internal/handlers/func_test.go (1)

73-82: LGTM on accessor; tiny math nit to avoid narrowing.

Use int64 division to dodge unnecessary casts even in tests.

Apply:

-  return uint64(int(step) / period) //nolint:gosec // This is a testing func.
+  return uint64(step / int64(period)) //nolint:gosec // This is a testing func.

internal/commands/debug_test.go (1)

10-27: Beef up these tests just a tad, sucka

Non-nil is fine, but add t.Parallel and minimal shape checks (e.g., Use not empty) to catch regressions without coupling too hard.

Example tweak:

 func TestNewDebugCmds(t *testing.T) {
+	t.Parallel()
 	var cmd *cobra.Command

 	cmd = newDebugCmd(&CmdCtx{})
 	assert.NotNil(t, cmd)
+	assert.NotEmpty(t, cmd.Use)

 	cmd = newDebugExpressionCmd(&CmdCtx{})
 	assert.NotNil(t, cmd)
+	assert.NotEmpty(t, cmd.Use)

 	cmd = newDebugOIDCCmd(&CmdCtx{})
 	assert.NotNil(t, cmd)
+	assert.NotEmpty(t, cmd.Use)

 	cmd = newDebugOIDCClaimsCmd(&CmdCtx{})
 	assert.NotNil(t, cmd)
+	assert.NotEmpty(t, cmd.Use)

 	cmd = newDebugTLSCmd(&CmdCtx{})
 	assert.NotNil(t, cmd)
+	assert.NotEmpty(t, cmd.Use)
 }

internal/handlers/handler_sign_duo.go (2)

261-261: Clock accessor swap looks right—consistency check on timezone, fool

Good move to ctx.GetClock().Now(). Consider normalizing to UTC like other 2FA paths to avoid mixed timezones in comparisons.

Would you like me to scan usages of SetTwoFactor* to confirm all timestamps are consistently UTC?

---

142-149: Don’t swallow errors—make intent explicit

On preauth error you log + respond then return "", "", nil. That relies on the caller’s empty-device/method branch. It works but obscures flow.

Prefer returning a sentinel error so the call-site short-circuits explicitly.

internal/handlers/handler_sign_webauthn.go (1)

215-221: Defer-save is clever, but be explicit post-regeneration

You rely on the deferred SaveSession to persist both challenge cleanup and the final 2FA timestamp after RegenerateSession. It works, but it’s subtle.

Consider clearing WebAuthn before validation errors and doing an explicit SaveSession after SetTwoFactorWebAuthn to mirror TOTP/Duo flows.

internal/random/cryptographical.go (1)

10-14: Tiny polish: docs + interface assertion

Tighten the comment and add a compile-time interface check, fool.

Apply:

-// New returns a new random provider, specifically and strictly a production ready variant which uses inbuilt
-// system randomness (i.e solely crypto/rand and the *Cryptographical provider).
+// New returns a production-ready Provider backed solely by crypto/rand (Cryptographical).

And add after the type definition:

var _ Provider = (*Cryptographical)(nil)

internal/clock/provider.go (1)

6-7: Decouple the clock interface from jwt to cut coupling, fool.

Pulling github.com/golang-jwt/jwt/v5 into the clock interface leaks JWT concerns. Consider keeping Provider pure (Now/After/AfterFunc) and building options at call sites:

Example at call site:

// instead of: ctx.GetClock().GetJWTWithTimeFuncOption()
jwt.WithTimeFunc(ctx.GetClock().Now)

Keeps the clock generic and avoids forcing every implementer to import jwt.

internal/handlers/handler_oauth2_wellknown.go (1)

53-55: Cache time once to avoid tiny drift, sucka.

Call Now() once; prevents issued/expiry skew.

-        claims[oidc.ClaimIssuedAt] = ctx.GetClock().Now().UTC().Unix()
-        claims[oidc.ClaimExpirationTime] = ctx.GetClock().Now().Add(time.Hour).UTC().Unix()
+        now := ctx.GetClock().Now().UTC()
+        claims[oidc.ClaimIssuedAt] = now.Unix()
+        claims[oidc.ClaimExpirationTime] = now.Add(time.Hour).Unix()

internal/handlers/handler_oauth2_authorization_consent_core.go (1)

289-293: Compute “now” once for PAR/non-PAR paths, fool.

Minor polish: assign now := ctx.GetClock().Now().UTC() once and reuse for both branches to avoid double sampling.

internal/handlers/handler_authz_authn.go (1)

501-504: Capture now once to avoid drift in logs/check, ya hear!

Minor cleanup: compute now once; cheaper and consistent.

-	ctx.Logger.WithField("username", userSession.Username).Tracef("Inactivity report for user. Current Time: %d, Last Activity: %d, Maximum Inactivity: %d.", ctx.GetClock().Now().Unix(), userSession.LastActivity, int(provider.Config.Inactivity.Seconds()))
-
-	return time.Unix(userSession.LastActivity, 0).Add(provider.Config.Inactivity).Before(ctx.GetClock().Now())
+	now := ctx.GetClock().Now()
+	ctx.Logger.WithField("username", userSession.Username).Tracef("Inactivity report for user. Current Time: %d, Last Activity: %d, Maximum Inactivity: %d.", now.Unix(), userSession.LastActivity, int(provider.Config.Inactivity.Seconds()))
+	return time.Unix(userSession.LastActivity, 0).Add(provider.Config.Inactivity).Before(now)

internal/totp/totp_test.go (1)

112-113: Factory DI for clock/random looks tight, sucka. One tiny polish.

Use context.Background() in tests for clarity.

- ctx := NewContext(context.TODO(), clock.New(), random.New())
+ ctx := NewContext(context.Background(), clock.New(), random.New())

- ctx := NewContext(context.TODO(), clock.New(), random.New())
+ ctx := NewContext(context.Background(), clock.New(), random.New())

- ctx := NewContext(context.TODO(), clock.NewFixed(time.Unix(10000000, 0)), random.New())
+ ctx := NewContext(context.Background(), clock.NewFixed(time.Unix(10000000, 0)), random.New())

Also applies to: 159-161, 223-224

internal/clock/real.go (1)

22-25: Ditch the named return for clarity, fool.
Lean it up; same behavior, less noise.

-func (r Real) GetJWTWithTimeFuncOption() (option jwt.ParserOption) {
-	return jwt.WithTimeFunc(r.Now)
-}
+func (r Real) GetJWTWithTimeFuncOption() jwt.ParserOption {
+	return jwt.WithTimeFunc(r.Now)
+}

internal/handlers/handler_session_elevation_test.go (1)

353-361: Stabilize time expectations with a single capture.
Multiple Now() calls can drift in some clocks. Capture once, reuse. Don’t get bit by flaky nanoseconds, fool.

-                gomock.InOrder(
+                now := mock.Clock.Now()
+                gomock.InOrder(
                   mock.RandomMock.EXPECT().
                     Read(gomock.Any()).
                     SetArg(0, []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x22, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15}).
                     Return(16, nil),
                   mock.RandomMock.EXPECT().
                     BytesCustomErr(10, []byte(random.CharSetUnambiguousUpper)).
                     Return([]byte("ABC123ABC1"), nil),
                   mock.StorageMock.EXPECT().
                     SaveOneTimeCode(mock.Ctx, model.OneTimeCode{
                       PublicID:  uuid.Must(uuid.Parse("01020304-0506-4722-8910-111213141500")),
-                      IssuedAt:  mock.Clock.Now(),
+                      IssuedAt:  now,
                       IssuedIP:  model.NewIP(net.ParseIP("0.0.0.0")),
-                      ExpiresAt: mock.Clock.Now().Add(time.Minute),
+                      ExpiresAt: now.Add(time.Minute),

internal/commands/crypto_test.go (1)

1-27: Add table-driven cases and t.Parallel to toughen this test.
Make it meaner and leaner, chump: parallelize and assert basic command traits (Use/Short/subcommands) for real value.

 func TestNewCrypto(t *testing.T) {
-	var cmd *cobra.Command
-
-	cmd = newCryptoCmd(&CmdCtx{})
-	assert.NotNil(t, cmd)
-	...
-	cmd = newCryptoPairSubCmd(&CmdCtx{}, "verify")
-	assert.NotNil(t, cmd)
+	t.Parallel()
+	tests := []struct{
+		name string
+		make func() *cobra.Command
+	}{
+		{"crypto", func() *cobra.Command { return newCryptoCmd(&CmdCtx{}) }},
+		{"certificate", func() *cobra.Command { return newCryptoCertificateCmd(&CmdCtx{}) }},
+		{"pair", func() *cobra.Command { return newCryptoPairCmd(&CmdCtx{}) }},
+		{"pair-generate", func() *cobra.Command { return newCryptoPairSubCmd(&CmdCtx{}, "generate") }},
+		{"pair-verify", func() *cobra.Command { return newCryptoPairSubCmd(&CmdCtx{}, "verify") }},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			cmd := tc.make()
+			assert.NotNil(t, cmd)
+			assert.NotEmpty(t, cmd.Use)
+			assert.NotEmpty(t, cmd.Short)
+		})
+	}
 }

internal/handlers/handler_oauth2_authorization_consent_core_test.go (2)

217-217: Clock provider wiring LGTM — keep it DRY, fool!

Setting mock.Ctx.Providers.Clock = &mock.Clock is correct. Consider a small helper (e.g., setupTestClock(mock, ts)) to avoid repetition across tests.

Also applies to: 379-379, 719-719, 1021-1021, 1358-1358

---

877-877: ExpiresAt via provider clock is solid — snapshot ‘now’ once

Using mock.Ctx.Providers.Clock.Now() is right. For stability, compute now := mock.Ctx.Providers.Clock.Now() once per test case and reuse to avoid any micro-drift. I pity the flaky test, fool!

Also applies to: 916-916, 1005-1005, 1183-1183, 1237-1237

internal/handlers/handler_firstfactor_passkey_test.go (3)

546-547: SessionData/CreatedAt now rely on provider clock — consistent timing

Great alignment with the clock refactor. Consider standardizing remaining time.Now() usages in this file too for full determinism.

Also applies to: 556-556, 652-653, 661-661, 754-755, 763-763

---

556-556: Mixing mock.Clock.Now() and provider clock — unify for clarity, fool

While both point to the same mock, prefer mock.Ctx.Providers.Clock.Now() everywhere (e.g., LastUsedAt) for consistency.

Apply pattern (example):

- LastUsedAt: sql.NullTime{Time: mock.Clock.Now().UTC(), Valid: true},
+ LastUsedAt: sql.NullTime{Time: mock.Ctx.Providers.Clock.Now().UTC(), Valid: true},

Also applies to: 661-661, 763-763

---

151-151: Optional: Replace raw time.Now() calls in internal/handlers/handler_firstfactor_passkey_test.go with mock.Clock.Now(), fool! I count ~28 occurrences (Expires, CreatedAt, LastUsedAt)—use the injected clock for deterministic tests.

internal/handlers/handler_session_elevation.go (2)

79-82: Switched to GetClock() — good; grab now once

Two calls to ctx.GetClock().Now() back-to-back can drift a second boundary. Capture once and reuse.

- response.Expires = int(userSession.Elevations.User.Expires.Sub(ctx.GetClock().Now()).Seconds())
- if userSession.Elevations.User.Expires.Before(ctx.GetClock().Now()) {
+ now := ctx.GetClock().Now()
+ response.Expires = int(userSession.Elevations.User.Expires.Sub(now).Seconds())
+ if userSession.Elevations.User.Expires.Before(now) {

---

282-283: PUT path uses provider clock — finalize with a single now

Same story here: snapshot once for the expiry check and assignment.

- if code.ExpiresAt.Before(ctx.GetClock().Now()) {
+ now := ctx.GetClock().Now()
+ if code.ExpiresAt.Before(now) {
...
- Expires:  ctx.GetClock().Now().Add(ctx.Configuration.IdentityValidation.ElevatedSession.ElevationLifespan),
+ Expires:  now.Add(ctx.Configuration.IdentityValidation.ElevatedSession.ElevationLifespan),

Also applies to: 342-342

internal/handlers/handler_oauth2_consent.go (2)

301-302: Pre-config and responded-at timestamps now provider-backed — solid

Nice swap to ctx.GetClock().Now(). Consider capturing now := ctx.GetClock().Now() once in the function to reuse. Don’t make time a moving target, fool!

Also applies to: 355-356

---

545-546: Device flow consent session uses provider clock — correct

Creating the consent with Now().Add(10*time.Second) and marking responded-at via provider is right. Optional: compute now once to avoid drift.

Also applies to: 566-566

internal/handlers/handler_sign_password.go (1)

17-17: Optional: use provider clock for requestTime too

For full determinism in timing-attack delays, consider:

- requestTime := time.Now()
+ requestTime := ctx.GetClock().Now()

internal/handlers/handler_firstfactor_passkey.go (1)

311-345: Drop the duplicated RefreshTTL assignment.

RefreshTTL is set twice (Line 311 and Line 345). Set it once after SetOneFactorPasskey to avoid drift and confusion. I pity the fool who sets the same TTL twice!

Apply this diff:

-  if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
-    userSession.RefreshTTL = ctx.GetClock().Now().Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
-  }
...
   userSession.SetOneFactorPasskey(
     ctx.GetClock().Now(), details,
     keepMeLoggedIn,
     response.AuthenticatorAttachment == protocol.CrossPlatform,
     response.Response.AuthenticatorData.Flags.HasUserPresent(),
     response.Response.AuthenticatorData.Flags.HasUserVerified(),
   )
 
   if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
-    userSession.RefreshTTL = ctx.GetClock().Now().Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
+    userSession.RefreshTTL = ctx.GetClock().Now().Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
   }

internal/handlers/handler_firstfactor_password.go (2)

136-140: Good move to provider-backed time for password 1FA.

SetOneFactorPassword and RefreshTTL using ctx.GetClock() look tight. Keep it consistent, sucka.

Consider capturing now := ctx.GetClock().Now() once and reuse to avoid micro-drift:

- userSession.SetOneFactorPassword(ctx.GetClock().Now(), details, keepMeLoggedIn)
- if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
-   userSession.RefreshTTL = ctx.GetClock().Now().Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
- }
+ now := ctx.GetClock().Now()
+ userSession.SetOneFactorPassword(now, details, keepMeLoggedIn)
+ if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
+   userSession.RefreshTTL = now.Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
+ }

---

267-271: Reauth flow clock usage looks correct.

Same note: capture now once to keep timestamps aligned. Don’t play games with time, fool.

- userSession.SetOneFactorReauthenticate(ctx.GetClock().Now(), userDetails)
- if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
-   userSession.RefreshTTL = ctx.GetClock().Now().Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
- }
+ now := ctx.GetClock().Now()
+ userSession.SetOneFactorReauthenticate(now, userDetails)
+ if ctx.Configuration.AuthenticationBackend.RefreshInterval.Update() {
+   userSession.RefreshTTL = now.Add(ctx.Configuration.AuthenticationBackend.RefreshInterval.Value())
+ }

internal/handlers/handler_oauth2_authorization_consent_preconfigured.go (3)

89-109: Avoid TOCTOU drift: capture now once in WithID path.

Use a single now := ctx.GetClock().Now() for CanGrant and SetRespondedAt to keep decisions and writes aligned. Don’t let time slip, sucka.

Apply this diff within the function:

- if !consent.CanGrant(ctx.GetClock().Now()) {
+ now := ctx.GetClock().Now()
+ if !consent.CanGrant(now) {
    ...
-   consent.SetRespondedAt(ctx.GetClock().Now(), config.ID)
+   consent.SetRespondedAt(now, config.ID)

Add the now := declaration right before the CanGrant check.

---

207-207: Same here in WithoutID path: reuse a single now.

Keep RespondedAt consistent with earlier checks. Consistency is king, fool.

- consent.SetRespondedAt(ctx.GetClock().Now(), config.ID)
+ now := ctx.GetClock().Now()
+ consent.SetRespondedAt(now, config.ID)

If a now already exists earlier in the scope, reuse it.

---

227-260: Deterministic pre-config filtering: pass one timestamp through.

LoadOAuth2ConsentPreConfigurations and config.CanConsentAt both use Now(); compute once and reuse to prevent edge-case mismatches at expiry boundaries. Don’t get caught on the line, sucka.

- if rows, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentPreConfigurations(ctx, client.GetID(), subject, ctx.GetClock().Now()); err != nil {
+ now := ctx.GetClock().Now()
+ if rows, err = ctx.Providers.StorageProvider.LoadOAuth2ConsentPreConfigurations(ctx, client.GetID(), subject, now); err != nil {
    ...
- if !config.CanConsentAt(ctx.GetClock().Now()) {
+ if !config.CanConsentAt(now) {

internal/handlers/handler_oauth2_authorization_consent_implicit.go (2)

79-93: Implicit WithID: compute now once for CanGrant and Grant.

Single timestamp avoids micro-drifts across checks and writes. Tighten it up, fool.

- if !consent.CanGrant(ctx.GetClock().Now()) {
+ now := ctx.GetClock().Now()
+ if !consent.CanGrant(now) {
    ...
-   oidc.ConsentGrantImplicit(consent, requests.ToSlice(), subject, ctx.GetClock().Now())
+   oidc.ConsentGrantImplicit(consent, requests.ToSlice(), subject, now)
    ...
-   oidc.ConsentGrantImplicit(consent, nil, subject, ctx.GetClock().Now())
+   oidc.ConsentGrantImplicit(consent, nil, subject, now)

---

149-151: Implicit WithoutID: same single-now pattern.

Keep that timestamp steady, sucka.

- oidc.ConsentGrantImplicit(consent, requests.ToSlice(), subject, ctx.GetClock().Now())
+ now := ctx.GetClock().Now()
+ oidc.ConsentGrantImplicit(consent, requests.ToSlice(), subject, now)
...
- oidc.ConsentGrantImplicit(consent, nil, subject, ctx.GetClock().Now())
+ oidc.ConsentGrantImplicit(consent, nil, subject, now)

internal/commands/context.go (1)

88-94: Avoid naming return values that shadow package names.

Named results ‘clock’ and ‘random’ shadow imports; drop the names for clarity.

Apply:

-func (ctx *CmdCtx) GetClock() (clock clock.Provider) {
-  return ctx.providers.Clock
-}
-
-func (ctx *CmdCtx) GetRandom() (random random.Provider) {
-  return ctx.providers.Random
-}
+func (ctx *CmdCtx) GetClock() clock.Provider {
+  return ctx.providers.Clock
+}
+
+func (ctx *CmdCtx) GetRandom() random.Provider {
+  return ctx.providers.Random
+}

Don’t let shadows spook your readers, sucker!

internal/commands/storage_run.go (1)

1752-1755: Reuse ctx’s Random for directory names.

Keeps RNG consistent and mockable.

Apply:

 if dir == "" {
-  rand := random.New()
-  dir = rand.StringCustom(8, random.CharSetAlphaNumeric)
+  var rnd random.Provider
+  if svc, ok := ctx.(middlewares.Context); ok {
+    rnd = svc.GetRandom()
+  } else {
+    rnd = random.New()
+  }
+  dir = rnd.StringCustom(8, random.CharSetAlphaNumeric)
 }

Keep it tight and testable, fool!

internal/handlers/handler_register_totp_test.go (1)

858-859: Clock rebinding in test setup is correct.

Setting mock.Ctx.Providers.Clock ensures all code under test uses the mock time.

Consider updating other CreatedAt expectations in this file to uniformly reference mock.Ctx.Providers.Clock.Now() for clarity.
Don’t mix clocks like a fool!

internal/duo/duo_test.go (2)

458-473: Use pointer receivers for GetClock/GetRandom.

With value receivers, assignment to t.providers.* doesn’t persist. Pointer receivers make the lazy init stick.

Apply:

-func (t TestCtx) GetClock() clock.Provider {
-  if t.providers.Clock == nil {
-    t.providers.Clock = clock.New()
-  }
-  return t.providers.Clock
-}
+func (t *TestCtx) GetClock() clock.Provider {
+  if t.providers.Clock == nil {
+    t.providers.Clock = clock.New()
+  }
+  return t.providers.Clock
+}
 
-func (t TestCtx) GetRandom() random.Provider {
-  if t.providers.Random == nil {
-    t.providers.Random = random.New()
-  }
-  return t.providers.Random
-}
+func (t *TestCtx) GetRandom() random.Provider {
+  if t.providers.Random == nil {
+    t.providers.Random = random.New()
+  }
+  return t.providers.Random
+}

Make those setters stick, sucka!

---

433-445: Nit: NewTextCtx likely meant NewTestCtx.

Function name mismatches the type (TestCtx). Rename for clarity and update call sites.

Example:

-func NewTextCtx(ip net.IP) *TestCtx {
+func NewTestCtx(ip net.IP) *TestCtx {
@@
-  ctx := &TestCtx{
+  ctx := &TestCtx{
@@
-  return ctx
+  return ctx
 }

And replace calls like:

-ctx := NewTextCtx(net.ParseIP("127.0.0.1"))
+ctx := NewTestCtx(net.ParseIP("127.0.0.1"))

Names matter, fool!

Also applies to: 283-285, 408-410, 469-481

internal/commands/util.go (2)

382-425: Avoid per-call map allocations; precompute and just lookup.

Right now you build a new map on every call, sucka. Precompute once and return by key; also document that unknown use yields nil to signal “unsupported”.

Apply within this function:

-func getCryptoHashGenerateMapFlagsFromUse(use string) (flags map[string]string) {
-	flags = make(map[string]string)
-	switch use {
+func getCryptoHashGenerateMapFlagsFromUse(use string) (flags map[string]string) {
+	switch use {
 	case cmdUseHashArgon2:
-		flags = map[string]string{
+		return map[string]string{
 			cmdFlagNameVariant:     prefixFilePassword + suffixArgon2Variant,
 			cmdFlagNameIterations:  prefixFilePassword + suffixArgon2Iterations,
 			cmdFlagNameMemory:      prefixFilePassword + suffixArgon2Memory,
 			cmdFlagNameParallelism: prefixFilePassword + suffixArgon2Parallelism,
 			cmdFlagNameKeySize:     prefixFilePassword + suffixArgon2KeyLength,
 			cmdFlagNameSaltSize:    prefixFilePassword + suffixArgon2SaltLength,
 		}
 	case cmdUseHashSHA2Crypt:
-		flags = map[string]string{
+		return map[string]string{
 			cmdFlagNameVariant:    prefixFilePassword + suffixSHA2CryptVariant,
 			cmdFlagNameIterations: prefixFilePassword + suffixSHA2CryptIterations,
 			cmdFlagNameSaltSize:   prefixFilePassword + suffixSHA2CryptSaltLength,
 		}
 	case cmdUseHashPBKDF2:
-		flags = map[string]string{
+		return map[string]string{
 			cmdFlagNameVariant:    prefixFilePassword + suffixPBKDF2Variant,
 			cmdFlagNameIterations: prefixFilePassword + suffixPBKDF2Iterations,
 			cmdFlagNameKeySize:    prefixFilePassword + suffixPBKDF2KeyLength,
 			cmdFlagNameSaltSize:   prefixFilePassword + suffixPBKDF2SaltLength,
 		}
 	case cmdUseHashBcrypt:
-		flags = map[string]string{
+		return map[string]string{
 			cmdFlagNameVariant: prefixFilePassword + suffixBcryptVariant,
 			cmdFlagNameCost:    prefixFilePassword + suffixBcryptCost,
 		}
 	case cmdUseHashScrypt:
-		flags = map[string]string{
+		return map[string]string{
 			cmdFlagNameVariant:     prefixFilePassword + suffixScryptVariant,
 			cmdFlagNameIterations:  prefixFilePassword + suffixScryptIterations,
 			cmdFlagNameBlockSize:   prefixFilePassword + suffixScryptBlockSize,
 			cmdFlagNameParallelism: prefixFilePassword + suffixScryptParallelism,
 			cmdFlagNameKeySize:     prefixFilePassword + suffixScryptKeyLength,
 			cmdFlagNameSaltSize:    prefixFilePassword + suffixScryptSaltLength,
 		}
 	}
-
-	return flags
+	return nil
 }

If you prefer zero allocations entirely, define a package-level var with these maps and just return cryptoHashFlagMap[use].

---

103-106: Rename rand to rng, fool!

Provider interface defines StringCustom(n int, characters string) string (internal/random/provider.go:32–33). I pity the fool who confuses it with math/rand—use rng for clarity at internal/commands/util.go:103.

internal/commands/debug.go (1)

292-489: Consider splitting runDebugTLS to cut complexity and improve readability.

Break into helpers: dialing, cipher summary, chain verification, cert printing, and config suggestion. Keeps the fools from crying over 30+ complexity.

Sketch:

func tlsDial(address *schema.Address, hostname string, suites []uint16) (*tls.Conn, error) { ... }
func printTLSGeneral(w io.Writer, cs tls.ConnectionState) { ... }
func verifyChains(cs tls.ConnectionState, roots, system *x509.CertPool) (valid, validSys bool, inter, interSys *x509.CertPool) { ... }
func printCerts(w io.Writer, cs tls.ConnectionState, hostname string, valid, validSys bool) (validHostname bool) { ... }
func suggestConfig(w io.Writer, cs tls.ConnectionState, hostname, override string, validHostname bool) { ... }

internal/duo/types.go (1)

20-23: Context-based Provider: good evolution, sucka!

Switching to middlewares.Context cleans up dependencies and aligns with new accessors.

If duo_api_golang ever supports context-aware calls, wire ctx for cancellation/timeouts end-to-end. I pity the fool who ignores cancelation!

experimental/embed/context.go (1)

121-123: Don’t return nil IP unless you mean it, fool!

Downstream logs show “”. Return an unspecified/loopback IP to keep logs tidy.

 func (c *ctxEmbed) RemoteIP() net.IP {
-  return nil
+  return net.IPv4zero // or net.ParseIP("127.0.0.1")
 }

internal/duo/duo.go (2)

68-81: Preserve context in wrapping errors, chump.

Include path/username so callers can trace failures without logs.

- return nil, fmt.Errorf("error occurred making the preauth call to the duo api: %w", err)
+ return nil, fmt.Errorf("duo preauth call failed (user=%s): %w", userSession.Username, err)
...
- return nil, fmt.Errorf("error occurred parsing the duo api preauth json response: %w", err)
+ return nil, fmt.Errorf("duo preauth JSON parse failed: %w", err)

Also consider returning the raw Response alongside the error if callers need Duo codes.

---

84-97: Same story for AuthCall, fool.

Mirror the improved context in errors for consistency.

- return nil, fmt.Errorf("error occurred making the auth call to the duo api: %w", err)
+ return nil, fmt.Errorf("duo auth call failed (user=%s): %w", userSession.Username, err)
...
- return nil, fmt.Errorf("error occurred parsing the duo api auth json response: %w", err)
+ return nil, fmt.Errorf("duo auth JSON parse failed: %w", err)

internal/commands/crypto_hash.go (1)

244-252: Echoing random password is intentional, but warn users, fool!

Since this prints secrets to stdout, ensure docs/examples show redirecting or handling securely.

internal/commands/crypto.go (2)

633-634: Nice extraction of pair generation printing. Consider taming the arg list.

That parameter list is louder than Clubber Lang. Wrap into an options struct to reduce churn and improve clarity, fool.

type pairGenOpts struct {
  W io.Writer
  Legacy bool
  PrivateKey any
  Dir string
  PrivateKeyPath, PrivateKeyLegacyPath string
  PublicKeyPath, PublicKeyLegacyPath   string
  ExtLegacy string
}

Then call runCryptoPairGenerate(opts) and pass &pairGenOpts{...}.

---

641-648: Clarify RSA algorithm printout.

Current string mixes bytes and bits without labels. Make it unambiguous, sucka.

-  case *rsa.PrivateKey:
-    b.WriteString(fmt.Sprintf("\tAlgorithm: RSA-%d %d bits\n\n", k.Size(), k.N.BitLen()))
+  case *rsa.PrivateKey:
+    b.WriteString(fmt.Sprintf("\tAlgorithm: RSA %d-bit (%d bytes)\n\n", k.N.BitLen(), k.Size()))

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

internal/commands/crypto_hash.go (1)

228-236: Fix nil dereference before setting Algorithm, fool!

config.AuthenticationBackend.File may be nil; mutating or reading Password will panic. Initialize sane defaults before the switch and before NewFileCryptoHashFromConfig. I pity the fool who dereferences nil.

Apply this diff:

 switch use {
 case cmdUseGenerate:
   break
 default:
-  config.AuthenticationBackend.File.Password.Algorithm = use
+  // Ensure password config exists before mutation.
+  if config.AuthenticationBackend.File == nil {
+    config.AuthenticationBackend.File = &schema.AuthenticationBackendFile{}
+  }
+  if config.AuthenticationBackend.File.Password.Algorithm == "" {
+    // Populate with sane defaults so downstream hashing always has parameters.
+    config.AuthenticationBackend.File.Password = schema.DefaultPasswordConfig
+  }
+  config.AuthenticationBackend.File.Password.Algorithm = use
 }
 
-if hash, err = authentication.NewFileCryptoHashFromConfig(config.AuthenticationBackend.File.Password); err != nil {
+// Guard again in case File was absent and we’re on the root 'generate' path.
+if config.AuthenticationBackend.File == nil {
+  return fmt.Errorf("file authentication backend password settings are not configured")
+}
+if hash, err = authentication.NewFileCryptoHashFromConfig(config.AuthenticationBackend.File.Password); err != nil {
   return err
 }

internal/duo/duo_test.go (1)

446-454: Nice: removed unused clock/random fields from TestCtx. No dead weight on my watch!

This resolves prior lint failures.

internal/oidc/types_test.go (1)

167-171: Return pointer to a copy to avoid test pollution: good; mind shallow-copy semantics

Solid move. Note it’s a shallow copy—nested pointers (e.g., HTTPClient, Templates) still alias. I pity the fool who mutates those thinking they’re isolated.

Optionally deep-copy critical subfields if tests mutate them.

To ensure callers don’t rely on pointer identity or mutate via the returned pointer:

#!/bin/bash
set -euo pipefail
rg -nP '\.GetConfiguration\(\)\.[A-Za-z_]+\s*=' --type=go -S || true
rg -nP '(GetConfiguration\(\)\s*==)|(\s==\s*GetConfiguration\(\))' --type=go -S || true

experimental/embed/context.go (1)

113-119: Nil-guard GetClock/GetRandom or face the panic, sucka!

These accessors will panic when Providers or the specific provider is nil. Add safe fallbacks. This echoes prior feedback.

Apply this diff:

 func (c *ctxEmbed) GetClock() (clock clock.Provider) {
-	return c.Providers.Clock
+	if c == nil || c.Providers.Clock == nil {
+		return clock.New()
+	}
+	return c.Providers.Clock
 }
 
 func (c *ctxEmbed) GetRandom() (random random.Provider) {
-	return c.Providers.Random
+	if c == nil || c.Providers.Random == nil {
+		return random.New()
+	}
+	return c.Providers.Random
 }

internal/handlers/handler_oauth2_oidc_wellknown.go (2)

53-54: Use a single base time, sucka.

Compute Now() once to avoid micro-drift and double clock calls. I pity the fool who lets exp and iat diverge!

-        claims[oidc.ClaimIssuedAt] = ctx.GetClock().Now().UTC().Unix()
-        claims[oidc.ClaimExpirationTime] = ctx.GetClock().Now().Add(time.Hour).UTC().Unix()
+        now := ctx.GetClock().Now().UTC()
+        claims[oidc.ClaimIssuedAt] = now.Unix()
+        claims[oidc.ClaimExpirationTime] = now.Add(time.Hour).Unix()

---

54-54: Consider configurable TTL, fool.

Hardcoding 1h may fight future policy/tests. Consider a config-driven or const TTL for the discovery JWT.

internal/duo/duo_test.go (6)

39-60: Deduplicate PreAuth tests — keep the table-driven suite. Double work is for fools!

These single-case tests duplicate the scenarios covered by TestDuoProvider_PreAuthCall. Consolidate to the table-driven test to reduce runtime and maintenance.

Suggested action:

• Remove the six single-case PreAuth tests and rely on the table-driven test.

Also applies to: 61-82, 83-104, 105-126, 127-148, 149-170

---

182-191: *Avoid passing nil http.Response in JSON-error cases. Don’t risk a nil-deref later, fool!

If the implementation starts reading StatusCode before JSON parsing, a nil response will panic. Use an empty http.Response to be safe.

Apply:

-			nil,
+			&http.Response{},

Also applies to: 319-328

---

3-25: Drop gomock.InOrder when there’s only one expectation. Keep it simple, sucka!

Wrapping a single EXPECT in InOrder adds noise without value.

Apply pattern:

-gomock.InOrder(
-  base.EXPECT().
-    SignedCall(...).
-    Return(...),
-)
+base.EXPECT().
+  SignedCall(...).
+  Return(...)

Also applies to: 34-37, 43-55, 65-76

---

6-6: Use errors.New instead of fmt.Errorf for static strings and drop fmt import. Trim the fat!

Apply:

-import (
-	"context"
-	"errors"
-	"fmt"
+import (
+	"context"
+	"errors"
@@
-			Return(nil, nil, fmt.Errorf("uguu")),
+			Return(nil, nil, errors.New("uguu")),

Also applies to: 74-75

---

20-22: Avoid dot-imports; alias the package. Namespaces are for winners, fool!

Dot-importing internal/duo hides where types/funcs come from and risks name collisions. Prefer an explicit alias (e.g., duo.NewDuoAPI, duo.PreAuthResponse).

---

57-59: Loosen brittle error assertions — match substrings, not full strings. Don’t handcuff tests to exact wording!

Use assert.ErrorContains to reduce churn when error wrapping changes.

Example:

-assert.EqualError(t, err, "error occurred making the preauth call to the duo api: error occurred parsing response: unexpected end of JSON input")
+assert.ErrorContains(t, err, "preauth call")
+assert.ErrorContains(t, err, "unexpected end of JSON input")

Also applies to: 79-81, 101-103, 123-125, 145-147, 167-169, 297-303, 424-428

internal/clock/real.go (1)

22-25: Minor receiver nit: drop the named receiver

You don't use r; keep it tidy. I pity the fool who keeps unused identifiers.

Apply:

-func (r Real) GetJWTWithTimeFuncOption() (option jwt.ParserOption) {
-	return jwt.WithTimeFunc(r.Now)
+func (Real) GetJWTWithTimeFuncOption() (option jwt.ParserOption) {
+	return jwt.WithTimeFunc(time.Now)
 }

experimental/embed/context.go (1)

121-123: Use explicit zero IP in ctxEmbed.RemoteIP
I pity the fool who returns nil! Change ctxEmbed.RemoteIP to signal “unknown” by returning net.IPv4(0,0,0,0) instead of nil, removing the need for callers to nil-check.

 func (c *ctxEmbed) RemoteIP() net.IP {
-    return nil
+    return net.IPv4(0, 0, 0, 0)
 }

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

Learnt from: james-d-elliott
PR: authelia/authelia#10189
File: internal/clock/provider.go:14-15
Timestamp: 2025-08-29T10:47:45.888Z
Learning: The internal/mocks directory does not contain any mock clock implementations. Tests use concrete clock instances like clock.New(), clock.NewFixed(), and direct assignment to mock.Ctx.Providers.Clock instead of generated mocks for the clock.Provider interface.

internal/middlewares/types.go (2)

56-58: Providers now carry Random/Clock — never leave ’em nil, fool.

Constructor NewProvidersBasic sets both; verify no stray Providers{} literals bypass it.

#!/bin/bash
# Find Providers literals that might omit Random/Clock
rg -nP --type=go 'middlewares\.Providers\s*{[^}]*}' -C2
# Prefer uses of NewProvidersBasic
rg -nP --type=go 'NewProvidersBasic\(' -n

---

61-69: Context interface expanded — make sure AutheliaCtx walks the walk.

Confirm AutheliaCtx implements GetClock/GetRandom/GetLogger/GetProviders/GetConfiguration/RemoteIP and satisfies context.Context.

#!/bin/bash
# AutheliaCtx definition
rg -nP --type=go 'type\s+AutheliaCtx\b'

# Methods required by Context
for m in GetClock GetRandom GetLogger GetProviders GetConfiguration RemoteIP; do
  rg -nP --type=go "func\s+\(\s*\*?AutheliaCtx\s*\)\s+$m\s*\(" -C2
done

# Does AutheliaCtx satisfy context.Context (Deadline/Done/Err/Value)?
for m in Deadline Done Err Value; do
  rg -nP --type=go "func\s+\(\s*\*?AutheliaCtx\s*\)\s+$m\s*\(" -C2
done

internal/duo/duo.go (2)

22-36: Quit spillin’ PII in logs, fool — don’t log raw Duo bodies. Also enrich error context.

Trace logs include the full response body which can contain PII/secret material. Log metadata only, and add path/user to wrapped errors from SignedCall/parse.

Apply:

-   return nil, fmt.Errorf("error occurred making signed call: %w", err)
+   return nil, fmt.Errorf("duo signed call failed (path=%s user=%s): %w", path, userSession.Username, err)
...
- ctx.GetLogger().Tracef("Duo endpoint: %s response raw data for %s from IP %s: %s", path, userSession.Username, ctx.RemoteIP().String(), string(body))
+ ctx.GetLogger().WithFields(map[string]any{
+   "path": path, "username": userSession.Username, "remote_ip": ctx.RemoteIP().String(), "response_bytes": len(body),
+ }).Trace("Duo endpoint response received")
...
-   return nil, fmt.Errorf("error occurred parsing response: %w", err)
+   return nil, fmt.Errorf("duo response parse failed (path=%s user=%s): %w", path, userSession.Username, err)

---

38-68: Return actionable errors with Duo status/code/message.

Generic messages make operators suffer. Surface Stat/Code/Message in errors, sucker.

Apply:

-           return &response, fmt.Errorf("failure status code was returned")
+           return &response, fmt.Errorf("duo returned failure status code %d (%s): %s", response.Code, response.Stat, response.Message)
...
-       return &response, fmt.Errorf("failure status was returned")
+       return &response, fmt.Errorf("duo returned failure status (%s): %s", response.Stat, response.Message)
...
-       return &response, fmt.Errorf("unknown status was returned")
+       return &response, fmt.Errorf("duo returned unknown status (%s) code %d: %s", response.Stat, response.Code, response.Message)

internal/duo/duo_test.go (2)

433-444: Drop unused hook; it’s dead weight.

Field ‘hook’ isn’t used; keep logger only.

-func NewTestCtx(ip net.IP) *TestCtx {
-	logger, hook := test.NewNullLogger()
+func NewTestCtx(ip net.IP) *TestCtx {
+	logger, _ := test.NewNullLogger()
@@
 type TestCtx struct {
 	ip     net.IP
 	logger *logrus.Entry
-	hook   *test.Hook
-
 	providers middlewares.Providers

Also applies to: 446-454

---

480-482: Don’t return nil config, fool — avoid NPEs.

Return an empty configuration to keep code-under-test safe.

-func (t *TestCtx) GetConfiguration() (config *schema.Configuration) {
-	return nil
-}
+func (t *TestCtx) GetConfiguration() (config *schema.Configuration) {
+	cfg := &schema.Configuration{}
+	return cfg
+}

internal/notification/smtp_notifier.go (1)

95-95: Make RNG injectable for tighter tests, sucka!

Offer an alternate constructor that accepts random.Provider (fallback to random.New()). This lets tests inject deterministic RNGs and matches the Providers pattern across the codebase.

// New constructor enabling DI of RNG; default to crypto RNG when nil.
func NewSMTPNotifierWithProviders(config *schema.NotifierSMTP, certPool *x509.CertPool, rng random.Provider) *SMTPNotifier {
	if rng == nil {
		rng = random.New()
	}

	log := logging.Logger().WithFields(map[string]any{"provider": "notifier"})

	var configTLS *tls.Config
	if config.TLS != nil {
		configTLS = utils.NewTLSConfig(config.TLS, certPool)
	}

	var opts []gomail.Option
	switch {
	case config.Address.IsExplicitlySecure():
		opts = []gomail.Option{gomail.WithSSLPort(false), gomail.WithTLSPortPolicy(gomail.TLSMandatory)}
		log.Trace("Configuring with Explicit TLS")
	case config.DisableStartTLS:
		opts = []gomail.Option{gomail.WithTLSPortPolicy(gomail.NoTLS), gomail.WithPort(int(config.Address.Port()))}
		log.Trace("Configuring without TLS")
	case config.DisableRequireTLS:
		opts = []gomail.Option{gomail.WithTLSPortPolicy(gomail.TLSOpportunistic)}
		log.Trace("Configuring with Opportunistic TLS")
	default:
		opts = []gomail.Option{gomail.WithTLSPortPolicy(gomail.TLSMandatory)}
		log.Trace("Configuring with Mandatory TLS")
	}

	opts = append(opts,
		gomail.WithTLSConfig(configTLS),
		gomail.WithTimeout(config.Timeout),
		gomail.WithHELO(config.Identifier),
		gomail.WithoutNoop(),
		gomail.WithPort(int(config.Address.Port())),
	)

	var domain string
	if at := strings.Index(config.Sender.Address, "@"); at >= 0 {
		domain = config.Sender.Address[at+1:]
	} else {
		domain = "localhost.localdomain"
	}

	return &SMTPNotifier{
		factory: &StandardSMTPClientFactory{config: config, opts: opts},
		config:  config,
		domain:  domain,
		random:  rng,
		tls:     configTLS,
		log:     log,
		opts:    opts,
	}
}

// Preserve current API and delegate.
func NewSMTPNotifier(config *schema.NotifierSMTP, certPool *x509.CertPool) *SMTPNotifier {
	return NewSMTPNotifierWithProviders(config, certPool, nil)
}

internal/middlewares/authelia_context_blackbox_test.go (3)

333-333: Keep it consistent: don’t inline the factory when creating AutheliaCtx, sucka.

Most tests bind the providers to a var first; do the same here for symmetry and easier overrides.

- middleware := middlewares.NewAutheliaCtx(ctx, config, middlewares.NewProvidersBasic())
+ providers := middlewares.NewProvidersBasic()
+ middleware := middlewares.NewAutheliaCtx(ctx, config, providers)

- middleware := middlewares.NewAutheliaCtx(ctx, config, middlewares.NewProvidersBasic())
+ providers := middlewares.NewProvidersBasic()
+ middleware := middlewares.NewAutheliaCtx(ctx, config, providers)

Also applies to: 935-935

---

775-778: Fix that test name, fool: “Cryptographical” → “Cryptographic”.

Minor wording nit, but it reads cleaner and matches common usage.

-           "ShouldHandleCryptographical",
+           "ShouldHandleCryptographic",

---

986-987: Consider mocking SessionProvider to keep tests lean, fool.

Using the real session.NewProvider is fine, but a lightweight mock can cut setup time and isolate behavior.

I can sketch a minimal gomock for SessionProvider if you want to trim dependencies in this test.

internal/handlers/handler_oauth2_authorization_consent_core_test.go (2)

877-877: Nit: avoid referencing mock clock in gomock Return payloads.

Tests already pin time to 1970-01-12 13:46:40 UTC (1000000s). Using mock.Ctx.Providers.Clock.Now() in Return structs couples the fixture to the clock field unnecessarily. Prefer a fixed var so expectations read cleaner and won’t break if the setup changes. I pity the fool who over-couples tests.

Apply these focused replacements:

- Return(&model.OAuth2ConsentSession{ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, ExpiresAt: mock.Ctx.Providers.Clock.Now().Add(time.Second * 10)}, nil),
+ Return(&model.OAuth2ConsentSession{ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, ExpiresAt: fixedTime.Add(10 * time.Second)}, nil),

- Return(&model.OAuth2ConsentSession{ID: 40, ChallengeID: challenge, ClientID: "test", Subject: uuid.NullUUID{UUID: sub, Valid: true}, Form: "prompt=login", RequestedAt: time.Unix(1000000, 0), ExpiresAt: mock.Ctx.Providers.Clock.Now().Add(time.Second * 10)}, nil),
+ Return(&model.OAuth2ConsentSession{ID: 40, ChallengeID: challenge, ClientID: "test", Subject: uuid.NullUUID{UUID: sub, Valid: true}, Form: "prompt=login", RequestedAt: fixedTime, ExpiresAt: fixedTime.Add(10 * time.Second)}, nil),

- Return(&model.OAuth2ConsentSession{ID: 40, ChallengeID: challenge, ClientID: "test", Subject: uuid.NullUUID{UUID: sub, Valid: true}, Form: "max_age=10", RequestedAt: time.Unix(1000000, 0), ExpiresAt: mock.Ctx.Providers.Clock.Now().Add(time.Second * 10)}, nil),
+ Return(&model.OAuth2ConsentSession{ID: 40, ChallengeID: challenge, ClientID: "test", Subject: uuid.NullUUID{UUID: sub, Valid: true}, Form: "max_age=10", RequestedAt: fixedTime, ExpiresAt: fixedTime.Add(10 * time.Second)}, nil),

- Return(&model.OAuth2ConsentSession{ID: 44, ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, Authorized: true, ExpiresAt: mock.Ctx.Providers.Clock.Now().Add(time.Second * 10), RespondedAt: sql.NullTime{Time: time.Unix(1000000, 0), Valid: true}}, nil),
+ Return(&model.OAuth2ConsentSession{ID: 44, ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, Authorized: true, ExpiresAt: fixedTime.Add(10 * time.Second), RespondedAt: sql.NullTime{Time: fixedTime, Valid: true}}, nil),

- Return(&model.OAuth2ConsentSession{ID: 44, ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, ExpiresAt: mock.Ctx.Providers.Clock.Now().Add(time.Second * 10), RespondedAt: sql.NullTime{Time: time.Unix(1000000, 0), Valid: true}}, nil),
+ Return(&model.OAuth2ConsentSession{ID: 44, ChallengeID: challenge, Subject: uuid.NullUUID{UUID: sub, Valid: true}, ExpiresAt: fixedTime.Add(10 * time.Second), RespondedAt: sql.NullTime{Time: fixedTime, Valid: true}}, nil),

Add once near top of the file (outside tests) or at the start of each test func:

var fixedTime = time.Unix(1_000_000, 0)

Also applies to: 916-916, 1005-1005, 1183-1183, 1237-1237

---

217-217: Nit: DRY up clock setup across suites.

You repeat the same two lines in each suite. Wrap it. I pity the fool who likes boilerplate.

Add a tiny helper in this test file:

func setFixedClock(mock *mocks.MockAutheliaCtx, t time.Time) {
	mock.Ctx.Providers.Clock = &mock.Clock
	mock.Clock.Set(t)
}

Then replace occurrences:

- mock.Ctx.Providers.Clock = &mock.Clock
- mock.Clock.Set(time.Unix(1000000, 0))
+ setFixedClock(mock, fixedTime)

Also applies to: 379-379, 719-719, 1021-1021, 1358-1358

internal/handlers/handler_firstfactor_passkey_test.go (1)

1665-1666: Drop redundant clock setup.

setUpMockClock(mock) is called inside the test case and again in the test runner. One call is enough, fool. Keep the runner call; remove the per-case one.

- setUpMockClock(mock)

Also applies to: 1757-1759

internal/commands/crypto_hash.go (2)

220-223: Defensive nil guard: add top-level config check, fool.

You guard config.AuthenticationBackend.File, but if config is ever nil this will panic. Cheap insurance:

 func runCryptoHashGenerate(w io.Writer, flags *pflag.FlagSet, use string, args []string, config *schema.Configuration) (err error) {
   var (
     hash     algorithm.Hash
     digest   algorithm.Digest
     password string
     random   bool
   )
 
-  if config.AuthenticationBackend.File == nil {
+  if config == nil {
+    return fmt.Errorf("configuration is not loaded")
+  }
+  if config.AuthenticationBackend.File == nil {
     return fmt.Errorf("authentication backend file is not configured")
   }

---

316-333: Minor UX nit: extra blank lines.

Multiple Fprintln(w) calls can stack blank lines. Consider emitting a single trailing newline per prompt sequence, fool.

internal/handlers/handler_oauth2_oidc_userinfo.go (1)

128-128: Hydration now clock-injected — keep it consistent, fool.

One more spot still uses time.Now() for iat; consider using ctx.GetClock().Now() for testability and determinism.

Example:

claims[oidc.ClaimIssuedAt] = ctx.GetClock().Now().UTC().Unix()

internal/handlers/handler_firstfactor_password.go (2)

136-140: Switch to ctx.GetClock().Now() is right — finish the job for determinism.

Use the provider clock for requestTime too so tests don’t flake.

Apply:

-    requestTime := time.Now()
+    requestTime := ctx.GetClock().Now()

---

267-271: Same here: great change — also replace time.Now() earlier in this handler.

Keep all timing via the injected clock, sucka.

Apply:

-    requestTime := time.Now()
+    requestTime := ctx.GetClock().Now()

internal/duo/duo.go (2)

72-82: Wrap with path/user context in PreAuth error flows.

Make troubleshooting faster, fool.

Apply:

-   return nil, fmt.Errorf("error occurred making the preauth call to the duo api: %w", err)
+   return nil, fmt.Errorf("duo preauth call failed (path=/auth/v2/preauth user=%s): %w", userSession.Username, err)
...
-   return nil, fmt.Errorf("error occurred parsing the duo api preauth json response: %w", err)
+   return nil, fmt.Errorf("duo preauth JSON parse failed: %w", err)

---

88-98: Same story for Auth call — add context and clearer parse error.

Don’t make folks dig through logs.

Apply:

-   return nil, fmt.Errorf("error occurred making the auth call to the duo api: %w", err)
+   return nil, fmt.Errorf("duo auth call failed (path=/auth/v2/auth user=%s): %w", userSession.Username, err)
...
-   return nil, fmt.Errorf("error occurred parsing the duo api auth json response: %w", err)
+   return nil, fmt.Errorf("duo auth JSON parse failed: %w", err)

internal/duo/duo_test.go (1)

57-59: Loosen brittle error assertions.

Use ErrorContains to reduce coupling to exact strings.

-assert.EqualError(t, err, "error occurred making the preauth call to the duo api: failure status was returned")
+assert.ErrorContains(t, err, "preauth")
+assert.ErrorContains(t, err, "failure status")

Apply similarly across these cases.

Also applies to: 79-81, 101-103, 123-125, 145-147, 167-169, 327-329, 347-349, 367-369, 377-379, 391-393

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

Learnt from: james-d-elliott
PR: authelia/authelia#10189
File: internal/clock/provider.go:14-15
Timestamp: 2025-08-29T10:47:45.888Z
Learning: The internal/mocks directory does not contain any mock clock implementations. Tests use concrete clock instances like clock.New(), clock.NewFixed(), and direct assignment to mock.Ctx.Providers.Clock instead of generated mocks for the clock.Provider interface.

Learnt from: james-d-elliott
PR: authelia/authelia#10059
File: internal/commands/storage_run.go:23-23
Timestamp: 2025-08-27T21:37:17.083Z
Learning: The Authelia project uses "go.yaml.in/yaml/v4" as their YAML package import path, not the standard "gopkg.in/yaml.v3" or "gopkg.in/yaml.v2". This is used consistently across their codebase.

internal/commands/crypto_hash.go (1)

278-289: Fixed: length-only and characters flag handling—no more gotchas

Using cmdFlagsCryptoHashPasswordRandom(..., RandomLength) and passing cmdFlagNameRandomCharacters to flagsGetRandomCharacters means length-only and characters-only cases now trigger randomness as users expect. I like that, fool.

internal/commands/build_info_test.go (1)

15-20: Fix S1021: merge declaration and assignment, sucka.

No need for a separate var. Merge it to keep the linter off your back.

-	var cmd *cobra.Command
-
-	cmd = newBuildInfoCmd(&CmdCtx{})
+	cmd := newBuildInfoCmd(&CmdCtx{})

internal/commands/storage_run.go (1)

1751-1755: Fallback RNG so dir gen never panics, sucka.

Use context RNG if present; else construct one.

-func runStorageUserTOTPExportPNG(ctx middlewares.ServiceContext, w io.Writer, store storage.Provider, dir string) (err error) {
+func runStorageUserTOTPExportPNG(ctx middlewares.ServiceContext, w io.Writer, store storage.Provider, dir string) (err error) {
   if dir == "" {
-    rand := ctx.GetRandom()
+    rand := ctx.GetRandom()
+    if rand == nil {
+      rand = random.New()
+    }
     dir = rand.StringCustom(8, random.CharSetAlphaNumeric)
   }

internal/handlers/handler_firstfactor_passkey_test.go (1)

717-717: Fix bad duration math: time.Second - 10 ain’t minus 10s, fool!
Use a negative duration so the ban time is 10 seconds ago.

-                        Return([]model.BannedIP{{ID: 1, Time: mock.Ctx.Providers.Clock.Now().UTC().Add(time.Second - 10), Expires: sql.NullTime{Time: mock.Ctx.Providers.Clock.Now().UTC().Add(time.Minute), Valid: true}}}, nil),
+                        Return([]model.BannedIP{{ID: 1, Time: mock.Ctx.Providers.Clock.Now().UTC().Add(-10 * time.Second), Expires: sql.NullTime{Time: mock.Ctx.Providers.Clock.Now().UTC().Add(time.Minute), Valid: true}}}, nil),

internal/commands/context_test.go (1)

9-13: Format imports with goimports, fool.

Linter flagged goimports. Run goimports/gofmt on this file.

internal/middlewares/types.go (2)

56-57: Always initialize Providers.Random and Providers.Clock.

I pity the fool who leaves these nil. Ensure constructors/mocks set both to non-nil defaults.

---

60-79: All Context/ServiceContext implementers must add the new getters.

Confirm AutheliaCtx, embed ctx, server/providers, and test contexts implement GetClock/GetRandom/GetLogger/GetProviders/GetConfiguration (and RemoteIP where required).

internal/duo/duo_test.go (1)

480-482: Return a non-nil config to avoid future nil derefs.

Safer test context.

-func (t *TestCtx) GetConfiguration() (config *schema.Configuration) {
-	return nil
-}
+func (t *TestCtx) GetConfiguration() (config *schema.Configuration) {
+	cfg := &schema.Configuration{}
+	return cfg
+}

internal/duo/duo.go (3)

28-36: Stop logging raw Duo bodies; add nil-guarded username and redact, fool!

Raw bodies can leak PII and OTPs. Also avoid dereferencing a nil userSession in logs.

Apply this diff:

 func (d *Production) Call(ctx middlewares.Context, userSession *session.UserSession, values url.Values, method string, path string) (r *Response, err error) {
   var (
     response Response
     body     []byte
   )
 
-  if _, body, err = d.SignedCall(method, path, values); err != nil {
+  // safe username for logs
+  username := "unknown"
+  if userSession != nil && userSession.Username != "" {
+    username = userSession.Username
+  }
+
+  if _, body, err = d.SignedCall(method, path, values); err != nil {
     return nil, fmt.Errorf("error occurred making signed call: %w", err)
   }
 
-  ctx.GetLogger().Tracef("Duo endpoint: %s response raw data for %s from IP %s: %s", path, userSession.Username, ctx.RemoteIP().String(), string(body))
+  ctx.GetLogger().WithFields(map[string]any{
+    "path": path, "username": username, "remote_ip": ctx.RemoteIP().String(), "response_bytes": len(body),
+  }).Trace("Duo endpoint response received")
@@
-        .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": userSession.Username}).
+        .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": username}).
@@
-        .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": userSession.Username}).
+        .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": username}).
@@
-      .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": userSession.Username}).
+      .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": username}).
@@
-      .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": userSession.Username}).
+      .WithFields(map[string]any{"status": response.Stat, "status_code": response.Code, "message": response.Message, "message_detail": response.MessageDetail, "username": username}).

Also applies to: 45-46, 51-52, 58-59, 64-65

---

29-29: Wrap errors with context (method/path/user) and no raw body, sucka!

Give callers actionable details; include body size on parse error.

Apply this diff:

-    return nil, fmt.Errorf("error occurred making signed call: %w", err)
+    return nil, fmt.Errorf("duo signed call failed (method=%s path=%s user=%s): %w", method, path, username, err)
@@
-  return nil, fmt.Errorf("error occurred parsing response: %w", err)
+  return nil, fmt.Errorf("duo response parse failed (path=%s user=%s body_bytes=%d): %w", path, username, len(body), err)

Also applies to: 35-35

---

38-67: Return precise Duo failures; drop the vague jive.

Include stat/code/message in returned errors.

Apply this diff:

-      return &response, fmt.Errorf("failure status code was returned")
+      return &response, fmt.Errorf("duo returned failure status code %d (%s): %s", response.Code, response.Stat, response.Message)
@@
-  return &response, fmt.Errorf("failure status was returned")
+  return &response, fmt.Errorf("duo returned failure status (%s) code %d: %s", response.Stat, response.Code, response.Message)
@@
-  return &response, fmt.Errorf("unknown status was returned")
+  return &response, fmt.Errorf("duo returned unknown status (%s) code %d: %s", response.Stat, response.Code, response.Message)

internal/utils/crypto.go (5)

378-378: Include the cert path in the wrapped error, fool.

Add the filename to speed up triage when reads fail.

-                errors = append(errors, fmt.Errorf("error occurred trying to read certificate: %w", err))
+                errors = append(errors, fmt.Errorf("error occurred trying to read certificate %q: %w", certPath, err))

---

379-381: Report the full path when append-from-PEM fails.

Using entry.Name() hides where the bad cert lives. Show the path, sucka.

-            } else if ok := certPool.AppendCertsFromPEM(data); !ok {
-                errors = append(errors, fmt.Errorf("could not import certificate %s", entry.Name()))
+            } else if ok := certPool.AppendCertsFromPEM(data); !ok {
+                errors = append(errors, fmt.Errorf("could not import certificate %q: no valid PEM blocks found", certPath))
             }

---

361-365: Wrap and annotate dir read errors.

Carry the directory in the message and use %w, or I pity the debugging fool.

-    if entries, err = os.ReadDir(directory); err != nil {
-        errors = append(errors, fmt.Errorf("could not read certificates from directory %v", err))
+    if entries, err = os.ReadDir(directory); err != nil {
+        errors = append(errors, fmt.Errorf("could not read certificates from directory %q: %w", directory, err))
 
         return certPool, warnings, errors
     }

---

347-349: Use %w for system pool warning.

Preserve the original error, fool.

-        warnings = append(warnings, fmt.Errorf("could not load system certificate pool which may result in untrusted certificate issues: %v", err))
+        warnings = append(warnings, fmt.Errorf("could not load system certificate pool which may result in untrusted certificate issues: %w", err))

---

344-388: Consider renaming the return/result slice ‘errors’.

It shadows the imported errors package within this scope and hurts readability. Rename to errs for clarity, or I’ll pity future you reading this.

internal/commands/acl_test.go (5)

17-25: Broaden command assertions, sucka.

Asserting only NotNil is too weak. Verify basic command metadata so regressions get caught early.

 func TestNewACLCommand(t *testing.T) {
   var cmd *cobra.Command

   cmd = newAccessControlCommand(&CmdCtx{})
   assert.NotNil(t, cmd)
+  assert.NotEmpty(t, cmd.Use)
+  assert.True(t, cmd.RunE != nil || cmd.Run != nil, "expected either RunE or Run to be set")

   cmd = newAccessControlCheckCommand(&CmdCtx{})
   assert.NotNil(t, cmd)
+  assert.NotEmpty(t, cmd.Use)
+  assert.True(t, cmd.RunE != nil || cmd.Run != nil, "expected either RunE or Run to be set")
 }

---

152-154: Sharper diffs for failures, sucka: assert fields not full structs.

Deep-equality on url.URL can hide tiny diffs. Compare fields for clearer failure output.

-      assert.Equal(t, tc.subject, subject)
-      assert.Equal(t, tc.object, object)
+      assert.Equal(t, tc.subject.Username, subject.Username)
+      assert.ElementsMatch(t, tc.subject.Groups, subject.Groups)
+      assert.Equal(t, tc.subject.IP.String(), subject.IP.String())
+
+      if tc.object.URL != nil && object.URL != nil {
+        assert.Equal(t, tc.object.URL.Scheme, object.URL.Scheme)
+        assert.Equal(t, tc.object.URL.Host, object.URL.Host)
+        assert.Equal(t, tc.object.URL.Path, object.URL.Path)
+      } else {
+        assert.Nil(t, tc.object.URL)
+        assert.Nil(t, object.URL)
+      }
+      assert.Equal(t, tc.object.Domain, object.Domain)
+      assert.Equal(t, tc.object.Path, object.Path)
+      assert.Equal(t, tc.object.Method, object.Method)

---

158-177: Edge case missing: what’s the verdict for empty input, fool?

Add a case for hitMissMay() with no args to lock down default behavior.

   testCases := []struct {
     name     string
     input    []bool
     expected string
   }{
+    {name: "ShouldReturnMissForEmpty", input: []bool{}, expected: "miss"},
   }

If "miss" isn’t the intended default, adjust expected accordingly.

---

344-346: Use require when output parsing depends on success.

Fail fast on error so we don’t assert on garbage output.

-      err := runAccessControlCheck(&buf, object, subject, tc.results, tc.defaultPolicy, tc.verbose)
-      assert.NoError(t, err)
+      err := runAccessControlCheck(&buf, object, subject, tc.results, tc.defaultPolicy, tc.verbose)
+      require.NoError(t, err)

---

264-294: Confirm break-on-skipped semantics, fool
I pity the fool who doesn’t see that runAccessControlCheck stops at the first Skipped when verbose is false (acl.go:112–114). The test ShouldBreakOnSkippedWhenNotVerbose matches this behavior. If you expect later non-skipped rules to be evaluated, update the code or test. Otherwise, add a comment above the break to clarify this early exit.

internal/commands/crypto_hash.go (4)

112-144: Help text nit: keep variant option quoting consistent, sucka

Some variants are quoted, some ain’t. Pick one style for a cleaner UX.

- cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Argon2.Variant, "variant, options are 'argon2id', 'argon2i', and 'argon2d'")
+ cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Argon2.Variant, "variant, options are 'argon2id', 'argon2i', 'argon2d'")
- cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.SHA2Crypt.Variant, "variant, options are sha256 and sha512")
+ cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.SHA2Crypt.Variant, "variant, options are 'sha256', 'sha512'")
- cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.PBKDF2.Variant, "variant, options are 'sha1', 'sha224', 'sha256', 'sha384', and 'sha512'")
+ cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.PBKDF2.Variant, "variant, options are 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'")
- cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Bcrypt.Variant, "variant, options are 'standard' and 'sha256'")
+ cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Bcrypt.Variant, "variant, options are 'standard', 'sha256'")
- cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Scrypt.Variant, "variant, options are 'scrypt', and 'yescrypt'")
+ cmd.Flags().StringP(cmdFlagNameVariant, "v", schema.DefaultPasswordConfig.Scrypt.Variant, "variant, options are 'scrypt', 'yescrypt'")

---

232-241: Avoid mutating global config just to pick an algorithm

Side-effects on ctx.config aren’t needed; derive a local copy with the selected algorithm. Keep your hands off shared state, sucka.

-switch use {
- case cmdUseGenerate:
-   break
- default:
-   config.AuthenticationBackend.File.Password.Algorithm = use
-}
-
-if hash, err = authentication.NewFileCryptoHashFromConfig(config.AuthenticationBackend.File.Password); err != nil {
+passwordCfg := config.AuthenticationBackend.File.Password
+switch use {
+case cmdUseGenerate:
+    // no-op; use existing/default algorithm
+default:
+    passwordCfg.Algorithm = use
+}
+if hash, err = authentication.NewFileCryptoHashFromConfig(passwordCfg); err != nil {
     return err
 }

---

310-317: Don’t key control flow off cmd.Use strings

Comparing use to a formatted string is brittle. Plumb an explicit mode (e.g., isValidate) into cmdFlagsCryptoHashGetPassword or pass a confirm bool. Don’t let a help-text tweak break behavior.

Example minimal change (call sites would pass confirmNeeded):

-func cmdFlagsCryptoHashGetPassword(w io.Writer, flags *pflag.FlagSet, use string, args []string, useArgs, useRandom bool) (password string, random bool, err error) {
+func cmdFlagsCryptoHashGetPassword(w io.Writer, flags *pflag.FlagSet, use string, args []string, useArgs, useRandom bool, confirmNeeded bool) (password string, random bool, err error) {
   ...
- if use == fmt.Sprintf(cmdUseFmtValidate, cmdUseValidate) {
+ if !confirmNeeded {
     _, _ = fmt.Fprintln(w)
     return
 }

Call sites:

• Validate: confirmNeeded=false
• Generate: confirmNeeded=!noConfirm

---

212-258: Add tests for the key flows

Cover these so no fool breaks them later:

• no File backend configured → still generates (post-defaults init)
• random toggles: only length, only charset, only characters, and explicit --random
• precedence: --random takes priority over --password
• subcommand algorithm selection doesn’t mutate ctx.config

I can draft table-driven tests for runCryptoHashGenerate and cmdFlagsCryptoHashGetPassword. Want me to open a test PR?

internal/commands/build_info_test.go (2)

3-12: Trim unused import and add fmt, fool.

After merging decl/assign you don’t need the cobra import; you’ll need fmt for dynamic expectations below.

 import (
 	"bytes"
+	"fmt"
 	"runtime/debug"
 	"testing"
 
-	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

---

96-115: Add a “Settings” coverage case, sucka.

You cover deps; add a settings case to lock the verbose path fully.

I can draft a test case with info.Settings = []debug.BuildSetting{{Key:"-tags", Value:"foo"}} and assert it prints under “Settings:”.

internal/commands/build_info.go (1)

55-84: Deterministic verbose output: sort settings/deps, sucka.

For reproducible logs/tests, sort by key/path before printing.

 import (
 	"fmt"
 	"io"
 	"runtime"
 	"runtime/debug"
+	"sort"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@
 	if verbose {
 		if len(info.Settings) != 0 {
 			_, _ = fmt.Fprintf(w, "    Settings:\n")
 
-			for _, setting := range info.Settings {
+			sort.Slice(info.Settings, func(i, j int) bool { return info.Settings[i].Key < info.Settings[j].Key })
+			for _, setting := range info.Settings {
 				_, _ = fmt.Fprintf(w, "        %s: %s\n", setting.Key, setting.Value)
 			}
 		}
 
 		if len(info.Deps) != 0 {
 			_, _ = fmt.Fprintf(w, "    Dependencies:\n")
 
-			for _, dep := range info.Deps {
+			sort.Slice(info.Deps, func(i, j int) bool { return info.Deps[i].Path < info.Deps[j].Path })
+			for _, dep := range info.Deps {
 				_, _ = fmt.Fprintf(w, "        %s@%s (%s)\n", dep.Path, dep.Version, dep.Sum)
 			}
 		}
 	}

internal/commands/storage_run.go (2)

1780-1784: Sanitize filenames from usernames—don’t let paths punk you.

Usernames with separators could create nested paths. Sanitize before writing.

-      if file, err = os.Create(filepath.Join(dir, fmt.Sprintf("%s.png", c.Username))); err != nil {
+      name := sanitizeFilename(c.Username) + ".png"
+      if file, err = os.Create(filepath.Join(dir, name)); err != nil {
         return err
       }

Helper outside this hunk:

func sanitizeFilename(s string) string {
  s = filepath.Base(s)
  s = strings.Map(func(r rune) rune {
    switch {
    case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
      return r
    default:
      return '_'
    }
  }, s)
  if s == "" {
    return "user"
  }
  return s
}

---

1808-1808: Pluralization nit—talk right, fool.

“configuration” → “configurations”.

-  _, _ = fmt.Fprintf(w, "Successfully exported %d TOTP configuration as QR codes in PNG format to the '%s' directory\n", count, dir)
+  _, _ = fmt.Fprintf(w, "Successfully exported %d TOTP configurations as QR codes in PNG format to the '%s' directory\n", count, dir)

internal/random/cryptographical.go (1)

10-12: Polish the docstring punctuation, sucka.
Add the missing comma after “i.e.” for clarity.

-// system randomness (i.e solely crypto/rand and the *Cryptographical provider).
+// system randomness (i.e., solely crypto/rand and the *Cryptographical provider).

internal/handlers/handler_firstfactor_passkey_test.go (2)

186-197: Replace literal "Passkey" with regulation.AuthTypePasskey in tests
I pity the fool who hardcodes strings when a constant’s at hand—update all instances in internal/handlers/handler_firstfactor_passkey_test.go:

-    Type:       "Passkey",
+    Type:       regulation.AuthTypePasskey,

---

345-371: Unify LastUsedAt to use mock.Ctx.Providers.Clock.Now(), fool! I pity the fool who splits time sources—replace all direct mock.Clock.Now()/time.Now() in LastUsedAt fields with mock.Ctx.Providers.Clock.Now().

-    LastUsedAt:      sql.NullTime{Time: mock.Clock.Now().UTC(), Valid: true},
+    LastUsedAt:      sql.NullTime{Time: mock.Ctx.Providers.Clock.Now().UTC(), Valid: true},

internal/handlers/handler_oauth2_authorization_consent_preconfigured.go (1)

266-274: Fix typos in debug logs (“coes” → “does”).

Keep logs clean, sucka.

-			log.Debugf("Authorization Request with id '%s' on client with id '%s' using consent mode '%s' found a matching pre-configuration with id '%d' but the configuration has scopes '%s' and audience '%s' which coes not match the request", requester.GetID(), client.GetID(), client.GetConsentPolicy(), config.ID, strings.Join(config.Scopes, " "), strings.Join(config.Audience, " "))
+			log.Debugf("Authorization Request with id '%s' on client with id '%s' using consent mode '%s' found a matching pre-configuration with id '%d' but the configuration has scopes '%s' and audience '%s' which does not match the request", requester.GetID(), client.GetID(), client.GetConsentPolicy(), config.ID, strings.Join(config.Scopes, " "), strings.Join(config.Audience, " "))
@@
-			log.Debugf("Authorization Request with id '%s' on client with id '%s' using consent mode '%s' found a matching pre-configuration with id '%d' but the configuration had the requested claims '%s' which coes not match the request", requester.GetID(), client.GetID(), client.GetConsentPolicy(), config.ID, config.RequestedClaims.String)
+			log.Debugf("Authorization Request with id '%s' on client with id '%s' using consent mode '%s' found a matching pre-configuration with id '%d' but the configuration had the requested claims '%s' which does not match the request", requester.GetID(), client.GetID(), client.GetConsentPolicy(), config.ID, config.RequestedClaims.String)

internal/commands/context_test.go (2)

48-51: Add the required blank line to satisfy wsl_v5.

Silence that linter, sucka.

  require.NoError(t, os.WriteFile(filepath.Join(dir, "file2.pem"), []byte("invalid"), 0600))
-	ctx := NewCmdCtx()
+
+	ctx := NewCmdCtx()

---

91-93: Reset flags before second ChainRunE to avoid false positives.

Without reset, prior state leaks and weakens the test.

-	cmd = ctx.ChainRunE(one, three)
+	oneRun, twoRun, threeRun = false, false, false
+	cmd = ctx.ChainRunE(one, three)

internal/duo/duo_test.go (2)

433-441: Drop the unused hook; keep it lean, fool.

Simplify NewTestCtx.

-func NewTestCtx(ip net.IP) *TestCtx {
-	logger, hook := test.NewNullLogger()
+func NewTestCtx(ip net.IP) *TestCtx {
+	logger, _ := test.NewNullLogger()
@@
 	ctx := &TestCtx{
 		ip:      ip,
 		logger:  logger.WithFields(map[string]any{}),
-		hook:    hook,
 		Context: context.Background(),
 	}

---

446-454: Remove unused field from TestCtx.

Dead weight slows you down.

 type TestCtx struct {
 	ip     net.IP
 	logger *logrus.Entry
-	hook   *test.Hook
-
 	providers middlewares.Providers
 
 	context.Context
 }

internal/duo/duo.go (2)

72-85: Tighten PreAuth errors; guard username.

Standardize wording and avoid nil deref.

Apply this diff:

 func (d *Production) PreAuthCall(ctx middlewares.Context, userSession *session.UserSession, values url.Values) (r *PreAuthResponse, err error) {
   var preAuthResponse PreAuthResponse
+  username := "unknown"
+  if userSession != nil && userSession.Username != "" {
+    username = userSession.Username
+  }
@@
-  if err != nil {
-    return nil, fmt.Errorf("error occurred making the preauth call to the duo api: %w", err)
-  }
+  if err != nil {
+    return nil, fmt.Errorf("duo preauth call failed (path=/auth/v2/preauth user=%s): %w", username, err)
+  }
@@
-  return nil, fmt.Errorf("error occurred parsing the duo api preauth json response: %w", err)
+  return nil, fmt.Errorf("duo preauth response parse failed (user=%s): %w", username, err)

---

88-101: Tighten Auth errors; guard username.

Same treatment for Auth.

Apply this diff:

 func (d *Production) AuthCall(ctx middlewares.Context, userSession *session.UserSession, values url.Values) (r *AuthResponse, err error) {
   var authResponse AuthResponse
+  username := "unknown"
+  if userSession != nil && userSession.Username != "" {
+    username = userSession.Username
+  }
@@
-  if err != nil {
-    return nil, fmt.Errorf("error occurred making the auth call to the duo api: %w", err)
-  }
+  if err != nil {
+    return nil, fmt.Errorf("duo auth call failed (path=/auth/v2/auth user=%s): %w", username, err)
+  }
@@
-  return nil, fmt.Errorf("error occurred parsing the duo api auth json response: %w", err)
+  return nil, fmt.Errorf("duo auth response parse failed (user=%s): %w", username, err)

internal/middlewares/authelia_context.go (3)

603-609: Lazy clock init LGTM; watch for concurrent access.

If ctx is shared across goroutines, this write isn’t synchronized.

Consider initializing providers in NewAutheliaCtx to avoid races:

// in NewAutheliaCtx after assigning ctx.Providers = providers
if ctx.Providers.Clock == nil {
  ctx.Providers.Clock = clock.New()
}

---

612-617: Same note for random provider.

Mirror the clock approach in constructor to avoid concurrent lazy writes.

if ctx.Providers.Random == nil {
  ctx.Providers.Random = random.New()
}

---

626-630: Clarify copy semantics in doc.

Method returns a pointer to a copy; update comment to prevent accidental mutation assumptions.

Proposed comment:

// GetConfiguration returns a pointer to a copy of the current configuration.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.