release: 0.44.0

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.devcontainer/devcontainer.json

@@ -0,0 +1,32 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/typescript-node
+{
+  "name": "pocket-id",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
+  "features": {
+    "ghcr.io/devcontainers/features/go:1": {},
+    "ghcr.io/devcontainers-extra/features/caddy:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go",
+        "svelte.svelte-vscode"
+      ]
+    }
+  },
+  // Use 'postCreateCommand' to run commands after the container is created.
+  // Install npm dependencies for the frontend.
+  "postCreateCommand": "npm install --prefix frontend"
+
+
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  // "features": {},
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+  // Configure tool-specific properties.
+  // "customizations": {},
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}

.dockerignore

@@ -0,0 +1,18 @@
+node_modules
+
+# Output
+.output
+.vercel
+/frontend/.svelte-kit
+/frontend/build
+/backend/bin
+
+
+# Env
+.env
+.env.*
+
+
+# Application specific
+data
+/scripts/development

.env.example

@@ -1 +1,6 @@
+# See the README for more information: https://github.com/pocket-id/pocket-id?tab=readme-ov-file#environment-variables
 PUBLIC_APP_URL=http://localhost
+TRUST_PROXY=false
+MAXMIND_LICENSE_KEY=
+PUID=1000
+PGID=1000

.env.test

@@ -1,2 +0,0 @@
-APP_ENV=test
-PUBLIC_APP_URL=http://localhost

.github/ISSUE_TEMPLATE/bug.yml

@@ -34,4 +34,23 @@ body:
   - type: markdown
     attributes:
       value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: extra-information
+    validations:
+      required: true
+    attributes:
+      label: "Version and Environment"
+      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occurred to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**

.github/ISSUE_TEMPLATE/config.yml

@@ -1 +1,5 @@
-blank_issues_enabled: false
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Discord
+    url: https://discord.gg/8wudU9KaxM
+    about: For help and chatting with the community

.github/ISSUE_TEMPLATE/language-request.yml

@@ -0,0 +1,20 @@
+name: "🌐 Language request"
+description: "You want to contribute to a language that isn't on Crowdin yet?"
+title: "🌐 Language Request: <language name in english>"
+labels: [language-request]
+body:
+  - type: input
+    id: language-name-native
+    attributes:
+      label: "🌐 Language Name (native)"
+      placeholder: "Schweizerdeutsch"
+    validations:
+      required: true
+  - type: input
+    id: language-code
+    attributes:
+      label: "🌐 ISO 639-1 Language Code"
+      description: "You can find your language code [here](https://www.andiamo.co.uk/resources/iso-language-codes/)."
+      placeholder: "de-CH"
+    validations:
+      required: true

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for more information:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
+
+version: 2
+updates:
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly

.github/workflows/build-and-push-docker-image.yml

@@ -6,29 +6,45 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # Using an older version because of https://github.com/actions/runner-images/issues/11471
+    permissions:
+      contents: read
+      packages: write      
     steps:
       - name: checkout code
         uses: actions/checkout@v3
 
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker registry
-        uses: docker/login-action@v2
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
-
+            registry: ghcr.io
+            username: ${{github.repository_owner}}
+            password: ${{secrets.GITHUB_TOKEN}}    
+    
       - name: Build and push
         uses: docker/build-push-action@v4
         with:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: stonith404/pocket-id:latest,stonith404/pocket-id:${{  github.ref_name }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

.github/workflows/e2e-tests.yml

@@ -2,24 +2,57 @@ name: E2E Tests
 on:
   push:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
   pull_request:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
-  build-and-test:
+  build:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
     timeout-minutes: 20
     runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export
+        uses: docker/build-push-action@v6
+        with:
+          tags: pocket-id/pocket-id:test
+          outputs: type=docker,dest=/tmp/docker-image.tar
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp/docker-image.tar
+
+  test-sqlite:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    runs-on: ubuntu-latest
+    needs: build
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version: lts/*
-          cache: 'npm'
+          cache: "npm"
           cache-dependency-path: frontend/package-lock.json
-      
-      - name: Build Docker Image
-        run: docker build -t stonith404/pocket-id .
-      - name: Run Docker Container
-        run: docker run -d --name pocket-id -p 80:80 --env-file .env.test stonith404/pocket-id
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+      - name: Load Docker Image
+        run: docker load -i /tmp/docker-image.tar
 
       - name: Install frontend dependencies
         working-directory: ./frontend
@@ -29,17 +62,95 @@ jobs:
         working-directory: ./frontend
         run: npx playwright install --with-deps chromium
 
+      - name: Run Docker Container with Sqlite DB
+        run: |
+          docker run -d --name pocket-id-sqlite \
+          -p 80:80 \
+          -e APP_ENV=test \
+          pocket-id/pocket-id:test
+
       - name: Run Playwright tests
         working-directory: ./frontend
         run: npx playwright test
 
-      - name: Get container logs
-        if: always()
-        run: docker logs pocket-id
-
       - uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: playwright-report
-          path: frontend/tests/.output
+          name: playwright-report-sqlite
+          path: frontend/tests/.report
+          include-hidden-files: true
+          retention-days: 15
+
+  test-postgres:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+      - name: Load Docker Image
+        run: docker load -i /tmp/docker-image.tar
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: npm ci
+
+      - name: Install Playwright Browsers
+        working-directory: ./frontend
+        run: npx playwright install --with-deps chromium
+
+      - name: Create Docker network
+        run: docker network create pocket-id-network
+
+      - name: Start Postgres DB
+        run: |
+          docker run -d --name pocket-id-db \
+          --network pocket-id-network \
+          -e POSTGRES_USER=postgres \
+          -e POSTGRES_PASSWORD=postgres \
+          -e POSTGRES_DB=pocket-id \
+          -p 5432:5432 \
+          postgres:17
+
+      - name: Wait for Postgres to start
+        run: |
+          for i in {1..10}; do
+            if docker exec pocket-id-db pg_isready -U postgres; then
+              echo "Postgres is ready"
+              break
+            fi
+            echo "Waiting for Postgres..."
+            sleep 2
+          done
+
+      - name: Run Docker Container with Postgres DB
+        run: |
+          docker run -d --name pocket-id-postgres \
+          --network pocket-id-network \
+          -p 80:80 \
+          -e APP_ENV=test \
+          -e DB_PROVIDER=postgres \
+          -e POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
+          pocket-id/pocket-id:test
+
+      - name: Run Playwright tests
+        working-directory: ./frontend
+        run: npx playwright test
+
+      - uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
+        with:
+          name: playwright-report-postgres
+          path: frontend/tests/.report
+          include-hidden-files: true
           retention-days: 15

.github/workflows/unit-tests.yml

@@ -0,0 +1,34 @@
+name: Unit Tests
+on:
+  push:
+    branches: [main]
+    paths: 
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths: 
+      - "backend/**"
+
+jobs:
+  test-backend:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'backend/go.mod'
+          cache-dependency-path: 'backend/go.sum'
+      - name: Install dependencies
+        working-directory: backend
+        run: |
+          go get ./...
+      - name: Run backend unit tests
+        working-directory: backend
+        run: |
+          go test -v ./... | tee /tmp/TestResults.log
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-unit-tests
+          path: /tmp/TestResults.log
+          retention-days: 15

.github/workflows/update-aaguids.yml

@@ -0,0 +1,34 @@
+name: Update AAGUIDs
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Runs every Monday at midnight
+  workflow_dispatch: # Allows manual triggering of the workflow
+
+permissions: 
+    contents: write
+    
+jobs:
+  update-aaguids:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch JSON data
+        run: |
+          curl -o data.json https://raw.githubusercontent.com/pocket-id/passkey-aaguids/refs/heads/main/combined_aaguid.json
+
+      - name: Process JSON data
+        run: |
+          mkdir -p backend/resources
+          jq -c 'map_values(.name)' data.json > backend/resources/aaguids.json
+
+      - name: Commit changes
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add backend/resources/aaguids.json
+          git diff --staged --quiet || git commit -m "chore: update AAGUIDs"
+          git push

.gitignore

@@ -34,4 +34,20 @@ vite.config.ts.timestamp-*
 # Application specific
 data
 /frontend/tests/.auth
-pocket-id-backend
+/frontend/tests/.report
+pocket-id-backend
+/backend/GeoLite2-City.mmdb
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+#Debug
+backend/cmd/__debug_*

.version

@@ -1 +1 @@
-0.1.1
+0.44.0

.vscode/extensions.json

@@ -0,0 +1,5 @@
+{
+  "recommendations": [
+    "inlang.vs-code-extension"
+  ]
+}

.vscode/launch.json

@@ -0,0 +1,42 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Backend",
+      "type": "go",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/backend/.env.example",
+      "env": {
+        "APP_ENV": "development"
+      },
+      "mode": "debug",
+      "program": "${workspaceFolder}/backend/cmd/main.go",
+    },
+    {
+      "name": "Frontend",
+      "type": "node",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/frontend/.env.example",
+      "cwd": "${workspaceFolder}/frontend",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ]
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Development",
+      "configurations": [
+        "Backend",
+        "Frontend"
+      ],
+      "presentation": {
+        "hidden": false,
+        "group": "",
+        "order": 1
+      }
+    }
+  ],
+}

.vscode/tasks.json

@@ -0,0 +1,37 @@
+{
+  // See https://go.microsoft.com/fwlink/?LinkId=733558
+  // for the documentation about the tasks.json format
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Run Caddy",
+      "type": "shell",
+      "command": "caddy run --config reverse-proxy/Caddyfile",
+      "isBackground": true,
+      "problemMatcher": {
+        "owner": "custom",
+        "pattern": [
+          {
+            "regexp": ".",
+            "file": 1,
+            "location": 2,
+            "message": 3
+          }
+        ],
+        "background": {
+          "activeOnStart": true,
+          "beginsPattern": ".*",
+          "endsPattern": "Caddyfile.*"
+        }
+      },
+      "presentation": {
+        "reveal": "always",
+        "panel": "new"
+      },
+      "runOptions": {
+        "runOn": "folderOpen",
+        "instanceLimit": 1
+      }
+    }
+  ]
+}

CHANGELOG.md

@@ -1,3 +1,720 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.1...v) (2025-03-25)
+
+
+### Features
+
+* add OIDC refresh_token support ([#325](https://github.com/pocket-id/pocket-id/issues/325)) ([b8dcda8](https://github.com/pocket-id/pocket-id/commit/b8dcda80497e554d163a370eff81fe000f8831f4))
+
+
+### Bug Fixes
+
+* hash the refresh token in the DB (security) ([#379](https://github.com/pocket-id/pocket-id/issues/379)) ([8c96381](https://github.com/pocket-id/pocket-id/commit/8c963818bb90c84dac04018eec93790900d4b0ce))
+* skip ldap objects without a valid unique id ([#376](https://github.com/pocket-id/pocket-id/issues/376)) ([cdfe816](https://github.com/pocket-id/pocket-id/commit/cdfe8161d4429bdfe879887fe0b563a67c14f50b))
+* stop container if Caddy, the frontend or the backend fails ([e6f5019](https://github.com/pocket-id/pocket-id/commit/e6f50191cf05a5d0ac0e0000cf66423646f1920e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.0...v) (2025-03-20)
+
+
+### Bug Fixes
+
+* wrong base locale causes crash ([3120ebf](https://github.com/pocket-id/pocket-id/commit/3120ebf239b90f0bc0a0af33f30622e034782398))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.1...v) (2025-03-20)
+
+
+### Features
+
+* add support for translations ([#349](https://github.com/pocket-id/pocket-id/issues/349)) ([269b5a3](https://github.com/pocket-id/pocket-id/commit/269b5a3c9249bb8081c74741141d3d5a69ea42a2))
+* **passkeys:** name new passkeys based on agguids ([#332](https://github.com/pocket-id/pocket-id/issues/332)) ([041c565](https://github.com/pocket-id/pocket-id/commit/041c565dc10f15edb3e8ab58e9a4df5e48a2a6d3))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.0...v) (2025-03-18)
+
+
+### Bug Fixes
+
+* kid not added to JWTs ([f7e36a4](https://github.com/pocket-id/pocket-id/commit/f7e36a422ea6b5327360c9a13308ae408ff7fffe))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.41.0...v) (2025-03-18)
+
+
+### Features
+
+* store keys as JWK on disk ([#339](https://github.com/pocket-id/pocket-id/issues/339)) ([a7c9741](https://github.com/pocket-id/pocket-id/commit/a7c9741802667811c530ef4e6313b71615ec6a9b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.1...v) (2025-03-18)
+
+
+### Features
+
+* **profile-picture:** allow reset of profile picture ([#355](https://github.com/pocket-id/pocket-id/issues/355)) ([8f14618](https://github.com/pocket-id/pocket-id/commit/8f146188d57b5c08a4c6204674c15379232280d8))
+
+
+### Bug Fixes
+
+* own avatar not loading ([#351](https://github.com/pocket-id/pocket-id/issues/351)) ([0423d35](https://github.com/pocket-id/pocket-id/commit/0423d354f533d2ff4fd431859af3eea7d4d7044f))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.0...v) (2025-03-16)
+
+
+### Bug Fixes
+
+* API keys not working if sqlite is used ([8ead0be](https://github.com/pocket-id/pocket-id/commit/8ead0be8cd0cfb542fe488b7251cfd5274975ae1))
+* caching for own profile picture ([e45d9e9](https://github.com/pocket-id/pocket-id/commit/e45d9e970d327a5120ff9fb0c8d42df8af69bb38))
+* email logo icon displaying too big ([#336](https://github.com/pocket-id/pocket-id/issues/336)) ([b483e2e](https://github.com/pocket-id/pocket-id/commit/b483e2e92fdb528e7de026350a727d6970227426))
+* emails are considered as medium spam by rspamd ([#337](https://github.com/pocket-id/pocket-id/issues/337)) ([39b7f66](https://github.com/pocket-id/pocket-id/commit/39b7f6678c98cadcdc3abfbcb447d8eb0daa9eb0))
+* Fixes and performance improvements in utils package ([#331](https://github.com/pocket-id/pocket-id/issues/331)) ([348192b](https://github.com/pocket-id/pocket-id/commit/348192b9d7e2698add97810f8fba53d13d0df018))
+* remove custom claim key restrictions ([9f28503](https://github.com/pocket-id/pocket-id/commit/9f28503d6c73d3521d1309bee055704a0507e9b5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.39.0...v) (2025-03-13)
+
+
+### Features
+
+* allow setting path where keys are stored ([#327](https://github.com/pocket-id/pocket-id/issues/327)) ([7b654c6](https://github.com/pocket-id/pocket-id/commit/7b654c6bd111ddcddd5e3450cbf326d9cf1777b6))
+
+
+### Bug Fixes
+
+* **docker:** missing write permissions on scripts ([ec4b41a](https://github.com/pocket-id/pocket-id/commit/ec4b41a1d26ea00bb4a95f654ac4cc745b2ce2e8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.38.0...v) (2025-03-11)
+
+
+### Features
+
+* api key authentication ([#291](https://github.com/pocket-id/pocket-id/issues/291)) ([62915d8](https://github.com/pocket-id/pocket-id/commit/62915d863a4adc09cf467b75c414a045be43c2bb))
+
+
+### Bug Fixes
+
+* alternative login method link on mobile ([9ef2ddf](https://github.com/pocket-id/pocket-id/commit/9ef2ddf7963c6959992f3a5d6816840534e926e9))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.37.0...v) (2025-03-10)
+
+
+### Features
+
+* add env variable to disable update check ([31198fe](https://github.com/pocket-id/pocket-id/commit/31198feec2ae77dd6673c42b42002871ddd02d37))
+
+
+### Bug Fixes
+
+* redirection not correctly if signing in with email code ([e5ec264](https://github.com/pocket-id/pocket-id/commit/e5ec264bfd535752565bcc107099a9df5cb8aba7))
+* typo in account settings ([#307](https://github.com/pocket-id/pocket-id/issues/307)) ([c822192](https://github.com/pocket-id/pocket-id/commit/c8221921245deb3008f655740d1a9460dcdab2fc))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.36.0...v) (2025-03-10)
+
+
+### Features
+
+* **account:** add ability to sign in with login code ([#271](https://github.com/pocket-id/pocket-id/issues/271)) ([eb1426e](https://github.com/pocket-id/pocket-id/commit/eb1426ed2684b5ddd185db247a8e082b28dfd014))
+* increase default item count per page ([a9713cf](https://github.com/pocket-id/pocket-id/commit/a9713cf6a1e3c879dc773889b7983e51bbe3c45b))
+
+
+### Bug Fixes
+
+* add back setup page ([6a8dd84](https://github.com/pocket-id/pocket-id/commit/6a8dd84ca9396ff3369385af22f7e1f081bec2b2))
+* add timeout to update check ([04efc36](https://github.com/pocket-id/pocket-id/commit/04efc3611568a0b0127b542b8cc252d9e783af46))
+* make sorting consistent around tables ([8e344f1](https://github.com/pocket-id/pocket-id/commit/8e344f1151628581b637692a1de0e48e7235a22d))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.6...v) (2025-03-06)
+
+
+### Features
+
+* display groups on the account page ([#296](https://github.com/pocket-id/pocket-id/issues/296)) ([0f14a93](https://github.com/pocket-id/pocket-id/commit/0f14a93e1d6a723b0994ba475b04702646f04464))
+* enable sd_notify support ([#277](https://github.com/pocket-id/pocket-id/issues/277)) ([91f254c](https://github.com/pocket-id/pocket-id/commit/91f254c7bb067646c42424c5c62ebcd90a0c8792))
+
+
+### Bug Fixes
+
+* default sorting on tables ([#299](https://github.com/pocket-id/pocket-id/issues/299)) ([ff34e3b](https://github.com/pocket-id/pocket-id/commit/ff34e3b925321c80e9d7d42d0fd50e397d198435))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.5...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* support `LOGIN` authentication method for SMTP ([#292](https://github.com/pocket-id/pocket-id/issues/292)) ([2d733fc](https://github.com/pocket-id/pocket-id/commit/2d733fc79faefca23d54b22768029c3ba3427410))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.4...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* profile picture orientation if image is rotated with EXIF ([1026ee4](https://github.com/pocket-id/pocket-id/commit/1026ee4f5b5c7fda78b65c94a5d0f899525defd1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.3...v) (2025-03-01)
+
+
+### Bug Fixes
+
+* add `groups` scope and claim to well known endpoint ([4bafee4](https://github.com/pocket-id/pocket-id/commit/4bafee4f58f5a76898cf66d6192916d405eea389))
+* profile picture of other user can't be updated ([#273](https://github.com/pocket-id/pocket-id/issues/273)) ([ef25f6b](https://github.com/pocket-id/pocket-id/commit/ef25f6b6b84b52f1310d366d40aa3769a6fe9bef))
+* support POST for OIDC userinfo endpoint ([1652cc6](https://github.com/pocket-id/pocket-id/commit/1652cc65f3f966d018d81a1ae22abb5ff1b4c47b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.2...v) (2025-02-25)
+
+
+### Bug Fixes
+
+* add option to manually select SMTP TLS method ([#268](https://github.com/pocket-id/pocket-id/issues/268)) ([01a9de0](https://github.com/pocket-id/pocket-id/commit/01a9de0b04512c62d0f223de33d711f93c49b9cc))
+* **ldap:** sync error if LDAP user collides with an existing user ([fde951b](https://github.com/pocket-id/pocket-id/commit/fde951b543281fedf9f602abae26b50881e3d157))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.1...v) (2025-02-24)
+
+
+### Bug Fixes
+
+* delete profile picture if user gets deleted ([9a167d4](https://github.com/pocket-id/pocket-id/commit/9a167d4076872e5e3e5d78d2a66ef7203ca5261b))
+* updating profile picture of other user updates own profile picture ([887c5e4](https://github.com/pocket-id/pocket-id/commit/887c5e462a50c8fb579ca6804f1a643d8af78fe8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.0...v) (2025-02-22)
+
+
+### Bug Fixes
+
+* add validation that `PUBLIC_APP_URL` can't contain a path ([a6ae7ae](https://github.com/pocket-id/pocket-id/commit/a6ae7ae28713f7fc8018ae2aa7572986df3e1a5b))
+* binary profile picture can't be imported from LDAP ([840a672](https://github.com/pocket-id/pocket-id/commit/840a672fc35ca8476caf86d7efaba9d54bce86aa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.34.0...v) (2025-02-19)
+
+
+### Features
+
+* add ability to upload a profile picture ([#244](https://github.com/pocket-id/pocket-id/issues/244)) ([652ee6a](https://github.com/pocket-id/pocket-id/commit/652ee6ad5d6c46f0d35c955ff7bb9bdac6240ca6))
+
+
+### Bug Fixes
+
+* app config strings starting with a number are parsed incorrectly ([816c198](https://github.com/pocket-id/pocket-id/commit/816c198a42c189cb1f2d94885d2e3623e47e2848))
+* emails do not get rendered correctly in Gmail ([dca9e7a](https://github.com/pocket-id/pocket-id/commit/dca9e7a11a3ba5d3b43a937f11cb9d16abad2db5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.33.0...v) (2025-02-16)
+
+
+### Features
+
+* add LDAP group membership attribute ([#236](https://github.com/pocket-id/pocket-id/issues/236)) ([39b46e9](https://github.com/pocket-id/pocket-id/commit/39b46e99a9b930ea39cf640c3080530cfff5be6e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.32.0...v) (2025-02-14)
+
+
+### Features
+
+* add end session endpoint ([#232](https://github.com/pocket-id/pocket-id/issues/232)) ([7550333](https://github.com/pocket-id/pocket-id/commit/7550333fe2ff6424f3168f63c5179d76767532fd))
+
+
+### Bug Fixes
+
+* alignment of OIDC client details ([c3980d3](https://github.com/pocket-id/pocket-id/commit/c3980d3d28a7158a4dc9369af41f185b891e485e))
+* layout of OIDC client details page on mobile ([3de1301](https://github.com/pocket-id/pocket-id/commit/3de1301fa84b3ab4fff4242d827c7794d44910f2))
+* show  "Sync Now" and "Test Email" button even if UI config is disabled ([4d0fff8](https://github.com/pocket-id/pocket-id/commit/4d0fff821e2245050ce631b4465969510466dfae))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.31.0...v) (2025-02-13)
+
+
+### Features
+
+* add ability to set custom Geolite DB URL ([2071d00](https://github.com/pocket-id/pocket-id/commit/2071d002fc5c3b5ff7a3fca6a5c99f5517196853))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.30.0...v) (2025-02-12)
+
+
+### Features
+
+* add ability to override the UI configuration with environment variables ([4e85842](https://github.com/pocket-id/pocket-id/commit/4e858420e9d9713e19f3b35c45c882403717f72f))
+* add warning for only having one passkey configured ([#220](https://github.com/pocket-id/pocket-id/issues/220)) ([39e403d](https://github.com/pocket-id/pocket-id/commit/39e403d00f3870f9e960427653a1d9697da27a6f))
+* display source in user and group table ([#225](https://github.com/pocket-id/pocket-id/issues/225)) ([9ed2adb](https://github.com/pocket-id/pocket-id/commit/9ed2adb0f8da13725fd9a4ef6a7798c377d13513))
+
+
+### Bug Fixes
+
+* user linking in ldap group sync ([#222](https://github.com/pocket-id/pocket-id/issues/222)) ([2d78349](https://github.com/pocket-id/pocket-id/commit/2d78349b381d7ca10f47d3c03cef685a576b1b49))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.29.0...v) (2025-02-08)
+
+
+### Features
+
+* add custom ldap search filters ([#216](https://github.com/pocket-id/pocket-id/issues/216)) ([626f87d](https://github.com/pocket-id/pocket-id/commit/626f87d59211f4129098b91dc1d020edb4aca692))
+* update host configuration to allow external access ([#218](https://github.com/pocket-id/pocket-id/issues/218)) ([bea1158](https://github.com/pocket-id/pocket-id/commit/bea115866fd8e4b15d3281c422d2fb72312758b1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.28.1...v) (2025-02-05)
+
+
+### Features
+
+* add JSON support in custom claims ([15cde6a](https://github.com/pocket-id/pocket-id/commit/15cde6ac66bc857ac28df545a37c1f4341977595))
+* add option to disable Caddy in the Docker container ([e864d5d](https://github.com/pocket-id/pocket-id/commit/e864d5dcbff1ef28dc6bf120e4503093a308c5c8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.28.0...v) (2025-02-04)
+
+
+### Bug Fixes
+
+* don't return error page if version info fetching failed ([d06257e](https://github.com/stonith404/pocket-id/commit/d06257ec9b5e46e25e40c174b4bef02dca0a1ea3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)
+
+
+### Features
+
+* allow LDAP users and groups to be deleted if LDAP gets disabled ([9ab1787](https://github.com/stonith404/pocket-id/commit/9ab178712aa3cc71546a89226e67b7ba91245251))
+* map allowed groups to OIDC clients ([#202](https://github.com/stonith404/pocket-id/issues/202)) ([13b02a0](https://github.com/stonith404/pocket-id/commit/13b02a072f20ce10e12fd8b897cbf42a908f3291))
+
+
+### Bug Fixes
+
+* **caddy:** trusted_proxies for IPv6 enabled hosts ([#189](https://github.com/stonith404/pocket-id/issues/189)) ([37a835b](https://github.com/stonith404/pocket-id/commit/37a835b44e308622f6862de494738dd2bfb58ef0))
+* missing user service dependency ([61e71ad](https://github.com/stonith404/pocket-id/commit/61e71ad43b8f0f498133d3eb2381382e7bc642b9))
+* non LDAP user group can't be updated after update ([ecd74b7](https://github.com/stonith404/pocket-id/commit/ecd74b794f1ffb7da05bce0046fb8d096b039409))
+* use cursor pointer on clickable elements ([7798580](https://github.com/stonith404/pocket-id/commit/77985800ae9628104e03e7f2e803b7ed9eaaf4e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.1...v) (2025-01-27)
+
+
+### Bug Fixes
+
+* smtp hello for tls connections ([#180](https://github.com/stonith404/pocket-id/issues/180)) ([781ff7a](https://github.com/stonith404/pocket-id/commit/781ff7ae7b84b13892e7a565b7a78f20c52ee2c9))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
+
+
+### Bug Fixes
+
+* add `__HOST` prefix to cookies ([#175](https://github.com/stonith404/pocket-id/issues/175)) ([164ce6a](https://github.com/stonith404/pocket-id/commit/164ce6a3d7fa8ae5275c94302952cf318e3b3113))
+* send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command ([397544c](https://github.com/stonith404/pocket-id/commit/397544c0f3f2b49f1f34ae53e6b9daf194d1ae28))
+* use OS hostname for SMTP EHLO message ([47c39f6](https://github.com/stonith404/pocket-id/commit/47c39f6d382c496cb964262adcf76cc8dbb96da3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.26.0...v) (2025-01-22)
+
+
+### Features
+
+* display private IP ranges correctly in audit log ([#139](https://github.com/stonith404/pocket-id/issues/139)) ([72923bb](https://github.com/stonith404/pocket-id/commit/72923bb86dc5d07d56aea98cf03320667944b553))
+
+
+### Bug Fixes
+
+* add save changes dialog before sending test email ([#165](https://github.com/stonith404/pocket-id/issues/165)) ([d02f475](https://github.com/stonith404/pocket-id/commit/d02f4753f3fbda75cd415ebbfe0702765c38c144))
+* ensure the downloaded GeoLite2 DB is not corrupted & prevent RW race condition ([#138](https://github.com/stonith404/pocket-id/issues/138)) ([f7710f2](https://github.com/stonith404/pocket-id/commit/f7710f298898d322885c1c83680e26faaa0bb800))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.1...v) (2025-01-20)
+
+
+### Features
+
+* support wildcard callback URLs ([8a1db0c](https://github.com/stonith404/pocket-id/commit/8a1db0cb4a5d4b32b4fdc19d41fff688a7c71a56))
+
+
+### Bug Fixes
+
+* non LDAP users get created with a empty LDAP ID string ([3f02d08](https://github.com/stonith404/pocket-id/commit/3f02d081098ad2caaa60a56eea4705639f80d01f))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.0...v) (2025-01-19)
+
+
+### Bug Fixes
+
+* disable account details inputs if user is imported from LDAP ([a8b9d60](https://github.com/stonith404/pocket-id/commit/a8b9d60a86e80c10d6fba07072b1d32cec400ecb))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.1...v) (2025-01-19)
+
+
+### Features
+
+* add LDAP sync ([#106](https://github.com/stonith404/pocket-id/issues/106)) ([5101b14](https://github.com/stonith404/pocket-id/commit/5101b14eec68a9507e1730994178d0ebe8185876))
+* allow sign in with email ([#100](https://github.com/stonith404/pocket-id/issues/100)) ([06b90ed](https://github.com/stonith404/pocket-id/commit/06b90eddd645cce57813f2536e4a6a8836548f2b))
+* automatically authorize client if signed in ([d5dd118](https://github.com/stonith404/pocket-id/commit/d5dd118a3f4ad6eed9ca496c458201bb10f148a0))
+
+
+### Bug Fixes
+
+* always set secure on cookie ([#130](https://github.com/stonith404/pocket-id/issues/130)) ([fda08ac](https://github.com/stonith404/pocket-id/commit/fda08ac1cd88842e25dc47395ed1288a5cfac4f8))
+* don't panic if LDAP sync fails on startup ([e284e35](https://github.com/stonith404/pocket-id/commit/e284e352e2b95fac1d098de3d404e8531de4b869))
+* improve spacing of checkboxes on application configuration page ([090eca2](https://github.com/stonith404/pocket-id/commit/090eca202d198852e6fbf4e6bebaf3b5ada13944))
+* search input not displayed if response hasn't any items ([05a98eb](https://github.com/stonith404/pocket-id/commit/05a98ebe87d7a88e8b96b144c53250a40d724ec3))
+* session duration ignored in cookie expiration ([bc8f454](https://github.com/stonith404/pocket-id/commit/bc8f454ea173ecc60e06450a1d22e24207f76714))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.0...v) (2025-01-13)
+
+
+### Bug Fixes
+
+* audit log table overflow if row data is long ([4d337a2](https://github.com/stonith404/pocket-id/commit/4d337a20c5cb92ef80bb7402f9b99b08e3ad0b6b))
+* optional arguments not working with `create-one-time-access-token.sh` ([8885571](https://github.com/stonith404/pocket-id/commit/888557171d61589211b10f70dce405126216ad61))
+* remove restrictive validation for group names ([be6e25a](https://github.com/stonith404/pocket-id/commit/be6e25a167de8bf07075b46f09d9fc1fa6c74426))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.23.0...v) (2025-01-11)
+
+
+### Features
+
+* add sorting for tables ([fd69830](https://github.com/stonith404/pocket-id/commit/fd69830c2681985e4fd3c5336a2b75c9fb7bc5d4))
+
+
+### Bug Fixes
+
+* pkce state not correctly reflected in oidc client info ([61d18a9](https://github.com/stonith404/pocket-id/commit/61d18a9d1b167ff59a59523ff00d00ca8f23258d))
+* send test email to the user that has requested it ([a649c4b](https://github.com/stonith404/pocket-id/commit/a649c4b4a543286123f4d1f3c411fe1a7e2c6d71))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.22.0...v) (2025-01-03)
+
+
+### Features
+
+* add PKCE for non public clients ([adcf3dd](https://github.com/stonith404/pocket-id/commit/adcf3ddc6682794e136a454ef9e69ddd130626a8))
+* use same table component for OIDC client list as all other lists ([2d31fc2](https://github.com/stonith404/pocket-id/commit/2d31fc2cc9201bb93d296faae622f52c6dcdfebc))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.21.0...v) (2025-01-01)
+
+
+### Features
+
+* add warning if passkeys missing ([2d0bd8d](https://github.com/stonith404/pocket-id/commit/2d0bd8dcbfb73650b7829cb66f40decb284bd73b))
+
+
+### Bug Fixes
+
+* allow first and last name of user to be between 1 and 50 characters ([1ff20ca](https://github.com/stonith404/pocket-id/commit/1ff20caa3ccd651f9fb30f958ffb807dfbbcbd8a))
+* hash in callback url is incorrectly appended ([f6f2736](https://github.com/stonith404/pocket-id/commit/f6f2736bba65eee017f2d8cdaa70621574092869))
+* make user validation consistent between pages ([333a1a1](https://github.com/stonith404/pocket-id/commit/333a1a18d59f675111f4ed106fa5614ef563c6f4))
+* passkey can't be added if `PUBLIC_APP_URL` includes a port ([0729ce9](https://github.com/stonith404/pocket-id/commit/0729ce9e1a8dab9912900a01dcd0fbd892718a1a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.20.1...v) (2024-12-17)
+
+
+### Features
+
+* improve error state design for login page ([0716c38](https://github.com/stonith404/pocket-id/commit/0716c38fb8ce7fa719c7fe0df750bdb213786c21))
+
+
+### Bug Fixes
+
+* OIDC client logo gets removed if other properties get updated ([789d939](https://github.com/stonith404/pocket-id/commit/789d9394a533831e7e2fb8dc3f6b338787336ad8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.20.0...v) (2024-12-13)
+
+
+### Bug Fixes
+
+* `create-one-time-access-token.sh` script not compatible with postgres ([34e3519](https://github.com/stonith404/pocket-id/commit/34e35193f9f3813f6248e60f15080d753e8da7ae))
+* wrong date time datatype used for read operations with Postgres ([bad901e](https://github.com/stonith404/pocket-id/commit/bad901ea2b661aadd286e5e4bed317e73bd8a70d))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.19.0...v) (2024-12-12)
+
+
+### Features
+
+* add support for Postgres database provider ([#79](https://github.com/stonith404/pocket-id/issues/79)) ([9d20a98](https://github.com/stonith404/pocket-id/commit/9d20a98dbbc322fa6f0644e8b31e6b97769887ce))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.18.0...v) (2024-11-29)
+
+
+### Features
+
+* **geolite:** add Tailscale IP detection with CGNAT range check  ([#77](https://github.com/stonith404/pocket-id/issues/77)) ([edce3d3](https://github.com/stonith404/pocket-id/commit/edce3d337129c9c6e8a60df2122745984ba0f3e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.17.0...v) (2024-11-28)
+
+
+### Features
+
+* add option to disable TLS for email sending ([f9fa2c6](https://github.com/stonith404/pocket-id/commit/f9fa2c6706a8bf949fe5efd6664dec8c80e18659))
+* allow empty user and password in SMTP configuration ([a9f4dad](https://github.com/stonith404/pocket-id/commit/a9f4dada321841d3611b15775307228b34e7793f))
+
+
+### Bug Fixes
+
+* email save toast shows two times ([f2bfc73](https://github.com/stonith404/pocket-id/commit/f2bfc731585ad7424eb8c4c41c18368fc0f75ffc))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.16.0...v) (2024-11-26)
+
+
+### ⚠ BREAKING CHANGES
+
+* add option to specify the Max Mind license key for the Geolite2 db
+
+### Features
+
+* add option to specify the Max Mind license key for the Geolite2 db ([fcf08a4](https://github.com/stonith404/pocket-id/commit/fcf08a4d898160426442bd80830f4431988f4313))
+
+
+### Bug Fixes
+
+* don't try to create a new user if the Docker user is not root ([#71](https://github.com/stonith404/pocket-id/issues/71)) ([0e95e9c](https://github.com/stonith404/pocket-id/commit/0e95e9c56f4c3f84982f508fdb6894ba747952b4))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.15.0...v) (2024-11-24)
+
+
+### Features
+
+* add health check ([058084e](https://github.com/stonith404/pocket-id/commit/058084ed64816b12108e25bf04af988fc97772ed))
+* improve error message for invalid callback url ([f637a89](https://github.com/stonith404/pocket-id/commit/f637a89f579aefb8dc3c3c16a27ef0bc453dfe40))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.14.0...v) (2024-11-21)
+
+
+### Features
+
+* add option to skip TLS certificate check and ability to send test email ([653d948](https://github.com/stonith404/pocket-id/commit/653d948f73b61e6d1fd3484398fef1a2a37e6d92))
+* add PKCE support ([3613ac2](https://github.com/stonith404/pocket-id/commit/3613ac261cf65a2db0620ff16dc6df239f6e5ecd))
+
+
+### Bug Fixes
+
+* mobile layout overflow on application configuration page ([e784093](https://github.com/stonith404/pocket-id/commit/e784093342f9977ea08cac65ff0c3de4d2644872))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.13.1...v) (2024-11-11)
+
+
+### Features
+
+* add audit log event for one time access token sign in ([aca2240](https://github.com/stonith404/pocket-id/commit/aca2240a50a12e849cfb6e1aa56390b000aebae0))
+
+
+### Bug Fixes
+
+* overflow of pagination control on mobile ([de45398](https://github.com/stonith404/pocket-id/commit/de4539890349153c467013c24c4d6b30feb8fed8))
+* time displayed incorrectly in audit log ([3d3fb4d](https://github.com/stonith404/pocket-id/commit/3d3fb4d855ef510f2292e98fcaaaf83debb5d3e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.13.0...v) (2024-11-01)
+
+
+### Features
+
+* add list empty indicator ([becfc00](https://github.com/stonith404/pocket-id/commit/becfc0004a87c01e18eb92ac85bf4e33f105b6a3))
+
+
+### Bug Fixes
+
+* errors in middleware do not abort the request ([376d747](https://github.com/stonith404/pocket-id/commit/376d747616b1e835f252d20832c5ae42b8b0b737))
+* typo in Self-Account Editing description ([5b9f4d7](https://github.com/stonith404/pocket-id/commit/5b9f4d732615f428c13d3317da96a86c5daebd89))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.12.0...v) (2024-10-31)
+
+
+### Features
+
+* add ability to define expiration of one time link ([2ccabf8](https://github.com/stonith404/pocket-id/commit/2ccabf835c2c923d6986d9cafb4e878f5110b91a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.11.0...v) (2024-10-28)
+
+
+### Features
+
+* add option to disable self-account editing ([8304065](https://github.com/stonith404/pocket-id/commit/83040656525cf7b6c8f2acf416c5f8f3288f3d48))
+* add validation to custom claim input ([7bfc3f4](https://github.com/stonith404/pocket-id/commit/7bfc3f43a591287c038187ed5e782de6b9dd738b))
+* custom claims ([#53](https://github.com/stonith404/pocket-id/issues/53)) ([c056089](https://github.com/stonith404/pocket-id/commit/c056089c6043a825aaaaecf0c57454892a108f1d))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.10.0...v) (2024-10-25)
+
+
+### Features
+
+* add `email_verified` claim ([5565f60](https://github.com/stonith404/pocket-id/commit/5565f60d6d62ca24bedea337e21effc13e5853a5))
+
+
+### Bug Fixes
+
+* powered by link text color in light mode ([18c5103](https://github.com/stonith404/pocket-id/commit/18c5103c20ce79abdc0f724cdedd642c09269e78))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.9.0...v) (2024-10-23)
+
+
+### Features
+
+* add script for creating one time access token ([a1985ce](https://github.com/stonith404/pocket-id/commit/a1985ce1b200550e91c5cb42a8d19899dcec831e))
+* add version information to footer and update link if new update is available ([70ad0b4](https://github.com/stonith404/pocket-id/commit/70ad0b4f39699fd81ffdfd5c8d6839f49348be78))
+
+
+### Bug Fixes
+
+* cache version information for 3 hours ([29d632c](https://github.com/stonith404/pocket-id/commit/29d632c1514d6edacdfebe6deae4c95fc5a0f621))
+* improve text for initial admin account setup ([0a07344](https://github.com/stonith404/pocket-id/commit/0a0734413943b1fff27d8f4ccf07587e207e2189))
+* increase callback url count ([f3f0e1d](https://github.com/stonith404/pocket-id/commit/f3f0e1d56d7656bdabbd745a4eaf967f63193b6c))
+* no DTO was returned from exchange one time access token endpoint ([824c5cb](https://github.com/stonith404/pocket-id/commit/824c5cb4f3d6be7f940c1758112fbe9322df5768))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.8.1...v) (2024-10-18)
+
+
+### Features
+
+* add environment variable to change the caddy port in Docker ([ff06bf0](https://github.com/stonith404/pocket-id/commit/ff06bf0b34496ce472ba6d3ebd4ea249f21c0ec3))
+* use improve table for users and audit logs ([11ed661](https://github.com/stonith404/pocket-id/commit/11ed661f86a512f78f66d604a10c1d47d39f2c39))
+
+
+### Bug Fixes
+
+* allow copy to clipboard for client secret ([29748cc](https://github.com/stonith404/pocket-id/commit/29748cc6c7b7e5a6b54bfe837e0b1a98fa1ad594))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.8.0...v) (2024-10-11)
+
+
+### Bug Fixes
+
+* add key id to JWK ([282ff82](https://github.com/stonith404/pocket-id/commit/282ff82b0c7e2414b3528c8ca325758245b8ae61))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.7.1...v) (2024-10-04)
+
+
+### Features
+
+* add location based on ip to the audit log ([025378d](https://github.com/stonith404/pocket-id/commit/025378d14edd2d72da76e90799a0ccdd42cf672c))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.7.0...v) (2024-10-03)
+
+
+### Bug Fixes
+
+* initials don't get displayed if Gravatar avatar doesn't exist ([e095628](https://github.com/stonith404/pocket-id/commit/e09562824a794bc7d240e9d229709d4b389db7d5))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.6.0...v) (2024-10-03)
+
+
+### ⚠ BREAKING CHANGES
+
+* add ability to set light and dark mode logo
+
+### Features
+
+* add ability to set light and dark mode logo ([be45eed](https://github.com/stonith404/pocket-id/commit/be45eed125e33e9930572660a034d5f12dc310ce))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.3...v) (2024-10-02)
+
+
+### Features
+
+* add copy to clipboard option for OIDC client information ([f82020c](https://github.com/stonith404/pocket-id/commit/f82020ccfb0d4fbaa1dd98182188149d8085252a))
+* add gravatar profile picture integration ([365734e](https://github.com/stonith404/pocket-id/commit/365734ec5d8966c2ab877c60cfb176b9cdc36880))
+* add user groups ([24c948e](https://github.com/stonith404/pocket-id/commit/24c948e6a66f283866f6c8369c16fa6cbcfa626c))
+
+
+### Bug Fixes
+
+* only return user groups if it is explicitly requested ([a4a90a1](https://github.com/stonith404/pocket-id/commit/a4a90a16a9726569a22e42560184319b25fd7ca6))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.2...v) (2024-09-26)
+
+
+### Bug Fixes
+
+* add space to "Firstname" and "Lastname" label ([#31](https://github.com/stonith404/pocket-id/issues/31)) ([d6a9bb4](https://github.com/stonith404/pocket-id/commit/d6a9bb4c09efb8102da172e49c36c070b341f0fc))
+* port environment variables get ignored in caddyfile ([3c67765](https://github.com/stonith404/pocket-id/commit/3c67765992d7369a79812bc8cd216c9ba12fd96e))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.1...v) (2024-09-19)
+
+
+### Bug Fixes
+
+* updated application name doesn't apply to webauthn credential ([924bb14](https://github.com/stonith404/pocket-id/commit/924bb1468bbd8e42fa6a530ef740be73ce3b3914))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.0...v) (2024-09-16)
+
+
+### Features
+
+* **email:** improve email templating ([#27](https://github.com/stonith404/pocket-id/issues/27)) ([64cf562](https://github.com/stonith404/pocket-id/commit/64cf56276a07169bc601a11be905c1eea67c4750))
+
+
+### Bug Fixes
+
+* debounce oidc client and user search ([9c2848d](https://github.com/stonith404/pocket-id/commit/9c2848db1d93c230afc6c5f64e498e9f6df8c8a7))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.4.1...v) (2024-09-09)
+
+
+### Features
+
+* add audit log with email notification ([#26](https://github.com/stonith404/pocket-id/issues/26)) ([9121239](https://github.com/stonith404/pocket-id/commit/9121239dd7c14a2107a984f9f94f54227489a63a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.4.0...v) (2024-09-06)
+
+
+### Features
+
+* add name claim to userinfo endpoint and id token ([4e7574a](https://github.com/stonith404/pocket-id/commit/4e7574a297307395603267c7a3285d538d4111d8))
+
+
+### Bug Fixes
+
+* limit width of content on large screens ([c6f83a5](https://github.com/stonith404/pocket-id/commit/c6f83a581ad385391d77fec7eeb385060742f097))
+* show error message if error occurs while authorizing new client ([8038a11](https://github.com/stonith404/pocket-id/commit/8038a111dd7fa8f5d421b29c3bc0c11d865dc71b))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.3.1...v) (2024-09-03)
+
+
+### Features
+
+* add setup details to oidc client details ([fd21ce5](https://github.com/stonith404/pocket-id/commit/fd21ce5aac1daeba04e4e7399a0720338ea710c2))
+* add support for more username formats ([903b0b3](https://github.com/stonith404/pocket-id/commit/903b0b39181c208e9411ee61849d2671e7c56dc5))
+
+
+### Bug Fixes
+
+* non pointer passed to create user ([e7861df](https://github.com/stonith404/pocket-id/commit/e7861df95a6beecab359d1c56f4383373f74bb73))
+* oidc client logo not displayed on authorize page ([28ed064](https://github.com/stonith404/pocket-id/commit/28ed064668afeec8f80adda59ba94f1fc2fbce17))
+* typo in hasLogo property of oidc dto ([2b9413c](https://github.com/stonith404/pocket-id/commit/2b9413c7575e1322f8547490a9b02a1836bad549))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.3.0...v) (2024-08-24)
+
+
+### Bug Fixes
+
+* empty lists don't get returned correctly from the api ([97f7fc4](https://github.com/stonith404/pocket-id/commit/97f7fc4e288c2bb49210072a7a151b58ef44f5b5))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.2.1...v) (2024-08-23)
+
+
+### Features
+
+* add support for multiple callback urls ([8166e2e](https://github.com/stonith404/pocket-id/commit/8166e2ead7fc71a0b7a45950b05c5c65a60833b6))
+
+
+### Bug Fixes
+
+* db migration for multiple callback urls ([552d7cc](https://github.com/stonith404/pocket-id/commit/552d7ccfa58d7922ecb94bdfe6a86651b4cf2745))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.2.0...v) (2024-08-19)
+
+
+### Bug Fixes
+
+* session duration can't be updated ([4780548](https://github.com/stonith404/pocket-id/commit/478054884389ed8a08d707fd82da7b31177a67e5))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.1.3...v) (2024-08-19)
+
+
+### Features
+
+* add `INTERNAL_BACKEND_URL` env variable ([0595d73](https://github.com/stonith404/pocket-id/commit/0595d73ea5afbd7937b8f292ffe624139f818f41))
+* add user info endpoint to support more oidc clients ([fdc1921](https://github.com/stonith404/pocket-id/commit/fdc1921f5dcb5ac6beef8d1c9b1b7c53f514cce5))
+* change default logo ([9eec7a3](https://github.com/stonith404/pocket-id/commit/9eec7a3e9eb7f690099f38a5d4cf7c2516ea9ef9))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.1.2...v) (2024-08-13)
+
+
+### Bug Fixes
+
+* add missing passkey flags to make icloud passkeys work ([cc407e1](https://github.com/stonith404/pocket-id/commit/cc407e17d409041ed88b959ce13bd581663d55c3))
+* logo not white in dark mode ([5749d05](https://github.com/stonith404/pocket-id/commit/5749d0532fc38bf2fc66571878b7c71643895c9e))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.1.1...v) (2024-08-13)
+
+
+### Features
+
+* add option to change session duration ([475b932](https://github.com/stonith404/pocket-id/commit/475b932f9d0ec029ada844072e9d89bebd4e902c))
+
+
+### Bug Fixes
+
+* a non admin user was able to make himself an admin ([df0cd38](https://github.com/stonith404/pocket-id/commit/df0cd38deeea516c47b26a080eed522f19f7290f))
+* background image not loading ([7b44189](https://github.com/stonith404/pocket-id/commit/7b4418958ebfffffd216ef5ba7313cfaad9bc9fa))
+* background image on mobile ([4a808c8](https://github.com/stonith404/pocket-id/commit/4a808c86ac204f9b58cfa02f5ceb064162a87076))
+* disable search engine indexing ([8395492](https://github.com/stonith404/pocket-id/commit/83954926f5ee328ebf75a75bb47b380ec0680378))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.1.0...v) (2024-08-12)
 
 

CONTRIBUTING.md

@@ -31,8 +31,15 @@ Before you submit the pull request for review please ensure that
 - You run `npm run format` to format the code
 
 ## Setup project
+Pocket ID consists of a frontend, backend and a reverse proxy. There are two ways to get the development environment setup:
 
-Pocket ID consists of a frontend, backend and a reverse proxy.
+## 1. Using DevContainers
+1. Make sure you have [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension installed
+2. Clone and open the repo in VS Code
+3. VS Code will detect .devcontainer and will prompt you to open the folder in devcontainer
+4. If the auto prompt does not work, hit `F1` and select `Dev Containers: Open Folder in Container.`, then select the pocket-id repo root folder and it'll open in container.
+
+## 2. Manual
 
 ### Backend
 
@@ -55,13 +62,17 @@ The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in Ty
 3. Install the dependencies with `npm install`
 4. Start the frontend with `npm run dev`
 
-You're all set!
-
 ### Reverse Proxy
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.
 
 #### Setup
-Run `caddy run --config Caddyfile` in the root folder.
+Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.
+
+You're all set!
+
+## Debugging
+1. The VS Code is currently setup to auto launch caddy on opening the folder. (Defined in [tasks.json](.vscode/tasks.json))
+2. Press `F5` to start a debug session. This will launch both frontend and backend and attach debuggers to those process. (Defined in [launch.json](.vscode/launch.json))
 
 ### Testing
 
@@ -69,5 +80,5 @@ We are using [Playwright](https://playwright.dev) for end-to-end testing.
 
 The tests can be run like this:
 1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
+2. Start the frontend in production mode with `npm run build && node --env-file=.env build/index.js`
 3. Run the tests with `npm run test`

Caddyfile

@@ -1,10 +0,0 @@
-:80 {
-    reverse_proxy /api/* http://localhost:8080
-    reverse_proxy /.well-known/* http://localhost:8080
-    reverse_proxy /* http://localhost:3000
-
-    log {
-        output file /var/log/caddy/access.log
-        level WARN
-    }
-}

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
+FROM node:22-alpine AS frontend-builder
 WORKDIR /app/frontend
 COPY ./frontend/package*.json ./
 RUN npm ci
@@ -8,7 +8,7 @@ RUN npm run build
 RUN npm prune --production
 
 # Stage 2: Build Backend
-FROM golang:1.22-alpine AS backend-builder
+FROM golang:1.23-alpine AS backend-builder
 WORKDIR /app/backend
 COPY ./backend/go.mod ./backend/go.sum ./
 RUN go mod download
@@ -20,9 +20,12 @@ WORKDIR /app/backend/cmd
 RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 
 # Stage 3: Production Image
-FROM node:20-alpine
-RUN apk add --no-cache caddy
-COPY ./Caddyfile /etc/caddy/Caddyfile
+FROM node:22-alpine
+# Delete default node user
+RUN deluser --remove-home node
+
+RUN apk add --no-cache caddy curl su-exec
+COPY ./reverse-proxy /etc/caddy/
 
 WORKDIR /app
 COPY --from=frontend-builder /app/frontend/build ./frontend/build
@@ -30,13 +33,12 @@ COPY --from=frontend-builder /app/frontend/node_modules ./frontend/node_modules
 COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json
 
 COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend
-COPY --from=backend-builder /app/backend/migrations ./backend/migrations
-COPY --from=backend-builder /app/backend/images ./backend/images
 
 COPY ./scripts ./scripts
+RUN chmod +x ./scripts/**/*.sh
 
-EXPOSE 3000
+EXPOSE 80
 ENV APP_ENV=production
 
-# Use a shell form to run both the frontend and backend
-CMD ["sh", "./scripts/docker-entrypoint.sh"]
+ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]

README.md

@@ -1,138 +1,20 @@
-# <div align="center"><img  src="https://github.com/user-attachments/assets/5b5e0d42-e2b4-4523-add5-ac87042a72f1" width="100"/> </br>Pocket ID</div>
+# <div align="center"><img  src="https://github.com/user-attachments/assets/4ceb2708-9f29-4694-b797-be833efce17d" width="100"/> </br>Pocket ID</div>
 
 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
 
-<img src="https://github.com/user-attachments/assets/953c534c-b667-44e5-b976-a59142f1efb8" width="1200"/>
+→ Try out the [Demo](https://demo.pocket-id.org)
 
-The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases. Additionally, Pocket ID only support passkey authentication which is a passwordless authentication method.
+<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>
+
+The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
+
+Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.
 
 ## Setup
 
-> [!WARNING]  
-> Pocket ID is in its early stages and may contain bugs.
+Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.
 
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](#environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Stand-alone Installation
-
-Required tools:
-
-- [Node.js](https://nodejs.org/en/download/) >= 20
-- [Go](https://golang.org/doc/install) >= 1.22
-- [Git](https://git-scm.com/downloads)
-- [PM2](https://pm2.keymetrics.io/)
-- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-   
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-2. Run the following commands:
-
-    ```bash
-    git clone https://github.com/stonith404/pocket-id
-    cd pocket-id
-
-    # Checkout the latest version
-    git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-    # Start the backend
-    cd backend/cmd
-    go build -o ../pocket-id-backend
-    cd ..
-    pm2 start pocket-id-backend --name pocket-id-backend
-
-    # Start the frontend
-    cd ../frontend
-    npm install
-    npm run build
-    pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-    # Optional: Start Caddy (You can use any other reverse proxy)
-    cd ..
-    pm2 start --name pocket-id-caddy caddy -- run --config Caddyfile
-    ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Add Pocket ID as an OIDC provider
-
-You can add a new OIDC client on `https://<your-domain>/settings/admin/oidc-clients`
-
-After you have added the client, you can obtain the client ID and client secret.
-
-You may need the following information:
-
-- **Authorization URL**: `https://<your-domain>/authorize`
-- **Token URL**: `https://<your-domain>/api/oidc/token`
-- **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
-- **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
-- **PKCE**: `false` as this is not supported yet.
-
-### Update
-
-#### Docker
-
-```bash
-docker compose pull
-docker compose up -d
-```
-
-#### Stand-alone
-
-1. Stop the running services:
-   ```bash
-   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
-   ```
-2. Run the following commands:
-
-   ```bash
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start build/index.js --name pocket-id-frontend
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start caddy --name pocket-id-caddy -- run --config Caddyfile
-   ```
-
-### Environment variables
-
-| Variable         | Default Value       | Recommended to change | Description                                   |
-| ---------------- | ------------------- | --------------------- | --------------------------------------------- |
-| `PUBLIC_APP_URL` | `http://localhost`  | yes                   | The URL where you will access the app.        |
-| `DB_PATH`        | `data/pocket-id.db` | no                    | The path to the SQLite database.              |
-| `UPLOAD_PATH`    | `data/uploads`      | no                    | The path where the uploaded files are stored. |
-| `PORT`           | `3000`              | no                    | The port on which the frontend should listen. |
-| `BACKEND_PORT`   | `8080`              | no                    | The port on which the backend should listen.  |
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.
 
 ## Contribute
 

backend/.env.example

@@ -1,6 +1,10 @@
 APP_ENV=production
 PUBLIC_APP_URL=http://localhost
-DB_PATH=data/pocket-id.db
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
+DB_PROVIDER=sqlite
+# MAXMIND_LICENSE_KEY=fixme # needed for IP geolocation in the audit log
+SQLITE_DB_PATH=data/pocket-id.db
+POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
 PORT=8080
-HOST=localhost
+HOST=0.0.0.0

backend/.gitignore

@@ -13,4 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
-./data
+./data
+.env

backend/cmd/main.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"golang-rest-api-template/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )
 
 func main() {

backend/go.mod

@@ -1,63 +1,88 @@
-module golang-rest-api-template
+module github.com/pocket-id/pocket-id/backend
 
-go 1.22
+go 1.23.1
 
 require (
-	github.com/caarlos0/env/v11 v11.2.0
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
+	github.com/disintegration/imaging v1.6.2
+	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
+	github.com/emersion/go-smtp v0.21.3
 	github.com/fxamacker/cbor/v2 v2.7.0
-	github.com/gin-contrib/cors v1.7.2
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.11.0
-	github.com/go-webauthn/webauthn v0.11.0
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.17.1
+	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-playground/validator/v10 v10.24.0
+	github.com/go-webauthn/webauthn v0.11.2
+	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
-	golang.org/x/crypto v0.25.0
-	golang.org/x/time v0.6.0
-	gorm.io/driver/sqlite v1.5.6
-	gorm.io/gorm v1.25.11
+	github.com/lestrrat-go/jwx/v3 v3.0.0-alpha3
+	github.com/mileusna/useragent v1.3.5
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/image v0.24.0
+	golang.org/x/time v0.9.0
+	gorm.io/driver/postgres v1.5.11
+	gorm.io/driver/sqlite v1.5.7
+	gorm.io/gorm v1.25.12
 )
 
 require (
-	github.com/bytedance/sonic v1.12.1 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/disintegration/gift v1.1.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.22.0 // indirect
-	github.com/go-webauthn/x v0.1.12 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.9.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/sys v0.23.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/arch v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

backend/go.sum

@@ -1,73 +1,137 @@
-github.com/bytedance/sonic v1.12.1 h1:jWl5Qz1fy7X1ioY74WqO0KjAMtAGQs4sYnjiEBiyX24=
-github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
+github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.0 h1:kvB1ZmwdWgI3JsuuVUE7z4cY/6Ujr03D0w2WkOOH4Xs=
-github.com/caarlos0/env/v11 v11.2.0/go.mod h1:LwgkYk1kDvfGpHthrWWLof3Ny7PezzFwS4QrsJdHTMo=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
+github.com/disintegration/gift v1.1.2 h1:9ZyHJr+kPamiH10FX3Pynt1AxFUob812bU9Wt4GMzhs=
+github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec/go.mod h1:K0KBFIr1gWu/C1Gp10nFAcAE4hsB7JxE6OgLijrJ8Sk=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
+github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGVMY=
+github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/cors v1.7.2 h1:oLDHxdg8W/XDoN/8zamqk/Drgt4oVZDvaV0YmvVICQw=
-github.com/gin-contrib/cors v1.7.2/go.mod h1:SUJVARKgQ40dmrzgXEVxj2m7Ig1v1qIboQkPDTQ9t2E=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
-github.com/go-co-op/gocron/v2 v2.11.0 h1:IOowNA6SzwdRFnD4/Ol3Kj6G2xKfsoiiGq2Jhhm9bvE=
-github.com/go-co-op/gocron/v2 v2.11.0/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao=
-github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/go-webauthn/webauthn v0.11.0 h1:2U0jWuGeoiI+XSZkHPFRtwaYtqmMUsqABtlfSq1rODo=
-github.com/go-webauthn/webauthn v0.11.0/go.mod h1:57ZrqsZzD/eboQDVtBkvTdfqFYAh/7IwzdPT+sPWqB0=
-github.com/go-webauthn/x v0.1.12 h1:RjQ5cvApzyU/xLCiP+rub0PE4HBZsLggbxGR5ZpUf/A=
-github.com/go-webauthn/x v0.1.12/go.mod h1:XlRcGkNH8PT45TfeJYc6gqpOtiOendHhVmnOxh+5yHs=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.17.1 h1:4zQ6iqL6t6AiItphxJctQb3cFqWiSpMnX7wLTPnnYO4=
-github.com/golang-migrate/migrate/v4 v4.17.1/go.mod h1:m8hinFyWBn0SA4QKHuKh175Pm9wjmxj3S2Mia7dbXzM=
+github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
+github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
+github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
+github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -75,77 +139,189 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 h1:pzDjP9dSONCFQC/AE3mWUnHILGiYPiMKzQIS+weKJXA=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1/go.mod h1:wdsgouffPvWPEYh8t7PRH/PidR5sfVqt0na4Nhj60Ms=
+github.com/lestrrat-go/jwx/v3 v3.0.0-alpha3 h1:HHT8iW+UcPBgBr5A3soZQQsL5cBor/u6BkLB+wzY/R0=
+github.com/lestrrat-go/jwx/v3 v3.0.0-alpha3/go.mod h1:ak32WoNtHE0aLowVWBcCvXngcAnW4tuC0YhFwOr/kwc=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
+github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.9.0 h1:ub9TgUInamJ8mrZIGlBG6/4TqWeMszd4N8lNorbrr6k=
-golang.org/x/arch v0.9.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
+golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
-gorm.io/gorm v1.25.11 h1:/Wfyg1B/je1hnDx3sMkX+gAlxrlZpn6X0BXRlwXlvHg=
-gorm.io/gorm v1.25.11/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
+gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
+gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
+gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=

backend/images/logo.svg

@@ -1,17 +0,0 @@
-<svg id="a"
-    xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1015 1015">
-    <path d="M838.28,380.27c-13.38-135.36-124.37-245.08-263.77-257.28h-299.08c-26.25,0-47.57,21.21-47.7,47.46-1.2,233.2-2.39,466.4-3.59,699.61-.14,26.44,21.26,47.95,47.7,47.95h102.86c24.66,0,45.25-18.79,47.5-43.35,11.45-124.75,22.89-249.51,34.34-374.26-43.84-29.69-66.46-88.34-40.37-148.47,10.44-24.06,29.57-43.41,53.58-53.98,86.02-37.84,169.22,24.14,169.22,105.56,0,40.38-20.47,75.98-51.6,96.99,6.71,56.71,13.42,113.43,20.14,170.14,1.2,10.14,11.21,16.74,21.03,13.93,134.16-38.42,223.25-167.79,209.75-304.31Z"/>
-    <style>
-     @media (prefers-color-scheme: dark) {
-            #a path {
-                fill: #ffffff;
-            }
-        }
-
-        @media (prefers-color-scheme: light) {
-            #a path {
-                fill: #000000;
-            }
-        }
-    </style>
-</svg>

backend/internal/bootstrap/application_images_bootstrap.go

@@ -0,0 +1,60 @@
+package bootstrap
+
+import (
+	"log"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
+)
+
+// initApplicationImages copies the images from the images directory to the application-images directory
+func initApplicationImages() {
+	dirPath := common.EnvConfig.UploadPath + "/application-images"
+
+	sourceFiles, err := resources.FS.ReadDir("images")
+	if err != nil && !os.IsNotExist(err) {
+		log.Fatalf("Error reading directory: %v", err)
+	}
+
+	destinationFiles, err := os.ReadDir(dirPath)
+	if err != nil && !os.IsNotExist(err) {
+		log.Fatalf("Error reading directory: %v", err)
+	}
+
+	// Copy images from the images directory to the application-images directory if they don't already exist
+	for _, sourceFile := range sourceFiles {
+		if sourceFile.IsDir() || imageAlreadyExists(sourceFile.Name(), destinationFiles) {
+			continue
+		}
+		srcFilePath := path.Join("images", sourceFile.Name())
+		destFilePath := path.Join(dirPath, sourceFile.Name())
+
+		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
+		if err != nil {
+			log.Fatalf("Error copying file: %v", err)
+		}
+	}
+
+}
+
+func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
+	for _, destinationFile := range destinationFiles {
+		sourceFileWithoutExtension := getImageNameWithoutExtension(fileName)
+		destinationFileWithoutExtension := getImageNameWithoutExtension(destinationFile.Name())
+
+		if sourceFileWithoutExtension == destinationFileWithoutExtension {
+			return true
+		}
+	}
+
+	return false
+}
+
+func getImageNameWithoutExtension(fileName string) string {
+	splitted := strings.Split(fileName, ".")
+	return strings.Join(splitted[:len(splitted)-1], ".")
+}

backend/internal/bootstrap/bootstrap.go

@@ -1,78 +1,17 @@
 package bootstrap
 
 import (
-	"github.com/gin-gonic/gin"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/common/middleware"
-	"golang-rest-api-template/internal/handler"
-	"golang-rest-api-template/internal/job"
-	"golang-rest-api-template/internal/utils"
-	"golang.org/x/time/rate"
-	"log"
-	"os"
-	"time"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func Bootstrap() {
-	common.InitDatabase()
-	common.InitDbConfig()
 	initApplicationImages()
-	job.RegisterJobs()
-	initRouter()
-}
-
-func initRouter() {
-	switch common.EnvConfig.AppEnv {
-	case "production":
-		gin.SetMode(gin.ReleaseMode)
-	case "development":
-		gin.SetMode(gin.DebugMode)
-	case "test":
-		gin.SetMode(gin.TestMode)
-	}
-
-	r := gin.Default()
-
-	r.Use(gin.Logger())
-
-	r.Use(middleware.Cors())
-	r.Use(middleware.RateLimiter(rate.Every(time.Second), 60))
-
-	apiGroup := r.Group("/api")
-	handler.RegisterRoutes(apiGroup)
-	handler.RegisterOIDCRoutes(apiGroup)
-	handler.RegisterUserRoutes(apiGroup)
-	handler.RegisterConfigurationRoutes(apiGroup)
-	if common.EnvConfig.AppEnv != "production" {
-		handler.RegisterTestRoutes(apiGroup)
-	}
-
-	baseGroup := r.Group("/")
-	handler.RegisterWellKnownRoutes(baseGroup)
-
-	if err := r.Run(common.EnvConfig.Host + ":" + common.EnvConfig.Port); err != nil {
-		log.Fatal(err)
-	}
-
-}
-
-func initApplicationImages() {
-	dirPath := common.EnvConfig.UploadPath + "/application-images"
-
-	files, err := os.ReadDir(dirPath)
-	if err != nil && !os.IsNotExist(err) {
-		log.Fatalf("Error reading directory: %v", err)
-	}
-
-	// Skip if files already exist
-	if len(files) > 1 {
-		return
-	}
-
-	// Copy files from source to destination
-	err = utils.CopyDirectory("./images", dirPath)
-	if err != nil {
-		log.Fatalf("Error copying directory: %v", err)
-	}
+
+	db := newDatabase()
+	appConfigService := service.NewAppConfigService(db)
+
+	migrateKey()
+
+	initRouter(db, appConfigService)
 }

backend/internal/bootstrap/db_bootstrap.go

@@ -0,0 +1,124 @@
+package bootstrap
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"github.com/golang-migrate/migrate/v4"
+	"github.com/golang-migrate/migrate/v4/database"
+	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
+	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
+	"github.com/golang-migrate/migrate/v4/source/iofs"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/resources"
+	"gorm.io/driver/postgres"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+)
+
+func newDatabase() (db *gorm.DB) {
+	db, err := connectDatabase()
+	if err != nil {
+		log.Fatalf("failed to connect to database: %v", err)
+	}
+	sqlDb, err := db.DB()
+	if err != nil {
+		log.Fatalf("failed to get sql.DB: %v", err)
+	}
+
+	// Choose the correct driver for the database provider
+	var driver database.Driver
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{})
+	case common.DbProviderPostgres:
+		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
+	default:
+		log.Fatalf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+	}
+	if err != nil {
+		log.Fatalf("failed to create migration driver: %v", err)
+	}
+
+	// Run migrations
+	if err := migrateDatabase(driver); err != nil {
+		log.Fatalf("failed to run migrations: %v", err)
+	}
+
+	return db
+}
+
+func migrateDatabase(driver database.Driver) error {
+	// Use the embedded migrations
+	source, err := iofs.New(resources.FS, "migrations/"+string(common.EnvConfig.DbProvider))
+	if err != nil {
+		return fmt.Errorf("failed to create embedded migration source: %v", err)
+	}
+
+	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create migration instance: %v", err)
+	}
+
+	err = m.Up()
+	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply migrations: %v", err)
+	}
+
+	return nil
+}
+
+func connectDatabase() (db *gorm.DB, err error) {
+	var dialector gorm.Dialector
+
+	// Choose the correct database provider
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		dialector = sqlite.Open(common.EnvConfig.SqliteDBPath)
+	case common.DbProviderPostgres:
+		dialector = postgres.Open(common.EnvConfig.PostgresConnectionString)
+	default:
+		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+	}
+
+	for i := 1; i <= 3; i++ {
+		db, err = gorm.Open(dialector, &gorm.Config{
+			TranslateError: true,
+			Logger:         getLogger(),
+		})
+		if err == nil {
+			break
+		} else {
+			log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
+			time.Sleep(3 * time.Second)
+		}
+	}
+
+	return db, err
+}
+
+func getLogger() logger.Interface {
+	isProduction := common.EnvConfig.AppEnv == "production"
+
+	var logLevel logger.LogLevel
+	if isProduction {
+		logLevel = logger.Error
+	} else {
+		logLevel = logger.Info
+	}
+
+	return logger.New(
+		log.New(os.Stdout, "\r\n", log.LstdFlags),
+		logger.Config{
+			SlowThreshold:             200 * time.Millisecond,
+			LogLevel:                  logLevel,
+			IgnoreRecordNotFoundError: isProduction,
+			ParameterizedQueries:      isProduction,
+			Colorful:                  !isProduction,
+		},
+	)
+}

backend/internal/bootstrap/jwk_migration.go

@@ -0,0 +1,133 @@
+package bootstrap
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/lestrrat-go/jwx/v3/jwk"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	privateKeyFilePem = "jwt_private_key.pem"
+)
+
+func migrateKey() {
+	err := migrateKeyInternal(common.EnvConfig.KeysPath)
+	if err != nil {
+		log.Fatalf("failed to perform migration of keys: %v", err)
+	}
+}
+
+func migrateKeyInternal(basePath string) error {
+	// First, check if there's already a JWK stored
+	jwkPath := filepath.Join(basePath, service.PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		// There's already a key as JWK, so we don't do anything else here
+		return nil
+	}
+
+	// Check if there's a PEM file
+	pemPath := filepath.Join(basePath, privateKeyFilePem)
+	ok, err = utils.FileExists(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (PEM) exists at path '%s': %w", pemPath, err)
+	}
+	if !ok {
+		// No file to migrate, return
+		return nil
+	}
+
+	// Load and validate the key
+	key, err := loadKeyPEM(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to load private key file (PEM) at path '%s': %w", pemPath, err)
+	}
+	err = service.ValidateKey(key)
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+
+	// Save the key as JWK
+	err = service.SaveKeyJWK(key, jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	// Finally, delete the PEM file
+	err = os.Remove(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to remove migrated key at path '%s': %w", pemPath, err)
+	}
+
+	return nil
+}
+
+func loadKeyPEM(path string) (jwk.Key, error) {
+	// Load the key from disk and parse it
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data, jwk.WithPEM(true))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	// Populate the key ID using the "legacy" algorithm
+	keyId, err := generateKeyID(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	key.Set(jwk.KeyIDKey, keyId)
+
+	// Populate other required fields
+	_ = key.Set(jwk.KeyUsageKey, service.KeyUsageSigning)
+	service.EnsureAlgInKey(key)
+
+	return key, nil
+}
+
+// generateKeyID generates a Key ID for the public key using the first 8 bytes of the SHA-256 hash of the public key's PKIX-serialized structure.
+// This is used for legacy keys, imported from PEM.
+func generateKeyID(key jwk.Key) (string, error) {
+	// Export the public key and serialize it to PKIX (not in a PEM block)
+	// This is for backwards-compatibility with the algorithm used before the switch to JWK
+	pubKey, err := key.PublicKey()
+	if err != nil {
+		return "", fmt.Errorf("failed to get public key: %w", err)
+	}
+	var pubKeyRaw any
+	err = jwk.Export(pubKey, &pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export public key: %w", err)
+	}
+	pubASN1, err := x509.MarshalPKIXPublicKey(pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal public key: %w", err)
+	}
+
+	// Compute SHA-256 hash of the public key
+	hash := sha256.New()
+	hash.Write(pubASN1)
+	hashed := hash.Sum(nil)
+
+	// Truncate the hash to the first 8 bytes for a shorter Key ID
+	shortHash := hashed[:8]
+
+	// Return Base64 encoded truncated hash as Key ID
+	return base64.RawURLEncoding.EncodeToString(shortHash), nil
+}

backend/internal/bootstrap/jwk_migration_test.go

@@ -0,0 +1,190 @@
+package bootstrap
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func TestMigrateKey(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("no keys exist", func(t *testing.T) {
+		// Test when no keys exist
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+	})
+
+	t.Run("jwk already exists", func(t *testing.T) {
+		// Create a JWK file
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+		key, err := createTestRSAKey()
+		require.NoError(t, err)
+		err = service.SaveKeyJWK(key, jwkPath)
+		require.NoError(t, err)
+
+		// Run migration - should do nothing
+		err = migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check the file still exists
+		exists, err := utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Delete for next test
+		err = os.Remove(jwkPath)
+		require.NoError(t, err)
+	})
+
+	t.Run("migrate pem to jwk", func(t *testing.T) {
+		// Create a PEM file
+		pemPath := filepath.Join(tempDir, privateKeyFilePem)
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Run migration
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check PEM file is gone
+		exists, err := utils.FileExists(pemPath)
+		require.NoError(t, err)
+		assert.False(t, exists)
+
+		// Check JWK file exists
+		exists, err = utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Verify the JWK can be loaded
+		data, err := os.ReadFile(jwkPath)
+		require.NoError(t, err)
+
+		_, err = jwk.ParseKey(data)
+		require.NoError(t, err)
+	})
+}
+
+func TestLoadKeyPEM(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("successfully load PEM key", func(t *testing.T) {
+		pemPath := filepath.Join(tempDir, "test_key.pem")
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Load the key
+		key, err := loadKeyPEM(pemPath)
+		require.NoError(t, err)
+
+		// Verify key properties
+		assert.NotEmpty(t, key)
+
+		// Check key ID is set
+		var keyID string
+		err = key.Get(jwk.KeyIDKey, &keyID)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, keyID)
+
+		// Check algorithm is set
+		var alg jwa.SignatureAlgorithm
+		err = key.Get(jwk.AlgorithmKey, &alg)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, alg)
+
+		// Check key usage is set
+		var keyUsage string
+		err = key.Get(jwk.KeyUsageKey, &keyUsage)
+		assert.NoError(t, err)
+		assert.Equal(t, service.KeyUsageSigning, keyUsage)
+	})
+
+	t.Run("file not found", func(t *testing.T) {
+		key, err := loadKeyPEM(filepath.Join(tempDir, "nonexistent.pem"))
+		assert.Error(t, err)
+		assert.Nil(t, key)
+	})
+
+	t.Run("invalid file content", func(t *testing.T) {
+		invalidPath := filepath.Join(tempDir, "invalid.pem")
+		err := os.WriteFile(invalidPath, []byte("not a valid PEM"), 0600)
+		require.NoError(t, err)
+
+		key, err := loadKeyPEM(invalidPath)
+		assert.Error(t, err)
+		assert.Nil(t, key)
+	})
+}
+
+func TestGenerateKeyID(t *testing.T) {
+	key, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID, err := generateKeyID(key)
+	require.NoError(t, err)
+
+	// Key ID should be non-empty
+	assert.NotEmpty(t, keyID)
+
+	// Generate another key ID to prove it depends on the key
+	key2, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID2, err := generateKeyID(key2)
+	require.NoError(t, err)
+
+	// The two key IDs should be different
+	assert.NotEqual(t, keyID, keyID2)
+}
+
+// Helper functions
+
+func createTestRSAKey() (jwk.Key, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := jwk.Import(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return key, nil
+}
+
+// createRSAPrivateKeyPEM generates an RSA private key and returns its PEM-encoded form
+func createRSAPrivateKeyPEM(t *testing.T, pemPath string) ([]byte, *rsa.PrivateKey) {
+	// Generate RSA key
+	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	// Encode to PEM format
+	pemData := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privKey),
+	})
+
+	err = os.WriteFile(pemPath, pemData, 0600)
+	require.NoError(t, err)
+
+	return pemData, privKey
+}

backend/internal/bootstrap/router_bootstrap.go

@@ -0,0 +1,101 @@
+package bootstrap
+
+import (
+	"log"
+	"net"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
+	"golang.org/x/time/rate"
+	"gorm.io/gorm"
+)
+
+func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
+	// Set the appropriate Gin mode based on the environment
+	switch common.EnvConfig.AppEnv {
+	case "production":
+		gin.SetMode(gin.ReleaseMode)
+	case "development":
+		gin.SetMode(gin.DebugMode)
+	case "test":
+		gin.SetMode(gin.TestMode)
+	}
+
+	r := gin.Default()
+	r.Use(gin.Logger())
+
+	// Initialize services
+	emailService, err := service.NewEmailService(appConfigService, db)
+	if err != nil {
+		log.Fatalf("Unable to create email service: %s", err)
+	}
+
+	geoLiteService := service.NewGeoLiteService()
+	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
+	jwtService := service.NewJwtService(appConfigService)
+	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
+	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
+	customClaimService := service.NewCustomClaimService(db)
+	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
+	testService := service.NewTestService(db, appConfigService, jwtService)
+	userGroupService := service.NewUserGroupService(db, appConfigService)
+	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
+	apiKeyService := service.NewApiKeyService(db)
+
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
+
+	// Setup global middleware
+	r.Use(middleware.NewCorsMiddleware().Add())
+	r.Use(middleware.NewErrorHandlerMiddleware().Add())
+	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))
+
+	job.RegisterLdapJobs(ldapService, appConfigService)
+	job.RegisterDbCleanupJobs(db)
+
+	// Initialize middleware for specific routes
+	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, jwtService)
+	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
+
+	// Set up API routes
+	apiGroup := r.Group("/api")
+	controller.NewApiKeyController(apiGroup, authMiddleware, apiKeyService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, appConfigService, emailService, ldapService)
+	controller.NewAuditLogController(apiGroup, auditLogService, authMiddleware)
+	controller.NewUserGroupController(apiGroup, authMiddleware, userGroupService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, customClaimService)
+
+	// Add test controller in non-production environments
+	if common.EnvConfig.AppEnv != "production" {
+		controller.NewTestController(apiGroup, testService)
+	}
+
+	// Set up base routes
+	baseGroup := r.Group("/")
+	controller.NewWellKnownController(baseGroup, jwtService)
+
+	// Get the listener
+	l, err := net.Listen("tcp", common.EnvConfig.Host+":"+common.EnvConfig.Port)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Notify systemd that we are ready
+	if err := systemd.SdNotifyReady(); err != nil {
+		log.Println("Unable to notify systemd that the service is ready: ", err)
+		// continue to serve anyway since it's not that important
+	}
+
+	// Serve requests
+	if err := r.RunListener(l); err != nil {
+		log.Fatal(err)
+	}
+}

backend/internal/common/config.go

@@ -1,133 +0,0 @@
-package common
-
-import (
-	"github.com/caarlos0/env/v11"
-	_ "github.com/joho/godotenv/autoload"
-	"golang-rest-api-template/internal/model"
-	"log"
-	"reflect"
-)
-
-type EnvConfigSchema struct {
-	AppEnv     string `env:"APP_ENV"`
-	AppURL     string `env:"PUBLIC_APP_URL"`
-	DBPath     string `env:"DB_PATH"`
-	UploadPath string `env:"UPLOAD_PATH"`
-	Port       string `env:"BACKEND_PORT"`
-	Host       string `env:"HOST"`
-}
-
-var EnvConfig = &EnvConfigSchema{
-	AppEnv:     "production",
-	DBPath:     "data/pocket-id.db",
-	UploadPath: "data/uploads",
-	AppURL:     "http://localhost",
-	Port:       "8080",
-	Host:       "localhost",
-}
-
-var DbConfig = NewDefaultDbConfig()
-
-func NewDefaultDbConfig() model.ApplicationConfiguration {
-	return model.ApplicationConfiguration{
-		AppName: model.ApplicationConfigurationVariable{
-			Key:      "appName",
-			Type:     "string",
-			IsPublic: true,
-			Value:    "Pocket ID",
-		},
-		BackgroundImageType: model.ApplicationConfigurationVariable{
-			Key:        "backgroundImageType",
-			Type:       "string",
-			IsInternal: true,
-			Value:      "jpg",
-		},
-		LogoImageType: model.ApplicationConfigurationVariable{
-			Key:        "logoImageType",
-			Type:       "string",
-			IsInternal: true,
-			Value:      "svg",
-		},
-	}
-}
-
-// LoadDbConfigFromDb refreshes the database configuration by loading the current values
-// from the database and updating the DbConfig struct.
-func LoadDbConfigFromDb() error {
-	dbConfigReflectValue := reflect.ValueOf(&DbConfig).Elem()
-
-	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
-		dbConfigField := dbConfigReflectValue.Field(i)
-		currentConfigVar := dbConfigField.Interface().(model.ApplicationConfigurationVariable)
-		var storedConfigVar model.ApplicationConfigurationVariable
-		if err := DB.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
-			return err
-		}
-
-		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
-	}
-
-	return nil
-}
-
-// InitDbConfig creates the default configuration values in the database if they do not exist,
-// updates existing configurations if they differ from the default, and deletes any configurations
-// that are not in the default configuration.
-func InitDbConfig() {
-	// Reflect to get the underlying value of DbConfig and its default configuration
-	dbConfigReflectValue := reflect.ValueOf(&DbConfig).Elem()
-	defaultDbConfig := NewDefaultDbConfig()
-	defaultConfigReflectValue := reflect.ValueOf(&defaultDbConfig).Elem()
-	defaultKeys := make(map[string]struct{})
-
-	// Iterate over the fields of DbConfig
-	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
-		dbConfigField := dbConfigReflectValue.Field(i)
-		currentConfigVar := dbConfigField.Interface().(model.ApplicationConfigurationVariable)
-		defaultConfigVar := defaultConfigReflectValue.Field(i).Interface().(model.ApplicationConfigurationVariable)
-		defaultKeys[currentConfigVar.Key] = struct{}{}
-
-		var storedConfigVar model.ApplicationConfigurationVariable
-		if err := DB.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
-			// If the configuration does not exist, create it
-			if err := DB.Create(&defaultConfigVar).Error; err != nil {
-				log.Fatalf("Failed to create default configuration: %v", err)
-			}
-			dbConfigField.Set(reflect.ValueOf(defaultConfigVar))
-			continue
-		}
-
-		// Update existing configuration if it differs from the default
-		if storedConfigVar.Type != defaultConfigVar.Type || storedConfigVar.IsPublic != defaultConfigVar.IsPublic || storedConfigVar.IsInternal != defaultConfigVar.IsInternal {
-			storedConfigVar.Type = defaultConfigVar.Type
-			storedConfigVar.IsPublic = defaultConfigVar.IsPublic
-			storedConfigVar.IsInternal = defaultConfigVar.IsInternal
-			if err := DB.Save(&storedConfigVar).Error; err != nil {
-				log.Fatalf("Failed to update configuration: %v", err)
-			}
-		}
-
-		// Set the value in DbConfig
-		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
-	}
-
-	// Delete any configurations not in the default keys
-	var allConfigVars []model.ApplicationConfigurationVariable
-	if err := DB.Find(&allConfigVars).Error; err != nil {
-		log.Fatalf("Failed to retrieve existing configurations: %v", err)
-	}
-
-	for _, config := range allConfigVars {
-		if _, exists := defaultKeys[config.Key]; !exists {
-			if err := DB.Delete(&config).Error; err != nil {
-				log.Fatalf("Failed to delete outdated configuration: %v", err)
-			}
-		}
-	}
-}
-
-func init() {
-	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
-		log.Fatal(err)
-	}
-}

backend/internal/common/db.go

@@ -1,84 +0,0 @@
-package common
-
-import (
-	"errors"
-	"github.com/golang-migrate/migrate/v4"
-	"github.com/golang-migrate/migrate/v4/database/sqlite3"
-	"gorm.io/gorm/logger"
-	"log"
-	"os"
-	"time"
-
-	"gorm.io/driver/sqlite"
-	"gorm.io/gorm"
-)
-
-var DB *gorm.DB
-
-func InitDatabase() {
-	connectDatabase()
-	sqlDb, err := DB.DB()
-	if err != nil {
-		log.Fatal("failed to get sql db", err)
-	}
-	driver, err := sqlite3.WithInstance(sqlDb, &sqlite3.Config{})
-	m, err := migrate.NewWithDatabaseInstance(
-		"file://migrations",
-		"postgres", driver)
-	if err != nil {
-		log.Fatal("failed to create migration instance", err)
-	}
-
-	err = m.Up()
-	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
-		log.Fatal("failed to run migrations", err)
-	}
-}
-
-func connectDatabase() {
-	var database *gorm.DB
-	var err error
-
-	dbPath := EnvConfig.DBPath
-	if EnvConfig.AppEnv == "test" {
-		dbPath = "file::memory:?cache=shared"
-	}
-
-	for i := 1; i <= 3; i++ {
-		database, err = gorm.Open(sqlite.Open(dbPath), &gorm.Config{
-			TranslateError: true,
-			Logger:         getLogger(),
-		})
-		if err == nil {
-			break
-		} else {
-			log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
-			time.Sleep(3 * time.Second)
-		}
-	}
-
-	DB = database
-}
-
-func getLogger() logger.Interface {
-	isProduction := EnvConfig.AppEnv == "production"
-
-	var logLevel logger.LogLevel
-	if isProduction {
-		logLevel = logger.Error
-	} else {
-		logLevel = logger.Info
-	}
-
-	// Create the GORM logger
-	return logger.New(
-		log.New(os.Stdout, "\r\n", log.LstdFlags),
-		logger.Config{
-			SlowThreshold:             200 * time.Millisecond,
-			LogLevel:                  logLevel,
-			IgnoreRecordNotFoundError: isProduction,
-			ParameterizedQueries:      isProduction,
-			Colorful:                  !isProduction,
-		},
-	)
-}

backend/internal/common/env_config.go

@@ -0,0 +1,77 @@
+package common
+
+import (
+	"log"
+	"net/url"
+
+	"github.com/caarlos0/env/v11"
+	_ "github.com/joho/godotenv/autoload"
+)
+
+type DbProvider string
+
+const (
+	DbProviderSqlite      DbProvider = "sqlite"
+	DbProviderPostgres    DbProvider = "postgres"
+	MaxMindGeoLiteCityUrl string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
+)
+
+type EnvConfigSchema struct {
+	AppEnv                   string     `env:"APP_ENV"`
+	AppURL                   string     `env:"PUBLIC_APP_URL"`
+	DbProvider               DbProvider `env:"DB_PROVIDER"`
+	SqliteDBPath             string     `env:"SQLITE_DB_PATH"`
+	PostgresConnectionString string     `env:"POSTGRES_CONNECTION_STRING"`
+	UploadPath               string     `env:"UPLOAD_PATH"`
+	KeysPath                 string     `env:"KEYS_PATH"`
+	Port                     string     `env:"BACKEND_PORT"`
+	Host                     string     `env:"HOST"`
+	MaxMindLicenseKey        string     `env:"MAXMIND_LICENSE_KEY"`
+	GeoLiteDBPath            string     `env:"GEOLITE_DB_PATH"`
+	GeoLiteDBUrl             string     `env:"GEOLITE_DB_URL"`
+	UiConfigDisabled         bool       `env:"PUBLIC_UI_CONFIG_DISABLED"`
+}
+
+var EnvConfig = &EnvConfigSchema{
+	AppEnv:                   "production",
+	DbProvider:               "sqlite",
+	SqliteDBPath:             "data/pocket-id.db",
+	PostgresConnectionString: "",
+	UploadPath:               "data/uploads",
+	KeysPath:                 "data/keys",
+	AppURL:                   "http://localhost",
+	Port:                     "8080",
+	Host:                     "0.0.0.0",
+	MaxMindLicenseKey:        "",
+	GeoLiteDBPath:            "data/GeoLite2-City.mmdb",
+	GeoLiteDBUrl:             MaxMindGeoLiteCityUrl,
+	UiConfigDisabled:         false,
+}
+
+func init() {
+	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
+		log.Fatal(err)
+	}
+
+	// Validate the environment variables
+	switch EnvConfig.DbProvider {
+	case DbProviderSqlite:
+		if EnvConfig.SqliteDBPath == "" {
+			log.Fatal("Missing SQLITE_DB_PATH environment variable")
+		}
+	case DbProviderPostgres:
+		if EnvConfig.PostgresConnectionString == "" {
+			log.Fatal("Missing POSTGRES_CONNECTION_STRING environment variable")
+		}
+	default:
+		log.Fatal("Invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
+	}
+
+	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
+	if err != nil {
+		log.Fatal("PUBLIC_APP_URL is not a valid URL")
+	}
+	if parsedAppUrl.Path != "" {
+		log.Fatal("PUBLIC_APP_URL must not contain a path")
+	}
+}

backend/internal/common/errors.go

@@ -0,0 +1,287 @@
+package common
+
+import (
+	"fmt"
+	"net/http"
+)
+
+type AppError interface {
+	error
+	HttpStatusCode() int
+}
+
+// Custom error types for various conditions
+
+type AlreadyInUseError struct {
+	Property string
+}
+
+func (e *AlreadyInUseError) Error() string {
+	return fmt.Sprintf("%s is already in use", e.Property)
+}
+func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
+
+type SetupAlreadyCompletedError struct{}
+
+func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
+func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidOrExpiredError struct{}
+
+func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
+func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidError struct{}
+
+func (e *TokenInvalidError) Error() string {
+	return "Token is invalid"
+}
+func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcMissingAuthorizationError struct{}
+
+func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
+func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcGrantTypeNotSupportedError struct{}
+
+func (e *OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
+func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type OidcMissingClientCredentialsError struct{}
+
+func (e *OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
+func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 }
+
+type OidcClientSecretInvalidError struct{}
+
+func (e *OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
+func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidAuthorizationCodeError struct{}
+
+func (e *OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
+func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidCallbackURLError struct{}
+
+func (e *OidcInvalidCallbackURLError) Error() string {
+	return "invalid callback URL, it might be necessary for an admin to fix this"
+}
+func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
+
+type FileTypeNotSupportedError struct{}
+
+func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
+func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type InvalidCredentialsError struct{}
+
+func (e *InvalidCredentialsError) Error() string       { return "no user found with provided credentials" }
+func (e *InvalidCredentialsError) HttpStatusCode() int { return 400 }
+
+type FileTooLargeError struct {
+	MaxSize string
+}
+
+func (e *FileTooLargeError) Error() string {
+	return fmt.Sprintf("The file can't be larger than %s", e.MaxSize)
+}
+func (e *FileTooLargeError) HttpStatusCode() int { return http.StatusRequestEntityTooLarge }
+
+type NotSignedInError struct{}
+
+func (e *NotSignedInError) Error() string       { return "You are not signed in" }
+func (e *NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingAccessToken struct{}
+
+func (e *MissingAccessToken) Error() string       { return "Missing access token" }
+func (e *MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingPermissionError struct{}
+
+func (e *MissingPermissionError) Error() string {
+	return "You don't have permission to perform this action"
+}
+func (e *MissingPermissionError) HttpStatusCode() int { return http.StatusForbidden }
+
+type TooManyRequestsError struct{}
+
+func (e *TooManyRequestsError) Error() string {
+	return "Too many requests"
+}
+func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
+
+type ClientIdOrSecretNotProvidedError struct{}
+
+func (e *ClientIdOrSecretNotProvidedError) Error() string {
+	return "Client id or secret not provided"
+}
+func (e *ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type WrongFileTypeError struct {
+	ExpectedFileType string
+}
+
+func (e *WrongFileTypeError) Error() string {
+	return fmt.Sprintf("File must be of type %s", e.ExpectedFileType)
+}
+func (e *WrongFileTypeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type MissingSessionIdError struct{}
+
+func (e *MissingSessionIdError) Error() string {
+	return "Missing session id"
+}
+func (e *MissingSessionIdError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type ReservedClaimError struct {
+	Key string
+}
+
+func (e *ReservedClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is reserved and can't be used", e.Key)
+}
+func (e *ReservedClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type DuplicateClaimError struct {
+	Key string
+}
+
+func (e *DuplicateClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is already defined", e.Key)
+}
+func (e *DuplicateClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type AccountEditNotAllowedError struct{}
+
+func (e *AccountEditNotAllowedError) Error() string {
+	return "You are not allowed to edit your account"
+}
+func (e *AccountEditNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcInvalidCodeVerifierError struct{}
+
+func (e *OidcInvalidCodeVerifierError) Error() string {
+	return "Invalid code verifier"
+}
+func (e *OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcMissingCodeChallengeError struct{}
+
+func (e *OidcMissingCodeChallengeError) Error() string {
+	return "Missing code challenge"
+}
+func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type LdapUserUpdateError struct{}
+
+func (e *LdapUserUpdateError) Error() string {
+	return "LDAP users can't be updated"
+}
+func (e *LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type LdapUserGroupUpdateError struct{}
+
+func (e *LdapUserGroupUpdateError) Error() string {
+	return "LDAP user groups can't be updated"
+}
+func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcClientIdNotMatchingError struct{}
+
+func (e *OidcClientIdNotMatchingError) Error() string {
+	return "Client id in request doesn't match client id in token"
+}
+func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcNoCallbackURLError struct{}
+
+func (e *OidcNoCallbackURLError) Error() string {
+	return "No callback URL provided"
+}
+func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UiConfigDisabledError struct{}
+
+func (e *UiConfigDisabledError) Error() string {
+	return "The configuration can't be changed since the UI configuration is disabled"
+}
+func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+
+type InvalidUUIDError struct{}
+
+func (e *InvalidUUIDError) Error() string {
+	return "Invalid UUID"
+}
+
+type InvalidEmailError struct{}
+
+type OneTimeAccessDisabledError struct{}
+
+func (e *OneTimeAccessDisabledError) Error() string {
+	return "One-time access is disabled"
+}
+func (e *OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type InvalidAPIKeyError struct{}
+
+func (e *InvalidAPIKeyError) Error() string {
+	return "Invalid Api Key"
+}
+
+type NoAPIKeyProvidedError struct{}
+
+func (e *NoAPIKeyProvidedError) Error() string {
+	return "No API Key Provided"
+}
+
+type APIKeyNotFoundError struct{}
+
+func (e *APIKeyNotFoundError) Error() string {
+	return "API Key Not Found"
+}
+
+type APIKeyExpirationDateError struct{}
+
+func (e *APIKeyExpirationDateError) Error() string {
+	return "API Key expiration time must be in the future"
+}
+
+type OidcInvalidRefreshTokenError struct{}
+
+func (e *OidcInvalidRefreshTokenError) Error() string {
+	return "refresh token is invalid or expired"
+}
+
+func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingRefreshTokenError struct{}
+
+func (e *OidcMissingRefreshTokenError) Error() string {
+	return "refresh token is required"
+}
+
+func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingAuthorizationCodeError struct{}
+
+func (e *OidcMissingAuthorizationCodeError) Error() string {
+	return "authorization code is required"
+}
+
+func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}

backend/internal/common/jwt.go

@@ -1,207 +0,0 @@
-package common
-
-import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"errors"
-	"github.com/golang-jwt/jwt/v5"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"log"
-	"math/big"
-	"os"
-	"path/filepath"
-	"slices"
-	"strings"
-	"time"
-)
-
-var (
-	PrivateKey *rsa.PrivateKey
-	PublicKey  *rsa.PublicKey
-)
-
-const (
-	privateKeyPath = "data/keys/jwt_private_key.pem"
-	publicKeyPath  = "data/keys/jwt_public_key.pem"
-)
-
-type accessTokenJWTClaims struct {
-	jwt.RegisteredClaims
-	IsAdmin bool `json:"isAdmin,omitempty"`
-}
-
-// GenerateIDToken generates an ID token for the given user, clientID, scope and nonce.
-func GenerateIDToken(user model.User, clientID string, scope string, nonce string) (tokenString string, err error) {
-	profileClaims := map[string]interface{}{
-		"given_name":         user.FirstName,
-		"family_name":        user.LastName,
-		"email":              user.Email,
-		"preferred_username": user.Username,
-	}
-
-	claims := jwt.MapClaims{
-		"sub": user.ID,
-		"aud": clientID,
-		"exp": jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		"iat": jwt.NewNumericDate(time.Now()),
-	}
-
-	if nonce != "" {
-		claims["nonce"] = nonce
-	}
-	if strings.Contains(scope, "profile") {
-		for k, v := range profileClaims {
-			claims[k] = v
-		}
-	}
-	if strings.Contains(scope, "email") {
-		claims["email"] = user.Email
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	signedToken, err := token.SignedString(PrivateKey)
-	if err != nil {
-		return "", err
-	}
-
-	return signedToken, nil
-}
-
-// GenerateAccessToken generates an access token for the given user.
-func GenerateAccessToken(user model.User) (tokenString string, err error) {
-	claim := accessTokenJWTClaims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   user.ID,
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			Audience:  jwt.ClaimStrings{utils.GetHostFromURL(EnvConfig.AppURL)},
-		},
-		IsAdmin: user.IsAdmin,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
-	tokenString, err = token.SignedString(PrivateKey)
-	return tokenString, err
-}
-
-// VerifyAccessToken verifies the given access token and returns the claims if the token is valid.
-func VerifyAccessToken(tokenString string) (*accessTokenJWTClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &accessTokenJWTClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return PublicKey, nil
-	})
-	if err != nil || !token.Valid {
-		return nil, errors.New("couldn't handle this token")
-	}
-
-	claims, isValid := token.Claims.(*accessTokenJWTClaims)
-	if !isValid {
-		return nil, errors.New("can't parse claims")
-	}
-
-	if !slices.Contains(claims.Audience, utils.GetHostFromURL(EnvConfig.AppURL)) {
-		return nil, errors.New("audience doesn't match")
-	}
-	return claims, nil
-}
-
-type JWK struct {
-	Kty string `json:"kty"`
-	Use string `json:"use"`
-	Kid string `json:"kid"`
-	Alg string `json:"alg"`
-	N   string `json:"n"`
-	E   string `json:"e"`
-}
-
-// GetJWK returns the JSON Web Key (JWK) for the public key.
-func GetJWK() (JWK, error) {
-	if PublicKey == nil {
-		return JWK{}, errors.New("public key is not initialized")
-	}
-
-	// Create JWK from RSA public key
-	jwk := JWK{
-		Kty: "RSA",
-		Use: "sig",
-		Kid: "1", // Key ID can be set to any identifier. Here it's statically set to "1"
-		Alg: "RS256",
-		N:   base64.RawURLEncoding.EncodeToString(PublicKey.N.Bytes()),
-		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(PublicKey.E)).Bytes()),
-	}
-
-	return jwk, nil
-}
-
-// generateKeys generates a new RSA key pair and saves the private and public keys to the data folder.
-func generateKeys() {
-	if err := os.MkdirAll(filepath.Dir(privateKeyPath), 0700); err != nil {
-		log.Fatal("Failed to create directories for keys", err)
-	}
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		log.Fatal("Failed to generate private key", err)
-	}
-
-	privateKeyFile, err := os.Create(privateKeyPath)
-	if err != nil {
-		log.Fatal("Failed to create private key file", err)
-	}
-	defer privateKeyFile.Close()
-
-	privateKeyPEM := pem.EncodeToMemory(
-		&pem.Block{
-			Type:  "RSA PRIVATE KEY",
-			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
-		},
-	)
-	_, err = privateKeyFile.Write(privateKeyPEM)
-	if err != nil {
-		log.Fatal("Failed to write private key file", err)
-	}
-
-	publicKey := &privateKey.PublicKey
-	publicKeyFile, err := os.Create(publicKeyPath)
-	if err != nil {
-		log.Fatal("Failed to create public key file", err)
-	}
-	defer publicKeyFile.Close()
-
-	publicKeyPEM := pem.EncodeToMemory(
-		&pem.Block{
-			Type:  "RSA PUBLIC KEY",
-			Bytes: x509.MarshalPKCS1PublicKey(publicKey),
-		},
-	)
-	_, err = publicKeyFile.Write(publicKeyPEM)
-	if err != nil {
-		log.Fatal("Failed to write public key file", err)
-	}
-}
-
-func init() {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		generateKeys()
-	}
-
-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
-	if err != nil {
-		log.Fatal("Can't read jwt private key", err)
-	}
-	PrivateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		log.Fatal("Can't parse jwt private key", err)
-	}
-
-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
-	if err != nil {
-		log.Fatal("Can't read jwt public key", err)
-	}
-	PublicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
-	if err != nil {
-		log.Fatal("Can't parse jwt public key", err)
-	}
-}

backend/internal/common/middleware/cors.go

@@ -1,18 +0,0 @@
-package middleware
-
-import (
-	"golang-rest-api-template/internal/common"
-	"time"
-
-	"github.com/gin-contrib/cors"
-	"github.com/gin-gonic/gin"
-)
-
-func Cors() gin.HandlerFunc {
-	return cors.New(cors.Config{
-		AllowOrigins: []string{common.EnvConfig.AppURL},
-		AllowMethods: []string{"*"},
-		AllowHeaders: []string{"*"},
-		MaxAge:       12 * time.Hour,
-	})
-}

backend/internal/common/middleware/jwt_auth.go

@@ -1,47 +0,0 @@
-package middleware
-
-import (
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/utils"
-	"net/http"
-	"strings"
-)
-
-func JWTAuth(adminOnly bool) gin.HandlerFunc {
-	return func(c *gin.Context) {
-
-		// Extract the token from the cookie or the Authorization header
-		token, err := c.Cookie("access_token")
-		if err != nil {
-			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
-			if len(authorizationHeaderSplitted) == 2 {
-				token = authorizationHeaderSplitted[1]
-			} else {
-				utils.HandlerError(c, http.StatusUnauthorized, "You're not signed in")
-				c.Abort()
-				return
-			}
-
-		}
-
-		// Verify the token
-		claims, err := common.VerifyAccessToken(token)
-		if err != nil {
-			utils.HandlerError(c, http.StatusUnauthorized, "You're not signed in")
-			c.Abort()
-			return
-		}
-
-		// Check if the user is an admin
-		if adminOnly && !claims.IsAdmin {
-			utils.HandlerError(c, http.StatusForbidden, "You don't have permission to access this resource")
-			c.Abort()
-			return
-		}
-
-		c.Set("userID", claims.Subject)
-		c.Set("userIsAdmin", claims.IsAdmin)
-		c.Next()
-	}
-}

backend/internal/common/webauthn.go

@@ -1,37 +0,0 @@
-package common
-
-import (
-	"github.com/go-webauthn/webauthn/webauthn"
-	"golang-rest-api-template/internal/utils"
-	"log"
-	"time"
-)
-
-var (
-	WebAuthn *webauthn.WebAuthn
-	err      error
-)
-
-func init() {
-	config := &webauthn.Config{
-		RPDisplayName: DbConfig.AppName.Value,
-		RPID:          utils.GetHostFromURL(EnvConfig.AppURL),
-		RPOrigins:     []string{EnvConfig.AppURL},
-		Timeouts: webauthn.TimeoutsConfig{
-			Login: webauthn.TimeoutConfig{
-				Enforce:    true,
-				Timeout:    time.Second * 60,
-				TimeoutUVD: time.Second * 60,
-			},
-			Registration: webauthn.TimeoutConfig{
-				Enforce:    true,
-				Timeout:    time.Second * 60,
-				TimeoutUVD: time.Second * 60,
-			},
-		},
-	}
-
-	if WebAuthn, err = webauthn.New(config); err != nil {
-		log.Fatal(err)
-	}
-}

backend/internal/controller/api_key_controller.go

@@ -0,0 +1,125 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// swag init -g cmd/main.go -o ./docs/swagger --parseDependency
+
+// ApiKeyController manages API keys for authenticated users
+type ApiKeyController struct {
+	apiKeyService *service.ApiKeyService
+}
+
+// NewApiKeyController creates a new controller for API key management
+// @Summary API key management controller
+// @Description Initializes API endpoints for managing API keys
+// @Tags API Keys
+func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, apiKeyService *service.ApiKeyService) {
+	uc := &ApiKeyController{apiKeyService: apiKeyService}
+
+	apiKeyGroup := group.Group("/api-keys")
+	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
+	{
+		apiKeyGroup.GET("", uc.listApiKeysHandler)
+		apiKeyGroup.POST("", uc.createApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+	}
+}
+
+// listApiKeysHandler godoc
+// @Summary List API keys
+// @Description Get a paginated list of API keys belonging to the current user
+// @Tags API Keys
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.ApiKeyDto]
+// @Router /api/api-keys [get]
+func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := ctx.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(userID, sortedPaginationRequest)
+	if err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	var apiKeysDto []dto.ApiKeyDto
+	if err := dto.MapStructList(apiKeys, &apiKeysDto); err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, dto.Paginated[dto.ApiKeyDto]{
+		Data:       apiKeysDto,
+		Pagination: pagination,
+	})
+}
+
+// createApiKeyHandler godoc
+// @Summary Create API key
+// @Description Create a new API key for the current user
+// @Tags API Keys
+// @Param api_key body dto.ApiKeyCreateDto true "API key information"
+// @Success 201 {object} dto.ApiKeyResponseDto "Created API key with token"
+// @Router /api/api-keys [post]
+func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var input dto.ApiKeyCreateDto
+	if err := ctx.ShouldBindJSON(&input); err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	apiKey, token, err := c.apiKeyService.CreateApiKey(userID, input)
+	if err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	var apiKeyDto dto.ApiKeyDto
+	if err := dto.MapStruct(apiKey, &apiKeyDto); err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusCreated, dto.ApiKeyResponseDto{
+		ApiKey: apiKeyDto,
+		Token:  token,
+	})
+}
+
+// revokeApiKeyHandler godoc
+// @Summary Revoke API key
+// @Description Revoke (delete) an existing API key by ID
+// @Tags API Keys
+// @Param id path string true "API Key ID"
+// @Success 204 "No Content"
+// @Router /api/api-keys/{id} [delete]
+func (c *ApiKeyController) revokeApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+	apiKeyID := ctx.Param("id")
+
+	if err := c.apiKeyService.RevokeApiKey(userID, apiKeyID); err != nil {
+		ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}

backend/internal/controller/app_config_controller.go

@@ -0,0 +1,313 @@
+package controller
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewAppConfigController creates a new controller for application configuration endpoints
+// @Summary Create a new application configuration controller
+// @Description Initialize routes for application configuration
+// @Tags Application Configuration
+func NewAppConfigController(
+	group *gin.RouterGroup,
+	authMiddleware *middleware.AuthMiddleware,
+	appConfigService *service.AppConfigService,
+	emailService *service.EmailService,
+	ldapService *service.LdapService,
+) {
+
+	acc := &AppConfigController{
+		appConfigService: appConfigService,
+		emailService:     emailService,
+		ldapService:      ldapService,
+	}
+	group.GET("/application-configuration", acc.listAppConfigHandler)
+	group.GET("/application-configuration/all", authMiddleware.Add(), acc.listAllAppConfigHandler)
+	group.PUT("/application-configuration", authMiddleware.Add(), acc.updateAppConfigHandler)
+
+	group.GET("/application-configuration/logo", acc.getLogoHandler)
+	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
+	group.GET("/application-configuration/favicon", acc.getFaviconHandler)
+	group.PUT("/application-configuration/logo", authMiddleware.Add(), acc.updateLogoHandler)
+	group.PUT("/application-configuration/favicon", authMiddleware.Add(), acc.updateFaviconHandler)
+	group.PUT("/application-configuration/background-image", authMiddleware.Add(), acc.updateBackgroundImageHandler)
+
+	group.POST("/application-configuration/test-email", authMiddleware.Add(), acc.testEmailHandler)
+	group.POST("/application-configuration/sync-ldap", authMiddleware.Add(), acc.syncLdapHandler)
+}
+
+type AppConfigController struct {
+	appConfigService *service.AppConfigService
+	emailService     *service.EmailService
+	ldapService      *service.LdapService
+}
+
+// listAppConfigHandler godoc
+// @Summary List public application configurations
+// @Description Get all public application configurations
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.PublicAppConfigVariableDto
+// @Failure 500 {object} object "{"error": "error message"}"
+// @Router /application-configuration [get]
+func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListAppConfig(false)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var configVariablesDto []dto.PublicAppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(200, configVariablesDto)
+}
+
+// listAllAppConfigHandler godoc
+// @Summary List all application configurations
+// @Description Get all application configurations including private ones
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /application-configuration/all [get]
+func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListAppConfig(true)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(200, configVariablesDto)
+}
+
+// updateAppConfigHandler godoc
+// @Summary Update application configurations
+// @Description Update application configuration settings
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Param body body dto.AppConfigUpdateDto true "Application Configuration"
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /api/application-configuration [put]
+func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
+	var input dto.AppConfigUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// getLogoHandler godoc
+// @Summary Get logo image
+// @Description Get the logo image for the application
+// @Tags Application Configuration
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Success 200 {file} binary "Logo image"
+// @Router /api/application-configuration/logo [get]
+func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
+	lightLogo := c.DefaultQuery("light", "true") == "true"
+
+	var imageName string
+	var imageType string
+
+	if lightLogo {
+		imageName = "logoLight"
+		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+	} else {
+		imageName = "logoDark"
+		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+	}
+
+	acc.getImage(c, imageName, imageType)
+}
+
+// getFaviconHandler godoc
+// @Summary Get favicon
+// @Description Get the favicon for the application
+// @Tags Application Configuration
+// @Produce image/x-icon
+// @Success 200 {file} binary "Favicon image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/favicon [get]
+func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
+	acc.getImage(c, "favicon", "ico")
+}
+
+// getBackgroundImageHandler godoc
+// @Summary Get background image
+// @Description Get the background image for the application
+// @Tags Application Configuration
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Background image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/background-image [get]
+func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	acc.getImage(c, "background", imageType)
+}
+
+// updateLogoHandler godoc
+// @Summary Update logo
+// @Description Update the application logo
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Param file formData file true "Logo image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/logo [put]
+func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
+	lightLogo := c.DefaultQuery("light", "true") == "true"
+
+	var imageName string
+	var imageType string
+
+	if lightLogo {
+		imageName = "logoLight"
+		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+	} else {
+		imageName = "logoDark"
+		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+	}
+
+	acc.updateImage(c, imageName, imageType)
+}
+
+// updateFaviconHandler godoc
+// @Summary Update favicon
+// @Description Update the application favicon
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Favicon file (.ico)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/favicon [put]
+func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	fileType := utils.GetFileExtension(file.Filename)
+	if fileType != "ico" {
+		c.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
+		return
+	}
+	acc.updateImage(c, "favicon", "ico")
+}
+
+// updateBackgroundImageHandler godoc
+// @Summary Update background image
+// @Description Update the application background image
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Background image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/background-image [put]
+func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	acc.updateImage(c, "background", imageType)
+}
+
+// getImage is a helper function to serve image files
+func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
+	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
+	mimeType := utils.GetImageMimeType(imageType)
+
+	c.Header("Content-Type", mimeType)
+	c.File(imagePath)
+}
+
+// updateImage is a helper function to update image files
+func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, oldImageType string) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// syncLdapHandler godoc
+// @Summary Synchronize LDAP
+// @Description Manually trigger LDAP synchronization
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/sync-ldap [post]
+func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
+	err := acc.ldapService.SyncAll()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// testEmailHandler godoc
+// @Summary Send test email
+// @Description Send a test email to verify email configuration
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/test-email [post]
+func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	err := acc.emailService.SendTestEmail(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/audit_log_controller.go

@@ -0,0 +1,74 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// NewAuditLogController creates a new controller for audit log management
+// @Summary Audit log controller
+// @Description Initializes API endpoints for accessing audit logs
+// @Tags Audit Logs
+func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, authMiddleware *middleware.AuthMiddleware) {
+	alc := AuditLogController{
+		auditLogService: auditLogService,
+	}
+
+	group.GET("/audit-logs", authMiddleware.WithAdminNotRequired().Add(), alc.listAuditLogsForUserHandler)
+}
+
+type AuditLogController struct {
+	auditLogService *service.AuditLogService
+}
+
+// listAuditLogsForUserHandler godoc
+// @Summary List audit logs
+// @Description Get a paginated list of audit logs for the current user
+// @Tags Audit Logs
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs [get]
+func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
+
+	userID := c.GetString("userID")
+
+	// Fetch audit logs for the user
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, sortedPaginationRequest)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	// Map the audit logs to DTOs
+	var logsDtos []dto.AuditLogDto
+	err = dto.MapStructList(logs, &logsDtos)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	// Add device information to the logs
+	for i, logsDto := range logsDtos {
+		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDtos[i] = logsDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
+	})
+}

backend/internal/controller/custom_claim_controller.go

@@ -0,0 +1,120 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// NewCustomClaimController creates a new controller for custom claim management
+// @Summary Custom claim management controller
+// @Description Initializes all custom claim-related API endpoints
+// @Tags Custom Claims
+func NewCustomClaimController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, customClaimService *service.CustomClaimService) {
+	wkc := &CustomClaimController{customClaimService: customClaimService}
+
+	customClaimsGroup := group.Group("/custom-claims")
+	customClaimsGroup.Use(authMiddleware.Add())
+	{
+		customClaimsGroup.GET("/suggestions", wkc.getSuggestionsHandler)
+		customClaimsGroup.PUT("/user/:userId", wkc.UpdateCustomClaimsForUserHandler)
+		customClaimsGroup.PUT("/user-group/:userGroupId", wkc.UpdateCustomClaimsForUserGroupHandler)
+	}
+}
+
+type CustomClaimController struct {
+	customClaimService *service.CustomClaimService
+}
+
+// getSuggestionsHandler godoc
+// @Summary Get custom claim suggestions
+// @Description Get a list of suggested custom claim names
+// @Tags Custom Claims
+// @Produce json
+// @Success 200 {array} string "List of suggested custom claim names"
+// @Failure 401 {object} object "Unauthorized"
+// @Failure 403 {object} object "Forbidden"
+// @Failure 500 {object} object "Internal server error"
+// @Security BearerAuth
+// @Router /api/custom-claims/suggestions [get]
+func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
+	claims, err := ccc.customClaimService.GetSuggestions()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, claims)
+}
+
+// UpdateCustomClaimsForUserHandler godoc
+// @Summary Update custom claims for a user
+// @Description Update or create custom claims for a specific user
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userId path string true "User ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Router /api/custom-claims/user/{userId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	userId := c.Param("userId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(userId, input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}
+
+// UpdateCustomClaimsForUserGroupHandler godoc
+// @Summary Update custom claims for a user group
+// @Description Update or create custom claims for a specific user group
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userGroupId path string true "User Group ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user group"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Security BearerAuth
+// @Router /api/custom-claims/user-group/{userGroupId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	userGroupId := c.Param("userGroupId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(userGroupId, input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}

backend/internal/controller/oidc_controller.go

@@ -0,0 +1,588 @@
+package controller
+
+import (
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewOidcController creates a new controller for OIDC related endpoints
+// @Summary OIDC controller
+// @Description Initializes all OIDC-related API endpoints for authentication and client management
+// @Tags OIDC
+func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
+	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}
+
+	group.POST("/oidc/authorize", authMiddleware.WithAdminNotRequired().Add(), oc.authorizeHandler)
+	group.POST("/oidc/authorization-required", authMiddleware.WithAdminNotRequired().Add(), oc.authorizationConfirmationRequiredHandler)
+
+	group.POST("/oidc/token", oc.createTokensHandler)
+	group.GET("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.GET("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+
+	group.GET("/oidc/clients", authMiddleware.Add(), oc.listClientsHandler)
+	group.POST("/oidc/clients", authMiddleware.Add(), oc.createClientHandler)
+	group.GET("/oidc/clients/:id", authMiddleware.Add(), oc.getClientHandler)
+	group.GET("/oidc/clients/:id/meta", oc.getClientMetaDataHandler)
+	group.PUT("/oidc/clients/:id", authMiddleware.Add(), oc.updateClientHandler)
+	group.DELETE("/oidc/clients/:id", authMiddleware.Add(), oc.deleteClientHandler)
+
+	group.PUT("/oidc/clients/:id/allowed-user-groups", authMiddleware.Add(), oc.updateAllowedUserGroupsHandler)
+	group.POST("/oidc/clients/:id/secret", authMiddleware.Add(), oc.createClientSecretHandler)
+
+	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
+	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
+	group.POST("/oidc/clients/:id/logo", authMiddleware.Add(), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
+}
+
+type OidcController struct {
+	oidcService *service.OidcService
+	jwtService  *service.JwtService
+}
+
+// authorizeHandler godoc
+// @Summary Authorize OIDC client
+// @Description Start the OIDC authorization process for a client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizeOidcClientRequestDto true "Authorization request parameters"
+// @Success 200 {object} dto.AuthorizeOidcClientResponseDto "Authorization code and callback URL"
+// @Security BearerAuth
+// @Router /api/oidc/authorize [post]
+func (oc *OidcController) authorizeHandler(c *gin.Context) {
+	var input dto.AuthorizeOidcClientRequestDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	code, callbackURL, err := oc.oidcService.Authorize(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	response := dto.AuthorizeOidcClientResponseDto{
+		Code:        code,
+		CallbackURL: callbackURL,
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// authorizationConfirmationRequiredHandler godoc
+// @Summary Check if authorization confirmation is required
+// @Description Check if the user needs to confirm authorization for the client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizationRequiredDto true "Authorization check parameters"
+// @Success 200 {object} object "{ \"authorizationRequired\": true/false }"
+// @Security BearerAuth
+// @Router /api/oidc/authorization-required [post]
+func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Context) {
+	var input dto.AuthorizationRequiredDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(input.ClientID, c.GetString("userID"), input.Scope)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"authorizationRequired": !hasAuthorizedClient})
+}
+
+// createTokensHandler godoc
+// @Summary Create OIDC tokens
+// @Description Exchange authorization code or refresh token for access tokens
+// @Tags OIDC
+// @Produce json
+// @Param client_id formData string false "Client ID (if not using Basic Auth)"
+// @Param client_secret formData string false "Client secret (if not using Basic Auth)"
+// @Param code formData string false "Authorization code (required for 'authorization_code' grant)"
+// @Param grant_type formData string true "Grant type ('authorization_code' or 'refresh_token')"
+// @Param code_verifier formData string false "PKCE code verifier (for authorization_code with PKCE)"
+// @Param refresh_token formData string false "Refresh token (required for 'refresh_token' grant)"
+// @Success 200 {object} dto.OidcTokenResponseDto "Token response with access_token and optional id_token and refresh_token"
+// @Router /api/oidc/token [post]
+func (oc *OidcController) createTokensHandler(c *gin.Context) {
+	// Disable cors for this endpoint
+	c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+
+	var input dto.OidcCreateTokensDto
+	if err := c.ShouldBind(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	// Validate that code is provided for authorization_code grant type
+	if input.GrantType == "authorization_code" && input.Code == "" {
+		c.Error(&common.OidcMissingAuthorizationCodeError{})
+		return
+	}
+
+	// Validate that refresh_token is provided for refresh_token grant type
+	if input.GrantType == "refresh_token" && input.RefreshToken == "" {
+		c.Error(&common.OidcMissingRefreshTokenError{})
+		return
+	}
+
+	clientID := input.ClientID
+	clientSecret := input.ClientSecret
+
+	// Client id and secret can also be passed over the Authorization header
+	if clientID == "" && clientSecret == "" {
+		clientID, clientSecret, _ = c.Request.BasicAuth()
+	}
+
+	idToken, accessToken, refreshToken, expiresIn, err := oc.oidcService.CreateTokens(
+		input.Code,
+		input.GrantType,
+		clientID,
+		clientSecret,
+		input.CodeVerifier,
+		input.RefreshToken,
+	)
+
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	response := dto.OidcTokenResponseDto{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		ExpiresIn:   expiresIn,
+	}
+
+	// Include ID token only for authorization_code grant
+	if idToken != "" {
+		response.IdToken = idToken
+	}
+
+	// Include refresh token if generated
+	if refreshToken != "" {
+		response.RefreshToken = refreshToken
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// userInfoHandler godoc
+// @Summary Get user information
+// @Description Get user information based on the access token
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Success 200 {object} object "User claims based on requested scopes"
+// @Security OAuth2AccessToken
+// @Router /api/oidc/userinfo [get]
+func (oc *OidcController) userInfoHandler(c *gin.Context) {
+	authHeaderSplit := strings.Split(c.GetHeader("Authorization"), " ")
+	if len(authHeaderSplit) != 2 {
+		c.Error(&common.MissingAccessToken{})
+		return
+	}
+
+	token := authHeaderSplit[1]
+
+	jwtClaims, err := oc.jwtService.VerifyOauthAccessToken(token)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	userID := jwtClaims.Subject
+	clientId := jwtClaims.Audience[0]
+	claims, err := oc.oidcService.GetUserClaimsForClient(userID, clientId)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, claims)
+}
+
+// userInfoHandler godoc (POST method)
+// @Summary Get user information (POST method)
+// @Description Get user information based on the access token using POST
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Success 200 {object} object "User claims based on requested scopes"
+// @Security OAuth2AccessToken
+// @Router /api/oidc/userinfo [post]
+func (oc *OidcController) userInfoHandlerPost(c *gin.Context) {
+	// Implementation is the same as GET
+}
+
+// EndSessionHandler godoc
+// @Summary End OIDC session
+// @Description End user session and handle OIDC logout
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint query string false "ID token"
+// @Param post_logout_redirect_uri query string false "URL to redirect to after logout"
+// @Param state query string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [get]
+func (oc *OidcController) EndSessionHandler(c *gin.Context) {
+	var input dto.OidcLogoutDto
+
+	// Bind query parameters to the struct
+	if c.Request.Method == http.MethodGet {
+		if err := c.ShouldBindQuery(&input); err != nil {
+			c.Error(err)
+			return
+		}
+	} else if c.Request.Method == http.MethodPost {
+		// Bind form parameters to the struct
+		if err := c.ShouldBind(&input); err != nil {
+			c.Error(err)
+			return
+		}
+	}
+
+	callbackURL, err := oc.oidcService.ValidateEndSession(input, c.GetString("userID"))
+	if err != nil {
+		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
+		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
+		c.Redirect(http.StatusFound, common.EnvConfig.AppURL+"/logout")
+		return
+	}
+
+	// The validation was successful, so we can log out and redirect the user to the callback URL without confirmation
+	cookie.AddAccessTokenCookie(c, 0, "")
+
+	logoutCallbackURL, _ := url.Parse(callbackURL)
+	if input.State != "" {
+		q := logoutCallbackURL.Query()
+		q.Set("state", input.State)
+		logoutCallbackURL.RawQuery = q.Encode()
+	}
+
+	c.Redirect(http.StatusFound, logoutCallbackURL.String())
+}
+
+// EndSessionHandler godoc (POST method)
+// @Summary End OIDC session (POST method)
+// @Description End user session and handle OIDC logout using POST
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint formData string false "ID token"
+// @Param post_logout_redirect_uri formData string false "URL to redirect to after logout"
+// @Param state formData string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [post]
+func (oc *OidcController) EndSessionHandlerPost(c *gin.Context) {
+	// Implementation is the same as GET
+}
+
+// getClientMetaDataHandler godoc
+// @Summary Get client metadata
+// @Description Get OIDC client metadata for discovery and configuration
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientMetaDataDto "Client metadata"
+// @Router /api/oidc/clients/{id}/meta [get]
+func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(clientId)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientMetaDataDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	c.Error(err)
+}
+
+// getClientHandler godoc
+// @Summary Get OIDC client
+// @Description Get detailed information about an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Client information"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [get]
+func (oc *OidcController) getClientHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(clientId)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientWithAllowedUserGroupsDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	c.Error(err)
+}
+
+// listClientsHandler godoc
+// @Summary List OIDC clients
+// @Description Get a paginated list of OIDC clients with optional search and sorting
+// @Tags OIDC
+// @Param search query string false "Search term to filter clients by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.OidcClientDto]
+// @Security BearerAuth
+// @Router /api/oidc/clients [get]
+func (oc *OidcController) listClientsHandler(c *gin.Context) {
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
+
+	clients, pagination, err := oc.oidcService.ListClients(searchTerm, sortedPaginationRequest)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var clientsDto []dto.OidcClientDto
+	if err := dto.MapStructList(clients, &clientsDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.OidcClientDto]{
+		Data:       clientsDto,
+		Pagination: pagination,
+	})
+}
+
+// createClientHandler godoc
+// @Summary Create OIDC client
+// @Description Create a new OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 201 {object} dto.OidcClientWithAllowedUserGroupsDto "Created client"
+// @Security BearerAuth
+// @Router /api/oidc/clients [post]
+func (oc *OidcController) createClientHandler(c *gin.Context) {
+	var input dto.OidcClientCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	client, err := oc.oidcService.CreateClient(input, c.GetString("userID"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
+	if err := dto.MapStruct(client, &clientDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, clientDto)
+}
+
+// deleteClientHandler godoc
+// @Summary Delete OIDC client
+// @Description Delete an OIDC client by ID
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [delete]
+func (oc *OidcController) deleteClientHandler(c *gin.Context) {
+	err := oc.oidcService.DeleteClient(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// updateClientHandler godoc
+// @Summary Update OIDC client
+// @Description Update an existing OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [put]
+func (oc *OidcController) updateClientHandler(c *gin.Context) {
+	var input dto.OidcClientCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	client, err := oc.oidcService.UpdateClient(c.Param("id"), input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
+	if err := dto.MapStruct(client, &clientDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, clientDto)
+}
+
+// createClientSecretHandler godoc
+// @Summary Create client secret
+// @Description Generate a new secret for an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} object "{ \"secret\": \"string\" }"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/secret [post]
+func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
+	secret, err := oc.oidcService.CreateClientSecret(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"secret": secret})
+}
+
+// getClientLogoHandler godoc
+// @Summary Get client logo
+// @Description Get the logo image for an OIDC client
+// @Tags OIDC
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Param id path string true "Client ID"
+// @Success 200 {file} binary "Logo image"
+// @Router /api/oidc/clients/{id}/logo [get]
+func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
+	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Header("Content-Type", mimeType)
+	c.File(imagePath)
+}
+
+// updateClientLogoHandler godoc
+// @Summary Update client logo
+// @Description Upload or update the logo for an OIDC client
+// @Tags OIDC
+// @Accept multipart/form-data
+// @Param id path string true "Client ID"
+// @Param file formData file true "Logo image file (PNG, JPG, or SVG, max 2MB)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [post]
+func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	err = oc.oidcService.UpdateClientLogo(c.Param("id"), file)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// deleteClientLogoHandler godoc
+// @Summary Delete client logo
+// @Description Delete the logo for an OIDC client
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [delete]
+func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
+	err := oc.oidcService.DeleteClientLogo(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// updateAllowedUserGroupsHandler godoc
+// @Summary Update allowed user groups
+// @Description Update the user groups allowed to access an OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param groups body dto.OidcUpdateAllowedUserGroupsDto true "User group IDs"
+// @Success 200 {object} dto.OidcClientDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/allowed-user-groups [put]
+func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
+	var input dto.OidcUpdateAllowedUserGroupsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Param("id"), input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var oidcClientDto dto.OidcClientDto
+	if err := dto.MapStruct(oidcClient, &oidcClientDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, oidcClientDto)
+}

backend/internal/controller/test_controller.go

@@ -0,0 +1,44 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
+	testController := &TestController{TestService: testService}
+
+	group.POST("/test/reset", testController.resetAndSeedHandler)
+}
+
+type TestController struct {
+	TestService *service.TestService
+}
+
+func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
+	if err := tc.TestService.ResetDatabase(); err != nil {
+		c.Error(err)
+		return
+	}
+
+	if err := tc.TestService.ResetApplicationImages(); err != nil {
+		c.Error(err)
+		return
+	}
+
+	if err := tc.TestService.SeedDatabase(); err != nil {
+		c.Error(err)
+		return
+	}
+
+	if err := tc.TestService.ResetAppConfig(); err != nil {
+		c.Error(err)
+		return
+	}
+
+	tc.TestService.SetJWTKeys()
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/user_controller.go

@@ -0,0 +1,522 @@
+package controller
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
+)
+
+// NewUserController creates a new controller for user management endpoints
+// @Summary User management controller
+// @Description Initializes all user-related API endpoints
+// @Tags Users
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
+	uc := UserController{
+		userService:      userService,
+		appConfigService: appConfigService,
+	}
+
+	group.GET("/users", authMiddleware.Add(), uc.listUsersHandler)
+	group.GET("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.getCurrentUserHandler)
+	group.GET("/users/:id", authMiddleware.Add(), uc.getUserHandler)
+	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
+	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
+	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
+	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)
+
+	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)
+
+	group.GET("/users/:id/profile-picture.png", uc.getUserProfilePictureHandler)
+
+	group.PUT("/users/:id/profile-picture", authMiddleware.Add(), uc.updateUserProfilePictureHandler)
+	group.PUT("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserProfilePictureHandler)
+
+	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
+	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
+	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
+
+	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
+	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
+}
+
+type UserController struct {
+	userService      *service.UserService
+	appConfigService *service.AppConfigService
+}
+
+// getUserGroupsHandler godoc
+// @Summary Get user groups
+// @Description Retrieve all groups a specific user belongs to
+// @Tags Users,User Groups
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.UserGroupDtoWithUsers
+// @Router /api/users/{id}/groups [get]
+func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
+	userID := c.Param("id")
+	groups, err := uc.userService.GetUserGroups(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var groupsDto []dto.UserGroupDtoWithUsers
+	if err := dto.MapStructList(groups, &groupsDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupsDto)
+}
+
+// listUsersHandler godoc
+// @Summary List users
+// @Description Get a paginated list of users with optional search and sorting
+// @Tags Users
+// @Param search query string false "Search term to filter users"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.UserDto]
+// @Router /api/users [get]
+func (uc *UserController) listUsersHandler(c *gin.Context) {
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
+
+	users, pagination, err := uc.userService.ListUsers(searchTerm, sortedPaginationRequest)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var usersDto []dto.UserDto
+	if err := dto.MapStructList(users, &usersDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserDto]{
+		Data:       usersDto,
+		Pagination: pagination,
+	})
+}
+
+// getUserHandler godoc
+// @Summary Get user by ID
+// @Description Retrieve detailed information about a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [get]
+func (uc *UserController) getUserHandler(c *gin.Context) {
+	user, err := uc.userService.GetUser(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// getCurrentUserHandler godoc
+// @Summary Get current user
+// @Description Retrieve information about the currently authenticated user
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [get]
+func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
+	user, err := uc.userService.GetUser(c.GetString("userID"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// deleteUserHandler godoc
+// @Summary Delete user
+// @Description Delete a specific user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id} [delete]
+func (uc *UserController) deleteUserHandler(c *gin.Context) {
+	if err := uc.userService.DeleteUser(c.Param("id")); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// createUserHandler godoc
+// @Summary Create user
+// @Description Create a new user
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 201 {object} dto.UserDto
+// @Router /api/users [post]
+func (uc *UserController) createUserHandler(c *gin.Context) {
+	var input dto.UserCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	user, err := uc.userService.CreateUser(input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, userDto)
+}
+
+// updateUserHandler godoc
+// @Summary Update user
+// @Description Update an existing user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [put]
+func (uc *UserController) updateUserHandler(c *gin.Context) {
+	uc.updateUser(c, false)
+}
+
+// updateCurrentUserHandler godoc
+// @Summary Update current user
+// @Description Update the currently authenticated user's information
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [put]
+func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
+	if uc.appConfigService.DbConfig.AllowOwnAccountEdit.Value != "true" {
+		c.Error(&common.AccountEditNotAllowedError{})
+		return
+	}
+	uc.updateUser(c, true)
+}
+
+// getUserProfilePictureHandler godoc
+// @Summary Get user profile picture
+// @Description Retrieve a specific user's profile picture
+// @Tags Users
+// @Produce image/png
+// @Param id path string true "User ID"
+// @Success 200 {file} binary "PNG image"
+// @Router /api/users/{id}/profile-picture.png [get]
+func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	picture, size, err := uc.userService.GetProfilePicture(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Header("Cache-Control", "public, max-age=300")
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
+}
+
+// updateUserProfilePictureHandler godoc
+// @Summary Update user profile picture
+// @Description Update a specific user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param id path string true "User ID"
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [put]
+func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// updateCurrentUserProfilePictureHandler godoc
+// @Summary Update current user's profile picture
+// @Description Update the currently authenticated user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [put]
+func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
+	var input dto.OneTimeAccessTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	if own {
+		input.UserID = c.GetString("userID")
+	}
+	token, err := uc.userService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"token": token})
+}
+
+// createOwnOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for current user
+// @Description Generate a one-time access token for the currently authenticated user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, true)
+}
+
+func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, false)
+}
+
+func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	err := uc.userService.RequestOneTimeAccessEmail(input.Email, input.RedirectPath)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// exchangeOneTimeAccessTokenHandler godoc
+// @Summary Exchange one-time access token
+// @Description Exchange a one-time access token for a session token
+// @Tags Users
+// @Param token path string true "One-time access token"
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/{token} [post]
+func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Param("token"), c.ClientIP(), c.Request.UserAgent())
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// getSetupAccessTokenHandler godoc
+// @Summary Setup initial admin
+// @Description Generate setup access token for initial admin user configuration
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/setup [post]
+func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
+	user, token, err := uc.userService.SetupInitialAdmin()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// updateUserGroups godoc
+// @Summary Update user groups
+// @Description Update the groups a specific user belongs to
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param groups body dto.UserUpdateUserGroupDto true "User group IDs"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id}/user-groups [put]
+func (uc *UserController) updateUserGroups(c *gin.Context) {
+	var input dto.UserUpdateUserGroupDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	user, err := uc.userService.UpdateUserGroups(c.Param("id"), input.UserGroupIds)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// updateUser is an internal helper method, not exposed as an API endpoint
+func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
+	var input dto.UserCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userID string
+	if updateOwnUser {
+		userID = c.GetString("userID")
+	} else {
+		userID = c.Param("id")
+	}
+
+	user, err := uc.userService.UpdateUser(userID, input, updateOwnUser, false)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// resetUserProfilePictureHandler godoc
+// @Summary Reset user profile picture
+// @Description Reset a specific user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [delete]
+func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// resetCurrentUserProfilePictureHandler godoc
+// @Summary Reset current user's profile picture
+// @Description Reset the currently authenticated user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [delete]
+func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/user_group_controller.go

@@ -0,0 +1,226 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewUserGroupController creates a new controller for user group management
+// @Summary User group management controller
+// @Description Initializes all user group-related API endpoints
+// @Tags User Groups
+func NewUserGroupController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, userGroupService *service.UserGroupService) {
+	ugc := UserGroupController{
+		UserGroupService: userGroupService,
+	}
+
+	userGroupsGroup := group.Group("/user-groups")
+	userGroupsGroup.Use(authMiddleware.Add())
+	{
+		userGroupsGroup.GET("", ugc.list)
+		userGroupsGroup.GET("/:id", ugc.get)
+		userGroupsGroup.POST("", ugc.create)
+		userGroupsGroup.PUT("/:id", ugc.update)
+		userGroupsGroup.DELETE("/:id", ugc.delete)
+		userGroupsGroup.PUT("/:id/users", ugc.updateUsers)
+	}
+}
+
+type UserGroupController struct {
+	UserGroupService *service.UserGroupService
+}
+
+// list godoc
+// @Summary List user groups
+// @Description Get a paginated list of user groups with optional search and sorting
+// @Tags User Groups
+// @Param search query string false "Search term to filter user groups by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
+// @Router /api/user-groups [get]
+func (ugc *UserGroupController) list(c *gin.Context) {
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
+
+	groups, pagination, err := ugc.UserGroupService.List(searchTerm, sortedPaginationRequest)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	// Map the user groups to DTOs
+	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
+	for i, group := range groups {
+		var groupDto dto.UserGroupDtoWithUserCount
+		if err := dto.MapStruct(group, &groupDto); err != nil {
+			c.Error(err)
+			return
+		}
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(group.ID)
+		if err != nil {
+			c.Error(err)
+			return
+		}
+		groupsDto[i] = groupDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupDtoWithUserCount]{
+		Data:       groupsDto,
+		Pagination: pagination,
+	})
+}
+
+// get godoc
+// @Summary Get user group by ID
+// @Description Retrieve detailed information about a specific user group including its users
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [get]
+func (ugc *UserGroupController) get(c *gin.Context) {
+	group, err := ugc.UserGroupService.Get(c.Param("id"))
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+// create godoc
+// @Summary Create user group
+// @Description Create a new user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 201 {object} dto.UserGroupDtoWithUsers "Created user group"
+// @Security BearerAuth
+// @Router /api/user-groups [post]
+func (ugc *UserGroupController) create(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Create(input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, groupDto)
+}
+
+// update godoc
+// @Summary Update user group
+// @Description Update an existing user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 200 {object} dto.UserGroupDtoWithUsers "Updated user group"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [put]
+func (ugc *UserGroupController) update(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Update(c.Param("id"), input, false)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+// delete godoc
+// @Summary Delete user group
+// @Description Delete a specific user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [delete]
+func (ugc *UserGroupController) delete(c *gin.Context) {
+	if err := ugc.UserGroupService.Delete(c.Param("id")); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// updateUsers godoc
+// @Summary Update users in a group
+// @Description Update the list of users belonging to a specific user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param users body dto.UserGroupUpdateUsersDto true "List of user IDs to assign to this group"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id}/users [put]
+func (ugc *UserGroupController) updateUsers(c *gin.Context) {
+	var input dto.UserGroupUpdateUsersDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.UpdateUsers(c.Param("id"), input.UserIDs)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}

backend/internal/controller/webauthn_controller.go

@@ -0,0 +1,175 @@
+package controller
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"golang.org/x/time/rate"
+)
+
+func NewWebauthnController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
+	wc := &WebauthnController{webAuthnService: webauthnService, appConfigService: appConfigService}
+	group.GET("/webauthn/register/start", authMiddleware.WithAdminNotRequired().Add(), wc.beginRegistrationHandler)
+	group.POST("/webauthn/register/finish", authMiddleware.WithAdminNotRequired().Add(), wc.verifyRegistrationHandler)
+
+	group.GET("/webauthn/login/start", wc.beginLoginHandler)
+	group.POST("/webauthn/login/finish", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.verifyLoginHandler)
+
+	group.POST("/webauthn/logout", authMiddleware.WithAdminNotRequired().Add(), wc.logoutHandler)
+
+	group.GET("/webauthn/credentials", authMiddleware.WithAdminNotRequired().Add(), wc.listCredentialsHandler)
+	group.PATCH("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.updateCredentialHandler)
+	group.DELETE("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.deleteCredentialHandler)
+}
+
+type WebauthnController struct {
+	webAuthnService  *service.WebAuthnService
+	appConfigService *service.AppConfigService
+}
+
+func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	options, err := wc.webAuthnService.BeginRegistration(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
+	c.JSON(http.StatusOK, options.Response)
+}
+
+func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
+	if err != nil {
+		c.Error(&common.MissingSessionIdError{})
+		return
+	}
+
+	userID := c.GetString("userID")
+	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var credentialDto dto.WebauthnCredentialDto
+	if err := dto.MapStruct(credential, &credentialDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDto)
+}
+
+func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
+	options, err := wc.webAuthnService.BeginLogin()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
+	c.JSON(http.StatusOK, options.Response)
+}
+
+func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
+	if err != nil {
+		c.Error(&common.MissingSessionIdError{})
+		return
+	}
+
+	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(wc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var credentialDtos []dto.WebauthnCredentialDto
+	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDtos)
+}
+
+func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentialID := c.Param("id")
+
+	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentialID := c.Param("id")
+
+	var input dto.WebauthnCredentialUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var credentialDto dto.WebauthnCredentialDto
+	if err := dto.MapStruct(credential, &credentialDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDto)
+}
+
+func (wc *WebauthnController) logoutHandler(c *gin.Context) {
+	cookie.AddAccessTokenCookie(c, 0, "")
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/well_known_controller.go

@@ -0,0 +1,65 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// NewWellKnownController creates a new controller for OIDC discovery endpoints
+// @Summary OIDC Discovery controller
+// @Description Initializes OIDC discovery and JWKS endpoints
+// @Tags Well Known
+func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
+	wkc := &WellKnownController{jwtService: jwtService}
+	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
+	group.GET("/.well-known/openid-configuration", wkc.openIDConfigurationHandler)
+}
+
+type WellKnownController struct {
+	jwtService *service.JwtService
+}
+
+// jwksHandler godoc
+// @Summary Get JSON Web Key Set (JWKS)
+// @Description Returns the JSON Web Key Set used for token verification
+// @Tags Well Known
+// @Produce json
+// @Success 200 {object} object "{ \"keys\": []interface{} }"
+// @Router /.well-known/jwks.json [get]
+func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
+	jwks, err := wkc.jwtService.GetPublicJWKSAsJSON()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Data(http.StatusOK, "application/json; charset=utf-8", jwks)
+}
+
+// openIDConfigurationHandler godoc
+// @Summary Get OpenID Connect discovery configuration
+// @Description Returns the OpenID Connect discovery document with endpoints and capabilities
+// @Tags Well Known
+// @Success 200 {object} object "OpenID Connect configuration"
+// @Router /.well-known/openid-configuration [get]
+func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
+	appUrl := common.EnvConfig.AppURL
+	config := map[string]interface{}{
+		"issuer":                                appUrl,
+		"authorization_endpoint":                appUrl + "/authorize",
+		"token_endpoint":                        appUrl + "/api/oidc/token",
+		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
+		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
+		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
+		"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
+		"scopes_supported":                      []string{"openid", "profile", "email", "groups"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
+		"response_types_supported":              []string{"code", "id_token"},
+		"subject_types_supported":               []string{"public"},
+		"id_token_signing_alg_values_supported": []string{"RS256"},
+	}
+	c.JSON(http.StatusOK, config)
+}

backend/internal/dto/api_key_dto.go

@@ -0,0 +1,25 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type ApiKeyCreateDto struct {
+	Name        string            `json:"name" binding:"required,min=3,max=50"`
+	Description string            `json:"description"`
+	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
+}
+
+type ApiKeyDto struct {
+	ID          string             `json:"id"`
+	Name        string             `json:"name"`
+	Description string             `json:"description"`
+	ExpiresAt   datatype.DateTime  `json:"expiresAt"`
+	LastUsedAt  *datatype.DateTime `json:"lastUsedAt"`
+	CreatedAt   datatype.DateTime  `json:"createdAt"`
+}
+
+type ApiKeyResponseDto struct {
+	ApiKey ApiKeyDto `json:"apiKey"`
+	Token  string    `json:"token"`
+}

backend/internal/dto/app_config_dto.go

@@ -0,0 +1,46 @@
+package dto
+
+type PublicAppConfigVariableDto struct {
+	Key   string `json:"key"`
+	Type  string `json:"type"`
+	Value string `json:"value"`
+}
+
+type AppConfigVariableDto struct {
+	PublicAppConfigVariableDto
+	IsPublic bool `json:"isPublic"`
+}
+
+type AppConfigUpdateDto struct {
+	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration                    string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
+	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
+	SmtHost                            string `json:"smtpHost"`
+	SmtpPort                           string `json:"smtpPort"`
+	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                           string `json:"smtpUser"`
+	SmtpPassword                       string `json:"smtpPassword"`
+	SmtpTls                            string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
+	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                            string `json:"ldapUrl"`
+	LdapBindDn                         string `json:"ldapBindDn"`
+	LdapBindPassword                   string `json:"ldapBindPassword"`
+	LdapBase                           string `json:"ldapBase"`
+	LdapUserSearchFilter               string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter          string `json:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture    string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember           string `json:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
+	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
+	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
+}

backend/internal/dto/audit_log_dto.go

@@ -0,0 +1,19 @@
+package dto
+
+import (
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type AuditLogDto struct {
+	ID        string            `json:"id"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
+
+	Event     model.AuditLogEvent `json:"event"`
+	IpAddress string              `json:"ipAddress"`
+	Country   string              `json:"country"`
+	City      string              `json:"city"`
+	Device    string              `json:"device"`
+	UserID    string              `json:"userID"`
+	Data      model.AuditLogData  `json:"data"`
+}

backend/internal/dto/custom_claim_dto.go

@@ -0,0 +1,11 @@
+package dto
+
+type CustomClaimDto struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
+type CustomClaimCreateDto struct {
+	Key   string `json:"key" binding:"required"`
+	Value string `json:"value" binding:"required"`
+}

backend/internal/dto/dto_mapper.go

@@ -0,0 +1,117 @@
+package dto
+
+import (
+	"errors"
+	"reflect"
+	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+// MapStructList maps a list of source structs to a list of destination structs
+func MapStructList[S any, D any](source []S, destination *[]D) error {
+	*destination = make([]D, 0, len(source))
+
+	for _, item := range source {
+		var destItem D
+		if err := MapStruct(item, &destItem); err != nil {
+			return err
+		}
+		*destination = append(*destination, destItem)
+	}
+	return nil
+}
+
+// MapStruct maps a source struct to a destination struct
+func MapStruct[S any, D any](source S, destination *D) error {
+	// Ensure destination is a non-nil pointer
+	destValue := reflect.ValueOf(destination)
+	if destValue.Kind() != reflect.Ptr || destValue.IsNil() {
+		return errors.New("destination must be a non-nil pointer to a struct")
+	}
+
+	// Ensure source is a struct
+	sourceValue := reflect.ValueOf(source)
+	if sourceValue.Kind() != reflect.Struct {
+		return errors.New("source must be a struct")
+	}
+
+	return mapStructInternal(sourceValue, destValue.Elem())
+}
+
+func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
+	// Loop through the fields of the destination struct
+	for i := 0; i < destVal.NumField(); i++ {
+		destField := destVal.Field(i)
+		destFieldType := destVal.Type().Field(i)
+
+		if destFieldType.Anonymous {
+			// Recursively handle embedded structs
+			if err := mapStructInternal(sourceVal, destField); err != nil {
+				return err
+			}
+			continue
+		}
+
+		sourceField := sourceVal.FieldByName(destFieldType.Name)
+
+		// If the source field is valid and can be assigned to the destination field
+		if sourceField.IsValid() && destField.CanSet() {
+			// Handle direct assignment for simple types
+			if sourceField.Type() == destField.Type() {
+				destField.Set(sourceField)
+
+			} else if sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice {
+				// Handle slices
+				if sourceField.Type().Elem() == destField.Type().Elem() {
+					// Direct assignment for slices of primitive types or non-struct elements
+					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+
+					for j := 0; j < sourceField.Len(); j++ {
+						newSlice.Index(j).Set(sourceField.Index(j))
+					}
+
+					destField.Set(newSlice)
+
+				} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
+					// Recursively map slices of structs
+					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+
+					for j := 0; j < sourceField.Len(); j++ {
+						// Get the element from both source and destination slice
+						sourceElem := sourceField.Index(j)
+						destElem := reflect.New(destField.Type().Elem()).Elem()
+
+						// Recursively map the struct elements
+						if err := mapStructInternal(sourceElem, destElem); err != nil {
+							return err
+						}
+
+						// Set the mapped element in the new slice
+						newSlice.Index(j).Set(destElem)
+					}
+
+					destField.Set(newSlice)
+				}
+			} else if sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct {
+				// Recursively map nested structs
+				if err := mapStructInternal(sourceField, destField); err != nil {
+					return err
+				}
+			} else {
+				// Type switch for specific type conversions
+				switch sourceField.Interface().(type) {
+				case datatype.DateTime:
+					// Convert datatype.DateTime to time.Time
+					if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
+						dateValue := sourceField.Interface().(datatype.DateTime)
+						destField.Set(reflect.ValueOf(dateValue.ToTime()))
+					}
+				}
+			}
+
+		}
+	}
+
+	return nil
+}

backend/internal/dto/oidc_dto.go

@@ -0,0 +1,75 @@
+package dto
+
+type OidcClientMetaDataDto struct {
+	ID      string `json:"id"`
+	Name    string `json:"name"`
+	HasLogo bool   `json:"hasLogo"`
+}
+
+type OidcClientDto struct {
+	OidcClientMetaDataDto
+	CallbackURLs       []string `json:"callbackURLs"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	OidcClientDto
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
+}
+
+type OidcClientCreateDto struct {
+	Name               string   `json:"name" binding:"required,max=50"`
+	CallbackURLs       []string `json:"callbackURLs" binding:"required"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
+}
+
+type AuthorizeOidcClientRequestDto struct {
+	ClientID            string `json:"clientID" binding:"required"`
+	Scope               string `json:"scope" binding:"required"`
+	CallbackURL         string `json:"callbackURL"`
+	Nonce               string `json:"nonce"`
+	CodeChallenge       string `json:"codeChallenge"`
+	CodeChallengeMethod string `json:"codeChallengeMethod"`
+}
+
+type AuthorizeOidcClientResponseDto struct {
+	Code        string `json:"code"`
+	CallbackURL string `json:"callbackURL"`
+}
+
+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
+type OidcCreateTokensDto struct {
+	GrantType    string `form:"grant_type" binding:"required"`
+	Code         string `form:"code"`
+	ClientID     string `form:"client_id"`
+	ClientSecret string `form:"client_secret"`
+	CodeVerifier string `form:"code_verifier"`
+	RefreshToken string `form:"refresh_token"`
+}
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}
+
+type OidcLogoutDto struct {
+	IdTokenHint           string `form:"id_token_hint"`
+	ClientId              string `form:"client_id"`
+	PostLogoutRedirectUri string `form:"post_logout_redirect_uri"`
+	State                 string `form:"state"`
+}
+
+type OidcTokenResponseDto struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	IdToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+	ExpiresIn    int    `json:"expires_in"`
+}

backend/internal/dto/pagination_dto.go

@@ -0,0 +1,10 @@
+package dto
+
+import "github.com/pocket-id/pocket-id/backend/internal/utils"
+
+type Pagination = utils.PaginationResponse
+
+type Paginated[T any] struct {
+	Data       []T        `json:"data"`
+	Pagination Pagination `json:"pagination"`
+}

backend/internal/dto/user_dto.go

@@ -0,0 +1,40 @@
+package dto
+
+import "time"
+
+type UserDto struct {
+	ID           string           `json:"id"`
+	Username     string           `json:"username"`
+	Email        string           `json:"email" `
+	FirstName    string           `json:"firstName"`
+	LastName     string           `json:"lastName"`
+	IsAdmin      bool             `json:"isAdmin"`
+	Locale       *string          `json:"locale"`
+	CustomClaims []CustomClaimDto `json:"customClaims"`
+	UserGroups   []UserGroupDto   `json:"userGroups"`
+	LdapID       *string          `json:"ldapId"`
+}
+
+type UserCreateDto struct {
+	Username  string  `json:"username" binding:"required,username,min=2,max=50"`
+	Email     string  `json:"email" binding:"required,email"`
+	FirstName string  `json:"firstName" binding:"required,min=1,max=50"`
+	LastName  string  `json:"lastName" binding:"required,min=1,max=50"`
+	IsAdmin   bool    `json:"isAdmin"`
+	Locale    *string `json:"locale"`
+	LdapID    string  `json:"-"`
+}
+
+type OneTimeAccessTokenCreateDto struct {
+	UserID    string    `json:"userId"`
+	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+}
+
+type OneTimeAccessEmailDto struct {
+	Email        string `json:"email" binding:"required,email"`
+	RedirectPath string `json:"redirectPath"`
+}
+
+type UserUpdateUserGroupDto struct {
+	UserGroupIds []string `json:"userGroupIds" binding:"required"`
+}

backend/internal/dto/user_group_dto.go

@@ -0,0 +1,44 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type UserGroupDto struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupDtoWithUsers struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	Users        []UserDto         `json:"users"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupDtoWithUserCount struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	UserCount    int64             `json:"userCount"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupCreateDto struct {
+	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50"`
+	Name         string `json:"name" binding:"required,min=2,max=255"`
+	LdapID       string `json:"-"`
+}
+
+type UserGroupUpdateUsersDto struct {
+	UserIDs []string `json:"userIds" binding:"required"`
+}

backend/internal/dto/validations.go

@@ -0,0 +1,25 @@
+package dto
+
+import (
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
+	"log"
+	"regexp"
+)
+
+var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
+	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
+	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
+	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
+	regex := "^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$"
+	matched, _ := regexp.MatchString(regex, fl.Field().String())
+	return matched
+}
+
+func init() {
+	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
+		if err := v.RegisterValidation("username", validateUsername); err != nil {
+			log.Fatalf("Failed to register custom validation: %v", err)
+		}
+	}
+}

backend/internal/dto/webauthn_dto.go

@@ -0,0 +1,23 @@
+package dto
+
+import (
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type WebauthnCredentialDto struct {
+	ID              string                            `json:"id"`
+	Name            string                            `json:"name"`
+	CredentialID    string                            `json:"credentialID"`
+	AttestationType string                            `json:"attestationType"`
+	Transport       []protocol.AuthenticatorTransport `json:"transport"`
+
+	BackupEligible bool `json:"backupEligible"`
+	BackupState    bool `json:"backupState"`
+
+	CreatedAt datatype.DateTime `json:"createdAt"`
+}
+
+type WebauthnCredentialUpdateDto struct {
+	Name string `json:"name" binding:"required,min=1,max=30"`
+}

backend/internal/handler/application_configuration.go

@@ -1,190 +0,0 @@
-package handler
-
-import (
-	"errors"
-	"fmt"
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/common/middleware"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"gorm.io/gorm"
-	"net/http"
-	"os"
-	"reflect"
-)
-
-func RegisterConfigurationRoutes(group *gin.RouterGroup) {
-	group.GET("/application-configuration", listApplicationConfigurationHandler)
-	group.PUT("/application-configuration", updateApplicationConfigurationHandler)
-
-	group.GET("/application-configuration/logo", getLogoHandler)
-	group.GET("/application-configuration/background-image", getBackgroundImageHandler)
-	group.GET("/application-configuration/favicon", getFaviconHandler)
-	group.PUT("/application-configuration/logo", middleware.JWTAuth(true), updateLogoHandler)
-	group.PUT("/application-configuration/favicon", middleware.JWTAuth(true), updateFaviconHandler)
-	group.PUT("/application-configuration/background-image", middleware.JWTAuth(true), updateBackgroundImageHandler)
-}
-
-func listApplicationConfigurationHandler(c *gin.Context) {
-	// Return also the private configuration variables if the user is admin and showAll is true
-	showAll := c.GetBool("userIsAdmin") && c.DefaultQuery("showAll", "false") == "true"
-
-	var configuration []model.ApplicationConfigurationVariable
-	var err error
-
-	if showAll {
-		err = common.DB.Find(&configuration).Error
-	} else {
-		err = common.DB.Find(&configuration, "is_public = true").Error
-	}
-
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(200, configuration)
-}
-
-func updateApplicationConfigurationHandler(c *gin.Context) {
-	var input model.ApplicationConfigurationUpdateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	savedConfigVariables := make([]model.ApplicationConfigurationVariable, 10)
-
-	tx := common.DB.Begin()
-	rt := reflect.ValueOf(input).Type()
-	rv := reflect.ValueOf(input)
-
-	// Loop over the input struct fields and update the related configuration variables
-	for i := 0; i < rt.NumField(); i++ {
-		field := rt.Field(i)
-		key := field.Tag.Get("json")
-		value := rv.FieldByName(field.Name).String()
-
-		// Get the existing configuration variable from the db
-		var applicationConfigurationVariable model.ApplicationConfigurationVariable
-		if err := tx.First(&applicationConfigurationVariable, "key = ? AND is_internal = false", key).Error; err != nil {
-			tx.Rollback()
-			if errors.Is(err, gorm.ErrRecordNotFound) {
-				utils.HandlerError(c, http.StatusNotFound, fmt.Sprintf("Invalid configuration variable '%s'", value))
-			} else {
-				utils.UnknownHandlerError(c, err)
-			}
-			return
-		}
-
-		// Update the value of the existing configuration variable and save it
-		applicationConfigurationVariable.Value = value
-		if err := tx.Save(&applicationConfigurationVariable).Error; err != nil {
-			tx.Rollback()
-			utils.UnknownHandlerError(c, err)
-			return
-		}
-
-		savedConfigVariables[i] = applicationConfigurationVariable
-	}
-
-	tx.Commit()
-
-	if err := common.LoadDbConfigFromDb(); err != nil {
-		utils.UnknownHandlerError(c, err)
-	}
-
-	c.JSON(http.StatusOK, savedConfigVariables)
-
-}
-
-func getLogoHandler(c *gin.Context) {
-	imagType := common.DbConfig.LogoImageType.Value
-	getImage(c, "logo", imagType)
-}
-
-func getFaviconHandler(c *gin.Context) {
-	getImage(c, "favicon", "ico")
-}
-
-func getBackgroundImageHandler(c *gin.Context) {
-	imageType := common.DbConfig.BackgroundImageType.Value
-	getImage(c, "background", imageType)
-}
-
-func updateLogoHandler(c *gin.Context) {
-	imageType := common.DbConfig.LogoImageType.Value
-	updateImage(c, "logo", imageType)
-}
-
-func updateFaviconHandler(c *gin.Context) {
-	file, err := c.FormFile("file")
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-	fileType := utils.GetFileExtension(file.Filename)
-	if fileType != "ico" {
-		utils.HandlerError(c, http.StatusBadRequest, "File must be of type .ico")
-		return
-	}
-	updateImage(c, "favicon", "ico")
-}
-
-func updateBackgroundImageHandler(c *gin.Context) {
-	imagType := common.DbConfig.BackgroundImageType.Value
-	updateImage(c, "background", imagType)
-}
-
-func getImage(c *gin.Context, name string, imageType string) {
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
-	mimeType := utils.GetImageMimeType(imageType)
-
-	c.Header("Content-Type", mimeType)
-	c.File(imagePath)
-}
-
-func updateImage(c *gin.Context, imageName string, oldImageType string) {
-	file, err := c.FormFile("file")
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	fileType := utils.GetFileExtension(file.Filename)
-	if mimeType := utils.GetImageMimeType(fileType); mimeType == "" {
-		utils.HandlerError(c, http.StatusBadRequest, "File type not supported")
-		return
-	}
-
-	// Delete the old image if it has a different file type
-	if fileType != oldImageType {
-		oldImagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, oldImageType)
-		if err := os.Remove(oldImagePath); err != nil {
-			utils.UnknownHandlerError(c, err)
-			return
-		}
-	}
-
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, fileType)
-	err = c.SaveUploadedFile(file, imagePath)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	// Update the file type in the database
-	key := fmt.Sprintf("%sImageType", imageName)
-	err = common.DB.Model(&model.ApplicationConfigurationVariable{}).Where("key = ?", key).Update("value", fileType).Error
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	if err := common.LoadDbConfigFromDb(); err != nil {
-		utils.UnknownHandlerError(c, err)
-	}
-
-	c.Status(http.StatusNoContent)
-}

backend/internal/handler/oidc.go

@@ -1,415 +0,0 @@
-package handler
-
-import (
-	"errors"
-	"fmt"
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/common/middleware"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"golang.org/x/crypto/bcrypt"
-	"gorm.io/gorm"
-	"net/http"
-	"os"
-	"time"
-)
-
-func RegisterOIDCRoutes(group *gin.RouterGroup) {
-	group.POST("/oidc/authorize", middleware.JWTAuth(false), authorizeHandler)
-	group.POST("/oidc/authorize/new-client", middleware.JWTAuth(false), authorizeNewClientHandler)
-	group.POST("/oidc/token", createIDTokenHandler)
-
-	group.GET("/oidc/clients", middleware.JWTAuth(true), listClientsHandler)
-	group.POST("/oidc/clients", middleware.JWTAuth(true), createClientHandler)
-	group.GET("/oidc/clients/:id", getClientHandler)
-	group.PUT("/oidc/clients/:id", middleware.JWTAuth(true), updateClientHandler)
-	group.DELETE("/oidc/clients/:id", middleware.JWTAuth(true), deleteClientHandler)
-
-	group.POST("/oidc/clients/:id/secret", middleware.JWTAuth(true), createClientSecretHandler)
-
-	group.GET("/oidc/clients/:id/logo", getClientLogoHandler)
-	group.DELETE("/oidc/clients/:id/logo", deleteClientLogoHandler)
-	group.POST("/oidc/clients/:id/logo", middleware.JWTAuth(true), middleware.LimitFileSize(2<<20), updateClientLogoHandler)
-}
-
-type AuthorizeRequest struct {
-	ClientID string `json:"clientID" binding:"required"`
-	Scope    string `json:"scope" binding:"required"`
-	Nonce    string `json:"nonce"`
-}
-
-func authorizeHandler(c *gin.Context) {
-	var parsedBody AuthorizeRequest
-	if err := c.ShouldBindJSON(&parsedBody); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
-	common.DB.First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", parsedBody.ClientID, c.GetString("userID"))
-
-	// If the record isn't found or the scope is different return an error
-	// The client will have to call the authorizeNewClientHandler
-	if userAuthorizedOIDCClient.Scope != parsedBody.Scope {
-		utils.HandlerError(c, http.StatusForbidden, "missing authorization")
-		return
-	}
-
-	authorizationCode, err := createAuthorizationCode(parsedBody.ClientID, c.GetString("userID"), parsedBody.Scope, parsedBody.Nonce)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"code": authorizationCode})
-}
-
-// authorizeNewClientHandler authorizes a new client for the user
-// a new client is a new client when the user has not authorized the client before
-func authorizeNewClientHandler(c *gin.Context) {
-	var parsedBody model.AuthorizeNewClientDto
-	if err := c.ShouldBindJSON(&parsedBody); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	userAuthorizedClient := model.UserAuthorizedOidcClient{
-		UserID:   c.GetString("userID"),
-		ClientID: parsedBody.ClientID,
-		Scope:    parsedBody.Scope,
-	}
-	err := common.DB.Create(&userAuthorizedClient).Error
-
-	if err != nil && errors.Is(err, gorm.ErrDuplicatedKey) {
-		err = common.DB.Model(&userAuthorizedClient).Update("scope", parsedBody.Scope).Error
-	}
-
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	authorizationCode, err := createAuthorizationCode(parsedBody.ClientID, c.GetString("userID"), parsedBody.Scope, parsedBody.Nonce)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"code": authorizationCode})
-
-}
-
-func createIDTokenHandler(c *gin.Context) {
-	var body model.OidcIdTokenDto
-
-	if err := c.ShouldBind(&body); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	// Currently only authorization_code grant type is supported
-	if body.GrantType != "authorization_code" {
-		utils.HandlerError(c, http.StatusBadRequest, "grant type not supported")
-		return
-	}
-
-	clientID := body.ClientID
-	clientSecret := body.ClientSecret
-
-	// Client id and secret can also be passed over the Authorization header
-	if clientID == "" || clientSecret == "" {
-		var ok bool
-		clientID, clientSecret, ok = c.Request.BasicAuth()
-		if !ok {
-			utils.HandlerError(c, http.StatusBadRequest, "Client id and secret not provided")
-			return
-		}
-	}
-
-	// Get the client
-	var client model.OidcClient
-	err := common.DB.First(&client, "id = ?", clientID, clientSecret).Error
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "OIDC OIDC client not found")
-		return
-	}
-
-	// Check if client secret is correct
-	err = bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret))
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid client secret")
-		return
-	}
-
-	var authorizationCodeMetaData model.OidcAuthorizationCode
-	err = common.DB.Preload("User").First(&authorizationCodeMetaData, "code = ?", body.Code).Error
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid authorization code")
-		return
-	}
-
-	// Check if the client id matches the client id in the authorization code and if the code has expired
-	if authorizationCodeMetaData.ClientID != clientID && authorizationCodeMetaData.ExpiresAt.Before(time.Now()) {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid authorization code")
-		return
-	}
-
-	idToken, e := common.GenerateIDToken(authorizationCodeMetaData.User, clientID, authorizationCodeMetaData.Scope, authorizationCodeMetaData.Nonce)
-	if e != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	// Delete the authorization code after it has been used
-	common.DB.Delete(&authorizationCodeMetaData)
-
-	c.JSON(http.StatusOK, gin.H{"id_token": idToken})
-}
-
-func getClientHandler(c *gin.Context) {
-	clientId := c.Param("id")
-
-	var client model.OidcClient
-	err := common.DB.First(&client, "id = ?", clientId).Error
-	if err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-		return
-	}
-
-	c.JSON(http.StatusOK, client)
-}
-
-func listClientsHandler(c *gin.Context) {
-	var clients []model.OidcClient
-	searchTerm := c.Query("search")
-
-	query := common.DB.Model(&model.OidcClient{})
-
-	if searchTerm != "" {
-		searchPattern := "%" + searchTerm + "%"
-		query = query.Where("name LIKE ?", searchPattern)
-	}
-
-	pagination, err := utils.Paginate(c, query, &clients)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"data":       clients,
-		"pagination": pagination,
-	})
-}
-
-func createClientHandler(c *gin.Context) {
-	var input model.OidcClientCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	client := model.OidcClient{
-		Name:        input.Name,
-		CallbackURL: input.CallbackURL,
-		CreatedByID: c.GetString("userID"),
-	}
-
-	if err := common.DB.Create(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusCreated, client)
-}
-
-func deleteClientHandler(c *gin.Context) {
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC OIDC client not found")
-		return
-	}
-
-	if err := common.DB.Delete(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func updateClientHandler(c *gin.Context) {
-	var input model.OidcClientCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	client.Name = input.Name
-	client.CallbackURL = input.CallbackURL
-
-	if err := common.DB.Save(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusNoContent, client)
-}
-
-// createClientSecretHandler creates a new secret for the client and revokes the old one
-func createClientSecretHandler(c *gin.Context) {
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	clientSecret, err := utils.GenerateRandomAlphanumericString(32)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	client.Secret = string(hashedSecret)
-	if err := common.DB.Save(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"secret": clientSecret})
-}
-
-func getClientLogoHandler(c *gin.Context) {
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-		return
-	}
-
-	if client.ImageType == nil {
-		utils.HandlerError(c, http.StatusNotFound, "image not found")
-		return
-	}
-
-	imageType := *client.ImageType
-
-	imagePath := fmt.Sprintf("%s/oidc-client-images/%s.%s", common.EnvConfig.UploadPath, client.ID, imageType)
-	mimeType := utils.GetImageMimeType(imageType)
-
-	c.Header("Content-Type", mimeType)
-	c.File(imagePath)
-}
-
-func updateClientLogoHandler(c *gin.Context) {
-	file, err := c.FormFile("file")
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	fileType := utils.GetFileExtension(file.Filename)
-	if mimeType := utils.GetImageMimeType(fileType); mimeType == "" {
-		utils.HandlerError(c, http.StatusBadRequest, "file type not supported")
-		return
-	}
-
-	imagePath := fmt.Sprintf("%s/oidc-client-images/%s.%s", common.EnvConfig.UploadPath, c.Param("id"), fileType)
-	err = c.SaveUploadedFile(file, imagePath)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-		return
-	}
-
-	// Delete the old image if it has a different file type
-	if client.ImageType != nil && fileType != *client.ImageType {
-		oldImagePath := fmt.Sprintf("%s/oidc-client-images/%s.%s", common.EnvConfig.UploadPath, client.ID, *client.ImageType)
-		if err := os.Remove(oldImagePath); err != nil {
-			utils.UnknownHandlerError(c, err)
-			return
-		}
-	}
-
-	client.ImageType = &fileType
-	if err := common.DB.Save(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func deleteClientLogoHandler(c *gin.Context) {
-	var client model.OidcClient
-	if err := common.DB.First(&client, "id = ?", c.Param("id")).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
-		return
-	}
-
-	if client.ImageType == nil {
-		utils.HandlerError(c, http.StatusNotFound, "image not found")
-		return
-	}
-
-	imagePath := fmt.Sprintf("%s/oidc-client-images/%s.%s", common.EnvConfig.UploadPath, client.ID, *client.ImageType)
-	if err := os.Remove(imagePath); err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	client.ImageType = nil
-	if err := common.DB.Save(&client).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func createAuthorizationCode(clientID string, userID string, scope string, nonce string) (string, error) {
-	randomString, err := utils.GenerateRandomAlphanumericString(32)
-	if err != nil {
-		return "", err
-	}
-
-	oidcAuthorizationCode := model.OidcAuthorizationCode{
-		ExpiresAt: time.Now().Add(15 * time.Minute),
-		Code:      randomString,
-		ClientID:  clientID,
-		UserID:    userID,
-		Scope:     scope,
-		Nonce:     nonce,
-	}
-
-	if err := common.DB.Create(&oidcAuthorizationCode).Error; err != nil {
-		return "", err
-	}
-
-	return randomString, nil
-}

backend/internal/handler/test.go

@@ -1,237 +0,0 @@
-package handler
-
-import (
-	"crypto/ecdsa"
-	"crypto/x509"
-	"encoding/base64"
-	"log"
-	"os"
-	"time"
-
-	"github.com/fxamacker/cbor/v2"
-	"github.com/gin-gonic/gin"
-	"github.com/go-webauthn/webauthn/protocol"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"gorm.io/gorm"
-)
-
-func RegisterTestRoutes(group *gin.RouterGroup) {
-	group.POST("/test/reset", resetAndSeedHandler)
-}
-
-func resetAndSeedHandler(c *gin.Context) {
-	if err := resetDatabase(); err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	if err := resetApplicationImages(); err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	if err := seedDatabase(); err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(200, gin.H{"message": "Database reset and seeded"})
-}
-
-// seedDatabase seeds the database with initial data and uses a transaction to ensure atomicity.
-func seedDatabase() error {
-	return common.DB.Transaction(func(tx *gorm.DB) error {
-		users := []model.User{
-			{
-				Base: model.Base{
-					ID: "f4b89dc2-62fb-46bf-9f5f-c34f4eafe93e",
-				},
-				Username:  "tim",
-				Email:     "tim.cook@test.com",
-				FirstName: "Tim",
-				LastName:  "Cook",
-				IsAdmin:   true,
-			},
-			{
-				Base: model.Base{
-					ID: "1cd19686-f9a6-43f4-a41f-14a0bf5b4036",
-				},
-				Username:  "craig",
-				Email:     "craig.federighi@test.com",
-				FirstName: "Craig",
-				LastName:  "Federighi",
-				IsAdmin:   false,
-			},
-		}
-		for _, user := range users {
-			if err := tx.Create(&user).Error; err != nil {
-				return err
-			}
-		}
-
-		oidcClients := []model.OidcClient{
-			{
-				Base: model.Base{
-					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
-				},
-				Name:        "Nextcloud",
-				Secret:      "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
-				CallbackURL: "http://nextcloud/auth/callback",
-				ImageType:   utils.StringPointer("png"),
-				CreatedByID: users[0].ID,
-			},
-			{
-				Base: model.Base{
-					ID: "606c7782-f2b1-49e5-8ea9-26eb1b06d018",
-				},
-				Name:        "Immich",
-				Secret:      "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
-				CallbackURL: "http://immich/auth/callback",
-				CreatedByID: users[0].ID,
-			},
-		}
-		for _, client := range oidcClients {
-			if err := tx.Create(&client).Error; err != nil {
-				return err
-			}
-		}
-
-		authCode := model.OidcAuthorizationCode{
-			Code:      "auth-code",
-			Scope:     "openid profile",
-			Nonce:     "nonce",
-			ExpiresAt: time.Now().Add(1 * time.Hour),
-			UserID:    users[0].ID,
-			ClientID:  oidcClients[0].ID,
-		}
-		if err := tx.Create(&authCode).Error; err != nil {
-			return err
-		}
-
-		accessToken := model.OneTimeAccessToken{
-			Token:     "one-time-token",
-			ExpiresAt: time.Now().Add(1 * time.Hour),
-			UserID:    users[0].ID,
-		}
-		if err := tx.Create(&accessToken).Error; err != nil {
-			return err
-		}
-
-		userAuthorizedClient := model.UserAuthorizedOidcClient{
-			Scope:    "openid profile email",
-			UserID:   users[0].ID,
-			ClientID: oidcClients[0].ID,
-		}
-		if err := tx.Create(&userAuthorizedClient).Error; err != nil {
-			return err
-		}
-
-		webauthnCredentials := []model.WebauthnCredential{
-			{
-				Name:            "Passkey 1",
-				CredentialID:    "test-credential-1",
-				PublicKey:       getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg=="),
-				AttestationType: "none",
-				Transport:       model.AuthenticatorTransportList{protocol.Internal},
-				UserID:          users[0].ID,
-			},
-			{
-				Name:            "Passkey 2",
-				CredentialID:    "test-credential-2",
-				PublicKey:       getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESq/wR8QbBu3dKnpaw/v0mDxFFDwnJ/L5XHSg2tAmq5x1BpSMmIr3+DxCbybVvGRmWGh8kKhy7SMnK91M6rFHTA=="),
-				AttestationType: "none",
-				Transport:       model.AuthenticatorTransportList{protocol.Internal},
-				UserID:          users[0].ID,
-			},
-		}
-		for _, credential := range webauthnCredentials {
-			if err := tx.Create(&credential).Error; err != nil {
-				return err
-			}
-		}
-
-		webauthnSession := model.WebauthnSession{
-			Challenge:        "challenge",
-			ExpiresAt:        time.Now().Add(1 * time.Hour),
-			UserVerification: "preferred",
-		}
-		if err := tx.Create(&webauthnSession).Error; err != nil {
-			return err
-		}
-
-		return nil
-	})
-}
-
-// resetDatabase resets the database by deleting all rows from each table.
-func resetDatabase() error {
-	err := common.DB.Transaction(func(tx *gorm.DB) error {
-		var tables []string
-		if err := tx.Raw("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name != 'schema_migrations';").Scan(&tables).Error; err != nil {
-			return err
-		}
-
-		for _, table := range tables {
-			if err := tx.Exec("DELETE FROM " + table).Error; err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	common.InitDbConfig()
-	return nil
-}
-
-// resetApplicationImages resets the application images by removing existing images and replacing them with the default ones
-func resetApplicationImages() error {
-
-	if err := os.RemoveAll(common.EnvConfig.UploadPath); err != nil {
-		log.Printf("Error removing directory: %v", err)
-		return err
-	}
-
-	if err := utils.CopyDirectory("./images", common.EnvConfig.UploadPath+"/application-images"); err != nil {
-		log.Printf("Error copying directory: %v", err)
-		return err
-	}
-
-	return nil
-}
-
-// getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
-func getCborPublicKey(base64PublicKey string) []byte {
-	decodedKey, err := base64.StdEncoding.DecodeString(base64PublicKey)
-	if err != nil {
-		log.Fatalf("Failed to decode base64 key: %v", err)
-	}
-
-	pubKey, err := x509.ParsePKIXPublicKey(decodedKey)
-	if err != nil {
-		log.Fatalf("Failed to parse public key: %v", err)
-	}
-
-	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
-	if !ok {
-		log.Fatalf("Not an ECDSA public key")
-	}
-
-	coseKey := map[int]interface{}{
-		1:  2,                     // Key type: EC2
-		3:  -7,                    // Algorithm: ECDSA with SHA-256
-		-1: 1,                     // Curve: P-256
-		-2: ecdsaPubKey.X.Bytes(), // X coordinate
-		-3: ecdsaPubKey.Y.Bytes(), // Y coordinate
-	}
-
-	cborPublicKey, err := cbor.Marshal(coseKey)
-	if err != nil {
-		log.Fatalf("Failed to encode CBOR: %v", err)
-	}
-
-	return cborPublicKey
-}

backend/internal/handler/user.go

@@ -1,269 +0,0 @@
-package handler
-
-import (
-	"errors"
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/common/middleware"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"golang.org/x/time/rate"
-	"gorm.io/gorm"
-	"log"
-	"net/http"
-	"time"
-)
-
-func RegisterUserRoutes(group *gin.RouterGroup) {
-	group.GET("/users", middleware.JWTAuth(true), listUsersHandler)
-	group.GET("/users/me", middleware.JWTAuth(false), getCurrentUserHandler)
-	group.GET("/users/:id", middleware.JWTAuth(true), getUserHandler)
-	group.POST("/users", middleware.JWTAuth(true), createUserHandler)
-	group.PUT("/users/:id", middleware.JWTAuth(true), updateUserHandler)
-	group.PUT("/users/me", middleware.JWTAuth(false), updateCurrentUserHandler)
-	group.DELETE("/users/:id", middleware.JWTAuth(true), deleteUserHandler)
-
-	group.POST("/users/:id/one-time-access-token", middleware.JWTAuth(true), createOneTimeAccessTokenHandler)
-	group.POST("/one-time-access-token/:token", middleware.RateLimiter(rate.Every(10*time.Second), 5), exchangeOneTimeAccessTokenHandler)
-	group.POST("/one-time-access-token/setup", getSetupAccessTokenHandler)
-}
-
-func listUsersHandler(c *gin.Context) {
-	var users []model.User
-	searchTerm := c.Query("search")
-
-	query := common.DB.Model(&model.User{})
-
-	if searchTerm != "" {
-		searchPattern := "%" + searchTerm + "%"
-		query = query.Where("email LIKE ? OR first_name LIKE ? OR username LIKE ?", searchPattern, searchPattern, searchPattern)
-	}
-
-	pagination, err := utils.Paginate(c, query, &users)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"data":       users,
-		"pagination": pagination,
-	})
-}
-
-func getUserHandler(c *gin.Context) {
-	var user model.User
-	if err := common.DB.Where("id = ?", c.Param("id")).First(&user).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusNotFound, "User not found")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, user)
-}
-
-func getCurrentUserHandler(c *gin.Context) {
-	var user model.User
-	if err := common.DB.Where("id = ?", c.GetString("userID")).First(&user).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-	c.JSON(http.StatusOK, user)
-
-}
-
-func deleteUserHandler(c *gin.Context) {
-	var user model.User
-	if err := common.DB.Where("id = ?", c.Param("id")).First(&user).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusNotFound, "User not found")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	if err := common.DB.Delete(&user).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func createUserHandler(c *gin.Context) {
-	var user model.User
-	if err := c.ShouldBindJSON(&user); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	if err := common.DB.Create(&user).Error; err != nil {
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			if err := checkDuplicatedFields(user); err != nil {
-				utils.HandlerError(c, http.StatusBadRequest, err.Error())
-				return
-			}
-		} else {
-			utils.UnknownHandlerError(c, err)
-			return
-		}
-	}
-
-	c.JSON(http.StatusCreated, user)
-}
-
-func updateUserHandler(c *gin.Context) {
-	updateUser(c, c.Param("id"))
-}
-
-func updateCurrentUserHandler(c *gin.Context) {
-	updateUser(c, c.GetString("userID"))
-}
-
-func createOneTimeAccessTokenHandler(c *gin.Context) {
-	var input model.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	randomString, err := utils.GenerateRandomAlphanumericString(16)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	oneTimeAccessToken := model.OneTimeAccessToken{
-		UserID:    input.UserID,
-		ExpiresAt: input.ExpiresAt,
-		Token:     randomString,
-	}
-
-	if err := common.DB.Create(&oneTimeAccessToken).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusCreated, gin.H{"token": oneTimeAccessToken.Token})
-}
-
-func exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	var oneTimeAccessToken model.OneTimeAccessToken
-	if err := common.DB.Where("token = ? AND expires_at > ?", c.Param("token"), utils.FormatDateForDb(time.Now())).Preload("User").First(&oneTimeAccessToken).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusForbidden, "Token is invalid or expired")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	token, err := common.GenerateAccessToken(oneTimeAccessToken.User)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		log.Println(err)
-		return
-	}
-
-	if err := common.DB.Delete(&oneTimeAccessToken).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-
-	c.JSON(http.StatusOK, oneTimeAccessToken.User)
-}
-
-// getSetupAccessTokenHandler creates the initial admin user and returns an access token for the user
-// This handler is only available if there are no users in the database
-func getSetupAccessTokenHandler(c *gin.Context) {
-	var userCount int64
-	if err := common.DB.Model(&model.User{}).Count(&userCount).Error; err != nil {
-		log.Fatal("failed to count users", err)
-	}
-
-	// If there are more than one user, we don't need to create the admin user
-	if userCount > 1 {
-		utils.HandlerError(c, http.StatusForbidden, "Setup already completed")
-		return
-	}
-
-	var user = model.User{
-		FirstName: "Admin",
-		LastName:  "Admin",
-		Username:  "admin",
-		Email:     "admin@admin.com",
-		IsAdmin:   true,
-	}
-
-	// Create the initial admin user if it doesn't exist
-	if err := common.DB.Model(&model.User{}).Preload("Credentials").FirstOrCreate(&user).Error; err != nil {
-		log.Fatal("failed to create admin user", err)
-	}
-
-	// If the user already has credentials, the setup is already completed
-	if len(user.Credentials) > 0 {
-		utils.HandlerError(c, http.StatusForbidden, "Setup already completed")
-		return
-	}
-
-	token, err := common.GenerateAccessToken(user)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		log.Println(err)
-		return
-	}
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, user)
-}
-
-func updateUser(c *gin.Context, userID string) {
-	var user model.User
-	if err := common.DB.Where("id = ?", userID).First(&user).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			utils.HandlerError(c, http.StatusNotFound, "User not found")
-			return
-		}
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	var updatedUser model.User
-	if err := c.ShouldBindJSON(&updatedUser); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	if err := common.DB.Model(&user).Updates(&updatedUser).Error; err != nil {
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			if err := checkDuplicatedFields(user); err != nil {
-				utils.HandlerError(c, http.StatusBadRequest, err.Error())
-				return
-			}
-		} else {
-			utils.UnknownHandlerError(c, err)
-			return
-		}
-	}
-
-	c.JSON(http.StatusOK, updatedUser)
-}
-
-func checkDuplicatedFields(user model.User) error {
-	var existingUser model.User
-
-	if common.DB.Where("id != ? AND email = ?", user.ID, user.Email).First(&existingUser).Error == nil {
-		return errors.New("email is already taken")
-	}
-
-	if common.DB.Where("id != ? AND username = ?", user.ID, user.Username).First(&existingUser).Error == nil {
-		return errors.New("username is already taken")
-	}
-
-	return nil
-}

backend/internal/handler/webauthn.go

@@ -1,255 +0,0 @@
-package handler
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/go-webauthn/webauthn/webauthn"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/common/middleware"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
-	"golang.org/x/time/rate"
-	"gorm.io/gorm"
-	"log"
-	"net/http"
-	"strings"
-	"time"
-)
-
-func RegisterRoutes(group *gin.RouterGroup) {
-	group.GET("/webauthn/register/start", middleware.JWTAuth(false), beginRegistrationHandler)
-	group.POST("/webauthn/register/finish", middleware.JWTAuth(false), verifyRegistrationHandler)
-
-	group.GET("/webauthn/login/start", beginLoginHandler)
-	group.POST("/webauthn/login/finish", middleware.RateLimiter(rate.Every(10*time.Second), 5), verifyLoginHandler)
-
-	group.POST("/webauthn/logout", middleware.JWTAuth(false), logoutHandler)
-
-	group.GET("/webauthn/credentials", middleware.JWTAuth(false), listCredentialsHandler)
-	group.PATCH("/webauthn/credentials/:id", middleware.JWTAuth(false), updateCredentialHandler)
-	group.DELETE("/webauthn/credentials/:id", middleware.JWTAuth(false), deleteCredentialHandler)
-}
-
-func beginRegistrationHandler(c *gin.Context) {
-	var user model.User
-	err := common.DB.Preload("Credentials").Find(&user, "id = ?", c.GetString("userID")).Error
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		log.Println(err)
-		return
-	}
-
-	options, session, err := common.WebAuthn.BeginRegistration(&user, webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired), webauthn.WithExclusions(user.WebAuthnCredentialDescriptors()))
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	// Save the webauthn session so we can retrieve it in the verifyRegistrationHandler
-	sessionToStore := &model.WebauthnSession{
-		ExpiresAt:        session.Expires,
-		Challenge:        session.Challenge,
-		UserVerification: string(session.UserVerification),
-	}
-
-	if err = common.DB.Create(&sessionToStore).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.SetCookie("session_id", sessionToStore.ID, int(common.WebAuthn.Config.Timeouts.Registration.Timeout.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, options.Response)
-}
-
-func verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
-		return
-	}
-
-	// Retrieve the session that was previously created by the beginRegistrationHandler
-	var storedSession model.WebauthnSession
-	err = common.DB.First(&storedSession, "id = ?", sessionID).Error
-
-	session := webauthn.SessionData{
-		Challenge: storedSession.Challenge,
-		Expires:   storedSession.ExpiresAt,
-		UserID:    []byte(c.GetString("userID")),
-	}
-
-	var user model.User
-	err = common.DB.Find(&user, "id = ?", c.GetString("userID")).Error
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	credential, err := common.WebAuthn.FinishRegistration(&user, session, c.Request)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	credentialToStore := model.WebauthnCredential{
-		Name:            "New Passkey",
-		CredentialID:    string(credential.ID),
-		AttestationType: credential.AttestationType,
-		PublicKey:       credential.PublicKey,
-		Transport:       credential.Transport,
-		UserID:          user.ID,
-	}
-	if err := common.DB.Create(&credentialToStore).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, credentialToStore)
-}
-
-func beginLoginHandler(c *gin.Context) {
-	options, session, err := common.WebAuthn.BeginDiscoverableLogin()
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	// Save the webauthn session so we can retrieve it in the verifyLoginHandler
-	sessionToStore := &model.WebauthnSession{
-		ExpiresAt:        session.Expires,
-		Challenge:        session.Challenge,
-		UserVerification: string(session.UserVerification),
-	}
-
-	if err = common.DB.Create(&sessionToStore).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.SetCookie("session_id", sessionToStore.ID, int(common.WebAuthn.Config.Timeouts.Registration.Timeout.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, options.Response)
-}
-
-func verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
-		return
-	}
-
-	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
-	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "Invalid body")
-		return
-	}
-
-	// Retrieve the session that was previously created by the beginLoginHandler
-	var storedSession model.WebauthnSession
-	if err := common.DB.First(&storedSession, "id = ?", sessionID).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	session := webauthn.SessionData{
-		Challenge: storedSession.Challenge,
-		Expires:   storedSession.ExpiresAt,
-	}
-
-	var user *model.User
-	_, err = common.WebAuthn.ValidateDiscoverableLogin(func(_, userHandle []byte) (webauthn.User, error) {
-		if err := common.DB.Preload("Credentials").First(&user, "id = ?", string(userHandle)).Error; err != nil {
-			return nil, err
-		}
-		return user, nil
-	}, session, credentialAssertionData)
-
-	if err != nil {
-		if strings.Contains(err.Error(), gorm.ErrRecordNotFound.Error()) {
-			utils.HandlerError(c, http.StatusBadRequest, "no user with this passkey exists")
-		} else {
-			utils.UnknownHandlerError(c, err)
-		}
-		return
-	}
-
-	err = common.DB.Find(&user, "id = ?", c.GetString("userID")).Error
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	token, err := common.GenerateAccessToken(*user)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, user)
-}
-
-func listCredentialsHandler(c *gin.Context) {
-	var credentials []model.WebauthnCredential
-	if err := common.DB.Find(&credentials, "user_id = ?", c.GetString("userID")).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, credentials)
-}
-
-func deleteCredentialHandler(c *gin.Context) {
-	var passkeyCount int64
-	if err := common.DB.Model(&model.WebauthnCredential{}).Where("user_id = ?", c.GetString("userID")).Count(&passkeyCount).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	if passkeyCount == 1 {
-		utils.HandlerError(c, http.StatusBadRequest, "You must have at least one passkey")
-		return
-	}
-
-	var credential model.WebauthnCredential
-	if err := common.DB.First(&credential, "id = ? AND user_id = ?", c.Param("id"), c.GetString("userID")).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "Credential not found")
-		return
-	}
-
-	if err := common.DB.Delete(&credential).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func updateCredentialHandler(c *gin.Context) {
-	var credential model.WebauthnCredential
-	if err := common.DB.Where("id = ? AND user_id = ?", c.Param("id"), c.GetString("userID")).First(&credential).Error; err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "Credential not found")
-		return
-	}
-
-	var input struct {
-		Name string `json:"name"`
-	}
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "invalid request body")
-		return
-	}
-
-	credential.Name = input.Name
-
-	if err := common.DB.Save(&credential).Error; err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-func logoutHandler(c *gin.Context) {
-	c.SetCookie("access_token", "", 0, "/", "", false, true)
-	c.Status(http.StatusNoContent)
-}

backend/internal/handler/well_known.go

@@ -1,39 +0,0 @@
-package handler
-
-import (
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/utils"
-	"net/http"
-)
-
-func RegisterWellKnownRoutes(group *gin.RouterGroup) {
-	group.GET("/.well-known/jwks.json", jwks)
-	group.GET("/.well-known/openid-configuration", openIDConfiguration)
-}
-
-func jwks(c *gin.Context) {
-	jwk, err := common.GetJWK()
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"keys": []interface{}{jwk}})
-}
-
-func openIDConfiguration(c *gin.Context) {
-	appUrl := common.EnvConfig.AppURL
-	config := map[string]interface{}{
-		"issuer":                                appUrl,
-		"authorization_endpoint":                appUrl + "/authorize",
-		"token_endpoint":                        appUrl + "/api/oidc/token",
-		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
-		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "email", "preferred_username"},
-		"response_types_supported":              []string{"code", "id_token"},
-		"subject_types_supported":               []string{"public"},
-		"id_token_signing_alg_values_supported": []string{"RS256"},
-	}
-	c.JSON(http.StatusOK, config)
-}

backend/internal/job/db_cleanup.go

@@ -1,30 +1,61 @@
 package job
 
 import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/model"
-	"golang-rest-api-template/internal/utils"
 	"log"
 	"time"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )
 
-func RegisterJobs() {
+func RegisterDbCleanupJobs(db *gorm.DB) {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)
 	}
 
-	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", clearWebauthnSessions)
-	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", clearOneTimeAccessTokens)
-	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", clearOidcAuthorizationCodes)
+	jobs := &Jobs{db: db}
 
+	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
+	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
+	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
+	registerJob(scheduler, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens)
 	scheduler.Start()
 }
 
-func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
+type Jobs struct {
+	db *gorm.DB
+}
 
+// ClearWebauthnSessions deletes WebAuthn sessions that have expired
+func (j *Jobs) clearWebauthnSessions() error {
+	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
+}
+
+// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
+func (j *Jobs) clearOneTimeAccessTokens() error {
+	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *Jobs) clearOidcAuthorizationCodes() error {
+	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *Jobs) clearOidcRefreshTokens() error {
+	return j.db.Delete(&model.OidcRefreshToken{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
+}
+
+// ClearAuditLogs deletes audit logs older than 90 days
+func (j *Jobs) clearAuditLogs() error {
+	return j.db.Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).Error
+}
+
+func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
 	_, err := scheduler.NewJob(
 		gocron.CronJob(interval, false),
 		gocron.NewTask(job),
@@ -42,16 +73,3 @@ func registerJob(scheduler gocron.Scheduler, name string, interval string, job f
 		log.Fatalf("Failed to register job %q: %v", name, err)
 	}
 }
-
-func clearWebauthnSessions() error {
-	return common.DB.Delete(&model.WebauthnSession{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-}
-
-func clearOneTimeAccessTokens() error {
-	return common.DB.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-}
-
-func clearOidcAuthorizationCodes() error {
-	return common.DB.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-
-}

backend/internal/job/ldap_job.go

@@ -0,0 +1,39 @@
+package job
+
+import (
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type LdapJobs struct {
+	ldapService      *service.LdapService
+	appConfigService *service.AppConfigService
+}
+
+func RegisterLdapJobs(ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
+
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %s", err)
+	}
+
+	// Register the job to run every hour
+	registerJob(scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+
+	// Run the job immediately on startup
+	if err := jobs.syncLdap(); err != nil {
+		log.Printf("Failed to sync LDAP: %s", err)
+	}
+
+	scheduler.Start()
+}
+
+func (j *LdapJobs) syncLdap() error {
+	if j.appConfigService.DbConfig.LdapEnabled.Value == "true" {
+		return j.ldapService.SyncAll()
+	}
+	return nil
+}

backend/internal/middleware/api_key_auth.go

@@ -0,0 +1,50 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyAuthMiddleware struct {
+	apiKeyService *service.ApiKeyService
+	jwtService    *service.JwtService
+}
+
+func NewApiKeyAuthMiddleware(apiKeyService *service.ApiKeyService, jwtService *service.JwtService) *ApiKeyAuthMiddleware {
+	return &ApiKeyAuthMiddleware{
+		apiKeyService: apiKeyService,
+		jwtService:    jwtService,
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userID, isAdmin, err := m.Verify(c, adminRequired)
+		if err != nil {
+			c.Abort()
+			c.Error(err)
+			return
+		}
+
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
+		c.Next()
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
+	apiKey := c.GetHeader("X-API-KEY")
+
+	user, err := m.apiKeyService.ValidateApiKey(apiKey)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	// Check if the user is an admin
+	if adminRequired && !user.IsAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return user.ID, user.IsAdmin, nil
+}

backend/internal/middleware/auth_middleware.go

@@ -0,0 +1,89 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// AuthMiddleware is a wrapper middleware that delegates to either API key or JWT authentication
+type AuthMiddleware struct {
+	apiKeyMiddleware *ApiKeyAuthMiddleware
+	jwtMiddleware    *JwtAuthMiddleware
+	options          AuthOptions
+}
+
+type AuthOptions struct {
+	AdminRequired   bool
+	SuccessOptional bool
+}
+
+func NewAuthMiddleware(
+	apiKeyService *service.ApiKeyService,
+	jwtService *service.JwtService,
+) *AuthMiddleware {
+	return &AuthMiddleware{
+		apiKeyMiddleware: NewApiKeyAuthMiddleware(apiKeyService, jwtService),
+		jwtMiddleware:    NewJwtAuthMiddleware(jwtService),
+		options: AuthOptions{
+			AdminRequired:   true,
+			SuccessOptional: false,
+		},
+	}
+}
+
+// WithAdminNotRequired allows the middleware to continue with the request even if the user is not an admin
+func (m *AuthMiddleware) WithAdminNotRequired() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.AdminRequired = false
+	return clone
+}
+
+// WithSuccessOptional allows the middleware to continue with the request even if authentication fails
+func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.SuccessOptional = true
+	return clone
+}
+
+func (m *AuthMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// First try JWT auth
+		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			// JWT auth succeeded, continue with the request
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			c.Next()
+			return
+		}
+
+		// JWT auth failed, try API key auth
+		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			// API key auth succeeded, continue with the request
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			c.Next()
+			return
+		}
+
+		if m.options.SuccessOptional {
+			c.Next()
+			return
+		}
+
+		// Both JWT and API key auth failed
+		c.Abort()
+		c.Error(err)
+	}
+}

backend/internal/middleware/cors.go

@@ -0,0 +1,33 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+type CorsMiddleware struct{}
+
+func NewCorsMiddleware() *CorsMiddleware {
+	return &CorsMiddleware{}
+}
+
+func (m *CorsMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Allow all origins for the token endpoint
+		if c.FullPath() == "/api/oidc/token" {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		} else {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", common.EnvConfig.AppURL)
+		}
+
+		c.Writer.Header().Set("Access-Control-Allow-Headers", "*")
+		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")
+
+		if c.Request.Method == "OPTIONS" {
+			c.AbortWithStatus(204)
+			return
+		}
+
+		c.Next()
+	}
+}

backend/internal/middleware/error_handler.go

@@ -0,0 +1,98 @@
+package middleware
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"gorm.io/gorm"
+)
+
+type ErrorHandlerMiddleware struct{}
+
+func NewErrorHandlerMiddleware() *ErrorHandlerMiddleware {
+	return &ErrorHandlerMiddleware{}
+}
+
+func (m *ErrorHandlerMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+		for _, err := range c.Errors {
+
+			// Check for record not found errors
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				errorResponse(c, http.StatusNotFound, "Record not found")
+				return
+			}
+
+			// Check for validation errors
+			var validationErrors validator.ValidationErrors
+			if errors.As(err, &validationErrors) {
+				message := handleValidationError(validationErrors)
+				errorResponse(c, http.StatusBadRequest, message)
+				return
+			}
+
+			// Check for slice validation errors
+			var sliceValidationErrors binding.SliceValidationError
+			if errors.As(err, &sliceValidationErrors) {
+				if errors.As(sliceValidationErrors[0], &validationErrors) {
+					message := handleValidationError(validationErrors)
+					errorResponse(c, http.StatusBadRequest, message)
+					return
+				}
+			}
+
+			var appErr common.AppError
+			if errors.As(err, &appErr) {
+				errorResponse(c, appErr.HttpStatusCode(), appErr.Error())
+				return
+			}
+
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
+		}
+	}
+}
+
+func errorResponse(c *gin.Context, statusCode int, message string) {
+	// Capitalize the first letter of the message
+	message = strings.ToUpper(message[:1]) + message[1:]
+	c.JSON(statusCode, gin.H{"error": message})
+}
+
+func handleValidationError(validationErrors validator.ValidationErrors) string {
+	var errorMessages []string
+
+	for _, ve := range validationErrors {
+		fieldName := ve.Field()
+		var errorMessage string
+		switch ve.Tag() {
+		case "required":
+			errorMessage = fmt.Sprintf("%s is required", fieldName)
+		case "email":
+			errorMessage = fmt.Sprintf("%s must be a valid email address", fieldName)
+		case "username":
+			errorMessage = fmt.Sprintf("%s must only contain lowercase letters, numbers, underscores, dots, hyphens, and '@' symbols and not start or end with a special character", fieldName)
+		case "url":
+			errorMessage = fmt.Sprintf("%s must be a valid URL", fieldName)
+		case "min":
+			errorMessage = fmt.Sprintf("%s must be at least %s characters long", fieldName, ve.Param())
+		case "max":
+			errorMessage = fmt.Sprintf("%s must be at most %s characters long", fieldName, ve.Param())
+		default:
+			errorMessage = fmt.Sprintf("%s is invalid", fieldName)
+		}
+
+		errorMessages = append(errorMessages, errorMessage)
+	}
+
+	// Join all the error messages into a single string
+	combinedErrors := strings.Join(errorMessages, ", ")
+
+	return combinedErrors
+}

backend/internal/middleware/file_size_limit.go

@@ -2,16 +2,24 @@ package middleware
 
 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"golang-rest-api-template/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
-func LimitFileSize(maxSize int64) gin.HandlerFunc {
+type FileSizeLimitMiddleware struct{}
+
+func NewFileSizeLimitMiddleware() *FileSizeLimitMiddleware {
+	return &FileSizeLimitMiddleware{}
+}
+
+func (m *FileSizeLimitMiddleware) Add(maxSize int64) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxSize)
 		if err := c.Request.ParseMultipartForm(maxSize); err != nil {
-			utils.HandlerError(c, http.StatusRequestEntityTooLarge, fmt.Sprintf("The file can't be larger than %s bytes", formatFileSize(maxSize)))
+			err = &common.FileTooLargeError{MaxSize: formatFileSize(maxSize)}
+			c.Error(err)
 			c.Abort()
 			return
 		}

backend/internal/middleware/jwt_auth.go

@@ -0,0 +1,59 @@
+package middleware
+
+import (
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+)
+
+type JwtAuthMiddleware struct {
+	jwtService *service.JwtService
+}
+
+func NewJwtAuthMiddleware(jwtService *service.JwtService) *JwtAuthMiddleware {
+	return &JwtAuthMiddleware{jwtService: jwtService}
+}
+
+func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+
+		userID, isAdmin, err := m.Verify(c, adminRequired)
+		if err != nil {
+			c.Abort()
+			c.Error(err)
+			return
+		}
+
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
+		c.Next()
+	}
+}
+
+func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
+	// Extract the token from the cookie
+	token, err := c.Cookie(cookie.AccessTokenCookieName)
+	if err != nil {
+		// Try to extract the token from the Authorization header if it's not in the cookie
+		authorizationHeaderSplit := strings.Split(c.GetHeader("Authorization"), " ")
+		if len(authorizationHeaderSplit) != 2 {
+			return "", false, &common.NotSignedInError{}
+		}
+		token = authorizationHeaderSplit[1]
+	}
+
+	claims, err := m.jwtService.VerifyAccessToken(token)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	// Check if the user is an admin
+	if adminRequired && !claims.IsAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return claims.Subject, claims.IsAdmin, nil
+}

backend/internal/middleware/rate_limit.go

@@ -1,20 +1,28 @@
 package middleware
 
 import (
-	"golang-rest-api-template/internal/common"
-	"golang-rest-api-template/internal/utils"
-	"net/http"
 	"sync"
 	"time"
 
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
 )
 
-// RateLimiter is a Gin middleware for rate limiting based on client IP
-func RateLimiter(limit rate.Limit, burst int) gin.HandlerFunc {
+type RateLimitMiddleware struct{}
+
+func NewRateLimitMiddleware() *RateLimitMiddleware {
+	return &RateLimitMiddleware{}
+}
+
+func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
+	// Map to store the rate limiters per IP
+	var clients = make(map[string]*client)
+	var mu sync.Mutex
+
 	// Start the cleanup routine
-	go cleanupClients()
+	go cleanupClients(&mu, clients)
 
 	return func(c *gin.Context) {
 		ip := c.ClientIP()
@@ -26,9 +34,9 @@ func RateLimiter(limit rate.Limit, burst int) gin.HandlerFunc {
 			return
 		}
 
-		limiter := getLimiter(ip, limit, burst)
+		limiter := getLimiter(ip, limit, burst, &mu, clients)
 		if !limiter.Allow() {
-			utils.HandlerError(c, http.StatusTooManyRequests, "Too many requests. Please wait a while before trying again.")
+			c.Error(&common.TooManyRequestsError{})
 			c.Abort()
 			return
 		}
@@ -42,12 +50,8 @@ type client struct {
 	lastSeen time.Time
 }
 
-// Map to store the rate limiters per IP
-var clients = make(map[string]*client)
-var mu sync.Mutex
-
 // Cleanup routine to remove stale clients that haven't been seen for a while
-func cleanupClients() {
+func cleanupClients(mu *sync.Mutex, clients map[string]*client) {
 	for {
 		time.Sleep(time.Minute)
 		mu.Lock()
@@ -61,7 +65,7 @@ func cleanupClients() {
 }
 
 // getLimiter retrieves the rate limiter for a given IP address, creating one if it doesn't exist
-func getLimiter(ip string, limit rate.Limit, burst int) *rate.Limiter {
+func getLimiter(ip string, limit rate.Limit, burst int, mu *sync.Mutex, clients map[string]*client) *rate.Limiter {
 	mu.Lock()
 	defer mu.Unlock()
 

backend/internal/model/api_key.go

@@ -0,0 +1,18 @@
+package model
+
+import (
+	"github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type ApiKey struct {
+	Base
+
+	Name        string `sortable:"true"`
+	Key         string
+	Description *string
+	ExpiresAt   datatype.DateTime  `sortable:"true"`
+	LastUsedAt  *datatype.DateTime `sortable:"true"`
+
+	UserID string
+	User   User
+}

backend/internal/model/app_config.go

@@ -0,0 +1,60 @@
+package model
+
+import (
+	"strconv"
+)
+
+type AppConfigVariable struct {
+	Key          string `gorm:"primaryKey;not null"`
+	Type         string
+	IsPublic     bool
+	IsInternal   bool
+	Value        string
+	DefaultValue string
+}
+
+func (a *AppConfigVariable) IsTrue() bool {
+	ok, _ := strconv.ParseBool(a.Value)
+	return ok
+}
+
+type AppConfig struct {
+	// General
+	AppName             AppConfigVariable
+	SessionDuration     AppConfigVariable
+	EmailsVerified      AppConfigVariable
+	AllowOwnAccountEdit AppConfigVariable
+	// Internal
+	BackgroundImageType AppConfigVariable
+	LogoLightImageType  AppConfigVariable
+	LogoDarkImageType   AppConfigVariable
+	// Email
+	SmtpHost                      AppConfigVariable
+	SmtpPort                      AppConfigVariable
+	SmtpFrom                      AppConfigVariable
+	SmtpUser                      AppConfigVariable
+	SmtpPassword                  AppConfigVariable
+	SmtpTls                       AppConfigVariable
+	SmtpSkipCertVerify            AppConfigVariable
+	EmailLoginNotificationEnabled AppConfigVariable
+	EmailOneTimeAccessEnabled     AppConfigVariable
+	// LDAP
+	LdapEnabled                        AppConfigVariable
+	LdapUrl                            AppConfigVariable
+	LdapBindDn                         AppConfigVariable
+	LdapBindPassword                   AppConfigVariable
+	LdapBase                           AppConfigVariable
+	LdapUserSearchFilter               AppConfigVariable
+	LdapUserGroupSearchFilter          AppConfigVariable
+	LdapSkipCertVerify                 AppConfigVariable
+	LdapAttributeUserUniqueIdentifier  AppConfigVariable
+	LdapAttributeUserUsername          AppConfigVariable
+	LdapAttributeUserEmail             AppConfigVariable
+	LdapAttributeUserFirstName         AppConfigVariable
+	LdapAttributeUserLastName          AppConfigVariable
+	LdapAttributeUserProfilePicture    AppConfigVariable
+	LdapAttributeGroupMember           AppConfigVariable
+	LdapAttributeGroupUniqueIdentifier AppConfigVariable
+	LdapAttributeGroupName             AppConfigVariable
+	LdapAttributeAdminGroup            AppConfigVariable
+}

backend/internal/model/application_configuration.go

@@ -1,19 +0,0 @@
-package model
-
-type ApplicationConfigurationVariable struct {
-	Key        string `gorm:"primaryKey;not null" json:"key"`
-	Type       string `json:"type"`
-	IsPublic   bool   `json:"-"`
-	IsInternal bool   `json:"-"`
-	Value      string `json:"value"`
-}
-
-type ApplicationConfiguration struct {
-	AppName             ApplicationConfigurationVariable
-	BackgroundImageType ApplicationConfigurationVariable
-	LogoImageType       ApplicationConfigurationVariable
-}
-
-type ApplicationConfigurationUpdateDto struct {
-	AppName string `json:"appName" binding:"required"`
-}

backend/internal/model/audit_log.go

@@ -0,0 +1,53 @@
+package model
+
+import (
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
+)
+
+type AuditLog struct {
+	Base
+
+	Event     AuditLogEvent `sortable:"true"`
+	IpAddress string        `sortable:"true"`
+	Country   string        `sortable:"true"`
+	City      string        `sortable:"true"`
+	UserAgent string        `sortable:"true"`
+	UserID    string
+	Data      AuditLogData
+}
+
+type AuditLogData map[string]string
+
+type AuditLogEvent string
+
+const (
+	AuditLogEventSignIn                   AuditLogEvent = "SIGN_IN"
+	AuditLogEventOneTimeAccessTokenSignIn AuditLogEvent = "TOKEN_SIGN_IN"
+	AuditLogEventClientAuthorization      AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization   AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+)
+
+// Scan and Value methods for GORM to handle the custom type
+
+func (e *AuditLogEvent) Scan(value interface{}) error {
+	*e = AuditLogEvent(value.(string))
+	return nil
+}
+
+func (e AuditLogEvent) Value() (driver.Value, error) {
+	return string(e), nil
+}
+
+func (d *AuditLogData) Scan(value interface{}) error {
+	if v, ok := value.([]byte); ok {
+		return json.Unmarshal(v, d)
+	} else {
+		return errors.New("type assertion to []byte failed")
+	}
+}
+
+func (d AuditLogData) Value() (driver.Value, error) {
+	return json.Marshal(d)
+}

backend/internal/model/base.go

@@ -1,20 +1,23 @@
 package model
 
 import (
-	"github.com/google/uuid"
-	"gorm.io/gorm"
 	"time"
+
+	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )
 
 // Base contains common columns for all tables.
 type Base struct {
-	ID        string    `gorm:"primaryKey;not null" json:"id"`
-	CreatedAt time.Time `json:"createdAt"`
+	ID        string            `gorm:"primaryKey;not null"`
+	CreatedAt datatype.DateTime `sortable:"true"`
 }
 
-func (b *Base) BeforeCreate(db *gorm.DB) (err error) {
+func (b *Base) BeforeCreate(_ *gorm.DB) (err error) {
 	if b.ID == "" {
 		b.ID = uuid.New().String()
 	}
+	b.CreatedAt = datatype.DateTime(time.Now())
 	return
 }

backend/internal/model/custom_claim.go

@@ -0,0 +1,11 @@
+package model
+
+type CustomClaim struct {
+	Base
+
+	Key   string
+	Value string
+
+	UserID      *string
+	UserGroupID *string
+}

backend/internal/model/oidc.go

@@ -1,29 +1,68 @@
 package model
 
 import (
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
-	"time"
 )
 
 type UserAuthorizedOidcClient struct {
 	Scope  string
-	UserID string `json:"userId" gorm:"primary_key;"`
+	UserID string `gorm:"primary_key;"`
+	User   User
 
-	ClientID string `json:"clientId" gorm:"primary_key;"`
+	ClientID string `gorm:"primary_key;"`
 	Client   OidcClient
 }
 
+type OidcAuthorizationCode struct {
+	Base
+
+	Code                      string
+	Scope                     string
+	Nonce                     string
+	CodeChallenge             *string
+	CodeChallengeMethodSha256 *bool
+	ExpiresAt                 datatype.DateTime
+
+	UserID string
+	User   User
+
+	ClientID string
+}
+
 type OidcClient struct {
 	Base
 
-	Name        string  `json:"name"`
-	Secret      string  `json:"-"`
-	CallbackURL string  `json:"callbackURL"`
-	ImageType   *string `json:"-"`
-	HasLogo     bool    `gorm:"-" json:"hasLogo"`
+	Name               string `sortable:"true"`
+	Secret             string
+	CallbackURLs       UrlList
+	LogoutCallbackURLs UrlList
+	ImageType          *string
+	HasLogo            bool `gorm:"-"`
+	IsPublic           bool
+	PkceEnabled        bool
 
-	CreatedByID string
-	CreatedBy   User
+	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	CreatedByID       string
+	CreatedBy         User
+}
+
+type OidcRefreshToken struct {
+	Base
+
+	Token     string
+	ExpiresAt datatype.DateTime
+	Scope     string
+
+	UserID string
+	User   User
+
+	ClientID string
+	Client   OidcClient
 }
 
 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
@@ -32,34 +71,16 @@ func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 	return nil
 }
 
-type OidcAuthorizationCode struct {
-	Base
+type UrlList []string
 
-	Code      string
-	Scope     string
-	Nonce     string
-	ExpiresAt time.Time
-
-	UserID string
-	User   User
-
-	ClientID string
+func (cu *UrlList) Scan(value interface{}) error {
+	if v, ok := value.([]byte); ok {
+		return json.Unmarshal(v, cu)
+	} else {
+		return errors.New("type assertion to []byte failed")
+	}
 }
 
-type OidcClientCreateDto struct {
-	Name        string `json:"name" binding:"required"`
-	CallbackURL string `json:"callbackURL" binding:"required"`
-}
-
-type AuthorizeNewClientDto struct {
-	ClientID string `json:"clientID" binding:"required"`
-	Scope    string `json:"scope" binding:"required"`
-	Nonce    string `json:"nonce"`
-}
-
-type OidcIdTokenDto struct {
-	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" binding:"required"`
-	ClientID     string `form:"client_id"`
-	ClientSecret string `form:"client_secret"`
+func (cu UrlList) Value() (driver.Value, error) {
+	return json.Marshal(cu)
 }

backend/internal/model/types/date_time.go

@@ -0,0 +1,53 @@
+package datatype
+
+import (
+	"database/sql/driver"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+// DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres
+type DateTime time.Time
+
+func (date *DateTime) Scan(value interface{}) (err error) {
+	*date = DateTime(value.(time.Time))
+	return
+}
+
+func (date DateTime) Value() (driver.Value, error) {
+	if common.EnvConfig.DbProvider == common.DbProviderSqlite {
+		return time.Time(date).Unix(), nil
+	} else {
+		return time.Time(date), nil
+	}
+}
+
+func (date DateTime) UTC() time.Time {
+	return time.Time(date).UTC()
+}
+
+func (date DateTime) ToTime() time.Time {
+	return time.Time(date)
+}
+
+// GormDataType gorm common data type
+func (date DateTime) GormDataType() string {
+	return "date"
+}
+
+func (date DateTime) GobEncode() ([]byte, error) {
+	return time.Time(date).GobEncode()
+}
+
+func (date *DateTime) GobDecode(b []byte) error {
+	return (*time.Time)(date).GobDecode(b)
+}
+
+func (date DateTime) MarshalJSON() ([]byte, error) {
+	return time.Time(date).MarshalJSON()
+}
+
+func (date *DateTime) UnmarshalJSON(b []byte) error {
+	return (*time.Time)(date).UnmarshalJSON(b)
+}

backend/internal/model/user.go

@@ -3,19 +3,23 @@ package model
 import (
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"time"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type User struct {
 	Base
 
-	Username  string `json:"username"`
-	Email     string `json:"email" `
-	FirstName string `json:"firstName"`
-	LastName  string `json:"lastName"`
-	IsAdmin   bool   `json:"isAdmin"`
+	Username  string `sortable:"true"`
+	Email     string `sortable:"true"`
+	FirstName string `sortable:"true"`
+	LastName  string `sortable:"true"`
+	IsAdmin   bool   `sortable:"true"`
+	Locale    *string
+	LdapID    *string
 
-	Credentials []WebauthnCredential `json:"-"`
+	CustomClaims []CustomClaim
+	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
+	Credentials  []WebauthnCredential
 }
 
 func (u User) WebAuthnID() []byte { return []byte(u.ID) }
@@ -31,10 +35,14 @@ func (u User) WebAuthnCredentials() []webauthn.Credential {
 
 	for i, credential := range u.Credentials {
 		credentials[i] = webauthn.Credential{
-			ID:              []byte(credential.CredentialID),
+			ID:              credential.CredentialID,
 			AttestationType: credential.AttestationType,
 			PublicKey:       credential.PublicKey,
 			Transport:       credential.Transport,
+			Flags: webauthn.CredentialFlags{
+				BackupState:    credential.BackupState,
+				BackupEligible: credential.BackupEligible,
+			},
 		}
 
 	}
@@ -53,21 +61,13 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 	return descriptors
 }
 
+func (u User) FullName() string { return u.FirstName + " " + u.LastName }
+
 type OneTimeAccessToken struct {
 	Base
-	Token     string    `json:"token"`
-	ExpiresAt time.Time `json:"expiresAt"`
+	Token     string
+	ExpiresAt datatype.DateTime
 
-	UserID string `json:"userId"`
+	UserID string
 	User   User
 }
-
-type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId" binding:"required"`
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
-}
-
-type LoginUserDto struct {
-	Username string `json:"username" binding:"required"`
-	Password string `json:"password" binding:"required"`
-}

backend/internal/model/user_group.go

@@ -0,0 +1,10 @@
+package model
+
+type UserGroup struct {
+	Base
+	FriendlyName string `sortable:"true"`
+	Name         string `sortable:"true"`
+	LdapID       *string
+	Users        []User `gorm:"many2many:user_groups_users;"`
+	CustomClaims []CustomClaim
+}

backend/internal/model/webauthn.go

@@ -4,30 +4,47 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type WebauthnSession struct {
 	Base
 
 	Challenge        string
-	ExpiresAt        time.Time
+	ExpiresAt        datatype.DateTime
 	UserVerification string
 }
 
 type WebauthnCredential struct {
 	Base
 
-	Name            string                     `json:"name"`
-	CredentialID    string                     `json:"credentialID"`
-	PublicKey       []byte                     `json:"publicKey"`
-	AttestationType string                     `json:"attestationType"`
-	Transport       AuthenticatorTransportList `json:"-"`
+	Name            string
+	CredentialID    []byte
+	PublicKey       []byte
+	AttestationType string
+	Transport       AuthenticatorTransportList
+
+	BackupEligible bool `json:"backupEligible"`
+	BackupState    bool `json:"backupState"`
 
 	UserID string
 }
 
+type PublicKeyCredentialCreationOptions struct {
+	Response  protocol.PublicKeyCredentialCreationOptions
+	SessionID string
+	Timeout   time.Duration
+}
+
+type PublicKeyCredentialRequestOptions struct {
+	Response  protocol.PublicKeyCredentialRequestOptions
+	SessionID string
+	Timeout   time.Duration
+}
+
 type AuthenticatorTransportList []protocol.AuthenticatorTransport
 
 // Scan and Value methods for GORM to handle the custom type

backend/internal/service/api_key_service.go

@@ -0,0 +1,102 @@
+package service
+
+import (
+	"errors"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"log"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
+)
+
+type ApiKeyService struct {
+	db *gorm.DB
+}
+
+func NewApiKeyService(db *gorm.DB) *ApiKeyService {
+	return &ApiKeyService{db: db}
+}
+
+func (s *ApiKeyService) ListApiKeys(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
+	query := s.db.Where("user_id = ?", userID).Model(&model.ApiKey{})
+
+	var apiKeys []model.ApiKey
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &apiKeys)
+	if err != nil {
+		return nil, utils.PaginationResponse{}, err
+	}
+
+	return apiKeys, pagination, nil
+}
+
+func (s *ApiKeyService) CreateApiKey(userID string, input dto.ApiKeyCreateDto) (model.ApiKey, string, error) {
+	// Check if expiration is in the future
+	if !input.ExpiresAt.ToTime().After(time.Now()) {
+		return model.ApiKey{}, "", &common.APIKeyExpirationDateError{}
+	}
+
+	// Generate a secure random API key
+	token, err := utils.GenerateRandomAlphanumericString(32)
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	apiKey := model.ApiKey{
+		Name:        input.Name,
+		Key:         utils.CreateSha256Hash(token), // Hash the token for storage
+		Description: &input.Description,
+		ExpiresAt:   datatype.DateTime(input.ExpiresAt),
+		UserID:      userID,
+	}
+
+	if err := s.db.Create(&apiKey).Error; err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	// Return the raw token only once - it cannot be retrieved later
+	return apiKey, token, nil
+}
+
+func (s *ApiKeyService) RevokeApiKey(userID, apiKeyID string) error {
+	var apiKey model.ApiKey
+	if err := s.db.Where("id = ? AND user_id = ?", apiKeyID, userID).First(&apiKey).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return &common.APIKeyNotFoundError{}
+		}
+		return err
+	}
+
+	return s.db.Delete(&apiKey).Error
+}
+
+func (s *ApiKeyService) ValidateApiKey(apiKey string) (model.User, error) {
+	if apiKey == "" {
+		return model.User{}, &common.NoAPIKeyProvidedError{}
+	}
+
+	var key model.ApiKey
+	hashedKey := utils.CreateSha256Hash(apiKey)
+
+	if err := s.db.Preload("User").Where("key = ? AND expires_at > ?",
+		hashedKey, datatype.DateTime(time.Now())).Preload("User").First(&key).Error; err != nil {
+
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return model.User{}, &common.InvalidAPIKeyError{}
+		}
+
+		return model.User{}, err
+	}
+
+	// Update last used time
+	now := datatype.DateTime(time.Now())
+	key.LastUsedAt = &now
+	if err := s.db.Save(&key).Error; err != nil {
+		log.Printf("Failed to update last used time: %v", err)
+	}
+
+	return key.User, nil
+}

backend/internal/service/app_config_service.go

@@ -0,0 +1,396 @@
+package service
+
+import (
+	"fmt"
+	"log"
+	"mime/multipart"
+	"os"
+	"reflect"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
+)
+
+type AppConfigService struct {
+	DbConfig *model.AppConfig
+	db       *gorm.DB
+}
+
+func NewAppConfigService(db *gorm.DB) *AppConfigService {
+	service := &AppConfigService{
+		DbConfig: &defaultDbConfig,
+		db:       db,
+	}
+	if err := service.InitDbConfig(); err != nil {
+		log.Fatalf("Failed to initialize app config service: %v", err)
+	}
+
+	return service
+}
+
+var defaultDbConfig = model.AppConfig{
+	// General
+	AppName: model.AppConfigVariable{
+		Key:          "appName",
+		Type:         "string",
+		IsPublic:     true,
+		DefaultValue: "Pocket ID",
+	},
+	SessionDuration: model.AppConfigVariable{
+		Key:          "sessionDuration",
+		Type:         "number",
+		DefaultValue: "60",
+	},
+	EmailsVerified: model.AppConfigVariable{
+		Key:          "emailsVerified",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	AllowOwnAccountEdit: model.AppConfigVariable{
+		Key:          "allowOwnAccountEdit",
+		Type:         "bool",
+		IsPublic:     true,
+		DefaultValue: "true",
+	},
+	// Internal
+	BackgroundImageType: model.AppConfigVariable{
+		Key:          "backgroundImageType",
+		Type:         "string",
+		IsInternal:   true,
+		DefaultValue: "jpg",
+	},
+	LogoLightImageType: model.AppConfigVariable{
+		Key:          "logoLightImageType",
+		Type:         "string",
+		IsInternal:   true,
+		DefaultValue: "svg",
+	},
+	LogoDarkImageType: model.AppConfigVariable{
+		Key:          "logoDarkImageType",
+		Type:         "string",
+		IsInternal:   true,
+		DefaultValue: "svg",
+	},
+	// Email
+	SmtpHost: model.AppConfigVariable{
+		Key:  "smtpHost",
+		Type: "string",
+	},
+	SmtpPort: model.AppConfigVariable{
+		Key:  "smtpPort",
+		Type: "number",
+	},
+	SmtpFrom: model.AppConfigVariable{
+		Key:  "smtpFrom",
+		Type: "string",
+	},
+	SmtpUser: model.AppConfigVariable{
+		Key:  "smtpUser",
+		Type: "string",
+	},
+	SmtpPassword: model.AppConfigVariable{
+		Key:  "smtpPassword",
+		Type: "string",
+	},
+	SmtpTls: model.AppConfigVariable{
+		Key:          "smtpTls",
+		Type:         "string",
+		DefaultValue: "none",
+	},
+	SmtpSkipCertVerify: model.AppConfigVariable{
+		Key:          "smtpSkipCertVerify",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	EmailLoginNotificationEnabled: model.AppConfigVariable{
+		Key:          "emailLoginNotificationEnabled",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	EmailOneTimeAccessEnabled: model.AppConfigVariable{
+		Key:          "emailOneTimeAccessEnabled",
+		Type:         "bool",
+		IsPublic:     true,
+		DefaultValue: "false",
+	},
+	// LDAP
+	LdapEnabled: model.AppConfigVariable{
+		Key:          "ldapEnabled",
+		Type:         "bool",
+		IsPublic:     true,
+		DefaultValue: "false",
+	},
+	LdapUrl: model.AppConfigVariable{
+		Key:  "ldapUrl",
+		Type: "string",
+	},
+	LdapBindDn: model.AppConfigVariable{
+		Key:  "ldapBindDn",
+		Type: "string",
+	},
+	LdapBindPassword: model.AppConfigVariable{
+		Key:  "ldapBindPassword",
+		Type: "string",
+	},
+	LdapBase: model.AppConfigVariable{
+		Key:  "ldapBase",
+		Type: "string",
+	},
+	LdapUserSearchFilter: model.AppConfigVariable{
+		Key:          "ldapUserSearchFilter",
+		Type:         "string",
+		DefaultValue: "(objectClass=person)",
+	},
+	LdapUserGroupSearchFilter: model.AppConfigVariable{
+		Key:          "ldapUserGroupSearchFilter",
+		Type:         "string",
+		DefaultValue: "(objectClass=groupOfNames)",
+	},
+	LdapSkipCertVerify: model.AppConfigVariable{
+		Key:          "ldapSkipCertVerify",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	LdapAttributeUserUniqueIdentifier: model.AppConfigVariable{
+		Key:  "ldapAttributeUserUniqueIdentifier",
+		Type: "string",
+	},
+	LdapAttributeUserUsername: model.AppConfigVariable{
+		Key:  "ldapAttributeUserUsername",
+		Type: "string",
+	},
+	LdapAttributeUserEmail: model.AppConfigVariable{
+		Key:  "ldapAttributeUserEmail",
+		Type: "string",
+	},
+	LdapAttributeUserFirstName: model.AppConfigVariable{
+		Key:  "ldapAttributeUserFirstName",
+		Type: "string",
+	},
+	LdapAttributeUserLastName: model.AppConfigVariable{
+		Key:  "ldapAttributeUserLastName",
+		Type: "string",
+	},
+	LdapAttributeUserProfilePicture: model.AppConfigVariable{
+		Key:  "ldapAttributeUserProfilePicture",
+		Type: "string",
+	},
+	LdapAttributeGroupMember: model.AppConfigVariable{
+		Key:          "ldapAttributeGroupMember",
+		Type:         "string",
+		DefaultValue: "member",
+	},
+	LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
+		Key:  "ldapAttributeGroupUniqueIdentifier",
+		Type: "string",
+	},
+	LdapAttributeGroupName: model.AppConfigVariable{
+		Key:  "ldapAttributeGroupName",
+		Type: "string",
+	},
+	LdapAttributeAdminGroup: model.AppConfigVariable{
+		Key:  "ldapAttributeAdminGroup",
+		Type: "string",
+	},
+}
+
+func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
+	if common.EnvConfig.UiConfigDisabled {
+		return nil, &common.UiConfigDisabledError{}
+	}
+
+	tx := s.db.Begin()
+	rt := reflect.ValueOf(input).Type()
+	rv := reflect.ValueOf(input)
+
+	var savedConfigVariables []model.AppConfigVariable
+	for i := 0; i < rt.NumField(); i++ {
+		field := rt.Field(i)
+		key := field.Tag.Get("json")
+		value := rv.FieldByName(field.Name).String()
+
+		// If the emailEnabled is set to false, disable the emailOneTimeAccessEnabled
+		if key == s.DbConfig.EmailOneTimeAccessEnabled.Key {
+			if rv.FieldByName("EmailEnabled").String() == "false" {
+				value = "false"
+			}
+		}
+
+		var appConfigVariable model.AppConfigVariable
+		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
+			tx.Rollback()
+			return nil, err
+		}
+
+		appConfigVariable.Value = value
+		if err := tx.Save(&appConfigVariable).Error; err != nil {
+			tx.Rollback()
+			return nil, err
+		}
+
+		savedConfigVariables = append(savedConfigVariables, appConfigVariable)
+	}
+
+	tx.Commit()
+
+	if err := s.LoadDbConfigFromDb(); err != nil {
+		return nil, err
+	}
+
+	return savedConfigVariables, nil
+}
+
+func (s *AppConfigService) UpdateImageType(imageName string, fileType string) error {
+	key := fmt.Sprintf("%sImageType", imageName)
+	err := s.db.Model(&model.AppConfigVariable{}).Where("key = ?", key).Update("value", fileType).Error
+	if err != nil {
+		return err
+	}
+
+	return s.LoadDbConfigFromDb()
+}
+
+func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariable, error) {
+	var configuration []model.AppConfigVariable
+	var err error
+
+	if showAll {
+		err = s.db.Find(&configuration).Error
+	} else {
+		err = s.db.Find(&configuration, "is_public = true").Error
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range configuration {
+		if common.EnvConfig.UiConfigDisabled {
+			// Set the value to the environment variable if the UI config is disabled
+			configuration[i].Value = s.getConfigVariableFromEnvironmentVariable(configuration[i].Key, configuration[i].DefaultValue)
+
+		} else if configuration[i].Value == "" && configuration[i].DefaultValue != "" {
+			// Set the value to the default value if it is empty
+			configuration[i].Value = configuration[i].DefaultValue
+		}
+	}
+
+	return configuration, nil
+}
+
+func (s *AppConfigService) UpdateImage(uploadedFile *multipart.FileHeader, imageName string, oldImageType string) error {
+	fileType := utils.GetFileExtension(uploadedFile.Filename)
+	mimeType := utils.GetImageMimeType(fileType)
+	if mimeType == "" {
+		return &common.FileTypeNotSupportedError{}
+	}
+
+	// Delete the old image if it has a different file type
+	if fileType != oldImageType {
+		oldImagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, oldImageType)
+		if err := os.Remove(oldImagePath); err != nil {
+			return err
+		}
+	}
+
+	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, fileType)
+	if err := utils.SaveFile(uploadedFile, imagePath); err != nil {
+		return err
+	}
+
+	// Update the file type in the database
+	if err := s.UpdateImageType(imageName, fileType); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// InitDbConfig creates the default configuration values in the database if they do not exist,
+// updates existing configurations if they differ from the default, and deletes any configurations
+// that are not in the default configuration.
+func (s *AppConfigService) InitDbConfig() error {
+	// Reflect to get the underlying value of DbConfig and its default configuration
+	defaultConfigReflectValue := reflect.ValueOf(defaultDbConfig)
+	defaultKeys := make(map[string]struct{})
+
+	// Iterate over the fields of DbConfig
+	for i := 0; i < defaultConfigReflectValue.NumField(); i++ {
+		defaultConfigVar := defaultConfigReflectValue.Field(i).Interface().(model.AppConfigVariable)
+
+		defaultKeys[defaultConfigVar.Key] = struct{}{}
+
+		var storedConfigVar model.AppConfigVariable
+		if err := s.db.First(&storedConfigVar, "key = ?", defaultConfigVar.Key).Error; err != nil {
+			// If the configuration does not exist, create it
+			if err := s.db.Create(&defaultConfigVar).Error; err != nil {
+				return err
+			}
+			continue
+		}
+
+		// Update existing configuration if it differs from the default
+		if storedConfigVar.Type != defaultConfigVar.Type || storedConfigVar.IsPublic != defaultConfigVar.IsPublic || storedConfigVar.IsInternal != defaultConfigVar.IsInternal || storedConfigVar.DefaultValue != defaultConfigVar.DefaultValue {
+			storedConfigVar.Type = defaultConfigVar.Type
+			storedConfigVar.IsPublic = defaultConfigVar.IsPublic
+			storedConfigVar.IsInternal = defaultConfigVar.IsInternal
+			storedConfigVar.DefaultValue = defaultConfigVar.DefaultValue
+			if err := s.db.Save(&storedConfigVar).Error; err != nil {
+				return err
+			}
+		}
+	}
+
+	// Delete any configurations not in the default keys
+	var allConfigVars []model.AppConfigVariable
+	if err := s.db.Find(&allConfigVars).Error; err != nil {
+		return err
+	}
+
+	for _, config := range allConfigVars {
+		if _, exists := defaultKeys[config.Key]; !exists {
+			if err := s.db.Delete(&config).Error; err != nil {
+				return err
+			}
+		}
+	}
+	return s.LoadDbConfigFromDb()
+}
+
+// LoadDbConfigFromDb loads the configuration values from the database into the DbConfig struct.
+func (s *AppConfigService) LoadDbConfigFromDb() error {
+	dbConfigReflectValue := reflect.ValueOf(s.DbConfig).Elem()
+
+	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
+		dbConfigField := dbConfigReflectValue.Field(i)
+		currentConfigVar := dbConfigField.Interface().(model.AppConfigVariable)
+		var storedConfigVar model.AppConfigVariable
+		if err := s.db.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
+			return err
+		}
+
+		if common.EnvConfig.UiConfigDisabled {
+			storedConfigVar.Value = s.getConfigVariableFromEnvironmentVariable(currentConfigVar.Key, storedConfigVar.DefaultValue)
+		} else if storedConfigVar.Value == "" && storedConfigVar.DefaultValue != "" {
+			storedConfigVar.Value = storedConfigVar.DefaultValue
+		}
+
+		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
+
+	}
+
+	return nil
+}
+
+func (s *AppConfigService) getConfigVariableFromEnvironmentVariable(key, fallbackValue string) string {
+	environmentVariableName := utils.CamelCaseToScreamingSnakeCase(key)
+
+	if value, exists := os.LookupEnv(environmentVariableName); exists {
+		return value
+	}
+
+	return fallbackValue
+}

backend/internal/service/audit_log_service.go

@@ -0,0 +1,99 @@
+package service
+
+import (
+	"log"
+
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
+)
+
+type AuditLogService struct {
+	db               *gorm.DB
+	appConfigService *AppConfigService
+	emailService     *EmailService
+	geoliteService   *GeoLiteService
+}
+
+func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailService *EmailService, geoliteService *GeoLiteService) *AuditLogService {
+	return &AuditLogService{db: db, appConfigService: appConfigService, emailService: emailService, geoliteService: geoliteService}
+}
+
+// Create creates a new audit log entry in the database
+func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
+	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
+	if err != nil {
+		log.Printf("Failed to get IP location: %v\n", err)
+	}
+
+	auditLog := model.AuditLog{
+		Event:     event,
+		IpAddress: ipAddress,
+		Country:   country,
+		City:      city,
+		UserAgent: userAgent,
+		UserID:    userID,
+		Data:      data,
+	}
+
+	// Save the audit log in the database
+	if err := s.db.Create(&auditLog).Error; err != nil {
+		log.Printf("Failed to create audit log: %v\n", err)
+		return model.AuditLog{}
+	}
+
+	return auditLog
+}
+
+// CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
+func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string) model.AuditLog {
+	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
+
+	// Count the number of times the user has logged in from the same device
+	var count int64
+	err := s.db.Model(&model.AuditLog{}).Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).Count(&count).Error
+	if err != nil {
+		log.Printf("Failed to count audit logs: %v\n", err)
+		return createdAuditLog
+	}
+
+	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
+	if s.appConfigService.DbConfig.EmailLoginNotificationEnabled.Value == "true" && count <= 1 {
+		go func() {
+			var user model.User
+			s.db.Where("id = ?", userID).First(&user)
+
+			err := SendEmail(s.emailService, email.Address{
+				Name:  user.Username,
+				Email: user.Email,
+			}, NewLoginTemplate, &NewLoginTemplateData{
+				IPAddress: ipAddress,
+				Country:   createdAuditLog.Country,
+				City:      createdAuditLog.City,
+				Device:    s.DeviceStringFromUserAgent(userAgent),
+				DateTime:  createdAuditLog.CreatedAt.UTC(),
+			})
+			if err != nil {
+				log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+			}
+		}()
+	}
+
+	return createdAuditLog
+}
+
+// ListAuditLogsForUser retrieves all audit logs for a given user ID
+func (s *AuditLogService) ListAuditLogsForUser(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
+	var logs []model.AuditLog
+	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID)
+
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
+	return logs, pagination, err
+}
+
+func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
+	ua := userAgentParser.Parse(userAgent)
+	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
+}

backend/internal/service/custom_claim_service.go

@@ -0,0 +1,197 @@
+package service
+
+import (
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"gorm.io/gorm"
+)
+
+// Reserved claims
+var reservedClaims = map[string]struct{}{
+	"given_name":         {},
+	"family_name":        {},
+	"name":               {},
+	"email":              {},
+	"preferred_username": {},
+	"groups":             {},
+	"sub":                {},
+	"iss":                {},
+	"aud":                {},
+	"exp":                {},
+	"iat":                {},
+	"auth_time":          {},
+	"nonce":              {},
+	"acr":                {},
+	"amr":                {},
+	"azp":                {},
+	"nbf":                {},
+	"jti":                {},
+}
+
+type CustomClaimService struct {
+	db *gorm.DB
+}
+
+func NewCustomClaimService(db *gorm.DB) *CustomClaimService {
+	return &CustomClaimService{db: db}
+}
+
+// isReservedClaim checks if a claim key is reserved e.g. email, preferred_username
+func isReservedClaim(key string) bool {
+	_, ok := reservedClaims[key]
+	return ok
+}
+
+// idType is the type of the id used to identify the user or user group
+type idType string
+
+const (
+	UserID      idType = "user_id"
+	UserGroupID idType = "user_group_id"
+)
+
+// UpdateCustomClaimsForUser updates the custom claims for a user
+func (s *CustomClaimService) UpdateCustomClaimsForUser(userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(UserID, userID, claims)
+}
+
+// UpdateCustomClaimsForUserGroup updates the custom claims for a user group
+func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(UserGroupID, userGroupID, claims)
+}
+
+// updateCustomClaims updates the custom claims for a user or user group
+func (s *CustomClaimService) updateCustomClaims(idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	// Check for duplicate keys in the claims slice
+	seenKeys := make(map[string]bool)
+	for _, claim := range claims {
+		if seenKeys[claim.Key] {
+			return nil, &common.DuplicateClaimError{Key: claim.Key}
+		}
+		seenKeys[claim.Key] = true
+	}
+
+	var existingClaims []model.CustomClaim
+	err := s.db.Where(string(idType), value).Find(&existingClaims).Error
+	if err != nil {
+		return nil, err
+	}
+
+	// Delete claims that are not in the new list
+	for _, existingClaim := range existingClaims {
+		found := false
+		for _, claim := range claims {
+			if claim.Key == existingClaim.Key {
+				found = true
+				break
+			}
+		}
+		if !found {
+			err = s.db.Delete(&existingClaim).Error
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	// Add or update claims
+	for _, claim := range claims {
+		if isReservedClaim(claim.Key) {
+			return nil, &common.ReservedClaimError{Key: claim.Key}
+		}
+		customClaim := model.CustomClaim{
+			Key:   claim.Key,
+			Value: claim.Value,
+		}
+
+		if idType == UserID {
+			customClaim.UserID = &value
+		} else if idType == UserGroupID {
+			customClaim.UserGroupID = &value
+		}
+
+		// Update the claim if it already exists or create a new one
+		err = s.db.Where(string(idType)+" = ? AND key = ?", value, claim.Key).Assign(&customClaim).FirstOrCreate(&model.CustomClaim{}).Error
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Get the updated claims
+	var updatedClaims []model.CustomClaim
+	err = s.db.Where(string(idType)+" = ?", value).Find(&updatedClaims).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return updatedClaims, nil
+}
+
+func (s *CustomClaimService) GetCustomClaimsForUser(userID string) ([]model.CustomClaim, error) {
+	var customClaims []model.CustomClaim
+	err := s.db.Where("user_id = ?", userID).Find(&customClaims).Error
+	return customClaims, err
+}
+
+func (s *CustomClaimService) GetCustomClaimsForUserGroup(userGroupID string) ([]model.CustomClaim, error) {
+	var customClaims []model.CustomClaim
+	err := s.db.Where("user_group_id = ?", userGroupID).Find(&customClaims).Error
+	return customClaims, err
+}
+
+// GetCustomClaimsForUserWithUserGroups returns the custom claims of a user and all user groups the user is a member of,
+// prioritizing the user's claims over user group claims with the same key.
+func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string) ([]model.CustomClaim, error) {
+	// Get the custom claims of the user
+	customClaims, err := s.GetCustomClaimsForUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	// Store user's claims in a map to prioritize and prevent duplicates
+	claimsMap := make(map[string]model.CustomClaim)
+	for _, claim := range customClaims {
+		claimsMap[claim.Key] = claim
+	}
+
+	// Get all user groups of the user
+	var userGroupsOfUser []model.UserGroup
+	err = s.db.Preload("CustomClaims").
+		Joins("JOIN user_groups_users ON user_groups_users.user_group_id = user_groups.id").
+		Where("user_groups_users.user_id = ?", userID).
+		Find(&userGroupsOfUser).Error
+	if err != nil {
+		return nil, err
+	}
+
+	// Add only non-duplicate custom claims from user groups
+	for _, userGroup := range userGroupsOfUser {
+		for _, groupClaim := range userGroup.CustomClaims {
+			// Only add claim if it does not exist in the user's claims
+			if _, exists := claimsMap[groupClaim.Key]; !exists {
+				claimsMap[groupClaim.Key] = groupClaim
+			}
+		}
+	}
+
+	// Convert the claimsMap back to a slice
+	finalClaims := make([]model.CustomClaim, 0, len(claimsMap))
+	for _, claim := range claimsMap {
+		finalClaims = append(finalClaims, claim)
+	}
+
+	return finalClaims, nil
+}
+
+// GetSuggestions returns a list of custom claim keys that have been used before
+func (s *CustomClaimService) GetSuggestions() ([]string, error) {
+	var customClaimsKeys []string
+
+	err := s.db.Model(&model.CustomClaim{}).
+		Group("key").
+		Order("COUNT(*) DESC").
+		Pluck("key", &customClaimsKeys).Error
+
+	return customClaimsKeys, err
+}

backend/internal/service/email_service.go

@@ -0,0 +1,270 @@
+package service
+
+import (
+	"bytes"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"github.com/emersion/go-sasl"
+	"github.com/emersion/go-smtp"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
+	htemplate "html/template"
+	"mime/multipart"
+	"mime/quotedprintable"
+	"net/textproto"
+	"os"
+	ttemplate "text/template"
+	"time"
+	"github.com/google/uuid"
+	"strings"
+)
+
+type EmailService struct {
+	appConfigService *AppConfigService
+	db               *gorm.DB
+	htmlTemplates    map[string]*htemplate.Template
+	textTemplates    map[string]*ttemplate.Template
+}
+
+func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailService, error) {
+	htmlTemplates, err := email.PrepareHTMLTemplates(emailTemplatesPaths)
+	if err != nil {
+		return nil, fmt.Errorf("prepare html templates: %w", err)
+	}
+
+	textTemplates, err := email.PrepareTextTemplates(emailTemplatesPaths)
+	if err != nil {
+		return nil, fmt.Errorf("prepare html templates: %w", err)
+	}
+
+	return &EmailService{
+		appConfigService: appConfigService,
+		db:               db,
+		htmlTemplates:    htmlTemplates,
+		textTemplates:    textTemplates,
+	}, nil
+}
+
+func (srv *EmailService) SendTestEmail(recipientUserId string) error {
+	var user model.User
+	if err := srv.db.First(&user, "id = ?", recipientUserId).Error; err != nil {
+		return err
+	}
+
+	return SendEmail(srv,
+		email.Address{
+			Email: user.Email,
+			Name:  user.FullName(),
+		}, TestTemplate, nil)
+}
+
+func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+	data := &email.TemplateData[V]{
+		AppName: srv.appConfigService.DbConfig.AppName.Value,
+		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
+		Data:    tData,
+	}
+
+	body, boundary, err := prepareBody(srv, template, data)
+	if err != nil {
+		return fmt.Errorf("prepare email body for '%s': %w", template.Path, err)
+	}
+
+	// Construct the email message
+	c := email.NewComposer()
+	c.AddHeader("Subject", template.Title(data))
+	c.AddAddressHeader("From", []email.Address{
+		{
+			Email: srv.appConfigService.DbConfig.SmtpFrom.Value,
+			Name:  srv.appConfigService.DbConfig.AppName.Value,
+		},
+	})
+	c.AddAddressHeader("To", []email.Address{toEmail})
+	c.AddHeaderRaw("Content-Type",
+		fmt.Sprintf("multipart/alternative;\n boundary=%s;\n charset=UTF-8", boundary),
+	)
+
+	c.AddHeader("MIME-Version", "1.0")
+	c.AddHeader("Date", time.Now().Format(time.RFC1123Z))
+
+	// to create a message-id, we need the FQDN of the sending server, but that may be a docker hostname or localhost
+	// so we use the domain of the from address instead (the same as Thunderbird does)
+	// if the address does not have an @ (which would be unusual), we use hostname
+
+	from_address := srv.appConfigService.DbConfig.SmtpFrom.Value
+	domain := ""
+	if strings.Contains(from_address, "@") {
+		domain = strings.Split(from_address, "@")[1]
+	} else {
+		hostname, err := os.Hostname()
+		if err != nil {
+			// can that happen? we just give up
+			return fmt.Errorf("failed to get own hostname: %w", err)
+		} else {
+			domain = hostname
+		}
+	}
+	c.AddHeader("Message-ID", "<" + uuid.New().String() + "@" + domain + ">")
+
+	c.Body(body)
+
+	// Connect to the SMTP server
+	client, err := srv.getSmtpClient()
+	if err != nil {
+		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	defer client.Close()
+
+	// Send the email
+	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+		return fmt.Errorf("send email content: %w", err)
+	}
+
+	return nil
+}
+
+func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
+	port := srv.appConfigService.DbConfig.SmtpPort.Value
+	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.Value == "true",
+		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
+	}
+
+	// Connect to the SMTP server based on TLS setting
+	switch srv.appConfigService.DbConfig.SmtpTls.Value {
+	case "none":
+		client, err = smtp.Dial(smtpAddress)
+	case "tls":
+		client, err = smtp.DialTLS(smtpAddress, tlsConfig)
+	case "starttls":
+		client, err = smtp.DialStartTLS(
+			smtpAddress,
+			tlsConfig,
+		)
+	default:
+		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", srv.appConfigService.DbConfig.SmtpTls.Value)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client.CommandTimeout = 10 * time.Second
+
+	// Send the HELO command
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to send HELO command: %w", err)
+	}
+
+	// Set up the authentication if user or password are set
+	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
+	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value
+
+	if smtpUser != "" || smtpPassword != "" {
+		// Authenticate with plain auth
+		auth := sasl.NewPlainClient("", smtpUser, smtpPassword)
+		if err := client.Auth(auth); err != nil {
+			// If the server does not support plain auth, try login auth
+			var smtpErr *smtp.SMTPError
+			ok := errors.As(err, &smtpErr)
+			if ok && smtpErr.Code == smtp.ErrAuthUnknownMechanism.Code {
+				auth = sasl.NewLoginClient(smtpUser, smtpPassword)
+				err = client.Auth(auth)
+			}
+			// Both plain and login auth failed
+			if err != nil {
+				return nil, fmt.Errorf("failed to authenticate: %w", err)
+			}
+
+		}
+	}
+
+	return client, err
+}
+
+func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
+	// Set the sender
+	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value, nil); err != nil {
+		return fmt.Errorf("failed to set sender: %w", err)
+	}
+
+	// Set the recipient
+	if err := client.Rcpt(toEmail.Email, nil); err != nil {
+		return fmt.Errorf("failed to set recipient: %w", err)
+	}
+
+	// Get a writer to write the email data
+	w, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("failed to start data: %w", err)
+	}
+
+	// Write the email content
+	_, err = w.Write([]byte(c.String()))
+	if err != nil {
+		return fmt.Errorf("failed to write email data: %w", err)
+	}
+
+	// Close the writer
+	if err := w.Close(); err != nil {
+		return fmt.Errorf("failed to close data writer: %w", err)
+	}
+
+	return nil
+}
+
+func prepareBody[V any](srv *EmailService, template email.Template[V], data *email.TemplateData[V]) (string, string, error) {
+	body := bytes.NewBuffer(nil)
+	mpart := multipart.NewWriter(body)
+
+	// prepare text part
+	var textHeader = textproto.MIMEHeader{}
+	textHeader.Add("Content-Type", "text/plain;\n charset=UTF-8")
+	textHeader.Add("Content-Transfer-Encoding", "quoted-printable")
+	textPart, err := mpart.CreatePart(textHeader)
+	if err != nil {
+		return "", "", fmt.Errorf("create text part: %w", err)
+	}
+
+	textQp := quotedprintable.NewWriter(textPart)
+	err = email.GetTemplate(srv.textTemplates, template).ExecuteTemplate(textQp, "root", data)
+	if err != nil {
+		return "", "", fmt.Errorf("execute text template: %w", err)
+	}
+
+	// prepare html part
+	var htmlHeader = textproto.MIMEHeader{}
+	htmlHeader.Add("Content-Type", "text/html;\n charset=UTF-8")
+	htmlHeader.Add("Content-Transfer-Encoding", "quoted-printable")
+	htmlPart, err := mpart.CreatePart(htmlHeader)
+	if err != nil {
+		return "", "", fmt.Errorf("create html part: %w", err)
+	}
+
+	htmlQp := quotedprintable.NewWriter(htmlPart)
+	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlQp, "root", data)
+	if err != nil {
+		return "", "", fmt.Errorf("execute html template: %w", err)
+	}
+
+	err = mpart.Close()
+	if err != nil {
+		return "", "", fmt.Errorf("close multipart: %w", err)
+	}
+
+	return body.String(), mpart.Boundary(), nil
+}

backend/internal/service/email_service_templates.go

@@ -0,0 +1,60 @@
+package service
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+)
+
+/**
+How to add new template:
+- pick unique and descriptive template ${name} (for example "login-with-new-device")
+- in backend/resources/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
+- create xxxxTemplate and xxxxTemplateData (for example NewLoginTemplate and NewLoginTemplateData)
+  - Path *must* be ${name}
+- add xxxTemplate.Path to "emailTemplatePaths" at the end
+
+Notes:
+- backend app must be restarted to reread all the template files
+- root "." object in templates is `email.TemplateData`
+- xxxxTemplateData structure is visible under .Data in templates
+*/
+
+var NewLoginTemplate = email.Template[NewLoginTemplateData]{
+	Path: "login-with-new-device",
+	Title: func(data *email.TemplateData[NewLoginTemplateData]) string {
+		return fmt.Sprintf("New device login with %s", data.AppName)
+	},
+}
+
+var OneTimeAccessTemplate = email.Template[OneTimeAccessTemplateData]{
+	Path: "one-time-access",
+	Title: func(data *email.TemplateData[OneTimeAccessTemplateData]) string {
+		return "Login Code"
+	},
+}
+
+var TestTemplate = email.Template[struct{}]{
+	Path: "test",
+	Title: func(data *email.TemplateData[struct{}]) string {
+		return "Test email"
+	},
+}
+
+type NewLoginTemplateData struct {
+	IPAddress string
+	Country   string
+	City      string
+	Device    string
+	DateTime  time.Time
+}
+
+type OneTimeAccessTemplateData = struct {
+	Code              string
+	LoginLink         string
+	LoginLinkWithCode string
+}
+
+// this is list of all template paths used for preloading templates
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}

backend/internal/service/geolite_service.go

@@ -0,0 +1,222 @@
+package service
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang/v2"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+type GeoLiteService struct {
+	disableUpdater bool
+	mutex          sync.Mutex
+}
+
+var localhostIPNets = []*net.IPNet{
+	{IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 127.0.0.0/8
+	{IP: net.IPv6loopback, Mask: net.CIDRMask(128, 128)},    // ::1/128
+}
+
+var privateLanIPNets = []*net.IPNet{
+	{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},     // 10.0.0.0/8
+	{IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)},  // 172.16.0.0/12
+	{IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)}, // 192.168.0.0/16
+}
+
+var tailscaleIPNets = []*net.IPNet{
+	{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}, // 100.64.0.0/10
+}
+
+// NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
+func NewGeoLiteService() *GeoLiteService {
+	service := &GeoLiteService{}
+
+	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
+		// Warn the user, and disable the updater.
+		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
+		service.disableUpdater = true
+	}
+
+	go func() {
+		if err := service.updateDatabase(); err != nil {
+			log.Printf("Failed to update GeoLite2 City database: %v\n", err)
+		}
+	}()
+
+	return service
+}
+
+// GetLocationByIP returns the country and city of the given IP address.
+func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
+	// Check the IP address against known private IP ranges
+	if ip := net.ParseIP(ipAddress); ip != nil {
+		for _, ipNet := range tailscaleIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "Tailscale", nil
+			}
+		}
+		for _, ipNet := range privateLanIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "LAN/Docker/k8s", nil
+			}
+		}
+		for _, ipNet := range localhostIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "localhost", nil
+			}
+		}
+	}
+
+	// Race condition between reading and writing the database.
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
+	if err != nil {
+		return "", "", err
+	}
+	defer db.Close()
+
+	addr := netip.MustParseAddr(ipAddress)
+
+	var record struct {
+		City struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"city"`
+		Country struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"country"`
+	}
+
+	err = db.Lookup(addr).Decode(&record)
+	if err != nil {
+		return "", "", err
+	}
+
+	return record.Country.Names["en"], record.City.Names["en"], nil
+}
+
+// UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
+func (s *GeoLiteService) updateDatabase() error {
+	if s.disableUpdater {
+		// Avoid updating the GeoLite2 City database.
+		return nil
+	}
+
+	if s.isDatabaseUpToDate() {
+		log.Println("GeoLite2 City database is up-to-date.")
+		return nil
+	}
+
+	log.Println("Updating GeoLite2 City database...")
+	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
+
+	// Download the database tar.gz file
+	resp, err := http.Get(downloadUrl)
+	if err != nil {
+		return fmt.Errorf("failed to download database: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to download database, received HTTP %d", resp.StatusCode)
+	}
+
+	// Extract the database file directly to the target path
+	if err := s.extractDatabase(resp.Body); err != nil {
+		return fmt.Errorf("failed to extract database: %w", err)
+	}
+
+	log.Println("GeoLite2 City database successfully updated.")
+	return nil
+}
+
+// isDatabaseUpToDate checks if the database file is older than 14 days.
+func (s *GeoLiteService) isDatabaseUpToDate() bool {
+	info, err := os.Stat(common.EnvConfig.GeoLiteDBPath)
+	if err != nil {
+		// If the file doesn't exist, treat it as not up-to-date
+		return false
+	}
+	return time.Since(info.ModTime()) < 14*24*time.Hour
+}
+
+// extractDatabase extracts the database file from the tar.gz archive directly to the target location.
+func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
+	gzr, err := gzip.NewReader(reader)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip reader: %w", err)
+	}
+	defer gzr.Close()
+
+	tarReader := tar.NewReader(gzr)
+
+	// Iterate over the files in the tar archive
+	for {
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar archive: %w", err)
+		}
+
+		// Check if the file is the GeoLite2-City.mmdb file
+		if header.Typeflag == tar.TypeReg && filepath.Base(header.Name) == "GeoLite2-City.mmdb" {
+			// extract to a temporary file to avoid having a corrupted db in case of write failure.
+			baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
+			tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
+			if err != nil {
+				return fmt.Errorf("failed to create temporary database file: %w", err)
+			}
+			tempName := tmpFile.Name()
+
+			// Write the file contents directly to the target location
+			if _, err := io.Copy(tmpFile, tarReader); err != nil {
+				// if fails to write, then cleanup and throw an error
+				tmpFile.Close()
+				os.Remove(tempName)
+				return fmt.Errorf("failed to write database file: %w", err)
+			}
+			tmpFile.Close()
+
+			// ensure the database is not corrupted
+			db, err := maxminddb.Open(tempName)
+			if err != nil {
+				// if fails to write, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to open downloaded database file: %w", err)
+			}
+			db.Close()
+
+			// ensure we lock the structure before we overwrite the database
+			// to prevent race conditions between reading and writing the mmdb.
+			s.mutex.Lock()
+			// replace the old file with the new file
+			err = os.Rename(tempName, common.EnvConfig.GeoLiteDBPath)
+			s.mutex.Unlock()
+
+			if err != nil {
+				// if cannot overwrite via rename, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to replace database file: %w", err)
+			}
+			return nil
+		}
+	}
+
+	return errors.New("GeoLite2-City.mmdb not found in archive")
+}

backend/internal/service/jwt_service.go

@@ -0,0 +1,440 @@
+package service
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"path/filepath"
+	"slices"
+	"strconv"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	// PrivateKeyFile is the path in the data/keys folder where the key is stored
+	// This is a JSON file containing a key encoded as JWK
+	PrivateKeyFile = "jwt_private_key.json"
+
+	// RsaKeySize is the size, in bits, of the RSA key to generate if none is found
+	RsaKeySize = 2048
+
+	// KeyUsageSigning is the usage for the private keys, for the "use" property
+	KeyUsageSigning = "sig"
+)
+
+type JwtService struct {
+	privateKey       jwk.Key
+	keyId            string
+	appConfigService *AppConfigService
+	jwksEncoded      []byte
+}
+
+func NewJwtService(appConfigService *AppConfigService) *JwtService {
+	service := &JwtService{}
+
+	// Ensure keys are generated or loaded
+	if err := service.init(appConfigService, common.EnvConfig.KeysPath); err != nil {
+		log.Fatalf("Failed to initialize jwt service: %v", err)
+	}
+
+	return service
+}
+
+func (s *JwtService) init(appConfigService *AppConfigService, keysPath string) error {
+	s.appConfigService = appConfigService
+
+	// Ensure keys are generated or loaded
+	return s.loadOrGenerateKey(keysPath)
+}
+
+type AccessTokenJWTClaims struct {
+	jwt.RegisteredClaims
+	IsAdmin bool `json:"isAdmin,omitempty"`
+}
+
+// loadOrGenerateKey loads the private key from the given path or generates it if not existing.
+func (s *JwtService) loadOrGenerateKey(keysPath string) error {
+	var key jwk.Key
+
+	// First, check if we have a JWK file
+	// If we do, then we just load that
+	jwkPath := filepath.Join(keysPath, PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		key, err = s.loadKeyJWK(jwkPath)
+		if err != nil {
+			return fmt.Errorf("failed to load private key file (JWK) at path '%s': %w", jwkPath, err)
+		}
+
+		// Set the key, and we are done
+		err = s.SetKey(key)
+		if err != nil {
+			return fmt.Errorf("failed to set private key: %w", err)
+		}
+
+		return nil
+	}
+
+	// If we are here, we need to generate a new key
+	key, err = s.generateNewRSAKey()
+	if err != nil {
+		return fmt.Errorf("failed to generate new private key: %w", err)
+	}
+
+	// Set the key in the object, which also validates it
+	err = s.SetKey(key)
+	if err != nil {
+		return fmt.Errorf("failed to set private key: %w", err)
+	}
+
+	// Save the key as JWK
+	err = SaveKeyJWK(s.privateKey, jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	return nil
+}
+
+func ValidateKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := privateKey.Validate()
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+	keyID, ok := privateKey.KeyID()
+	if !ok || keyID == "" {
+		return errors.New("key object does not contain a key ID")
+	}
+	usage, ok := privateKey.KeyUsage()
+	if !ok || usage != KeyUsageSigning {
+		return errors.New("key object is not valid for signing")
+	}
+	ok, err = jwk.IsPrivateKey(privateKey)
+	if err != nil || !ok {
+		return errors.New("key object is not a private key")
+	}
+
+	return nil
+}
+
+func (s *JwtService) SetKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := ValidateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("private key is not valid: %w", err)
+	}
+
+	// Set the private key and key id in the object
+	s.privateKey = privateKey
+
+	keyId, ok := privateKey.KeyID()
+	if !ok {
+		return errors.New("key object does not contain a key ID")
+	}
+	s.keyId = keyId
+
+	// Create and encode a JWKS containing the public key
+	publicKey, err := s.GetPublicJWK()
+	if err != nil {
+		return fmt.Errorf("failed to get public JWK: %w", err)
+	}
+	jwks := jwk.NewSet()
+	err = jwks.AddKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("failed to add public key to JWKS: %w", err)
+	}
+	s.jwksEncoded, err = json.Marshal(jwks)
+	if err != nil {
+		return fmt.Errorf("failed to encode JWKS to JSON: %w", err)
+	}
+
+	return nil
+}
+
+func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
+	sessionDurationInMinutes, _ := strconv.Atoi(s.appConfigService.DbConfig.SessionDuration.Value)
+	claim := AccessTokenJWTClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			Subject:   user.ID,
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(sessionDurationInMinutes) * time.Minute)),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			Audience:  jwt.ClaimStrings{common.EnvConfig.AppURL},
+		},
+		IsAdmin: user.IsAdmin,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
+	token.Header["kid"] = s.keyId
+
+	var privateKeyRaw any
+	err := jwk.Export(s.privateKey, &privateKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export private key object: %w", err)
+	}
+
+	signed, err := token.SignedString(privateKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return signed, nil
+}
+
+func (s *JwtService) VerifyAccessToken(tokenString string) (*AccessTokenJWTClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &AccessTokenJWTClaims{}, func(token *jwt.Token) (any, error) {
+		return s.getPublicKeyRaw()
+	})
+	if err != nil || !token.Valid {
+		return nil, errors.New("couldn't handle this token")
+	}
+
+	claims, isValid := token.Claims.(*AccessTokenJWTClaims)
+	if !isValid {
+		return nil, errors.New("can't parse claims")
+	}
+
+	if !slices.Contains(claims.Audience, common.EnvConfig.AppURL) {
+		return nil, errors.New("audience doesn't match")
+	}
+	return claims, nil
+}
+
+func (s *JwtService) GenerateIDToken(userClaims map[string]interface{}, clientID string, nonce string) (string, error) {
+	// Initialize with capacity for userClaims, + 4 fixed claims, + 2 claims which may be set in some cases, to avoid re-allocations
+	claims := make(jwt.MapClaims, len(userClaims)+6)
+	claims["aud"] = clientID
+	claims["exp"] = jwt.NewNumericDate(time.Now().Add(1 * time.Hour))
+	claims["iat"] = jwt.NewNumericDate(time.Now())
+	claims["iss"] = common.EnvConfig.AppURL
+
+	for k, v := range userClaims {
+		claims[k] = v
+	}
+
+	if nonce != "" {
+		claims["nonce"] = nonce
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	token.Header["kid"] = s.keyId
+
+	var privateKeyRaw any
+	err := jwk.Export(s.privateKey, &privateKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export private key object: %w", err)
+	}
+
+	return token.SignedString(privateKeyRaw)
+}
+
+func (s *JwtService) VerifyIdToken(tokenString string) (*jwt.RegisteredClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (any, error) {
+		return s.getPublicKeyRaw()
+	}, jwt.WithIssuer(common.EnvConfig.AppURL))
+
+	if err != nil && !errors.Is(err, jwt.ErrTokenExpired) {
+		return nil, errors.New("couldn't handle this token")
+	}
+
+	claims, isValid := token.Claims.(*jwt.RegisteredClaims)
+	if !isValid {
+		return nil, errors.New("can't parse claims")
+	}
+
+	return claims, nil
+}
+
+func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
+	claim := jwt.RegisteredClaims{
+		Subject:   user.ID,
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
+		IssuedAt:  jwt.NewNumericDate(time.Now()),
+		Audience:  jwt.ClaimStrings{clientID},
+		Issuer:    common.EnvConfig.AppURL,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
+	token.Header["kid"] = s.keyId
+
+	var privateKeyRaw any
+	err := jwk.Export(s.privateKey, &privateKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export private key object: %w", err)
+	}
+
+	return token.SignedString(privateKeyRaw)
+}
+
+func (s *JwtService) VerifyOauthAccessToken(tokenString string) (*jwt.RegisteredClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (any, error) {
+		return s.getPublicKeyRaw()
+	})
+	if err != nil || !token.Valid {
+		return nil, errors.New("couldn't handle this token")
+	}
+
+	claims, isValid := token.Claims.(*jwt.RegisteredClaims)
+	if !isValid {
+		return nil, errors.New("can't parse claims")
+	}
+
+	return claims, nil
+}
+
+// GetPublicJWK returns the JSON Web Key (JWK) for the public key.
+func (s *JwtService) GetPublicJWK() (jwk.Key, error) {
+	if s.privateKey == nil {
+		return nil, errors.New("key is not initialized")
+	}
+
+	pubKey, err := s.privateKey.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get public key: %w", err)
+	}
+
+	EnsureAlgInKey(pubKey)
+
+	return pubKey, nil
+}
+
+// GetPublicJWKSAsJSON returns the JSON Web Key Set (JWKS) for the public key, encoded as JSON.
+// The value is cached since the key is static.
+func (s *JwtService) GetPublicJWKSAsJSON() ([]byte, error) {
+	if len(s.jwksEncoded) == 0 {
+		return nil, errors.New("key is not initialized")
+	}
+
+	return s.jwksEncoded, nil
+}
+
+func (s *JwtService) getPublicKeyRaw() (any, error) {
+	pubKey, err := s.privateKey.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get public key: %w", err)
+	}
+	var pubKeyRaw any
+	err = jwk.Export(pubKey, &pubKeyRaw)
+	if err != nil {
+		return nil, fmt.Errorf("failed to export raw public key: %w", err)
+	}
+	return pubKeyRaw, nil
+}
+
+func (s *JwtService) loadKeyJWK(path string) (jwk.Key, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	return key, nil
+}
+
+// EnsureAlgInKey ensures that the key contains an "alg" parameter, set depending on the key type
+func EnsureAlgInKey(key jwk.Key) {
+	_, ok := key.Algorithm()
+	if ok {
+		// Algorithm is already set
+		return
+	}
+
+	switch key.KeyType() {
+	case jwa.RSA():
+		// Default to RS256 for RSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.RS256())
+	case jwa.EC():
+		// Default to ES256 for ECDSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.ES256())
+	case jwa.OKP():
+		// Default to EdDSA for OKP keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.EdDSA())
+	}
+}
+
+func (s *JwtService) generateNewRSAKey() (jwk.Key, error) {
+	// We generate RSA keys only
+	rawKey, err := rsa.GenerateKey(rand.Reader, RsaKeySize)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate RSA private key: %w", err)
+	}
+
+	// Import the raw key
+	return importRawKey(rawKey)
+}
+
+func importRawKey(rawKey any) (jwk.Key, error) {
+	key, err := jwk.Import(rawKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to import generated private key: %w", err)
+	}
+
+	// Generate the key ID
+	kid, err := generateRandomKeyID()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	_ = key.Set(jwk.KeyIDKey, kid)
+
+	// Set other required fields
+	_ = key.Set(jwk.KeyUsageKey, KeyUsageSigning)
+	EnsureAlgInKey(key)
+
+	return key, err
+}
+
+// SaveKeyJWK saves a JWK to a file
+func SaveKeyJWK(key jwk.Key, path string) error {
+	dir := filepath.Dir(path)
+	err := os.MkdirAll(dir, 0700)
+	if err != nil {
+		return fmt.Errorf("failed to create directory '%s' for key file: %w", dir, err)
+	}
+
+	keyFile, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyFile.Close()
+
+	// Write the JSON file to disk
+	enc := json.NewEncoder(keyFile)
+	enc.SetEscapeHTML(false)
+	err = enc.Encode(key)
+	if err != nil {
+		return fmt.Errorf("failed to write key file: %w", err)
+	}
+
+	return nil
+}
+
+// generateRandomKeyID generates a random key ID.
+func generateRandomKeyID() (string, error) {
+	buf := make([]byte, 8)
+	_, err := io.ReadFull(rand.Reader, buf)
+	if err != nil {
+		return "", fmt.Errorf("failed to read random bytes: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}

backend/internal/service/jwt_service_test.go

@@ -0,0 +1,546 @@
+package service
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+)
+
+func TestJwtService_Init(t *testing.T) {
+	t.Run("should generate new key when none exists", func(t *testing.T) {
+		// Create a temporary directory for the test
+		tempDir := t.TempDir()
+
+		// Create a mock AppConfigService
+		appConfigService := &AppConfigService{}
+
+		// Initialize the JWT service
+		service := &JwtService{}
+		err := service.init(appConfigService, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Verify the private key was set
+		require.NotNil(t, service.privateKey, "Private key should be set")
+
+		// Verify the key has been saved to disk as JWK
+		jwkPath := filepath.Join(tempDir, PrivateKeyFile)
+		_, err = os.Stat(jwkPath)
+		assert.NoError(t, err, "JWK file should exist")
+
+		// Verify the generated key is valid
+		keyData, err := os.ReadFile(jwkPath)
+		require.NoError(t, err)
+		key, err := jwk.ParseKey(keyData)
+		require.NoError(t, err)
+
+		// Key should have required properties
+		keyID, ok := key.KeyID()
+		assert.True(t, ok, "Key should have a key ID")
+		assert.NotEmpty(t, keyID)
+
+		keyUsage, ok := key.KeyUsage()
+		assert.True(t, ok, "Key should have a key usage")
+		assert.Equal(t, "sig", keyUsage)
+	})
+
+	t.Run("should load existing JWK key", func(t *testing.T) {
+		// Create a temporary directory for the test
+		tempDir := t.TempDir()
+
+		// First create a service to generate a key
+		firstService := &JwtService{}
+		err := firstService.init(&AppConfigService{}, tempDir)
+		require.NoError(t, err)
+
+		// Get the key ID of the first service
+		origKeyID, ok := firstService.privateKey.KeyID()
+		require.True(t, ok)
+
+		// Now create a new service that should load the existing key
+		secondService := &JwtService{}
+		err = secondService.init(&AppConfigService{}, tempDir)
+		require.NoError(t, err)
+
+		// Verify the loaded key has the same ID as the original
+		loadedKeyID, ok := secondService.privateKey.KeyID()
+		require.True(t, ok)
+		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
+	})
+
+	t.Run("should load existing JWK for EC keys", func(t *testing.T) {
+		// Create a temporary directory for the test
+		tempDir := t.TempDir()
+
+		// Create a new JWK and save it to disk
+		origKeyID := createECKeyJWK(t, tempDir)
+
+		// Now create a new service that should load the existing key
+		svc := &JwtService{}
+		err := svc.init(&AppConfigService{}, tempDir)
+		require.NoError(t, err)
+
+		// Verify the loaded key has the same ID as the original
+		loadedKeyID, ok := svc.privateKey.KeyID()
+		require.True(t, ok)
+		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
+	})
+}
+
+func TestJwtService_GetPublicJWK(t *testing.T) {
+	t.Run("returns public key when private key is initialized", func(t *testing.T) {
+		// Create a temporary directory for the test
+		tempDir := t.TempDir()
+
+		// Create a JWT service with initialized key
+		service := &JwtService{}
+		err := service.init(&AppConfigService{}, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Get the JWK (public key)
+		publicKey, err := service.GetPublicJWK()
+		require.NoError(t, err, "GetPublicJWK should not return an error when private key is initialized")
+
+		// Verify the returned key is valid
+		require.NotNil(t, publicKey, "Public key should not be nil")
+
+		// Validate it's actually a public key
+		isPrivate, err := jwk.IsPrivateKey(publicKey)
+		require.NoError(t, err)
+		assert.False(t, isPrivate, "Returned key should be a public key")
+
+		// Check that key has required properties
+		keyID, ok := publicKey.KeyID()
+		require.True(t, ok, "Public key should have a key ID")
+		assert.NotEmpty(t, keyID, "Key ID should not be empty")
+
+		alg, ok := publicKey.Algorithm()
+		require.True(t, ok, "Public key should have an algorithm")
+		assert.Equal(t, "RS256", alg.String(), "Algorithm should be RS256")
+	})
+
+	t.Run("returns public key when ECDSA private key is initialized", func(t *testing.T) {
+		// Create a temporary directory for the test
+		tempDir := t.TempDir()
+
+		// Create an ECDSA key and save it as JWK
+		originalKeyID := createECKeyJWK(t, tempDir)
+
+		// Create a JWT service that loads the ECDSA key
+		service := &JwtService{}
+		err := service.init(&AppConfigService{}, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Get the JWK (public key)
+		publicKey, err := service.GetPublicJWK()
+		require.NoError(t, err, "GetPublicJWK should not return an error when private key is initialized")
+
+		// Verify the returned key is valid
+		require.NotNil(t, publicKey, "Public key should not be nil")
+
+		// Validate it's actually a public key
+		isPrivate, err := jwk.IsPrivateKey(publicKey)
+		require.NoError(t, err)
+		assert.False(t, isPrivate, "Returned key should be a public key")
+
+		// Check that key has required properties
+		keyID, ok := publicKey.KeyID()
+		require.True(t, ok, "Public key should have a key ID")
+		assert.Equal(t, originalKeyID, keyID, "Key ID should match the original key ID")
+
+		// Check that the key type is EC
+		assert.Equal(t, "EC", publicKey.KeyType().String(), "Key type should be EC")
+
+		// Check that the algorithm is ES256
+		alg, ok := publicKey.Algorithm()
+		require.True(t, ok, "Public key should have an algorithm")
+		assert.Equal(t, "ES256", alg.String(), "Algorithm should be ES256")
+	})
+
+	t.Run("returns error when private key is not initialized", func(t *testing.T) {
+		// Create a service with nil private key
+		service := &JwtService{
+			privateKey: nil,
+		}
+
+		// Try to get the JWK
+		publicKey, err := service.GetPublicJWK()
+
+		// Verify it returns an error
+		require.Error(t, err, "GetPublicJWK should return an error when private key is nil")
+		assert.Contains(t, err.Error(), "key is not initialized", "Error message should indicate key is not initialized")
+		assert.Nil(t, publicKey, "Public key should be nil when there's an error")
+	})
+}
+
+func TestGenerateVerifyAccessToken(t *testing.T) {
+	// Create a temporary directory for the test
+	tempDir := t.TempDir()
+
+	// Initialize the JWT service with a mock AppConfigService
+	mockConfig := &AppConfigService{
+		DbConfig: &model.AppConfig{
+			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+		},
+	}
+
+	// Setup the environment variable required by the token verification
+	originalAppURL := common.EnvConfig.AppURL
+	common.EnvConfig.AppURL = "https://test.example.com"
+	defer func() {
+		common.EnvConfig.AppURL = originalAppURL
+	}()
+
+	t.Run("generates token for regular user", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create a test user
+		user := model.User{
+			Base: model.Base{
+				ID: "user123",
+			},
+			Email:   "user@example.com",
+			IsAdmin: false,
+		}
+
+		// Generate a token
+		tokenString, err := service.GenerateAccessToken(user)
+		require.NoError(t, err, "Failed to generate access token")
+		assert.NotEmpty(t, tokenString, "Token should not be empty")
+
+		// Verify the token
+		claims, err := service.VerifyAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated token")
+
+		// Check the claims
+		assert.Equal(t, user.ID, claims.Subject, "Token subject should match user ID")
+		assert.Equal(t, false, claims.IsAdmin, "IsAdmin should be false")
+		assert.Contains(t, claims.Audience, "https://test.example.com", "Audience should contain the app URL")
+
+		// Check token expiration time is approximately 60 minutes from now
+		expectedExp := time.Now().Add(60 * time.Minute)
+		tokenExp := claims.ExpiresAt.Time
+		timeDiff := expectedExp.Sub(tokenExp).Minutes()
+		assert.InDelta(t, 0, timeDiff, 1.0, "Token should expire in approximately 60 minutes")
+	})
+
+	t.Run("generates token for admin user", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create a test admin user
+		adminUser := model.User{
+			Base: model.Base{
+				ID: "admin123",
+			},
+			Email:   "admin@example.com",
+			IsAdmin: true,
+		}
+
+		// Generate a token
+		tokenString, err := service.GenerateAccessToken(adminUser)
+		require.NoError(t, err, "Failed to generate access token")
+
+		// Verify the token
+		claims, err := service.VerifyAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated token")
+
+		// Check the IsAdmin claim is true
+		assert.Equal(t, true, claims.IsAdmin, "IsAdmin should be true for admin users")
+		assert.Equal(t, adminUser.ID, claims.Subject, "Token subject should match admin ID")
+	})
+
+	t.Run("uses session duration from config", func(t *testing.T) {
+		// Create a JWT service with a different session duration
+		customMockConfig := &AppConfigService{
+			DbConfig: &model.AppConfig{
+				SessionDuration: model.AppConfigVariable{Value: "30"}, // 30 minutes
+			},
+		}
+
+		service := &JwtService{}
+		err := service.init(customMockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create a test user
+		user := model.User{
+			Base: model.Base{
+				ID: "user456",
+			},
+		}
+
+		// Generate a token
+		tokenString, err := service.GenerateAccessToken(user)
+		require.NoError(t, err, "Failed to generate access token")
+
+		// Verify the token
+		claims, err := service.VerifyAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated token")
+
+		// Check token expiration time is approximately 30 minutes from now
+		expectedExp := time.Now().Add(30 * time.Minute)
+		tokenExp := claims.ExpiresAt.Time
+		timeDiff := expectedExp.Sub(tokenExp).Minutes()
+		assert.InDelta(t, 0, timeDiff, 1.0, "Token should expire in approximately 30 minutes")
+	})
+}
+
+func TestGenerateVerifyIdToken(t *testing.T) {
+	// Create a temporary directory for the test
+	tempDir := t.TempDir()
+
+	// Initialize the JWT service with a mock AppConfigService
+	mockConfig := &AppConfigService{
+		DbConfig: &model.AppConfig{
+			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+		},
+	}
+
+	// Setup the environment variable required by the token verification
+	originalAppURL := common.EnvConfig.AppURL
+	common.EnvConfig.AppURL = "https://test.example.com"
+	defer func() {
+		common.EnvConfig.AppURL = originalAppURL
+	}()
+
+	t.Run("generates and verifies ID token with standard claims", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create test claims
+		userClaims := map[string]interface{}{
+			"sub":   "user123",
+			"name":  "Test User",
+			"email": "user@example.com",
+		}
+		const clientID = "test-client-123"
+
+		// Generate a token
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, "")
+		require.NoError(t, err, "Failed to generate ID token")
+		assert.NotEmpty(t, tokenString, "Token should not be empty")
+
+		// Verify the token
+		claims, err := service.VerifyIdToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated ID token")
+
+		// Check the claims
+		assert.Equal(t, "user123", claims.Subject, "Token subject should match user ID")
+		assert.Contains(t, claims.Audience, clientID, "Audience should contain the client ID")
+		assert.Equal(t, common.EnvConfig.AppURL, claims.Issuer, "Issuer should match app URL")
+
+		// Check token expiration time is approximately 1 hour from now
+		expectedExp := time.Now().Add(1 * time.Hour)
+		tokenExp := claims.ExpiresAt.Time
+		timeDiff := expectedExp.Sub(tokenExp).Minutes()
+		assert.InDelta(t, 0, timeDiff, 1.0, "Token should expire in approximately 1 hour")
+	})
+
+	t.Run("generates and verifies ID token with nonce", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create test claims with nonce
+		userClaims := map[string]interface{}{
+			"sub":  "user456",
+			"name": "Another User",
+		}
+		const clientID = "test-client-456"
+		nonce := "random-nonce-value"
+
+		// Generate a token with nonce
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, nonce)
+		require.NoError(t, err, "Failed to generate ID token with nonce")
+
+		// Parse the token manually to check nonce
+		publicKey, err := service.GetPublicJWK()
+		require.NoError(t, err, "Failed to get public key")
+		token, err := jwt.Parse([]byte(tokenString), jwt.WithKey(jwa.RS256(), publicKey))
+		require.NoError(t, err, "Failed to parse token")
+
+		var tokenNonce string
+		err = token.Get("nonce", &tokenNonce)
+		require.NoError(t, err, "Failed to get claims")
+
+		assert.Equal(t, nonce, tokenNonce, "Token should contain the correct nonce")
+	})
+
+	t.Run("fails verification with incorrect issuer", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Generate a token with standard claims
+		userClaims := map[string]interface{}{
+			"sub": "user789",
+		}
+		tokenString, err := service.GenerateIDToken(userClaims, "client-789", "")
+		require.NoError(t, err, "Failed to generate ID token")
+
+		// Temporarily change the app URL to simulate wrong issuer
+		common.EnvConfig.AppURL = "https://wrong-issuer.com"
+
+		// Verify should fail due to issuer mismatch
+		_, err = service.VerifyIdToken(tokenString)
+		assert.Error(t, err, "Verification should fail with incorrect issuer")
+		assert.Contains(t, err.Error(), "couldn't handle this token", "Error message should indicate token verification failure")
+	})
+}
+
+func TestGenerateVerifyOauthAccessToken(t *testing.T) {
+	// Create a temporary directory for the test
+	tempDir := t.TempDir()
+
+	// Initialize the JWT service with a mock AppConfigService
+	mockConfig := &AppConfigService{
+		DbConfig: &model.AppConfig{
+			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+		},
+	}
+
+	// Setup the environment variable required by the token verification
+	originalAppURL := common.EnvConfig.AppURL
+	common.EnvConfig.AppURL = "https://test.example.com"
+	defer func() {
+		common.EnvConfig.AppURL = originalAppURL
+	}()
+
+	t.Run("generates and verifies OAuth access token with standard claims", func(t *testing.T) {
+		// Create a JWT service
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create a test user
+		user := model.User{
+			Base: model.Base{
+				ID: "user123",
+			},
+			Email: "user@example.com",
+		}
+		const clientID = "test-client-123"
+
+		// Generate a token
+		tokenString, err := service.GenerateOauthAccessToken(user, clientID)
+		require.NoError(t, err, "Failed to generate OAuth access token")
+		assert.NotEmpty(t, tokenString, "Token should not be empty")
+
+		// Verify the token
+		claims, err := service.VerifyOauthAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated OAuth access token")
+
+		// Check the claims
+		assert.Equal(t, user.ID, claims.Subject, "Token subject should match user ID")
+		assert.Contains(t, claims.Audience, clientID, "Audience should contain the client ID")
+		assert.Equal(t, common.EnvConfig.AppURL, claims.Issuer, "Issuer should match app URL")
+
+		// Check token expiration time is approximately 1 hour from now
+		expectedExp := time.Now().Add(1 * time.Hour)
+		tokenExp := claims.ExpiresAt.Time
+		timeDiff := expectedExp.Sub(tokenExp).Minutes()
+		assert.InDelta(t, 0, timeDiff, 1.0, "Token should expire in approximately 1 hour")
+	})
+
+	t.Run("fails verification for expired token", func(t *testing.T) {
+		// Create a JWT service with a mock function to generate an expired token
+		service := &JwtService{}
+		err := service.init(mockConfig, tempDir)
+		require.NoError(t, err, "Failed to initialize JWT service")
+
+		// Create a test user
+		user := model.User{
+			Base: model.Base{
+				ID: "user456",
+			},
+		}
+		const clientID = "test-client-456"
+
+		// Generate a token using JWT directly to create an expired token
+		token, err := jwt.NewBuilder().
+			Subject(user.ID).
+			Expiration(time.Now().Add(-1 * time.Hour)). // Expired 1 hour ago
+			IssuedAt(time.Now().Add(-2 * time.Hour)).
+			Audience([]string{clientID}).
+			Issuer(common.EnvConfig.AppURL).
+			Build()
+		require.NoError(t, err, "Failed to build token")
+
+		signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256(), service.privateKey))
+		require.NoError(t, err, "Failed to sign token")
+
+		// Verify should fail due to expiration
+		_, err = service.VerifyOauthAccessToken(string(signed))
+		assert.Error(t, err, "Verification should fail with expired token")
+		assert.Contains(t, err.Error(), "couldn't handle this token", "Error message should indicate token verification failure")
+	})
+
+	t.Run("fails verification with invalid signature", func(t *testing.T) {
+		// Create two JWT services with different keys
+		service1 := &JwtService{}
+		err := service1.init(mockConfig, t.TempDir()) // Use a different temp dir
+		require.NoError(t, err, "Failed to initialize first JWT service")
+
+		service2 := &JwtService{}
+		err = service2.init(mockConfig, t.TempDir()) // Use a different temp dir
+		require.NoError(t, err, "Failed to initialize second JWT service")
+
+		// Create a test user
+		user := model.User{
+			Base: model.Base{
+				ID: "user789",
+			},
+		}
+		const clientID = "test-client-789"
+
+		// Generate a token with the first service
+		tokenString, err := service1.GenerateOauthAccessToken(user, clientID)
+		require.NoError(t, err, "Failed to generate OAuth access token")
+
+		// Verify with the second service should fail due to different keys
+		_, err = service2.VerifyOauthAccessToken(tokenString)
+		assert.Error(t, err, "Verification should fail with invalid signature")
+		assert.Contains(t, err.Error(), "couldn't handle this token", "Error message should indicate token verification failure")
+	})
+}
+
+func createECKeyJWK(t *testing.T, path string) string {
+	t.Helper()
+
+	// Generate a new P-256 ECDSA key
+	privateKeyRaw, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err, "Failed to generate ECDSA key")
+
+	// Import as JWK and save to disk
+	privateKey, err := importRawKey(privateKeyRaw)
+	require.NoError(t, err, "Failed to import private key")
+
+	err = SaveKeyJWK(privateKey, filepath.Join(path, PrivateKeyFile))
+	require.NoError(t, err, "Failed to save key")
+
+	kid, _ := privateKey.KeyID()
+	require.NotEmpty(t, kid, "Key ID must be set")
+
+	return kid
+}