release: 0.29.0

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.env.example

@@ -1,4 +1,4 @@
-# See the README for more information: https://github.com/stonith404/pocket-id?tab=readme-ov-file#environment-variables
+# See the README for more information: https://github.com/pocket-id/pocket-id?tab=readme-ov-file#environment-variables
 PUBLIC_APP_URL=http://localhost
 TRUST_PROXY=false
 MAXMIND_LICENSE_KEY=

.github/workflows/deploy-docs.yml

@@ -0,0 +1,51 @@
+name: Deploy Docs
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "docs/**"
+
+jobs:
+  build:
+    name: Build Docusaurus
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: "npm"
+          cache-dependency-path: docs/package-lock.json
+
+      - name: Install dependencies
+        run: npm install
+        working-directory: ./docs
+
+      - name: Build website
+        run: npm run build
+        working-directory: ./docs
+
+      - name: Upload Build Artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs/build
+
+  deploy:
+    name: Deploy to GitHub Pages
+    needs: build
+
+    permissions:
+      pages: write
+      id-token: write
+
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/e2e-tests.yml

@@ -2,8 +2,17 @@ name: E2E Tests
 on:
   push:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
   pull_request:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
   build:
     timeout-minutes: 20
@@ -15,7 +24,7 @@ jobs:
       - name: Build and export
         uses: docker/build-push-action@v6
         with:
-          tags: stonith404/pocket-id:test
+          tags: pocket-id/pocket-id:test
           outputs: type=docker,dest=/tmp/docker-image.tar
 
       - name: Upload Docker image artifact
@@ -56,7 +65,7 @@ jobs:
           docker run -d --name pocket-id-sqlite \
           -p 80:80 \
           -e APP_ENV=test \
-          stonith404/pocket-id:test
+          pocket-id/pocket-id:test
 
       - name: Run Playwright tests
         working-directory: ./frontend

.version

@@ -1 +1 @@
-0.27.1
+0.29.0

CHANGELOG.md

@@ -1,3 +1,41 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.28.1...v) (2025-02-05)
+
+
+### Features
+
+* add JSON support in custom claims ([15cde6a](https://github.com/pocket-id/pocket-id/commit/15cde6ac66bc857ac28df545a37c1f4341977595))
+* add option to disable Caddy in the Docker container ([e864d5d](https://github.com/pocket-id/pocket-id/commit/e864d5dcbff1ef28dc6bf120e4503093a308c5c8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.28.0...v) (2025-02-04)
+
+
+### Bug Fixes
+
+* don't return error page if version info fetching failed ([d06257e](https://github.com/stonith404/pocket-id/commit/d06257ec9b5e46e25e40c174b4bef02dca0a1ea3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)
+
+
+### Features
+
+* allow LDAP users and groups to be deleted if LDAP gets disabled ([9ab1787](https://github.com/stonith404/pocket-id/commit/9ab178712aa3cc71546a89226e67b7ba91245251))
+* map allowed groups to OIDC clients ([#202](https://github.com/stonith404/pocket-id/issues/202)) ([13b02a0](https://github.com/stonith404/pocket-id/commit/13b02a072f20ce10e12fd8b897cbf42a908f3291))
+
+
+### Bug Fixes
+
+* **caddy:** trusted_proxies for IPv6 enabled hosts ([#189](https://github.com/stonith404/pocket-id/issues/189)) ([37a835b](https://github.com/stonith404/pocket-id/commit/37a835b44e308622f6862de494738dd2bfb58ef0))
+* missing user service dependency ([61e71ad](https://github.com/stonith404/pocket-id/commit/61e71ad43b8f0f498133d3eb2381382e7bc642b9))
+* non LDAP user group can't be updated after update ([ecd74b7](https://github.com/stonith404/pocket-id/commit/ecd74b794f1ffb7da05bce0046fb8d096b039409))
+* use cursor pointer on clickable elements ([7798580](https://github.com/stonith404/pocket-id/commit/77985800ae9628104e03e7f2e803b7ed9eaaf4e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.1...v) (2025-01-27)
+
+
+### Bug Fixes
+
+* smtp hello for tls connections ([#180](https://github.com/stonith404/pocket-id/issues/180)) ([781ff7a](https://github.com/stonith404/pocket-id/commit/781ff7ae7b84b13892e7a565b7a78f20c52ee2c9))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
 
 

CONTRIBUTING.md

@@ -69,5 +69,5 @@ We are using [Playwright](https://playwright.dev) for end-to-end testing.
 
 The tests can be run like this:
 1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
+2. Start the frontend in production mode with `npm run build && node --env-file=.env build/index.js`
 3. Run the tests with `npm run test`

Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
+FROM node:22-alpine AS frontend-builder
 WORKDIR /app/frontend
 COPY ./frontend/package*.json ./
 RUN npm ci
@@ -20,7 +20,7 @@ WORKDIR /app/backend/cmd
 RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 
 # Stage 3: Production Image
-FROM node:20-alpine
+FROM node:22-alpine
 # Delete default node user
 RUN deluser --remove-home node
 

README.md

@@ -2,7 +2,7 @@
 
 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
 
-→ Try out the [Demo](https://pocket-id.eliasschneider.com)
+→ Try out the [Demo](https://demo.pocket-id.org)
 
 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>
 
@@ -14,7 +14,7 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht
 
 Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.
 
-Visit the [documentation](https://stonith404.github.io/pocket-id) for the setup guide and more information.
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.
 
 ## Contribute
 

backend/cmd/main.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )
 
 func main() {

backend/go.mod

@@ -1,58 +1,57 @@
-module github.com/stonith404/pocket-id/backend
+module github.com/pocket-id/pocket-id/backend
 
 go 1.23.1
 
 require (
-	github.com/caarlos0/env/v11 v11.2.2
+	github.com/caarlos0/env/v11 v11.3.1
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.12.1
-	github.com/go-playground/validator/v10 v10.22.1
+	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-playground/validator/v10 v10.24.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.18.1
+	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	github.com/mileusna/useragent v1.3.5
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
-	golang.org/x/crypto v0.31.0
-	golang.org/x/time v0.6.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	golang.org/x/crypto v0.32.0
+	golang.org/x/time v0.9.0
 	gorm.io/driver/postgres v1.5.11
-	gorm.io/driver/sqlite v1.5.6
+	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.12.3 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.23 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -62,12 +61,12 @@ require (
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.10.0 // indirect
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/arch v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

backend/go.sum

@@ -4,24 +4,24 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/bytedance/sonic v1.12.3 h1:W2MGa7RCU1QTeYRTPE3+88mVC0yXmsRQRChiyVocVjU=
-github.com/bytedance/sonic v1.12.3/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
+github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
-github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dhui/dktest v0.4.3 h1:wquqUxAFdcUgabAVLvSCOKOlag5cIZuaOjYIBOWdsR0=
-github.com/dhui/dktest v0.4.3/go.mod h1:zNK8IwktWzQRm6I/l2Wjp7MakiyaFWv4G1hjmodmMTs=
+github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
@@ -34,16 +34,16 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.12.1 h1:dCIIBFbzhWKdgXeEifBjHPzgQ1hoWhjS4289Hjjy1uw=
-github.com/go-co-op/gocron/v2 v2.12.1/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@@ -56,24 +56,24 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
-github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
+github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
-github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
-github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
+github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -85,20 +85,27 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
 github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
@@ -106,13 +113,13 @@ github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -124,8 +131,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.23 h1:gbShiuAP1W5j9UOksQ06aiiqPMxYecovVGwmTxWtuw0=
-github.com/mattn/go-sqlite3 v1.14.23/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -145,8 +152,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1 h1:UihPOz+oIJ5X0JsO7wEkL50fheCODsoZ9r86mJWfNMc=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1/go.mod h1:vPpFrres6g9B5+meBwAd9xnp335KFcLEFW7EqJxBHy0=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -162,14 +169,16 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
@@ -189,20 +198,19 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.10.0 h1:S3huipmSclq3PJMNe76NGwkBR504WFkQ5dhzWzP8ZW8=
-golang.org/x/arch v0.10.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
+golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -218,18 +226,15 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -243,10 +248,9 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -264,12 +268,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -277,8 +279,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -288,8 +290,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
 gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=

backend/internal/bootstrap/application_images_bootstrap.go

@@ -1,13 +1,14 @@
 package bootstrap
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )
 
 // initApplicationImages copies the images from the images directory to the application-images directory

backend/internal/bootstrap/bootstrap.go

@@ -2,7 +2,7 @@ package bootstrap
 
 import (
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func Bootstrap() {

backend/internal/bootstrap/db_bootstrap.go

@@ -3,20 +3,21 @@ package bootstrap
 import (
 	"errors"
 	"fmt"
+	"log"
+	"os"
+	"time"
+
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/resources"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/resources"
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"log"
-	"os"
-	"time"
 )
 
 func newDatabase() (db *gorm.DB) {

backend/internal/bootstrap/router_bootstrap.go

@@ -5,11 +5,11 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/controller"
-	"github.com/stonith404/pocket-id/backend/internal/job"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 )
@@ -38,11 +38,11 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService, auditLogService, emailService)
+	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	testService := service.NewTestService(db, appConfigService)
-	userGroupService := service.NewUserGroupService(db)
+	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
 
 	rateLimitMiddleware := middleware.NewRateLimitMiddleware()

backend/internal/common/errors.go

@@ -176,3 +176,11 @@ func (e *LdapUserGroupUpdateError) Error() string {
 	return "LDAP user groups can't be updated"
 }
 func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }

backend/internal/controller/app_config_controller.go

@@ -2,13 +2,14 @@ package controller
 
 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 func NewAppConfigController(

backend/internal/controller/audit_log_controller.go

@@ -1,13 +1,14 @@
 package controller
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
 
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {

backend/internal/controller/custom_claim_controller.go

@@ -1,11 +1,12 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func NewCustomClaimController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, customClaimService *service.CustomClaimService) {

backend/internal/controller/oidc_controller.go

@@ -1,20 +1,22 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
 	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}
 
 	group.POST("/oidc/authorize", jwtAuthMiddleware.Add(false), oc.authorizeHandler)
-	group.POST("/oidc/authorize/new-client", jwtAuthMiddleware.Add(false), oc.authorizeNewClientHandler)
+	group.POST("/oidc/authorization-required", jwtAuthMiddleware.Add(false), oc.authorizationConfirmationRequiredHandler)
+
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
 
@@ -24,6 +26,7 @@ func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt
 	group.PUT("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.updateClientHandler)
 	group.DELETE("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.deleteClientHandler)
 
+	group.PUT("/oidc/clients/:id/allowed-user-groups", jwtAuthMiddleware.Add(true), oc.updateAllowedUserGroupsHandler)
 	group.POST("/oidc/clients/:id/secret", jwtAuthMiddleware.Add(true), oc.createClientSecretHandler)
 
 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
@@ -57,25 +60,20 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 
-func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
-	var input dto.AuthorizeOidcClientRequestDto
+func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Context) {
+	var input dto.AuthorizationRequiredDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		c.Error(err)
 		return
 	}
 
-	code, callbackURL, err := oc.oidcService.AuthorizeNewClient(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(input.ClientID, c.GetString("userID"), input.Scope)
 	if err != nil {
 		c.Error(err)
 		return
 	}
 
-	response := dto.AuthorizeOidcClientResponseDto{
-		Code:        code,
-		CallbackURL: callbackURL,
-	}
-
-	c.JSON(http.StatusOK, response)
+	c.JSON(http.StatusOK, gin.H{"authorizationRequired": !hasAuthorizedClient})
 }
 
 func (oc *OidcController) createTokensHandler(c *gin.Context) {
@@ -134,7 +132,7 @@ func (oc *OidcController) getClientHandler(c *gin.Context) {
 
 	// Return a different DTO based on the user's role
 	if c.GetBool("userIsAdmin") {
-		clientDto := dto.OidcClientDto{}
+		clientDto := dto.OidcClientWithAllowedUserGroupsDto{}
 		err = dto.MapStruct(client, &clientDto)
 		if err == nil {
 			c.JSON(http.StatusOK, clientDto)
@@ -191,7 +189,7 @@ func (oc *OidcController) createClientHandler(c *gin.Context) {
 		return
 	}
 
-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
 		c.Error(err)
 		return
@@ -223,7 +221,7 @@ func (oc *OidcController) updateClientHandler(c *gin.Context) {
 		return
 	}
 
-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
 		c.Error(err)
 		return
@@ -278,3 +276,25 @@ func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
 
 	c.Status(http.StatusNoContent)
 }
+
+func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
+	var input dto.OidcUpdateAllowedUserGroupsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Param("id"), input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var oidcClientDto dto.OidcClientDto
+	if err := dto.MapStruct(oidcClient, &oidcClientDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, oidcClientDto)
+}

backend/internal/controller/test_controller.go

@@ -1,9 +1,10 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func NewTestController(group *gin.RouterGroup, testService *service.TestService) {

backend/internal/controller/user_controller.go

@@ -1,17 +1,18 @@
 package controller
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
 	"strconv"
 	"time"
 
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"golang.org/x/time/rate"
 )
 

backend/internal/controller/user_group_controller.go

@@ -1,12 +1,13 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {

backend/internal/controller/webauthn_controller.go

@@ -1,17 +1,18 @@
 package controller
 
 import (
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
 	"strconv"
 	"time"
 
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 )
 

backend/internal/controller/well_known_controller.go

@@ -1,10 +1,11 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {

backend/internal/dto/audit_log_dto.go

@@ -1,8 +1,8 @@
 package dto
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type AuditLogDto struct {

backend/internal/dto/dto_mapper.go

@@ -2,9 +2,10 @@ package dto
 
 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
 	"reflect"
 	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 // MapStructList maps a list of source structs to a list of destination structs

backend/internal/dto/oidc_dto.go

@@ -11,7 +11,14 @@ type OidcClientDto struct {
 	CallbackURLs []string `json:"callbackURLs"`
 	IsPublic     bool     `json:"isPublic"`
 	PkceEnabled  bool     `json:"pkceEnabled"`
-	CreatedBy    UserDto  `json:"createdBy"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	PublicOidcClientDto
+	CallbackURLs      []string                    `json:"callbackURLs"`
+	IsPublic          bool                        `json:"isPublic"`
+	PkceEnabled       bool                        `json:"pkceEnabled"`
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
 }
 
 type OidcClientCreateDto struct {
@@ -35,6 +42,11 @@ type AuthorizeOidcClientResponseDto struct {
 	CallbackURL string `json:"callbackURL"`
 }
 
+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
 type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
 	Code         string `form:"code" binding:"required"`
@@ -42,3 +54,7 @@ type OidcCreateTokensDto struct {
 	ClientSecret string `form:"client_secret"`
 	CodeVerifier string `form:"code_verifier"`
 }
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}

backend/internal/dto/user_group_dto.go

@@ -1,7 +1,7 @@
 package dto
 
 import (
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type UserGroupDtoWithUsers struct {
@@ -33,7 +33,3 @@ type UserGroupCreateDto struct {
 type UserGroupUpdateUsersDto struct {
 	UserIDs []string `json:"userIds" binding:"required"`
 }
-
-type AssignUserToGroupDto struct {
-	UserID string `json:"userId" binding:"required"`
-}

backend/internal/dto/webauthn_dto.go

@@ -2,7 +2,7 @@ package dto
 
 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type WebauthnCredentialDto struct {

backend/internal/job/db_cleanup.go

@@ -1,13 +1,14 @@
 package job
 
 import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"log"
 	"time"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )
 
 func RegisterDbCleanupJobs(db *gorm.DB) {

backend/internal/job/ldap_job.go

@@ -4,7 +4,7 @@ import (
 	"log"
 
 	"github.com/go-co-op/gocron/v2"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 type LdapJobs struct {

backend/internal/middleware/cors.go

@@ -2,7 +2,7 @@ package middleware
 
 import (
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
 type CorsMiddleware struct{}

backend/internal/middleware/error_handler.go

@@ -3,13 +3,14 @@ package middleware
 import (
 	"errors"
 	"fmt"
+	"net/http"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"gorm.io/gorm"
-	"net/http"
-	"strings"
 )
 
 type ErrorHandlerMiddleware struct{}

backend/internal/middleware/file_size_limit.go

@@ -2,9 +2,10 @@ package middleware
 
 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
 type FileSizeLimitMiddleware struct{}

backend/internal/middleware/jwt_auth.go

@@ -1,11 +1,12 @@
 package middleware
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 )
 
 type JwtAuthMiddleware struct {

backend/internal/middleware/rate_limit.go

@@ -1,10 +1,11 @@
 package middleware
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"sync"
 	"time"
 
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
 )

backend/internal/model/base.go

@@ -1,10 +1,11 @@
 package model
 
 import (
-	"github.com/google/uuid"
-	model "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"time"
+
+	"github.com/google/uuid"
+	model "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )
 
 // Base contains common columns for all tables.

backend/internal/model/oidc.go

@@ -4,7 +4,8 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 )
 
@@ -44,8 +45,9 @@ type OidcClient struct {
 	IsPublic     bool
 	PkceEnabled  bool
 
-	CreatedByID string
-	CreatedBy   User
+	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	CreatedByID       string
+	CreatedBy         User
 }
 
 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {

backend/internal/model/types/date_time.go

@@ -2,8 +2,9 @@ package datatype
 
 import (
 	"database/sql/driver"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
 // DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres

backend/internal/model/user.go

@@ -3,7 +3,7 @@ package model
 import (
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type User struct {

backend/internal/model/webauthn.go

@@ -4,9 +4,10 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type WebauthnSession struct {

backend/internal/service/app_config_service.go

@@ -7,10 +7,10 @@ import (
 	"os"
 	"reflect"
 
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 
@@ -119,6 +119,7 @@ var defaultDbConfig = model.AppConfig{
 	LdapEnabled: model.AppConfigVariable{
 		Key:          "ldapEnabled",
 		Type:         "bool",
+		IsPublic:     true,
 		DefaultValue: "false",
 	},
 	LdapUrl: model.AppConfigVariable{

backend/internal/service/audit_log_service.go

@@ -1,12 +1,13 @@
 package service
 
 import (
-	userAgentParser "github.com/mileusna/useragent"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	"log"
+
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )
 
 type AuditLogService struct {

backend/internal/service/custom_claim_service.go

@@ -1,9 +1,9 @@
 package service
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )
 

backend/internal/service/email_service.go

@@ -4,10 +4,6 @@ import (
 	"bytes"
 	"crypto/tls"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	htemplate "html/template"
 	"mime/multipart"
 	"mime/quotedprintable"
@@ -17,6 +13,11 @@ import (
 	"os"
 	ttemplate "text/template"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )
 
 var netDialer = &net.Dialer{
@@ -89,16 +90,31 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	)
 	c.Body(body)
 
-	// Set up the TLS configuration
+	// Connect to the SMTP server
+	client, err := srv.getSmtpClient()
+	if err != nil {
+		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	defer client.Close()
+
+	// Send the email
+	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+		return fmt.Errorf("send email content: %w", err)
+	}
+
+	return nil
+}
+
+func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
+	port := srv.appConfigService.DbConfig.SmtpPort.Value
+	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
+
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.Value == "true",
 		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
 	}
 
 	// Connect to the SMTP server
-	port := srv.appConfigService.DbConfig.SmtpPort.Value
-	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
-	var client *smtp.Client
 	if srv.appConfigService.DbConfig.SmtpTls.Value == "false" {
 		client, err = srv.connectToSmtpServer(smtpAddress)
 	} else if port == "465" {
@@ -112,24 +128,14 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 			tlsConfig,
 		)
 	}
-
 	if err != nil {
-		return fmt.Errorf("failed to connect to SMTP server: %w", err)
-	}
-	defer client.Close()
-
-	// Set the hello message manually as for example Google rejects the default "localhost" value
-	hostname, err := os.Hostname()
-	if err == nil {
-		if err := client.Hello(hostname); err != nil {
-			return fmt.Errorf("failed to say hello to SMTP server: %w", err)
-		}
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}
 
+	// Set up the authentication if user or password are set
 	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
 	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value
 
-	// Set up the authentication if user or password are set
 	if smtpUser != "" || smtpPassword != "" {
 		auth := smtp.PlainAuth("",
 			srv.appConfigService.DbConfig.SmtpUser.Value,
@@ -137,16 +143,11 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 			srv.appConfigService.DbConfig.SmtpHost.Value,
 		)
 		if err := client.Auth(auth); err != nil {
-			return fmt.Errorf("failed to authenticate SMTP client: %w", err)
+			return nil, fmt.Errorf("failed to authenticate SMTP client: %w", err)
 		}
 	}
 
-	// Send the email
-	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
-		return fmt.Errorf("send email content: %w", err)
-	}
-
-	return nil
+	return client, err
 }
 
 func (srv *EmailService) connectToSmtpServer(serverAddr string) (*smtp.Client, error) {
@@ -155,6 +156,15 @@ func (srv *EmailService) connectToSmtpServer(serverAddr string) (*smtp.Client, e
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}
 	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
 	return client, err
 }
 
@@ -174,6 +184,10 @@ func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string,
 		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
 	}
 
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
 	return client, nil
 }
 
@@ -189,12 +203,26 @@ func (srv *EmailService) connectToSmtpServerUsingStartTLS(serverAddr string, tls
 		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
 	}
 
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
 	if err := client.StartTLS(tlsConfig); err != nil {
 		return nil, fmt.Errorf("failed to start TLS: %w", err)
 	}
 	return client, nil
 }
 
+func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
 	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value); err != nil {
 		return fmt.Errorf("failed to set sender: %w", err)

backend/internal/service/email_service_templates.go

@@ -2,8 +2,9 @@ package service
 
 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 )
 
 /**

backend/internal/service/geolite_service.go

@@ -17,7 +17,7 @@ import (
 
 	"github.com/oschwald/maxminddb-golang/v2"
 
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
 type GeoLiteService struct {

backend/internal/service/jwt_service.go

@@ -9,9 +9,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
 	"log"
 	"math/big"
 	"os"
@@ -19,6 +16,10 @@ import (
 	"slices"
 	"strconv"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 )
 
 const (

backend/internal/service/ldap_service.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 
 	"github.com/go-ldap/ldap/v3"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )
 

backend/internal/service/oidc_service.go

@@ -3,20 +3,22 @@ package service
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"golang.org/x/crypto/bcrypt"
-	"gorm.io/gorm"
 	"mime/multipart"
 	"os"
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
 )
 
 type OidcService struct {
@@ -38,71 +40,111 @@ func NewOidcService(db *gorm.DB, jwtService *JwtService, appConfigService *AppCo
 }
 
 func (s *OidcService) Authorize(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
-	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
-	s.db.Preload("Client").First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", input.ClientID, userID)
-
-	if userAuthorizedOIDCClient.Client.IsPublic && input.CodeChallenge == "" {
-		return "", "", &common.OidcMissingCodeChallengeError{}
-	}
-
-	if userAuthorizedOIDCClient.Scope != input.Scope {
-		return "", "", &common.OidcMissingAuthorizationError{}
-	}
-
-	callbackURL, err := s.getCallbackURL(userAuthorizedOIDCClient.Client, input.CallbackURL)
-	if err != nil {
-		return "", "", err
-	}
-
-	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
-	if err != nil {
-		return "", "", err
-	}
-
-	s.auditLogService.Create(model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": userAuthorizedOIDCClient.Client.Name})
-
-	return code, callbackURL, nil
-}
-
-func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
 	var client model.OidcClient
-	if err := s.db.First(&client, "id = ?", input.ClientID).Error; err != nil {
+	if err := s.db.Preload("AllowedUserGroups").First(&client, "id = ?", input.ClientID).Error; err != nil {
 		return "", "", err
 	}
 
+	// If the client is not public, the code challenge must be provided
 	if client.IsPublic && input.CodeChallenge == "" {
 		return "", "", &common.OidcMissingCodeChallengeError{}
 	}
 
+	// Get the callback URL of the client. Return an error if the provided callback URL is not allowed
 	callbackURL, err := s.getCallbackURL(client, input.CallbackURL)
 	if err != nil {
 		return "", "", err
 	}
 
-	userAuthorizedClient := model.UserAuthorizedOidcClient{
-		UserID:   userID,
-		ClientID: input.ClientID,
-		Scope:    input.Scope,
+	// Check if the user group is allowed to authorize the client
+	var user model.User
+	if err := s.db.Preload("UserGroups").First(&user, "id = ?", userID).Error; err != nil {
+		return "", "", err
 	}
 
-	if err := s.db.Create(&userAuthorizedClient).Error; err != nil {
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			err = s.db.Model(&userAuthorizedClient).Update("scope", input.Scope).Error
-		} else {
-			return "", "", err
+	if !s.IsUserGroupAllowedToAuthorize(user, client) {
+		return "", "", &common.OidcAccessDeniedError{}
+	}
+
+	// Check if the user has already authorized the client with the given scope
+	hasAuthorizedClient, err := s.HasAuthorizedClient(input.ClientID, userID, input.Scope)
+	if err != nil {
+		return "", "", err
+	}
+
+	// If the user has not authorized the client, create a new authorization in the database
+	if !hasAuthorizedClient {
+		userAuthorizedClient := model.UserAuthorizedOidcClient{
+			UserID:   userID,
+			ClientID: input.ClientID,
+			Scope:    input.Scope,
+		}
+
+		if err := s.db.Create(&userAuthorizedClient).Error; err != nil {
+			if errors.Is(err, gorm.ErrDuplicatedKey) {
+				// The client has already been authorized but with a different scope so we need to update the scope
+				if err := s.db.Model(&userAuthorizedClient).Update("scope", input.Scope).Error; err != nil {
+					return "", "", err
+				}
+			} else {
+				return "", "", err
+			}
 		}
 	}
 
+	// Create the authorization code
 	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
 	if err != nil {
 		return "", "", err
 	}
 
-	s.auditLogService.Create(model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+	// Log the authorization event
+	if hasAuthorizedClient {
+		s.auditLogService.Create(model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+	} else {
+		s.auditLogService.Create(model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+
+	}
 
 	return code, callbackURL, nil
 }
 
+// HasAuthorizedClient checks if the user has already authorized the client with the given scope
+func (s *OidcService) HasAuthorizedClient(clientID, userID, scope string) (bool, error) {
+	var userAuthorizedOidcClient model.UserAuthorizedOidcClient
+	if err := s.db.First(&userAuthorizedOidcClient, "client_id = ? AND user_id = ?", clientID, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return false, nil
+		}
+		return false, err
+	}
+
+	if userAuthorizedOidcClient.Scope != scope {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// IsUserGroupAllowedToAuthorize checks if the user group of the user is allowed to authorize the client
+func (s *OidcService) IsUserGroupAllowedToAuthorize(user model.User, client model.OidcClient) bool {
+	if len(client.AllowedUserGroups) == 0 {
+		return true
+	}
+
+	isAllowedToAuthorize := false
+	for _, userGroup := range client.AllowedUserGroups {
+		for _, userGroupUser := range user.UserGroups {
+			if userGroup.ID == userGroupUser.ID {
+				isAllowedToAuthorize = true
+				break
+			}
+		}
+	}
+
+	return isAllowedToAuthorize
+}
+
 func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret, codeVerifier string) (string, string, error) {
 	if grantType != "authorization_code" {
 		return "", "", &common.OidcGrantTypeNotSupportedError{}
@@ -161,7 +203,7 @@ func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret, code
 
 func (s *OidcService) GetClient(clientID string) (model.OidcClient, error) {
 	var client model.OidcClient
-	if err := s.db.Preload("CreatedBy").First(&client, "id = ?", clientID).Error; err != nil {
+	if err := s.db.Preload("CreatedBy").Preload("AllowedUserGroups").First(&client, "id = ?", clientID).Error; err != nil {
 		return model.OidcClient{}, err
 	}
 	return client, nil
@@ -372,7 +414,16 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 		}
 
 		for _, customClaim := range customClaims {
-			claims[customClaim.Key] = customClaim.Value
+			// The value of the custom claim can be a JSON object or a string
+			var jsonValue interface{}
+			json.Unmarshal([]byte(customClaim.Value), &jsonValue)
+			if jsonValue != nil {
+				// It's JSON so we store it as an object
+				claims[customClaim.Key] = jsonValue
+			} else {
+				// Marshalling failed, so we store it as a string
+				claims[customClaim.Key] = customClaim.Value
+			}
 		}
 	}
 	if strings.Contains(scope, "email") {
@@ -382,6 +433,33 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 	return claims, nil
 }
 
+func (s *OidcService) UpdateAllowedUserGroups(id string, input dto.OidcUpdateAllowedUserGroupsDto) (client model.OidcClient, err error) {
+	client, err = s.GetClient(id)
+	if err != nil {
+		return model.OidcClient{}, err
+	}
+
+	// Fetch the user groups based on UserGroupIDs in input
+	var groups []model.UserGroup
+	if len(input.UserGroupIDs) > 0 {
+		if err := s.db.Where("id IN (?)", input.UserGroupIDs).Find(&groups).Error; err != nil {
+			return model.OidcClient{}, err
+		}
+	}
+
+	// Replace the current user groups with the new set of user groups
+	if err := s.db.Model(&client).Association("AllowedUserGroups").Replace(groups); err != nil {
+		return model.OidcClient{}, err
+	}
+
+	// Save the updated client
+	if err := s.db.Save(&client).Error; err != nil {
+		return model.OidcClient{}, err
+	}
+
+	return client, nil
+}
+
 func (s *OidcService) createAuthorizationCode(clientID string, userID string, scope string, nonce string, codeChallenge string, codeChallengeMethod string) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {

backend/internal/service/test_service.go

@@ -5,18 +5,19 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"github.com/fxamacker/cbor/v2"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path/filepath"
 	"time"
 
+	"github.com/fxamacker/cbor/v2"
+	"github.com/pocket-id/pocket-id/backend/resources"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
 	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 
@@ -124,7 +125,10 @@ func (s *TestService) SeedDatabase() error {
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs: model.CallbackURLs{"http://immich/auth/callback"},
-				CreatedByID:  users[0].ID,
+				CreatedByID:  users[1].ID,
+				AllowedUserGroups: []model.UserGroup{
+					userGroups[1],
+				},
 			},
 		}
 		for _, client := range oidcClients {
@@ -163,27 +167,31 @@ func (s *TestService) SeedDatabase() error {
 			return err
 		}
 
-		publicKey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
-		publicKey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESq/wR8QbBu3dKnpaw/v0mDxFFDwnJ/L5XHSg2tAmq5x1BpSMmIr3+DxCbybVvGRmWGh8kKhy7SMnK91M6rFHTA==")
+		// To generate a new key pair, run the following command:
+		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
+		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
+
+		publicKeyPasskey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
+		publicKeyPasskey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
 		if err != nil {
 			return err
 		}
 		webauthnCredentials := []model.WebauthnCredential{
 			{
 				Name:            "Passkey 1",
-				CredentialID:    []byte("test-credential-1"),
-				PublicKey:       publicKey1,
+				CredentialID:    []byte("test-credential-tim"),
+				PublicKey:       publicKeyPasskey1,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
 				UserID:          users[0].ID,
 			},
 			{
 				Name:            "Passkey 2",
-				CredentialID:    []byte("test-credential-2"),
-				PublicKey:       publicKey2,
+				CredentialID:    []byte("test-credential-craig"),
+				PublicKey:       publicKeyPasskey2,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
-				UserID:          users[0].ID,
+				UserID:          users[1].ID,
 			},
 		}
 		for _, credential := range webauthnCredentials {

backend/internal/service/user_group_service.go

@@ -2,19 +2,21 @@ package service
 
 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 
 type UserGroupService struct {
-	db *gorm.DB
+	db               *gorm.DB
+	appConfigService *AppConfigService
 }
 
-func NewUserGroupService(db *gorm.DB) *UserGroupService {
-	return &UserGroupService{db: db}
+func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService) *UserGroupService {
+	return &UserGroupService{db: db, appConfigService: appConfigService}
 }
 
 func (s *UserGroupService) List(name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
@@ -51,7 +53,8 @@ func (s *UserGroupService) Delete(id string) error {
 		return err
 	}
 
-	if group.LdapID != nil {
+	// Disallow deleting the group if it is an LDAP group and LDAP is enabled
+	if group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return &common.LdapUserGroupUpdateError{}
 	}
 
@@ -83,13 +86,13 @@ func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto, allow
 		return model.UserGroup{}, err
 	}
 
-	if group.LdapID != nil && !allowLdapUpdate {
+	// Disallow updating the group if it is an LDAP group and LDAP is enabled
+	if !allowLdapUpdate && group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return model.UserGroup{}, &common.LdapUserGroupUpdateError{}
 	}
 
 	group.Name = input.Name
 	group.FriendlyName = input.FriendlyName
-	group.LdapID = &input.LdapID
 
 	if err := s.db.Preload("Users").Save(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {

backend/internal/service/user_service.go

@@ -3,28 +3,30 @@ package service
 import (
 	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	"log"
 	"net/url"
 	"strings"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )
 
 type UserService struct {
-	db              *gorm.DB
-	jwtService      *JwtService
-	auditLogService *AuditLogService
-	emailService    *EmailService
+	db               *gorm.DB
+	jwtService       *JwtService
+	auditLogService  *AuditLogService
+	emailService     *EmailService
+	appConfigService *AppConfigService
 }
 
-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService) *UserService {
-	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService}
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService) *UserService {
+	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService, appConfigService: appConfigService}
 }
 
 func (s *UserService) ListUsers(searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
@@ -52,7 +54,8 @@ func (s *UserService) DeleteUser(userID string) error {
 		return err
 	}
 
-	if user.LdapID != nil {
+	// Disallow deleting the user if it is an LDAP user and LDAP is enabled
+	if user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return &common.LdapUserUpdateError{}
 	}
 
@@ -86,7 +89,8 @@ func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, u
 		return model.User{}, err
 	}
 
-	if user.LdapID != nil && !allowLdapUpdate {
+	// Disallow updating the user if it is an LDAP group and LDAP is enabled
+	if !allowLdapUpdate && user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return model.User{}, &common.LdapUserUpdateError{}
 	}
 

backend/internal/service/webauthn_service.go

@@ -1,15 +1,16 @@
 package service
 
 import (
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"gorm.io/gorm"
 	"net/http"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
 )
 
 type WebAuthnService struct {

backend/internal/utils/cookie/cookie_names.go

@@ -1,8 +1,9 @@
 package cookie
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
 var AccessTokenCookieName = "__Host-access_token"

backend/internal/utils/email/email_service_templates.go

@@ -2,11 +2,12 @@ package email
 
 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/resources"
 	htemplate "html/template"
 	"io/fs"
 	"path"
 	ttemplate "text/template"
+
+	"github.com/pocket-id/pocket-id/backend/resources"
 )
 
 type Template[V any] struct {

backend/internal/utils/file_util.go

@@ -1,12 +1,13 @@
 package utils
 
 import (
-	"github.com/stonith404/pocket-id/backend/resources"
 	"io"
 	"mime/multipart"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/resources"
 )
 
 func GetFileExtension(filename string) string {

backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.down.sql

@@ -0,0 +1 @@
+DROP TABLE oidc_clients_allowed_user_groups;

backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.up.sql

@@ -0,0 +1,8 @@
+CREATE TABLE oidc_clients_allowed_user_groups
+(
+    user_group_id  UUID NOT NULL REFERENCES user_groups ON DELETE CASCADE,
+    oidc_client_id UUID NOT NULL REFERENCES oidc_clients ON DELETE CASCADE,
+    PRIMARY KEY (oidc_client_id, user_group_id)
+);
+
+

backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.down.sql

@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;

backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.up.sql

@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql

@@ -0,0 +1 @@
+DROP TABLE oidc_clients_allowed_user_groups;

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql

@@ -0,0 +1,8 @@
+CREATE TABLE oidc_clients_allowed_user_groups
+(
+    user_group_id  TEXT NOT NULL,
+    oidc_client_id TEXT NOT NULL,
+    PRIMARY KEY (oidc_client_id, user_group_id),
+    FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE,
+    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
+);

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql

@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql

@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   pocket-id:
-    image: stonith404/pocket-id  # or ghcr.io/stonith404/pocket-id
+    image: ghcr.io/pocket-id/pocket-id
     restart: unless-stopped
     env_file: .env
     ports:

docs/docs/client-examples/freshrss.md

@@ -0,0 +1,63 @@
+---
+id: freshrss
+---
+
+# FreshRSS
+
+The following example variables are used, and should be replaced with your actual URLs.
+
+- `freshrss.example.com` (The URL of your Proxmox instance.)
+- `id.example.com` (The URL of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket ID create a new OIDC Client, name it, for example, `FreshRSS`.
+2. Set a logo for this OIDC Client if you would like to.
+3. Set the callback URL to: `https://freshrss.example.com`.
+4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for use in the next steps.
+
+## FreshRSS Setup
+
+See [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md) for general OIDC settings.
+
+This is an example docker-compose file for FreshRSS with OIDC enabled.
+
+```yaml
+services:
+  freshrss:
+    image: freshrss/freshrss:1.25.0
+    container_name: freshrss
+    ports:
+      - 8080:80
+    volumes:
+      - /freshrss_data:/var/www/FreshRSS/data
+      - /freshrss_extensions:/var/www/FreshRSS/extensions
+    environment:
+      CRON_MIN: 1,31
+      TZ: Etc/UTC
+      OIDC_ENABLED: 1
+      OIDC_CLIENT_ID: <POCKET_ID_CLIENT_ID>
+      OIDC_CLIENT_SECRET: <POCKET_ID_SECRET>
+      OIDC_PROVIDER_METADATA_URL: https://id.example.com/.well-known/openid-configuration
+      OIDC_SCOPES: openid email profile
+      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Proto X-Forwarded-Host
+      OIDC_REMOTE_USER_CLAIM: preferred_username
+    restart: unless-stopped
+    networks:
+      - freshrss
+networks:
+  freshrss:
+    name: freshrss
+```
+
+:::important
+The Username used in Pocket ID must match the Username used in FreshRSS **exactly**. This also applies to case sensitivity. As of version `0.24` of Pocket ID all Usernames are required to be entirely lowercase. FreshRSS allows for uppercase. If a Pocket ID Username is `amanda` and your FreshRSS Username is `Amanda`, you will get a 403 error in FreshRSS and be unable to login. As of version `1.25` of FreshRSS, you are unable to change your username in the GUI. To change your FreshRSS username to lowercase or to match your Pocket ID username, you must nagivate to your FreshRSS volume location. Go to `data/users/` and change the folder for your user to the matching username in Pocket ID, then restart the FreshRSS container to apply the changes.
+:::
+
+## Complete OIDC Setup
+
+If you are setting up a new instance of FreshRSS, simply start the container with the OIDC variables and navigate to your FreshRSS URL.
+
+If you are adding OIDC to an existing FreshRSS instance, recreate the container with the docker-compose file with the OIDC variables in it and navigate to your FreshRSS URL. Go to `Settings > Authentication` and change the Authentication method to **HTTP** and hit Submit. Logout to test your OIDC connection.
+
+If you have an error with Pocket ID or are unable to login to your FreshRSS account, you can revert to password login by editing your `config.php` file for FreshRSS. Find the value for `auth_type` and change from `http_auth` to `form`. Restart the FreshRSS container to revert to password login.

docs/docs/client-examples/gitea.md

@@ -0,0 +1,30 @@
+---
+id: gitea
+---
+
+# Gitea
+
+## Pocket ID Setup
+
+1. In Pocket ID, create a new OIDC client named `Gitea` (or any name you prefer).  
+2. (Optional) Set a logo for the OIDC client.  
+3. Set the callback URL to: `https://<Gitea Host>/user/oauth2/PocketID/callback`  
+4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for the next steps.  
+
+## Gitea Setup
+
+1. Log in to Gitea as an admin.  
+2. Go to **Site Administration → Identity & Access → Authentication Sources**.  
+3. Click **Add Authentication Source**.  
+4. Set **Authentication Type** to `OAuth2`.  
+5. Set **Authentication Name** to `PocketID`.  
+   :::important  
+   If you change this name, update the callback URL in Pocket ID to match.  
+   :::  
+6. Set **OAuth2 Provider** to `OpenID Connect`.  
+7. Enter the `Client ID` into the **Client ID (Key)** field.  
+8. Enter the `Client Secret` into the **Client Secret** field.  
+9. Enter the `OIDC Discovery URL` into the **OpenID Connect Auto Discovery URL** field.  
+10. Enable **Skip local 2FA**.  
+11. Set **Additional Scopes** to `openid email profile`.  
+12. Save the settings and test the OAuth login.  

docs/docs/client-examples/headscale.md

@@ -0,0 +1,34 @@
+---
+id: headscale
+---
+# Headscale
+
+## Create OIDC Client in Pocket ID
+1. Create a new OIDC Client in Pocket ID (e.g., `Headscale`).
+2. Set the callback URL:  `https://<HEADSCALE-DOMAIN>/oidc/callback`
+3. Enable `PKCE`.
+4. Copy the **Client ID** and **Client Secret**.
+
+## Configure Headscale
+> Refer to the example [`config.yaml`](https://github.com/juanfont/headscale/blob/main/config-example.yaml) for full OIDC configuration options.
+
+Add the following to `config.yaml`:
+
+```yaml
+oidc:
+  issuer: "https://<POCKET-ID-DOMAIN>"
+  client_id: "<CLIENT-ID>"
+  client_secret: "<CLIENT-SECRET>"
+  pkce:
+    enabled: true
+    method: S256
+```
+
+### (Optional) Restrict Access to Certain Groups
+To allow only specific groups, add:
+
+```yaml
+  scope: ["openid", "profile", "email", "groups"]
+  allowed_groups:
+    - <POCKET-ID-GROUP-NAME> #example: headscale 
+```

docs/docs/client-examples/immich.md

@@ -0,0 +1,26 @@
+---
+id: immich
+---
+# Immich
+
+## Create OIDC Client in Pocket ID
+1. Create a new OIDC Client in Pocket ID (e.g., `immich`).
+2. Set the callback URLs:  
+    ```
+    https://<IMMICH-DOMAIN>/auth/login
+    https://<IMMICH-DOMAIN>/user-settings
+    app.immich:///oauth-callback
+    ```
+4. Copy the **Client ID**, **Client Secret**, and **OIDC Discovery URL**.
+
+## Configure Immich
+1. Open Immich and navigate to:
+   **`Administration > Settings > Authentication Settings > OAuth`**
+2. Enable **Login with OAuth**.
+3. Fill in the required fields:
+   - **Issuer URL**: Paste the `Authorization URL` from Pocket ID.
+   - **Client ID**: Paste the `Client ID` from Pocket ID.
+   - **Client Secret**: Paste the `Client Secret` from Pocket ID.
+4. *(Optional)* Change `Button Text` to `Login with Pocket ID`.
+5. Save the settings.
+6. Test the OAuth login to ensure it works.

docs/docs/client-examples/memos.md

@@ -0,0 +1,28 @@
+---
+id: memos
+---
+
+# Memos
+
+## Pocket ID Setup
+
+1. In Pocket ID, create a new OIDC client named `Memos` (or any name you prefer).  
+2. (Optional) Set a logo for the OIDC client.  
+3. Set the callback URL to: `https://< Memos Host >/auth/callback`  
+4. Copy the `Client ID`, `Client Secret`, `Authorization endpoint`, `Token endpoint`, and `User endpoint` for the next steps.  
+
+## Gitea Setup
+
+1. Log in to Memos as an admin.
+2. Go to **Settings → SSO → Create**.  
+3. Set **Template** to `Custom`.   
+4. Enter the `Client ID` into the **Client ID** field.  
+5. Enter the `Client Secret` into the **Client secret** field.  
+6. Enter the `Authorization URL` into the **Authorization endpoint** field.
+7. Enter the `Token URL` into the **Token endpoint** field.
+8. Enter the `Userinfo URL` into the **User endpoint** field.
+11. Set **Scopes** to `openid email profile`.
+12. Set **Identifier** to `preferred_username`
+13. Set **Display Name** to `profile`.
+14. Set **Email** to `email`.
+15. Save the settings and test the OAuth login.  

docs/docs/client-examples/proxmox.md

@@ -4,27 +4,27 @@ id: proxmox
 
 # Proxmox
 
-The following example variables are used, and should be replaced with your actual URLS.
+The following example variables are used, and should be replaced with your actual URLs.
 
-- proxmox.example.com (The url of your proxmox instance.)
-- id.example.com (The url of your Pocket ID instance.)
+- `proxmox.example.com` (The URL of your Proxmox instance.)
+- `id.example.com` (The URL of your Pocket ID instance.)
 
 ## Pocket ID Setup
 
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Proxmox`.
-2. Set a logo for this OIDC Client if you would like too.
+1. In Pocket ID create a new OIDC Client, name it, for example, `Proxmox`.
+2. Set a logo for this OIDC Client if you would like to.
 3. Set the callback URL to: `https://proxmox.example.com`.
 4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
 
 ## Proxmox Setup
 
-1. Open the Proxmox Console and navigate to: `Datacenter - Realms`
-2. Add a new `Open ID Connect Server` Realm
-3. Enter `https://id.example.com` for the `Issuer URL`
-4. Enter a name for the realm of your choice ie. `PocketID`
+1. Open the Proxmox console and navigate to: `Datacenter` -> `Permissions` -> `Realms`.
+2. Add a new `OpenID Connect Server` Realm.
+3. Enter `https://id.example.com` for the `Issuer URL`.
+4. Enter a name for the realm of your choice, for example, `PocketID`.
 5. Paste the `Client ID` from Pocket ID into the `Client ID` field in Proxmox.
 6. Paste the `Client Secret` from Pocket ID into the `Client Key` field in Proxmox.
-7. You can check the `Default` box if you want this to be the deafult realm proxmox uses when signing in.
-8. Check the `Autocreate Users` checkbox. (This will automaitcally create users in Proxmox if they dont exsist.)
-9. Select `username` for the `Username Claim` dropdown (This is personal preference and controls how the username is shown, ie: `username = username@PocketID` or `email = username@example@PocketID`).
+7. You can check the `Default` box if you want this to be the default realm Proxmox uses when signing in.
+8. Check the `Autocreate Users` checkbox. (This will automatically create users in Proxmox if they don't exist).
+9. Select `username` for the `Username Claim` dropdown. (This is a personal preference and controls how the username is shown, for example: `username = username@PocketID` or `email = username@example@PocketID`).
 10. Leave the rest as defaults and click `OK` to save the new realm.

docs/docs/configuration/allowed-groups.md

@@ -0,0 +1,15 @@
+---
+id: allowed-groups
+---
+
+# OIDC Client Allowed Groups
+
+Pocket ID allows you to restrict access to OIDC Clients to specific user groups. This can be useful when you want to restrict access to certain applications to specific users.
+
+By default, all users are allowed to access all OIDC Clients. To restrict access to specific user groups, follow the steps below:
+
+1. Navigate to the `OIDC Clients` section in the Pocket ID admin dashboard.
+2. Click the edit (pencil) icon on the OIDC client you wish to restrict.
+3. Expand the `Allowed User Groups` section.
+4. Select the Group(s) you want to allow access to this OIDC Client and save your changes.
+5. Now only users in the selected group(s) will be allowed to access that specific client.

docs/docs/configuration/environment-variables.md

@@ -4,7 +4,7 @@ id: environment-variables
 
 # Environment Variables
 
-Below are all the environment variables supported by Pocket ID. These should be configured in your `.env ` file. 
+Below are all the environment variables supported by Pocket ID. These should be configured in your `.env ` file.
 
 Be cautious when modifying environment variables that are not recommended to change.
 
@@ -21,5 +21,6 @@ Be cautious when modifying environment variables that are not recommended to cha
 | `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
 | `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
 | `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
+| `CADDY_DISABLED`             | `false`                   | no                    | Whether Caddy should be disabled inside the Docker container. If disabled, you must configure your reverse proxy to correctly map all paths. Refer to the [official Caddyfile](https://github.com/pocket-id/pocket-id/blob/main/reverse-proxy/Caddyfile) for guidance.                                                                                                    |
 | `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
-| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                            |
+| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen                                                                                                                                                                                                                                                                                                                               |

docs/docs/configuration/ldap.md

@@ -13,7 +13,7 @@ Pocket ID can sync users and groups from an LDAP Source (lldap, OpenLDAP, Active
 
 ### Generic LDAP Setup
 
-1. Follow the installation guide [here](/pocket-id/setup/installation).
+1. Follow the installation guide [here](/setup/installation).
 2. Once you have signed in with the initial admin account, navigate to the Application Configuration section at `https://pocket.id/settings/admin/application-configuration`.
 3. Client Configuration Setup
 

docs/docs/guides/proxy-services.md

@@ -23,7 +23,7 @@ With [caddy-security](https://github.com/greenpau/caddy-security) you can easily
 
 #### 1. Create a new OIDC client in Pocket ID.
 
-Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/auth/oauth2/generic/authorization-code-callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
+Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/caddy-security/oauth2/generic/authorization-code-callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
 
 #### 2. Install caddy-security
 
@@ -66,7 +66,7 @@ caddy add-package github.com/greenpau/caddy-security
 		}
 
 		authorization policy mypolicy {
-			set auth url /auth/oauth2/generic
+			set auth url /caddy-security/oauth2/generic
 			allow roles user
 			inject headers with claims
 		}
@@ -75,8 +75,7 @@ caddy add-package github.com/greenpau/caddy-security
 
 https://<domain-of-your-service> {
 	@auth {
-		path /auth/oauth2/generic
-		path /auth/oauth2/generic/authorization-code-callback
+		path /caddy-security/*
     }
 
 	route @auth {

docs/docs/introduction.md

@@ -10,15 +10,15 @@ The goal of Pocket ID is to be a simple and easy-to-use. There are other self-ho
 
 Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.
 
-**_Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue_** [here](https://github.com/stonith404/pocket-id/issues/new?template=bug.yml).
+**_Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue_** [here](https://github.com/pocket-id/pocket-id/issues/new?template=bug.yml).
 
 ## Get to know Pocket ID
 
-→ [Try the Demo of Pocket ID](https://pocket-id.eliasschneider.com/)<br/>
+→ [Try the Demo of Pocket ID](https://demo.pocket-id.org)
 
 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="700"/>
 
 ## Useful Links
-- [Installation](/pocket-id/setup/installation)
-- [Proxy Services](/pocket-id/guides/proxy-services)
-- [Client Examples](/pocket-id/client-examples)
+- [Installation](/setup/installation)
+- [Proxy Services](/guides/proxy-services)
+- [Client Examples](/client-examples)

docs/docs/setup/installation.md

@@ -13,25 +13,37 @@ Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/W
 1. Download the `docker-compose.yml` and `.env` file:
 
    ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
+    curl -O https://raw.githubusercontent.com/pocket-id/pocket-id/main/docker-compose.yml
 
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
+    curl -o .env https://raw.githubusercontent.com/pocket-id/pocket-id/main/.env.example
    ```
 
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](/pocket-id/configuration/environment-variables) section for more information.
+2. Edit the `.env` file so that it fits your needs. See the [environment variables](/configuration/environment-variables) section for more information.
 3. Run `docker compose up -d`
 
 You can now sign in with the admin account on `http://localhost/login/setup`.
 
+### Proxmox
+
+Run the [helper script](https://community-scripts.github.io/ProxmoxVE/scripts?id=pocketid) as root in your Proxmox shell. 
+
+**Configuration Paths**
+- /opt/pocket-id/backend/.env
+- /opt/pocket-id/frontend/.env
+
+```bash
+bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)"
+```
+
 ### Unraid
 
 Pocket ID is available as a template on the Community Apps store.
 
-### Stand-alone Installation
+### Stand-alone Installation (advanced)
 
 Required tools:
 
-- [Node.js](https://nodejs.org/en/download/) >= 20
+- [Node.js](https://nodejs.org/en/download/) >= 22
 - [Go](https://golang.org/doc/install) >= 1.23
 - [Git](https://git-scm.com/downloads)
 - [PM2](https://pm2.keymetrics.io/)
@@ -47,7 +59,7 @@ Required tools:
 2. Run the following commands:
 
    ```bash
-   git clone https://github.com/stonith404/pocket-id
+   git clone https://github.com/pocket-id/pocket-id
    cd pocket-id
 
    # Checkout the latest version

docs/docs/setup/upgrading.md

@@ -37,7 +37,7 @@ docker compose up -d
    cd ../frontend
    npm install
    npm run build
-   pm2 start build/index.js --name pocket-id-frontend
+   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
 
    # Optional: Start Caddy (You can use any other reverse proxy)
    cd ..

docs/docs/setup/user-management.md

@@ -0,0 +1,40 @@
+---
+id: user-management
+---
+
+# User Management
+
+Creating users in Pocket ID can be handled in two ways:
+
+1. Manually create users via the admin interface.
+2. Sync users from an [LDAP](/configuration/ldap) source.
+
+Once users have been created using one of the methods above, follow the steps below to help configure passkeys for them.
+
+## Setting Up User Passkeys
+
+> As the admin, you cannot add passkeys for users; end users must configure them on their own.
+
+> Passkeys can be stored in services like Bitwarden, LastPass, iCloud, or even locally on certain devices using platform authenticators.
+
+### One-Time Link
+
+1. Navigate to the **Users** page in the Pocket ID admin dashboard.
+2. Locate the user you want to set up a passkey for.
+3. Click the **three dots** on the right side of the user row.
+4. Click **One-Time Link**.
+5. Select an **Expiration Time** for the link.
+6. Click **Generate Link** and send it to the user to allow them to set up their new passkey.
+
+### One-Time Access Email
+
+> **This method requires a valid SMTP server set up in Pocket ID.**
+
+> **Allowing users to sign in with a link sent to their email significantly reduces security, as anyone with access to the user's email can gain entry.**
+
+1. Navigate to the **Application Configuration** section in the Pocket ID admin dashboard.
+2. Expand the **Email** section and enable the **Email One-Time Access** option.
+3. Instruct the user to navigate to Pocket ID, e.g., `https://id.example.com`.
+4. Have the user click on the **Don't have access to your passkey?** link at the bottom of the page.
+5. Have the user enter their email associated with their Pocket ID account and click **Submit**.
+6. The user will receive an email with a **One-Time Access** link to set up their passkey.

docs/docs/troubleshooting/common-issues.md

@@ -0,0 +1,29 @@
+---
+id: common-issues
+---
+
+# Common Issues
+
+## Unable to Add a Passkey
+
+Ensure that the `PUBLIC_APP_URL` is set correctly to the public URL of the Pocket ID instance.
+
+Example:
+
+```ini
+PUBLIC_APP_URL=https://id.example.com
+```
+
+## Unable to Access the Admin UI After Setup
+
+To set up the initial passkey for the admin user, navigate to:
+
+```
+https://id.example.com/login/setup
+```
+
+## Invalid Callback URL
+
+One of the most common issues with OIDC clients is a misconfigured `Callback URL`.
+
+If the `redirect_uri` URL parameter starts with `http` but `https` is expected, the client is the issue. If you can’t resolve the issue on the client side, you can add a secondary callback URL using both `http` and `https` versions.

docs/docusaurus.config.ts

@@ -8,9 +8,9 @@ const config: Config = {
     "Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.",
   favicon: "img/pocket-id.png",
 
-  url: "https://stonith404.github.io",
-  baseUrl: "/pocket-id/",
-  organizationName: "stonith404",
+  url: "https://docs.pocket-id.org",
+  baseUrl: "/",
+  organizationName: "pocket-id",
   projectName: "pocket-id",
 
   onBrokenLinks: "warn",
@@ -28,7 +28,7 @@ const config: Config = {
         docs: {
           routeBasePath: "/",
           sidebarPath: "./sidebars.ts",
-          editUrl: "https://github.com/stonith404/pocket-id/edit/main/docs",
+          editUrl: "https://github.com/pocket-id/pocket-id/edit/main/docs",
         },
         blog: false,
       } satisfies Preset.Options,
@@ -47,8 +47,14 @@ const config: Config = {
         src: "img/pocket-id.png",
       },
       items: [
+        // Version gets replaced by the version-label.ts script
         {
-          href: "https://github.com/stonith404/pocket-id",
+          to: "#version",
+          label: " ",
+          position: "right",
+        },
+        {
+          href: "https://github.com/pocket-id/pocket-id",
           label: "GitHub",
           position: "right",
         },
@@ -59,6 +65,7 @@ const config: Config = {
       darkTheme: prismThemes.dracula,
     },
   } satisfies Preset.ThemeConfig,
-};
 
+  clientModules: [require.resolve("./src/version-label.ts")],
+};
 export default config;

docs/sidebars.ts

@@ -14,6 +14,10 @@ const sidebars: SidebarsConfig = {
           type: "doc",
           id: "setup/installation",
         },
+        {
+          type: "doc",
+          id: "setup/user-management",
+        },
         {
           type: "doc",
           id: "setup/nginx-reverse-proxy",
@@ -28,6 +32,10 @@ const sidebars: SidebarsConfig = {
       type: "category",
       label: "Configuration",
       items: [
+        {
+          type: "doc",
+          id: "configuration/allowed-groups",
+        },
         {
           type: "doc",
           id: "configuration/environment-variables",
@@ -48,6 +56,20 @@ const sidebars: SidebarsConfig = {
         },
       ],
     },
+    {
+      type: "category",
+      label: "Troubleshooting",
+      items: [
+        {
+          type: "doc",
+          id: "troubleshooting/account-recovery",
+        },
+        {
+          type: "doc",
+          id: "troubleshooting/common-issues",
+        },
+      ],
+    },
     {
       type: "category",
       label: "Client Examples",
@@ -60,9 +82,14 @@ const sidebars: SidebarsConfig = {
       },
       items: [
         "client-examples/cloudflare-zero-trust",
+        "client-examples/freshrss",
+        "client-examples/gitea",
         "client-examples/grist",
+        "client-examples/headscale",
         "client-examples/hoarder",
+        "client-examples/immich",
         "client-examples/jellyfin",
+        "client-examples/memos",
         "client-examples/netbox",
         "client-examples/open-webui",
         "client-examples/pgadmin",
@@ -73,30 +100,14 @@ const sidebars: SidebarsConfig = {
       ],
     },
     {
-      type: "category",
-      label: "Troubleshooting",
-      items: [
-        {
-          type: "doc",
-          id: "troubleshooting/account-recovery",
-        },
-      ],
-    },
-    {
-      type: "category",
-      label: "Helping Out",
-      items: [
-        {
-          type: "link",
-          label: "Contributing",
-          href: "https://github.com/stonith404/pocket-id/blob/main/CONTRIBUTING.md",
-        },
-      ],
+      type: "link",
+      label: "Contributing",
+      href: "https://github.com/pocket-id/pocket-id/blob/main/CONTRIBUTING.md",
     },
     {
       type: "link",
       label: "Demo",
-      href: "https://pocket-id.eliasschneider.com/",
+      href: "https://demo.pocket-id.org",
     },
   ],
 };

docs/src/pages/index.tsx

@@ -1,6 +1,5 @@
-import React from "react";
 import { Redirect } from "react-router-dom";
 
 export default function Home() {
-  return <Redirect to="/pocket-id/introduction" />;
+  return <Redirect to="/introduction" />;
 }

docs/src/version-label.ts

@@ -0,0 +1,23 @@
+import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
+
+if (ExecutionEnvironment.canUseDOM) {
+  function readVersionFile() {
+    return fetch(
+      "https://raw.githubusercontent.com/pocket-id/pocket-id/refs/heads/main/.version"
+    )
+      .then((response) => response.text())
+      .catch((error) => `Error reading version file: ${error}`);
+  }
+
+  function getVersion() {
+    readVersionFile()
+      .then((version) => {
+        const versionLabels = document.querySelectorAll('[href="#version"]');
+        versionLabels.forEach((label) => {
+          (label as HTMLElement).innerText = `v${version}`;
+        });
+      })
+      .catch((error) => console.error("Error fetching version:", error));
+  }
+  window.addEventListener("load", getVersion);
+}

docs/static/CNAME

@@ -0,0 +1 @@
+docs.pocket-id.org

frontend/package.json

@@ -1,7 +1,8 @@
 {
   "name": "pocket-id-frontend",
-  "version": "0.27.1",
+  "version": "0.29.0",
   "private": true,
+  "type": "module",
   "scripts": {
     "dev": "vite dev --port 3000",
     "build": "vite build",
@@ -11,48 +12,44 @@
     "lint": "prettier --check . && eslint .",
     "format": "prettier --write ."
   },
-  "devDependencies": {
-    "@playwright/test": "^1.48.1",
-    "@sveltejs/adapter-auto": "^3.3.0",
-    "@sveltejs/adapter-node": "^5.2.8",
-    "@sveltejs/kit": "^2.7.2",
-    "@sveltejs/vite-plugin-svelte": "^4.0.0",
-    "@types/eslint": "^9.6.1",
-    "@types/jsonwebtoken": "^9.0.7",
-    "@types/node": "^22.7.9",
-    "autoprefixer": "^10.4.20",
-    "cbor-js": "^0.1.0",
-    "eslint": "^9.13.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-svelte": "^2.46.0",
-    "globals": "^15.11.0",
-    "postcss": "^8.4.47",
-    "prettier": "^3.3.3",
-    "prettier-plugin-svelte": "^3.2.7",
-    "prettier-plugin-tailwindcss": "^0.6.8",
-    "svelte": "^5.0.5",
-    "svelte-check": "^4.0.5",
-    "tailwindcss": "^3.4.14",
-    "tslib": "^2.8.0",
-    "typescript": "^5.6.3",
-    "typescript-eslint": "^8.11.0",
-    "vite": "^5.4.10"
-  },
-  "type": "module",
   "dependencies": {
-    "@simplewebauthn/browser": "^10.0.0",
-    "axios": "^1.7.7",
-    "bits-ui": "^0.21.16",
+    "@simplewebauthn/browser": "^13.1.0",
+    "@tailwindcss/vite": "^4.0.0",
+    "axios": "^1.7.9",
+    "bits-ui": "^0.22.0",
     "clsx": "^2.1.1",
     "crypto": "^1.0.1",
     "formsnap": "^1.0.1",
-    "jsonwebtoken": "^9.0.2",
-    "lucide-svelte": "^0.453.0",
-    "mode-watcher": "^0.4.1",
+    "jose": "^5.9.6",
+    "lucide-svelte": "^0.474.0",
+    "mode-watcher": "^0.5.1",
     "svelte-sonner": "^0.3.28",
-    "sveltekit-superforms": "^2.20.0",
-    "tailwind-merge": "^2.5.4",
-    "tailwind-variants": "^0.2.1",
-    "zod": "^3.23.8"
+    "sveltekit-superforms": "^2.23.1",
+    "tailwind-merge": "^2.6.0",
+    "tailwind-variants": "^0.3.1",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.50.0",
+    "@sveltejs/adapter-auto": "^4.0.0",
+    "@sveltejs/adapter-node": "^5.2.12",
+    "@sveltejs/kit": "^2.16.1",
+    "@sveltejs/vite-plugin-svelte": "^5.0.3",
+    "@types/eslint": "^9.6.1",
+    "@types/node": "^22.10.10",
+    "eslint": "^9.19.0",
+    "eslint-config-prettier": "^10.0.1",
+    "eslint-plugin-svelte": "^2.46.1",
+    "globals": "^15.14.0",
+    "prettier": "^3.4.2",
+    "prettier-plugin-svelte": "^3.3.3",
+    "prettier-plugin-tailwindcss": "^0.6.11",
+    "svelte": "^5.19.3",
+    "svelte-check": "^4.1.4",
+    "tailwindcss": "^4.0.0",
+    "tslib": "^2.8.1",
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.21.0",
+    "vite": "^6.0.11"
   }
 }

frontend/postcss.config.js

@@ -1,6 +0,0 @@
-export default {
-	plugins: {
-		tailwindcss: {},
-		autoprefixer: {}
-	}
-};

frontend/src/app.css

@@ -1,6 +1,6 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
+@import "tailwindcss";
+
+@config '../tailwind.config.ts';
 
 @layer base {
 	:root {
@@ -77,6 +77,10 @@
 		@apply bg-background text-foreground;
 	}
 
+	button{
+		@apply cursor-pointer;
+	}
+
 	@font-face {
 		font-family: 'Playfair Display';
 		font-weight: 400;

frontend/src/hooks.server.ts

@@ -2,7 +2,7 @@ import { env } from '$env/dynamic/private';
 import { ACCESS_TOKEN_COOKIE_NAME } from '$lib/constants';
 import type { Handle, HandleServerError } from '@sveltejs/kit';
 import { AxiosError } from 'axios';
-import jwt from 'jsonwebtoken';
+import { decodeJwt } from 'jose';
 
 // Workaround so that we can also import this environment variable into client-side code
 // If we would directly import $env/dynamic/private into the api-service.ts file, it would throw an error
@@ -10,18 +10,7 @@ import jwt from 'jsonwebtoken';
 process.env.INTERNAL_BACKEND_URL = env.INTERNAL_BACKEND_URL ?? 'http://localhost:8080';
 
 export const handle: Handle = async ({ event, resolve }) => {
-	const accessToken = event.cookies.get(ACCESS_TOKEN_COOKIE_NAME);
-
-	let isSignedIn: boolean = false;
-	let isAdmin: boolean = false;
-
-	if (accessToken) {
-		const jwtPayload = jwt.decode(accessToken, { json: true });
-		if (jwtPayload?.exp && jwtPayload.exp * 1000 > Date.now()) {
-			isSignedIn = true;
-			isAdmin = jwtPayload?.isAdmin || false;
-		}
-	}
+	const { isSignedIn, isAdmin } = verifyJwt(event.cookies.get(ACCESS_TOKEN_COOKIE_NAME));
 
 	if (event.url.pathname.startsWith('/settings') && !event.url.pathname.startsWith('/login')) {
 		if (!isSignedIn) {
@@ -66,3 +55,18 @@ export const handleError: HandleServerError = async ({ error, message, status })
 		status
 	};
 };
+
+function verifyJwt(accessToken: string | undefined) {
+	let isSignedIn = false;
+	let isAdmin = false;
+
+	if (accessToken) {
+		const jwtPayload = decodeJwt<{ isAdmin: boolean }>(accessToken);
+		if (jwtPayload?.exp && jwtPayload.exp * 1000 > Date.now()) {
+			isSignedIn = true;
+			isAdmin = jwtPayload?.isAdmin || false;
+		}
+	}
+
+	return { isSignedIn, isAdmin };
+}

frontend/src/lib/components/collapsible-card.svelte

@@ -0,0 +1,75 @@
+<script lang="ts">
+	import { cn } from '$lib/utils/style';
+	import { LucideChevronDown } from 'lucide-svelte';
+	import { onMount, type Snippet } from 'svelte';
+	import { slide } from 'svelte/transition';
+	import { Button } from './ui/button';
+	import * as Card from './ui/card';
+
+	let {
+		id,
+		title,
+		description,
+		defaultExpanded = false,
+		children
+	}: {
+		id: string;
+		title: string;
+		description?: string;
+		defaultExpanded?: boolean;
+		children: Snippet;
+	} = $props();
+
+	let expanded = $state(defaultExpanded);
+
+	function loadExpandedState() {
+		const state = JSON.parse(localStorage.getItem('collapsible-cards-expanded') || '{}');
+		expanded = state[id] || false;
+	}
+
+	function saveExpandedState() {
+		const state = JSON.parse(localStorage.getItem('collapsible-cards-expanded') || '{}');
+		state[id] = expanded;
+		localStorage.setItem('collapsible-cards-expanded', JSON.stringify(state));
+	}
+
+	function toggleExpanded() {
+		expanded = !expanded;
+		saveExpandedState();
+	}
+
+	onMount(() => {
+		if (defaultExpanded) {
+			saveExpandedState();
+		}
+		loadExpandedState();
+	});
+</script>
+
+<Card.Root>
+	<Card.Header class="cursor-pointer" onclick={toggleExpanded}>
+		<div class="flex items-center justify-between">
+			<div>
+				<Card.Title>{title}</Card.Title>
+				{#if description}
+					<Card.Description>{description}</Card.Description>
+				{/if}
+			</div>
+			<Button class="ml-10 h-8 p-3" variant="ghost" aria-label="Expand card">
+				<LucideChevronDown
+					class={cn(
+						'h-5 w-5 transition-transform duration-200',
+						expanded && 'rotate-180 transform'
+					)}
+				/>
+			</Button>
+		</div>
+	</Card.Header>
+	{#if expanded}
+		<div transition:slide={{ duration: 200 }}>
+			<Card.Content>
+				{@render children()}
+			</Card.Content>
+		</div>
+	{/if}
+</Card.Root>

frontend/src/lib/components/ui/card/card-description.svelte

@@ -8,6 +8,6 @@
 	export { className as class };
 </script>
 
-<p class={cn('text-sm text-muted-foreground', className)} {...$$restProps}>
+<p class={cn('text-sm text-muted-foreground mt-1', className)} {...$$restProps}>
 	<slot />
 </p>

frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte

@@ -14,7 +14,7 @@
 
 <DropdownMenuPrimitive.Item
 	class={cn(
-		'relative flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[highlighted]:bg-accent data-[highlighted]:text-accent-foreground data-[disabled]:opacity-50',
+		'relative flex select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[highlighted]:bg-accent data-[highlighted]:text-accent-foreground data-[disabled]:opacity-50',
 		inset && 'pl-8',
 		className
 	)}

frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte

@@ -15,7 +15,7 @@
 
 <DropdownMenuPrimitive.SubTrigger
 	class={cn(
-		'flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[highlighted]:bg-accent data-[state=open]:bg-accent data-[highlighted]:text-accent-foreground data-[state=open]:text-accent-foreground',
+		'flex select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[highlighted]:bg-accent data-[state=open]:bg-accent data-[highlighted]:text-accent-foreground data-[state=open]:text-accent-foreground',
 		inset && 'pl-8',
 		className
 	)}