
 		},
 	)
 
-	if cmd.Bool(flagRateLimitEnable) {
-		router.Use(getRateLimiter(cmd, logger)) //nolint:contextcheck
-	}
-
-	if cmd.String(flagTurnstileSecret) != "" {
-		router.Use(middleware.Tunrstile( //nolint:contextcheck
-			cmd.String(flagTurnstileSecret), cmd.String(flagAPIPrefix),
-		))
-	}
-
 	if cmd.Bool(flagEnableChangeEnv) {
 		router.POST(cmd.String(flagAPIPrefix)+"/change-env", ctrl.PostChangeEnv)
 	}
@@ -1374,48 +1410,6 @@ func getGoServer(
 	return server, nil
 }
 
-func getController(
-	ctx context.Context,
-	cmd *cli.Command,
-	db *sql.Queries,
-	encrypter *crypto.Encrypter,
-	logger *slog.Logger,
-) (*controller.Controller, *controller.JWTGetter, error) {
-	config, err := getConfig(cmd)
-	if err != nil {
-		return nil, nil, fmt.Errorf("problem creating config: %w", err)
-	}
-
-	emailer, smsClient, jwtGetter, idTokenValidator, err := getDependencies(ctx, cmd, db, logger)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	oauthProviders, err := getOauth2Providers(ctx, cmd, logger)
-	if err != nil {
-		return nil, nil, fmt.Errorf("problem creating oauth providers: %w", err)
-	}
-
-	ctrl, err := controller.New(
-		db,
-		config,
-		jwtGetter,
-		emailer,
-		smsClient,
-		hibp.NewClient(),
-		oauthProviders,
-		idTokenValidator,
-		controller.NewTotp(cmd.String(flagMfaTotpIssuer), time.Now),
-		encrypter,
-		cmd.Root().Version,
-	)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create controller: %w", err)
-	}
-
-	return ctrl, jwtGetter, nil
-}
-
 func serve(ctx context.Context, cmd *cli.Command) error {
 	logger := getLogger(cmd.Bool(flagDebug), cmd.Bool(flagLogFormatTEXT))
 	logger.InfoContext(ctx, cmd.Root().Name+" v"+cmd.Root().Version)

services/auth/go/controller/add_security_key.go

@@ -6,15 +6,15 @@ import (
 
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) AddSecurityKey( //nolint:ireturn
 	ctx context.Context,
 	_ api.AddSecurityKeyRequestObject,
 ) (api.AddSecurityKeyResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/change_user_email.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
 func (ctrl *Controller) ChangeUserEmail( //nolint:ireturn
 	ctx context.Context, request api.ChangeUserEmailRequestObject,
 ) (api.ChangeUserEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	options, apiErr := ctrl.wf.ValidateOptionsRedirectTo(ctx, request.Body.Options, logger)
 	if apiErr != nil {

services/auth/go/controller/change_user_mfa_get.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
 func (ctrl *Controller) ChangeUserMfa( //nolint:ireturn
 	ctx context.Context, _ api.ChangeUserMfaRequestObject,
 ) (api.ChangeUserMfaResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.MfaEnabled {
 		logger.WarnContext(ctx, "mfa disabled")

services/auth/go/controller/change_user_password.go

@@ -5,8 +5,8 @@ import (
 	"log/slog"
 
 	"github.com/golang-jwt/jwt/v5"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) postUserPasswordAuthenticated( //nolint:ireturn
@@ -61,7 +61,7 @@ func (ctrl *Controller) ChangeUserPassword( //nolint:ireturn
 	ctx context.Context,
 	request api.ChangeUserPasswordRequestObject,
 ) (api.ChangeUserPasswordResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	jwtToken, ok := ctrl.wf.jwtGetter.FromContext(ctx)
 	if ok {

services/auth/go/controller/create_pat.go

@@ -4,15 +4,15 @@ import (
 	"context"
 
 	"github.com/google/uuid"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
 func (ctrl *Controller) CreatePAT( //nolint:ireturn
 	ctx context.Context, request api.CreatePATRequestObject,
 ) (api.CreatePATResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	user, apiErr := ctrl.wf.GetUserFromJWTInContext(ctx, logger)
 	if apiErr != nil {

services/auth/go/controller/deanonymize_user.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
@@ -77,7 +77,7 @@ func (ctrl *Controller) postUserDeanonymizeValidateRequest( //nolint:cyclop
 func (ctrl *Controller) DeanonymizeUser( //nolint:funlen
 	ctx context.Context, request api.DeanonymizeUserRequestObject,
 ) (api.DeanonymizeUserResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	userID, password, options, apiError := ctrl.postUserDeanonymizeValidateRequest(

services/auth/go/controller/elevate_webauthn.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) ElevateWebauthn( //nolint:ireturn
 	ctx context.Context,
 	_ api.ElevateWebauthnRequestObject,
 ) (api.ElevateWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/errors.go

@@ -21,6 +21,8 @@ func (e *APIError) Error() string {
 	return fmt.Sprintf("API error: %s", e.t)
 }
 
+var ErrElevatedClaimRequired = errors.New("elevated-claim-required")
+
 var (
 	ErrJWTConfiguration = errors.New("jwt-configuration")
 
@@ -523,7 +525,7 @@ func (ctrl *Controller) sendRedirectError(
 ) ErrorRedirectResponse {
 	errResponse := ctrl.getError(err)
 
-	redirectURL = appendURLValues(redirectURL, map[string]string{
+	redirectURL = generateRedirectURL(redirectURL, map[string]string{
 		"error":            string(errResponse.Error),
 		"errorDescription": errResponse.Message,
 	})
@@ -565,3 +567,17 @@ func sqlIsDuplcateError(err error, fkey string) bool {
 	return strings.Contains(err.Error(), "SQLSTATE 23505") &&
 		strings.Contains(err.Error(), fkey)
 }
+
+func generateRedirectURL(
+	redirectTo *url.URL,
+	opts map[string]string,
+) *url.URL {
+	q := redirectTo.Query()
+	for k, v := range opts {
+		q.Set(k, v)
+	}
+
+	redirectTo.RawQuery = q.Encode()
+
+	return redirectTo
+}

services/auth/go/controller/get_provider_tokens.go

@@ -7,8 +7,8 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -16,7 +16,7 @@ func (ctrl *Controller) GetProviderTokens( //nolint:ireturn
 	ctx context.Context,
 	req api.GetProviderTokensRequestObject,
 ) (api.GetProviderTokensResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 	logger = logger.With("provider", req.Provider)
 
 	user, apiErr := ctrl.wf.GetUserFromJWTInContext(ctx, logger)

services/auth/go/controller/get_user.go

@@ -4,15 +4,15 @@ import (
 	"context"
 	"encoding/json"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/oapi-codegen/runtime/types"
 )
 
 func (ctrl *Controller) GetUser( //nolint:ireturn
 	ctx context.Context, _ api.GetUserRequestObject,
 ) (api.GetUserResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	// Get authenticated user from JWT
 	user, apiErr := ctrl.wf.GetUserFromJWTInContext(ctx, logger)

services/auth/go/controller/jwt.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log/slog"
 	"reflect"
@@ -16,8 +17,8 @@ import (
 	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
-	"github.com/nhost/nhost/internal/lib/oapi"
 	"github.com/nhost/nhost/services/auth/go/api"
+	ginmiddleware "github.com/oapi-codegen/gin-middleware"
 )
 
 const JWTContextKey = "nhost/auth/jwt"
@@ -339,7 +340,7 @@ func (j *JWTGetter) Validate(accessToken string) (*jwt.Token, error) {
 func (j *JWTGetter) FromContext(ctx context.Context) (*jwt.Token, bool) {
 	token, ok := ctx.Value(JWTContextKey).(*jwt.Token)
 	if !ok { //nolint:nestif
-		c := oapi.GetGinContext(ctx)
+		c := ginmiddleware.GetGinContext(ctx)
 		if c != nil {
 			a, ok := c.Get(JWTContextKey)
 			if !ok {
@@ -414,28 +415,16 @@ func (j *JWTGetter) MiddlewareFunc(
 
 	parts := strings.Split(authHeader, " ")
 	if len(parts) != 2 || parts[0] != "Bearer" {
-		return &oapi.AuthenticatorError{
-			Scheme:  input.SecuritySchemeName,
-			Code:    "unauthorized",
-			Message: "missing or malformed authorization header",
-		}
+		return errors.New("invalid authorization header") //nolint:err113
 	}
 
 	jwtToken, err := j.Validate(parts[1])
 	if err != nil {
-		return &oapi.AuthenticatorError{
-			Scheme:  input.SecuritySchemeName,
-			Code:    "unauthorized",
-			Message: fmt.Sprintf("error validating token: %s", err),
-		}
+		return fmt.Errorf("error validating token: %w", err)
 	}
 
 	if !jwtToken.Valid {
-		return &oapi.AuthenticatorError{
-			Scheme:  input.SecuritySchemeName,
-			Code:    "unauthorized",
-			Message: "invalid token",
-		}
+		return errors.New("invalid token") //nolint:err113
 	}
 
 	if input.SecuritySchemeName == "BearerAuthElevated" {
@@ -446,23 +435,15 @@ func (j *JWTGetter) MiddlewareFunc(
 
 		found, err := j.verifyElevatedClaim(ctx, jwtToken, requestPath)
 		if err != nil {
-			return &oapi.AuthenticatorError{
-				Scheme:  input.SecuritySchemeName,
-				Code:    "unauthorized",
-				Message: fmt.Sprintf("error verifying elevated claim: %s", err),
-			}
+			return fmt.Errorf("error verifying elevated claim: %w", err)
 		}
 
 		if !found {
-			return &oapi.AuthenticatorError{
-				Scheme:  input.SecuritySchemeName,
-				Code:    "unauthorized",
-				Message: "elevated claim required",
-			}
+			return ErrElevatedClaimRequired
 		}
 	}
 
-	c := oapi.GetGinContext(ctx)
+	c := ginmiddleware.GetGinContext(ctx)
 	c.Set(JWTContextKey, jwtToken)
 
 	return nil

services/auth/go/controller/jwt_test.go

@@ -3,6 +3,7 @@ package controller_test
 import (
 	"context"
 	"crypto"
+	"errors"
 	"log/slog"
 	"net/http"
 	"net/url"
@@ -15,9 +16,9 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
-	"github.com/nhost/nhost/internal/lib/oapi"
 	"github.com/nhost/nhost/services/auth/go/controller"
 	"github.com/nhost/nhost/services/auth/go/controller/mock"
+	ginmiddleware "github.com/oapi-codegen/gin-middleware"
 	"go.uber.org/mock/gomock"
 )
 
@@ -534,12 +535,8 @@ func TestMiddlewareFunc(t *testing.T) { //nolint:maintidx
 				SecurityScheme:     nil,
 				Scopes:             []string{},
 			},
-			expected: nil,
-			expectedErr: &oapi.AuthenticatorError{
-				Scheme:  "BearerAuthElevated",
-				Code:    "unauthorized",
-				Message: "elevated claim required",
-			},
+			expected:    nil,
+			expectedErr: controller.ErrElevatedClaimRequired,
 		},
 
 		{
@@ -562,12 +559,8 @@ func TestMiddlewareFunc(t *testing.T) { //nolint:maintidx
 				SecurityScheme:     nil,
 				Scopes:             []string{},
 			},
-			expected: nil,
-			expectedErr: &oapi.AuthenticatorError{
-				Scheme:  "BearerAuthElevated",
-				Code:    "unauthorized",
-				Message: "elevated claim required",
-			},
+			expected:    nil,
+			expectedErr: controller.ErrElevatedClaimRequired,
 		},
 
 		{
@@ -770,13 +763,13 @@ func TestMiddlewareFunc(t *testing.T) { //nolint:maintidx
 			//nolint
 			ctx := context.WithValue(
 				context.Background(),
-				oapi.GinContextKey,
+				ginmiddleware.GinContextKey,
 				&gin.Context{},
 			)
 
 			err = jwtGetter.MiddlewareFunc(ctx, tc.request)
-			if diff := cmp.Diff(err, tc.expectedErr); diff != "" {
-				t.Errorf("err mismatch (-want +got):\n%s", diff)
+			if !errors.Is(err, tc.expectedErr) {
+				t.Errorf("err = %v; want %v", err, tc.expectedErr)
 			}
 
 			got, _ := jwtGetter.FromContext(ctx)

services/auth/go/controller/link_id_token.go

@@ -3,14 +3,14 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) LinkIdToken( //nolint:ireturn,revive
 	ctx context.Context, req api.LinkIdTokenRequestObject,
 ) (api.LinkIdTokenResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	profile, apiErr := ctrl.wf.GetOIDCProfileFromIDToken(
 		ctx,

services/auth/go/controller/refresh_provider_token.go

@@ -3,15 +3,15 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"golang.org/x/oauth2"
 )
 
 func (ctrl *Controller) RefreshProviderToken( //nolint:ireturn
 	ctx context.Context, req api.RefreshProviderTokenRequestObject,
 ) (api.RefreshProviderTokenResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 	logger = logger.With("provider", req.Provider)
 
 	provider := ctrl.Providers.Get(string(req.Provider))

services/auth/go/controller/refresh_token.go

@@ -4,15 +4,15 @@ import (
 	"context"
 	"errors"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
 func (ctrl *Controller) RefreshToken( //nolint:ireturn
 	ctx context.Context, request api.RefreshTokenRequestObject,
 ) (api.RefreshTokenResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	user, apiErr := ctrl.wf.GetUserByRefreshTokenHash(
 		ctx,

services/auth/go/controller/send_password_reset_email.go

@@ -6,8 +6,8 @@ import (
 	"log/slog"
 	"time"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
@@ -15,7 +15,7 @@ func (ctrl *Controller) SendPasswordResetEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.SendPasswordResetEmailRequestObject,
 ) (api.SendPasswordResetEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	options, err := ctrl.wf.ValidateOptionsRedirectTo(ctx, request.Body.Options, logger)

services/auth/go/controller/send_verification_email.go

@@ -6,8 +6,8 @@ import (
 	"log/slog"
 	"time"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
@@ -15,7 +15,7 @@ func (ctrl *Controller) SendVerificationEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.SendVerificationEmailRequestObject,
 ) (api.SendVerificationEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	options, apiErr := ctrl.wf.ValidateOptionsRedirectTo(ctx, request.Body.Options, logger)

services/auth/go/controller/sign_in_anonymous.go

@@ -5,8 +5,8 @@ import (
 	"log/slog"
 	"slices"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) postSigninAnonymousValidateRequest(
@@ -49,7 +49,7 @@ func (ctrl *Controller) postSigninAnonymousValidateRequest(
 func (ctrl *Controller) SignInAnonymous( //nolint:ireturn
 	ctx context.Context, req api.SignInAnonymousRequestObject,
 ) (api.SignInAnonymousResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	req, apiErr := ctrl.postSigninAnonymousValidateRequest(ctx, req, logger)
 	if apiErr != nil {

services/auth/go/controller/sign_in_email_password.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) postSigninEmailPasswordWithTOTP( //nolint:ireturn
@@ -33,7 +33,7 @@ func (ctrl *Controller) postSigninEmailPasswordWithTOTP( //nolint:ireturn
 func (ctrl *Controller) SignInEmailPassword( //nolint:ireturn
 	ctx context.Context, request api.SignInEmailPasswordRequestObject,
 ) (api.SignInEmailPasswordResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	user, apiErr := ctrl.wf.GetUserByEmail(ctx, string(request.Body.Email), logger)

services/auth/go/controller/sign_in_id_token.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/oidc"
 	"github.com/nhost/nhost/services/auth/go/sql"
 	"github.com/oapi-codegen/runtime/types"
@@ -45,7 +45,7 @@ func (ctrl *Controller) postSigninIdtokenCheckUserExists(
 func (ctrl *Controller) SignInIdToken( //nolint:ireturn,revive
 	ctx context.Context, req api.SignInIdTokenRequestObject,
 ) (api.SignInIdTokenResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	profile, apiError := ctrl.wf.GetOIDCProfileFromIDToken(
 		ctx,

services/auth/go/controller/sign_in_otp_email.go

@@ -8,8 +8,8 @@ import (
 	"math/big"
 	"time"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 )
 
@@ -26,7 +26,7 @@ func (ctrl *Controller) SignInOTPEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInOTPEmailRequestObject,
 ) (api.SignInOTPEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	if !ctrl.config.OTPEmailEnabled {

services/auth/go/controller/sign_in_passwordless_email.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/notifications"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
@@ -19,7 +19,7 @@ func (ctrl *Controller) SignInPasswordlessEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInPasswordlessEmailRequestObject,
 ) (api.SignInPasswordlessEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	if !ctrl.config.EmailPasswordlessEnabled {

services/auth/go/controller/sign_in_passwordless_sms.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -18,7 +18,7 @@ func (ctrl *Controller) SignInPasswordlessSms( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInPasswordlessSmsRequestObject,
 ) (api.SignInPasswordlessSmsResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("phoneNumber", request.Body.PhoneNumber))
 
 	if !ctrl.config.SMSPasswordlessEnabled {

services/auth/go/controller/sign_in_pat.go

@@ -3,8 +3,8 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -12,7 +12,7 @@ func (ctrl *Controller) SignInPAT( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInPATRequestObject,
 ) (api.SignInPATResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	user, apiErr := ctrl.wf.GetUserByRefreshTokenHash(
 		ctx,

services/auth/go/controller/sign_in_provider.go

@@ -7,8 +7,8 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) getSigninProviderValidateRequest(
@@ -42,7 +42,7 @@ func (ctrl *Controller) SignInProvider( //nolint:ireturn
 	ctx context.Context,
 	req api.SignInProviderRequestObject,
 ) (api.SignInProviderResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("provider", string(req.Provider)))
 
 	redirectTo, apiErr := ctrl.getSigninProviderValidateRequest(ctx, req, logger)

services/auth/go/controller/sign_in_provider_callback_get.go

@@ -9,8 +9,8 @@ import (
 
 	"golang.org/x/oauth2"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/oidc"
 	"github.com/nhost/nhost/services/auth/go/providers"
 	"github.com/nhost/nhost/services/auth/go/sql"
@@ -47,18 +47,13 @@ func (ctrl *Controller) getStateData(
 	return stateData, nil
 }
 
-func appendURLValues(u *url.URL, values map[string]string) *url.URL {
-	n := *u
-	u = &n
-
+func attachURLValues(u *url.URL, values map[string]string) {
 	q := u.Query()
 	for k, v := range values {
 		q.Set(k, v)
 	}
 
 	u.RawQuery = q.Encode()
-
-	return u
 }
 
 func (ctrl *Controller) signinProviderProviderCallbackValidate(
@@ -70,7 +65,7 @@ func (ctrl *Controller) signinProviderProviderCallbackValidate(
 
 	stateData, apiErr := ctrl.getStateData(ctx, req.State, logger)
 	if apiErr != nil {
-		redirectTo = appendURLValues(redirectTo, map[string]string{
+		attachURLValues(redirectTo, map[string]string{
 			"provider_state": req.State,
 		})
 
@@ -100,7 +95,7 @@ func (ctrl *Controller) signinProviderProviderCallbackValidate(
 			values["state"] = *stateData.State
 		}
 
-		redirectTo = appendURLValues(redirectTo, values)
+		attachURLValues(redirectTo, values)
 
 		return nil, nil, redirectTo, ErrOauthProviderError
 	}
@@ -112,7 +107,7 @@ func (ctrl *Controller) signinProviderProviderCallbackValidate(
 	}
 
 	if stateData.State != nil && *stateData.State != "" {
-		optionsRedirectTo = appendURLValues(optionsRedirectTo, map[string]string{
+		attachURLValues(optionsRedirectTo, map[string]string{
 			"state": *stateData.State,
 		})
 	}
@@ -220,7 +215,7 @@ func (ctrl *Controller) signinProviderProviderCallback(
 	ctx context.Context,
 	req providerCallbackData,
 ) (*url.URL, *APIError) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	options, connnect, redirectTo, apiErr := ctrl.signinProviderProviderCallbackValidate(
 		ctx,

services/auth/go/controller/sign_in_webauthn.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -54,7 +54,7 @@ func (ctrl *Controller) SignInWebauthn( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInWebauthnRequestObject,
 ) (api.SignInWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/sign_out.go

@@ -3,14 +3,14 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) SignOut( //nolint:ireturn
 	ctx context.Context, request api.SignOutRequestObject,
 ) (api.SignOutResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if deptr(request.Body.All) {
 		userID, apiErr := ctrl.wf.GetJWTInContext(ctx, logger)

services/auth/go/controller/sign_up_email_password.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -45,7 +45,7 @@ func (ctrl *Controller) SignUpEmailPassword( //nolint:ireturn
 	ctx context.Context,
 	req api.SignUpEmailPasswordRequestObject,
 ) (api.SignUpEmailPasswordResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).With(slog.String("email", string(req.Body.Email)))
+	logger := middleware.LoggerFromContext(ctx).With(slog.String("email", string(req.Body.Email)))
 
 	req, apiError := ctrl.postSignupEmailPasswordValidateRequest(ctx, req, logger)
 	if apiError != nil {

services/auth/go/controller/sign_up_webauthn.go

@@ -5,8 +5,8 @@ import (
 	"log/slog"
 
 	"github.com/google/uuid"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) postSignupWebauthnValidateRequest(
@@ -42,7 +42,7 @@ func (ctrl *Controller) SignUpWebauthn( //nolint:ireturn
 	ctx context.Context,
 	request api.SignUpWebauthnRequestObject,
 ) (api.SignUpWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	options, apiErr := ctrl.postSignupWebauthnValidateRequest(ctx, request, logger)

services/auth/go/controller/verify_add_security_key.go

@@ -5,8 +5,8 @@ import (
 	"encoding/base64"
 
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -14,7 +14,7 @@ func (ctrl *Controller) VerifyAddSecurityKey( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifyAddSecurityKeyRequestObject,
 ) (api.VerifyAddSecurityKeyResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/verify_change_user_mfa.go

@@ -5,8 +5,8 @@ import (
 	"log/slog"
 
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -99,7 +99,7 @@ func (ctrl *Controller) postUserMfaActivate( //nolint:ireturn
 func (ctrl *Controller) VerifyChangeUserMfa( //nolint:ireturn
 	ctx context.Context, req api.VerifyChangeUserMfaRequestObject,
 ) (api.VerifyChangeUserMfaResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.MfaEnabled {
 		logger.WarnContext(ctx, "mfa disabled")

services/auth/go/controller/verify_elevate_webauthn.go

@@ -7,8 +7,8 @@ import (
 
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -16,7 +16,7 @@ func (ctrl *Controller) VerifyElevateWebauthn( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifyElevateWebauthnRequestObject,
 ) (api.VerifyElevateWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/verify_sign_in_mfa_totp.go

@@ -3,14 +3,14 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) VerifySignInMfaTotp( //nolint:ireturn
 	ctx context.Context, req api.VerifySignInMfaTotpRequestObject,
 ) (api.VerifySignInMfaTotpResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.MfaEnabled {
 		logger.WarnContext(ctx, "mfa disabled")

services/auth/go/controller/verify_sign_in_otp_email.go

@@ -4,15 +4,15 @@ import (
 	"context"
 	"log/slog"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) VerifySignInOTPEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifySignInOTPEmailRequestObject,
 ) (api.VerifySignInOTPEmailResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("email", string(request.Body.Email)))
 
 	user, apiErr := ctrl.wf.GetUserByEmailAndTicket(

services/auth/go/controller/verify_sign_in_passwordless_sms.go

@@ -4,15 +4,15 @@ import (
 	"context"
 	"log/slog"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) VerifySignInPasswordlessSms( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifySignInPasswordlessSmsRequestObject,
 ) (api.VerifySignInPasswordlessSmsResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx).
+	logger := middleware.LoggerFromContext(ctx).
 		With(slog.String("phoneNumber", request.Body.PhoneNumber))
 
 	if !ctrl.config.SMSPasswordlessEnabled {

services/auth/go/controller/verify_sign_in_webauthn.go

@@ -10,8 +10,8 @@ import (
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) VerifySignInWebauthnUserHandle(
@@ -70,7 +70,7 @@ func (ctrl *Controller) VerifySignInWebauthn( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifySignInWebauthnRequestObject,
 ) (api.VerifySignInWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if !ctrl.config.WebauthnEnabled {
 		logger.ErrorContext(ctx, "webauthn is disabled")

services/auth/go/controller/verify_sign_up_webauthn.go

@@ -11,8 +11,8 @@ import (
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -85,7 +85,7 @@ func (ctrl *Controller) VerifySignUpWebauthn( //nolint:ireturn
 	ctx context.Context,
 	request api.VerifySignUpWebauthnRequestObject,
 ) (api.VerifySignUpWebauthnResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	credData, options, nickname, apiErr := ctrl.postSignupWebauthnVerifyValidateRequest(
 		ctx,

services/auth/go/controller/verify_ticket.go

@@ -7,8 +7,8 @@ import (
 	"net/url"
 	"strings"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 	"github.com/nhost/nhost/services/auth/go/sql"
 )
 
@@ -59,7 +59,7 @@ func (ctrl *Controller) getVerifyHandleTicketType(
 func (ctrl *Controller) VerifyTicket( //nolint:ireturn
 	ctx context.Context, req api.VerifyTicketRequestObject,
 ) (api.VerifyTicketResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	user, ticketType, redirectTo, apiErr := ctrl.getVerifyValidateRequest(ctx, req, logger)
 	switch {
@@ -80,7 +80,7 @@ func (ctrl *Controller) VerifyTicket( //nolint:ireturn
 		return ctrl.sendError(ErrInternalServerError), nil
 	}
 
-	redirectTo = appendURLValues(redirectTo, map[string]string{
+	redirectTo = generateRedirectURL(redirectTo, map[string]string{
 		"refreshToken": session.RefreshToken,
 		"type":         string(ticketType),
 	})

services/auth/go/controller/verify_token.go

@@ -3,14 +3,14 @@ package controller
 import (
 	"context"
 
-	oapimw "github.com/nhost/nhost/internal/lib/oapi/middleware"
 	"github.com/nhost/nhost/services/auth/go/api"
+	"github.com/nhost/nhost/services/auth/go/middleware"
 )
 
 func (ctrl *Controller) VerifyToken( //nolint:ireturn
 	ctx context.Context, request api.VerifyTokenRequestObject,
 ) (api.VerifyTokenResponseObject, error) {
-	logger := oapimw.LoggerFromContext(ctx)
+	logger := middleware.LoggerFromContext(ctx)
 
 	if request.Body != nil && request.Body.Token != nil {
 		if apiErr := ctrl.wf.VerifyJWTToken(ctx, *request.Body.Token, logger); apiErr != nil {

services/auth/go/middleware/logger.go

@@ -30,7 +30,6 @@ func LoggerFromContext(ctx context.Context) *slog.Logger { //nolint:contextcheck
 	return logger
 }
 
-// Logger is a Gin middleware that logs HTTP requests and responses using slog.
 func Logger(logger *slog.Logger) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
 		startTime := time.Now()

services/auth/project.nix

@@ -24,8 +24,6 @@ let
       ./vacuum.yaml
       ./vacuum-ignore.yaml
 
-      (inDirectory ../../internal/lib/oapi)
-
       ./go/api/server.cfg.yaml
       ./go/api/types.cfg.yaml
       ./go/sql/schema.sh

services/auth/test/routes/pat/pat.test.ts

@@ -47,7 +47,7 @@ describe('personal access token', () => {
     await request
       .post('/pat')
       .send({ expiresAt: new Date() })
-      .expect(StatusCodes.UNAUTHORIZED);
+      .expect(StatusCodes.BAD_REQUEST);
   });
 
   test('should be able to add metadata to a personal access token', async () => {
@@ -65,6 +65,7 @@ describe('personal access token', () => {
         expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
         metadata: { name: 'Test PAT' },
       })
+      .expect(StatusCodes.OK);
 
     const { rows } = await client.query(
       'SELECT * FROM auth.refresh_tokens WHERE refresh_token_hash=$1;',

services/auth/test/routes/user/email.test.ts

@@ -69,7 +69,7 @@ describe('user email', () => {
       .post('/user/email/change')
       // .set('Authorization', `Bearer ${accessToken}`)
       .send({ newEmail })
-      .expect(StatusCodes.UNAUTHORIZED);
+      .expect(StatusCodes.BAD_REQUEST);
 
     await request
       .post('/user/email/change')

services/auth/test/routes/user/user.test.ts

@@ -27,7 +27,7 @@ describe('user password', () => {
   });
 
   it('should not get user data if not signed in', async () => {
-    await request.get('/user').expect(StatusCodes.UNAUTHORIZED);
+    await request.get('/user').expect(StatusCodes.BAD_REQUEST);
   });
 
   it('should get user data if signed in', async () => {