Update example .env to use database for keys storage

Given recent conversations on how the database will be the preferred (or sole) method in a future release, start by updating the example env

.devcontainer/devcontainer.json

@@ -0,0 +1,21 @@
+{
+  "name": "pocket-id",
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
+  "features": {
+    "ghcr.io/devcontainers/features/go:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go",
+        "svelte.svelte-vscode",
+        "bradlc.vscode-tailwindcss",
+        "esbenp.prettier-vscode"
+      ]
+    }
+  },
+  "containerEnv": {
+    "HOST": "0.0.0.0"
+  },
+  "postCreateCommand": "npm install --prefix frontend && cd backend && go mod download"
+}

.dockerignore

@@ -0,0 +1,22 @@
+**/node_modules
+
+# Output
+.output
+.vercel
+/frontend/.svelte-kit
+/frontend/build
+/backend/bin
+/backend/frontend/dist
+/tests/.auth
+/tests/.report
+
+
+# Env
+.env
+.env.*
+
+
+# Application specific
+data
+/scripts/development
+/backend/GeoLite2-City.mmdb

.env.example

@@ -1,2 +1,14 @@
-PUBLIC_APP_URL=http://localhost
-TRUST_PROXY=false
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
+APP_URL=https://your-pocket-id-domain.com
+TRUST_PROXY=false
+MAXMIND_LICENSE_KEY=
+PUID=1000
+PGID=1000
+KEYS_STORAGE=database
+
+# Encryption key used to protect sensitive data
+# Can be generated with `openssl rand -base64 32`
+# See https://pocket-id.org/docs/configuration/environment-variables#encryption-keys
+ENCRYPTION_KEY=
+# Alternatively, point to a file containing the key (could be a Docker secret)
+#ENCRYPTION_KEY_FILE=

.env.test

@@ -1,2 +0,0 @@
-APP_ENV=test
-PUBLIC_APP_URL=http://localhost

.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @pocket-id/maintainers

.github/FUNDING.yml

@@ -1,2 +1,2 @@
 # These are supported funding model platforms
-github: stonith404
+github: [stonith404, kmendell]

.github/ISSUE_TEMPLATE/bug.yml

@@ -1,7 +1,7 @@
 name: "🐛 Bug Report"
 description: "Report something that is not working as expected"
 title: "🐛 Bug Report: "
-labels: [bug]
+type: 'Bug'
 body:
   - type: markdown
     attributes:
@@ -34,4 +34,39 @@ body:
   - type: markdown
     attributes:
       value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: version
+    validations:
+      required: true
+    attributes:
+      label: "Pocket ID Version"
+      description: "Please specify the version of Pocket ID."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: database
+    validations:
+      required: true
+    attributes:
+      label: "Database"
+      description: "Please specify the database in use: SQLite or Postgres (including version)."
+      placeholder: "e.g., SQLite or Postgres 17"
+  - type: textarea
+    id: environment
+    validations:
+      required: true
+    attributes:
+      label: "OS and Environment"
+      description: "Please include the OS, whether you're using containers (Docker, Podman, etc) along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., Docker on Ubuntu 24.04, served using Traefik"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occurred to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**

.github/ISSUE_TEMPLATE/config.yml

@@ -1 +1,5 @@
-blank_issues_enabled: false
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Discord
+    url: https://discord.gg/8wudU9KaxM
+    about: For help and chatting with the community

.github/ISSUE_TEMPLATE/feature.yml

@@ -1,7 +1,7 @@
 name: 🚀 Feature
 description: "Submit a proposal for a new feature"
 title: "🚀 Feature: "
-labels: [feature]
+type: 'Feature'
 body:
   - type: textarea
     id: feature-description

.github/ISSUE_TEMPLATE/language-request.yml

@@ -0,0 +1,20 @@
+name: "🌐 Language request"
+description: "You want to contribute to a language that isn't on Crowdin yet?"
+title: "🌐 Language Request: <language name in english>"
+type: 'Language Request'
+body:
+  - type: input
+    id: language-name-native
+    attributes:
+      label: "🌐 Language Name (native)"
+      placeholder: "Schweizerdeutsch"
+    validations:
+      required: true
+  - type: input
+    id: language-code
+    attributes:
+      label: "🌐 ISO 639-1 Language Code"
+      description: "You can find your language code [here](https://www.andiamo.co.uk/resources/iso-language-codes/)."
+      placeholder: "de-CH"
+    validations:
+      required: true

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for more information:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
+
+version: 2
+updates:
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly

.github/svelte-check-matcher.json

@@ -0,0 +1,21 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "svelte-check",
+      "pattern": [
+        {
+          "regexp": "^([^\\s].*):(\\d+):(\\d+)$",
+          "file": 1,
+          "line": 2,
+          "column": 3
+        },
+        {
+          "regexp": "^\\s*(Error|Warning):\\s*(.*)\\s+\\((?:ts|js|svelte)\\)$",
+          "severity": 1,
+          "message": 2,
+          "loop": false
+        }
+      ]
+    }
+  ]
+}

.github/workflows/backend-linter.yml

@@ -0,0 +1,40 @@
+name: Run Backend Linter
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
+jobs:
+  golangci-lint:
+    name: Run Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: backend/go.mod
+
+      - name: Run Golangci-lint
+        uses: golangci/golangci-lint-action@v8.0.0
+        with:
+          version: v2.4.0
+          args: --build-tags=exclude_frontend
+          working-directory: backend
+          only-new-issues: ${{ github.event_name == 'pull_request' }}

.github/workflows/build-and-push-docker-image.yml

@@ -1,34 +0,0 @@
-name: Build and Push Docker Image
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Login to Docker registry
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: stonith404/pocket-id:latest,stonith404/pocket-id:${{  github.ref_name }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max

.github/workflows/build-next.yml

@@ -0,0 +1,96 @@
+name: Build Next Image
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: build-next-image
+  cancel-in-progress: true
+
+jobs:
+  build-next:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "backend/go.mod"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set DOCKER_IMAGE_NAME
+        run: |
+          # Lowercase REPO_OWNER which is required for containers
+          REPO_OWNER=${{ github.repository_owner }}
+          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
+          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install frontend dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build frontend
+        working-directory: frontend
+        run: pnpm run build
+
+      - name: Build binaries
+        run: sh scripts/development/build-binaries.sh --docker-only
+
+      - name: Build and push container image
+        id: build-push-image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.DOCKER_IMAGE_NAME }}:next
+          file: docker/Dockerfile-prebuilt
+      - name: Build and push container image (distroless)
+        uses: docker/build-push-action@v6
+        id: container-build-push-distroless
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
+          file: docker/Dockerfile-distroless
+      - name: Container image attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.build-push-image.outputs.digest }}
+          push-to-registry: true
+      - name: Container image attestation (distroless)
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
+          push-to-registry: true

.github/workflows/e2e-tests.yml

@@ -2,44 +2,190 @@ name: E2E Tests
 on:
   push:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
   pull_request:
     branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
-  build-and-test:
+  build:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
     timeout-minutes: 20
+    permissions:
+      contents: read
+      actions: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: lts/*
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      
-      - name: Build Docker Image
-        run: docker build -t stonith404/pocket-id .
-      - name: Run Docker Container
-        run: docker run -d --name pocket-id -p 80:80 --env-file .env.test stonith404/pocket-id
+      - uses: actions/checkout@v5
 
-      - name: Install frontend dependencies
-        working-directory: ./frontend
-        run: npm ci
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/Dockerfile
+          push: false
+          load: false
+          tags: pocket-id:test
+          outputs: type=docker,dest=/tmp/docker-image.tar
+          build-args: BUILD_TAGS=e2etest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp/docker-image.tar
+          retention-days: 1
+
+  test:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    permissions:
+      contents: read
+      actions: write
+    runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        db: [sqlite, postgres, sqlite-s3]
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+
+      - name: Cache Playwright Browsers
+        uses: actions/cache@v3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
+
+      - name: Cache PostgreSQL Docker image
+        if: matrix.db == 'postgres'
+        uses: actions/cache@v3
+        id: postgres-cache
+        with:
+          path: /tmp/postgres-image.tar
+          key: postgres-17-${{ runner.os }}
+
+      - name: Pull and save PostgreSQL image
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull postgres:17
+          docker save postgres:17 > /tmp/postgres-image.tar
+
+      - name: Load PostgreSQL image
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/postgres-image.tar
+
+      - name: Cache LLDAP Docker image
+        uses: actions/cache@v3
+        id: lldap-cache
+        with:
+          path: /tmp/lldap-image.tar
+          key: lldap-stable-${{ runner.os }}
+
+      - name: Pull and save LLDAP image
+        if: steps.lldap-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull nitnelave/lldap:stable
+          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
+
+      - name: Load LLDAP image
+        if: steps.lldap-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/lldap-image.tar
+
+      - name: Cache Localstack S3 Docker image
+        if: matrix.db == 'sqlite-s3'
+        uses: actions/cache@v3
+        id: s3-cache
+        with:
+          path: /tmp/localstack-s3-image.tar
+          key: localstack-s3-latest-${{ runner.os }}
+
+      - name: Pull and save Localstack S3 image
+        if: matrix.db == 'sqlite-s3' && steps.s3-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull localstack/localstack:s3-latest
+          docker save localstack/localstack:s3-latest > /tmp/localstack-s3-image.tar
+
+      - name: Load Localstack S3 image
+        if: matrix.db == 'sqlite-s3' && steps.s3-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/localstack-s3-image.tar
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+
+      - name: Load Docker image
+        run: docker load -i /tmp/docker-image.tar
+
+      - name: Install test dependencies
+        run: pnpm --filter pocket-id-tests install --frozen-lockfile
 
       - name: Install Playwright Browsers
-        working-directory: ./frontend
-        run: npx playwright install --with-deps chromium
+        working-directory: ./tests
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        run: pnpm exec playwright install --with-deps chromium
+
+      - name: Run Docker Container (sqlite) with LDAP
+        if: matrix.db == 'sqlite'
+        working-directory: ./tests/setup
+        run: |
+          docker compose up -d
+          docker compose logs -f pocket-id &> /tmp/backend.log &
+
+      - name: Run Docker Container (postgres) with LDAP
+        if: matrix.db == 'postgres'
+        working-directory: ./tests/setup
+        run: |
+          docker compose -f docker-compose-postgres.yml up -d
+          docker compose -f docker-compose-postgres.yml logs -f pocket-id &> /tmp/backend.log &
+
+      - name: Run Docker Container (sqlite-s3) with LDAP + S3
+        if: matrix.db == 'sqlite-s3'
+        working-directory: ./tests/setup
+        run: |
+          docker compose -f docker-compose-s3.yml up -d
+          docker compose -f docker-compose-s3.yml logs -f pocket-id &> /tmp/backend.log &
 
       - name: Run Playwright tests
-        working-directory: ./frontend
-        run: npx playwright test
+        working-directory: ./tests
+        run: pnpm exec playwright test
 
-      - name: Get container logs
-        if: always()
-        run: docker logs pocket-id
-
-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
-          name: playwright-report
-          path: frontend/tests/.output
+          name: playwright-report-${{ matrix.db }}
+          path: tests/.report
+          include-hidden-files: true
+          retention-days: 15
+
+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
+        with:
+          name: backend-${{ matrix.db }}
+          path: /tmp/backend.log
+          include-hidden-files: true
           retention-days: 15

.github/workflows/release.yml

@@ -0,0 +1,125 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: "backend/go.mod"
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Set DOCKER_IMAGE_NAME
+        run: |
+          # Lowercase REPO_OWNER which is required for containers
+          REPO_OWNER=${{ github.repository_owner }}
+          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
+          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.repository_owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{major}},prefix=v
+      - name: Docker metadata (distroless)
+        id: meta-distroless
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_IMAGE_NAME }}
+          flavor: |
+            suffix=-distroless,onlatest=true
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{major}},prefix=v
+      - name: Install frontend dependencies
+        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
+      - name: Build frontend
+        run: pnpm --filter pocket-id-frontend build
+
+      - name: Build binaries
+        run: sh scripts/development/build-binaries.sh
+      - name: Build and push container image
+        uses: docker/build-push-action@v6
+        id: container-build-push
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: docker/Dockerfile-prebuilt
+      - name: Build and push container image (distroless)
+        uses: docker/build-push-action@v6
+        id: container-build-push-distroless
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta-distroless.outputs.tags }}
+          labels: ${{ steps.meta-distroless.outputs.labels }}
+          file: docker/Dockerfile-distroless
+      - name: Binary attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "backend/.bin/pocket-id-**"
+      - name: Container image attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.container-build-push.outputs.digest }}
+          push-to-registry: true
+      - name: Container image attestation (distroless)
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
+          push-to-registry: true
+      - name: Upload binaries to release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload ${{ github.ref_name }} backend/.bin/*
+
+  publish-release:
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+      - name: Mark release as published
+        run: gh release edit ${{ github.ref_name }} --draft=false

.github/workflows/svelte-check.yml

@@ -0,0 +1,59 @@
+name: Svelte Check
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "frontend/src/**"
+      - ".github/svelte-check-matcher.json"
+      - "frontend/package.json"
+      - "frontend/package-lock.json"
+      - "frontend/tsconfig.json"
+      - "frontend/svelte.config.js"
+  pull_request:
+    branches: [main]
+    paths:
+      - "frontend/src/**"
+      - ".github/svelte-check-matcher.json"
+      - "frontend/package.json"
+      - "frontend/package-lock.json"
+      - "frontend/tsconfig.json"
+      - "frontend/svelte.config.js"
+  workflow_dispatch:
+
+jobs:
+  type-check:
+    name: Run Svelte Check
+    # Don't run on dependabot branches
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+
+      - name: Install dependencies
+        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
+
+      - name: Build Pocket ID Frontend
+        working-directory: frontend
+        run: pnpm --filter pocket-id-frontend build
+
+      - name: Add svelte-check problem matcher
+        run: echo "::add-matcher::.github/svelte-check-matcher.json"
+
+      - name: Run svelte-check
+        working-directory: frontend
+        run: pnpm --filter pocket-id-frontend check

.github/workflows/unit-tests.yml

@@ -0,0 +1,38 @@
+name: Unit Tests
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+jobs:
+  test-backend:
+    permissions:
+      contents: read
+      actions: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: "backend/go.mod"
+          cache-dependency-path: "backend/go.sum"
+      - name: Install dependencies
+        working-directory: backend
+        run: |
+          go get ./...
+      - name: Run backend unit tests
+        working-directory: backend
+        run: |
+          set -e -o pipefail
+          go test -tags=exclude_frontend -v ./... | tee /tmp/TestResults.log
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-unit-tests
+          path: /tmp/TestResults.log
+          retention-days: 15

.github/workflows/update-aaguids.yml

@@ -0,0 +1,39 @@
+name: Update AAGUIDs
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Runs every Monday at midnight
+  workflow_dispatch: # Allows manual triggering of the workflow
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-aaguids:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Fetch JSON data
+        run: |
+          curl -o data.json https://raw.githubusercontent.com/pocket-id/passkey-aaguids/refs/heads/main/combined_aaguid.json
+
+      - name: Process JSON data
+        run: |
+          mkdir -p backend/resources
+          jq -c 'map_values(.name)' data.json > backend/resources/aaguids.json
+          rm data.json
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "chore: update AAGUIDs"
+          title: "chore: update AAGUIDs"
+          body: |
+            This PR updates the AAGUIDs file with the latest data from the [passkey-aaguids](https://github.com/pocket-id/passkey-aaguids) repository.
+          branch: update-aaguids
+          base: main
+          delete-branch: true

.gitignore

@@ -1,14 +1,20 @@
 # JetBrains
 **/.idea
 
+# Node
 node_modules
 
+# PNPM
+.pnpm-store/
+
 # Output
 .output
 .vercel
 /frontend/.svelte-kit
 /frontend/build
 /backend/bin
+pocket-id
+/tests/test-results/*.json
 
 # OS
 .DS_Store
@@ -17,8 +23,9 @@ Thumbs.db
 # Env
 .env
 .env.*
-!.env.example
+!.env.development-example
 !.env.test
+!.env.example
 
 # Vite
 vite.config.js.timestamp-*
@@ -30,8 +37,26 @@ vite.config.ts.timestamp-*
 *.dll
 *.so
 *.dylib
+/backend/.bin
+/pocket-id
 
 # Application specific
 data
-/frontend/tests/.auth
-pocket-id-backend
+/tests/.auth
+/tests/.report
+/backend/GeoLite2-City.mmdb
+/backend/frontend/dist
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+#Debug
+backend/cmd/__debug_*

.version

@@ -1 +1 @@
-0.5.1
+1.15.0

.vscode/extensions.json

@@ -0,0 +1,8 @@
+{
+  "recommendations": [
+    "golang.go",
+    "svelte.svelte-vscode",
+    "bradlc.vscode-tailwindcss",
+    "esbenp.prettier-vscode"
+  ]
+}

.vscode/launch.json

@@ -0,0 +1,42 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Backend",
+      "type": "go",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/backend/cmd/.env",
+      "env": {
+        "APP_ENV": "development"
+      },
+      "mode": "debug",
+      "program": "${workspaceFolder}/backend/cmd/main.go",
+    },
+    {
+      "name": "Frontend",
+      "type": "node",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/frontend/.env",
+      "cwd": "${workspaceFolder}/frontend",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ]
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Development",
+      "configurations": [
+        "Backend",
+        "Frontend"
+      ],
+      "presentation": {
+        "hidden": false,
+        "group": "",
+        "order": 1
+      }
+    }
+  ],
+}

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "go.buildTags": "e2etest",
+    "prettier.documentSelectors": ["**/*.svelte"],
+}

CONTRIBUTING.md

@@ -17,7 +17,7 @@ Before you submit the pull request for review please ensure that
   example:
 
   ```
-  feat(share): add password protection
+  fix: hide global audit log switch for non admin users
   ```
 
   Where `TYPE` can be:
@@ -28,46 +28,69 @@ Before you submit the pull request for review please ensure that
   - **refactor** - code change that neither fixes a bug nor adds a feature
 
 - Your pull request has a detailed description
-- You run `npm run format` to format the code
+- You run `pnpm format` to format the code
 
-## Setup project
+## Development Environment
 
-Pocket ID consists of a frontend, backend and a reverse proxy.
+Pocket ID consists of a frontend and backend. In production the frontend gets statically served by the backend, but in development they run as separate processes to enable hot reloading.
 
-### Backend
+There are two ways to get the development environment setup:
 
-The backend is built with [Gin](https://gin-gonic.com) and written in Go.
+### 1. Install required tools
 
-#### Setup
+#### With Dev Containers
+
+If you use [Dev Containers](https://code.visualstudio.com/docs/remote/containers) in VS Code, you don't need to install anything manually, just follow the steps below.
+
+1. Make sure you have [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension installed
+2. Clone and open the repo in VS Code
+3. VS Code will detect .devcontainer and will prompt you to open the folder in devcontainer
+4. If the auto prompt does not work, hit `F1` and select `Dev Containers: Open Folder in Container.`, then select the pocket-id repo root folder and it'll open in container.
+
+#### Without Dev Containers
+
+If you don't use Dev Containers, you need to install the following tools manually:
+
+- [Node.js](https://nodejs.org/en/download/) >= 22
+- [Go](https://golang.org/doc/install) >= 1.25
+- [Git](https://git-scm.com/downloads)
+
+### 2. Setup
+
+#### Backend
+
+The backend is built with [Gin](https://gin-gonic.com) and written in Go. To set it up, follow these steps:
 
 1. Open the `backend` folder
-2. Copy the `.env.example` file to `.env` and change the `APP_ENV` to `development`
-3. Start the backend with `go run cmd/main.go`
+2. Copy the `.env.development-example` file to `.env` and edit the variables as needed
+3. Start the backend with `go run -tags exclude_frontend ./cmd`
 
 ### Frontend
 
-The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in TypeScript.
+The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in TypeScript. To set it up, follow these steps:
 
-#### Setup
+1. Open the `pocket-id` project folder
+2. Copy the `frontend/.env.development-example` file to `frontend/.env` and edit the variables as needed
+3. Install the dependencies with `pnpm install`
+4. Start the frontend with `pnpm dev`
 
-1. Open the `frontend` folder
-2. Copy the `.env.example` file to `.env`
-3. Install the dependencies with `npm install`
-4. Start the frontend with `npm run dev`
-
-You're all set!
-
-### Reverse Proxy
-We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.
-
-#### Setup
-Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.
+You're all set! The application is now listening on `localhost:3000`. The backend gets proxied trough the frontend in development mode.
 
 ### Testing
 
 We are using [Playwright](https://playwright.dev) for end-to-end testing.
 
+If you are contributing to a new feature please ensure that you add tests for it. The tests are located in the `tests` folder at the root of the project.
+
 The tests can be run like this:
-1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
-3. Run the tests with `npm run test`
+
+1. Install the dependencies from the root of the project `pnpm install`
+
+2. Visit the setup folder by running `cd tests/setup`
+
+3. Start the test environment by running `docker compose up -d --build`
+
+4. Go back to the test folder by running `cd ..`
+5. Run the tests with `pnpm dlx playwright test` or from the root project folder `pnpm test`
+
+If you make any changes to the application, you have to rebuild the test environment by running `docker compose up -d --build` again.

Dockerfile

@@ -1,43 +0,0 @@
-# Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
-WORKDIR /app/frontend
-COPY ./frontend/package*.json ./
-RUN npm ci
-COPY ./frontend ./
-RUN npm run build
-RUN npm prune --production
-
-# Stage 2: Build Backend
-FROM golang:1.23-alpine AS backend-builder
-WORKDIR /app/backend
-COPY ./backend/go.mod ./backend/go.sum ./
-RUN go mod download
-
-RUN apk add --no-cache gcc musl-dev
-
-COPY ./backend ./
-WORKDIR /app/backend/cmd
-RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
-
-# Stage 3: Production Image
-FROM node:20-alpine
-RUN apk add --no-cache caddy
-COPY ./reverse-proxy /etc/caddy/
-
-WORKDIR /app
-COPY --from=frontend-builder /app/frontend/build ./frontend/build
-COPY --from=frontend-builder /app/frontend/node_modules ./frontend/node_modules
-COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json
-
-COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend
-COPY --from=backend-builder /app/backend/migrations ./backend/migrations
-COPY --from=backend-builder /app/backend/email-templates ./backend/email-templates
-COPY --from=backend-builder /app/backend/images ./backend/images
-
-COPY ./scripts ./scripts
-
-EXPOSE 3000
-ENV APP_ENV=production
-
-# Use a shell form to run both the frontend and backend
-CMD ["sh", "./scripts/docker-entrypoint.sh"]

README.md

@@ -2,6 +2,8 @@
 
 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
 
+→ Try out the [Demo](https://demo.pocket-id.org)
+
 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>
 
 The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
@@ -10,149 +12,9 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht
 
 ## Setup
 
-> [!WARNING]  
-> Pocket ID is in its early stages and may contain bugs.
+Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.
 
-### Before you start
-
-Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) which requires a secure context.
-
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](#environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Unraid
-
-Pocket ID is available as a template on the Community Apps store.
-
-### Stand-alone Installation
-
-Required tools:
-
-- [Node.js](https://nodejs.org/en/download/) >= 20
-- [Go](https://golang.org/doc/install) >= 1.23
-- [Git](https://git-scm.com/downloads)
-- [PM2](https://pm2.keymetrics.io/)
-- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-
-2. Run the following commands:
-
-   ```bash
-   git clone https://github.com/stonith404/pocket-id
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start --name pocket-id-caddy caddy -- run --config Caddyfile
-   ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Add Pocket ID as an OIDC provider
-
-You can add a new OIDC client on `https://<your-domain>/settings/admin/oidc-clients`
-
-After you have added the client, you can obtain the client ID and client secret.
-
-You may need the following information:
-
-- **Authorization URL**: `https://<your-domain>/authorize`
-- **Token URL**: `https://<your-domain>/api/oidc/token`
-- **Userinfo URL**: `https://<your-domain>/api/oidc/userinfo`
-- **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
-- **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
-- **PKCE**: `false` as this is not supported yet.
-
-### Proxy Services with Pocket ID
-
-As the goal of Pocket ID is to stay simple, we don't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/) to add authentication to your services that don't support OIDC.
-
-See the [guide](docs/proxy-services.md) for more information.
-
-### Update
-
-#### Docker
-
-```bash
-docker compose pull
-docker compose up -d
-```
-
-#### Stand-alone
-
-1. Stop the running services:
-   ```bash
-   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
-   ```
-2. Run the following commands:
-
-   ```bash
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start build/index.js --name pocket-id-frontend
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start caddy --name pocket-id-caddy -- run --config Caddyfile
-   ```
-
-### Environment variables
-
-| Variable               | Default Value           | Recommended to change | Description                                   |
-| ---------------------- | ----------------------- | --------------------- | --------------------------------------------- |
-| `PUBLIC_APP_URL`       | `http://localhost`      | yes                   | The URL where you will access the app.        |
-| `TRUST_PROXY`          | `false`                 | yes                   | Whether the app is behind a reverse proxy.    |
-| `DB_PATH`              | `data/pocket-id.db`     | no                    | The path to the SQLite database.              |
-| `UPLOAD_PATH`          | `data/uploads`          | no                    | The path where the uploaded files are stored. |
-| `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no                    | The URL where the backend is accessible.      |
-| `PORT`                 | `3000`                  | no                    | The port on which the frontend should listen. |
-| `BACKEND_PORT`         | `8080`                  | no                    | The port on which the backend should listen.  |
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.
 
 ## Contribute
 

backend/.air.toml

@@ -0,0 +1,12 @@
+root = "."
+tmp_dir = ".bin"
+
+[build]
+  bin = "./.bin/pocket-id"
+  cmd = "CGO_ENABLED=0 go build -o ./.bin/pocket-id ./cmd"
+  exclude_dir = ["resources", ".bin", "data"]
+  exclude_regex = [".*_test\\.go"]
+  stop_on_error = true
+
+[misc]
+  clean_on_exit = true

backend/.env.development-example

@@ -0,0 +1,9 @@
+# Sample .env file for development
+# All environment variables can be found on https://pocket-id.org/docs/configuration/environment-variables
+
+APP_ENV=development
+# Set the APP_URL to the URL where the frontend is listening
+# In the development environment the backend gets proxied by the frontend
+APP_URL=http://localhost:3000
+PORT=1411
+MAXMIND_LICENSE_KEY=your_license_key

backend/.env.example

@@ -1,6 +0,0 @@
-APP_ENV=production
-PUBLIC_APP_URL=http://localhost
-DB_PATH=data/pocket-id.db
-UPLOAD_PATH=data/uploads
-PORT=8080
-HOST=localhost

backend/.gitignore

@@ -13,4 +13,6 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
-./data
+./data
+.env
+pocket-id

backend/.golangci.yml

@@ -0,0 +1,64 @@
+version: "2"
+run:
+  tests: true
+  timeout: 5m
+linters:
+  default: none
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - copyloopvar
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocognit
+    - gocritic
+    - gosec
+    - gosmopolitan
+    - govet
+    - ineffassign
+    - loggercheck
+    - makezero
+    - musttag
+    - nilerr
+    - nilnesserr
+    - noctx
+    - protogetter
+    - reassign
+    - recvcheck
+    - rowserrcheck
+    - spancheck
+    - sqlclosecheck
+    - staticcheck
+    - testifylint
+    - unused
+    - usestdlibvars
+    - zerologlint
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - internal/service/test_service.go
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

backend/cmd/main.go

@@ -1,9 +1,15 @@
 package main
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/bootstrap"
+	_ "time/tzdata"
+
+	"github.com/pocket-id/pocket-id/backend/internal/cmds"
 )
 
+// @title Pocket ID API
+// @version 1.0
+// @description.markdown
+
 func main() {
-	bootstrap.Bootstrap()
+	cmds.Execute()
 }

backend/email-templates/components/email_html.tmpl

@@ -1,14 +0,0 @@
-{{ define "root" }}
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    {{ template "style" . }}
-</head>
-<body>
-    <div class="container">
-        {{ template "base" . }}
-    </div>
-</body>
-</html>
-{{ end }}

backend/email-templates/components/email_text.tmpl

@@ -1,7 +0,0 @@
-{{- define "root" -}}
-{{- template "base" . -}}
-{{- end }}
-
-
---
-This is automatically sent email from {{.AppName}}.

backend/email-templates/components/style_html.tmpl

@@ -1,80 +0,0 @@
-{{ define "style" }}
-<style>
-  body {
-    font-family: Arial, sans-serif;
-    background-color: #f0f0f0;
-    color: #333;
-    margin: 0;
-    padding: 0;
-  }
-  .container {
-    background-color: #fff;
-    color: #333;
-    padding: 32px;
-    border-radius: 10px;
-    max-width: 600px;
-    margin: 40px auto;
-    box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-  }
-  .header {
-    display: flex;
-    justify-content: space-between;
-    align-items: center;
-    margin-bottom: 24px;
-  }
-  .header .logo {
-    display: flex;
-    align-items: center;
-    gap: 8px;
-  }
-  .header .logo img {
-    width: 32px;
-    height: 32px;
-    object-fit: cover;
-  }
-  .header h1 {
-    font-size: 1.5rem;
-    font-weight: bold;
-  }
-  .warning {
-    background-color: #ffd966;
-    color: #7f6000;
-    padding: 4px 12px;
-    border-radius: 50px;
-    font-size: 0.875rem;
-  }
-  .content {
-    background-color: #fafafa;
-    color: #333;
-    padding: 24px;
-    border-radius: 10px;
-  }
-  .content h2 {
-    font-size: 1.25rem;
-    font-weight: bold;
-    margin-bottom: 16px;
-  }
-  .grid {
-    display: grid;
-    grid-template-columns: 1fr 1fr;
-    gap: 16px;
-    margin-bottom: 16px;
-  }
-  .grid div {
-    display: flex;
-    flex-direction: column;
-  }
-  .grid p {
-    margin: 0;
-  }
-  .label {
-    color: #888;
-    font-size: 0.875rem;
-    margin-bottom: 4px;
-  }
-  .message {
-    font-size: 1rem;
-    line-height: 1.5;
-  }
-</style>
-{{ end }}

backend/email-templates/login-with-new-device_html.tmpl

@@ -1,30 +0,0 @@
-{{ define "base" }}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-        <div class="warning">Warning</div>
-    </div>
-    <div class="content">
-        <h2>New Sign-In Detected</h2>
-        <div class="grid">
-            <div>
-                <p class="label">IP Address</p>
-                <p>{{ .Data.IPAddress}}</p>
-            </div>
-            <div>
-                <p class="label">Device</p>
-                <p>{{ .Data.Device }}</p>
-            </div>
-            <div>
-                <p class="label">Sign-In Time</p>
-                <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC"}}</p>
-            </div>
-        </div>
-        <p class="message">
-            This sign-in was detected from a new device or location. If you recognize this activity, you can
-            safely ignore this message. If not, please review your account and security settings.
-        </p>
-    </div>
-{{ end -}}

backend/email-templates/login-with-new-device_text.tmpl

@@ -1,12 +0,0 @@
-{{ define "base" -}}
-New Sign-In Detected
-====================
-
-IP Address: {{ .Data.IPAddress }}
-Device:     {{ .Data.Device }}
-Time:       {{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC"}}
-
-This sign-in was detected from a new device or location. If you recognize
-this activity, you can safely ignore this message. If not, please review
-your account and security settings.
-{{ end -}}

backend/frontend/frontend_excluded.go

@@ -0,0 +1,9 @@
+//go:build exclude_frontend
+
+package frontend
+
+import "github.com/gin-gonic/gin"
+
+func RegisterFrontend(router *gin.Engine) error {
+	return ErrFrontendNotIncluded
+}

backend/frontend/frontend_included.go

@@ -0,0 +1,139 @@
+//go:build !exclude_frontend
+
+package frontend
+
+import (
+	"bytes"
+	"embed"
+	"fmt"
+	"io"
+	"io/fs"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+)
+
+//go:embed all:dist/*
+var frontendFS embed.FS
+
+// This function, created by the init() method, writes to "w" the index.html page, populating the nonce
+var writeIndexFn func(w io.Writer, nonce string) error
+
+func init() {
+	const scriptTag = "<script>"
+
+	// Read the index.html from the bundle
+	index, iErr := fs.ReadFile(frontendFS, "dist/index.html")
+	if iErr != nil {
+		panic(fmt.Errorf("failed to read index.html: %w", iErr))
+	}
+
+	writeIndexFn = func(w io.Writer, nonce string) (err error) {
+		// If there's no nonce, write the index as-is
+		if nonce == "" {
+			_, err = w.Write(index)
+			return err
+		}
+
+		// Add nonce to all <script> tags
+		// We replace "<script" with `<script nonce="..."` everywhere it appears
+		modified := bytes.ReplaceAll(
+			index,
+			[]byte(scriptTag),
+			[]byte(`<script nonce="`+nonce+`">`),
+		)
+
+		_, err = w.Write(modified)
+		return err
+	}
+}
+
+func RegisterFrontend(router *gin.Engine) error {
+	distFS, err := fs.Sub(frontendFS, "dist")
+	if err != nil {
+		return fmt.Errorf("failed to create sub FS: %w", err)
+	}
+
+	cacheMaxAge := time.Hour * 24
+	fileServer := NewFileServerWithCaching(http.FS(distFS), int(cacheMaxAge.Seconds()))
+
+	router.NoRoute(func(c *gin.Context) {
+		path := strings.TrimPrefix(c.Request.URL.Path, "/")
+
+		if strings.HasSuffix(path, "/") {
+			c.Redirect(http.StatusMovedPermanently, strings.TrimRight(c.Request.URL.String(), "/"))
+			return
+		}
+
+		if strings.HasPrefix(path, "api/") {
+			c.JSON(http.StatusNotFound, gin.H{"error": "API endpoint not found"})
+			return
+		}
+
+		// If path is / or does not exist, serve index.html
+		if path == "" {
+			path = "index.html"
+		} else if _, err := fs.Stat(distFS, path); os.IsNotExist(err) {
+			path = "index.html"
+		}
+
+		if path == "index.html" {
+			nonce := middleware.GetCSPNonce(c)
+
+			// Do not cache the HTML shell, as it embeds a per-request nonce
+			c.Header("Content-Type", "text/html; charset=utf-8")
+			c.Header("Cache-Control", "no-store")
+			c.Status(http.StatusOK)
+			if err := writeIndexFn(c.Writer, nonce); err != nil {
+				_ = c.Error(fmt.Errorf("failed to write index.html file: %w", err))
+			}
+			return
+		}
+
+		// Serve other static assets with caching
+		c.Request.URL.Path = "/" + path
+		fileServer.ServeHTTP(c.Writer, c.Request)
+	})
+
+	return nil
+}
+
+// FileServerWithCaching wraps http.FileServer to add caching headers
+type FileServerWithCaching struct {
+	root                    http.FileSystem
+	lastModified            time.Time
+	cacheMaxAge             int
+	lastModifiedHeaderValue string
+	cacheControlHeaderValue string
+}
+
+func NewFileServerWithCaching(root http.FileSystem, maxAge int) *FileServerWithCaching {
+	return &FileServerWithCaching{
+		root:                    root,
+		lastModified:            time.Now(),
+		cacheMaxAge:             maxAge,
+		lastModifiedHeaderValue: time.Now().UTC().Format(http.TimeFormat),
+		cacheControlHeaderValue: fmt.Sprintf("public, max-age=%d", maxAge),
+	}
+}
+
+func (f *FileServerWithCaching) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// Check if the client has a cached version
+	if ifModifiedSince := r.Header.Get("If-Modified-Since"); ifModifiedSince != "" {
+		ifModifiedSinceTime, err := time.Parse(http.TimeFormat, ifModifiedSince)
+		if err == nil && f.lastModified.Before(ifModifiedSinceTime.Add(1*time.Second)) {
+			// Client's cached version is up to date
+			w.WriteHeader(http.StatusNotModified)
+			return
+		}
+	}
+
+	w.Header().Set("Last-Modified", f.lastModifiedHeaderValue)
+	w.Header().Set("Cache-Control", f.cacheControlHeaderValue)
+
+	http.FileServer(f.root).ServeHTTP(w, r)
+}

backend/frontend/shared.go

@@ -0,0 +1,5 @@
+package frontend
+
+import "errors"
+
+var ErrFrontendNotIncluded = errors.New("frontend is not included")

backend/go.mod

@@ -1,64 +1,175 @@
-module github.com/stonith404/pocket-id/backend
+module github.com/pocket-id/pocket-id/backend
 
-go 1.23
+go 1.25
 
 require (
-	github.com/caarlos0/env/v11 v11.2.2
-	github.com/fxamacker/cbor/v2 v2.7.0
-	github.com/gin-contrib/cors v1.7.2
-	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.11.0
-	github.com/go-playground/validator/v10 v10.22.0
-	github.com/go-webauthn/webauthn v0.11.1
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.17.1
+	github.com/aws/aws-sdk-go-v2 v1.39.6
+	github.com/aws/aws-sdk-go-v2/config v1.31.17
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.21
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0
+	github.com/aws/smithy-go v1.23.2
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/cenkalti/backoff/v5 v5.0.3
+	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
+	github.com/disintegration/imaging v1.6.2
+	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
+	github.com/emersion/go-smtp v0.24.0
+	github.com/fxamacker/cbor/v2 v2.9.0
+	github.com/gin-contrib/slog v1.1.0
+	github.com/gin-gonic/gin v1.11.0
+	github.com/glebarez/go-sqlite v1.22.0
+	github.com/glebarez/sqlite v1.11.0
+	github.com/go-co-op/gocron/v2 v2.17.0
+	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-webauthn/webauthn v0.14.0
+	github.com/golang-migrate/migrate/v4 v4.19.0
 	github.com/google/uuid v1.6.0
+	github.com/hashicorp/go-uuid v1.0.3
+	github.com/jinzhu/copier v0.4.0
 	github.com/joho/godotenv v1.5.1
-	github.com/mileusna/useragent v1.3.4
-	golang.org/x/crypto v0.26.0
-	golang.org/x/time v0.6.0
-	gorm.io/driver/sqlite v1.5.6
-	gorm.io/gorm v1.25.11
+	github.com/lestrrat-go/httprc/v3 v3.0.1
+	github.com/lestrrat-go/jwx/v3 v3.0.12
+	github.com/lmittmann/tint v1.1.2
+	github.com/mattn/go-isatty v0.0.20
+	github.com/mileusna/useragent v1.3.5
+	github.com/orandin/slog-gorm v1.4.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0
+	github.com/spf13/cobra v1.10.1
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/contrib/bridges/otelslog v0.13.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
+	go.opentelemetry.io/otel v1.38.0
+	go.opentelemetry.io/otel/log v0.14.0
+	go.opentelemetry.io/otel/metric v1.38.0
+	go.opentelemetry.io/otel/sdk v1.38.0
+	go.opentelemetry.io/otel/sdk/log v0.14.0
+	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	go.opentelemetry.io/otel/trace v1.38.0
+	golang.org/x/crypto v0.43.0
+	golang.org/x/image v0.32.0
+	golang.org/x/sync v0.17.0
+	golang.org/x/text v0.30.0
+	golang.org/x/time v0.14.0
+	gorm.io/driver/postgres v1.6.0
+	gorm.io/gorm v1.31.0
 )
 
 require (
-	github.com/bytedance/sonic v1.12.1 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.1 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/disintegration/gift v1.2.1 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.12 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.25 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/google/go-github/v39 v39.2.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.6 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.1 // indirect
+	github.com/prometheus/otlptranslator v1.0.0 // indirect
+	github.com/prometheus/procfs v0.18.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.55.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.9.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/sys v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.60.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/arch v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	modernc.org/libc v1.66.10 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.39.1 // indirect
 )

backend/go.sum

@@ -1,153 +1,467 @@
-github.com/bytedance/sonic v1.12.1 h1:jWl5Qz1fy7X1ioY74WqO0KjAMtAGQs4sYnjiEBiyX24=
-github.com/bytedance/sonic v1.12.1/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
-github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
-github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
-github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
+github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
+github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
+github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 h1:eg/WYAa12vqTphzIdWMzqYRVKKnCboVPRlvaybNCqPA=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13/go.mod h1:/FDdxWhz1486obGrKKC1HONd7krpk38LBt+dutLcN9k=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 h1:NvMjwvv8hpGUILarKw7Z4Q0w1H9anXKsesMxtw++MA4=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4/go.mod h1:455WPHSwaGj2waRSpQp7TsnpOnBfw8iDfPfbwl7KPJE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 h1:zhBJXdhWIFZ1acfDYIhu4+LCzdUS2Vbcum7D01dXlHQ=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13/go.mod h1:JaaOeCE368qn2Hzi3sEzY6FgAZVCIYcC2nwbro2QCh8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0 h1:ef6gIJR+xv/JQWwpa5FYirzoQctfSJm7tuDe3SZsUf8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
+github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.1 h1:FBMC0zVz5XUmE4z9wF4Jey0An5FueFvOsTKKKtwIl7w=
+github.com/bytedance/sonic v1.14.1/go.mod h1:gi6uhQLMbTdeP0muCnrjHLeCUPyb70ujhnNlhOylAFc=
+github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
+github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/cors v1.7.2 h1:oLDHxdg8W/XDoN/8zamqk/Drgt4oVZDvaV0YmvVICQw=
-github.com/gin-contrib/cors v1.7.2/go.mod h1:SUJVARKgQ40dmrzgXEVxj2m7Ig1v1qIboQkPDTQ9t2E=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
-github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
-github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
-github.com/go-co-op/gocron/v2 v2.11.0 h1:IOowNA6SzwdRFnD4/Ol3Kj6G2xKfsoiiGq2Jhhm9bvE=
-github.com/go-co-op/gocron/v2 v2.11.0/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
+github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
+github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/gift v1.2.1 h1:Y005a1X4Z7Uc+0gLpSAsKhWi4qLtsdEcMIbbdvdZ6pc=
+github.com/disintegration/gift v1.2.1/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec/go.mod h1:K0KBFIr1gWu/C1Gp10nFAcAE4hsB7JxE6OgLijrJ8Sk=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3DfFi4EXdT+B+gTtzx8GC9xsc26Znk=
+github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.24.0 h1:g6AfoF140mvW0vLNPD/LuCBLEAdlxOjIXqbIkJIS6Wk=
+github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4McvHxCU2gsQ=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/slog v1.1.0 h1:K9MVNrETT6r/C3u2Aheer/gxwVeVqrGL0hXlsmv3fm4=
+github.com/gin-contrib/slog v1.1.0/go.mod h1:PvNXQVXcVOAaaiJR84LV1/xlQHIaXi9ygEXyBkmjdkY=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
+github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
+github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-co-op/gocron/v2 v2.17.0 h1:e/oj6fcAM8vOOKZxv2Cgfmjo+s8AXC46po5ZPtaSea4=
+github.com/go-co-op/gocron/v2 v2.17.0/go.mod h1:Zii6he+Zfgy5W9B+JKk/KwejFOW0kZTFvHtwIpR4aBI=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.0 h1:k6HsTZ0sTnROkhS//R0O+55JgM8C4Bx7ia+JlgcnOao=
-github.com/go-playground/validator/v10 v10.22.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/go-webauthn/webauthn v0.11.1 h1:5G/+dg91/VcaJHTtJUfwIlNJkLwbJCcnUc4W8VtkpzA=
-github.com/go-webauthn/webauthn v0.11.1/go.mod h1:YXRm1WG0OtUyDFaVAgB5KG7kVqW+6dYCJ7FTQH4SxEE=
-github.com/go-webauthn/x v0.1.12 h1:RjQ5cvApzyU/xLCiP+rub0PE4HBZsLggbxGR5ZpUf/A=
-github.com/go-webauthn/x v0.1.12/go.mod h1:XlRcGkNH8PT45TfeJYc6gqpOtiOendHhVmnOxh+5yHs=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.17.1 h1:4zQ6iqL6t6AiItphxJctQb3cFqWiSpMnX7wLTPnnYO4=
-github.com/golang-migrate/migrate/v4 v4.17.1/go.mod h1:m8hinFyWBn0SA4QKHuKh175Pm9wjmxj3S2Mia7dbXzM=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-webauthn/webauthn v0.14.0 h1:ZLNPUgPcDlAeoxe+5umWG/tEeCoQIDr7gE2Zx2QnhL0=
+github.com/go-webauthn/webauthn v0.14.0/go.mod h1:QZzPFH3LJ48u5uEPAu+8/nWJImoLBWM7iAH/kSVSo6k=
+github.com/go-webauthn/x v0.1.25 h1:g/0noooIGcz/yCVqebcFgNnGIgBlJIccS+LYAa+0Z88=
+github.com/go-webauthn/x v0.1.25/go.mod h1:ieblaPY1/BVCV0oQTsA/VAo08/TWayQuJuo5Q+XxmTY=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-migrate/migrate/v4 v4.19.0 h1:RcjOnCGz3Or6HQYEJ/EEVLfWnmw9KnoigPSjzhCuaSE=
+github.com/golang-migrate/migrate/v4 v4.19.0/go.mod h1:9dyEcu+hO+G9hPSw8AIg50yg622pXJsoHItQnDGZkI0=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ=
+github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
+github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
+github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
+github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
+github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w=
+github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/mileusna/useragent v1.3.4 h1:MiuRRuvGjEie1+yZHO88UBYg8YBC/ddF6T7F56i3PCk=
-github.com/mileusna/useragent v1.3.4/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
+github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/orandin/slog-gorm v1.4.0 h1:FgA8hJufF9/jeNSYoEXmHPPBwET2gwlF3B85JdpsTUU=
+github.com/orandin/slog-gorm v1.4.0/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0 h1:Gyljxck1kHbBxDgLM++NfDWBqvu1pWWfT8XbosSo0bo=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0/go.mod h1:gG4V88LsawPEqtbL1Veh1WRh+nVSYwXzJ1P5Fcn77g0=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
+github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
+github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
+github.com/prometheus/procfs v0.18.0 h1:2QTA9cKdznfYJz7EDaa7IiJobHuV7E1WzeBwcrhk0ao=
+github.com/prometheus/procfs v0.18.0/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
-github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
+github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
+github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/bridges/otelslog v0.13.0 h1:bwnLpizECbPr1RrQ27waeY2SPIPeccCx/xLuoYADZ9s=
+go.opentelemetry.io/contrib/bridges/otelslog v0.13.0/go.mod h1:3nWlOiiqA9UtUnrcNk82mYasNxD8ehOspL0gOfEo6Y4=
+go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 h1:/Rij/t18Y7rUayNg7Id6rPrEnHgorxYabm2E6wUdPP4=
+go.opentelemetry.io/contrib/bridges/prometheus v0.63.0/go.mod h1:AdyDPn6pkbkt2w01n3BubRVk7xAsCRq1Yg1mpfyA/0E=
+go.opentelemetry.io/contrib/exporters/autoexport v0.63.0 h1:NLnZybb9KkfMXPwZhd5diBYJoVxiO9Qa06dacEA7ySY=
+go.opentelemetry.io/contrib/exporters/autoexport v0.63.0/go.mod h1:OvRg7gm5WRSCtxzGSsrFHbDLToYlStHNZQ+iPNIyD6g=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0 h1:5kSIJ0y8ckZZKoDhZHdVtcyjVi6rXyAwyaR8mp4zLbg=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0/go.mod h1:i+fIMHvcSQtsIY82/xgiVWRklrNt/O6QriHLjzGeY+s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/contrib/propagators/b3 v1.38.0 h1:uHsCCOSKl0kLrV2dLkFK+8Ywk9iKa/fptkytc6aFFEo=
+go.opentelemetry.io/contrib/propagators/b3 v1.38.0/go.mod h1:wMRSZJZcY8ya9mApLLhwIMjqmApy2o/Ml+62lhvxyHU=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 h1:OMqPldHt79PqWKOMYIAQs3CxAi7RLgPxwfFSwr4ZxtM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0/go.mod h1:1biG4qiqTxKiUCtoWDPpL3fB3KxVwCiGw81j3nKMuHE=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 h1:QQqYw3lkrzwVsoEX0w//EhH/TCnpRdEenKBOOEIMjWc=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0/go.mod h1:gSVQcr17jk2ig4jqJ2DX30IdWH251JcNAecvrqTxH1s=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 h1:Oe2z/BCg5q7k4iXC3cqJxKYg0ieRiOqF0cecFYdPTwk=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0/go.mod h1:ZQM5lAJpOsKnYagGg/zV2krVqTtaVdYdDkhMoX6Oalg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 h1:B/g+qde6Mkzxbry5ZZag0l7QrQBCtVm7lVjaLgmpje8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0/go.mod h1:mOJK8eMmgW6ocDJn6Bn11CcZ05gi3P8GylBXEkZtbgA=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE=
+go.opentelemetry.io/otel/log v0.14.0 h1:2rzJ+pOAZ8qmZ3DDHg73NEKzSZkhkGIua9gXtxNGgrM=
+go.opentelemetry.io/otel/log v0.14.0/go.mod h1:5jRG92fEAgx0SU/vFPxmJvhIuDU9E1SUnEQrMlJpOno=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/log v0.14.0 h1:JU/U3O7N6fsAXj0+CXz21Czg532dW2V4gG1HE/e8Zrg=
+go.opentelemetry.io/otel/sdk/log v0.14.0/go.mod h1:imQvII+0ZylXfKU7/wtOND8Hn4OpT3YUoIgqJVksUkM=
+go.opentelemetry.io/otel/sdk/log/logtest v0.14.0 h1:Ijbtz+JKXl8T2MngiwqBlPaHqc4YCaP/i13Qrow6gAM=
+go.opentelemetry.io/otel/sdk/log/logtest v0.14.0/go.mod h1:dCU8aEL6q+L9cYTqcVOk8rM9Tp8WdnHOPLiBgp0SGOA=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
+go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.9.0 h1:ub9TgUInamJ8mrZIGlBG6/4TqWeMszd4N8lNorbrr6k=
-golang.org/x/arch v0.9.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.32.0 h1:6lZQWq75h7L5IWNk0r+SCpUJ6tUVd3v4ZHnbRKLkUDQ=
+golang.org/x/image v0.32.0/go.mod h1:/R37rrQmKXtO6tYXAjtDLwQgFLHmhW+V6ayXlxzP2Pc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
-gorm.io/gorm v1.25.11 h1:/Wfyg1B/je1hnDx3sMkX+gAlxrlZpn6X0BXRlwXlvHg=
-gorm.io/gorm v1.25.11/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
-nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
+gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
+gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
+gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
+modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
+modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=

backend/internal/bootstrap/app_images_bootstrap.go

@@ -0,0 +1,136 @@
+package bootstrap
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"log/slog"
+	"os"
+	"path"
+
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
+)
+
+// initApplicationImages copies the images from the embedded directory to the storage backend
+// and returns a map containing the detected file extensions in the application-images directory.
+func initApplicationImages(ctx context.Context, fileStorage storage.FileStorage) (map[string]string, error) {
+	// Previous versions of images
+	// If these are found, they are deleted
+	legacyImageHashes := imageHashMap{
+		"background.jpg": mustDecodeHex("138d510030ed845d1d74de34658acabff562d306476454369a60ab8ade31933f"),
+	}
+
+	sourceFiles, err := resources.FS.ReadDir("images")
+	if err != nil && !os.IsNotExist(err) {
+		return nil, fmt.Errorf("failed to read directory: %w", err)
+	}
+
+	destinationFiles, err := fileStorage.List(ctx, "application-images")
+	if err != nil {
+		if storage.IsNotExist(err) {
+			destinationFiles = []storage.ObjectInfo{}
+		} else {
+			return nil, fmt.Errorf("failed to list application images: %w", err)
+		}
+
+	}
+	dstNameToExt := make(map[string]string, len(destinationFiles))
+	for _, f := range destinationFiles {
+		// Skip directories
+		_, name := path.Split(f.Path)
+		if name == "" {
+			continue
+		}
+		nameWithoutExt, ext := utils.SplitFileName(name)
+		reader, _, err := fileStorage.Open(ctx, f.Path)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				continue
+			}
+			slog.Warn("Failed to open application image for hashing", slog.String("name", name), slog.Any("error", err))
+			continue
+		}
+		hash, err := hashStream(reader)
+		reader.Close()
+		if err != nil {
+			slog.Warn("Failed to hash application image", slog.String("name", name), slog.Any("error", err))
+			continue
+		}
+
+		// Check if the file is a legacy one - if so, delete it
+		if legacyImageHashes.Contains(hash) {
+			slog.Info("Found legacy application image that will be removed", slog.String("name", name))
+			if err := fileStorage.Delete(ctx, f.Path); err != nil {
+				return nil, fmt.Errorf("failed to remove legacy file '%s': %w", name, err)
+			}
+			continue
+		}
+		dstNameToExt[nameWithoutExt] = ext
+	}
+
+	// Copy images from the images directory to the application-images directory if they don't already exist
+	for _, sourceFile := range sourceFiles {
+		if sourceFile.IsDir() {
+			continue
+		}
+
+		name := sourceFile.Name()
+		nameWithoutExt, ext := utils.SplitFileName(name)
+		srcFilePath := path.Join("images", name)
+
+		if _, exists := dstNameToExt[nameWithoutExt]; exists {
+			continue
+		}
+
+		slog.Info("Writing new application image", slog.String("name", name))
+		srcFile, err := resources.FS.Open(srcFilePath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to open embedded file '%s': %w", name, err)
+		}
+		if err := fileStorage.Save(ctx, path.Join("application-images", name), srcFile); err != nil {
+			srcFile.Close()
+			return nil, fmt.Errorf("failed to store application image '%s': %w", name, err)
+		}
+		srcFile.Close()
+		dstNameToExt[nameWithoutExt] = ext
+	}
+
+	return dstNameToExt, nil
+}
+
+type imageHashMap map[string][]byte
+
+func (m imageHashMap) Contains(target []byte) bool {
+	if len(target) == 0 {
+		return false
+	}
+	for _, h := range m {
+		if bytes.Equal(h, target) {
+			return true
+		}
+	}
+	return false
+}
+
+func mustDecodeHex(str string) []byte {
+	b, err := hex.DecodeString(str)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
+
+func hashStream(r io.Reader) ([]byte, error) {
+	h := sha256.New()
+	if _, err := io.Copy(h, r); err != nil {
+		return nil, err
+	}
+	return h.Sum(nil), nil
+}

backend/internal/bootstrap/application_images_bootstrap.go

@@ -1,28 +0,0 @@
-package bootstrap
-
-import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"log"
-	"os"
-)
-
-func initApplicationImages() {
-	dirPath := common.EnvConfig.UploadPath + "/application-images"
-
-	files, err := os.ReadDir(dirPath)
-	if err != nil && !os.IsNotExist(err) {
-		log.Fatalf("Error reading directory: %v", err)
-	}
-
-	// Skip if files already exist
-	if len(files) > 1 {
-		return
-	}
-
-	// Copy files from source to destination
-	err = utils.CopyDirectory("./images", dirPath)
-	if err != nil {
-		log.Fatalf("Error copying directory: %v", err)
-	}
-}

backend/internal/bootstrap/bootstrap.go

@@ -1,16 +1,101 @@
 package bootstrap
 
 import (
+	"context"
+	"fmt"
+	"log/slog"
+	"time"
+
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/job"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
-func Bootstrap() {
-	db := newDatabase()
-	appConfigService := service.NewAppConfigService(db)
+func Bootstrap(ctx context.Context) error {
+	// Initialize the observability stack, including the logger, distributed tracing, and metrics
+	shutdownFns, httpClient, err := initObservability(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
+	if err != nil {
+		return fmt.Errorf("failed to initialize OpenTelemetry: %w", err)
+	}
+	slog.InfoContext(ctx, "Pocket ID is starting")
 
-	initApplicationImages()
-	job.RegisterJobs(db)
-	initRouter(db, appConfigService)
+	// Initialize the file storage backend
+	var fileStorage storage.FileStorage
+
+	switch common.EnvConfig.FileBackend {
+	case storage.TypeFileSystem:
+		fileStorage, err = storage.NewFilesystemStorage(common.EnvConfig.UploadPath)
+	case storage.TypeS3:
+		s3Cfg := storage.S3Config{
+			Bucket:          common.EnvConfig.S3Bucket,
+			Region:          common.EnvConfig.S3Region,
+			Endpoint:        common.EnvConfig.S3Endpoint,
+			AccessKeyID:     common.EnvConfig.S3AccessKeyID,
+			SecretAccessKey: common.EnvConfig.S3SecretAccessKey,
+			ForcePathStyle:  common.EnvConfig.S3ForcePathStyle,
+			Root:            common.EnvConfig.UploadPath,
+		}
+		fileStorage, err = storage.NewS3Storage(ctx, s3Cfg)
+	default:
+		err = fmt.Errorf("unknown file storage backend: %s", common.EnvConfig.FileBackend)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to initialize file storage: %w", err)
+	}
+
+	imageExtensions, err := initApplicationImages(ctx, fileStorage)
+	if err != nil {
+		return fmt.Errorf("failed to initialize application images: %w", err)
+	}
+
+	// Connect to the database
+	db, err := NewDatabase()
+	if err != nil {
+		return fmt.Errorf("failed to initialize database: %w", err)
+	}
+
+	// Create all services
+	svc, err := initServices(ctx, db, httpClient, imageExtensions, fileStorage)
+	if err != nil {
+		return fmt.Errorf("failed to initialize services: %w", err)
+	}
+
+	// Init the job scheduler
+	scheduler, err := job.NewScheduler()
+	if err != nil {
+		return fmt.Errorf("failed to create job scheduler: %w", err)
+	}
+	err = registerScheduledJobs(ctx, db, svc, httpClient, scheduler)
+	if err != nil {
+		return fmt.Errorf("failed to register scheduled jobs: %w", err)
+	}
+
+	// Init the router
+	router := initRouter(db, svc)
+
+	// Run all background services
+	// This call blocks until the context is canceled
+	err = utils.
+		NewServiceRunner(router, scheduler.Run).
+		Run(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to run services: %w", err)
+	}
+
+	// Invoke all shutdown functions
+	// We give these a timeout of 5s
+	// Note: we use a background context because the run context has been canceled already
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer shutdownCancel()
+	err = utils.
+		NewServiceRunner(shutdownFns...).
+		Run(shutdownCtx) //nolint:contextcheck
+	if err != nil {
+		slog.Error("Error shutting down services", slog.Any("error", err))
+	}
+
+	return nil
 }

backend/internal/bootstrap/db_bootstrap.go

@@ -1,86 +1,455 @@
 package bootstrap
 
 import (
+	"database/sql"
 	"errors"
-	"github.com/golang-migrate/migrate/v4"
-	"github.com/golang-migrate/migrate/v4/database/sqlite3"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"gorm.io/driver/sqlite"
-	"gorm.io/gorm"
-	"gorm.io/gorm/logger"
-	"log"
+	"fmt"
+	"log/slog"
+	"net/url"
 	"os"
+	"path/filepath"
+	"strings"
 	"time"
+
+	"github.com/glebarez/sqlite"
+	"github.com/golang-migrate/migrate/v4"
+	"github.com/golang-migrate/migrate/v4/database"
+	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
+	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
+	_ "github.com/golang-migrate/migrate/v4/source/github"
+	"github.com/golang-migrate/migrate/v4/source/iofs"
+	slogGorm "github.com/orandin/slog-gorm"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	gormLogger "gorm.io/gorm/logger"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	sqliteutil "github.com/pocket-id/pocket-id/backend/internal/utils/sqlite"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )
 
-func newDatabase() (db *gorm.DB) {
-	db, err := connectDatabase()
+func NewDatabase() (db *gorm.DB, err error) {
+	db, err = connectDatabase()
 	if err != nil {
-		log.Fatalf("failed to connect to database: %v", err)
+		return nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	sqlDb, err := db.DB()
 	if err != nil {
-		log.Fatalf("failed to get sql.DB: %v", err)
+		return nil, fmt.Errorf("failed to get sql.DB: %w", err)
 	}
 
-	driver, err := sqlite3.WithInstance(sqlDb, &sqlite3.Config{})
-	m, err := migrate.NewWithDatabaseInstance(
-		"file://migrations",
-		"postgres", driver)
+	// Choose the correct driver for the database provider
+	var driver database.Driver
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
+			NoTxWrap: true,
+		})
+	case common.DbProviderPostgres:
+		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
+	default:
+		// Should never happen at this point
+		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+	}
 	if err != nil {
-		log.Fatalf("failed to create migration instance: %v", err)
+		return nil, fmt.Errorf("failed to create migration driver: %w", err)
 	}
 
-	err = m.Up()
-	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
-		log.Fatalf("failed to apply migrations: %v", err)
+	// Run migrations
+	if err := migrateDatabase(driver); err != nil {
+		return nil, fmt.Errorf("failed to run migrations: %w", err)
 	}
 
-	return db
+	return db, nil
 }
 
-func connectDatabase() (db *gorm.DB, err error) {
-	dbPath := common.EnvConfig.DBPath
-
-	// Use in-memory database for testing
-	if common.EnvConfig.AppEnv == "test" {
-		dbPath = "file::memory:?cache=shared"
+func migrateDatabase(driver database.Driver) error {
+	// Embedded migrations via iofs
+	path := "migrations/" + string(common.EnvConfig.DbProvider)
+	source, err := iofs.New(resources.FS, path)
+	if err != nil {
+		return fmt.Errorf("failed to create embedded migration source: %w", err)
 	}
 
-	for i := 1; i <= 3; i++ {
-		db, err = gorm.Open(sqlite.Open(dbPath), &gorm.Config{
-			TranslateError: true,
-			Logger:         getLogger(),
-		})
-		if err == nil {
-			break
-		} else {
-			log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
-			time.Sleep(3 * time.Second)
+	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create migration instance: %w", err)
+	}
+
+	requiredVersion, err := getRequiredMigrationVersion(path)
+	if err != nil {
+		return fmt.Errorf("failed to get last migration version: %w", err)
+	}
+
+	currentVersion, _, _ := m.Version()
+	if currentVersion > requiredVersion {
+		slog.Warn("Database version is newer than the application supports, possible downgrade detected", slog.Uint64("db_version", uint64(currentVersion)), slog.Uint64("app_version", uint64(requiredVersion)))
+		if !common.EnvConfig.AllowDowngrade {
+			return fmt.Errorf("database version (%d) is newer than application version (%d), downgrades are not allowed (set ALLOW_DOWNGRADE=true to enable)", currentVersion, requiredVersion)
+		}
+		slog.Info("Fetching migrations from GitHub to handle possible downgrades")
+		return migrateDatabaseFromGitHub(driver, requiredVersion)
+	}
+
+	if err := m.Migrate(requiredVersion); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply embedded migrations: %w", err)
+	}
+	return nil
+}
+
+func migrateDatabaseFromGitHub(driver database.Driver, version uint) error {
+	srcURL := "github://pocket-id/pocket-id/backend/resources/migrations/" + string(common.EnvConfig.DbProvider)
+
+	m, err := migrate.NewWithDatabaseInstance(srcURL, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create GitHub migration instance: %w", err)
+	}
+
+	if err := m.Migrate(version); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply GitHub migrations: %w", err)
+	}
+	return nil
+}
+
+// getRequiredMigrationVersion reads the embedded migration files and returns the highest version number found.
+func getRequiredMigrationVersion(path string) (uint, error) {
+	entries, err := resources.FS.ReadDir(path)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read migration directory: %w", err)
+	}
+
+	var maxVersion uint
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		name := entry.Name()
+		var version uint
+		n, err := fmt.Sscanf(name, "%d_", &version)
+		if err == nil && n == 1 {
+			if version > maxVersion {
+				maxVersion = version
+			}
 		}
 	}
 
-	return db, err
+	return maxVersion, nil
 }
 
-func getLogger() logger.Interface {
-	isProduction := common.EnvConfig.AppEnv == "production"
+func connectDatabase() (db *gorm.DB, err error) {
+	var dialector gorm.Dialector
 
-	var logLevel logger.LogLevel
-	if isProduction {
-		logLevel = logger.Error
-	} else {
-		logLevel = logger.Info
+	// Choose the correct database provider
+	var onConnFn func(conn *sql.DB)
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+		}
+
+		sqliteutil.RegisterSqliteFunctions()
+
+		connString, dbPath, isMemoryDB, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
+		if err != nil {
+			return nil, err
+		}
+
+		// Before we connect, also make sure that there's a temporary folder for SQLite to write its data
+		err = ensureSqliteTempDir(filepath.Dir(dbPath))
+		if err != nil {
+			return nil, err
+		}
+
+		if isMemoryDB {
+			// For in-memory SQLite databases, we must limit to 1 open connection at the same time, or they won't see the whole data
+			// The other workaround, of using shared caches, doesn't work well with multiple write transactions trying to happen at once
+			onConnFn = func(conn *sql.DB) {
+				conn.SetMaxOpenConns(1)
+			}
+		}
+
+		dialector = sqlite.Open(connString)
+	case common.DbProviderPostgres:
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+		dialector = postgres.Open(common.EnvConfig.DbConnectionString)
+	default:
+		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
 
-	return logger.New(
-		log.New(os.Stdout, "\r\n", log.LstdFlags),
-		logger.Config{
-			SlowThreshold:             200 * time.Millisecond,
-			LogLevel:                  logLevel,
-			IgnoreRecordNotFoundError: isProduction,
-			ParameterizedQueries:      isProduction,
-			Colorful:                  !isProduction,
-		},
-	)
+	for i := 1; i <= 3; i++ {
+		db, err = gorm.Open(dialector, &gorm.Config{
+			TranslateError: true,
+			Logger:         getGormLogger(),
+		})
+		if err == nil {
+			slog.Info("Connected to database", slog.String("provider", string(common.EnvConfig.DbProvider)))
+
+			if onConnFn != nil {
+				conn, err := db.DB()
+				if err != nil {
+					slog.Warn("Failed to get database connection, will retry in 3s", slog.Int("attempt", i), slog.String("provider", string(common.EnvConfig.DbProvider)), slog.Any("error", err))
+					time.Sleep(3 * time.Second)
+				}
+				onConnFn(conn)
+			}
+
+			return db, nil
+		}
+
+		slog.Warn("Failed to connect to database, will retry in 3s", slog.Int("attempt", i), slog.String("provider", string(common.EnvConfig.DbProvider)), slog.Any("error", err))
+		time.Sleep(3 * time.Second)
+	}
+
+	slog.Error("Failed to connect to database after 3 attempts", slog.String("provider", string(common.EnvConfig.DbProvider)), slog.Any("error", err))
+
+	return nil, err
+}
+
+func parseSqliteConnectionString(connString string) (parsedConnString string, dbPath string, isMemoryDB bool, err error) {
+	if !strings.HasPrefix(connString, "file:") {
+		connString = "file:" + connString
+	}
+
+	// Check if we're using an in-memory database
+	isMemoryDB = isSqliteInMemory(connString)
+
+	// Parse the connection string
+	connStringUrl, err := url.Parse(connString)
+	if err != nil {
+		return "", "", false, fmt.Errorf("failed to parse SQLite connection string: %w", err)
+	}
+
+	// Convert options for the old SQLite driver to the new one
+	convertSqlitePragmaArgs(connStringUrl)
+
+	// Add the default and required params
+	err = addSqliteDefaultParameters(connStringUrl, isMemoryDB)
+	if err != nil {
+		return "", "", false, fmt.Errorf("invalid SQLite connection string: %w", err)
+	}
+
+	// Get the absolute path to the database
+	// Here, we know for a fact that the ? is present
+	parsedConnString = connStringUrl.String()
+	idx := strings.IndexRune(parsedConnString, '?')
+	dbPath, err = filepath.Abs(parsedConnString[len("file:"):idx])
+	if err != nil {
+		return "", "", false, fmt.Errorf("failed to determine absolute path to the database: %w", err)
+	}
+
+	return parsedConnString, dbPath, isMemoryDB, nil
+}
+
+// The official C implementation of SQLite allows some additional properties in the connection string
+// that are not supported in the in the modernc.org/sqlite driver, and which must be passed as PRAGMA args instead.
+// To ensure that people can use similar args as in the C driver, which was also used by Pocket ID
+// previously (via github.com/mattn/go-sqlite3), we are converting some options.
+// Note this function updates connStringUrl.
+func convertSqlitePragmaArgs(connStringUrl *url.URL) {
+	// Reference: https://github.com/mattn/go-sqlite3?tab=readme-ov-file#connection-string
+	// This only includes a subset of options, excluding those that are not relevant to us
+	qs := make(url.Values, len(connStringUrl.Query()))
+	for k, v := range connStringUrl.Query() {
+		switch strings.ToLower(k) {
+		case "_auto_vacuum", "_vacuum":
+			qs.Add("_pragma", "auto_vacuum("+v[0]+")")
+		case "_busy_timeout", "_timeout":
+			qs.Add("_pragma", "busy_timeout("+v[0]+")")
+		case "_case_sensitive_like", "_cslike":
+			qs.Add("_pragma", "case_sensitive_like("+v[0]+")")
+		case "_foreign_keys", "_fk":
+			qs.Add("_pragma", "foreign_keys("+v[0]+")")
+		case "_locking_mode", "_locking":
+			qs.Add("_pragma", "locking_mode("+v[0]+")")
+		case "_secure_delete":
+			qs.Add("_pragma", "secure_delete("+v[0]+")")
+		case "_synchronous", "_sync":
+			qs.Add("_pragma", "synchronous("+v[0]+")")
+		default:
+			// Pass other query-string args as-is
+			qs[k] = v
+		}
+	}
+
+	// Update the connStringUrl object
+	connStringUrl.RawQuery = qs.Encode()
+}
+
+// Adds the default (and some required) parameters to the SQLite connection string.
+// Note this function updates connStringUrl.
+func addSqliteDefaultParameters(connStringUrl *url.URL, isMemoryDB bool) error {
+	// This function include code adapted from https://github.com/dapr/components-contrib/blob/v1.14.6/
+	// Copyright (C) 2023 The Dapr Authors
+	// License: Apache2
+	const defaultBusyTimeout = 2500 * time.Millisecond
+
+	// Get the "query string" from the connection string if present
+	qs := connStringUrl.Query()
+	if len(qs) == 0 {
+		qs = make(url.Values, 2)
+	}
+
+	// Check if the database is read-only or immutable
+	isReadOnly := false
+	if len(qs["mode"]) > 0 {
+		// Keep the first value only
+		qs["mode"] = []string{
+			strings.ToLower(qs["mode"][0]),
+		}
+		if qs["mode"][0] == "ro" {
+			isReadOnly = true
+		}
+	}
+	if len(qs["immutable"]) > 0 {
+		// Keep the first value only
+		qs["immutable"] = []string{
+			strings.ToLower(qs["immutable"][0]),
+		}
+		if qs["immutable"][0] == "1" {
+			isReadOnly = true
+		}
+	}
+
+	// We do not want to override a _txlock if set, but we'll show a warning if it's not "immediate"
+	if len(qs["_txlock"]) > 0 {
+		// Keep the first value only
+		qs["_txlock"] = []string{
+			strings.ToLower(qs["_txlock"][0]),
+		}
+		if qs["_txlock"][0] != "immediate" {
+			slog.Warn("SQLite connection is being created with a _txlock different from the recommended value 'immediate'")
+		}
+	} else {
+		qs["_txlock"] = []string{"immediate"}
+	}
+
+	// Add pragma values
+	var hasBusyTimeout, hasJournalMode bool
+	if len(qs["_pragma"]) == 0 {
+		qs["_pragma"] = make([]string, 0, 3)
+	} else {
+		for _, p := range qs["_pragma"] {
+			p = strings.ToLower(p)
+			switch {
+			case strings.HasPrefix(p, "busy_timeout"):
+				hasBusyTimeout = true
+			case strings.HasPrefix(p, "journal_mode"):
+				hasJournalMode = true
+			case strings.HasPrefix(p, "foreign_keys"):
+				return errors.New("found forbidden option '_pragma=foreign_keys' in the connection string")
+			}
+		}
+	}
+	if !hasBusyTimeout {
+		qs["_pragma"] = append(qs["_pragma"], fmt.Sprintf("busy_timeout(%d)", defaultBusyTimeout.Milliseconds()))
+	}
+	if !hasJournalMode {
+		switch {
+		case isMemoryDB:
+			// For in-memory databases, set the journal to MEMORY, the only allowed option besides OFF (which would make transactions ineffective)
+			qs["_pragma"] = append(qs["_pragma"], "journal_mode(MEMORY)")
+		case isReadOnly:
+			// Set the journaling mode to "DELETE" (the default) if the database is read-only
+			qs["_pragma"] = append(qs["_pragma"], "journal_mode(DELETE)")
+		default:
+			// Enable WAL
+			qs["_pragma"] = append(qs["_pragma"], "journal_mode(WAL)")
+		}
+	}
+
+	// Forcefully enable foreign keys
+	qs["_pragma"] = append(qs["_pragma"], "foreign_keys(1)")
+
+	// Update the connStringUrl object
+	connStringUrl.RawQuery = qs.Encode()
+
+	return nil
+}
+
+// isSqliteInMemory returns true if the connection string is for an in-memory database.
+func isSqliteInMemory(connString string) bool {
+	lc := strings.ToLower(connString)
+
+	// First way to define an in-memory database is to use ":memory:" or "file::memory:" as connection string
+	if strings.HasPrefix(lc, ":memory:") || strings.HasPrefix(lc, "file::memory:") {
+		return true
+	}
+
+	// Another way is to pass "mode=memory" in the "query string"
+	idx := strings.IndexRune(lc, '?')
+	if idx < 0 {
+		return false
+	}
+	qs, _ := url.ParseQuery(lc[(idx + 1):])
+
+	return len(qs["mode"]) > 0 && qs["mode"][0] == "memory"
+}
+
+// ensureSqliteTempDir ensures that SQLite has a directory where it can write temporary files if needed
+// The default directory may not be writable when using a container with a read-only root file system
+// See: https://www.sqlite.org/tempfiles.html
+func ensureSqliteTempDir(dbPath string) error {
+	// Per docs, SQLite tries these folders in order (excluding those that aren't applicable to us):
+	//
+	// - The SQLITE_TMPDIR environment variable
+	// - The TMPDIR environment variable
+	// - /var/tmp
+	// - /usr/tmp
+	// - /tmp
+	//
+	// Source: https://www.sqlite.org/tempfiles.html#temporary_file_storage_locations
+	//
+	// First, let's check if SQLITE_TMPDIR or TMPDIR are set, in which case we trust the user has taken care of the problem already
+	if os.Getenv("SQLITE_TMPDIR") != "" || os.Getenv("TMPDIR") != "" {
+		return nil
+	}
+
+	// Now, let's check if /var/tmp, /usr/tmp, or /tmp exist and are writable
+	for _, dir := range []string{"/var/tmp", "/usr/tmp", "/tmp"} {
+		ok, err := utils.IsWritableDir(dir)
+		if err != nil {
+			return fmt.Errorf("failed to check if %s is writable: %w", dir, err)
+		}
+		if ok {
+			// We found a folder that's writable
+			return nil
+		}
+	}
+
+	// If we're here, there's no temporary directory that's writable (not unusual for containers with a read-only root file system), so we set SQLITE_TMPDIR to the folder where the SQLite database is set
+	err := os.Setenv("SQLITE_TMPDIR", dbPath)
+	if err != nil {
+		return fmt.Errorf("failed to set SQLITE_TMPDIR environmental variable: %w", err)
+	}
+
+	slog.Debug("Set SQLITE_TMPDIR to the database directory", "path", dbPath)
+
+	return nil
+}
+
+func getGormLogger() gormLogger.Interface {
+	loggerOpts := make([]slogGorm.Option, 0, 5)
+	loggerOpts = append(loggerOpts,
+		slogGorm.WithSlowThreshold(200*time.Millisecond),
+		slogGorm.WithErrorField("error"),
+	)
+
+	if common.EnvConfig.LogLevel == "debug" {
+		loggerOpts = append(loggerOpts,
+			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelDebug),
+			slogGorm.WithRecordNotFoundError(),
+			slogGorm.WithTraceAll(),
+		)
+
+	} else {
+		loggerOpts = append(loggerOpts,
+			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelWarn),
+			slogGorm.WithIgnoreTrace(),
+		)
+	}
+
+	return slogGorm.New(loggerOpts...)
 }

backend/internal/bootstrap/db_bootstrap_test.go

@@ -0,0 +1,324 @@
+package bootstrap
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsSqliteInMemory(t *testing.T) {
+	tests := []struct {
+		name     string
+		connStr  string
+		expected bool
+	}{
+		{
+			name:     "memory database with :memory:",
+			connStr:  ":memory:",
+			expected: true,
+		},
+		{
+			name:     "memory database with file::memory:",
+			connStr:  "file::memory:",
+			expected: true,
+		},
+		{
+			name:     "memory database with :MEMORY: (uppercase)",
+			connStr:  ":MEMORY:",
+			expected: true,
+		},
+		{
+			name:     "memory database with FILE::MEMORY: (uppercase)",
+			connStr:  "FILE::MEMORY:",
+			expected: true,
+		},
+		{
+			name:     "memory database with mixed case",
+			connStr:  ":Memory:",
+			expected: true,
+		},
+		{
+			name:     "has mode=memory",
+			connStr:  "file:data?mode=memory",
+			expected: true,
+		},
+		{
+			name:     "file database",
+			connStr:  "data.db",
+			expected: false,
+		},
+		{
+			name:     "file database with path",
+			connStr:  "/path/to/data.db",
+			expected: false,
+		},
+		{
+			name:     "file database with file: prefix",
+			connStr:  "file:data.db",
+			expected: false,
+		},
+		{
+			name:     "empty string",
+			connStr:  "",
+			expected: false,
+		},
+		{
+			name:     "string containing memory but not at start",
+			connStr:  "data:memory:.db",
+			expected: false,
+		},
+		{
+			name:     "has mode=ro",
+			connStr:  "file:data?mode=ro",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isSqliteInMemory(tt.connStr)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestConvertSqlitePragmaArgs(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "basic file path",
+			input:    "file:test.db",
+			expected: "file:test.db",
+		},
+		{
+			name:     "converts _busy_timeout to pragma",
+			input:    "file:test.db?_busy_timeout=5000",
+			expected: "file:test.db?_pragma=busy_timeout%285000%29",
+		},
+		{
+			name:     "converts _timeout to pragma",
+			input:    "file:test.db?_timeout=5000",
+			expected: "file:test.db?_pragma=busy_timeout%285000%29",
+		},
+		{
+			name:     "converts _foreign_keys to pragma",
+			input:    "file:test.db?_foreign_keys=1",
+			expected: "file:test.db?_pragma=foreign_keys%281%29",
+		},
+		{
+			name:     "converts _fk to pragma",
+			input:    "file:test.db?_fk=1",
+			expected: "file:test.db?_pragma=foreign_keys%281%29",
+		},
+		{
+			name:     "converts _synchronous to pragma",
+			input:    "file:test.db?_synchronous=NORMAL",
+			expected: "file:test.db?_pragma=synchronous%28NORMAL%29",
+		},
+		{
+			name:     "converts _sync to pragma",
+			input:    "file:test.db?_sync=NORMAL",
+			expected: "file:test.db?_pragma=synchronous%28NORMAL%29",
+		},
+		{
+			name:     "converts _auto_vacuum to pragma",
+			input:    "file:test.db?_auto_vacuum=FULL",
+			expected: "file:test.db?_pragma=auto_vacuum%28FULL%29",
+		},
+		{
+			name:     "converts _vacuum to pragma",
+			input:    "file:test.db?_vacuum=FULL",
+			expected: "file:test.db?_pragma=auto_vacuum%28FULL%29",
+		},
+		{
+			name:     "converts _case_sensitive_like to pragma",
+			input:    "file:test.db?_case_sensitive_like=1",
+			expected: "file:test.db?_pragma=case_sensitive_like%281%29",
+		},
+		{
+			name:     "converts _cslike to pragma",
+			input:    "file:test.db?_cslike=1",
+			expected: "file:test.db?_pragma=case_sensitive_like%281%29",
+		},
+		{
+			name:     "converts _locking_mode to pragma",
+			input:    "file:test.db?_locking_mode=EXCLUSIVE",
+			expected: "file:test.db?_pragma=locking_mode%28EXCLUSIVE%29",
+		},
+		{
+			name:     "converts _locking to pragma",
+			input:    "file:test.db?_locking=EXCLUSIVE",
+			expected: "file:test.db?_pragma=locking_mode%28EXCLUSIVE%29",
+		},
+		{
+			name:     "converts _secure_delete to pragma",
+			input:    "file:test.db?_secure_delete=1",
+			expected: "file:test.db?_pragma=secure_delete%281%29",
+		},
+		{
+			name:     "preserves unrecognized parameters",
+			input:    "file:test.db?mode=rw&cache=shared",
+			expected: "file:test.db?cache=shared&mode=rw",
+		},
+		{
+			name:     "handles multiple parameters",
+			input:    "file:test.db?_fk=1&mode=rw&_timeout=5000",
+			expected: "file:test.db?_pragma=foreign_keys%281%29&_pragma=busy_timeout%285000%29&mode=rw",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resultURL, _ := url.Parse(tt.input)
+			convertSqlitePragmaArgs(resultURL)
+
+			// Parse both URLs to compare components independently
+			expectedURL, err := url.Parse(tt.expected)
+			require.NoError(t, err)
+
+			// Compare scheme and path components
+			compareQueryStrings(t, expectedURL, resultURL)
+		})
+	}
+}
+
+func TestAddSqliteDefaultParameters(t *testing.T) {
+	tests := []struct {
+		name        string
+		input       string
+		isMemoryDB  bool
+		expected    string
+		expectError bool
+	}{
+		{
+			name:       "basic file database",
+			input:      "file:test.db",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate",
+		},
+		{
+			name:       "in-memory database",
+			input:      "file::memory:",
+			isMemoryDB: true,
+			expected:   "file::memory:?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28MEMORY%29&_txlock=immediate",
+		},
+		{
+			name:       "read-only database with mode=ro",
+			input:      "file:test.db?mode=ro",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&mode=ro",
+		},
+		{
+			name:       "immutable database",
+			input:      "file:test.db?immutable=1",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&immutable=1",
+		},
+		{
+			name:       "database with existing _txlock",
+			input:      "file:test.db?_txlock=deferred",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=deferred",
+		},
+		{
+			name:       "database with existing busy_timeout pragma",
+			input:      "file:test.db?_pragma=busy_timeout%285000%29",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%285000%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate",
+		},
+		{
+			name:       "database with existing journal_mode pragma",
+			input:      "file:test.db?_pragma=journal_mode%28DELETE%29",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate",
+		},
+		{
+			name:        "database with forbidden foreign_keys pragma",
+			input:       "file:test.db?_pragma=foreign_keys%280%29",
+			isMemoryDB:  false,
+			expectError: true,
+		},
+		{
+			name:       "database with multiple existing pragmas",
+			input:      "file:test.db?_pragma=busy_timeout%283000%29&_pragma=journal_mode%28TRUNCATE%29&_pragma=synchronous%28NORMAL%29",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%283000%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28TRUNCATE%29&_pragma=synchronous%28NORMAL%29&_txlock=immediate",
+		},
+		{
+			name:       "database with mode=rw (not read-only)",
+			input:      "file:test.db?mode=rw",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate&mode=rw",
+		},
+		{
+			name:       "database with immutable=0 (not immutable)",
+			input:      "file:test.db?immutable=0",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate&immutable=0",
+		},
+		{
+			name:       "database with mixed case mode=RO",
+			input:      "file:test.db?mode=RO",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&mode=ro",
+		},
+		{
+			name:       "database with mixed case immutable=1",
+			input:      "file:test.db?immutable=1",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&immutable=1",
+		},
+		{
+			name:       "complex database configuration",
+			input:      "file:test.db?cache=shared&mode=rwc&_txlock=immediate&_pragma=synchronous%28FULL%29",
+			isMemoryDB: false,
+			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_pragma=synchronous%28FULL%29&_txlock=immediate&cache=shared&mode=rwc",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			resultURL, err := url.Parse(tt.input)
+			require.NoError(t, err)
+
+			err = addSqliteDefaultParameters(resultURL, tt.isMemoryDB)
+
+			if tt.expectError {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			expectedURL, err := url.Parse(tt.expected)
+			require.NoError(t, err)
+
+			compareQueryStrings(t, expectedURL, resultURL)
+		})
+	}
+}
+
+func compareQueryStrings(t *testing.T, expectedURL *url.URL, resultURL *url.URL) {
+	t.Helper()
+
+	// Compare scheme and path components
+	assert.Equal(t, expectedURL.Scheme, resultURL.Scheme)
+	assert.Equal(t, expectedURL.Path, resultURL.Path)
+
+	// Compare query parameters regardless of order
+	expectedQuery := expectedURL.Query()
+	resultQuery := resultURL.Query()
+
+	assert.Len(t, expectedQuery, len(resultQuery))
+
+	for key, expectedValues := range expectedQuery {
+		resultValues, ok := resultQuery[key]
+		_ = assert.True(t, ok) &&
+			assert.ElementsMatch(t, expectedValues, resultValues)
+	}
+}

backend/internal/bootstrap/e2etest_router_bootstrap.go

@@ -0,0 +1,30 @@
+//go:build e2etest
+
+package bootstrap
+
+import (
+	"log/slog"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// When building for E2E tests, add the e2etest controller
+func init() {
+	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
+		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
+			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService, svc.fileStorage)
+			if err != nil {
+				slog.Error("Failed to initialize test service", slog.Any("error", err))
+				os.Exit(1)
+				return
+			}
+
+			controller.NewTestController(apiGroup, testService)
+		},
+	}
+}

backend/internal/bootstrap/observability_boostrap.go

@@ -0,0 +1,203 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	sloggin "github.com/gin-contrib/slog"
+
+	"github.com/lmittmann/tint"
+	"github.com/mattn/go-isatty"
+	"go.opentelemetry.io/contrib/bridges/otelslog"
+	"go.opentelemetry.io/contrib/exporters/autoexport"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel"
+	globallog "go.opentelemetry.io/otel/log/global"
+	metricnoop "go.opentelemetry.io/otel/metric/noop"
+	"go.opentelemetry.io/otel/propagation"
+	sdklog "go.opentelemetry.io/otel/sdk/log"
+	"go.opentelemetry.io/otel/sdk/metric"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.30.0"
+	tracenoop "go.opentelemetry.io/otel/trace/noop"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func defaultResource() (*resource.Resource, error) {
+	return resource.Merge(
+		resource.Default(),
+		resource.NewSchemaless(
+			semconv.ServiceName(common.Name),
+			semconv.ServiceVersion(common.Version),
+		),
+	)
+}
+
+func initObservability(ctx context.Context, metrics, traces bool) (shutdownFns []utils.Service, httpClient *http.Client, err error) {
+	resource, err := defaultResource()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create OpenTelemetry resource: %w", err)
+	}
+
+	shutdownFns = make([]utils.Service, 0, 2)
+
+	httpClient = &http.Client{}
+	defaultTransport, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		// Indicates a development-time error
+		panic("Default transport is not of type *http.Transport")
+	}
+	httpClient.Transport = defaultTransport.Clone()
+
+	// Logging
+	err = initOtelLogging(ctx, resource)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Tracing
+	tracingShutdownFn, err := initOtelTracing(ctx, traces, resource, httpClient)
+	if err != nil {
+		return nil, nil, err
+	} else if tracingShutdownFn != nil {
+		shutdownFns = append(shutdownFns, tracingShutdownFn)
+	}
+
+	// Metrics
+	metricsShutdownFn, err := initOtelMetrics(ctx, metrics, resource)
+	if err != nil {
+		return nil, nil, err
+	} else if metricsShutdownFn != nil {
+		shutdownFns = append(shutdownFns, metricsShutdownFn)
+	}
+
+	return shutdownFns, httpClient, nil
+}
+
+func initOtelLogging(ctx context.Context, resource *resource.Resource) error {
+	// If the env var OTEL_LOGS_EXPORTER is empty, we set it to "none", for autoexport to work
+	if os.Getenv("OTEL_LOGS_EXPORTER") == "" {
+		os.Setenv("OTEL_LOGS_EXPORTER", "none")
+	}
+	exp, err := autoexport.NewLogExporter(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to initialize OpenTelemetry log exporter: %w", err)
+	}
+
+	level, _ := sloggin.ParseLevel(common.EnvConfig.LogLevel)
+
+	// Create the handler
+	var handler slog.Handler
+	if common.EnvConfig.LogJSON {
+		handler = slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+			Level: level,
+		})
+	} else {
+		handler = tint.NewHandler(os.Stdout, &tint.Options{
+			TimeFormat: time.Stamp,
+			Level:      level,
+			NoColor:    !isatty.IsTerminal(os.Stdout.Fd()),
+		})
+	}
+
+	// Create the logger provider
+	provider := sdklog.NewLoggerProvider(
+		sdklog.WithProcessor(
+			sdklog.NewBatchProcessor(exp),
+		),
+		sdklog.WithResource(resource),
+	)
+
+	// Set the logger provider globally
+	globallog.SetLoggerProvider(provider)
+
+	// Wrap the handler in a "fanout" one
+	handler = utils.LogFanoutHandler{
+		handler,
+		otelslog.NewHandler(common.Name, otelslog.WithLoggerProvider(provider)),
+	}
+
+	// Set the default slog to send logs to OTel and add the app name
+	log := slog.New(handler).
+		With(slog.String("app", common.Name)).
+		With(slog.String("version", common.Version))
+	slog.SetDefault(log)
+
+	return nil
+}
+
+func initOtelTracing(ctx context.Context, traces bool, resource *resource.Resource, httpClient *http.Client) (shutdownFn utils.Service, err error) {
+	if !traces {
+		otel.SetTracerProvider(tracenoop.NewTracerProvider())
+		return nil, nil
+	}
+
+	tr, err := autoexport.NewSpanExporter(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OpenTelemetry span exporter: %w", err)
+	}
+	tp := sdktrace.NewTracerProvider(
+		sdktrace.WithResource(resource),
+		sdktrace.WithBatcher(tr),
+	)
+
+	otel.SetTracerProvider(tp)
+	otel.SetTextMapPropagator(
+		propagation.NewCompositeTextMapPropagator(
+			propagation.TraceContext{},
+			propagation.Baggage{},
+		),
+	)
+
+	shutdownFn = func(shutdownCtx context.Context) error { //nolint:contextcheck
+		tpCtx, tpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
+		defer tpCancel()
+		shutdownErr := tp.Shutdown(tpCtx)
+		if shutdownErr != nil {
+			return fmt.Errorf("failed to gracefully shut down traces exporter: %w", shutdownErr)
+		}
+		return nil
+	}
+
+	// Add tracing to the HTTP client
+	httpClient.Transport = otelhttp.NewTransport(httpClient.Transport)
+
+	return shutdownFn, nil
+}
+
+func initOtelMetrics(ctx context.Context, metrics bool, resource *resource.Resource) (shutdownFn utils.Service, err error) {
+	if !metrics {
+		otel.SetMeterProvider(metricnoop.NewMeterProvider())
+		return nil, nil
+	}
+
+	mr, err := autoexport.NewMetricReader(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize OpenTelemetry metric reader: %w", err)
+	}
+
+	mp := metric.NewMeterProvider(
+		metric.WithResource(resource),
+		metric.WithReader(mr),
+	)
+	otel.SetMeterProvider(mp)
+
+	shutdownFn = func(shutdownCtx context.Context) error { //nolint:contextcheck
+		mpCtx, mpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
+		defer mpCancel()
+		shutdownErr := mp.Shutdown(mpCtx)
+		if shutdownErr != nil {
+			return fmt.Errorf("failed to gracefully shut down metrics exporter: %w", shutdownErr)
+		}
+		return nil
+	}
+
+	return shutdownFn, nil
+}

backend/internal/bootstrap/router_bootstrap.go

@@ -1,20 +1,44 @@
 package bootstrap
 
 import (
-	"log"
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
 	"os"
+	"strconv"
+	"strings"
 	"time"
 
+	sloggin "github.com/gin-contrib/slog"
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/controller"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/frontend"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 )
 
-func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
+// This is used to register additional controllers for tests
+var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
+
+func initRouter(db *gorm.DB, svc *services) utils.Service {
+	runner, err := initRouterInternal(db, svc)
+	if err != nil {
+		slog.Error("Failed to init router", "error", err)
+		os.Exit(1)
+	}
+	return runner
+}
+
+func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case "production":
@@ -25,50 +49,160 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 		gin.SetMode(gin.TestMode)
 	}
 
-	r := gin.Default()
-	r.Use(gin.Logger())
+	r := gin.New()
+	initLogger(r)
 
-	// Initialize services
-	templateDir := os.DirFS(common.EnvConfig.EmailTemplatesPath)
-	emailService, err := service.NewEmailService(appConfigService, templateDir)
-	if err != nil {
-		log.Fatalf("Unable to create email service: %s", err)
+	if !common.EnvConfig.TrustProxy {
+		_ = r.SetTrustedProxies(nil)
 	}
 
-	auditLogService := service.NewAuditLogService(db, appConfigService, emailService)
-	jwtService := service.NewJwtService(appConfigService)
-	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService)
-	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService)
-	testService := service.NewTestService(db, appConfigService)
+	if common.EnvConfig.TracingEnabled {
+		r.Use(otelgin.Middleware(common.Name))
+	}
 
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)
+
+	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
-	r.Use(middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60))
-	r.Use(middleware.NewJwtAuthMiddleware(jwtService, true).Add(false))
+	r.Use(middleware.NewCspMiddleware().Add())
+	r.Use(middleware.NewErrorHandlerMiddleware().Add())
 
-	// Initialize middleware
-	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService, false)
+	err := frontend.RegisterFrontend(r)
+	if errors.Is(err, frontend.ErrFrontendNotIncluded) {
+		slog.Warn("Frontend is not included in the build. Skipping frontend registration.")
+	} else if err != nil {
+		return nil, fmt.Errorf("failed to register frontend: %w", err)
+	}
+
+	// Initialize middleware for specific routes
+	authMiddleware := middleware.NewAuthMiddleware(svc.apiKeyService, svc.userService, svc.jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
 
 	// Set up API routes
-	apiGroup := r.Group("/api")
-	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService)
-	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
-	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService)
-	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService)
-	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
+	apiGroup := r.Group("/api", rateLimitMiddleware)
+	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.appConfigService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
+	controller.NewAppImagesController(apiGroup, authMiddleware, svc.appImagesService)
+	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
+	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
+	controller.NewVersionController(apiGroup, svc.versionService)
 
 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
-		controller.NewTestController(apiGroup, testService)
+		for _, f := range registerTestControllers {
+			f(apiGroup, db, svc)
+		}
 	}
 
 	// Set up base routes
-	baseGroup := r.Group("/")
-	controller.NewWellKnownController(baseGroup, jwtService)
+	baseGroup := r.Group("/", rateLimitMiddleware)
+	controller.NewWellKnownController(baseGroup, svc.jwtService)
 
-	// Run the server
-	if err := r.Run(common.EnvConfig.Host + ":" + common.EnvConfig.Port); err != nil {
-		log.Fatal(err)
+	// Set up healthcheck routes
+	// These are not rate-limited
+	controller.NewHealthzController(r)
+
+	// Set up the server
+	srv := &http.Server{
+		MaxHeaderBytes:    1 << 20,
+		ReadHeaderTimeout: 10 * time.Second,
+		Handler:           r,
 	}
+
+	// Set up the listener
+	network := "tcp"
+	addr := net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port)
+	if common.EnvConfig.UnixSocket != "" {
+		network = "unix"
+		addr = common.EnvConfig.UnixSocket
+		os.Remove(addr) // remove dangling the socket file to avoid file-exist error
+	}
+
+	listener, err := net.Listen(network, addr) //nolint:noctx
+	if err != nil {
+		return nil, fmt.Errorf("failed to create %s listener: %w", network, err)
+	}
+
+	// Set the socket mode if using a Unix socket
+	if network == "unix" && common.EnvConfig.UnixSocketMode != "" {
+		mode, err := strconv.ParseUint(common.EnvConfig.UnixSocketMode, 8, 32)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
+		}
+
+		if err := os.Chmod(addr, os.FileMode(mode)); err != nil {
+			return nil, fmt.Errorf("failed to set UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
+		}
+	}
+
+	// Service runner function
+	runFn := func(ctx context.Context) error {
+		slog.Info("Server listening", slog.String("addr", addr))
+
+		// Start the server in a background goroutine
+		go func() {
+			defer listener.Close()
+
+			// Next call blocks until the server is shut down
+			srvErr := srv.Serve(listener)
+			if srvErr != http.ErrServerClosed {
+				slog.Error("Error starting app server", "error", srvErr)
+				os.Exit(1)
+			}
+		}()
+
+		// Notify systemd that we are ready
+		err = systemd.SdNotifyReady()
+		if err != nil {
+			// Log the error only
+			slog.Warn("Unable to notify systemd that the service is ready", "error", err)
+		}
+
+		// Block until the context is canceled
+		<-ctx.Done()
+
+		// Handle graceful shutdown
+		// Note we use the background context here as ctx has been canceled already
+		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+		shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
+		shutdownCancel()
+		if shutdownErr != nil {
+			// Log the error only (could be context canceled)
+			slog.Warn("App server shutdown error", "error", shutdownErr)
+		}
+
+		return nil
+	}
+
+	return runFn, nil
+}
+
+func initLogger(r *gin.Engine) {
+	loggerSkipPathsPrefix := []string{
+		"GET /api/application-images/logo",
+		"GET /api/application-images/background",
+		"GET /api/application-images/favicon",
+		"GET /_app",
+		"GET /fonts",
+		"GET /healthz",
+		"HEAD /healthz",
+	}
+
+	r.Use(sloggin.SetLogger(
+		sloggin.WithLogger(func(_ *gin.Context, _ *slog.Logger) *slog.Logger {
+			return slog.Default()
+		}),
+		sloggin.WithSkipper(func(c *gin.Context) bool {
+			for _, prefix := range loggerSkipPathsPrefix {
+				if strings.HasPrefix(c.Request.Method+" "+c.Request.URL.String(), prefix) {
+					return true
+				}
+			}
+			return false
+		}),
+	))
 }

backend/internal/bootstrap/scheduler_bootstrap.go

@@ -0,0 +1,40 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+)
+
+func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, httpClient *http.Client, scheduler *job.Scheduler) error {
+	err := scheduler.RegisterLdapJobs(ctx, svc.ldapService, svc.appConfigService)
+	if err != nil {
+		return fmt.Errorf("failed to register LDAP jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterGeoLiteUpdateJobs(ctx, svc.geoLiteService)
+	if err != nil {
+		return fmt.Errorf("failed to register GeoLite DB update service: %w", err)
+	}
+	err = scheduler.RegisterDbCleanupJobs(ctx, db)
+	if err != nil {
+		return fmt.Errorf("failed to register DB cleanup jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterFileCleanupJobs(ctx, db, svc.fileStorage)
+	if err != nil {
+		return fmt.Errorf("failed to register file cleanup jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterApiKeyExpiryJob(ctx, svc.apiKeyService, svc.appConfigService)
+	if err != nil {
+		return fmt.Errorf("failed to register API key expiration jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterAnalyticsJob(ctx, svc.appConfigService, httpClient)
+	if err != nil {
+		return fmt.Errorf("failed to register analytics job in scheduler: %w", err)
+	}
+
+	return nil
+}

backend/internal/bootstrap/services_bootstrap.go

@@ -0,0 +1,75 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
+)
+
+type services struct {
+	appConfigService   *service.AppConfigService
+	appImagesService   *service.AppImagesService
+	emailService       *service.EmailService
+	geoLiteService     *service.GeoLiteService
+	auditLogService    *service.AuditLogService
+	jwtService         *service.JwtService
+	webauthnService    *service.WebAuthnService
+	userService        *service.UserService
+	customClaimService *service.CustomClaimService
+	oidcService        *service.OidcService
+	userGroupService   *service.UserGroupService
+	ldapService        *service.LdapService
+	apiKeyService      *service.ApiKeyService
+	versionService     *service.VersionService
+	fileStorage        storage.FileStorage
+}
+
+// Initializes all services
+func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, imageExtensions map[string]string, fileStorage storage.FileStorage) (svc *services, err error) {
+	svc = &services{}
+
+	svc.appConfigService, err = service.NewAppConfigService(ctx, db)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create app config service: %w", err)
+	}
+
+	svc.fileStorage = fileStorage
+	svc.appImagesService = service.NewAppImagesService(imageExtensions, fileStorage)
+
+	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create email service: %w", err)
+	}
+
+	svc.geoLiteService = service.NewGeoLiteService(httpClient)
+	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
+	svc.jwtService, err = service.NewJwtService(db, svc.appConfigService)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create JWT service: %w", err)
+	}
+
+	svc.customClaimService = service.NewCustomClaimService(db)
+	svc.webauthnService, err = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create WebAuthn service: %w", err)
+	}
+
+	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService, httpClient, fileStorage)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OIDC service: %w", err)
+	}
+
+	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
+	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService, svc.appImagesService, fileStorage)
+	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
+	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
+
+	svc.versionService = service.NewVersionService(httpClient)
+
+	return svc, nil
+}

backend/internal/cmds/healthcheck.go

@@ -0,0 +1,83 @@
+package cmds
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+type healthcheckFlags struct {
+	Endpoint string
+	Verbose  bool
+}
+
+func init() {
+	var flags healthcheckFlags
+
+	healthcheckCmd := &cobra.Command{
+		Use:   "healthcheck",
+		Short: "Performs a healthcheck of a running Pocket ID instance",
+		Run: func(cmd *cobra.Command, args []string) {
+			start := time.Now()
+
+			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+			defer cancel()
+
+			url := flags.Endpoint + "/healthz"
+			req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+			if err != nil {
+				slog.ErrorContext(ctx,
+					"Failed to create request object",
+					"error", err,
+					"url", url,
+					"ms", time.Since(start).Milliseconds(),
+				)
+				os.Exit(1)
+			}
+
+			res, err := http.DefaultClient.Do(req)
+			if err != nil {
+				slog.ErrorContext(ctx,
+					"Failed to perform request",
+					"error", err,
+					"url", url,
+					"ms", time.Since(start).Milliseconds(),
+				)
+				os.Exit(1)
+			}
+			defer res.Body.Close()
+
+			if res.StatusCode < 200 || res.StatusCode >= 300 {
+				if err != nil {
+					slog.ErrorContext(ctx,
+						"Healthcheck failed",
+						"status", res.StatusCode,
+						"url", url,
+						"ms", time.Since(start).Milliseconds(),
+					)
+					os.Exit(1)
+				}
+			}
+
+			if flags.Verbose {
+				slog.InfoContext(ctx,
+					"Healthcheck succeeded",
+					"status", res.StatusCode,
+					"url", url,
+					"ms", time.Since(start).Milliseconds(),
+				)
+			}
+		},
+	}
+
+	healthcheckCmd.Flags().StringVarP(&flags.Endpoint, "endpoint", "e", "http://localhost:"+common.EnvConfig.Port, "Endpoint for Pocket ID")
+	healthcheckCmd.Flags().BoolVarP(&flags.Verbose, "verbose", "v", false, "Enable verbose mode")
+
+	rootCmd.AddCommand(healthcheckCmd)
+}

backend/internal/cmds/key_rotate.go

@@ -0,0 +1,113 @@
+package cmds
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/spf13/cobra"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
+)
+
+type keyRotateFlags struct {
+	Alg string
+	Crv string
+	Yes bool
+}
+
+func init() {
+	var flags keyRotateFlags
+
+	keyRotateCmd := &cobra.Command{
+		Use:   "key-rotate",
+		Short: "Generates a new token signing key and replaces the current one",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			db, err := bootstrap.NewDatabase()
+			if err != nil {
+				return err
+			}
+
+			return keyRotate(cmd.Context(), flags, db, &common.EnvConfig)
+		},
+	}
+
+	keyRotateCmd.Flags().StringVarP(&flags.Alg, "alg", "a", "RS256", "Key algorithm. Supported values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA")
+	keyRotateCmd.Flags().StringVarP(&flags.Crv, "crv", "c", "", "Curve name when using EdDSA keys. Supported values: Ed25519")
+	keyRotateCmd.Flags().BoolVarP(&flags.Yes, "yes", "y", false, "Do not prompt for confirmation")
+
+	rootCmd.AddCommand(keyRotateCmd)
+}
+
+func keyRotate(ctx context.Context, flags keyRotateFlags, db *gorm.DB, envConfig *common.EnvConfigSchema) error {
+	// Validate the flags
+	switch strings.ToUpper(flags.Alg) {
+	case jwa.RS256().String(), jwa.RS384().String(), jwa.RS512().String(),
+		jwa.ES256().String(), jwa.ES384().String(), jwa.ES512().String():
+		// All good, but uppercase it for consistency
+		flags.Alg = strings.ToUpper(flags.Alg)
+	case strings.ToUpper(jwa.EdDSA().String()):
+		// Ensure Crv is set and valid
+		switch strings.ToUpper(flags.Crv) {
+		case strings.ToUpper(jwa.Ed25519().String()):
+			// All good, but ensure consistency in casing
+			flags.Crv = jwa.Ed25519().String()
+		case "":
+			return errors.New("a curve name is required when algorithm is EdDSA")
+		default:
+			return errors.New("unsupported EdDSA curve; supported values: Ed25519")
+		}
+	case "":
+		return errors.New("key algorithm is required")
+	default:
+		return errors.New("unsupported key algorithm; supported values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA")
+	}
+
+	if !flags.Yes {
+		fmt.Println("WARNING: Rotating the private key will invalidate all existing tokens. Both pocket-id and all client applications will likely need to be restarted.")
+		ok, err := utils.PromptForConfirmation("Confirm")
+		if err != nil {
+			return err
+		}
+		if !ok {
+			fmt.Println("Aborted")
+			return nil
+		}
+	}
+
+	// Init the services we need
+	appConfigService, err := service.NewAppConfigService(ctx, db)
+	if err != nil {
+		return fmt.Errorf("failed to create app config service: %w", err)
+	}
+
+	// Get the key provider
+	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, appConfigService.GetDbConfig().InstanceID.Value)
+	if err != nil {
+		return fmt.Errorf("failed to get key provider: %w", err)
+	}
+
+	// Generate a new key
+	key, err := jwkutils.GenerateKey(flags.Alg, flags.Crv)
+	if err != nil {
+		return fmt.Errorf("failed to generate key: %w", err)
+	}
+
+	// Save the key
+	err = keyProvider.SaveKey(key)
+	if err != nil {
+		return fmt.Errorf("failed to store new key: %w", err)
+	}
+
+	fmt.Println("Key rotated successfully")
+	fmt.Println("Note: if pocket-id is running, you will need to restart it for the new key to be loaded")
+
+	return nil
+}

backend/internal/cmds/key_rotate_test.go

@@ -0,0 +1,216 @@
+package cmds
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
+	testingutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
+)
+
+func TestKeyRotate(t *testing.T) {
+	tests := []struct {
+		name    string
+		flags   keyRotateFlags
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name: "valid RS256",
+			flags: keyRotateFlags{
+				Alg: "RS256",
+				Yes: true,
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid EdDSA with Ed25519",
+			flags: keyRotateFlags{
+				Alg: "EdDSA",
+				Crv: "Ed25519",
+				Yes: true,
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid algorithm",
+			flags: keyRotateFlags{
+				Alg: "INVALID",
+				Yes: true,
+			},
+			wantErr: true,
+			errMsg:  "unsupported key algorithm",
+		},
+		{
+			name: "EdDSA without curve",
+			flags: keyRotateFlags{
+				Alg: "EdDSA",
+				Yes: true,
+			},
+			wantErr: true,
+			errMsg:  "a curve name is required when algorithm is EdDSA",
+		},
+		{
+			name: "empty algorithm",
+			flags: keyRotateFlags{
+				Alg: "",
+				Yes: true,
+			},
+			wantErr: true,
+			errMsg:  "key algorithm is required",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Run("file storage", func(t *testing.T) {
+				testKeyRotateWithFileStorage(t, tt.flags, tt.wantErr, tt.errMsg)
+			})
+
+			t.Run("database storage", func(t *testing.T) {
+				testKeyRotateWithDatabaseStorage(t, tt.flags, tt.wantErr, tt.errMsg)
+			})
+		})
+	}
+}
+
+func testKeyRotateWithFileStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
+	// Create temporary directory for keys
+	tempDir := t.TempDir()
+	keysPath := filepath.Join(tempDir, "keys")
+	err := os.MkdirAll(keysPath, 0755)
+	require.NoError(t, err)
+
+	// Set up file storage config
+	envConfig := &common.EnvConfigSchema{
+		KeysStorage: "file",
+		KeysPath:    keysPath,
+	}
+
+	// Create test database
+	db := testingutils.NewDatabaseForTest(t)
+
+	// Initialize app config service and create instance
+	appConfigService, err := service.NewAppConfigService(t.Context(), db)
+	require.NoError(t, err)
+	instanceID := appConfigService.GetDbConfig().InstanceID.Value
+
+	// Check if key exists before rotation
+	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, instanceID)
+	require.NoError(t, err)
+
+	// Run the key rotation
+	err = keyRotate(t.Context(), flags, db, envConfig)
+
+	if wantErr {
+		require.Error(t, err)
+		if errMsg != "" {
+			require.ErrorContains(t, err, errMsg)
+		}
+		return
+	}
+
+	require.NoError(t, err)
+
+	// Verify key was created
+	key, err := keyProvider.LoadKey()
+	require.NoError(t, err)
+	require.NotNil(t, key)
+
+	// Verify the algorithm matches what we requested
+	alg, _ := key.Algorithm()
+	assert.NotEmpty(t, alg)
+	if flags.Alg != "" {
+		expectedAlg := flags.Alg
+		if expectedAlg == "EdDSA" {
+			// EdDSA keys should have the EdDSA algorithm
+			assert.Equal(t, "EdDSA", alg.String())
+		} else {
+			assert.Equal(t, expectedAlg, alg.String())
+		}
+	}
+}
+
+func testKeyRotateWithDatabaseStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
+	// Set up database storage config
+	envConfig := &common.EnvConfigSchema{
+		KeysStorage:   "database",
+		EncryptionKey: []byte("test-encryption-key-characters-long"),
+	}
+
+	// Create test database
+	db := testingutils.NewDatabaseForTest(t)
+
+	// Initialize app config service and create instance
+	appConfigService, err := service.NewAppConfigService(t.Context(), db)
+	require.NoError(t, err)
+	instanceID := appConfigService.GetDbConfig().InstanceID.Value
+
+	// Get key provider
+	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, instanceID)
+	require.NoError(t, err)
+
+	// Run the key rotation
+	err = keyRotate(t.Context(), flags, db, envConfig)
+
+	if wantErr {
+		require.Error(t, err)
+		if errMsg != "" {
+			require.ErrorContains(t, err, errMsg)
+		}
+		return
+	}
+
+	require.NoError(t, err)
+
+	// Verify key was created
+	key, err := keyProvider.LoadKey()
+	require.NoError(t, err)
+	require.NotNil(t, key)
+
+	// Verify the algorithm matches what we requested
+	alg, _ := key.Algorithm()
+	assert.NotEmpty(t, alg)
+	if flags.Alg != "" {
+		expectedAlg := flags.Alg
+		if expectedAlg == "EdDSA" {
+			// EdDSA keys should have the EdDSA algorithm
+			assert.Equal(t, "EdDSA", alg.String())
+		} else {
+			assert.Equal(t, expectedAlg, alg.String())
+		}
+	}
+}
+
+func TestKeyRotateMultipleAlgorithms(t *testing.T) {
+	algorithms := []struct {
+		alg string
+		crv string
+	}{
+		{"RS256", ""},
+		{"RS384", ""},
+		// Skip RSA-4096 key generation test as it can take a long time
+		// {"RS512", ""},
+		{"ES256", ""},
+		{"ES384", ""},
+		{"ES512", ""},
+		{"EdDSA", "Ed25519"},
+	}
+
+	for _, algo := range algorithms {
+		t.Run(algo.alg, func(t *testing.T) {
+			// Test with database storage for all algorithms
+			testKeyRotateWithDatabaseStorage(t, keyRotateFlags{
+				Alg: algo.alg,
+				Crv: algo.crv,
+				Yes: true,
+			}, false, "")
+		})
+	}
+}

backend/internal/cmds/one_time_access_token.go

@@ -0,0 +1,85 @@
+package cmds
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+var oneTimeAccessTokenCmd = &cobra.Command{
+	Use:   "one-time-access-token [username or email]",
+	Short: "Generates a one-time access token for the given user",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// Get the username or email of the user
+		userArg := args[0]
+
+		// Connect to the database
+		db, err := bootstrap.NewDatabase()
+		if err != nil {
+			return err
+		}
+
+		// Create the access token
+		var oneTimeAccessToken *model.OneTimeAccessToken
+		err = db.Transaction(func(tx *gorm.DB) error {
+			// Load the user to retrieve the user ID
+			var user model.User
+			queryCtx, queryCancel := context.WithTimeout(cmd.Context(), 10*time.Second)
+			defer queryCancel()
+			txErr := tx.
+				WithContext(queryCtx).
+				Where("username = ? OR email = ?", userArg, userArg).
+				First(&user).
+				Error
+			switch {
+			case errors.Is(txErr, gorm.ErrRecordNotFound):
+				return errors.New("user not found")
+			case txErr != nil:
+				return fmt.Errorf("failed to query for user: %w", txErr)
+			case user.ID == "":
+				return errors.New("invalid user loaded: ID is empty")
+			}
+
+			// Create a new access token that expires in 1 hour
+			oneTimeAccessToken, txErr = service.NewOneTimeAccessToken(user.ID, time.Hour)
+			if txErr != nil {
+				return fmt.Errorf("failed to generate access token: %w", txErr)
+			}
+
+			queryCtx, queryCancel = context.WithTimeout(cmd.Context(), 10*time.Second)
+			defer queryCancel()
+			txErr = tx.
+				WithContext(queryCtx).
+				Create(oneTimeAccessToken).
+				Error
+			if txErr != nil {
+				return fmt.Errorf("failed to save access token: %w", txErr)
+			}
+
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		// Print the result
+		fmt.Printf(`A one-time access token valid for 1 hour has been created for "%s".`+"\n", userArg)
+		fmt.Printf("Use the following URL to sign in once: %s/lc/%s\n", common.EnvConfig.AppURL, oneTimeAccessToken.Token)
+
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(oneTimeAccessTokenCmd)
+}

backend/internal/cmds/root.go

@@ -0,0 +1,36 @@
+package cmds
+
+import (
+	"context"
+	"log/slog"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "pocket-id",
+	Short: "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.",
+	Long:  "By default, this command starts the pocket-id server.",
+	Run: func(cmd *cobra.Command, args []string) {
+		// Start the server
+		err := bootstrap.Bootstrap(cmd.Context())
+		if err != nil {
+			slog.Error("Failed to run pocket-id", "error", err)
+			os.Exit(1)
+		}
+	},
+}
+
+func Execute() {
+	// Get a context that is canceled when the application is stopping
+	ctx := signals.SignalContext(context.Background())
+
+	err := rootCmd.ExecuteContext(ctx)
+	if err != nil {
+		os.Exit(1)
+	}
+}

backend/internal/cmds/version.go

@@ -0,0 +1,19 @@
+package cmds
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+func init() {
+	rootCmd.AddCommand(&cobra.Command{
+		Use:   "version",
+		Short: "Print the version number",
+		Run: func(cmd *cobra.Command, args []string) {
+			fmt.Println("pocket-id " + common.Version)
+		},
+	})
+}

backend/internal/common/env_config.go

@@ -1,33 +1,288 @@
 package common
 
 import (
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/url"
+	"os"
+	"reflect"
+	"strings"
+
 	"github.com/caarlos0/env/v11"
+	sloggin "github.com/gin-contrib/slog"
 	_ "github.com/joho/godotenv/autoload"
-	"log"
+)
+
+type DbProvider string
+
+const (
+	// TracerName should be passed to otel.Tracer, trace.SpanFromContext when creating custom spans.
+	TracerName = "github.com/pocket-id/pocket-id/backend/tracing"
+	// MeterName should be passed to otel.Meter when create custom metrics.
+	MeterName = "github.com/pocket-id/pocket-id/backend/metrics"
+)
+
+const (
+	DbProviderSqlite        DbProvider = "sqlite"
+	DbProviderPostgres      DbProvider = "postgres"
+	MaxMindGeoLiteCityUrl   string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
+	defaultSqliteConnString string     = "data/pocket-id.db"
+	defaultFsUploadPath     string     = "data/uploads"
+	AppUrl                  string     = "http://localhost:1411"
 )
 
 type EnvConfigSchema struct {
-	AppEnv             string `env:"APP_ENV"`
-	AppURL             string `env:"PUBLIC_APP_URL"`
-	DBPath             string `env:"DB_PATH"`
-	UploadPath         string `env:"UPLOAD_PATH"`
-	Port               string `env:"BACKEND_PORT"`
-	Host               string `env:"HOST"`
-	EmailTemplatesPath string `env:"EMAIL_TEMPLATES_PATH"`
+	AppEnv             string     `env:"APP_ENV" options:"toLower"`
+	LogLevel           string     `env:"LOG_LEVEL" options:"toLower"`
+	AppURL             string     `env:"APP_URL" options:"toLower,trimTrailingSlash"`
+	DbProvider         DbProvider `env:"DB_PROVIDER" options:"toLower"`
+	DbConnectionString string     `env:"DB_CONNECTION_STRING" options:"file"`
+	FileBackend        string     `env:"FILE_BACKEND" options:"toLower"`
+	UploadPath         string     `env:"UPLOAD_PATH"`
+	S3Bucket           string     `env:"S3_BUCKET"`
+	S3Region           string     `env:"S3_REGION"`
+	S3Endpoint         string     `env:"S3_ENDPOINT"`
+	S3AccessKeyID      string     `env:"S3_ACCESS_KEY_ID"`
+	S3SecretAccessKey  string     `env:"S3_SECRET_ACCESS_KEY"`
+	S3ForcePathStyle   bool       `env:"S3_FORCE_PATH_STYLE"`
+	KeysPath           string     `env:"KEYS_PATH"`
+	KeysStorage        string     `env:"KEYS_STORAGE"`
+	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
+	Port               string     `env:"PORT"`
+	Host               string     `env:"HOST" options:"toLower"`
+	UnixSocket         string     `env:"UNIX_SOCKET"`
+	UnixSocketMode     string     `env:"UNIX_SOCKET_MODE"`
+	MaxMindLicenseKey  string     `env:"MAXMIND_LICENSE_KEY" options:"file"`
+	GeoLiteDBPath      string     `env:"GEOLITE_DB_PATH"`
+	GeoLiteDBUrl       string     `env:"GEOLITE_DB_URL"`
+	LocalIPv6Ranges    string     `env:"LOCAL_IPV6_RANGES"`
+	UiConfigDisabled   bool       `env:"UI_CONFIG_DISABLED"`
+	MetricsEnabled     bool       `env:"METRICS_ENABLED"`
+	TracingEnabled     bool       `env:"TRACING_ENABLED"`
+	LogJSON            bool       `env:"LOG_JSON"`
+	TrustProxy         bool       `env:"TRUST_PROXY"`
+	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
+	AllowDowngrade     bool       `env:"ALLOW_DOWNGRADE"`
+	InternalAppURL     string     `env:"INTERNAL_APP_URL"`
 }
 
-var EnvConfig = &EnvConfigSchema{
-	AppEnv:             "production",
-	DBPath:             "data/pocket-id.db",
-	UploadPath:         "data/uploads",
-	AppURL:             "http://localhost",
-	Port:               "8080",
-	Host:               "localhost",
-	EmailTemplatesPath: "./email-templates",
-}
+var EnvConfig = defaultConfig()
 
 func init() {
-	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
-		log.Fatal(err)
+	err := parseEnvConfig()
+	if err != nil {
+		slog.Error("Configuration error", slog.Any("error", err))
+		os.Exit(1)
 	}
 }
+
+func defaultConfig() EnvConfigSchema {
+	return EnvConfigSchema{
+		AppEnv:        "production",
+		LogLevel:      "info",
+		DbProvider:    "sqlite",
+		FileBackend:   "fs",
+		KeysPath:      "data/keys",
+		AppURL:        AppUrl,
+		Port:          "1411",
+		Host:          "0.0.0.0",
+		GeoLiteDBPath: "data/GeoLite2-City.mmdb",
+		GeoLiteDBUrl:  MaxMindGeoLiteCityUrl,
+	}
+}
+
+func parseEnvConfig() error {
+	parsers := map[reflect.Type]env.ParserFunc{
+		reflect.TypeOf([]byte{}): func(value string) (interface{}, error) {
+			return []byte(value), nil
+		},
+	}
+
+	err := env.ParseWithOptions(&EnvConfig, env.Options{
+		FuncMap: parsers,
+	})
+	if err != nil {
+		return fmt.Errorf("error parsing env config: %w", err)
+	}
+
+	err = prepareEnvConfig(&EnvConfig)
+	if err != nil {
+		return fmt.Errorf("error preparing env config: %w", err)
+	}
+
+	err = validateEnvConfig(&EnvConfig)
+	if err != nil {
+		return err
+	}
+
+	return nil
+
+}
+
+// validateEnvConfig checks the EnvConfig for required fields and valid values
+func validateEnvConfig(config *EnvConfigSchema) error {
+	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
+		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
+	}
+
+	switch config.DbProvider {
+	case DbProviderSqlite:
+		if config.DbConnectionString == "" {
+			config.DbConnectionString = defaultSqliteConnString
+		}
+	case DbProviderPostgres:
+		if config.DbConnectionString == "" {
+			return errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+	default:
+		return errors.New("invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
+	}
+
+	parsedAppUrl, err := url.Parse(config.AppURL)
+	if err != nil {
+		return errors.New("APP_URL is not a valid URL")
+	}
+	if parsedAppUrl.Path != "" {
+		return errors.New("APP_URL must not contain a path")
+	}
+
+	// Derive INTERNAL_APP_URL from APP_URL if not set; validate only when provided
+	if config.InternalAppURL == "" {
+		config.InternalAppURL = config.AppURL
+	} else {
+		parsedInternalAppUrl, err := url.Parse(config.InternalAppURL)
+		if err != nil {
+			return errors.New("INTERNAL_APP_URL is not a valid URL")
+		}
+		if parsedInternalAppUrl.Path != "" {
+			return errors.New("INTERNAL_APP_URL must not contain a path")
+		}
+	}
+
+	switch config.KeysStorage {
+	// KeysStorage defaults to "file" if empty
+	case "":
+		config.KeysStorage = "file"
+	case "database":
+		if config.EncryptionKey == nil {
+			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
+		}
+	case "file":
+		// All good, these are valid values
+	default:
+		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
+	}
+
+	switch config.FileBackend {
+	case "s3":
+		if config.KeysStorage == "file" {
+			return errors.New("KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
+		}
+	case "", "fs":
+		if config.UploadPath == "" {
+			config.UploadPath = defaultFsUploadPath
+		}
+	default:
+		return errors.New("invalid FILE_BACKEND value. Must be 'fs' or 's3'")
+	}
+
+	// Validate LOCAL_IPV6_RANGES
+	ranges := strings.Split(config.LocalIPv6Ranges, ",")
+	for _, rangeStr := range ranges {
+		rangeStr = strings.TrimSpace(rangeStr)
+		if rangeStr == "" {
+			continue
+		}
+
+		_, ipNet, err := net.ParseCIDR(rangeStr)
+		if err != nil {
+			return fmt.Errorf("invalid LOCAL_IPV6_RANGES '%s': %w", rangeStr, err)
+		}
+
+		if ipNet.IP.To4() != nil {
+			return fmt.Errorf("range '%s' is not a valid IPv6 range", rangeStr)
+		}
+
+	}
+
+	return nil
+
+}
+
+// prepareEnvConfig processes special options for EnvConfig fields
+func prepareEnvConfig(config *EnvConfigSchema) error {
+	val := reflect.ValueOf(config).Elem()
+	typ := val.Type()
+
+	for i := 0; i < val.NumField(); i++ {
+		field := val.Field(i)
+		fieldType := typ.Field(i)
+
+		optionsTag := fieldType.Tag.Get("options")
+		options := strings.Split(optionsTag, ",")
+
+		for _, option := range options {
+			switch option {
+			case "toLower":
+				if field.Kind() == reflect.String {
+					field.SetString(strings.ToLower(field.String()))
+				}
+			case "file":
+				err := resolveFileBasedEnvVariable(field, fieldType)
+				if err != nil {
+					return err
+				}
+			case "trimTrailingSlash":
+				if field.Kind() == reflect.String {
+					field.SetString(strings.TrimRight(field.String(), "/"))
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// resolveFileBasedEnvVariable checks if an environment variable with the suffix "_FILE" is set,
+// reads the content of the file specified by that variable, and sets the corresponding field's value.
+func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructField) error {
+	// Only process string and []byte fields
+	isString := field.Kind() == reflect.String
+	isByteSlice := field.Kind() == reflect.Slice && field.Type().Elem().Kind() == reflect.Uint8
+	if !isString && !isByteSlice {
+		return nil
+	}
+
+	// Only process fields with the "env" tag
+	envTag := fieldType.Tag.Get("env")
+	if envTag == "" {
+		return nil
+	}
+
+	envVarName := envTag
+	if commaIndex := len(envTag); commaIndex > 0 {
+		envVarName = envTag[:commaIndex]
+	}
+
+	// If the file environment variable is not set, skip
+	envVarFileName := envVarName + "_FILE"
+	envVarFileValue := os.Getenv(envVarFileName)
+	if envVarFileValue == "" {
+		return nil
+	}
+
+	fileContent, err := os.ReadFile(envVarFileValue)
+	if err != nil {
+		return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)
+	}
+
+	if isString {
+		field.SetString(strings.TrimSpace(string(fileContent)))
+	} else {
+		field.SetBytes(fileContent)
+	}
+
+	return nil
+}

backend/internal/common/env_config_test.go

@@ -0,0 +1,296 @@
+package common
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseEnvConfig(t *testing.T) {
+	// Store original config to restore later
+	originalConfig := EnvConfig
+	t.Cleanup(func() {
+		EnvConfig = originalConfig
+	})
+
+	t.Run("should parse valid SQLite config correctly", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "SQLITE") // should be lowercased automatically
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "HTTP://LOCALHOST:3000")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, DbProviderSqlite, EnvConfig.DbProvider)
+		assert.Equal(t, "http://localhost:3000", EnvConfig.AppURL)
+	})
+
+	t.Run("should parse valid Postgres config correctly", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "POSTGRES")
+		t.Setenv("DB_CONNECTION_STRING", "postgres://user:pass@localhost/db")
+		t.Setenv("APP_URL", "https://example.com")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, DbProviderPostgres, EnvConfig.DbProvider)
+	})
+
+	t.Run("should fail with invalid DB_PROVIDER", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "invalid")
+		t.Setenv("DB_CONNECTION_STRING", "test")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "invalid DB_PROVIDER value")
+	})
+
+	t.Run("should set default SQLite connection string when DB_CONNECTION_STRING is empty", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, defaultSqliteConnString, EnvConfig.DbConnectionString)
+	})
+
+	t.Run("should fail when Postgres DB_CONNECTION_STRING is missing", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "postgres")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "missing required env var 'DB_CONNECTION_STRING' for Postgres")
+	})
+
+	t.Run("should fail with invalid APP_URL", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "€://not-a-valid-url")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "APP_URL is not a valid URL")
+	})
+
+	t.Run("should fail when APP_URL contains path", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000/path")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "APP_URL must not contain a path")
+	})
+
+	t.Run("should fail with invalid INTERNAL_APP_URL", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("INTERNAL_APP_URL", "€://not-a-valid-url")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "INTERNAL_APP_URL is not a valid URL")
+	})
+
+	t.Run("should fail when INTERNAL_APP_URL contains path", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("INTERNAL_APP_URL", "http://localhost:3000/path")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "INTERNAL_APP_URL must not contain a path")
+	})
+
+	t.Run("should default KEYS_STORAGE to 'file' when empty", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, "file", EnvConfig.KeysStorage)
+	})
+
+	t.Run("should fail when KEYS_STORAGE is 'database' but no encryption key", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("KEYS_STORAGE", "database")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
+	})
+
+	t.Run("should accept valid KEYS_STORAGE values", func(t *testing.T) {
+		validStorageTypes := []string{"file", "database"}
+
+		for _, storage := range validStorageTypes {
+			EnvConfig = defaultConfig()
+			t.Setenv("DB_PROVIDER", "sqlite")
+			t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+			t.Setenv("APP_URL", "http://localhost:3000")
+			t.Setenv("KEYS_STORAGE", storage)
+			if storage == "database" {
+				t.Setenv("ENCRYPTION_KEY", "test-key")
+			}
+
+			err := parseEnvConfig()
+			require.NoError(t, err)
+			assert.Equal(t, storage, EnvConfig.KeysStorage)
+		}
+	})
+
+	t.Run("should fail with invalid KEYS_STORAGE value", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("KEYS_STORAGE", "invalid")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "invalid value for KEYS_STORAGE")
+	})
+
+	t.Run("should parse boolean environment variables correctly", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("UI_CONFIG_DISABLED", "true")
+		t.Setenv("METRICS_ENABLED", "true")
+		t.Setenv("TRACING_ENABLED", "false")
+		t.Setenv("TRUST_PROXY", "true")
+		t.Setenv("ANALYTICS_DISABLED", "false")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.True(t, EnvConfig.UiConfigDisabled)
+		assert.True(t, EnvConfig.MetricsEnabled)
+		assert.False(t, EnvConfig.TracingEnabled)
+		assert.True(t, EnvConfig.TrustProxy)
+		assert.False(t, EnvConfig.AnalyticsDisabled)
+	})
+
+	t.Run("should parse string environment variables correctly", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "postgres")
+		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
+		t.Setenv("APP_URL", "https://prod.example.com")
+		t.Setenv("APP_ENV", "STAGING")
+		t.Setenv("UPLOAD_PATH", "/custom/uploads")
+		t.Setenv("KEYS_PATH", "/custom/keys")
+		t.Setenv("PORT", "8080")
+		t.Setenv("HOST", "LOCALHOST")
+		t.Setenv("UNIX_SOCKET", "/tmp/app.sock")
+		t.Setenv("MAXMIND_LICENSE_KEY", "test-license")
+		t.Setenv("GEOLITE_DB_PATH", "/custom/geolite.mmdb")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, "staging", EnvConfig.AppEnv) // lowercased
+		assert.Equal(t, "/custom/uploads", EnvConfig.UploadPath)
+		assert.Equal(t, "8080", EnvConfig.Port)
+		assert.Equal(t, "localhost", EnvConfig.Host) // lowercased
+	})
+
+	t.Run("should normalize file backend and default upload path", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "FS")
+		t.Setenv("UPLOAD_PATH", "")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, "fs", EnvConfig.FileBackend)
+		assert.Equal(t, defaultFsUploadPath, EnvConfig.UploadPath)
+	})
+
+	t.Run("should fail when FILE_BACKEND is s3 but keys are stored on filesystem", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "s3")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
+	})
+
+	t.Run("should fail with invalid FILE_BACKEND value", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "invalid")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "invalid FILE_BACKEND value")
+	})
+}
+
+func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
+	// Create temporary directory for test files
+	tempDir := t.TempDir()
+
+	// Create test files
+	encryptionKeyFile := tempDir + "/encryption_key.txt"
+	encryptionKeyContent := "test-encryption-key-123"
+	err := os.WriteFile(encryptionKeyFile, []byte(encryptionKeyContent), 0600)
+	require.NoError(t, err)
+
+	dbConnFile := tempDir + "/db_connection.txt"
+	dbConnContent := "postgres://user:pass@localhost/testdb"
+	err = os.WriteFile(dbConnFile, []byte(dbConnContent), 0600)
+	require.NoError(t, err)
+
+	binaryKeyFile := tempDir + "/binary_key.bin"
+	binaryKeyContent := []byte{0x01, 0x02, 0x03, 0x04}
+	err = os.WriteFile(binaryKeyFile, binaryKeyContent, 0600)
+	require.NoError(t, err)
+
+	t.Run("should process toLower and file options", func(t *testing.T) {
+		config := defaultConfig()
+		config.AppEnv = "STAGING"
+		config.Host = "LOCALHOST"
+
+		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
+		t.Setenv("DB_CONNECTION_STRING_FILE", dbConnFile)
+
+		err := prepareEnvConfig(&config)
+		require.NoError(t, err)
+
+		assert.Equal(t, "staging", config.AppEnv)
+		assert.Equal(t, "localhost", config.Host)
+		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
+		assert.Equal(t, dbConnContent, config.DbConnectionString)
+	})
+
+	t.Run("should handle binary data correctly", func(t *testing.T) {
+		config := defaultConfig()
+		t.Setenv("ENCRYPTION_KEY_FILE", binaryKeyFile)
+
+		err := prepareEnvConfig(&config)
+		require.NoError(t, err)
+		assert.Equal(t, binaryKeyContent, config.EncryptionKey)
+	})
+}

backend/internal/common/errors.go

@@ -1,18 +1,400 @@
 package common
 
-import "errors"
-
-var (
-	ErrUsernameTaken                = errors.New("username is already taken")
-	ErrEmailTaken                   = errors.New("email is already taken")
-	ErrSetupAlreadyCompleted        = errors.New("setup already completed")
-	ErrTokenInvalidOrExpired        = errors.New("token is invalid or expired")
-	ErrOidcMissingAuthorization     = errors.New("missing authorization")
-	ErrOidcGrantTypeNotSupported    = errors.New("grant type not supported")
-	ErrOidcMissingClientCredentials = errors.New("client id or secret not provided")
-	ErrOidcClientSecretInvalid      = errors.New("invalid client secret")
-	ErrOidcInvalidAuthorizationCode = errors.New("invalid authorization code")
-	ErrOidcInvalidCallbackURL       = errors.New("invalid callback URL")
-	ErrFileTypeNotSupported         = errors.New("file type not supported")
-	ErrInvalidCredentials           = errors.New("no user found with provided credentials")
+import (
+	"errors"
+	"fmt"
+	"net/http"
 )
+
+type AppError interface {
+	error
+	HttpStatusCode() int
+}
+
+// Custom error types for various conditions
+
+type AlreadyInUseError struct {
+	Property string
+}
+
+func (e *AlreadyInUseError) Error() string {
+	return e.Property + " is already in use"
+}
+func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
+
+func (e *AlreadyInUseError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AlreadyInUseError
+	x := &AlreadyInUseError{}
+	return errors.As(target, &x)
+}
+
+type SetupAlreadyCompletedError struct{}
+
+func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
+func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidOrExpiredError struct{}
+
+func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
+func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidError struct{}
+
+func (e *TokenInvalidError) Error() string {
+	return "Token is invalid"
+}
+func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcMissingAuthorizationError struct{}
+
+func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
+func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcGrantTypeNotSupportedError struct{}
+
+func (e *OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
+func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type OidcMissingClientCredentialsError struct{}
+
+func (e *OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
+func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 }
+
+type OidcClientSecretInvalidError struct{}
+
+func (e *OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
+func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcClientAssertionInvalidError struct{}
+
+func (e *OidcClientAssertionInvalidError) Error() string       { return "invalid client assertion" }
+func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidAuthorizationCodeError struct{}
+
+func (e *OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
+func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
+
+type OidcMissingCallbackURLError struct{}
+
+func (e *OidcMissingCallbackURLError) Error() string {
+	return "unable to detect callback url, it might be necessary for an admin to fix this"
+}
+func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidCallbackURLError struct{}
+
+func (e *OidcInvalidCallbackURLError) Error() string {
+	return "invalid callback URL, it might be necessary for an admin to fix this"
+}
+func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
+
+type FileTypeNotSupportedError struct{}
+
+func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
+func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type FileTooLargeError struct {
+	MaxSize string
+}
+
+func (e *FileTooLargeError) Error() string {
+	return fmt.Sprintf("The file can't be larger than %s", e.MaxSize)
+}
+func (e *FileTooLargeError) HttpStatusCode() int { return http.StatusRequestEntityTooLarge }
+
+type NotSignedInError struct{}
+
+func (e *NotSignedInError) Error() string       { return "You are not signed in" }
+func (e *NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingAccessToken struct{}
+
+func (e *MissingAccessToken) Error() string       { return "Missing access token" }
+func (e *MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingPermissionError struct{}
+
+func (e *MissingPermissionError) Error() string {
+	return "You don't have permission to perform this action"
+}
+func (e *MissingPermissionError) HttpStatusCode() int { return http.StatusForbidden }
+
+type TooManyRequestsError struct{}
+
+func (e *TooManyRequestsError) Error() string {
+	return "Too many requests"
+}
+func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
+
+type ClientIdOrSecretNotProvidedError struct{}
+
+func (e *ClientIdOrSecretNotProvidedError) Error() string {
+	return "Client id or secret not provided"
+}
+func (e *ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type WrongFileTypeError struct {
+	ExpectedFileType string
+}
+
+func (e *WrongFileTypeError) Error() string {
+	return fmt.Sprintf("File must be of type %s", e.ExpectedFileType)
+}
+func (e *WrongFileTypeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type MissingSessionIdError struct{}
+
+func (e *MissingSessionIdError) Error() string {
+	return "Missing session id"
+}
+func (e *MissingSessionIdError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type ReservedClaimError struct {
+	Key string
+}
+
+func (e *ReservedClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is reserved and can't be used", e.Key)
+}
+func (e *ReservedClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type DuplicateClaimError struct {
+	Key string
+}
+
+func (e *DuplicateClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is already defined", e.Key)
+}
+func (e *DuplicateClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcInvalidCodeVerifierError struct{}
+
+func (e *OidcInvalidCodeVerifierError) Error() string {
+	return "Invalid code verifier"
+}
+func (e *OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcMissingCodeChallengeError struct{}
+
+func (e *OidcMissingCodeChallengeError) Error() string {
+	return "Missing code challenge"
+}
+func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type LdapUserUpdateError struct{}
+
+func (e *LdapUserUpdateError) Error() string {
+	return "LDAP users can't be updated"
+}
+func (e *LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type LdapUserGroupUpdateError struct{}
+
+func (e *LdapUserGroupUpdateError) Error() string {
+	return "LDAP user groups can't be updated"
+}
+func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcClientIdNotMatchingError struct{}
+
+func (e *OidcClientIdNotMatchingError) Error() string {
+	return "Client id in request doesn't match client id in token"
+}
+func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcNoCallbackURLError struct{}
+
+func (e *OidcNoCallbackURLError) Error() string {
+	return "No callback URL provided"
+}
+func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UiConfigDisabledError struct{}
+
+func (e *UiConfigDisabledError) Error() string {
+	return "The configuration can't be changed since the UI configuration is disabled"
+}
+func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+
+type InvalidUUIDError struct{}
+
+func (e *InvalidUUIDError) Error() string {
+	return "Invalid UUID"
+}
+func (e *InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OneTimeAccessDisabledError struct{}
+
+func (e *OneTimeAccessDisabledError) Error() string {
+	return "One-time access is disabled"
+}
+func (e *OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type InvalidAPIKeyError struct{}
+
+func (e *InvalidAPIKeyError) Error() string {
+	return "Invalid Api Key"
+}
+func (e *InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type NoAPIKeyProvidedError struct{}
+
+func (e *NoAPIKeyProvidedError) Error() string {
+	return "No API Key Provided"
+}
+func (e *NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type APIKeyNotFoundError struct{}
+
+func (e *APIKeyNotFoundError) Error() string {
+	return "API Key Not Found"
+}
+func (e *APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type APIKeyExpirationDateError struct{}
+
+func (e *APIKeyExpirationDateError) Error() string {
+	return "API Key expiration time must be in the future"
+}
+func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcInvalidRefreshTokenError struct{}
+
+func (e *OidcInvalidRefreshTokenError) Error() string {
+	return "refresh token is invalid or expired"
+}
+func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingRefreshTokenError struct{}
+
+func (e *OidcMissingRefreshTokenError) Error() string {
+	return "refresh token is required"
+}
+func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingAuthorizationCodeError struct{}
+
+func (e *OidcMissingAuthorizationCodeError) Error() string {
+	return "authorization code is required"
+}
+func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type UserDisabledError struct{}
+
+func (e *UserDisabledError) Error() string {
+	return "User account is disabled"
+}
+func (e *UserDisabledError) HttpStatusCode() int {
+	return http.StatusForbidden
+}
+
+type ValidationError struct {
+	Message string
+}
+
+func (e *ValidationError) Error() string {
+	return e.Message
+}
+
+func (e *ValidationError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcDeviceCodeExpiredError struct{}
+
+func (e *OidcDeviceCodeExpiredError) Error() string {
+	return "device code has expired"
+}
+func (e *OidcDeviceCodeExpiredError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcInvalidDeviceCodeError struct{}
+
+func (e *OidcInvalidDeviceCodeError) Error() string {
+	return "invalid device code"
+}
+func (e *OidcInvalidDeviceCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcSlowDownError struct{}
+
+func (e *OidcSlowDownError) Error() string {
+	return "polling too frequently"
+}
+func (e *OidcSlowDownError) HttpStatusCode() int {
+	return http.StatusTooManyRequests
+}
+
+type OidcAuthorizationPendingError struct{}
+
+func (e *OidcAuthorizationPendingError) Error() string {
+	return "authorization is still pending"
+}
+func (e *OidcAuthorizationPendingError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type ReauthenticationRequiredError struct{}
+
+func (e *ReauthenticationRequiredError) Error() string {
+	return "reauthentication required"
+}
+func (e *ReauthenticationRequiredError) HttpStatusCode() int {
+	return http.StatusUnauthorized
+}
+
+type OpenSignupDisabledError struct{}
+
+func (e *OpenSignupDisabledError) Error() string {
+	return "Open user signup is not enabled"
+}
+
+func (e *OpenSignupDisabledError) HttpStatusCode() int {
+	return http.StatusForbidden
+}
+
+type ClientIdAlreadyExistsError struct{}
+
+func (e *ClientIdAlreadyExistsError) Error() string {
+	return "Client ID already in use"
+}
+
+func (e *ClientIdAlreadyExistsError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type UserEmailNotSetError struct{}
+
+func (e *UserEmailNotSetError) Error() string {
+	return "The user does not have an email address set"
+}
+
+func (e *UserEmailNotSetError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type ImageNotFoundError struct{}
+
+func (e *ImageNotFoundError) Error() string {
+	return "Image not found"
+}
+
+func (e *ImageNotFoundError) HttpStatusCode() int {
+	return http.StatusNotFound
+}

backend/internal/common/version.go

@@ -0,0 +1,9 @@
+package common
+
+// Name is the name of the application
+const Name = "pocket-id"
+
+// Version contains the Pocket ID version.
+//
+// It can be set at build time using -ldflags.
+var Version = "unknown"

backend/internal/controller/api_key_controller.go

@@ -0,0 +1,121 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// swag init -g cmd/main.go -o ./docs/swagger --parseDependency
+
+// ApiKeyController manages API keys for authenticated users
+type ApiKeyController struct {
+	apiKeyService *service.ApiKeyService
+}
+
+// NewApiKeyController creates a new controller for API key management
+// @Summary API key management controller
+// @Description Initializes API endpoints for managing API keys
+// @Tags API Keys
+func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, apiKeyService *service.ApiKeyService) {
+	uc := &ApiKeyController{apiKeyService: apiKeyService}
+
+	apiKeyGroup := group.Group("/api-keys")
+	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
+	{
+		apiKeyGroup.GET("", uc.listApiKeysHandler)
+		apiKeyGroup.POST("", uc.createApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+	}
+}
+
+// listApiKeysHandler godoc
+// @Summary List API keys
+// @Description Get a paginated list of API keys belonging to the current user
+// @Tags API Keys
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.ApiKeyDto]
+// @Router /api/api-keys [get]
+func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(ctx)
+
+	userID := ctx.GetString("userID")
+
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, listRequestOptions)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeysDto []dto.ApiKeyDto
+	if err := dto.MapStructList(apiKeys, &apiKeysDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, dto.Paginated[dto.ApiKeyDto]{
+		Data:       apiKeysDto,
+		Pagination: pagination,
+	})
+}
+
+// createApiKeyHandler godoc
+// @Summary Create API key
+// @Description Create a new API key for the current user
+// @Tags API Keys
+// @Param api_key body dto.ApiKeyCreateDto true "API key information"
+// @Success 201 {object} dto.ApiKeyResponseDto "Created API key with token"
+// @Router /api/api-keys [post]
+func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var input dto.ApiKeyCreateDto
+	if err := dto.ShouldBindWithNormalizedJSON(ctx, &input); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKey, token, err := c.apiKeyService.CreateApiKey(ctx.Request.Context(), userID, input)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeyDto dto.ApiKeyDto
+	if err := dto.MapStruct(apiKey, &apiKeyDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusCreated, dto.ApiKeyResponseDto{
+		ApiKey: apiKeyDto,
+		Token:  token,
+	})
+}
+
+// revokeApiKeyHandler godoc
+// @Summary Revoke API key
+// @Description Revoke (delete) an existing API key by ID
+// @Tags API Keys
+// @Param id path string true "API Key ID"
+// @Success 204 "No Content"
+// @Router /api/api-keys/{id} [delete]
+func (c *ApiKeyController) revokeApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+	apiKeyID := ctx.Param("id")
+
+	if err := c.apiKeyService.RevokeApiKey(ctx.Request.Context(), userID, apiKeyID); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}

backend/internal/controller/app_config_controller.go

@@ -1,156 +1,153 @@
 package controller
 
 import (
-	"errors"
-	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
+// NewAppConfigController creates a new controller for application configuration endpoints
+// @Summary Create a new application configuration controller
+// @Description Initialize routes for application configuration
+// @Tags Application Configuration
 func NewAppConfigController(
 	group *gin.RouterGroup,
-	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
-	appConfigService *service.AppConfigService) {
+	authMiddleware *middleware.AuthMiddleware,
+	appConfigService *service.AppConfigService,
+	emailService *service.EmailService,
+	ldapService *service.LdapService,
+) {
 
 	acc := &AppConfigController{
 		appConfigService: appConfigService,
+		emailService:     emailService,
+		ldapService:      ldapService,
 	}
 	group.GET("/application-configuration", acc.listAppConfigHandler)
-	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
-	group.PUT("/application-configuration", acc.updateAppConfigHandler)
+	group.GET("/application-configuration/all", authMiddleware.Add(), acc.listAllAppConfigHandler)
+	group.PUT("/application-configuration", authMiddleware.Add(), acc.updateAppConfigHandler)
 
-	group.GET("/application-configuration/logo", acc.getLogoHandler)
-	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
-	group.GET("/application-configuration/favicon", acc.getFaviconHandler)
-	group.PUT("/application-configuration/logo", jwtAuthMiddleware.Add(true), acc.updateLogoHandler)
-	group.PUT("/application-configuration/favicon", jwtAuthMiddleware.Add(true), acc.updateFaviconHandler)
-	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
+	group.POST("/application-configuration/test-email", authMiddleware.Add(), acc.testEmailHandler)
+	group.POST("/application-configuration/sync-ldap", authMiddleware.Add(), acc.syncLdapHandler)
 }
 
 type AppConfigController struct {
 	appConfigService *service.AppConfigService
+	emailService     *service.EmailService
+	ldapService      *service.LdapService
 }
 
+// listAppConfigHandler godoc
+// @Summary List public application configurations
+// @Description Get all public application configurations
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.PublicAppConfigVariableDto
+// @Router /application-configuration [get]
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(false)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
+	configuration := acc.appConfigService.ListAppConfig(false)
 
 	var configVariablesDto []dto.PublicAppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.JSON(200, configVariablesDto)
+	// Manually add uiConfigDisabled which isn't in the database but defined with an environment variable
+	configVariablesDto = append(configVariablesDto, dto.PublicAppConfigVariableDto{
+		Key:   "uiConfigDisabled",
+		Value: strconv.FormatBool(common.EnvConfig.UiConfigDisabled),
+		Type:  "boolean",
+	})
+
+	c.JSON(http.StatusOK, configVariablesDto)
 }
 
+// listAllAppConfigHandler godoc
+// @Summary List all application configurations
+// @Description Get all application configurations including private ones
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Router /application-configuration/all [get]
 func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(true)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
+	configuration := acc.appConfigService.ListAppConfig(true)
 
 	var configVariablesDto []dto.AppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	c.JSON(200, configVariablesDto)
-}
-
-func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
-	var input dto.AppConfigUpdateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	var configVariablesDto []dto.AppConfigVariableDto
-	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusOK, configVariablesDto)
 }
 
-func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
-	acc.getImage(c, "logo", imageType)
-}
-
-func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
-	acc.getImage(c, "favicon", "ico")
-}
-
-func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
-	acc.getImage(c, "background", imageType)
-}
-
-func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
-	acc.updateImage(c, "logo", imageType)
-}
-
-func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
-	file, err := c.FormFile("file")
-	if err != nil {
-		utils.ControllerError(c, err)
+// updateAppConfigHandler godoc
+// @Summary Update application configurations
+// @Description Update application configuration settings
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Param body body dto.AppConfigUpdateDto true "Application Configuration"
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Router /api/application-configuration [put]
+func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
+	var input dto.AppConfigUpdateDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
-	fileType := utils.GetFileExtension(file.Filename)
-	if fileType != "ico" {
-		utils.CustomControllerError(c, http.StatusBadRequest, "File must be of type .ico")
-		return
-	}
-	acc.updateImage(c, "favicon", "ico")
-}
-
-func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
-	acc.updateImage(c, "background", imageType)
-}
-
-func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
-	mimeType := utils.GetImageMimeType(imageType)
-
-	c.Header("Content-Type", mimeType)
-	c.File(imagePath)
-}
-
-func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, oldImageType string) {
-	file, err := c.FormFile("file")
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(c.Request.Context(), input)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// syncLdapHandler godoc
+// @Summary Synchronize LDAP
+// @Description Manually trigger LDAP synchronization
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Router /api/application-configuration/sync-ldap [post]
+func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
+	err := acc.ldapService.SyncAll(c.Request.Context())
 	if err != nil {
-		if errors.Is(err, common.ErrFileTypeNotSupported) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// testEmailHandler godoc
+// @Summary Send test email
+// @Description Send a test email to verify email configuration
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Router /api/application-configuration/test-email [post]
+func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	err := acc.emailService.SendTestEmail(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}
 

backend/internal/controller/app_images_controller.go

@@ -0,0 +1,228 @@
+package controller
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func NewAppImagesController(
+	group *gin.RouterGroup,
+	authMiddleware *middleware.AuthMiddleware,
+	appImagesService *service.AppImagesService,
+) {
+	controller := &AppImagesController{
+		appImagesService: appImagesService,
+	}
+
+	group.GET("/application-images/logo", controller.getLogoHandler)
+	group.GET("/application-images/background", controller.getBackgroundImageHandler)
+	group.GET("/application-images/favicon", controller.getFaviconHandler)
+	group.GET("/application-images/default-profile-picture", authMiddleware.Add(), controller.getDefaultProfilePicture)
+
+	group.PUT("/application-images/logo", authMiddleware.Add(), controller.updateLogoHandler)
+	group.PUT("/application-images/background", authMiddleware.Add(), controller.updateBackgroundImageHandler)
+	group.PUT("/application-images/favicon", authMiddleware.Add(), controller.updateFaviconHandler)
+	group.PUT("/application-images/default-profile-picture", authMiddleware.Add(), controller.updateDefaultProfilePicture)
+
+	group.DELETE("/application-images/default-profile-picture", authMiddleware.Add(), controller.deleteDefaultProfilePicture)
+}
+
+type AppImagesController struct {
+	appImagesService *service.AppImagesService
+}
+
+// getLogoHandler godoc
+// @Summary Get logo image
+// @Description Get the logo image for the application
+// @Tags Application Images
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Success 200 {file} binary "Logo image"
+// @Router /api/application-images/logo [get]
+func (c *AppImagesController) getLogoHandler(ctx *gin.Context) {
+	lightLogo, _ := strconv.ParseBool(ctx.DefaultQuery("light", "true"))
+	imageName := "logoLight"
+	if !lightLogo {
+		imageName = "logoDark"
+	}
+
+	c.getImage(ctx, imageName)
+}
+
+// getBackgroundImageHandler godoc
+// @Summary Get background image
+// @Description Get the background image for the application
+// @Tags Application Images
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Background image"
+// @Router /api/application-images/background [get]
+func (c *AppImagesController) getBackgroundImageHandler(ctx *gin.Context) {
+	c.getImage(ctx, "background")
+}
+
+// getFaviconHandler godoc
+// @Summary Get favicon
+// @Description Get the favicon for the application
+// @Tags Application Images
+// @Produce image/x-icon
+// @Success 200 {file} binary "Favicon image"
+// @Router /api/application-images/favicon [get]
+func (c *AppImagesController) getFaviconHandler(ctx *gin.Context) {
+	c.getImage(ctx, "favicon")
+}
+
+// getDefaultProfilePicture godoc
+// @Summary Get default profile picture image
+// @Description Get the default profile picture image for the application
+// @Tags Application Images
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Default profile picture image"
+// @Router /api/application-images/default-profile-picture [get]
+func (c *AppImagesController) getDefaultProfilePicture(ctx *gin.Context) {
+	c.getImage(ctx, "default-profile-picture")
+}
+
+// updateLogoHandler godoc
+// @Summary Update logo
+// @Description Update the application logo
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Param file formData file true "Logo image file"
+// @Success 204 "No Content"
+// @Router /api/application-images/logo [put]
+func (c *AppImagesController) updateLogoHandler(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	lightLogo, _ := strconv.ParseBool(ctx.DefaultQuery("light", "true"))
+	imageName := "logoLight"
+	if !lightLogo {
+		imageName = "logoDark"
+	}
+
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, imageName); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// updateBackgroundImageHandler godoc
+// @Summary Update background image
+// @Description Update the application background image
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param file formData file true "Background image file"
+// @Success 204 "No Content"
+// @Router /api/application-images/background [put]
+func (c *AppImagesController) updateBackgroundImageHandler(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "background"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// updateFaviconHandler godoc
+// @Summary Update favicon
+// @Description Update the application favicon
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param file formData file true "Favicon file (.ico)"
+// @Success 204 "No Content"
+// @Router /api/application-images/favicon [put]
+func (c *AppImagesController) updateFaviconHandler(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	fileType := utils.GetFileExtension(file.Filename)
+	if fileType != "ico" {
+		_ = ctx.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
+		return
+	}
+
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "favicon"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+func (c *AppImagesController) getImage(ctx *gin.Context, name string) {
+	reader, size, mimeType, err := c.appImagesService.GetImage(ctx.Request.Context(), name)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+	defer reader.Close()
+
+	ctx.Header("Content-Type", mimeType)
+	utils.SetCacheControlHeader(ctx, 15*time.Minute, 24*time.Hour)
+	ctx.DataFromReader(http.StatusOK, size, mimeType, reader, nil)
+}
+
+// updateDefaultProfilePicture godoc
+// @Summary Update default profile picture image
+// @Description Update the default profile picture image
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param file formData file true "Profile picture image file"
+// @Success 204 "No Content"
+// @Router /api/application-images/default-profile-picture [put]
+func (c *AppImagesController) updateDefaultProfilePicture(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "default-profile-picture"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// deleteDefaultProfilePicture godoc
+// @Summary Delete default profile picture image
+// @Description Delete the default profile picture image
+// @Tags Application Images
+// @Success 204 "No Content"
+// @Router /api/application-images/default-profile-picture [delete]
+func (c *AppImagesController) deleteDefaultProfilePicture(ctx *gin.Context) {
+	if err := c.appImagesService.DeleteImage(ctx.Request.Context(), "default-profile-picture"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}

backend/internal/controller/audit_log_controller.go

@@ -1,37 +1,54 @@
 package controller
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"net/http"
-	"strconv"
+
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
-func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {
+// NewAuditLogController creates a new controller for audit log management
+// @Summary Audit log controller
+// @Description Initializes API endpoints for accessing audit logs
+// @Tags Audit Logs
+func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, authMiddleware *middleware.AuthMiddleware) {
 	alc := AuditLogController{
 		auditLogService: auditLogService,
 	}
 
-	group.GET("/audit-logs", jwtAuthMiddleware.Add(false), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/all", authMiddleware.Add(), alc.listAllAuditLogsHandler)
+	group.GET("/audit-logs", authMiddleware.WithAdminNotRequired().Add(), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/filters/client-names", authMiddleware.Add(), alc.listClientNamesHandler)
+	group.GET("/audit-logs/filters/users", authMiddleware.Add(), alc.listUserNamesWithIdsHandler)
 }
 
 type AuditLogController struct {
 	auditLogService *service.AuditLogService
 }
 
+// listAuditLogsForUserHandler godoc
+// @Summary List audit logs
+// @Description Get a paginated list of audit logs for the current user
+// @Tags Audit Logs
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs [get]
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
 	userID := c.GetString("userID")
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
 
 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, page, pageSize)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, listRequestOptions)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -39,7 +56,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	var logsDtos []dto.AuditLogDto
 	err = dto.MapStructList(logs, &logsDtos)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -49,8 +66,78 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 		logsDtos[i] = logsDto
 	}
 
-	c.JSON(http.StatusOK, gin.H{
-		"data":       logsDtos,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
 	})
 }
+
+// listAllAuditLogsHandler godoc
+// @Summary List all audit logs
+// @Description Get a paginated list of all audit logs (admin only)
+// @Tags Audit Logs
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs/all [get]
+func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), listRequestOptions)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var logsDtos []dto.AuditLogDto
+	err = dto.MapStructList(logs, &logsDtos)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	for i, logsDto := range logsDtos {
+		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDto.Username = logs[i].User.Username
+		logsDtos[i] = logsDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
+	})
+}
+
+// listClientNamesHandler godoc
+// @Summary List client names
+// @Description Get a list of all client names for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {array} string "List of client names"
+// @Router /api/audit-logs/filters/client-names [get]
+func (alc *AuditLogController) listClientNamesHandler(c *gin.Context) {
+	names, err := alc.auditLogService.ListClientNames(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, names)
+}
+
+// listUserNamesWithIdsHandler godoc
+// @Summary List users with IDs
+// @Description Get a list of all usernames with their IDs for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {object} map[string]string "Map of user IDs to usernames"
+// @Router /api/audit-logs/filters/users [get]
+func (alc *AuditLogController) listUserNamesWithIdsHandler(c *gin.Context) {
+	users, err := alc.auditLogService.ListUsernamesWithIds(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, users)
+}

backend/internal/controller/custom_claim_controller.go

@@ -0,0 +1,115 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// NewCustomClaimController creates a new controller for custom claim management
+// @Summary Custom claim management controller
+// @Description Initializes all custom claim-related API endpoints
+// @Tags Custom Claims
+func NewCustomClaimController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, customClaimService *service.CustomClaimService) {
+	wkc := &CustomClaimController{customClaimService: customClaimService}
+
+	customClaimsGroup := group.Group("/custom-claims")
+	customClaimsGroup.Use(authMiddleware.Add())
+	{
+		customClaimsGroup.GET("/suggestions", wkc.getSuggestionsHandler)
+		customClaimsGroup.PUT("/user/:userId", wkc.UpdateCustomClaimsForUserHandler)
+		customClaimsGroup.PUT("/user-group/:userGroupId", wkc.UpdateCustomClaimsForUserGroupHandler)
+	}
+}
+
+type CustomClaimController struct {
+	customClaimService *service.CustomClaimService
+}
+
+// getSuggestionsHandler godoc
+// @Summary Get custom claim suggestions
+// @Description Get a list of suggested custom claim names
+// @Tags Custom Claims
+// @Produce json
+// @Success 200 {array} string "List of suggested custom claim names"
+// @Router /api/custom-claims/suggestions [get]
+func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
+	claims, err := ccc.customClaimService.GetSuggestions(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, claims)
+}
+
+// UpdateCustomClaimsForUserHandler godoc
+// @Summary Update custom claims for a user
+// @Description Update or create custom claims for a specific user
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userId path string true "User ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Router /api/custom-claims/user/{userId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userId := c.Param("userId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(c.Request.Context(), userId, input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}
+
+// UpdateCustomClaimsForUserGroupHandler godoc
+// @Summary Update custom claims for a user group
+// @Description Update or create custom claims for a specific user group
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userGroupId path string true "User Group ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user group"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Router /api/custom-claims/user-group/{userGroupId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userGroupId := c.Param("userGroupId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(c.Request.Context(), userGroupId, input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}

backend/internal/controller/e2etest_controller.go

@@ -0,0 +1,127 @@
+//go:build e2etest
+
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
+	testController := &TestController{TestService: testService}
+
+	group.POST("/test/reset", testController.resetAndSeedHandler)
+	group.POST("/test/refreshtoken", testController.signRefreshToken)
+
+	group.GET("/externalidp/jwks.json", testController.externalIdPJWKS)
+	group.POST("/externalidp/sign", testController.externalIdPSignToken)
+}
+
+type TestController struct {
+	TestService *service.TestService
+}
+
+func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
+	var baseURL string
+	if c.Request.TLS != nil {
+		baseURL = "https://" + c.Request.Host
+	} else {
+		baseURL = "http://" + c.Request.Host
+	}
+
+	skipLdap := c.Query("skip-ldap") == "true"
+	skipSeed := c.Query("skip-seed") == "true"
+
+	if err := tc.TestService.ResetDatabase(); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if err := tc.TestService.ResetApplicationImages(c.Request.Context()); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if !skipSeed {
+		if err := tc.TestService.SeedDatabase(baseURL); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
+	if err := tc.TestService.ResetAppConfig(c.Request.Context()); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if !skipLdap {
+		if err := tc.TestService.SetLdapTestConfig(c.Request.Context()); err != nil {
+			_ = c.Error(err)
+			return
+		}
+
+		if err := tc.TestService.SyncLdap(c.Request.Context()); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
+	tc.TestService.SetJWTKeys()
+
+	c.Status(http.StatusNoContent)
+}
+
+func (tc *TestController) externalIdPJWKS(c *gin.Context) {
+	jwks, err := tc.TestService.GetExternalIdPJWKS()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, jwks)
+}
+
+func (tc *TestController) externalIdPSignToken(c *gin.Context) {
+	var input struct {
+		Aud string `json:"aud"`
+		Iss string `json:"iss"`
+		Sub string `json:"sub"`
+	}
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	token, err := tc.TestService.SignExternalIdPToken(input.Iss, input.Sub, input.Aud)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Writer.WriteString(token)
+}
+
+func (tc *TestController) signRefreshToken(c *gin.Context) {
+	var input struct {
+		UserID       string `json:"user"`
+		ClientID     string `json:"client"`
+		RefreshToken string `json:"rt"`
+	}
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	token, err := tc.TestService.SignRefreshToken(input.UserID, input.ClientID, input.RefreshToken)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Writer.WriteString(token)
+}

backend/internal/controller/healthz_controller.go

@@ -0,0 +1,29 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+// NewHealthzController creates a new controller for the healthcheck endpoints
+// @Summary Healthcheck controller
+// @Description Initializes healthcheck endpoints
+// @Tags Health
+func NewHealthzController(r *gin.Engine) {
+	hc := &HealthzController{}
+
+	r.GET("/healthz", hc.healthzHandler)
+}
+
+type HealthzController struct{}
+
+// healthzHandler godoc
+// @Summary Responds to healthchecks
+// @Description Responds with a successful status code to healthcheck requests
+// @Tags Health
+// @Success 204 ""
+// @Router /healthz [get]
+func (hc *HealthzController) healthzHandler(c *gin.Context) {
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/test_controller.go

@@ -1,37 +0,0 @@
-package controller
-
-import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"net/http"
-)
-
-func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
-	testController := &TestController{TestService: testService}
-
-	group.POST("/test/reset", testController.resetAndSeedHandler)
-}
-
-type TestController struct {
-	TestService *service.TestService
-}
-
-func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
-	if err := tc.TestService.ResetDatabase(); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	if err := tc.TestService.ResetApplicationImages(); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	if err := tc.TestService.SeedDatabase(); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}

backend/internal/controller/user_controller.go

@@ -1,195 +1,656 @@
 package controller
 
 import (
-	"errors"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"golang.org/x/time/rate"
 	"net/http"
-	"strconv"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
 )
 
-func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService) {
+const (
+	defaultOneTimeAccessTokenDuration = 15 * time.Minute
+	defaultSignupTokenDuration        = time.Hour
+)
+
+// NewUserController creates a new controller for user management endpoints
+// @Summary User management controller
+// @Description Initializes all user-related API endpoints
+// @Tags Users
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
 	uc := UserController{
-		UserService: userService,
+		userService:      userService,
+		appConfigService: appConfigService,
 	}
 
-	group.GET("/users", jwtAuthMiddleware.Add(true), uc.listUsersHandler)
-	group.GET("/users/me", jwtAuthMiddleware.Add(false), uc.getCurrentUserHandler)
-	group.GET("/users/:id", jwtAuthMiddleware.Add(true), uc.getUserHandler)
-	group.POST("/users", jwtAuthMiddleware.Add(true), uc.createUserHandler)
-	group.PUT("/users/:id", jwtAuthMiddleware.Add(true), uc.updateUserHandler)
-	group.PUT("/users/me", jwtAuthMiddleware.Add(false), uc.updateCurrentUserHandler)
-	group.DELETE("/users/:id", jwtAuthMiddleware.Add(true), uc.deleteUserHandler)
+	group.GET("/users", authMiddleware.Add(), uc.listUsersHandler)
+	group.GET("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.getCurrentUserHandler)
+	group.GET("/users/:id", authMiddleware.Add(), uc.getUserHandler)
+	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
+	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
+	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
+	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)
 
-	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
+	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)
+
+	group.GET("/users/:id/profile-picture.png", uc.getUserProfilePictureHandler)
+
+	group.PUT("/users/:id/profile-picture", authMiddleware.Add(), uc.updateUserProfilePictureHandler)
+	group.PUT("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserProfilePictureHandler)
+
+	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-email", authMiddleware.Add(), uc.RequestOneTimeAccessEmailAsAdminHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
-	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.RequestOneTimeAccessEmailAsUnauthenticatedUserHandler)
+
+	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
+	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
+
+	group.POST("/signup-tokens", authMiddleware.Add(), uc.createSignupTokenHandler)
+	group.GET("/signup-tokens", authMiddleware.Add(), uc.listSignupTokensHandler)
+	group.DELETE("/signup-tokens/:id", authMiddleware.Add(), uc.deleteSignupTokenHandler)
+	group.POST("/signup", rateLimitMiddleware.Add(rate.Every(1*time.Minute), 10), uc.signupHandler)
+	group.POST("/signup/setup", uc.signUpInitialAdmin)
+
 }
 
 type UserController struct {
-	UserService *service.UserService
+	userService      *service.UserService
+	appConfigService *service.AppConfigService
 }
 
-func (uc *UserController) listUsersHandler(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
-	searchTerm := c.Query("search")
-
-	users, pagination, err := uc.UserService.ListUsers(searchTerm, page, pageSize)
+// getUserGroupsHandler godoc
+// @Summary Get user groups
+// @Description Retrieve all groups a specific user belongs to
+// @Tags Users,User Groups
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.UserGroupDtoWithUsers
+// @Router /api/users/{id}/groups [get]
+func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
+	userID := c.Param("id")
+	groups, err := uc.userService.GetUserGroups(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+
+	var groupsDto []dto.UserGroupDtoWithUsers
+	if err := dto.MapStructList(groups, &groupsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupsDto)
+}
+
+// listUsersHandler godoc
+// @Summary List users
+// @Description Get a paginated list of users with optional search and sorting
+// @Tags Users
+// @Param search query string false "Search term to filter users"
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.UserDto]
+// @Router /api/users [get]
+func (uc *UserController) listUsersHandler(c *gin.Context) {
+	searchTerm := c.Query("search")
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, listRequestOptions)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}
 
 	var usersDto []dto.UserDto
 	if err := dto.MapStructList(users, &usersDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.JSON(http.StatusOK, gin.H{
-		"data":       usersDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserDto]{
+		Data:       usersDto,
+		Pagination: pagination,
 	})
 }
 
+// getUserHandler godoc
+// @Summary Get user by ID
+// @Description Retrieve detailed information about a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [get]
 func (uc *UserController) getUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.Param("id"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusOK, userDto)
 }
 
+// getCurrentUserHandler godoc
+// @Summary Get current user
+// @Description Retrieve information about the currently authenticated user
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [get]
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.GetString("userID"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.GetString("userID"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusOK, userDto)
 }
 
+// deleteUserHandler godoc
+// @Summary Delete user
+// @Description Delete a specific user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id} [delete]
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
-	if err := uc.UserService.DeleteUser(c.Param("id")); err != nil {
-		utils.ControllerError(c, err)
+	if err := uc.userService.DeleteUser(c.Request.Context(), c.Param("id"), false); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
 	c.Status(http.StatusNoContent)
 }
 
+// createUserHandler godoc
+// @Summary Create user
+// @Description Create a new user
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 201 {object} dto.UserDto
+// @Router /api/users [post]
 func (uc *UserController) createUserHandler(c *gin.Context) {
 	var input dto.UserCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
-	user, err := uc.UserService.CreateUser(input)
+	user, err := uc.userService.CreateUser(c.Request.Context(), input)
 	if err != nil {
-		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusCreated, userDto)
 }
 
+// updateUserHandler godoc
+// @Summary Update user
+// @Description Update an existing user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [put]
 func (uc *UserController) updateUserHandler(c *gin.Context) {
 	uc.updateUser(c, false)
 }
 
+// updateCurrentUserHandler godoc
+// @Summary Update current user
+// @Description Update the currently authenticated user's information
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [put]
 func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
 	uc.updateUser(c, true)
 }
 
-func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
-	var input dto.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+// getUserProfilePictureHandler godoc
+// @Summary Get user profile picture
+// @Description Retrieve a specific user's profile picture
+// @Tags Users
+// @Produce image/png
+// @Param id path string true "User ID"
+// @Success 200 {file} binary "PNG image"
+// @Router /api/users/{id}/profile-picture.png [get]
+func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	picture, size, err := uc.userService.GetProfilePicture(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	if picture != nil {
+		defer picture.Close()
+	}
+
+	utils.SetCacheControlHeader(c, 15*time.Minute, 1*time.Hour)
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
+}
+
+// updateUserProfilePictureHandler godoc
+// @Summary Update user profile picture
+// @Description Update a specific user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param id path string true "User ID"
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [put]
+func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(c.Request.Context(), userID, file); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
-	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	c.Status(http.StatusNoContent)
+}
+
+// updateCurrentUserProfilePictureHandler godoc
+// @Summary Update current user's profile picture
+// @Description Update the currently authenticated user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [put]
+func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	fileHeader, err := c.FormFile("file")
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(c.Request.Context(), userID, file); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
+	var input dto.OneTimeAccessTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var ttl time.Duration
+	if own {
+		input.UserID = c.GetString("userID")
+		ttl = defaultOneTimeAccessTokenDuration
+	} else {
+		ttl = input.TTL.Duration
+		if ttl <= 0 {
+			ttl = defaultOneTimeAccessTokenDuration
+		}
+	}
+	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, ttl)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusCreated, gin.H{"token": token})
 }
 
-func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.ExchangeOneTimeAccessToken(c.Param("token"))
-	if err != nil {
-		if errors.Is(err, common.ErrTokenInvalidOrExpired) {
-			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+// createOwnOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for current user
+// @Description Generate a one-time access token for the currently authenticated user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, true)
+}
+
+// createAdminOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for user (admin)
+// @Description Generate a one-time access token for a specific user (admin only)
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, false)
+}
+
+// RequestOneTimeAccessEmailAsUnauthenticatedUserHandler godoc
+// @Summary Request one-time access email
+// @Description Request a one-time access email for unauthenticated users
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param body body dto.OneTimeAccessEmailAsUnauthenticatedUserDto true "Email request information"
+// @Success 204 "No Content"
+// @Router /api/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsUnauthenticatedUserDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
-	c.JSON(http.StatusOK, user)
+	err := uc.userService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
 }
 
-func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.SetupInitialAdmin()
+// RequestOneTimeAccessEmailAsAdminHandler godoc
+// @Summary Request one-time access email (admin)
+// @Description Request a one-time access email for a specific user (admin only)
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessEmailAsAdminDto true "Email request options"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsAdminDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userID := c.Param("id")
+
+	ttl := input.TTL.Duration
+	if ttl <= 0 {
+		ttl = defaultOneTimeAccessTokenDuration
+	}
+	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, ttl)
 	if err != nil {
-		if errors.Is(err, common.ErrSetupAlreadyCompleted) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// exchangeOneTimeAccessTokenHandler godoc
+// @Summary Exchange one-time access token
+// @Description Exchange a one-time access token for a session token
+// @Tags Users
+// @Param token path string true "One-time access token"
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/{token} [post]
+func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), c.ClientIP(), c.Request.UserAgent())
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }
 
+// signUpInitialAdmin godoc
+// @Summary Sign up initial admin user
+// @Description Sign up and generate setup access token for initial admin user
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param body body dto.SignUpDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/signup/setup [post]
+func (uc *UserController) signUpInitialAdmin(c *gin.Context) {
+	var input dto.SignUpDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	user, token, err := uc.userService.SignUpInitialAdmin(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// updateUserGroups godoc
+// @Summary Update user groups
+// @Description Update the groups a specific user belongs to
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param groups body dto.UserUpdateUserGroupDto true "User group IDs"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id}/user-groups [put]
+func (uc *UserController) updateUserGroups(c *gin.Context) {
+	var input dto.UserUpdateUserGroupDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	user, err := uc.userService.UpdateUserGroups(c.Request.Context(), c.Param("id"), input.UserGroupIds)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// createSignupTokenHandler godoc
+// @Summary Create signup token
+// @Description Create a new signup token that allows user registration
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param token body dto.SignupTokenCreateDto true "Signup token information"
+// @Success 201 {object} dto.SignupTokenDto
+// @Router /api/signup-tokens [post]
+func (uc *UserController) createSignupTokenHandler(c *gin.Context) {
+	var input dto.SignupTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	ttl := input.TTL.Duration
+	if ttl <= 0 {
+		ttl = defaultSignupTokenDuration
+	}
+
+	signupToken, err := uc.userService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var tokenDto dto.SignupTokenDto
+	err = dto.MapStruct(signupToken, &tokenDto)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, tokenDto)
+}
+
+// listSignupTokensHandler godoc
+// @Summary List signup tokens
+// @Description Get a paginated list of signup tokens
+// @Tags Users
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.SignupTokenDto]
+// @Router /api/signup-tokens [get]
+func (uc *UserController) listSignupTokensHandler(c *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	tokens, pagination, err := uc.userService.ListSignupTokens(c.Request.Context(), listRequestOptions)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var tokensDto []dto.SignupTokenDto
+	if err := dto.MapStructList(tokens, &tokensDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.SignupTokenDto]{
+		Data:       tokensDto,
+		Pagination: pagination,
+	})
+}
+
+// deleteSignupTokenHandler godoc
+// @Summary Delete signup token
+// @Description Delete a signup token by ID
+// @Tags Users
+// @Param id path string true "Token ID"
+// @Success 204 "No Content"
+// @Router /api/signup-tokens/{id} [delete]
+func (uc *UserController) deleteSignupTokenHandler(c *gin.Context) {
+	tokenID := c.Param("id")
+
+	err := uc.userService.DeleteSignupToken(c.Request.Context(), tokenID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// signupWithTokenHandler godoc
+// @Summary Sign up
+// @Description Create a new user account
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param user body dto.SignUpDto true "User information"
+// @Success 201 {object} dto.SignUpDto
+// @Router /api/signup [post]
+func (uc *UserController) signupHandler(c *gin.Context) {
+	var input dto.SignUpDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	ipAddress := c.ClientIP()
+	userAgent := c.GetHeader("User-Agent")
+
+	user, accessToken, err := uc.userService.SignUp(c.Request.Context(), input, ipAddress, userAgent)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, accessToken)
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, userDto)
+}
+
+// updateUser is an internal helper method, not exposed as an API endpoint
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 	var input dto.UserCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
 		return
 	}
 
@@ -200,21 +661,54 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}
 
-	user, err := uc.UserService.UpdateUser(userID, input, updateOwnUser)
+	user, err := uc.userService.UpdateUser(c.Request.Context(), userID, input, updateOwnUser, false)
 	if err != nil {
-		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	c.JSON(http.StatusOK, userDto)
 }
+
+// resetUserProfilePictureHandler godoc
+// @Summary Reset user profile picture
+// @Description Reset a specific user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [delete]
+func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if err := uc.userService.ResetProfilePicture(c.Request.Context(), userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// resetCurrentUserProfilePictureHandler godoc
+// @Summary Reset current user's profile picture
+// @Description Reset the currently authenticated user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [delete]
+func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	if err := uc.userService.ResetProfilePicture(c.Request.Context(), userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/user_group_controller.go

@@ -0,0 +1,217 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewUserGroupController creates a new controller for user group management
+// @Summary User group management controller
+// @Description Initializes all user group-related API endpoints
+// @Tags User Groups
+func NewUserGroupController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, userGroupService *service.UserGroupService) {
+	ugc := UserGroupController{
+		UserGroupService: userGroupService,
+	}
+
+	userGroupsGroup := group.Group("/user-groups")
+	userGroupsGroup.Use(authMiddleware.Add())
+	{
+		userGroupsGroup.GET("", ugc.list)
+		userGroupsGroup.GET("/:id", ugc.get)
+		userGroupsGroup.POST("", ugc.create)
+		userGroupsGroup.PUT("/:id", ugc.update)
+		userGroupsGroup.DELETE("/:id", ugc.delete)
+		userGroupsGroup.PUT("/:id/users", ugc.updateUsers)
+	}
+}
+
+type UserGroupController struct {
+	UserGroupService *service.UserGroupService
+}
+
+// list godoc
+// @Summary List user groups
+// @Description Get a paginated list of user groups with optional search and sorting
+// @Tags User Groups
+// @Param search query string false "Search term to filter user groups by name"
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
+// @Router /api/user-groups [get]
+func (ugc *UserGroupController) list(c *gin.Context) {
+	searchTerm := c.Query("search")
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	groups, pagination, err := ugc.UserGroupService.List(c, searchTerm, listRequestOptions)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	// Map the user groups to DTOs
+	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
+	for i, group := range groups {
+		var groupDto dto.UserGroupDtoWithUserCount
+		if err := dto.MapStruct(group, &groupDto); err != nil {
+			_ = c.Error(err)
+			return
+		}
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(c.Request.Context(), group.ID)
+		if err != nil {
+			_ = c.Error(err)
+			return
+		}
+		groupsDto[i] = groupDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupDtoWithUserCount]{
+		Data:       groupsDto,
+		Pagination: pagination,
+	})
+}
+
+// get godoc
+// @Summary Get user group by ID
+// @Description Retrieve detailed information about a specific user group including its users
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Router /api/user-groups/{id} [get]
+func (ugc *UserGroupController) get(c *gin.Context) {
+	group, err := ugc.UserGroupService.Get(c.Request.Context(), c.Param("id"))
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+// create godoc
+// @Summary Create user group
+// @Description Create a new user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 201 {object} dto.UserGroupDtoWithUsers "Created user group"
+// @Router /api/user-groups [post]
+func (ugc *UserGroupController) create(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Create(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, groupDto)
+}
+
+// update godoc
+// @Summary Update user group
+// @Description Update an existing user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 200 {object} dto.UserGroupDtoWithUsers "Updated user group"
+// @Router /api/user-groups/{id} [put]
+func (ugc *UserGroupController) update(c *gin.Context) {
+	var input dto.UserGroupCreateDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.Update(c.Request.Context(), c.Param("id"), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}
+
+// delete godoc
+// @Summary Delete user group
+// @Description Delete a specific user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 204 "No Content"
+// @Router /api/user-groups/{id} [delete]
+func (ugc *UserGroupController) delete(c *gin.Context) {
+	if err := ugc.UserGroupService.Delete(c.Request.Context(), c.Param("id")); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// updateUsers godoc
+// @Summary Update users in a group
+// @Description Update the list of users belonging to a specific user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param users body dto.UserGroupUpdateUsersDto true "List of user IDs to assign to this group"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Router /api/user-groups/{id}/users [put]
+func (ugc *UserGroupController) updateUsers(c *gin.Context) {
+	var input dto.UserGroupUpdateUsersDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	group, err := ugc.UserGroupService.UpdateUsers(c.Request.Context(), c.Param("id"), input.UserIDs)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var groupDto dto.UserGroupDtoWithUsers
+	if err := dto.MapStruct(group, &groupDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupDto)
+}

backend/internal/controller/version_controller.go

@@ -0,0 +1,40 @@
+package controller
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewVersionController registers version-related routes.
+func NewVersionController(group *gin.RouterGroup, versionService *service.VersionService) {
+	vc := &VersionController{versionService: versionService}
+	group.GET("/version/latest", vc.getLatestVersionHandler)
+}
+
+type VersionController struct {
+	versionService *service.VersionService
+}
+
+// getLatestVersionHandler godoc
+// @Summary Get latest available version of Pocket ID
+// @Tags Version
+// @Produce json
+// @Success 200 {object} map[string]string "Latest version information"
+// @Router /api/version/latest [get]
+func (vc *VersionController) getLatestVersionHandler(c *gin.Context) {
+	tag, err := vc.versionService.GetLatestVersion(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	utils.SetCacheControlHeader(c, 5*time.Minute, 15*time.Minute)
+
+	c.JSON(http.StatusOK, gin.H{
+		"latestVersion": tag,
+	})
+}

backend/internal/controller/webauthn_controller.go

@@ -1,68 +1,71 @@
 package controller
 
 import (
-	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"net/http"
 	"time"
 
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 )
 
-func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService) {
-	wc := &WebauthnController{webAuthnService: webauthnService}
-	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
-	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
+func NewWebauthnController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
+	wc := &WebauthnController{webAuthnService: webauthnService, appConfigService: appConfigService}
+	group.GET("/webauthn/register/start", authMiddleware.WithAdminNotRequired().Add(), wc.beginRegistrationHandler)
+	group.POST("/webauthn/register/finish", authMiddleware.WithAdminNotRequired().Add(), wc.verifyRegistrationHandler)
 
 	group.GET("/webauthn/login/start", wc.beginLoginHandler)
 	group.POST("/webauthn/login/finish", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.verifyLoginHandler)
 
-	group.POST("/webauthn/logout", jwtAuthMiddleware.Add(false), wc.logoutHandler)
+	group.POST("/webauthn/logout", authMiddleware.WithAdminNotRequired().Add(), wc.logoutHandler)
 
-	group.GET("/webauthn/credentials", jwtAuthMiddleware.Add(false), wc.listCredentialsHandler)
-	group.PATCH("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.updateCredentialHandler)
-	group.DELETE("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.deleteCredentialHandler)
+	group.POST("/webauthn/reauthenticate", authMiddleware.WithAdminNotRequired().Add(), rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.reauthenticateHandler)
+
+	group.GET("/webauthn/credentials", authMiddleware.WithAdminNotRequired().Add(), wc.listCredentialsHandler)
+	group.PATCH("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.updateCredentialHandler)
+	group.DELETE("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.deleteCredentialHandler)
 }
 
 type WebauthnController struct {
-	webAuthnService *service.WebAuthnService
+	webAuthnService  *service.WebAuthnService
+	appConfigService *service.AppConfigService
 }
 
 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	options, err := wc.webAuthnService.BeginRegistration(userID)
+	options, err := wc.webAuthnService.BeginRegistration(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }
 
 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}
 
 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -70,62 +73,58 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 }
 
 func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
-	options, err := wc.webAuthnService.BeginLogin()
+	options, err := wc.webAuthnService.BeginLogin(c.Request.Context())
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }
 
 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}
 
 	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	userID := c.GetString("userID")
-
-	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, userID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
+	user, token, err := wc.webAuthnService.VerifyLogin(c.Request.Context(), sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		if errors.Is(err, common.ErrInvalidCredentials) {
-			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}
 
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	maxAge := int(wc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }
 
 func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	credentials, err := wc.webAuthnService.ListCredentials(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	var credentialDtos []dto.WebauthnCredentialDto
 	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -136,9 +135,9 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")
 
-	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -151,19 +150,19 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 
 	var input dto.WebauthnCredentialUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	credential, err := wc.webAuthnService.UpdateCredential(c.Request.Context(), userID, credentialID, input.Name)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
@@ -171,6 +170,36 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }
 
 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
-	c.SetCookie("access_token", "", 0, "/", "", false, true)
+	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }
+
+func (wc *WebauthnController) reauthenticateHandler(c *gin.Context) {
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
+	if err != nil {
+		_ = c.Error(&common.MissingSessionIdError{})
+		return
+	}
+
+	var token string
+
+	// Try to create a reauthentication token with WebAuthn
+	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
+	if err == nil {
+		token, err = wc.webAuthnService.CreateReauthenticationTokenWithWebauthn(c.Request.Context(), sessionID, credentialAssertionData)
+		if err != nil {
+			_ = c.Error(err)
+			return
+		}
+	} else {
+		// If WebAuthn fails, try to create a reauthentication token with the access token
+		accessToken, _ := c.Cookie(cookie.AccessTokenCookieName)
+		token, err = wc.webAuthnService.CreateReauthenticationTokenWithAccessToken(c.Request.Context(), accessToken)
+		if err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
+	c.JSON(http.StatusOK, gin.H{"reauthenticationToken": token})
+}

backend/internal/controller/well_known_controller.go

@@ -1,46 +1,96 @@
 package controller
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"encoding/json"
+	"fmt"
+	"log/slog"
 	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
+// NewWellKnownController creates a new controller for OIDC discovery endpoints
+// @Summary OIDC Discovery controller
+// @Description Initializes OIDC discovery and JWKS endpoints
+// @Tags Well Known
 func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
 	wkc := &WellKnownController{jwtService: jwtService}
+
+	// Pre-compute the OIDC configuration document, which is static
+	var err error
+	wkc.oidcConfig, err = wkc.computeOIDCConfiguration()
+	if err != nil {
+		slog.Error("Failed to pre-compute OpenID Connect configuration document", slog.Any("error", err))
+		os.Exit(1)
+		return
+	}
+
 	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
 	group.GET("/.well-known/openid-configuration", wkc.openIDConfigurationHandler)
 }
 
 type WellKnownController struct {
 	jwtService *service.JwtService
+	oidcConfig []byte
 }
 
+// jwksHandler godoc
+// @Summary Get JSON Web Key Set (JWKS)
+// @Description Returns the JSON Web Key Set used for token verification
+// @Tags Well Known
+// @Produce json
+// @Success 200 {object} object "{ \"keys\": []interface{} }"
+// @Router /.well-known/jwks.json [get]
 func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
-	jwk, err := wkc.jwtService.GetJWK()
+	jwks, err := wkc.jwtService.GetPublicJWKSAsJSON()
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}
 
-	c.JSON(http.StatusOK, gin.H{"keys": []interface{}{jwk}})
+	c.Data(http.StatusOK, "application/json; charset=utf-8", jwks)
 }
 
+// openIDConfigurationHandler godoc
+// @Summary Get OpenID Connect discovery configuration
+// @Description Returns the OpenID Connect discovery document with endpoints and capabilities
+// @Tags Well Known
+// @Success 200 {object} object "OpenID Connect configuration"
+// @Router /.well-known/openid-configuration [get]
 func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
-	appUrl := common.EnvConfig.AppURL
-	config := map[string]interface{}{
-		"issuer":                                appUrl,
-		"authorization_endpoint":                appUrl + "/authorize",
-		"token_endpoint":                        appUrl + "/api/oidc/token",
-		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
-		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
-		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "preferred_username"},
-		"response_types_supported":              []string{"code", "id_token"},
-		"subject_types_supported":               []string{"public"},
-		"id_token_signing_alg_values_supported": []string{"RS256"},
-	}
-	c.JSON(http.StatusOK, config)
+	c.Data(http.StatusOK, "application/json; charset=utf-8", wkc.oidcConfig)
+}
+
+func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
+	appUrl := common.EnvConfig.AppURL
+
+	internalAppUrl := common.EnvConfig.InternalAppURL
+
+	alg, err := wkc.jwtService.GetKeyAlg()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get key algorithm: %w", err)
+	}
+	config := map[string]any{
+		"issuer":                                         appUrl,
+		"authorization_endpoint":                         appUrl + "/authorize",
+		"token_endpoint":                                 internalAppUrl + "/api/oidc/token",
+		"userinfo_endpoint":                              internalAppUrl + "/api/oidc/userinfo",
+		"end_session_endpoint":                           appUrl + "/api/oidc/end-session",
+		"introspection_endpoint":                         internalAppUrl + "/api/oidc/introspect",
+		"device_authorization_endpoint":                  appUrl + "/api/oidc/device/authorize",
+		"jwks_uri":                                       internalAppUrl + "/.well-known/jwks.json",
+		"grant_types_supported":                          []string{service.GrantTypeAuthorizationCode, service.GrantTypeRefreshToken, service.GrantTypeDeviceCode, service.GrantTypeClientCredentials},
+		"scopes_supported":                               []string{"openid", "profile", "email", "groups"},
+		"claims_supported":                               []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
+		"response_types_supported":                       []string{"code", "id_token"},
+		"subject_types_supported":                        []string{"public"},
+		"id_token_signing_alg_values_supported":          []string{alg.String()},
+		"authorization_response_iss_parameter_supported": true,
+		"code_challenge_methods_supported":               []string{"plain", "S256"},
+	}
+	return json.Marshal(config)
 }

backend/internal/dto/api_key_dto.go

@@ -0,0 +1,26 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type ApiKeyCreateDto struct {
+	Name        string            `json:"name" binding:"required,min=3,max=50" unorm:"nfc"`
+	Description *string           `json:"description" unorm:"nfc"`
+	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
+}
+
+type ApiKeyDto struct {
+	ID                  string             `json:"id"`
+	Name                string             `json:"name"`
+	Description         *string            `json:"description"`
+	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
+	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
+	CreatedAt           datatype.DateTime  `json:"createdAt"`
+	ExpirationEmailSent bool               `json:"expirationEmailSent"`
+}
+
+type ApiKeyResponseDto struct {
+	ApiKey ApiKeyDto `json:"apiKey"`
+	Token  string    `json:"token"`
+}

backend/internal/dto/app_config_dto.go

@@ -12,12 +12,45 @@ type AppConfigVariableDto struct {
 }
 
 type AppConfigUpdateDto struct {
-	AppName         string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration string `json:"sessionDuration" binding:"required"`
-	EmailEnabled    string `json:"emailEnabled" binding:"required"`
-	SmtHost         string `json:"smtpHost"`
-	SmtpPort        string `json:"smtpPort"`
-	SmtpFrom        string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpUser        string `json:"smtpUser"`
-	SmtpPassword    string `json:"smtpPassword"`
+	AppName                                    string `json:"appName" binding:"required,min=1,max=30" unorm:"nfc"`
+	SessionDuration                            string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
+	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
+	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
+	AllowUserSignups                           string `json:"allowUserSignups" binding:"required,oneof=disabled withToken open"`
+	SignupDefaultUserGroupIDs                  string `json:"signupDefaultUserGroupIDs" binding:"omitempty,json"`
+	SignupDefaultCustomClaims                  string `json:"signupDefaultCustomClaims" binding:"omitempty,json"`
+	AccentColor                                string `json:"accentColor"`
+	RequireUserEmail                           string `json:"requireUserEmail" binding:"required"`
+	SmtpHost                                   string `json:"smtpHost"`
+	SmtpPort                                   string `json:"smtpPort"`
+	SmtpFrom                                   string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                                   string `json:"smtpUser"`
+	SmtpPassword                               string `json:"smtpPassword"`
+	SmtpTls                                    string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpSkipCertVerify                         string `json:"smtpSkipCertVerify"`
+	LdapEnabled                                string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                                    string `json:"ldapUrl"`
+	LdapBindDn                                 string `json:"ldapBindDn"`
+	LdapBindPassword                           string `json:"ldapBindPassword"`
+	LdapBase                                   string `json:"ldapBase"`
+	LdapUserSearchFilter                       string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter                  string `json:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                         string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier          string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername                  string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail                     string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName                 string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName                  string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserDisplayName               string `json:"ldapAttributeUserDisplayName"`
+	LdapAttributeUserProfilePicture            string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName                     string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup                    string `json:"ldapAttributeAdminGroup"`
+	LdapSoftDeleteUsers                        string `json:"ldapSoftDeleteUsers"`
+	EmailOneTimeAccessAsAdminEnabled           string `json:"emailOneTimeAccessAsAdminEnabled" binding:"required"`
+	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
+	EmailLoginNotificationEnabled              string `json:"emailLoginNotificationEnabled" binding:"required"`
+	EmailApiKeyExpirationEnabled               string `json:"emailApiKeyExpirationEnabled" binding:"required"`
 }

backend/internal/dto/audit_log_dto.go

@@ -1,17 +1,19 @@
 package dto
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"time"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type AuditLogDto struct {
-	ID        string    `json:"id"`
-	CreatedAt time.Time `json:"createdAt"`
+	ID        string            `json:"id"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
 
-	Event     model.AuditLogEvent `json:"event"`
-	IpAddress string              `json:"ipAddress"`
-	Device    string              `json:"device"`
-	UserID    string              `json:"userID"`
-	Data      model.AuditLogData  `json:"data"`
+	Event     string            `json:"event"`
+	IpAddress string            `json:"ipAddress"`
+	Country   string            `json:"country"`
+	City      string            `json:"city"`
+	Device    string            `json:"device"`
+	UserID    string            `json:"userID"`
+	Username  string            `json:"username"`
+	Data      map[string]string `json:"data"`
 }

backend/internal/dto/custom_claim_dto.go

@@ -0,0 +1,11 @@
+package dto
+
+type CustomClaimDto struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
+type CustomClaimCreateDto struct {
+	Key   string `json:"key" binding:"required" unorm:"nfc"`
+	Value string `json:"value" binding:"required" unorm:"nfc"`
+}

backend/internal/dto/dto_mapper.go

@@ -1,81 +1,27 @@
 package dto
 
 import (
-	"errors"
-	"reflect"
+	"fmt"
+
+	"github.com/jinzhu/copier"
 )
 
 // MapStructList maps a list of source structs to a list of destination structs
-func MapStructList[S any, D any](source []S, destination *[]D) error {
-	*destination = make([]D, 0, len(source))
+func MapStructList[S any, D any](source []S, destination *[]D) (err error) {
+	*destination = make([]D, len(source))
 
-	for _, item := range source {
-		var destItem D
-		if err := MapStruct(item, &destItem); err != nil {
-			return err
+	for i, item := range source {
+		err = MapStruct(item, &((*destination)[i]))
+		if err != nil {
+			return fmt.Errorf("failed to map field %d: %w", i, err)
 		}
-		*destination = append(*destination, destItem)
 	}
 	return nil
 }
 
 // MapStruct maps a source struct to a destination struct
-func MapStruct[S any, D any](source S, destination *D) error {
-	// Ensure destination is a non-nil pointer
-	destValue := reflect.ValueOf(destination)
-	if destValue.Kind() != reflect.Ptr || destValue.IsNil() {
-		return errors.New("destination must be a non-nil pointer to a struct")
-	}
-
-	// Ensure source is a struct
-	sourceValue := reflect.ValueOf(source)
-	if sourceValue.Kind() != reflect.Struct {
-		return errors.New("source must be a struct")
-	}
-
-	return mapStructInternal(sourceValue, destValue.Elem())
-}
-
-func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
-	// Loop through the fields of the destination struct
-	for i := 0; i < destVal.NumField(); i++ {
-		destField := destVal.Field(i)
-		destFieldType := destVal.Type().Field(i)
-
-		if destFieldType.Anonymous {
-			// Recursively handle embedded structs
-			if err := mapStructInternal(sourceVal, destField); err != nil {
-				return err
-			}
-			continue
-		}
-
-		sourceField := sourceVal.FieldByName(destFieldType.Name)
-
-		// If the source field is valid and can be assigned to the destination field
-		if sourceField.IsValid() && destField.CanSet() {
-			// Handle direct assignment for simple types
-			if sourceField.Type() == destField.Type() {
-				destField.Set(sourceField)
-			} else if sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice {
-				// Handle slices
-				if sourceField.Type().Elem() == destField.Type().Elem() {
-					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
-
-					for j := 0; j < sourceField.Len(); j++ {
-						newSlice.Index(j).Set(sourceField.Index(j))
-					}
-
-					destField.Set(newSlice)
-				}
-			} else if sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct {
-				// Recursively map nested structs
-				if err := mapStructInternal(sourceField, destField); err != nil {
-					return err
-				}
-			}
-		}
-	}
-
-	return nil
+func MapStruct(source any, destination any) error {
+	return copier.CopyWithOption(destination, source, copier.Option{
+		DeepCopy: true,
+	})
 }

backend/internal/dto/dto_mapper_test.go

@@ -0,0 +1,197 @@
+package dto
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+type sourceStruct struct {
+	AString            string
+	AStringPtr         *string
+	ABool              bool
+	ABoolPtr           *bool
+	ACustomDateTime    datatype.DateTime
+	ACustomDateTimePtr *datatype.DateTime
+	ANilStringPtr      *string
+	ASlice             []string
+	AMap               map[string]int
+	AStruct            embeddedStruct
+	AStructPtr         *embeddedStruct
+
+	StringPtrToString      *string
+	EmptyStringPtrToString *string
+	NilStringPtrToString   *string
+	IntToInt64             int
+	AuditLogEventToString  model.AuditLogEvent
+}
+
+type destStruct struct {
+	AString            string
+	AStringPtr         *string
+	ABool              bool
+	ABoolPtr           *bool
+	ACustomDateTime    datatype.DateTime
+	ACustomDateTimePtr *datatype.DateTime
+	ANilStringPtr      *string
+	ASlice             []string
+	AMap               map[string]int
+	AStruct            embeddedStruct
+	AStructPtr         *embeddedStruct
+
+	StringPtrToString      string
+	EmptyStringPtrToString string
+	NilStringPtrToString   string
+	IntToInt64             int64
+	AuditLogEventToString  string
+}
+
+type embeddedStruct struct {
+	Foo string
+	Bar int64
+}
+
+func TestMapStruct(t *testing.T) {
+	src := sourceStruct{
+		AString:            "abcd",
+		AStringPtr:         utils.Ptr("xyz"),
+		ABool:              true,
+		ABoolPtr:           utils.Ptr(false),
+		ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
+		ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+		ANilStringPtr:      nil,
+		ASlice:             []string{"a", "b", "c"},
+		AMap: map[string]int{
+			"a": 1,
+			"b": 2,
+		},
+		AStruct: embeddedStruct{
+			Foo: "bar",
+			Bar: 42,
+		},
+		AStructPtr: &embeddedStruct{
+			Foo: "quo",
+			Bar: 111,
+		},
+
+		StringPtrToString:      utils.Ptr("foobar"),
+		EmptyStringPtrToString: utils.Ptr(""),
+		NilStringPtrToString:   nil,
+		IntToInt64:             99,
+		AuditLogEventToString:  model.AuditLogEventAccountCreated,
+	}
+	var dst destStruct
+	err := MapStruct(src, &dst)
+	require.NoError(t, err)
+
+	assert.Equal(t, src.AString, dst.AString)
+	_ = assert.NotNil(t, src.AStringPtr) &&
+		assert.Equal(t, *src.AStringPtr, *dst.AStringPtr)
+	assert.Equal(t, src.ABool, dst.ABool)
+	_ = assert.NotNil(t, src.ABoolPtr) &&
+		assert.Equal(t, *src.ABoolPtr, *dst.ABoolPtr)
+	assert.Equal(t, src.ACustomDateTime, dst.ACustomDateTime)
+	_ = assert.NotNil(t, src.ACustomDateTimePtr) &&
+		assert.Equal(t, *src.ACustomDateTimePtr, *dst.ACustomDateTimePtr)
+	assert.Nil(t, dst.ANilStringPtr)
+	assert.Equal(t, src.ASlice, dst.ASlice)
+	assert.Equal(t, src.AMap, dst.AMap)
+	assert.Equal(t, "bar", dst.AStruct.Foo)
+	assert.Equal(t, int64(42), dst.AStruct.Bar)
+	_ = assert.NotNil(t, src.AStructPtr) &&
+		assert.Equal(t, "quo", dst.AStructPtr.Foo) &&
+		assert.Equal(t, int64(111), dst.AStructPtr.Bar)
+	assert.Equal(t, "foobar", dst.StringPtrToString)
+	assert.Empty(t, dst.EmptyStringPtrToString)
+	assert.Empty(t, dst.NilStringPtrToString)
+	assert.Equal(t, int64(99), dst.IntToInt64)
+	assert.Equal(t, "ACCOUNT_CREATED", dst.AuditLogEventToString)
+}
+
+func TestMapStructList(t *testing.T) {
+	sources := []sourceStruct{
+		{
+			AString:            "first",
+			AStringPtr:         utils.Ptr("one"),
+			ABool:              true,
+			ABoolPtr:           utils.Ptr(false),
+			ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
+			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+			ASlice:             []string{"a", "b"},
+			AMap: map[string]int{
+				"a": 1,
+				"b": 2,
+			},
+			AStruct: embeddedStruct{
+				Foo: "first_struct",
+				Bar: 10,
+			},
+			IntToInt64: 10,
+		},
+		{
+			AString:            "second",
+			AStringPtr:         utils.Ptr("two"),
+			ABool:              false,
+			ABoolPtr:           utils.Ptr(true),
+			ACustomDateTime:    datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)),
+			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
+			ASlice:             []string{"c", "d", "e"},
+			AMap: map[string]int{
+				"c": 3,
+				"d": 4,
+			},
+			AStruct: embeddedStruct{
+				Foo: "second_struct",
+				Bar: 20,
+			},
+			IntToInt64: 20,
+		},
+	}
+
+	var destinations []destStruct
+	err := MapStructList(sources, &destinations)
+
+	require.NoError(t, err)
+	require.Len(t, destinations, 2)
+
+	// Verify first element
+	assert.Equal(t, "first", destinations[0].AString)
+	assert.Equal(t, "one", *destinations[0].AStringPtr)
+	assert.True(t, destinations[0].ABool)
+	assert.False(t, *destinations[0].ABoolPtr)
+	assert.Equal(t, datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)), destinations[0].ACustomDateTime)
+	assert.Equal(t, datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)), *destinations[0].ACustomDateTimePtr)
+	assert.Equal(t, []string{"a", "b"}, destinations[0].ASlice)
+	assert.Equal(t, map[string]int{"a": 1, "b": 2}, destinations[0].AMap)
+	assert.Equal(t, "first_struct", destinations[0].AStruct.Foo)
+	assert.Equal(t, int64(10), destinations[0].AStruct.Bar)
+	assert.Equal(t, int64(10), destinations[0].IntToInt64)
+
+	// Verify second element
+	assert.Equal(t, "second", destinations[1].AString)
+	assert.Equal(t, "two", *destinations[1].AStringPtr)
+	assert.False(t, destinations[1].ABool)
+	assert.True(t, *destinations[1].ABoolPtr)
+	assert.Equal(t, datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)), destinations[1].ACustomDateTime)
+	assert.Equal(t, datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC)), *destinations[1].ACustomDateTimePtr)
+	assert.Equal(t, []string{"c", "d", "e"}, destinations[1].ASlice)
+	assert.Equal(t, map[string]int{"c": 3, "d": 4}, destinations[1].AMap)
+	assert.Equal(t, "second_struct", destinations[1].AStruct.Foo)
+	assert.Equal(t, int64(20), destinations[1].AStruct.Bar)
+	assert.Equal(t, int64(20), destinations[1].IntToInt64)
+}
+
+func TestMapStructList_EmptySource(t *testing.T) {
+	var sources []sourceStruct
+	var destinations []destStruct
+
+	err := MapStructList(sources, &destinations)
+	require.NoError(t, err)
+	assert.Empty(t, destinations)
+}

backend/internal/dto/dto_normalize.go

@@ -0,0 +1,94 @@
+package dto
+
+import (
+	"net/http"
+	"reflect"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
+	"golang.org/x/text/unicode/norm"
+)
+
+// Normalize iterates through an object and performs Unicode normalization on all string fields with the `unorm` tag.
+func Normalize(obj any) {
+	v := reflect.ValueOf(obj)
+	if v.Kind() != reflect.Ptr || v.IsNil() {
+		return
+	}
+	v = v.Elem()
+
+	// Handle case where obj is a slice of models
+	if v.Kind() == reflect.Slice {
+		for i := 0; i < v.Len(); i++ {
+			elem := v.Index(i)
+			if elem.Kind() == reflect.Ptr && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
+				Normalize(elem.Interface())
+			} else if elem.Kind() == reflect.Struct && elem.CanAddr() {
+				Normalize(elem.Addr().Interface())
+			}
+		}
+		return
+	}
+
+	if v.Kind() != reflect.Struct {
+		return
+	}
+
+	// Iterate through all fields looking for those with the "unorm" tag
+	t := v.Type()
+loop:
+	for i := range t.NumField() {
+		field := t.Field(i)
+
+		unormTag := field.Tag.Get("unorm")
+		if unormTag == "" {
+			continue
+		}
+
+		fv := v.Field(i)
+		if !fv.CanSet() || fv.Kind() != reflect.String {
+			continue
+		}
+
+		var form norm.Form
+		switch unormTag {
+		case "nfc":
+			form = norm.NFC
+		case "nfkc":
+			form = norm.NFKC
+		case "nfd":
+			form = norm.NFD
+		case "nfkd":
+			form = norm.NFKD
+		default:
+			continue loop
+		}
+
+		val := fv.String()
+		val = form.String(val)
+		fv.SetString(val)
+	}
+}
+
+func ShouldBindWithNormalizedJSON(ctx *gin.Context, obj any) error {
+	return ctx.ShouldBindWith(obj, binding.JSON)
+}
+
+type NormalizerJSONBinding struct{}
+
+func (NormalizerJSONBinding) Name() string {
+	return "json"
+}
+
+func (NormalizerJSONBinding) Bind(req *http.Request, obj any) error {
+	// Use the default JSON binder
+	err := binding.JSON.Bind(req, obj)
+	if err != nil {
+		return err
+	}
+
+	// Perform normalization
+	Normalize(obj)
+
+	return nil
+}

backend/internal/dto/dto_normalize_test.go

@@ -0,0 +1,84 @@
+package dto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/text/unicode/norm"
+)
+
+type testDto struct {
+	Name        string `unorm:"nfc"`
+	Description string `unorm:"nfd"`
+	Other       string
+	BadForm     string `unorm:"bad"`
+}
+
+func TestNormalize(t *testing.T) {
+	input := testDto{
+		// Is in NFC form already
+		Name: norm.NFC.String("Café"),
+		// NFC form will be normalized to NFD
+		Description: norm.NFC.String("vërø"),
+		// Should be unchanged
+		Other: "NöTag",
+		// Should be unchanged
+		BadForm: "BåD",
+	}
+
+	Normalize(&input)
+
+	assert.Equal(t, norm.NFC.String("Café"), input.Name)
+	assert.Equal(t, norm.NFD.String("vërø"), input.Description)
+	assert.Equal(t, "NöTag", input.Other)
+	assert.Equal(t, "BåD", input.BadForm)
+}
+
+func TestNormalizeSlice(t *testing.T) {
+	obj1 := testDto{
+		Name:        norm.NFC.String("Café1"),
+		Description: norm.NFC.String("vërø1"),
+		Other:       "NöTag1",
+		BadForm:     "BåD1",
+	}
+	obj2 := testDto{
+		Name:        norm.NFD.String("Résumé2"),
+		Description: norm.NFD.String("accéléré2"),
+		Other:       "NöTag2",
+		BadForm:     "BåD2",
+	}
+
+	t.Run("slice of structs", func(t *testing.T) {
+		slice := []testDto{obj1, obj2}
+		Normalize(&slice)
+
+		// Verify first element
+		assert.Equal(t, norm.NFC.String("Café1"), slice[0].Name)
+		assert.Equal(t, norm.NFD.String("vërø1"), slice[0].Description)
+		assert.Equal(t, "NöTag1", slice[0].Other)
+		assert.Equal(t, "BåD1", slice[0].BadForm)
+
+		// Verify second element
+		assert.Equal(t, norm.NFC.String("Résumé2"), slice[1].Name)
+		assert.Equal(t, norm.NFD.String("accéléré2"), slice[1].Description)
+		assert.Equal(t, "NöTag2", slice[1].Other)
+		assert.Equal(t, "BåD2", slice[1].BadForm)
+	})
+
+	t.Run("slice of pointers to structs", func(t *testing.T) {
+		slice := []*testDto{&obj1, &obj2}
+		Normalize(&slice)
+
+		// Verify first element
+		assert.Equal(t, norm.NFC.String("Café1"), slice[0].Name)
+		assert.Equal(t, norm.NFD.String("vërø1"), slice[0].Description)
+		assert.Equal(t, "NöTag1", slice[0].Other)
+		assert.Equal(t, "BåD1", slice[0].BadForm)
+
+		// Verify second element
+		assert.Equal(t, norm.NFC.String("Résumé2"), slice[1].Name)
+		assert.Equal(t, norm.NFD.String("accéléré2"), slice[1].Description)
+		assert.Equal(t, "NöTag2", slice[1].Other)
+		assert.Equal(t, "BåD2", slice[1].BadForm)
+	})
+}

backend/internal/dto/oidc_dto.go

@@ -1,37 +1,180 @@
 package dto
 
-type PublicOidcClientDto struct {
-	ID      string `json:"id"`
-	Name    string `json:"name"`
-	HasLogo bool   `json:"hasLogo"`
+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+type OidcClientMetaDataDto struct {
+	ID                       string  `json:"id"`
+	Name                     string  `json:"name"`
+	HasLogo                  bool    `json:"hasLogo"`
+	HasDarkLogo              bool    `json:"hasDarkLogo"`
+	LaunchURL                *string `json:"launchURL"`
+	RequiresReauthentication bool    `json:"requiresReauthentication"`
 }
 
 type OidcClientDto struct {
-	PublicOidcClientDto
-	CallbackURLs []string `json:"callbackURLs"`
-	CreatedBy    UserDto  `json:"createdBy"`
+	OidcClientMetaDataDto
+	CallbackURLs       []string                 `json:"callbackURLs"`
+	LogoutCallbackURLs []string                 `json:"logoutCallbackURLs"`
+	IsPublic           bool                     `json:"isPublic"`
+	PkceEnabled        bool                     `json:"pkceEnabled"`
+	Credentials        OidcClientCredentialsDto `json:"credentials"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	OidcClientDto
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
+}
+
+type OidcClientWithAllowedGroupsCountDto struct {
+	OidcClientDto
+	AllowedUserGroupsCount int64 `json:"allowedUserGroupsCount"`
+}
+
+type OidcClientUpdateDto struct {
+	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
+	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url"`
+	IsPublic                 bool                     `json:"isPublic"`
+	PkceEnabled              bool                     `json:"pkceEnabled"`
+	RequiresReauthentication bool                     `json:"requiresReauthentication"`
+	Credentials              OidcClientCredentialsDto `json:"credentials"`
+	LaunchURL                *string                  `json:"launchURL" binding:"omitempty,url"`
+	HasLogo                  bool                     `json:"hasLogo"`
+	HasDarkLogo              bool                     `json:"hasDarkLogo"`
+	LogoURL                  *string                  `json:"logoUrl"`
+	DarkLogoURL              *string                  `json:"darkLogoUrl"`
 }
 
 type OidcClientCreateDto struct {
-	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+	OidcClientUpdateDto
+	ID string `json:"id" binding:"omitempty,client_id,min=2,max=128"`
+}
+
+type OidcClientCredentialsDto struct {
+	FederatedIdentities []OidcClientFederatedIdentityDto `json:"federatedIdentities,omitempty"`
+}
+
+type OidcClientFederatedIdentityDto struct {
+	Issuer   string `json:"issuer"`
+	Subject  string `json:"subject,omitempty"`
+	Audience string `json:"audience,omitempty"`
+	JWKS     string `json:"jwks,omitempty"`
 }
 
 type AuthorizeOidcClientRequestDto struct {
-	ClientID    string `json:"clientID" binding:"required"`
-	Scope       string `json:"scope" binding:"required"`
-	CallbackURL string `json:"callbackURL"`
-	Nonce       string `json:"nonce"`
+	ClientID              string `json:"clientID" binding:"required"`
+	Scope                 string `json:"scope" binding:"required"`
+	CallbackURL           string `json:"callbackURL"`
+	Nonce                 string `json:"nonce"`
+	CodeChallenge         string `json:"codeChallenge"`
+	CodeChallengeMethod   string `json:"codeChallengeMethod"`
+	ReauthenticationToken string `json:"reauthenticationToken"`
 }
 
 type AuthorizeOidcClientResponseDto struct {
 	Code        string `json:"code"`
 	CallbackURL string `json:"callbackURL"`
+	Issuer      string `json:"issuer"`
 }
 
-type OidcIdTokenDto struct {
-	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" binding:"required"`
+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
+type OidcCreateTokensDto struct {
+	GrantType           string `form:"grant_type" binding:"required"`
+	Code                string `form:"code"`
+	DeviceCode          string `form:"device_code"`
+	ClientID            string `form:"client_id"`
+	ClientSecret        string `form:"client_secret"`
+	CodeVerifier        string `form:"code_verifier"`
+	RefreshToken        string `form:"refresh_token"`
+	ClientAssertion     string `form:"client_assertion"`
+	ClientAssertionType string `form:"client_assertion_type"`
+	Resource            string `form:"resource"`
+}
+
+type OidcIntrospectDto struct {
+	Token string `form:"token" binding:"required"`
+}
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}
+
+type OidcLogoutDto struct {
+	IdTokenHint           string `form:"id_token_hint"`
+	ClientId              string `form:"client_id"`
+	PostLogoutRedirectUri string `form:"post_logout_redirect_uri"`
+	State                 string `form:"state"`
+}
+
+type OidcTokenResponseDto struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	IdToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+type OidcIntrospectionResponseDto struct {
+	Active     bool     `json:"active"`
+	TokenType  string   `json:"token_type,omitempty"`
+	Scope      string   `json:"scope,omitempty"`
+	Expiration int64    `json:"exp,omitempty"`
+	IssuedAt   int64    `json:"iat,omitempty"`
+	NotBefore  int64    `json:"nbf,omitempty"`
+	Subject    string   `json:"sub,omitempty"`
+	Audience   []string `json:"aud,omitempty"`
+	Issuer     string   `json:"iss,omitempty"`
+	Identifier string   `json:"jti,omitempty"`
+}
+
+type OidcDeviceAuthorizationRequestDto struct {
+	ClientID            string `form:"client_id" binding:"required"`
+	Scope               string `form:"scope" binding:"required"`
+	ClientSecret        string `form:"client_secret"`
+	ClientAssertion     string `form:"client_assertion"`
+	ClientAssertionType string `form:"client_assertion_type"`
+}
+
+type OidcDeviceAuthorizationResponseDto struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+	RequiresAuthorization   bool   `json:"requires_authorization"`
+}
+
+type OidcDeviceTokenRequestDto struct {
+	GrantType    string `form:"grant_type" binding:"required,eq=urn:ietf:params:oauth:grant-type:device_code"`
+	DeviceCode   string `form:"device_code" binding:"required"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
 }
+
+type DeviceCodeInfoDto struct {
+	Scope                 string                `json:"scope"`
+	AuthorizationRequired bool                  `json:"authorizationRequired"`
+	Client                OidcClientMetaDataDto `json:"client"`
+}
+
+type AuthorizedOidcClientDto struct {
+	Scope      string                `json:"scope"`
+	Client     OidcClientMetaDataDto `json:"client"`
+	LastUsedAt datatype.DateTime     `json:"lastUsedAt"`
+}
+
+type OidcClientPreviewDto struct {
+	IdToken     map[string]any `json:"idToken"`
+	AccessToken map[string]any `json:"accessToken"`
+	UserInfo    map[string]any `json:"userInfo"`
+}
+
+type AccessibleOidcClientDto struct {
+	OidcClientMetaDataDto
+	LastUsedAt *datatype.DateTime `json:"lastUsedAt"`
+}

backend/internal/dto/pagination_dto.go

@@ -0,0 +1,10 @@
+package dto
+
+import "github.com/pocket-id/pocket-id/backend/internal/utils"
+
+type Pagination = utils.PaginationResponse
+
+type Paginated[T any] struct {
+	Data       []T        `json:"data"`
+	Pagination Pagination `json:"pagination"`
+}

backend/internal/dto/signup_token_dto.go

@@ -0,0 +1,20 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+type SignupTokenCreateDto struct {
+	TTL        utils.JSONDuration `json:"ttl" binding:"required,ttl"`
+	UsageLimit int                `json:"usageLimit" binding:"required,min=1,max=100"`
+}
+
+type SignupTokenDto struct {
+	ID         string            `json:"id"`
+	Token      string            `json:"token"`
+	ExpiresAt  datatype.DateTime `json:"expiresAt"`
+	UsageLimit int               `json:"usageLimit"`
+	UsageCount int               `json:"usageCount"`
+	CreatedAt  datatype.DateTime `json:"createdAt"`
+}

backend/internal/dto/user_dto.go

@@ -1,25 +1,72 @@
 package dto
 
-import "time"
+import (
+	"errors"
+
+	"github.com/gin-gonic/gin/binding"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
 
 type UserDto struct {
-	ID        string `json:"id"`
-	Username  string `json:"username"`
-	Email     string `json:"email" `
-	FirstName string `json:"firstName"`
-	LastName  string `json:"lastName"`
-	IsAdmin   bool   `json:"isAdmin"`
+	ID           string           `json:"id"`
+	Username     string           `json:"username"`
+	Email        *string          `json:"email" `
+	FirstName    string           `json:"firstName"`
+	LastName     *string          `json:"lastName"`
+	DisplayName  string           `json:"displayName"`
+	IsAdmin      bool             `json:"isAdmin"`
+	Locale       *string          `json:"locale"`
+	CustomClaims []CustomClaimDto `json:"customClaims"`
+	UserGroups   []UserGroupDto   `json:"userGroups"`
+	LdapID       *string          `json:"ldapId"`
+	Disabled     bool             `json:"disabled"`
 }
 
 type UserCreateDto struct {
-	Username  string `json:"username" binding:"required,username,min=3,max=20"`
-	Email     string `json:"email" binding:"required,email"`
-	FirstName string `json:"firstName" binding:"required,min=3,max=30"`
-	LastName  string `json:"lastName" binding:"required,min=3,max=30"`
-	IsAdmin   bool   `json:"isAdmin"`
+	Username    string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
+	Email       *string `json:"email" binding:"omitempty,email" unorm:"nfc"`
+	FirstName   string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
+	LastName    string  `json:"lastName" binding:"max=50" unorm:"nfc"`
+	DisplayName string  `json:"displayName" binding:"required,min=1,max=100" unorm:"nfc"`
+	IsAdmin     bool    `json:"isAdmin"`
+	Locale      *string `json:"locale"`
+	Disabled    bool    `json:"disabled"`
+	LdapID      string  `json:"-"`
+}
+
+func (u UserCreateDto) Validate() error {
+	e, ok := binding.Validator.Engine().(interface {
+		Struct(s any) error
+	})
+	if !ok {
+		return errors.New("validator does not implement the expected interface")
+	}
+
+	return e.Struct(u)
 }
 
 type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId" binding:"required"`
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+	UserID string             `json:"userId"`
+	TTL    utils.JSONDuration `json:"ttl" binding:"ttl"`
+}
+
+type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
+	Email        string `json:"email" binding:"required,email" unorm:"nfc"`
+	RedirectPath string `json:"redirectPath"`
+}
+
+type OneTimeAccessEmailAsAdminDto struct {
+	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
+}
+
+type UserUpdateUserGroupDto struct {
+	UserGroupIds []string `json:"userGroupIds" binding:"required"`
+}
+
+type SignUpDto struct {
+	Username  string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
+	Email     *string `json:"email" binding:"omitempty,email" unorm:"nfc"`
+	FirstName string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
+	LastName  string  `json:"lastName" binding:"max=50" unorm:"nfc"`
+	Token     string  `json:"token"`
 }

backend/internal/dto/user_dto_test.go

@@ -0,0 +1,105 @@
+package dto
+
+import (
+	"testing"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserCreateDto_Validate(t *testing.T) {
+	testCases := []struct {
+		name    string
+		input   UserCreateDto
+		wantErr string
+	}{
+		{
+			name: "valid input",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       utils.Ptr("test@example.com"),
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "",
+		},
+		{
+			name: "missing username",
+			input: UserCreateDto{
+				Email:       utils.Ptr("test@example.com"),
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Username' failed on the 'required' tag",
+		},
+		{
+			name: "missing display name",
+			input: UserCreateDto{
+				Email:     utils.Ptr("test@example.com"),
+				FirstName: "John",
+				LastName:  "Doe",
+			},
+			wantErr: "Field validation for 'DisplayName' failed on the 'required' tag",
+		},
+		{
+			name: "username contains invalid characters",
+			input: UserCreateDto{
+				Username:    "test/ser",
+				Email:       utils.Ptr("test@example.com"),
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Username' failed on the 'username' tag",
+		},
+		{
+			name: "invalid email",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       utils.Ptr("not-an-email"),
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Email' failed on the 'email' tag",
+		},
+		{
+			name: "first name too short",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       utils.Ptr("test@example.com"),
+				FirstName:   "",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'FirstName' failed on the 'required' tag",
+		},
+		{
+			name: "last name too long",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       utils.Ptr("test@example.com"),
+				FirstName:   "John",
+				LastName:    "abcdfghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'LastName' failed on the 'max' tag",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.input.Validate()
+
+			if tc.wantErr == "" {
+				require.NoError(t, err)
+				return
+			}
+
+			require.Error(t, err)
+			require.ErrorContains(t, err, tc.wantErr)
+		})
+	}
+}

backend/internal/dto/user_group_dto.go

@@ -0,0 +1,58 @@
+package dto
+
+import (
+	"errors"
+
+	"github.com/gin-gonic/gin/binding"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type UserGroupDto struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupDtoWithUsers struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	Users        []UserDto         `json:"users"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupDtoWithUserCount struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	UserCount    int64             `json:"userCount"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
+type UserGroupCreateDto struct {
+	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50" unorm:"nfc"`
+	Name         string `json:"name" binding:"required,min=2,max=255" unorm:"nfc"`
+	LdapID       string `json:"-"`
+}
+
+func (g UserGroupCreateDto) Validate() error {
+	e, ok := binding.Validator.Engine().(interface {
+		Struct(s any) error
+	})
+	if !ok {
+		return errors.New("validator does not implement the expected interface")
+	}
+
+	return e.Struct(g)
+}
+
+type UserGroupUpdateUsersDto struct {
+	UserIDs []string `json:"userIds" binding:"required"`
+}

backend/internal/dto/validations.go

@@ -1,42 +1,85 @@
 package dto
 
 import (
-	"github.com/gin-gonic/gin/binding"
-	"github.com/go-playground/validator/v10"
-	"log"
 	"net/url"
 	"regexp"
+	"strings"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
 )
 
-var validateUrlList validator.Func = func(fl validator.FieldLevel) bool {
-	urls := fl.Field().Interface().([]string)
-	for _, u := range urls {
-		_, err := url.ParseRequestURI(u)
-		if err != nil {
-			return false
-		}
-	}
-	return true
-}
+// [a-zA-Z0-9]      : The username must start with an alphanumeric character
+// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
+// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
+var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
 
-var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
-	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
-	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
-	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
-	regex := "^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$"
-	matched, _ := regexp.MatchString(regex, fl.Field().String())
-	return matched
-}
+var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
 
 func init() {
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("urlList", validateUrlList); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
+	v := binding.Validator.Engine().(*validator.Validate)
+
+	// Maximum allowed value for TTLs
+	const maxTTL = 31 * 24 * time.Hour
+
+	if err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
+		return ValidateUsername(fl.Field().String())
+	}); err != nil {
+		panic("Failed to register custom validation for username: " + err.Error())
 	}
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("username", validateUsername); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
+
+	if err := v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
+		return ValidateClientID(fl.Field().String())
+	}); err != nil {
+		panic("Failed to register custom validation for client_id: " + err.Error())
+	}
+
+	if err := v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
+		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
+		if !ok {
+			return false
 		}
+		// Allow zero, which means the field wasn't set
+		return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
+	}); err != nil {
+		panic("Failed to register custom validation for ttl: " + err.Error())
+	}
+
+	if err := v.RegisterValidation("callback_url", func(fl validator.FieldLevel) bool {
+		return ValidateCallbackURL(fl.Field().String())
+	}); err != nil {
+		panic("Failed to register custom validation for callback_url: " + err.Error())
 	}
 }
+
+// ValidateUsername validates username inputs
+func ValidateUsername(username string) bool {
+	return validateUsernameRegex.MatchString(username)
+}
+
+// ValidateClientID validates client ID inputs
+func ValidateClientID(clientID string) bool {
+	return validateClientIDRegex.MatchString(clientID)
+}
+
+// ValidateCallbackURL validates callback URLs with support for wildcards
+func ValidateCallbackURL(raw string) bool {
+	// Don't validate if it contains a wildcard
+	if strings.Contains(raw, "*") {
+		return true
+	}
+
+	u, err := url.Parse(raw)
+	if err != nil {
+		return false
+	}
+
+	if !u.IsAbs() {
+		return false
+	}
+
+	return true
+}

backend/internal/dto/validations_test.go

@@ -0,0 +1,58 @@
+package dto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateUsername(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid simple", "user123", true},
+		{"valid with dot", "user.name", true},
+		{"valid with underscore", "user_name", true},
+		{"valid with hyphen", "user-name", true},
+		{"valid with at", "user@name", true},
+		{"starts with symbol", ".username", false},
+		{"ends with non-alphanumeric", "username-", false},
+		{"contains space", "user name", false},
+		{"empty", "", false},
+		{"only special chars", "-._@", false},
+		{"valid long", "a1234567890_b.c-d@e", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateUsername(tt.input))
+		})
+	}
+}
+
+func TestValidateClientID(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid simple", "client123", true},
+		{"valid with dot", "client.id", true},
+		{"valid with underscore", "client_id", true},
+		{"valid with hyphen", "client-id", true},
+		{"valid with all", "client.id-123_abc", true},
+		{"contains space", "client id", false},
+		{"contains at", "client@id", false},
+		{"empty", "", false},
+		{"only special chars", "-._", true},
+		{"invalid char", "client!id", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateClientID(tt.input))
+		})
+	}
+}

backend/internal/dto/webauthn_dto.go

@@ -2,7 +2,7 @@ package dto
 
 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	"time"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 
 type WebauthnCredentialDto struct {
@@ -15,9 +15,9 @@ type WebauthnCredentialDto struct {
 	BackupEligible bool `json:"backupEligible"`
 	BackupState    bool `json:"backupState"`
 
-	CreatedAt time.Time `json:"createdAt"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
 }
 
 type WebauthnCredentialUpdateDto struct {
-	Name string `json:"name" binding:"required,min=1,max=30"`
+	Name string `json:"name" binding:"required,min=1,max=50"`
 }

backend/internal/job/analytics_job.go

@@ -0,0 +1,86 @@
+package job
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	backoff "github.com/cenkalti/backoff/v5"
+	"github.com/go-co-op/gocron/v2"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+const heartbeatUrl = "https://analytics.pocket-id.org/heartbeat"
+
+func (s *Scheduler) RegisterAnalyticsJob(ctx context.Context, appConfig *service.AppConfigService, httpClient *http.Client) error {
+	// Skip if analytics are disabled or not in production environment
+	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
+		return nil
+	}
+
+	// Send every 24 hours
+	jobs := &AnalyticsJob{
+		appConfig:  appConfig,
+		httpClient: httpClient,
+	}
+	return s.registerJob(ctx, "SendHeartbeat", gocron.DurationJob(24*time.Hour), jobs.sendHeartbeat, true)
+}
+
+type AnalyticsJob struct {
+	appConfig  *service.AppConfigService
+	httpClient *http.Client
+}
+
+// sendHeartbeat sends a heartbeat to the analytics service
+func (j *AnalyticsJob) sendHeartbeat(parentCtx context.Context) error {
+	// Skip if analytics are disabled or not in production environment
+	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
+		return nil
+	}
+
+	body, err := json.Marshal(struct {
+		Version    string `json:"version"`
+		InstanceID string `json:"instance_id"`
+	}{
+		Version:    common.Version,
+		InstanceID: j.appConfig.GetDbConfig().InstanceID.Value,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to marshal heartbeat body: %w", err)
+	}
+
+	_, err = backoff.Retry(
+		parentCtx,
+		func() (struct{}, error) {
+			ctx, cancel := context.WithTimeout(parentCtx, 20*time.Second)
+			defer cancel()
+			req, err := http.NewRequestWithContext(ctx, http.MethodPost, heartbeatUrl, bytes.NewReader(body))
+			if err != nil {
+				return struct{}{}, fmt.Errorf("failed to create request: %w", err)
+			}
+			req.Header.Set("Content-Type", "application/json")
+			resp, err := j.httpClient.Do(req)
+			if err != nil {
+				return struct{}{}, fmt.Errorf("failed to send request: %w", err)
+			}
+			defer resp.Body.Close()
+			if resp.StatusCode != http.StatusOK {
+				return struct{}{}, fmt.Errorf("request failed with status code: %d", resp.StatusCode)
+			}
+			return struct{}{}, nil
+		},
+		backoff.WithBackOff(backoff.NewExponentialBackOff()),
+		backoff.WithMaxTries(3),
+	)
+
+	if err != nil {
+		return fmt.Errorf("heartbeat request failed: %w", err)
+	}
+
+	return nil
+}

backend/internal/job/api_key_expiry_job.go

@@ -0,0 +1,49 @@
+package job
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/go-co-op/gocron/v2"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyEmailJobs struct {
+	apiKeyService    *service.ApiKeyService
+	appConfigService *service.AppConfigService
+}
+
+func (s *Scheduler) RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) error {
+	jobs := &ApiKeyEmailJobs{
+		apiKeyService:    apiKeyService,
+		appConfigService: appConfigService,
+	}
+
+	// Send every day at midnight
+	return s.registerJob(ctx, "ExpiredApiKeyEmailJob", gocron.CronJob("0 0 * * *", false), jobs.checkAndNotifyExpiringApiKeys, false)
+}
+
+func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
+	// Skip if the feature is disabled
+	if !j.appConfigService.GetDbConfig().EmailApiKeyExpirationEnabled.IsTrue() {
+		return nil
+	}
+
+	apiKeys, err := j.apiKeyService.ListExpiringApiKeys(ctx, 7)
+	if err != nil {
+		return fmt.Errorf("failed to list expiring API keys: %w", err)
+	}
+
+	for _, key := range apiKeys {
+		if key.User.Email == nil {
+			continue
+		}
+		err = j.apiKeyService.SendApiKeyExpiringSoonEmail(ctx, key)
+		if err != nil {
+			slog.ErrorContext(ctx, "Failed to send expiring API key notification email", slog.String("key", key.ID), slog.Any("error", err))
+		}
+	}
+	return nil
+}

backend/internal/job/db_cleanup.go

@@ -1,68 +0,0 @@
-package job
-
-import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"gorm.io/gorm"
-	"log"
-	"time"
-)
-
-func RegisterJobs(db *gorm.DB) {
-	scheduler, err := gocron.NewScheduler()
-	if err != nil {
-		log.Fatalf("Failed to create a new scheduler: %s", err)
-	}
-
-	jobs := &Jobs{db: db}
-
-	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
-	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
-	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
-	scheduler.Start()
-}
-
-type Jobs struct {
-	db *gorm.DB
-}
-
-// ClearWebauthnSessions deletes WebAuthn sessions that have expired
-func (j *Jobs) clearWebauthnSessions() error {
-	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-}
-
-// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
-func (j *Jobs) clearOneTimeAccessTokens() error {
-	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-}
-
-// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
-func (j *Jobs) clearOidcAuthorizationCodes() error {
-	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", utils.FormatDateForDb(time.Now())).Error
-}
-
-// ClearAuditLogs deletes audit logs older than 90 days
-func (j *Jobs) clearAuditLogs() error {
-	return j.db.Delete(&model.AuditLog{}, "created_at < ?", utils.FormatDateForDb(time.Now().AddDate(0, 0, -90))).Error
-}
-
-func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
-	_, err := scheduler.NewJob(
-		gocron.CronJob(interval, false),
-		gocron.NewTask(job),
-		gocron.WithEventListeners(
-			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
-				log.Printf("Job %q run successfully", name)
-			}),
-			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
-				log.Printf("Job %q failed with error: %v", name, err)
-			}),
-		),
-	)
-
-	if err != nil {
-		log.Fatalf("Failed to register job %q: %v", name, err)
-	}
-}