refactor(api): ♻️ Rewrite full authentication code to go OpenID-only

2025-12-06 08:28:19 +01:00 · 2025-08-21 00:45:58 +02:00 · 2025-08-21 00:45:58 +02:00 · 4c430426d3
parent 132a3ed5ea
commit 4c430426d3
39 changed files with 3076 additions and 2009 deletions
--- a/bun.lock
+++ b/bun.lock
@ -39,7 +39,6 @@
        "ioredis": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "linkify-html": "catalog:",
        "linkify-string": "catalog:",
        "linkifyjs": "catalog:",
@ -51,7 +50,6 @@
        "markdown-it-toc-done-right": "catalog:",
        "mime-types": "catalog:",
        "mitata": "catalog:",
        "oauth4webapi": "catalog:",
        "ora": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
@ -108,8 +106,7 @@
        "hono-rate-limiter": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
-        "jose": "catalog:",
+        "openid-client": "catalog:",
        "oauth4webapi": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
        "string-comparison": "catalog:",
@ -270,7 +267,6 @@
    "ioredis": "^5.6.1",
    "ip-matching": "^2.1.2",
    "iso-639-1": "^3.1.5",
    "jose": "^6.0.11",
    "linkify-html": "^4.3.1",
    "linkify-string": "^4.3.1",
    "linkifyjs": "^4.3.1",
@ -284,7 +280,7 @@
    "mime-types": "^3.0.1",
    "mitata": "^1.0.34",
    "mitt": "^3.0.1",
-    "oauth4webapi": "^3.5.5",
+    "openid-client": "^6.6.3",
    "ora": "^8.2.0",
    "qs": "^6.14.0",
    "sharp": "^0.34.2",
@ -1133,7 +1129,7 @@
    "jake": ["jake@10.9.2", "", { "dependencies": { "async": "^3.2.3", "chalk": "^4.0.2", "filelist": "^1.0.4", "minimatch": "^3.1.2" }, "bin": { "jake": "bin/cli.js" } }, "sha512-2P4SQ0HrLQ+fw6llpLnOaGAvN2Zu6778SJMrCUwns4fOoG9ayrTiZk3VV8sCPkVZF8ab0zksVpS8FDY5pRCNBA=="],
-    "jose": ["jose@6.0.11", "", {}, "sha512-QxG7EaliDARm1O1S8BGakqncGT9s25bKL1WSf6/oa17Tkqwi8D2ZNglqCF+DsYF88/rV66Q/Q2mFAy697E1DUg=="],
+    "jose": ["jose@6.0.12", "", {}, "sha512-T8xypXs8CpmiIi78k0E+Lk7T2zlK4zDyg+o1CZ4AkOHgDg98ogdP2BeZ61lTFKFyoEwJ9RgAgN+SdM3iPgNonQ=="],
    "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
@ -1277,7 +1273,7 @@
    "nth-check": ["nth-check@2.1.1", "", { "dependencies": { "boolbase": "^1.0.0" } }, "sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w=="],
-    "oauth4webapi": ["oauth4webapi@3.5.5", "", {}, "sha512-1K88D2GiAydGblHo39NBro5TebGXa+7tYoyIbxvqv3+haDDry7CBE1eSYuNbOSsYCCU6y0gdynVZAkm4YPw4hg=="],
+    "oauth4webapi": ["oauth4webapi@3.6.2", "", {}, "sha512-hwWLiyBYuqhVdcIUJMJVKdEvz+DCweOcbSfqDyIv9PuUwrNfqrzfHP2bypZgZdbYOS67QYqnAnvZa2BJwBBrHw=="],
    "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="],
@ -1287,6 +1283,8 @@
    "openapi-types": ["openapi-types@12.1.3", "", {}, "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw=="],
    "openid-client": ["openid-client@6.6.3", "", { "dependencies": { "jose": "^6.0.12", "oauth4webapi": "^3.6.1" } }, "sha512-sYYFJsyN21bjf/QepIU/t6w22tEUT+rYVPf1VZOSQwC+s1hAkyZpvAbFNLMrnrYMS/H74MctEHna2jPLvWbkCA=="],
    "ora": ["ora@8.2.0", "", { "dependencies": { "chalk": "^5.3.0", "cli-cursor": "^5.0.0", "cli-spinners": "^2.9.2", "is-interactive": "^2.0.0", "is-unicode-supported": "^2.0.0", "log-symbols": "^6.0.0", "stdin-discarder": "^0.2.2", "string-width": "^7.2.0", "strip-ansi": "^7.1.0" } }, "sha512-weP+BZ8MVNnlCm8c0Qdc1WSWq4Qn7I+9CJGm7Qali6g44e/PUzbjNqJX5NJ9ljlNMosfJvg1fKEGILklK9cwnw=="],
    "package-json-from-dist": ["package-json-from-dist@1.0.1", "", {}, "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw=="],
--- a/cli/user/token.ts
+++ b/cli/user/token.ts
@ -1,4 +1,4 @@
-import { Token } from "@versia-server/kit/db";
+import { Application, Token } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import chalk from "chalk";
 // @ts-expect-error - Root import is required or the Clec type definitions won't work
@ -22,13 +22,24 @@ export const generateTokenCommand = defineCommand(
            throw new Error(`User ${chalk.gray(username)} not found.`);
        }
        const application = await Application.insert({
            id:
                user.id +
                Buffer.from(
                    crypto.getRandomValues(new Uint8Array(32)),
                ).toString("base64"),
            name: "Versia",
            redirectUris: [],
            scopes: ["openid", "profile", "email"],
            secret: "",
        });
        const token = await Token.insert({
            id: randomUUIDv7(),
            accessToken: randomString(64, "base64url"),
-            code: null,
+            scopes: ["read", "write", "follow"],
            scope: "read write follow",
            tokenType: "Bearer",
            userId: user.id,
            clientId: application.id,
        });
        console.info(
--- a/drizzle.config.ts
+++ b/drizzle.config.ts
@ -1,4 +1,4 @@
-import { config } from "@versia-server/config";
+//import { config } from "@versia-server/config";
 import type { Config } from "drizzle-kit";
 /**
@ -7,19 +7,19 @@ import type { Config } from "drizzle-kit";
 */
 export default {
    dialect: "postgresql",
-    out: "./drizzle/migrations",
+    out: "./packages/kit/tables/migrations",
-    schema: "./drizzle/schema.ts",
+    schema: "./packages/kit/tables/schema.ts",
    dbCredentials: {
-        /* host: "localhost",
+        host: "localhost",
        port: 40000,
        user: "lysand",
        password: "lysand",
-        database: "lysand", */
+        database: "lysand",
-        host: config.postgres.host,
+        /* host: config.postgres.host,
        port: config.postgres.port,
        user: config.postgres.username,
        password: config.postgres.password,
-        database: config.postgres.database,
+        database: config.postgres.database, */
    },
    // Print all statements
    verbose: true,
--- a/package.json
+++ b/package.json
@ -58,6 +58,7 @@
            "@logtape/otel": "^1.0.0",
            "@scalar/hono-api-reference": "^0.9.7",
            "@sentry/bun": "^9.35.0",
            "openid-client": "^6.6.3",
            "altcha-lib": "^1.3.0",
            "blurhash": "^2.0.5",
            "bullmq": "^5.56.1",
@ -73,7 +74,6 @@
            "ioredis": "^5.6.1",
            "ip-matching": "^2.1.2",
            "iso-639-1": "^3.1.5",
            "jose": "^6.0.11",
            "linkify-html": "^4.3.1",
            "linkify-string": "^4.3.1",
            "linkifyjs": "^4.3.1",
@ -85,7 +85,6 @@
            "markdown-it-toc-done-right": "^4.2.0",
            "mime-types": "^3.0.1",
            "mitata": "^1.0.34",
            "oauth4webapi": "^3.5.5",
            "ora": "^8.2.0",
            "qs": "^6.14.0",
            "sharp": "^0.34.2",
@ -191,7 +190,6 @@
        "ioredis": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "linkify-html": "catalog:",
        "linkify-string": "catalog:",
        "linkifyjs": "catalog:",
@ -203,7 +201,6 @@
        "markdown-it-toc-done-right": "catalog:",
        "mime-types": "catalog:",
        "mitata": "catalog:",
        "oauth4webapi": "catalog:",
        "ora": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -55,6 +55,7 @@
        "@versia-server/logging": "workspace:*",
        "@versia/client": "workspace:*",
        "@versia/sdk": "workspace:*",
        "openid-client": "catalog:",
        "youch": "catalog:",
        "hono": "catalog:",
        "hono-openapi": "catalog:",
@ -66,7 +67,6 @@
        "unicode-emoji-json": "catalog:",
        "sharp": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "zod-openapi": "catalog:",
        "@scalar/hono-api-reference": "catalog:",
        "hono-rate-limiter": "catalog:",
@ -75,7 +75,6 @@
        "altcha-lib": "catalog:",
        "@hono/standard-validator": "catalog:",
        "zod-validation-error": "catalog:",
-        "confbox": "catalog:",
+        "confbox": "catalog:"
        "oauth4webapi": "catalog:"
    }
 }
--- a/packages/api/plugins/openid/errors.ts
+++ b/packages/api/plugins/openid/errors.ts
@ -1,45 +0,0 @@
 import type { Context, TypedResponse } from "hono";
 export const errors = {
    InvalidJWT: ["invalid_request", "Invalid JWT: could not verify"],
    MissingJWTFields: [
        "invalid_request",
        "Invalid JWT: missing required fields (aud, sub, exp, iss)",
    ],
    InvalidSub: ["invalid_request", "Invalid JWT: sub is not a valid user ID"],
    UserNotFound: [
        "invalid_request",
        "Invalid JWT, could not find associated user",
    ],
    MissingOauthPermission: [
        "unauthorized",
        "User missing required 'oauth' permission",
    ],
    MissingApplication: [
        "invalid_request",
        "Invalid client_id: no associated API application found",
    ],
    InvalidRedirectUri: [
        "invalid_request",
        "Invalid redirect_uri: does not match API application's redirect_uri",
    ],
    InvalidScope: [
        "invalid_request",
        "Invalid scope: not a subset of the application's scopes",
    ],
 };
 export const errorRedirect = (
    context: Context,
    error: (typeof errors)[keyof typeof errors],
    extraParams?: URLSearchParams,
 ): Response & TypedResponse<undefined, 302, "redirect"> => {
    const errorSearchParams = new URLSearchParams(extraParams);
    errorSearchParams.append("error", error[0]);
    errorSearchParams.append("error_description", error[1]);
    return context.redirect(
        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
    );
 };
--- a/packages/api/plugins/openid/utils.ts
+++ b/packages/api/plugins/openid/utils.ts
@ -1,217 +0,0 @@
 import { type Application, db } from "@versia-server/kit/db";
 import type { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { eq, type InferSelectModel, type SQL } from "drizzle-orm";
 import {
    type AuthorizationResponseError,
    type AuthorizationServer,
    authorizationCodeGrantRequest,
    ClientSecretPost,
    discoveryRequest,
    expectNoState,
    getValidatedIdTokenClaims,
    processAuthorizationCodeResponse,
    processDiscoveryResponse,
    processUserInfoResponse,
    type ResponseBodyError,
    type TokenEndpointResponse,
    type UserInfoResponse,
    userInfoRequest,
    validateAuthResponse,
 } from "oauth4webapi";
 export const oauthDiscoveryRequest = (
    issuerUrl: URL,
 ): Promise<AuthorizationServer> => {
    return discoveryRequest(issuerUrl, {
        algorithm: "oidc",
    }).then((res) => processDiscoveryResponse(issuerUrl, res));
 };
 export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
    new URL(`/oauth/sso/${issuer}/callback`, baseUrl);
 const getFlow = (
    flowId: string,
 ): Promise<
    | (InferSelectModel<typeof OpenIdLoginFlows> & {
          application?: typeof Application.$type | null;
      })
    | undefined
 > => {
    return db.query.OpenIdLoginFlows.findFirst({
        where: (flow): SQL | undefined => eq(flow.id, flowId),
        with: {
            application: true,
        },
    });
 };
 const getAuthServer = (issuerUrl: URL): Promise<AuthorizationServer> => {
    return discoveryRequest(issuerUrl, {
        algorithm: "oidc",
    }).then((res) => processDiscoveryResponse(issuerUrl, res));
 };
 const getParameters = (
    authServer: AuthorizationServer,
    clientId: string,
    currentUrl: URL,
 ): URLSearchParams => {
    return validateAuthResponse(
        authServer,
        {
            client_id: clientId,
        },
        currentUrl,
        expectNoState,
    );
 };
 const getOIDCResponse = (
    authServer: AuthorizationServer,
    clientId: string,
    clientSecret: string,
    redirectUri: URL,
    codeVerifier: string,
    parameters: URLSearchParams,
 ): Promise<Response> => {
    return authorizationCodeGrantRequest(
        authServer,
        {
            client_id: clientId,
        },
        ClientSecretPost(clientSecret),
        parameters,
        redirectUri.toString(),
        codeVerifier,
    );
 };
 const processOIDCResponse = (
    authServer: AuthorizationServer,
    clientId: string,
    oidcResponse: Response,
 ): Promise<TokenEndpointResponse> => {
    return processAuthorizationCodeResponse(
        authServer,
        {
            client_id: clientId,
        },
        oidcResponse,
    );
 };
 const getUserInfo = (
    authServer: AuthorizationServer,
    clientId: string,
    accessToken: string,
    sub: string,
 ): Promise<UserInfoResponse> => {
    return userInfoRequest(
        authServer,
        {
            client_id: clientId,
        },
        accessToken,
    ).then(
        async (res) =>
            await processUserInfoResponse(
                authServer,
                {
                    client_id: clientId,
                },
                sub,
                res,
            ),
    );
 };
 export const automaticOidcFlow = async (
    issuer: {
        url: string;
        client_id: string;
        client_secret: string;
    },
    flowId: string,
    currentUrl: URL,
    redirectUrl: URL,
    errorFn: (
        error: string,
        message: string,
        flow:
            | (InferSelectModel<typeof OpenIdLoginFlows> & {
                  application?: typeof Application.$type | null;
              })
            | null,
    ) => Response,
 ): Promise<
    | Response
    | {
          userInfo: UserInfoResponse;
          flow: InferSelectModel<typeof OpenIdLoginFlows> & {
              application?: typeof Application.$type | null;
          };
          claims: Record<string, unknown>;
      }
 > => {
    const flow = await getFlow(flowId);
    if (!flow) {
        return errorFn("invalid_request", "Invalid flow", null);
    }
    try {
        const issuerUrl = new URL(issuer.url);
        const authServer = await getAuthServer(issuerUrl);
        const parameters = getParameters(
            authServer,
            issuer.client_id,
            currentUrl,
        );
        const oidcResponse = await getOIDCResponse(
            authServer,
            issuer.client_id,
            issuer.client_secret,
            redirectUrl,
            flow.codeVerifier,
            parameters,
        );
        const result = await processOIDCResponse(
            authServer,
            issuer.client_id,
            oidcResponse,
        );
        const { access_token } = result;
        const claims = getValidatedIdTokenClaims(result);
        if (!claims) {
            return errorFn("invalid_request", "Invalid claims", flow);
        }
        const { sub } = claims;
        // Validate `sub`
        // Later, we'll use this to automatically set the user's data
        const userInfo = await getUserInfo(
            authServer,
            issuer.client_id,
            access_token,
            sub,
        );
        return {
            userInfo,
            flow,
            claims,
        };
    } catch (e) {
        const error = e as ResponseBodyError | AuthorizationResponseError;
        return errorFn(error.error, error.error_description || "", flow);
    }
 };
--- a/packages/api/routes/api/auth/login/index.test.ts
+++ b/packages/api/routes/api/auth/login/index.test.ts
@ -2,19 +2,17 @@ import { afterAll, describe, expect, test } from "bun:test";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { randomString } from "@/math";
 const { users, deleteUsers, passwords } = await getTestUsers(1);
 // Create application
 const application = await Application.insert({
-    id: randomUUIDv7(),
+    id: randomString(32, "hex"),
    name: "Test Application",
    clientId: randomString(32, "hex"),
    secret: "test",
-    redirectUri: "https://example.com",
+    redirectUris: ["https://example.com"],
-    scopes: "read write",
+    scopes: ["read", "write"],
 });
 afterAll(async () => {
@ -31,7 +29,7 @@ describe("/api/auth/login", () => {
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
-            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
+            `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
@ -47,7 +45,7 @@ describe("/api/auth/login", () => {
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
-            application.data.clientId,
+            application.data.id,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
@ -65,7 +63,7 @@ describe("/api/auth/login", () => {
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
-            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
+            `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
@ -81,7 +79,7 @@ describe("/api/auth/login", () => {
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
-            application.data.clientId,
+            application.data.id,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
@ -99,7 +97,7 @@ describe("/api/auth/login", () => {
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
-            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write&state=abc`,
+            `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write&state=abc`,
            {
                method: "POST",
                body: formData,
@ -115,7 +113,7 @@ describe("/api/auth/login", () => {
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
-            application.data.clientId,
+            application.data.id,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
@ -136,7 +134,7 @@ describe("/api/auth/login", () => {
            formData.append("password", "password");
            const response = await fakeRequest(
-                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
+                `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
@ -169,7 +167,7 @@ describe("/api/auth/login", () => {
            formData.append("password", "password");
            const response = await fakeRequest(
-                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
+                `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
                    body: formData,
@ -201,7 +199,7 @@ describe("/api/auth/login", () => {
            formData.append("password", "password");
            const response = await fakeRequest(
-                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
+                `/api/auth/login?client_id=${application.data.id}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
                    body: formData,
--- a/packages/api/routes/api/auth/login/index.ts
+++ b/packages/api/routes/api/auth/login/index.ts
@ -7,8 +7,8 @@ import { password as bunPassword } from "bun";
 import { eq, or } from "drizzle-orm";
 import type { Context } from "hono";
 import { setCookie } from "hono/cookie";
 import { sign } from "hono/jwt";
 import { describeRoute, validator } from "hono-openapi";
 import { SignJWT } from "jose";
 import { z } from "zod/v4";
 const returnError = (
@ -144,16 +144,17 @@ export default apiRoute((app) =>
            }
            // Generate JWT
-            const jwt = await new SignJWT({
+            const jwt = await sign(
                {
                    sub: user.id,
                    iss: config.http.base_url.origin,
                    aud: client_id,
                    exp: Math.floor(Date.now() / 1000) + 60 * 60,
                    iat: Math.floor(Date.now() / 1000),
                    nbf: Math.floor(Date.now() / 1000),
-            })
+                },
-                .setProtectedHeader({ alg: "EdDSA" })
+                config.authentication.keys.private,
-                .sign(config.authentication.keys.private);
+            );
            const application = await Application.fromClientId(client_id);
--- a/packages/api/routes/api/auth/redirect/index.ts
+++ b/packages/api/routes/api/auth/redirect/index.ts
@ -1,75 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { db } from "@versia-server/kit/db";
 import { Applications, Tokens } from "@versia-server/kit/tables";
 import { and, eq } from "drizzle-orm";
 import { describeRoute, validator } from "hono-openapi";
 import { z } from "zod/v4";
 /**
 * OAuth Code flow
 */
 export default apiRoute((app) =>
    app.get(
        "/api/auth/redirect",
        describeRoute({
            summary: "OAuth Code flow",
            description:
                "Redirects to the application, or back to login if the code is invalid",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirects to the application, or back to login if the code is invalid",
                },
            },
        }),
        validator(
            "query",
            z.object({
                redirect_uri: z.url(),
                client_id: z.string(),
                code: z.string(),
            }),
            handleZodError,
        ),
        async (context) => {
            const { redirect_uri, client_id, code } =
                context.req.valid("query");
            const redirectToLogin = (error: string): Response =>
                context.redirect(
                    `${config.frontend.routes.login}?${new URLSearchParams({
                        ...context.req.query,
                        error: encodeURIComponent(error),
                    }).toString()}`,
                );
            const foundToken = await db
                .select()
                .from(Tokens)
                .leftJoin(
                    Applications,
                    eq(Tokens.applicationId, Applications.id),
                )
                .where(
                    and(
                        eq(Tokens.code, code),
                        eq(Applications.clientId, client_id),
                    ),
                )
                .limit(1);
            if (!foundToken || foundToken.length <= 0) {
                return redirectToLogin("Invalid code");
            }
            // Redirect back to application
            return context.redirect(
                `${redirect_uri}?${new URLSearchParams({
                    code,
                }).toString()}`,
            );
        },
    ),
 );
--- a/packages/api/routes/api/auth/reset/index.test.ts
+++ b/packages/api/routes/api/auth/reset/index.test.ts
@ -1,124 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { randomString } from "@/math";
 const { users, deleteUsers, passwords } = await getTestUsers(1);
 const token = randomString(32, "hex");
 const newPassword = randomString(16, "hex");
 // Create application
 const application = await Application.insert({
    id: randomUUIDv7(),
    name: "Test Application",
    clientId: randomString(32, "hex"),
    secret: "test",
    redirectUri: "https://example.com",
    scopes: "read write",
 });
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
 });
 // /api/auth/reset
 describe("/api/auth/reset", () => {
    test("should login with normal password", async () => {
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.username ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
    });
    test("should reset password and refuse login with old password", async () => {
        await users[0]?.update({
            passwordResetToken: token,
        });
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.username ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/reset");
        expect(locationHeader.searchParams.get("token")).toBe(token);
    });
    test("should reset password and login with new password", async () => {
        const formData = new FormData();
        formData.append("token", token);
        formData.append("password", newPassword);
        formData.append("password2", newPassword);
        const response = await fakeRequest("/api/auth/reset", {
            method: "POST",
            body: formData,
        });
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const loginFormData = new FormData();
        loginFormData.append("identifier", users[0]?.data.username ?? "");
        loginFormData.append("password", newPassword);
        const loginResponse = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: loginFormData,
            },
        );
        expect(loginResponse.status).toBe(302);
        expect(loginResponse.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            loginResponse.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
            application.data.clientId,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
        );
        expect(locationHeader.searchParams.get("response_type")).toBe("code");
        expect(locationHeader.searchParams.get("scope")).toBe("read write");
        expect(loginResponse.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
    });
 });
--- a/packages/api/routes/api/auth/reset/index.ts
+++ b/packages/api/routes/api/auth/reset/index.ts
@ -1,80 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { User } from "@versia-server/kit/db";
 import { Users } from "@versia-server/kit/tables";
 import { password as bunPassword } from "bun";
 import { eq } from "drizzle-orm";
 import type { Context } from "hono";
 import { describeRoute, validator } from "hono-openapi";
 import { z } from "zod/v4";
 const returnError = (
    context: Context,
    token: string,
    error: string,
    description: string,
 ): Response => {
    const searchParams = new URLSearchParams();
    searchParams.append("error", error);
    searchParams.append("error_description", description);
    searchParams.append("token", token);
    return context.redirect(
        new URL(
            `${
                config.frontend.routes.password_reset
            }?${searchParams.toString()}`,
            config.http.base_url,
        ).toString(),
    );
 };
 export default apiRoute((app) =>
    app.post(
        "/api/auth/reset",
        describeRoute({
            summary: "Reset password",
            description: "Reset password",
            responses: {
                302: {
                    description:
                        "Redirect to the password reset page with a message",
                },
            },
        }),
        validator(
            "form",
            z.object({
                token: z.string().min(1),
                password: z.string().min(3).max(100),
            }),
            handleZodError,
        ),
        async (context) => {
            const { token, password } = context.req.valid("form");
            const user = await User.fromSql(
                eq(Users.passwordResetToken, token),
            );
            if (!user) {
                return returnError(
                    context,
                    token,
                    "invalid_token",
                    "Invalid token",
                );
            }
            await user.update({
                password: await bunPassword.hash(password),
                passwordResetToken: null,
            });
            return context.redirect(
                `${config.frontend.routes.password_reset}?success=true`,
            );
        },
    ),
 );
--- a/packages/api/routes/api/oauth/authorize.test.ts
+++ b/packages/api/routes/api/oauth/authorize.test.ts
@ -1,394 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { SignJWT } from "jose";
 import { randomString } from "@/math";
 const { deleteUsers, tokens, users } = await getTestUsers(1);
 const application = await Application.insert({
    id: randomUUIDv7(),
    clientId: "test-client-id",
    redirectUri: "https://example.com/callback",
    scopes: "openid profile email",
    name: "Test Application",
    secret: "test-secret",
 });
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
 });
 describe("/oauth/authorize", () => {
    test("should authorize and redirect with valid inputs", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(location.origin + location.pathname).toBe(
            application.data.redirectUri,
        );
        expect(params.get("code")).toBeTruthy();
        expect(params.get("state")).toBe("test-state");
    });
    test("should return error for invalid JWT", async () => {
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: "jwt=invalid-jwt",
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: could not verify",
        );
    });
    test("should return error for missing required fields in JWT", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: missing required fields (aud, sub, exp, iss)",
        );
    });
    test("should return error for user not found", async () => {
        const jwt = await new SignJWT({
            sub: "non-existent-user",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: config.http.base_url.origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: sub is not a valid user ID",
        );
        const jwt2 = await new SignJWT({
            sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: config.http.base_url.origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response2 = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt2}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response2.status).toBe(302);
        const location2 = new URL(
            response2.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params2 = new URLSearchParams(location2.search);
        expect(params2.get("error")).toBe("invalid_request");
        expect(params2.get("error_description")).toBe(
            "Invalid JWT, could not find associated user",
        );
    });
    test("should return error for user missing required permissions", async () => {
        const oldPermissions = config.permissions.default;
        config.permissions.default = [];
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("unauthorized");
        expect(params.get("error_description")).toBe(
            `User missing required '${RolePermission.OAuth}' permission`,
        );
        config.permissions.default = oldPermissions;
    });
    test("should return error for invalid client_id", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            aud: "invalid-client-id",
            iss: config.http.base_url.origin,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: "invalid-client-id",
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid client_id: no associated API application found",
        );
    });
    test("should return error for invalid redirect_uri", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: "https://invalid.com/callback",
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid redirect_uri: does not match API application's redirect_uri",
        );
    });
    test("should return error for invalid scope", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: "invalid-scope",
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid scope: not a subset of the application's scopes",
        );
    });
 });
--- a/packages/api/routes/api/oauth/authorize.ts
+++ b/packages/api/routes/api/oauth/authorize.ts
@ -1,277 +0,0 @@
 import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
 import {
    apiRoute,
    auth,
    handleZodError,
    jsonOrForm,
 } from "@versia-server/kit/api";
 import { Application, Token, User } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import { type JWTPayload, jwtVerify, SignJWT } from "jose";
 import { JOSEError } from "jose/errors";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
 import { errorRedirect, errors } from "../../../plugins/openid/errors.ts";
 export default apiRoute((app) =>
    app.post(
        "/oauth/authorize",
        describeRoute({
            summary: "Main OpenID authorization endpoint",
            tags: ["OpenID"],
            responses: {
                302: {
                    description: "Redirect to the application",
                },
            },
        }),
        auth({
            auth: false,
        }),
        jsonOrForm(),
        validator(
            "query",
            z.object({
                prompt: z
                    .enum(["none", "login", "consent", "select_account"])
                    .optional()
                    .default("none"),
                max_age: z.coerce
                    .number()
                    .int()
                    .optional()
                    .default(60 * 60 * 24 * 7),
            }),
            handleZodError,
        ),
        validator(
            "json",
            z
                .object({
                    scope: z.string().optional(),
                    redirect_uri: z
                        .url()
                        .optional()
                        .or(z.literal("urn:ietf:wg:oauth:2.0:oob")),
                    response_type: z.enum([
                        "code",
                        "token",
                        "none",
                        "id_token",
                        "code id_token",
                        "code token",
                        "token id_token",
                        "code token id_token",
                    ]),
                    client_id: z.string(),
                    state: z.string().optional(),
                    code_challenge: z.string().optional(),
                    code_challenge_method: z.enum(["plain", "S256"]).optional(),
                })
                .refine(
                    // Check if redirect_uri is valid for code flow
                    (data) =>
                        data.response_type.includes("code")
                            ? data.redirect_uri
                            : true,
                    "redirect_uri is required for code flow",
                ),
            // Disable for Mastodon API compatibility
            /* .refine(
                    // Check if code_challenge is valid for code flow
                    (data) =>
                        data.response_type.includes("code")
                            ? data.code_challenge
                            : true,
                    "code_challenge is required for code flow",
                ), */
            handleZodError,
        ),
        validator(
            "cookie",
            z.object({
                jwt: z.string(),
            }),
            handleZodError,
        ),
        async (context) => {
            const { scope, redirect_uri, client_id, state } =
                context.req.valid("json");
            const { jwt } = context.req.valid("cookie");
            const errorSearchParams = new URLSearchParams(
                context.req.valid("json"),
            );
            const result = await jwtVerify(
                jwt,
                config.authentication.keys.public,
                {
                    algorithms: ["EdDSA"],
                    audience: client_id,
                    issuer: new URL(context.get("config").http.base_url).origin,
                },
            ).catch((error) => {
                if (error instanceof JOSEError) {
                    return null;
                }
                throw error;
            });
            if (!result) {
                return errorRedirect(
                    context,
                    errors.InvalidJWT,
                    errorSearchParams,
                );
            }
            const {
                payload: { aud, sub, exp },
            } = result;
            if (!(aud && sub && exp)) {
                return errorRedirect(
                    context,
                    errors.MissingJWTFields,
                    errorSearchParams,
                );
            }
            if (!z.uuid().safeParse(sub).success) {
                return errorRedirect(
                    context,
                    errors.InvalidSub,
                    errorSearchParams,
                );
            }
            const user = await User.fromId(sub);
            if (!user) {
                return errorRedirect(
                    context,
                    errors.UserNotFound,
                    errorSearchParams,
                );
            }
            if (!user.hasPermission(RolePermission.OAuth)) {
                return errorRedirect(
                    context,
                    errors.MissingOauthPermission,
                    errorSearchParams,
                );
            }
            const application = await Application.fromClientId(client_id);
            if (!application) {
                return errorRedirect(
                    context,
                    errors.MissingApplication,
                    errorSearchParams,
                );
            }
            if (application.data.redirectUri !== redirect_uri) {
                return errorRedirect(
                    context,
                    errors.InvalidRedirectUri,
                    errorSearchParams,
                );
            }
            // Check that scopes are a subset of the application's scopes
            if (
                scope &&
                !scope
                    .split(" ")
                    .every((s) => application.data.scopes.includes(s))
            ) {
                return errorRedirect(
                    context,
                    errors.InvalidScope,
                    errorSearchParams,
                );
            }
            const code = randomString(256, "base64url");
            let payload: JWTPayload = {};
            if (scope) {
                if (scope.split(" ").includes("openid")) {
                    payload = {
                        ...payload,
                        sub: user.id,
                        iss: new URL(context.get("config").http.base_url)
                            .origin,
                        aud: client_id,
                        exp: Math.floor(Date.now() / 1000) + 60 * 60,
                        iat: Math.floor(Date.now() / 1000),
                        nbf: Math.floor(Date.now() / 1000),
                    };
                }
                if (scope.split(" ").includes("profile")) {
                    payload = {
                        ...payload,
                        name: user.data.displayName,
                        preferred_username: user.data.username,
                        picture: user.getAvatarUrl().href,
                        updated_at: new Date(user.data.updatedAt).toISOString(),
                    };
                }
                if (scope.split(" ").includes("email")) {
                    payload = {
                        ...payload,
                        email: user.data.email,
                        // TODO: Add verification system
                        email_verified: true,
                    };
                }
            }
            const idToken = await new SignJWT(payload)
                .setProtectedHeader({ alg: "EdDSA" })
                .sign(config.authentication.keys.private);
            await Token.insert({
                id: randomUUIDv7(),
                accessToken: randomString(64, "base64url"),
                code,
                scope: scope ?? application.data.scopes,
                tokenType: "Bearer",
                applicationId: application.id,
                redirectUri: redirect_uri ?? application.data.redirectUri,
                expiresAt: new Date(
                    Date.now() + 60 * 60 * 24 * 14,
                ).toISOString(),
                idToken: ["profile", "email", "openid"].some((s) =>
                    scope?.split(" ").includes(s),
                )
                    ? idToken
                    : null,
                clientId: client_id,
                userId: user.id,
            });
            const redirectUri =
                redirect_uri === "urn:ietf:wg:oauth:2.0:oob"
                    ? new URL(
                          "/oauth/code",
                          context.get("config").http.base_url,
                      )
                    : new URL(redirect_uri ?? application.data.redirectUri);
            redirectUri.searchParams.append("code", code);
            state && redirectUri.searchParams.append("state", state);
            return context.redirect(redirectUri.toString());
        },
    ),
 );
--- a/packages/api/routes/api/oauth/revoke.test.ts
+++ b/packages/api/routes/api/oauth/revoke.test.ts
@ -7,25 +7,20 @@ const { deleteUsers, users } = await getTestUsers(1);
 const application = await Application.insert({
    id: randomUUIDv7(),
-    clientId: "test-client-id",
+    redirectUris: ["https://example.com/callback"],
-    redirectUri: "https://example.com/callback",
+    scopes: ["openid", "profile", "email"],
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
 const token = await Token.insert({
    id: randomUUIDv7(),
-    code: "test-code",
+    clientId: application.id,
    redirectUri: application.data.redirectUri,
    clientId: application.data.clientId,
    accessToken: "test-access-token",
    expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
    createdAt: new Date().toISOString(),
-    tokenType: "Bearer",
+    scopes: application.data.scopes,
    scope: application.data.scopes,
    userId: users[0].id,
    applicationId: application.id,
 });
 afterAll(async () => {
@ -42,7 +37,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
                token: "test-access-token",
            }),
@ -60,7 +55,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -80,7 +75,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: "invalid-secret",
                token: "test-access-token",
            }),
@ -101,7 +96,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
                token: "invalid-token",
            }),
--- a/packages/api/routes/api/oauth/revoke.ts
+++ b/packages/api/routes/api/oauth/revoke.ts
@ -68,7 +68,7 @@ export default apiRoute((app) => {
            }
            // Check if the client secret is correct
-            if (foundToken.data.application?.secret !== client_secret) {
+            if (foundToken.data.client?.secret !== client_secret) {
                return context.json(
                    {
                        error: "unauthorized_client",
--- a/packages/api/routes/api/oauth/sso.ts
+++ b/packages/api/routes/api/oauth/sso.ts
@ -1,130 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { Application, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import {
    calculatePKCECodeChallenge,
    discoveryRequest,
    generateRandomCodeVerifier,
    processDiscoveryResponse,
 } from "oauth4webapi";
 import { z } from "zod/v4";
 import { oauthRedirectUri } from "../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
        "/oauth/sso",
        describeRoute({
            summary: "Initiate SSO login flow",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirect to SSO login, or redirect to login page with error",
                },
            },
        }),
        validator(
            "query",
            z.object({
                issuer: z.string(),
                client_id: z.string().optional(),
                redirect_uri: z.url().optional(),
                scope: z.string().optional(),
                response_type: z.enum(["code"]).optional(),
            }),
            handleZodError,
        ),
        async (context) => {
            // This is the Versia client's client_id, not the external OAuth provider's client_id
            const { issuer: issuerId, client_id } = context.req.valid("query");
            const errorSearchParams = new URLSearchParams(
                context.req.valid("query"),
            );
            if (!client_id || client_id === "undefined") {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "client_id is required",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            const issuer = config.authentication.openid_providers.find(
                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "issuer is invalid",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            const issuerUrl = new URL(issuer.url);
            const authServer = await discoveryRequest(issuerUrl, {
                algorithm: "oidc",
            }).then((res) => processDiscoveryResponse(issuerUrl, res));
            const codeVerifier = generateRandomCodeVerifier();
            const application = await Application.fromClientId(client_id);
            if (!application) {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "client_id is invalid",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            // Store into database
            const newFlow = (
                await db
                    .insert(OpenIdLoginFlows)
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        applicationId: application.id,
                        issuerId,
                    })
                    .returning()
            )[0];
            const codeChallenge =
                await calculatePKCECodeChallenge(codeVerifier);
            return context.redirect(
                `${authServer.authorization_endpoint}?${new URLSearchParams({
                    client_id: issuer.client_id,
                    redirect_uri: `${oauthRedirectUri(
                        context.get("config").http.base_url,
                        issuerId,
                    )}?flow=${newFlow.id}`,
                    response_type: "code",
                    scope: "openid profile email",
                    // PKCE
                    code_challenge_method: "S256",
                    code_challenge: codeChallenge,
                }).toString()}`,
            );
        },
    );
 });
--- a/packages/api/routes/api/oauth/sso/[issuer]/callback.ts
+++ b/packages/api/routes/api/oauth/sso/[issuer]/callback.ts
@ -6,17 +6,21 @@ import {
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
-import { db, Media, Token, User } from "@versia-server/kit/db";
+import { db, Media, User } from "@versia-server/kit/db";
 import { searchManager } from "@versia-server/kit/search";
-import { OpenIdAccounts, Users } from "@versia-server/kit/tables";
+import {
    AuthorizationCodes,
    OpenIdAccounts,
    Users,
 } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { and, eq, isNull, type SQL } from "drizzle-orm";
 import { setCookie } from "hono/cookie";
 import { sign } from "hono/jwt";
 import { describeRoute, validator } from "hono-openapi";
-import { SignJWT } from "jose";
+import * as client from "openid-client";
 import { z } from "zod/v4";
 import { randomString } from "@/math.ts";
 import { automaticOidcFlow } from "../../../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
@ -31,6 +35,7 @@ export default apiRoute((app) => {
                    description:
                        "Redirect to frontend's consent route, or redirect to login page with error",
                },
                422: ApiError.validationFailed().schema,
            },
        }),
        validator(
@ -43,103 +48,94 @@ export default apiRoute((app) => {
        validator(
            "query",
            z.object({
                client_id: z.string().optional(),
                flow: z.string(),
-                link: zBoolean.optional(),
+                link: zBoolean.default(false),
                user_id: z.uuid().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
-            const currentUrl = new URL(context.req.url);
+            const { issuer: issuerId } = context.req.valid("param");
            const redirectUrl = new URL(context.req.url);
            // Correct some reverse proxies incorrectly setting the protocol as http, even if the original request was https
            // Looking at you, Traefik
            if (
                new URL(context.get("config").http.base_url).protocol ===
                    "https:" &&
                currentUrl.protocol === "http:"
            ) {
                currentUrl.protocol = "https:";
                redirectUrl.protocol = "https:";
            }
            // Remove state query parameter from URL
            currentUrl.searchParams.delete("state");
            redirectUrl.searchParams.delete("state");
            // Remove issuer query parameter from URL (can cause redirect URI mismatches)
            redirectUrl.searchParams.delete("iss");
            redirectUrl.searchParams.delete("code");
            const { issuer: issuerParam } = context.req.valid("param");
            const { flow: flowId, user_id, link } = context.req.valid("query");
            const issuer = config.authentication.openid_providers.find(
-                (provider) => provider.id === issuerParam,
+                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
-                throw new ApiError(404, "Issuer not found");
+                throw new ApiError(422, "Unknown or invalid issuer");
            }
-            const userInfo = await automaticOidcFlow(
+            const flow = await db.query.OpenIdLoginFlows.findFirst({
-                issuer,
+                where: (flow): SQL | undefined => eq(flow.id, flowId),
-                flowId,
+                with: {
-                currentUrl,
+                    application: true,
-                redirectUrl,
+                },
-                (error, message, flow) => {
+            });
-                    const errorSearchParams = new URLSearchParams(
+
-                        Object.entries({
+            const redirectWithMessage = (
-                            redirect_uri: flow?.application?.redirectUri,
+                parameters: Record<string, string | undefined>,
-                            client_id: flow?.application?.clientId,
+                route = config.frontend.routes.login,
-                            response_type: "code",
+            ) => {
-                            scope: flow?.application?.scopes,
+                const searchParams = new URLSearchParams(
-                        }).filter(([_, value]) => value !== undefined) as [
+                    Object.entries(parameters).filter(
-                            string,
+                        ([_, value]) => value !== undefined,
-                            string,
+                    ) as [string, string][],
                        ][],
                );
-                    errorSearchParams.append("error", error);
+                return context.redirect(`${route}?${searchParams.toString()}`);
-                    errorSearchParams.append("error_description", message);
+            };
-                    return context.redirect(
+            if (!flow) {
-                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
+                return redirectWithMessage({
                    error: "invalid_request",
                    error_description: "Invalid flow",
                });
            }
            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const tokens = await client.authorizationCodeGrant(
                oidcConfig,
                context.req.raw,
                {
                    pkceCodeVerifier: flow.codeVerifier,
                    expectedState: flow.state ?? undefined,
                    idTokenExpected: true,
                },
            );
-            if (userInfo instanceof Response) {
+            const claims = tokens.claims();
-                return userInfo;
+
            if (!claims) {
                return redirectWithMessage({
                    error: "invalid_request",
                    error_description: "Missing or invalid ID token",
                });
            }
-            const { sub, email, preferred_username, picture } =
+            const userInfo = await client.fetchUserInfo(
-                userInfo.userInfo;
+                oidcConfig,
-            const flow = userInfo.flow;
+                tokens.access_token,
-
+                claims.sub,
            const errorSearchParams = new URLSearchParams(
                Object.entries({
                    redirect_uri: flow.application?.redirectUri,
                    client_id: flow.application?.clientId,
                    response_type: "code",
                    scope: flow.application?.scopes,
                }).filter(([_, value]) => value !== undefined) as [
                    string,
                    string,
                ][],
            );
            const { sub, email, preferred_username, picture } = userInfo;
            // If linking account
            if (link && user_id) {
                // Check if userId is equal to application.clientId
-                if (!flow.application?.clientId.startsWith(user_id)) {
+                if (!flow.application?.id.startsWith(user_id)) {
-                    return context.redirect(
+                    return redirectWithMessage(
-                        `${context.get("config").http.base_url}${
+                        {
                            context.get("config").frontend.routes.home
                        }?${new URLSearchParams({
                            oidc_account_linking_error: "Account linking error",
-                            oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.clientId})`,
+                            oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.id})`,
-                        })}`,
+                        },
                        config.frontend.routes.home,
                    );
                }
@ -153,15 +149,14 @@ export default apiRoute((app) => {
                });
                if (account) {
-                    return context.redirect(
+                    return redirectWithMessage(
-                        `${context.get("config").http.base_url}${
+                        {
                            context.get("config").frontend.routes.home
                        }?${new URLSearchParams({
                            oidc_account_linking_error:
                                "Account already linked",
                            oidc_account_linking_error_message:
                                "This account has already been linked to this OpenID Connect provider.",
-                        })}`,
+                        },
                        config.frontend.routes.home,
                    );
                }
@ -244,42 +239,27 @@ export default apiRoute((app) => {
                    userId = user.id;
                } else {
-                    errorSearchParams.append("error", "invalid_request");
+                    return redirectWithMessage({
-                    errorSearchParams.append(
+                        error: "invalid_request",
-                        "error_description",
+                        error_description: "No user found with that account",
-                        "No user found with that account",
+                    });
                    );
                    return context.redirect(
                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                    );
                }
            }
            const user = await User.fromId(userId);
            if (!user) {
-                errorSearchParams.append("error", "invalid_request");
+                return redirectWithMessage({
-                errorSearchParams.append(
+                    error: "invalid_request",
-                    "error_description",
+                    error_description: "No user found with that account",
-                    "No user found with that account",
+                });
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            if (!user.hasPermission(RolePermission.OAuth)) {
-                errorSearchParams.append("error", "invalid_request");
+                return redirectWithMessage({
-                errorSearchParams.append(
+                    error: "invalid_request",
-                    "error_description",
+                    error_description: `User does not have the '${RolePermission.OAuth}' permission`,
-                    `User does not have the '${RolePermission.OAuth}' permission`,
+                });
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            if (!flow.application) {
@ -288,27 +268,26 @@ export default apiRoute((app) => {
            const code = randomString(32, "hex");
-            await Token.insert({
+            await db.insert(AuthorizationCodes).values({
-                id: randomUUIDv7(),
+                clientId: flow.application.id,
                accessToken: randomString(64, "base64url"),
                code,
-                scope: flow.application.scopes,
+                expiresAt: new Date(Date.now() + 60 * 1000).toISOString(), // 1 minute
-                tokenType: "Bearer",
+                redirectUri: flow.clientRedirectUri ?? undefined,
                userId: user.id,
-                applicationId: flow.application.id,
+                scopes: flow.clientScopes ?? [],
            });
-            // Generate JWT
+            const jwt = await sign(
-            const jwt = await new SignJWT({
+                {
                    sub: user.id,
                    iss: new URL(context.get("config").http.base_url).origin,
-                aud: flow.application.clientId,
+                    aud: flow.application.id,
                    exp: Math.floor(Date.now() / 1000) + 60 * 60,
                    iat: Math.floor(Date.now() / 1000),
                    nbf: Math.floor(Date.now() / 1000),
-            })
+                },
-                .setProtectedHeader({ alg: "EdDSA" })
+                config.authentication.keys.private,
-                .sign(config.authentication.keys.private);
+            );
            // Redirect back to application
            setCookie(context, "jwt", jwt, {
@ -320,21 +299,17 @@ export default apiRoute((app) => {
                maxAge: 60 * 60 * 24 * 14,
            });
-            return context.redirect(
+            return redirectWithMessage(
                new URL(
                    `${context.get("config").frontend.routes.consent}?${new URLSearchParams(
                {
-                            redirect_uri: flow.application.redirectUri,
+                    redirect_uri: flow.clientRedirectUri ?? undefined,
                    code,
-                            client_id: flow.application.clientId,
+                    client_id: flow.application.id,
                    application: flow.application.name,
                    website: flow.application.website ?? "",
-                            scope: flow.application.scopes,
+                    scope: flow.clientScopes?.join(" "),
-                            response_type: "code",
+                    state: flow.clientState ?? undefined,
                },
-                    ).toString()}`,
+                config.frontend.routes.consent,
                    context.get("config").http.base_url,
                ).toString(),
            );
        },
    );
--- a/packages/api/routes/api/oauth/sso/[issuer]/index.ts
+++ b/packages/api/routes/api/oauth/sso/[issuer]/index.ts
@ -0,0 +1,122 @@
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { Application, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import * as client from "openid-client";
 import { z } from "zod/v4";
 import { oauthRedirectUri } from "@/lib";
 export default apiRoute((app) => {
    app.post(
        "/oauth/sso/:issuer",
        describeRoute({
            summary: "Initiate SSO login flow",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirect to SSO provider's authorization endpoint",
                },
                422: ApiError.validationFailed().schema,
            },
        }),
        validator(
            "param",
            z.object({
                issuer: z.string(),
            }),
            handleZodError,
        ),
        validator(
            "json",
            z.object({
                client_id: z.string(),
                redirect_uri: z.url(),
                scopes: z.string().array().default(["read"]),
                state: z.string().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
            // This is the Versia client's client_id, not the external OAuth provider's client_id
            const { client_id, redirect_uri, scopes, state } =
                context.req.valid("json");
            const { issuer: issuerId } = context.req.valid("param");
            const issuer = config.authentication.openid_providers.find(
                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
                throw new ApiError(422, "Unknown or invalid issuer");
            }
            const application = await Application.fromClientId(client_id);
            if (!application) {
                throw new ApiError(422, "Unknown or invalid client_id");
            }
            if (!application.data.redirectUris.includes(redirect_uri)) {
                throw new ApiError(
                    422,
                    "redirect_uri is not a subset of application's redirect_uris",
                );
            }
            // TODO: Validate oauth scopes
            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const codeVerifier = client.randomPKCECodeVerifier();
            const codeChallenge =
                await client.calculatePKCECodeChallenge(codeVerifier);
            const parameters: Record<string, string> = {
                scope: "openid profile email",
                code_challenge: codeChallenge,
                code_challenge_method: "S256",
            };
            if (!oidcConfig.serverMetadata().supportsPKCE()) {
                parameters.state = client.randomState();
            }
            // Store into database
            const newFlow = (
                await db
                    .insert(OpenIdLoginFlows)
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        state: parameters.state,
                        clientState: state,
                        clientRedirectUri: redirect_uri,
                        clientScopes: scopes,
                        applicationId: application.id,
                        issuerId,
                    })
                    .returning()
            )[0];
            parameters.redirect_uri = `${oauthRedirectUri(
                context.get("config").http.base_url,
                issuerId,
            )}?${new URLSearchParams({
                flow: newFlow.id,
            })}`;
            const redirectTo = client.buildAuthorizationUrl(
                oidcConfig,
                parameters,
            );
            return context.redirect(redirectTo);
        },
    );
 });
--- a/packages/api/routes/api/oauth/token.test.ts
+++ b/packages/api/routes/api/oauth/token.test.ts
@ -7,23 +7,18 @@ const { deleteUsers, users } = await getTestUsers(1);
 const application = await Application.insert({
    id: randomUUIDv7(),
-    clientId: "test-client-id",
+    redirectUris: ["https://example.com/callback"],
-    redirectUri: "https://example.com/callback",
+    scopes: ["openid", "profile", "email"],
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
 const token = await Token.insert({
    id: randomUUIDv7(),
-    code: "test-code",
+    clientId: application.data.id,
    redirectUri: application.data.redirectUri,
    clientId: application.data.clientId,
    accessToken: "test-access-token",
    expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
    createdAt: new Date().toISOString(),
    tokenType: "Bearer",
    scope: application.data.scopes,
    userId: users[0].id,
 });
@ -43,8 +38,8 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "test-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -64,8 +59,8 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -85,7 +80,7 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "test-code",
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -105,7 +100,7 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "test-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
                client_secret: application.data.secret,
            }),
        });
@ -125,8 +120,8 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "test-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: "invalid-secret",
            }),
        });
@ -146,8 +141,8 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "invalid-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -167,8 +162,8 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "refresh_token",
                code: "test-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
--- a/packages/api/routes/api/oauth/token.ts
+++ b/packages/api/routes/api/oauth/token.ts
@ -1,43 +1,35 @@
 import { Token as TokenSchema } from "@versia/client/schemas";
 import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
-import { Application, Token } from "@versia-server/kit/db";
+import { Application, db, Token } from "@versia-server/kit/db";
-import { Tokens } from "@versia-server/kit/tables";
+import { AuthorizationCodes } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { and, eq } from "drizzle-orm";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
 export default apiRoute((app) => {
    app.post(
        "/oauth/token",
        describeRoute({
-            summary: "Get token",
+            summary: "Obtain a token",
            description:
                "Obtain an access token, to be used during API calls that are not public.",
            externalDocs: {
                url: "https://docs.joinmastodon.org/methods/oauth/#token",
            },
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "Token",
                    content: {
                        "application/json": {
-                            schema: resolver(
+                            schema: resolver(TokenSchema),
                                z.object({
                                    access_token: z.string(),
                                    token_type: z.string(),
                                    expires_in: z
                                        .number()
                                        .optional()
                                        .nullable(),
                                    id_token: z.string().optional().nullable(),
                                    refresh_token: z
                                        .string()
                                        .optional()
                                        .nullable(),
                                    scope: z.string().optional(),
                                    created_at: z.number(),
                                }),
                            ),
                        },
                    },
                },
                401: {
-                    description: "Authorization error",
+                    description: "Invalid grant",
                    content: {
                        "application/json": {
                            schema: resolver(
@ -55,73 +47,25 @@ export default apiRoute((app) => {
        validator(
            "json",
            z.object({
-                code: z.string().optional(),
+                code: z.string(),
-                code_verifier: z.string().optional(),
+                grant_type: z.enum([
                grant_type: z
                    .enum([
                    "authorization_code",
                    "refresh_token",
                    "client_credentials",
-                        "password",
+                ]),
-                        "urn:ietf:params:oauth:grant-type:device_code",
+                code_verifier: z.string().optional(),
-                        "urn:ietf:params:oauth:grant-type:token-exchange",
+                client_id: z.string(),
-                        "urn:ietf:params:oauth:grant-type:saml2-bearer",
+                client_secret: z.string(),
-                        "urn:openid:params:grant-type:ciba",
+                redirect_uri: z.url(),
                    ])
                    .default("authorization_code"),
                client_id: z.string().optional(),
                client_secret: z.string().optional(),
                username: z.string().trim().optional(),
                password: z.string().trim().optional(),
                redirect_uri: z.url().optional(),
                refresh_token: z.string().optional(),
-                scope: z.string().optional(),
+                scope: z.string().default("read"),
                assertion: z.string().optional(),
                audience: z.string().optional(),
                subject_token_type: z.string().optional(),
                subject_token: z.string().optional(),
                actor_token_type: z.string().optional(),
                actor_token: z.string().optional(),
                auth_req_id: z.string().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
-            const { grant_type, code, redirect_uri, client_id, client_secret } =
+            const { code, client_id, client_secret, redirect_uri } =
                context.req.valid("json");
            switch (grant_type) {
                case "authorization_code": {
                    if (!code) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Code is required",
                            },
                            401,
                        );
                    }
                    if (!redirect_uri) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Redirect URI is required",
                            },
                            401,
                        );
                    }
                    if (!client_id) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Client ID is required",
                            },
                            401,
                        );
                    }
            // Verify the client_secret
            const client = await Application.fromClientId(client_id);
@ -135,56 +79,56 @@ export default apiRoute((app) => {
                );
            }
-                    const token = await Token.fromSql(
+            const authorizationCode =
                await db.query.AuthorizationCodes.findFirst({
                    where: (codeTable) =>
                        and(
-                            eq(Tokens.code, code),
+                            eq(codeTable.code, code),
-                            eq(Tokens.redirectUri, decodeURI(redirect_uri)),
+                            eq(codeTable.redirectUri, redirect_uri),
-                            eq(Tokens.clientId, client_id),
+                            eq(codeTable.clientId, client.id),
                        ),
-                    );
+                });
-                    if (!token) {
+            if (
                !authorizationCode ||
                new Date(authorizationCode.expiresAt).getTime() < Date.now()
            ) {
                return context.json(
                    {
                        error: "invalid_grant",
-                                error_description: "Code not found",
+                        error_description:
                            "Authorization code not found or expired",
                    },
-                            401,
+                    404,
                );
            }
            const token = await Token.insert({
                accessToken: randomString(64, "base64url"),
                clientId: client.id,
                id: randomUUIDv7(),
                userId: authorizationCode.userId,
            });
            // Invalidate the code
-                    await token.update({ code: null });
+            await db
                .delete(AuthorizationCodes)
                .where(eq(AuthorizationCodes.code, authorizationCode.code));
            return context.json(
                {
                    ...token.toApi(),
                    expires_in: token.data.expiresAt
                        ? Math.floor(
-                                      (new Date(
+                              (new Date(token.data.expiresAt).getTime() -
                                          token.data.expiresAt,
                                      ).getTime() -
                                  Date.now()) /
                                  1000,
                          )
                        : null,
                            id_token: token.data.idToken,
                    refresh_token: null,
                },
                200,
            );
                }
                default:
            }
            return context.json(
                {
                    error: "unsupported_grant_type",
                    error_description: "Unsupported grant type",
                },
                401,
            );
        },
    );
 });
--- a/packages/api/routes/api/v1/apps/index.ts
+++ b/packages/api/routes/api/v1/apps/index.ts
@ -5,7 +5,6 @@ import {
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
 import { Application } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
@ -64,14 +63,13 @@ export default apiRoute((app) =>
                context.req.valid("json");
            const app = await Application.insert({
-                id: randomUUIDv7(),
+                id: randomString(32, "base64url"),
                name: client_name,
-                redirectUri: Array.isArray(redirect_uris)
+                redirectUris: Array.isArray(redirect_uris)
-                    ? redirect_uris.join("\n")
+                    ? redirect_uris
-                    : redirect_uris,
+                    : [redirect_uris],
-                scopes,
+                scopes: scopes.split(" "),
                website: website || undefined,
                clientId: randomString(32, "base64url"),
                secret: randomString(64, "base64url"),
            });
--- a/packages/api/routes/api/v1/sso/index.ts
+++ b/packages/api/routes/api/v1/sso/index.ts
@ -6,15 +6,9 @@ import { Application, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, resolver, validator } from "hono-openapi";
-import {
+import * as client from "openid-client";
    calculatePKCECodeChallenge,
    generateRandomCodeVerifier,
 } from "oauth4webapi";
 import { z } from "zod/v4";
-import {
+import { oauthRedirectUri } from "@/lib";
    oauthDiscoveryRequest,
    oauthRedirectUri,
 } from "../../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
@ -105,9 +99,24 @@ export default apiRoute((app) => {
                );
            }
-            const authServer = await oauthDiscoveryRequest(new URL(issuer.url));
+            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const codeVerifier = client.randomPKCECodeVerifier();
            const codeChallenge =
                await client.calculatePKCECodeChallenge(codeVerifier);
-            const codeVerifier = generateRandomCodeVerifier();
+            const parameters: Record<string, string> = {
                scope: "openid profile email",
                code_challenge: codeChallenge,
                code_challenge_method: "S256",
            };
            if (!oidcConfig.serverMetadata().supportsPKCE()) {
                parameters.state = client.randomState();
            }
            const redirectUri = oauthRedirectUri(
                context.get("config").http.base_url,
@ -115,15 +124,14 @@ export default apiRoute((app) => {
            );
            const application = await Application.insert({
-                id: randomUUIDv7(),
+                id:
                clientId:
                    user.id +
                    Buffer.from(
                        crypto.getRandomValues(new Uint8Array(32)),
                    ).toString("base64"),
                name: "Versia",
-                redirectUri: redirectUri.toString(),
+                redirectUris: [redirectUri.href],
-                scopes: "openid profile email",
+                scopes: ["openid", "profile", "email"],
                secret: "",
            });
@ -134,30 +142,28 @@ export default apiRoute((app) => {
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        state: parameters.state,
                        issuerId,
                        applicationId: application.id,
                    })
                    .returning()
            )[0];
-            const codeChallenge =
+            parameters.redirect_uri = `${oauthRedirectUri(
-                await calculatePKCECodeChallenge(codeVerifier);
+                config.http.base_url,
-
+                issuerId,
-            return context.redirect(
+            )}?${new URLSearchParams({
                `${authServer.authorization_endpoint}?${new URLSearchParams({
                    client_id: issuer.client_id,
                    redirect_uri: `${redirectUri}?${new URLSearchParams({
                flow: newFlow.id,
                link: "true",
                user_id: user.id,
-                    })}`,
+            })}`;
-                    response_type: "code",
+
-                    scope: "openid profile email",
+            const redirectTo = client.buildAuthorizationUrl(
-                    // PKCE
+                oidcConfig,
-                    code_challenge_method: "S256",
+                parameters,
                    code_challenge: codeChallenge,
                }).toString()}`,
            );
            return context.redirect(redirectTo);
        },
    );
 });
--- a/packages/api/routes/well-known/jwks.test.ts
+++ b/packages/api/routes/well-known/jwks.test.ts
@ -1,35 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 const application = await Application.insert({
    id: randomUUIDv7(),
    clientId: "test-client-id",
    redirectUri: "https://example.com/callback",
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
 afterAll(async () => {
    await application.delete();
 });
 describe("/.well-known/jwks", () => {
    test("should return JWK set with valid inputs", async () => {
        const response = await fakeRequest("/.well-known/jwks", {
            method: "GET",
        });
        expect(response.status).toBe(200);
        const body = await response.json();
        expect(body.keys).toHaveLength(1);
        expect(body.keys[0].kty).toBe("OKP");
        expect(body.keys[0].use).toBe("sig");
        expect(body.keys[0].alg).toBe("EdDSA");
        expect(body.keys[0].kid).toBe("1");
        expect(body.keys[0].crv).toBe("Ed25519");
        expect(body.keys[0].x).toBeString();
    });
 });
--- a/packages/api/routes/well-known/jwks.ts
+++ b/packages/api/routes/well-known/jwks.ts
@ -1,62 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, auth } from "@versia-server/kit/api";
 import { describeRoute, resolver } from "hono-openapi";
 import { exportJWK } from "jose";
 import { z } from "zod/v4";
 export default apiRoute((app) => {
    app.get(
        "/.well-known/jwks",
        describeRoute({
            summary: "JWK Set",
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "JWK Set",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    keys: z.array(
                                        z.object({
                                            kty: z.string().optional(),
                                            use: z.string(),
                                            alg: z.string(),
                                            kid: z.string(),
                                            crv: z.string().optional(),
                                            x: z.string().optional(),
                                            y: z.string().optional(),
                                        }),
                                    ),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        auth({
            auth: false,
        }),
        async (context) => {
            const jwk = await exportJWK(config.authentication.keys.private);
            // Remove the private key 💀
            jwk.d = undefined;
            return context.json(
                {
                    keys: [
                        {
                            ...jwk,
                            use: "sig",
                            alg: "EdDSA",
                            kid: "1",
                        },
                    ],
                },
                200,
            );
        },
    );
 });
--- a/packages/api/routes/well-known/openid-configuration/index.ts
+++ b/packages/api/routes/well-known/openid-configuration/index.ts
@ -1,65 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute } from "@versia-server/kit/api";
 import { describeRoute, resolver } from "hono-openapi";
 import { z } from "zod/v4";
 export default apiRoute((app) =>
    app.get(
        "/.well-known/openid-configuration",
        describeRoute({
            summary: "OpenID Configuration",
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "OpenID Configuration",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    issuer: z.string(),
                                    authorization_endpoint: z.string(),
                                    token_endpoint: z.string(),
                                    userinfo_endpoint: z.string(),
                                    jwks_uri: z.string(),
                                    response_types_supported: z.array(
                                        z.string(),
                                    ),
                                    subject_types_supported: z.array(
                                        z.string(),
                                    ),
                                    id_token_signing_alg_values_supported:
                                        z.array(z.string()),
                                    scopes_supported: z.array(z.string()),
                                    token_endpoint_auth_methods_supported:
                                        z.array(z.string()),
                                    claims_supported: z.array(z.string()),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        (context) => {
            const baseUrl = config.http.base_url;
            return context.json(
                {
                    issuer: baseUrl.origin.toString(),
                    authorization_endpoint: `${baseUrl.origin}/oauth/authorize`,
                    token_endpoint: `${baseUrl.origin}/oauth/token`,
                    userinfo_endpoint: `${baseUrl.origin}/api/v1/accounts/verify_credentials`,
                    jwks_uri: `${baseUrl.origin}/.well-known/jwks`,
                    response_types_supported: ["code"],
                    subject_types_supported: ["public"],
                    id_token_signing_alg_values_supported: ["EdDSA"],
                    scopes_supported: ["openid", "profile", "email"],
                    token_endpoint_auth_methods_supported: [
                        "client_secret_basic",
                    ],
                    claims_supported: ["sub"],
                },
                200,
            );
        },
    ),
 );
--- a/packages/config/index.ts
+++ b/packages/config/index.ts
@ -799,7 +799,7 @@ export const ConfigSchema = z
                    z.strictObject({
                        name: z.string().min(1),
                        id: z.string().min(1),
-                        url: z.string().min(1),
+                        url,
                        client_id: z.string().min(1),
                        client_secret: sensitiveString,
                        icon: url.optional(),
--- a/packages/kit/api.ts
+++ b/packages/kit/api.ts
@ -169,8 +169,8 @@ export const auth = <AuthRequired extends boolean>(options: {
        const auth: AuthData = {
            token,
-            application: token?.data.application
+            application: token?.data.client
-                ? new Application(token?.data.application)
+                ? new Application(token?.data.client)
                : null,
            user: (await token?.getUser()) ?? null,
        };
--- a/packages/kit/db/application.ts
+++ b/packages/kit/db/application.ts
@ -12,13 +12,13 @@ import {
 } from "drizzle-orm";
 import type { z } from "zod/v4";
 import { db } from "../tables/db.ts";
-import { Applications } from "../tables/schema.ts";
+import { Clients } from "../tables/schema.ts";
 import { BaseInterface } from "./base.ts";
 import { Token } from "./token.ts";
-type ApplicationType = InferSelectModel<typeof Applications>;
+type ApplicationType = InferSelectModel<typeof Clients>;
-export class Application extends BaseInterface<typeof Applications> {
+export class Application extends BaseInterface<typeof Clients> {
    public static $type: ApplicationType;
    public async reload(): Promise<void> {
@ -36,18 +36,18 @@ export class Application extends BaseInterface<typeof Applications> {
            return null;
        }
-        return await Application.fromSql(eq(Applications.id, id));
+        return await Application.fromSql(eq(Clients.id, id));
    }
    public static async fromIds(ids: string[]): Promise<Application[]> {
-        return await Application.manyFromSql(inArray(Applications.id, ids));
+        return await Application.manyFromSql(inArray(Clients.id, ids));
    }
    public static async fromSql(
        sql: SQL<unknown> | undefined,
-        orderBy: SQL<unknown> | undefined = desc(Applications.id),
+        orderBy: SQL<unknown> | undefined = desc(Clients.id),
    ): Promise<Application | null> {
-        const found = await db.query.Applications.findFirst({
+        const found = await db.query.Clients.findFirst({
            where: sql,
            orderBy,
        });
@ -60,12 +60,12 @@ export class Application extends BaseInterface<typeof Applications> {
    public static async manyFromSql(
        sql: SQL<unknown> | undefined,
-        orderBy: SQL<unknown> | undefined = desc(Applications.id),
+        orderBy: SQL<unknown> | undefined = desc(Clients.id),
        limit?: number,
        offset?: number,
-        extra?: Parameters<typeof db.query.Applications.findMany>[0],
+        extra?: Parameters<typeof db.query.Clients.findMany>[0],
    ): Promise<Application[]> {
-        const found = await db.query.Applications.findMany({
+        const found = await db.query.Clients.findMany({
            where: sql,
            orderBy,
            limit,
@ -81,22 +81,20 @@ export class Application extends BaseInterface<typeof Applications> {
    ): Promise<Application | null> {
        const result = await Token.fromAccessToken(token);
-        return result?.data.application
+        return result?.data.client ? new Application(result.data.client) : null;
            ? new Application(result.data.application)
            : null;
    }
    public static fromClientId(clientId: string): Promise<Application | null> {
-        return Application.fromSql(eq(Applications.clientId, clientId));
+        return Application.fromSql(eq(Clients.id, clientId));
    }
    public async update(
        newApplication: Partial<ApplicationType>,
    ): Promise<ApplicationType> {
        await db
-            .update(Applications)
+            .update(Clients)
            .set(newApplication)
-            .where(eq(Applications.id, this.id));
+            .where(eq(Clients.id, this.id));
        const updated = await Application.fromId(this.data.id);
@ -114,18 +112,16 @@ export class Application extends BaseInterface<typeof Applications> {
    public async delete(ids?: string[]): Promise<void> {
        if (Array.isArray(ids)) {
-            await db.delete(Applications).where(inArray(Applications.id, ids));
+            await db.delete(Clients).where(inArray(Clients.id, ids));
        } else {
-            await db.delete(Applications).where(eq(Applications.id, this.id));
+            await db.delete(Clients).where(eq(Clients.id, this.id));
        }
    }
    public static async insert(
-        data: InferInsertModel<typeof Applications>,
+        data: InferInsertModel<typeof Clients>,
    ): Promise<Application> {
-        const inserted = (
+        const inserted = (await db.insert(Clients).values(data).returning())[0];
            await db.insert(Applications).values(data).returning()
        )[0];
        const application = await Application.fromId(inserted.id);
@ -144,9 +140,9 @@ export class Application extends BaseInterface<typeof Applications> {
        return {
            name: this.data.name,
            website: this.data.website,
-            scopes: this.data.scopes.split(" "),
+            scopes: this.data.scopes,
-            redirect_uri: this.data.redirectUri,
+            redirect_uri: this.data.redirectUris.join(" "),
-            redirect_uris: this.data.redirectUri.split("\n"),
+            redirect_uris: this.data.redirectUris,
        };
    }
@ -154,12 +150,12 @@ export class Application extends BaseInterface<typeof Applications> {
        return {
            name: this.data.name,
            website: this.data.website,
-            client_id: this.data.clientId,
+            client_id: this.data.id,
            client_secret: this.data.secret,
            client_secret_expires_at: "0",
-            scopes: this.data.scopes.split(" "),
+            scopes: this.data.scopes,
-            redirect_uri: this.data.redirectUri,
+            redirect_uri: this.data.redirectUris.join(" "),
-            redirect_uris: this.data.redirectUri.split("\n"),
+            redirect_uris: this.data.redirectUris,
        };
    }
 }
--- a/packages/kit/db/index.ts
+++ b/packages/kit/db/index.ts
@ -12,4 +12,4 @@ export { Relationship } from "./relationship.ts";
 export { Role } from "./role.ts";
 export { Timeline } from "./timeline.ts";
 export { Token } from "./token.ts";
-export { User } from "./user.ts";
+export { transformOutputToUserWithRelations, User } from "./user.ts";
--- a/packages/kit/db/token.ts
+++ b/packages/kit/db/token.ts
@ -15,7 +15,7 @@ import { BaseInterface } from "./base.ts";
 import { User } from "./user.ts";
 type TokenType = InferSelectModel<typeof Tokens> & {
-    application: typeof Application.$type | null;
+    client: typeof Application.$type;
 };
 export class Token extends BaseInterface<typeof Tokens, TokenType> {
@ -51,7 +51,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
            where: sql,
            orderBy,
            with: {
-                application: true,
+                client: true,
            },
        });
@ -74,7 +74,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
            limit,
            offset,
            with: {
-                application: true,
+                client: true,
                ...extra?.with,
            },
        });
@ -159,7 +159,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
        return {
            access_token: this.data.accessToken,
            token_type: "Bearer",
-            scope: this.data.scope,
+            scope: this.data.scopes.join(" "),
            created_at: Math.floor(
                new Date(this.data.createdAt).getTime() / 1000,
            ),
--- a/packages/kit/db/user.ts
+++ b/packages/kit/db/user.ts
@ -77,6 +77,7 @@ export const userRelations = {
    },
 } as const;
 // TODO: Remove this function and use what drizzle outputs directly instead of transforming it
 export const transformOutputToUserWithRelations = (
    user: Omit<InferSelectModel<typeof Users>, "endpoints"> & {
        followerCount: unknown;
@ -525,15 +526,15 @@ export class User extends BaseInterface<typeof Users, UserWithRelations> {
        providers: {
            id: string;
            name: string;
-            url: string;
+            url: ProxiableUrl;
            icon?: ProxiableUrl;
        }[],
    ): Promise<
        {
            id: string;
            name: string;
-            url: string;
+            url: ProxiableUrl;
-            icon?: string | undefined;
+            icon?: ProxiableUrl;
            server_id: string;
        }[]
    > {
@ -556,7 +557,7 @@ export class User extends BaseInterface<typeof Users, UserWithRelations> {
                    id: issuer.id,
                    name: issuer.name,
                    url: issuer.url,
-                    icon: issuer.icon?.proxied,
+                    icon: issuer.icon,
                    server_id: account.serverId,
                };
            })
--- a/packages/kit/tables/migrations/0051_stiff_morbius.sql
+++ b/packages/kit/tables/migrations/0051_stiff_morbius.sql
@ -0,0 +1,46 @@
 CREATE TABLE "AuthorizationCodes" (
 	"code" text PRIMARY KEY NOT NULL,
 	"scopes" text[] DEFAULT ARRAY[]::text[] NOT NULL,
 	"redirect_uri" text,
 	"expires_at" timestamp(3) NOT NULL,
 	"created_at" timestamp(3) DEFAULT now() NOT NULL,
 	"code_challenge" text,
 	"code_challenge_method" text,
 	"userId" uuid NOT NULL,
 	"clientId" text NOT NULL
 );
 --> statement-breakpoint
 ALTER TABLE "Tokens" RENAME COLUMN "applicationId" TO "clientId";--> statement-breakpoint
 --ALTER TABLE "Notes" DROP CONSTRAINT "Notes_applicationId_Applications_id_fk";
 --> statement-breakpoint
 --ALTER TABLE "OpenIdLoginFlows" DROP CONSTRAINT "OpenIdLoginFlows_applicationId_Applications_id_fk";
 --> statement-breakpoint
 --ALTER TABLE "Tokens" DROP CONSTRAINT "Tokens_applicationId_Applications_id_fk";
 --> statement-breakpoint
 DROP INDEX "Applications_client_id_index";--> statement-breakpoint
 ALTER TABLE "Applications" ADD PRIMARY KEY ("client_id");--> statement-breakpoint
 ALTER TABLE "Applications" ALTER COLUMN "scopes" SET DATA TYPE text[] USING (string_to_array("scopes", ' ')::text[]);--> statement-breakpoint
 ALTER TABLE "Applications" ALTER COLUMN "scopes" SET DEFAULT ARRAY[]::text[];--> statement-breakpoint
 ALTER TABLE "Notes" ALTER COLUMN "applicationId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ALTER COLUMN "applicationId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "Applications" ADD COLUMN "redirect_uris" text[] DEFAULT ARRAY[]::text[] NOT NULL;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "state" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_state" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_redirect_uri" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_scopes" text[];--> statement-breakpoint
 ALTER TABLE "Tokens" ADD COLUMN "scopes" text[] DEFAULT ARRAY[]::text[] NOT NULL;--> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" ADD CONSTRAINT "AuthorizationCodes_userId_Users_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."Users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" ADD CONSTRAINT "AuthorizationCodes_clientId_Applications_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Notes" ADD CONSTRAINT "Notes_applicationId_Applications_client_id_fk" FOREIGN KEY ("applicationId") REFERENCES "public"."Applications"("client_id") ON DELETE set null ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD CONSTRAINT "OpenIdLoginFlows_applicationId_Applications_client_id_fk" FOREIGN KEY ("applicationId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Tokens" ALTER COLUMN "clientId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "Tokens" ADD CONSTRAINT "Tokens_clientId_Applications_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "id";--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "vapid_key";--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "redirect_uri";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "token_type";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "scope";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "code";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "client_id";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "redirect_uri";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "id_token";
--- a/packages/kit/tables/migrations/meta/0051_snapshot.json
+++ b/packages/kit/tables/migrations/meta/0051_snapshot.json
--- a/packages/kit/tables/migrations/meta/_journal.json
+++ b/packages/kit/tables/migrations/meta/_journal.json
@ -358,6 +358,13 @@
            "when": 1746368175263,
            "tag": "0050_thick_lester",
            "breakpoints": true
        },
        {
            "idx": 51,
            "version": "7",
            "when": 1755729662013,
            "tag": "0051_stiff_morbius",
            "breakpoints": true
        }
    ]
 }
--- a/packages/kit/tables/schema.ts
+++ b/packages/kit/tables/schema.ts
@ -28,6 +28,7 @@ import {
 import type { z } from "zod/v4";
 const createdAt = () =>
    // TODO: Change mode to Date
    timestamp("created_at", { precision: 3, mode: "string" })
        .defaultNow()
        .notNull();
@ -39,7 +40,7 @@ const updatedAt = () =>
 const uri = () => text("uri").unique();
-const id = () => uuid("id").primaryKey().notNull();
+const id = () => uuid("id").primaryKey();
 export const Challenges = pgTable("Challenges", {
    id: id(),
@ -308,47 +309,41 @@ export const RelationshipsRelations = relations(Relationships, ({ one }) => ({
    }),
 }));
-export const Applications = pgTable(
+export const Clients = pgTable("Applications", {
-    "Applications",
+    id: text("client_id").primaryKey(),
-    {
+    secret: text("secret").notNull(),
-        id: id(),
+    redirectUris: text("redirect_uris")
        .array()
        .notNull()
        .default(sql`ARRAY[]::text[]`),
    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
    name: text("name").notNull(),
    website: text("website"),
-        vapidKey: text("vapid_key"),
+});
        clientId: text("client_id").notNull(),
        secret: text("secret").notNull(),
        scopes: text("scopes").notNull(),
        redirectUri: text("redirect_uri").notNull(),
    },
    (table) => [uniqueIndex().on(table.clientId)],
 );
-export const ApplicationsRelations = relations(Applications, ({ many }) => ({
+export const ClientsRelations = relations(Clients, ({ many }) => ({
    tokens: many(Tokens),
    loginFlows: many(OpenIdLoginFlows),
 }));
 export const Tokens = pgTable("Tokens", {
    id: id(),
-    tokenType: text("token_type").notNull(),
+    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
    scope: text("scope").notNull(),
    accessToken: text("access_token").notNull(),
    code: text("code"),
    expiresAt: timestamp("expires_at", { precision: 3, mode: "string" }),
    createdAt: createdAt(),
    clientId: text("client_id").notNull().default(""),
    redirectUri: text("redirect_uri").notNull().default(""),
    idToken: text("id_token"),
    userId: uuid("userId")
        .references(() => Users.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    clientId: text("clientId")
        .references(() => Clients.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
-    }),
+        })
        .notNull(),
 });
 export const TokensRelations = relations(Tokens, ({ one }) => ({
@ -356,12 +351,51 @@ export const TokensRelations = relations(Tokens, ({ one }) => ({
        fields: [Tokens.userId],
        references: [Users.id],
    }),
-    application: one(Applications, {
+    client: one(Clients, {
-        fields: [Tokens.applicationId],
+        fields: [Tokens.clientId],
-        references: [Applications.id],
+        references: [Clients.id],
    }),
 }));
 export const AuthorizationCodes = pgTable("AuthorizationCodes", {
    code: text("code").primaryKey(),
    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
    redirectUri: text("redirect_uri"),
    expiresAt: timestamp("expires_at", {
        precision: 3,
        mode: "string",
    }).notNull(),
    createdAt: createdAt(),
    codeChallenge: text("code_challenge"),
    codeChallengeMethod: text("code_challenge_method"),
    userId: uuid("userId")
        .references(() => Users.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
    clientId: text("clientId")
        .references(() => Clients.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
 });
 export const AuthorizationCodesRelations = relations(
    AuthorizationCodes,
    ({ one }) => ({
        user: one(Users, {
            fields: [AuthorizationCodes.userId],
            references: [Users.id],
        }),
        client: one(Clients, {
            fields: [AuthorizationCodes.clientId],
            references: [Clients.id],
        }),
    }),
 );
 export const Medias = pgTable("Medias", {
    id: id(),
    content: jsonb("content")
@ -460,7 +494,7 @@ export const Notes = pgTable("Notes", {
    }),
    sensitive: boolean("sensitive").notNull().default(false),
    spoilerText: text("spoiler_text").default("").notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    applicationId: text("applicationId").references(() => Clients.id, {
        onDelete: "set null",
        onUpdate: "cascade",
    }),
@ -494,9 +528,9 @@ export const NotesRelations = relations(Notes, ({ many, one }) => ({
        references: [Notes.id],
        relationName: "NoteToQuotes",
    }),
-    application: one(Applications, {
+    application: one(Clients, {
        fields: [Notes.applicationId],
-        references: [Applications.id],
+        references: [Clients.id],
    }),
    quotes: many(Notes, {
        relationName: "NoteToQuotes",
@ -665,7 +699,11 @@ export const UsersRelations = relations(Users, ({ many, one }) => ({
 export const OpenIdLoginFlows = pgTable("OpenIdLoginFlows", {
    id: id(),
    codeVerifier: text("code_verifier").notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    state: text("state"),
    clientState: text("client_state"),
    clientRedirectUri: text("client_redirect_uri"),
    clientScopes: text("client_scopes").array(),
    applicationId: text("applicationId").references(() => Clients.id, {
        onDelete: "cascade",
        onUpdate: "cascade",
    }),
@ -675,9 +713,9 @@ export const OpenIdLoginFlows = pgTable("OpenIdLoginFlows", {
 export const OpenIdLoginFlowsRelations = relations(
    OpenIdLoginFlows,
    ({ one }) => ({
-        application: one(Applications, {
+        application: one(Clients, {
            fields: [OpenIdLoginFlows.applicationId],
-            references: [Applications.id],
+            references: [Clients.id],
        }),
    }),
 );
--- a/packages/tests/index.ts
+++ b/packages/tests/index.ts
@ -1,7 +1,14 @@
 import { mock } from "bun:test";
 import { Client as VersiaClient } from "@versia/client";
 import { config } from "@versia-server/config";
-import { db, Note, setupDatabase, Token, User } from "@versia-server/kit/db";
+import {
    Application,
    db,
    Note,
    setupDatabase,
    Token,
    User,
 } from "@versia-server/kit/db";
 import { searchManager } from "@versia-server/kit/search";
 import { Notes, Users } from "@versia-server/kit/tables";
 import { solveChallenge } from "altcha-lib";
@ -43,15 +50,21 @@ export const generateClient = async (
        dbToken: Token;
    }
 > => {
    const application = await Application.insert({
        id: randomUUIDv7(),
        name: "Versia",
        redirectUris: [],
        scopes: ["openid", "profile", "email"],
        secret: "",
    });
    const token = user
        ? await Token.insert({
              id: randomUUIDv7(),
              accessToken: randomString(32, "hex"),
              tokenType: "bearer",
              userId: user.id,
-              applicationId: null,
+              clientId: application.id,
-              code: randomString(32, "hex"),
+              scopes: ["read", "write", "follow", "push"],
              scope: "read write follow push",
          })
        : null;
@ -71,6 +84,7 @@ export const generateClient = async (
    // @ts-expect-error This is REAL monkeypatching done by REAL programmers, BITCH!
    client[Symbol.asyncDispose] = async (): Promise<void> => {
        await token?.delete();
        await application.delete();
    };
    // @ts-expect-error More monkeypatching
@ -97,6 +111,14 @@ export const getTestUsers = async (
    const users: User[] = [];
    const passwords: string[] = [];
    const application = await Application.insert({
        id: randomUUIDv7(),
        name: "Versia",
        redirectUris: [],
        scopes: ["openid", "profile", "email"],
        secret: "",
    });
    for (let i = 0; i < count; i++) {
        const password = randomString(32, "hex");
@ -119,9 +141,9 @@ export const getTestUsers = async (
            accessToken: randomString(32, "hex"),
            tokenType: "bearer",
            userId: u.id,
-            applicationId: null,
+            clientId: application.id,
            code: randomString(32, "hex"),
-            scope: "read write follow push",
+            scopes: ["read", "write", "follow", "push"],
        })),
    );
@ -140,6 +162,7 @@ export const getTestUsers = async (
                    users.map((u) => u.id),
                ),
            );
            await application.delete();
        },
    };
 };
--- a/utils/bull-board.ts
+++ b/utils/bull-board.ts
@ -14,8 +14,7 @@ import { relationshipQueue } from "@versia-server/kit/queues/relationships";
 import type { Hono } from "hono";
 import { serveStatic } from "hono/bun";
 import { getCookie } from "hono/cookie";
-import { jwtVerify } from "jose";
+import { verify } from "hono/jwt";
 import { JOSEError, JWTExpired } from "jose/errors";
 import type { HonoEnv } from "~/types/api";
 import pkg from "../package.json" with { type: "json" };
@ -58,38 +57,18 @@ export const applyToHono = (app: Hono<HonoEnv>): void => {
            throw new ApiError(401, "Missing JWT cookie");
        }
-        const result = await jwtVerify(
+        const result = await verify(
            jwtCookie,
            config.authentication.keys.public,
-            {
+        );
                algorithms: ["EdDSA"],
                issuer: new URL(context.get("config").http.base_url).origin,
            },
        ).catch((error) => {
            if (error instanceof JOSEError) {
                return error;
            }
-            throw error;
+        const { sub } = result;
        });
        if (result instanceof JOSEError) {
            if (result instanceof JWTExpired) {
                throw new ApiError(401, "JWT has expired");
            }
            throw new ApiError(401, "Invalid JWT");
        }
        const {
            payload: { sub },
        } = result;
        if (!sub) {
            throw new ApiError(401, "Invalid JWT (no sub)");
        }
-        const user = await User.fromId(sub);
+        const user = await User.fromId(sub as string);
        if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {
            throw new ApiError(
--- a/utils/lib.ts
+++ b/utils/lib.ts
@ -9,3 +9,6 @@ export const mergeAndDeduplicate = <T extends ElementWithId>(
            (element, index, self) =>
                index === self.findIndex((t) => t.id === element.id),
        );
 export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
    new URL(`/oauth/sso/${issuer}/callback`, baseUrl);