release: 0.8.0

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.env.example

@@ -1 +1,2 @@
 PUBLIC_APP_URL=http://localhost
+TRUST_PROXY=false

.github/workflows/build-and-push-docker-image.yml

@@ -23,6 +23,9 @@ jobs:
           username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 
+      - name: Download GeoLite2 City database
+        run: MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }} sh scripts/download-ip-database.sh
+    
       - name: Build and push
         uses: docker/build-push-action@v4
         with:

.gitignore

@@ -35,3 +35,4 @@ vite.config.ts.timestamp-*
 data
 /frontend/tests/.auth
 pocket-id-backend
+/backend/GeoLite2-City.mmdb

.version

@@ -1 +1 @@
-0.2.1
+0.8.0

CHANGELOG.md

@@ -1,3 +1,123 @@
+## [](https://github.com/stonith404/pocket-id/compare/v0.7.1...v) (2024-10-04)
+
+
+### Features
+
+* add location based on ip to the audit log ([025378d](https://github.com/stonith404/pocket-id/commit/025378d14edd2d72da76e90799a0ccdd42cf672c))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.7.0...v) (2024-10-03)
+
+
+### Bug Fixes
+
+* initials don't get displayed if Gravatar avatar doesn't exist ([e095628](https://github.com/stonith404/pocket-id/commit/e09562824a794bc7d240e9d229709d4b389db7d5))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.6.0...v) (2024-10-03)
+
+
+### ⚠ BREAKING CHANGES
+
+* add ability to set light and dark mode logo
+
+### Features
+
+* add ability to set light and dark mode logo ([be45eed](https://github.com/stonith404/pocket-id/commit/be45eed125e33e9930572660a034d5f12dc310ce))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.3...v) (2024-10-02)
+
+
+### Features
+
+* add copy to clipboard option for OIDC client information ([f82020c](https://github.com/stonith404/pocket-id/commit/f82020ccfb0d4fbaa1dd98182188149d8085252a))
+* add gravatar profile picture integration ([365734e](https://github.com/stonith404/pocket-id/commit/365734ec5d8966c2ab877c60cfb176b9cdc36880))
+* add user groups ([24c948e](https://github.com/stonith404/pocket-id/commit/24c948e6a66f283866f6c8369c16fa6cbcfa626c))
+
+
+### Bug Fixes
+
+* only return user groups if it is explicitly requested ([a4a90a1](https://github.com/stonith404/pocket-id/commit/a4a90a16a9726569a22e42560184319b25fd7ca6))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.2...v) (2024-09-26)
+
+
+### Bug Fixes
+
+* add space to "Firstname" and "Lastname" label ([#31](https://github.com/stonith404/pocket-id/issues/31)) ([d6a9bb4](https://github.com/stonith404/pocket-id/commit/d6a9bb4c09efb8102da172e49c36c070b341f0fc))
+* port environment variables get ignored in caddyfile ([3c67765](https://github.com/stonith404/pocket-id/commit/3c67765992d7369a79812bc8cd216c9ba12fd96e))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.1...v) (2024-09-19)
+
+
+### Bug Fixes
+
+* updated application name doesn't apply to webauthn credential ([924bb14](https://github.com/stonith404/pocket-id/commit/924bb1468bbd8e42fa6a530ef740be73ce3b3914))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.5.0...v) (2024-09-16)
+
+
+### Features
+
+* **email:** improve email templating ([#27](https://github.com/stonith404/pocket-id/issues/27)) ([64cf562](https://github.com/stonith404/pocket-id/commit/64cf56276a07169bc601a11be905c1eea67c4750))
+
+
+### Bug Fixes
+
+* debounce oidc client and user search ([9c2848d](https://github.com/stonith404/pocket-id/commit/9c2848db1d93c230afc6c5f64e498e9f6df8c8a7))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.4.1...v) (2024-09-09)
+
+
+### Features
+
+* add audit log with email notification ([#26](https://github.com/stonith404/pocket-id/issues/26)) ([9121239](https://github.com/stonith404/pocket-id/commit/9121239dd7c14a2107a984f9f94f54227489a63a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.4.0...v) (2024-09-06)
+
+
+### Features
+
+* add name claim to userinfo endpoint and id token ([4e7574a](https://github.com/stonith404/pocket-id/commit/4e7574a297307395603267c7a3285d538d4111d8))
+
+
+### Bug Fixes
+
+* limit width of content on large screens ([c6f83a5](https://github.com/stonith404/pocket-id/commit/c6f83a581ad385391d77fec7eeb385060742f097))
+* show error message if error occurs while authorizing new client ([8038a11](https://github.com/stonith404/pocket-id/commit/8038a111dd7fa8f5d421b29c3bc0c11d865dc71b))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.3.1...v) (2024-09-03)
+
+
+### Features
+
+* add setup details to oidc client details ([fd21ce5](https://github.com/stonith404/pocket-id/commit/fd21ce5aac1daeba04e4e7399a0720338ea710c2))
+* add support for more username formats ([903b0b3](https://github.com/stonith404/pocket-id/commit/903b0b39181c208e9411ee61849d2671e7c56dc5))
+
+
+### Bug Fixes
+
+* non pointer passed to create user ([e7861df](https://github.com/stonith404/pocket-id/commit/e7861df95a6beecab359d1c56f4383373f74bb73))
+* oidc client logo not displayed on authorize page ([28ed064](https://github.com/stonith404/pocket-id/commit/28ed064668afeec8f80adda59ba94f1fc2fbce17))
+* typo in hasLogo property of oidc dto ([2b9413c](https://github.com/stonith404/pocket-id/commit/2b9413c7575e1322f8547490a9b02a1836bad549))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.3.0...v) (2024-08-24)
+
+
+### Bug Fixes
+
+* empty lists don't get returned correctly from the api ([97f7fc4](https://github.com/stonith404/pocket-id/commit/97f7fc4e288c2bb49210072a7a151b58ef44f5b5))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.2.1...v) (2024-08-23)
+
+
+### Features
+
+* add support for multiple callback urls ([8166e2e](https://github.com/stonith404/pocket-id/commit/8166e2ead7fc71a0b7a45950b05c5c65a60833b6))
+
+
+### Bug Fixes
+
+* db migration for multiple callback urls ([552d7cc](https://github.com/stonith404/pocket-id/commit/552d7ccfa58d7922ecb94bdfe6a86651b4cf2745))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.2.0...v) (2024-08-19)
 
 

CONTRIBUTING.md

@@ -61,7 +61,7 @@ You're all set!
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.
 
 #### Setup
-Run `caddy run --config Caddyfile` in the root folder.
+Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.
 
 ### Testing
 

Caddyfile

@@ -1,10 +0,0 @@
-:80 {
-    reverse_proxy /api/* http://localhost:8080
-    reverse_proxy /.well-known/* http://localhost:8080
-    reverse_proxy /* http://localhost:3000
-
-    log {
-        output file /var/log/caddy/access.log
-        level WARN
-    }
-}

Dockerfile

@@ -8,7 +8,7 @@ RUN npm run build
 RUN npm prune --production
 
 # Stage 2: Build Backend
-FROM golang:1.22-alpine AS backend-builder
+FROM golang:1.23-alpine AS backend-builder
 WORKDIR /app/backend
 COPY ./backend/go.mod ./backend/go.sum ./
 RUN go mod download
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 # Stage 3: Production Image
 FROM node:20-alpine
 RUN apk add --no-cache caddy
-COPY ./Caddyfile /etc/caddy/Caddyfile
+COPY ./reverse-proxy /etc/caddy/
 
 WORKDIR /app
 COPY --from=frontend-builder /app/frontend/build ./frontend/build
@@ -31,6 +31,8 @@ COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json
 
 COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend
 COPY --from=backend-builder /app/backend/migrations ./backend/migrations
+COPY --from=backend-builder /app/backend/GeoLite2-City.mmdb ./backend/GeoLite2-City.mmdb
+COPY --from=backend-builder /app/backend/email-templates ./backend/email-templates
 COPY --from=backend-builder /app/backend/images ./backend/images
 
 COPY ./scripts ./scripts

README.md

@@ -2,7 +2,7 @@
 
 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
 
-<img src="https://github.com/user-attachments/assets/783dc0c1-1580-476b-9bb1-d9ef1077bc1e" width="1200"/>
+<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>
 
 The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
 
@@ -41,7 +41,7 @@ Pocket ID is available as a template on the Community Apps store.
 Required tools:
 
 - [Node.js](https://nodejs.org/en/download/) >= 20
-- [Go](https://golang.org/doc/install) >= 1.22
+- [Go](https://golang.org/doc/install) >= 1.23
 - [Git](https://git-scm.com/downloads)
 - [PM2](https://pm2.keymetrics.io/)
 - [Caddy](https://caddyserver.com/docs/install) (optional)
@@ -68,6 +68,10 @@ Required tools:
    cd ..
    pm2 start pocket-id-backend --name pocket-id-backend
 
+   # Optional: Download the GeoLite2 city database. 
+   # If not downloaded the ip location in the audit log will be empty.
+   MAXMIND_LICENSE_KEY=<your-key> sh scripts/download-ip-database.sh
+
    # Start the frontend
    cd ../frontend
    npm install
@@ -91,9 +95,16 @@ You may need the following information:
 
 - **Authorization URL**: `https://<your-domain>/authorize`
 - **Token URL**: `https://<your-domain>/api/oidc/token`
+- **Userinfo URL**: `https://<your-domain>/api/oidc/userinfo`
 - **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
 - **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
-- **PKCE**: `false` as this is not supported yet.
+- **Scopes**: At least `openid email`. Optionally you can add `profile` and `groups`.
+
+### Proxy Services with Pocket ID
+
+As the goal of Pocket ID is to stay simple, we don't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/) to add authentication to your services that don't support OIDC.
+
+See the [guide](docs/proxy-services.md) for more information.
 
 ### Update
 
@@ -124,6 +135,9 @@ docker compose up -d
    cd ..
    pm2 start pocket-id-backend --name pocket-id-backend
 
+   # Optional: Update the GeoLite2 city database
+   MAXMIND_LICENSE_KEY=<your-key> sh scripts/download-ip-database.sh
+
    # Start the frontend
    cd ../frontend
    npm install
@@ -140,6 +154,7 @@ docker compose up -d
 | Variable               | Default Value           | Recommended to change | Description                                   |
 | ---------------------- | ----------------------- | --------------------- | --------------------------------------------- |
 | `PUBLIC_APP_URL`       | `http://localhost`      | yes                   | The URL where you will access the app.        |
+| `TRUST_PROXY`          | `false`                 | yes                   | Whether the app is behind a reverse proxy.    |
 | `DB_PATH`              | `data/pocket-id.db`     | no                    | The path to the SQLite database.              |
 | `UPLOAD_PATH`          | `data/uploads`          | no                    | The path where the uploaded files are stored. |
 | `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no                    | The URL where the backend is accessible.      |

backend/email-templates/components/email_html.tmpl

@@ -0,0 +1,14 @@
+{{ define "root" }}
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    {{ template "style" . }}
+</head>
+<body>
+    <div class="container">
+        {{ template "base" . }}
+    </div>
+</body>
+</html>
+{{ end }}

backend/email-templates/components/email_text.tmpl

@@ -0,0 +1,7 @@
+{{- define "root" -}}
+{{- template "base" . -}}
+{{- end }}
+
+
+--
+This is automatically sent email from {{.AppName}}.

backend/email-templates/components/style_html.tmpl

@@ -0,0 +1,80 @@
+{{ define "style" }}
+<style>
+  body {
+    font-family: Arial, sans-serif;
+    background-color: #f0f0f0;
+    color: #333;
+    margin: 0;
+    padding: 0;
+  }
+  .container {
+    background-color: #fff;
+    color: #333;
+    padding: 32px;
+    border-radius: 10px;
+    max-width: 600px;
+    margin: 40px auto;
+    box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+  }
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    margin-bottom: 24px;
+  }
+  .header .logo {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+  }
+  .header .logo img {
+    width: 32px;
+    height: 32px;
+    object-fit: cover;
+  }
+  .header h1 {
+    font-size: 1.5rem;
+    font-weight: bold;
+  }
+  .warning {
+    background-color: #ffd966;
+    color: #7f6000;
+    padding: 4px 12px;
+    border-radius: 50px;
+    font-size: 0.875rem;
+  }
+  .content {
+    background-color: #fafafa;
+    color: #333;
+    padding: 24px;
+    border-radius: 10px;
+  }
+  .content h2 {
+    font-size: 1.25rem;
+    font-weight: bold;
+    margin-bottom: 16px;
+  }
+  .grid {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 16px;
+    margin-bottom: 16px;
+  }
+  .grid div {
+    display: flex;
+    flex-direction: column;
+  }
+  .grid p {
+    margin: 0;
+  }
+  .label {
+    color: #888;
+    font-size: 0.875rem;
+    margin-bottom: 4px;
+  }
+  .message {
+    font-size: 1rem;
+    line-height: 1.5;
+  }
+</style>
+{{ end }}

backend/email-templates/login-with-new-device_html.tmpl

@@ -0,0 +1,36 @@
+{{ define "base" }}
+    <div class="header">
+        <div class="logo">
+            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
+            <h1>{{ .AppName }}</h1>
+        </div>
+        <div class="warning">Warning</div>
+    </div>
+    <div class="content">
+        <h2>New Sign-In Detected</h2>
+        <div class="grid">
+            {{ if and .Data.City .Data.Country }}
+            <div>
+                <p class="label">Approximate Location</p>
+                <p>{{ .Data.City }}, {{ .Data.Country }}</p>
+            </div>
+            {{ end }}
+            <div>
+                <p class="label">IP Address</p>
+                <p>{{ .Data.IPAddress }}</p>
+            </div>
+            <div>
+                <p class="label">Device</p>
+                <p>{{ .Data.Device }}</p>
+            </div>
+            <div>
+                <p class="label">Sign-In Time</p>
+                <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC" }}</p>
+            </div>
+        </div>
+        <p class="message">
+            This sign-in was detected from a new device or location. If you recognize this activity, you can
+            safely ignore this message. If not, please review your account and security settings.
+        </p>
+    </div>
+{{ end -}}

backend/email-templates/login-with-new-device_text.tmpl

@@ -0,0 +1,15 @@
+{{ define "base" -}}
+New Sign-In Detected
+====================
+
+{{ if and .Data.City .Data.Country }}
+Approximate Location: {{ .Data.City }}, {{ .Data.Country }}
+{{ end }}
+IP Address: {{ .Data.IPAddress }}
+Device:     {{ .Data.Device }}
+Time:       {{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC"}}
+
+This sign-in was detected from a new device or location. If you recognize
+this activity, you can safely ignore this message. If not, please review
+your account and security settings.
+{{ end -}}

backend/go.mod

@@ -1,19 +1,22 @@
 module github.com/stonith404/pocket-id/backend
 
-go 1.22
+go 1.23.1
 
 require (
-	github.com/caarlos0/env/v11 v11.2.0
+	github.com/caarlos0/env/v11 v11.2.2
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gin-contrib/cors v1.7.2
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-co-op/gocron/v2 v2.11.0
-	github.com/go-webauthn/webauthn v0.11.0
+	github.com/go-playground/validator/v10 v10.22.0
+	github.com/go-webauthn/webauthn v0.11.1
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang-migrate/migrate/v4 v4.17.1
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
-	golang.org/x/crypto v0.25.0
+	github.com/mileusna/useragent v1.3.4
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
+	golang.org/x/crypto v0.26.0
 	golang.org/x/time v0.6.0
 	gorm.io/driver/sqlite v1.5.6
 	gorm.io/gorm v1.25.11
@@ -28,7 +31,6 @@ require (
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.22.0 // indirect
 	github.com/go-webauthn/x v0.1.12 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/google/go-tpm v0.9.1 // indirect
@@ -57,7 +59,7 @@ require (
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

backend/go.sum

@@ -3,8 +3,8 @@ github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKz
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
 github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.0 h1:kvB1ZmwdWgI3JsuuVUE7z4cY/6Ujr03D0w2WkOOH4Xs=
-github.com/caarlos0/env/v11 v11.2.0/go.mod h1:LwgkYk1kDvfGpHthrWWLof3Ny7PezzFwS4QrsJdHTMo=
+github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
+github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
 github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
 github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
@@ -33,8 +33,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao=
 github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/go-webauthn/webauthn v0.11.0 h1:2U0jWuGeoiI+XSZkHPFRtwaYtqmMUsqABtlfSq1rODo=
-github.com/go-webauthn/webauthn v0.11.0/go.mod h1:57ZrqsZzD/eboQDVtBkvTdfqFYAh/7IwzdPT+sPWqB0=
+github.com/go-webauthn/webauthn v0.11.1 h1:5G/+dg91/VcaJHTtJUfwIlNJkLwbJCcnUc4W8VtkpzA=
+github.com/go-webauthn/webauthn v0.11.1/go.mod h1:YXRm1WG0OtUyDFaVAgB5KG7kVqW+6dYCJ7FTQH4SxEE=
 github.com/go-webauthn/x v0.1.12 h1:RjQ5cvApzyU/xLCiP+rub0PE4HBZsLggbxGR5ZpUf/A=
 github.com/go-webauthn/x v0.1.12/go.mod h1:XlRcGkNH8PT45TfeJYc6gqpOtiOendHhVmnOxh+5yHs=
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
@@ -81,6 +81,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mileusna/useragent v1.3.4 h1:MiuRRuvGjEie1+yZHO88UBYg8YBC/ddF6T7F56i3PCk=
+github.com/mileusna/useragent v1.3.4/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -88,6 +90,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1 h1:UihPOz+oIJ5X0JsO7wEkL50fheCODsoZ9r86mJWfNMc=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1/go.mod h1:vPpFrres6g9B5+meBwAd9xnp335KFcLEFW7EqJxBHy0=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
 github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -122,8 +126,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/arch v0.9.0 h1:ub9TgUInamJ8mrZIGlBG6/4TqWeMszd4N8lNorbrr6k=
 golang.org/x/arch v0.9.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
@@ -132,8 +136,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
 golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=

backend/images/logo.svg

@@ -1,17 +1 @@
-<svg id="a"
-    xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1015 1015">
-    <path d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z" />
-    <style>
-     @media (prefers-color-scheme: dark) {
-            #a path {
-                fill: #ffffff;
-            }
-        }
-
-        @media (prefers-color-scheme: light) {
-            #a path {
-                fill: #000000;
-            }
-        }
-    </style>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015"><path d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/><style>@media (prefers-color-scheme:dark){#a path{fill:#fff}}@media (prefers-color-scheme:light){#a path{fill:#000}}</style></svg>

backend/images/logoDark.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
+    <path fill="white" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
+</svg>

backend/images/logoLight.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
+    <path fill="black" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
+</svg>

backend/internal/bootstrap/application_images_bootstrap.go

@@ -5,24 +5,53 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"log"
 	"os"
+	"strings"
 )
 
+// initApplicationImages copies the images from the images directory to the application-images directory
 func initApplicationImages() {
 	dirPath := common.EnvConfig.UploadPath + "/application-images"
 
-	files, err := os.ReadDir(dirPath)
+	sourceFiles, err := os.ReadDir("./images")
 	if err != nil && !os.IsNotExist(err) {
 		log.Fatalf("Error reading directory: %v", err)
 	}
 
-	// Skip if files already exist
-	if len(files) > 1 {
-		return
+	destinationFiles, err := os.ReadDir(dirPath)
+	if err != nil && !os.IsNotExist(err) {
+		log.Fatalf("Error reading directory: %v", err)
 	}
 
-	// Copy files from source to destination
-	err = utils.CopyDirectory("./images", dirPath)
-	if err != nil {
-		log.Fatalf("Error copying directory: %v", err)
+	// Copy images from the images directory to the application-images directory if they don't already exist
+	for _, sourceFile := range sourceFiles {
+		if sourceFile.IsDir() || imageAlreadyExists(sourceFile.Name(), destinationFiles) {
+			continue
 		}
+		srcFilePath := "./images/" + sourceFile.Name()
+		destFilePath := dirPath + "/" + sourceFile.Name()
+
+		err := utils.CopyFile(srcFilePath, destFilePath)
+		if err != nil {
+			log.Fatalf("Error copying file: %v", err)
+		}
+	}
+
+}
+
+func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
+	for _, destinationFile := range destinationFiles {
+		sourceFileWithoutExtension := getImageNameWithoutExtension(fileName)
+		destinationFileWithoutExtension := getImageNameWithoutExtension(destinationFile.Name())
+
+		if sourceFileWithoutExtension == destinationFileWithoutExtension {
+			return true
+		}
+	}
+
+	return false
+}
+
+func getImageNameWithoutExtension(fileName string) string {
+	splitted := strings.Split(fileName, ".")
+	return strings.Join(splitted[:len(splitted)-1], ".")
 }

backend/internal/bootstrap/router_bootstrap.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"log"
+	"os"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -27,29 +28,37 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	r := gin.Default()
 	r.Use(gin.Logger())
 
-	// Add middleware
-	r.Use(
-		middleware.NewCorsMiddleware().Add(),
-		middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60),
-	)
-
 	// Initialize services
-	webauthnService := service.NewWebAuthnService(db, appConfigService)
+	templateDir := os.DirFS(common.EnvConfig.EmailTemplatesPath)
+	emailService, err := service.NewEmailService(appConfigService, templateDir)
+	if err != nil {
+		log.Fatalf("Unable to create email service: %s", err)
+	}
+
+	auditLogService := service.NewAuditLogService(db, appConfigService, emailService)
 	jwtService := service.NewJwtService(appConfigService)
+	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
 	userService := service.NewUserService(db, jwtService)
-	oidcService := service.NewOidcService(db, jwtService)
+	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService)
 	testService := service.NewTestService(db, appConfigService)
+	userGroupService := service.NewUserGroupService(db)
+
+	r.Use(middleware.NewCorsMiddleware().Add())
+	r.Use(middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60))
+	r.Use(middleware.NewJwtAuthMiddleware(jwtService, true).Add(false))
 
 	// Initialize middleware
-	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService)
+	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService, false)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
 
 	// Set up API routes
 	apiGroup := r.Group("/api")
-	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, jwtService)
+	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService)
 	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
 	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService)
-	controller.NewApplicationConfigurationController(apiGroup, jwtAuthMiddleware, appConfigService)
+	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService)
+	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
+	controller.NewUserGroupController(apiGroup, jwtAuthMiddleware, userGroupService)
 
 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {

backend/internal/common/env_config.go

@@ -13,6 +13,7 @@ type EnvConfigSchema struct {
 	UploadPath         string `env:"UPLOAD_PATH"`
 	Port               string `env:"BACKEND_PORT"`
 	Host               string `env:"HOST"`
+	EmailTemplatesPath string `env:"EMAIL_TEMPLATES_PATH"`
 }
 
 var EnvConfig = &EnvConfigSchema{
@@ -22,6 +23,7 @@ var EnvConfig = &EnvConfigSchema{
 	AppURL:             "http://localhost",
 	Port:               "8080",
 	Host:               "localhost",
+	EmailTemplatesPath: "./email-templates",
 }
 
 func init() {

backend/internal/common/errors.go

@@ -6,13 +6,14 @@ var (
 	ErrUsernameTaken                = errors.New("username is already taken")
 	ErrEmailTaken                   = errors.New("email is already taken")
 	ErrSetupAlreadyCompleted        = errors.New("setup already completed")
-	ErrInvalidBody                  = errors.New("invalid request body")
 	ErrTokenInvalidOrExpired        = errors.New("token is invalid or expired")
 	ErrOidcMissingAuthorization     = errors.New("missing authorization")
 	ErrOidcGrantTypeNotSupported    = errors.New("grant type not supported")
 	ErrOidcMissingClientCredentials = errors.New("client id or secret not provided")
 	ErrOidcClientSecretInvalid      = errors.New("invalid client secret")
 	ErrOidcInvalidAuthorizationCode = errors.New("invalid authorization code")
+	ErrOidcInvalidCallbackURL       = errors.New("invalid callback URL")
 	ErrFileTypeNotSupported         = errors.New("file type not supported")
 	ErrInvalidCredentials           = errors.New("no user found with provided credentials")
+	ErrNameAlreadyInUse             = errors.New("name is already in use")
 )

backend/internal/controller/app_config_controller.go

@@ -5,24 +5,24 @@ import (
 	"fmt"
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
 )
 
-func NewApplicationConfigurationController(
+func NewAppConfigController(
 	group *gin.RouterGroup,
 	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
 	appConfigService *service.AppConfigService) {
 
-	acc := &ApplicationConfigurationController{
+	acc := &AppConfigController{
 		appConfigService: appConfigService,
 	}
-	group.GET("/application-configuration", acc.listApplicationConfigurationHandler)
-	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllApplicationConfigurationHandler)
-	group.PUT("/application-configuration", acc.updateApplicationConfigurationHandler)
+	group.GET("/application-configuration", acc.listAppConfigHandler)
+	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
+	group.PUT("/application-configuration", acc.updateAppConfigHandler)
 
 	group.GET("/application-configuration/logo", acc.getLogoHandler)
 	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
@@ -32,86 +32,128 @@ func NewApplicationConfigurationController(
 	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
 }
 
-type ApplicationConfigurationController struct {
+type AppConfigController struct {
 	appConfigService *service.AppConfigService
 }
 
-func (acc *ApplicationConfigurationController) listApplicationConfigurationHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListApplicationConfiguration(false)
+func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListAppConfig(false)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(200, configuration)
-}
-
-func (acc *ApplicationConfigurationController) listAllApplicationConfigurationHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListApplicationConfiguration(true)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
+	var configVariablesDto []dto.PublicAppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(200, configuration)
+	c.JSON(200, configVariablesDto)
 }
 
-func (acc *ApplicationConfigurationController) updateApplicationConfigurationHandler(c *gin.Context) {
-	var input model.AppConfigUpdateDto
+func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListAppConfig(true)
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(200, configVariablesDto)
+}
+
+func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
+	var input dto.AppConfigUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
-	savedConfigVariables, err := acc.appConfigService.UpdateApplicationConfiguration(input)
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusOK, savedConfigVariables)
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
 }
 
-func (acc *ApplicationConfigurationController) getLogoHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
-	acc.getImage(c, "logo", imageType)
+func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
+	lightLogo := c.DefaultQuery("light", "true") == "true"
+
+	var imageName string
+	var imageType string
+
+	if lightLogo {
+		imageName = "logoLight"
+		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+	} else {
+		imageName = "logoDark"
+		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+	}
+
+	acc.getImage(c, imageName, imageType)
 }
 
-func (acc *ApplicationConfigurationController) getFaviconHandler(c *gin.Context) {
+func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
 	acc.getImage(c, "favicon", "ico")
 }
 
-func (acc *ApplicationConfigurationController) getBackgroundImageHandler(c *gin.Context) {
+func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
 	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
 	acc.getImage(c, "background", imageType)
 }
 
-func (acc *ApplicationConfigurationController) updateLogoHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
-	acc.updateImage(c, "logo", imageType)
+func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
+	lightLogo := c.DefaultQuery("light", "true") == "true"
+
+	var imageName string
+	var imageType string
+
+	if lightLogo {
+		imageName = "logoLight"
+		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+	} else {
+		imageName = "logoDark"
+		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+	}
+
+	acc.updateImage(c, imageName, imageType)
 }
 
-func (acc *ApplicationConfigurationController) updateFaviconHandler(c *gin.Context) {
+func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	fileType := utils.GetFileExtension(file.Filename)
 	if fileType != "ico" {
-		utils.HandlerError(c, http.StatusBadRequest, "File must be of type .ico")
+		utils.CustomControllerError(c, http.StatusBadRequest, "File must be of type .ico")
 		return
 	}
 	acc.updateImage(c, "favicon", "ico")
 }
 
-func (acc *ApplicationConfigurationController) updateBackgroundImageHandler(c *gin.Context) {
+func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
 	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
 	acc.updateImage(c, "background", imageType)
 }
 
-func (acc *ApplicationConfigurationController) getImage(c *gin.Context, name string, imageType string) {
+func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
 	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
 	mimeType := utils.GetImageMimeType(imageType)
 
@@ -119,19 +161,19 @@ func (acc *ApplicationConfigurationController) getImage(c *gin.Context, name str
 	c.File(imagePath)
 }
 
-func (acc *ApplicationConfigurationController) updateImage(c *gin.Context, imageName string, oldImageType string) {
+func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, oldImageType string) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
 	if err != nil {
 		if errors.Is(err, common.ErrFileTypeNotSupported) {
-			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}

backend/internal/controller/audit_log_controller.go

@@ -0,0 +1,56 @@
+package controller
+
+import (
+	"github.com/stonith404/pocket-id/backend/internal/dto"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+)
+
+func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {
+	alc := AuditLogController{
+		auditLogService: auditLogService,
+	}
+
+	group.GET("/audit-logs", jwtAuthMiddleware.Add(false), alc.listAuditLogsForUserHandler)
+}
+
+type AuditLogController struct {
+	auditLogService *service.AuditLogService
+}
+
+func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
+
+	// Fetch audit logs for the user
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, page, pageSize)
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	// Map the audit logs to DTOs
+	var logsDtos []dto.AuditLogDto
+	err = dto.MapStructList(logs, &logsDtos)
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	// Add device information to the logs
+	for i, logsDto := range logsDtos {
+		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDtos[i] = logsDto
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"data":       logsDtos,
+		"pagination": pagination,
+	})
+}

backend/internal/controller/oidc_controller.go

@@ -4,8 +4,8 @@ import (
 	"errors"
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
@@ -40,71 +40,87 @@ type OidcController struct {
 }
 
 func (oc *OidcController) authorizeHandler(c *gin.Context) {
-	var parsedBody model.AuthorizeRequest
-	if err := c.ShouldBindJSON(&parsedBody); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+	var input dto.AuthorizeOidcClientRequestDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
-	code, err := oc.oidcService.Authorize(parsedBody, c.GetString("userID"))
+	code, callbackURL, err := oc.oidcService.Authorize(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		if errors.Is(err, common.ErrOidcMissingAuthorization) {
-			utils.HandlerError(c, http.StatusForbidden, err.Error())
+			utils.CustomControllerError(c, http.StatusForbidden, err.Error())
+		} else if errors.Is(err, common.ErrOidcInvalidCallbackURL) {
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
 
-	c.JSON(http.StatusOK, gin.H{"code": code})
+	response := dto.AuthorizeOidcClientResponseDto{
+		Code:        code,
+		CallbackURL: callbackURL,
+	}
+
+	c.JSON(http.StatusOK, response)
 }
 
 func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
-	var parsedBody model.AuthorizeNewClientDto
-	if err := c.ShouldBindJSON(&parsedBody); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+	var input dto.AuthorizeOidcClientRequestDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
-	code, err := oc.oidcService.AuthorizeNewClient(parsedBody, c.GetString("userID"))
+	code, callbackURL, err := oc.oidcService.AuthorizeNewClient(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		if errors.Is(err, common.ErrOidcInvalidCallbackURL) {
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
+		} else {
+			utils.ControllerError(c, err)
+		}
 		return
 	}
 
-	c.JSON(http.StatusOK, gin.H{"code": code})
+	response := dto.AuthorizeOidcClientResponseDto{
+		Code:        code,
+		CallbackURL: callbackURL,
+	}
+
+	c.JSON(http.StatusOK, response)
 }
 
 func (oc *OidcController) createIDTokenHandler(c *gin.Context) {
-	var body model.OidcIdTokenDto
+	var input dto.OidcIdTokenDto
 
-	if err := c.ShouldBind(&body); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+	if err := c.ShouldBind(&input); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
-	clientID := body.ClientID
-	clientSecret := body.ClientSecret
+	clientID := input.ClientID
+	clientSecret := input.ClientSecret
 
 	// Client id and secret can also be passed over the Authorization header
 	if clientID == "" || clientSecret == "" {
 		var ok bool
 		clientID, clientSecret, ok = c.Request.BasicAuth()
 		if !ok {
-			utils.HandlerError(c, http.StatusBadRequest, "Client id and secret not provided")
+			utils.CustomControllerError(c, http.StatusBadRequest, "Client id and secret not provided")
 			return
 		}
 	}
 
-	idToken, accessToken, err := oc.oidcService.CreateTokens(body.Code, body.GrantType, clientID, clientSecret)
+	idToken, accessToken, err := oc.oidcService.CreateTokens(input.Code, input.GrantType, clientID, clientSecret)
 	if err != nil {
 		if errors.Is(err, common.ErrOidcGrantTypeNotSupported) ||
 			errors.Is(err, common.ErrOidcMissingClientCredentials) ||
 			errors.Is(err, common.ErrOidcClientSecretInvalid) ||
 			errors.Is(err, common.ErrOidcInvalidAuthorizationCode) {
-			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
@@ -116,14 +132,14 @@ func (oc *OidcController) userInfoHandler(c *gin.Context) {
 	token := strings.Split(c.GetHeader("Authorization"), " ")[1]
 	jwtClaims, err := oc.jwtService.VerifyOauthAccessToken(token)
 	if err != nil {
-		utils.HandlerError(c, http.StatusUnauthorized, common.ErrTokenInvalidOrExpired.Error())
+		utils.CustomControllerError(c, http.StatusUnauthorized, common.ErrTokenInvalidOrExpired.Error())
 		return
 	}
 	userID := jwtClaims.Subject
 	clientId := jwtClaims.Audience[0]
 	claims, err := oc.oidcService.GetUserClaimsForClient(userID, clientId)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -134,11 +150,28 @@ func (oc *OidcController) getClientHandler(c *gin.Context) {
 	clientId := c.Param("id")
 	client, err := oc.oidcService.GetClient(clientId)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusOK, client)
+	// Return a different DTO based on the user's role
+	if c.GetBool("userIsAdmin") {
+		clientDto := dto.OidcClientDto{}
+		err = dto.MapStruct(client, &clientDto)
+		if err == nil {
+			c.JSON(http.StatusOK, clientDto)
+			return
+		}
+	} else {
+		clientDto := dto.PublicOidcClientDto{}
+		err = dto.MapStruct(client, &clientDto)
+		if err == nil {
+			c.JSON(http.StatusOK, clientDto)
+			return
+		}
+	}
+
+	utils.ControllerError(c, err)
 }
 
 func (oc *OidcController) listClientsHandler(c *gin.Context) {
@@ -148,36 +181,48 @@ func (oc *OidcController) listClientsHandler(c *gin.Context) {
 
 	clients, pagination, err := oc.oidcService.ListClients(searchTerm, page, pageSize)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var clientsDto []dto.OidcClientDto
+	if err := dto.MapStructList(clients, &clientsDto); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
 	c.JSON(http.StatusOK, gin.H{
-		"data":       clients,
+		"data":       clientsDto,
 		"pagination": pagination,
 	})
 }
 
 func (oc *OidcController) createClientHandler(c *gin.Context) {
-	var input model.OidcClientCreateDto
+	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	client, err := oc.oidcService.CreateClient(input, c.GetString("userID"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusCreated, client)
+	var clientDto dto.OidcClientDto
+	if err := dto.MapStruct(client, &clientDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, clientDto)
 }
 
 func (oc *OidcController) deleteClientHandler(c *gin.Context) {
 	err := oc.oidcService.DeleteClient(c.Param("id"))
 	if err != nil {
-		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -185,25 +230,31 @@ func (oc *OidcController) deleteClientHandler(c *gin.Context) {
 }
 
 func (oc *OidcController) updateClientHandler(c *gin.Context) {
-	var input model.OidcClientCreateDto
+	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	client, err := oc.oidcService.UpdateClient(c.Param("id"), input)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusNoContent, client)
+	var clientDto dto.OidcClientDto
+	if err := dto.MapStruct(client, &clientDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, clientDto)
 }
 
 func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
 	secret, err := oc.oidcService.CreateClientSecret(c.Param("id"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -213,7 +264,7 @@ func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
 func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Param("id"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -224,16 +275,16 @@ func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	err = oc.oidcService.UpdateClientLogo(c.Param("id"), file)
 	if err != nil {
 		if errors.Is(err, common.ErrFileTypeNotSupported) {
-			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
@@ -244,7 +295,7 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
 	err := oc.oidcService.DeleteClientLogo(c.Param("id"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 

backend/internal/controller/test_controller.go

@@ -4,6 +4,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"net/http"
 )
 
 func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
@@ -18,19 +19,19 @@ type TestController struct {
 
 func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 	if err := tc.TestService.ResetDatabase(); err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
 	if err := tc.TestService.ResetApplicationImages(); err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
 	if err := tc.TestService.SeedDatabase(); err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(200, gin.H{"message": "Database reset and seeded"})
+	c.Status(http.StatusNoContent)
 }

backend/internal/controller/user_controller.go

@@ -4,8 +4,8 @@ import (
 	"errors"
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"golang.org/x/time/rate"
@@ -43,12 +43,18 @@ func (uc *UserController) listUsersHandler(c *gin.Context) {
 
 	users, pagination, err := uc.UserService.ListUsers(searchTerm, page, pageSize)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var usersDto []dto.UserDto
+	if err := dto.MapStructList(users, &usersDto); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
 	c.JSON(http.StatusOK, gin.H{
-		"data":       users,
+		"data":       usersDto,
 		"pagination": pagination,
 	})
 }
@@ -56,25 +62,38 @@ func (uc *UserController) listUsersHandler(c *gin.Context) {
 func (uc *UserController) getUserHandler(c *gin.Context) {
 	user, err := uc.UserService.GetUser(c.Param("id"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusOK, user)
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
 }
 
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
 	user, err := uc.UserService.GetUser(c.GetString("userID"))
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
-	c.JSON(http.StatusOK, user)
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
 }
 
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
 	if err := uc.UserService.DeleteUser(c.Param("id")); err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -82,22 +101,29 @@ func (uc *UserController) deleteUserHandler(c *gin.Context) {
 }
 
 func (uc *UserController) createUserHandler(c *gin.Context) {
-	var user model.User
-	if err := c.ShouldBindJSON(&user); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+	var input dto.UserCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
-	if err := uc.UserService.CreateUser(&user); err != nil {
+	user, err := uc.UserService.CreateUser(input)
+	if err != nil {
 		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.HandlerError(c, http.StatusConflict, err.Error())
+			utils.CustomControllerError(c, http.StatusConflict, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
 
-	c.JSON(http.StatusCreated, user)
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, userDto)
 }
 
 func (uc *UserController) updateUserHandler(c *gin.Context) {
@@ -109,15 +135,15 @@ func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
 }
 
 func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
-	var input model.OneTimeAccessTokenCreateDto
+	var input dto.OneTimeAccessTokenCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -128,9 +154,9 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 	user, token, err := uc.UserService.ExchangeOneTimeAccessToken(c.Param("token"))
 	if err != nil {
 		if errors.Is(err, common.ErrTokenInvalidOrExpired) {
-			utils.HandlerError(c, http.StatusUnauthorized, err.Error())
+			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
@@ -143,21 +169,27 @@ func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
 	user, token, err := uc.UserService.SetupInitialAdmin()
 	if err != nil {
 		if errors.Is(err, common.ErrSetupAlreadyCompleted) {
-			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
 
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
 	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, user)
+	c.JSON(http.StatusOK, userDto)
 }
 
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
-	var updatedUser model.User
-	if err := c.ShouldBindJSON(&updatedUser); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+	var input dto.UserCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -168,15 +200,21 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}
 
-	user, err := uc.UserService.UpdateUser(userID, updatedUser, updateOwnUser)
+	user, err := uc.UserService.UpdateUser(userID, input, updateOwnUser)
 	if err != nil {
 		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.HandlerError(c, http.StatusConflict, err.Error())
+			utils.CustomControllerError(c, http.StatusConflict, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
 
-	c.JSON(http.StatusOK, user)
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
 }

backend/internal/controller/user_group_controller.go

@@ -0,0 +1,162 @@
+package controller
+
+import (
+	"errors"
+	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+)
+
+func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {
+	ugc := UserGroupController{
+		UserGroupService: userGroupService,
+	}
+
+	group.GET("/user-groups", jwtAuthMiddleware.Add(true), ugc.list)
+	group.GET("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.get)
+	group.POST("/user-groups", jwtAuthMiddleware.Add(true), ugc.create)
+	group.PUT("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.update)
+	group.DELETE("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.delete)
+	group.PUT("/user-groups/:id/users", jwtAuthMiddleware.Add(true), ugc.updateUsers)
+}
+
+type UserGroupController struct {
+	UserGroupService *service.UserGroupService
+}
+
+func (ugc *UserGroupController) list(c *gin.Context) {
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
+	searchTerm := c.Query("search")
+
+	groups, pagination, err := ugc.UserGroupService.List(searchTerm, page, pageSize)
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
+	for i, group := range groups {
+		var groupDto dto.UserGroupDtoWithUserCount
+		if err := dto.MapStruct(group, &groupDto); err != nil {
+			utils.ControllerError(c, err)
+			return
+		}
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(group.ID)
+		if err != nil {
+			utils.ControllerError(c, err)
+			return
+		}
+		groupsDto[i] = groupDto
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"data":       groupsDto,
+		"pagination": pagination,
+	})
+}
+
+func (ugc *UserGroupController) get(c *gin.Context) {
+	group, err := ugc.UserGroupService.Get(c.Param("id"))
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+func (ugc *UserGroupController) create(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Create(input)
+	if err != nil {
+		if errors.Is(err, common.ErrNameAlreadyInUse) {
+			utils.CustomControllerError(c, http.StatusConflict, err.Error())
+		} else {
+			utils.ControllerError(c, err)
+		}
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, groupDto)
+}
+
+func (ugc *UserGroupController) update(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Update(c.Param("id"), input)
+	if err != nil {
+		if errors.Is(err, common.ErrNameAlreadyInUse) {
+			utils.CustomControllerError(c, http.StatusConflict, err.Error())
+		} else {
+			utils.ControllerError(c, err)
+		}
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+func (ugc *UserGroupController) delete(c *gin.Context) {
+	if err := ugc.UserGroupService.Delete(c.Param("id")); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (ugc *UserGroupController) updateUsers(c *gin.Context) {
+	var input dto.UserGroupUpdateUsersDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.UpdateUsers(c.Param("id"), input)
+	if err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}

backend/internal/controller/webauthn_controller.go

@@ -3,9 +3,8 @@ package controller
 import (
 	"errors"
 	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"log"
 	"net/http"
 	"time"
 
@@ -16,8 +15,8 @@ import (
 	"golang.org/x/time/rate"
 )
 
-func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, jwtService *service.JwtService) {
-	wc := &WebauthnController{webAuthnService: webauthnService, jwtService: jwtService}
+func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService) {
+	wc := &WebauthnController{webAuthnService: webauthnService}
 	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
 	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
 
@@ -33,15 +32,13 @@ func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware
 
 type WebauthnController struct {
 	webAuthnService *service.WebAuthnService
-	jwtService      *service.JwtService
 }
 
 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	options, err := wc.webAuthnService.BeginRegistration(userID)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
-		log.Println(err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -52,24 +49,30 @@ func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 	sessionID, err := c.Cookie("session_id")
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
+		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
 		return
 	}
 
 	userID := c.GetString("userID")
 	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusOK, credential)
+	var credentialDto dto.WebauthnCredentialDto
+	if err := dto.MapStruct(credential, &credentialDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDto)
 }
 
 func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
 	options, err := wc.webAuthnService.BeginLogin()
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -80,46 +83,53 @@ func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 	sessionID, err := c.Cookie("session_id")
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
+		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
 		return
 	}
 
 	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
 	if err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
 	userID := c.GetString("userID")
-	user, err := wc.webAuthnService.VerifyLogin(sessionID, userID, credentialAssertionData)
+
+	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, userID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		if errors.Is(err, common.ErrInvalidCredentials) {
-			utils.HandlerError(c, http.StatusUnauthorized, err.Error())
+			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
 		} else {
-			utils.UnknownHandlerError(c, err)
+			utils.ControllerError(c, err)
 		}
 		return
 	}
 
-	token, err := wc.jwtService.GenerateAccessToken(*user)
-	if err != nil {
-		utils.UnknownHandlerError(c, err)
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		utils.ControllerError(c, err)
 		return
 	}
 
 	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, user)
+	c.JSON(http.StatusOK, userDto)
 }
 
 func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentials, err := wc.webAuthnService.ListCredentials(userID)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.JSON(http.StatusOK, credentials)
+	var credentialDtos []dto.WebauthnCredentialDto
+	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDtos)
 }
 
 func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
@@ -128,7 +138,7 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 
 	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -139,19 +149,25 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")
 
-	var input model.WebauthnCredentialUpdateDto
+	var input dto.WebauthnCredentialUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		utils.ControllerError(c, err)
 		return
 	}
 
-	err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
-	c.Status(http.StatusNoContent)
+	var credentialDto dto.WebauthnCredentialDto
+	if err := dto.MapStruct(credential, &credentialDto); err != nil {
+		utils.ControllerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDto)
 }
 
 func (wc *WebauthnController) logoutHandler(c *gin.Context) {

backend/internal/controller/well_known_controller.go

@@ -21,7 +21,7 @@ type WellKnownController struct {
 func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
 	jwk, err := wkc.jwtService.GetJWK()
 	if err != nil {
-		utils.UnknownHandlerError(c, err)
+		utils.ControllerError(c, err)
 		return
 	}
 
@@ -37,7 +37,7 @@ func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
 		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
 		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
 		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "email", "preferred_username"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "preferred_username"},
 		"response_types_supported":              []string{"code", "id_token"},
 		"subject_types_supported":               []string{"public"},
 		"id_token_signing_alg_values_supported": []string{"RS256"},

backend/internal/dto/app_config_dto.go

@@ -0,0 +1,23 @@
+package dto
+
+type PublicAppConfigVariableDto struct {
+	Key   string `json:"key"`
+	Type  string `json:"type"`
+	Value string `json:"value"`
+}
+
+type AppConfigVariableDto struct {
+	PublicAppConfigVariableDto
+	IsPublic bool `json:"isPublic"`
+}
+
+type AppConfigUpdateDto struct {
+	AppName         string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration string `json:"sessionDuration" binding:"required"`
+	EmailEnabled    string `json:"emailEnabled" binding:"required"`
+	SmtHost         string `json:"smtpHost"`
+	SmtpPort        string `json:"smtpPort"`
+	SmtpFrom        string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser        string `json:"smtpUser"`
+	SmtpPassword    string `json:"smtpPassword"`
+}

backend/internal/dto/audit_log_dto.go

@@ -0,0 +1,19 @@
+package dto
+
+import (
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"time"
+)
+
+type AuditLogDto struct {
+	ID        string    `json:"id"`
+	CreatedAt time.Time `json:"createdAt"`
+
+	Event     model.AuditLogEvent `json:"event"`
+	IpAddress string              `json:"ipAddress"`
+	Country   string              `json:"country"`
+	City      string              `json:"city"`
+	Device    string              `json:"device"`
+	UserID    string              `json:"userID"`
+	Data      model.AuditLogData  `json:"data"`
+}

backend/internal/dto/dto_mapper.go

@@ -0,0 +1,103 @@
+package dto
+
+import (
+	"errors"
+	"reflect"
+)
+
+// MapStructList maps a list of source structs to a list of destination structs
+func MapStructList[S any, D any](source []S, destination *[]D) error {
+	*destination = make([]D, 0, len(source))
+
+	for _, item := range source {
+		var destItem D
+		if err := MapStruct(item, &destItem); err != nil {
+			return err
+		}
+		*destination = append(*destination, destItem)
+	}
+	return nil
+}
+
+// MapStruct maps a source struct to a destination struct
+func MapStruct[S any, D any](source S, destination *D) error {
+	// Ensure destination is a non-nil pointer
+	destValue := reflect.ValueOf(destination)
+	if destValue.Kind() != reflect.Ptr || destValue.IsNil() {
+		return errors.New("destination must be a non-nil pointer to a struct")
+	}
+
+	// Ensure source is a struct
+	sourceValue := reflect.ValueOf(source)
+	if sourceValue.Kind() != reflect.Struct {
+		return errors.New("source must be a struct")
+	}
+
+	return mapStructInternal(sourceValue, destValue.Elem())
+}
+
+func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
+	// Loop through the fields of the destination struct
+	for i := 0; i < destVal.NumField(); i++ {
+		destField := destVal.Field(i)
+		destFieldType := destVal.Type().Field(i)
+
+		if destFieldType.Anonymous {
+			// Recursively handle embedded structs
+			if err := mapStructInternal(sourceVal, destField); err != nil {
+				return err
+			}
+			continue
+		}
+
+		sourceField := sourceVal.FieldByName(destFieldType.Name)
+
+		// If the source field is valid and can be assigned to the destination field
+		if sourceField.IsValid() && destField.CanSet() {
+			// Handle direct assignment for simple types
+			if sourceField.Type() == destField.Type() {
+				destField.Set(sourceField)
+
+			} else if sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice {
+				// Handle slices
+				if sourceField.Type().Elem() == destField.Type().Elem() {
+					// Direct assignment for slices of primitive types or non-struct elements
+					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+
+					for j := 0; j < sourceField.Len(); j++ {
+						newSlice.Index(j).Set(sourceField.Index(j))
+					}
+
+					destField.Set(newSlice)
+
+				} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
+					// Recursively map slices of structs
+					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+
+					for j := 0; j < sourceField.Len(); j++ {
+						// Get the element from both source and destination slice
+						sourceElem := sourceField.Index(j)
+						destElem := reflect.New(destField.Type().Elem()).Elem()
+
+						// Recursively map the struct elements
+						if err := mapStructInternal(sourceElem, destElem); err != nil {
+							return err
+						}
+
+						// Set the mapped element in the new slice
+						newSlice.Index(j).Set(destElem)
+					}
+
+					destField.Set(newSlice)
+				}
+			} else if sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct {
+				// Recursively map nested structs
+				if err := mapStructInternal(sourceField, destField); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}

backend/internal/dto/oidc_dto.go

@@ -0,0 +1,37 @@
+package dto
+
+type PublicOidcClientDto struct {
+	ID      string `json:"id"`
+	Name    string `json:"name"`
+	HasLogo bool   `json:"hasLogo"`
+}
+
+type OidcClientDto struct {
+	PublicOidcClientDto
+	CallbackURLs []string `json:"callbackURLs"`
+	CreatedBy    UserDto  `json:"createdBy"`
+}
+
+type OidcClientCreateDto struct {
+	Name         string   `json:"name" binding:"required,max=50"`
+	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+}
+
+type AuthorizeOidcClientRequestDto struct {
+	ClientID    string `json:"clientID" binding:"required"`
+	Scope       string `json:"scope" binding:"required"`
+	CallbackURL string `json:"callbackURL"`
+	Nonce       string `json:"nonce"`
+}
+
+type AuthorizeOidcClientResponseDto struct {
+	Code        string `json:"code"`
+	CallbackURL string `json:"callbackURL"`
+}
+
+type OidcIdTokenDto struct {
+	GrantType    string `form:"grant_type" binding:"required"`
+	Code         string `form:"code" binding:"required"`
+	ClientID     string `form:"client_id"`
+	ClientSecret string `form:"client_secret"`
+}

backend/internal/dto/user_dto.go

@@ -0,0 +1,25 @@
+package dto
+
+import "time"
+
+type UserDto struct {
+	ID        string `json:"id"`
+	Username  string `json:"username"`
+	Email     string `json:"email" `
+	FirstName string `json:"firstName"`
+	LastName  string `json:"lastName"`
+	IsAdmin   bool   `json:"isAdmin"`
+}
+
+type UserCreateDto struct {
+	Username  string `json:"username" binding:"required,username,min=3,max=20"`
+	Email     string `json:"email" binding:"required,email"`
+	FirstName string `json:"firstName" binding:"required,min=3,max=30"`
+	LastName  string `json:"lastName" binding:"required,min=3,max=30"`
+	IsAdmin   bool   `json:"isAdmin"`
+}
+
+type OneTimeAccessTokenCreateDto struct {
+	UserID    string    `json:"userId" binding:"required"`
+	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+}

backend/internal/dto/user_group_dto.go

@@ -0,0 +1,32 @@
+package dto
+
+import "time"
+
+type UserGroupDtoWithUsers struct {
+	ID           string    `json:"id"`
+	FriendlyName string    `json:"friendlyName"`
+	Name         string    `json:"name"`
+	Users        []UserDto `json:"users"`
+	CreatedAt    time.Time `json:"createdAt"`
+}
+
+type UserGroupDtoWithUserCount struct {
+	ID           string    `json:"id"`
+	FriendlyName string    `json:"friendlyName"`
+	Name         string    `json:"name"`
+	UserCount    int64     `json:"userCount"`
+	CreatedAt    time.Time `json:"createdAt"`
+}
+
+type UserGroupCreateDto struct {
+	FriendlyName string `json:"friendlyName" binding:"required,min=3,max=30"`
+	Name         string `json:"name" binding:"required,min=3,max=30,userGroupName"`
+}
+
+type UserGroupUpdateUsersDto struct {
+	UserIDs []string `json:"userIds" binding:"required"`
+}
+
+type AssignUserToGroupDto struct {
+	UserID string `json:"userId" binding:"required"`
+}

backend/internal/dto/validations.go

@@ -0,0 +1,55 @@
+package dto
+
+import (
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
+	"log"
+	"net/url"
+	"regexp"
+)
+
+var validateUrlList validator.Func = func(fl validator.FieldLevel) bool {
+	urls := fl.Field().Interface().([]string)
+	for _, u := range urls {
+		_, err := url.ParseRequestURI(u)
+		if err != nil {
+			return false
+		}
+	}
+	return true
+}
+
+var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
+	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
+	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
+	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
+	regex := "^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$"
+	matched, _ := regexp.MatchString(regex, fl.Field().String())
+	return matched
+}
+
+var validateUserGroupName validator.Func = func(fl validator.FieldLevel) bool {
+	// [a-z0-9_] : The group name can only contain lowercase letters, numbers, and underscores
+	regex := "^[a-z0-9_]+$"
+	matched, _ := regexp.MatchString(regex, fl.Field().String())
+	return matched
+}
+
+func init() {
+	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
+		if err := v.RegisterValidation("urlList", validateUrlList); err != nil {
+			log.Fatalf("Failed to register custom validation: %v", err)
+		}
+	}
+	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
+		if err := v.RegisterValidation("username", validateUsername); err != nil {
+			log.Fatalf("Failed to register custom validation: %v", err)
+		}
+	}
+
+	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
+		if err := v.RegisterValidation("userGroupName", validateUserGroupName); err != nil {
+			log.Fatalf("Failed to register custom validation: %v", err)
+		}
+	}
+}

backend/internal/dto/webauthn_dto.go

@@ -0,0 +1,23 @@
+package dto
+
+import (
+	"github.com/go-webauthn/webauthn/protocol"
+	"time"
+)
+
+type WebauthnCredentialDto struct {
+	ID              string                            `json:"id"`
+	Name            string                            `json:"name"`
+	CredentialID    string                            `json:"credentialID"`
+	AttestationType string                            `json:"attestationType"`
+	Transport       []protocol.AuthenticatorTransport `json:"transport"`
+
+	BackupEligible bool `json:"backupEligible"`
+	BackupState    bool `json:"backupState"`
+
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+type WebauthnCredentialUpdateDto struct {
+	Name string `json:"name" binding:"required,min=1,max=30"`
+}

backend/internal/job/db_cleanup.go

@@ -21,7 +21,6 @@ func RegisterJobs(db *gorm.DB) {
 	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
 	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
 	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
-
 	scheduler.Start()
 }
 
@@ -29,17 +28,24 @@ type Jobs struct {
 	db *gorm.DB
 }
 
+// ClearWebauthnSessions deletes WebAuthn sessions that have expired
 func (j *Jobs) clearWebauthnSessions() error {
 	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
 }
 
+// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
 func (j *Jobs) clearOneTimeAccessTokens() error {
 	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
 }
 
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *Jobs) clearOidcAuthorizationCodes() error {
 	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
+}
 
+// ClearAuditLogs deletes audit logs older than 90 days
+func (j *Jobs) clearAuditLogs() error {
+	return j.db.Delete(&model.AuditLog{}, "created_at < ?", utils.FormatDateForDb(time.Now().AddDate(0, 0, -90))).Error
 }
 
 func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {

backend/internal/middleware/file_size_limit.go

@@ -17,7 +17,7 @@ func (m *FileSizeLimitMiddleware) Add(maxSize int64) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxSize)
 		if err := c.Request.ParseMultipartForm(maxSize); err != nil {
-			utils.HandlerError(c, http.StatusRequestEntityTooLarge, fmt.Sprintf("The file can't be larger than %s bytes", formatFileSize(maxSize)))
+			utils.CustomControllerError(c, http.StatusRequestEntityTooLarge, fmt.Sprintf("The file can't be larger than %s bytes", formatFileSize(maxSize)))
 			c.Abort()
 			return
 		}

backend/internal/middleware/jwt_auth.go

@@ -10,10 +10,11 @@ import (
 
 type JwtAuthMiddleware struct {
 	jwtService            *service.JwtService
+	ignoreUnauthenticated bool
 }
 
-func NewJwtAuthMiddleware(jwtService *service.JwtService) *JwtAuthMiddleware {
-	return &JwtAuthMiddleware{jwtService: jwtService}
+func NewJwtAuthMiddleware(jwtService *service.JwtService, ignoreUnauthenticated bool) *JwtAuthMiddleware {
+	return &JwtAuthMiddleware{jwtService: jwtService, ignoreUnauthenticated: ignoreUnauthenticated}
 }
 
 func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
@@ -24,23 +25,29 @@ func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
 			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
 			if len(authorizationHeaderSplitted) == 2 {
 				token = authorizationHeaderSplitted[1]
+			} else if m.ignoreUnauthenticated {
+				c.Next()
+				return
 			} else {
-				utils.HandlerError(c, http.StatusUnauthorized, "You're not signed in")
+				utils.CustomControllerError(c, http.StatusUnauthorized, "You're not signed in")
 				c.Abort()
 				return
 			}
 		}
 
 		claims, err := m.jwtService.VerifyAccessToken(token)
-		if err != nil {
-			utils.HandlerError(c, http.StatusUnauthorized, "You're not signed in")
+		if err != nil && m.ignoreUnauthenticated {
+			c.Next()
+			return
+		} else if err != nil {
+			utils.CustomControllerError(c, http.StatusUnauthorized, "You're not signed in")
 			c.Abort()
 			return
 		}
 
 		// Check if the user is an admin
 		if adminOnly && !claims.IsAdmin {
-			utils.HandlerError(c, http.StatusForbidden, "You don't have permission to access this resource")
+			utils.CustomControllerError(c, http.StatusForbidden, "You don't have permission to access this resource")
 			c.Abort()
 			return
 		}

backend/internal/middleware/rate_limit.go

@@ -33,7 +33,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
 
 		limiter := getLimiter(ip, limit, burst)
 		if !limiter.Allow() {
-			utils.HandlerError(c, http.StatusTooManyRequests, "Too many requests. Please wait a while before trying again.")
+			utils.CustomControllerError(c, http.StatusTooManyRequests, "Too many requests. Please wait a while before trying again.")
 			c.Abort()
 			return
 		}

backend/internal/model/app_config.go

@@ -1,21 +1,24 @@
 package model
 
 type AppConfigVariable struct {
-	Key        string `gorm:"primaryKey;not null" json:"key"`
-	Type       string `json:"type"`
-	IsPublic   bool   `json:"-"`
-	IsInternal bool   `json:"-"`
-	Value      string `json:"value"`
+	Key        string `gorm:"primaryKey;not null"`
+	Type       string
+	IsPublic   bool
+	IsInternal bool
+	Value      string
 }
 
 type AppConfig struct {
 	AppName             AppConfigVariable
 	BackgroundImageType AppConfigVariable
-	LogoImageType       AppConfigVariable
+	LogoLightImageType  AppConfigVariable
+	LogoDarkImageType   AppConfigVariable
 	SessionDuration     AppConfigVariable
-}
 
-type AppConfigUpdateDto struct {
-	AppName         string `json:"appName" binding:"required"`
-	SessionDuration string `json:"sessionDuration" binding:"required"`
+	EmailEnabled AppConfigVariable
+	SmtpHost     AppConfigVariable
+	SmtpPort     AppConfigVariable
+	SmtpFrom     AppConfigVariable
+	SmtpUser     AppConfigVariable
+	SmtpPassword AppConfigVariable
 }

backend/internal/model/audit_log.go

@@ -0,0 +1,52 @@
+package model
+
+import (
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
+)
+
+type AuditLog struct {
+	Base
+
+	Event     AuditLogEvent
+	IpAddress string
+	Country   string
+	City      string
+	UserAgent string
+	UserID    string
+	Data      AuditLogData
+}
+
+type AuditLogData map[string]string
+
+type AuditLogEvent string
+
+const (
+	AuditLogEventSignIn                 AuditLogEvent = "SIGN_IN"
+	AuditLogEventClientAuthorization    AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+)
+
+// Scan and Value methods for GORM to handle the custom type
+
+func (e *AuditLogEvent) Scan(value interface{}) error {
+	*e = AuditLogEvent(value.(string))
+	return nil
+}
+
+func (e AuditLogEvent) Value() (driver.Value, error) {
+	return string(e), nil
+}
+
+func (d *AuditLogData) Scan(value interface{}) error {
+	if v, ok := value.([]byte); ok {
+		return json.Unmarshal(v, d)
+	} else {
+		return errors.New("type assertion to []byte failed")
+	}
+}
+
+func (d AuditLogData) Value() (driver.Value, error) {
+	return json.Marshal(d)
+}

backend/internal/model/base.go

@@ -8,8 +8,8 @@ import (
 
 // Base contains common columns for all tables.
 type Base struct {
-	ID        string    `gorm:"primaryKey;not null" json:"id"`
-	CreatedAt time.Time `json:"createdAt"`
+	ID        string `gorm:"primaryKey;not null"`
+	CreatedAt time.Time
 }
 
 func (b *Base) BeforeCreate(_ *gorm.DB) (err error) {

backend/internal/model/oidc.go

@@ -1,38 +1,22 @@
 package model
 
 import (
+	"database/sql/driver"
+	"encoding/json"
+	"errors"
 	"gorm.io/gorm"
 	"time"
 )
 
 type UserAuthorizedOidcClient struct {
 	Scope  string
-	UserID string `json:"userId" gorm:"primary_key;"`
+	UserID string `gorm:"primary_key;"`
 	User   User
 
-	ClientID string `json:"clientId" gorm:"primary_key;"`
+	ClientID string `gorm:"primary_key;"`
 	Client   OidcClient
 }
 
-type OidcClient struct {
-	Base
-
-	Name        string  `json:"name"`
-	Secret      string  `json:"-"`
-	CallbackURL string  `json:"callbackURL"`
-	ImageType   *string `json:"-"`
-	HasLogo     bool    `gorm:"-" json:"hasLogo"`
-
-	CreatedByID string
-	CreatedBy   User
-}
-
-func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
-	// Compute HasLogo field
-	c.HasLogo = c.ImageType != nil && *c.ImageType != ""
-	return nil
-}
-
 type OidcAuthorizationCode struct {
 	Base
 
@@ -47,26 +31,35 @@ type OidcAuthorizationCode struct {
 	ClientID string
 }
 
-type OidcClientCreateDto struct {
-	Name        string `json:"name" binding:"required"`
-	CallbackURL string `json:"callbackURL" binding:"required"`
+type OidcClient struct {
+	Base
+
+	Name         string
+	Secret       string
+	CallbackURLs CallbackURLs
+	ImageType    *string
+	HasLogo      bool `gorm:"-"`
+
+	CreatedByID string
+	CreatedBy   User
 }
 
-type AuthorizeNewClientDto struct {
-	ClientID string `json:"clientID" binding:"required"`
-	Scope    string `json:"scope" binding:"required"`
-	Nonce    string `json:"nonce"`
+func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
+	// Compute HasLogo field
+	c.HasLogo = c.ImageType != nil && *c.ImageType != ""
+	return nil
 }
 
-type OidcIdTokenDto struct {
-	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" binding:"required"`
-	ClientID     string `form:"client_id"`
-	ClientSecret string `form:"client_secret"`
+type CallbackURLs []string
+
+func (cu *CallbackURLs) Scan(value interface{}) error {
+	if v, ok := value.([]byte); ok {
+		return json.Unmarshal(v, cu)
+	} else {
+		return errors.New("type assertion to []byte failed")
+	}
 }
 
-type AuthorizeRequest struct {
-	ClientID string `json:"clientID" binding:"required"`
-	Scope    string `json:"scope" binding:"required"`
-	Nonce    string `json:"nonce"`
+func (cu CallbackURLs) Value() (driver.Value, error) {
+	return json.Marshal(cu)
 }

backend/internal/model/user.go

@@ -9,13 +9,14 @@ import (
 type User struct {
 	Base
 
-	Username  string `json:"username"`
-	Email     string `json:"email" `
-	FirstName string `json:"firstName"`
-	LastName  string `json:"lastName"`
-	IsAdmin   bool   `json:"isAdmin"`
+	Username  string
+	Email     string
+	FirstName string
+	LastName  string
+	IsAdmin   bool
 
-	Credentials []WebauthnCredential `json:"-"`
+	UserGroups  []UserGroup `gorm:"many2many:user_groups_users;"`
+	Credentials []WebauthnCredential
 }
 
 func (u User) WebAuthnID() []byte { return []byte(u.ID) }
@@ -59,19 +60,9 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 
 type OneTimeAccessToken struct {
 	Base
-	Token     string    `json:"token"`
-	ExpiresAt time.Time `json:"expiresAt"`
+	Token     string
+	ExpiresAt time.Time
 
-	UserID string `json:"userId"`
+	UserID string
 	User   User
 }
-
-type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId" binding:"required"`
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
-}
-
-type LoginUserDto struct {
-	Username string `json:"username" binding:"required"`
-	Password string `json:"password" binding:"required"`
-}

backend/internal/model/user_group.go

@@ -0,0 +1,8 @@
+package model
+
+type UserGroup struct {
+	Base
+	FriendlyName string
+	Name         string `gorm:"unique"`
+	Users        []User `gorm:"many2many:user_groups_users;"`
+}

backend/internal/model/webauthn.go

@@ -19,11 +19,11 @@ type WebauthnSession struct {
 type WebauthnCredential struct {
 	Base
 
-	Name            string                     `json:"name"`
-	CredentialID    string                     `json:"credentialID"`
-	PublicKey       []byte                     `json:"-"`
-	AttestationType string                     `json:"attestationType"`
-	Transport       AuthenticatorTransportList `json:"-"`
+	Name            string
+	CredentialID    string
+	PublicKey       []byte
+	AttestationType string
+	Transport       AuthenticatorTransportList
 
 	BackupEligible bool `json:"backupEligible"`
 	BackupState    bool `json:"backupState"`
@@ -32,15 +32,15 @@ type WebauthnCredential struct {
 }
 
 type PublicKeyCredentialCreationOptions struct {
-	Response  protocol.PublicKeyCredentialCreationOptions `json:"response"`
-	SessionID string                                      `json:"session_id"`
-	Timeout   time.Duration                               `json:"timeout"`
+	Response  protocol.PublicKeyCredentialCreationOptions
+	SessionID string
+	Timeout   time.Duration
 }
 
 type PublicKeyCredentialRequestOptions struct {
-	Response  protocol.PublicKeyCredentialRequestOptions `json:"response"`
-	SessionID string                                     `json:"session_id"`
-	Timeout   time.Duration                              `json:"timeout"`
+	Response  protocol.PublicKeyCredentialRequestOptions
+	SessionID string
+	Timeout   time.Duration
 }
 
 type AuthenticatorTransportList []protocol.AuthenticatorTransport
@@ -58,7 +58,3 @@ func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
 func (atl AuthenticatorTransportList) Value() (driver.Value, error) {
 	return json.Marshal(atl)
 }
-
-type WebauthnCredentialUpdateDto struct {
-	Name string `json:"name"`
-}

backend/internal/service/app_config_service.go

@@ -3,6 +3,7 @@ package service
 import (
 	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
@@ -46,15 +47,46 @@ var defaultDbConfig = model.AppConfig{
 		IsInternal: true,
 		Value:      "jpg",
 	},
-	LogoImageType: model.AppConfigVariable{
-		Key:        "logoImageType",
+	LogoLightImageType: model.AppConfigVariable{
+		Key:        "logoLightImageType",
 		Type:       "string",
 		IsInternal: true,
 		Value:      "svg",
 	},
+	LogoDarkImageType: model.AppConfigVariable{
+		Key:        "logoDarkImageType",
+		Type:       "string",
+		IsInternal: true,
+		Value:      "svg",
+	},
+	EmailEnabled: model.AppConfigVariable{
+		Key:   "emailEnabled",
+		Type:  "bool",
+		Value: "false",
+	},
+	SmtpHost: model.AppConfigVariable{
+		Key:  "smtpHost",
+		Type: "string",
+	},
+	SmtpPort: model.AppConfigVariable{
+		Key:  "smtpPort",
+		Type: "number",
+	},
+	SmtpFrom: model.AppConfigVariable{
+		Key:  "smtpFrom",
+		Type: "string",
+	},
+	SmtpUser: model.AppConfigVariable{
+		Key:  "smtpUser",
+		Type: "string",
+	},
+	SmtpPassword: model.AppConfigVariable{
+		Key:  "smtpPassword",
+		Type: "string",
+	},
 }
 
-func (s *AppConfigService) UpdateApplicationConfiguration(input model.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
+func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
 	var savedConfigVariables []model.AppConfigVariable
 
 	tx := s.db.Begin()
@@ -66,19 +98,19 @@ func (s *AppConfigService) UpdateApplicationConfiguration(input model.AppConfigU
 		key := field.Tag.Get("json")
 		value := rv.FieldByName(field.Name).String()
 
-		var applicationConfigurationVariable model.AppConfigVariable
-		if err := tx.First(&applicationConfigurationVariable, "key = ? AND is_internal = false", key).Error; err != nil {
+		var appConfigVariable model.AppConfigVariable
+		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
 			tx.Rollback()
 			return nil, err
 		}
 
-		applicationConfigurationVariable.Value = value
-		if err := tx.Save(&applicationConfigurationVariable).Error; err != nil {
+		appConfigVariable.Value = value
+		if err := tx.Save(&appConfigVariable).Error; err != nil {
 			tx.Rollback()
 			return nil, err
 		}
 
-		savedConfigVariables = append(savedConfigVariables, applicationConfigurationVariable)
+		savedConfigVariables = append(savedConfigVariables, appConfigVariable)
 	}
 
 	tx.Commit()
@@ -100,7 +132,7 @@ func (s *AppConfigService) UpdateImageType(imageName string, fileType string) er
 	return s.loadDbConfigFromDb()
 }
 
-func (s *AppConfigService) ListApplicationConfiguration(showAll bool) ([]model.AppConfigVariable, error) {
+func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariable, error) {
 	var configuration []model.AppConfigVariable
 	var err error
 

backend/internal/service/audit_log_service.go

@@ -0,0 +1,125 @@
+package service
+
+import (
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/oschwald/maxminddb-golang/v2"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
+	"log"
+	"net/netip"
+)
+
+type AuditLogService struct {
+	db               *gorm.DB
+	appConfigService *AppConfigService
+	emailService     *EmailService
+}
+
+func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailService *EmailService) *AuditLogService {
+	return &AuditLogService{db: db, appConfigService: appConfigService, emailService: emailService}
+}
+
+// Create creates a new audit log entry in the database
+func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
+	country, city, err := s.GetIpLocation(ipAddress)
+	if err != nil {
+		log.Printf("Failed to get IP location: %v\n", err)
+	}
+
+	auditLog := model.AuditLog{
+		Event:     event,
+		IpAddress: ipAddress,
+		Country:   country,
+		City:      city,
+		UserAgent: userAgent,
+		UserID:    userID,
+		Data:      data,
+	}
+
+	// Save the audit log in the database
+	if err := s.db.Create(&auditLog).Error; err != nil {
+		log.Printf("Failed to create audit log: %v\n", err)
+		return model.AuditLog{}
+	}
+
+	return auditLog
+}
+
+// CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
+func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
+	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, data)
+
+	// Count the number of times the user has logged in from the same device
+	var count int64
+	err := s.db.Model(&model.AuditLog{}).Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).Count(&count).Error
+	if err != nil {
+		log.Printf("Failed to count audit logs: %v\n", err)
+		return createdAuditLog
+	}
+
+	// If the user hasn't logged in from the same device before, send an email
+	if count <= 1 {
+		go func() {
+			var user model.User
+			s.db.Where("id = ?", userID).First(&user)
+
+			err := SendEmail(s.emailService, email.Address{
+				Name:  user.Username,
+				Email: user.Email,
+			}, NewLoginTemplate, &NewLoginTemplateData{
+				IPAddress: ipAddress,
+				Country:   createdAuditLog.Country,
+				City:      createdAuditLog.City,
+				Device:    s.DeviceStringFromUserAgent(userAgent),
+				DateTime:  createdAuditLog.CreatedAt.UTC(),
+			})
+			if err != nil {
+				log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+			}
+		}()
+	}
+
+	return createdAuditLog
+}
+
+// ListAuditLogsForUser retrieves all audit logs for a given user ID
+func (s *AuditLogService) ListAuditLogsForUser(userID string, page int, pageSize int) ([]model.AuditLog, utils.PaginationResponse, error) {
+	var logs []model.AuditLog
+	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID).Order("created_at desc")
+
+	pagination, err := utils.Paginate(page, pageSize, query, &logs)
+	return logs, pagination, err
+}
+
+func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
+	ua := userAgentParser.Parse(userAgent)
+	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
+}
+
+func (s *AuditLogService) GetIpLocation(ipAddress string) (country, city string, err error) {
+	db, err := maxminddb.Open("GeoLite2-City.mmdb")
+	if err != nil {
+		return "", "", err
+	}
+	defer db.Close()
+
+	addr := netip.MustParseAddr(ipAddress)
+
+	var record struct {
+		City struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"city"`
+		Country struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"country"`
+	}
+
+	err = db.Lookup(addr).Decode(&record)
+	if err != nil {
+		return "", "", err
+	}
+
+	return record.Country.Names["en"], record.City.Names["en"], nil
+}

backend/internal/service/email_service.go

@@ -0,0 +1,137 @@
+package service
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	htemplate "html/template"
+	"io/fs"
+	"mime/multipart"
+	"mime/quotedprintable"
+	"net/smtp"
+	"net/textproto"
+	ttemplate "text/template"
+)
+
+type EmailService struct {
+	appConfigService *AppConfigService
+	htmlTemplates    map[string]*htemplate.Template
+	textTemplates    map[string]*ttemplate.Template
+}
+
+func NewEmailService(appConfigService *AppConfigService, templateDir fs.FS) (*EmailService, error) {
+	htmlTemplates, err := email.PrepareHTMLTemplates(templateDir, emailTemplatesPaths)
+	if err != nil {
+		return nil, fmt.Errorf("prepare html templates: %w", err)
+	}
+
+	textTemplates, err := email.PrepareTextTemplates(templateDir, emailTemplatesPaths)
+	if err != nil {
+		return nil, fmt.Errorf("prepare html templates: %w", err)
+	}
+
+	return &EmailService{
+		appConfigService: appConfigService,
+		htmlTemplates:    htmlTemplates,
+		textTemplates:    textTemplates,
+	}, nil
+}
+
+func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+	// Check if SMTP settings are set
+	if srv.appConfigService.DbConfig.EmailEnabled.Value != "true" {
+		return errors.New("email not enabled")
+	}
+
+	data := &email.TemplateData[V]{
+		AppName: srv.appConfigService.DbConfig.AppName.Value,
+		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
+		Data:    tData,
+	}
+
+	body, boundary, err := prepareBody(srv, template, data)
+	if err != nil {
+		return fmt.Errorf("prepare email body for '%s': %w", template.Path, err)
+	}
+
+	// Construct the email message
+	c := email.NewComposer()
+	c.AddHeader("Subject", template.Title(data))
+	c.AddAddressHeader("From", []email.Address{
+		{
+			Email: srv.appConfigService.DbConfig.SmtpFrom.Value,
+			Name:  srv.appConfigService.DbConfig.AppName.Value,
+		},
+	})
+	c.AddAddressHeader("To", []email.Address{toEmail})
+	c.AddHeaderRaw("Content-Type",
+		fmt.Sprintf("multipart/alternative;\n boundary=%s;\n charset=UTF-8", boundary),
+	)
+	c.Body(body)
+
+	// Set up the authentication information.
+	auth := smtp.PlainAuth("",
+		srv.appConfigService.DbConfig.SmtpUser.Value,
+		srv.appConfigService.DbConfig.SmtpPassword.Value,
+		srv.appConfigService.DbConfig.SmtpHost.Value,
+	)
+
+	// Send the email
+	err = smtp.SendMail(
+		srv.appConfigService.DbConfig.SmtpHost.Value+":"+srv.appConfigService.DbConfig.SmtpPort.Value,
+		auth,
+		srv.appConfigService.DbConfig.SmtpFrom.Value,
+		[]string{toEmail.Email},
+		[]byte(c.String()),
+	)
+
+	if err != nil {
+		return fmt.Errorf("failed to send email: %w", err)
+	}
+
+	return nil
+}
+
+func prepareBody[V any](srv *EmailService, template email.Template[V], data *email.TemplateData[V]) (string, string, error) {
+	body := bytes.NewBuffer(nil)
+	mpart := multipart.NewWriter(body)
+
+	// prepare text part
+	var textHeader = textproto.MIMEHeader{}
+	textHeader.Add("Content-Type", "text/plain;\n charset=UTF-8")
+	textHeader.Add("Content-Transfer-Encoding", "quoted-printable")
+	textPart, err := mpart.CreatePart(textHeader)
+	if err != nil {
+		return "", "", fmt.Errorf("create text part: %w", err)
+	}
+
+	textQp := quotedprintable.NewWriter(textPart)
+	err = email.GetTemplate(srv.textTemplates, template).ExecuteTemplate(textQp, "root", data)
+	if err != nil {
+		return "", "", fmt.Errorf("execute text template: %w", err)
+	}
+
+	// prepare html part
+	var htmlHeader = textproto.MIMEHeader{}
+	htmlHeader.Add("Content-Type", "text/html;\n charset=UTF-8")
+	htmlHeader.Add("Content-Transfer-Encoding", "quoted-printable")
+	htmlPart, err := mpart.CreatePart(htmlHeader)
+	if err != nil {
+		return "", "", fmt.Errorf("create html part: %w", err)
+	}
+
+	htmlQp := quotedprintable.NewWriter(htmlPart)
+	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlQp, "root", data)
+	if err != nil {
+		return "", "", fmt.Errorf("execute html template: %w", err)
+	}
+
+	err = mpart.Close()
+	if err != nil {
+		return "", "", fmt.Errorf("close multipart: %w", err)
+	}
+
+	return body.String(), mpart.Boundary(), nil
+}

backend/internal/service/email_service_templates.go

@@ -0,0 +1,39 @@
+package service
+
+import (
+	"fmt"
+	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	"time"
+)
+
+/**
+How to add new template:
+- pick unique and descriptive template ${name} (for example "login-with-new-device")
+- in backend/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
+- create xxxxTemplate and xxxxTemplateData (for example NewLoginTemplate and NewLoginTemplateData)
+  - Path *must* be ${name}
+- add xxxTemplate.Path to "emailTemplatePaths" at the end
+
+Notes:
+- backend app must be restarted to reread all the template files
+- root "." object in templates is `email.TemplateData`
+- xxxxTemplateData structure is visible under .Data in templates
+*/
+
+var NewLoginTemplate = email.Template[NewLoginTemplateData]{
+	Path: "login-with-new-device",
+	Title: func(data *email.TemplateData[NewLoginTemplateData]) string {
+		return fmt.Sprintf("New device login with %s", data.AppName)
+	},
+}
+
+type NewLoginTemplateData struct {
+	IPAddress string
+	Country   string
+	City      string
+	Device    string
+	DateTime  time.Time
+}
+
+// this is list of all template paths used for preloading templates
+var emailTemplatesPaths = []string{NewLoginTemplate.Path}

backend/internal/service/oidc_service.go

@@ -4,12 +4,14 @@ import (
 	"errors"
 	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"golang.org/x/crypto/bcrypt"
 	"gorm.io/gorm"
 	"mime/multipart"
 	"os"
+	"slices"
 	"strings"
 	"time"
 )
@@ -17,42 +19,75 @@ import (
 type OidcService struct {
 	db               *gorm.DB
 	jwtService       *JwtService
+	appConfigService *AppConfigService
+	auditLogService  *AuditLogService
 }
 
-func NewOidcService(db *gorm.DB, jwtService *JwtService) *OidcService {
+func NewOidcService(db *gorm.DB, jwtService *JwtService, appConfigService *AppConfigService, auditLogService *AuditLogService) *OidcService {
 	return &OidcService{
 		db:               db,
 		jwtService:       jwtService,
+		appConfigService: appConfigService,
+		auditLogService:  auditLogService,
 	}
 }
 
-func (s *OidcService) Authorize(req model.AuthorizeRequest, userID string) (string, error) {
+func (s *OidcService) Authorize(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
 	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
-	s.db.First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", req.ClientID, userID)
+	s.db.Preload("Client").First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", input.ClientID, userID)
 
-	if userAuthorizedOIDCClient.Scope != req.Scope {
-		return "", common.ErrOidcMissingAuthorization
+	if userAuthorizedOIDCClient.Scope != input.Scope {
+		return "", "", common.ErrOidcMissingAuthorization
 	}
 
-	return s.createAuthorizationCode(req.ClientID, userID, req.Scope, req.Nonce)
+	callbackURL, err := getCallbackURL(userAuthorizedOIDCClient.Client, input.CallbackURL)
+	if err != nil {
+		return "", "", err
+	}
+
+	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce)
+	if err != nil {
+		return "", "", err
+	}
+
+	s.auditLogService.Create(model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": userAuthorizedOIDCClient.Client.Name})
+
+	return code, callbackURL, nil
 }
 
-func (s *OidcService) AuthorizeNewClient(req model.AuthorizeNewClientDto, userID string) (string, error) {
+func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
+	var client model.OidcClient
+	if err := s.db.First(&client, "id = ?", input.ClientID).Error; err != nil {
+		return "", "", err
+	}
+
+	callbackURL, err := getCallbackURL(client, input.CallbackURL)
+	if err != nil {
+		return "", "", err
+	}
+
 	userAuthorizedClient := model.UserAuthorizedOidcClient{
 		UserID:   userID,
-		ClientID: req.ClientID,
-		Scope:    req.Scope,
+		ClientID: input.ClientID,
+		Scope:    input.Scope,
 	}
 
 	if err := s.db.Create(&userAuthorizedClient).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			err = s.db.Model(&userAuthorizedClient).Update("scope", req.Scope).Error
+			err = s.db.Model(&userAuthorizedClient).Update("scope", input.Scope).Error
 		} else {
-			return "", err
+			return "", "", err
 		}
 	}
 
-	return s.createAuthorizationCode(req.ClientID, userID, req.Scope, req.Nonce)
+	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce)
+	if err != nil {
+		return "", "", err
+	}
+
+	s.auditLogService.Create(model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+
+	return code, callbackURL, nil
 }
 
 func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret string) (string, string, error) {
@@ -101,18 +136,18 @@ func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret strin
 	return idToken, accessToken, nil
 }
 
-func (s *OidcService) GetClient(clientID string) (*model.OidcClient, error) {
+func (s *OidcService) GetClient(clientID string) (model.OidcClient, error) {
 	var client model.OidcClient
-	if err := s.db.First(&client, "id = ?", clientID).Error; err != nil {
-		return nil, err
+	if err := s.db.Preload("CreatedBy").First(&client, "id = ?", clientID).Error; err != nil {
+		return model.OidcClient{}, err
 	}
-	return &client, nil
+	return client, nil
 }
 
 func (s *OidcService) ListClients(searchTerm string, page int, pageSize int) ([]model.OidcClient, utils.PaginationResponse, error) {
 	var clients []model.OidcClient
 
-	query := s.db.Model(&model.OidcClient{})
+	query := s.db.Preload("CreatedBy").Model(&model.OidcClient{})
 	if searchTerm != "" {
 		searchPattern := "%" + searchTerm + "%"
 		query = query.Where("name LIKE ?", searchPattern)
@@ -126,34 +161,34 @@ func (s *OidcService) ListClients(searchTerm string, page int, pageSize int) ([]
 	return clients, pagination, nil
 }
 
-func (s *OidcService) CreateClient(input model.OidcClientCreateDto, userID string) (*model.OidcClient, error) {
+func (s *OidcService) CreateClient(input dto.OidcClientCreateDto, userID string) (model.OidcClient, error) {
 	client := model.OidcClient{
 		Name:         input.Name,
-		CallbackURL: input.CallbackURL,
+		CallbackURLs: input.CallbackURLs,
 		CreatedByID:  userID,
 	}
 
 	if err := s.db.Create(&client).Error; err != nil {
-		return nil, err
+		return model.OidcClient{}, err
 	}
 
-	return &client, nil
+	return client, nil
 }
 
-func (s *OidcService) UpdateClient(clientID string, input model.OidcClientCreateDto) (*model.OidcClient, error) {
+func (s *OidcService) UpdateClient(clientID string, input dto.OidcClientCreateDto) (model.OidcClient, error) {
 	var client model.OidcClient
-	if err := s.db.First(&client, "id = ?", clientID).Error; err != nil {
-		return nil, err
+	if err := s.db.Preload("CreatedBy").First(&client, "id = ?", clientID).Error; err != nil {
+		return model.OidcClient{}, err
 	}
 
 	client.Name = input.Name
-	client.CallbackURL = input.CallbackURL
+	client.CallbackURLs = input.CallbackURLs
 
 	if err := s.db.Save(&client).Error; err != nil {
-		return nil, err
+		return model.OidcClient{}, err
 	}
 
-	return &client, nil
+	return client, nil
 }
 
 func (s *OidcService) DeleteClient(clientID string) error {
@@ -266,7 +301,7 @@ func (s *OidcService) DeleteClientLogo(clientID string) error {
 
 func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (map[string]interface{}, error) {
 	var authorizedOidcClient model.UserAuthorizedOidcClient
-	if err := s.db.Preload("User").First(&authorizedOidcClient, "user_id = ? AND client_id = ?", userID, clientID).Error; err != nil {
+	if err := s.db.Preload("User.UserGroups").First(&authorizedOidcClient, "user_id = ? AND client_id = ?", userID, clientID).Error; err != nil {
 		return nil, err
 	}
 
@@ -281,9 +316,18 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 		claims["email"] = user.Email
 	}
 
+	if strings.Contains(scope, "groups") {
+		userGroups := make([]string, len(user.UserGroups))
+		for i, group := range user.UserGroups {
+			userGroups[i] = group.Name
+		}
+		claims["groups"] = userGroups
+	}
+
 	profileClaims := map[string]interface{}{
 		"given_name":         user.FirstName,
 		"family_name":        user.LastName,
+		"name":               user.FirstName + " " + user.LastName,
 		"preferred_username": user.Username,
 	}
 
@@ -320,3 +364,14 @@ func (s *OidcService) createAuthorizationCode(clientID string, userID string, sc
 
 	return randomString, nil
 }
+
+func getCallbackURL(client model.OidcClient, inputCallbackURL string) (callbackURL string, err error) {
+	if inputCallbackURL == "" {
+		return client.CallbackURLs[0], nil
+	}
+	if slices.Contains(client.CallbackURLs, inputCallbackURL) {
+		return inputCallbackURL, nil
+	}
+
+	return "", common.ErrOidcInvalidCallbackURL
+}

backend/internal/service/test_service.go

@@ -56,6 +56,30 @@ func (s *TestService) SeedDatabase() error {
 			}
 		}
 
+		userGroups := []model.UserGroup{
+			{
+				Base: model.Base{
+					ID: "4110f814-56f1-4b28-8998-752b69bc97c0e",
+				},
+				Name:         "developers",
+				FriendlyName: "Developers",
+				Users:        []model.User{users[0], users[1]},
+			},
+			{
+				Base: model.Base{
+					ID: "adab18bf-f89d-4087-9ee1-70ff15b48211",
+				},
+				Name:         "designers",
+				FriendlyName: "Designers",
+				Users:        []model.User{users[0]},
+			},
+		}
+		for _, group := range userGroups {
+			if err := tx.Create(&group).Error; err != nil {
+				return err
+			}
+		}
+
 		oidcClients := []model.OidcClient{
 			{
 				Base: model.Base{
@@ -63,7 +87,7 @@ func (s *TestService) SeedDatabase() error {
 				},
 				Name:         "Nextcloud",
 				Secret:       "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
-				CallbackURL: "http://nextcloud/auth/callback",
+				CallbackURLs: model.CallbackURLs{"http://nextcloud/auth/callback"},
 				ImageType:    utils.StringPointer("png"),
 				CreatedByID:  users[0].ID,
 			},
@@ -73,7 +97,7 @@ func (s *TestService) SeedDatabase() error {
 				},
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
-				CallbackURL: "http://immich/auth/callback",
+				CallbackURLs: model.CallbackURLs{"http://immich/auth/callback"},
 				CreatedByID:  users[0].ID,
 			},
 		}

backend/internal/service/user_group_service.go

@@ -0,0 +1,111 @@
+package service
+
+import (
+	"errors"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
+)
+
+type UserGroupService struct {
+	db *gorm.DB
+}
+
+func NewUserGroupService(db *gorm.DB) *UserGroupService {
+	return &UserGroupService{db: db}
+}
+
+func (s *UserGroupService) List(name string, page int, pageSize int) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
+	query := s.db.Model(&model.UserGroup{})
+
+	if name != "" {
+		query = query.Where("name LIKE ?", "%"+name+"%")
+	}
+
+	response, err = utils.Paginate(page, pageSize, query, &groups)
+	return groups, response, err
+}
+
+func (s *UserGroupService) Get(id string) (group model.UserGroup, err error) {
+	err = s.db.Where("id = ?", id).Preload("Users").First(&group).Error
+	return group, err
+}
+
+func (s *UserGroupService) Delete(id string) error {
+	var group model.UserGroup
+	if err := s.db.Where("id = ?", id).First(&group).Error; err != nil {
+		return err
+	}
+
+	return s.db.Delete(&group).Error
+}
+
+func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
+	group = model.UserGroup{
+		FriendlyName: input.FriendlyName,
+		Name:         input.Name,
+	}
+
+	if err := s.db.Preload("Users").Create(&group).Error; err != nil {
+		if errors.Is(err, gorm.ErrDuplicatedKey) {
+			return model.UserGroup{}, common.ErrNameAlreadyInUse
+		}
+		return model.UserGroup{}, err
+	}
+	return group, nil
+}
+
+func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
+	group, err = s.Get(id)
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	group.Name = input.Name
+	group.FriendlyName = input.FriendlyName
+
+	if err := s.db.Preload("Users").Save(&group).Error; err != nil {
+		if errors.Is(err, gorm.ErrDuplicatedKey) {
+			return model.UserGroup{}, common.ErrNameAlreadyInUse
+		}
+		return model.UserGroup{}, err
+	}
+	return group, nil
+}
+
+func (s *UserGroupService) UpdateUsers(id string, input dto.UserGroupUpdateUsersDto) (group model.UserGroup, err error) {
+	group, err = s.Get(id)
+	if err != nil {
+		return model.UserGroup{}, err
+	}
+
+	// Fetch the users based on UserIDs in input
+	var users []model.User
+	if len(input.UserIDs) > 0 {
+		if err := s.db.Where("id IN (?)", input.UserIDs).Find(&users).Error; err != nil {
+			return model.UserGroup{}, err
+		}
+	}
+
+	// Replace the current users with the new set of users
+	if err := s.db.Model(&group).Association("Users").Replace(users); err != nil {
+		return model.UserGroup{}, err
+	}
+
+	// Save the updated group
+	if err := s.db.Save(&group).Error; err != nil {
+		return model.UserGroup{}, err
+	}
+
+	return group, nil
+}
+
+func (s *UserGroupService) GetUserCountOfGroup(id string) (int64, error) {
+	var group model.UserGroup
+	if err := s.db.Preload("Users").Where("id = ?", id).First(&group).Error; err != nil {
+		return 0, err
+	}
+	return s.db.Model(&group).Association("Users").Count(), nil
+}

backend/internal/service/user_service.go

@@ -3,6 +3,7 @@ package service
 import (
 	"errors"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
@@ -46,17 +47,24 @@ func (s *UserService) DeleteUser(userID string) error {
 	return s.db.Delete(&user).Error
 }
 
-func (s *UserService) CreateUser(user *model.User) error {
-	if err := s.db.Create(user).Error; err != nil {
+func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
+	user := model.User{
+		FirstName: input.FirstName,
+		LastName:  input.LastName,
+		Email:     input.Email,
+		Username:  input.Username,
+		IsAdmin:   input.IsAdmin,
+	}
+	if err := s.db.Create(&user).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			return s.checkDuplicatedFields(*user)
+			return model.User{}, s.checkDuplicatedFields(user)
 		}
-		return err
+		return model.User{}, err
 	}
-	return nil
+	return user, nil
 }
 
-func (s *UserService) UpdateUser(userID string, updatedUser model.User, updateOwnUser bool) (model.User, error) {
+func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, updateOwnUser bool) (model.User, error) {
 	var user model.User
 	if err := s.db.Where("id = ?", userID).First(&user).Error; err != nil {
 		return model.User{}, err

backend/internal/service/webauthn_service.go

@@ -14,9 +14,12 @@ import (
 type WebAuthnService struct {
 	db               *gorm.DB
 	webAuthn         *webauthn.WebAuthn
+	jwtService       *JwtService
+	auditLogService  *AuditLogService
+	appConfigService *AppConfigService
 }
 
-func NewWebAuthnService(db *gorm.DB, appConfigService *AppConfigService) *WebAuthnService {
+func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, appConfigService *AppConfigService) *WebAuthnService {
 	webauthnConfig := &webauthn.Config{
 		RPDisplayName: appConfigService.DbConfig.AppName.Value,
 		RPID:          utils.GetHostFromURL(common.EnvConfig.AppURL),
@@ -34,12 +37,13 @@ func NewWebAuthnService(db *gorm.DB, appConfigService *AppConfigService) *WebAut
 			},
 		},
 	}
-
 	wa, _ := webauthn.New(webauthnConfig)
-	return &WebAuthnService{db: db, webAuthn: wa}
+	return &WebAuthnService{db: db, webAuthn: wa, jwtService: jwtService, auditLogService: auditLogService, appConfigService: appConfigService}
 }
 
 func (s *WebAuthnService) BeginRegistration(userID string) (*model.PublicKeyCredentialCreationOptions, error) {
+	s.updateWebAuthnConfig()
+
 	var user model.User
 	if err := s.db.Preload("Credentials").Find(&user, "id = ?", userID).Error; err != nil {
 		return nil, err
@@ -67,10 +71,10 @@ func (s *WebAuthnService) BeginRegistration(userID string) (*model.PublicKeyCred
 	}, nil
 }
 
-func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.Request) (*model.WebauthnCredential, error) {
+func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.Request) (model.WebauthnCredential, error) {
 	var storedSession model.WebauthnSession
 	if err := s.db.First(&storedSession, "id = ?", sessionID).Error; err != nil {
-		return nil, err
+		return model.WebauthnCredential{}, err
 	}
 
 	session := webauthn.SessionData{
@@ -81,12 +85,12 @@ func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.R
 
 	var user model.User
 	if err := s.db.Find(&user, "id = ?", userID).Error; err != nil {
-		return nil, err
+		return model.WebauthnCredential{}, err
 	}
 
 	credential, err := s.webAuthn.FinishRegistration(&user, session, r)
 	if err != nil {
-		return nil, err
+		return model.WebauthnCredential{}, err
 	}
 
 	credentialToStore := model.WebauthnCredential{
@@ -100,10 +104,10 @@ func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.R
 		BackupState:     credential.Flags.BackupState,
 	}
 	if err := s.db.Create(&credentialToStore).Error; err != nil {
-		return nil, err
+		return model.WebauthnCredential{}, err
 	}
 
-	return &credentialToStore, nil
+	return credentialToStore, nil
 }
 
 func (s *WebAuthnService) BeginLogin() (*model.PublicKeyCredentialRequestOptions, error) {
@@ -129,10 +133,10 @@ func (s *WebAuthnService) BeginLogin() (*model.PublicKeyCredentialRequestOptions
 	}, nil
 }
 
-func (s *WebAuthnService) VerifyLogin(sessionID, userID string, credentialAssertionData *protocol.ParsedCredentialAssertionData) (*model.User, error) {
+func (s *WebAuthnService) VerifyLogin(sessionID, userID string, credentialAssertionData *protocol.ParsedCredentialAssertionData, ipAddress, userAgent string) (model.User, string, error) {
 	var storedSession model.WebauthnSession
 	if err := s.db.First(&storedSession, "id = ?", sessionID).Error; err != nil {
-		return nil, err
+		return model.User{}, "", err
 	}
 
 	session := webauthn.SessionData{
@@ -149,14 +153,21 @@ func (s *WebAuthnService) VerifyLogin(sessionID, userID string, credentialAssert
 	}, session, credentialAssertionData)
 
 	if err != nil {
-		return nil, common.ErrInvalidCredentials
+		return model.User{}, "", err
 	}
 
 	if err := s.db.Find(&user, "id = ?", userID).Error; err != nil {
-		return nil, err
+		return model.User{}, "", err
 	}
 
-	return user, nil
+	token, err := s.jwtService.GenerateAccessToken(*user)
+	if err != nil {
+		return model.User{}, "", err
+	}
+
+	s.auditLogService.CreateNewSignInWithEmail(ipAddress, userAgent, user.ID, model.AuditLogData{})
+
+	return *user, token, nil
 }
 
 func (s *WebAuthnService) ListCredentials(userID string) ([]model.WebauthnCredential, error) {
@@ -180,17 +191,22 @@ func (s *WebAuthnService) DeleteCredential(userID, credentialID string) error {
 	return nil
 }
 
-func (s *WebAuthnService) UpdateCredential(userID, credentialID, name string) error {
+func (s *WebAuthnService) UpdateCredential(userID, credentialID, name string) (model.WebauthnCredential, error) {
 	var credential model.WebauthnCredential
 	if err := s.db.Where("id = ? AND user_id = ?", credentialID, userID).First(&credential).Error; err != nil {
-		return err
+		return credential, err
 	}
 
 	credential.Name = name
 
 	if err := s.db.Save(&credential).Error; err != nil {
-		return err
+		return credential, err
 	}
 
-	return nil
+	return credential, nil
+}
+
+// updateWebAuthnConfig updates the WebAuthn configuration with the app name as it can change during runtime
+func (s *WebAuthnService) updateWebAuthnConfig() {
+	s.webAuthn.Config.RPDisplayName = s.appConfigService.DbConfig.AppName.Value
 }

backend/internal/utils/controller_error_util.go

@@ -0,0 +1,75 @@
+package utils
+
+import (
+	"errors"
+	"github.com/gin-gonic/gin"
+	"github.com/go-playground/validator/v10"
+	"gorm.io/gorm"
+	"log"
+	"net/http"
+	"strings"
+)
+
+import (
+	"fmt"
+)
+
+func ControllerError(c *gin.Context, err error) {
+	// Check for record not found errors
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		CustomControllerError(c, http.StatusNotFound, "Record not found")
+		return
+	}
+
+	// Check for validation errors
+	var validationErrors validator.ValidationErrors
+	if errors.As(err, &validationErrors) {
+		message := handleValidationError(validationErrors)
+		CustomControllerError(c, http.StatusBadRequest, message)
+		return
+
+	}
+
+	log.Println(err)
+	c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
+}
+
+func handleValidationError(validationErrors validator.ValidationErrors) string {
+	var errorMessages []string
+
+	for _, ve := range validationErrors {
+		fieldName := ve.Field()
+		var errorMessage string
+		switch ve.Tag() {
+		case "required":
+			errorMessage = fmt.Sprintf("%s is required", fieldName)
+		case "email":
+			errorMessage = fmt.Sprintf("%s must be a valid email address", fieldName)
+		case "username":
+			errorMessage = fmt.Sprintf("%s must only contain lowercase letters, numbers, underscores, dots, hyphens, and '@' symbols and not start or end with a special character", fieldName)
+		case "url":
+			errorMessage = fmt.Sprintf("%s must be a valid URL", fieldName)
+		case "min":
+			errorMessage = fmt.Sprintf("%s must be at least %s characters long", fieldName, ve.Param())
+		case "max":
+			errorMessage = fmt.Sprintf("%s must be at most %s characters long", fieldName, ve.Param())
+		case "urlList":
+			errorMessage = fmt.Sprintf("%s must be a list of valid URLs", fieldName)
+		default:
+			errorMessage = fmt.Sprintf("%s is invalid", fieldName)
+		}
+
+		errorMessages = append(errorMessages, errorMessage)
+	}
+
+	// Join all the error messages into a single string
+	combinedErrors := strings.Join(errorMessages, ", ")
+
+	return combinedErrors
+}
+
+func CustomControllerError(c *gin.Context, statusCode int, message string) {
+	// Capitalize the first letter of the message
+	message = strings.ToUpper(message[:1]) + message[1:]
+	c.JSON(statusCode, gin.H{"error": message})
+}

backend/internal/utils/email/composer.go

@@ -0,0 +1,213 @@
+package email
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+)
+
+const maxLineLength = 78
+const continuePrefix = "    "
+const addressSeparator = ", "
+
+type Composer struct {
+	isClosed bool
+	content  strings.Builder
+}
+
+func NewComposer() *Composer {
+	return &Composer{}
+}
+
+type Address struct {
+	Name  string
+	Email string
+}
+
+func (c *Composer) AddAddressHeader(name string, addresses []Address) {
+	c.content.WriteString(genAddressHeader(name, addresses, maxLineLength))
+	c.content.WriteString("\n")
+}
+
+func genAddressHeader(name string, addresses []Address, maxLength int) string {
+	hl := &headerLine{
+		maxLineLength:  maxLength,
+		continuePrefix: continuePrefix,
+	}
+
+	hl.Write(name)
+	hl.Write(": ")
+
+	for i, addr := range addresses {
+		var email string
+		if i < len(addresses)-1 {
+			email = fmt.Sprintf("<%s>%s", addr.Email, addressSeparator)
+		} else {
+			email = fmt.Sprintf("<%s>", addr.Email)
+		}
+		writeHeaderQ(hl, addr.Name)
+		writeHeaderAtom(hl, " ")
+		writeHeaderAtom(hl, email)
+	}
+	hl.EndLine()
+	return hl.String()
+}
+
+func (c *Composer) AddHeader(name, value string) {
+	if isPrintableASCII(value) && len(value)+len(name)+len(": ") < maxLineLength {
+		c.AddHeaderRaw(name, value)
+		return
+	}
+
+	c.content.WriteString(genHeader(name, value, maxLineLength))
+	c.content.WriteString("\n")
+}
+
+func genHeader(name, value string, maxLength int) string {
+	// add content as raw header when it is printable ASCII and shorter than maxLineLength
+	hl := &headerLine{
+		maxLineLength:  maxLength,
+		continuePrefix: continuePrefix,
+	}
+
+	hl.Write(name)
+	hl.Write(": ")
+	writeHeaderQ(hl, value)
+	hl.EndLine()
+	return hl.String()
+}
+
+const qEncStart = "=?utf-8?q?"
+const qEncEnd = "?="
+
+type headerLine struct {
+	buffer         strings.Builder
+	line           strings.Builder
+	maxLineLength  int
+	continuePrefix string
+}
+
+func (h *headerLine) FitsLine(length int) bool {
+	return h.line.Len()+len(h.continuePrefix)+length+2 < h.maxLineLength
+}
+
+func (h *headerLine) Write(str string) {
+	h.line.WriteString(str)
+}
+
+func (h *headerLine) EndLineWith(str string) {
+	h.line.WriteString(str)
+	h.EndLine()
+}
+
+func (h *headerLine) EndLine() {
+	if h.line.Len() == 0 {
+		return
+	}
+
+	if h.buffer.Len() != 0 {
+		h.buffer.WriteString("\n")
+		h.buffer.WriteString(h.continuePrefix)
+	}
+	h.buffer.WriteString(h.line.String())
+	h.line.Reset()
+}
+
+func (h *headerLine) String() string {
+	return h.buffer.String()
+}
+
+func writeHeaderQ(header *headerLine, value string) {
+
+	// current line does not fit event the first character - do \n
+	if !header.FitsLine(len(qEncStart) + len(convertRunes(value[0:1])[0]) + len(qEncEnd)) {
+		header.EndLineWith("")
+	}
+
+	header.Write(qEncStart)
+
+	for _, token := range convertRunes(value) {
+		if header.FitsLine(len(token) + len(qEncEnd)) {
+			header.Write(token)
+		} else {
+			header.EndLineWith(qEncEnd)
+			header.Write(qEncStart)
+			header.Write(token)
+		}
+	}
+
+	header.Write(qEncEnd)
+}
+
+func writeHeaderAtom(header *headerLine, value string) {
+	if !header.FitsLine(len(value)) {
+		header.EndLine()
+	}
+	header.Write(value)
+}
+
+func (c *Composer) AddHeaderRaw(name, value string) {
+	if c.isClosed {
+		panic("composer had already written body!")
+	}
+	header := fmt.Sprintf("%s: %s\n", name, value)
+	c.content.WriteString(header)
+}
+
+func (c *Composer) Body(body string) {
+	c.content.WriteString("\n")
+	c.content.WriteString(body)
+	c.isClosed = true
+}
+
+func (c *Composer) String() string {
+	return c.content.String()
+}
+
+func convertRunes(str string) []string {
+	var enc = make([]string, 0, len(str))
+	for _, r := range []rune(str) {
+		if r == ' ' {
+			enc = append(enc, "_")
+		} else if isPrintableASCIIRune(r) &&
+			r != '=' &&
+			r != '?' &&
+			r != '_' {
+			enc = append(enc, string(r))
+		} else {
+			enc = append(enc, string(toHex([]byte(string(r)))))
+		}
+	}
+	return enc
+}
+
+func toHex(in []byte) []byte {
+	enc := make([]byte, 0, len(in)*2)
+	for _, b := range in {
+		enc = append(enc, '=')
+		enc = append(enc, hex(b/16))
+		enc = append(enc, hex(b%16))
+	}
+	return enc
+}
+
+func hex(n byte) byte {
+	if n > 9 {
+		return n + (65 - 10)
+	} else {
+		return n + 48
+	}
+}
+
+func isPrintableASCII(str string) bool {
+	for _, r := range []rune(str) {
+		if !unicode.IsPrint(r) || r >= unicode.MaxASCII {
+			return false
+		}
+	}
+	return true
+}
+
+func isPrintableASCIIRune(r rune) bool {
+	return r > 31 && r < 127
+}

backend/internal/utils/email/composer_test.go

@@ -0,0 +1,92 @@
+package email
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestConvertRunes(t *testing.T) {
+	var testData = map[string]string{
+		"=??=_.": "=3D=3F=3F=3D=5F.",
+		"Příšerně žluťoučký kůn úpěl ďábelské ódy 🐎": "P=C5=99=C3=AD=C5=A1ern=C4=9B_=C5=BElu=C5=A5ou=C4=8Dk=C3=BD_k=C5=AFn_=C3=BAp=C4=9Bl_=C4=8F=C3=A1belsk=C3=A9_=C3=B3dy_=F0=9F=90=8E",
+	}
+	for input, expected := range testData {
+		got := strings.Join(convertRunes(input), "")
+		if got != expected {
+			t.Errorf("Input: '%s', expected '%s', got: '%s'", input, expected, got)
+		}
+	}
+}
+
+type genHeaderTestData struct {
+	name     string
+	value    string
+	expected string
+	maxWidth int
+}
+
+func TestGenHeaderQ(t *testing.T) {
+	var testData = []genHeaderTestData{
+		{
+			name:  "Subject",
+			value: "Příšerně žluťoučký kůn úpěl ďábelské ódy 🐎",
+			expected: "Subject: =?utf-8?q?P=C5=99=C3=AD=C5=A1ern=C4=9B_=C5=BElu=C5=A5ou=C4=8Dk?=\n" +
+				"    =?utf-8?q?=C3=BD_k=C5=AFn_=C3=BAp=C4=9Bl_=C4=8F=C3=A1belsk=C3=A9_=C3=B3?=\n" +
+				"    =?utf-8?q?dy_=F0=9F=90=8E?=",
+			maxWidth: 80,
+		},
+	}
+	for _, data := range testData {
+		got := genHeader(data.name, data.value, data.maxWidth)
+		if got != data.expected {
+			t.Errorf("Input: '%s', expected \n===\n%s\n===, got: \n===\n%s\n==='", data.value, data.expected, got)
+		}
+
+	}
+}
+
+type genAddressHeaderTestData struct {
+	name      string
+	addresses []Address
+	expected  string
+	maxLength int
+}
+
+func TestGenAddressHeader(t *testing.T) {
+	var testData = []genAddressHeaderTestData{
+		{
+			name: "To",
+			addresses: []Address{
+				{
+					Name:  "Oldřich Jánský",
+					Email: "olrd@example.com",
+				},
+			},
+			expected:  "To: =?utf-8?q?Old=C5=99ich_J=C3=A1nsk=C3=BD?= <olrd@example.com>",
+			maxLength: 80,
+		},
+		{
+			name: "Subject",
+			addresses: []Address{
+				{
+					Name:  "Oldřich Jánský",
+					Email: "olrd@example.com",
+				},
+				{
+					Name:  "Jan Novák",
+					Email: "novak@example.com",
+				},
+			},
+			expected: "Subject: =?utf-8?q?Old=C5=99ich_J=C3=A1nsk=C3=BD?= <olrd@example.com>, \n" +
+				"    =?utf-8?q?Jan_Nov=C3=A1k?= <novak@example.com>",
+			maxLength: 80,
+		},
+	}
+	for _, data := range testData {
+		got := genAddressHeader(data.name, data.addresses, data.maxLength)
+		if got != data.expected {
+			t.Errorf("Test: '%s', expected \n===\n%s\n===, got: \n===\n%s\n==='", data.name, data.expected, got)
+		}
+
+	}
+}

backend/internal/utils/email/email_service_templates.go

@@ -0,0 +1,97 @@
+package email
+
+import (
+	"fmt"
+	htemplate "html/template"
+	"io/fs"
+	"path"
+	ttemplate "text/template"
+)
+
+const templateComponentsDir = "components"
+
+type Template[V any] struct {
+	Path  string
+	Title func(data *TemplateData[V]) string
+}
+
+type TemplateData[V any] struct {
+	AppName string
+	LogoURL string
+	Data    *V
+}
+
+type TemplateMap[V any] map[string]*V
+
+func GetTemplate[U any, V any](templateMap TemplateMap[U], template Template[V]) *U {
+	return templateMap[template.Path]
+}
+
+type clonable[V pareseable[V]] interface {
+	Clone() (V, error)
+}
+
+type pareseable[V any] interface {
+	ParseFS(fs.FS, ...string) (V, error)
+}
+
+func prepareTemplate[V pareseable[V]](template string, rootTemplate clonable[V], templateDir fs.FS, suffix string) (V, error) {
+	tmpl, err := rootTemplate.Clone()
+	if err != nil {
+		return *new(V), fmt.Errorf("clone root html template: %w", err)
+	}
+
+	filename := fmt.Sprintf("%s%s", template, suffix)
+	_, err = tmpl.ParseFS(templateDir, filename)
+	if err != nil {
+		return *new(V), fmt.Errorf("parsing html template '%s': %w", template, err)
+	}
+
+	return tmpl, nil
+}
+
+func PrepareTextTemplates(templateDir fs.FS, templates []string) (map[string]*ttemplate.Template, error) {
+	components := path.Join(templateComponentsDir, "*_text.tmpl")
+	rootTmpl, err := ttemplate.ParseFS(templateDir, components)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse templates '%s': %w", components, err)
+	}
+
+	var textTemplates = make(map[string]*ttemplate.Template, len(templates))
+	for _, tmpl := range templates {
+		rootTmplClone, err := rootTmpl.Clone()
+		if err != nil {
+			return nil, fmt.Errorf("clone root template: %w", err)
+		}
+
+		textTemplates[tmpl], err = prepareTemplate[*ttemplate.Template](tmpl, rootTmplClone, templateDir, "_text.tmpl")
+		if err != nil {
+			return nil, fmt.Errorf("parse '%s': %w", tmpl, err)
+		}
+	}
+
+	return textTemplates, nil
+}
+
+func PrepareHTMLTemplates(templateDir fs.FS, templates []string) (map[string]*htemplate.Template, error) {
+	components := path.Join(templateComponentsDir, "*_html.tmpl")
+	rootTmpl, err := htemplate.ParseFS(templateDir, components)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse templates '%s': %w", components, err)
+	}
+
+	var htmlTemplates = make(map[string]*htemplate.Template, len(templates))
+	for _, tmpl := range templates {
+		rootTmplClone, err := rootTmpl.Clone()
+		if err != nil {
+			return nil, fmt.Errorf("clone root template: %w", err)
+		}
+
+		htmlTemplates[tmpl], err = prepareTemplate[*htemplate.Template](tmpl, rootTmplClone, templateDir, "_html.tmpl")
+		if err != nil {
+			return nil, fmt.Errorf("parse '%s': %w", tmpl, err)
+		}
+	}
+
+	return htmlTemplates, nil
+}

backend/internal/utils/file_util.go

@@ -38,7 +38,7 @@ func CopyDirectory(srcDir, destDir string) error {
 		srcFilePath := filepath.Join(srcDir, file.Name())
 		destFilePath := filepath.Join(destDir, file.Name())
 
-		err := copyFile(srcFilePath, destFilePath)
+		err := CopyFile(srcFilePath, destFilePath)
 		if err != nil {
 			return err
 		}
@@ -47,7 +47,7 @@ func CopyDirectory(srcDir, destDir string) error {
 	return nil
 }
 
-func copyFile(srcFilePath, destFilePath string) error {
+func CopyFile(srcFilePath, destFilePath string) error {
 	srcFile, err := os.Open(srcFilePath)
 	if err != nil {
 		return err

backend/internal/utils/handler_error_util.go

@@ -1,27 +0,0 @@
-package utils
-
-import (
-	"errors"
-	"github.com/gin-gonic/gin"
-	"gorm.io/gorm"
-	"log"
-	"net/http"
-	"strings"
-)
-
-func UnknownHandlerError(c *gin.Context, err error) {
-	if errors.Is(err, gorm.ErrRecordNotFound) {
-		HandlerError(c, http.StatusNotFound, "Record not found")
-		return
-	} else {
-		log.Println(err)
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
-	}
-
-}
-
-func HandlerError(c *gin.Context, statusCode int, message string) {
-	// Capitalize the first letter of the message
-	message = strings.ToUpper(message[:1]) + message[1:]
-	c.JSON(statusCode, gin.H{"error": message})
-}

backend/internal/utils/paging_util.go

@@ -8,6 +8,7 @@ type PaginationResponse struct {
 	TotalPages   int64 `json:"totalPages"`
 	TotalItems   int64 `json:"totalItems"`
 	CurrentPage  int   `json:"currentPage"`
+	ItemsPerPage int   `json:"itemsPerPage"`
 }
 
 func Paginate(page int, pageSize int, db *gorm.DB, result interface{}) (PaginationResponse, error) {
@@ -36,5 +37,6 @@ func Paginate(page int, pageSize int, db *gorm.DB, result interface{}) (Paginati
 		TotalPages:   (totalItems + int64(pageSize) - 1) / int64(pageSize),
 		TotalItems:   totalItems,
 		CurrentPage:  page,
+		ItemsPerPage: pageSize,
 	}, nil
 }

backend/migrations/20240731203656_init.up.sql

@@ -57,7 +57,7 @@ CREATE TABLE webauthn_credentials
     credential_id    TEXT NOT NULL UNIQUE,
     public_key       BLOB NOT NULL,
     attestation_type TEXT NOT NULL,
-    transport        TEXT NOT NULL,
+    transport        BLOB NOT NULL,
     user_id          TEXT REFERENCES users
 );
 

backend/migrations/20240820205521_multiple_callback_urls.down.sql

@@ -0,0 +1,23 @@
+create table oidc_clients
+(
+    id            TEXT not null primary key,
+    created_at    DATETIME,
+    name          TEXT,
+    secret        TEXT,
+    callback_url  TEXT,
+    image_type    TEXT,
+    created_by_id TEXT
+        references users
+);
+
+insert into oidc_clients(id, created_at, name, secret, callback_url, image_type, created_by_id)
+select id,
+       created_at,
+       name,
+       secret,
+       json_extract(callback_urls, '$[0]'),
+       image_type,
+       created_by_id
+from oidc_clients_dg_tmp;
+
+drop table oidc_clients_dg_tmp;

backend/migrations/20240820205521_multiple_callback_urls.up.sql

@@ -0,0 +1,26 @@
+create table oidc_clients_dg_tmp
+(
+    id            TEXT not null primary key,
+    created_at    DATETIME,
+    name          TEXT,
+    secret        TEXT,
+    callback_urls BLOB,
+    image_type    TEXT,
+    created_by_id TEXT
+        references users
+);
+
+insert into oidc_clients_dg_tmp(id, created_at, name, secret, callback_urls, image_type, created_by_id)
+select id,
+       created_at,
+       name,
+       secret,
+       CAST('["' || callback_url || '"]' AS BLOB),
+       image_type,
+       created_by_id
+from oidc_clients;
+
+drop table oidc_clients;
+
+alter table oidc_clients_dg_tmp
+    rename to oidc_clients;

backend/migrations/20240908123031_audit_log.down.sql

@@ -0,0 +1 @@
+DROP TABLE audit_logs;

backend/migrations/20240908123031_audit_log.up.sql

@@ -0,0 +1,10 @@
+CREATE TABLE audit_logs
+(
+    id               TEXT NOT NULL PRIMARY KEY,
+    created_at       DATETIME,
+    event            TEXT NOT NULL,
+    ip_address       TEXT NOT NULL,
+    user_agent       TEXT NOT NULL,
+    data             BLOB NOT NULL,
+    user_id          TEXT REFERENCES users
+);

backend/migrations/20240924202721_user_groups.down.sql

@@ -0,0 +1,2 @@
+DROP TABLE user_groups;
+DROP TABLE user_groups_users;

backend/migrations/20240924202721_user_groups.up.sql

@@ -0,0 +1,16 @@
+CREATE TABLE user_groups
+(
+    id           TEXT NOT NULL PRIMARY KEY,
+    created_at   DATETIME,
+    friendly_name TEXT NOT NULL,
+    name        TEXT NOT NULL UNIQUE
+);
+
+CREATE TABLE user_groups_users
+(
+    user_id  TEXT NOT NULL,
+    user_group_id TEXT NOT NULL,
+    PRIMARY KEY (user_id, user_group_id),
+    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
+);

backend/migrations/20241004092030_audit_log_location.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE audit_logs DROP COLUMN country;
+ALTER TABLE audit_logs DROP COLUMN city;

backend/migrations/20241004092030_audit_log_location.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE audit_logs ADD COLUMN country TEXT;
+ALTER TABLE audit_logs ADD COLUMN city TEXT;

docs/proxy-services.md

@@ -0,0 +1,81 @@
+# Proxy Services through Pocket ID
+
+The goal of Pocket ID is to stay simple. Because of that we don't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/) to add authentication to your services that don't support OIDC. This guide will show you how to set up OAuth2 Proxy with Pocket ID.
+
+## Docker Setup
+
+#### 1. Add OAuth2 proxy to the service that should be proxied.
+
+To configure OAuth2 Proxy with Pocket ID, you have to add the following service to the service that should be proxied. E.g., [Uptime Kuma](https://github.com/louislam/uptime-kuma) should be proxied, you can add the following service to the `docker-compose.yml` of Uptime Kuma:
+
+```yaml
+# Example with Uptime Kuma
+# uptime-kuma:
+#  image: louislam/uptime-kuma
+oauth2-proxy:
+  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+  command: --config /oauth2-proxy.cfg
+  volumes:
+    - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
+  ports:
+    - 4180:4180
+```
+
+#### 2. Create a new OIDC client in Pocket ID.
+
+Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. After adding the client, you will obtain the client ID and client secret.
+
+#### 3. Create a configuration file for OAuth2 Proxy.
+
+Create a configuration file named `oauth2-proxy.cfg` in the same directory as your `docker-compose.yml` file of the service that should be proxied (e.g. Uptime Kuma). This file will contain the necessary configurations for OAuth2 Proxy to work with Pocket ID.
+
+Here is the recommend `oauth2-proxy.cfg` configuration:
+
+```cfg
+# Replace with your own credentials
+client_id="client-id-from-pocket-id"
+client_secret="client-secret-from-pocket-id"
+oidc_issuer_url="https://<your-pocket-id-domain>"
+
+# Replace with a secure random string
+cookie_secret="random-string"
+
+# Upstream servers (e.g http://uptime-kuma:3001)
+upstreams="http://<service-to-be-proxied>:<port>"
+
+# Additional Configuration
+provider="oidc"
+scope = "openid email profile"
+
+# If you are using a reverse proxy in front of OAuth2 Proxy
+reverse_proxy = true
+
+# Email domains allowed for authentication
+email_domains = ["*"]
+
+# If you are using HTTPS
+cookie_secure="true"
+
+# Listen on all interfaces
+http_address="0.0.0.0:4180"
+```
+
+For additional configuration options, refer to the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview).
+
+#### 4. Start the services.
+
+After creating the configuration file, you can start the services using Docker Compose:
+
+```bash
+docker compose up -d
+```
+
+#### 5. Access the service.
+
+You can now access the service through OAuth2 Proxy by visiting `http://localhost:4180`.
+
+## Standalone Installation
+
+Setting up OAuth2 Proxy with Pocket ID without Docker is similar to the Docker setup. As the setup depends on your environment, you have to adjust the steps accordingly but is should be similar to the Docker setup.
+
+You can visit the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/installation) for more information.

frontend/package.json

@@ -12,46 +12,46 @@
     "format": "prettier --write ."
   },
   "devDependencies": {
-    "@playwright/test": "^1.46.0",
-    "@sveltejs/adapter-auto": "^3.0.0",
-    "@sveltejs/adapter-node": "^5.2.0",
-    "@sveltejs/kit": "^2.0.0",
-    "@sveltejs/vite-plugin-svelte": "^3.0.0",
-    "@types/eslint": "^8.56.7",
+    "@playwright/test": "^1.46.1",
+    "@sveltejs/adapter-auto": "^3.2.4",
+    "@sveltejs/adapter-node": "^5.2.2",
+    "@sveltejs/kit": "^2.5.24",
+    "@sveltejs/vite-plugin-svelte": "^3.1.2",
+    "@types/eslint": "^9.6.0",
     "@types/jsonwebtoken": "^9.0.6",
-    "@types/node": "^22.1.0",
-    "autoprefixer": "^10.4.19",
+    "@types/node": "^22.5.0",
+    "autoprefixer": "^10.4.20",
     "cbor-js": "^0.1.0",
-    "eslint": "^9.0.0",
+    "eslint": "^9.9.1",
     "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-svelte": "^2.36.0",
-    "globals": "^15.0.0",
-    "postcss": "^8.4.38",
-    "prettier": "^3.1.1",
-    "prettier-plugin-svelte": "^3.1.2",
-    "prettier-plugin-tailwindcss": "^0.6.4",
+    "eslint-plugin-svelte": "^2.40.0",
+    "globals": "^15.9.0",
+    "postcss": "^8.4.41",
+    "prettier": "^3.3.3",
+    "prettier-plugin-svelte": "^3.2.6",
+    "prettier-plugin-tailwindcss": "^0.6.6",
     "svelte": "^5.0.0-next.1",
-    "svelte-check": "^3.6.0",
-    "tailwindcss": "^3.4.4",
-    "tslib": "^2.4.1",
-    "typescript": "^5.0.0",
-    "typescript-eslint": "^8.0.0-alpha.20",
-    "vite": "^5.0.3"
+    "svelte-check": "^3.8.6",
+    "tailwindcss": "^3.4.10",
+    "tslib": "^2.7.0",
+    "typescript": "^5.5.4",
+    "typescript-eslint": "^8.2.0",
+    "vite": "^5.4.2"
   },
   "type": "module",
   "dependencies": {
     "@simplewebauthn/browser": "^10.0.0",
-    "axios": "^1.7.2",
-    "bits-ui": "^0.21.12",
+    "axios": "^1.7.5",
+    "bits-ui": "^0.21.15",
     "clsx": "^2.1.1",
     "crypto": "^1.0.1",
     "formsnap": "^1.0.1",
     "jsonwebtoken": "^9.0.2",
-    "lucide-svelte": "^0.399.0",
+    "lucide-svelte": "^0.435.0",
     "mode-watcher": "^0.4.1",
     "svelte-sonner": "^0.3.27",
-    "sveltekit-superforms": "^2.16.1",
-    "tailwind-merge": "^2.3.0",
+    "sveltekit-superforms": "^2.17.0",
+    "tailwind-merge": "^2.5.2",
     "tailwind-variants": "^0.2.1",
     "zod": "^3.23.8"
   }

frontend/src/app.css

@@ -98,15 +98,3 @@
 		src: url('/fonts/PlayfairDisplay-Bold.woff') format('woff');
 	}
 }
-@layer components {
-	.application-images-grid {
-		@apply flex flex-wrap justify-between gap-x-5 gap-y-8;
-	}
-
-	@media (max-width: 1127px) {
-		.application-images-grid {
-			justify-content: flex-start;
-			@apply gap-x-20;
-		}
-	}
-}

frontend/src/lib/components/advanced-table.svelte

@@ -0,0 +1,154 @@
+<script lang="ts" generics="T extends {id:string}">
+	import Checkbox from '$lib/components/ui/checkbox/checkbox.svelte';
+	import { Input } from '$lib/components/ui/input/index.js';
+	import * as Pagination from '$lib/components/ui/pagination';
+	import * as Select from '$lib/components/ui/select';
+	import * as Table from '$lib/components/ui/table/index.js';
+	import type { Paginated } from '$lib/types/pagination.type';
+	import { debounced } from '$lib/utils/debounce-util';
+	import type { Snippet } from 'svelte';
+
+	let {
+		items,
+		selectedIds = $bindable(),
+		fetchItems,
+		columns,
+		rows
+	}: {
+		items: Paginated<T>;
+		selectedIds?: string[];
+		fetchItems: (search: string, page: number, limit: number) => Promise<Paginated<T>>;
+		columns: (string | { label: string; hidden?: boolean })[];
+		rows: Snippet<[{ item: T }]>;
+	} = $props();
+
+	let availablePageSizes: number[] = [10, 20, 50, 100];
+
+	let allChecked = $derived.by(() => {
+		if (!selectedIds || items.data.length === 0) return false;
+		for (const item of items.data) {
+			if (!selectedIds.includes(item.id)) {
+				return false;
+			}
+		}
+		return true;
+	});
+
+	const onSearch = debounced(async (searchValue: string) => {
+		items = await fetchItems(searchValue, 1, items.pagination.itemsPerPage);
+	}, 300);
+
+	async function onAllCheck(checked: boolean) {
+		if (checked) {
+			selectedIds = items.data.map((item) => item.id);
+		} else {
+			selectedIds = [];
+		}
+	}
+
+	async function onCheck(checked: boolean, id: string) {
+		if (!selectedIds) return;
+		if (checked) {
+			selectedIds = [...selectedIds, id];
+		} else {
+			selectedIds = selectedIds.filter((selectedId) => selectedId !== id);
+		}
+	}
+
+	async function onPageChange(page: number) {
+		items = await fetchItems('', page, items.pagination.itemsPerPage);
+	}
+
+	async function onPageSizeChange(size: number) {
+		items = await fetchItems('', 1, size);
+	}
+</script>
+
+<div class="w-full">
+	<Input
+		class="mb-4 max-w-sm"
+		placeholder={'Search...'}
+		type="text"
+		oninput={(e) => onSearch((e.target as HTMLInputElement).value)}
+	/>
+	<Table.Root>
+		<Table.Header>
+			<Table.Row>
+				{#if selectedIds}
+					<Table.Head>
+						<Checkbox checked={allChecked} onCheckedChange={(c) => onAllCheck(c as boolean)} />
+					</Table.Head>
+				{/if}
+				{#each columns as column}
+					{#if typeof column === 'string'}
+						<Table.Head>{column}</Table.Head>
+					{:else}
+						<Table.Head class={column.hidden ? 'sr-only' : ''}>{column.label}</Table.Head>
+					{/if}
+				{/each}
+			</Table.Row>
+		</Table.Header>
+		<Table.Body>
+			{#each items.data as item}
+				<Table.Row class={selectedIds?.includes(item.id) ? 'bg-muted/20' : ''}>
+					{#if selectedIds}
+						<Table.Cell>
+							<Checkbox
+								checked={selectedIds.includes(item.id)}
+								onCheckedChange={(c) => onCheck(c as boolean, item.id)}
+							/>
+						</Table.Cell>
+					{/if}
+					{@render rows({ item })}
+				</Table.Row>
+			{/each}
+		</Table.Body>
+	</Table.Root>
+	<div class="mt-5 flex items-center justify-between space-x-2">
+		<div class="flex items-center space-x-2">
+			<p class="text-sm font-medium">Items per page</p>
+			<Select.Root
+				selected={{
+					label: items.pagination.itemsPerPage.toString(),
+					value: items.pagination.itemsPerPage
+				}}
+				onSelectedChange={(v) => onPageSizeChange(v?.value as number)}
+			>
+				<Select.Trigger class="h-9 w-[80px]">
+					<Select.Value>{items.pagination.itemsPerPage}</Select.Value>
+				</Select.Trigger>
+				<Select.Content>
+					{#each availablePageSizes as size}
+						<Select.Item value={size}>{size}</Select.Item>
+					{/each}
+				</Select.Content>
+			</Select.Root>
+		</div>
+		<Pagination.Root
+			class="mx-0 w-auto"
+			count={items.pagination.totalItems}
+			perPage={items.pagination.itemsPerPage}
+			{onPageChange}
+			page={items.pagination.currentPage}
+			let:pages
+		>
+			<Pagination.Content class="flex justify-end">
+				<Pagination.Item>
+					<Pagination.PrevButton />
+				</Pagination.Item>
+				{#each pages as page (page.key)}
+					{#if page.type !== 'ellipsis'}
+						<Pagination.Item>
+							<Pagination.Link {page} isActive={items.pagination.currentPage === page.value}>
+								{page.value}
+							</Pagination.Link>
+						</Pagination.Item>
+					{/if}
+				{/each}
+				<Pagination.Item>
+					<Pagination.NextButton />
+				</Pagination.Item>
+			</Pagination.Content>
+		</Pagination.Root>
+	</div>
+</div>

frontend/src/lib/components/copy-to-clipboard.svelte

@@ -0,0 +1,41 @@
+<script lang="ts">
+	import * as Tooltip from '$lib/components/ui/tooltip';
+	import { LucideCheck } from 'lucide-svelte';
+	import type { Snippet } from 'svelte';
+
+	let { value, children }: { value: string; children: Snippet } = $props();
+
+	let open = $state(false);
+	let copied = $state(false);
+
+	function onClick() {
+		open = true;
+		copyToClipboard();
+	}
+
+	function onOpenChange(state: boolean) {
+		open = state;
+		if (!state) {
+			copied = false;
+		}
+	}
+
+	function copyToClipboard() {
+		navigator.clipboard.writeText(value);
+		copied = true;
+		setTimeout(() => onOpenChange(false), 1000);
+	}
+</script>
+
+<button onclick={onClick}>
+	<Tooltip.Root closeOnPointerDown={false} {onOpenChange} {open}>
+		<Tooltip.Trigger>{@render children()}</Tooltip.Trigger>
+		<Tooltip.Content onclick={copyToClipboard}>
+			{#if copied}
+				<span class="flex items-center"><LucideCheck class="mr-1 h-4 w-4" /> Copied</span>
+			{:else}
+				<span>Click to copy</span>
+			{/if}
+		</Tooltip.Content>
+	</Tooltip.Root>
+</button>

frontend/src/lib/components/form-input.svelte

@@ -2,36 +2,44 @@
 	import { Label } from '$lib/components/ui/label';
 	import type { FormInput } from '$lib/utils/form-util';
 	import type { Snippet } from 'svelte';
-	import { Input } from './ui/input';
+	import type { HTMLAttributes } from 'svelte/elements';
+	import { Input, type FormInputEvent } from './ui/input';
 
 	let {
 		input = $bindable(),
 		label,
 		description,
-		children
-	}: {
-		input: FormInput<string | boolean | number>;
+		disabled = false,
+		type = 'text',
+		children,
+		onInput,
+		...restProps
+	}: HTMLAttributes<HTMLDivElement> & {
+		input?: FormInput<string | boolean | number>;
 		label: string;
 		description?: string;
+		disabled?: boolean;
+		type?: 'text' | 'password' | 'email' | 'number' | 'checkbox';
+		onInput?: (e: FormInputEvent) => void;
 		children?: Snippet;
 	} = $props();
 
 	const id = label.toLowerCase().replace(/ /g, '-');
 </script>
 
-<div>
+<div {...restProps}>
 	<Label class="mb-0" for={id}>{label}</Label>
 	{#if description}
-		<p class="text-muted-foreground text-xs mt-1">{description}</p>
+		<p class="text-muted-foreground mt-1 text-xs">{description}</p>
 	{/if}
 	<div class="mt-2">
 		{#if children}
 			{@render children()}
-		{:else}
-			<Input {id} bind:value={input.value} />
+		{:else if input}
+			<Input {id} {type} bind:value={input.value} {disabled} on:input={(e) => onInput?.(e)} />
 		{/if}
-		{#if input.error}
-			<p class="text-sm text-red-500">{input.error}</p>
+		{#if input?.error}
+			<p class="mt-1 text-sm text-red-500">{input.error}</p>
 		{/if}
 	</div>
 </div>

frontend/src/lib/components/header/header-avatar.svelte

@@ -3,6 +3,7 @@
 	import * as DropdownMenu from '$lib/components/ui/dropdown-menu';
 	import WebAuthnService from '$lib/services/webauthn-service';
 	import userStore from '$lib/stores/user-store';
+	import { createSHA256hash } from '$lib/utils/crypto-util';
 	import { LucideLogOut, LucideUser } from 'lucide-svelte';
 
 	const webauthnService = new WebAuthnService();
@@ -11,6 +12,13 @@
 		($userStore!.firstName.charAt(0) + $userStore!.lastName?.charAt(0)).toUpperCase()
 	);
 
+	let gravatarURL: string | undefined = $state();
+	if ($userStore) {
+		createSHA256hash($userStore.email).then((email) => {
+			gravatarURL = `https://www.gravatar.com/avatar/${email}?d=404`;
+		});
+	}
+
 	async function logout() {
 		await webauthnService.logout();
 		window.location.reload();
@@ -19,11 +27,12 @@
 
 <DropdownMenu.Root>
 	<DropdownMenu.Trigger
-		><Avatar.Root>
+		><Avatar.Root class="h-9 w-9">
+			<Avatar.Image src={gravatarURL} />
 			<Avatar.Fallback>{initials}</Avatar.Fallback>
 		</Avatar.Root></DropdownMenu.Trigger
 	>
-	<DropdownMenu.Content class="w-40" align="start">
+	<DropdownMenu.Content class="min-w-40" align="start">
 		<DropdownMenu.Label class="font-normal">
 			<div class="flex flex-col space-y-1">
 				<p class="text-sm font-medium leading-none">

frontend/src/lib/components/header/header.svelte

@@ -1,22 +1,27 @@
 <script lang="ts">
 	import { page } from '$app/stores';
-	import applicationConfigurationStore from '$lib/stores/application-configuration-store';
+	import appConfigStore from '$lib/stores/application-configuration-store';
 	import userStore from '$lib/stores/user-store';
 	import Logo from '../logo.svelte';
 	import HeaderAvatar from './header-avatar.svelte';
 
 	let isAuthPage = $derived(
-		!$page.error && ($page.url.pathname.startsWith('/authorize') || $page.url.pathname.startsWith('/login'))
+		!$page.error &&
+			($page.url.pathname.startsWith('/authorize') || $page.url.pathname.startsWith('/login'))
 	);
 </script>
 
 <div class=" w-full {isAuthPage ? 'absolute top-0 z-10 mt-4' : 'border-b'}">
-	<div class="mx-auto flex w-full max-w-[1520px] items-center justify-between px-4 md:px-10">
+	<div
+		class="{!isAuthPage
+			? 'max-w-[1640px]'
+			: ''} mx-auto flex w-full items-center justify-between px-4 md:px-10"
+	>
 		<div class="flex h-16 items-center">
 			{#if !isAuthPage}
 				<Logo class="mr-3 h-10 w-10" />
 				<h1 class="text-lg font-medium" data-testid="application-name">
-					{$applicationConfigurationStore.appName}
+					{$appConfigStore.appName}
 				</h1>
 			{/if}
 		</div>

frontend/src/lib/components/logo.svelte

@@ -1 +1,10 @@
-<img class={$$restProps.class} src="/api/application-configuration/logo" alt="Logo" />
+<script lang="ts">
+	import { mode } from 'mode-watcher';
+	import type { HTMLAttributes } from 'svelte/elements';
+
+	let { ...props }: HTMLAttributes<HTMLImageElement> = $props();
+
+	const isDarkMode = $derived($mode === 'dark');
+</script>
+
+<img {...props} src="/api/application-configuration/logo?light={!isDarkMode}" alt="Logo" />

frontend/src/lib/components/ui/select/index.ts

@@ -0,0 +1,34 @@
+import { Select as SelectPrimitive } from "bits-ui";
+
+import Label from "./select-label.svelte";
+import Item from "./select-item.svelte";
+import Content from "./select-content.svelte";
+import Trigger from "./select-trigger.svelte";
+import Separator from "./select-separator.svelte";
+
+const Root = SelectPrimitive.Root;
+const Group = SelectPrimitive.Group;
+const Input = SelectPrimitive.Input;
+const Value = SelectPrimitive.Value;
+
+export {
+	Root,
+	Group,
+	Input,
+	Label,
+	Item,
+	Value,
+	Content,
+	Trigger,
+	Separator,
+	//
+	Root as Select,
+	Group as SelectGroup,
+	Input as SelectInput,
+	Label as SelectLabel,
+	Item as SelectItem,
+	Value as SelectValue,
+	Content as SelectContent,
+	Trigger as SelectTrigger,
+	Separator as SelectSeparator,
+};

frontend/src/lib/components/ui/select/select-content.svelte

@@ -0,0 +1,39 @@
+<script lang="ts">
+	import { Select as SelectPrimitive } from "bits-ui";
+	import { scale } from "svelte/transition";
+	import { cn, flyAndScale } from "$lib/utils/style.js";
+
+	type $$Props = SelectPrimitive.ContentProps;
+	type $$Events = SelectPrimitive.ContentEvents;
+
+	export let sideOffset: $$Props["sideOffset"] = 4;
+	export let inTransition: $$Props["inTransition"] = flyAndScale;
+	export let inTransitionConfig: $$Props["inTransitionConfig"] = undefined;
+	export let outTransition: $$Props["outTransition"] = scale;
+	export let outTransitionConfig: $$Props["outTransitionConfig"] = {
+		start: 0.95,
+		opacity: 0,
+		duration: 50,
+	};
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<SelectPrimitive.Content
+	{inTransition}
+	{inTransitionConfig}
+	{outTransition}
+	{outTransitionConfig}
+	{sideOffset}
+	class={cn(
+		"bg-popover text-popover-foreground relative z-50 min-w-[8rem] overflow-hidden rounded-md border shadow-md outline-none",
+		className
+	)}
+	{...$$restProps}
+	on:keydown
+>
+	<div class="w-full p-1">
+		<slot />
+	</div>
+</SelectPrimitive.Content>

frontend/src/lib/components/ui/select/select-item.svelte

@@ -0,0 +1,40 @@
+<script lang="ts">
+	import Check from "lucide-svelte/icons/check";
+	import { Select as SelectPrimitive } from "bits-ui";
+	import { cn } from "$lib/utils/style.js";
+
+	type $$Props = SelectPrimitive.ItemProps;
+	type $$Events = SelectPrimitive.ItemEvents;
+
+	let className: $$Props["class"] = undefined;
+	export let value: $$Props["value"];
+	export let label: $$Props["label"] = undefined;
+	export let disabled: $$Props["disabled"] = undefined;
+	export { className as class };
+</script>
+
+<SelectPrimitive.Item
+	{value}
+	{disabled}
+	{label}
+	class={cn(
+		"data-[highlighted]:bg-accent data-[highlighted]:text-accent-foreground relative flex w-full cursor-default select-none items-center rounded-sm py-1.5 pl-8 pr-2 text-sm outline-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50",
+		className
+	)}
+	{...$$restProps}
+	on:click
+	on:keydown
+	on:focusin
+	on:focusout
+	on:pointerleave
+	on:pointermove
+>
+	<span class="absolute left-2 flex h-3.5 w-3.5 items-center justify-center">
+		<SelectPrimitive.ItemIndicator>
+			<Check class="h-4 w-4" />
+		</SelectPrimitive.ItemIndicator>
+	</span>
+	<slot>
+		{label || value}
+	</slot>
+</SelectPrimitive.Item>

frontend/src/lib/components/ui/select/select-label.svelte

@@ -0,0 +1,16 @@
+<script lang="ts">
+	import { Select as SelectPrimitive } from "bits-ui";
+	import { cn } from "$lib/utils/style.js";
+
+	type $$Props = SelectPrimitive.LabelProps;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<SelectPrimitive.Label
+	class={cn("py-1.5 pl-8 pr-2 text-sm font-semibold", className)}
+	{...$$restProps}
+>
+	<slot />
+</SelectPrimitive.Label>

frontend/src/lib/components/ui/select/select-separator.svelte

@@ -0,0 +1,11 @@
+<script lang="ts">
+	import { Select as SelectPrimitive } from "bits-ui";
+	import { cn } from "$lib/utils/style.js";
+
+	type $$Props = SelectPrimitive.SeparatorProps;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<SelectPrimitive.Separator class={cn("bg-muted -mx-1 my-1 h-px", className)} {...$$restProps} />

frontend/src/lib/components/ui/select/select-trigger.svelte

@@ -0,0 +1,27 @@
+<script lang="ts">
+	import { Select as SelectPrimitive } from "bits-ui";
+	import ChevronDown from "lucide-svelte/icons/chevron-down";
+	import { cn } from "$lib/utils/style.js";
+
+	type $$Props = SelectPrimitive.TriggerProps;
+	type $$Events = SelectPrimitive.TriggerEvents;
+
+	let className: $$Props["class"] = undefined;
+	export { className as class };
+</script>
+
+<SelectPrimitive.Trigger
+	class={cn(
+		"border-input bg-background ring-offset-background focus-visible:ring-ring aria-[invalid]:border-destructive data-[placeholder]:[&>span]:text-muted-foreground flex h-10 w-full items-center justify-between rounded-md border px-3 py-2 text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 [&>span]:line-clamp-1",
+		className
+	)}
+	{...$$restProps}
+	let:builder
+	on:click
+	on:keydown
+>
+	<slot {builder} />
+	<div>
+		<ChevronDown class="h-4 w-4 opacity-50" />
+	</div>
+</SelectPrimitive.Trigger>

frontend/src/lib/components/ui/table/table-row.svelte

@@ -12,7 +12,7 @@
 
 <tr
 	class={cn(
-		"border-b transition-colors hover:bg-muted/50 data-[state=selected]:bg-muted",
+		"border-b transition-colors data-[state=selected]:bg-muted",
 		className
 	)}
 	{...$$restProps}

frontend/src/lib/components/ui/tooltip/index.ts

@@ -0,0 +1,15 @@
+import { Tooltip as TooltipPrimitive } from "bits-ui";
+import Content from "./tooltip-content.svelte";
+
+const Root = TooltipPrimitive.Root;
+const Trigger = TooltipPrimitive.Trigger;
+
+export {
+	Root,
+	Trigger,
+	Content,
+	//
+	Root as Tooltip,
+	Content as TooltipContent,
+	Trigger as TooltipTrigger,
+};

frontend/src/lib/components/ui/tooltip/tooltip-content.svelte

@@ -0,0 +1,28 @@
+<script lang="ts">
+	import { Tooltip as TooltipPrimitive } from "bits-ui";
+	import { cn, flyAndScale } from "$lib/utils/style.js";
+
+	type $$Props = TooltipPrimitive.ContentProps;
+
+	let className: $$Props["class"] = undefined;
+	export let sideOffset: $$Props["sideOffset"] = 4;
+	export let transition: $$Props["transition"] = flyAndScale;
+	export let transitionConfig: $$Props["transitionConfig"] = {
+		y: 8,
+		duration: 150,
+	};
+	export { className as class };
+</script>
+
+<TooltipPrimitive.Content
+	{transition}
+	{transitionConfig}
+	{sideOffset}
+	class={cn(
+		"bg-popover text-popover-foreground z-50 overflow-hidden rounded-md border px-3 py-1.5 text-sm shadow-md",
+		className
+	)}
+	{...$$restProps}
+>
+	<slot />
+</TooltipPrimitive.Content>

frontend/src/lib/services/api-service.ts

@@ -13,7 +13,7 @@ abstract class APIService {
 		if (browser) {
 			this.api.defaults.baseURL = '/api';
 		} else {
-			this.api.defaults.baseURL = process?.env?.INTERNAL_BACKEND_URL + '/api';
+			this.api.defaults.baseURL = process!.env!.INTERNAL_BACKEND_URL + '/api';
 		}
 	}
 }

frontend/src/lib/services/app-config-service.ts

@@ -1,29 +1,26 @@
-import type {
-	AllApplicationConfiguration,
-	ApplicationConfigurationRawResponse
-} from '$lib/types/application-configuration';
+import type { AllAppConfig, AppConfigRawResponse } from '$lib/types/application-configuration';
 import APIService from './api-service';
 
-export default class ApplicationConfigurationService extends APIService {
+export default class AppConfigService extends APIService {
 	async list(showAll = false) {
 		let url = '/application-configuration';
 		if (showAll) {
 			url += '/all';
 		}
 
-		const { data } = await this.api.get<ApplicationConfigurationRawResponse>(url);
+		const { data } = await this.api.get<AppConfigRawResponse>(url);
 
-		const applicationConfiguration: Partial<AllApplicationConfiguration> = {};
+		const appConfig: Partial<AllAppConfig> = {};
 		data.forEach(({ key, value }) => {
-			(applicationConfiguration as any)[key] = value;
+			(appConfig as any)[key] = value;
 		});
 
-		return applicationConfiguration as AllApplicationConfiguration;
+		return appConfig as AllAppConfig;
 	}
 
-	async update(applicationConfiguration: AllApplicationConfiguration) {
-		const res = await this.api.put('/application-configuration', applicationConfiguration);
-		return res.data as AllApplicationConfiguration;
+	async update(appConfig: AllAppConfig) {
+		const res = await this.api.put('/application-configuration', appConfig);
+		return res.data as AllAppConfig;
 	}
 
 	async updateFavicon(favicon: File) {
@@ -33,11 +30,13 @@ export default class ApplicationConfigurationService extends APIService {
 		await this.api.put(`/application-configuration/favicon`, formData);
 	}
 
-	async updateLogo(logo: File) {
+	async updateLogo(logo: File, light = true) {
 		const formData = new FormData();
 		formData.append('file', logo!);
 
-		await this.api.put(`/application-configuration/logo`, formData);
+		await this.api.put(`/application-configuration/logo`, formData, {
+			params: { light }
+		});
 	}
 
 	async updateBackgroundImage(backgroundImage: File) {

frontend/src/lib/services/audit-log-service.ts

@@ -0,0 +1,14 @@
+import type { AuditLog } from '$lib/types/audit-log.type';
+import type { Paginated, PaginationRequest } from '$lib/types/pagination.type';
+import APIService from './api-service';
+
+class AuditLogService extends APIService {
+	async list(pagination?: PaginationRequest) {
+		const res = await this.api.get('/audit-logs', {
+			params: pagination
+		});
+		return res.data as Paginated<AuditLog>;
+	}
+}
+
+export default AuditLogService;

frontend/src/lib/services/oidc-service.ts

@@ -1,37 +1,35 @@
-import type { OidcClient, OidcClientCreate } from '$lib/types/oidc.type';
+import type { AuthorizeResponse, OidcClient, OidcClientCreate } from '$lib/types/oidc.type';
 import type { Paginated, PaginationRequest } from '$lib/types/pagination.type';
 import APIService from './api-service';
 
 class OidcService extends APIService {
-	async authorize(clientId: string, scope: string, nonce?: string) {
+	async authorize(clientId: string, scope: string, callbackURL: string, nonce?: string) {
 		const res = await this.api.post('/oidc/authorize', {
 			scope,
 			nonce,
+			callbackURL,
 			clientId
 		});
 
-		return res.data.code as string;
+		return res.data as AuthorizeResponse;
 	}
 
-	async authorizeNewClient(clientId: string, scope: string, nonce?: string) {
+	async authorizeNewClient(clientId: string, scope: string, callbackURL: string, nonce?: string) {
 		const res = await this.api.post('/oidc/authorize/new-client', {
 			scope,
 			nonce,
+			callbackURL,
 			clientId
 		});
 
-		return res.data.code as string;
+		return res.data as AuthorizeResponse;
 	}
 
 	async listClients(search?: string, pagination?: PaginationRequest) {
-		const page = pagination?.page || 1;
-		const limit = pagination?.limit || 10;
-
 		const res = await this.api.get('/oidc/clients', {
 			params: {
 				search,
-				page,
-				limit
+				...pagination
 			}
 		});
 		return res.data as Paginated<OidcClient>;

frontend/src/lib/services/user-group-service.ts

@@ -0,0 +1,43 @@
+import type { Paginated, PaginationRequest } from '$lib/types/pagination.type';
+import type {
+	UserGroupCreate,
+	UserGroupWithUserCount,
+	UserGroupWithUsers
+} from '$lib/types/user-group.type';
+import APIService from './api-service';
+
+export default class UserGroupService extends APIService {
+	async list(search?: string, pagination?: PaginationRequest) {
+		const res = await this.api.get('/user-groups', {
+			params: {
+				search,
+				...pagination
+			}
+		});
+		return res.data as Paginated<UserGroupWithUserCount>;
+	}
+
+	async get(id: string) {
+		const res = await this.api.get(`/user-groups/${id}`);
+		return res.data as UserGroupWithUsers;
+	}
+
+	async create(user: UserGroupCreate) {
+		const res = await this.api.post('/user-groups', user);
+		return res.data as UserGroupWithUsers;
+	}
+
+	async update(id: string, user: UserGroupCreate) {
+		const res = await this.api.put(`/user-groups/${id}`, user);
+		return res.data as UserGroupWithUsers;
+	}
+
+	async remove(id: string) {
+		await this.api.delete(`/user-groups/${id}`);
+	}
+
+	async updateUsers(id: string, userIds: string[]) {
+		const res = await this.api.put(`/user-groups/${id}/users`, { userIds });
+		return res.data as UserGroupWithUsers;
+	}
+}