From 4caf83b87b842128fd50b679f1a3134a1c240dc5 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Sun, 1 Mar 2026 20:54:40 +0100
Subject: [PATCH 01/19] Rewrite for LNURL-auth

---
 pyproject.toml                  |   5 +-
 quorra/classes.py               |  21 +----
 quorra/fe/auth/auth.js          |   8 +-
 quorra/fe/onboard/onboarding.js |   8 +-
 quorra/fe/style.css             |   2 +-
 quorra/main.py                  |  29 +++----
 quorra/routers/lnurlauth.py     | 143 ++++++++++++++++++++++++++++++++
 quorra/routers/login.py         |  29 ++-----
 quorra/routers/mobile.py        | 117 --------------------------
 quorra/routers/oidc.py          |  12 +--
 quorra/routers/onboarding.py    |  42 +++-------
 quorra/routers/tx.py            |   6 --
 12 files changed, 198 insertions(+), 224 deletions(-)
 create mode 100644 quorra/routers/lnurlauth.py
 delete mode 100644 quorra/routers/mobile.py

diff --git a/pyproject.toml b/pyproject.toml
index 3d8899b..91b9a66 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = 'quorra'
 dynamic = ["version"]
-description = 'Quorra API server'
+description = 'Quorra server'
 readme = 'README.md'
 requires-python = '>=3.8'
 license = {file = 'LICENSE'}
@@ -24,7 +24,8 @@ dependencies = [
     "pillow",
     "python-multipart",
     "deepmerge",
-    "python-jose"
+    "python-jose",
+    "git+https://github.com/quorra-Auth/bech32"
 ]
 
 [tool.setuptools]
diff --git a/quorra/classes.py b/quorra/classes.py
index ddabf48..15eb9f4 100644
--- a/quorra/classes.py
+++ b/quorra/classes.py
@@ -34,7 +34,7 @@ class QRDataResponse(BaseModel):
     qr_image: str
 
 class DeviceRegistrationRequest(SQLModel):
-    pubkey: str
+    pubkey: str = Field(unique=True)
     name: str | None = None
 
 class Device(DeviceRegistrationRequest, table=True):
@@ -42,21 +42,6 @@ class Device(DeviceRegistrationRequest, table=True):
     user_id: str = Field(default=None, foreign_key="user.id")
 
 
-class AQRMobileStateEnum(str, Enum):
-    accepted = "accepted"
-    rejected = "rejected"
-
-# TODO: Send a device UUID as well so that the server can get a hint
-class AQRMobileIdentifyRequest(BaseModel):
-    signature: str
-    message: str
-
-class AQRMobileAuthenticateRequest(BaseModel):
-    state: AQRMobileStateEnum
-    signature: str
-    message: str
-
-
 class TokenResponse(BaseModel):
     access_token: str
     token_type: Literal["Bearer"] = "Bearer"
@@ -65,7 +50,7 @@ class TokenResponse(BaseModel):
 
 class TransactionTypes(str, Enum):
     onboarding = "onboarding"
-    aqr_oidc_login = "aqr-oidc-login"
+    ln_oidc_login = "ln-oidc-login"
 
 class TransactionGetRequest(BaseModel):
     tx_type: TransactionTypes
@@ -155,7 +140,7 @@ class OnboardingTransaction(Transaction):
     tx_type: TransactionTypes = TransactionTypes.onboarding
 
 class AqrOIDCLoginTransaction(Transaction):
-    tx_type: TransactionTypes = TransactionTypes.aqr_oidc_login
+    tx_type: TransactionTypes = TransactionTypes.ln_oidc_login
 
 class AqrOIDCLoginTransactionStates(str, Enum):
     created = "created"
diff --git a/quorra/fe/auth/auth.js b/quorra/fe/auth/auth.js
index ca10de0..5652260 100644
--- a/quorra/fe/auth/auth.js
+++ b/quorra/fe/auth/auth.js
@@ -12,7 +12,7 @@ async function startAqr() {
   if (params.nonce) {
     args = args + `&nonce=${params.nonce}`
   }
-  const response = await fetch(`/login/start?${args}`);
+  const response = await fetch(`/processes/login/start?${args}`);
   if (!response.ok) throw new Error("Request failed");
   data = await response.json();
   txId = data.tx_id;
@@ -21,8 +21,8 @@ async function startAqr() {
 }
 
 async function showQrCode() {
-  const payload = { "tx_type": "aqr-oidc-login", "tx_id": txId };
-  const response = await fetch("/login/qr", {
+  const payload = { "tx_type": "ln-oidc-login", "tx_id": txId };
+  const response = await fetch("/lnurl-auth/qr", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -36,7 +36,7 @@ async function showQrCode() {
 
 function startPolling() {
   const pollingUrl = `/tx/transaction`;
-  const payload = { "tx_id": txId, "tx_type": "aqr-oidc-login" }
+  const payload = { "tx_id": txId, "tx_type": "ln-oidc-login" }
 
   const encodeGetParams = p =>
     Object.entries(p).map(kv => kv.map(encodeURIComponent).join("=")).join("&");
diff --git a/quorra/fe/onboard/onboarding.js b/quorra/fe/onboard/onboarding.js
index eb0c663..03cfbb6 100644
--- a/quorra/fe/onboard/onboarding.js
+++ b/quorra/fe/onboard/onboarding.js
@@ -6,7 +6,7 @@ async function getLink() {
 }
 
 async function createOnboardingLink() {
-  const response = await fetch("/onboarding/create", {
+  const response = await fetch("/processes/onboarding/create", {
     method: "GET",
     headers: {
       "Content-Type": "application/json"
@@ -22,7 +22,7 @@ async function createOnboardingLink() {
 async function startOnboardingTransaction(onboardingLink) {
   const payload = { "link_id": onboardingLink };
 
-  const response = await fetch("/onboarding/init", {
+  const response = await fetch("/processes/onboarding/init", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -39,7 +39,7 @@ async function startOnboardingTransaction(onboardingLink) {
 async function getOnboardingData() {
   const payload = { "tx_type": "onboarding", "tx_id": txId };
 
-  const response = await fetch("/onboarding/qr", {
+  const response = await fetch("/lnurl-auth/qr", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -69,7 +69,7 @@ function startOnboarding() {
     const payload = { "tx_id": txId, "data": { "username": name, "email": email }, "tx_type": "onboarding" };
 
     try {
-      const response = await fetch("/onboarding/entry", {
+      const response = await fetch("/processes/onboarding/entry", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(payload),
diff --git a/quorra/fe/style.css b/quorra/fe/style.css
index c2ba4cd..76a1f0b 100644
--- a/quorra/fe/style.css
+++ b/quorra/fe/style.css
@@ -38,7 +38,7 @@ input {
   margin-bottom: 1rem;
 }
 #qr {
-  max-width: 100%;
+  max-width: 25%;
   height: auto;
   margin: 1rem 0;
   border-radius: 8px;
diff --git a/quorra/main.py b/quorra/main.py
index a542f7f..c58fe5b 100644
--- a/quorra/main.py
+++ b/quorra/main.py
@@ -9,15 +9,12 @@
 
 from . import __version__
 
-from .routers import onboarding
-from .routers import mobile
-from .routers import login
-from .routers import oidc
-from .routers import tx
+from .routers import (
+    onboarding, login,
+    lnurlauth, oidc, tx
+)
 
-from .database import engine
-from .database import SessionDep
-from .database import vk
+from .database import engine, SessionDep, vk
 
 from valkey.exceptions import ResponseError
 from valkey.commands.search.field import TagField
@@ -35,15 +32,15 @@ async def prep_valkey():
     await create_oidc_at_index()
 
 async def create_drt_index():
-    idx = vk.ft("idx:device_registration_token")
-    schema = (TagField("$.data.device_registration.token", as_name="device_registration_token"))
+    idx = vk.ft("idx:ln_k1")
+    schema = (TagField("$.data.ln.k1", as_name="ln_k1"))
     try:
         idx.info()
     except ResponseError:
         idx.create_index(
             schema,
             definition=IndexDefinition(
-                prefix=["onboarding:"],
+                prefix=["ln-oidc-login:", "onboarding:"],
                 index_type=IndexType.JSON
             )
         )
@@ -59,7 +56,7 @@ async def create_oidc_code_index():
         idx.create_index(
             schema,
             definition=IndexDefinition(
-                prefix=["aqr-oidc-login:"],
+                prefix=["ln-oidc-login:"],
                 index_type=IndexType.JSON
             )
         )
@@ -75,7 +72,7 @@ async def create_oidc_at_index():
         idx.create_index(
             schema,
             definition=IndexDefinition(
-                prefix=["aqr-oidc-login:"],
+                prefix=["ln-oidc-login:"],
                 index_type=IndexType.JSON
             )
         )
@@ -103,9 +100,9 @@ async def healthcheck(session: SessionDep):
     return {"health": "ok"}
 
 
-app.include_router(onboarding.router, prefix="/onboarding", tags=["New user onboarding"])
-app.include_router(login.router, prefix="/login", tags=["Login session management"])
-app.include_router(mobile.router, prefix="/mobile", tags=["Mobile endpoints"])
+app.include_router(onboarding.router, prefix="/processes/onboarding", tags=["Onboarding process endpoints"])
+app.include_router(login.router, prefix="/processes/login", tags=["Login process endpoints"])
+app.include_router(lnurlauth.router, prefix="/lnurl-auth", tags=["Lightning login endpoints"])
 app.include_router(oidc.router, prefix="/oidc", tags=["OIDC"])
 app.include_router(tx.router, prefix="/tx", tags=["Transaction management"])
 
diff --git a/quorra/routers/lnurlauth.py b/quorra/routers/lnurlauth.py
new file mode 100644
index 0000000..b38377a
--- /dev/null
+++ b/quorra/routers/lnurlauth.py
@@ -0,0 +1,143 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Header
+from sqlmodel import select
+
+from fastapi import HTTPException
+
+from uuid import uuid4
+import json
+import base64
+import bech32
+import random
+
+from sqlalchemy.exc import IntegrityError
+
+from ..classes import (
+    User, Device,
+    Transaction, TransactionTypes,
+    ErrorResponse, QRDataResponse
+)
+
+from cryptography.hazmat.primitives.asymmetric.ec import (
+    ECDSA,
+    SECP256K1,
+    EllipticCurvePublicKey,
+)
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, Prehashed
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
+from cryptography.exceptions import InvalidSignature
+
+from valkey.commands.search.query import Query
+
+from .oidc import store_oidc_code
+
+from ..database import SessionDep
+from ..database import vk
+
+from ..utils import generate_qr
+from ..utils import escape_valkey_tag
+from ..utils import generate_qr
+from ..config import server_url
+
+router = APIRouter()
+
+async def verify_signature(k1: str, sig: str, key: str) -> bool:
+    pubkey_bytes = bytes.fromhex(key)
+    pubkey = EllipticCurvePublicKey.from_encoded_point(SECP256K1(), pubkey_bytes)
+    k1_bytes = bytes.fromhex(k1)
+    signature_bytes = bytes.fromhex(sig)
+    try:
+        pubkey.verify(signature_bytes, k1_bytes, ECDSA(Prehashed(hashes.SHA256())))
+    except InvalidSignature:
+        return False
+    return True
+
+
+@router.get("/register", response_model=None, responses={403: {"model": ErrorResponse}})
+async def ln_register(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None):
+    """Finishes device registration."""
+    if not await verify_signature(k1, sig, key):
+        raise HTTPException(status_code=403, detail="Invalid signature")
+    safe_k1 = escape_valkey_tag(k1)
+    q = Query(f"@ln_k1:{{{safe_k1}}}")
+    res = vk.ft("idx:ln_k1").search(q)
+    if res.total == 1:
+        tx_id = res.docs[0]["id"].split(":")[-1]
+        tx = Transaction.load(TransactionTypes.onboarding.value, tx_id)
+        # OPTION 1 - new user registration - transaction data contains the entry object
+        if "entry" in tx._private_data:
+            user_details = tx._private_data["entry"]
+            u: User = User(id=str(uuid4()), username=user_details["username"], email=user_details["email"])
+            session.add(u)
+            session.commit()
+            session.refresh(u)
+            uid: int = u.id
+    # TODO: OPTION 2 - user exists, only register device - the transaction should contain an existing user ID
+    else:
+        raise HTTPException(status_code=403, detail="Token invalid")
+    d: Device = Device(pubkey=key, user_id=uid, id=str(uuid4()))
+    session.add(d)
+    try:
+        session.commit()
+    except IntegrityError:
+        # TODO: Proper status code
+        raise HTTPException(status_code=403, detail="This public key already exists in a different device")
+    session.refresh(d)
+    # TODO: Pass the error back into the transaction if anything fails
+    tx.set_state("finished")
+    return None
+
+
+# TODO: Implement for LN
+# @router.post("/aqr/identify", response_model=None, responses={403: {"model": ErrorResponse}})
+# async def aqr_identify(db_session: SessionDep):
+#     return None
+
+
+@router.get("/authenticate", response_model=None, responses={404: {"model": ErrorResponse}})
+async def ln_authenticate(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None):
+    if not await verify_signature(k1, sig, key):
+        raise HTTPException(status_code=403, detail="Invalid signature")
+    safe_k1 = escape_valkey_tag(k1)
+    q = Query(f"@ln_k1:{{{safe_k1}}}")
+    res = vk.ft("idx:ln_k1").search(q)
+    if res.total == 1:
+        tx_id = res.docs[0]["id"].split(":")[-1]
+        tx = Transaction.load(TransactionTypes.ln_oidc_login.value, tx_id)
+        # TODO: Exception handling here
+        # could be that a valid signature is presented but the device doesn't exist
+        device = session.exec(select(Device).where(Device.pubkey == key)).one()
+        user = session.exec(select(User).where(User.id == device.user_id)).one()
+        tx.add_private_data(".user", {"uid": user.id, "device-id": device.id})
+        await store_oidc_code(tx)
+        tx.set_state("confirmed")
+    return None
+
+
+@router.post("/qr", responses={404: {"model": ErrorResponse}})
+def qr_gen(rq: Transaction) -> QRDataResponse:
+    """Generates a QR code for the frontend"""
+    tx = Transaction.load(rq.tx_type.value, rq.tx_id)
+    # TODO: Fill in the appropriate action based on the transaction type
+    # TODO: Select the right endpoint based on the TX type
+    if tx.tx_type is TransactionTypes.ln_oidc_login:
+        endpoint = "authenticate"
+        action = "login"
+    elif tx.tx_type is TransactionTypes.onboarding:
+        endpoint = "register"
+        action = "register"
+    else:
+        # TODO: Proper status code
+        raise HTTPException(status_code=404, detail="Invalid transaction type")
+    if tx is None:
+        raise HTTPException(status_code=404, detail="Transaction not found")
+    elif "ln" not in tx.data or "k1" not in tx.data["ln"]:
+        # TODO: Choose a more suitable status code
+        raise HTTPException(status_code=404, detail="k1 not present in transaction")
+    link = "{}/lnurl-auth/{}?k1={}&tag={}&action={}".format(server_url, endpoint, tx.data["ln"]["k1"], "login", action)
+    qr_content = "lightning:{}".format(bech32.encode_bytes("lnurl", link.encode()))
+    qr_image = generate_qr(qr_content)
+    return QRDataResponse(link=qr_content, qr_image=qr_image)
diff --git a/quorra/routers/login.py b/quorra/routers/login.py
index e1a53af..c3d705b 100644
--- a/quorra/routers/login.py
+++ b/quorra/routers/login.py
@@ -6,16 +6,17 @@
 from fastapi import HTTPException
 
 import json
+import random
 
-from ..classes import Device
-from ..classes import ErrorResponse
-from ..classes import QRDataResponse, Transaction, AqrOIDCLoginTransaction
-from ..classes import TransactionTypes
+from ..classes import (
+    Device,
+    Transaction, TransactionTypes,
+    ErrorResponse, QRDataResponse
+)
 
 from ..database import SessionDep
 from ..database import vk
 
-from ..utils import generate_qr
 from ..config import server_url
 
 
@@ -25,25 +26,13 @@
 @router.get("/start", status_code=201)
 async def login_start(client_id: str, scope: str, nonce: str | None = None) -> Transaction:
     """Starts a new login session."""
-    tx = Transaction.new("aqr-oidc-login")
+    tx = Transaction.new("ln-oidc-login")
     tx_id = tx.tx_id
-    qr_content = "quorra+{}/mobile/login?s={}".format(server_url, tx_id)
-    qr_image = generate_qr(qr_content)
+    k1 = random.randbytes(32).hex()
+    tx.add_data(".ln", {"k1": k1})
     oidc_context = {"client-id": client_id, "scope": scope}
     if nonce is not None:
         oidc_context["nonce"] = nonce
     tx.add_data(".oidc_data", oidc_context)
     return tx
 
-# TODO: Rotating login codes
-@router.post("/qr", responses={404: {"model": ErrorResponse}})
-def qr_gen(rq: Transaction) -> QRDataResponse:
-    """Generates an AQR for the frontend"""
-    tx = Transaction.load(TransactionTypes.aqr_oidc_login.value, rq.tx_id)
-    if tx is None:
-        raise HTTPException(status_code=404, detail="Transaction not found")
-    if "oidc_data" not in tx.data:
-        raise HTTPException(status_code=404, detail="OIDC data is missing in transaction data")
-    link = "quorra+{}/mobile/login?s={}".format(server_url, tx.tx_id)
-    qr_image = generate_qr(link)
-    return QRDataResponse(link=link, qr_image=qr_image)
diff --git a/quorra/routers/mobile.py b/quorra/routers/mobile.py
deleted file mode 100644
index 6b5f3b4..0000000
--- a/quorra/routers/mobile.py
+++ /dev/null
@@ -1,117 +0,0 @@
-from typing import Annotated
-
-from fastapi import APIRouter, Header
-from sqlmodel import select
-
-from fastapi import HTTPException
-
-from uuid import uuid4
-import json
-import base64
-
-from ..classes import DeviceRegistrationRequest, User, Device, Transaction
-from ..classes import AQRMobileIdentifyRequest, AQRMobileAuthenticateRequest
-from ..classes import ErrorResponse, AqrOIDCLoginTransactionStates
-
-from cryptography.hazmat.primitives.asymmetric import ed25519
-from cryptography.hazmat.primitives import serialization
-from cryptography.exceptions import InvalidSignature
-
-from valkey.commands.search.query import Query
-
-from .oidc import store_oidc_code
-
-from ..database import SessionDep
-from ..database import vk
-
-from ..utils import generate_qr
-from ..utils import escape_valkey_tag
-from ..config import server_url
-
-router = APIRouter()
-
-# TODO: Return the device ID for future use as a hint for the server
-@router.post("/register", status_code=201, response_model=None, responses={403: {"model": ErrorResponse}})
-async def register_device(rq: DeviceRegistrationRequest, session: SessionDep, x_registration_token: Annotated[str, Header()]):
-    """Finishes device registration.
-
-    Can either use a user or a device registration token.
-
-    If a device registration token is used, a user ID is also required.
-    The device will be added to the matched user.
-
-    If a user registration token is used, a new user is created.
-    """
-    # OPTION 1 - new user registration
-    safe_token = escape_valkey_tag(x_registration_token)
-    q = Query(f"@device_registration_token:{{{safe_token}}}")
-    res = vk.ft("idx:device_registration_token").search(q)
-    if res.total == 1:
-        # Finds the matching transaction
-        tx_id = res.docs[0]["id"].split(":")[-1]
-        tx = Transaction.load("onboarding", tx_id)
-        user_details = tx._private_data["entry"]
-        u: User = User(id=str(uuid4()), username=user_details["username"], email=user_details["email"])
-        session.add(u)
-        session.commit()
-        session.refresh(u)
-        tx.set_state("finished")
-        uid: int = u.id
-    # TODO: Adding a new device to an existing user
-    # TODO: OPTION 2 - user exists, only register device
-    # TODO: Fill with logic to find the user ID
-    else:
-        raise HTTPException(status_code=403, detail="Token invalid")
-    d: Device = Device(**rq.dict(), user_id=uid, id=str(uuid4()))
-    session.add(d)
-    session.commit()
-    session.refresh(d)
-    return None
-
-
-# TODO: Use UUID hints from the device
-@router.post("/aqr/identify", response_model=None, responses={403: {"model": ErrorResponse}})
-async def aqr_identify(rq: AQRMobileIdentifyRequest, db_session: SessionDep, session: str):
-    tx = Transaction.load("aqr-oidc-login", session)
-    if tx.state != AqrOIDCLoginTransactionStates.created.value:
-        raise HTTPException(status_code=403, detail="Session already identified")
-    devices = db_session.exec(select(Device)).all()
-    device_found = False
-    for device in devices:
-        key = ed25519.Ed25519PublicKey.from_public_bytes(base64.b64decode(device.pubkey))
-        try:
-            key.verify(base64.b64decode(rq.signature), rq.message.encode('utf-8'))
-        except InvalidSignature:
-            pass
-        else:
-            device_found = True
-            matched_device = device
-            break
-    if device_found:
-        tx.add_private_data(".user", {"device-id": matched_device.id})
-        tx.set_state("identified")
-    else:
-        raise HTTPException(status_code=403, detail="No matching device")
-    return None
-
-
-@router.post("/aqr/authenticate", response_model=None, responses={404: {"model": ErrorResponse}})
-async def aqr_authenticate(rq: AQRMobileAuthenticateRequest, db_session: SessionDep, session: str):
-    tx = Transaction.load("aqr-oidc-login", session)
-    device_id = tx._private_data["user"]["device-id"]
-    device = db_session.exec(select(Device).where(Device.id == device_id)).one()
-    key = ed25519.Ed25519PublicKey.from_public_bytes(base64.b64decode(device.pubkey))
-    try:
-        key.verify(base64.b64decode(rq.signature), rq.message.encode('utf-8'))
-    except InvalidSignature:
-        raise HTTPException(status_code=403, detail="Signature invalid")
-    else:
-        if rq.state == "accepted":
-            user = db_session.exec(select(User).where(User.id == device.user_id)).one()
-            tx.add_private_data(".user", {"uid": user.id})
-            await store_oidc_code(tx)
-            tx.set_state("confirmed")
-        elif rq.state == "rejected":
-            pass
-            # TODO: Figure out what to do here
-    return None
diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index 318cd88..051fe34 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -10,9 +10,10 @@
 
 from ..config import server_url, oidc_clients
 
-from ..classes import ErrorResponse
-from ..classes import TokenResponse
-from ..classes import User, Transaction
+from ..classes import (
+    User, Transaction,
+    TokenResponse, ErrorResponse
+)
 
 from valkey.commands.search.query import Query
 
@@ -96,9 +97,10 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
     safe_code = escape_valkey_tag(code)
     q = Query(f"@oidc_code:{{{safe_code}}}")
     res = vk.ft("idx:oidc_code").search(q)
+    print(res.total)
     if res.total == 1:
         tx_id = res.docs[0]["id"].split(":")[-1]
-        tx = Transaction.load("aqr-oidc-login", tx_id)
+        tx = Transaction.load("ln-oidc-login", tx_id)
     else:
         raise HTTPException(status_code=400, detail="invalid_grant")
     # Final checks before issuing the ID token
@@ -137,7 +139,7 @@ def userinfo(authorization: Annotated[str | None, Header(alias="Authorization")]
     res = vk.ft("idx:oidc_at").search(q)
     if res.total == 1:
         tx_id = res.docs[0]["id"].split(":")[-1]
-        tx = Transaction.load("aqr-oidc-login", tx_id)
+        tx = Transaction.load("ln-oidc-login", tx_id)
     else:
         raise HTTPException(status_code=401, detail="unauthorized")
     user = tx._private_data["user"]["uid"]
diff --git a/quorra/routers/onboarding.py b/quorra/routers/onboarding.py
index ff355af..36332d9 100644
--- a/quorra/routers/onboarding.py
+++ b/quorra/routers/onboarding.py
@@ -7,18 +7,18 @@
 
 from uuid import uuid4
 import json
+import random
 
-from ..classes import OnboardingLink, User
-from ..classes import OnboardingTransaction, OnboardingTransactionStates
-from ..classes import RegistrationRequest, QRDataResponse
-from ..classes import TransactionTypes, Transaction, TransactionUpdateRequest
-from ..classes import ErrorResponse
+from ..classes import (
+    OnboardingLink, User,
+    OnboardingTransaction, OnboardingTransactionStates,
+    RegistrationRequest,
+    TransactionTypes, Transaction, TransactionUpdateRequest,
+    ErrorResponse
+)
 
-from ..database import SessionDep
-from ..database import vk
+from ..database import SessionDep, vk
 
-from ..utils import generate_qr
-from ..config import server_url
 from ..config import config
 
 router = APIRouter()
@@ -60,7 +60,7 @@ async def init(req: RegistrationRequest, session: SessionDep) -> OnboardingTrans
 @router.post("/entry", responses={404: {"model": ErrorResponse}})
 def entry(rq: TransactionUpdateRequest) -> Transaction:
     """Adds the user context to the onboarding transaction"""
-    token: str = str(uuid4())
+    k1: str = str(random.randbytes(32).hex())
     tx = Transaction.load(TransactionTypes.onboarding.value, rq.tx_id)
     if tx is None:
         raise HTTPException(status_code=404, detail="Transaction not found")
@@ -68,28 +68,8 @@ def entry(rq: TransactionUpdateRequest) -> Transaction:
         raise HTTPException(status_code=403, detail="Transaction has already been filled")
     if "username" in rq.data and "email" in rq.data:
         entry_data = {"username": rq.data["username"], "email": rq.data["email"]}
-        tx.add_data(".device_registration", {"token": token})
+        tx.add_data(".ln", {"k1": k1})
         tx.add_private_data(".entry", entry_data)
         tx.set_state(OnboardingTransactionStates.filled.value)
     return tx
 
-# TODO: Rotating device registration tokens
-@router.post("/qr", responses={404: {"model": ErrorResponse}})
-def qr_gen(rq: Transaction) -> QRDataResponse:
-    """Generates an onboarding QR code for the frontend"""
-    tx = Transaction.load(TransactionTypes.onboarding.value, rq.tx_id)
-    if tx is None:
-        raise HTTPException(status_code=404, detail="Transaction not found")
-    if "device_registration" not in tx.data or "token" not in tx.data["device_registration"]:
-        raise HTTPException(status_code=404, detail="Mobile token is missing in transaction data")
-    token = tx.data["device_registration"]["token"]
-    link = "quorra+{}/mobile/register?t={}".format(server_url, token)
-    qr_image = generate_qr(link)
-    return QRDataResponse(link=link, qr_image=qr_image)
-
-@router.post("/finish", responses={404: {"model": ErrorResponse}})
-def finish(rq: TransactionUpdateRequest) -> Transaction:
-    """Debug only - finish a transaction"""
-    tx = Transaction.load(TransactionTypes.onboarding.value, rq.tx_id)
-    tx.set_state(OnboardingTransactionStates.finished.value)
-    return tx
diff --git a/quorra/routers/tx.py b/quorra/routers/tx.py
index 331caf9..7d4ad6c 100644
--- a/quorra/routers/tx.py
+++ b/quorra/routers/tx.py
@@ -37,9 +37,3 @@ async def get_transaction(rq: TransactionGetRequest) -> Transaction:
     if tx.state != "finished":
         tx.prolong()
     return tx
-
-@router.post("/create_transaction", status_code=201, response_model=Transaction, responses={401: {"model": ErrorResponse}, 403: {"model": ErrorResponse}, 404: {"model": ErrorResponse}})
-async def create_transaction(rq: TransactionCreateRequest, session: SessionDep):
-    """Start a new transaction."""
-    tx = Transaction.new(rq.tx_type.value)
-    return tx

From 424695a8a69da50d0bbd62c8fcbbada7a17f819e Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Sun, 1 Mar 2026 20:56:50 +0100
Subject: [PATCH 02/19] Remove todo

---
 quorra/routers/lnurlauth.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/quorra/routers/lnurlauth.py b/quorra/routers/lnurlauth.py
index b38377a..eb3e7ee 100644
--- a/quorra/routers/lnurlauth.py
+++ b/quorra/routers/lnurlauth.py
@@ -121,8 +121,6 @@ async def ln_authenticate(session: SessionDep, k1: str, tag: str, sig: str, key:
 def qr_gen(rq: Transaction) -> QRDataResponse:
     """Generates a QR code for the frontend"""
     tx = Transaction.load(rq.tx_type.value, rq.tx_id)
-    # TODO: Fill in the appropriate action based on the transaction type
-    # TODO: Select the right endpoint based on the TX type
     if tx.tx_type is TransactionTypes.ln_oidc_login:
         endpoint = "authenticate"
         action = "login"

From 4ed71704e6dd96786f864d6265d9ed5d263b741d Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Sun, 1 Mar 2026 21:01:33 +0100
Subject: [PATCH 03/19] Fix PEP 508

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 91b9a66..bc4911c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -25,7 +25,7 @@ dependencies = [
     "python-multipart",
     "deepmerge",
     "python-jose",
-    "git+https://github.com/quorra-Auth/bech32"
+    "bech32 @ git+https://github.com/Quorra-Auth/bech32.git"
 ]
 
 [tool.setuptools]

From c06b0801c0cdf3de2ec0c43b9a61fea026ec8834 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Sun, 1 Mar 2026 21:31:07 +0100
Subject: [PATCH 04/19] Better LN status handling

---
 quorra/classes.py           |  9 +++++++++
 quorra/routers/lnurlauth.py | 12 +++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/quorra/classes.py b/quorra/classes.py
index 15eb9f4..4dde046 100644
--- a/quorra/classes.py
+++ b/quorra/classes.py
@@ -148,3 +148,12 @@ class AqrOIDCLoginTransactionStates(str, Enum):
     confirmed = "confirmed"
     rejected = "rejected"
     token_issued = "token-issued"
+
+
+class LNStatusEnum(str, Enum):
+    ok = "OK"
+    error = "error"
+
+class LNStatusResponse(BaseModel):
+    status: LNStatusEnum
+    reason: str | None = None
diff --git a/quorra/routers/lnurlauth.py b/quorra/routers/lnurlauth.py
index eb3e7ee..04d6f97 100644
--- a/quorra/routers/lnurlauth.py
+++ b/quorra/routers/lnurlauth.py
@@ -16,7 +16,7 @@
 from ..classes import (
     User, Device,
     Transaction, TransactionTypes,
-    ErrorResponse, QRDataResponse
+    ErrorResponse, QRDataResponse, LNStatusResponse, LNStatusEnum
 )
 
 from cryptography.hazmat.primitives.asymmetric.ec import (
@@ -56,8 +56,9 @@ async def verify_signature(k1: str, sig: str, key: str) -> bool:
     return True
 
 
+# TODO: Correct error response
 @router.get("/register", response_model=None, responses={403: {"model": ErrorResponse}})
-async def ln_register(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None):
+async def ln_register(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None) -> LNStatusResponse:
     """Finishes device registration."""
     if not await verify_signature(k1, sig, key):
         raise HTTPException(status_code=403, detail="Invalid signature")
@@ -88,7 +89,7 @@ async def ln_register(session: SessionDep, k1: str, tag: str, sig: str, key: str
     session.refresh(d)
     # TODO: Pass the error back into the transaction if anything fails
     tx.set_state("finished")
-    return None
+    return LNStatusResponse(status=LNStatusEnum.ok)
 
 
 # TODO: Implement for LN
@@ -97,8 +98,9 @@ async def ln_register(session: SessionDep, k1: str, tag: str, sig: str, key: str
 #     return None
 
 
+# TODO: Correct error response
 @router.get("/authenticate", response_model=None, responses={404: {"model": ErrorResponse}})
-async def ln_authenticate(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None):
+async def ln_authenticate(session: SessionDep, k1: str, tag: str, sig: str, key: str, action: str | None = None) -> LNStatusResponse:
     if not await verify_signature(k1, sig, key):
         raise HTTPException(status_code=403, detail="Invalid signature")
     safe_k1 = escape_valkey_tag(k1)
@@ -114,7 +116,7 @@ async def ln_authenticate(session: SessionDep, k1: str, tag: str, sig: str, key:
         tx.add_private_data(".user", {"uid": user.id, "device-id": device.id})
         await store_oidc_code(tx)
         tx.set_state("confirmed")
-    return None
+    return LNStatusResponse(status=LNStatusEnum.ok)
 
 
 @router.post("/qr", responses={404: {"model": ErrorResponse}})

From 2d6aa424ae5ea2108b31f60deb995916d646e614 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Sun, 1 Mar 2026 21:56:42 +0100
Subject: [PATCH 05/19] Stop the leaks lol

---
 quorra/routers/oidc.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index 051fe34..c32959c 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -97,7 +97,6 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
     safe_code = escape_valkey_tag(code)
     q = Query(f"@oidc_code:{{{safe_code}}}")
     res = vk.ft("idx:oidc_code").search(q)
-    print(res.total)
     if res.total == 1:
         tx_id = res.docs[0]["id"].split(":")[-1]
         tx = Transaction.load("ln-oidc-login", tx_id)
@@ -130,7 +129,6 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
 # TODO: Implement checking scopes
 @router.get("/userinfo", responses={401: {"model": ErrorResponse}})
 def userinfo(authorization: Annotated[str | None, Header(alias="Authorization")] = None):
-    print(authorization)
     if not authorization.startswith("Bearer "):
         raise HTTPException(status_code=401, detail="unauthorized")
     access_token = authorization.removeprefix("Bearer ")

From 245eb78b77d7a9658831d58f20135b8644cad06b Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 15:44:26 +0100
Subject: [PATCH 06/19] Try adding a custom parameter

---
 quorra/routers/lnurlauth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quorra/routers/lnurlauth.py b/quorra/routers/lnurlauth.py
index 04d6f97..0acd5be 100644
--- a/quorra/routers/lnurlauth.py
+++ b/quorra/routers/lnurlauth.py
@@ -137,7 +137,7 @@ def qr_gen(rq: Transaction) -> QRDataResponse:
     elif "ln" not in tx.data or "k1" not in tx.data["ln"]:
         # TODO: Choose a more suitable status code
         raise HTTPException(status_code=404, detail="k1 not present in transaction")
-    link = "{}/lnurl-auth/{}?k1={}&tag={}&action={}".format(server_url, endpoint, tx.data["ln"]["k1"], "login", action)
+    link = "{}/lnurl-auth/{}?k1={}&tag={}&action={}&server=quorra".format(server_url, endpoint, tx.data["ln"]["k1"], "login", action)
     qr_content = "lightning:{}".format(bech32.encode_bytes("lnurl", link.encode()))
     qr_image = generate_qr(qr_content)
     return QRDataResponse(link=qr_content, qr_image=qr_image)

From 0a38201e558cab2446bc69dca573b59a515c4185 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 19:34:03 +0100
Subject: [PATCH 07/19] Give the onboarding FE a nice overhaul

---
 quorra/fe/onboard/index.html |  42 ++++++++------
 quorra/fe/style.css          | 109 +++++++++++++++++++++++++++++------
 2 files changed, 116 insertions(+), 35 deletions(-)

diff --git a/quorra/fe/onboard/index.html b/quorra/fe/onboard/index.html
index e423d11..2dabda3 100644
--- a/quorra/fe/onboard/index.html
+++ b/quorra/fe/onboard/index.html
@@ -3,24 +3,30 @@
 <head>
   <meta charset="UTF-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-  <link rel="stylesheet" href="/fe/style.css"/>
+  <link rel="stylesheet" href="../style.css"/>
   <title>Quorra Onboarding</title>
 </head>
 <body>
-  <h1 id="welcome_h1">Welcome to Quorra!</h1>
-  <div id="status_container"></div>
-  <div id="initial">
-    <h2>Quorra uses a mobile token to sign you in</h2>
-    <h3>Download one of our apps to get started</h3>
+  <div id="initial" class="step_div">
+    <h1 id="welcome_h1">Welcome to Quorra!</h1>
+    <h3>Quorra allows you to sign in using QR codes</h3>
+    <p>Download one of our apps to get started:</p>
     <p><a href="https://github.com/k8ieone/voucher">Voucher</a> for Linux</p>
     <p><a href="https://github.com/Quorra-Auth/flare">Flare</a> for Android</p>
-    <button id="start_b" onclick="startOnboarding()">Proceed</button>
+    <div class="hr-text"><span>OR</span></div>
+    <p>
+      You can use your Lightning wallet, <br>
+      Quorra is powered by <a href=https://lightninglogin.live/learn>Lightning</a> ⚡
+    </p>
+    <button id="start_b" onclick="startOnboarding()">Let's get started!</button>
   </div>
 
-  <div id="details_form_div" class="hidden">
-    <h2>Please fill in your details</h2>
+  <div id="details_form_div" class="hidden step_div">
+    <h1>First, tell us a bit about you</h1>
+    <h3>Some services like to display a name and email</h3>
+    <p>Providing this information allows Quorra to pass this information along to your applications.</p>
     <form id="details_form">
-      <label for="username">Name:</label>
+      <label for="username">Username:</label>
       <input id="username_input" name="username" type="text" required />
 
       <label for="email">Email:</label>
@@ -30,17 +36,19 @@ <h2>Please fill in your details</h2>
     </form>
   </div>
 
-  <div id="qr_div" class="hidden">
-    <h2>Almost there!</h2>
-    <h3>Finish your registration by scanning this code with your mobile token</h3>
+  <div id="qr_div" class="hidden step_div">
+    <h1>Almost there!</h1>
+    <h3>Finish your registration by adding your first device</h3>
+    <p>Scan the below code using your chosen application</p>
     <img id="qr"/>
     <div class="hr-text"><span>OR</span></div>
-    <a id="local_link">Use a local install</a>
+    <a id="local_link">Use a local application</a>
   </div>
 
-  <div id="finished_div" class="hidden">
-    <h1>And you're done!</h1>
-    <h2>You can now start using your newly registered device to sign in with Quorra!</h2>
+  <div id="finished_div" class="hidden step_div">
+    <h1>Amazing!</h1>
+    <h3>✨ You're good to go ✨</h3>
+    <p>You can now start using your newly registered device to sign in with Quorra!</p>
   </div>
 
   <script src="onboarding.js"></script>
diff --git a/quorra/fe/style.css b/quorra/fe/style.css
index 76a1f0b..8902286 100644
--- a/quorra/fe/style.css
+++ b/quorra/fe/style.css
@@ -1,28 +1,52 @@
+:root {
+  color-scheme: light dark;
+  accent-color: var(--accent);
+
+  --bg: #f5f5f5;
+  --text: #111;
+  --card: #ffffff;
+  --muted: #666;
+  --border: #ccc;
+  --shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
+  --button: #007BFF;
+  --button-hover: #0056b3;
+  --accent: #007BFF;
+  --accent-text: #ffffff;
+  --accent-hover: #0056b3;
+}
+
 body {
   font-family: Arial, sans-serif;
-  padding: 40px;
-  background-color: #f5f5f5;
+  margin: 0;
+  min-height: 100dvh;
+
+  /* center the page content */
+  display: grid;
+  place-content: center;
+  justify-items: center;
+  gap: 1.25rem;
+
+  background-color: var(--bg);
+  color: var(--text);
   text-align: center;
 }
 button {
   font-size: 18px;
   padding: 10px 20px;
-  background-color: #007BFF;
-  color: white;
+  background-color: var(--accent);
+  color: var(--accent-text);
   border: none;
   border-radius: 8px;
   cursor: pointer;
+  margin: 1rem auto;
 }
 button:hover {
-  background-color: #0056b3;
+  background-color: var(--accent-hover);
+}
+a {
+  color: var(--accent);
 }
 form {
-  max-width: 400px;
-  margin: auto;
-  padding: 2rem;
-  background: white;
-  border-radius: 12px;
-  box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
   display: flex;
   flex-direction: column;
 }
@@ -33,14 +57,26 @@ label {
 input {
   padding: 0.75rem;
   font-size: 1rem;
+  background: var(--card);
+  color: var(--text);
   border-radius: 8px;
-  border: 1px solid #ccc;
+  border: 1px solid var(--border);
   margin-bottom: 1rem;
 }
+.step_div {
+  max-width: 400px;
+  width: min(400px, 100%);
+  margin: 0;
+  padding: 2rem;
+  background: var(--card);
+  box-shadow: var(--shadow);
+  border-radius: 12px;
+}
 #qr {
-  max-width: 25%;
+  width: clamp(220px, 70vw, 340px);
   height: auto;
-  margin: 1rem 0;
+  display: block;
+  margin: 1rem auto;
   border-radius: 8px;
 }
 .hr-text {
@@ -48,20 +84,57 @@ input {
   align-items: center;
   text-align: center;
   width: 30%;
-  margin: 2rem auto;
-  color: #666;
+  margin: 1rem auto;
+  color: var(--muted);
 }
 .hr-text::before,
 .hr-text::after {
   content: "";
   flex: 1;
-  border-top: 1px solid #ccc;
+  border-top: 1px solid var(--border);
 }
 .hr-text span {
   padding: 0 0.5em;
-  background: #f5f5f5;
+  background: var(--card);
   font-size: 0.9rem;
 }
 .hidden {
   display: none;
 }
+
+/* Dark mode overrides based on OS preference */
+@media (prefers-color-scheme: dark) {
+  :root {
+    --bg: #0f1115;
+    --text: #e8eaf0;
+    --card: #171a21;
+    --muted: #a7adbb;
+    --border: #2a2f3a;
+    --shadow: 0 2px 14px rgba(0, 0, 0, 0.55);
+    --button: #3b82f6;
+    --button-hover: #2563eb;
+  }
+}
+
+/* Prefer the OS accent color when supported */
+@supports (color: AccentColor) {
+  :root {
+    --accent: AccentColor;
+    --accent-text: AccentColorText;
+  }
+}
+
+/* Nice automatic hover color derived from the accent (when supported) */
+@supports (background: color-mix(in srgb, black, white)) {
+  :root {
+    --accent-hover: color-mix(in srgb, var(--accent), black 18%);
+  }
+}
+
+/* Optional: focus ring that also follows the accent */
+button:focus-visible,
+a:focus-visible,
+input:focus-visible {
+  outline: 3px solid color-mix(in srgb, var(--accent), transparent 55%);
+  outline-offset: 3px;
+}

From 627736bad7d0a93b0762bb9b41b60156035cbe51 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 19:34:44 +0100
Subject: [PATCH 08/19] Add animations

---
 quorra/fe/onboard/index.html    |  1 +
 quorra/fe/onboard/onboarding.js | 10 ++----
 quorra/fe/style.css             | 20 +++++++++++
 quorra/fe/transitions.js        | 60 +++++++++++++++++++++++++++++++++
 4 files changed, 84 insertions(+), 7 deletions(-)
 create mode 100644 quorra/fe/transitions.js

diff --git a/quorra/fe/onboard/index.html b/quorra/fe/onboard/index.html
index 2dabda3..e567796 100644
--- a/quorra/fe/onboard/index.html
+++ b/quorra/fe/onboard/index.html
@@ -52,6 +52,7 @@ <h3>✨ You're good to go ✨</h3>
   </div>
 
   <script src="onboarding.js"></script>
+  <script src="../transitions.js"></script>
 </body>
 </html>
 
diff --git a/quorra/fe/onboard/onboarding.js b/quorra/fe/onboard/onboarding.js
index 03cfbb6..132840f 100644
--- a/quorra/fe/onboard/onboarding.js
+++ b/quorra/fe/onboard/onboarding.js
@@ -57,8 +57,7 @@ function startOnboarding() {
   const params = new Proxy(new URLSearchParams(window.location.search), {
     get: (searchParams, prop) => searchParams.get(prop),
   });
-  document.getElementById("initial").classList.add("hidden");
-  document.getElementById("details_form_div").classList.remove("hidden");
+  showStep("details_form_div");
 
   document.getElementById("details_form").addEventListener("submit", async function(e) {
     e.preventDefault();
@@ -80,10 +79,9 @@ function startOnboarding() {
       const result = await response.json();
       const onboardingData = await getOnboardingData();
 
-      document.getElementById("details_form_div").classList.add("hidden");
-      document.getElementById("qr_div").classList.remove("hidden");
       document.getElementById("qr").src = onboardingData.qr_image;
       document.getElementById("local_link").href = onboardingData.link;
+      showStep("qr_div");
 
     } catch (error) {
       console.error(error);
@@ -112,9 +110,7 @@ function startPolling() {
         if (data.state == "finished") {
           // Hide qr_code_div and show identified_div
           clearInterval(intervalId);
-          document.getElementById("qr_div").classList.add("hidden");
-          document.getElementById("welcome_h1").classList.add("hidden");
-          document.getElementById("finished_div").classList.remove("hidden");
+          showStep("finished_div");
         }
       })
       .catch(error => {
diff --git a/quorra/fe/style.css b/quorra/fe/style.css
index 8902286..1e8730e 100644
--- a/quorra/fe/style.css
+++ b/quorra/fe/style.css
@@ -71,6 +71,19 @@ input {
   background: var(--card);
   box-shadow: var(--shadow);
   border-radius: 12px;
+  transition: opacity 220ms ease, transform 220ms ease;
+  will-change: opacity, transform;
+}
+/* Exit animation */
+.step_div.is-exiting {
+  opacity: 0;
+  transform: translateY(-10px);
+}
+
+/* Enter animation (starts hidden-looking, then animates to normal) */
+.step_div.is-entering {
+  opacity: 0;
+  transform: translateY(10px);
 }
 #qr {
   width: clamp(220px, 70vw, 340px);
@@ -138,3 +151,10 @@ input:focus-visible {
   outline: 3px solid color-mix(in srgb, var(--accent), transparent 55%);
   outline-offset: 3px;
 }
+
+/* Respect users who prefer reduced motion */
+@media (prefers-reduced-motion: reduce) {
+  .step_div {
+    transition: none;
+  }
+}
diff --git a/quorra/fe/transitions.js b/quorra/fe/transitions.js
new file mode 100644
index 0000000..b5af51f
--- /dev/null
+++ b/quorra/fe/transitions.js
@@ -0,0 +1,60 @@
+function forceReflow(el) {
+  // Forces the browser to apply the current styles immediately
+  el.getBoundingClientRect();
+}
+
+async function waitForTransition(el) {
+  const { transitionDuration, transitionDelay } = getComputedStyle(el);
+
+  const toMs = (s) =>
+    s.split(",")
+      .map(v => v.trim())
+      .map(v => v.endsWith("ms") ? parseFloat(v) : parseFloat(v) * 1000);
+
+  const durations = toMs(transitionDuration);
+  const delays = toMs(transitionDelay);
+
+  const totalMs = Math.max(
+    ...durations.map((d, i) => d + (delays[i] ?? delays[0] ?? 0)),
+    0
+  );
+
+  if (totalMs === 0) return Promise.resolve();
+
+  return new Promise((resolve) => {
+    const done = () => resolve();
+    el.addEventListener("transitionend", done, { once: true });
+    setTimeout(done, totalMs + 50);
+  });
+}
+
+async function showStep(nextId) {
+  const next = document.getElementById(nextId);
+  if (!next) return;
+
+  const current = document.querySelector(".step_div:not(.hidden)");
+  if (current === next) return;
+
+  // Exit current
+  if (current) {
+    current.classList.add("is-exiting");
+    await waitForTransition(current);
+
+    current.classList.add("hidden");
+    current.classList.remove("is-exiting");
+    current.setAttribute("aria-hidden", "true");
+  }
+
+  // Enter next (important order)
+  next.classList.add("is-entering");   // 1) set start state (opacity 0, translated)
+  next.classList.remove("hidden");     // 2) make it participate in layout/paint
+  next.setAttribute("aria-hidden", "false");
+
+  forceReflow(next);                  // 3) ensure start state is committed
+
+  requestAnimationFrame(() => {       // 4) transition to final state
+    next.classList.remove("is-entering");
+  });
+}
+
+window.showStep = showStep;

From 76d1a11a544258d043c4106902571f18e29f54ea Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 19:51:29 +0100
Subject: [PATCH 09/19] Update the auth FE

---
 quorra/fe/auth/auth.js       | 16 ++--------------
 quorra/fe/auth/index.html    | 17 +++++++++--------
 quorra/fe/onboard/index.html |  2 +-
 3 files changed, 12 insertions(+), 23 deletions(-)

diff --git a/quorra/fe/auth/auth.js b/quorra/fe/auth/auth.js
index 5652260..52e5305 100644
--- a/quorra/fe/auth/auth.js
+++ b/quorra/fe/auth/auth.js
@@ -59,24 +59,12 @@ function startPolling() {
         if (data.state == "identified") {
           // Hide qr_code_div and show identified_div
           if (!qr_div.classList.contains("hidden")) {
-            qr_div.classList.add("hidden");
-          }
-          if (identified_div.classList.contains("hidden")) {
-            identified_div.classList.remove("hidden");
+            showStep("identified_div");
           }
         }
         // TODO: rejected state
         else if (data.state == "confirmed") {
-          // Hide identified_div and qr_code_div, show finished_div
-          if (!qr_div.classList.contains("hidden")) {
-            qr_div.classList.add("hidden");
-          }
-          if (!identified_div.classList.contains("hidden")) {
-            identified_div.classList.add("hidden");
-          }
-          if (finished_div.classList.contains("hidden")) {
-            finished_div.classList.remove("hidden");
-          }
+          showStep("finished_div");
 
           clearInterval(intervalId);
           redirectParams = {"code": data.data.oidc_data.code, "state": params.state, "nonce": params.nonce};
diff --git a/quorra/fe/auth/index.html b/quorra/fe/auth/index.html
index 59736b7..e1b0aae 100644
--- a/quorra/fe/auth/index.html
+++ b/quorra/fe/auth/index.html
@@ -3,29 +3,30 @@
 <head>
   <meta charset="UTF-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-  <link rel="stylesheet" href="/fe/style.css"/>
+  <link rel="stylesheet" href="../style.css"/>
   <title>Quorra</title>
 </head>
 <body>
 
-  <h1>Quorra</h1>
-  <div id="qr_div">
-    <h2>Scan this QR code on your device</h2>
+  <div id="qr_div" class="step_div">
+    <h1>Welcome back to Quorra</h1>
+    <p>Scan the below code using your device</p>
     <img alt="AQR Code" id="qr"></img>
     <div class="hr-text"><span>OR</span></div>
     <a id="local_link">Use a local install</a>
   </div>
 
-  <div id="identified_div" class="hidden">
+  <div id="identified_div" class="hidden step_div">
     <h2>Waiting for confirmation on your device...</h2>
   </div>
 
-  <div id="finished_div" class="hidden">
-    <h2>And you're logged in!</h2>
-    <h3>We're redirecting you back to the application</h3>
+  <div id="finished_div" class="hidden step_div">
+    <h2>✨ And you're logged in! ✨</h2>
+    <p>We're redirecting you back to the application...</p>
   </div>
 
   <script src="auth.js"></script>
+  <script src="../transitions.js"></script>
 </body>
 </html>
 
diff --git a/quorra/fe/onboard/index.html b/quorra/fe/onboard/index.html
index e567796..bee6994 100644
--- a/quorra/fe/onboard/index.html
+++ b/quorra/fe/onboard/index.html
@@ -8,7 +8,7 @@
 </head>
 <body>
   <div id="initial" class="step_div">
-    <h1 id="welcome_h1">Welcome to Quorra!</h1>
+    <h1>Welcome to Quorra!</h1>
     <h3>Quorra allows you to sign in using QR codes</h3>
     <p>Download one of our apps to get started:</p>
     <p><a href="https://github.com/k8ieone/voucher">Voucher</a> for Linux</p>

From 05654b678d5af5fcdc0402d3d50a0ed4853837ea Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 20:12:32 +0100
Subject: [PATCH 10/19] Use relative URLs in JS

---
 pyproject.toml                  |  1 -
 quorra/fe/auth/auth.js          |  6 +++---
 quorra/fe/onboard/onboarding.js | 10 +++++-----
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index bc4911c..c678e99 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,7 +31,6 @@ dependencies = [
 [tool.setuptools]
 packages = ["quorra", "quorra.routers"]
 
-# Doesn't work, need to figure out how to add static files to Python project
 [tool.setuptools.package-data]
 "quorra" = ["fe/**"]
 
diff --git a/quorra/fe/auth/auth.js b/quorra/fe/auth/auth.js
index 52e5305..857f927 100644
--- a/quorra/fe/auth/auth.js
+++ b/quorra/fe/auth/auth.js
@@ -12,7 +12,7 @@ async function startAqr() {
   if (params.nonce) {
     args = args + `&nonce=${params.nonce}`
   }
-  const response = await fetch(`/processes/login/start?${args}`);
+  const response = await fetch(`../../processes/login/start?${args}`);
   if (!response.ok) throw new Error("Request failed");
   data = await response.json();
   txId = data.tx_id;
@@ -22,7 +22,7 @@ async function startAqr() {
 
 async function showQrCode() {
   const payload = { "tx_type": "ln-oidc-login", "tx_id": txId };
-  const response = await fetch("/lnurl-auth/qr", {
+  const response = await fetch("../../lnurl-auth/qr", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -35,7 +35,7 @@ async function showQrCode() {
 }
 
 function startPolling() {
-  const pollingUrl = `/tx/transaction`;
+  const pollingUrl = `../../tx/transaction`;
   const payload = { "tx_id": txId, "tx_type": "ln-oidc-login" }
 
   const encodeGetParams = p =>
diff --git a/quorra/fe/onboard/onboarding.js b/quorra/fe/onboard/onboarding.js
index 132840f..2f1fbe4 100644
--- a/quorra/fe/onboard/onboarding.js
+++ b/quorra/fe/onboard/onboarding.js
@@ -6,7 +6,7 @@ async function getLink() {
 }
 
 async function createOnboardingLink() {
-  const response = await fetch("/processes/onboarding/create", {
+  const response = await fetch("../../processes/onboarding/create", {
     method: "GET",
     headers: {
       "Content-Type": "application/json"
@@ -22,7 +22,7 @@ async function createOnboardingLink() {
 async function startOnboardingTransaction(onboardingLink) {
   const payload = { "link_id": onboardingLink };
 
-  const response = await fetch("/processes/onboarding/init", {
+  const response = await fetch("../../processes/onboarding/init", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -39,7 +39,7 @@ async function startOnboardingTransaction(onboardingLink) {
 async function getOnboardingData() {
   const payload = { "tx_type": "onboarding", "tx_id": txId };
 
-  const response = await fetch("/lnurl-auth/qr", {
+  const response = await fetch("../../lnurl-auth/qr", {
     method: "POST",
     headers: {
       "Content-Type": "application/json"
@@ -68,7 +68,7 @@ function startOnboarding() {
     const payload = { "tx_id": txId, "data": { "username": name, "email": email }, "tx_type": "onboarding" };
 
     try {
-      const response = await fetch("/processes/onboarding/entry", {
+      const response = await fetch("../../processes/onboarding/entry", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(payload),
@@ -92,7 +92,7 @@ function startOnboarding() {
 }
 
 function startPolling() {
-  const pollingUrl = `/tx/transaction`;
+  const pollingUrl = `../../tx/transaction`;
   const payload = { "tx_id": txId, "tx_type": "onboarding" }
 
   const intervalId = setInterval(() => {

From 7f94a2cf37e6d512186954a999bf59346ba17c0c Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 20:25:57 +0100
Subject: [PATCH 11/19] Stop the need for adding .html to addresses

---
 quorra/main.py               | 4 ++--
 quorra/routers/oidc.py       | 2 +-
 quorra/routers/onboarding.py | 2 --
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/quorra/main.py b/quorra/main.py
index c58fe5b..66681e6 100644
--- a/quorra/main.py
+++ b/quorra/main.py
@@ -107,8 +107,8 @@ async def healthcheck(session: SessionDep):
 app.include_router(tx.router, prefix="/tx", tags=["Transaction management"])
 
 fe_dir = importlib.resources.files("quorra") / "fe"
-app.mount("/fe", StaticFiles(directory=fe_dir), name="static")
+app.mount("/fe", StaticFiles(directory=fe_dir, html=True), name="static")
 
 @app.get("/", include_in_schema=False)
 async def root_redirect():
-    return RedirectResponse(url="/fe/onboard/index.html")
+    return RedirectResponse(url="/fe/onboard/")
diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index c32959c..f267a55 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -64,7 +64,7 @@ async def authorize(client_id: str, redirect_uri: str, state: str, scope: str, n
     args = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state, "scope": scope}
     if nonce is not None:
         args["nonce"] = nonce
-    redirect_url = url_encoder("/fe/auth/index.html", **args)
+    redirect_url = url_encoder("/fe/auth/", **args)
     return RedirectResponse(url=redirect_url)
 
 
diff --git a/quorra/routers/onboarding.py b/quorra/routers/onboarding.py
index 36332d9..53d136e 100644
--- a/quorra/routers/onboarding.py
+++ b/quorra/routers/onboarding.py
@@ -42,8 +42,6 @@ async def create(session: SessionDep, x_self_service_token: Annotated[str | None
     session.add(link)
     session.commit()
     session.refresh(link)
-    print("Debug only!!!")
-    print("http://localhost:8080/fe/onboard/index.html?link={}".format(link.link_id))
     return link
 
 @router.post("/init", responses={404: {"model": ErrorResponse}})

From b4a9c911b529c31bc28a6e6f3df7fecf93914b72 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 21:28:41 +0100
Subject: [PATCH 12/19] Fix the scaling on small screens

---
 quorra/fe/style.css | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/quorra/fe/style.css b/quorra/fe/style.css
index 1e8730e..18cc169 100644
--- a/quorra/fe/style.css
+++ b/quorra/fe/style.css
@@ -65,8 +65,7 @@ input {
 }
 .step_div {
   max-width: 400px;
-  width: min(400px, 100%);
-  margin: 0;
+  margin: 20%;
   padding: 2rem;
   background: var(--card);
   box-shadow: var(--shadow);

From 35f88e6b30117f28907c73d6ca9f1e63cc0853ee Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 21:30:50 +0100
Subject: [PATCH 13/19] Display application name and URL in auth FE

---
 quorra/fe/auth/auth.js    | 18 ++++++++++++++++--
 quorra/fe/auth/index.html |  9 ++++++---
 quorra/routers/oidc.py    |  2 +-
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/quorra/fe/auth/auth.js b/quorra/fe/auth/auth.js
index 857f927..7e53dbc 100644
--- a/quorra/fe/auth/auth.js
+++ b/quorra/fe/auth/auth.js
@@ -4,6 +4,12 @@ window.onload = async function() {
   await startAqr();
 };
 
+async function findReplace(objClass, text) {
+  document.querySelectorAll(`.${objClass}`).forEach(el => {
+    el.textContent = text;
+  });
+}
+
 async function startAqr() {
   const params = new Proxy(new URLSearchParams(window.location.search), {
   get: (searchParams, prop) => searchParams.get(prop),
@@ -16,6 +22,13 @@ async function startAqr() {
   if (!response.ok) throw new Error("Request failed");
   data = await response.json();
   txId = data.tx_id;
+  await findReplace("clientName", params.client_name);
+  const url = new URL(params.redirect_uri);
+  var urlString = url.origin
+  if (url.protocol !== "https:") {
+    urlString = `⚠️ ${url.origin} ⚠️`
+  }
+  await findReplace("redirectURI", urlString);
   await showQrCode();
   startPolling();
 }
@@ -55,7 +68,6 @@ function startPolling() {
         return response.json();
       })
       .then(data => {
-        console.log("Polling data:", data);
         if (data.state == "identified") {
           // Hide qr_code_div and show identified_div
           if (!qr_div.classList.contains("hidden")) {
@@ -68,7 +80,9 @@ function startPolling() {
 
           clearInterval(intervalId);
           redirectParams = {"code": data.data.oidc_data.code, "state": params.state, "nonce": params.nonce};
-          window.location.href = params.redirect_uri + "?" + encodeGetParams(redirectParams);
+          const redirectAddress = params.redirect_uri + "?" + encodeGetParams(redirectParams);
+          manual_redirect.href = redirectAddress;
+          window.location.href = redirectAddress;
         }
       })
       .catch(error => {
diff --git a/quorra/fe/auth/index.html b/quorra/fe/auth/index.html
index e1b0aae..948c472 100644
--- a/quorra/fe/auth/index.html
+++ b/quorra/fe/auth/index.html
@@ -9,8 +9,10 @@
 <body>
 
   <div id="qr_div" class="step_div">
-    <h1>Welcome back to Quorra</h1>
-    <p>Scan the below code using your device</p>
+    <h2>You're signing into</h2>
+    <h1><span class="clientName"></span></h1>
+    <small class="redirectURI"></small>
+    <p>Scan the below code using your device to proceed</p>
     <img alt="AQR Code" id="qr"></img>
     <div class="hr-text"><span>OR</span></div>
     <a id="local_link">Use a local install</a>
@@ -22,7 +24,8 @@ <h2>Waiting for confirmation on your device...</h2>
 
   <div id="finished_div" class="hidden step_div">
     <h2>✨ And you're logged in! ✨</h2>
-    <p>We're redirecting you back to the application...</p>
+    <p>We're redirecting you back to <span class="clientName">the application</span>...</p>
+    <small>If the redirect doesn't work, click <a id="manual_redirect">here</a></small>
   </div>
 
   <script src="auth.js"></script>
diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index f267a55..4e57e11 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -61,7 +61,7 @@ async def authorize(client_id: str, redirect_uri: str, state: str, scope: str, n
         raise HTTPException(status_code=400, detail="Invalid client")
     if redirect_uri not in client["redirect_uris"]:
         raise HTTPException(status_code=400, detail="Invalid client")
-    args = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state, "scope": scope}
+    args = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state, "scope": scope, "client_name": client["friendly_name"]}
     if nonce is not None:
         args["nonce"] = nonce
     redirect_url = url_encoder("/fe/auth/", **args)

From 3ebe775d8f24115c9becb6bcca26081e617b05fc Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 21:43:17 +0100
Subject: [PATCH 14/19] Shorten transaction expiry

---
 quorra/classes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quorra/classes.py b/quorra/classes.py
index 4dde046..0be98dc 100644
--- a/quorra/classes.py
+++ b/quorra/classes.py
@@ -69,7 +69,7 @@ class Transaction(BaseModel):
     tx_id: str | None = None
 
     # TODO: shorten
-    _expiry: int = 500
+    _expiry: int = 30
     _key_name: str | None = None
 
     def __init__(self, **data):

From bef92f2750c0db8cb6b214a00f2508f658f37ae6 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 22:07:32 +0100
Subject: [PATCH 15/19] Tweak for smaller screens

---
 quorra/fe/style.css | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/quorra/fe/style.css b/quorra/fe/style.css
index 18cc169..3bebc64 100644
--- a/quorra/fe/style.css
+++ b/quorra/fe/style.css
@@ -65,8 +65,9 @@ input {
 }
 .step_div {
   max-width: 400px;
-  margin: 20%;
-  padding: 2rem;
+  min-width: 320px;
+  margin: 10%;
+  padding: 1.25rem;
   background: var(--card);
   box-shadow: var(--shadow);
   border-radius: 12px;
@@ -85,7 +86,7 @@ input {
   transform: translateY(10px);
 }
 #qr {
-  width: clamp(220px, 70vw, 340px);
+  width: 90%;
   height: auto;
   display: block;
   margin: 1rem auto;

From 37de1a4846b0a0b56b5a1990a123fdb16f1b418c Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 22:47:41 +0100
Subject: [PATCH 16/19] Small but important OIDC transaction tweaks

- Make transactions private after the the code has been exchanged for
access/ID tokens
- Prolong OIDC transactions to 30 minutes after they're finished. This
effectively gives ATs a 30 minute validity
---
 quorra/classes.py      | 13 +++++++------
 quorra/routers/oidc.py |  7 +++++--
 quorra/routers/tx.py   |  5 +++--
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/quorra/classes.py b/quorra/classes.py
index 0be98dc..764d59c 100644
--- a/quorra/classes.py
+++ b/quorra/classes.py
@@ -124,8 +124,10 @@ def add_private_data(self, path, data):
     def set_contents(self, contents):
         vk.json().set(self._key_name, Path.root_path(), contents)
 
-    def prolong(self):
-        vk.expire(self._key_name, self._expiry)
+    def prolong(self, expiry: int | None = None):
+        if expiry is None:
+            expiry = self._expiry
+        vk.expire(self._key_name, expiry)
 
     def delete(self):
         vk.delete(self._key_name)
@@ -139,15 +141,14 @@ class OnboardingTransaction(Transaction):
     # TODO: Move transition checks here
     tx_type: TransactionTypes = TransactionTypes.onboarding
 
-class AqrOIDCLoginTransaction(Transaction):
+class LnOIDCLoginTransaction(Transaction):
     tx_type: TransactionTypes = TransactionTypes.ln_oidc_login
 
-class AqrOIDCLoginTransactionStates(str, Enum):
+class LnOIDCLoginTransactionStates(str, Enum):
     created = "created"
     identified = "identified"
     confirmed = "confirmed"
-    rejected = "rejected"
-    token_issued = "token-issued"
+    finished = "finished"
 
 
 class LNStatusEnum(str, Enum):
diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index 4e57e11..dc7e2a5 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -108,6 +108,8 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
         raise HTTPException(status_code=400, detail="invalid_client")
     elif client_secret != client["client_secret"]:
         raise HTTPException(status_code=401, detail="unauthorized_client")
+    if tx.state != "confirmed":
+        raise HTTPException(status_code=401, detail="Transaction state invalid")
     user: str = tx._private_data["user"]["uid"]
     token_claims = {"sub": user, "aud": client_id, "iss": issuer}
     if "nonce" in tx.data["oidc_data"]:
@@ -121,8 +123,9 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
     id_token = generate_token(token_claims)
     access_token = str(uuid4())
     tx.add_private_data(".oidc_data", {"access_token": access_token})
-    tx.set_state("token-issued")
-    # TODO: Real access-tokens
+    tx.set_state("finished")
+    # TODO: Configurable AT expiry
+    tx.prolong(1500)
     return TokenResponse(id_token=id_token, access_token=access_token)
 
 
diff --git a/quorra/routers/tx.py b/quorra/routers/tx.py
index 7d4ad6c..69981d3 100644
--- a/quorra/routers/tx.py
+++ b/quorra/routers/tx.py
@@ -34,6 +34,7 @@ async def get_transaction(rq: TransactionGetRequest) -> Transaction:
     tx = Transaction.load(rq.tx_type.value, rq.tx_id)
     if tx is None:
         raise HTTPException(status_code=404, detail="Transaction not found")
-    if tx.state != "finished":
-        tx.prolong()
+    if tx.state == "finished":
+        raise HTTPException(status_code=403, detail="Transaction private")
+    tx.prolong()
     return tx

From 67bdbc2f697538ec4f2ea5d2eef1c1f2b4dd1084 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 22:51:21 +0100
Subject: [PATCH 17/19] 30 instead of 25 minutes

---
 quorra/routers/oidc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quorra/routers/oidc.py b/quorra/routers/oidc.py
index dc7e2a5..e607cc3 100644
--- a/quorra/routers/oidc.py
+++ b/quorra/routers/oidc.py
@@ -125,7 +125,7 @@ async def token(db_session: SessionDep, request: Request, grant_type: str = Form
     tx.add_private_data(".oidc_data", {"access_token": access_token})
     tx.set_state("finished")
     # TODO: Configurable AT expiry
-    tx.prolong(1500)
+    tx.prolong(1800)
     return TokenResponse(id_token=id_token, access_token=access_token)
 
 

From c1a3633453421d08e8703d1e4e52fefe506feab2 Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 23:10:12 +0100
Subject: [PATCH 18/19] Fix using the wrong text

---
 quorra/fe/auth/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quorra/fe/auth/index.html b/quorra/fe/auth/index.html
index 948c472..1aaeae1 100644
--- a/quorra/fe/auth/index.html
+++ b/quorra/fe/auth/index.html
@@ -15,7 +15,7 @@ <h1><span class="clientName"></span></h1>
     <p>Scan the below code using your device to proceed</p>
     <img alt="AQR Code" id="qr"></img>
     <div class="hr-text"><span>OR</span></div>
-    <a id="local_link">Use a local install</a>
+    <a id="local_link">Use a local application</a>
   </div>
 
   <div id="identified_div" class="hidden step_div">

From 2bbbda947d25fd848ff5e0b80025d1803fa3f41e Mon Sep 17 00:00:00 2001
From: k8ie <k8ie@mcld.eu>
Date: Wed, 4 Mar 2026 23:59:02 +0100
Subject: [PATCH 19/19] Fix onboarding transactions

---
 quorra/routers/tx.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quorra/routers/tx.py b/quorra/routers/tx.py
index 69981d3..678c723 100644
--- a/quorra/routers/tx.py
+++ b/quorra/routers/tx.py
@@ -34,7 +34,7 @@ async def get_transaction(rq: TransactionGetRequest) -> Transaction:
     tx = Transaction.load(rq.tx_type.value, rq.tx_id)
     if tx is None:
         raise HTTPException(status_code=404, detail="Transaction not found")
-    if tx.state == "finished":
+    if tx.tx_type == "ln-oidc-login" and tx.state == "finished":
         raise HTTPException(status_code=403, detail="Transaction private")
     tx.prolong()
     return tx