Refactor internal/auth/ package

Following the logic in the auth package is quite complicated.

Related to #404