Merge pull request 'chore(release): prepare for 0.7.1' (#244 ) from next-release into main

Reviewed-on: #244
chore(release): prepare for 0.7.1
2026-01-13 16:51:52 +00:00 · 2026-01-13 16:35:49 +00:00 · 2026-01-13 16:35:44 +00:00 · 2026-01-13 16:32:57 +00:00 · 2026-01-13 17:20:50 +01:00 · 2026-01-13 15:03:15 +00:00
30 changed files with 2053 additions and 1966 deletions
@@ -0,0 +1,20 @@
+name: auth0mock
+
+on:
+  push:
+    branches: [main]
+    tags: ['*']
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      BUILDTOOLS_CONTENT: ${{ secrets.BUILDTOOLS_CONTENT }}
+      GITEA_REPOSITORY: ${{ gitea.repository }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: buildtool/setup-buildtools-action@v1
+      - name: Build and push
+        run: unset GITEA_TOKEN && build && push
@@ -0,0 +1,9 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    uses: unboundsoftware/shared-workflows/.gitea/workflows/Release.yml@main
@@ -1,3 +1,13 @@
-node_modules/
+# IDE
 .idea/
+.vscode/
+
+# Claude
 .claude/
+
+# Go
+auth0mock
+*.exe
+*.test
+*.out
+coverage.txt
@@ -1 +0,0 @@
-24
@@ -1,2 +0,0 @@
-*.yaml
-*.yml
@@ -1,9 +0,0 @@
-{
-  "semi": false,
-  "singleQuote": true,
-  "trailingComma": "none",
-  "arrowParens": "always",
-  "quoteProps": "as-needed",
-  "bracketSpacing": true,
-  "bracketSameLine": false
-}
@@ -1 +1,3 @@
-{"version":"0.3.0"}
+{
+  "version": "0.7.1"
+}
@@ -1,3 +1,42 @@
+## [0.7.1] - 2026-01-13
+
+### 🐛 Bug Fixes
+
+- Change CI tag pattern to match all tags
+## [0.7.0] - 2026-01-13
+
+### 🚀 Features
+
+- Add tag trigger for CI build and push
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update module github.com/lestrrat-go/jwx/v3 to v3.0.13 (#239)
+## [0.6.0] - 2026-01-09
+
+### 🚀 Features
+
+- Migrate from GitLab CI to Gitea Actions
+- Add release workflow using shared workflow
+
+### 🐛 Bug Fixes
+
+- Remove incorrect digest pinning from image reference
+## [0.5.1] - 2025-12-29
+
+### 🐛 Bug Fixes
+
+- *(deps)* Update module github.com/lestrrat-go/jwx/v2 to v3
+## [0.5.0] - 2025-12-29
+
+### 🚀 Features
+
+- Migrate auth0mock from Node.js to Go
+## [0.4.0] - 2025-12-29
+
+### 🚀 Features
+
+- *(session-cleanup)* Implement session expiration cleanup
 ## [0.3.0] - 2025-12-28

 ### 🚀 Features
@@ -4,64 +4,88 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co

 ## Project Overview

-auth0mock is a Node.js/Express application that simulates an Auth0 authentication server for local development. It provides OAuth 2.0 and OpenID Connect (OIDC) endpoints compatible with the Auth0 API, allowing developers to test authentication flows without connecting to the actual Auth0 service.
+auth0mock is a Go application that simulates an Auth0 authentication server for local development. It provides OAuth 2.0 and OpenID Connect (OIDC) endpoints compatible with the Auth0 API, allowing developers to test authentication flows without connecting to the actual Auth0 service.

 ## Development Commands

 ```bash
-# Install dependencies
-yarn install
+# Build the service
+go build -o auth0mock ./cmd/service

-# Start production server (port 3333)
-yarn start
+# Run the service
+go run ./cmd/service

-# Development with auto-reload (nodemon)
-yarn dev
+# Run tests
+go test ./... -v
+
+# Run tests with coverage
+go test ./... -coverprofile=coverage.txt -covermode=atomic

 # Format code
-yarn lintfix
+gofumpt -w .
+goimports -w .

-# Check formatting
-yarn lint
+# Run pre-commit hooks
+pre-commit run --all-files
 ```

 ## Architecture

-This is a single-file Express application (`app.js`) that implements:
+```
+auth0mock/
+├── cmd/service/         # Entry point, HTTP server setup, configuration
+├── auth/                # JWT/JWK generation and signing, PKCE verification
+├── handlers/            # HTTP handlers for all endpoints
+│   └── templates/       # Embedded HTML templates (login form)
+├── store/               # In-memory session and user storage
+├── public/              # Static files (favicon)
+├── k8s/                 # Kubernetes deployment manifests
+└── Dockerfile           # Multi-stage Go build
+```

-**Authentication Endpoints:**
+**Key Packages:**
+- `auth/jwt.go` - RSA key generation, JWT signing using lestrrat-go/jwx/v2
+- `auth/pkce.go` - PKCE verification (S256 and plain methods)
+- `store/sessions.go` - Thread-safe session storage with TTL and cleanup
+- `store/users.go` - Thread-safe user storage with JSON file loading
+- `handlers/oauth.go` - OAuth token exchange, authorization, code generation
+- `handlers/discovery.go` - OIDC discovery and JWKS endpoints
+- `handlers/management.go` - Auth0 Management API endpoints

- `POST /oauth/token` - Token exchange (OAuth 2.0 authorization code flow)
+## HTTP Endpoints
+
+**Authentication:**
+- `POST /oauth/token` - Token exchange (authorization code and client_credentials)
 - `GET /authorize` - Authorization endpoint with HTML login form
 - `POST /code` - Code generation for PKCE flow

-**Discovery Endpoints:**
-
+**Discovery:**
 - `GET /.well-known/openid-configuration` - OIDC discovery document
- `GET /.well-known/jwks.json` - JSON Web Key Set for token verification
-
-**Management API (Auth0-compatible):**
+- `GET /.well-known/jwks.json` - JSON Web Key Set

+**Management API:**
 - `GET /api/v2/users-by-email` - Get user by email
 - `POST /api/v2/users` - Create user
- `PATCH /api/v2/users/:userid` - Update user
+- `PATCH /api/v2/users/{userid}` - Update user
 - `POST /api/v2/tickets/password-change` - Password change ticket

-**Key Implementation Details:**
-
- RSA 2048-bit key pair generated at startup using `node-jose`
- In-memory session and user storage (not persistent)
- PKCE support with code challenge verification
- Custom claims for admin (`https://unbound.se/admin`) and email (`https://unbound.se/email`)
+**Session:**
+- `GET /userinfo` - User information
+- `POST /tokeninfo` - Decode JWT token
+- `GET /v2/logout` - Logout and session cleanup

 ## Environment Variables

-| Variable     | Default                    | Purpose                          |
-| ------------ | -------------------------- | -------------------------------- |
-| `ISSUER`     | `localhost:3333`           | JWT issuer claim                 |
-| `AUDIENCE`   | `https://generic-audience` | JWT audience claim               |
-| `USERS_FILE` | `./users.json`             | Path to initial users JSON file  |
-| `DEBUG`      | (unset)                    | Debug logging (`app*` to enable) |
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `PORT` | `3333` | HTTP listen port |
+| `ISSUER` | `localhost:3333` | JWT issuer (without https://) |
+| `AUDIENCE` | `https://generic-audience` | JWT audience |
+| `USERS_FILE` | `./users.json` | Path to initial users JSON file |
+| `ADMIN_CUSTOM_CLAIM` | `https://unbound.se/admin` | Admin custom claim key |
+| `EMAIL_CUSTOM_CLAIM` | `https://unbound.se/email` | Email custom claim key |
+| `LOG_LEVEL` | `info` | Log level (debug, info, warn, error) |
+| `LOG_FORMAT` | `text` | Log format (text, json) |

 ## Initial Users

@@ -78,6 +102,14 @@ Create a `users.json` file to seed users on startup:
 }
 ```

+## Key Implementation Details
+
+- RSA 2048-bit key pair generated at startup using `lestrrat-go/jwx/v2`
+- In-memory session storage with 5-minute TTL and automatic cleanup
+- Proper PKCE verification (S256 method with SHA256 hash)
+- Thread-safe stores using `sync.RWMutex`
+- Graceful shutdown with signal handling
+
 ## Integration with Shiny

 This service is used for local development and acceptance testing of the Shiny platform. The gateway and frontend services are configured to accept tokens signed by this mock server when running locally.
@@ -1,12 +1,26 @@
-FROM amd64/node:24.12.0@sha256:e8bb5aafe1964147c8344b1ea7698218e3675340407a07a14c49901df97455f6
+FROM golang:1.25@sha256:0f406d34b7cb7255d0700af02ec28a2c88f1e00701055f4c282aa4c3ec0b3245 AS build
+
+ARG GITLAB_USER
+ARG GITLAB_TOKEN
+
+WORKDIR /build
+ENV CGO_ENABLED=0
+ENV GOPRIVATE=gitlab.com/unboundsoftware/*
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN go build -ldflags="-s -w" -o /release/service ./cmd/service
+
+FROM gcr.io/distroless/static-debian12@sha256:cd64bec9cec257044ce3a8dd3620cf83b387920100332f2b041f19c4d2febf93
+
+ENV TZ=Europe/Stockholm
 ENV AUDIENCE="https://shiny.unbound.se"
-ENV ORIGIN_HOST="auth0mock"
-ENV ORIGIN="https://auth0mock:3333"
+
+COPY --from=build /release/service /service
+COPY public /public
+
 EXPOSE 3333
-WORKDIR /app
-ADD package.json yarn.lock /app/
-RUN yarn install --frozen-lockfile
-ADD *.js /app/
-ADD public /app/public
-RUN mkdir -p /root/.config
-ENTRYPOINT ["yarn", "start"]
+
+ENTRYPOINT ["/service"]
@@ -1,435 +0,0 @@
-process.env.DEBUG = 'app*'
-
-const express = require('express')
-const cookieParser = require('cookie-parser')
-const app = express()
-const jwt = require('jsonwebtoken')
-const Debug = require('debug')
-const path = require('path')
-const cors = require('cors')
-const bodyParser = require('body-parser')
-const jose = require('node-jose')
-const favicon = require('serve-favicon')
-const initialUsers = require('./users')
-
-const issuer = process.env.ISSUER || 'localhost:3333'
-const jwksOrigin = `https://${issuer}/`
-const audience = process.env.AUDIENCE || 'https://generic-audience'
-const adminCustomClaim =
-  process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
-const emailCustomClaim =
-  process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
-
-const debug = Debug('app')
-
-const keyStore = jose.JWK.createKeyStore()
-keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' })
-// let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
-const users = initialUsers(process.env.USERS_FILE || './users.json')
-const sessions = {}
-const challenges = {}
-
-const corsOpts = (req, cb) => {
-  cb(null, { origin: req.headers.origin })
-}
-
-const addCustomClaims = (email, customClaims, token) => {
-  const emailClaim = {}
-  emailClaim[emailCustomClaim] = email
-  return [...customClaims, emailClaim].reduce((acc, claim) => {
-    return {
-      ...acc,
-      ...claim
-    }
-  }, token)
-}
-
-const signToken = async (token) => {
-  const [key] = keyStore.all({ use: 'sig' })
-  const opt = { compact: true, jwk: key, fields: { typ: 'jwt' } }
-  return await jose.JWS.createSign(opt, key)
-    .update(JSON.stringify(token))
-    .final()
-}
-
-// Configure our small auth0-mock-server
-app
-  .options('*all', cors(corsOpts))
-  .use(cors())
-  .use(bodyParser.json({ strict: false }))
-  .use(bodyParser.urlencoded({ extended: true }))
-  .use(cookieParser())
-  .use(express.static(`${__dirname}/public`))
-  .use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
-
-// This route can be used to generate a valid jwt-token.
-app.post('/oauth/token', async (req, res) => {
-  const date = Math.floor(Date.now() / 1000)
-  if (req.body.grant_type === 'client_credentials' && req.body.client_id) {
-    const accessToken = await signToken({
-      iss: jwksOrigin,
-      aud: [audience],
-      sub: 'auth0|management',
-      iat: date,
-      exp: date + 7200,
-      azp: req.body.client_id
-    })
-
-    const idToken = await signToken({
-      iss: jwksOrigin,
-      aud: req.body.client_id,
-      sub: 'auth0|management',
-      iat: date,
-      exp: date + 7200,
-      azp: req.body.client_id,
-      name: 'Management API'
-    })
-
-    debug('Signed token for management API')
-
-    res.json({
-      access_token: accessToken,
-      id_token: idToken,
-      scope: 'openid%20profile%20email',
-      expires_in: 7200,
-      token_type: 'Bearer'
-    })
-  } else if (req.body.code) {
-    const code = req.body.code
-    const session = sessions[code]
-    const accessToken = await signToken(
-      addCustomClaims(session.email, session.customClaims, {
-        iss: jwksOrigin,
-        aud: [audience],
-        sub: 'auth0|' + session.email,
-        iat: date,
-        exp: date + 7200,
-        azp: session.clientId
-      })
-    )
-
-    const idToken = await signToken(
-      addCustomClaims(session.email, session.customClaims, {
-        iss: jwksOrigin,
-        aud: session.clientId,
-        nonce: session.nonce,
-        sub: 'auth0|' + session.email,
-        iat: date,
-        exp: date + 7200,
-        azp: session.clientId,
-        name: 'Example Person',
-        given_name: 'Example',
-        family_name: 'Person',
-        email: session.email,
-        picture:
-          'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
-      })
-    )
-
-    debug('Signed token for ' + session.email)
-
-    // Clean up session and challenge after successful token exchange
-    delete sessions[code]
-    delete challenges[code]
-
-    res.json({
-      access_token: accessToken,
-      id_token: idToken,
-      scope: 'openid%20profile%20email',
-      expires_in: 7200,
-      token_type: 'Bearer'
-    })
-  } else {
-    res.status(401)
-    res.send('Missing client_id or client_secret')
-  }
-})
-
-app.post('/code', (req, res) => {
-  if (!req.body.email || !req.body.password || !req.body.codeChallenge) {
-    debug('Body is invalid!', req.body)
-    return res.status(400).send('Email or password is missing!')
-  }
-
-  const code = req.body.codeChallenge
-  challenges[req.body.codeChallenge] = code
-  const state = req.body.state
-  const claim = {}
-  claim[adminCustomClaim] = req.body.admin === 'true'
-  sessions[code] = {
-    email: req.body.email,
-    password: req.body.password,
-    state: req.body.state,
-    nonce: req.body.nonce,
-    clientId: req.body.clientId,
-    codeChallenge: req.body.codeChallenge,
-    customClaims: [claim]
-  }
-  res.redirect(
-    `${req.body.redirect}?code=${code}&state=${encodeURIComponent(state)}`
-  )
-})
-
-app.get('/authorize', (req, res) => {
-  const redirect = req.query.redirect_uri
-  const state = req.query.state
-  const nonce = req.query.nonce
-  const clientId = req.query.client_id
-  const codeChallenge = req.query.code_challenge
-  const prompt = req.query.prompt
-  const responseMode = req.query.response_mode
-  if (responseMode === 'query') {
-    const code = req.cookies['auth0']
-    const session = sessions[code]
-    if (session) {
-      session.nonce = nonce
-      session.state = state
-      session.codeChallenge = codeChallenge
-      sessions[codeChallenge] = session
-      res.redirect(`${redirect}?code=${codeChallenge}&state=${state}`)
-      return
-    }
-  }
-  if (prompt === 'none' && responseMode === 'web_message') {
-    const code = req.cookies['auth0']
-    const session = sessions[code]
-    if (session) {
-      session.nonce = nonce
-      session.state = state
-      session.codeChallenge = codeChallenge
-      res.send(`
-<!DOCTYPE html>
-<html>
-  <body>
-  <script type="text/javascript">
-(() => {
-      const msg = {
-        type: 'authorization_response',
-        response: {
-          code: '${code}',
-          state: '${state}'
-        }
-      }
-      parent.postMessage(msg, "*")
-})()
-  </script>
-  </body>
-</html>`)
-      return
-    }
-  }
-
-  res.cookie('auth0', codeChallenge, {
-    sameSite: 'None',
-    secure: true,
-    httpOnly: true
-  })
-  res.send(`
-<html lang='en'>
-  <head>
-    <meta charset='utf-8'>
-    <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'>
-    <title>Auth</title>
-    <link rel='stylesheet' href='https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css' integrity='sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh' crossorigin='anonymous'>
-  </head>
-  <body>
-    <div class='container'>
-      <form method='post' action='/code'>
-        <div class='card' style='width: 18rem;'>
-          <div class='card-body'>
-            <h5 class='card-title'>Login</h5>
-            <div class='form-group'>
-              <label for='email'>Email</label>
-              <input type='text' name='email' id='email' class='form-control'>
-            </div>
-            <div class='form-group'>
-              <label for='password'>Password</label>
-              <input type='password' name='password' id='password' class='form-control'>
-            </div>
-            <div class='form-check'>
-              <input class='form-check-input' type='checkbox' name='admin' value='true' id='admin'>
-              <label class='form-check-label' for='admin'>
-                Admin
-              </label>
-            </div>
-            <button type='submit' class='btn btn-primary'>Login</button>
-            <input type='hidden' value='${redirect}' name='redirect'>
-            <input type='hidden' value='${state}' name='state'>
-            <input type='hidden' value='${nonce}' name='nonce'>
-            <input type='hidden' value='${clientId}' name='clientId'>
-            <input type='hidden' value='${codeChallenge}' name='codeChallenge'>
-          </div>
-        </div>
-      </form>
-    </div>
-  </body>
-</html>
-`)
-})
-
-app.get('/userinfo', (req, res) => {
-  res.contentType('application/json').send(
-    JSON.stringify({
-      picture:
-        'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
-    })
-  )
-})
-
-app.get('/v2/logout', (req, res) => {
-  const code = req.cookies['auth0']
-  const session = sessions[code]
-  if (session) {
-    delete sessions[code]
-  }
-  res.redirect(req.query.returnTo)
-})
-
-app.get('/.well-known/openid-configuration', (req, res) => {
-  debug('Fetching OpenID configuration')
-  res.contentType('application/json').send(
-    JSON.stringify({
-      issuer: `${jwksOrigin}`,
-      authorization_endpoint: `${jwksOrigin}authorize`,
-      token_endpoint: `${jwksOrigin}oauth/token`,
-      token_endpoint_auth_methods_supported: [
-        'client_secret_basic',
-        'private_key_jwt'
-      ],
-      token_endpoint_auth_signing_alg_values_supported: ['RS256'],
-      userinfo_endpoint: `${jwksOrigin}userinfo`,
-      check_session_iframe: `${jwksOrigin}check_session`,
-      end_session_endpoint: `${jwksOrigin}end_session`,
-      jwks_uri: `${jwksOrigin}.well-known/jwks.json`,
-      registration_endpoint: `${jwksOrigin}register`,
-      scopes_supported: [
-        'openid',
-        'profile',
-        'email',
-        'address',
-        'phone',
-        'offline_access'
-      ],
-      response_types_supported: [
-        'code',
-        'code id_token',
-        'id_token',
-        'id_token token'
-      ],
-      acr_values_supported: [],
-      subject_types_supported: ['public', 'pairwise'],
-      userinfo_signing_alg_values_supported: ['RS256', 'ES256', 'HS256'],
-      userinfo_encryption_alg_values_supported: ['RSA-OAEP-256', 'A128KW'],
-      userinfo_encryption_enc_values_supported: ['A128CBC-HS256', 'A128GCM'],
-      id_token_signing_alg_values_supported: ['RS256', 'ES256', 'HS256'],
-      id_token_encryption_alg_values_supported: ['RSA-OAEP-256', 'A128KW'],
-      id_token_encryption_enc_values_supported: ['A128CBC-HS256', 'A128GCM'],
-      request_object_signing_alg_values_supported: ['none', 'RS256', 'ES256'],
-      display_values_supported: ['page', 'popup'],
-      claim_types_supported: ['normal', 'distributed'],
-      claims_supported: [
-        'sub',
-        'iss',
-        'auth_time',
-        'acr',
-        'name',
-        'given_name',
-        'family_name',
-        'nickname',
-        'profile',
-        'picture',
-        'website',
-        'email',
-        'email_verified',
-        'locale',
-        'zoneinfo',
-        'https://unbound.se/email',
-        'https://unbound.se/admin'
-      ],
-      claims_parameter_supported: true,
-      service_documentation: 'http://auth0/',
-      ui_locales_supported: ['en-US']
-    })
-  )
-})
-
-app.get('/.well-known/jwks.json', (req, res) => {
-  debug('Fetching JWKS')
-  res.contentType('application/json').send(keyStore.toJSON())
-})
-
-// This route returns the inside of a jwt-token. Your main application
-// should use this route to keep the auth0-flow
-app.post('/tokeninfo', (req, res) => {
-  if (!req.body.id_token) {
-    debug('No token given in the body!')
-    return res.status(401).send('missing id_token')
-  }
-  const data = jwt.decode(req.body.id_token)
-  if (data) {
-    debug('Return token data from ' + data.user_id)
-    res.json(data)
-  } else {
-    debug('The token was invalid and could not be decoded!')
-    res.status(401).send('invalid id_token')
-  }
-})
-
-app.get('/api/v2/users-by-email', (req, res) => {
-  const email = req.query.email
-  console.log('users', users)
-  const user = users[email]
-  if (user === undefined) {
-    res.json([])
-  } else {
-    res.json([user])
-  }
-})
-
-app.patch('/api/v2/users/:userid', (req, res) => {
-  const email = req.params.userid.slice(6)
-  console.log('patching user with id', email)
-  const user = users[email]
-  if (!user) {
-    res.sendStatus(404)
-    return
-  }
-  users[email] = {
-    email: email,
-    given_name: req.body.given_name || user.given_name,
-    family_name: req.body.family_name || user.family_name,
-    user_id: email,
-    picture: req.body.picture || user.picture
-  }
-  res.json({
-    user_id: `auth0|${email}`
-  })
-})
-
-app.post('/api/v2/users', (req, res) => {
-  const email = req.body.email
-  users[email] = {
-    email: email,
-    given_name: 'Given',
-    family_name: 'Last',
-    user_id: email
-  }
-  res.json({
-    user_id: `auth0|${email}`
-  })
-})
-
-app.post('/api/v2/tickets/password-change', (req, res) => {
-  res.json({
-    ticket: `https://some-url`
-  })
-})
-
-app.use(function (req, res, next) {
-  console.log('404', req.path)
-  res.status(404).send('error: 404 Not Found ' + req.path)
-})
-
-app.listen(3333, () => {
-  debug('Auth0-Mock-Server listening on port 3333!')
-})
@@ -0,0 +1,212 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/lestrrat-go/jwx/v3/jws"
+	"github.com/lestrrat-go/jwx/v3/jwt"
+)
+
+const (
+	// TokenExpiry is the default token expiration time
+	TokenExpiry = 2 * time.Hour
+)
+
+// JWTService handles JWT signing and JWKS generation
+type JWTService struct {
+	privateKey *rsa.PrivateKey
+	jwkSet     jwk.Set
+	issuer     string
+	audience   string
+	adminClaim string
+	emailClaim string
+}
+
+// NewJWTService creates a new JWT service with a generated RSA key pair
+func NewJWTService(issuer, audience, adminClaim, emailClaim string) (*JWTService, error) {
+	// Generate RSA 2048-bit key pair
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("generate RSA key: %w", err)
+	}
+
+	// Create JWK from private key
+	key, err := jwk.Import(privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("create JWK from private key: %w", err)
+	}
+
+	// Set key metadata
+	keyID := uuid.New().String()
+	if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
+		return nil, fmt.Errorf("set key ID: %w", err)
+	}
+	if err := key.Set(jwk.AlgorithmKey, jwa.RS256()); err != nil {
+		return nil, fmt.Errorf("set algorithm: %w", err)
+	}
+	if err := key.Set(jwk.KeyUsageKey, "sig"); err != nil {
+		return nil, fmt.Errorf("set key usage: %w", err)
+	}
+
+	// Create public key for JWKS
+	publicKey, err := key.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("get public key: %w", err)
+	}
+
+	// Create JWKS with public key
+	jwkSet := jwk.NewSet()
+	if err := jwkSet.AddKey(publicKey); err != nil {
+		return nil, fmt.Errorf("add key to set: %w", err)
+	}
+
+	return &JWTService{
+		privateKey: privateKey,
+		jwkSet:     jwkSet,
+		issuer:     issuer,
+		audience:   audience,
+		adminClaim: adminClaim,
+		emailClaim: emailClaim,
+	}, nil
+}
+
+// SignToken creates a signed JWT with the given claims
+func (s *JWTService) SignToken(claims map[string]interface{}) (string, error) {
+	// Build JWT token
+	builder := jwt.NewBuilder()
+
+	now := time.Now()
+	builder.Issuer(s.issuer)
+	builder.IssuedAt(now)
+	builder.Expiration(now.Add(TokenExpiry))
+
+	// Add all claims
+	for key, value := range claims {
+		builder.Claim(key, value)
+	}
+
+	token, err := builder.Build()
+	if err != nil {
+		return "", fmt.Errorf("build token: %w", err)
+	}
+
+	// Create JWK from private key for signing
+	key, err := jwk.Import(s.privateKey)
+	if err != nil {
+		return "", fmt.Errorf("create signing key: %w", err)
+	}
+
+	// Get key ID from JWKS
+	pubKey, _ := s.jwkSet.Key(0)
+	keyID, _ := pubKey.KeyID()
+	if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
+		return "", fmt.Errorf("set key ID: %w", err)
+	}
+
+	// Sign the token
+	signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256(), key))
+	if err != nil {
+		return "", fmt.Errorf("sign token: %w", err)
+	}
+
+	return string(signed), nil
+}
+
+// SignAccessToken creates an access token for the given subject
+func (s *JWTService) SignAccessToken(subject, clientID, email string, customClaims []map[string]interface{}) (string, error) {
+	claims := map[string]interface{}{
+		"sub": subject,
+		"aud": []string{s.audience},
+		"azp": clientID,
+	}
+
+	// Add custom claims
+	for _, cc := range customClaims {
+		for k, v := range cc {
+			claims[k] = v
+		}
+	}
+
+	// Add email claim
+	claims[s.emailClaim] = email
+
+	return s.SignToken(claims)
+}
+
+// SignIDToken creates an ID token for the given subject
+func (s *JWTService) SignIDToken(subject, clientID, nonce, email, name, givenName, familyName, picture string, customClaims []map[string]interface{}) (string, error) {
+	claims := map[string]interface{}{
+		"sub":         subject,
+		"aud":         clientID,
+		"azp":         clientID,
+		"name":        name,
+		"given_name":  givenName,
+		"family_name": familyName,
+		"email":       email,
+		"picture":     picture,
+	}
+
+	if nonce != "" {
+		claims["nonce"] = nonce
+	}
+
+	// Add custom claims
+	for _, cc := range customClaims {
+		for k, v := range cc {
+			claims[k] = v
+		}
+	}
+
+	// Add email claim
+	claims[s.emailClaim] = email
+
+	return s.SignToken(claims)
+}
+
+// GetJWKS returns the JSON Web Key Set as JSON bytes
+func (s *JWTService) GetJWKS() ([]byte, error) {
+	return json.Marshal(s.jwkSet)
+}
+
+// DecodeToken decodes a JWT without verifying the signature
+func (s *JWTService) DecodeToken(tokenString string) (map[string]interface{}, error) {
+	// Parse without verification
+	msg, err := jws.Parse([]byte(tokenString))
+	if err != nil {
+		return nil, fmt.Errorf("parse token: %w", err)
+	}
+
+	var claims map[string]interface{}
+	if err := json.Unmarshal(msg.Payload(), &claims); err != nil {
+		return nil, fmt.Errorf("unmarshal claims: %w", err)
+	}
+
+	return claims, nil
+}
+
+// Issuer returns the issuer URL
+func (s *JWTService) Issuer() string {
+	return s.issuer
+}
+
+// Audience returns the audience
+func (s *JWTService) Audience() string {
+	return s.audience
+}
+
+// AdminClaim returns the admin custom claim key
+func (s *JWTService) AdminClaim() string {
+	return s.adminClaim
+}
+
+// EmailClaim returns the email custom claim key
+func (s *JWTService) EmailClaim() string {
+	return s.emailClaim
+}
@@ -0,0 +1,151 @@
+package auth
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestNewJWTService(t *testing.T) {
+	service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
+	if err != nil {
+		t.Fatalf("failed to create JWT service: %v", err)
+	}
+
+	if service.Issuer() != "https://test.example.com/" {
+		t.Errorf("expected issuer https://test.example.com/, got %s", service.Issuer())
+	}
+
+	if service.Audience() != "https://audience" {
+		t.Errorf("expected audience https://audience, got %s", service.Audience())
+	}
+}
+
+func TestSignToken(t *testing.T) {
+	service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
+	if err != nil {
+		t.Fatalf("failed to create JWT service: %v", err)
+	}
+
+	claims := map[string]interface{}{
+		"sub": "test-subject",
+		"aud": "test-audience",
+	}
+
+	token, err := service.SignToken(claims)
+	if err != nil {
+		t.Fatalf("failed to sign token: %v", err)
+	}
+
+	if token == "" {
+		t.Error("expected non-empty token")
+	}
+
+	// Verify token can be decoded
+	decoded, err := service.DecodeToken(token)
+	if err != nil {
+		t.Fatalf("failed to decode token: %v", err)
+	}
+
+	if decoded["sub"] != "test-subject" {
+		t.Errorf("expected sub=test-subject, got %v", decoded["sub"])
+	}
+}
+
+func TestSignAccessToken(t *testing.T) {
+	service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
+	if err != nil {
+		t.Fatalf("failed to create JWT service: %v", err)
+	}
+
+	customClaims := []map[string]interface{}{
+		{"https://admin": true},
+	}
+
+	token, err := service.SignAccessToken("auth0|user@example.com", "client-id", "user@example.com", customClaims)
+	if err != nil {
+		t.Fatalf("failed to sign access token: %v", err)
+	}
+
+	decoded, err := service.DecodeToken(token)
+	if err != nil {
+		t.Fatalf("failed to decode token: %v", err)
+	}
+
+	if decoded["sub"] != "auth0|user@example.com" {
+		t.Errorf("expected sub=auth0|user@example.com, got %v", decoded["sub"])
+	}
+
+	if decoded["https://email"] != "user@example.com" {
+		t.Errorf("expected email claim, got %v", decoded["https://email"])
+	}
+}
+
+func TestSignIDToken(t *testing.T) {
+	service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
+	if err != nil {
+		t.Fatalf("failed to create JWT service: %v", err)
+	}
+
+	token, err := service.SignIDToken(
+		"auth0|user@example.com",
+		"client-id",
+		"test-nonce",
+		"user@example.com",
+		"Test User",
+		"Test",
+		"User",
+		"https://example.com/picture.jpg",
+		nil,
+	)
+	if err != nil {
+		t.Fatalf("failed to sign ID token: %v", err)
+	}
+
+	decoded, err := service.DecodeToken(token)
+	if err != nil {
+		t.Fatalf("failed to decode token: %v", err)
+	}
+
+	if decoded["name"] != "Test User" {
+		t.Errorf("expected name=Test User, got %v", decoded["name"])
+	}
+
+	if decoded["nonce"] != "test-nonce" {
+		t.Errorf("expected nonce=test-nonce, got %v", decoded["nonce"])
+	}
+}
+
+func TestGetJWKS(t *testing.T) {
+	service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
+	if err != nil {
+		t.Fatalf("failed to create JWT service: %v", err)
+	}
+
+	jwks, err := service.GetJWKS()
+	if err != nil {
+		t.Fatalf("failed to get JWKS: %v", err)
+	}
+
+	var result map[string]interface{}
+	if err := json.Unmarshal(jwks, &result); err != nil {
+		t.Fatalf("failed to parse JWKS: %v", err)
+	}
+
+	keys, ok := result["keys"].([]interface{})
+	if !ok {
+		t.Fatal("expected keys array in JWKS")
+	}
+
+	if len(keys) != 1 {
+		t.Errorf("expected 1 key, got %d", len(keys))
+	}
+
+	key := keys[0].(map[string]interface{})
+	if key["kty"] != "RSA" {
+		t.Errorf("expected kty=RSA, got %v", key["kty"])
+	}
+
+	if key["use"] != "sig" {
+		t.Errorf("expected use=sig, got %v", key["use"])
+	}
+}
@@ -0,0 +1,49 @@
+package auth
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"strings"
+)
+
+// PKCEMethod represents the code challenge method
+type PKCEMethod string
+
+const (
+	// PKCEMethodPlain uses the verifier directly as the challenge
+	PKCEMethodPlain PKCEMethod = "plain"
+	// PKCEMethodS256 uses SHA256 hash of the verifier
+	PKCEMethodS256 PKCEMethod = "S256"
+)
+
+// VerifyPKCE verifies that the code verifier matches the code challenge
+func VerifyPKCE(verifier, challenge string, method PKCEMethod) bool {
+	if verifier == "" || challenge == "" {
+		return false
+	}
+
+	switch method {
+	case PKCEMethodPlain, "":
+		// Plain method or no method specified - direct comparison
+		return verifier == challenge
+	case PKCEMethodS256:
+		// S256 method - SHA256 hash, base64url encoded
+		computed := ComputeS256Challenge(verifier)
+		return computed == challenge
+	default:
+		return false
+	}
+}
+
+// ComputeS256Challenge computes the S256 code challenge from a verifier
+func ComputeS256Challenge(verifier string) string {
+	hash := sha256.Sum256([]byte(verifier))
+	return base64URLEncode(hash[:])
+}
+
+// base64URLEncode encodes bytes to base64url without padding
+func base64URLEncode(data []byte) string {
+	encoded := base64.URLEncoding.EncodeToString(data)
+	// Remove padding
+	return strings.TrimRight(encoded, "=")
+}
@@ -0,0 +1,74 @@
+package auth
+
+import (
+	"testing"
+)
+
+func TestVerifyPKCE_Plain(t *testing.T) {
+	verifier := "test-verifier-12345"
+	challenge := "test-verifier-12345"
+
+	if !VerifyPKCE(verifier, challenge, PKCEMethodPlain) {
+		t.Error("expected plain PKCE verification to succeed")
+	}
+
+	if VerifyPKCE("wrong-verifier", challenge, PKCEMethodPlain) {
+		t.Error("expected plain PKCE verification to fail with wrong verifier")
+	}
+}
+
+func TestVerifyPKCE_S256(t *testing.T) {
+	// Test vector from RFC 7636
+	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+	challenge := ComputeS256Challenge(verifier)
+
+	if !VerifyPKCE(verifier, challenge, PKCEMethodS256) {
+		t.Error("expected S256 PKCE verification to succeed")
+	}
+
+	if VerifyPKCE("wrong-verifier", challenge, PKCEMethodS256) {
+		t.Error("expected S256 PKCE verification to fail with wrong verifier")
+	}
+}
+
+func TestVerifyPKCE_EmptyValues(t *testing.T) {
+	if VerifyPKCE("", "challenge", PKCEMethodS256) {
+		t.Error("expected PKCE verification to fail with empty verifier")
+	}
+
+	if VerifyPKCE("verifier", "", PKCEMethodS256) {
+		t.Error("expected PKCE verification to fail with empty challenge")
+	}
+}
+
+func TestVerifyPKCE_DefaultMethod(t *testing.T) {
+	verifier := "test-verifier"
+	challenge := "test-verifier"
+
+	// Empty method should default to plain
+	if !VerifyPKCE(verifier, challenge, "") {
+		t.Error("expected PKCE verification with empty method to use plain")
+	}
+}
+
+func TestComputeS256Challenge(t *testing.T) {
+	// Known test case
+	verifier := "abc123"
+	challenge := ComputeS256Challenge(verifier)
+
+	// Challenge should be base64url encoded without padding
+	if challenge == "" {
+		t.Error("expected non-empty challenge")
+	}
+
+	// Should not contain padding
+	if len(challenge) > 0 && challenge[len(challenge)-1] == '=' {
+		t.Error("challenge should not have padding")
+	}
+
+	// Same verifier should produce same challenge
+	challenge2 := ComputeS256Challenge(verifier)
+	if challenge != challenge2 {
+		t.Error("same verifier should produce same challenge")
+	}
+}
@@ -0,0 +1,194 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/alecthomas/kong"
+	"github.com/rs/cors"
+
+	"gitlab.com/unboundsoftware/auth0mock/auth"
+	"gitlab.com/unboundsoftware/auth0mock/handlers"
+	"gitlab.com/unboundsoftware/auth0mock/store"
+)
+
+var (
+	buildVersion = "dev"
+	serviceName  = "auth0mock"
+)
+
+// CLI defines the command-line interface
+type CLI struct {
+	Port        int    `name:"port" env:"PORT" help:"Listen port" default:"3333"`
+	Issuer      string `name:"issuer" env:"ISSUER" help:"JWT issuer (without https://)" default:"localhost:3333"`
+	Audience    string `name:"audience" env:"AUDIENCE" help:"JWT audience" default:"https://generic-audience"`
+	UsersFile   string `name:"users-file" env:"USERS_FILE" help:"Path to initial users JSON file" default:"./users.json"`
+	AdminClaim  string `name:"admin-claim" env:"ADMIN_CUSTOM_CLAIM" help:"Admin custom claim key" default:"https://unbound.se/admin"`
+	EmailClaim  string `name:"email-claim" env:"EMAIL_CUSTOM_CLAIM" help:"Email custom claim key" default:"https://unbound.se/email"`
+	LogLevel    string `name:"log-level" env:"LOG_LEVEL" help:"Log level" default:"info" enum:"debug,info,warn,error"`
+	LogFormat   string `name:"log-format" env:"LOG_FORMAT" help:"Log format" default:"text" enum:"json,text"`
+}
+
+func main() {
+	var cli CLI
+	_ = kong.Parse(&cli)
+
+	// Setup logger
+	logger := setupLogger(cli.LogLevel, cli.LogFormat)
+	logger.Info("starting auth0mock",
+		"version", buildVersion,
+		"port", cli.Port,
+		"issuer", cli.Issuer,
+	)
+
+	// Initialize stores
+	userStore := store.NewUserStore()
+	if err := userStore.LoadFromFile(cli.UsersFile); err != nil {
+		logger.Warn("failed to load users file", "path", cli.UsersFile, "error", err)
+	}
+
+	sessionStore := store.NewSessionStore(logger)
+
+	// Initialize JWT service
+	issuerURL := fmt.Sprintf("https://%s/", cli.Issuer)
+	jwtService, err := auth.NewJWTService(issuerURL, cli.Audience, cli.AdminClaim, cli.EmailClaim)
+	if err != nil {
+		logger.Error("failed to create JWT service", "error", err)
+		os.Exit(1)
+	}
+
+	// Initialize handlers
+	discoveryHandler := handlers.NewDiscoveryHandler(jwtService)
+	oauthHandler, err := handlers.NewOAuthHandler(jwtService, sessionStore, logger)
+	if err != nil {
+		logger.Error("failed to create OAuth handler", "error", err)
+		os.Exit(1)
+	}
+	managementHandler := handlers.NewManagementHandler(userStore, logger)
+	sessionHandler := handlers.NewSessionHandler(jwtService, sessionStore, logger)
+
+	// Setup routes
+	mux := http.NewServeMux()
+
+	// CORS middleware
+	corsHandler := cors.New(cors.Options{
+		AllowedOrigins:   []string{"*"},
+		AllowedMethods:   []string{"GET", "POST", "PATCH", "OPTIONS"},
+		AllowedHeaders:   []string{"*"},
+		AllowCredentials: true,
+	})
+
+	// Discovery endpoints
+	mux.HandleFunc("GET /.well-known/openid-configuration", discoveryHandler.OpenIDConfiguration)
+	mux.HandleFunc("GET /.well-known/jwks.json", discoveryHandler.JWKS)
+
+	// OAuth endpoints
+	mux.HandleFunc("POST /oauth/token", oauthHandler.Token)
+	mux.HandleFunc("GET /authorize", oauthHandler.Authorize)
+	mux.HandleFunc("POST /code", oauthHandler.Code)
+
+	// Session endpoints
+	mux.HandleFunc("GET /userinfo", sessionHandler.UserInfo)
+	mux.HandleFunc("POST /tokeninfo", sessionHandler.TokenInfo)
+	mux.HandleFunc("GET /v2/logout", sessionHandler.Logout)
+
+	// Management API endpoints
+	mux.HandleFunc("GET /api/v2/users-by-email", managementHandler.GetUsersByEmail)
+	mux.HandleFunc("POST /api/v2/users", managementHandler.CreateUser)
+	mux.HandleFunc("PATCH /api/v2/users/", managementHandler.UpdateUser)
+	mux.HandleFunc("POST /api/v2/tickets/password-change", managementHandler.PasswordChangeTicket)
+
+	// Health check
+	mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("OK"))
+	})
+
+	// Static files
+	mux.Handle("GET /favicon.ico", http.FileServer(http.Dir("public")))
+
+	// Create HTTP server
+	httpSrv := &http.Server{
+		Addr:    fmt.Sprintf(":%d", cli.Port),
+		Handler: corsHandler.Handler(mux),
+	}
+
+	// Start session cleanup
+	rootCtx, rootCancel := context.WithCancel(context.Background())
+	sessionStore.StartCleanup(rootCtx)
+
+	// Graceful shutdown
+	wg := sync.WaitGroup{}
+	sigint := make(chan os.Signal, 1)
+	signal.Notify(sigint, os.Interrupt, syscall.SIGTERM)
+
+	// Signal handler goroutine
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		sig := <-sigint
+		if sig != nil {
+			signal.Reset(os.Interrupt, syscall.SIGTERM)
+			logger.Info("received shutdown signal")
+			rootCancel()
+		}
+	}()
+
+	// Shutdown handler goroutine
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		<-rootCtx.Done()
+
+		shutdownCtx, shutdownRelease := context.WithTimeout(context.Background(), 10*time.Second)
+		defer shutdownRelease()
+
+		if err := httpSrv.Shutdown(shutdownCtx); err != nil {
+			logger.Error("failed to shutdown HTTP server", "error", err)
+		}
+		close(sigint)
+	}()
+
+	// HTTP server goroutine
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		defer rootCancel()
+
+		logger.Info("listening", "port", cli.Port)
+		if err := httpSrv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
+			logger.Error("HTTP server error", "error", err)
+		}
+	}()
+
+	wg.Wait()
+	logger.Info("shutdown complete")
+}
+
+func setupLogger(level, format string) *slog.Logger {
+	var leveler slog.LevelVar
+	if err := leveler.UnmarshalText([]byte(level)); err != nil {
+		leveler.Set(slog.LevelInfo)
+	}
+
+	handlerOpts := &slog.HandlerOptions{
+		Level: leveler.Level(),
+	}
+
+	var handler slog.Handler
+	switch format {
+	case "json":
+		handler = slog.NewJSONHandler(os.Stdout, handlerOpts)
+	default:
+		handler = slog.NewTextHandler(os.Stdout, handlerOpts)
+	}
+
+	return slog.New(handler).With("service", serviceName, "version", buildVersion)
+}
@@ -0,0 +1,25 @@
+module gitlab.com/unboundsoftware/auth0mock
+
+go 1.24.0
+
+require (
+	github.com/alecthomas/kong v1.13.0
+	github.com/google/uuid v1.6.0
+	github.com/lestrrat-go/jwx/v3 v3.0.13
+	github.com/rs/cors v1.11.1
+)
+
+require (
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.2 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/valyala/fastjson v1.6.7 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+)
@@ -0,0 +1,51 @@
+github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
+github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
+github.com/alecthomas/kong v1.13.0 h1:5e/7XC3ugvhP1DQBmTS+WuHtCbcv44hsohMgcvVxSrA=
+github.com/alecthomas/kong v1.13.0/go.mod h1:wrlbXem1CWqUV5Vbmss5ISYhsVPkBb1Yo7YKJghju2I=
+github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
+github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
+github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
+github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
+github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.2 h1:7u4HUaD0NQbf2/n5+fyp+T10hNCsAnwKfqn4A4Baif0=
+github.com/lestrrat-go/httprc/v3 v3.0.2/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
+github.com/lestrrat-go/jwx/v3 v3.0.13 h1:AdHKiPIYeCSnOJtvdpipPg/0SuFh9rdkN+HF3O0VdSk=
+github.com/lestrrat-go/jwx/v3 v3.0.13/go.mod h1:2m0PV1A9tM4b/jVLMx8rh6rBl7F6WGb3EG2hufN9OQU=
+github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
+github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM=
+github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,77 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"gitlab.com/unboundsoftware/auth0mock/auth"
+)
+
+// DiscoveryHandler handles OIDC discovery endpoints
+type DiscoveryHandler struct {
+	jwtService *auth.JWTService
+}
+
+// NewDiscoveryHandler creates a new discovery handler
+func NewDiscoveryHandler(jwtService *auth.JWTService) *DiscoveryHandler {
+	return &DiscoveryHandler{
+		jwtService: jwtService,
+	}
+}
+
+// OpenIDConfiguration returns the OIDC discovery document
+func (h *DiscoveryHandler) OpenIDConfiguration(w http.ResponseWriter, r *http.Request) {
+	issuer := h.jwtService.Issuer()
+
+	config := map[string]interface{}{
+		"issuer":                                issuer,
+		"authorization_endpoint":               issuer + "authorize",
+		"token_endpoint":                        issuer + "oauth/token",
+		"token_endpoint_auth_methods_supported": []string{"client_secret_basic", "private_key_jwt"},
+		"token_endpoint_auth_signing_alg_values_supported": []string{"RS256"},
+		"userinfo_endpoint":                     issuer + "userinfo",
+		"check_session_iframe":                  issuer + "check_session",
+		"end_session_endpoint":                  issuer + "end_session",
+		"jwks_uri":                              issuer + ".well-known/jwks.json",
+		"registration_endpoint":                 issuer + "register",
+		"scopes_supported":                      []string{"openid", "profile", "email", "address", "phone", "offline_access"},
+		"response_types_supported":              []string{"code", "code id_token", "id_token", "id_token token"},
+		"acr_values_supported":                  []string{},
+		"subject_types_supported":               []string{"public", "pairwise"},
+		"userinfo_signing_alg_values_supported": []string{"RS256", "ES256", "HS256"},
+		"userinfo_encryption_alg_values_supported": []string{"RSA-OAEP-256", "A128KW"},
+		"userinfo_encryption_enc_values_supported": []string{"A128CBC-HS256", "A128GCM"},
+		"id_token_signing_alg_values_supported":    []string{"RS256", "ES256", "HS256"},
+		"id_token_encryption_alg_values_supported": []string{"RSA-OAEP-256", "A128KW"},
+		"id_token_encryption_enc_values_supported": []string{"A128CBC-HS256", "A128GCM"},
+		"request_object_signing_alg_values_supported": []string{"none", "RS256", "ES256"},
+		"display_values_supported":              []string{"page", "popup"},
+		"claim_types_supported":                 []string{"normal", "distributed"},
+		"claims_supported": []string{
+			"sub", "iss", "auth_time", "acr",
+			"name", "given_name", "family_name", "nickname",
+			"profile", "picture", "website",
+			"email", "email_verified", "locale", "zoneinfo",
+			h.jwtService.EmailClaim(), h.jwtService.AdminClaim(),
+		},
+		"claims_parameter_supported": true,
+		"service_documentation":      "http://auth0/",
+		"ui_locales_supported":       []string{"en-US"},
+		"code_challenge_methods_supported": []string{"plain", "S256"},
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(config)
+}
+
+// JWKS returns the JSON Web Key Set
+func (h *DiscoveryHandler) JWKS(w http.ResponseWriter, r *http.Request) {
+	jwks, err := h.jwtService.GetJWKS()
+	if err != nil {
+		http.Error(w, "Failed to get JWKS", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.Write(jwks)
+}
@@ -0,0 +1,154 @@
+package handlers
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"gitlab.com/unboundsoftware/auth0mock/store"
+)
+
+// ManagementHandler handles Auth0 Management API endpoints
+type ManagementHandler struct {
+	userStore *store.UserStore
+	logger    *slog.Logger
+}
+
+// NewManagementHandler creates a new management handler
+func NewManagementHandler(userStore *store.UserStore, logger *slog.Logger) *ManagementHandler {
+	return &ManagementHandler{
+		userStore: userStore,
+		logger:    logger,
+	}
+}
+
+// UserResponse represents the user response format
+type UserResponse struct {
+	Email      string `json:"email,omitempty"`
+	GivenName  string `json:"given_name,omitempty"`
+	FamilyName string `json:"family_name,omitempty"`
+	UserID     string `json:"user_id"`
+	Picture    string `json:"picture,omitempty"`
+}
+
+// GetUsersByEmail handles GET /api/v2/users-by-email
+func (h *ManagementHandler) GetUsersByEmail(w http.ResponseWriter, r *http.Request) {
+	email := r.URL.Query().Get("email")
+
+	h.logger.Debug("getting user by email", "email", email)
+
+	user, ok := h.userStore.GetByEmail(email)
+	if !ok {
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode([]interface{}{})
+		return
+	}
+
+	response := []UserResponse{
+		{
+			Email:      user.Email,
+			GivenName:  user.GivenName,
+			FamilyName: user.FamilyName,
+			UserID:     fmt.Sprintf("auth0|%s", user.UserID),
+			Picture:    user.Picture,
+		},
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
+// CreateUser handles POST /api/v2/users
+func (h *ManagementHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Email      string `json:"email"`
+		GivenName  string `json:"given_name"`
+		FamilyName string `json:"family_name"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	if req.Email == "" {
+		http.Error(w, "Email is required", http.StatusBadRequest)
+		return
+	}
+
+	user := &store.User{
+		Email:      req.Email,
+		GivenName:  req.GivenName,
+		FamilyName: req.FamilyName,
+		UserID:     req.Email,
+	}
+
+	// Set defaults if not provided
+	if user.GivenName == "" {
+		user.GivenName = "Given"
+	}
+	if user.FamilyName == "" {
+		user.FamilyName = "Last"
+	}
+
+	h.userStore.Create(req.Email, user)
+
+	h.logger.Info("created user", "email", req.Email)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"user_id": fmt.Sprintf("auth0|%s", req.Email),
+	})
+}
+
+// UpdateUser handles PATCH /api/v2/users/{userid}
+func (h *ManagementHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+	// Extract user ID from path - format: /api/v2/users/auth0|email@example.com
+	path := r.URL.Path
+	userID := strings.TrimPrefix(path, "/api/v2/users/")
+
+	// Strip "auth0|" prefix to get email
+	email := strings.TrimPrefix(userID, "auth0|")
+
+	h.logger.Debug("patching user", "userid", userID, "email", email)
+
+	var req struct {
+		GivenName  string `json:"given_name"`
+		FamilyName string `json:"family_name"`
+		Picture    string `json:"picture"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	updates := &store.User{
+		GivenName:  req.GivenName,
+		FamilyName: req.FamilyName,
+		Picture:    req.Picture,
+	}
+
+	_, ok := h.userStore.Update(email, updates)
+	if !ok {
+		http.Error(w, "User not found", http.StatusNotFound)
+		return
+	}
+
+	h.logger.Info("updated user", "email", email)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"user_id": fmt.Sprintf("auth0|%s", email),
+	})
+}
+
+// PasswordChangeTicket handles POST /api/v2/tickets/password-change
+func (h *ManagementHandler) PasswordChangeTicket(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"ticket": "https://some-url",
+	})
+}
@@ -0,0 +1,337 @@
+package handlers
+
+import (
+	"embed"
+	"encoding/json"
+	"fmt"
+	"html/template"
+	"log/slog"
+	"net/http"
+	"net/url"
+
+	"gitlab.com/unboundsoftware/auth0mock/auth"
+	"gitlab.com/unboundsoftware/auth0mock/store"
+)
+
+//go:embed templates/login.html
+var templateFS embed.FS
+
+// OAuthHandler handles OAuth/OIDC endpoints
+type OAuthHandler struct {
+	jwtService    *auth.JWTService
+	sessionStore  *store.SessionStore
+	loginTemplate *template.Template
+	logger        *slog.Logger
+}
+
+// NewOAuthHandler creates a new OAuth handler
+func NewOAuthHandler(jwtService *auth.JWTService, sessionStore *store.SessionStore, logger *slog.Logger) (*OAuthHandler, error) {
+	tmpl, err := template.ParseFS(templateFS, "templates/login.html")
+	if err != nil {
+		return nil, fmt.Errorf("parse login template: %w", err)
+	}
+
+	return &OAuthHandler{
+		jwtService:    jwtService,
+		sessionStore:  sessionStore,
+		loginTemplate: tmpl,
+		logger:        logger,
+	}, nil
+}
+
+// TokenRequest represents the token endpoint request body
+type TokenRequest struct {
+	GrantType    string `json:"grant_type"`
+	ClientID     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	Code         string `json:"code"`
+	CodeVerifier string `json:"code_verifier"`
+	RedirectURI  string `json:"redirect_uri"`
+}
+
+// TokenResponse represents the token endpoint response
+type TokenResponse struct {
+	AccessToken string `json:"access_token"`
+	IDToken     string `json:"id_token"`
+	Scope       string `json:"scope"`
+	ExpiresIn   int    `json:"expires_in"`
+	TokenType   string `json:"token_type"`
+}
+
+// Token handles the POST /oauth/token endpoint
+func (h *OAuthHandler) Token(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	grantType := r.FormValue("grant_type")
+	clientID := r.FormValue("client_id")
+	code := r.FormValue("code")
+	codeVerifier := r.FormValue("code_verifier")
+
+	w.Header().Set("Content-Type", "application/json")
+
+	switch grantType {
+	case "client_credentials":
+		h.handleClientCredentials(w, clientID)
+	case "authorization_code", "":
+		if code != "" {
+			h.handleAuthorizationCode(w, code, codeVerifier, clientID)
+		} else {
+			w.WriteHeader(http.StatusUnauthorized)
+			json.NewEncoder(w).Encode(map[string]string{"error": "Missing code"})
+		}
+	default:
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{"error": "Unsupported grant type"})
+	}
+}
+
+func (h *OAuthHandler) handleClientCredentials(w http.ResponseWriter, clientID string) {
+	if clientID == "" {
+		w.WriteHeader(http.StatusUnauthorized)
+		json.NewEncoder(w).Encode(map[string]string{"error": "Missing client_id"})
+		return
+	}
+
+	adminClaim := map[string]interface{}{
+		h.jwtService.AdminClaim(): true,
+	}
+
+	accessToken, err := h.jwtService.SignAccessToken(
+		"auth0|management",
+		clientID,
+		"management@example.org",
+		[]map[string]interface{}{adminClaim},
+	)
+	if err != nil {
+		h.logger.Error("failed to sign access token", "error", err)
+		http.Error(w, "Failed to generate token", http.StatusInternalServerError)
+		return
+	}
+
+	idToken, err := h.jwtService.SignIDToken(
+		"auth0|management",
+		clientID,
+		"",
+		"management@example.org",
+		"Management API",
+		"Management",
+		"API",
+		"",
+		[]map[string]interface{}{adminClaim},
+	)
+	if err != nil {
+		h.logger.Error("failed to sign ID token", "error", err)
+		http.Error(w, "Failed to generate token", http.StatusInternalServerError)
+		return
+	}
+
+	h.logger.Info("signed token for management API")
+
+	json.NewEncoder(w).Encode(TokenResponse{
+		AccessToken: accessToken,
+		IDToken:     idToken,
+		Scope:       "openid%20profile%20email",
+		ExpiresIn:   7200,
+		TokenType:   "Bearer",
+	})
+}
+
+func (h *OAuthHandler) handleAuthorizationCode(w http.ResponseWriter, code, codeVerifier, clientID string) {
+	session, ok := h.sessionStore.Get(code)
+	if !ok {
+		w.WriteHeader(http.StatusUnauthorized)
+		json.NewEncoder(w).Encode(map[string]string{"error": "Invalid code"})
+		return
+	}
+
+	// Verify PKCE if code_verifier is provided
+	if codeVerifier != "" && session.CodeChallenge != "" {
+		// Determine method - default to S256 if challenge looks like a hash
+		method := auth.PKCEMethodS256
+		if len(session.CodeChallenge) < 43 {
+			method = auth.PKCEMethodPlain
+		}
+
+		if !auth.VerifyPKCE(codeVerifier, session.CodeChallenge, method) {
+			w.WriteHeader(http.StatusUnauthorized)
+			json.NewEncoder(w).Encode(map[string]string{"error": "Invalid code_verifier"})
+			return
+		}
+	}
+
+	accessToken, err := h.jwtService.SignAccessToken(
+		"auth0|"+session.Email,
+		session.ClientID,
+		session.Email,
+		session.CustomClaims,
+	)
+	if err != nil {
+		h.logger.Error("failed to sign access token", "error", err)
+		http.Error(w, "Failed to generate token", http.StatusInternalServerError)
+		return
+	}
+
+	idToken, err := h.jwtService.SignIDToken(
+		"auth0|"+session.Email,
+		session.ClientID,
+		session.Nonce,
+		session.Email,
+		"Example Person",
+		"Example",
+		"Person",
+		"https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg",
+		session.CustomClaims,
+	)
+	if err != nil {
+		h.logger.Error("failed to sign ID token", "error", err)
+		http.Error(w, "Failed to generate token", http.StatusInternalServerError)
+		return
+	}
+
+	h.logger.Info("signed token", "email", session.Email)
+
+	// Clean up session after successful token exchange
+	h.sessionStore.Delete(code)
+
+	json.NewEncoder(w).Encode(TokenResponse{
+		AccessToken: accessToken,
+		IDToken:     idToken,
+		Scope:       "openid%20profile%20email",
+		ExpiresIn:   7200,
+		TokenType:   "Bearer",
+	})
+}
+
+// Code handles the POST /code endpoint (form submission from login page)
+func (h *OAuthHandler) Code(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	email := r.FormValue("email")
+	password := r.FormValue("password")
+	codeChallenge := r.FormValue("codeChallenge")
+	redirect := r.FormValue("redirect")
+	state := r.FormValue("state")
+	nonce := r.FormValue("nonce")
+	clientID := r.FormValue("clientId")
+	admin := r.FormValue("admin") == "true"
+
+	if email == "" || password == "" || codeChallenge == "" {
+		h.logger.Debug("invalid code request", "email", email, "hasPassword", password != "", "hasChallenge", codeChallenge != "")
+		http.Error(w, "Email, password, or code challenge is missing", http.StatusBadRequest)
+		return
+	}
+
+	adminClaim := map[string]interface{}{
+		h.jwtService.AdminClaim(): admin,
+	}
+
+	session := &store.Session{
+		Email:         email,
+		Password:      password,
+		State:         state,
+		Nonce:         nonce,
+		ClientID:      clientID,
+		CodeChallenge: codeChallenge,
+		CustomClaims:  []map[string]interface{}{adminClaim},
+	}
+
+	h.sessionStore.Create(codeChallenge, session)
+
+	redirectURL := fmt.Sprintf("%s?code=%s&state=%s", redirect, codeChallenge, url.QueryEscape(state))
+	http.Redirect(w, r, redirectURL, http.StatusFound)
+}
+
+// Authorize handles the GET /authorize endpoint
+func (h *OAuthHandler) Authorize(w http.ResponseWriter, r *http.Request) {
+	redirect := r.URL.Query().Get("redirect_uri")
+	state := r.URL.Query().Get("state")
+	nonce := r.URL.Query().Get("nonce")
+	clientID := r.URL.Query().Get("client_id")
+	codeChallenge := r.URL.Query().Get("code_challenge")
+	prompt := r.URL.Query().Get("prompt")
+	responseMode := r.URL.Query().Get("response_mode")
+
+	// Try to get existing session from cookie
+	cookie, err := r.Cookie("auth0")
+	var existingCode string
+	if err == nil {
+		existingCode = cookie.Value
+	}
+
+	// Handle response_mode=query with existing session
+	if responseMode == "query" && existingCode != "" {
+		if h.sessionStore.Update(existingCode, codeChallenge, func(s *store.Session) {
+			s.Nonce = nonce
+			s.State = state
+			s.CodeChallenge = codeChallenge
+		}) {
+			redirectURL := fmt.Sprintf("%s?code=%s&state=%s", redirect, codeChallenge, state)
+			http.Redirect(w, r, redirectURL, http.StatusFound)
+			return
+		}
+	}
+
+	// Handle prompt=none with response_mode=web_message (silent auth)
+	if prompt == "none" && responseMode == "web_message" && existingCode != "" {
+		session, ok := h.sessionStore.Get(existingCode)
+		if ok {
+			h.sessionStore.Update(existingCode, existingCode, func(s *store.Session) {
+				s.Nonce = nonce
+				s.State = state
+				s.CodeChallenge = codeChallenge
+			})
+
+			// Send postMessage response
+			w.Header().Set("Content-Type", "text/html")
+			fmt.Fprintf(w, `<!DOCTYPE html>
+<html>
+  <body>
+  <script type="text/javascript">
+(() => {
+    const msg = {
+      type: 'authorization_response',
+      response: {
+        code: '%s',
+        state: '%s'
+      }
+    }
+    parent.postMessage(msg, "*")
+})()
+  </script>
+  </body>
+</html>`, existingCode, session.State)
+			return
+		}
+	}
+
+	// Set cookie for session tracking
+	http.SetCookie(w, &http.Cookie{
+		Name:     "auth0",
+		Value:    codeChallenge,
+		Path:     "/",
+		SameSite: http.SameSiteNoneMode,
+		Secure:   true,
+		HttpOnly: true,
+	})
+
+	// Render login form
+	w.Header().Set("Content-Type", "text/html")
+	data := map[string]string{
+		"Redirect":      redirect,
+		"State":         state,
+		"Nonce":         nonce,
+		"ClientID":      clientID,
+		"CodeChallenge": codeChallenge,
+	}
+
+	if err := h.loginTemplate.Execute(w, data); err != nil {
+		h.logger.Error("failed to render login template", "error", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+	}
+}
@@ -0,0 +1,97 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"gitlab.com/unboundsoftware/auth0mock/auth"
+	"gitlab.com/unboundsoftware/auth0mock/store"
+)
+
+// SessionHandler handles session-related endpoints
+type SessionHandler struct {
+	jwtService   *auth.JWTService
+	sessionStore *store.SessionStore
+	logger       *slog.Logger
+}
+
+// NewSessionHandler creates a new session handler
+func NewSessionHandler(jwtService *auth.JWTService, sessionStore *store.SessionStore, logger *slog.Logger) *SessionHandler {
+	return &SessionHandler{
+		jwtService:   jwtService,
+		sessionStore: sessionStore,
+		logger:       logger,
+	}
+}
+
+// UserInfo handles GET /userinfo
+func (h *SessionHandler) UserInfo(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"picture": "https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg",
+	})
+}
+
+// TokenInfo handles POST /tokeninfo
+func (h *SessionHandler) TokenInfo(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		IDToken string `json:"id_token"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	if req.IDToken == "" {
+		h.logger.Debug("no token given in body")
+		http.Error(w, "missing id_token", http.StatusUnauthorized)
+		return
+	}
+
+	claims, err := h.jwtService.DecodeToken(req.IDToken)
+	if err != nil {
+		h.logger.Debug("failed to decode token", "error", err)
+		http.Error(w, "invalid id_token", http.StatusUnauthorized)
+		return
+	}
+
+	if userID, ok := claims["sub"].(string); ok {
+		h.logger.Debug("returning token data", "user_id", userID)
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(claims)
+}
+
+// Logout handles GET /v2/logout
+func (h *SessionHandler) Logout(w http.ResponseWriter, r *http.Request) {
+	returnTo := r.URL.Query().Get("returnTo")
+
+	// Try to get session from cookie
+	cookie, err := r.Cookie("auth0")
+	if err == nil && cookie.Value != "" {
+		h.sessionStore.Delete(cookie.Value)
+		h.logger.Debug("deleted session", "code", cookie.Value)
+	}
+
+	// Clear the cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "auth0",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		SameSite: http.SameSiteNoneMode,
+		Secure:   true,
+		HttpOnly: true,
+	})
+
+	if returnTo != "" {
+		http.Redirect(w, r, returnTo, http.StatusFound)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte("Logged out"))
+}
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <title>Auth</title>
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
+  </head>
+  <body>
+    <div class="container">
+      <form method="post" action="/code">
+        <div class="card" style="width: 18rem; margin-top: 2rem;">
+          <div class="card-body">
+            <h5 class="card-title">Login</h5>
+            <div class="form-group">
+              <label for="email">Email</label>
+              <input type="text" name="email" id="email" class="form-control">
+            </div>
+            <div class="form-group">
+              <label for="password">Password</label>
+              <input type="password" name="password" id="password" class="form-control">
+            </div>
+            <div class="form-check">
+              <input class="form-check-input" type="checkbox" name="admin" value="true" id="admin">
+              <label class="form-check-label" for="admin">
+                Admin
+              </label>
+            </div>
+            <button type="submit" class="btn btn-primary mt-3">Login</button>
+            <input type="hidden" value="{{.Redirect}}" name="redirect">
+            <input type="hidden" value="{{.State}}" name="state">
+            <input type="hidden" value="{{.Nonce}}" name="nonce">
+            <input type="hidden" value="{{.ClientID}}" name="clientId">
+            <input type="hidden" value="{{.CodeChallenge}}" name="codeChallenge">
+          </div>
+        </div>
+      </form>
+    </div>
+  </body>
+</html>
@@ -14,7 +14,7 @@ spec:
    spec:
      containers:
        - name: auth0mock
-          image: registry.gitlab.com/unboundsoftware/auth0mock:${COMMIT}
+          image: oci.unbound.se/unboundsoftware/auth0mock:${COMMIT}
          imagePullPolicy: "IfNotPresent"
          resources:
            requests:
@@ -1,31 +0,0 @@
-{
-  "name": "auth0-mock-server",
-  "version": "1.0.0",
-  "description": "Helps us to develop locally with seeded data and keep the flow of auth0.",
-  "main": "app.js",
-  "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1",
-    "dev": "nodemon ./app.js",
-    "start": "node ./app.js",
-    "lint:prettier": "prettier --check .",
-    "lint": "yarn lint:prettier",
-    "lintfix": "prettier --write --list-different ."
-  },
-  "author": "",
-  "license": "MIT",
-  "dependencies": {
-    "body-parser": "2.2.1",
-    "cookie-parser": "1.4.7",
-    "cors": "2.8.5",
-    "debug": "4.4.3",
-    "express": "5.2.1",
-    "https-localhost": "4.7.1",
-    "jsonwebtoken": "9.0.3",
-    "node-jose": "2.2.0",
-    "nodemon": "3.1.11",
-    "serve-favicon": "2.5.1"
-  },
-  "devDependencies": {
-    "prettier": "3.7.4"
-  }
-}
@@ -0,0 +1,133 @@
+package store
+
+import (
+	"context"
+	"log/slog"
+	"sync"
+	"time"
+)
+
+const (
+	// SessionTTL is the time-to-live for sessions
+	SessionTTL = 5 * time.Minute
+	// CleanupInterval is how often expired sessions are cleaned up
+	CleanupInterval = 60 * time.Second
+)
+
+// Session represents an OAuth session
+type Session struct {
+	Email         string
+	Password      string
+	State         string
+	Nonce         string
+	ClientID      string
+	CodeChallenge string
+	CodeVerifier  string
+	CustomClaims  []map[string]interface{}
+	CreatedAt     time.Time
+}
+
+// SessionStore provides thread-safe session storage with TTL
+type SessionStore struct {
+	mu         sync.RWMutex
+	sessions   map[string]*Session
+	challenges map[string]string
+	logger     *slog.Logger
+}
+
+// NewSessionStore creates a new session store
+func NewSessionStore(logger *slog.Logger) *SessionStore {
+	return &SessionStore{
+		sessions:   make(map[string]*Session),
+		challenges: make(map[string]string),
+		logger:     logger,
+	}
+}
+
+// Create stores a new session
+func (s *SessionStore) Create(code string, session *Session) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	session.CreatedAt = time.Now()
+	s.sessions[code] = session
+	s.challenges[code] = code
+}
+
+// Get retrieves a session by code
+func (s *SessionStore) Get(code string) (*Session, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	session, ok := s.sessions[code]
+	return session, ok
+}
+
+// Update updates an existing session and optionally re-indexes it
+func (s *SessionStore) Update(oldCode, newCode string, updateFn func(*Session)) bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	session, ok := s.sessions[oldCode]
+	if !ok {
+		return false
+	}
+
+	updateFn(session)
+	session.CreatedAt = time.Now() // Refresh timestamp
+
+	if oldCode != newCode {
+		s.sessions[newCode] = session
+		s.challenges[newCode] = newCode
+		delete(s.sessions, oldCode)
+		delete(s.challenges, oldCode)
+	}
+
+	return true
+}
+
+// Delete removes a session
+func (s *SessionStore) Delete(code string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.sessions, code)
+	delete(s.challenges, code)
+}
+
+// Cleanup removes expired sessions
+func (s *SessionStore) Cleanup() int {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	now := time.Now()
+	cleaned := 0
+
+	for code, session := range s.sessions {
+		if now.Sub(session.CreatedAt) > SessionTTL {
+			delete(s.sessions, code)
+			delete(s.challenges, code)
+			cleaned++
+		}
+	}
+
+	return cleaned
+}
+
+// StartCleanup starts a background goroutine to clean up expired sessions
+func (s *SessionStore) StartCleanup(ctx context.Context) {
+	ticker := time.NewTicker(CleanupInterval)
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				if cleaned := s.Cleanup(); cleaned > 0 {
+					s.logger.Info("cleaned up expired sessions", "count", cleaned)
+				}
+			}
+		}
+	}()
+}
@@ -0,0 +1,161 @@
+package store
+
+import (
+	"log/slog"
+	"os"
+	"testing"
+	"time"
+)
+
+func TestSessionStore_CreateAndGet(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	session := &Session{
+		Email:         "test@example.com",
+		ClientID:      "client-123",
+		CodeChallenge: "challenge-abc",
+	}
+
+	store.Create("code-123", session)
+
+	retrieved, ok := store.Get("code-123")
+	if !ok {
+		t.Fatal("expected to find session")
+	}
+
+	if retrieved.Email != "test@example.com" {
+		t.Errorf("expected email test@example.com, got %s", retrieved.Email)
+	}
+
+	if retrieved.CreatedAt.IsZero() {
+		t.Error("expected CreatedAt to be set")
+	}
+}
+
+func TestSessionStore_Delete(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	session := &Session{Email: "test@example.com"}
+	store.Create("code-123", session)
+
+	store.Delete("code-123")
+
+	_, ok := store.Get("code-123")
+	if ok {
+		t.Error("expected session to be deleted")
+	}
+}
+
+func TestSessionStore_Update(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	session := &Session{
+		Email: "test@example.com",
+		Nonce: "old-nonce",
+	}
+	store.Create("old-code", session)
+
+	// Update and re-index
+	ok := store.Update("old-code", "new-code", func(s *Session) {
+		s.Nonce = "new-nonce"
+	})
+
+	if !ok {
+		t.Fatal("expected update to succeed")
+	}
+
+	// Old code should not exist
+	_, ok = store.Get("old-code")
+	if ok {
+		t.Error("expected old code to be removed")
+	}
+
+	// New code should exist
+	retrieved, ok := store.Get("new-code")
+	if !ok {
+		t.Fatal("expected to find session with new code")
+	}
+
+	if retrieved.Nonce != "new-nonce" {
+		t.Errorf("expected nonce new-nonce, got %s", retrieved.Nonce)
+	}
+}
+
+func TestSessionStore_UpdateSameCode(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	session := &Session{
+		Email: "test@example.com",
+		Nonce: "old-nonce",
+	}
+	store.Create("code-123", session)
+
+	originalTime := session.CreatedAt
+	time.Sleep(10 * time.Millisecond)
+
+	// Update without re-indexing
+	store.Update("code-123", "code-123", func(s *Session) {
+		s.Nonce = "new-nonce"
+	})
+
+	retrieved, _ := store.Get("code-123")
+	if retrieved.Nonce != "new-nonce" {
+		t.Errorf("expected nonce new-nonce, got %s", retrieved.Nonce)
+	}
+
+	// CreatedAt should be refreshed
+	if !retrieved.CreatedAt.After(originalTime) {
+		t.Error("expected CreatedAt to be refreshed")
+	}
+}
+
+func TestSessionStore_UpdateNotFound(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	ok := store.Update("nonexistent", "new-code", func(s *Session) {})
+	if ok {
+		t.Error("expected update to fail for nonexistent session")
+	}
+}
+
+func TestSessionStore_Cleanup(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	store := NewSessionStore(logger)
+
+	// Create an expired session
+	session := &Session{Email: "test@example.com"}
+	store.Create("code-123", session)
+
+	// Manually set CreatedAt to expired time
+	store.mu.Lock()
+	store.sessions["code-123"].CreatedAt = time.Now().Add(-10 * time.Minute)
+	store.mu.Unlock()
+
+	// Create a valid session
+	validSession := &Session{Email: "valid@example.com"}
+	store.Create("code-456", validSession)
+
+	// Run cleanup
+	cleaned := store.Cleanup()
+
+	if cleaned != 1 {
+		t.Errorf("expected 1 session cleaned, got %d", cleaned)
+	}
+
+	// Expired session should be gone
+	_, ok := store.Get("code-123")
+	if ok {
+		t.Error("expected expired session to be cleaned up")
+	}
+
+	// Valid session should still exist
+	_, ok = store.Get("code-456")
+	if !ok {
+		t.Error("expected valid session to still exist")
+	}
+}
@@ -0,0 +1,128 @@
+package store
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"sync"
+)
+
+// User represents a user in the system
+type User struct {
+	Email      string `json:"email"`
+	GivenName  string `json:"given_name"`
+	FamilyName string `json:"family_name"`
+	UserID     string `json:"user_id"`
+	Picture    string `json:"picture,omitempty"`
+}
+
+// UserStore provides thread-safe user storage
+type UserStore struct {
+	mu    sync.RWMutex
+	users map[string]*User
+}
+
+// NewUserStore creates a new user store
+func NewUserStore() *UserStore {
+	return &UserStore{
+		users: make(map[string]*User),
+	}
+}
+
+// LoadFromFile loads users from a JSON file
+func (s *UserStore) LoadFromFile(path string) error {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil // File doesn't exist, start with empty store
+		}
+		return fmt.Errorf("read users file: %w", err)
+	}
+
+	var rawUsers map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawUsers); err != nil {
+		return fmt.Errorf("parse users file: %w", err)
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	for email, raw := range rawUsers {
+		var user User
+		if err := json.Unmarshal(raw, &user); err != nil {
+			return fmt.Errorf("parse user %s: %w", email, err)
+		}
+		user.Email = email // Ensure email is set
+		if user.UserID == "" {
+			user.UserID = email
+		}
+		s.users[email] = &user
+	}
+
+	return nil
+}
+
+// GetByEmail retrieves a user by email
+func (s *UserStore) GetByEmail(email string) (*User, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	user, ok := s.users[email]
+	if !ok {
+		return nil, false
+	}
+	// Return a copy to prevent external modification
+	userCopy := *user
+	return &userCopy, true
+}
+
+// Create adds a new user
+func (s *UserStore) Create(email string, user *User) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	user.Email = email
+	if user.UserID == "" {
+		user.UserID = email
+	}
+	s.users[email] = user
+}
+
+// Update modifies an existing user
+func (s *UserStore) Update(email string, updates *User) (*User, bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	existing, ok := s.users[email]
+	if !ok {
+		return nil, false
+	}
+
+	// Apply updates (only non-empty fields)
+	if updates.GivenName != "" {
+		existing.GivenName = updates.GivenName
+	}
+	if updates.FamilyName != "" {
+		existing.FamilyName = updates.FamilyName
+	}
+	if updates.Picture != "" {
+		existing.Picture = updates.Picture
+	}
+
+	// Return a copy
+	userCopy := *existing
+	return &userCopy, true
+}
+
+// List returns all users
+func (s *UserStore) List() []*User {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	users := make([]*User, 0, len(s.users))
+	for _, user := range s.users {
+		userCopy := *user
+		users = append(users, &userCopy)
+	}
+	return users
+}
@@ -1,18 +0,0 @@
-const fs = require('fs')
-
-const setup = (usersFile) => {
-  let users = {}
-  if (fs.existsSync(usersFile)) {
-    console.log(`initial users file "${usersFile}" exists, reading`)
-    const read = fs.readFileSync(usersFile, { encoding: 'utf8', flag: 'r' })
-    users = JSON.parse(read)
-    for (let key of Object.keys(users)) {
-      users[key] = { ...users[key], email: key }
-    }
-    console.log('users:', users)
-  } else {
-    console.log(`initial users file "${usersFile}" missing`)
-  }
-  return users
-}
-module.exports = setup
Author	SHA1	Message	Date
argoyle	d8022f79d9	Merge pull request 'chore(release): prepare for 0.7.1' (#244 ) from next-release into main Release / release (push) Successful in 46s Details auth0mock / build (push) Successful in 1m5s Details Reviewed-on: #244	2026-01-13 16:51:52 +00:00
releaser	d70b97b415	chore(release): prepare for 0.7.1 auth0mock / build (pull_request) Successful in 1m3s Details	2026-01-13 16:35:49 +00:00
releaser	c3b0c8d1a7	chore(release): prepare for 0.7.1	2026-01-13 16:35:44 +00:00
argoyle	7c650e7a65	Merge pull request 'fix: change CI tag pattern to match all tags' (#243 ) from fix/ci-tag-pattern into main auth0mock / build (push) Successful in 2m21s Details Release / release (push) Successful in 1m43s Details Reviewed-on: #243	2026-01-13 16:32:57 +00:00
argoyle	17e661fb96	fix: change CI tag pattern to match all tags auth0mock / build (pull_request) Successful in 1m15s Details	2026-01-13 17:20:50 +01:00
argoyle	9be6275047	Merge pull request 'chore(release): prepare for 0.7.0' (#240 ) from next-release into main Release / release (push) Successful in 33s Details auth0mock / build (push) Successful in 1m1s Details Reviewed-on: #240	2026-01-13 15:03:15 +00:00
releaser	231e864b41	chore(release): prepare for 0.7.0 auth0mock / build (pull_request) Successful in 59s Details	2026-01-13 15:01:00 +00:00
releaser	f6a58358c7	chore(release): prepare for 0.7.0	2026-01-13 15:00:49 +00:00
releaser	5ca6b9f528	chore(release): prepare for 0.6.1 auth0mock / build (pull_request) Successful in 1m7s Details	2026-01-13 14:57:44 +00:00
releaser	9945b98c6d	chore(release): prepare for 0.6.1	2026-01-13 14:57:44 +00:00
releaser	8e4b6598fd	chore(release): prepare for 0.6.1	2026-01-13 14:57:44 +00:00
argoyle	581e325b7f	Merge pull request 'feat: add tag trigger for CI build and push' (#242 ) from feat/ci-build-on-tags into main auth0mock / build (push) Successful in 1m4s Details Release / release (push) Successful in 57s Details Reviewed-on: #242	2026-01-13 14:56:18 +00:00
argoyle	0d7be1c47e	feat: add tag trigger for CI build and push auth0mock / build (pull_request) Successful in 1m11s Details	2026-01-13 15:50:09 +01:00
renovate	6c52b7b084	chore(deps): update golang:1.25 docker digest to 0f406d3 (#241 ) Release / release (push) Failing after 1m32s Details auth0mock / build (push) Successful in 5m53s Details	2026-01-13 07:09:07 +00:00
renovate	58c0e1f9d1	fix(deps): update module github.com/lestrrat-go/jwx/v3 to v3.0.13 (#239 ) Release / release (push) Successful in 1m18s Details auth0mock / build (push) Successful in 1m46s Details	2026-01-12 07:06:53 +00:00
renovate	34e19d6f74	chore(deps): update gcr.io/distroless/static-debian12 docker digest to cd64bec (#238 ) Release / release (push) Successful in 49s Details auth0mock / build (push) Successful in 1m14s Details	2026-01-11 22:03:16 +00:00
argoyle	edef584a85	Merge pull request 'chore(release): prepare for 0.6.0' (#237 ) from next-release into main Release / release (push) Successful in 30s Details auth0mock / build (push) Successful in 2m17s Details Reviewed-on: #237	2026-01-09 16:13:13 +00:00
releaser	28135f06d6	chore(release): prepare for 0.6.0 auth0mock / build (pull_request) Successful in 1m45s Details	2026-01-09 16:10:21 +00:00
releaser	5079c57a05	chore(release): prepare for 0.6.0	2026-01-09 16:10:15 +00:00
argoyle	241309537a	Merge pull request 'feat: add release workflow using shared workflow' (#236 ) from feat/add-release-workflow into main Release / release (push) Successful in 1m13s Details auth0mock / build (push) Successful in 1m26s Details Reviewed-on: #236	2026-01-09 16:09:17 +00:00
argoyle	bcbe17f010	feat: add release workflow using shared workflow auth0mock / build (pull_request) Successful in 2m4s Details	2026-01-09 16:56:10 +01:00
argoyle	0bf64d97bf	Merge pull request 'fix: remove incorrect digest pinning from image reference' (#235 ) from fix/remove-digest-pinning into main auth0mock / build (push) Successful in 6m39s Details Reviewed-on: #235	2026-01-09 12:01:31 +00:00
argoyle	941b2b4158	fix: remove incorrect digest pinning from image reference auth0mock / build (pull_request) Successful in 4m29s Details	2026-01-09 11:56:10 +01:00
renovate	6533f064d5	chore(deps): update oci.unbound.se/unboundsoftware/auth0mock docker digest to c9d60b4 (#234 ) auth0mock / build (push) Successful in 2m3s Details	2026-01-09 09:01:47 +00:00
renovate	64e0405e68	chore(deps): pin dependencies (#233 ) auth0mock / build (push) Successful in 5m27s Details	2026-01-09 08:01:09 +00:00
argoyle	ec3ea75db5	Merge pull request 'chore(deps): update actions/checkout action to v6' (#232 ) from renovate/actions-checkout-6.x into main auth0mock / build (push) Successful in 1m30s Details Reviewed-on: #232	2026-01-08 15:06:22 +00:00
renovate	ce6c0e3d93	chore(deps): update actions/checkout action to v6 auth0mock / build (pull_request) Successful in 1m3s Details	2026-01-08 15:00:48 +00:00
argoyle	a93952408b	Merge pull request 'feat: migrate from GitLab CI to Gitea Actions' (#231 ) from feat/gitea-migration into main auth0mock / build (push) Successful in 2m33s Details Reviewed-on: #231	2026-01-08 14:02:59 +00:00
argoyle	0db830b3b1	feat: migrate from GitLab CI to Gitea Actions auth0mock / build (pull_request) Successful in 1m17s Details	2026-01-08 14:42:25 +01:00
argoyle	64cfb98016	Merge branch 'renovate/golang-1.25' into 'main' chore(deps): update golang:1.25 docker digest to 6cc2338 See merge request unboundsoftware/auth0mock!225	2026-01-03 14:51:37 +01:00
Renovate	222b5aaafb	chore(deps): update golang:1.25 docker digest to 6cc2338	2026-01-02 22:02:04 +00:00
argoyle	773c6acc1b	Merge branch 'renovate/golang-1.25' into 'main' chore(deps): update golang:1.25 docker digest to 31c1e53 See merge request unboundsoftware/auth0mock!224	2025-12-30 16:01:27 +01:00
Renovate	be19c98a02	chore(deps): update golang:1.25 docker digest to 31c1e53	2025-12-30 13:01:43 +00:00
argoyle	4b04ca638f	Merge branch 'next-release' into 'main' chore(release): prepare for 0.5.1 See merge request unboundsoftware/auth0mock!223	2025-12-29 19:12:22 +01:00
Unbound Release	f6171bb2c1	chore(release): prepare for 0.5.1	2025-12-29 19:12:22 +01:00
argoyle	84f3ce58b4	Merge branch 'renovate/github.com-lestrrat-go-jwx-v2-3.x' into 'main' fix(deps): update module github.com/lestrrat-go/jwx/v2 to v3 See merge request unboundsoftware/auth0mock!222	2025-12-29 17:16:41 +01:00
Renovate	058c818246	fix(deps): update module github.com/lestrrat-go/jwx/v2 to v3	2025-12-29 17:15:10 +01:00
argoyle	c951b8b2a6	Merge branch 'renovate/golang-1.x' into 'main' chore(deps): update golang docker tag to v1.25 See merge request unboundsoftware/auth0mock!221	2025-12-29 17:05:37 +01:00
Renovate	20f643451b	chore(deps): update golang docker tag to v1.25	2025-12-29 16:03:34 +00:00
argoyle	7dc063d57e	Merge branch 'next-release' into 'main' chore(release): prepare for 0.5.0 See merge request unboundsoftware/auth0mock!219	2025-12-29 16:54:06 +01:00
Unbound Release	0789e3e3fb	chore(release): prepare for 0.5.0	2025-12-29 16:54:06 +01:00
argoyle	0e85cfff29	Merge branch 'migrate-auth0mock-node-go' into 'main' feat: migrate auth0mock from Node.js to Go See merge request unboundsoftware/auth0mock!218	2025-12-29 16:49:36 +01:00
argoyle	9992fb4ef1	feat: migrate auth0mock from Node.js to Go Refactor the application to a Go-based architecture for improved performance and maintainability. Replace the Dockerfile to utilize a multi-stage build process, enhancing image efficiency. Implement comprehensive session store tests to ensure reliability and create new OAuth handlers for managing authentication efficiently. Update documentation to reflect these structural changes.	2025-12-29 16:30:37 +01:00
argoyle	96453e1d15	Merge branch 'next-release' into 'main' chore(release): prepare for 0.4.0 See merge request unboundsoftware/auth0mock!217	2025-12-29 13:19:27 +01:00
Unbound Release	fd4f9c4052	chore(release): prepare for 0.4.0	2025-12-29 13:19:26 +01:00
argoyle	ce5fd95bed	Merge branch 'feat/session-expiration-cleanup' into 'main' feat(session-cleanup): implement session expiration cleanup See merge request unboundsoftware/auth0mock!216	2025-12-29 13:17:53 +01:00
argoyle	972cf3ba45	feat(session-cleanup): implement session expiration cleanup adds a cleanup mechanism for expired sessions to prevent memory leaks by deleting sessions and challenges that exceed the defined TTL. Each session is assigned a creation timestamp, which is updated upon activity, and the cleanup process runs every minute to maintain optimal memory usage.	2025-12-29 13:14:46 +01:00