Updated version and assets for release v23.08

Merge branch 'development' into release
Updated translations with latest Crowdin changes (#4462 )
2026-02-05 08:39:55 +03:00 · 2023-08-30 12:38:48 +01:00 · 2023-08-30 12:38:22 +01:00 · 2023-08-30 12:35:10 +01:00 · 2023-08-30 11:49:45 +01:00 · 2023-08-30 02:41:51 +01:00
1466 changed files with 46063 additions and 23458 deletions
--- a/.env.example
+++ b/.env.example
@@ -37,8 +37,10 @@ MAIL_FROM=bookstack@example.com
 # SMTP mail options
 # These settings can be checked using the "Send a Test Email"
 # feature found in the "Settings > Maintenance" area of the system.
+# For more detailed documentation on mail options, refer to:
+# https://www.bookstackapp.com/docs/admin/email-webhooks/#email-configuration
 MAIL_HOST=localhost
-MAIL_PORT=1025
+MAIL_PORT=587
 MAIL_USERNAME=null
 MAIL_PASSWORD=null
 MAIL_ENCRYPTION=null
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -3,6 +3,10 @@
 # Each option is shown with it's default value.
 # Do not copy this whole file to use as your '.env' file.

+# The details here only serve as a quick reference.
+# Please refer to the BookStack documentation for full details:
+# https://www.bookstackapp.com/docs/
+
 # Application environment
 # Can be 'production', 'development', 'testing' or 'demo'
 APP_ENV=production
@@ -65,20 +69,20 @@ DB_PASSWORD=database_user_password
 # certificate itself (Common Name or Subject Alternative Name).
 MYSQL_ATTR_SSL_CA="/path/to/ca.pem"

-# Mail system to use
-# Can be 'smtp' or 'sendmail'
+# Mail configuration
+# Refer to https://www.bookstackapp.com/docs/admin/email-webhooks/#email-configuration
 MAIL_DRIVER=smtp
-
-# Mail sending options
 MAIL_FROM=mail@bookstackapp.com
 MAIL_FROM_NAME=BookStack

-# SMTP mail options
 MAIL_HOST=localhost
-MAIL_PORT=1025
+MAIL_PORT=587
 MAIL_USERNAME=null
 MAIL_PASSWORD=null
 MAIL_ENCRYPTION=null
+MAIL_VERIFY_SSL=true
+
+MAIL_SENDMAIL_COMMAND="/usr/sbin/sendmail -bs"

 # Cache & Session driver to use
 # Can be 'file', 'database', 'memcached' or 'redis'
@@ -268,6 +272,7 @@ OIDC_DUMP_USER_DETAILS=false
 OIDC_USER_TO_GROUPS=false
 OIDC_GROUPS_CLAIM=groups
 OIDC_REMOVE_FROM_GROUPS=false
+OIDC_EXTERNAL_ID_CLAIM=sub

 # Disable default third-party services such as Gravatar and Draw.IO
 # Service-specific options will override this option
@@ -318,6 +323,13 @@ FILE_UPLOAD_SIZE_LIMIT=50
 # Can be 'a4' or 'letter'.
 EXPORT_PAGE_SIZE=a4

+# Set path to wkhtmltopdf binary for PDF generation.
+# Can be 'false' or a path path like: '/home/bins/wkhtmltopdf'
+# When false, BookStack will attempt to find a wkhtmltopdf in the application
+# root folder then fall back to the default dompdf renderer if no binary exists.
+# Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
+WKHTMLTOPDF=false
+
 # Allow <script> tags in page content
 # Note, if set to 'true' the page editor may still escape scripts.
 ALLOW_CONTENT_SCRIPTS=false
@@ -347,6 +359,15 @@ ALLOWED_IFRAME_HOSTS=null
 # Current host and source for the "DRAWIO" setting will be auto-appended to the sources configured.
 ALLOWED_IFRAME_SOURCES="https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com"

+# A list of the sources/hostnames that can be reached by application SSR calls.
+# This is used wherever users can provide URLs/hosts in-platform, like for webhooks.
+# Host-specific functionality (usually controlled via other options) like auth
+# or user avatars for example, won't use this list.
+# Space seperated if multiple. Can use '*' as a wildcard.
+# Values will be compared prefix-matched, case-insensitive, against called SSR urls.
+# Defaults to allow all hosts.
+ALLOWED_SSR_HOSTS="*"
+
 # The default and maximum item-counts for listing API requests.
 API_DEFAULT_ITEM_COUNT=100
 API_MAX_ITEM_COUNT=500
@@ -368,4 +389,4 @@ LOG_FAILED_LOGIN_CHANNEL=errorlog_plain_webserver
 # IP address '146.191.42.4' would result in '146.191.x.x' being logged.
 # For the IPv6 address '2001:db8:85a3:8d3:1319:8a2e:370:7348' this would result as:
 # '2001:db8:85a3:8d3:x:x:x:x'
-IP_ADDRESS_PRECISION=4
+IP_ADDRESS_PRECISION=4
--- a/.github/translators.txt
+++ b/.github/translators.txt
@@ -176,7 +176,7 @@ Alexander Predl (Harveyhase68) :: German
 Rem (Rem9000) :: Dutch
 Michał Stelmach (stelmach-web) :: Polish
 arniom :: French
-REMOVED_USER :: Dutch; Turkish
+REMOVED_USER :: ; French; Dutch; Turkish
 林祖年 (contagion) :: Chinese Traditional
 Siamak Guodarzi (siamakgoudarzi88) :: Persian
 Lis Maestrelo (lismtrl) :: Portuguese, Brazilian
@@ -274,3 +274,84 @@ Mihai Ochian (soulstorm19) :: Romanian
 HeartCore :: German Informal; German
 simon.pct :: French
 okaeiz :: Persian
+Naoto Ishikawa (na3shkw) :: Japanese
+sdhadi :: Persian
+DerLinkman (derlinkman) :: German; German Informal
+TurnArabic :: Arabic
+Martin Sebek (sebekmartin) :: Czech
+Kuchinashi Hoshikawa (kuchinashi) :: Chinese Simplified
+digilady :: Greek
+Linus (LinusOP) :: Swedish
+Felipe Cardoso (felipecardosoruff) :: Portuguese, Brazilian
+RandomUser0815 :: German Informal; German
+Ismael Mesquita (mesquitoliveira) :: Portuguese, Brazilian
+구인회 (laskdjlaskdj12) :: Korean
+LiZerui (CNLiZerui) :: Chinese Traditional
+Fabrice Boyer (FabriceBoyer) :: French
+mikael (bitcanon) :: Swedish
+Matthias Mai (schnapsidee) :: German; German Informal
+Ufuk Ayyıldız (ufukayyildiz) :: Turkish
+Jan Mitrof (jan.kachlik) :: Czech
+edwardsmirnov :: Russian
+Mr_OSS117 :: French
+shotu :: French
+Cesar_Lopez_Aguillon :: Spanish
+bdewoop :: German
+dina davoudi (dina.davoudi) :: Persian
+Angelos Chouvardas (achouvardas) :: Greek
+rndrss :: Portuguese, Brazilian
+rirac294 :: Russian
+David Furman (thefourCraft) :: Hebrew
+Pafzedog :: French
+Yllelder :: Spanish
+Adrian Ocneanu (aocneanu) :: Romanian
+Eduardo Castanho (EduardoCastanho) :: Portuguese
+VIET NAM VPS (vietnamvps) :: Vietnamese
+m4tthi4s :: French
+toras9000 :: Japanese
+pathab :: German
+MichelSchoon85 :: Dutch
+Jøran Haugli (haugli92) :: Norwegian Bokmal
+Vasileios Kouvelis (VasilisKouvelis) :: Greek
+Dremski :: Bulgarian
+Frédéric SENE (nothingfr) :: French
+bendem :: French
+kostasdizas :: Greek
+Ricardo Schroeder (brownstone666) :: Portuguese, Brazilian
+Eitan MG (EitanMG) :: Hebrew
+Robin Flikkema (RobinFlikkema) :: Dutch
+Michal Gurcik (mgurcik) :: Slovak
+Pooyan Arab (pooyanarab) :: Persian
+Ochi Darma Putra (troke12) :: Indonesian
+H.-H. Peng (Hsins) :: Chinese Traditional
+Mosi  Wang (mosiwang) :: Chinese Traditional
+骆言 (LawssssCat) :: Chinese Simplified
+Stickers Gaming Shøw (StickerSGSHOW) :: French
+Le Van Chinh (Chino) (lvanchinh86) :: Vietnamese
+Rubens nagios (rubenix) :: Catalan
+Patrick Dantas (pa-tiq) :: Portuguese, Brazilian
+Michal (michalgurcik) :: Slovak
+Nepomacs :: German
+Rubens (rubenix) :: Catalan
+m4z :: German; German Informal
+TheRazvy :: Romanian
+Yossi Zilber (lortens) :: Hebrew; Uzbek
+desdinova :: French
+Ingus Rūķis (ingus.rukis) :: Latvian
+Eugene Pershin (SilentEugene) :: Russian
+周盛道 (zhoushengdao) :: Chinese Simplified
+hamidreza amini (hamidrezaamini2022) :: Persian
+Tomislav Kraljević (tomislav.kraljevic) :: Croatian
+Taygun Yıldırım (yildirimtaygun) :: Turkish
+robing29 :: German
+Bruno Eduardo de Jesus Barroso (brunoejb) :: Portuguese, Brazilian
+Igor V Belousov (biv) :: Russian
+David Bauer (davbauer) :: German
+Guttorm Hveem (guttormhveem) :: Norwegian Bokmal
+Minh Giang Truong (minhgiang1204) :: Vietnamese
+Ioannis Ioannides (i.ioannides) :: Greek
+Vadim (vadrozh) :: Russian
+Flip333 :: German Informal; German
+Paulo Henrique (paulohsantos114) :: Portuguese, Brazilian
+Dženan (Dzenan) :: Swedish
+Péter Péli (peter.peli) :: Hungarian
--- a/.github/workflows/analyse-php.yml
+++ b/.github/workflows/analyse-php.yml
@@ -1,36 +1,34 @@
-name: phpstan
+name: analyse-php

 on: [push, pull_request]

 jobs:
  build:
    if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-20.04
-    strategy:
-      matrix:
-        php: ['7.4']
+    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v1

    - name: Setup PHP
      uses: shivammathur/setup-php@v2
      with:
-        php-version: ${{ matrix.php }}
+        php-version: 8.1
        extensions: gd, mbstring, json, curl, xml, mysql, ldap

    - name: Get Composer Cache Directory
      id: composer-cache
      run: |
-        echo "::set-output name=dir::$(composer config cache-files-dir)"
+        echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

    - name: Cache composer packages
-      uses: actions/cache@v1
+      uses: actions/cache@v3
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
-        key: ${{ runner.os }}-composer-${{ matrix.php }}
+        key: ${{ runner.os }}-composer-8.1
+        restore-keys: ${{ runner.os }}-composer-

    - name: Install composer dependencies
      run: composer install --prefer-dist --no-interaction --ansi

-    - name: Run PHPStan
-      run: php${{ matrix.php }} ./vendor/bin/phpstan analyse --memory-limit=2G
+    - name: Run static analysis check
+      run: composer check-static
--- a/.github/workflows/lint-js.yml
+++ b/.github/workflows/lint-js.yml
@@ -0,0 +1,16 @@
+name: lint-js
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    if: ${{ github.ref != 'refs/heads/l10n_development' }}
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Install NPM deps
+      run: npm ci
+
+    - name: Run formatting check
+      run: npm run lint
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -0,0 +1,19 @@
+name: lint-php
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    if: ${{ github.ref != 'refs/heads/l10n_development' }}
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: 8.1
+        tools: phpcs
+
+    - name: Run formatting check
+      run: composer lint
--- a/.github/workflows/test-migrations.yml
+++ b/.github/workflows/test-migrations.yml
@@ -5,10 +5,10 @@ on: [push, pull_request]
 jobs:
  build:
    if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      matrix:
-        php: ['7.4', '8.0', '8.1']
+        php: ['8.0', '8.1', '8.2']
    steps:
      - uses: actions/checkout@v1

@@ -21,13 +21,14 @@ jobs:
      - name: Get Composer Cache Directory
        id: composer-cache
        run: |
-          echo "::set-output name=dir::$(composer config cache-files-dir)"
+          echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

      - name: Cache composer packages
-        uses: actions/cache@v1
+        uses: actions/cache@v3
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          key: ${{ runner.os }}-composer-${{ matrix.php }}
+          restore-keys: ${{ runner.os }}-composer-

      - name: Start MySQL
        run: |
--- a/.github/workflows/test-php.yml
+++ b/.github/workflows/test-php.yml
@@ -1,14 +1,14 @@
-name: phpunit
+name: test-php

 on: [push, pull_request]

 jobs:
  build:
    if: ${{ github.ref != 'refs/heads/l10n_development' }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      matrix:
-        php: ['7.4', '8.0', '8.1']
+        php: ['8.0', '8.1', '8.2']
    steps:
    - uses: actions/checkout@v1

@@ -16,18 +16,19 @@ jobs:
      uses: shivammathur/setup-php@v2
      with:
        php-version: ${{ matrix.php }}
-        extensions: gd, mbstring, json, curl, xml, mysql, ldap
+        extensions: gd, mbstring, json, curl, xml, mysql, ldap, gmp

    - name: Get Composer Cache Directory
      id: composer-cache
      run: |
-        echo "::set-output name=dir::$(composer config cache-files-dir)"
+        echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT

    - name: Cache composer packages
-      uses: actions/cache@v1
+      uses: actions/cache@v3
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
        key: ${{ runner.os }}-composer-${{ matrix.php }}
+        restore-keys: ${{ runner.os }}-composer-

    - name: Start Database
      run: |
@@ -48,5 +49,5 @@ jobs:
        php${{ matrix.php }} artisan migrate --force -n --database=mysql_testing
        php${{ matrix.php }} artisan db:seed --force -n --class=DummyContentSeeder --database=mysql_testing

-    - name: phpunit
+    - name: Run PHP tests
      run: php${{ matrix.php }} ./vendor/bin/phpunit
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 /vendor
 /node_modules
+/.vscode
+/composer
 Homestead.yaml
 .env
 .idea
@@ -11,6 +13,7 @@ yarn-error.log
 /public/js/*.map
 /public/bower
 /public/build/
+/public/favicon.ico
 /storage/images
 _ide_helper.php
 /storage/debugbar
@@ -20,8 +23,10 @@ yarn.lock
 nbproject
 .buildpath
 .project
+.nvmrc
 .settings/
 webpack-stats.json
 .phpunit.result.cache
 .DS_Store
-phpstan.neon
+phpstan.neon
+esbuild-meta.json
--- a/3
+++ b/3
@@ -1,7 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2015-present, Dan Brown and the BookStack Project contributors
-https://github.com/BookStackApp/BookStack/graphs/contributors
+Copyright (c) 2015-2023, Dan Brown and the BookStack Project contributors.

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/app/Http/Controllers/Auth/ConfirmEmailController.php
+++ b/app/Http/Controllers/Auth/ConfirmEmailController.php
@@ -1,34 +1,24 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\EmailConfirmationService;
-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\UserRepo;
+use BookStack\Access\EmailConfirmationService;
+use BookStack\Access\LoginService;
 use BookStack\Exceptions\ConfirmationEmailException;
 use BookStack\Exceptions\UserTokenExpiredException;
 use BookStack\Exceptions\UserTokenNotFoundException;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Http\Controller;
+use BookStack\Users\UserRepo;
 use Exception;
 use Illuminate\Http\Request;

 class ConfirmEmailController extends Controller
 {
-    protected $emailConfirmationService;
-    protected $loginService;
-    protected $userRepo;
-
-    /**
-     * Create a new controller instance.
-     */
    public function __construct(
-        EmailConfirmationService $emailConfirmationService,
-        LoginService $loginService,
-        UserRepo $userRepo
+        protected EmailConfirmationService $emailConfirmationService,
+        protected LoginService $loginService,
+        protected UserRepo $userRepo
    ) {
-        $this->emailConfirmationService = $emailConfirmationService;
-        $this->loginService = $loginService;
-        $this->userRepo = $userRepo;
    }

    /**
@@ -51,14 +41,28 @@ class ConfirmEmailController extends Controller
        return view('auth.user-unconfirmed', ['user' => $user]);
    }

+    /**
+     * Show the form for a user to provide their positive confirmation of their email.
+     */
+    public function showAcceptForm(string $token)
+    {
+        return view('auth.register-confirm-accept', ['token' => $token]);
+    }
+
    /**
     * Confirms an email via a token and logs the user into the system.
     *
     * @throws ConfirmationEmailException
     * @throws Exception
     */
-    public function confirm(string $token)
+    public function confirm(Request $request)
    {
+        $validated = $this->validate($request, [
+            'token' => ['required', 'string']
+        ]);
+
+        $token = $validated['token'];
+
        try {
            $userId = $this->emailConfirmationService->checkTokenAndGetUserId($token);
        } catch (UserTokenNotFoundException $exception) {
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -1,28 +1,14 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Actions\ActivityType;
-use BookStack\Http\Controllers\Controller;
-use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
+use BookStack\Activity\ActivityType;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Password;

 class ForgotPasswordController extends Controller
 {
-    /*
-    |--------------------------------------------------------------------------
-    | Password Reset Controller
-    |--------------------------------------------------------------------------
-    |
-    | This controller is responsible for handling password reset emails and
-    | includes a trait which assists in sending these notifications from
-    | your application to your users. Feel free to explore this trait.
-    |
-    */
-
-    use SendsPasswordResetEmails;
-
    /**
     * Create a new controller instance.
     *
@@ -34,6 +20,14 @@ class ForgotPasswordController extends Controller
        $this->middleware('guard:standard');
    }

+    /**
+     * Display the form to request a password reset link.
+     */
+    public function showLinkRequestForm()
+    {
+        return view('auth.passwords.email');
+    }
+
    /**
     * Send a reset link to the given user.
     *
@@ -50,7 +44,7 @@ class ForgotPasswordController extends Controller
        // We will send the password reset link to this user. Once we have attempted
        // to send the link, we will examine the response then see the message we
        // need to show to the user. Finally, we'll send out a proper response.
-        $response = $this->broker()->sendResetLink(
+        $response = Password::broker()->sendResetLink(
            $request->only('email')
        );

--- a/app/Http/Controllers/Auth/HandlesPartialLogins.php
+++ b/app/Http/Controllers/Auth/HandlesPartialLogins.php
@@ -1,10 +1,10 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\User;
+use BookStack\Access\LoginService;
 use BookStack\Exceptions\NotFoundException;
+use BookStack\Users\Models\User;

 trait HandlesPartialLogins
 {
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -1,37 +1,21 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\SocialAuthService;
+use BookStack\Access\LoginService;
+use BookStack\Access\SocialAuthService;
 use BookStack\Exceptions\LoginAttemptEmailNeededException;
 use BookStack\Exceptions\LoginAttemptException;
 use BookStack\Facades\Activity;
-use BookStack\Http\Controllers\Controller;
-use Illuminate\Foundation\Auth\AuthenticatesUsers;
+use BookStack\Http\Controller;
+use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Validation\ValidationException;

 class LoginController extends Controller
 {
-    /*
-    |--------------------------------------------------------------------------
-    | Login Controller
-    |--------------------------------------------------------------------------
-    |
-    | This controller handles authenticating users for the application and
-    | redirecting them to your home screen. The controller uses a trait
-    | to conveniently provide its functionality to your applications.
-    |
-    */
-
-    use AuthenticatesUsers { logout as traitLogout; }
-
-    /**
-     * Redirection paths.
-     */
-    protected $redirectTo = '/';
-    protected $redirectPath = '/';
+    use ThrottlesLogins;

    protected SocialAuthService $socialAuthService;
    protected LoginService $loginService;
@@ -47,21 +31,6 @@ class LoginController extends Controller

        $this->socialAuthService = $socialAuthService;
        $this->loginService = $loginService;
-
-        $this->redirectPath = url('/');
-    }
-
-    public function username()
-    {
-        return config('auth.method') === 'standard' ? 'email' : 'username';
-    }
-
-    /**
-     * Get the needed authorization credentials from the request.
-     */
-    protected function credentials(Request $request)
-    {
-        return $request->only('username', 'email', 'password');
    }

    /**
@@ -97,27 +66,15 @@ class LoginController extends Controller

    /**
     * Handle a login request to the application.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @throws \Illuminate\Validation\ValidationException
-     *
-     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $this->validateLogin($request);
        $username = $request->get($this->username());

-        // If the class is using the ThrottlesLogins trait, we can automatically throttle
-        // the login attempts for this application. We'll key this by the username and
-        // the IP address of the client making these requests into this application.
-        if (method_exists($this, 'hasTooManyLoginAttempts') &&
-            $this->hasTooManyLoginAttempts($request)) {
-            $this->fireLockoutEvent($request);
-
+        // Check login throttling attempts to see if they've gone over the limit
+        if ($this->hasTooManyLoginAttempts($request)) {
            Activity::logFailedLogin($username);
-
            return $this->sendLockoutResponse($request);
        }

@@ -131,24 +88,62 @@ class LoginController extends Controller
            return $this->sendLoginAttemptExceptionResponse($exception, $request);
        }

-        // If the login attempt was unsuccessful we will increment the number of attempts
-        // to login and redirect the user back to the login form. Of course, when this
-        // user surpasses their maximum number of attempts they will get locked out.
+        // On unsuccessful login attempt, Increment login attempts for throttling and log failed login.
        $this->incrementLoginAttempts($request);
-
        Activity::logFailedLogin($username);

-        return $this->sendFailedLoginResponse($request);
+        // Throw validation failure for failed login
+        throw ValidationException::withMessages([
+            $this->username() => [trans('auth.failed')],
+        ])->redirectTo('/login');
+    }
+
+    /**
+     * Logout user and perform subsequent redirect.
+     */
+    public function logout(Request $request)
+    {
+        Auth::guard()->logout();
+        $request->session()->invalidate();
+        $request->session()->regenerateToken();
+
+        $redirectUri = $this->shouldAutoInitiate() ? '/login?prevent_auto_init=true' : '/';
+
+        return redirect($redirectUri);
+    }
+
+    /**
+     * Get the expected username input based upon the current auth method.
+     */
+    protected function username(): string
+    {
+        return config('auth.method') === 'standard' ? 'email' : 'username';
+    }
+
+    /**
+     * Get the needed authorization credentials from the request.
+     */
+    protected function credentials(Request $request): array
+    {
+        return $request->only('username', 'email', 'password');
+    }
+
+    /**
+     * Send the response after the user was authenticated.
+     * @return RedirectResponse
+     */
+    protected function sendLoginResponse(Request $request)
+    {
+        $request->session()->regenerate();
+        $this->clearLoginAttempts($request);
+
+        return redirect()->intended('/');
    }

    /**
     * Attempt to log the user into the application.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @return bool
     */
-    protected function attemptLogin(Request $request)
+    protected function attemptLogin(Request $request): bool
    {
        return $this->loginService->attempt(
            $this->credentials($request),
@@ -157,29 +152,12 @@ class LoginController extends Controller
        );
    }

-    /**
-     * The user has been authenticated.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param mixed                    $user
-     *
-     * @return mixed
-     */
-    protected function authenticated(Request $request, $user)
-    {
-        return redirect()->intended($this->redirectPath());
-    }

    /**
     * Validate the user login request.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @throws \Illuminate\Validation\ValidationException
-     *
-     * @return void
+     * @throws ValidationException
     */
-    protected function validateLogin(Request $request)
+    protected function validateLogin(Request $request): void
    {
        $rules = ['password' => ['required', 'string']];
        $authMethod = config('auth.method');
@@ -213,22 +191,6 @@ class LoginController extends Controller
        return redirect('/login');
    }

-    /**
-     * Get the failed login response instance.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @throws \Illuminate\Validation\ValidationException
-     *
-     * @return \Symfony\Component\HttpFoundation\Response
-     */
-    protected function sendFailedLoginResponse(Request $request)
-    {
-        throw ValidationException::withMessages([
-            $this->username() => [trans('auth.failed')],
-        ])->redirectTo('/login');
-    }
-
    /**
     * Update the intended URL location from their previous URL.
     * Ignores if not from the current app instance or if from certain
@@ -268,20 +230,4 @@ class LoginController extends Controller

        return $autoRedirect && count($socialDrivers) === 0 && in_array($authMethod, ['oidc', 'saml2']);
    }
-
-    /**
-     * Logout user and perform subsequent redirect.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @return mixed
-     */
-    public function logout(Request $request)
-    {
-        $this->traitLogout($request);
-
-        $redirectUri = $this->shouldAutoInitiate() ? '/login?prevent_auto_init=true' : '/';
-
-        return redirect($redirectUri);
-    }
 }
--- a/app/Http/Controllers/Auth/MfaBackupCodesController.php
+++ b/app/Http/Controllers/Auth/MfaBackupCodesController.php
@@ -1,14 +1,14 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Actions\ActivityType;
-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\Mfa\BackupCodeService;
-use BookStack\Auth\Access\Mfa\MfaSession;
-use BookStack\Auth\Access\Mfa\MfaValue;
+use BookStack\Access\LoginService;
+use BookStack\Access\Mfa\BackupCodeService;
+use BookStack\Access\Mfa\MfaSession;
+use BookStack\Access\Mfa\MfaValue;
+use BookStack\Activity\ActivityType;
 use BookStack\Exceptions\NotFoundException;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Http\Controller;
 use Exception;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
--- a/app/Http/Controllers/Auth/MfaController.php
+++ b/app/Http/Controllers/Auth/MfaController.php
@@ -1,10 +1,10 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Actions\ActivityType;
-use BookStack\Auth\Access\Mfa\MfaValue;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Access\Mfa\MfaValue;
+use BookStack\Activity\ActivityType;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;

 class MfaController extends Controller
--- a/app/Http/Controllers/Auth/MfaTotpController.php
+++ b/app/Http/Controllers/Auth/MfaTotpController.php
@@ -1,15 +1,15 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Actions\ActivityType;
-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\Mfa\MfaSession;
-use BookStack\Auth\Access\Mfa\MfaValue;
-use BookStack\Auth\Access\Mfa\TotpService;
-use BookStack\Auth\Access\Mfa\TotpValidationRule;
+use BookStack\Access\LoginService;
+use BookStack\Access\Mfa\MfaSession;
+use BookStack\Access\Mfa\MfaValue;
+use BookStack\Access\Mfa\TotpService;
+use BookStack\Access\Mfa\TotpValidationRule;
+use BookStack\Activity\ActivityType;
 use BookStack\Exceptions\NotFoundException;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;

--- a/app/Http/Controllers/Auth/OidcController.php
+++ b/app/Http/Controllers/Auth/OidcController.php
@@ -1,10 +1,10 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\Oidc\OidcException;
-use BookStack\Auth\Access\Oidc\OidcService;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Access\Oidc\OidcException;
+use BookStack\Access\Oidc\OidcService;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;

 class OidcController extends Controller
--- a/app/Http/Controllers/Auth/RegisterController.php
+++ b/app/Http/Controllers/Auth/RegisterController.php
@@ -1,47 +1,24 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\RegistrationService;
-use BookStack\Auth\Access\SocialAuthService;
-use BookStack\Auth\User;
+use BookStack\Access\LoginService;
+use BookStack\Access\RegistrationService;
+use BookStack\Access\SocialAuthService;
 use BookStack\Exceptions\StoppedAuthenticationException;
 use BookStack\Exceptions\UserRegistrationException;
-use BookStack\Http\Controllers\Controller;
-use Illuminate\Foundation\Auth\RegistersUsers;
+use BookStack\Http\Controller;
+use Illuminate\Contracts\Validation\Validator as ValidatorContract;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\Rules\Password;

 class RegisterController extends Controller
 {
-    /*
-    |--------------------------------------------------------------------------
-    | Register Controller
-    |--------------------------------------------------------------------------
-    |
-    | This controller handles the registration of new users as well as their
-    | validation and creation. By default this controller uses a trait to
-    | provide this functionality without requiring any additional code.
-    |
-    */
-
-    use RegistersUsers;
-
    protected SocialAuthService $socialAuthService;
    protected RegistrationService $registrationService;
    protected LoginService $loginService;

-    /**
-     * Where to redirect users after login / registration.
-     *
-     * @var string
-     */
-    protected $redirectTo = '/';
-    protected $redirectPath = '/';
-
    /**
     * Create a new controller instance.
     */
@@ -56,23 +33,6 @@ class RegisterController extends Controller
        $this->socialAuthService = $socialAuthService;
        $this->registrationService = $registrationService;
        $this->loginService = $loginService;
-
-        $this->redirectTo = url('/');
-        $this->redirectPath = url('/');
-    }
-
-    /**
-     * Get a validator for an incoming registration request.
-     *
-     * @return \Illuminate\Contracts\Validation\Validator
-     */
-    protected function validator(array $data)
-    {
-        return Validator::make($data, [
-            'name'     => ['required', 'min:2', 'max:100'],
-            'email'    => ['required', 'email', 'max:255', 'unique:users'],
-            'password' => ['required', Password::default()],
-        ]);
    }

    /**
@@ -115,22 +75,18 @@ class RegisterController extends Controller

        $this->showSuccessNotification(trans('auth.register_success'));

-        return redirect($this->redirectPath());
+        return redirect('/');
    }

    /**
-     * Create a new user instance after a valid registration.
-     *
-     * @param array $data
-     *
-     * @return User
+     * Get a validator for an incoming registration request.
     */
-    protected function create(array $data)
+    protected function validator(array $data): ValidatorContract
    {
-        return User::create([
-            'name'     => $data['name'],
-            'email'    => $data['email'],
-            'password' => Hash::make($data['password']),
+        return Validator::make($data, [
+            'name'     => ['required', 'min:2', 'max:100'],
+            'email'    => ['required', 'email', 'max:255', 'unique:users'],
+            'password' => ['required', Password::default()],
        ]);
    }
 }
--- a/app/Access/Controllers/ResetPasswordController.php
+++ b/app/Access/Controllers/ResetPasswordController.php
@@ -0,0 +1,98 @@
+<?php
+
+namespace BookStack\Access\Controllers;
+
+use BookStack\Access\LoginService;
+use BookStack\Activity\ActivityType;
+use BookStack\Http\Controller;
+use BookStack\Users\Models\User;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Password;
+use Illuminate\Support\Str;
+use Illuminate\Validation\Rules\Password as PasswordRule;
+
+class ResetPasswordController extends Controller
+{
+    protected LoginService $loginService;
+
+    public function __construct(LoginService $loginService)
+    {
+        $this->middleware('guest');
+        $this->middleware('guard:standard');
+
+        $this->loginService = $loginService;
+    }
+
+    /**
+     * Display the password reset view for the given token.
+     * If no token is present, display the link request form.
+     */
+    public function showResetForm(Request $request)
+    {
+        $token = $request->route()->parameter('token');
+
+        return view('auth.passwords.reset')->with(
+            ['token' => $token, 'email' => $request->email]
+        );
+    }
+
+    /**
+     * Reset the given user's password.
+     */
+    public function reset(Request $request)
+    {
+        $request->validate([
+            'token' => 'required',
+            'email' => 'required|email',
+            'password' => ['required', 'confirmed', PasswordRule::defaults()],
+        ]);
+
+        // Here we will attempt to reset the user's password. If it is successful we
+        // will update the password on an actual user model and persist it to the
+        // database. Otherwise we will parse the error and return the response.
+        $credentials = $request->only('email', 'password', 'password_confirmation', 'token');
+        $response = Password::broker()->reset($credentials, function (User $user, string $password) {
+            $user->password = Hash::make($password);
+            $user->setRememberToken(Str::random(60));
+            $user->save();
+
+            $this->loginService->login($user, auth()->getDefaultDriver());
+        });
+
+        // If the password was successfully reset, we will redirect the user back to
+        // the application's home authenticated view. If there is an error we can
+        // redirect them back to where they came from with their error message.
+        return $response === Password::PASSWORD_RESET
+            ? $this->sendResetResponse()
+            : $this->sendResetFailedResponse($request, $response);
+    }
+
+    /**
+     * Get the response for a successful password reset.
+     */
+    protected function sendResetResponse(): RedirectResponse
+    {
+        $this->showSuccessNotification(trans('auth.reset_password_success'));
+        $this->logActivity(ActivityType::AUTH_PASSWORD_RESET_UPDATE, user());
+
+        return redirect('/');
+    }
+
+    /**
+     * Get the response for a failed password reset.
+     */
+    protected function sendResetFailedResponse(Request $request, string $response): RedirectResponse
+    {
+        // We show invalid users as invalid tokens as to not leak what
+        // users may exist in the system.
+        if ($response === Password::INVALID_USER) {
+            $response = Password::INVALID_TOKEN;
+        }
+
+        return redirect()->back()
+            ->withInput($request->only('email'))
+            ->withErrors(['email' => trans($response)]);
+    }
+}
--- a/app/Http/Controllers/Auth/Saml2Controller.php
+++ b/app/Http/Controllers/Auth/Saml2Controller.php
@@ -1,15 +1,15 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\Saml2Service;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Access\Saml2Service;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;
 use Illuminate\Support\Str;

 class Saml2Controller extends Controller
 {
-    protected $samlService;
+    protected Saml2Service $samlService;

    /**
     * Saml2Controller constructor.
--- a/app/Http/Controllers/Auth/SocialController.php
+++ b/app/Http/Controllers/Auth/SocialController.php
@@ -1,24 +1,24 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\RegistrationService;
-use BookStack\Auth\Access\SocialAuthService;
+use BookStack\Access\LoginService;
+use BookStack\Access\RegistrationService;
+use BookStack\Access\SocialAuthService;
 use BookStack\Exceptions\SocialDriverNotConfigured;
 use BookStack\Exceptions\SocialSignInAccountNotUsed;
 use BookStack\Exceptions\SocialSignInException;
 use BookStack\Exceptions\UserRegistrationException;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;
 use Illuminate\Support\Str;
 use Laravel\Socialite\Contracts\User as SocialUser;

 class SocialController extends Controller
 {
-    protected $socialAuthService;
-    protected $registrationService;
-    protected $loginService;
+    protected SocialAuthService $socialAuthService;
+    protected RegistrationService $registrationService;
+    protected LoginService $loginService;

    /**
     * SocialController constructor.
@@ -28,7 +28,7 @@ class SocialController extends Controller
        RegistrationService $registrationService,
        LoginService $loginService
    ) {
-        $this->middleware('guest')->only(['getRegister', 'postRegister']);
+        $this->middleware('guest')->only(['register']);
        $this->socialAuthService = $socialAuthService;
        $this->registrationService = $registrationService;
        $this->loginService = $loginService;
--- a/app/Access/Controllers/ThrottlesLogins.php
+++ b/app/Access/Controllers/ThrottlesLogins.php
@@ -0,0 +1,92 @@
+<?php
+
+namespace BookStack\Access\Controllers;
+
+use Illuminate\Cache\RateLimiter;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Illuminate\Support\Str;
+use Illuminate\Validation\ValidationException;
+
+trait ThrottlesLogins
+{
+    /**
+     * Determine if the user has too many failed login attempts.
+     */
+    protected function hasTooManyLoginAttempts(Request $request): bool
+    {
+        return $this->limiter()->tooManyAttempts(
+            $this->throttleKey($request),
+            $this->maxAttempts()
+        );
+    }
+
+    /**
+     * Increment the login attempts for the user.
+     */
+    protected function incrementLoginAttempts(Request $request): void
+    {
+        $this->limiter()->hit(
+            $this->throttleKey($request),
+            $this->decayMinutes() * 60
+        );
+    }
+
+    /**
+     * Redirect the user after determining they are locked out.
+     * @throws ValidationException
+     */
+    protected function sendLockoutResponse(Request $request): \Symfony\Component\HttpFoundation\Response
+    {
+        $seconds = $this->limiter()->availableIn(
+            $this->throttleKey($request)
+        );
+
+        throw ValidationException::withMessages([
+            $this->username() => [trans('auth.throttle', [
+                'seconds' => $seconds,
+                'minutes' => ceil($seconds / 60),
+            ])],
+        ])->status(Response::HTTP_TOO_MANY_REQUESTS);
+    }
+
+    /**
+     * Clear the login locks for the given user credentials.
+     */
+    protected function clearLoginAttempts(Request $request): void
+    {
+        $this->limiter()->clear($this->throttleKey($request));
+    }
+
+    /**
+     * Get the throttle key for the given request.
+     */
+    protected function throttleKey(Request $request): string
+    {
+        return Str::transliterate(Str::lower($request->input($this->username())) . '|' . $request->ip());
+    }
+
+    /**
+     * Get the rate limiter instance.
+     */
+    protected function limiter(): RateLimiter
+    {
+        return app(RateLimiter::class);
+    }
+
+    /**
+     * Get the maximum number of attempts to allow.
+     */
+    public function maxAttempts(): int
+    {
+        return 5;
+    }
+
+    /**
+     * Get the number of minutes to throttle for.
+     */
+    public function decayMinutes(): int
+    {
+        return 1;
+    }
+}
--- a/app/Http/Controllers/Auth/UserInviteController.php
+++ b/app/Http/Controllers/Auth/UserInviteController.php
@@ -1,22 +1,23 @@
 <?php

-namespace BookStack\Http\Controllers\Auth;
+namespace BookStack\Access\Controllers;

-use BookStack\Auth\Access\UserInviteService;
-use BookStack\Auth\UserRepo;
+use BookStack\Access\UserInviteService;
 use BookStack\Exceptions\UserTokenExpiredException;
 use BookStack\Exceptions\UserTokenNotFoundException;
-use BookStack\Http\Controllers\Controller;
+use BookStack\Http\Controller;
+use BookStack\Users\UserRepo;
 use Exception;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Redirector;
+use Illuminate\Support\Facades\Hash;
 use Illuminate\Validation\Rules\Password;

 class UserInviteController extends Controller
 {
-    protected $inviteService;
-    protected $userRepo;
+    protected UserInviteService $inviteService;
+    protected UserRepo $userRepo;

    /**
     * Create a new controller instance.
@@ -66,7 +67,7 @@ class UserInviteController extends Controller
        }

        $user = $this->userRepo->getById($userId);
-        $user->password = bcrypt($request->get('password'));
+        $user->password = Hash::make($request->get('password'));
        $user->email_confirmed = true;
        $user->save();

--- a/app/Auth/Access/EmailConfirmationService.php
+++ b/app/Auth/Access/EmailConfirmationService.php
@@ -1,15 +1,15 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\User;
 use BookStack\Exceptions\ConfirmationEmailException;
 use BookStack\Notifications\ConfirmEmail;
+use BookStack\Users\Models\User;

 class EmailConfirmationService extends UserTokenService
 {
-    protected $tokenTable = 'email_confirmations';
-    protected $expiryTime = 24;
+    protected string $tokenTable = 'email_confirmations';
+    protected int $expiryTime = 24;

    /**
     * Create new confirmation for a user,
--- a/app/Auth/Access/ExternalBaseUserProvider.php
+++ b/app/Auth/Access/ExternalBaseUserProvider.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Auth\UserProvider;
--- a/app/Auth/Access/GroupSyncService.php
+++ b/app/Auth/Access/GroupSyncService.php
@@ -1,9 +1,9 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\Role;
-use BookStack\Auth\User;
+use BookStack\Users\Models\Role;
+use BookStack\Users\Models\User;
 use Illuminate\Support\Collection;

 class GroupSyncService
--- a/app/Auth/Access/Guards/AsyncExternalBaseSessionGuard.php
+++ b/app/Auth/Access/Guards/AsyncExternalBaseSessionGuard.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Guards;
+namespace BookStack\Access\Guards;

 /**
 * Saml2 Session Guard.
--- a/app/Auth/Access/Guards/ExternalBaseSessionGuard.php
+++ b/app/Auth/Access/Guards/ExternalBaseSessionGuard.php
@@ -1,8 +1,8 @@
 <?php

-namespace BookStack\Auth\Access\Guards;
+namespace BookStack\Access\Guards;

-use BookStack\Auth\Access\RegistrationService;
+use BookStack\Access\RegistrationService;
 use Illuminate\Auth\GuardHelpers;
 use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
 use Illuminate\Contracts\Auth\StatefulGuard;
--- a/app/Auth/Access/Guards/LdapSessionGuard.php
+++ b/app/Auth/Access/Guards/LdapSessionGuard.php
@@ -1,15 +1,15 @@
 <?php

-namespace BookStack\Auth\Access\Guards;
+namespace BookStack\Access\Guards;

-use BookStack\Auth\Access\LdapService;
-use BookStack\Auth\Access\RegistrationService;
-use BookStack\Auth\User;
+use BookStack\Access\LdapService;
+use BookStack\Access\RegistrationService;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\LdapException;
 use BookStack\Exceptions\LoginAttemptEmailNeededException;
 use BookStack\Exceptions\LoginAttemptException;
 use BookStack\Exceptions\UserRegistrationException;
+use BookStack\Users\Models\User;
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Contracts\Session\Session;
 use Illuminate\Support\Str;
--- a/app/Access/Ldap.php
+++ b/app/Access/Ldap.php
@@ -0,0 +1,110 @@
+<?php
+
+namespace BookStack\Access;
+
+/**
+ * Class Ldap
+ * An object-orientated thin abstraction wrapper for common PHP LDAP functions.
+ * Allows the standard LDAP functions to be mocked for testing.
+ */
+class Ldap
+{
+    /**
+     * Connect to an LDAP server.
+     *
+     * @return resource|\LDAP\Connection|false
+     */
+    public function connect(string $hostName)
+    {
+        return ldap_connect($hostName);
+    }
+
+    /**
+     * Set the value of an LDAP option for the given connection.
+     *
+     * @param resource|\LDAP\Connection|null $ldapConnection
+     */
+    public function setOption($ldapConnection, int $option, mixed $value): bool
+    {
+        return ldap_set_option($ldapConnection, $option, $value);
+    }
+
+    /**
+     * Start TLS on the given LDAP connection.
+     */
+    public function startTls($ldapConnection): bool
+    {
+        return ldap_start_tls($ldapConnection);
+    }
+
+    /**
+     * Set the version number for the given LDAP connection.
+     *
+     * @param resource|\LDAP\Connection $ldapConnection
+     */
+    public function setVersion($ldapConnection, int $version): bool
+    {
+        return $this->setOption($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, $version);
+    }
+
+    /**
+     * Search LDAP tree using the provided filter.
+     *
+     * @param resource|\LDAP\Connection   $ldapConnection
+     *
+     * @return resource|\LDAP\Result
+     */
+    public function search($ldapConnection, string $baseDn, string $filter, array $attributes = null)
+    {
+        return ldap_search($ldapConnection, $baseDn, $filter, $attributes);
+    }
+
+    /**
+     * Get entries from an LDAP search result.
+     *
+     * @param resource|\LDAP\Connection $ldapConnection
+     * @param resource|\LDAP\Result $ldapSearchResult
+     */
+    public function getEntries($ldapConnection, $ldapSearchResult): array|false
+    {
+        return ldap_get_entries($ldapConnection, $ldapSearchResult);
+    }
+
+    /**
+     * Search and get entries immediately.
+     *
+     * @param resource|\LDAP\Connection   $ldapConnection
+     */
+    public function searchAndGetEntries($ldapConnection, string $baseDn, string $filter, array $attributes = null): array|false
+    {
+        $search = $this->search($ldapConnection, $baseDn, $filter, $attributes);
+
+        return $this->getEntries($ldapConnection, $search);
+    }
+
+    /**
+     * Bind to LDAP directory.
+     *
+     * @param resource|\LDAP\Connection $ldapConnection
+     */
+    public function bind($ldapConnection, string $bindRdn = null, string $bindPassword = null): bool
+    {
+        return ldap_bind($ldapConnection, $bindRdn, $bindPassword);
+    }
+
+    /**
+     * Explode an LDAP dn string into an array of components.
+     */
+    public function explodeDn(string $dn, int $withAttrib): array|false
+    {
+        return ldap_explode_dn($dn, $withAttrib);
+    }
+
+    /**
+     * Escape a string for use in an LDAP filter.
+     */
+    public function escape(string $value, string $ignore = '', int $flags = 0): string
+    {
+        return ldap_escape($value, $ignore, $flags);
+    }
+}
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -1,11 +1,11 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\User;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\LdapException;
 use BookStack\Uploads\UserAvatars;
+use BookStack\Users\Models\User;
 use ErrorException;
 use Illuminate\Support\Facades\Log;

@@ -15,26 +15,19 @@ use Illuminate\Support\Facades\Log;
 */
 class LdapService
 {
-    protected Ldap $ldap;
-    protected GroupSyncService $groupSyncService;
-    protected UserAvatars $userAvatars;
-
    /**
-     * @var resource
+     * @var resource|\LDAP\Connection
     */
    protected $ldapConnection;

    protected array $config;
    protected bool $enabled;

-    /**
-     * LdapService constructor.
-     */
-    public function __construct(Ldap $ldap, UserAvatars $userAvatars, GroupSyncService $groupSyncService)
-    {
-        $this->ldap = $ldap;
-        $this->userAvatars = $userAvatars;
-        $this->groupSyncService = $groupSyncService;
+    public function __construct(
+        protected Ldap $ldap,
+        protected UserAvatars $userAvatars,
+        protected GroupSyncService $groupSyncService
+    ) {
        $this->config = config('services.ldap');
        $this->enabled = config('auth.method') === 'ldap';
    }
@@ -59,7 +52,7 @@ class LdapService

        // Clean attributes
        foreach ($attributes as $index => $attribute) {
-            if (strpos($attribute, 'BIN;') === 0) {
+            if (str_starts_with($attribute, 'BIN;')) {
                $attributes[$index] = substr($attribute, strlen('BIN;'));
            }
        }
@@ -82,7 +75,7 @@ class LdapService
     * Get the details of a user from LDAP using the given username.
     * User found via configurable user filter.
     *
-     * @throws LdapException
+     * @throws LdapException|JsonDebugException
     */
    public function getUserDetails(string $userName): ?array
    {
@@ -105,7 +98,7 @@ class LdapService
            'name'  => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),
            'dn'    => $user['dn'],
            'email' => $this->getUserResponseProperty($user, $emailAttr, null),
-            'avatar'=> $thumbnailAttr ? $this->getUserResponseProperty($user, $thumbnailAttr, null) : null,
+            'avatar' => $thumbnailAttr ? $this->getUserResponseProperty($user, $thumbnailAttr, null) : null,
        ];

        if ($this->config['dump_user_details']) {
@@ -126,7 +119,7 @@ class LdapService
     */
    protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue)
    {
-        $isBinary = strpos($propertyKey, 'BIN;') === 0;
+        $isBinary = str_starts_with($propertyKey, 'BIN;');
        $propertyKey = strtolower($propertyKey);
        $value = $defaultValue;

@@ -170,11 +163,11 @@ class LdapService
     * Bind the system user to the LDAP connection using the given credentials
     * otherwise anonymous access is attempted.
     *
-     * @param resource $connection
+     * @param resource|\LDAP\Connection $connection
     *
     * @throws LdapException
     */
-    protected function bindSystemUser($connection)
+    protected function bindSystemUser($connection): void
    {
        $ldapDn = $this->config['dn'];
        $ldapPass = $this->config['pass'];
@@ -197,7 +190,7 @@ class LdapService
     *
     * @throws LdapException
     *
-     * @return resource
+     * @return resource|\LDAP\Connection
     */
    protected function getConnection()
    {
@@ -216,8 +209,8 @@ class LdapService
            $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
        }

-        $serverDetails = $this->parseServerString($this->config['server']);
-        $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
+        $ldapHost = $this->parseServerString($this->config['server']);
+        $ldapConnection = $this->ldap->connect($ldapHost);

        if ($ldapConnection === false) {
            throw new LdapException(trans('errors.ldap_cannot_connect'));
@@ -242,23 +235,16 @@ class LdapService
    }

    /**
-     * Parse a LDAP server string and return the host and port for a connection.
+     * Parse an LDAP server string and return the host suitable for a connection.
     * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'.
     */
-    protected function parseServerString(string $serverString): array
+    protected function parseServerString(string $serverString): string
    {
-        $serverNameParts = explode(':', $serverString);
-
-        // If we have a protocol just return the full string since PHP will ignore a separate port.
-        if ($serverNameParts[0] === 'ldaps' || $serverNameParts[0] === 'ldap') {
-            return ['host' => $serverString, 'port' => 389];
+        if (str_starts_with($serverString, 'ldaps://') || str_starts_with($serverString, 'ldap://')) {
+            return $serverString;
        }

-        // Otherwise, extract the port out
-        $hostName = $serverNameParts[0];
-        $ldapPort = (count($serverNameParts) > 1) ? intval($serverNameParts[1]) : 389;
-
-        return ['host' => $hostName, 'port' => $ldapPort];
+        return "ldap://{$serverString}";
    }

    /**
@@ -386,7 +372,7 @@ class LdapService
     * @throws LdapException
     * @throws JsonDebugException
     */
-    public function syncGroups(User $user, string $username)
+    public function syncGroups(User $user, string $username): void
    {
        $userLdapGroups = $this->getUserGroups($username);
        $this->groupSyncService->syncUserWithFoundGroups($user, $userLdapGroups, $this->config['remove_from_groups']);
--- a/app/Auth/Access/LoginService.php
+++ b/app/Auth/Access/LoginService.php
@@ -1,14 +1,15 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Actions\ActivityType;
-use BookStack\Auth\Access\Mfa\MfaSession;
-use BookStack\Auth\User;
+use BookStack\Access\Mfa\MfaSession;
+use BookStack\Activity\ActivityType;
+use BookStack\Exceptions\LoginAttemptException;
 use BookStack\Exceptions\StoppedAuthenticationException;
 use BookStack\Facades\Activity;
 use BookStack\Facades\Theme;
 use BookStack\Theming\ThemeEvents;
+use BookStack\Users\Models\User;
 use Exception;

 class LoginService
@@ -149,6 +150,7 @@ class LoginService
     * May interrupt the flow if extra authentication requirements are imposed.
     *
     * @throws StoppedAuthenticationException
+     * @throws LoginAttemptException
     */
    public function attempt(array $credentials, string $method, bool $remember = false): bool
    {
--- a/app/Auth/Access/Mfa/BackupCodeService.php
+++ b/app/Auth/Access/Mfa/BackupCodeService.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Mfa;
+namespace BookStack\Access\Mfa;

 use Illuminate\Support\Str;

--- a/app/Auth/Access/Mfa/MfaSession.php
+++ b/app/Auth/Access/Mfa/MfaSession.php
@@ -1,8 +1,8 @@
 <?php

-namespace BookStack\Auth\Access\Mfa;
+namespace BookStack\Access\Mfa;

-use BookStack\Auth\User;
+use BookStack\Users\Models\User;

 class MfaSession
 {
--- a/app/Auth/Access/Mfa/MfaValue.php
+++ b/app/Auth/Access/Mfa/MfaValue.php
@@ -1,8 +1,8 @@
 <?php

-namespace BookStack\Auth\Access\Mfa;
+namespace BookStack\Access\Mfa;

-use BookStack\Auth\User;
+use BookStack\Users\Models\User;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Model;

--- a/app/Auth/Access/Mfa/TotpService.php
+++ b/app/Auth/Access/Mfa/TotpService.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Mfa;
+namespace BookStack\Access\Mfa;

 use BaconQrCode\Renderer\Color\Rgb;
 use BaconQrCode\Renderer\Image\SvgImageBackEnd;
@@ -8,7 +8,7 @@ use BaconQrCode\Renderer\ImageRenderer;
 use BaconQrCode\Renderer\RendererStyle\Fill;
 use BaconQrCode\Renderer\RendererStyle\RendererStyle;
 use BaconQrCode\Writer;
-use BookStack\Auth\User;
+use BookStack\Users\Models\User;
 use PragmaRX\Google2FA\Google2FA;
 use PragmaRX\Google2FA\Support\Constants;

--- a/app/Auth/Access/Mfa/TotpValidationRule.php
+++ b/app/Auth/Access/Mfa/TotpValidationRule.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Mfa;
+namespace BookStack\Access\Mfa;

 use Illuminate\Contracts\Validation\Rule;

--- a/app/Auth/Access/Oidc/OidcAccessToken.php
+++ b/app/Auth/Access/Oidc/OidcAccessToken.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use InvalidArgumentException;
 use League\OAuth2\Client\Token\AccessToken;
--- a/app/Auth/Access/Oidc/OidcException.php
+++ b/app/Auth/Access/Oidc/OidcException.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use Exception;

--- a/app/Auth/Access/Oidc/OidcIdToken.php
+++ b/app/Auth/Access/Oidc/OidcIdToken.php
@@ -1,38 +1,19 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 class OidcIdToken
 {
-    /**
-     * @var array
-     */
-    protected $header;
-
-    /**
-     * @var array
-     */
-    protected $payload;
-
-    /**
-     * @var string
-     */
-    protected $signature;
+    protected array $header;
+    protected array $payload;
+    protected string $signature;
+    protected string $issuer;
+    protected array $tokenParts = [];

    /**
     * @var array[]|string[]
     */
-    protected $keys;
-
-    /**
-     * @var string
-     */
-    protected $issuer;
-
-    /**
-     * @var array
-     */
-    protected $tokenParts = [];
+    protected array $keys;

    public function __construct(string $token, string $issuer, array $keys)
    {
@@ -106,6 +87,14 @@ class OidcIdToken
        return $this->payload;
    }

+    /**
+     * Replace the existing claim data of this token with that provided.
+     */
+    public function replaceClaims(array $claims): void
+    {
+        $this->payload = $claims;
+    }
+
    /**
     * Validate the structure of the given token and ensure we have the required pieces.
     * As per https://datatracker.ietf.org/doc/html/rfc7519#section-7.2.
--- a/app/Auth/Access/Oidc/OidcInvalidKeyException.php
+++ b/app/Auth/Access/Oidc/OidcInvalidKeyException.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 class OidcInvalidKeyException extends \Exception
 {
--- a/app/Auth/Access/Oidc/OidcInvalidTokenException.php
+++ b/app/Auth/Access/Oidc/OidcInvalidTokenException.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use Exception;

--- a/app/Auth/Access/Oidc/OidcIssuerDiscoveryException.php
+++ b/app/Auth/Access/Oidc/OidcIssuerDiscoveryException.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use Exception;

--- a/app/Auth/Access/Oidc/OidcJwtSigningKey.php
+++ b/app/Auth/Access/Oidc/OidcJwtSigningKey.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use phpseclib3\Crypt\Common\PublicKey;
 use phpseclib3\Crypt\PublicKeyLoader;
@@ -67,11 +67,10 @@ class OidcJwtSigningKey
            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
        }

-        if (empty($jwk['use'])) {
-            throw new OidcInvalidKeyException('A "use" parameter on the provided key is expected');
-        }
-
-        if ($jwk['use'] !== 'sig') {
+        // 'use' is optional for a JWK but we assume 'sig' where no value exists since that's what
+        // the OIDC discovery spec infers since 'sig' MUST be set if encryption keys come into play.
+        $use = $jwk['use'] ?? 'sig';
+        if ($use !== 'sig') {
            throw new OidcInvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");
        }

--- a/app/Auth/Access/Oidc/OidcOAuthProvider.php
+++ b/app/Auth/Access/Oidc/OidcOAuthProvider.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use League\OAuth2\Client\Grant\AbstractGrant;
 use League\OAuth2\Client\Provider\AbstractProvider;
--- a/app/Auth/Access/Oidc/OidcProviderSettings.php
+++ b/app/Auth/Access/Oidc/OidcProviderSettings.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

 use GuzzleHttp\Psr7\Request;
 use Illuminate\Contracts\Cache\Repository;
@@ -15,40 +15,17 @@ use Psr\Http\Client\ClientInterface;
 */
 class OidcProviderSettings
 {
-    /**
-     * @var string
-     */
-    public $issuer;
-
-    /**
-     * @var string
-     */
-    public $clientId;
-
-    /**
-     * @var string
-     */
-    public $clientSecret;
-
-    /**
-     * @var string
-     */
-    public $redirectUri;
-
-    /**
-     * @var string
-     */
-    public $authorizationEndpoint;
-
-    /**
-     * @var string
-     */
-    public $tokenEndpoint;
+    public string $issuer;
+    public string $clientId;
+    public string $clientSecret;
+    public ?string $redirectUri;
+    public ?string $authorizationEndpoint;
+    public ?string $tokenEndpoint;

    /**
     * @var string[]|array[]
     */
-    public $keys = [];
+    public ?array $keys = [];

    public function __construct(array $settings)
    {
@@ -164,9 +141,10 @@ class OidcProviderSettings
    protected function filterKeys(array $keys): array
    {
        return array_filter($keys, function (array $key) {
-            $alg = $key['alg'] ?? null;
+            $alg = $key['alg'] ?? 'RS256';
+            $use = $key['use'] ?? 'sig';

-            return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) || $alg === 'RS256');
+            return $key['kty'] === 'RSA' && $use === 'sig' && $alg === 'RS256';
        });
    }

--- a/app/Auth/Access/Oidc/OidcService.php
+++ b/app/Auth/Access/Oidc/OidcService.php
@@ -1,23 +1,21 @@
 <?php

-namespace BookStack\Auth\Access\Oidc;
+namespace BookStack\Access\Oidc;

-use function auth;
-use BookStack\Auth\Access\GroupSyncService;
-use BookStack\Auth\Access\LoginService;
-use BookStack\Auth\Access\RegistrationService;
-use BookStack\Auth\User;
+use BookStack\Access\GroupSyncService;
+use BookStack\Access\LoginService;
+use BookStack\Access\RegistrationService;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\StoppedAuthenticationException;
 use BookStack\Exceptions\UserRegistrationException;
-use function config;
+use BookStack\Facades\Theme;
+use BookStack\Theming\ThemeEvents;
+use BookStack\Users\Models\User;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Cache;
 use League\OAuth2\Client\OptionProvider\HttpBasicAuthOptionProvider;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use Psr\Http\Client\ClientInterface as HttpClient;
-use function trans;
-use function url;

 /**
 * Class OpenIdConnectService
@@ -25,24 +23,12 @@ use function url;
 */
 class OidcService
 {
-    protected RegistrationService $registrationService;
-    protected LoginService $loginService;
-    protected HttpClient $httpClient;
-    protected GroupSyncService $groupService;
-
-    /**
-     * OpenIdService constructor.
-     */
    public function __construct(
-        RegistrationService $registrationService,
-        LoginService $loginService,
-        HttpClient $httpClient,
-        GroupSyncService $groupService
+        protected RegistrationService $registrationService,
+        protected LoginService $loginService,
+        protected HttpClient $httpClient,
+        protected GroupSyncService $groupService
    ) {
-        $this->registrationService = $registrationService;
-        $this->loginService = $loginService;
-        $this->httpClient = $httpClient;
-        $this->groupService = $groupService;
    }

    /**
@@ -56,7 +42,6 @@ class OidcService
    {
        $settings = $this->getProviderSettings();
        $provider = $this->getProvider($settings);
-
        return [
            'url'   => $provider->getAuthorizationUrl(),
            'state' => $provider->getState(),
@@ -203,7 +188,8 @@ class OidcService
     */
    protected function getUserDetails(OidcIdToken $token): array
    {
-        $id = $token->getClaim('sub');
+        $idClaim = $this->config()['external_id_claim'];
+        $id = $token->getClaim($idClaim);

        return [
            'external_id' => $id,
@@ -230,6 +216,16 @@ class OidcService
            $settings->keys,
        );

+        $returnClaims = Theme::dispatch(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $idToken->getAllClaims(), [
+            'access_token' => $accessToken->getToken(),
+            'expires_in' => $accessToken->getExpires(),
+            'refresh_token' => $accessToken->getRefreshToken(),
+        ]);
+
+        if (!is_null($returnClaims)) {
+            $idToken->replaceClaims($returnClaims);
+        }
+
        if ($this->config()['dump_user_details']) {
            throw new JsonDebugException($idToken->getAllClaims());
        }
--- a/app/Auth/Access/RegistrationService.php
+++ b/app/Auth/Access/RegistrationService.php
@@ -1,15 +1,14 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Actions\ActivityType;
-use BookStack\Auth\SocialAccount;
-use BookStack\Auth\User;
-use BookStack\Auth\UserRepo;
+use BookStack\Activity\ActivityType;
 use BookStack\Exceptions\UserRegistrationException;
 use BookStack\Facades\Activity;
 use BookStack\Facades\Theme;
 use BookStack\Theming\ThemeEvents;
+use BookStack\Users\Models\User;
+use BookStack\Users\UserRepo;
 use Exception;
 use Illuminate\Support\Str;

--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -1,12 +1,12 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\User;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
 use BookStack\Exceptions\StoppedAuthenticationException;
 use BookStack\Exceptions\UserRegistrationException;
+use BookStack\Users\Models\User;
 use Exception;
 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Constants;
@@ -20,14 +20,11 @@ use OneLogin\Saml2\ValidationError;
 */
 class Saml2Service
 {
-    protected $config;
-    protected $registrationService;
-    protected $loginService;
-    protected $groupSyncService;
+    protected array $config;
+    protected RegistrationService $registrationService;
+    protected LoginService $loginService;
+    protected GroupSyncService $groupSyncService;

-    /**
-     * Saml2Service constructor.
-     */
    public function __construct(
        RegistrationService $registrationService,
        LoginService $loginService,
@@ -70,7 +67,7 @@ class Saml2Service
                $returnRoute,
                [],
                $user->email,
-                null,
+                session()->get('saml2_session_index'),
                true,
                Constants::NAMEID_EMAIL_ADDRESS
            );
@@ -109,9 +106,10 @@ class Saml2Service
        $errors = $toolkit->getErrors();

        if (!empty($errors)) {
-            throw new Error(
-                'Invalid ACS Response: ' . implode(', ', $errors)
-            );
+            $reason = $toolkit->getLastErrorReason();
+            $message = 'Invalid ACS Response; Errors: ' . implode(', ', $errors);
+            $message .= $reason ? "; Reason: {$reason}" : '';
+            throw new Error($message);
        }

        if (!$toolkit->isAuthenticated()) {
@@ -120,6 +118,7 @@ class Saml2Service

        $attrs = $toolkit->getAttributes();
        $id = $toolkit->getNameId();
+        session()->put('saml2_session_index', $toolkit->getSessionIndex());

        return $this->processLoginCallback($id, $attrs);
    }
@@ -168,7 +167,7 @@ class Saml2Service
     */
    public function metadata(): string
    {
-        $toolKit = $this->getToolkit();
+        $toolKit = $this->getToolkit(true);
        $settings = $toolKit->getSettings();
        $metadata = $settings->getSPMetadata();
        $errors = $settings->validateMetadata($metadata);
@@ -189,7 +188,7 @@ class Saml2Service
     * @throws Error
     * @throws Exception
     */
-    protected function getToolkit(): Auth
+    protected function getToolkit(bool $spOnly = false): Auth
    {
        $settings = $this->config['onelogin'];
        $overrides = $this->config['onelogin_overrides'] ?? [];
@@ -199,14 +198,14 @@ class Saml2Service
        }

        $metaDataSettings = [];
-        if ($this->config['autoload_from_metadata']) {
+        if (!$spOnly && $this->config['autoload_from_metadata']) {
            $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']);
        }

        $spSettings = $this->loadOneloginServiceProviderDetails();
        $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);

-        return new Auth($settings);
+        return new Auth($settings, $spOnly);
    }

    /**
--- a/app/Access/SocialAccount.php
+++ b/app/Access/SocialAccount.php
@@ -1,9 +1,10 @@
 <?php

-namespace BookStack\Auth;
+namespace BookStack\Access;

-use BookStack\Interfaces\Loggable;
-use BookStack\Model;
+use BookStack\Activity\Models\Loggable;
+use BookStack\App\Model;
+use BookStack\Users\Models\User;

 /**
 * Class SocialAccount.
--- a/app/Auth/Access/SocialAuthService.php
+++ b/app/Auth/Access/SocialAuthService.php
@@ -1,12 +1,12 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\SocialAccount;
-use BookStack\Auth\User;
+use BookStack\Auth\Access\handler;
 use BookStack\Exceptions\SocialDriverNotConfigured;
 use BookStack\Exceptions\SocialSignInAccountNotUsed;
 use BookStack\Exceptions\UserRegistrationException;
+use BookStack\Users\Models\User;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Str;
 use Laravel\Socialite\Contracts\Factory as Socialite;
--- a/app/Auth/Access/UserInviteService.php
+++ b/app/Auth/Access/UserInviteService.php
@@ -1,20 +1,18 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\User;
 use BookStack\Notifications\UserInvite;
+use BookStack\Users\Models\User;

 class UserInviteService extends UserTokenService
 {
-    protected $tokenTable = 'user_invites';
-    protected $expiryTime = 336; // Two weeks
+    protected string $tokenTable = 'user_invites';
+    protected int $expiryTime = 336; // Two weeks

    /**
     * Send an invitation to a user to sign into BookStack
     * Removes existing invitation tokens.
-     *
-     * @param User $user
     */
    public function sendInvitation(User $user)
    {
--- a/app/Auth/Access/UserTokenService.php
+++ b/app/Auth/Access/UserTokenService.php
@@ -1,10 +1,10 @@
 <?php

-namespace BookStack\Auth\Access;
+namespace BookStack\Access;

-use BookStack\Auth\User;
 use BookStack\Exceptions\UserTokenExpiredException;
 use BookStack\Exceptions\UserTokenNotFoundException;
+use BookStack\Users\Models\User;
 use Carbon\Carbon;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Str;
@@ -14,41 +14,29 @@ class UserTokenService
 {
    /**
     * Name of table where user tokens are stored.
-     *
-     * @var string
     */
-    protected $tokenTable = 'user_tokens';
+    protected string $tokenTable = 'user_tokens';

    /**
     * Token expiry time in hours.
-     *
-     * @var int
     */
-    protected $expiryTime = 24;
+    protected int $expiryTime = 24;

    /**
-     * Delete all email confirmations that belong to a user.
-     *
-     * @param User $user
-     *
-     * @return mixed
+     * Delete all tokens that belong to a user.
     */
-    public function deleteByUser(User $user)
+    public function deleteByUser(User $user): void
    {
-        return DB::table($this->tokenTable)
+        DB::table($this->tokenTable)
            ->where('user_id', '=', $user->id)
            ->delete();
    }

    /**
-     * Get the user id from a token, while check the token exists and has not expired.
-     *
-     * @param string $token
+     * Get the user id from a token, while checking the token exists and has not expired.
     *
     * @throws UserTokenNotFoundException
     * @throws UserTokenExpiredException
-     *
-     * @return int
     */
    public function checkTokenAndGetUserId(string $token): int
    {
@@ -67,8 +55,6 @@ class UserTokenService

    /**
     * Creates a unique token within the email confirmation database.
-     *
-     * @return string
     */
    protected function generateToken(): string
    {
@@ -82,10 +68,6 @@ class UserTokenService

    /**
     * Generate and store a token for the given user.
-     *
-     * @param User $user
-     *
-     * @return string
     */
    protected function createTokenForUser(User $user): string
    {
@@ -102,10 +84,6 @@ class UserTokenService

    /**
     * Check if the given token exists.
-     *
-     * @param string $token
-     *
-     * @return bool
     */
    protected function tokenExists(string $token): bool
    {
@@ -115,12 +93,8 @@ class UserTokenService

    /**
     * Get a token entry for the given token.
-     *
-     * @param string $token
-     *
-     * @return object|null
     */
-    protected function getEntryByToken(string $token)
+    protected function getEntryByToken(string $token): ?stdClass
    {
        return DB::table($this->tokenTable)
            ->where('token', '=', $token)
@@ -129,10 +103,6 @@ class UserTokenService

    /**
     * Check if the given token entry has expired.
-     *
-     * @param stdClass $tokenEntry
-     *
-     * @return bool
     */
    protected function entryExpired(stdClass $tokenEntry): bool
    {
--- a/app/Actions/Favourite.php
+++ b/app/Actions/Favourite.php
@@ -1,19 +0,0 @@
-<?php
-
-namespace BookStack\Actions;
-
-use BookStack\Model;
-use Illuminate\Database\Eloquent\Relations\MorphTo;
-
-class Favourite extends Model
-{
-    protected $fillable = ['user_id'];
-
-    /**
-     * Get the related model that can be favourited.
-     */
-    public function favouritable(): MorphTo
-    {
-        return $this->morphTo();
-    }
-}
--- a/app/Activity/ActivityQueries.php
+++ b/app/Activity/ActivityQueries.php
@@ -1,13 +1,14 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity;

-use BookStack\Auth\Permissions\PermissionApplicator;
-use BookStack\Auth\User;
+use BookStack\Activity\Models\Activity;
 use BookStack\Entities\Models\Book;
 use BookStack\Entities\Models\Chapter;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\Page;
+use BookStack\Permissions\PermissionApplicator;
+use BookStack\Users\Models\User;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Relations\Relation;

--- a/app/Activity/ActivityType.php
+++ b/app/Activity/ActivityType.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity;

 class ActivityType
 {
@@ -27,6 +27,10 @@ class ActivityType
    const BOOKSHELF_DELETE = 'bookshelf_delete';

    const COMMENTED_ON = 'commented_on';
+    const COMMENT_CREATE = 'comment_create';
+    const COMMENT_UPDATE = 'comment_update';
+    const COMMENT_DELETE = 'comment_delete';
+
    const PERMISSIONS_UPDATE = 'permissions_update';

    const REVISION_RESTORE = 'revision_restore';
--- a/app/Activity/CommentRepo.php
+++ b/app/Activity/CommentRepo.php
@@ -1,32 +1,20 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity;

+use BookStack\Activity\Models\Comment;
 use BookStack\Entities\Models\Entity;
 use BookStack\Facades\Activity as ActivityService;
 use League\CommonMark\CommonMarkConverter;

-/**
- * Class CommentRepo.
- */
 class CommentRepo
 {
-    /**
-     * @var Comment
-     */
-    protected $comment;
-
-    public function __construct(Comment $comment)
-    {
-        $this->comment = $comment;
-    }
-
    /**
     * Get a comment by ID.
     */
    public function getById(int $id): Comment
    {
-        return $this->comment->newQuery()->findOrFail($id);
+        return Comment::query()->findOrFail($id);
    }

    /**
@@ -35,7 +23,7 @@ class CommentRepo
    public function create(Entity $entity, string $text, ?int $parent_id): Comment
    {
        $userId = user()->id;
-        $comment = $this->comment->newInstance();
+        $comment = new Comment();

        $comment->text = $text;
        $comment->html = $this->commentToHtml($text);
@@ -45,6 +33,7 @@ class CommentRepo
        $comment->parent_id = $parent_id;

        $entity->comments()->save($comment);
+        ActivityService::add(ActivityType::COMMENT_CREATE, $comment);
        ActivityService::add(ActivityType::COMMENTED_ON, $entity);

        return $comment;
@@ -60,6 +49,8 @@ class CommentRepo
        $comment->html = $this->commentToHtml($text);
        $comment->save();

+        ActivityService::add(ActivityType::COMMENT_UPDATE, $comment);
+
        return $comment;
    }

@@ -69,6 +60,8 @@ class CommentRepo
    public function delete(Comment $comment): void
    {
        $comment->delete();
+
+        ActivityService::add(ActivityType::COMMENT_DELETE, $comment);
    }

    /**
@@ -82,7 +75,7 @@ class CommentRepo
            'allow_unsafe_links' => false,
        ]);

-        return $converter->convertToHtml($commentText);
+        return $converter->convert($commentText);
    }

    /**
@@ -90,9 +83,8 @@ class CommentRepo
     */
    protected function getNextLocalId(Entity $entity): int
    {
-        /** @var Comment $comment */
-        $comment = $entity->comments(false)->orderBy('local_id', 'desc')->first();
+        $currentMaxId = $entity->comments()->max('local_id');

-        return ($comment->local_id ?? 0) + 1;
+        return $currentMaxId + 1;
    }
 }
--- a/app/Activity/Controllers/AuditLogController.php
+++ b/app/Activity/Controllers/AuditLogController.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace BookStack\Activity\Controllers;
+
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\Models\Activity;
+use BookStack\Http\Controller;
+use BookStack\Util\SimpleListOptions;
+use Illuminate\Http\Request;
+
+class AuditLogController extends Controller
+{
+    public function index(Request $request)
+    {
+        $this->checkPermission('settings-manage');
+        $this->checkPermission('users-manage');
+
+        $sort = $request->get('sort', 'activity_date');
+        $order = $request->get('order', 'desc');
+        $listOptions = (new SimpleListOptions('', $sort, $order))->withSortOptions([
+            'created_at' => trans('settings.audit_table_date'),
+            'type' => trans('settings.audit_table_event'),
+        ]);
+
+        $filters = [
+            'event'     => $request->get('event', ''),
+            'date_from' => $request->get('date_from', ''),
+            'date_to'   => $request->get('date_to', ''),
+            'user'      => $request->get('user', ''),
+            'ip'        => $request->get('ip', ''),
+        ];
+
+        $query = Activity::query()
+            ->with([
+                'entity' => fn ($query) => $query->withTrashed(),
+                'user',
+            ])
+            ->orderBy($listOptions->getSort(), $listOptions->getOrder());
+
+        if ($filters['event']) {
+            $query->where('type', '=', $filters['event']);
+        }
+        if ($filters['user']) {
+            $query->where('user_id', '=', $filters['user']);
+        }
+
+        if ($filters['date_from']) {
+            $query->where('created_at', '>=', $filters['date_from']);
+        }
+        if ($filters['date_to']) {
+            $query->where('created_at', '<=', $filters['date_to']);
+        }
+        if ($filters['ip']) {
+            $query->where('ip', 'like', $filters['ip'] . '%');
+        }
+
+        $activities = $query->paginate(100);
+        $activities->appends($request->all());
+
+        $types = ActivityType::all();
+        $this->setPageTitle(trans('settings.audit'));
+
+        return view('settings.audit', [
+            'activities'    => $activities,
+            'filters'       => $filters,
+            'listOptions'   => $listOptions,
+            'activityTypes' => $types,
+        ]);
+    }
+}
--- a/app/Activity/Controllers/CommentController.php
+++ b/app/Activity/Controllers/CommentController.php
@@ -1,19 +1,18 @@
 <?php

-namespace BookStack\Http\Controllers;
+namespace BookStack\Activity\Controllers;

-use BookStack\Actions\CommentRepo;
+use BookStack\Activity\CommentRepo;
 use BookStack\Entities\Models\Page;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;

 class CommentController extends Controller
 {
-    protected $commentRepo;
-
-    public function __construct(CommentRepo $commentRepo)
-    {
-        $this->commentRepo = $commentRepo;
+    public function __construct(
+        protected CommentRepo $commentRepo
+    ) {
    }

    /**
@@ -42,7 +41,13 @@ class CommentController extends Controller
        $this->checkPermission('comment-create-all');
        $comment = $this->commentRepo->create($page, $request->get('text'), $request->get('parent_id'));

-        return view('comments.comment', ['comment' => $comment]);
+        return view('comments.comment-branch', [
+            'readOnly' => false,
+            'branch' => [
+                'comment' => $comment,
+                'children' => [],
+            ]
+        ]);
    }

    /**
@@ -62,7 +67,7 @@ class CommentController extends Controller

        $comment = $this->commentRepo->update($comment, $request->get('text'));

-        return view('comments.comment', ['comment' => $comment]);
+        return view('comments.comment', ['comment' => $comment, 'readOnly' => false]);
    }

    /**
--- a/app/Activity/Controllers/FavouriteController.php
+++ b/app/Activity/Controllers/FavouriteController.php
@@ -1,11 +1,12 @@
 <?php

-namespace BookStack\Http\Controllers;
+namespace BookStack\Activity\Controllers;

+use BookStack\Activity\Models\Favouritable;
+use BookStack\App\Model;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Queries\TopFavourites;
-use BookStack\Interfaces\Favouritable;
-use BookStack\Model;
+use BookStack\Http\Controller;
 use Illuminate\Http\Request;

 class FavouriteController extends Controller
@@ -87,7 +88,7 @@ class FavouriteController extends Controller

        $modelInstance = $model->newQuery()
            ->where('id', '=', $modelInfo['id'])
-            ->first(['id', 'name', 'restricted', 'owned_by']);
+            ->first(['id', 'name', 'owned_by']);

        $inaccessibleEntity = ($modelInstance instanceof Entity && !userCan('view', $modelInstance));
        if (is_null($modelInstance) || $inaccessibleEntity) {
--- a/app/Activity/Controllers/TagController.php
+++ b/app/Activity/Controllers/TagController.php
@@ -1,20 +1,17 @@
 <?php

-namespace BookStack\Http\Controllers;
+namespace BookStack\Activity\Controllers;

-use BookStack\Actions\TagRepo;
+use BookStack\Activity\TagRepo;
+use BookStack\Http\Controller;
+use BookStack\Util\SimpleListOptions;
 use Illuminate\Http\Request;

 class TagController extends Controller
 {
-    protected $tagRepo;
-
-    /**
-     * TagController constructor.
-     */
-    public function __construct(TagRepo $tagRepo)
-    {
-        $this->tagRepo = $tagRepo;
+    public function __construct(
+        protected TagRepo $tagRepo
+    ) {
    }

    /**
@@ -22,22 +19,25 @@ class TagController extends Controller
     */
    public function index(Request $request)
    {
-        $search = $request->get('search', '');
+        $listOptions = SimpleListOptions::fromRequest($request, 'tags')->withSortOptions([
+            'name' => trans('common.sort_name'),
+            'usages' => trans('entities.tags_usages'),
+        ]);
+
        $nameFilter = $request->get('name', '');
        $tags = $this->tagRepo
-            ->queryWithTotals($search, $nameFilter)
+            ->queryWithTotals($listOptions, $nameFilter)
            ->paginate(50)
-            ->appends(array_filter([
-                'search' => $search,
+            ->appends(array_filter(array_merge($listOptions->getPaginationAppends(), [
                'name'   => $nameFilter,
-            ]));
+            ])));

        $this->setPageTitle(trans('entities.tags'));

        return view('tags.index', [
-            'tags'       => $tags,
-            'search'     => $search,
-            'nameFilter' => $nameFilter,
+            'tags'        => $tags,
+            'nameFilter'  => $nameFilter,
+            'listOptions' => $listOptions,
        ]);
    }

@@ -46,7 +46,7 @@ class TagController extends Controller
     */
    public function getNameSuggestions(Request $request)
    {
-        $searchTerm = $request->get('search', null);
+        $searchTerm = $request->get('search', '');
        $suggestions = $this->tagRepo->getNameSuggestions($searchTerm);

        return response()->json($suggestions);
@@ -57,8 +57,8 @@ class TagController extends Controller
     */
    public function getValueSuggestions(Request $request)
    {
-        $searchTerm = $request->get('search', null);
-        $tagName = $request->get('name', null);
+        $searchTerm = $request->get('search', '');
+        $tagName = $request->get('name', '');
        $suggestions = $this->tagRepo->getValueSuggestions($searchTerm, $tagName);

        return response()->json($suggestions);
--- a/app/Activity/Controllers/WatchController.php
+++ b/app/Activity/Controllers/WatchController.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace BookStack\Activity\Controllers;
+
+use BookStack\Activity\Tools\UserEntityWatchOptions;
+use BookStack\App\Model;
+use BookStack\Entities\Models\Entity;
+use BookStack\Http\Controller;
+use Exception;
+use Illuminate\Http\Request;
+use Illuminate\Validation\ValidationException;
+
+class WatchController extends Controller
+{
+    public function update(Request $request)
+    {
+        $this->checkPermission('receive-notifications');
+        $this->preventGuestAccess();
+
+        $requestData = $this->validate($request, [
+            'level' => ['required', 'string'],
+        ]);
+
+        $watchable = $this->getValidatedModelFromRequest($request);
+        $watchOptions = new UserEntityWatchOptions(user(), $watchable);
+        $watchOptions->updateLevelByName($requestData['level']);
+
+        $this->showSuccessNotification(trans('activities.watch_update_level_notification'));
+
+        return redirect()->back();
+    }
+
+    /**
+     * @throws ValidationException
+     * @throws Exception
+     */
+    protected function getValidatedModelFromRequest(Request $request): Entity
+    {
+        $modelInfo = $this->validate($request, [
+            'type' => ['required', 'string'],
+            'id'   => ['required', 'integer'],
+        ]);
+
+        if (!class_exists($modelInfo['type'])) {
+            throw new Exception('Model not found');
+        }
+
+        /** @var Model $model */
+        $model = new $modelInfo['type']();
+        if (!$model instanceof Entity) {
+            throw new Exception('Model not an entity');
+        }
+
+        $modelInstance = $model->newQuery()
+            ->where('id', '=', $modelInfo['id'])
+            ->first(['id', 'name', 'owned_by']);
+
+        $inaccessibleEntity = ($modelInstance instanceof Entity && !userCan('view', $modelInstance));
+        if (is_null($modelInstance) || $inaccessibleEntity) {
+            throw new Exception('Model instance not found');
+        }
+
+        return $modelInstance;
+    }
+}
--- a/app/Activity/Controllers/WebhookController.php
+++ b/app/Activity/Controllers/WebhookController.php
@@ -1,9 +1,12 @@
 <?php

-namespace BookStack\Http\Controllers;
+namespace BookStack\Activity\Controllers;

-use BookStack\Actions\ActivityType;
-use BookStack\Actions\Webhook;
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\Models\Webhook;
+use BookStack\Activity\Queries\WebhooksAllPaginatedAndSorted;
+use BookStack\Http\Controller;
+use BookStack\Util\SimpleListOptions;
 use Illuminate\Http\Request;

 class WebhookController extends Controller
@@ -18,16 +21,25 @@ class WebhookController extends Controller
    /**
     * Show all webhooks configured in the system.
     */
-    public function index()
+    public function index(Request $request)
    {
-        $webhooks = Webhook::query()
-            ->orderBy('name', 'desc')
-            ->with('trackedEvents')
-            ->get();
+        $listOptions = SimpleListOptions::fromRequest($request, 'webhooks')->withSortOptions([
+            'name' => trans('common.sort_name'),
+            'endpoint'  => trans('settings.webhooks_endpoint'),
+            'created_at' => trans('common.sort_created_at'),
+            'updated_at' => trans('common.sort_updated_at'),
+            'active'     => trans('common.status'),
+        ]);
+
+        $webhooks = (new WebhooksAllPaginatedAndSorted())->run(20, $listOptions);
+        $webhooks->appends($listOptions->getPaginationAppends());

        $this->setPageTitle(trans('settings.webhooks'));

-        return view('settings.webhooks.index', ['webhooks' => $webhooks]);
+        return view('settings.webhooks.index', [
+            'webhooks'    => $webhooks,
+            'listOptions' => $listOptions,
+        ]);
    }

    /**
--- a/app/Activity/DispatchWebhookJob.php
+++ b/app/Activity/DispatchWebhookJob.php
@@ -1,11 +1,14 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity;

-use BookStack\Auth\User;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Models\Webhook;
+use BookStack\Activity\Tools\WebhookFormatter;
 use BookStack\Facades\Theme;
-use BookStack\Interfaces\Loggable;
 use BookStack\Theming\ThemeEvents;
+use BookStack\Users\Models\User;
+use BookStack\Util\SsrUrlValidator;
 use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
@@ -22,27 +25,23 @@ class DispatchWebhookJob implements ShouldQueue
    use SerializesModels;

    protected Webhook $webhook;
-    protected string $event;
    protected User $initiator;
    protected int $initiatedTime;
-
-    /**
-     * @var string|Loggable
-     */
-    protected $detail;
+    protected array $webhookData;

    /**
     * Create a new job instance.
     *
     * @return void
     */
-    public function __construct(Webhook $webhook, string $event, $detail)
+    public function __construct(Webhook $webhook, string $event, Loggable|string $detail)
    {
        $this->webhook = $webhook;
-        $this->event = $event;
-        $this->detail = $detail;
        $this->initiator = user();
        $this->initiatedTime = time();
+
+        $themeResponse = Theme::dispatch(ThemeEvents::WEBHOOK_CALL_BEFORE, $event, $this->webhook, $detail, $this->initiator, $this->initiatedTime);
+        $this->webhookData =  $themeResponse ?? WebhookFormatter::getDefault($event, $this->webhook, $detail, $this->initiator, $this->initiatedTime)->format();
    }

    /**
@@ -52,15 +51,15 @@ class DispatchWebhookJob implements ShouldQueue
     */
    public function handle()
    {
-        $themeResponse = Theme::dispatch(ThemeEvents::WEBHOOK_CALL_BEFORE, $this->event, $this->webhook, $this->detail, $this->initiator, $this->initiatedTime);
-        $webhookData = $themeResponse ?? WebhookFormatter::getDefault($this->event, $this->webhook, $this->detail, $this->initiator, $this->initiatedTime)->format();
        $lastError = null;

        try {
+            (new SsrUrlValidator())->ensureAllowed($this->webhook->endpoint);
+
            $response = Http::asJson()
                ->withOptions(['allow_redirects' => ['strict' => true]])
                ->timeout($this->webhook->timeout)
-                ->post($this->webhook->endpoint, $webhookData);
+                ->post($this->webhook->endpoint, $this->webhookData);
        } catch (\Exception $exception) {
            $lastError = $exception->getMessage();
            Log::error("Webhook call to endpoint {$this->webhook->endpoint} failed with error \"{$lastError}\"");
--- a/app/Activity/Models/Activity.php
+++ b/app/Activity/Models/Activity.php
@@ -1,11 +1,13 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

-use BookStack\Auth\User;
+use BookStack\App\Model;
 use BookStack\Entities\Models\Entity;
-use BookStack\Model;
+use BookStack\Permissions\Models\JointPermission;
+use BookStack\Users\Models\User;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Relations\MorphTo;
 use Illuminate\Support\Str;

@@ -17,6 +19,8 @@ use Illuminate\Support\Str;
 * @property string $entity_type
 * @property int    $entity_id
 * @property int    $user_id
+ * @property Carbon $created_at
+ * @property Carbon $updated_at
 */
 class Activity extends Model
 {
@@ -40,6 +44,12 @@ class Activity extends Model
        return $this->belongsTo(User::class);
    }

+    public function jointPermissions(): HasMany
+    {
+        return $this->hasMany(JointPermission::class, 'entity_id', 'entity_id')
+            ->whereColumn('activities.entity_type', '=', 'joint_permissions.entity_type');
+    }
+
    /**
     * Returns text from the language files, Looks up by using the activity key.
     */
--- a/app/Activity/Models/Comment.php
+++ b/app/Activity/Models/Comment.php
@@ -1,10 +1,11 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

-use BookStack\Model;
-use BookStack\Traits\HasCreatorAndUpdater;
+use BookStack\App\Model;
+use BookStack\Users\Models\HasCreatorAndUpdater;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\MorphTo;

 /**
@@ -13,8 +14,10 @@ use Illuminate\Database\Eloquent\Relations\MorphTo;
 * @property string   $html
 * @property int|null $parent_id
 * @property int      $local_id
+ * @property string   $entity_type
+ * @property int      $entity_id
 */
-class Comment extends Model
+class Comment extends Model implements Loggable
 {
    use HasFactory;
    use HasCreatorAndUpdater;
@@ -30,6 +33,14 @@ class Comment extends Model
        return $this->morphTo('entity');
    }

+    /**
+     * Get the parent comment this is in reply to (if existing).
+     */
+    public function parent(): BelongsTo
+    {
+        return $this->belongsTo(Comment::class);
+    }
+
    /**
     * Check if a comment has been updated since creation.
     */
@@ -40,21 +51,22 @@ class Comment extends Model

    /**
     * Get created date as a relative diff.
-     *
-     * @return mixed
     */
-    public function getCreatedAttribute()
+    public function getCreatedAttribute(): string
    {
        return $this->created_at->diffForHumans();
    }

    /**
     * Get updated date as a relative diff.
-     *
-     * @return mixed
     */
-    public function getUpdatedAttribute()
+    public function getUpdatedAttribute(): string
    {
        return $this->updated_at->diffForHumans();
    }
+
+    public function logDescriptor(): string
+    {
+        return "Comment #{$this->local_id} (ID: {$this->id}) for {$this->entity_type} (ID: {$this->entity_id})";
+    }
 }
--- a/app/Activity/Models/Favouritable.php
+++ b/app/Activity/Models/Favouritable.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Interfaces;
+namespace BookStack\Activity\Models;

 use Illuminate\Database\Eloquent\Relations\MorphMany;

--- a/app/Activity/Models/Favourite.php
+++ b/app/Activity/Models/Favourite.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace BookStack\Activity\Models;
+
+use BookStack\App\Model;
+use BookStack\Permissions\Models\JointPermission;
+use Illuminate\Database\Eloquent\Relations\HasMany;
+use Illuminate\Database\Eloquent\Relations\MorphTo;
+
+class Favourite extends Model
+{
+    protected $fillable = ['user_id'];
+
+    /**
+     * Get the related model that can be favourited.
+     */
+    public function favouritable(): MorphTo
+    {
+        return $this->morphTo();
+    }
+
+    public function jointPermissions(): HasMany
+    {
+        return $this->hasMany(JointPermission::class, 'entity_id', 'favouritable_id')
+            ->whereColumn('favourites.favouritable_type', '=', 'joint_permissions.entity_type');
+    }
+}
--- a/app/Activity/Models/Loggable.php
+++ b/app/Activity/Models/Loggable.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Interfaces;
+namespace BookStack\Activity\Models;

 interface Loggable
 {
--- a/app/Activity/Models/Tag.php
+++ b/app/Activity/Models/Tag.php
@@ -1,9 +1,11 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

-use BookStack\Model;
+use BookStack\App\Model;
+use BookStack\Permissions\Models\JointPermission;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Relations\MorphTo;

 /**
@@ -27,6 +29,12 @@ class Tag extends Model
        return $this->morphTo('entity');
    }

+    public function jointPermissions(): HasMany
+    {
+        return $this->hasMany(JointPermission::class, 'entity_id', 'entity_id')
+            ->whereColumn('tags.entity_type', '=', 'joint_permissions.entity_type');
+    }
+
    /**
     * Get a full URL to start a tag name search for this tag name.
     */
--- a/app/Activity/Models/View.php
+++ b/app/Activity/Models/View.php
@@ -1,9 +1,10 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

-use BookStack\Interfaces\Viewable;
-use BookStack\Model;
+use BookStack\App\Model;
+use BookStack\Permissions\Models\JointPermission;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Database\Eloquent\Relations\MorphTo;

 /**
@@ -28,6 +29,12 @@ class View extends Model
        return $this->morphTo();
    }

+    public function jointPermissions(): HasMany
+    {
+        return $this->hasMany(JointPermission::class, 'entity_id', 'viewable_id')
+            ->whereColumn('views.viewable_type', '=', 'joint_permissions.entity_type');
+    }
+
    /**
     * Increment the current user's view count for the given viewable model.
     */
@@ -47,12 +54,4 @@ class View extends Model

        return $view->views;
    }
-
-    /**
-     * Clear all views from the system.
-     */
-    public static function clearAll()
-    {
-        static::query()->truncate();
-    }
 }
--- a/app/Activity/Models/Viewable.php
+++ b/app/Activity/Models/Viewable.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Interfaces;
+namespace BookStack\Activity\Models;

 use Illuminate\Database\Eloquent\Relations\MorphMany;

--- a/app/Activity/Models/Watch.php
+++ b/app/Activity/Models/Watch.php
@@ -0,0 +1,45 @@
+<?php
+
+namespace BookStack\Activity\Models;
+
+use BookStack\Activity\WatchLevels;
+use BookStack\Permissions\Models\JointPermission;
+use Carbon\Carbon;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\HasMany;
+use Illuminate\Database\Eloquent\Relations\MorphTo;
+
+/**
+ * @property int $id
+ * @property int $user_id
+ * @property int $watchable_id
+ * @property string $watchable_type
+ * @property int $level
+ * @property Carbon $created_at
+ * @property Carbon $updated_at
+ */
+class Watch extends Model
+{
+    protected $guarded = [];
+
+    public function watchable(): MorphTo
+    {
+        return $this->morphTo();
+    }
+
+    public function jointPermissions(): HasMany
+    {
+        return $this->hasMany(JointPermission::class, 'entity_id', 'watchable_id')
+            ->whereColumn('watches.watchable_type', '=', 'joint_permissions.entity_type');
+    }
+
+    public function getLevelName(): string
+    {
+        return WatchLevels::levelValueToName($this->level);
+    }
+
+    public function ignoring(): bool
+    {
+        return $this->level === WatchLevels::IGNORE;
+    }
+}
--- a/app/Activity/Models/Webhook.php
+++ b/app/Activity/Models/Webhook.php
@@ -1,8 +1,8 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

-use BookStack\Interfaces\Loggable;
+use BookStack\Activity\ActivityType;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -22,10 +22,10 @@ use Illuminate\Database\Eloquent\Relations\HasMany;
 */
 class Webhook extends Model implements Loggable
 {
-    protected $fillable = ['name', 'endpoint', 'timeout'];
-
    use HasFactory;

+    protected $fillable = ['name', 'endpoint', 'timeout'];
+
    protected $casts = [
        'last_called_at'  => 'datetime',
        'last_errored_at' => 'datetime',
--- a/app/Activity/Models/WebhookTrackedEvent.php
+++ b/app/Activity/Models/WebhookTrackedEvent.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Models;

 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -12,7 +12,7 @@ use Illuminate\Database\Eloquent\Model;
 */
 class WebhookTrackedEvent extends Model
 {
-    protected $fillable = ['event'];
-
    use HasFactory;
+
+    protected $fillable = ['event'];
 }
--- a/app/Activity/Notifications/Handlers/BaseNotificationHandler.php
+++ b/app/Activity/Notifications/Handlers/BaseNotificationHandler.php
@@ -0,0 +1,42 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Handlers;
+
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\Messages\BaseActivityNotification;
+use BookStack\Entities\Models\Entity;
+use BookStack\Permissions\PermissionApplicator;
+use BookStack\Users\Models\User;
+
+abstract class BaseNotificationHandler implements NotificationHandler
+{
+    /**
+     * @param class-string<BaseActivityNotification> $notification
+     * @param int[] $userIds
+     */
+    protected function sendNotificationToUserIds(string $notification, array $userIds, User $initiator, string|Loggable $detail, Entity $relatedModel): void
+    {
+        $users = User::query()->whereIn('id', array_unique($userIds))->get();
+
+        foreach ($users as $user) {
+            // Prevent sending to the user that initiated the activity
+            if ($user->id === $initiator->id) {
+                continue;
+            }
+
+            // Prevent sending of the user does not have notification permissions
+            if (!$user->can('receive-notifications')) {
+                continue;
+            }
+
+            // Prevent sending if the user does not have access to the related content
+            $permissions = new PermissionApplicator($user);
+            if (!$permissions->checkOwnableUserAccess($relatedModel, 'view')) {
+                continue;
+            }
+
+            // Send the notification
+            $user->notify(new $notification($detail, $initiator));
+        }
+    }
+}
--- a/app/Activity/Notifications/Handlers/CommentCreationNotificationHandler.php
+++ b/app/Activity/Notifications/Handlers/CommentCreationNotificationHandler.php
@@ -0,0 +1,48 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Handlers;
+
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Comment;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\Messages\CommentCreationNotification;
+use BookStack\Activity\Tools\EntityWatchers;
+use BookStack\Activity\WatchLevels;
+use BookStack\Entities\Models\Page;
+use BookStack\Settings\UserNotificationPreferences;
+use BookStack\Users\Models\User;
+
+class CommentCreationNotificationHandler extends BaseNotificationHandler
+{
+    public function handle(Activity $activity, Loggable|string $detail, User $user): void
+    {
+        if (!($detail instanceof Comment)) {
+            throw new \InvalidArgumentException("Detail for comment creation notifications must be a comment");
+        }
+
+        // Main watchers
+        /** @var Page $page */
+        $page = $detail->entity;
+        $watchers = new EntityWatchers($page, WatchLevels::COMMENTS);
+        $watcherIds = $watchers->getWatcherUserIds();
+
+        // Page owner if user preferences allow
+        if (!$watchers->isUserIgnoring($page->owned_by) && $page->ownedBy) {
+            $userNotificationPrefs = new UserNotificationPreferences($page->ownedBy);
+            if ($userNotificationPrefs->notifyOnOwnPageComments()) {
+                $watcherIds[] = $page->owned_by;
+            }
+        }
+
+        // Parent comment creator if preferences allow
+        $parentComment = $detail->parent()->first();
+        if ($parentComment && !$watchers->isUserIgnoring($parentComment->created_by) && $parentComment->createdBy) {
+            $parentCommenterNotificationsPrefs = new UserNotificationPreferences($parentComment->createdBy);
+            if ($parentCommenterNotificationsPrefs->notifyOnCommentReplies()) {
+                $watcherIds[] = $parentComment->created_by;
+            }
+        }
+
+        $this->sendNotificationToUserIds(CommentCreationNotification::class, $watcherIds, $user, $detail, $page);
+    }
+}
--- a/app/Activity/Notifications/Handlers/NotificationHandler.php
+++ b/app/Activity/Notifications/Handlers/NotificationHandler.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Handlers;
+
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Users\Models\User;
+
+interface NotificationHandler
+{
+    /**
+     * Run this handler.
+     * Provides the activity, related activity detail/model
+     * along with the user that triggered the activity.
+     */
+    public function handle(Activity $activity, string|Loggable $detail, User $user): void;
+}
--- a/app/Activity/Notifications/Handlers/PageCreationNotificationHandler.php
+++ b/app/Activity/Notifications/Handlers/PageCreationNotificationHandler.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Handlers;
+
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\Messages\PageCreationNotification;
+use BookStack\Activity\Tools\EntityWatchers;
+use BookStack\Activity\WatchLevels;
+use BookStack\Entities\Models\Page;
+use BookStack\Users\Models\User;
+
+class PageCreationNotificationHandler extends BaseNotificationHandler
+{
+    public function handle(Activity $activity, Loggable|string $detail, User $user): void
+    {
+        if (!($detail instanceof Page)) {
+            throw new \InvalidArgumentException("Detail for page create notifications must be a page");
+        }
+
+        $watchers = new EntityWatchers($detail, WatchLevels::NEW);
+        $this->sendNotificationToUserIds(PageCreationNotification::class, $watchers->getWatcherUserIds(), $user, $detail, $detail);
+    }
+}
--- a/app/Activity/Notifications/Handlers/PageUpdateNotificationHandler.php
+++ b/app/Activity/Notifications/Handlers/PageUpdateNotificationHandler.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Handlers;
+
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\Messages\PageUpdateNotification;
+use BookStack\Activity\Tools\EntityWatchers;
+use BookStack\Activity\WatchLevels;
+use BookStack\Entities\Models\Page;
+use BookStack\Settings\UserNotificationPreferences;
+use BookStack\Users\Models\User;
+
+class PageUpdateNotificationHandler extends BaseNotificationHandler
+{
+    public function handle(Activity $activity, Loggable|string $detail, User $user): void
+    {
+        if (!($detail instanceof Page)) {
+            throw new \InvalidArgumentException("Detail for page update notifications must be a page");
+        }
+
+        // Get last update from activity
+        $lastUpdate = $detail->activity()
+            ->where('type', '=', ActivityType::PAGE_UPDATE)
+            ->where('id', '!=', $activity->id)
+            ->latest('created_at')
+            ->first();
+
+        // Return if the same user has already updated the page in the last 15 mins
+        if ($lastUpdate && $lastUpdate->user_id === $user->id) {
+            if ($lastUpdate->created_at->gt(now()->subMinutes(15))) {
+                return;
+            }
+        }
+
+        // Get active watchers
+        $watchers = new EntityWatchers($detail, WatchLevels::UPDATES);
+        $watcherIds = $watchers->getWatcherUserIds();
+
+        // Add page owner if preferences allow
+        if (!$watchers->isUserIgnoring($detail->owned_by) && $detail->ownedBy) {
+            $userNotificationPrefs = new UserNotificationPreferences($detail->ownedBy);
+            if ($userNotificationPrefs->notifyOnOwnPageChanges()) {
+                $watcherIds[] = $detail->owned_by;
+            }
+        }
+
+        $this->sendNotificationToUserIds(PageUpdateNotification::class, $watcherIds, $user, $detail, $detail);
+    }
+}
--- a/app/Activity/Notifications/MessageParts/LinkedMailMessageLine.php
+++ b/app/Activity/Notifications/MessageParts/LinkedMailMessageLine.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace BookStack\Activity\Notifications\MessageParts;
+
+use Illuminate\Contracts\Support\Htmlable;
+
+/**
+ * A line of text with linked text included, intended for use
+ * in MailMessages. The line should have a ':link' placeholder for
+ * where the link should be inserted within the line.
+ */
+class LinkedMailMessageLine implements Htmlable
+{
+    public function __construct(
+        protected string $url,
+        protected string $line,
+        protected string $linkText,
+    ) {
+    }
+
+    public function toHtml(): string
+    {
+        $link = '<a href="' . e($this->url) . '">' . e($this->linkText) . '</a>';
+        return str_replace(':link', $link, e($this->line));
+    }
+}
--- a/app/Activity/Notifications/MessageParts/ListMessageLine.php
+++ b/app/Activity/Notifications/MessageParts/ListMessageLine.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace BookStack\Activity\Notifications\MessageParts;
+
+use Illuminate\Contracts\Support\Htmlable;
+
+/**
+ * A bullet point list of content, where the keys of the given list array
+ * are bolded header elements, and the values follow.
+ */
+class ListMessageLine implements Htmlable
+{
+    public function __construct(
+        protected array $list
+    ) {
+    }
+
+    public function toHtml(): string
+    {
+        $list = [];
+        foreach ($this->list as $header => $content) {
+            $list[] = '<strong>' . e($header) . '</strong> ' . e($content);
+        }
+        return implode("<br>\n", $list);
+    }
+}
--- a/app/Activity/Notifications/Messages/BaseActivityNotification.php
+++ b/app/Activity/Notifications/Messages/BaseActivityNotification.php
@@ -0,0 +1,63 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Messages;
+
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\MessageParts\LinkedMailMessageLine;
+use BookStack\Users\Models\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Notifications\Messages\MailMessage;
+use Illuminate\Notifications\Notification;
+
+abstract class BaseActivityNotification extends Notification
+{
+    use Queueable;
+
+    public function __construct(
+        protected Loggable|string $detail,
+        protected User $user,
+    ) {
+    }
+
+    /**
+     * Get the notification's delivery channels.
+     *
+     * @param  mixed  $notifiable
+     * @return array
+     */
+    public function via($notifiable)
+    {
+        return ['mail'];
+    }
+
+    /**
+     * Get the mail representation of the notification.
+     */
+    abstract public function toMail(mixed $notifiable): MailMessage;
+
+    /**
+     * Get the array representation of the notification.
+     *
+     * @param  mixed  $notifiable
+     * @return array
+     */
+    public function toArray($notifiable)
+    {
+        return [
+            'activity_detail' => $this->detail,
+            'activity_creator' => $this->user,
+        ];
+    }
+
+    /**
+     * Build the common reason footer line used in mail messages.
+     */
+    protected function buildReasonFooterLine(): LinkedMailMessageLine
+    {
+        return new LinkedMailMessageLine(
+            url('/preferences/notifications'),
+            trans('notifications.footer_reason'),
+            trans('notifications.footer_reason_link'),
+        );
+    }
+}
--- a/app/Activity/Notifications/Messages/CommentCreationNotification.php
+++ b/app/Activity/Notifications/Messages/CommentCreationNotification.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Messages;
+
+use BookStack\Activity\Models\Comment;
+use BookStack\Activity\Notifications\MessageParts\ListMessageLine;
+use BookStack\Entities\Models\Page;
+use Illuminate\Notifications\Messages\MailMessage;
+
+class CommentCreationNotification extends BaseActivityNotification
+{
+    public function toMail(mixed $notifiable): MailMessage
+    {
+        /** @var Comment $comment */
+        $comment = $this->detail;
+        /** @var Page $page */
+        $page = $comment->entity;
+
+        return (new MailMessage())
+            ->subject(trans('notifications.new_comment_subject', ['pageName' => $page->getShortName()]))
+            ->line(trans('notifications.new_comment_intro', ['appName' => setting('app-name')]))
+            ->line(new ListMessageLine([
+                trans('notifications.detail_page_name') => $page->name,
+                trans('notifications.detail_commenter') => $this->user->name,
+                trans('notifications.detail_comment') => strip_tags($comment->html),
+            ]))
+            ->action(trans('notifications.action_view_comment'), $page->getUrl('#comment' . $comment->local_id))
+            ->line($this->buildReasonFooterLine());
+    }
+}
--- a/app/Activity/Notifications/Messages/PageCreationNotification.php
+++ b/app/Activity/Notifications/Messages/PageCreationNotification.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Messages;
+
+use BookStack\Activity\Notifications\MessageParts\ListMessageLine;
+use BookStack\Entities\Models\Page;
+use Illuminate\Notifications\Messages\MailMessage;
+
+class PageCreationNotification extends BaseActivityNotification
+{
+    public function toMail(mixed $notifiable): MailMessage
+    {
+        /** @var Page $page */
+        $page = $this->detail;
+
+        return (new MailMessage())
+            ->subject(trans('notifications.new_page_subject', ['pageName' => $page->getShortName()]))
+            ->line(trans('notifications.new_page_intro', ['appName' => setting('app-name')]))
+            ->line(new ListMessageLine([
+                trans('notifications.detail_page_name') => $page->name,
+                trans('notifications.detail_created_by') => $this->user->name,
+            ]))
+            ->action(trans('notifications.action_view_page'), $page->getUrl())
+            ->line($this->buildReasonFooterLine());
+    }
+}
--- a/app/Activity/Notifications/Messages/PageUpdateNotification.php
+++ b/app/Activity/Notifications/Messages/PageUpdateNotification.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace BookStack\Activity\Notifications\Messages;
+
+use BookStack\Activity\Notifications\MessageParts\ListMessageLine;
+use BookStack\Entities\Models\Page;
+use Illuminate\Notifications\Messages\MailMessage;
+
+class PageUpdateNotification extends BaseActivityNotification
+{
+    public function toMail(mixed $notifiable): MailMessage
+    {
+        /** @var Page $page */
+        $page = $this->detail;
+
+        return (new MailMessage())
+            ->subject(trans('notifications.updated_page_subject', ['pageName' => $page->getShortName()]))
+            ->line(trans('notifications.updated_page_intro', ['appName' => setting('app-name')]))
+            ->line(new ListMessageLine([
+                trans('notifications.detail_page_name') => $page->name,
+                trans('notifications.detail_updated_by') => $this->user->name,
+            ]))
+            ->line(trans('notifications.updated_page_debounce'))
+            ->action(trans('notifications.action_view_page'), $page->getUrl())
+            ->line($this->buildReasonFooterLine());
+    }
+}
--- a/app/Activity/Notifications/NotificationManager.php
+++ b/app/Activity/Notifications/NotificationManager.php
@@ -0,0 +1,52 @@
+<?php
+
+namespace BookStack\Activity\Notifications;
+
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Notifications\Handlers\CommentCreationNotificationHandler;
+use BookStack\Activity\Notifications\Handlers\NotificationHandler;
+use BookStack\Activity\Notifications\Handlers\PageCreationNotificationHandler;
+use BookStack\Activity\Notifications\Handlers\PageUpdateNotificationHandler;
+use BookStack\Users\Models\User;
+
+class NotificationManager
+{
+    /**
+     * @var class-string<NotificationHandler>[]
+     */
+    protected array $handlers = [];
+
+    public function handle(Activity $activity, string|Loggable $detail, User $user): void
+    {
+        $activityType = $activity->type;
+        $handlersToRun = $this->handlers[$activityType] ?? [];
+        foreach ($handlersToRun as $handlerClass) {
+            /** @var NotificationHandler $handler */
+            $handler = new $handlerClass();
+            $handler->handle($activity, $detail, $user);
+        }
+    }
+
+    /**
+     * @param class-string<NotificationHandler> $handlerClass
+     */
+    public function registerHandler(string $activityType, string $handlerClass): void
+    {
+        if (!isset($this->handlers[$activityType])) {
+            $this->handlers[$activityType] = [];
+        }
+
+        if (!in_array($handlerClass, $this->handlers[$activityType])) {
+            $this->handlers[$activityType][] = $handlerClass;
+        }
+    }
+
+    public function loadDefaultHandlers(): void
+    {
+        $this->registerHandler(ActivityType::PAGE_CREATE, PageCreationNotificationHandler::class);
+        $this->registerHandler(ActivityType::PAGE_UPDATE, PageUpdateNotificationHandler::class);
+        $this->registerHandler(ActivityType::COMMENT_CREATE, CommentCreationNotificationHandler::class);
+    }
+}
--- a/app/Activity/Queries/WebhooksAllPaginatedAndSorted.php
+++ b/app/Activity/Queries/WebhooksAllPaginatedAndSorted.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace BookStack\Activity\Queries;
+
+use BookStack\Activity\Models\Webhook;
+use BookStack\Util\SimpleListOptions;
+use Illuminate\Pagination\LengthAwarePaginator;
+
+/**
+ * Get all the webhooks in the system in a paginated format.
+ */
+class WebhooksAllPaginatedAndSorted
+{
+    public function run(int $count, SimpleListOptions $listOptions): LengthAwarePaginator
+    {
+        $query = Webhook::query()->select(['*'])
+            ->withCount(['trackedEvents'])
+            ->orderBy($listOptions->getSort(), $listOptions->getOrder());
+
+        if ($listOptions->getSearch()) {
+            $term = '%' . $listOptions->getSearch() . '%';
+            $query->where(function ($query) use ($term) {
+                $query->where('name', 'like', $term)
+                    ->orWhere('endpoint', 'like', $term);
+            });
+        }
+
+        return $query->paginate($count);
+    }
+}
--- a/app/Activity/TagRepo.php
+++ b/app/Activity/TagRepo.php
@@ -1,27 +1,33 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity;

-use BookStack\Auth\Permissions\PermissionApplicator;
+use BookStack\Activity\Models\Tag;
 use BookStack\Entities\Models\Entity;
+use BookStack\Permissions\PermissionApplicator;
+use BookStack\Util\SimpleListOptions;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\DB;

 class TagRepo
 {
-    protected PermissionApplicator $permissions;
-
-    public function __construct(PermissionApplicator $permissions)
-    {
-        $this->permissions = $permissions;
+    public function __construct(
+        protected PermissionApplicator $permissions
+    ) {
    }

    /**
     * Start a query against all tags in the system.
     */
-    public function queryWithTotals(string $searchTerm, string $nameFilter): Builder
+    public function queryWithTotals(SimpleListOptions $listOptions, string $nameFilter): Builder
    {
+        $searchTerm = $listOptions->getSearch();
+        $sort = $listOptions->getSort();
+        if ($sort === 'name' && $nameFilter) {
+            $sort = 'value';
+        }
+
        $query = Tag::query()
            ->select([
                'name',
@@ -32,7 +38,7 @@ class TagRepo
                DB::raw('SUM(IF(entity_type = \'book\', 1, 0)) as book_count'),
                DB::raw('SUM(IF(entity_type = \'bookshelf\', 1, 0)) as shelf_count'),
            ])
-            ->orderBy($nameFilter ? 'value' : 'name');
+            ->orderBy($sort, $listOptions->getOrder());

        if ($nameFilter) {
            $query->where('name', '=', $nameFilter);
@@ -57,21 +63,21 @@ class TagRepo
     * Get tag name suggestions from scanning existing tag names.
     * If no search term is given the 50 most popular tag names are provided.
     */
-    public function getNameSuggestions(?string $searchTerm): Collection
+    public function getNameSuggestions(string $searchTerm): Collection
    {
        $query = Tag::query()
            ->select('*', DB::raw('count(*) as count'))
            ->groupBy('name');

        if ($searchTerm) {
-            $query = $query->where('name', 'LIKE', $searchTerm . '%')->orderBy('name', 'desc');
+            $query = $query->where('name', 'LIKE', $searchTerm . '%')->orderBy('name', 'asc');
        } else {
            $query = $query->orderBy('count', 'desc')->take(50);
        }

        $query = $this->permissions->restrictEntityRelationQuery($query, 'tags', 'entity_id', 'entity_type');

-        return $query->get(['name'])->pluck('name');
+        return $query->pluck('name');
    }

    /**
@@ -79,10 +85,11 @@ class TagRepo
     * If no search is given the 50 most popular values are provided.
     * Passing a tagName will only find values for a tags with a particular name.
     */
-    public function getValueSuggestions(?string $searchTerm, ?string $tagName): Collection
+    public function getValueSuggestions(string $searchTerm, string $tagName): Collection
    {
        $query = Tag::query()
            ->select('*', DB::raw('count(*) as count'))
+            ->where('value', '!=', '')
            ->groupBy('value');

        if ($searchTerm) {
@@ -97,7 +104,7 @@ class TagRepo

        $query = $this->permissions->restrictEntityRelationQuery($query, 'tags', 'entity_id', 'entity_type');

-        return $query->get(['value'])->pluck('value');
+        return $query->pluck('value');
    }

    /**
--- a/app/Activity/Tools/ActivityLogger.php
+++ b/app/Activity/Tools/ActivityLogger.php
@@ -1,22 +1,30 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Tools;

+use BookStack\Activity\DispatchWebhookJob;
+use BookStack\Activity\Models\Activity;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Models\Webhook;
+use BookStack\Activity\Notifications\NotificationManager;
 use BookStack\Entities\Models\Entity;
 use BookStack\Facades\Theme;
-use BookStack\Interfaces\Loggable;
 use BookStack\Theming\ThemeEvents;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Facades\Log;

 class ActivityLogger
 {
+    public function __construct(
+        protected NotificationManager $notifications
+    ) {
+        $this->notifications->loadDefaultHandlers();
+    }
+
    /**
     * Add a generic activity event to the database.
-     *
-     * @param string|Loggable $detail
     */
-    public function add(string $type, $detail = '')
+    public function add(string $type, string|Loggable $detail = ''): void
    {
        $detailToStore = ($detail instanceof Loggable) ? $detail->logDescriptor() : $detail;

@@ -32,6 +40,7 @@ class ActivityLogger

        $this->setNotification($type);
        $this->dispatchWebhooks($type, $detail);
+        $this->notifications->handle($activity, $detail, user());
        Theme::dispatch(ThemeEvents::ACTIVITY_LOGGED, $type, $detail);
    }

@@ -52,7 +61,7 @@ class ActivityLogger
     * and instead uses the 'extra' field with the entities name.
     * Used when an entity is deleted.
     */
-    public function removeEntity(Entity $entity)
+    public function removeEntity(Entity $entity): void
    {
        $entity->activity()->update([
            'detail'       => $entity->name,
@@ -73,10 +82,7 @@ class ActivityLogger
        }
    }

-    /**
-     * @param string|Loggable $detail
-     */
-    protected function dispatchWebhooks(string $type, $detail): void
+    protected function dispatchWebhooks(string $type, string|Loggable $detail): void
    {
        $webhooks = Webhook::query()
            ->whereHas('trackedEvents', function (Builder $query) use ($type) {
@@ -95,7 +101,7 @@ class ActivityLogger
     * Log out a failed login attempt, Providing the given username
     * as part of the message if the '%u' string is used.
     */
-    public function logFailedLogin(string $username)
+    public function logFailedLogin(string $username): void
    {
        $message = config('logging.failed_login.message');
        if (!$message) {
--- a/app/Activity/Tools/CommentTree.php
+++ b/app/Activity/Tools/CommentTree.php
@@ -0,0 +1,102 @@
+<?php
+
+namespace BookStack\Activity\Tools;
+
+use BookStack\Activity\Models\Comment;
+use BookStack\Entities\Models\Page;
+
+class CommentTree
+{
+    /**
+     * The built nested tree structure array.
+     * @var array{comment: Comment, depth: int, children: array}[]
+     */
+    protected array $tree;
+    protected array $comments;
+
+    public function __construct(
+        protected Page $page
+    ) {
+        $this->comments = $this->loadComments();
+        $this->tree = $this->createTree($this->comments);
+    }
+
+    public function enabled(): bool
+    {
+        return !setting('app-disable-comments');
+    }
+
+    public function empty(): bool
+    {
+        return count($this->tree) === 0;
+    }
+
+    public function count(): int
+    {
+        return count($this->comments);
+    }
+
+    public function get(): array
+    {
+        return $this->tree;
+    }
+
+    /**
+     * @param Comment[] $comments
+     */
+    protected function createTree(array $comments): array
+    {
+        $byId = [];
+        foreach ($comments as $comment) {
+            $byId[$comment->local_id] = $comment;
+        }
+
+        $childMap = [];
+        foreach ($comments as $comment) {
+            $parent = $comment->parent_id;
+            if (is_null($parent) || !isset($byId[$parent])) {
+                $parent = 0;
+            }
+
+            if (!isset($childMap[$parent])) {
+                $childMap[$parent] = [];
+            }
+            $childMap[$parent][] = $comment->local_id;
+        }
+
+        $tree = [];
+        foreach ($childMap[0] ?? [] as $childId) {
+            $tree[] = $this->createTreeForId($childId, 0, $byId, $childMap);
+        }
+
+        return $tree;
+    }
+
+    protected function createTreeForId(int $id, int $depth, array &$byId, array &$childMap): array
+    {
+        $childIds = $childMap[$id] ?? [];
+        $children = [];
+
+        foreach ($childIds as $childId) {
+            $children[] = $this->createTreeForId($childId, $depth + 1, $byId, $childMap);
+        }
+
+        return [
+            'comment' => $byId[$id],
+            'depth' => $depth,
+            'children' => $children,
+        ];
+    }
+
+    protected function loadComments(): array
+    {
+        if (!$this->enabled()) {
+            return [];
+        }
+
+        return $this->page->comments()
+            ->with('createdBy')
+            ->get()
+            ->all();
+    }
+}
--- a/app/Activity/Tools/EntityWatchers.php
+++ b/app/Activity/Tools/EntityWatchers.php
@@ -0,0 +1,86 @@
+<?php
+
+namespace BookStack\Activity\Tools;
+
+use BookStack\Activity\Models\Watch;
+use BookStack\Entities\Models\BookChild;
+use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Models\Page;
+use Illuminate\Database\Eloquent\Builder;
+
+class EntityWatchers
+{
+    /**
+     * @var int[]
+     */
+    protected array $watchers = [];
+
+    /**
+     * @var int[]
+     */
+    protected array $ignorers = [];
+
+    public function __construct(
+        protected Entity $entity,
+        protected int $watchLevel,
+    ) {
+        $this->build();
+    }
+
+    public function getWatcherUserIds(): array
+    {
+        return $this->watchers;
+    }
+
+    public function isUserIgnoring(int $userId): bool
+    {
+        return in_array($userId, $this->ignorers);
+    }
+
+    protected function build(): void
+    {
+        $watches = $this->getRelevantWatches();
+
+        // Sort before de-duping, so that the order looped below follows book -> chapter -> page ordering
+        usort($watches, function (Watch $watchA, Watch $watchB) {
+            $entityTypeDiff = $watchA->watchable_type <=> $watchB->watchable_type;
+            return $entityTypeDiff === 0 ? ($watchA->user_id <=> $watchB->user_id) : $entityTypeDiff;
+        });
+
+        // De-dupe by user id to get their most relevant level
+        $levelByUserId = [];
+        foreach ($watches as $watch) {
+            $levelByUserId[$watch->user_id] = $watch->level;
+        }
+
+        // Populate the class arrays
+        $this->watchers = array_keys(array_filter($levelByUserId, fn(int $level) => $level >= $this->watchLevel));
+        $this->ignorers = array_keys(array_filter($levelByUserId, fn(int $level) => $level === 0));
+    }
+
+    /**
+     * @return Watch[]
+     */
+    protected function getRelevantWatches(): array
+    {
+        /** @var Entity[] $entitiesInvolved */
+        $entitiesInvolved = array_filter([
+            $this->entity,
+            $this->entity instanceof BookChild ? $this->entity->book : null,
+            $this->entity instanceof Page ? $this->entity->chapter : null,
+        ]);
+
+        $query = Watch::query()->where(function (Builder $query) use ($entitiesInvolved) {
+            foreach ($entitiesInvolved as $entity) {
+                $query->orWhere(function (Builder $query) use ($entity) {
+                    $query->where('watchable_type', '=', $entity->getMorphClass())
+                        ->where('watchable_id', '=', $entity->id);
+                });
+            }
+        });
+
+        return $query->get([
+            'level', 'watchable_id', 'watchable_type', 'user_id'
+        ])->all();
+    }
+}
--- a/app/Activity/Tools/IpFormatter.php
+++ b/app/Activity/Tools/IpFormatter.php
@@ -1,6 +1,6 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Tools;

 class IpFormatter
 {
--- a/app/Activity/Tools/TagClassGenerator.php
+++ b/app/Activity/Tools/TagClassGenerator.php
@@ -1,6 +1,8 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Tools;
+
+use BookStack\Activity\Models\Tag;

 class TagClassGenerator
 {
--- a/app/Activity/Tools/UserEntityWatchOptions.php
+++ b/app/Activity/Tools/UserEntityWatchOptions.php
@@ -0,0 +1,131 @@
+<?php
+
+namespace BookStack\Activity\Tools;
+
+use BookStack\Activity\Models\Watch;
+use BookStack\Activity\WatchLevels;
+use BookStack\Entities\Models\BookChild;
+use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Models\Page;
+use BookStack\Users\Models\User;
+use Illuminate\Database\Eloquent\Builder;
+
+class UserEntityWatchOptions
+{
+    protected ?array $watchMap = null;
+
+    public function __construct(
+        protected User $user,
+        protected Entity $entity,
+    ) {
+    }
+
+    public function canWatch(): bool
+    {
+        return $this->user->can('receive-notifications') && !$this->user->isDefault();
+    }
+
+    public function getWatchLevel(): string
+    {
+        return WatchLevels::levelValueToName($this->getWatchLevelValue());
+    }
+
+    public function isWatching(): bool
+    {
+        return $this->getWatchLevelValue() !== WatchLevels::DEFAULT;
+    }
+
+    public function getWatchedParent(): ?WatchedParentDetails
+    {
+        $watchMap = $this->getWatchMap();
+        unset($watchMap[$this->entity->getMorphClass()]);
+
+        if (isset($watchMap['chapter'])) {
+            return new WatchedParentDetails('chapter', $watchMap['chapter']);
+        }
+
+        if (isset($watchMap['book'])) {
+            return new WatchedParentDetails('book', $watchMap['book']);
+        }
+
+        return null;
+    }
+
+    public function updateLevelByName(string $level): void
+    {
+        $levelValue = WatchLevels::levelNameToValue($level);
+        $this->updateLevelByValue($levelValue);
+    }
+
+    public function updateLevelByValue(int $level): void
+    {
+        if ($level < 0) {
+            $this->remove();
+            return;
+        }
+
+        $this->updateLevel($level);
+    }
+
+    public function getWatchMap(): array
+    {
+        if (!is_null($this->watchMap)) {
+            return $this->watchMap;
+        }
+
+        $entities = [$this->entity];
+        if ($this->entity instanceof BookChild) {
+            $entities[] = $this->entity->book;
+        }
+        if ($this->entity instanceof Page && $this->entity->chapter) {
+            $entities[] = $this->entity->chapter;
+        }
+
+        $query = Watch::query()
+            ->where('user_id', '=', $this->user->id)
+            ->where(function (Builder $subQuery) use ($entities) {
+                foreach ($entities as $entity) {
+                    $subQuery->orWhere(function (Builder $whereQuery) use ($entity) {
+                        $whereQuery->where('watchable_type', '=', $entity->getMorphClass())
+                        ->where('watchable_id', '=', $entity->id);
+                    });
+                }
+            });
+
+        $this->watchMap = $query->get(['watchable_type', 'level'])
+            ->pluck('level', 'watchable_type')
+            ->toArray();
+
+        return $this->watchMap;
+    }
+
+    protected function getWatchLevelValue()
+    {
+        return $this->getWatchMap()[$this->entity->getMorphClass()] ?? WatchLevels::DEFAULT;
+    }
+
+    protected function updateLevel(int $levelValue): void
+    {
+        Watch::query()->updateOrCreate([
+            'watchable_id' => $this->entity->id,
+            'watchable_type' => $this->entity->getMorphClass(),
+            'user_id' => $this->user->id,
+        ], [
+            'level' => $levelValue,
+        ]);
+        $this->watchMap = null;
+    }
+
+    protected function remove(): void
+    {
+        $this->entityQuery()->delete();
+        $this->watchMap = null;
+    }
+
+    protected function entityQuery(): Builder
+    {
+        return Watch::query()->where('watchable_id', '=', $this->entity->id)
+            ->where('watchable_type', '=', $this->entity->getMorphClass())
+            ->where('user_id', '=', $this->user->id);
+    }
+}
--- a/app/Activity/Tools/WatchedParentDetails.php
+++ b/app/Activity/Tools/WatchedParentDetails.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace BookStack\Activity\Tools;
+
+use BookStack\Activity\WatchLevels;
+
+class WatchedParentDetails
+{
+    public function __construct(
+        public string $type,
+        public int $level,
+    ) {
+    }
+
+    public function ignoring(): bool
+    {
+        return $this->level === WatchLevels::IGNORE;
+    }
+}
--- a/app/Activity/Tools/WebhookFormatter.php
+++ b/app/Activity/Tools/WebhookFormatter.php
@@ -1,12 +1,14 @@
 <?php

-namespace BookStack\Actions;
+namespace BookStack\Activity\Tools;

-use BookStack\Auth\User;
+use BookStack\Activity\ActivityType;
+use BookStack\Activity\Models\Loggable;
+use BookStack\Activity\Models\Webhook;
+use BookStack\App\Model;
 use BookStack\Entities\Models\Entity;
 use BookStack\Entities\Models\Page;
-use BookStack\Interfaces\Loggable;
-use BookStack\Model;
+use BookStack\Users\Models\User;
 use Illuminate\Support\Carbon;

 class WebhookFormatter
@@ -15,18 +17,14 @@ class WebhookFormatter
    protected string $event;
    protected User $initiator;
    protected int $initiatedTime;
-
-    /**
-     * @var string|Loggable
-     */
-    protected $detail;
+    protected string|Loggable $detail;

    /**
     * @var array{condition: callable(string, Model):bool, format: callable(Model):void}[]
     */
    protected $modelFormatters = [];

-    public function __construct(string $event, Webhook $webhook, $detail, User $initiator, int $initiatedTime)
+    public function __construct(string $event, Webhook $webhook, string|Loggable $detail, User $initiator, int $initiatedTime)
    {
        $this->webhook = $webhook;
        $this->event = $event;
--- a/app/Activity/WatchLevels.php
+++ b/app/Activity/WatchLevels.php
@@ -0,0 +1,91 @@
+<?php
+
+namespace BookStack\Activity;
+
+use BookStack\Entities\Models\Bookshelf;
+use BookStack\Entities\Models\Entity;
+use BookStack\Entities\Models\Page;
+
+class WatchLevels
+{
+    /**
+     * Default level, No specific option set
+     * Typically not a stored status
+     */
+    const DEFAULT = -1;
+
+    /**
+     * Ignore all notifications.
+     */
+    const IGNORE = 0;
+
+    /**
+     * Watch for new content.
+     */
+    const NEW = 1;
+
+    /**
+     * Watch for updates and new content
+     */
+    const UPDATES = 2;
+
+    /**
+     * Watch for comments, updates and new content.
+     */
+    const COMMENTS = 3;
+
+    /**
+     * Get all the possible values as an option_name => value array.
+     * @returns array<string, int>
+     */
+    public static function all(): array
+    {
+        $options = [];
+        foreach ((new \ReflectionClass(static::class))->getConstants() as $name => $value) {
+            $options[strtolower($name)] = $value;
+        }
+
+        return $options;
+    }
+
+    /**
+     * Get the watch options suited for the given entity.
+     * @returns array<string, int>
+     */
+    public static function allSuitedFor(Entity $entity): array
+    {
+        $options = static::all();
+
+        if ($entity instanceof Page) {
+            unset($options['new']);
+        } elseif ($entity instanceof Bookshelf) {
+            return [];
+        }
+
+        return $options;
+    }
+
+    /**
+     * Convert the given name to a level value.
+     * Defaults to default value if the level does not exist.
+     */
+    public static function levelNameToValue(string $level): int
+    {
+        return static::all()[$level] ?? static::DEFAULT;
+    }
+
+    /**
+     * Convert the given int level value to a level name.
+     * Defaults to 'default' level name if not existing.
+     */
+    public static function levelValueToName(int $level): string
+    {
+        foreach (static::all() as $name => $value) {
+            if ($level === $value) {
+                return $name;
+            }
+        }
+
+        return 'default';
+    }
+}
--- a/app/Http/Controllers/Api/ApiDocsController.php
+++ b/app/Http/Controllers/Api/ApiDocsController.php
@@ -1,8 +1,8 @@
 <?php

-namespace BookStack\Http\Controllers\Api;
+namespace BookStack\Api;

-use BookStack\Api\ApiDocsGenerator;
+use BookStack\Http\ApiController;

 class ApiDocsController extends ApiController
 {
@@ -28,4 +28,12 @@ class ApiDocsController extends ApiController

        return response()->json($docs);
    }
+
+    /**
+     * Redirect to the API docs page.
+     */
+    public function redirect()
+    {
+        return redirect('/api/docs');
+    }
 }
--- a/Show More
+++ b/Show More