Update example .env to use database for keys storage

Given recent conversations on how the database will be the preferred (or sole) method in a future release, start by updating the example env
2025-12-14 09:12:59 +03:00 · 2025-11-10 07:17:38 -08:00
179 changed files with 6368 additions and 7559 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,18 +1,14 @@
 # See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
 # These variables must be configured for your deployment:
 APP_URL=https://your-pocket-id-domain.com
 # Encryption key (choose one method):
 # Method 1: Direct key (simple but less secure)
 # Generate with: openssl rand -base64 32
 ENCRYPTION_KEY=
 # Method 2: File-based key (recommended)
 # Put the base64 key in a file and point to it here.
 # ENCRYPTION_KEY_FILE=/path/to/encryption_key
 # These variables are optional but recommended to review:
 TRUST_PROXY=false
 MAXMIND_LICENSE_KEY=
 PUID=1000
 PGID=1000
 KEYS_STORAGE=database
 # Encryption key used to protect sensitive data
 # Can be generated with `openssl rand -base64 32`
 # See https://pocket-id.org/docs/configuration/environment-variables#encryption-keys
 ENCRYPTION_KEY=
 # Alternatively, point to a file containing the key (could be a Docker secret)
 #ENCRYPTION_KEY_FILE=
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -2,11 +2,11 @@ name: Run Backend Linter
 on:
  push:
-    branches: [main, breaking/**]
+    branches: [main]
    paths:
      - "backend/**"
  pull_request:
-    branches: [main, breaking/**]
+    branches: [main]
    paths:
      - "backend/**"
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -1,13 +1,13 @@
 name: E2E Tests
 on:
  push:
-    branches: [main, breaking/**]
+    branches: [main]
    paths-ignore:
      - "docs/**"
      - "**.md"
      - ".github/**"
  pull_request:
-    branches: [main, breaking/**]
+    branches: [main]
    paths-ignore:
      - "docs/**"
      - "**.md"
@@ -57,17 +57,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        include:
+        db: [sqlite, postgres, sqlite-s3]
          - db: sqlite
            storage: fs
          - db: postgres
            storage: fs
          - db: sqlite
            storage: s3
          - db: sqlite
            storage: database
          - db: postgres
            storage: database
    steps:
      - uses: actions/checkout@v5
@@ -81,73 +71,64 @@ jobs:
          node-version: 22
      - name: Cache Playwright Browsers
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
      - name: Cache PostgreSQL Docker image
-        uses: actions/cache@v4
+        if: matrix.db == 'postgres'
        uses: actions/cache@v3
        id: postgres-cache
        with:
          path: /tmp/postgres-image.tar
          key: postgres-17-${{ runner.os }}
      - name: Pull and save PostgreSQL image
        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit != 'true'
        run: |
          docker pull postgres:17
          docker save postgres:17 > /tmp/postgres-image.tar
      - name: Load PostgreSQL image
        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/postgres-image.tar
      - name: Cache LLDAP Docker image
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        id: lldap-cache
        with:
          path: /tmp/lldap-image.tar
          key: lldap-stable-${{ runner.os }}
      - name: Pull and save LLDAP image
        if: steps.lldap-cache.outputs.cache-hit != 'true'
        run: |
-          docker pull lldap/lldap:2025-05-19
+          docker pull nitnelave/lldap:stable
-          docker save lldap/lldap:2025-05-19 > /tmp/lldap-image.tar
+          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
      - name: Load LLDAP image
        if: steps.lldap-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/lldap-image.tar
      - name: Cache Localstack S3 Docker image
-        if: matrix.storage == 's3'
+        if: matrix.db == 'sqlite-s3'
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        id: s3-cache
        with:
          path: /tmp/localstack-s3-image.tar
          key: localstack-s3-latest-${{ runner.os }}
      - name: Pull and save Localstack S3 image
-        if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit != 'true'
+        if: matrix.db == 'sqlite-s3' && steps.s3-cache.outputs.cache-hit != 'true'
        run: |
          docker pull localstack/localstack:s3-latest
          docker save localstack/localstack:s3-latest > /tmp/localstack-s3-image.tar
      - name: Load Localstack S3 image
        if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/localstack-s3-image.tar
-      - name: Cache AWS CLI Docker image
+      - name: Load Localstack S3 image
-        if: matrix.storage == 's3'
+        if: matrix.db == 'sqlite-s3' && steps.s3-cache.outputs.cache-hit == 'true'
-        uses: actions/cache@v4
+        run: docker load < /tmp/localstack-s3-image.tar
        id: aws-cli-cache
        with:
          path: /tmp/aws-cli-image.tar
          key: aws-cli-latest-${{ runner.os }}
      - name: Pull and save AWS CLI image
        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit != 'true'
        run: |
          docker pull amazon/aws-cli:latest
          docker save amazon/aws-cli:latest > /tmp/aws-cli-image.tar
      - name: Load AWS CLI image
        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/aws-cli-image.tar
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
@@ -166,33 +147,26 @@ jobs:
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: pnpm exec playwright install --with-deps chromium
-      - name: Run Docker containers
+      - name: Run Docker Container (sqlite) with LDAP
        if: matrix.db == 'sqlite'
        working-directory: ./tests/setup
        run: |
-          DOCKER_COMPOSE_FILE=docker-compose.yml
+          docker compose up -d
          docker compose logs -f pocket-id &> /tmp/backend.log &
-          echo "FILE_BACKEND=${{ matrix.storage }}" > .env
+      - name: Run Docker Container (postgres) with LDAP
-          if [ "${{ matrix.db }}" = "postgres" ]; then
+        if: matrix.db == 'postgres'
-            DOCKER_COMPOSE_FILE=docker-compose-postgres.yml
+        working-directory: ./tests/setup
-          elif [ "${{ matrix.storage }}" = "s3" ]; then
+        run: |
-            DOCKER_COMPOSE_FILE=docker-compose-s3.yml
+          docker compose -f docker-compose-postgres.yml up -d
-          fi
+          docker compose -f docker-compose-postgres.yml logs -f pocket-id &> /tmp/backend.log &
-          docker compose -f "$DOCKER_COMPOSE_FILE" up -d
+      - name: Run Docker Container (sqlite-s3) with LDAP + S3
-
+        if: matrix.db == 'sqlite-s3'
-          {
+        working-directory: ./tests/setup
-            LOG_FILE="/tmp/backend.log"
+        run: |
-            while true; do
+          docker compose -f docker-compose-s3.yml up -d
-              CID=$(docker compose -f "$DOCKER_COMPOSE_FILE" ps -q pocket-id)
+          docker compose -f docker-compose-s3.yml logs -f pocket-id &> /tmp/backend.log &
              if [ -n "$CID" ]; then
                echo "[$(date)] Attaching logs for $CID" >> "$LOG_FILE"
                docker logs -f --since=0 "$CID" >> "$LOG_FILE" 2>&1
              else
                echo "[$(date)] Container not yet running…" >> "$LOG_FILE"
              fi
              sleep 1
            done
          } &
      - name: Run Playwright tests
        working-directory: ./tests
@@ -202,7 +176,7 @@ jobs:
        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
-          name: playwright-report-${{ matrix.db }}-${{ matrix.storage }}
+          name: playwright-report-${{ matrix.db }}
          path: tests/.report
          include-hidden-files: true
          retention-days: 15
@@ -211,7 +185,7 @@ jobs:
        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
-          name: backend-${{ matrix.db }}-${{ matrix.storage }}
+          name: backend-${{ matrix.db }}
          path: /tmp/backend.log
          include-hidden-files: true
          retention-days: 15
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -2,7 +2,7 @@ name: Svelte Check
 on:
  push:
-    branches: [main, breaking/**]
+    branches: [main]
    paths:
      - "frontend/src/**"
      - ".github/svelte-check-matcher.json"
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,7 +1,7 @@
 name: Unit Tests
 on:
  push:
-    branches: [main, breaking/**]
+    branches: [main]
    paths:
      - "backend/**"
  pull_request:
--- a/.gitignore
+++ b/.gitignore
@@ -15,7 +15,6 @@ node_modules
 /backend/bin
 pocket-id
 /tests/test-results/*.json
 .tmp/
 # OS
 .DS_Store
@@ -26,6 +25,7 @@ Thumbs.db
 .env.*
 !.env.development-example
 !.env.test
 !.env.example
 # Vite
 vite.config.js.timestamp-*
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,12 +1,9 @@
 package main
 import (
 	"fmt"
 	"os"
 	_ "time/tzdata"
 	"github.com/pocket-id/pocket-id/backend/internal/cmds"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 // @title Pocket ID API
@@ -14,9 +11,5 @@ import (
 // @description.markdown
 func main() {
 	if err := common.ValidateEnvConfig(&common.EnvConfig); err != nil {
 		fmt.Fprintf(os.Stderr, "config error: %v\n", err)
 		os.Exit(1)
 	}
 	cmds.Execute()
 }
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -3,10 +3,10 @@ module github.com/pocket-id/pocket-id/backend
 go 1.25
 require (
-	github.com/aws/aws-sdk-go-v2 v1.40.0
+	github.com/aws/aws-sdk-go-v2 v1.39.6
-	github.com/aws/aws-sdk-go-v2/config v1.32.2
+	github.com/aws/aws-sdk-go-v2/config v1.31.17
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.2
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.21
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0
 	github.com/aws/smithy-go v1.23.2
 	github.com/caarlos0/env/v11 v11.3.1
 	github.com/cenkalti/backoff/v5 v5.0.3
@@ -14,14 +14,15 @@ require (
 	github.com/disintegration/imaging v1.6.2
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
 	github.com/emersion/go-smtp v0.24.0
-	github.com/gin-contrib/slog v1.2.0
+	github.com/fxamacker/cbor/v2 v2.9.0
 	github.com/gin-contrib/slog v1.1.0
 	github.com/gin-gonic/gin v1.11.0
 	github.com/glebarez/go-sqlite v1.22.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-co-op/gocron/v2 v2.18.1
+	github.com/go-co-op/gocron/v2 v2.17.0
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-playground/validator/v10 v10.28.0
-	github.com/go-webauthn/webauthn v0.15.0
+	github.com/go-webauthn/webauthn v0.14.0
 	github.com/golang-migrate/migrate/v4 v4.19.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-uuid v1.0.3
@@ -33,7 +34,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mileusna/useragent v1.3.5
 	github.com/orandin/slog-gorm v1.4.0
-	github.com/oschwald/maxminddb-golang/v2 v2.1.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/contrib/bridges/otelslog v0.13.0
@@ -47,35 +48,34 @@ require (
 	go.opentelemetry.io/otel/sdk/log v0.14.0
 	go.opentelemetry.io/otel/sdk/metric v1.38.0
 	go.opentelemetry.io/otel/trace v1.38.0
-	golang.org/x/crypto v0.45.0
+	golang.org/x/crypto v0.43.0
-	golang.org/x/image v0.33.0
+	golang.org/x/image v0.32.0
-	golang.org/x/sync v0.18.0
+	golang.org/x/sync v0.17.0
-	golang.org/x/text v0.31.0
+	golang.org/x/text v0.30.0
 	golang.org/x/time v0.14.0
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/gorm v1.31.1
+	gorm.io/gorm v1.31.0
 )
 require (
-	github.com/Azure/go-ntlmssp v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic v1.14.2 // indirect
+	github.com/bytedance/sonic v1.14.1 // indirect
-	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -83,22 +83,20 @@ require (
 	github.com/disintegration/gift v1.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.11 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-webauthn/x v0.1.25 // indirect
 	github.com/go-webauthn/x v0.1.26 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/go-github/v39 v39.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.7 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -121,6 +119,7 @@ require (
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -129,17 +128,17 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/common v0.67.1 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/procfs v0.18.0 // indirect
-	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.57.0 // indirect
+	github.com/quic-go/quic-go v0.55.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
@@ -155,20 +154,22 @@ require (
 	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/arch v0.22.0 // indirect
-	golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251124214823-79d6a2a48846 // indirect
+	golang.org/x/sys v0.37.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
+	golang.org/x/tools v0.38.0 // indirect
-	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.67.1 // indirect
+	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.40.1 // indirect
+	modernc.org/sqlite v1.39.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -1,57 +1,55 @@
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
-github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrKlwc=
+github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
-github.com/aws/aws-sdk-go-v2 v1.40.0/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
+github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
-github.com/aws/aws-sdk-go-v2/config v1.32.2 h1:4liUsdEpUUPZs5WVapsJLx5NPmQhQdez7nYFcovrytk=
+github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
-github.com/aws/aws-sdk-go-v2/config v1.32.2/go.mod h1:l0hs06IFz1eCT+jTacU/qZtC33nvcnLADAPL/XyrkZI=
+github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.2 h1:qZry8VUyTK4VIo5aEdUcBjPZHL2v4FyQ3QEOaWcFLu4=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.2/go.mod h1:YUqm5a1/kBnoK+/NY5WEiMocZihKSo15/tJdmdXnM5g=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14 h1:WZVR5DbDgxzA0BJeudId89Kmgy6DIU4ORpxwsVHz0qA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.14/go.mod h1:Dadl9QO0kHgbrH1GRqGiZdYtW5w+IXXaBNCHTIaheM4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14 h1:PZHqQACxYb8mYgms4RZbhZG0a7dPW06xOjmaH0EJC/I=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.14/go.mod h1:VymhrMJUWs69D8u0/lZ7jSB6WgaG/NqHi3gX0aYf6U0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14 h1:bOS19y6zlJwagBfHxs0ESzr1XCOU2KXJCWcq3E2vfjY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.14/go.mod h1:1ipeGBMAxZ0xcTm6y6paC2C/J6f6OO7LBODV9afuAyM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14 h1:ITi7qiDSv/mSGDSWNpZ4k4Ve0DQR6Ug2SJQ8zEHoDXg=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 h1:eg/WYAa12vqTphzIdWMzqYRVKKnCboVPRlvaybNCqPA=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.14/go.mod h1:k1xtME53H1b6YpZt74YmwlONMWf4ecM+lut1WQLAF/U=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13/go.mod h1:/FDdxWhz1486obGrKKC1HONd7krpk38LBt+dutLcN9k=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5 h1:Hjkh7kE6D81PgrHlE/m9gx+4TyyeLHuY8xJs7yXN5C4=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 h1:NvMjwvv8hpGUILarKw7Z4Q0w1H9anXKsesMxtw++MA4=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.5/go.mod h1:nPRXgyCfAurhyaTMoBMwRBYBhaHI4lNPAnJmjM0Tslc=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4/go.mod h1:455WPHSwaGj2waRSpQp7TsnpOnBfw8iDfPfbwl7KPJE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14 h1:FIouAnCE46kyYqyhs0XEBDFFSREtdnr8HQuLPQPLCrY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.14/go.mod h1:UTwDc5COa5+guonQU8qBikJo1ZJ4ln2r1MkF7Dqag1E=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14 h1:FzQE21lNtUor0Fb7QNgnEyiRCBlolLTX/Z1j65S7teM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 h1:zhBJXdhWIFZ1acfDYIhu4+LCzdUS2Vbcum7D01dXlHQ=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.14/go.mod h1:s1ydyWG9pm3ZwmmYN21HKyG9WzAZhYVW85wMHs5FV6w=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13/go.mod h1:JaaOeCE368qn2Hzi3sEzY6FgAZVCIYcC2nwbro2QCh8=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1 h1:OgQy/+0+Kc3khtqiEOk23xQAglXi3Tj0y5doOxbi5tg=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0 h1:ef6gIJR+xv/JQWwpa5FYirzoQctfSJm7tuDe3SZsUf8=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.92.1/go.mod h1:wYNqY3L02Z3IgRYxOBPH9I1zD9Cjh9hI5QOy/eOjQvw=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.2 h1:MxMBdKTYBjPQChlJhi4qlEueqB1p1KcbTEa7tD5aqPs=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.2/go.mod h1:iS6EPmNeqCsGo+xQmXv0jIMjyYtQfnwg36zl2FwEouk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.5 h1:ksUT5KtgpZd3SAiFJNJ0AFEJVva3gjBmN7eXUZjzUwQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.5/go.mod h1:av+ArJpoYf3pgyrj6tcehSFW+y9/QvAY8kMooR9bZCw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10 h1:GtsxyiF3Nd3JahRBJbxLCCdYW9ltGQYrFWg8XdkGDd8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.10/go.mod h1:/j67Z5XBVDx8nZVp9EuFM9/BS5dvBznbqILGuu73hug=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.2 h1:a5UTtD4mHBU3t0o6aHQZFJTNKVfxFWfPX7J0Lr7G+uY=
 github.com/aws/aws-sdk-go-v2/service/sts v1.41.2/go.mod h1:6TxbXoDSgBQ225Qd8Q+MbxUxUh6TtNKwbRt/EPS9xso=
 github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
 github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
 github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
+github.com/bytedance/sonic v1.14.1 h1:FBMC0zVz5XUmE4z9wF4Jey0An5FueFvOsTKKKtwIl7w=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
+github.com/bytedance/sonic v1.14.1/go.mod h1:gi6uhQLMbTdeP0muCnrjHLeCUPyb70ujhnNlhOylAFc=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
+github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
@@ -97,10 +95,10 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
-github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gin-contrib/slog v1.2.0 h1:vAxZfr7knD1ZYK5+pMJLP52sZXIkJXkcRPa/0dx9hSk=
+github.com/gin-contrib/slog v1.1.0 h1:K9MVNrETT6r/C3u2Aheer/gxwVeVqrGL0hXlsmv3fm4=
-github.com/gin-contrib/slog v1.2.0/go.mod h1:vYK6YltmpsEFkO0zfRMLTKHrWS3DwUSn0TMpT+kMagI=
+github.com/gin-contrib/slog v1.1.0/go.mod h1:PvNXQVXcVOAaaiJR84LV1/xlQHIaXi9ygEXyBkmjdkY=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
@@ -111,8 +109,8 @@ github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GM
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.18.1 h1:VVxgAghLW1Q6VHi/rc+B0ZSpFoUVlWgkw09Yximvn58=
+github.com/go-co-op/gocron/v2 v2.17.0 h1:e/oj6fcAM8vOOKZxv2Cgfmjo+s8AXC46po5ZPtaSea4=
-github.com/go-co-op/gocron/v2 v2.18.1/go.mod h1:Zii6he+Zfgy5W9B+JKk/KwejFOW0kZTFvHtwIpR4aBI=
+github.com/go-co-op/gocron/v2 v2.17.0/go.mod h1:Zii6he+Zfgy5W9B+JKk/KwejFOW0kZTFvHtwIpR4aBI=
 github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
 github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -128,12 +126,10 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
 github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-webauthn/webauthn v0.14.0 h1:ZLNPUgPcDlAeoxe+5umWG/tEeCoQIDr7gE2Zx2QnhL0=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-webauthn/webauthn v0.14.0/go.mod h1:QZzPFH3LJ48u5uEPAu+8/nWJImoLBWM7iAH/kSVSo6k=
-github.com/go-webauthn/webauthn v0.15.0 h1:LR1vPv62E0/6+sTenX35QrCmpMCzLeVAcnXeH4MrbJY=
+github.com/go-webauthn/x v0.1.25 h1:g/0noooIGcz/yCVqebcFgNnGIgBlJIccS+LYAa+0Z88=
-github.com/go-webauthn/webauthn v0.15.0/go.mod h1:hcAOhVChPRG7oqG7Xj6XKN1mb+8eXTGP/B7zBLzkX5A=
+github.com/go-webauthn/x v0.1.25/go.mod h1:ieblaPY1/BVCV0oQTsA/VAo08/TWayQuJuo5Q+XxmTY=
 github.com/go-webauthn/x v0.1.26 h1:eNzreFKnwNLDFoywGh9FA8YOMebBWTUNlNSdolQRebs=
 github.com/go-webauthn/x v0.1.26/go.mod h1:jmf/phPV6oIsF6hmdVre+ovHkxjDOmNH0t6fekWUxvg=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
@@ -156,8 +152,8 @@ github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvt
 github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/go-tpm v0.9.7 h1:u89J4tUUeDTlH8xxC3CTW7OHZjbjKoHdQ9W7gCUhtxA=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
-github.com/google/go-tpm v0.9.7/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
@@ -172,8 +168,6 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -246,6 +240,8 @@ github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuE
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
@@ -267,8 +263,8 @@ github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQ
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/orandin/slog-gorm v1.4.0 h1:FgA8hJufF9/jeNSYoEXmHPPBwET2gwlF3B85JdpsTUU=
 github.com/orandin/slog-gorm v1.4.0/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=
-github.com/oschwald/maxminddb-golang/v2 v2.1.0 h1:2Iv7lmG9XtxuZA/jFAsd7LnZaC1E59pFsj5O/nU15pw=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0 h1:Gyljxck1kHbBxDgLM++NfDWBqvu1pWWfT8XbosSo0bo=
-github.com/oschwald/maxminddb-golang/v2 v2.1.0/go.mod h1:gG4V88LsawPEqtbL1Veh1WRh+nVSYwXzJ1P5Fcn77g0=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0/go.mod h1:gG4V88LsawPEqtbL1Veh1WRh+nVSYwXzJ1P5Fcn77g0=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -279,16 +275,16 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
-github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
 github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
 github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.18.0 h1:2QTA9cKdznfYJz7EDaa7IiJobHuV7E1WzeBwcrhk0ao=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/prometheus/procfs v0.18.0/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
-github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
-github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
@@ -306,20 +302,18 @@ github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3A
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -376,63 +370,63 @@ go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6
 go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
 go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
-go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
-go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
+go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
-golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
-golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 h1:DHNhtq3sNNzrvduZZIiFyXWOL9IWaDPHqTnLJp+rCBY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
+golang.org/x/image v0.32.0 h1:6lZQWq75h7L5IWNk0r+SCpUJ6tUVd3v4ZHnbRKLkUDQ=
-golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
+golang.org/x/image v0.32.0/go.mod h1:/R37rrQmKXtO6tYXAjtDLwQgFLHmhW+V6ayXlxzP2Pc=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto/googleapis/api v0.0.0-20251124214823-79d6a2a48846 h1:ZdyUkS9po3H7G0tuh955QVyyotWvOD4W0aEapeGeUYk=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251124214823-79d6a2a48846/go.mod h1:Fk4kyraUvqD7i5H6S43sj2W98fbZa75lpZz/eUyhfO0=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 h1:Wgl1rcDNThT+Zn47YyCXOXyX/COgMTIdhJ717F0l4xk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -443,22 +437,20 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
+gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
-gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
+modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
-modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
+modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
 modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
 modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
 modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
 modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.67.1 h1:bFaqOaa5/zbWYJo8aW0tXPX21hXsngG2M7mckCnFSVk=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
-modernc.org/libc v1.67.1/go.mod h1:QvvnnJ5P7aitu0ReNpVIEyesuhmDLQ8kaEoyMjIFZJA=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -467,8 +459,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.40.1 h1:VfuXcxcUWWKRBuP8+BR9L7VnmusMgBNNnBYGEe9w/iY=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
-modernc.org/sqlite v1.40.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -7,7 +7,6 @@ import (
 	"time"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
@@ -16,16 +15,6 @@ import (
 )
 func Bootstrap(ctx context.Context) error {
 	var shutdownFns []utils.Service
 	defer func() { //nolint:contextcheck
 		// Invoke all shutdown functions on exit
 		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		if err := utils.NewServiceRunner(shutdownFns...).Run(shutdownCtx); err != nil {
 			slog.Error("Error during graceful shutdown", "error", err)
 		}
 	}()
 	// Initialize the observability stack, including the logger, distributed tracing, and metrics
 	shutdownFns, httpClient, err := initObservability(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
 	if err != nil {
@@ -33,14 +22,28 @@ func Bootstrap(ctx context.Context) error {
 	}
 	slog.InfoContext(ctx, "Pocket ID is starting")
-	db, err := NewDatabase()
+	// Initialize the file storage backend
-	if err != nil {
+	var fileStorage storage.FileStorage
 		return fmt.Errorf("failed to initialize database: %w", err)
 	}
-	fileStorage, err := InitStorage(ctx, db)
+	switch common.EnvConfig.FileBackend {
 	case storage.TypeFileSystem:
 		fileStorage, err = storage.NewFilesystemStorage(common.EnvConfig.UploadPath)
 	case storage.TypeS3:
 		s3Cfg := storage.S3Config{
 			Bucket:          common.EnvConfig.S3Bucket,
 			Region:          common.EnvConfig.S3Region,
 			Endpoint:        common.EnvConfig.S3Endpoint,
 			AccessKeyID:     common.EnvConfig.S3AccessKeyID,
 			SecretAccessKey: common.EnvConfig.S3SecretAccessKey,
 			ForcePathStyle:  common.EnvConfig.S3ForcePathStyle,
 			Root:            common.EnvConfig.UploadPath,
 		}
 		fileStorage, err = storage.NewS3Storage(ctx, s3Cfg)
 	default:
 		err = fmt.Errorf("unknown file storage backend: %s", common.EnvConfig.FileBackend)
 	}
 	if err != nil {
-		return fmt.Errorf("failed to initialize file storage (backend: %s): %w", common.EnvConfig.FileBackend, err)
+		return fmt.Errorf("failed to initialize file storage: %w", err)
 	}
 	imageExtensions, err := initApplicationImages(ctx, fileStorage)
@@ -48,32 +51,18 @@ func Bootstrap(ctx context.Context) error {
 		return fmt.Errorf("failed to initialize application images: %w", err)
 	}
 	// Connect to the database
 	db, err := NewDatabase()
 	if err != nil {
 		return fmt.Errorf("failed to initialize database: %w", err)
 	}
 	// Create all services
 	svc, err := initServices(ctx, db, httpClient, imageExtensions, fileStorage)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 	waitUntil, err := svc.appLockService.Acquire(ctx, false)
 	if err != nil {
 		return fmt.Errorf("failed to acquire application lock: %w", err)
 	}
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
 	case <-time.After(time.Until(waitUntil)):
 	}
 	shutdownFn := func(shutdownCtx context.Context) error {
 		sErr := svc.appLockService.Release(shutdownCtx)
 		if sErr != nil {
 			return fmt.Errorf("failed to release application lock: %w", sErr)
 		}
 		return nil
 	}
 	shutdownFns = append(shutdownFns, shutdownFn)
 	// Init the job scheduler
 	scheduler, err := job.NewScheduler()
 	if err != nil {
@@ -85,51 +74,28 @@ func Bootstrap(ctx context.Context) error {
 	}
 	// Init the router
-	router, err := initRouter(db, svc)
+	router := initRouter(db, svc)
 	if err != nil {
 		return fmt.Errorf("failed to initialize router: %w", err)
 	}
 	// Run all background services
 	// This call blocks until the context is canceled
-	services := []utils.Service{svc.appLockService.RunRenewal, router}
+	err = utils.
-
+		NewServiceRunner(router, scheduler.Run).
-	if common.EnvConfig.AppEnv != "test" {
+		Run(ctx)
 		services = append(services, scheduler.Run)
 	}
 	err = utils.NewServiceRunner(services...).Run(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to run services: %w", err)
 	}
 	// Invoke all shutdown functions
 	// We give these a timeout of 5s
 	// Note: we use a background context because the run context has been canceled already
 	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer shutdownCancel()
 	err = utils.
 		NewServiceRunner(shutdownFns...).
 		Run(shutdownCtx) //nolint:contextcheck
 	if err != nil {
 		slog.Error("Error shutting down services", slog.Any("error", err))
 	}
 	return nil
 }
 func InitStorage(ctx context.Context, db *gorm.DB) (fileStorage storage.FileStorage, err error) {
 	switch common.EnvConfig.FileBackend {
 	case storage.TypeFileSystem:
 		fileStorage, err = storage.NewFilesystemStorage(common.EnvConfig.UploadPath)
 	case storage.TypeDatabase:
 		fileStorage, err = storage.NewDatabaseStorage(db)
 	case storage.TypeS3:
 		s3Cfg := storage.S3Config{
 			Bucket:                        common.EnvConfig.S3Bucket,
 			Region:                        common.EnvConfig.S3Region,
 			Endpoint:                      common.EnvConfig.S3Endpoint,
 			AccessKeyID:                   common.EnvConfig.S3AccessKeyID,
 			SecretAccessKey:               common.EnvConfig.S3SecretAccessKey,
 			ForcePathStyle:                common.EnvConfig.S3ForcePathStyle,
 			DisableDefaultIntegrityChecks: common.EnvConfig.S3DisableDefaultIntegrityChecks,
 			Root:                          common.EnvConfig.UploadPath,
 		}
 		fileStorage, err = storage.NewS3Storage(ctx, s3Cfg)
 	default:
 		err = fmt.Errorf("unknown file storage backend: %s", common.EnvConfig.FileBackend)
 	}
 	if err != nil {
 		return fileStorage, err
 	}
 	return fileStorage, nil
 }
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -12,7 +12,12 @@ import (
 	"time"
 	"github.com/glebarez/sqlite"
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	_ "github.com/golang-migrate/migrate/v4/source/github"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	slogGorm "github.com/orandin/slog-gorm"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
@@ -21,10 +26,11 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	sqliteutil "github.com/pocket-id/pocket-id/backend/internal/utils/sqlite"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
 func NewDatabase() (db *gorm.DB, err error) {
-	db, err = ConnectDatabase()
+	db, err = connectDatabase()
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
@@ -33,15 +39,105 @@ func NewDatabase() (db *gorm.DB, err error) {
 		return nil, fmt.Errorf("failed to get sql.DB: %w", err)
 	}
 	// Choose the correct driver for the database provider
 	var driver database.Driver
 	switch common.EnvConfig.DbProvider {
 	case common.DbProviderSqlite:
 		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
 			NoTxWrap: true,
 		})
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
 		// Should never happen at this point
 		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migration driver: %w", err)
 	}
 	// Run migrations
-	if err := utils.MigrateDatabase(sqlDb); err != nil {
+	if err := migrateDatabase(driver); err != nil {
 		return nil, fmt.Errorf("failed to run migrations: %w", err)
 	}
 	return db, nil
 }
-func ConnectDatabase() (db *gorm.DB, err error) {
+func migrateDatabase(driver database.Driver) error {
 	// Embedded migrations via iofs
 	path := "migrations/" + string(common.EnvConfig.DbProvider)
 	source, err := iofs.New(resources.FS, path)
 	if err != nil {
 		return fmt.Errorf("failed to create embedded migration source: %w", err)
 	}
 	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
 	if err != nil {
 		return fmt.Errorf("failed to create migration instance: %w", err)
 	}
 	requiredVersion, err := getRequiredMigrationVersion(path)
 	if err != nil {
 		return fmt.Errorf("failed to get last migration version: %w", err)
 	}
 	currentVersion, _, _ := m.Version()
 	if currentVersion > requiredVersion {
 		slog.Warn("Database version is newer than the application supports, possible downgrade detected", slog.Uint64("db_version", uint64(currentVersion)), slog.Uint64("app_version", uint64(requiredVersion)))
 		if !common.EnvConfig.AllowDowngrade {
 			return fmt.Errorf("database version (%d) is newer than application version (%d), downgrades are not allowed (set ALLOW_DOWNGRADE=true to enable)", currentVersion, requiredVersion)
 		}
 		slog.Info("Fetching migrations from GitHub to handle possible downgrades")
 		return migrateDatabaseFromGitHub(driver, requiredVersion)
 	}
 	if err := m.Migrate(requiredVersion); err != nil && !errors.Is(err, migrate.ErrNoChange) {
 		return fmt.Errorf("failed to apply embedded migrations: %w", err)
 	}
 	return nil
 }
 func migrateDatabaseFromGitHub(driver database.Driver, version uint) error {
 	srcURL := "github://pocket-id/pocket-id/backend/resources/migrations/" + string(common.EnvConfig.DbProvider)
 	m, err := migrate.NewWithDatabaseInstance(srcURL, "pocket-id", driver)
 	if err != nil {
 		return fmt.Errorf("failed to create GitHub migration instance: %w", err)
 	}
 	if err := m.Migrate(version); err != nil && !errors.Is(err, migrate.ErrNoChange) {
 		return fmt.Errorf("failed to apply GitHub migrations: %w", err)
 	}
 	return nil
 }
 // getRequiredMigrationVersion reads the embedded migration files and returns the highest version number found.
 func getRequiredMigrationVersion(path string) (uint, error) {
 	entries, err := resources.FS.ReadDir(path)
 	if err != nil {
 		return 0, fmt.Errorf("failed to read migration directory: %w", err)
 	}
 	var maxVersion uint
 	for _, entry := range entries {
 		if entry.IsDir() {
 			continue
 		}
 		name := entry.Name()
 		var version uint
 		n, err := fmt.Sscanf(name, "%d_", &version)
 		if err == nil && n == 1 {
 			if version > maxVersion {
 				maxVersion = version
 			}
 		}
 	}
 	return maxVersion, nil
 }
 func connectDatabase() (db *gorm.DB, err error) {
 	var dialector gorm.Dialector
 	// Choose the correct database provider
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -17,7 +17,7 @@ import (
 func init() {
 	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
 		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
-			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService, svc.appLockService, svc.fileStorage)
+			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService, svc.fileStorage)
 			if err != nil {
 				slog.Error("Failed to initialize test service", slog.Any("error", err))
 				os.Exit(1)
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -29,14 +29,23 @@ import (
 // This is used to register additional controllers for tests
 var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
-func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
+func initRouter(db *gorm.DB, svc *services) utils.Service {
 	runner, err := initRouterInternal(db, svc)
 	if err != nil {
 		slog.Error("Failed to init router", "error", err)
 		os.Exit(1)
 	}
 	return runner
 }
 func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
-	case common.AppEnvProduction:
+	case "production":
 		gin.SetMode(gin.ReleaseMode)
-	case common.AppEnvDevelopment:
+	case "development":
 		gin.SetMode(gin.DebugMode)
-	case common.AppEnvTest:
+	case "test":
 		gin.SetMode(gin.TestMode)
 	}
@@ -83,7 +92,7 @@ func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewVersionController(apiGroup, svc.versionService)
 	// Add test controller in non-production environments
-	if !common.EnvConfig.AppEnv.IsProduction() {
+	if common.EnvConfig.AppEnv != "production" {
 		for _, f := range registerTestControllers {
 			f(apiGroup, db, svc)
 		}
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -27,7 +27,6 @@ type services struct {
 	apiKeyService      *service.ApiKeyService
 	versionService     *service.VersionService
 	fileStorage        storage.FileStorage
 	appLockService     *service.AppLockService
 }
 // Initializes all services
@@ -41,7 +40,6 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 	svc.fileStorage = fileStorage
 	svc.appImagesService = service.NewAppImagesService(imageExtensions, fileStorage)
 	svc.appLockService = service.NewAppLockService(db)
 	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
 	if err != nil {
@@ -68,7 +66,7 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
 	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService, svc.appImagesService, fileStorage)
-	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService, fileStorage)
+	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
 	svc.versionService = service.NewVersionService(httpClient)
--- a/backend/internal/cmds/export.go
+++ b/backend/internal/cmds/export.go
@@ -1,70 +0,0 @@
 package cmds
 import (
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/spf13/cobra"
 )
 type exportFlags struct {
 	Path string
 }
 func init() {
 	var flags exportFlags
 	exportCmd := &cobra.Command{
 		Use:   "export",
 		Short: "Exports all data of Pocket ID into a ZIP file",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runExport(cmd.Context(), flags)
 		},
 	}
 	exportCmd.Flags().StringVarP(&flags.Path, "path", "p", "pocket-id-export.zip", "Path to the ZIP file to export the data to, or '-' to write to stdout")
 	rootCmd.AddCommand(exportCmd)
 }
 // runExport orchestrates the export flow
 func runExport(ctx context.Context, flags exportFlags) error {
 	db, err := bootstrap.NewDatabase()
 	if err != nil {
 		return fmt.Errorf("failed to connect to database: %w", err)
 	}
 	storage, err := bootstrap.InitStorage(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to initialize storage: %w", err)
 	}
 	exportService := service.NewExportService(db, storage)
 	var w io.Writer
 	if flags.Path == "-" {
 		w = os.Stdout
 	} else {
 		file, err := os.Create(flags.Path)
 		if err != nil {
 			return fmt.Errorf("failed to create export file: %w", err)
 		}
 		defer file.Close()
 		w = file
 	}
 	if err := exportService.ExportToZip(ctx, w); err != nil {
 		return fmt.Errorf("failed to export data: %w", err)
 	}
 	if flags.Path != "-" {
 		fmt.Printf("Exported data to %s\n", flags.Path)
 	}
 	return nil
 }
--- a/backend/internal/cmds/import.go
+++ b/backend/internal/cmds/import.go
@@ -1,191 +0,0 @@
 package cmds
 import (
 	"archive/zip"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/spf13/cobra"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 type importFlags struct {
 	Path                  string
 	Yes                   bool
 	ForcefullyAcquireLock bool
 }
 func init() {
 	var flags importFlags
 	importCmd := &cobra.Command{
 		Use:   "import",
 		Short: "Imports all data of Pocket ID from a ZIP file",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runImport(cmd.Context(), flags)
 		},
 	}
 	importCmd.Flags().StringVarP(&flags.Path, "path", "p", "pocket-id-export.zip", "Path to the ZIP file to import the data from, or '-' to read from stdin")
 	importCmd.Flags().BoolVarP(&flags.Yes, "yes", "y", false, "Skip confirmation prompts")
 	importCmd.Flags().BoolVarP(&flags.ForcefullyAcquireLock, "forcefully-acquire-lock", "", false, "Forcefully acquire the application lock by terminating the Pocket ID instance")
 	rootCmd.AddCommand(importCmd)
 }
 // runImport handles the high-level orchestration of the import process
 func runImport(ctx context.Context, flags importFlags) error {
 	if !flags.Yes {
 		ok, err := askForConfirmation()
 		if err != nil {
 			return fmt.Errorf("failed to get confirmation: %w", err)
 		}
 		if !ok {
 			fmt.Println("Aborted")
 			os.Exit(1)
 		}
 	}
 	var (
 		zipReader *zip.ReadCloser
 		cleanup   func()
 		err       error
 	)
 	if flags.Path == "-" {
 		zipReader, cleanup, err = readZipFromStdin()
 		defer cleanup()
 	} else {
 		zipReader, err = zip.OpenReader(flags.Path)
 	}
 	if err != nil {
 		return fmt.Errorf("failed to open zip: %w", err)
 	}
 	defer zipReader.Close()
 	db, err := bootstrap.ConnectDatabase()
 	if err != nil {
 		return err
 	}
 	err = acquireImportLock(ctx, db, flags.ForcefullyAcquireLock)
 	if err != nil {
 		return err
 	}
 	storage, err := bootstrap.InitStorage(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to initialize storage: %w", err)
 	}
 	importService := service.NewImportService(db, storage)
 	err = importService.ImportFromZip(ctx, &zipReader.Reader)
 	if err != nil {
 		return fmt.Errorf("failed to import data from zip: %w", err)
 	}
 	fmt.Println("Import completed successfully.")
 	return nil
 }
 func acquireImportLock(ctx context.Context, db *gorm.DB, force bool) error {
 	// Check if the kv table exists, in case we are starting from an empty database
 	exists, err := utils.DBTableExists(db, "kv")
 	if err != nil {
 		return fmt.Errorf("failed to check if kv table exists: %w", err)
 	}
 	if !exists {
 		// This either means the database is empty, or the import is into an old version of PocketID that doesn't support locks
 		// In either case, there's no lock to acquire
 		fmt.Println("Could not acquire a lock because the 'kv' table does not exist. This is fine if you're importing into a new database, but make sure that there isn't an instance of Pocket ID currently running and using the same database.")
 		return nil
 	}
 	// Note that we do not call a deferred Release if the data was imported
 	// This is because we are overriding the contents of the database, so the lock is automatically lost
 	appLockService := service.NewAppLockService(db)
 	opCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 	waitUntil, err := appLockService.Acquire(opCtx, force)
 	if err != nil {
 		if errors.Is(err, service.ErrLockUnavailable) {
 			//nolint:staticcheck
 			return errors.New("Pocket ID must be stopped before importing data; please stop the running instance or run with --forcefully-acquire-lock to terminate the other instance")
 		}
 		return fmt.Errorf("failed to acquire application lock: %w", err)
 	}
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
 	case <-time.After(time.Until(waitUntil)):
 	}
 	return nil
 }
 func askForConfirmation() (bool, error) {
 	fmt.Println("WARNING: This feature is experimental and may not work correctly. Please create a backup before proceeding and report any issues you encounter.")
 	fmt.Println()
 	fmt.Println("WARNING: Import will erase all existing data at the following locations:")
 	fmt.Printf("Database:      %s\n", absolutePathOrOriginal(common.EnvConfig.DbConnectionString))
 	fmt.Printf("Uploads Path:  %s\n", absolutePathOrOriginal(common.EnvConfig.UploadPath))
 	ok, err := utils.PromptForConfirmation("Do you want to continue?")
 	if err != nil {
 		return false, err
 	}
 	return ok, nil
 }
 // absolutePathOrOriginal returns the absolute path of the given path, or the original if it fails
 func absolutePathOrOriginal(path string) string {
 	abs, err := filepath.Abs(path)
 	if err != nil {
 		return path
 	}
 	return abs
 }
 func readZipFromStdin() (*zip.ReadCloser, func(), error) {
 	tmpFile, err := os.CreateTemp("", "pocket-id-import-*.zip")
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create temporary file: %w", err)
 	}
 	cleanup := func() {
 		_ = os.Remove(tmpFile.Name())
 	}
 	if _, err := io.Copy(tmpFile, os.Stdin); err != nil {
 		tmpFile.Close()
 		cleanup()
 		return nil, nil, fmt.Errorf("failed to read data from stdin: %w", err)
 	}
 	if err := tmpFile.Close(); err != nil {
 		cleanup()
 		return nil, nil, fmt.Errorf("failed to close temporary file: %w", err)
 	}
 	r, err := zip.OpenReader(tmpFile.Name())
 	if err != nil {
 		cleanup()
 		return nil, nil, err
 	}
 	return r, cleanup, nil
 }
--- a/backend/internal/cmds/key_rotate.go
+++ b/backend/internal/cmds/key_rotate.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/lestrrat-go/jwx/v3/jwa"
@@ -79,7 +78,7 @@ func keyRotate(ctx context.Context, flags keyRotateFlags, db *gorm.DB, envConfig
 		}
 		if !ok {
 			fmt.Println("Aborted")
-			os.Exit(1)
+			return nil
 		}
 	}
--- a/backend/internal/cmds/key_rotate_test.go
+++ b/backend/internal/cmds/key_rotate_test.go
@@ -1,6 +1,8 @@
 package cmds
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
@@ -67,14 +69,78 @@ func TestKeyRotate(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Run("file storage", func(t *testing.T) {
 				testKeyRotateWithFileStorage(t, tt.flags, tt.wantErr, tt.errMsg)
 			})
 			t.Run("database storage", func(t *testing.T) {
 				testKeyRotateWithDatabaseStorage(t, tt.flags, tt.wantErr, tt.errMsg)
 			})
 		})
 	}
 }
 func testKeyRotateWithFileStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
 	// Create temporary directory for keys
 	tempDir := t.TempDir()
 	keysPath := filepath.Join(tempDir, "keys")
 	err := os.MkdirAll(keysPath, 0755)
 	require.NoError(t, err)
 	// Set up file storage config
 	envConfig := &common.EnvConfigSchema{
 		KeysStorage: "file",
 		KeysPath:    keysPath,
 	}
 	// Create test database
 	db := testingutils.NewDatabaseForTest(t)
 	// Initialize app config service and create instance
 	appConfigService, err := service.NewAppConfigService(t.Context(), db)
 	require.NoError(t, err)
 	instanceID := appConfigService.GetDbConfig().InstanceID.Value
 	// Check if key exists before rotation
 	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, instanceID)
 	require.NoError(t, err)
 	// Run the key rotation
 	err = keyRotate(t.Context(), flags, db, envConfig)
 	if wantErr {
 		require.Error(t, err)
 		if errMsg != "" {
 			require.ErrorContains(t, err, errMsg)
 		}
 		return
 	}
 	require.NoError(t, err)
 	// Verify key was created
 	key, err := keyProvider.LoadKey()
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	// Verify the algorithm matches what we requested
 	alg, _ := key.Algorithm()
 	assert.NotEmpty(t, alg)
 	if flags.Alg != "" {
 		expectedAlg := flags.Alg
 		if expectedAlg == "EdDSA" {
 			// EdDSA keys should have the EdDSA algorithm
 			assert.Equal(t, "EdDSA", alg.String())
 		} else {
 			assert.Equal(t, expectedAlg, alg.String())
 		}
 	}
 }
 func testKeyRotateWithDatabaseStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
 	// Set up database storage config
 	envConfig := &common.EnvConfigSchema{
 		KeysStorage:   "database",
 		EncryptionKey: []byte("test-encryption-key-characters-long"),
 	}
--- a/backend/internal/cmds/root.go
+++ b/backend/internal/cmds/root.go
@@ -15,7 +15,6 @@ var rootCmd = &cobra.Command{
 	Use:   "pocket-id",
 	Short: "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.",
 	Long:  "By default, this command starts the pocket-id server.",
 	SilenceUsage: true,
 	Run: func(cmd *cobra.Command, args []string) {
 		// Start the server
 		err := bootstrap.Bootstrap(cmd.Context())
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -15,7 +15,6 @@ import (
 	_ "github.com/joho/godotenv/autoload"
 )
 type AppEnv string
 type DbProvider string
 const (
@@ -26,9 +25,6 @@ const (
 )
 const (
 	AppEnvProduction        AppEnv     = "production"
 	AppEnvDevelopment       AppEnv     = "development"
 	AppEnvTest              AppEnv     = "test"
 	DbProviderSqlite        DbProvider = "sqlite"
 	DbProviderPostgres      DbProvider = "postgres"
 	MaxMindGeoLiteCityUrl   string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
@@ -38,40 +34,38 @@ const (
 )
 type EnvConfigSchema struct {
-	AppEnv             AppEnv `env:"APP_ENV" options:"toLower"`
+	AppEnv             string     `env:"APP_ENV" options:"toLower"`
 	LogLevel           string     `env:"LOG_LEVEL" options:"toLower"`
 	LogJSON            bool   `env:"LOG_JSON"`
 	AppURL             string     `env:"APP_URL" options:"toLower,trimTrailingSlash"`
-	DbProvider         DbProvider
+	DbProvider         DbProvider `env:"DB_PROVIDER" options:"toLower"`
 	DbConnectionString string     `env:"DB_CONNECTION_STRING" options:"file"`
 	EncryptionKey      []byte `env:"ENCRYPTION_KEY" options:"file"`
 	Port               string `env:"PORT"`
 	Host               string `env:"HOST" options:"toLower"`
 	UnixSocket         string `env:"UNIX_SOCKET"`
 	UnixSocketMode     string `env:"UNIX_SOCKET_MODE"`
 	LocalIPv6Ranges    string `env:"LOCAL_IPV6_RANGES"`
 	UiConfigDisabled   bool   `env:"UI_CONFIG_DISABLED"`
 	MetricsEnabled     bool   `env:"METRICS_ENABLED"`
 	TracingEnabled     bool   `env:"TRACING_ENABLED"`
 	TrustProxy         bool   `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool   `env:"ANALYTICS_DISABLED"`
 	AllowDowngrade     bool   `env:"ALLOW_DOWNGRADE"`
 	InternalAppURL     string `env:"INTERNAL_APP_URL"`
 	MaxMindLicenseKey string `env:"MAXMIND_LICENSE_KEY" options:"file"`
 	GeoLiteDBPath     string `env:"GEOLITE_DB_PATH"`
 	GeoLiteDBUrl      string `env:"GEOLITE_DB_URL"`
 	FileBackend        string     `env:"FILE_BACKEND" options:"toLower"`
 	UploadPath         string     `env:"UPLOAD_PATH"`
 	S3Bucket           string     `env:"S3_BUCKET"`
 	S3Region           string     `env:"S3_REGION"`
 	S3Endpoint         string     `env:"S3_ENDPOINT"`
 	S3AccessKeyID      string     `env:"S3_ACCESS_KEY_ID"`
 	S3SecretAccessKey  string     `env:"S3_SECRET_ACCESS_KEY"`
 	S3ForcePathStyle   bool       `env:"S3_FORCE_PATH_STYLE"`
-	S3DisableDefaultIntegrityChecks bool   `env:"S3_DISABLE_DEFAULT_INTEGRITY_CHECKS"`
+	KeysPath           string     `env:"KEYS_PATH"`
 	KeysStorage        string     `env:"KEYS_STORAGE"`
 	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
 	Port               string     `env:"PORT"`
 	Host               string     `env:"HOST" options:"toLower"`
 	UnixSocket         string     `env:"UNIX_SOCKET"`
 	UnixSocketMode     string     `env:"UNIX_SOCKET_MODE"`
 	MaxMindLicenseKey  string     `env:"MAXMIND_LICENSE_KEY" options:"file"`
 	GeoLiteDBPath      string     `env:"GEOLITE_DB_PATH"`
 	GeoLiteDBUrl       string     `env:"GEOLITE_DB_URL"`
 	LocalIPv6Ranges    string     `env:"LOCAL_IPV6_RANGES"`
 	UiConfigDisabled   bool       `env:"UI_CONFIG_DISABLED"`
 	MetricsEnabled     bool       `env:"METRICS_ENABLED"`
 	TracingEnabled     bool       `env:"TRACING_ENABLED"`
 	LogJSON            bool       `env:"LOG_JSON"`
 	TrustProxy         bool       `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
 	AllowDowngrade     bool       `env:"ALLOW_DOWNGRADE"`
 	InternalAppURL     string     `env:"INTERNAL_APP_URL"`
 }
 var EnvConfig = defaultConfig()
@@ -86,10 +80,11 @@ func init() {
 func defaultConfig() EnvConfigSchema {
 	return EnvConfigSchema{
-		AppEnv:        AppEnvProduction,
+		AppEnv:        "production",
 		LogLevel:      "info",
 		DbProvider:    "sqlite",
 		FileBackend:   "fs",
 		KeysPath:      "data/keys",
 		AppURL:        AppUrl,
 		Port:          "1411",
 		Host:          "0.0.0.0",
@@ -117,28 +112,32 @@ func parseEnvConfig() error {
 		return fmt.Errorf("error preparing env config: %w", err)
 	}
 	err = validateEnvConfig(&EnvConfig)
 	if err != nil {
 		return err
 	}
 	return nil
 }
-// ValidateEnvConfig checks the EnvConfig for required fields and valid values
+// validateEnvConfig checks the EnvConfig for required fields and valid values
-func ValidateEnvConfig(config *EnvConfigSchema) error {
+func validateEnvConfig(config *EnvConfigSchema) error {
 	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
 		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
 	}
-	if len(config.EncryptionKey) < 16 {
+	switch config.DbProvider {
-		return errors.New("ENCRYPTION_KEY must be at least 16 bytes long")
+	case DbProviderSqlite:
-	}
+		if config.DbConnectionString == "" {
 	switch {
 	case config.DbConnectionString == "":
 		config.DbProvider = DbProviderSqlite
 			config.DbConnectionString = defaultSqliteConnString
-	case strings.HasPrefix(config.DbConnectionString, "postgres://") || strings.HasPrefix(config.DbConnectionString, "postgresql://"):
+		}
-		config.DbProvider = DbProviderPostgres
+	case DbProviderPostgres:
 		if config.DbConnectionString == "" {
 			return errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
 		}
 	default:
-		config.DbProvider = DbProviderSqlite
+		return errors.New("invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
 	}
 	parsedAppUrl, err := url.Parse(config.AppURL)
@@ -162,14 +161,31 @@ func ValidateEnvConfig(config *EnvConfigSchema) error {
 		}
 	}
 	switch config.KeysStorage {
 	// KeysStorage defaults to "file" if empty
 	case "":
 		config.KeysStorage = "file"
 	case "database":
 		if config.EncryptionKey == nil {
 			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
 		}
 	case "file":
 		// All good, these are valid values
 	default:
 		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
 	}
 	switch config.FileBackend {
-	case "s3", "database":
+	case "s3":
 		if config.KeysStorage == "file" {
 			return errors.New("KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
 		}
 	case "", "fs":
 		if config.UploadPath == "" {
 			config.UploadPath = defaultFsUploadPath
 		}
 	default:
-		return errors.New("invalid FILE_BACKEND value. Must be 'fs', 'database', or 's3'")
+		return errors.New("invalid FILE_BACKEND value. Must be 'fs' or 's3'")
 	}
 	// Validate LOCAL_IPV6_RANGES
@@ -270,11 +286,3 @@ func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructFi
 	return nil
 }
 func (a AppEnv) IsProduction() bool {
 	return a == AppEnvProduction
 }
 func (a AppEnv) IsTest() bool {
 	return a == AppEnvTest
 }
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -8,20 +8,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 func parseAndValidateEnvConfig(t *testing.T) error {
 	t.Helper()
 	if _, exists := os.LookupEnv("ENCRYPTION_KEY"); !exists {
 		t.Setenv("ENCRYPTION_KEY", "0123456789abcdef")
 	}
 	if err := parseEnvConfig(); err != nil {
 		return err
 	}
 	return ValidateEnvConfig(&EnvConfig)
 }
 func TestParseEnvConfig(t *testing.T) {
 	// Store original config to restore later
 	originalConfig := EnvConfig
@@ -31,10 +17,11 @@ func TestParseEnvConfig(t *testing.T) {
 	t.Run("should parse valid SQLite config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "SQLITE") // should be lowercased automatically
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "HTTP://LOCALHOST:3000")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, DbProviderSqlite, EnvConfig.DbProvider)
 		assert.Equal(t, "http://localhost:3000", EnvConfig.AppURL)
@@ -42,76 +29,147 @@ func TestParseEnvConfig(t *testing.T) {
 	t.Run("should parse valid Postgres config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "POSTGRES")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://user:pass@localhost/db")
 		t.Setenv("APP_URL", "https://example.com")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, DbProviderPostgres, EnvConfig.DbProvider)
 	})
-	t.Run("should fail when ENCRYPTION_KEY is too short", func(t *testing.T) {
+	t.Run("should fail with invalid DB_PROVIDER", func(t *testing.T) {
 		EnvConfig = defaultConfig()
-		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("DB_PROVIDER", "invalid")
 		t.Setenv("DB_CONNECTION_STRING", "test")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("ENCRYPTION_KEY", "short")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
-		assert.ErrorContains(t, err, "ENCRYPTION_KEY must be at least 16 bytes long")
+		assert.ErrorContains(t, err, "invalid DB_PROVIDER value")
 	})
 	t.Run("should set default SQLite connection string when DB_CONNECTION_STRING is empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("APP_URL", "http://localhost:3000")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, defaultSqliteConnString, EnvConfig.DbConnectionString)
 	})
 	t.Run("should fail when Postgres DB_CONNECTION_STRING is missing", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "missing required env var 'DB_CONNECTION_STRING' for Postgres")
 	})
 	t.Run("should fail with invalid APP_URL", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "€://not-a-valid-url")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "APP_URL is not a valid URL")
 	})
 	t.Run("should fail when APP_URL contains path", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000/path")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "APP_URL must not contain a path")
 	})
 	t.Run("should fail with invalid INTERNAL_APP_URL", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("INTERNAL_APP_URL", "€://not-a-valid-url")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "INTERNAL_APP_URL is not a valid URL")
 	})
 	t.Run("should fail when INTERNAL_APP_URL contains path", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("INTERNAL_APP_URL", "http://localhost:3000/path")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "INTERNAL_APP_URL must not contain a path")
 	})
 	t.Run("should default KEYS_STORAGE to 'file' when empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, "file", EnvConfig.KeysStorage)
 	})
 	t.Run("should fail when KEYS_STORAGE is 'database' but no encryption key", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("KEYS_STORAGE", "database")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
 	})
 	t.Run("should accept valid KEYS_STORAGE values", func(t *testing.T) {
 		validStorageTypes := []string{"file", "database"}
 		for _, storage := range validStorageTypes {
 			EnvConfig = defaultConfig()
 			t.Setenv("DB_PROVIDER", "sqlite")
 			t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 			t.Setenv("APP_URL", "http://localhost:3000")
 			t.Setenv("KEYS_STORAGE", storage)
 			if storage == "database" {
 				t.Setenv("ENCRYPTION_KEY", "test-key")
 			}
 			err := parseEnvConfig()
 			require.NoError(t, err)
 			assert.Equal(t, storage, EnvConfig.KeysStorage)
 		}
 	})
 	t.Run("should fail with invalid KEYS_STORAGE value", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("KEYS_STORAGE", "invalid")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "invalid value for KEYS_STORAGE")
 	})
 	t.Run("should parse boolean environment variables correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("UI_CONFIG_DISABLED", "true")
@@ -120,7 +178,7 @@ func TestParseEnvConfig(t *testing.T) {
 		t.Setenv("TRUST_PROXY", "true")
 		t.Setenv("ANALYTICS_DISABLED", "false")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.True(t, EnvConfig.UiConfigDisabled)
 		assert.True(t, EnvConfig.MetricsEnabled)
@@ -131,19 +189,21 @@ func TestParseEnvConfig(t *testing.T) {
 	t.Run("should parse string environment variables correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
 		t.Setenv("APP_URL", "https://prod.example.com")
-		t.Setenv("APP_ENV", "PRODUCTION")
+		t.Setenv("APP_ENV", "STAGING")
 		t.Setenv("UPLOAD_PATH", "/custom/uploads")
 		t.Setenv("KEYS_PATH", "/custom/keys")
 		t.Setenv("PORT", "8080")
 		t.Setenv("HOST", "LOCALHOST")
 		t.Setenv("UNIX_SOCKET", "/tmp/app.sock")
 		t.Setenv("MAXMIND_LICENSE_KEY", "test-license")
 		t.Setenv("GEOLITE_DB_PATH", "/custom/geolite.mmdb")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
-		assert.Equal(t, AppEnvProduction, EnvConfig.AppEnv) // lowercased
+		assert.Equal(t, "staging", EnvConfig.AppEnv) // lowercased
 		assert.Equal(t, "/custom/uploads", EnvConfig.UploadPath)
 		assert.Equal(t, "8080", EnvConfig.Port)
 		assert.Equal(t, "localhost", EnvConfig.Host) // lowercased
@@ -151,24 +211,38 @@ func TestParseEnvConfig(t *testing.T) {
 	t.Run("should normalize file backend and default upload path", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("FILE_BACKEND", "FS")
 		t.Setenv("UPLOAD_PATH", "")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, "fs", EnvConfig.FileBackend)
 		assert.Equal(t, defaultFsUploadPath, EnvConfig.UploadPath)
 	})
 	t.Run("should fail when FILE_BACKEND is s3 but keys are stored on filesystem", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("FILE_BACKEND", "s3")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
 	})
 	t.Run("should fail with invalid FILE_BACKEND value", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("FILE_BACKEND", "invalid")
-		err := parseAndValidateEnvConfig(t)
+		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "invalid FILE_BACKEND value")
 	})
@@ -205,7 +279,7 @@ func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 		err := prepareEnvConfig(&config)
 		require.NoError(t, err)
-		assert.Equal(t, AppEnv("staging"), config.AppEnv)
+		assert.Equal(t, "staging", config.AppEnv)
 		assert.Equal(t, "localhost", config.Host)
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, dbConnContent, config.DbConnectionString)
--- a/backend/internal/controller/e2etest_controller.go
+++ b/backend/internal/controller/e2etest_controller.go
@@ -40,11 +40,6 @@ func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 		return
 	}
 	if err := tc.TestService.ResetLock(c.Request.Context()); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	if err := tc.TestService.ResetApplicationImages(c.Request.Context()); err != nil {
 		_ = c.Error(err)
 		return
@@ -74,6 +69,8 @@ func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 		}
 	}
 	tc.TestService.SetJWTKeys()
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -587,6 +587,7 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 	}
 	c.Status(http.StatusNoContent)
 }
 // deleteClientLogoHandler godoc
@@ -613,6 +614,7 @@ func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
 	}
 	c.Status(http.StatusNoContent)
 }
 // updateAllowedUserGroupsHandler godoc
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -57,7 +57,7 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 	}
 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request, c.ClientIP())
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -134,10 +134,8 @@ func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")
 	clientIP := c.ClientIP()
 	userAgent := c.Request.UserAgent()
-	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -47,7 +47,7 @@ type AppConfigUpdateDto struct {
 	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
 	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
 	LdapAttributeGroupName                     string `json:"ldapAttributeGroupName"`
-	LdapAdminGroupName                         string `json:"ldapAdminGroupName"`
+	LdapAttributeAdminGroup                    string `json:"ldapAttributeAdminGroup"`
 	LdapSoftDeleteUsers                        string `json:"ldapSoftDeleteUsers"`
 	EmailOneTimeAccessAsAdminEnabled           string `json:"emailOneTimeAccessAsAdminEnabled" binding:"required"`
 	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
--- a/backend/internal/job/analytics_job.go
+++ b/backend/internal/job/analytics_job.go
@@ -19,7 +19,7 @@ const heartbeatUrl = "https://analytics.pocket-id.org/heartbeat"
 func (s *Scheduler) RegisterAnalyticsJob(ctx context.Context, appConfig *service.AppConfigService, httpClient *http.Client) error {
 	// Skip if analytics are disabled or not in production environment
-	if common.EnvConfig.AnalyticsDisabled || !common.EnvConfig.AppEnv.IsProduction() {
+	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
 		return nil
 	}
@@ -39,7 +39,7 @@ type AnalyticsJob struct {
 // sendHeartbeat sends a heartbeat to the analytics service
 func (j *AnalyticsJob) sendHeartbeat(parentCtx context.Context) error {
 	// Skip if analytics are disabled or not in production environment
-	if common.EnvConfig.AnalyticsDisabled || !common.EnvConfig.AppEnv.IsProduction() {
+	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
 		return nil
 	}
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -29,7 +29,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
 		// Skip rate limiting for localhost and test environment
 		// If the client ip is localhost the request comes from the frontend
-		if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv.IsTest() {
+		if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv == "test" {
 			c.Next()
 			return
 		}
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -77,7 +77,7 @@ type AppConfig struct {
 	LdapAttributeGroupMember           AppConfigVariable `key:"ldapAttributeGroupMember"`
 	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
 	LdapAttributeGroupName             AppConfigVariable `key:"ldapAttributeGroupName"`
-	LdapAdminGroupName                 AppConfigVariable `key:"ldapAdminGroupName"`
+	LdapAttributeAdminGroup            AppConfigVariable `key:"ldapAttributeAdminGroup"`
 	LdapSoftDeleteUsers                AppConfigVariable `key:"ldapSoftDeleteUsers"`
 }
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -34,8 +34,6 @@ const (
 	AuditLogEventNewClientAuthorization     AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 	AuditLogEventDeviceCodeAuthorization    AuditLogEvent = "DEVICE_CODE_AUTHORIZATION"
 	AuditLogEventNewDeviceCodeAuthorization AuditLogEvent = "NEW_DEVICE_CODE_AUTHORIZATION"
 	AuditLogEventPasskeyAdded               AuditLogEvent = "PASSKEY_ADDED"
 	AuditLogEventPasskeyRemoved             AuditLogEvent = "PASSKEY_REMOVED"
 )
 // Scan and Value methods for GORM to handle the custom type
--- a/backend/internal/model/storage.go
+++ b/backend/internal/model/storage.go
@@ -1,17 +0,0 @@
 package model
 import (
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 type Storage struct {
 	Path      string `gorm:"primaryKey"`
 	Data      []byte
 	Size      int64
 	ModTime   datatype.DateTime
 	CreatedAt datatype.DateTime
 }
 func (Storage) TableName() string {
 	return "storage"
 }
--- a/backend/internal/model/types/date_time.go
+++ b/backend/internal/model/types/date_time.go
@@ -11,15 +11,6 @@ import (
 // DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres
 type DateTime time.Time //nolint:recvcheck
 func DateTimeFromString(str string) (DateTime, error) {
 	t, err := time.Parse(time.RFC3339Nano, str)
 	if err != nil {
 		return DateTime{}, fmt.Errorf("failed to parse date string: %w", err)
 	}
 	return DateTime(t), nil
 }
 func (date *DateTime) Scan(value any) (err error) {
 	switch v := value.(type) {
 	case time.Time:
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -102,7 +102,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
 		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
 		LdapAttributeGroupName:             model.AppConfigVariable{},
-		LdapAdminGroupName:                 model.AppConfigVariable{},
+		LdapAttributeAdminGroup:            model.AppConfigVariable{},
 		LdapSoftDeleteUsers:                model.AppConfigVariable{Value: "true"},
 	}
 }
--- a/backend/internal/service/app_lock_service.go
+++ b/backend/internal/service/app_lock_service.go
@@ -1,296 +0,0 @@
 package service
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 )
 var (
 	ErrLockUnavailable = errors.New("lock is already held by another process")
 	ErrLockLost        = errors.New("lock ownership lost")
 )
 const (
 	ttl           = 30 * time.Second
 	renewInterval = 20 * time.Second
 	renewRetries  = 3
 	lockKey       = "application_lock"
 )
 type AppLockService struct {
 	db        *gorm.DB
 	lockID    string
 	processID int64
 	hostID    string
 }
 func NewAppLockService(db *gorm.DB) *AppLockService {
 	host, err := os.Hostname()
 	if err != nil || host == "" {
 		host = "unknown-host"
 	}
 	return &AppLockService{
 		db:        db,
 		processID: int64(os.Getpid()),
 		hostID:    host,
 		lockID:    uuid.NewString(),
 	}
 }
 type lockValue struct {
 	ProcessID int64  `json:"process_id"`
 	HostID    string `json:"host_id"`
 	LockID    string `json:"lock_id"`
 	ExpiresAt int64  `json:"expires_at"`
 }
 func (lv *lockValue) Marshal() (string, error) {
 	data, err := json.Marshal(lv)
 	if err != nil {
 		return "", err
 	}
 	return string(data), nil
 }
 func (lv *lockValue) Unmarshal(raw string) error {
 	if raw == "" {
 		return nil
 	}
 	return json.Unmarshal([]byte(raw), lv)
 }
 // Acquire obtains the lock. When force is true, the lock is stolen from any existing owner.
 // If the lock is forcefully acquired, it blocks until the previous lock has expired.
 func (s *AppLockService) Acquire(ctx context.Context, force bool) (waitUntil time.Time, err error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var prevLockRaw string
 	err = tx.
 		WithContext(ctx).
 		Model(&model.KV{}).
 		Where("key = ?", lockKey).
 		Clauses(clause.Locking{Strength: "UPDATE"}).
 		Select("value").
 		Scan(&prevLockRaw).
 		Error
 	if err != nil {
 		return time.Time{}, fmt.Errorf("query existing lock: %w", err)
 	}
 	var prevLock lockValue
 	if prevLockRaw != "" {
 		if err := prevLock.Unmarshal(prevLockRaw); err != nil {
 			return time.Time{}, fmt.Errorf("decode existing lock value: %w", err)
 		}
 	}
 	now := time.Now()
 	nowUnix := now.Unix()
 	value := lockValue{
 		ProcessID: s.processID,
 		HostID:    s.hostID,
 		LockID:    s.lockID,
 		ExpiresAt: now.Add(ttl).Unix(),
 	}
 	raw, err := value.Marshal()
 	if err != nil {
 		return time.Time{}, fmt.Errorf("encode lock value: %w", err)
 	}
 	var query string
 	switch s.db.Name() {
 	case "sqlite":
 		query = `
 			INSERT INTO kv (key, value)
 			VALUES (?, ?)
 			ON CONFLICT(key) DO UPDATE SET 
 				value = excluded.value
 			WHERE (json_extract(kv.value, '$.expires_at') < ?) OR ?
 		`
 	case "postgres":
 		query = `
 			INSERT INTO kv (key, value)
 			VALUES ($1, $2)
 			ON CONFLICT(key) DO UPDATE SET 
 				value = excluded.value
 			WHERE ((kv.value::json->>'expires_at')::bigint < $3) OR ($4::boolean IS TRUE)
 		`
 	default:
 		return time.Time{}, fmt.Errorf("unsupported database dialect: %s", s.db.Name())
 	}
 	res := tx.WithContext(ctx).Exec(query, lockKey, raw, nowUnix, force)
 	if res.Error != nil {
 		return time.Time{}, fmt.Errorf("lock acquisition failed: %w", res.Error)
 	}
 	if err := tx.Commit().Error; err != nil {
 		return time.Time{}, fmt.Errorf("commit lock acquisition: %w", err)
 	}
 	// If there is a lock that is not expired and force is false, no rows will be affected
 	if res.RowsAffected == 0 {
 		return time.Time{}, ErrLockUnavailable
 	}
 	if force && prevLock.ExpiresAt > nowUnix && prevLock.LockID != s.lockID {
 		waitUntil = time.Unix(prevLock.ExpiresAt, 0)
 	}
 	attrs := []any{
 		slog.Int64("process_id", s.processID),
 		slog.String("host_id", s.hostID),
 	}
 	if wait := time.Until(waitUntil); wait > 0 {
 		attrs = append(attrs, slog.Duration("wait_before_proceeding", wait))
 	}
 	slog.Info("Acquired application lock", attrs...)
 	return waitUntil, nil
 }
 // RunRenewal keeps renewing the lock until the context is canceled.
 func (s *AppLockService) RunRenewal(ctx context.Context) error {
 	ticker := time.NewTicker(renewInterval)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 			return nil
 		case <-ticker.C:
 			if err := s.renew(ctx); err != nil {
 				return fmt.Errorf("renew lock: %w", err)
 			}
 		}
 	}
 }
 // Release releases the lock if it is held by this process.
 func (s *AppLockService) Release(ctx context.Context) error {
 	opCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
 	defer cancel()
 	var query string
 	switch s.db.Name() {
 	case "sqlite":
 		query = `
 		DELETE FROM kv
 		WHERE key = ?
 		  AND json_extract(value, '$.lock_id') = ?
 	`
 	case "postgres":
 		query = `
 		DELETE FROM kv
 		WHERE key = $1
 		  AND value::json->>'lock_id' = $2
 	`
 	default:
 		return fmt.Errorf("unsupported database dialect: %s", s.db.Name())
 	}
 	res := s.db.WithContext(opCtx).Exec(query, lockKey, s.lockID)
 	if res.Error != nil {
 		return fmt.Errorf("release lock failed: %w", res.Error)
 	}
 	if res.RowsAffected == 0 {
 		slog.Warn("Application lock not held by this process, cannot release",
 			slog.Int64("process_id", s.processID),
 			slog.String("host_id", s.hostID),
 		)
 	}
 	slog.Info("Released application lock",
 		slog.Int64("process_id", s.processID),
 		slog.String("host_id", s.hostID),
 	)
 	return nil
 }
 // renew tries to renew the lock, retrying up to renewRetries times (sleeping 1s between attempts).
 func (s *AppLockService) renew(ctx context.Context) error {
 	var lastErr error
 	for attempt := 1; attempt <= renewRetries; attempt++ {
 		now := time.Now()
 		nowUnix := now.Unix()
 		expiresAt := now.Add(ttl).Unix()
 		value := lockValue{
 			LockID:    s.lockID,
 			ProcessID: s.processID,
 			HostID:    s.hostID,
 			ExpiresAt: expiresAt,
 		}
 		raw, err := value.Marshal()
 		if err != nil {
 			return fmt.Errorf("encode lock value: %w", err)
 		}
 		var query string
 		switch s.db.Name() {
 		case "sqlite":
 			query = `
 				UPDATE kv
 				SET value = ?
 				WHERE key = ?
 				  AND json_extract(value, '$.lock_id') = ?
 				  AND json_extract(value, '$.expires_at') > ?
 			`
 		case "postgres":
 			query = `
 				UPDATE kv
 				SET value = $1
 				WHERE key = $2
 				  AND value::json->>'lock_id' = $3
 				  AND ((value::json->>'expires_at')::bigint > $4)
 			`
 		default:
 			return fmt.Errorf("unsupported database dialect: %s", s.db.Name())
 		}
 		opCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
 		res := s.db.WithContext(opCtx).Exec(query, raw, lockKey, s.lockID, nowUnix)
 		cancel()
 		switch {
 		case res.Error != nil:
 			lastErr = fmt.Errorf("lock renewal failed: %w", res.Error)
 		case res.RowsAffected == 0:
 			// Must be after checking res.Error
 			return ErrLockLost
 		default:
 			slog.Debug("Renewed application lock",
 				slog.Int64("process_id", s.processID),
 				slog.String("host_id", s.hostID),
 			)
 			return nil
 		}
 		// Wait before next attempt or cancel if context is done
 		if attempt < renewRetries {
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
 			case <-time.After(1 * time.Second):
 			}
 		}
 	}
 	return lastErr
 }
--- a/backend/internal/service/app_lock_service_test.go
+++ b/backend/internal/service/app_lock_service_test.go
@@ -1,189 +0,0 @@
 package service
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 func newTestAppLockService(t *testing.T, db *gorm.DB) *AppLockService {
 	t.Helper()
 	return &AppLockService{
 		db:        db,
 		processID: 1,
 		hostID:    "test-host",
 		lockID:    "a13c7673-c7ae-49f1-9112-2cd2d0d4b0c1",
 	}
 }
 func insertLock(t *testing.T, db *gorm.DB, value lockValue) {
 	t.Helper()
 	raw, err := value.Marshal()
 	require.NoError(t, err)
 	err = db.Create(&model.KV{Key: lockKey, Value: &raw}).Error
 	require.NoError(t, err)
 }
 func readLockValue(t *testing.T, db *gorm.DB) lockValue {
 	t.Helper()
 	var row model.KV
 	err := db.Take(&row, "key = ?", lockKey).Error
 	require.NoError(t, err)
 	require.NotNil(t, row.Value)
 	var value lockValue
 	err = value.Unmarshal(*row.Value)
 	require.NoError(t, err)
 	return value
 }
 func TestAppLockServiceAcquire(t *testing.T) {
 	t.Run("creates new lock when none exists", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		_, err := service.Acquire(context.Background(), false)
 		require.NoError(t, err)
 		stored := readLockValue(t, db)
 		require.Equal(t, service.processID, stored.ProcessID)
 		require.Equal(t, service.hostID, stored.HostID)
 		require.Greater(t, stored.ExpiresAt, time.Now().Unix())
 	})
 	t.Run("returns ErrLockUnavailable when lock held by another process", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		existing := lockValue{
 			ProcessID: 99,
 			HostID:    "other-host",
 			ExpiresAt: time.Now().Add(ttl).Unix(),
 		}
 		insertLock(t, db, existing)
 		_, err := service.Acquire(context.Background(), false)
 		require.ErrorIs(t, err, ErrLockUnavailable)
 		current := readLockValue(t, db)
 		require.Equal(t, existing, current)
 	})
 	t.Run("force acquisition steals lock", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		insertLock(t, db, lockValue{
 			ProcessID: 99,
 			HostID:    "other-host",
 			ExpiresAt: time.Now().Unix(),
 		})
 		_, err := service.Acquire(context.Background(), true)
 		require.NoError(t, err)
 		stored := readLockValue(t, db)
 		require.Equal(t, service.processID, stored.ProcessID)
 		require.Equal(t, service.hostID, stored.HostID)
 		require.Greater(t, stored.ExpiresAt, time.Now().Unix())
 	})
 }
 func TestAppLockServiceRelease(t *testing.T) {
 	t.Run("removes owned lock", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		_, err := service.Acquire(context.Background(), false)
 		require.NoError(t, err)
 		err = service.Release(context.Background())
 		require.NoError(t, err)
 		var row model.KV
 		err = db.Take(&row, "key = ?", lockKey).Error
 		require.ErrorIs(t, err, gorm.ErrRecordNotFound)
 	})
 	t.Run("ignores lock held by another owner", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		existing := lockValue{
 			ProcessID: 2,
 			HostID:    "other-host",
 			ExpiresAt: time.Now().Add(ttl).Unix(),
 		}
 		insertLock(t, db, existing)
 		err := service.Release(context.Background())
 		require.NoError(t, err)
 		stored := readLockValue(t, db)
 		require.Equal(t, existing, stored)
 	})
 }
 func TestAppLockServiceRenew(t *testing.T) {
 	t.Run("extends expiration when lock is still owned", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		_, err := service.Acquire(context.Background(), false)
 		require.NoError(t, err)
 		before := readLockValue(t, db)
 		err = service.renew(context.Background())
 		require.NoError(t, err)
 		after := readLockValue(t, db)
 		require.Equal(t, service.processID, after.ProcessID)
 		require.Equal(t, service.hostID, after.HostID)
 		require.GreaterOrEqual(t, after.ExpiresAt, before.ExpiresAt)
 	})
 	t.Run("returns ErrLockLost when lock is missing", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		err := service.renew(context.Background())
 		require.ErrorIs(t, err, ErrLockLost)
 	})
 	t.Run("returns ErrLockLost when ownership changed", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		service := newTestAppLockService(t, db)
 		_, err := service.Acquire(context.Background(), false)
 		require.NoError(t, err)
 		// Simulate a different process taking the lock.
 		newOwner := lockValue{
 			ProcessID: 9,
 			HostID:    "stolen-host",
 			ExpiresAt: time.Now().Add(ttl).Unix(),
 		}
 		raw, marshalErr := newOwner.Marshal()
 		require.NoError(t, marshalErr)
 		updateErr := db.Model(&model.KV{}).
 			Where("key = ?", lockKey).
 			Update("value", raw).Error
 		require.NoError(t, updateErr)
 		err = service.renew(context.Background())
 		require.ErrorIs(t, err, ErrLockLost)
 	})
 }
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -34,7 +34,7 @@ func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent,
 	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
 		// Log the error but don't interrupt the operation
-		slog.Warn("Failed to get IP location", slog.String("ip", ipAddress), slog.Any("error", err))
+		slog.Warn("Failed to get IP location", "error", err)
 	}
 	auditLog := model.AuditLog{
@@ -201,8 +201,8 @@ func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[s
 		WithContext(ctx).
 		Joins("User").
 		Model(&model.AuditLog{}).
-		Select(`DISTINCT "User".id, "User".username`).
+		Select("DISTINCT \"User\".id, \"User\".username").
-		Where(`"User".username IS NOT NULL`)
+		Where("\"User\".username IS NOT NULL")
 	type Result struct {
 		ID       string `gorm:"column:id"`
@@ -210,8 +210,7 @@ func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[s
 	}
 	var results []Result
-	err = query.Find(&results).Error
+	if err := query.Find(&results).Error; err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("failed to query user IDs: %w", err)
 	}
@@ -247,8 +246,7 @@ func (s *AuditLogService) ListClientNames(ctx context.Context) (clientNames []st
 	}
 	var results []Result
-	err = query.Find(&results).Error
+	if err := query.Find(&results).Error; err != nil {
 	if err != nil {
 		return nil, fmt.Errorf("failed to query client IDs: %w", err)
 	}
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -7,12 +7,14 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
 	"log/slog"
 	"path"
 	"time"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwk"
@@ -34,17 +36,15 @@ type TestService struct {
 	appConfigService *AppConfigService
 	ldapService      *LdapService
 	fileStorage      storage.FileStorage
 	appLockService   *AppLockService
 	externalIdPKey   jwk.Key
 }
-func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService, ldapService *LdapService, appLockService *AppLockService, fileStorage storage.FileStorage) (*TestService, error) {
+func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService, ldapService *LdapService, fileStorage storage.FileStorage) (*TestService, error) {
 	s := &TestService{
 		db:               db,
 		appConfigService: appConfigService,
 		jwtService:       jwtService,
 		ldapService:      ldapService,
 		appLockService:   appLockService,
 		fileStorage:      fileStorage,
 	}
 	err := s.initExternalIdP()
@@ -288,8 +288,8 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
 		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
-		publicKeyPasskey1, _ := base64.StdEncoding.DecodeString("pQMmIAEhWCDBw6jkpXXr0pHrtAQetxiR5cTcILG/YGDCdKrhVhNDHCJYIIu12YrF6B7Frwl3AUqEpdrYEwj3Fo3XkGgvrBIJEUmGAQI=")
+		publicKeyPasskey1, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
-		publicKeyPasskey2, _ := base64.StdEncoding.DecodeString("pSJYIPmc+FlEB0neERqqscxKckGF8yq1AYrANiloshAUAouHAQIDJiABIVggj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbI=")
+		publicKeyPasskey2, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
 		webauthnCredentials := []model.WebauthnCredential{
 			{
 				Name:            "Passkey 1",
@@ -318,10 +318,6 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			Challenge:        "challenge",
 			ExpiresAt:        datatype.DateTime(time.Now().Add(1 * time.Hour)),
 			UserVerification: "preferred",
 			CredentialParams: model.CredentialParameters{
 				{Type: "public-key", Algorithm: -7},
 				{Type: "public-key", Algorithm: -257},
 			},
 		}
 		if err := tx.Create(&webauthnSession).Error; err != nil {
 			return err
@@ -334,7 +330,6 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			Name:   "Test API Key",
 			Key:    "6c34966f57ef2bb7857649aff0e7ab3ad67af93c846342ced3f5a07be8706c20",
 			UserID: users[0].ID,
 			ExpiresAt: datatype.DateTime(time.Now().Add(30 * 24 * time.Hour)),
 		}
 		if err := tx.Create(&apiKey).Error; err != nil {
 			return err
@@ -384,20 +379,6 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			}
 		}
 		keyValues := []model.KV{
 			{
 				Key: jwkutils.PrivateKeyDBKey,
 				// {"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}
 				Value: utils.Ptr("7d/5hl7diJ2rnFL14hEAQf9tzpu29aqXQ8jpJ2iqqKUNFZpdOkEpud0CmRv4H3r8yyk2u/Gqqj9klSy58DJkYXGF5PAYgLyoBIb7L3JXWRbxg4cQ3QJCug13l2OTmpAKoVc+rmX8c3j3h1sNqyJ+7Ql5sS0jSeyiYgIsFNCdnK5alBDyvtcpe/QDpklmP4JCeVpvmf2rLGplk3g5UO5ydJ8UiDXxfDmi+gF6NKJvrGnnah8Ar3G/x88z+tTJtp0DIQFwxXwUM2XZqzEVGm8K2r0w5o9/Keh6bBBaiuH2C78ZOaijGV3DovhR+e9J0cYUYGwT42MZMx9fSWQ/lvWGGnf+Uq3MXJfjWSREfhkp8KTQwR9F7+dnVJWswOEk7jPR8I7hCWTMxJyvaFX3wgAXIVmhrgXZQQbYOqTt56IoqUl0xOJku8dA8opg2UcLlmmuOh6+hfkXKsiiS/H/9c1BVIGj1fCOiT6IePh4wKKSTbwJnPD5EKmdJpgTsUpjcDnXQKY4ReO0UpdRdKxwRDDLeQuG6j+ljGxR9GPudCU9Nmci6rFVI6n5LWYkQxBA1O73RpmXRZPDzntDfpXMEonkmSvOoxaCK2Id7CRKMdqvR0kEouwnhk5WSFtsfi3sA0pkXzPFxwZeWM8vFtbffZOZzXaOhxCOfcj1NClZohlZhyc4jvkxmrpY7PSaAzih0AmHI7y0LYFi6fZu/K4EheVa1+KF55nWZ8ARikHMWKAKkyExkTak7xyN884TDmzURRaPlQg4jzQte5WMNjAG/hlHibdMBNvgwiYd49ZxteJ8ABdbiXVRl+2JGbdjl2ubpQZwOn7bJKlqO56bIwsZ+e4+pXsuOGdBahkHrUjtMEmH3DZbGc6CJLbcmdhdpApLQRRcLAazxJhzAwJ47FRYsHsj57LnYNvmcKdIxw8rxCdLUuzz95uw0T3ankEO5J9sjem+HMEuKdwXK1UcuOn2rjR8Sd/BuvQmeso27dFbPXqXYNS90Ml45YyTvcKSiopD181oZR703TFUSpR7dsiqROMr+p/2jN9h6a8WbQ8xpksyclaQByY/M77AssbXnG6wfhRsntNIINCZLbBnjXOyz6ZHIC5K4tSTdcnWaiYPeRPQmnw9UUvHAcNU2yMWsy0eU377yDS0WstTxOdQutTdkczl8kv5Lo26JiEK7mSIuRK19ffF9Zz8FG8+eKv5zdyIPjyQRDYBysUoDv5huKe2eoxJu/MWS2Pql/ZtUGeD6Ozm3mCvh0vQ9ceagBkY6Ocm3du0ziAKP29Ri0mjg4DizVorbLzsh+EQH/s2Pi9MnjUZDlEmuLl2Xfp7/w4j/8u0N0tVR70VDFuGdKpTjFY3vS8EJrPtyMTM51x1D9rb8gIql8aR/rJw4YF+huxg1mv5n6+tGVqg5msbPmF12eJijP4lkmaRwIpLW5pJTtaDkUj7uOeu1mm4k+Dt5nh0/0jPHzrv6bcTCcbV7UjMHDoTXXqEpFAAJ66rHR7zdAJu+YKsnTIZyLmOpcowq7LL8G9qTvV0OSpyQWUIavRSgbDHFqEqRs+JU94jAzkq8nCY5MTd9m5sIv9InfdT3k+pwpsE/FKge8nghFLtbUrafGkzTky8SE2druvVcIvbfXMfLIKRUYjJgnWc0gQzF5J6pzXM7D2r/RG6JDzASqjlbURq6v9bhNerlOVdMujWKEEVcKWIzlbt4RkihRjM8AUqIZQOyicGQ+4yfIjAHw5viuABONYs3OIWULnFqJxdvS9rNKhfxSjIq9cfqyzevq2xrRoMXEonobh6M3bD2Vang8OAeVeD1OXWPERi4pepCYFS9RJ/Xa/UWxptsqSNuGcb3fAzQSmLpXLGdWRoKXvSe7EYgc0bGcLOjSTu5RURKo+EF9i4KT9EJauf6VXw5dTf/CCIJRXE1bWzXhSCFYntohYhX2ldOCDYpi/jFBC6Vtkw0ud3/xq8Nmhd5gUk+SpngByCZH3Pm3H+jvlbMpiqkDkm1v74hDX13Xhrcw2eWyuqKBVoRCCniUvwpYNbGvBfjC6Hcizv0Aybciwj+4nybt5EPoEUm6S6Gs7fG7QpPdvrzpAxX70MlmdkF/gwyuhbEeJhLK+WL7qAsN5CvHPzVbsIf90x+nGTtMJPgpxVr0tJMj+vprXV4WxutfARBiOnqe58MhA857sd+MzKBgKnoLOBRTiC3qc/0/ULwbG2HCCD7nmwzz7M4nUuMvo8rgS7z0BF68OClT8X3JwSXbL5Wg=="),
 			},
 		}
 		for _, kv := range keyValues {
 			if err := tx.Create(&kv).Error; err != nil {
 				return err
 			}
 		}
 		return nil
 	})
@@ -445,8 +426,7 @@ func (s *TestService) ResetDatabase() error {
 }
 func (s *TestService) ResetApplicationImages(ctx context.Context) error {
-	err := s.fileStorage.DeleteAll(ctx, "/")
+	if err := s.fileStorage.DeleteAll(ctx, "/"); err != nil {
 	if err != nil {
 		slog.ErrorContext(ctx, "Error removing uploads", slog.Any("error", err))
 		return err
 	}
@@ -465,8 +445,7 @@ func (s *TestService) ResetApplicationImages(ctx context.Context) error {
 		if err != nil {
 			return err
 		}
-		err = s.fileStorage.Save(ctx, path.Join("application-images", file.Name()), srcFile)
+		if err := s.fileStorage.Save(ctx, path.Join("application-images", file.Name()), srcFile); err != nil {
 		if err != nil {
 			srcFile.Close()
 			return err
 		}
@@ -483,29 +462,47 @@ func (s *TestService) ResetAppConfig(ctx context.Context) error {
 		return err
 	}
 	// Manually set instance ID
 	err = s.appConfigService.UpdateAppConfigValues(ctx, "instanceId", "test-instance-id")
 	if err != nil {
 		return err
 	}
 	// Reload the app config from the database after resetting the values
-	err = s.appConfigService.LoadDbConfig(ctx)
+	return s.appConfigService.LoadDbConfig(ctx)
 	if err != nil {
 		return err
 	}
 	// Reload the JWK
 	if err := s.jwtService.LoadOrGenerateKey(); err != nil {
 		return err
 	}
 	return nil
 }
-func (s *TestService) ResetLock(ctx context.Context) error {
+func (s *TestService) SetJWTKeys() {
-	_, err := s.appLockService.Acquire(ctx, true)
+	const privateKeyString = `{"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}`
-	return err
+
 	privateKey, _ := jwk.ParseKey([]byte(privateKeyString))
 	_ = s.jwtService.SetKey(privateKey)
 }
 // getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
 func (s *TestService) getCborPublicKey(base64PublicKey string) ([]byte, error) {
 	decodedKey, err := base64.StdEncoding.DecodeString(base64PublicKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode base64 key: %w", err)
 	}
 	pubKey, err := x509.ParsePKIXPublicKey(decodedKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse public key: %w", err)
 	}
 	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
 	if !ok {
 		return nil, fmt.Errorf("not an ECDSA public key")
 	}
 	coseKey := map[int]interface{}{
 		1:  2,                     // Key type: EC2
 		3:  -7,                    // Algorithm: ECDSA with SHA-256
 		-1: 1,                     // Curve: P-256
 		-2: ecdsaPubKey.X.Bytes(), // X coordinate
 		-3: ecdsaPubKey.Y.Bytes(), // Y coordinate
 	}
 	cborPublicKey, err := cbor.Marshal(coseKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal COSE key: %w", err)
 	}
 	return cborPublicKey, nil
 }
 // SyncLdap triggers an LDAP synchronization
@@ -532,7 +529,7 @@ func (s *TestService) SetLdapTestConfig(ctx context.Context) error {
 			"ldapAttributeGroupUniqueIdentifier": "uuid",
 			"ldapAttributeGroupName":             "uid",
 			"ldapAttributeGroupMember":           "member",
-			"ldapAdminGroupName":                 "admin_group",
+			"ldapAttributeAdminGroup":            "admin_group",
 			"ldapSoftDeleteUsers":                "true",
 			"ldapEnabled":                        "true",
 		}
--- a/backend/internal/service/export_service.go
+++ b/backend/internal/service/export_service.go
@@ -1,217 +0,0 @@
 package service
 import (
 	"archive/zip"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"path/filepath"
 	"gorm.io/gorm"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 // ExportService handles exporting Pocket ID data into a ZIP archive.
 type ExportService struct {
 	db      *gorm.DB
 	storage storage.FileStorage
 }
 func NewExportService(db *gorm.DB, storage storage.FileStorage) *ExportService {
 	return &ExportService{
 		db:      db,
 		storage: storage,
 	}
 }
 // ExportToZip performs the full export process and writes the ZIP data to the given writer.
 func (s *ExportService) ExportToZip(ctx context.Context, w io.Writer) error {
 	dbData, err := s.extractDatabase()
 	if err != nil {
 		return err
 	}
 	return s.writeExportZipStream(ctx, w, dbData)
 }
 // extractDatabase reads all tables into a DatabaseExport struct
 func (s *ExportService) extractDatabase() (DatabaseExport, error) {
 	schema, err := utils.LoadDBSchemaTypes(s.db)
 	if err != nil {
 		return DatabaseExport{}, fmt.Errorf("failed to load schema types: %w", err)
 	}
 	version, err := s.schemaVersion()
 	if err != nil {
 		return DatabaseExport{}, err
 	}
 	out := DatabaseExport{
 		Provider: s.db.Name(),
 		Version:  version,
 		Tables:   map[string][]map[string]any{},
 		// These tables need to be inserted in a specific order because of foreign key constraints
 		// Not all tables are listed here, because not all tables are order-dependent
 		TableOrder: []string{"users", "user_groups", "oidc_clients"},
 	}
 	for table := range schema {
 		if table == "storage" || table == "schema_migrations" {
 			continue
 		}
 		err = s.dumpTable(table, schema[table], &out)
 		if err != nil {
 			return DatabaseExport{}, err
 		}
 	}
 	return out, nil
 }
 func (s *ExportService) schemaVersion() (uint, error) {
 	var version uint
 	if err := s.db.Raw("SELECT version FROM schema_migrations").Row().Scan(&version); err != nil {
 		return 0, fmt.Errorf("failed to query schema version: %w", err)
 	}
 	return version, nil
 }
 // dumpTable selects all rows from a table and appends them to out.Tables
 func (s *ExportService) dumpTable(table string, types utils.DBSchemaTableTypes, out *DatabaseExport) error {
 	rows, err := s.db.Raw("SELECT * FROM " + table).Rows()
 	if err != nil {
 		return fmt.Errorf("failed to read table %s: %w", table, err)
 	}
 	defer rows.Close()
 	cols, _ := rows.Columns()
 	if len(cols) != len(types) {
 		// Should never happen...
 		return fmt.Errorf("mismatched columns in table (%d) and schema (%d)", len(cols), len(types))
 	}
 	for rows.Next() {
 		vals := s.getScanValuesForTable(cols, types)
 		err = rows.Scan(vals...)
 		if err != nil {
 			return fmt.Errorf("failed to scan row in table %s: %w", table, err)
 		}
 		rowMap := make(map[string]any, len(cols))
 		for i, col := range cols {
 			rowMap[col] = vals[i]
 		}
 		// Skip the app lock row in the kv table
 		if table == "kv" {
 			if keyPtr, ok := rowMap["key"].(*string); ok && keyPtr != nil && *keyPtr == lockKey {
 				continue
 			}
 		}
 		out.Tables[table] = append(out.Tables[table], rowMap)
 	}
 	return rows.Err()
 }
 func (s *ExportService) getScanValuesForTable(cols []string, types utils.DBSchemaTableTypes) []any {
 	res := make([]any, len(cols))
 	for i, col := range cols {
 		// Store a pointer
 		// Note: don't create a helper function for this switch, because it would return type "any" and mess everything up
 		// If the column is nullable, we need a pointer to a pointer!
 		switch types[col].Name {
 		case "boolean", "bool":
 			var x bool
 			if types[col].Nullable {
 				res[i] = utils.Ptr(utils.Ptr(x))
 			} else {
 				res[i] = utils.Ptr(x)
 			}
 		case "blob", "bytea", "jsonb":
 			// Treat jsonb columns as binary too
 			var x []byte
 			if types[col].Nullable {
 				res[i] = utils.Ptr(utils.Ptr(x))
 			} else {
 				res[i] = utils.Ptr(x)
 			}
 		case "timestamp", "timestamptz", "timestamp with time zone", "datetime":
 			var x datatype.DateTime
 			if types[col].Nullable {
 				res[i] = utils.Ptr(utils.Ptr(x))
 			} else {
 				res[i] = utils.Ptr(x)
 			}
 		case "integer", "int", "bigint":
 			var x int64
 			if types[col].Nullable {
 				res[i] = utils.Ptr(utils.Ptr(x))
 			} else {
 				res[i] = utils.Ptr(x)
 			}
 		default:
 			// Treat everything else as a string (including the "numeric" type)
 			var x string
 			if types[col].Nullable {
 				res[i] = utils.Ptr(utils.Ptr(x))
 			} else {
 				res[i] = utils.Ptr(x)
 			}
 		}
 	}
 	return res
 }
 func (s *ExportService) writeExportZipStream(ctx context.Context, w io.Writer, dbData DatabaseExport) error {
 	zipWriter := zip.NewWriter(w)
 	// Add database.json
 	jsonWriter, err := zipWriter.Create("database.json")
 	if err != nil {
 		return fmt.Errorf("failed to create database.json in zip: %w", err)
 	}
 	jsonEncoder := json.NewEncoder(jsonWriter)
 	jsonEncoder.SetEscapeHTML(false)
 	if err := jsonEncoder.Encode(dbData); err != nil {
 		return fmt.Errorf("failed to encode database.json: %w", err)
 	}
 	// Add uploaded files
 	if err := s.addUploadsToZip(ctx, zipWriter); err != nil {
 		return err
 	}
 	return zipWriter.Close()
 }
 // addUploadsToZip adds all files from the storage to the ZIP archive under the "uploads/" directory
 func (s *ExportService) addUploadsToZip(ctx context.Context, zipWriter *zip.Writer) error {
 	return s.storage.Walk(ctx, "/", func(p storage.ObjectInfo) error {
 		zipPath := filepath.Join("uploads", p.Path)
 		w, err := zipWriter.Create(zipPath)
 		if err != nil {
 			return fmt.Errorf("failed to create zip entry for %s: %w", zipPath, err)
 		}
 		f, _, err := s.storage.Open(ctx, p.Path)
 		if err != nil {
 			return fmt.Errorf("failed to open file %s: %w", zipPath, err)
 		}
 		defer f.Close()
 		if _, err := io.Copy(w, f); err != nil {
 			return fmt.Errorf("failed to copy file %s into zip: %w", zipPath, err)
 		}
 		return nil
 	})
 }
--- a/backend/internal/service/import_service.go
+++ b/backend/internal/service/import_service.go
@@ -1,264 +0,0 @@
 package service
 import (
 	"archive/zip"
 	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"slices"
 	"strings"
 	"gorm.io/gorm"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 // ImportService handles importing Pocket ID data from an exported ZIP archive.
 type ImportService struct {
 	db      *gorm.DB
 	storage storage.FileStorage
 }
 type DatabaseExport struct {
 	Provider   string                      `json:"provider"`
 	Version    uint                        `json:"version"`
 	Tables     map[string][]map[string]any `json:"tables"`
 	TableOrder []string                    `json:"tableOrder"`
 }
 func NewImportService(db *gorm.DB, storage storage.FileStorage) *ImportService {
 	return &ImportService{
 		db:      db,
 		storage: storage,
 	}
 }
 // ImportFromZip performs the full import process from the given ZIP reader.
 func (s *ImportService) ImportFromZip(ctx context.Context, r *zip.Reader) error {
 	dbData, err := processZipDatabaseJson(r.File)
 	if err != nil {
 		return err
 	}
 	err = s.ImportDatabase(dbData)
 	if err != nil {
 		return err
 	}
 	err = s.importUploads(ctx, r.File)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // ImportDatabase only imports the database data from the given DatabaseExport struct.
 func (s *ImportService) ImportDatabase(dbData DatabaseExport) error {
 	err := s.resetSchema(dbData.Version, dbData.Provider)
 	if err != nil {
 		return err
 	}
 	err = s.insertData(dbData)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // processZipDatabaseJson extracts database.json from the ZIP archive
 func processZipDatabaseJson(files []*zip.File) (dbData DatabaseExport, err error) {
 	for _, f := range files {
 		if f.Name == "database.json" {
 			return parseDatabaseJsonStream(f)
 		}
 	}
 	return dbData, errors.New("database.json not found in the ZIP file")
 }
 func parseDatabaseJsonStream(f *zip.File) (dbData DatabaseExport, err error) {
 	rc, err := f.Open()
 	if err != nil {
 		return dbData, fmt.Errorf("failed to open database.json: %w", err)
 	}
 	defer rc.Close()
 	err = json.NewDecoder(rc).Decode(&dbData)
 	if err != nil {
 		return dbData, fmt.Errorf("failed to decode database.json: %w", err)
 	}
 	return dbData, nil
 }
 // importUploads imports files from the uploads/ directory in the ZIP archive
 func (s *ImportService) importUploads(ctx context.Context, files []*zip.File) error {
 	const maxFileSize = 50 << 20 // 50 MiB
 	const uploadsPrefix = "uploads/"
 	for _, f := range files {
 		if !strings.HasPrefix(f.Name, uploadsPrefix) {
 			continue
 		}
 		if f.UncompressedSize64 > maxFileSize {
 			return fmt.Errorf("file %s too large (%d bytes)", f.Name, f.UncompressedSize64)
 		}
 		targetPath := strings.TrimPrefix(f.Name, uploadsPrefix)
 		if strings.HasSuffix(f.Name, "/") || targetPath == "" {
 			continue // Skip directories
 		}
 		err := s.storage.DeleteAll(ctx, targetPath)
 		if err != nil {
 			return fmt.Errorf("failed to delete existing file %s: %w", targetPath, err)
 		}
 		rc, err := f.Open()
 		if err != nil {
 			return err
 		}
 		buf, err := io.ReadAll(rc)
 		rc.Close()
 		if err != nil {
 			return fmt.Errorf("read file %s: %w", f.Name, err)
 		}
 		err = s.storage.Save(ctx, targetPath, bytes.NewReader(buf))
 		if err != nil {
 			return fmt.Errorf("failed to save file %s: %w", targetPath, err)
 		}
 	}
 	return nil
 }
 // resetSchema drops the existing schema and migrates to the target version
 func (s *ImportService) resetSchema(targetVersion uint, exportDbProvider string) error {
 	sqlDb, err := s.db.DB()
 	if err != nil {
 		return fmt.Errorf("failed to get sql.DB: %w", err)
 	}
 	m, err := utils.GetEmbeddedMigrateInstance(sqlDb)
 	if err != nil {
 		return fmt.Errorf("failed to get migrate instance: %w", err)
 	}
 	err = m.Drop()
 	if err != nil {
 		return fmt.Errorf("failed to drop existing schema: %w", err)
 	}
 	// Needs to be called again to re-create the schema_migrations table
 	m, err = utils.GetEmbeddedMigrateInstance(sqlDb)
 	if err != nil {
 		return fmt.Errorf("failed to get migrate instance: %w", err)
 	}
 	err = m.Migrate(targetVersion)
 	if err != nil {
 		return fmt.Errorf("migration failed: %w", err)
 	}
 	return nil
 }
 // insertData populates the DB with the imported data
 func (s *ImportService) insertData(dbData DatabaseExport) error {
 	schema, err := utils.LoadDBSchemaTypes(s.db)
 	if err != nil {
 		return fmt.Errorf("failed to load schema types: %w", err)
 	}
 	return s.db.Transaction(func(tx *gorm.DB) error {
 		// Iterate through all tables
 		// Some tables need to be processed in order
 		tables := make([]string, 0, len(dbData.Tables))
 		tables = append(tables, dbData.TableOrder...)
 		for t := range dbData.Tables {
 			// Skip tables already present where the order matters
 			// Also skip the schema_migrations table
 			if slices.Contains(dbData.TableOrder, t) || t == "schema_migrations" {
 				continue
 			}
 			tables = append(tables, t)
 		}
 		// Insert rows
 		for _, table := range tables {
 			for _, row := range dbData.Tables[table] {
 				err = normalizeRowWithSchema(row, table, schema)
 				if err != nil {
 					return fmt.Errorf("failed to normalize row for table '%s': %w", table, err)
 				}
 				err = tx.Table(table).Create(row).Error
 				if err != nil {
 					return fmt.Errorf("failed inserting into table '%s': %w", table, err)
 				}
 			}
 		}
 		return nil
 	})
 }
 // normalizeRowWithSchema converts row values based on the DB schema
 func normalizeRowWithSchema(row map[string]any, table string, schema utils.DBSchemaTypes) error {
 	if schema[table] == nil {
 		return fmt.Errorf("schema not found for table '%s'", table)
 	}
 	for col, val := range row {
 		if val == nil {
 			// If the value is nil, skip the column
 			continue
 		}
 		colType := schema[table][col]
 		switch colType.Name {
 		case "timestamp", "timestamptz", "timestamp with time zone", "datetime":
 			// Dates are stored as strings
 			str, ok := val.(string)
 			if !ok {
 				return fmt.Errorf("value for column '%s/%s' was expected to be a string, but was '%T'", table, col, val)
 			}
 			d, err := datatype.DateTimeFromString(str)
 			if err != nil {
 				return fmt.Errorf("failed to decode value for column '%s/%s' as timestamp: %w", table, col, err)
 			}
 			row[col] = d
 		case "blob", "bytea", "jsonb":
 			// Binary data and jsonb data is stored in the file as base64-encoded string
 			str, ok := val.(string)
 			if !ok {
 				return fmt.Errorf("value for column '%s/%s' was expected to be a string, but was '%T'", table, col, val)
 			}
 			b, err := base64.StdEncoding.DecodeString(str)
 			if err != nil {
 				return fmt.Errorf("failed to decode value for column '%s/%s' from base64: %w", table, col, err)
 			}
 			// For jsonb, we additionally cast to json.RawMessage
 			if colType.Name == "jsonb" {
 				row[col] = json.RawMessage(b)
 			} else {
 				row[col] = b
 			}
 		}
 	}
 	return nil
 }
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -18,6 +18,14 @@ import (
 )
 const (
 	// PrivateKeyFile is the path in the data/keys folder where the key is stored
 	// This is a JSON file containing a key encoded as JWK
 	PrivateKeyFile = "jwt_private_key.json"
 	// PrivateKeyFileEncrypted is the path in the data/keys folder where the encrypted key is stored
 	// This is a encrypted JSON file containing a key encoded as JWK
 	PrivateKeyFileEncrypted = "jwt_private_key.json.enc"
 	// KeyUsageSigning is the usage for the private keys, for the "use" property
 	KeyUsageSigning = "sig"
@@ -48,7 +56,6 @@ const (
 )
 type JwtService struct {
 	db               *gorm.DB
 	envConfig        *common.EnvConfigSchema
 	privateKey       jwk.Key
 	keyId            string
@@ -59,6 +66,7 @@ type JwtService struct {
 func NewJwtService(db *gorm.DB, appConfigService *AppConfigService) (*JwtService, error) {
 	service := &JwtService{}
 	// Ensure keys are generated or loaded
 	err := service.init(db, appConfigService, &common.EnvConfig)
 	if err != nil {
 		return nil, err
@@ -70,15 +78,14 @@ func NewJwtService(db *gorm.DB, appConfigService *AppConfigService) (*JwtService
 func (s *JwtService) init(db *gorm.DB, appConfigService *AppConfigService, envConfig *common.EnvConfigSchema) (err error) {
 	s.appConfigService = appConfigService
 	s.envConfig = envConfig
 	s.db = db
 	// Ensure keys are generated or loaded
-	return s.LoadOrGenerateKey()
+	return s.loadOrGenerateKey(db)
 }
-func (s *JwtService) LoadOrGenerateKey() error {
+func (s *JwtService) loadOrGenerateKey(db *gorm.DB) error {
 	// Get the key provider
-	keyProvider, err := jwkutils.GetKeyProvider(s.db, s.envConfig, s.appConfigService.GetDbConfig().InstanceID.Value)
+	keyProvider, err := jwkutils.GetKeyProvider(db, s.envConfig, s.appConfigService.GetDbConfig().InstanceID.Value)
 	if err != nil {
 		return fmt.Errorf("failed to get key provider: %w", err)
 	}
@@ -86,7 +93,7 @@ func (s *JwtService) LoadOrGenerateKey() error {
 	// Try loading a key
 	key, err := keyProvider.LoadKey()
 	if err != nil {
-		return fmt.Errorf("failed to load key: %w", err)
+		return fmt.Errorf("failed to load key (provider type '%s'): %w", s.envConfig.KeysStorage, err)
 	}
 	// If we have a key, store it in the object and we're done
@@ -107,7 +114,7 @@ func (s *JwtService) LoadOrGenerateKey() error {
 	// Save the newly-generated key
 	err = keyProvider.SaveKey(s.privateKey)
 	if err != nil {
-		return fmt.Errorf("failed to save private key: %w", err)
+		return fmt.Errorf("failed to save private key (provider type '%s'): %w", s.envConfig.KeysStorage, err)
 	}
 	return nil
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -11,14 +11,12 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
 	"path"
 	"strings"
 	"time"
 	"unicode/utf8"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"golang.org/x/text/unicode/norm"
 	"gorm.io/gorm"
@@ -34,23 +32,15 @@ type LdapService struct {
 	appConfigService *AppConfigService
 	userService      *UserService
 	groupService     *UserGroupService
 	fileStorage      storage.FileStorage
 }
-type savePicture struct {
+func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
 	userID   string
 	username string
 	picture  string
 }
 func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService, fileStorage storage.FileStorage) *LdapService {
 	return &LdapService{
 		db:               db,
 		httpClient:       httpClient,
 		appConfigService: appConfigService,
 		userService:      userService,
 		groupService:     groupService,
 		fileStorage:      fileStorage,
 	}
 }
@@ -78,6 +68,12 @@ func (s *LdapService) createClient() (*ldap.Conn, error) {
 }
 func (s *LdapService) SyncAll(ctx context.Context) error {
 	// Start a transaction
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	// Setup LDAP connection
 	client, err := s.createClient()
 	if err != nil {
@@ -85,13 +81,7 @@ func (s *LdapService) SyncAll(ctx context.Context) error {
 	}
 	defer client.Close()
-	// Start a transaction
+	err = s.SyncUsers(ctx, tx, client)
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	savePictures, deleteFiles, err := s.SyncUsers(ctx, tx, client)
 	if err != nil {
 		return fmt.Errorf("failed to sync users: %w", err)
 	}
@@ -107,25 +97,6 @@ func (s *LdapService) SyncAll(ctx context.Context) error {
 		return fmt.Errorf("failed to commit changes to database: %w", err)
 	}
 	// Now that we've committed the transaction, we can perform operations on the storage layer
 	// First, save all new pictures
 	for _, sp := range savePictures {
 		err = s.saveProfilePicture(ctx, sp.userID, sp.picture)
 		if err != nil {
 			// This is not a fatal error
 			slog.Warn("Error saving profile picture for LDAP user", slog.String("username", sp.username), slog.Any("error", err))
 		}
 	}
 	// Delete all old files
 	for _, path := range deleteFiles {
 		err = s.fileStorage.Delete(ctx, path)
 		if err != nil {
 			// This is not a fatal error
 			slog.Error("Failed to delete file after LDAP sync", slog.String("path", path), slog.Any("error", err))
 		}
 	}
 	return nil
 }
@@ -295,7 +266,7 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 }
 //nolint:gocognit
-func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) (savePictures []savePicture, deleteFiles []string, err error) {
+func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
 	dbConfig := s.appConfigService.GetDbConfig()
 	searchAttrs := []string{
@@ -323,12 +294,11 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 	result, err := client.Search(searchReq)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to query LDAP: %w", err)
+		return fmt.Errorf("failed to query LDAP: %w", err)
 	}
 	// Create a mapping for users that exist
 	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
 	savePictures = make([]savePicture, 0, len(result.Entries))
 	for _, value := range result.Entries {
 		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value))
@@ -359,19 +329,19 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 				Error
 			if err != nil {
-				return nil, nil, fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
+				return fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
 			}
 		}
 		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 			// This could error with ErrRecordNotFound and we want to ignore that here
-			return nil, nil, fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
+			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
 		}
 		// Check if user is admin by checking if they are in the admin group
 		isAdmin := false
 		for _, group := range value.GetAttributeValues("memberOf") {
-			if getDNProperty(dbConfig.LdapAttributeGroupName.Value, group) == dbConfig.LdapAdminGroupName.Value {
+			if getDNProperty(dbConfig.LdapAttributeGroupName.Value, group) == dbConfig.LdapAttributeAdminGroup.Value {
 				isAdmin = true
 				break
 			}
@@ -399,35 +369,32 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			continue
 		}
 		userID := databaseUser.ID
 		if databaseUser.ID == "" {
-			createdUser, err := s.userService.createUserInternal(ctx, newUser, true, tx)
+			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
 				slog.Warn("Skipping creating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
-				return nil, nil, fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
+				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
 			}
 			userID = createdUser.ID
 		} else {
 			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
 				slog.Warn("Skipping updating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
-				return nil, nil, fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
+				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
 			}
 		}
 		// Save profile picture
 		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
 		if pictureString != "" {
-			// Storage operations must be executed outside of a transaction
+			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
-			savePictures = append(savePictures, savePicture{
+			if err != nil {
-				userID:   databaseUser.ID,
+				// This is not a fatal error
-				username: userID,
+				slog.Warn("Error saving profile picture for user", slog.String("username", newUser.Username), slog.Any("error", err))
-				picture:  pictureString,
+			}
 			})
 		}
 	}
@@ -439,11 +406,10 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		Select("id, username, ldap_id, disabled").
 		Error
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to fetch users from database: %w", err)
+		return fmt.Errorf("failed to fetch users from database: %w", err)
 	}
 	// Mark users as disabled or delete users that no longer exist in LDAP
 	deleteFiles = make([]string, 0, len(ldapUserIDs))
 	for _, user := range ldapUsersInDb {
 		// Skip if the user ID exists in the fetched LDAP results
 		if _, exists := ldapUserIDs[*user.LdapID]; exists {
@@ -451,34 +417,30 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		}
 		if dbConfig.LdapSoftDeleteUsers.IsTrue() {
-			err = s.userService.disableUserInternal(ctx, tx, user.ID)
+			err = s.userService.disableUserInternal(ctx, user.ID, tx)
 			if err != nil {
-				return nil, nil, fmt.Errorf("failed to disable user %s: %w", user.Username, err)
+				return fmt.Errorf("failed to disable user %s: %w", user.Username, err)
 			}
 			slog.Info("Disabled user", slog.String("username", user.Username))
 		} else {
-			err = s.userService.deleteUserInternal(ctx, tx, user.ID, true)
+			err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
 			if err != nil {
 			target := &common.LdapUserUpdateError{}
 			if errors.As(err, &target) {
-					return nil, nil, fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
+				return fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
-				}
+			} else if err != nil {
-				return nil, nil, fmt.Errorf("failed to delete user %s: %w", user.Username, err)
+				return fmt.Errorf("failed to delete user %s: %w", user.Username, err)
 			}
 			slog.Info("Deleted user", slog.String("username", user.Username))
 			// Storage operations must be executed outside of a transaction
 			deleteFiles = append(deleteFiles, path.Join("profile-pictures", user.ID+".png"))
 		}
 	}
-	return savePictures, deleteFiles, nil
+	return nil
 }
 func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
-	var reader io.ReadSeeker
+	var reader io.Reader
 	_, err := url.ParseRequestURI(pictureString)
 	if err == nil {
@@ -498,12 +460,7 @@ func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId strin
 		}
 		defer res.Body.Close()
-		data, err := io.ReadAll(res.Body)
+		reader = res.Body
 		if err != nil {
 			return fmt.Errorf("failed to read profile picture: %w", err)
 		}
 		reader = bytes.NewReader(data)
 	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
 		// If the photo is a base64 encoded string, decode it
 		reader = bytes.NewReader(decodedPhoto)
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -12,6 +12,7 @@ import (
 	"io"
 	"log/slog"
 	"mime/multipart"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
@@ -678,21 +679,19 @@ func (s *OidcService) introspectRefreshToken(ctx context.Context, clientID strin
 }
 func (s *OidcService) GetClient(ctx context.Context, clientID string) (model.OidcClient, error) {
-	return s.getClientInternal(ctx, clientID, s.db, false)
+	return s.getClientInternal(ctx, clientID, s.db)
 }
-func (s *OidcService) getClientInternal(ctx context.Context, clientID string, tx *gorm.DB, forUpdate bool) (model.OidcClient, error) {
+func (s *OidcService) getClientInternal(ctx context.Context, clientID string, tx *gorm.DB) (model.OidcClient, error) {
 	var client model.OidcClient
-	q := tx.
+	err := tx.
 		WithContext(ctx).
 		Preload("CreatedBy").
-		Preload("AllowedUserGroups")
+		Preload("AllowedUserGroups").
-	if forUpdate {
+		First(&client, "id = ?", clientID).
-		q = q.Clauses(clause.Locking{Strength: "UPDATE"})
+		Error
-	}
+	if err != nil {
-	q = q.First(&client, "id = ?", clientID)
+		return model.OidcClient{}, err
 	if q.Error != nil {
 		return model.OidcClient{}, q.Error
 	}
 	return client, nil
 }
@@ -725,6 +724,11 @@ func (s *OidcService) ListClients(ctx context.Context, name string, listRequestO
 }
 func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCreateDto, userID string) (model.OidcClient, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	client := model.OidcClient{
 		Base: model.Base{
 			ID: input.ID,
@@ -733,7 +737,7 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 	}
 	updateOIDCClientModelFromDto(&client, &input.OidcClientUpdateDto)
-	err := s.db.
+	err := tx.
 		WithContext(ctx).
 		Create(&client).
 		Error
@@ -744,65 +748,62 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 		return model.OidcClient{}, err
 	}
 	// All storage operations must be executed outside of a transaction
 	if input.LogoURL != nil {
-		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.LogoURL, true)
+		err = s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.LogoURL, true)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download logo: %w", err)
 		}
 	}
 	if input.DarkLogoURL != nil {
-		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.DarkLogoURL, false)
+		err = s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.DarkLogoURL, false)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download dark logo: %w", err)
 		}
 	}
 	return client, nil
 }
 func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input dto.OidcClientUpdateDto) (model.OidcClient, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var client model.OidcClient
 	err := tx.WithContext(ctx).
 		Preload("CreatedBy").
 		First(&client, "id = ?", clientID).Error
 	if err != nil {
 		return model.OidcClient{}, err
 	}
 	updateOIDCClientModelFromDto(&client, &input)
 	err = tx.WithContext(ctx).Save(&client).Error
 	if err != nil {
 		return model.OidcClient{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.OidcClient{}, err
 	}
-	// All storage operations must be executed outside of a transaction
+	return client, nil
 }
 func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input dto.OidcClientUpdateDto) (model.OidcClient, error) {
 	tx := s.db.Begin()
 	defer func() { tx.Rollback() }()
 	var client model.OidcClient
 	if err := tx.WithContext(ctx).
 		Preload("CreatedBy").
 		First(&client, "id = ?", clientID).Error; err != nil {
 		return model.OidcClient{}, err
 	}
 	updateOIDCClientModelFromDto(&client, &input)
 	if err := tx.WithContext(ctx).Save(&client).Error; err != nil {
 		return model.OidcClient{}, err
 	}
 	if input.LogoURL != nil {
-		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.LogoURL, true)
+		err := s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.LogoURL, true)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download logo: %w", err)
 		}
 	}
 	if input.DarkLogoURL != nil {
-		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.DarkLogoURL, false)
+		err := s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.DarkLogoURL, false)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download dark logo: %w", err)
 		}
 	}
 	if err := tx.Commit().Error; err != nil {
 		return model.OidcClient{}, err
 	}
 	return client, nil
 }
@@ -835,24 +836,12 @@ func (s *OidcService) DeleteClient(ctx context.Context, clientID string) error {
 	err := s.db.
 		WithContext(ctx).
 		Where("id = ?", clientID).
 		Clauses(clause.Returning{}).
 		Delete(&client).
 		Error
 	if err != nil {
 		return err
 	}
 	// Delete images if present
 	// Note that storage operations must be done outside of a transaction
 	if client.ImageType != nil && *client.ImageType != "" {
 		old := path.Join("oidc-client-images", client.ID+"."+*client.ImageType)
 		_ = s.fileStorage.Delete(ctx, old)
 	}
 	if client.DarkImageType != nil && *client.DarkImageType != "" {
 		old := path.Join("oidc-client-images", client.ID+"-dark."+*client.DarkImageType)
 		_ = s.fileStorage.Delete(ctx, old)
 	}
 	return nil
 }
@@ -952,44 +941,22 @@ func (s *OidcService) UpdateClientLogo(ctx context.Context, clientID string, fil
 		return err
 	}
 	defer reader.Close()
-	err = s.fileStorage.Save(ctx, imagePath, reader)
+	if err := s.fileStorage.Save(ctx, imagePath, reader); err != nil {
 	if err != nil {
 		return err
 	}
-	err = s.updateClientLogoType(ctx, clientID, fileType, light)
+	tx := s.db.Begin()
 	err = s.updateClientLogoType(ctx, tx, clientID, fileType, light)
 	if err != nil {
 		tx.Rollback()
 		return err
 	}
-	return nil
+	return tx.Commit().Error
 }
 func (s *OidcService) DeleteClientLogo(ctx context.Context, clientID string) error {
 	return s.deleteClientLogoInternal(ctx, clientID, "", func(client *model.OidcClient) (string, error) {
 		if client.ImageType == nil {
 			return "", errors.New("image not found")
 		}
 		oldImageType := *client.ImageType
 		client.ImageType = nil
 		return oldImageType, nil
 	})
 }
 func (s *OidcService) DeleteClientDarkLogo(ctx context.Context, clientID string) error {
 	return s.deleteClientLogoInternal(ctx, clientID, "-dark", func(client *model.OidcClient) (string, error) {
 		if client.DarkImageType == nil {
 			return "", errors.New("image not found")
 		}
 		oldImageType := *client.DarkImageType
 		client.DarkImageType = nil
 		return oldImageType, nil
 	})
 }
 func (s *OidcService) deleteClientLogoInternal(ctx context.Context, clientID string, imagePathSuffix string, setClientImage func(*model.OidcClient) (string, error)) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -1004,11 +971,13 @@ func (s *OidcService) deleteClientLogoInternal(ctx context.Context, clientID str
 		return err
 	}
-	oldImageType, err := setClientImage(&client)
+	if client.ImageType == nil {
-	if err != nil {
+		return errors.New("image not found")
 		return err
 	}
 	oldImageType := *client.ImageType
 	client.ImageType = nil
 	err = tx.
 		WithContext(ctx).
 		Save(&client).
@@ -1017,14 +986,55 @@ func (s *OidcService) deleteClientLogoInternal(ctx context.Context, clientID str
 		return err
 	}
 	imagePath := path.Join("oidc-client-images", client.ID+"."+oldImageType)
 	if err := s.fileStorage.Delete(ctx, imagePath); err != nil {
 		return err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return err
 	}
-	// All storage operations must be performed outside of a database transaction
+	return nil
-	imagePath := path.Join("oidc-client-images", client.ID+imagePathSuffix+"."+oldImageType)
+}
-	err = s.fileStorage.Delete(ctx, imagePath)
+
 func (s *OidcService) DeleteClientDarkLogo(ctx context.Context, clientID string) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var client model.OidcClient
 	err := tx.
 		WithContext(ctx).
 		First(&client, "id = ?", clientID).
 		Error
 	if err != nil {
 		return err
 	}
 	if client.DarkImageType == nil {
 		return errors.New("image not found")
 	}
 	oldImageType := *client.DarkImageType
 	client.DarkImageType = nil
 	err = tx.
 		WithContext(ctx).
 		Save(&client).
 		Error
 	if err != nil {
 		return err
 	}
 	imagePath := path.Join("oidc-client-images", client.ID+"-dark."+oldImageType)
 	if err := s.fileStorage.Delete(ctx, imagePath); err != nil {
 		return err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return err
 	}
@@ -1038,7 +1048,7 @@ func (s *OidcService) UpdateAllowedUserGroups(ctx context.Context, id string, in
 		tx.Rollback()
 	}()
-	client, err = s.getClientInternal(ctx, id, tx, true)
+	client, err = s.getClientInternal(ctx, id, tx)
 	if err != nil {
 		return model.OidcClient{}, err
 	}
@@ -1821,7 +1831,7 @@ func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, use
 		tx.Rollback()
 	}()
-	client, err := s.getClientInternal(ctx, clientID, tx, false)
+	client, err := s.getClientInternal(ctx, clientID, tx)
 	if err != nil {
 		return nil, err
 	}
@@ -1966,25 +1976,7 @@ func (s *OidcService) IsClientAccessibleToUser(ctx context.Context, clientID str
 	return s.IsUserGroupAllowedToAuthorize(user, client), nil
 }
-var errLogoTooLarge = errors.New("logo is too large")
+func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *gorm.DB, clientID string, raw string, light bool) error {
 func httpClientWithCheckRedirect(source *http.Client, checkRedirect func(req *http.Request, via []*http.Request) error) *http.Client {
 	if source == nil {
 		source = http.DefaultClient
 	}
 	// Create a new client that clones the transport
 	client := &http.Client{
 		Transport: source.Transport,
 	}
 	// Assign the CheckRedirect function
 	client.CheckRedirect = checkRedirect
 	return client
 }
 func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clientID string, raw string, light bool) error {
 	u, err := url.Parse(raw)
 	if err != nil {
 		return err
@@ -1993,30 +1985,19 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clie
 	ctx, cancel := context.WithTimeout(parentCtx, 15*time.Second)
 	defer cancel()
 	r := net.Resolver{}
 	ips, err := r.LookupIPAddr(ctx, u.Hostname())
 	if err != nil || len(ips) == 0 {
 		return fmt.Errorf("cannot resolve hostname")
 	}
 	// Prevents SSRF by allowing only public IPs
-	ok, err := utils.IsURLPrivate(ctx, u)
+	for _, addr := range ips {
-	if err != nil {
+		if utils.IsPrivateIP(addr.IP) {
-		return err
+			return fmt.Errorf("private IP addresses are not allowed")
 	} else if ok {
 		return errors.New("private IP addresses are not allowed")
 		}
 	// We need to check this on redirects too
 	client := httpClientWithCheckRedirect(s.httpClient, func(r *http.Request, via []*http.Request) error {
 		if len(via) >= 10 {
 			return errors.New("stopped after 10 redirects")
 	}
 		ok, err := utils.IsURLPrivate(r.Context(), r.URL)
 		if err != nil {
 			return err
 		} else if ok {
 			return errors.New("private IP addresses are not allowed")
 		}
 		return nil
 	})
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, raw, nil)
 	if err != nil {
 		return err
@@ -2024,7 +2005,7 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clie
 	req.Header.Set("User-Agent", "pocket-id/oidc-logo-fetcher")
 	req.Header.Set("Accept", "image/*")
-	resp, err := client.Do(req)
+	resp, err := s.httpClient.Do(req)
 	if err != nil {
 		return err
 	}
@@ -2036,7 +2017,7 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clie
 	const maxLogoSize int64 = 2 * 1024 * 1024 // 2MB
 	if resp.ContentLength > maxLogoSize {
-		return errLogoTooLarge
+		return fmt.Errorf("logo is too large")
 	}
 	// Prefer extension in path if supported
@@ -2056,70 +2037,48 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clie
 	}
 	imagePath := path.Join("oidc-client-images", clientID+darkSuffix+"."+ext)
-	err = s.fileStorage.Save(ctx, imagePath, utils.NewLimitReader(resp.Body, maxLogoSize+1))
+	if err := s.fileStorage.Save(ctx, imagePath, io.LimitReader(resp.Body, maxLogoSize+1)); err != nil {
 	if errors.Is(err, utils.ErrSizeExceeded) {
 		return errLogoTooLarge
 	} else if err != nil {
 		return err
 	}
-	err = s.updateClientLogoType(ctx, clientID, ext, light)
+	if err := s.updateClientLogoType(ctx, tx, clientID, ext, light); err != nil {
 	if err != nil {
 		return err
 	}
 	return nil
 }
-func (s *OidcService) updateClientLogoType(ctx context.Context, clientID string, ext string, light bool) error {
+func (s *OidcService) updateClientLogoType(ctx context.Context, tx *gorm.DB, clientID, ext string, light bool) error {
 	var darkSuffix string
 	if !light {
 		darkSuffix = "-dark"
 	}
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	// We need to acquire an update lock for the row to be locked, since we'll update it later
 	var client model.OidcClient
-	err := tx.
+	if err := tx.WithContext(ctx).First(&client, "id = ?", clientID).Error; err != nil {
-		WithContext(ctx).
+		return err
 		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&client, "id = ?", clientID).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to look up client: %w", err)
 	}
 	var currentType *string
 	if light {
 		currentType = client.ImageType
 		client.ImageType = &ext
 	} else {
 		currentType = client.DarkImageType
 		client.DarkImageType = &ext
 	}
 	err = tx.
 		WithContext(ctx).
 		Save(&client).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to save updated client: %w", err)
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return fmt.Errorf("failed to commit transaction: %w", err)
 	}
 	// Storage operations must be executed outside of a transaction
 	if currentType != nil && *currentType != ext {
 		old := path.Join("oidc-client-images", client.ID+darkSuffix+"."+*currentType)
 		_ = s.fileStorage.Delete(ctx, old)
 	}
-	return nil
+	var column string
 	if light {
 		column = "image_type"
 	} else {
 		column = "dark_image_type"
 	}
 	return tx.WithContext(ctx).
 		Model(&model.OidcClient{}).
 		Where("id = ?", clientID).
 		Update(column, ext).
 		Error
 }
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -8,10 +8,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
 	"io"
 	"net/http"
 	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -24,7 +21,6 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
@@ -148,7 +144,6 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	var err error
 	// Create a test database
 	db := testutils.NewDatabaseForTest(t)
 	common.EnvConfig.EncryptionKey = []byte("0123456789abcdef0123456789abcdef")
 	// Create two JWKs for testing
 	privateJWK, jwkSetJSON := generateTestECDSAKey(t)
@@ -542,435 +537,3 @@ func TestValidateCodeVerifier_Plain(t *testing.T) {
 		require.False(t, validateCodeVerifier("NOT!VALID", codeChallenge, true))
 	})
 }
 func TestOidcService_updateClientLogoType(t *testing.T) {
 	// Create a test database
 	db := testutils.NewDatabaseForTest(t)
 	// Create database storage
 	dbStorage, err := storage.NewDatabaseStorage(db)
 	require.NoError(t, err)
 	// Init the OidcService
 	s := &OidcService{
 		db:          db,
 		fileStorage: dbStorage,
 	}
 	// Create a test client
 	client := model.OidcClient{
 		Name:         "Test Client",
 		CallbackURLs: model.UrlList{"https://example.com/callback"},
 	}
 	err = db.Create(&client).Error
 	require.NoError(t, err)
 	// Helper function to check if a file exists in storage
 	fileExists := func(t *testing.T, path string) bool {
 		t.Helper()
 		_, _, err := dbStorage.Open(t.Context(), path)
 		return err == nil
 	}
 	// Helper function to create a dummy file in storage
 	createDummyFile := func(t *testing.T, path string) {
 		t.Helper()
 		err := dbStorage.Save(t.Context(), path, strings.NewReader("dummy content"))
 		require.NoError(t, err)
 	}
 	t.Run("Updates light logo type for client without previous logo", func(t *testing.T) {
 		// Update the logo type
 		err := s.updateClientLogoType(t.Context(), client.ID, "png", true)
 		require.NoError(t, err)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.ImageType)
 		assert.Equal(t, "png", *updatedClient.ImageType)
 	})
 	t.Run("Updates dark logo type for client without previous dark logo", func(t *testing.T) {
 		// Update the dark logo type
 		err := s.updateClientLogoType(t.Context(), client.ID, "jpg", false)
 		require.NoError(t, err)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.DarkImageType)
 		assert.Equal(t, "jpg", *updatedClient.DarkImageType)
 	})
 	t.Run("Updates light logo type and deletes old file when type changes", func(t *testing.T) {
 		// Create the old PNG file in storage
 		oldPath := "oidc-client-images/" + client.ID + ".png"
 		createDummyFile(t, oldPath)
 		require.True(t, fileExists(t, oldPath), "Old file should exist before update")
 		// Client currently has a PNG logo, update to WEBP
 		err := s.updateClientLogoType(t.Context(), client.ID, "webp", true)
 		require.NoError(t, err)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.ImageType)
 		assert.Equal(t, "webp", *updatedClient.ImageType)
 		// Old PNG file should be deleted
 		assert.False(t, fileExists(t, oldPath), "Old PNG file should have been deleted")
 	})
 	t.Run("Updates dark logo type and deletes old file when type changes", func(t *testing.T) {
 		// Create the old JPG dark file in storage
 		oldPath := "oidc-client-images/" + client.ID + "-dark.jpg"
 		createDummyFile(t, oldPath)
 		require.True(t, fileExists(t, oldPath), "Old dark file should exist before update")
 		// Client currently has a JPG dark logo, update to WEBP
 		err := s.updateClientLogoType(t.Context(), client.ID, "webp", false)
 		require.NoError(t, err)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.DarkImageType)
 		assert.Equal(t, "webp", *updatedClient.DarkImageType)
 		// Old JPG dark file should be deleted
 		assert.False(t, fileExists(t, oldPath), "Old JPG dark file should have been deleted")
 	})
 	t.Run("Does not delete file when type remains the same", func(t *testing.T) {
 		// Create the WEBP file in storage
 		webpPath := "oidc-client-images/" + client.ID + ".webp"
 		createDummyFile(t, webpPath)
 		require.True(t, fileExists(t, webpPath), "WEBP file should exist before update")
 		// Update to the same type (WEBP)
 		err := s.updateClientLogoType(t.Context(), client.ID, "webp", true)
 		require.NoError(t, err)
 		// Verify the client still has WEBP
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.ImageType)
 		assert.Equal(t, "webp", *updatedClient.ImageType)
 		// WEBP file should still exist since type didn't change
 		assert.True(t, fileExists(t, webpPath), "WEBP file should still exist")
 	})
 	t.Run("Returns error for non-existent client", func(t *testing.T) {
 		err := s.updateClientLogoType(t.Context(), "non-existent-client-id", "png", true)
 		require.Error(t, err)
 		require.ErrorContains(t, err, "failed to look up client")
 	})
 }
 func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 	// Create a test database
 	db := testutils.NewDatabaseForTest(t)
 	// Create database storage
 	dbStorage, err := storage.NewDatabaseStorage(db)
 	require.NoError(t, err)
 	// Create a test client
 	client := model.OidcClient{
 		Name:         "Test Client",
 		CallbackURLs: model.UrlList{"https://example.com/callback"},
 	}
 	err = db.Create(&client).Error
 	require.NoError(t, err)
 	// Helper function to check if a file exists in storage
 	fileExists := func(t *testing.T, path string) bool {
 		t.Helper()
 		_, _, err := dbStorage.Open(t.Context(), path)
 		return err == nil
 	}
 	// Helper function to get file content from storage
 	getFileContent := func(t *testing.T, path string) []byte {
 		t.Helper()
 		reader, _, err := dbStorage.Open(t.Context(), path)
 		require.NoError(t, err)
 		defer reader.Close()
 		content, err := io.ReadAll(reader)
 		require.NoError(t, err)
 		return content
 	}
 	t.Run("Successfully downloads and saves PNG logo from URL", func(t *testing.T) {
 		// Create mock PNG content
 		pngContent := []byte("fake-png-content")
 		// Create a mock HTTP response with headers
 		//nolint:bodyclose
 		pngResponse := testutils.NewMockResponse(http.StatusOK, string(pngContent))
 		pngResponse.Header.Set("Content-Type", "image/png")
 		// Create a mock HTTP client with responses
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/logo.png": pngResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		// Init the OidcService with mock HTTP client
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		// Download and save the logo
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo.png", true)
 		require.NoError(t, err)
 		// Verify the file was saved
 		logoPath := "oidc-client-images/" + client.ID + ".png"
 		require.True(t, fileExists(t, logoPath), "Logo file should exist in storage")
 		// Verify the content
 		savedContent := getFileContent(t, logoPath)
 		assert.Equal(t, pngContent, savedContent)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.ImageType)
 		assert.Equal(t, "png", *updatedClient.ImageType)
 	})
 	t.Run("Successfully downloads and saves dark logo", func(t *testing.T) {
 		// Create mock WEBP content
 		webpContent := []byte("fake-webp-content")
 		//nolint:bodyclose
 		webpResponse := testutils.NewMockResponse(http.StatusOK, string(webpContent))
 		webpResponse.Header.Set("Content-Type", "image/webp")
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/dark-logo.webp": webpResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		// Download and save the dark logo
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/dark-logo.webp", false)
 		require.NoError(t, err)
 		// Verify the dark logo file was saved
 		darkLogoPath := "oidc-client-images/" + client.ID + "-dark.webp"
 		require.True(t, fileExists(t, darkLogoPath), "Dark logo file should exist in storage")
 		// Verify the content
 		savedContent := getFileContent(t, darkLogoPath)
 		assert.Equal(t, webpContent, savedContent)
 		// Verify the client was updated
 		var updatedClient model.OidcClient
 		err = db.First(&updatedClient, "id = ?", client.ID).Error
 		require.NoError(t, err)
 		require.NotNil(t, updatedClient.DarkImageType)
 		assert.Equal(t, "webp", *updatedClient.DarkImageType)
 	})
 	t.Run("Detects extension from URL path", func(t *testing.T) {
 		svgContent := []byte("<svg></svg>")
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/icon.svg": testutils.NewMockResponse(http.StatusOK, string(svgContent)),
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/icon.svg", true)
 		require.NoError(t, err)
 		// Verify SVG file was saved
 		logoPath := "oidc-client-images/" + client.ID + ".svg"
 		require.True(t, fileExists(t, logoPath), "SVG logo should exist")
 	})
 	t.Run("Detects extension from Content-Type when path has no extension", func(t *testing.T) {
 		jpgContent := []byte("fake-jpg-content")
 		//nolint:bodyclose
 		jpgResponse := testutils.NewMockResponse(http.StatusOK, string(jpgContent))
 		jpgResponse.Header.Set("Content-Type", "image/jpeg")
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/logo": jpgResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo", true)
 		require.NoError(t, err)
 		// Verify JPG file was saved (jpeg extension is normalized to jpg)
 		logoPath := "oidc-client-images/" + client.ID + ".jpg"
 		require.True(t, fileExists(t, logoPath), "JPG logo should exist")
 	})
 	t.Run("Returns error for invalid URL", func(t *testing.T) {
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  &http.Client{},
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "://invalid-url", true)
 		require.Error(t, err)
 	})
 	t.Run("Returns error for non-200 status code", func(t *testing.T) {
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/not-found.png": testutils.NewMockResponse(http.StatusNotFound, "Not Found"),
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/not-found.png", true)
 		require.Error(t, err)
 		require.ErrorContains(t, err, "failed to fetch logo")
 	})
 	t.Run("Returns error for too large content", func(t *testing.T) {
 		// Create content larger than 2MB (maxLogoSize)
 		largeContent := strings.Repeat("x", 2<<20+100) // 2.1MB
 		//nolint:bodyclose
 		largeResponse := testutils.NewMockResponse(http.StatusOK, largeContent)
 		largeResponse.Header.Set("Content-Type", "image/png")
 		largeResponse.Header.Set("Content-Length", strconv.Itoa(len(largeContent)))
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/large.png": largeResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/large.png", true)
 		require.Error(t, err)
 		require.ErrorIs(t, err, errLogoTooLarge)
 	})
 	t.Run("Returns error for unsupported file type", func(t *testing.T) {
 		//nolint:bodyclose
 		textResponse := testutils.NewMockResponse(http.StatusOK, "text content")
 		textResponse.Header.Set("Content-Type", "text/plain")
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/file.txt": textResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/file.txt", true)
 		require.Error(t, err)
 		var fileTypeErr *common.FileTypeNotSupportedError
 		require.ErrorAs(t, err, &fileTypeErr)
 	})
 	t.Run("Returns error for non-existent client", func(t *testing.T) {
 		//nolint:bodyclose
 		pngResponse := testutils.NewMockResponse(http.StatusOK, "content")
 		pngResponse.Header.Set("Content-Type", "image/png")
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
 			"https://example.com/logo.png": pngResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
 				Responses: mockResponses,
 			},
 		}
 		s := &OidcService{
 			db:          db,
 			fileStorage: dbStorage,
 			httpClient:  httpClient,
 		}
 		err := s.downloadAndSaveLogoFromURL(t.Context(), "non-existent-client-id", "https://example.com/logo.png", true)
 		require.Error(t, err)
 		require.ErrorContains(t, err, "failed to look up client")
 	})
 }
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -17,7 +17,6 @@ import (
 	"github.com/google/uuid"
 	"go.opentelemetry.io/otel/trace"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
@@ -102,10 +101,9 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.
 	profilePicturePath := path.Join("profile-pictures", userID+".png")
 	// Try custom profile picture
-	file, size, err := s.fileStorage.Open(ctx, profilePicturePath)
+	if file, size, err := s.fileStorage.Open(ctx, profilePicturePath); err == nil {
 	if err == nil {
 		return file, size, nil
-	} else if !errors.Is(err, fs.ErrNotExist) {
+	} else if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		return nil, 0, err
 	}
@@ -122,10 +120,9 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.
 	// Try cached default for initials
 	defaultPicturePath := path.Join("profile-pictures", "defaults", user.Initials()+".png")
-	file, size, err = s.fileStorage.Open(ctx, defaultPicturePath)
+	if file, size, err := s.fileStorage.Open(ctx, defaultPicturePath); err == nil {
 	if err == nil {
 		return file, size, nil
-	} else if !errors.Is(err, fs.ErrNotExist) {
+	} else if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		return nil, 0, err
 	}
@@ -136,13 +133,12 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.
 	}
 	// Save the default picture for future use (in a goroutine to avoid blocking)
 	//nolint:contextcheck
 	defaultPictureBytes := defaultPicture.Bytes()
 	//nolint:contextcheck
 	go func() {
-		// Use bytes.NewReader because we need an io.ReadSeeker
+		if err := s.fileStorage.Save(context.Background(), defaultPicturePath, bytes.NewReader(defaultPictureBytes)); err != nil {
-		rErr := s.fileStorage.Save(context.Background(), defaultPicturePath, bytes.NewReader(defaultPictureBytes))
+			slog.Error("Failed to cache default profile picture", slog.String("initials", user.Initials()), slog.Any("error", err))
 		if rErr != nil {
 			slog.Error("Failed to cache default profile picture", slog.String("initials", user.Initials()), slog.Any("error", rErr))
 		}
 	}()
@@ -163,7 +159,7 @@ func (s *UserService) GetUserGroups(ctx context.Context, userID string) ([]model
 	return user.UserGroups, nil
 }
-func (s *UserService) UpdateProfilePicture(ctx context.Context, userID string, file io.ReadSeeker) error {
+func (s *UserService) UpdateProfilePicture(ctx context.Context, userID string, file io.Reader) error {
 	// Validate the user ID to prevent directory traversal
 	err := uuid.Validate(userID)
 	if err != nil {
@@ -186,30 +182,17 @@ func (s *UserService) UpdateProfilePicture(ctx context.Context, userID string, f
 }
 func (s *UserService) DeleteUser(ctx context.Context, userID string, allowLdapDelete bool) error {
-	err := s.db.Transaction(func(tx *gorm.DB) error {
+	return s.db.Transaction(func(tx *gorm.DB) error {
-		return s.deleteUserInternal(ctx, tx, userID, allowLdapDelete)
+		return s.deleteUserInternal(ctx, userID, allowLdapDelete, tx)
 	})
 	if err != nil {
 		return fmt.Errorf("failed to delete user '%s': %w", userID, err)
 	}
 	// Storage operations must be executed outside of a transaction
 	profilePicturePath := path.Join("profile-pictures", userID+".png")
 	err = s.fileStorage.Delete(ctx, profilePicturePath)
 	if err != nil && !storage.IsNotExist(err) {
 		return fmt.Errorf("failed to delete profile picture for user '%s': %w", userID, err)
 	}
 	return nil
 }
-func (s *UserService) deleteUserInternal(ctx context.Context, tx *gorm.DB, userID string, allowLdapDelete bool) error {
+func (s *UserService) deleteUserInternal(ctx context.Context, userID string, allowLdapDelete bool, tx *gorm.DB) error {
 	var user model.User
 	err := tx.
 		WithContext(ctx).
 		Where("id = ?", userID).
 		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&user).
 		Error
 	if err != nil {
@@ -221,6 +204,11 @@ func (s *UserService) deleteUserInternal(ctx context.Context, tx *gorm.DB, userI
 		return &common.LdapUserUpdateError{}
 	}
 	profilePicturePath := path.Join("profile-pictures", userID+".png")
 	if err := s.fileStorage.Delete(ctx, profilePicturePath); err != nil {
 		return err
 	}
 	err = tx.WithContext(ctx).Delete(&user).Error
 	if err != nil {
 		return fmt.Errorf("failed to delete user: %w", err)
@@ -298,27 +286,16 @@ func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User,
 	// Apply default user groups
 	var groupIDs []string
-	v := config.SignupDefaultUserGroupIDs.Value
+	if v := config.SignupDefaultUserGroupIDs.Value; v != "" && v != "[]" {
-	if v != "" && v != "[]" {
+		if err := json.Unmarshal([]byte(v), &groupIDs); err != nil {
 		err := json.Unmarshal([]byte(v), &groupIDs)
 		if err != nil {
 			return fmt.Errorf("invalid SignupDefaultUserGroupIDs JSON: %w", err)
 		}
 		if len(groupIDs) > 0 {
 			var groups []model.UserGroup
-			err = tx.WithContext(ctx).
+			if err := tx.WithContext(ctx).Where("id IN ?", groupIDs).Find(&groups).Error; err != nil {
 				Where("id IN ?", groupIDs).
 				Find(&groups).
 				Error
 			if err != nil {
 				return fmt.Errorf("failed to find default user groups: %w", err)
 			}
-
+			if err := tx.WithContext(ctx).Model(user).Association("UserGroups").Replace(groups); err != nil {
 			err = tx.WithContext(ctx).
 				Model(user).
 				Association("UserGroups").
 				Replace(groups)
 			if err != nil {
 				return fmt.Errorf("failed to associate default user groups: %w", err)
 			}
 		}
@@ -326,15 +303,12 @@ func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User,
 	// Apply default custom claims
 	var claims []dto.CustomClaimCreateDto
-	v = config.SignupDefaultCustomClaims.Value
+	if v := config.SignupDefaultCustomClaims.Value; v != "" && v != "[]" {
-	if v != "" && v != "[]" {
+		if err := json.Unmarshal([]byte(v), &claims); err != nil {
 		err := json.Unmarshal([]byte(v), &claims)
 		if err != nil {
 			return fmt.Errorf("invalid SignupDefaultCustomClaims JSON: %w", err)
 		}
 		if len(claims) > 0 {
-			_, err = s.customClaimService.updateCustomClaimsInternal(ctx, UserID, user.ID, claims, tx)
+			if _, err := s.customClaimService.updateCustomClaimsInternal(ctx, UserID, user.ID, claims, tx); err != nil {
 			if err != nil {
 				return fmt.Errorf("failed to apply default custom claims: %w", err)
 			}
 		}
@@ -371,7 +345,6 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	err := tx.
 		WithContext(ctx).
 		Where("id = ?", userID).
 		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&user).
 		Error
 	if err != nil {
@@ -443,12 +416,14 @@ func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context
 	var userId string
 	err := s.db.Model(&model.User{}).Select("id").Where("email = ?", userID).First(&userId).Error
-	if errors.Is(err, gorm.ErrRecordNotFound) {
+	if err != nil {
 		// Do not return error if user not found to prevent email enumeration
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil
-	} else if err != nil {
+		} else {
 			return err
 		}
 	}
 	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, 15*time.Minute)
 }
@@ -538,9 +513,7 @@ func (s *UserService) ExchangeOneTimeAccessToken(ctx context.Context, token stri
 	var oneTimeAccessToken model.OneTimeAccessToken
 	err := tx.
 		WithContext(ctx).
-		Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).
+		Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).Preload("User").
 		Preload("User").
 		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&oneTimeAccessToken).
 		Error
 	if err != nil {
@@ -706,7 +679,7 @@ func (s *UserService) ResetProfilePicture(ctx context.Context, userID string) er
 	return nil
 }
-func (s *UserService) disableUserInternal(ctx context.Context, tx *gorm.DB, userID string) error {
+func (s *UserService) disableUserInternal(ctx context.Context, userID string, tx *gorm.DB) error {
 	return tx.
 		WithContext(ctx).
 		Model(&model.User{}).
@@ -747,7 +720,6 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 		err := tx.
 			WithContext(ctx).
 			Where("token = ?", signupData.Token).
 			Clauses(clause.Locking{Strength: "UPDATE"}).
 			First(&signupToken).
 			Error
 		if err != nil {
--- a/backend/internal/service/version_service.go
+++ b/backend/internal/service/version_service.go
@@ -58,7 +58,7 @@ func (s *VersionService) GetLatestVersion(ctx context.Context) (string, error) {
 		}
 		if payload.TagName == "" {
-			return "", errors.New("GitHub API returned empty tag name")
+			return "", fmt.Errorf("GitHub API returned empty tag name")
 		}
 		return strings.TrimPrefix(payload.TagName, "v"), nil
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -2,8 +2,6 @@ package service
 import (
 	"context"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -116,7 +114,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 	}, nil
 }
-func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID string, userID string, r *http.Request, ipAddress string) (model.WebauthnCredential, error) {
+func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, userID string, r *http.Request) (model.WebauthnCredential, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -175,9 +173,6 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID stri
 		return model.WebauthnCredential{}, fmt.Errorf("failed to store WebAuthn credential: %w", err)
 	}
 	auditLogData := model.AuditLogData{"credentialID": hex.EncodeToString(credential.ID), "passkeyName": passkeyName}
 	s.auditLogService.Create(ctx, model.AuditLogEventPasskeyAdded, ipAddress, r.UserAgent(), userID, auditLogData, tx)
 	err = tx.Commit().Error
 	if err != nil {
 		return model.WebauthnCredential{}, fmt.Errorf("failed to commit transaction: %w", err)
@@ -293,30 +288,16 @@ func (s *WebAuthnService) ListCredentials(ctx context.Context, userID string) ([
 	return credentials, nil
 }
-func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID string, credentialID string, ipAddress string, userAgent string) error {
+func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID, credentialID string) error {
-	tx := s.db.Begin()
+	err := s.db.
 	defer func() {
 		tx.Rollback()
 	}()
 	credential := &model.WebauthnCredential{}
 	err := tx.
 		WithContext(ctx).
-		Clauses(clause.Returning{}).
+		Where("id = ? AND user_id = ?", credentialID, userID).
-		Delete(credential, "id = ? AND user_id = ?", credentialID, userID).
+		Delete(&model.WebauthnCredential{}).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to delete record: %w", err)
 	}
 	auditLogData := model.AuditLogData{"credentialID": hex.EncodeToString(credential.CredentialID), "passkeyName": credential.Name}
 	s.auditLogService.Create(ctx, model.AuditLogEventPasskeyRemoved, ipAddress, userAgent, userID, auditLogData, tx)
 	err = tx.Commit().Error
 	if err != nil {
 		return fmt.Errorf("failed to commit transaction: %w", err)
 	}
 	return nil
 }
@@ -372,7 +353,7 @@ func (s *WebAuthnService) CreateReauthenticationTokenWithAccessToken(ctx context
 	userID, ok := token.Subject()
 	if !ok {
-		return "", errors.New("access token does not contain user ID")
+		return "", fmt.Errorf("access token does not contain user ID")
 	}
 	// Check if token is issued less than a minute ago
--- a/backend/internal/storage/database.go
+++ b/backend/internal/storage/database.go
@@ -1,226 +0,0 @@
 package storage
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 )
 var TypeDatabase = "database"
 type databaseStorage struct {
 	db *gorm.DB
 }
 // NewDatabaseStorage creates a new database storage provider
 func NewDatabaseStorage(db *gorm.DB) (FileStorage, error) {
 	if db == nil {
 		return nil, errors.New("database connection is required")
 	}
 	return &databaseStorage{db: db}, nil
 }
 func (s *databaseStorage) Type() string {
 	return TypeDatabase
 }
 func (s *databaseStorage) Save(ctx context.Context, relativePath string, data io.Reader) error {
 	// Normalize the path
 	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
 	// Read all data into memory
 	b, err := io.ReadAll(data)
 	if err != nil {
 		return fmt.Errorf("failed to read data: %w", err)
 	}
 	now := datatype.DateTime(time.Now())
 	storage := model.Storage{
 		Path:      relativePath,
 		Data:      b,
 		Size:      int64(len(b)),
 		ModTime:   now,
 		CreatedAt: now,
 	}
 	// Use upsert: insert or update on conflict
 	result := s.db.
 		WithContext(ctx).
 		Clauses(clause.OnConflict{
 			Columns:   []clause.Column{{Name: "path"}},
 			DoUpdates: clause.AssignmentColumns([]string{"data", "size", "mod_time"}),
 		}).
 		Create(&storage)
 	if result.Error != nil {
 		return fmt.Errorf("failed to save file to database: %w", result.Error)
 	}
 	return nil
 }
 func (s *databaseStorage) Open(ctx context.Context, relativePath string) (io.ReadCloser, int64, error) {
 	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
 	var storage model.Storage
 	result := s.db.
 		WithContext(ctx).
 		Where("path = ?", relativePath).
 		First(&storage)
 	if result.Error != nil {
 		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
 			return nil, 0, os.ErrNotExist
 		}
 		return nil, 0, fmt.Errorf("failed to read file from database: %w", result.Error)
 	}
 	reader := io.NopCloser(bytes.NewReader(storage.Data))
 	return reader, storage.Size, nil
 }
 func (s *databaseStorage) Delete(ctx context.Context, relativePath string) error {
 	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
 	result := s.db.
 		WithContext(ctx).
 		Where("path = ?", relativePath).
 		Delete(&model.Storage{})
 	if result.Error != nil {
 		return fmt.Errorf("failed to delete file from database: %w", result.Error)
 	}
 	return nil
 }
 func (s *databaseStorage) DeleteAll(ctx context.Context, prefix string) error {
 	prefix = filepath.ToSlash(filepath.Clean(prefix))
 	// If empty prefix, delete all
 	if isRootPath(prefix) {
 		result := s.db.
 			WithContext(ctx).
 			Where("1 = 1"). // Delete everything
 			Delete(&model.Storage{})
 		if result.Error != nil {
 			return fmt.Errorf("failed to delete all files from database: %w", result.Error)
 		}
 		return nil
 	}
 	// Ensure prefix ends with / for proper prefix matching
 	if !strings.HasSuffix(prefix, "/") {
 		prefix += "/"
 	}
 	query := s.db.WithContext(ctx)
 	query = addPathPrefixClause(s.db.Name(), query, prefix)
 	result := query.Delete(&model.Storage{})
 	if result.Error != nil {
 		return fmt.Errorf("failed to delete files with prefix '%s' from database: %w", prefix, result.Error)
 	}
 	return nil
 }
 func (s *databaseStorage) List(ctx context.Context, prefix string) ([]ObjectInfo, error) {
 	prefix = filepath.ToSlash(filepath.Clean(prefix))
 	var storageItems []model.Storage
 	query := s.db.WithContext(ctx)
 	if !isRootPath(prefix) {
 		// Ensure prefix matching
 		if !strings.HasSuffix(prefix, "/") {
 			prefix += "/"
 		}
 		query = addPathPrefixClause(s.db.Name(), query, prefix)
 	}
 	result := query.
 		Select("path", "size", "mod_time").
 		Find(&storageItems)
 	if result.Error != nil {
 		return nil, fmt.Errorf("failed to list files from database: %w", result.Error)
 	}
 	objects := make([]ObjectInfo, 0, len(storageItems))
 	for _, item := range storageItems {
 		// Filter out directory-like paths (those that contain additional slashes after the prefix)
 		relativePath := strings.TrimPrefix(item.Path, prefix)
 		if strings.ContainsRune(relativePath, '/') {
 			continue
 		}
 		objects = append(objects, ObjectInfo{
 			Path:    item.Path,
 			Size:    item.Size,
 			ModTime: time.Time(item.ModTime),
 		})
 	}
 	return objects, nil
 }
 func (s *databaseStorage) Walk(ctx context.Context, root string, fn func(ObjectInfo) error) error {
 	root = filepath.ToSlash(filepath.Clean(root))
 	var storageItems []model.Storage
 	query := s.db.WithContext(ctx)
 	if !isRootPath(root) {
 		// Ensure root matching
 		if !strings.HasSuffix(root, "/") {
 			root += "/"
 		}
 		query = addPathPrefixClause(s.db.Name(), query, root)
 	}
 	result := query.
 		Select("path", "size", "mod_time").
 		Find(&storageItems)
 	if result.Error != nil {
 		return fmt.Errorf("failed to walk files from database: %w", result.Error)
 	}
 	for _, item := range storageItems {
 		err := fn(ObjectInfo{
 			Path:    item.Path,
 			Size:    item.Size,
 			ModTime: time.Time(item.ModTime),
 		})
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func isRootPath(path string) bool {
 	return path == "" || path == "/" || path == "."
 }
 func addPathPrefixClause(dialect string, query *gorm.DB, prefix string) *gorm.DB {
 	// In SQLite, we use "GLOB" which can use the index
 	switch dialect {
 	case "sqlite":
 		return query.Where("path GLOB ?", prefix+"*")
 	case "postgres":
 		return query.Where("path LIKE ?", prefix+"%")
 	default:
 		// Indicates a development-time error
 		panic(fmt.Errorf("unsupported database dialect: %s", dialect))
 	}
 }
--- a/backend/internal/storage/database_test.go
+++ b/backend/internal/storage/database_test.go
@@ -1,148 +0,0 @@
 package storage
 import (
 	"bytes"
 	"context"
 	"io"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testingutil "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 func TestDatabaseStorageOperations(t *testing.T) {
 	ctx := context.Background()
 	db := testingutil.NewDatabaseForTest(t)
 	store, err := NewDatabaseStorage(db)
 	require.NoError(t, err)
 	t.Run("type should be database", func(t *testing.T) {
 		assert.Equal(t, TypeDatabase, store.Type())
 	})
 	t.Run("save, open and list files", func(t *testing.T) {
 		err := store.Save(ctx, "images/logo.png", bytes.NewBufferString("logo-data"))
 		require.NoError(t, err)
 		reader, size, err := store.Open(ctx, "images/logo.png")
 		require.NoError(t, err)
 		defer reader.Close()
 		contents, err := io.ReadAll(reader)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("logo-data"), contents)
 		assert.Equal(t, int64(len(contents)), size)
 		err = store.Save(ctx, "images/nested/child.txt", bytes.NewBufferString("child"))
 		require.NoError(t, err)
 		files, err := store.List(ctx, "images")
 		require.NoError(t, err)
 		require.Len(t, files, 1)
 		assert.Equal(t, "images/logo.png", files[0].Path)
 		assert.Equal(t, int64(len("logo-data")), files[0].Size)
 	})
 	t.Run("save should update existing file", func(t *testing.T) {
 		err := store.Save(ctx, "test/update.txt", bytes.NewBufferString("original"))
 		require.NoError(t, err)
 		err = store.Save(ctx, "test/update.txt", bytes.NewBufferString("updated"))
 		require.NoError(t, err)
 		reader, size, err := store.Open(ctx, "test/update.txt")
 		require.NoError(t, err)
 		defer reader.Close()
 		contents, err := io.ReadAll(reader)
 		require.NoError(t, err)
 		assert.Equal(t, []byte("updated"), contents)
 		assert.Equal(t, int64(len("updated")), size)
 	})
 	t.Run("delete files individually", func(t *testing.T) {
 		err := store.Save(ctx, "images/delete-me.txt", bytes.NewBufferString("temp"))
 		require.NoError(t, err)
 		require.NoError(t, store.Delete(ctx, "images/delete-me.txt"))
 		_, _, err = store.Open(ctx, "images/delete-me.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 	})
 	t.Run("delete missing file should not error", func(t *testing.T) {
 		require.NoError(t, store.Delete(ctx, "images/missing.txt"))
 	})
 	t.Run("delete all files", func(t *testing.T) {
 		require.NoError(t, store.Save(ctx, "cleanup/a.txt", bytes.NewBufferString("a")))
 		require.NoError(t, store.Save(ctx, "cleanup/b.txt", bytes.NewBufferString("b")))
 		require.NoError(t, store.Save(ctx, "cleanup/nested/c.txt", bytes.NewBufferString("c")))
 		require.NoError(t, store.DeleteAll(ctx, "/"))
 		_, _, err := store.Open(ctx, "cleanup/a.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 		_, _, err = store.Open(ctx, "cleanup/b.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 		_, _, err = store.Open(ctx, "cleanup/nested/c.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 	})
 	t.Run("delete all files under a prefix", func(t *testing.T) {
 		require.NoError(t, store.Save(ctx, "cleanup/a.txt", bytes.NewBufferString("a")))
 		require.NoError(t, store.Save(ctx, "cleanup/b.txt", bytes.NewBufferString("b")))
 		require.NoError(t, store.Save(ctx, "cleanup/nested/c.txt", bytes.NewBufferString("c")))
 		require.NoError(t, store.DeleteAll(ctx, "cleanup"))
 		_, _, err := store.Open(ctx, "cleanup/a.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 		_, _, err = store.Open(ctx, "cleanup/b.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 		_, _, err = store.Open(ctx, "cleanup/nested/c.txt")
 		require.Error(t, err)
 		assert.True(t, IsNotExist(err))
 	})
 	t.Run("walk files", func(t *testing.T) {
 		require.NoError(t, store.Save(ctx, "walk/file1.txt", bytes.NewBufferString("1")))
 		require.NoError(t, store.Save(ctx, "walk/file2.txt", bytes.NewBufferString("2")))
 		require.NoError(t, store.Save(ctx, "walk/nested/file3.txt", bytes.NewBufferString("3")))
 		var paths []string
 		err := store.Walk(ctx, "walk", func(info ObjectInfo) error {
 			paths = append(paths, info.Path)
 			return nil
 		})
 		require.NoError(t, err)
 		assert.Len(t, paths, 3)
 		assert.Contains(t, paths, "walk/file1.txt")
 		assert.Contains(t, paths, "walk/file2.txt")
 		assert.Contains(t, paths, "walk/nested/file3.txt")
 	})
 }
 func TestNewDatabaseStorage(t *testing.T) {
 	t.Run("should return error with nil database", func(t *testing.T) {
 		_, err := NewDatabaseStorage(nil)
 		require.Error(t, err)
 		assert.Contains(t, err.Error(), "database connection is required")
 	})
 	t.Run("should create storage with valid database", func(t *testing.T) {
 		db := testingutil.NewDatabaseForTest(t)
 		store, err := NewDatabaseStorage(db)
 		require.NoError(t, err)
 		assert.NotNil(t, store)
 	})
 }
--- a/backend/internal/storage/s3.go
+++ b/backend/internal/storage/s3.go
@@ -24,7 +24,6 @@ type S3Config struct {
 	AccessKeyID     string
 	SecretAccessKey string
 	ForcePathStyle  bool
 	DisableDefaultIntegrityChecks bool
 	Root            string
 }
@@ -45,10 +44,6 @@ func NewS3Storage(ctx context.Context, cfg S3Config) (FileStorage, error) {
 			o.BaseEndpoint = aws.String(cfg.Endpoint)
 		}
 		o.UsePathStyle = cfg.ForcePathStyle
 		if cfg.DisableDefaultIntegrityChecks {
 			o.RequestChecksumCalculation = aws.RequestChecksumCalculationWhenRequired
 			o.ResponseChecksumValidation = aws.ResponseChecksumValidationWhenRequired
 		}
 	})
 	return &s3Storage{
--- a/backend/internal/utils/db_migration_util.go
+++ b/backend/internal/utils/db_migration_util.go
@@ -1,130 +0,0 @@
 package utils
 import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"log/slog"
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
 // MigrateDatabase applies database migrations using embedded migration files or fetches them from GitHub if a downgrade is detected.
 func MigrateDatabase(sqlDb *sql.DB) error {
 	m, err := GetEmbeddedMigrateInstance(sqlDb)
 	if err != nil {
 		return fmt.Errorf("failed to get migrate instance: %w", err)
 	}
 	path := "migrations/" + string(common.EnvConfig.DbProvider)
 	requiredVersion, err := getRequiredMigrationVersion(path)
 	if err != nil {
 		return fmt.Errorf("failed to get last migration version: %w", err)
 	}
 	currentVersion, _, _ := m.Version()
 	if currentVersion > requiredVersion {
 		slog.Warn("Database version is newer than the application supports, possible downgrade detected", slog.Uint64("db_version", uint64(currentVersion)), slog.Uint64("app_version", uint64(requiredVersion)))
 		if !common.EnvConfig.AllowDowngrade {
 			return fmt.Errorf("database version (%d) is newer than application version (%d), downgrades are not allowed (set ALLOW_DOWNGRADE=true to enable)", currentVersion, requiredVersion)
 		}
 		slog.Info("Fetching migrations from GitHub to handle possible downgrades")
 		return migrateDatabaseFromGitHub(sqlDb, requiredVersion)
 	}
 	if err := m.Migrate(requiredVersion); err != nil && !errors.Is(err, migrate.ErrNoChange) {
 		return fmt.Errorf("failed to apply embedded migrations: %w", err)
 	}
 	return nil
 }
 // GetEmbeddedMigrateInstance creates a migrate.Migrate instance using embedded migration files.
 func GetEmbeddedMigrateInstance(sqlDb *sql.DB) (*migrate.Migrate, error) {
 	path := "migrations/" + string(common.EnvConfig.DbProvider)
 	source, err := iofs.New(resources.FS, path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create embedded migration source: %w", err)
 	}
 	driver, err := newMigrationDriver(sqlDb, common.EnvConfig.DbProvider)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migration driver: %w", err)
 	}
 	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migration instance: %w", err)
 	}
 	return m, nil
 }
 // newMigrationDriver creates a database.Driver instance based on the given database provider.
 func newMigrationDriver(sqlDb *sql.DB, dbProvider common.DbProvider) (driver database.Driver, err error) {
 	switch dbProvider {
 	case common.DbProviderSqlite:
 		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
 			NoTxWrap: true,
 		})
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
 		// Should never happen at this point
 		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migration driver: %w", err)
 	}
 	return driver, nil
 }
 // migrateDatabaseFromGitHub applies database migrations fetched from GitHub to handle downgrades.
 func migrateDatabaseFromGitHub(sqlDb *sql.DB, version uint) error {
 	srcURL := "github://pocket-id/pocket-id/backend/resources/migrations/" + string(common.EnvConfig.DbProvider)
 	driver, err := newMigrationDriver(sqlDb, common.EnvConfig.DbProvider)
 	if err != nil {
 		return fmt.Errorf("failed to create migration driver: %w", err)
 	}
 	m, err := migrate.NewWithDatabaseInstance(srcURL, "pocket-id", driver)
 	if err != nil {
 		return fmt.Errorf("failed to create GitHub migration instance: %w", err)
 	}
 	if err := m.Migrate(version); err != nil && !errors.Is(err, migrate.ErrNoChange) {
 		return fmt.Errorf("failed to apply GitHub migrations: %w", err)
 	}
 	return nil
 }
 // getRequiredMigrationVersion reads the embedded migration files and returns the highest version number found.
 func getRequiredMigrationVersion(path string) (uint, error) {
 	entries, err := resources.FS.ReadDir(path)
 	if err != nil {
 		return 0, fmt.Errorf("failed to read migration directory: %w", err)
 	}
 	var maxVersion uint
 	for _, entry := range entries {
 		if entry.IsDir() {
 			continue
 		}
 		name := entry.Name()
 		var version uint
 		n, err := fmt.Sscanf(name, "%d_", &version)
 		if err == nil && n == 1 {
 			if version > maxVersion {
 				maxVersion = version
 			}
 		}
 	}
 	return maxVersion, nil
 }
--- a/backend/internal/utils/db_util.go
+++ b/backend/internal/utils/db_util.go
@@ -1,116 +0,0 @@
 package utils
 import (
 	"fmt"
 	"strings"
 	"gorm.io/gorm"
 )
 // DBTableExists checks if a table exists in the database
 func DBTableExists(db *gorm.DB, tableName string) (exists bool, err error) {
 	switch db.Name() {
 	case "postgres":
 		query := `SELECT EXISTS (
 			SELECT FROM information_schema.tables 
 			WHERE table_schema = 'public' 
 			AND table_name = ?
 		)`
 		err = db.Raw(query, tableName).Scan(&exists).Error
 		if err != nil {
 			return false, err
 		}
 	case "sqlite":
 		query := `SELECT COUNT(*) > 0 FROM sqlite_master WHERE type='table' AND name=?`
 		err = db.Raw(query, tableName).Scan(&exists).Error
 		if err != nil {
 			return false, err
 		}
 	default:
 		return false, fmt.Errorf("unsupported database dialect: %s", db.Name())
 	}
 	return exists, nil
 }
 type DBSchemaColumn struct {
 	Name     string
 	Nullable bool
 }
 type DBSchemaTableTypes = map[string]DBSchemaColumn
 type DBSchemaTypes = map[string]DBSchemaTableTypes
 // LoadDBSchemaTypes retrieves the column types for all tables in the DB
 // Result is a map of "table --> column --> {name: column type name, nullable: boolean}"
 func LoadDBSchemaTypes(db *gorm.DB) (result DBSchemaTypes, err error) {
 	result = make(DBSchemaTypes)
 	switch db.Name() {
 	case "postgres":
 		var rows []struct {
 			TableName  string
 			ColumnName string
 			DataType   string
 			Nullable   bool
 		}
 		err := db.
 			Raw(`
 				SELECT table_name, column_name, data_type, is_nullable = 'YES' AS nullable
 				FROM information_schema.columns
 				WHERE table_schema = 'public';
 			`).
 			Scan(&rows).
 			Error
 		if err != nil {
 			return nil, err
 		}
 		for _, r := range rows {
 			t := strings.ToLower(r.DataType)
 			if result[r.TableName] == nil {
 				result[r.TableName] = make(map[string]DBSchemaColumn)
 			}
 			result[r.TableName][r.ColumnName] = DBSchemaColumn{
 				Name:     strings.ToLower(t),
 				Nullable: r.Nullable,
 			}
 		}
 	case "sqlite":
 		var tables []string
 		err = db.
 			Raw(`SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%';`).
 			Scan(&tables).
 			Error
 		if err != nil {
 			return nil, err
 		}
 		for _, table := range tables {
 			var cols []struct {
 				Name    string
 				Type    string
 				Notnull bool
 			}
 			err := db.
 				Raw(`PRAGMA table_info("` + table + `");`).
 				Scan(&cols).
 				Error
 			if err != nil {
 				return nil, err
 			}
 			for _, c := range cols {
 				if result[table] == nil {
 					result[table] = make(map[string]DBSchemaColumn)
 				}
 				result[table][c.Name] = DBSchemaColumn{
 					Name:     strings.ToLower(c.Type),
 					Nullable: !c.Notnull,
 				}
 			}
 		}
 	default:
 		return nil, fmt.Errorf("unsupported database dialect: %s", db.Name())
 	}
 	return result, nil
 }
--- a/backend/internal/utils/image/profile_picture.go
+++ b/backend/internal/utils/image/profile_picture.go
@@ -12,36 +12,24 @@ import (
 	"golang.org/x/image/font"
 	"golang.org/x/image/font/opentype"
 	"golang.org/x/image/math/fixed"
 	"golang.org/x/image/webp"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
 const profilePictureSize = 300
-// CreateProfilePicture resizes the profile picture to a square and encodes it as PNG
+// CreateProfilePicture resizes the profile picture to a square
-func CreateProfilePicture(file io.ReadSeeker) (io.ReadSeeker, error) {
+func CreateProfilePicture(file io.Reader) (io.ReadSeeker, error) {
 	// Attempt standard formats first
 	img, _, err := imageorient.Decode(file)
 	if err != nil {
 		if _, seekErr := file.Seek(0, io.SeekStart); seekErr != nil {
 			return nil, fmt.Errorf("failed to seek file: %w", seekErr)
 		}
 		// Try WebP
 		webpImg, webpErr := webp.Decode(file)
 		if webpErr != nil {
 		return nil, fmt.Errorf("failed to decode image: %w", err)
 	}
 		img = webpImg
 	}
 	// Resize to square
 	img = imaging.Fill(img, profilePictureSize, profilePictureSize, imaging.Center, imaging.Lanczos)
 	// Encode back to PNG
 	var buf bytes.Buffer
-	if err := imaging.Encode(&buf, img, imaging.PNG); err != nil {
+	err = imaging.Encode(&buf, img, imaging.PNG)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encode image: %w", err)
 	}
--- a/backend/internal/utils/ip_util.go
+++ b/backend/internal/utils/ip_util.go
@@ -1,10 +1,7 @@
 package utils
 import (
 	"context"
 	"errors"
 	"net"
 	"net/url"
 	"strings"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -59,23 +56,6 @@ func IsPrivateIP(ip net.IP) bool {
 	return IsLocalhostIP(ip) || IsPrivateLanIP(ip) || IsTailscaleIP(ip) || IsLocalIPv6(ip)
 }
 func IsURLPrivate(ctx context.Context, u *url.URL) (bool, error) {
 	var r net.Resolver
 	ips, err := r.LookupIPAddr(ctx, u.Hostname())
 	if err != nil || len(ips) == 0 {
 		return false, errors.New("cannot resolve hostname")
 	}
 	// Prevents SSRF by allowing only public IPs
 	for _, addr := range ips {
 		if IsPrivateIP(addr.IP) {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 func listContainsIP(ipNets []*net.IPNet, ip net.IP) bool {
 	for _, ipNet := range ipNets {
 		if ipNet.Contains(ip) {
--- a/backend/internal/utils/ip_util_test.go
+++ b/backend/internal/utils/ip_util_test.go
@@ -1,14 +1,8 @@
 package utils
 import (
 	"context"
 	"net"
 	"net/url"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
@@ -26,8 +20,9 @@ func TestIsLocalhostIP(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		got := IsLocalhostIP(ip)
+		if got := IsLocalhostIP(ip); got != tt.expected {
-		assert.Equal(t, tt.expected, got)
+			t.Errorf("IsLocalhostIP(%s) = %v, want %v", tt.ip, got, tt.expected)
 		}
 	}
 }
@@ -45,8 +40,9 @@ func TestIsPrivateLanIP(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		got := IsPrivateLanIP(ip)
+		if got := IsPrivateLanIP(ip); got != tt.expected {
-		assert.Equal(t, tt.expected, got)
+			t.Errorf("IsPrivateLanIP(%s) = %v, want %v", tt.ip, got, tt.expected)
 		}
 	}
 }
@@ -63,9 +59,9 @@ func TestIsTailscaleIP(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-
+		if got := IsTailscaleIP(ip); got != tt.expected {
-		got := IsTailscaleIP(ip)
+			t.Errorf("IsTailscaleIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		assert.Equal(t, tt.expected, got)
+		}
 	}
 }
@@ -90,17 +86,16 @@ func TestIsLocalIPv6(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		got := IsLocalIPv6(ip)
+		if got := IsLocalIPv6(ip); got != tt.expected {
-		assert.Equal(t, tt.expected, got)
+			t.Errorf("IsLocalIPv6(%s) = %v, want %v", tt.ip, got, tt.expected)
 		}
 	}
 }
 func TestIsPrivateIP(t *testing.T) {
 	// Save and restore env config
 	origRanges := common.EnvConfig.LocalIPv6Ranges
-	t.Cleanup(func() {
+	defer func() { common.EnvConfig.LocalIPv6Ranges = origRanges }()
 		common.EnvConfig.LocalIPv6Ranges = origRanges
 	})
 	common.EnvConfig.LocalIPv6Ranges = "fd00::/8"
 	localIPv6Ranges = nil // reset
@@ -120,8 +115,9 @@ func TestIsPrivateIP(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		got := IsPrivateIP(ip)
+		if got := IsPrivateIP(ip); got != tt.expected {
-		assert.Equal(t, tt.expected, got)
+			t.Errorf("IsPrivateIP(%s) = %v, want %v", tt.ip, got, tt.expected)
 		}
 	}
 }
@@ -142,202 +138,22 @@ func TestListContainsIP(t *testing.T) {
 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		got := listContainsIP(list, ip)
+		if got := listContainsIP(list, ip); got != tt.expected {
-		assert.Equal(t, tt.expected, got)
+			t.Errorf("listContainsIP(%s) = %v, want %v", tt.ip, got, tt.expected)
 		}
 	}
 }
 func TestInit_LocalIPv6Ranges(t *testing.T) {
 	// Save and restore env config
 	origRanges := common.EnvConfig.LocalIPv6Ranges
-	t.Cleanup(func() {
+	defer func() { common.EnvConfig.LocalIPv6Ranges = origRanges }()
 		common.EnvConfig.LocalIPv6Ranges = origRanges
 	})
 	common.EnvConfig.LocalIPv6Ranges = "fd00::/8, invalidCIDR ,fc00::/7"
 	localIPv6Ranges = nil
 	loadLocalIPv6Ranges()
-	assert.Len(t, localIPv6Ranges, 2)
+	if len(localIPv6Ranges) != 2 {
-}
+		t.Errorf("expected 2 valid IPv6 ranges, got %d", len(localIPv6Ranges))
 func TestIsURLPrivate(t *testing.T) {
 	ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 	defer cancel()
 	tests := []struct {
 		name        string
 		urlStr      string
 		expectPriv  bool
 		expectError bool
 	}{
 		{
 			name:        "localhost by name",
 			urlStr:      "http://localhost",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "localhost with port",
 			urlStr:      "http://localhost:8080",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "127.0.0.1 IP",
 			urlStr:      "http://127.0.0.1",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "127.0.0.1 with port",
 			urlStr:      "http://127.0.0.1:3000",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "IPv6 loopback",
 			urlStr:      "http://[::1]",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "IPv6 loopback with port",
 			urlStr:      "http://[::1]:8080",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "private IP 10.x.x.x",
 			urlStr:      "http://10.0.0.1",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "private IP 192.168.x.x",
 			urlStr:      "http://192.168.1.1",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "private IP 172.16.x.x",
 			urlStr:      "http://172.16.0.1",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "Tailscale IP",
 			urlStr:      "http://100.64.0.1",
 			expectPriv:  true,
 			expectError: false,
 		},
 		{
 			name:        "public IP - Google DNS",
 			urlStr:      "http://8.8.8.8",
 			expectPriv:  false,
 			expectError: false,
 		},
 		{
 			name:        "public IP - Cloudflare DNS",
 			urlStr:      "http://1.1.1.1",
 			expectPriv:  false,
 			expectError: false,
 		},
 		{
 			name:        "invalid hostname",
 			urlStr:      "http://this-should-not-resolve-ever-123456789.invalid",
 			expectPriv:  false,
 			expectError: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			u, err := url.Parse(tt.urlStr)
 			require.NoError(t, err, "Failed to parse URL %s", tt.urlStr)
 			isPriv, err := IsURLPrivate(ctx, u)
 			if tt.expectError {
 				require.Error(t, err, "IsURLPrivate(%s) expected error but got none", tt.urlStr)
 			} else {
 				require.NoError(t, err, "IsURLPrivate(%s) unexpected error", tt.urlStr)
 				assert.Equal(t, tt.expectPriv, isPriv, "IsURLPrivate(%s)", tt.urlStr)
 			}
 		})
 	}
 }
 func TestIsURLPrivate_WithDomainName(t *testing.T) {
 	// Note: These tests rely on actual DNS resolution
 	// They test real public domains to ensure they are not flagged as private
 	ctx, cancel := context.WithTimeout(t.Context(), 10*time.Second)
 	defer cancel()
 	tests := []struct {
 		name       string
 		urlStr     string
 		expectPriv bool
 	}{
 		{
 			name:       "Google public domain",
 			urlStr:     "https://www.google.com",
 			expectPriv: false,
 		},
 		{
 			name:       "GitHub public domain",
 			urlStr:     "https://github.com",
 			expectPriv: false,
 		},
 		{
 			// localhost.localtest.me is a well-known domain that resolves to 127.0.0.1
 			name:       "localhost.localtest.me resolves to 127.0.0.1",
 			urlStr:     "http://localhost.localtest.me",
 			expectPriv: true,
 		},
 		{
 			// 10.0.0.1.nip.io resolves to 10.0.0.1 (private IP)
 			name:       "nip.io domain resolving to private 10.x IP",
 			urlStr:     "http://10.0.0.1.nip.io",
 			expectPriv: true,
 		},
 		{
 			// 192.168.1.1.nip.io resolves to 192.168.1.1 (private IP)
 			name:       "nip.io domain resolving to private 192.168.x IP",
 			urlStr:     "http://192.168.1.1.nip.io",
 			expectPriv: true,
 		},
 		{
 			// 127.0.0.1.nip.io resolves to 127.0.0.1 (localhost)
 			name:       "nip.io domain resolving to localhost",
 			urlStr:     "http://127.0.0.1.nip.io",
 			expectPriv: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			u, err := url.Parse(tt.urlStr)
 			require.NoError(t, err, "Failed to parse URL %s", tt.urlStr)
 			isPriv, err := IsURLPrivate(ctx, u)
 			if err != nil {
 				t.Skipf("DNS resolution failed for %s (network issue?): %v", tt.urlStr, err)
 				return
 			}
 			assert.Equal(t, tt.expectPriv, isPriv, "IsURLPrivate(%s)", tt.urlStr)
 		})
 	}
 }
 func TestIsURLPrivate_ContextCancellation(t *testing.T) {
 	ctx, cancel := context.WithCancel(t.Context())
 	cancel() // Cancel immediately
 	u, err := url.Parse("http://example.com")
 	require.NoError(t, err, "Failed to parse URL")
 	_, err = IsURLPrivate(ctx, u)
 	assert.Error(t, err, "IsURLPrivate with cancelled context expected error but got none")
 }
--- a/backend/internal/utils/jwk/key_provider.go
+++ b/backend/internal/utils/jwk/key_provider.go
@@ -28,14 +28,22 @@ func GetKeyProvider(db *gorm.DB, envConfig *common.EnvConfigSchema, instanceID s
 		return nil, fmt.Errorf("failed to load encryption key: %w", err)
 	}
 	// Get the key provider
 	switch envConfig.KeysStorage {
 	case "file", "":
 		keyProvider = &KeyProviderFile{}
 	case "database":
 		keyProvider = &KeyProviderDatabase{}
 	default:
 		return nil, fmt.Errorf("invalid key storage '%s'", envConfig.KeysStorage)
 	}
 	err = keyProvider.Init(KeyProviderOpts{
 		DB:        db,
 		EnvConfig: envConfig,
 		Kek:       kek,
 	})
 	if err != nil {
-		return nil, fmt.Errorf("failed to init key provider: %w", err)
+		return nil, fmt.Errorf("failed to init key provider of type '%s': %w", envConfig.KeysStorage, err)
 	}
 	return keyProvider, nil
--- a/backend/internal/utils/jwk/key_provider_file.go
+++ b/backend/internal/utils/jwk/key_provider_file.go
@@ -0,0 +1,202 @@
 package jwk
 import (
 	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
 )
 const (
 	// PrivateKeyFile is the path in the data/keys folder where the key is stored
 	// This is a JSON file containing a key encoded as JWK
 	PrivateKeyFile = "jwt_private_key.json"
 	// PrivateKeyFileEncrypted is the path in the data/keys folder where the encrypted key is stored
 	// This is a encrypted JSON file containing a key encoded as JWK
 	PrivateKeyFileEncrypted = "jwt_private_key.json.enc"
 )
 type KeyProviderFile struct {
 	envConfig *common.EnvConfigSchema
 	kek       []byte
 }
 func (f *KeyProviderFile) Init(opts KeyProviderOpts) error {
 	f.envConfig = opts.EnvConfig
 	f.kek = opts.Kek
 	return nil
 }
 func (f *KeyProviderFile) LoadKey() (jwk.Key, error) {
 	if len(f.kek) > 0 {
 		return f.loadEncryptedKey()
 	}
 	return f.loadKey()
 }
 func (f *KeyProviderFile) SaveKey(key jwk.Key) error {
 	if len(f.kek) > 0 {
 		return f.saveKeyEncrypted(key)
 	}
 	return f.saveKey(key)
 }
 func (f *KeyProviderFile) loadKey() (jwk.Key, error) {
 	var key jwk.Key
 	// First, check if we have a JWK file
 	// If we do, then we just load that
 	jwkPath := f.jwkPath()
 	ok, err := utils.FileExists(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if private key file exists at path '%s': %w", jwkPath, err)
 	}
 	if !ok {
 		// File doesn't exist, no key was loaded
 		return nil, nil
 	}
 	data, err := os.ReadFile(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read private key file at path '%s': %w", jwkPath, err)
 	}
 	key, err = jwk.ParseKey(data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key file at path '%s': %w", jwkPath, err)
 	}
 	return key, nil
 }
 func (f *KeyProviderFile) loadEncryptedKey() (key jwk.Key, err error) {
 	// First, check if we have an encrypted JWK file
 	// If we do, then we just load that
 	encJwkPath := f.encJwkPath()
 	ok, err := utils.FileExists(encJwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if encrypted private key file exists at path '%s': %w", encJwkPath, err)
 	}
 	if ok {
 		encB64, err := os.ReadFile(encJwkPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': %w", encJwkPath, err)
 		}
 		// Decode from base64
 		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
 		n, err := base64.StdEncoding.Decode(enc, encB64)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': not a valid base64-encoded file: %w", encJwkPath, err)
 		}
 		// Decrypt the data
 		data, err := cryptoutils.Decrypt(f.kek, enc[:n], nil)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt private key file at path '%s': %w", encJwkPath, err)
 		}
 		// Parse the key
 		key, err = jwk.ParseKey(data)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse encrypted private key file at path '%s': %w", encJwkPath, err)
 		}
 		return key, nil
 	}
 	// Check if we have an un-encrypted JWK file
 	key, err = f.loadKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to load un-encrypted key file: %w", err)
 	}
 	if key == nil {
 		// No key exists, encrypted or un-encrypted
 		return nil, nil
 	}
 	// If we are here, we have loaded a key that was un-encrypted
 	// We need to replace the plaintext key with the encrypted one before we return
 	err = f.saveKeyEncrypted(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to save encrypted key file: %w", err)
 	}
 	jwkPath := f.jwkPath()
 	err = os.Remove(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to remove un-encrypted key file at path '%s': %w", jwkPath, err)
 	}
 	return key, nil
 }
 func (f *KeyProviderFile) saveKey(key jwk.Key) error {
 	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
 	if err != nil {
 		return fmt.Errorf("failed to create directory '%s' for key file: %w", f.envConfig.KeysPath, err)
 	}
 	jwkPath := f.jwkPath()
 	keyFile, err := os.OpenFile(jwkPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to create key file at path '%s': %w", jwkPath, err)
 	}
 	defer keyFile.Close()
 	// Write the JSON file to disk
 	err = EncodeJWK(keyFile, key)
 	if err != nil {
 		return fmt.Errorf("failed to write key file at path '%s': %w", jwkPath, err)
 	}
 	return nil
 }
 func (f *KeyProviderFile) saveKeyEncrypted(key jwk.Key) error {
 	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
 	if err != nil {
 		return fmt.Errorf("failed to create directory '%s' for encrypted key file: %w", f.envConfig.KeysPath, err)
 	}
 	// Encode the key to JSON
 	data, err := EncodeJWKBytes(key)
 	if err != nil {
 		return fmt.Errorf("failed to encode key to JSON: %w", err)
 	}
 	// Encrypt the key then encode to Base64
 	enc, err := cryptoutils.Encrypt(f.kek, data, nil)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt key: %w", err)
 	}
 	encB64 := make([]byte, base64.StdEncoding.EncodedLen(len(enc)))
 	base64.StdEncoding.Encode(encB64, enc)
 	// Write to disk
 	encJwkPath := f.encJwkPath()
 	err = os.WriteFile(encJwkPath, encB64, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write encrypted key file at path '%s': %w", encJwkPath, err)
 	}
 	return nil
 }
 func (f *KeyProviderFile) jwkPath() string {
 	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFile)
 }
 func (f *KeyProviderFile) encJwkPath() string {
 	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFileEncrypted)
 }
 // Compile-time interface check
 var _ KeyProvider = (*KeyProviderFile)(nil)
--- a/backend/internal/utils/jwk/key_provider_file_test.go
+++ b/backend/internal/utils/jwk/key_provider_file_test.go
@@ -0,0 +1,320 @@
 package jwk
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"encoding/base64"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
 )
 func TestKeyProviderFile_LoadKey(t *testing.T) {
 	// Generate a test key to use in our tests
 	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
 	key, err := jwk.Import(pk)
 	require.NoError(t, err)
 	t.Run("LoadKey with no existing key", func(t *testing.T) {
 		tempDir := t.TempDir()
 		provider := &KeyProviderFile{}
 		err := provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 		})
 		require.NoError(t, err)
 		// Load key when none exists
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
 	})
 	t.Run("LoadKey with no existing key (with kek)", func(t *testing.T) {
 		tempDir := t.TempDir()
 		provider := &KeyProviderFile{}
 		err = provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 			Kek: makeKEK(t),
 		})
 		require.NoError(t, err)
 		// Load key when none exists
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.Nil(t, loadedKey, "Expected nil key when no key exists")
 	})
 	t.Run("LoadKey with unencrypted key", func(t *testing.T) {
 		tempDir := t.TempDir()
 		provider := &KeyProviderFile{}
 		err := provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 		})
 		require.NoError(t, err)
 		// Save a key
 		err = provider.SaveKey(key)
 		require.NoError(t, err)
 		// Make sure the key file exists
 		keyPath := filepath.Join(tempDir, PrivateKeyFile)
 		exists, err := utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected key file to exist")
 		// Load the key
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.NotNil(t, loadedKey, "Expected non-nil key when key exists")
 		// Verify the loaded key is the same as the original
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
 	})
 	t.Run("LoadKey with encrypted key", func(t *testing.T) {
 		tempDir := t.TempDir()
 		provider := &KeyProviderFile{}
 		err = provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 			Kek: makeKEK(t),
 		})
 		require.NoError(t, err)
 		// Save a key (will be encrypted)
 		err = provider.SaveKey(key)
 		require.NoError(t, err)
 		// Make sure the encrypted key file exists
 		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
 		exists, err := utils.FileExists(encKeyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected encrypted key file to exist")
 		// Make sure the unencrypted key file does not exist
 		keyPath := filepath.Join(tempDir, PrivateKeyFile)
 		exists, err = utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.False(t, exists, "Expected unencrypted key file to not exist")
 		// Load the key
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.NotNil(t, loadedKey, "Expected non-nil key when encrypted key exists")
 		// Verify the loaded key is the same as the original
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
 	})
 	t.Run("LoadKey replaces unencrypted key with encrypted key when kek is provided", func(t *testing.T) {
 		tempDir := t.TempDir()
 		// First, create an unencrypted key
 		providerNoKek := &KeyProviderFile{}
 		err := providerNoKek.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 		})
 		require.NoError(t, err)
 		// Save an unencrypted key
 		err = providerNoKek.SaveKey(key)
 		require.NoError(t, err)
 		// Verify unencrypted key exists
 		keyPath := filepath.Join(tempDir, PrivateKeyFile)
 		exists, err := utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected unencrypted key file to exist")
 		// Now create a provider with a kek
 		kek := make([]byte, 32)
 		_, err = rand.Read(kek)
 		require.NoError(t, err)
 		providerWithKek := &KeyProviderFile{}
 		err = providerWithKek.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Load the key - this should convert the unencrypted key to encrypted
 		loadedKey, err := providerWithKek.LoadKey()
 		require.NoError(t, err)
 		assert.NotNil(t, loadedKey, "Expected non-nil key when loading and converting key")
 		// Verify the unencrypted key no longer exists
 		exists, err = utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.False(t, exists, "Expected unencrypted key file to be removed")
 		// Verify the encrypted key file exists
 		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
 		exists, err = utils.FileExists(encKeyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected encrypted key file to exist after conversion")
 		// Verify the key data
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key after conversion")
 	})
 }
 func TestKeyProviderFile_SaveKey(t *testing.T) {
 	// Generate a test key to use in our tests
 	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
 	key, err := jwk.Import(pk)
 	require.NoError(t, err)
 	t.Run("SaveKey unencrypted", func(t *testing.T) {
 		tempDir := t.TempDir()
 		provider := &KeyProviderFile{}
 		err := provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 		})
 		require.NoError(t, err)
 		// Save the key
 		err = provider.SaveKey(key)
 		require.NoError(t, err)
 		// Verify the key file exists
 		keyPath := filepath.Join(tempDir, PrivateKeyFile)
 		exists, err := utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected key file to exist")
 		// Verify the content of the key file
 		data, err := os.ReadFile(keyPath)
 		require.NoError(t, err)
 		parsedKey, err := jwk.ParseKey(data)
 		require.NoError(t, err)
 		// Compare the saved key with the original
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected saved key to match original key")
 	})
 	t.Run("SaveKey encrypted", func(t *testing.T) {
 		tempDir := t.TempDir()
 		// Generate a 64-byte kek
 		kek := makeKEK(t)
 		provider := &KeyProviderFile{}
 		err = provider.Init(KeyProviderOpts{
 			EnvConfig: &common.EnvConfigSchema{
 				KeysPath: tempDir,
 			},
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Save the key (will be encrypted)
 		err = provider.SaveKey(key)
 		require.NoError(t, err)
 		// Verify the encrypted key file exists
 		encKeyPath := filepath.Join(tempDir, PrivateKeyFileEncrypted)
 		exists, err := utils.FileExists(encKeyPath)
 		require.NoError(t, err)
 		assert.True(t, exists, "Expected encrypted key file to exist")
 		// Verify the unencrypted key file doesn't exist
 		keyPath := filepath.Join(tempDir, PrivateKeyFile)
 		exists, err = utils.FileExists(keyPath)
 		require.NoError(t, err)
 		assert.False(t, exists, "Expected unencrypted key file to not exist")
 		// Manually decrypt the encrypted key file to verify it contains the correct key
 		encB64, err := os.ReadFile(encKeyPath)
 		require.NoError(t, err)
 		// Decode from base64
 		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
 		n, err := base64.StdEncoding.Decode(enc, encB64)
 		require.NoError(t, err)
 		enc = enc[:n] // Trim any padding
 		// Decrypt the data
 		data, err := cryptoutils.Decrypt(kek, enc, nil)
 		require.NoError(t, err)
 		// Parse the key
 		parsedKey, err := jwk.ParseKey(data)
 		require.NoError(t, err)
 		// Compare the decrypted key with the original
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected decrypted key to match original key")
 	})
 }
 func makeKEK(t *testing.T) []byte {
 	t.Helper()
 	// Generate a 32-byte kek
 	kek := make([]byte, 32)
 	_, err := rand.Read(kek)
 	require.NoError(t, err)
 	return kek
 }
--- a/backend/internal/utils/servicerunner.go
+++ b/backend/internal/utils/servicerunner.go
@@ -38,7 +38,6 @@ func (r *ServiceRunner) Run(ctx context.Context) error {
 			// Ignore context canceled errors here as they generally indicate that the service is stopping
 			if rErr != nil && !errors.Is(rErr, context.Canceled) {
 				cancel()
 				errCh <- rErr
 				return
 			}
--- a/backend/internal/utils/servicerunner_test.go
+++ b/backend/internal/utils/servicerunner_test.go
@@ -61,26 +61,6 @@ func TestServiceRunner_Run(t *testing.T) {
 		require.ErrorIs(t, err, expectedErr)
 	})
 	t.Run("service error cancels others", func(t *testing.T) {
 		expectedErr := errors.New("boom")
 		errorService := func(ctx context.Context) error {
 			return expectedErr
 		}
 		waitingService := func(ctx context.Context) error {
 			<-ctx.Done()
 			return ctx.Err()
 		}
 		runner := NewServiceRunner(errorService, waitingService)
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		err := runner.Run(ctx)
 		require.Error(t, err)
 		require.ErrorIs(t, err, expectedErr)
 	})
 	t.Run("context canceled", func(t *testing.T) {
 		// Create a service that waits until context is canceled
 		waitingService := func(ctx context.Context) error {
--- a/backend/internal/utils/stream_util.go
+++ b/backend/internal/utils/stream_util.go
@@ -1,34 +0,0 @@
 package utils
 import (
 	"errors"
 	"io"
 )
 var ErrSizeExceeded = errors.New("stream size exceeded")
 // LimitReader is like io.LimitReader but throws an error if the stream exceeds the max size
 // io.LimitReader instead just returns io.EOF
 // Adapted from https://github.com/golang/go/issues/51115#issuecomment-1079761212
 type LimitReader struct {
 	io.ReadCloser
 	N int64
 }
 func NewLimitReader(r io.ReadCloser, limit int64) *LimitReader {
 	return &LimitReader{r, limit}
 }
 func (r *LimitReader) Read(p []byte) (n int, err error) {
 	if r.N <= 0 {
 		return 0, ErrSizeExceeded
 	}
 	if int64(len(p)) > r.N {
 		p = p[0:r.N]
 	}
 	n, err = r.ReadCloser.Read(p)
 	r.N -= int64(n)
 	return
 }
--- a/backend/resources/e2e-tests/database.json
+++ b/backend/resources/e2e-tests/database.json
@@ -1 +0,0 @@
 ../../../tests/database.json
--- a/backend/resources/files_test.go
+++ b/backend/resources/files_test.go
@@ -1,72 +0,0 @@
 package resources
 import (
 	"embed"
 	"slices"
 	"strconv"
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // This test is meant to enforce that for every new migration added, a file with the same migration number exists for all supported databases
 // This is necessary to ensure import/export works correctly
 // Note: if a migration is not needed for a database, ensure there's a file with an empty (no-op) migration (e.g. even just a comment)
 func TestMigrationsMatchingVersions(t *testing.T) {
 	// We can ignore migrations with version below 20251115000000
 	const ignoreBefore = 20251115000000
 	// Scan postgres migrations
 	postgresMigrations := scanMigrations(t, FS, "migrations/postgres", ignoreBefore)
 	// Scan sqlite migrations
 	sqliteMigrations := scanMigrations(t, FS, "migrations/sqlite", ignoreBefore)
 	// Sort both lists for consistent comparison
 	slices.Sort(postgresMigrations)
 	slices.Sort(sqliteMigrations)
 	// Compare the lists
 	assert.Equal(t, postgresMigrations, sqliteMigrations, "Migration versions must match between Postgres and SQLite")
 }
 // scanMigrations scans a directory for migration files and returns a list of versions
 func scanMigrations(t *testing.T, fs embed.FS, dir string, ignoreBefore int64) []int64 {
 	t.Helper()
 	entries, err := fs.ReadDir(dir)
 	require.NoErrorf(t, err, "Failed to read directory '%s'", dir)
 	// Divide by 2 because of up and down files
 	versions := make([]int64, 0, len(entries)/2)
 	for _, entry := range entries {
 		if entry.IsDir() {
 			continue
 		}
 		filename := entry.Name()
 		// Only consider .up.sql files
 		if !strings.HasSuffix(filename, ".up.sql") {
 			continue
 		}
 		// Extract version from filename (format: <version>_<anything>.up.sql)
 		versionString, _, ok := strings.Cut(filename, "_")
 		require.Truef(t, ok, "Migration file has unexpected format: %s", filename)
 		version, err := strconv.ParseInt(versionString, 10, 64)
 		require.NoErrorf(t, err, "Failed to parse version from filename '%s'", filename)
 		// Exclude migrations with version below ignoreBefore
 		if version < ignoreBefore {
 			continue
 		}
 		versions = append(versions, version)
 	}
 	return versions
 }
--- a/backend/resources/migrations/postgres/20251110000000_storage_table.down.sql
+++ b/backend/resources/migrations/postgres/20251110000000_storage_table.down.sql
@@ -1 +0,0 @@
 DROP TABLE storage;
--- a/backend/resources/migrations/postgres/20251110000000_storage_table.up.sql
+++ b/backend/resources/migrations/postgres/20251110000000_storage_table.up.sql
@@ -1,9 +0,0 @@
 -- The "storage" table contains file data stored in the database
 CREATE TABLE storage
 (
    path       TEXT NOT NULL PRIMARY KEY,
    data       BYTEA NOT NULL,
    size       BIGINT NOT NULL,
    mod_time   TIMESTAMPTZ NOT NULL,
    created_at TIMESTAMPTZ NOT NULL
 );
--- a/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.down.sql
+++ b/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.down.sql
@@ -1 +0,0 @@
 DROP INDEX idx_api_keys_expires_at;
--- a/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.up.sql
+++ b/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.up.sql
@@ -1 +0,0 @@
 CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);
--- a/backend/resources/migrations/postgres/20251117141000_export_normalization.down.sql
+++ b/backend/resources/migrations/postgres/20251117141000_export_normalization.down.sql
@@ -1 +0,0 @@
 -- No-op in Postgres
--- a/backend/resources/migrations/postgres/20251117141000_export_normalization.up.sql
+++ b/backend/resources/migrations/postgres/20251117141000_export_normalization.up.sql
@@ -1 +0,0 @@
 -- No-op in Postgres
--- a/backend/resources/migrations/sqlite/20251110000000_storage_table.down.sql
+++ b/backend/resources/migrations/sqlite/20251110000000_storage_table.down.sql
@@ -1,6 +0,0 @@
 PRAGMA foreign_keys=OFF;
 BEGIN;
 DROP TABLE storage;
 COMMIT;
 PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251110000000_storage_table.up.sql
+++ b/backend/resources/migrations/sqlite/20251110000000_storage_table.up.sql
@@ -1,14 +0,0 @@
 PRAGMA foreign_keys=OFF;
 BEGIN;
 -- The "storage" table contains file data stored in the database
 CREATE TABLE storage
 (
    path       TEXT NOT NULL PRIMARY KEY,
    data       BLOB NOT NULL,
    size       INTEGER NOT NULL,
    mod_time   DATETIME NOT NULL,
    created_at DATETIME NOT NULL
 );
 COMMIT;
 PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.down.sql
+++ b/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.down.sql
@@ -1,5 +0,0 @@
 PRAGMA foreign_keys=OFF;
 BEGIN;
 DROP INDEX idx_api_keys_expires_at;
 COMMIT;
 PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.up.sql
+++ b/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.up.sql
@@ -1,5 +0,0 @@
 PRAGMA foreign_keys=OFF;
 BEGIN;
 CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);
 COMMIT;
 PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251117141000_export_normalization.down.sql
+++ b/backend/resources/migrations/sqlite/20251117141000_export_normalization.down.sql
@@ -1,133 +0,0 @@
 PRAGMA foreign_keys = OFF;
 BEGIN;
 CREATE TABLE users_old
 (
    id           TEXT                   NOT NULL PRIMARY KEY,
    created_at   DATETIME,
    username     TEXT COLLATE NOCASE    NOT NULL UNIQUE,
    email        TEXT                   NOT NULL UNIQUE,
    first_name   TEXT,
    last_name    TEXT                   NOT NULL,
    display_name TEXT                   NOT NULL,
    is_admin     NUMERIC DEFAULT 0      NOT NULL,
    ldap_id      TEXT,
    locale       TEXT,
    disabled     NUMERIC DEFAULT 0      NOT NULL
 );
 INSERT INTO users_old (
    id,
    created_at,
    username,
    email,
    first_name,
    last_name,
    display_name,
    is_admin,
    ldap_id,
    locale,
    disabled
 )
 SELECT
    id,
    created_at,
    username,
    email,
    first_name,
    last_name,
    display_name,
    CASE WHEN is_admin THEN 1 ELSE 0 END,
    ldap_id,
    locale,
    CASE WHEN disabled THEN 1 ELSE 0 END
 FROM users;
 DROP TABLE users;
 ALTER TABLE users_old RENAME TO users;
 CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
 CREATE TABLE webauthn_credentials_old
 (
    id               TEXT                   PRIMARY KEY,
    created_at       DATETIME               NOT NULL,
    name             TEXT                   NOT NULL,
    credential_id    TEXT                   NOT NULL UNIQUE,
    public_key       BLOB                   NOT NULL,
    attestation_type TEXT                   NOT NULL,
    transport        BLOB                   NOT NULL,
    user_id          TEXT REFERENCES users ON DELETE CASCADE,
    backup_eligible  NUMERIC DEFAULT 0      NOT NULL,
    backup_state     NUMERIC DEFAULT 0      NOT NULL
 );
 INSERT INTO webauthn_credentials_old (
    id,
    created_at,
    name,
    credential_id,
    public_key,
    attestation_type,
    transport,
    user_id,
    backup_eligible,
    backup_state
 )
 SELECT
    id,
    created_at,
    name,
    credential_id,
    public_key,
    attestation_type,
    transport,
    user_id,
    CASE WHEN backup_eligible THEN 1 ELSE 0 END,
    CASE WHEN backup_state THEN 1 ELSE 0 END
 FROM webauthn_credentials;
 DROP TABLE webauthn_credentials;
 ALTER TABLE webauthn_credentials_old RENAME TO webauthn_credentials;
 CREATE TABLE webauthn_sessions_old
 (
    id                TEXT              NOT NULL PRIMARY KEY,
    created_at        DATETIME,
    challenge         TEXT              NOT NULL UNIQUE,
    expires_at        DATETIME          NOT NULL,
    user_verification TEXT              NOT NULL,
    credential_params TEXT DEFAULT '[]' NOT NULL
 );
 INSERT INTO webauthn_sessions_old (
    id,
    created_at,
    challenge,
    expires_at,
    user_verification,
    credential_params
 )
 SELECT
    id,
    created_at,
    challenge,
    expires_at,
    user_verification,
    credential_params
 FROM webauthn_sessions;
 DROP TABLE webauthn_sessions;
 ALTER TABLE webauthn_sessions_old RENAME TO webauthn_sessions;
 COMMIT;
 PRAGMA foreign_keys = ON;
--- a/backend/resources/migrations/sqlite/20251117141000_export_normalization.up.sql
+++ b/backend/resources/migrations/sqlite/20251117141000_export_normalization.up.sql
@@ -1,144 +0,0 @@
 PRAGMA foreign_keys = OFF;
 BEGIN;
 -- 1. Create a new table with BOOLEAN columns
 CREATE TABLE users_new
 (
    id           TEXT                  NOT NULL PRIMARY KEY,
    created_at   DATETIME,
    username     TEXT COLLATE NOCASE   NOT NULL UNIQUE,
    email        TEXT                  NOT NULL UNIQUE,
    first_name   TEXT,
    last_name    TEXT                  NOT NULL,
    display_name TEXT                  NOT NULL,
    is_admin     BOOLEAN DEFAULT FALSE NOT NULL,
    ldap_id      TEXT,
    locale       TEXT,
    disabled     BOOLEAN DEFAULT FALSE NOT NULL
 );
 -- 2. Copy all existing data, converting numeric bools to real booleans
 INSERT INTO users_new (
    id,
    created_at,
    username,
    email,
    first_name,
    last_name,
    display_name,
    is_admin,
    ldap_id,
    locale,
    disabled
 )
 SELECT
    id,
    created_at,
    username,
    email,
    first_name,
    last_name,
    display_name,
    CASE WHEN is_admin != 0 THEN TRUE ELSE FALSE END,
    ldap_id,
    locale,
    CASE WHEN disabled != 0 THEN TRUE ELSE FALSE END
 FROM users;
 -- 3. Drop old table
 DROP TABLE users;
 -- 4. Rename new table to original name
 ALTER TABLE users_new RENAME TO users;
 -- 5. Recreate index
 CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
 -- 6. Create temporary table with changed credential_id type to BLOB
 CREATE TABLE webauthn_credentials_dg_tmp
 (
    id               TEXT PRIMARY KEY,
    created_at       DATETIME             NOT NULL,
    name             TEXT                 NOT NULL,
    credential_id    BLOB                 NOT NULL UNIQUE,
    public_key       BLOB                 NOT NULL,
    attestation_type TEXT                 NOT NULL,
    transport        BLOB                 NOT NULL,
    user_id          TEXT REFERENCES users ON DELETE CASCADE,
    backup_eligible  BOOLEAN DEFAULT FALSE NOT NULL,
    backup_state     BOOLEAN DEFAULT FALSE NOT NULL
 );
 -- 7. Copy existing data into the temporary table
 INSERT INTO webauthn_credentials_dg_tmp (
    id,
    created_at,
    name,
    credential_id,
    public_key,
    attestation_type,
    transport,
    user_id,
    backup_eligible,
    backup_state
 )
 SELECT
    id,
    created_at,
    name,
    credential_id,
    public_key,
    attestation_type,
    transport,
    user_id,
    backup_eligible,
    backup_state
 FROM webauthn_credentials;
 -- 8. Drop old table
 DROP TABLE webauthn_credentials;
 -- 9. Rename temporary table to original name
 ALTER TABLE webauthn_credentials_dg_tmp
    RENAME TO webauthn_credentials;
 -- 10. Create temporary table with credential_params type changed to BLOB
 CREATE TABLE webauthn_sessions_dg_tmp
 (
    id                TEXT              NOT NULL PRIMARY KEY,
    created_at        DATETIME,
    challenge         TEXT              NOT NULL UNIQUE,
    expires_at        DATETIME          NOT NULL,
    user_verification TEXT              NOT NULL,
    credential_params BLOB DEFAULT '[]' NOT NULL
 );
 -- 11. Copy existing data into the temporary sessions table
 INSERT INTO webauthn_sessions_dg_tmp (
    id,
    created_at,
    challenge,
    expires_at,
    user_verification,
    credential_params
 )
 SELECT
    id,
    created_at,
    challenge,
    expires_at,
    user_verification,
    credential_params
 FROM webauthn_sessions;
 -- 12. Drop old table
 DROP TABLE webauthn_sessions;
 -- 13. Rename temporary sessions table to original name
 ALTER TABLE webauthn_sessions_dg_tmp
    RENAME TO webauthn_sessions;
 COMMIT;
 PRAGMA foreign_keys = ON;
--- a/email-templates/package.json
+++ b/email-templates/package.json
@@ -9,17 +9,17 @@
    "export": "email export"
  },
  "dependencies": {
-    "@react-email/components": "1.0.1",
+    "@react-email/components": "0.1.1",
    "react": "^19.2.0",
    "react-dom": "^19.2.0",
-    "tailwind-merge": "^3.4.0"
+    "tailwind-merge": "^3.3.1"
  },
  "devDependencies": {
-    "@react-email/preview-server": "5.0.5",
+    "@react-email/preview-server": "4.2.8",
-    "@types/node": "^24.10.1",
+    "@types/node": "^24.9.1",
-    "@types/react": "^19.2.7",
+    "@types/react": "^19.2.2",
-    "@types/react-dom": "^19.2.3",
+    "@types/react-dom": "^19.2.2",
-    "react-email": "5.0.5",
+    "react-email": "4.2.8",
    "tsx": "^4.20.6"
  }
 }
--- a/frontend/messages/cs.json
+++ b/frontend/messages/cs.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Přihlášení tokenem",
 	"client_authorization": "Autorizace klienta",
 	"new_client_authorization": "Nová autorizace klienta",
 	"device_code_authorization": "Autorizace kódu zařízení",
 	"new_device_code_authorization": "Autorizace nového kódu zařízení",
 	"passkey_added": "Přidán přístupový klíč",
 	"passkey_removed": "Heslo odstraněno",
 	"disable_animations": "Zakázat animace",
 	"turn_off_ui_animations": "Vypnout animace v celém uživatelském rozhraní.",
 	"user_disabled": "Účet deaktivován",
--- a/frontend/messages/da.json
+++ b/frontend/messages/da.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token-login",
 	"client_authorization": "Godkendelse af klient",
 	"new_client_authorization": "Ny klientgodkendelse",
 	"device_code_authorization": "Autorisation af enhedskode",
 	"new_device_code_authorization": "Autorisation af ny enhedskode",
 	"passkey_added": "Passkey tilføjet",
 	"passkey_removed": "Adgangskode fjernet",
 	"disable_animations": "Deaktiver animationer",
 	"turn_off_ui_animations": "Slå animationer fra for hele brugergrænsefladen.",
 	"user_disabled": "Konto deaktiveret",
--- a/frontend/messages/de.json
+++ b/frontend/messages/de.json
@@ -105,7 +105,7 @@
 	"unknown": "unbekannt",
 	"account_details_updated_successfully": "Kontodetails erfolgreich aktualisiert",
 	"profile_picture_updated_successfully": "Profilbild erfolgreich aktualisiert. Die Aktualisierung kann einige Minuten dauern.",
-	"account_settings": "Konto-Einstellungen",
+	"account_settings": "Konto Einstellungen",
 	"passkey_missing": "Passkey fehlt",
 	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Bitte füge einen Passkey hinzu, um zu verhindern, dass du den Zugriff auf dein Konto verlierst.",
 	"single_passkey_configured": "Nur ein Passkey hinterlegt",
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token-Anmeldung",
 	"client_authorization": "Client-Autorisierung",
 	"new_client_authorization": "Neue Client-Autorisierung",
 	"device_code_authorization": "Gerätecode-Autorisierung",
 	"new_device_code_authorization": "Neue Gerätecode-Autorisierung",
 	"passkey_added": "Passwort hinzugefügt",
 	"passkey_removed": "Passwort entfernt",
 	"disable_animations": "Animationen deaktivieren",
 	"turn_off_ui_animations": "Deaktiviert alle Animationen in der Benutzeroberfläche.",
 	"user_disabled": "Account deaktiviert",
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
 	"device_code_authorization": "Device Code Authorization",
 	"new_device_code_authorization": "New Device Code Authorization",
 	"passkey_added": "Passkey Added",
 	"passkey_removed": "Passkey Removed",
 	"disable_animations": "Disable Animations",
 	"turn_off_ui_animations": "Turn off animations throughout the UI.",
 	"user_disabled": "Account Disabled",
@@ -469,6 +465,5 @@
 	"default_profile_picture": "Default Profile Picture",
 	"light": "Light",
 	"dark": "Dark",
-	"system": "System",
+	"system": "System"
 	"scopes": "Scopes"
 }
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Inicio de sesión con token",
 	"client_authorization": "Autorización del cliente",
 	"new_client_authorization": "Autorización de nuevo cliente",
 	"device_code_authorization": "Autorización del código del dispositivo",
 	"new_device_code_authorization": "Autorización de código de nuevo dispositivo",
 	"passkey_added": "Clave de acceso añadida",
 	"passkey_removed": "Clave de acceso eliminada",
 	"disable_animations": "Desactivar animaciones",
 	"turn_off_ui_animations": "Desactiva las animaciones en toda la interfaz de usuario.",
 	"user_disabled": "Cuenta desactivada",
--- a/frontend/messages/fi.json
+++ b/frontend/messages/fi.json
@@ -1,473 +0,0 @@
 {
 	"$schema": "https://inlang.com/schema/inlang-message-format",
 	"my_account": "My Account",
 	"logout": "Logout",
 	"confirm": "Confirm",
 	"docs": "Docs",
 	"key": "Key",
 	"value": "Value",
 	"remove_custom_claim": "Remove custom claim",
 	"add_custom_claim": "Add custom claim",
 	"add_another": "Add another",
 	"select_a_date": "Select a date",
 	"select_file": "Select File",
 	"profile_picture": "Profile Picture",
 	"profile_picture_is_managed_by_ldap_server": "The profile picture is managed by the LDAP server and cannot be changed here.",
 	"click_profile_picture_to_upload_custom": "Click on the profile picture to upload a custom one from your files.",
 	"image_should_be_in_format": "The image should be in PNG or JPEG format.",
 	"items_per_page": "Items per page",
 	"no_items_found": "No items found",
 	"select_items": "Select items...",
 	"search": "Search...",
 	"expand_card": "Expand card",
 	"copied": "Copied",
 	"click_to_copy": "Click to copy",
 	"something_went_wrong": "Something went wrong",
 	"go_back_to_home": "Go back to home",
 	"alternative_sign_in_methods": "Alternative Sign In Methods",
 	"login_background": "Login background",
 	"logo": "Logo",
 	"login_code": "Login Code",
 	"create_a_login_code_to_sign_in_without_a_passkey_once": "Create a login code that the user can use to sign in without a passkey once.",
 	"one_hour": "1 hour",
 	"twelve_hours": "12 hours",
 	"one_day": "1 day",
 	"one_week": "1 week",
 	"one_month": "1 month",
 	"expiration": "Expiration",
 	"generate_code": "Generate Code",
 	"name": "Name",
 	"browser_unsupported": "Browser unsupported",
 	"this_browser_does_not_support_passkeys": "This browser doesn't support passkeys. Please use an alternative sign in method.",
 	"an_unknown_error_occurred": "An unknown error occurred",
 	"authentication_process_was_aborted": "The authentication process was aborted",
 	"error_occurred_with_authenticator": "An error occurred with the authenticator",
 	"authenticator_does_not_support_discoverable_credentials": "The authenticator does not support discoverable credentials",
 	"authenticator_does_not_support_resident_keys": "The authenticator does not support resident keys",
 	"passkey_was_previously_registered": "This passkey was previously registered",
 	"authenticator_does_not_support_any_of_the_requested_algorithms": "The authenticator does not support any of the requested algorithms",
 	"authenticator_timed_out": "The authenticator timed out",
 	"critical_error_occurred_contact_administrator": "A critical error occurred. Please contact your administrator.",
 	"sign_in_to": "Sign in to {name}",
 	"client_not_found": "Client not found",
 	"client_wants_to_access_the_following_information": "<b>{client}</b> wants to access the following information:",
 	"do_you_want_to_sign_in_to_client_with_your_app_name_account": "Do you want to sign in to <b>{client}</b> with your {appName} account?",
 	"email": "Email",
 	"view_your_email_address": "View your email address",
 	"profile": "Profile",
 	"view_your_profile_information": "View your profile information",
 	"groups": "Groups",
 	"view_the_groups_you_are_a_member_of": "View the groups you are a member of",
 	"cancel": "Cancel",
 	"sign_in": "Sign in",
 	"try_again": "Try again",
 	"client_logo": "Client Logo",
 	"sign_out": "Sign out",
 	"do_you_want_to_sign_out_of_pocketid_with_the_account": "Do you want to sign out of {appName} with the account <b>{username}</b>?",
 	"sign_in_to_appname": "Sign in to {appName}",
 	"please_try_to_sign_in_again": "Please try to sign in again.",
 	"authenticate_with_passkey_to_access_account": "Authenticate yourself with your passkey to access your account.",
 	"authenticate": "Authenticate",
 	"please_try_again": "Please try again.",
 	"continue": "Continue",
 	"alternative_sign_in": "Alternative Sign In",
 	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "If you don't have access to your passkey, you can sign in using one of the following methods.",
 	"use_your_passkey_instead": "Use your passkey instead?",
 	"email_login": "Email Login",
 	"enter_a_login_code_to_sign_in": "Enter a login code to sign in.",
 	"sign_in_with_login_code": "Sign in with login code",
 	"request_a_login_code_via_email": "Request a login code via email.",
 	"go_back": "Go back",
 	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "An email has been sent to the provided email, if it exists in the system.",
 	"enter_code": "Enter code",
 	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Enter your email address to receive an email with a login code.",
 	"your_email": "Your email",
 	"submit": "Submit",
 	"enter_the_code_you_received_to_sign_in": "Enter the code you received to sign in.",
 	"code": "Code",
 	"invalid_redirect_url": "Invalid redirect URL",
 	"audit_log": "Audit Log",
 	"users": "Users",
 	"user_groups": "User Groups",
 	"oidc_clients": "OIDC Clients",
 	"api_keys": "API Keys",
 	"application_configuration": "Application Configuration",
 	"settings": "Settings",
 	"update_pocket_id": "Update Pocket ID",
 	"powered_by": "Powered by",
 	"see_your_account_activities_from_the_last_3_months": "See your account activities from the last 3 months.",
 	"time": "Time",
 	"event": "Event",
 	"approximate_location": "Approximate Location",
 	"ip_address": "IP Address",
 	"device": "Device",
 	"client": "Client",
 	"unknown": "Unknown",
 	"account_details_updated_successfully": "Account details updated successfully",
 	"profile_picture_updated_successfully": "Profile picture updated successfully. It may take a few minutes to update.",
 	"account_settings": "Account Settings",
 	"passkey_missing": "Passkey missing",
 	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Please add a passkey to prevent losing access to your account.",
 	"single_passkey_configured": "Single Passkey Configured",
 	"it_is_recommended_to_add_more_than_one_passkey": "It is recommended to add more than one passkey to avoid losing access to your account.",
 	"account_details": "Account Details",
 	"passkeys": "Passkeys",
 	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Manage your passkeys that you can use to authenticate yourself.",
 	"add_passkey": "Add Passkey",
 	"create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey": "Create a one-time login code to sign in from a different device without a passkey.",
 	"create": "Create",
 	"first_name": "First name",
 	"last_name": "Last name",
 	"username": "Username",
 	"save": "Save",
 	"username_can_only_contain": "Username can only contain lowercase letters, numbers, underscores, dots, hyphens, and '@' symbols",
 	"username_must_start_with": "Username must start with an alphanumeric character",
 	"username_must_end_with": "Username must end with an alphanumeric character",
 	"sign_in_using_the_following_code_the_code_will_expire_in_minutes": "Sign in using the following code. The code will expire in 15 minutes.",
 	"or_visit": "or visit",
 	"added_on": "Added on",
 	"rename": "Rename",
 	"delete": "Delete",
 	"are_you_sure_you_want_to_delete_this_passkey": "Are you sure you want to delete this passkey?",
 	"passkey_deleted_successfully": "Passkey deleted successfully",
 	"delete_passkey_name": "Delete {passkeyName}",
 	"passkey_name_updated_successfully": "Passkey name updated successfully",
 	"name_passkey": "Name Passkey",
 	"name_your_passkey_to_easily_identify_it_later": "Name your passkey to easily identify it later.",
 	"create_api_key": "Create API Key",
 	"add_a_new_api_key_for_programmatic_access": "Add a new API key for programmatic access to the <link href='https://pocket-id.org/docs/api'>Pocket ID API</link>.",
 	"add_api_key": "Add API Key",
 	"manage_api_keys": "Manage API Keys",
 	"api_key_created": "API Key Created",
 	"for_security_reasons_this_key_will_only_be_shown_once": "For security reasons, this key will only be shown once. Please store it securely.",
 	"description": "Description",
 	"api_key": "API Key",
 	"close": "Close",
 	"name_to_identify_this_api_key": "Name to identify this API key.",
 	"expires_at": "Expires At",
 	"when_this_api_key_will_expire": "When this API key will expire.",
 	"optional_description_to_help_identify_this_keys_purpose": "Optional description to help identify this key's purpose.",
 	"expiration_date_must_be_in_the_future": "Expiration date must be in the future",
 	"revoke_api_key": "Revoke API Key",
 	"never": "Never",
 	"revoke": "Revoke",
 	"api_key_revoked_successfully": "API key revoked successfully",
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Are you sure you want to revoke the API key \"{apiKeyName}\"? This will break any integrations using this key.",
 	"last_used": "Last Used",
 	"actions": "Actions",
 	"images_updated_successfully": "Images updated successfully. It may take a few minutes to update.",
 	"general": "General",
 	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
 	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Configure LDAP settings to sync users and groups from an LDAP server.",
 	"images": "Images",
 	"update": "Update",
 	"email_configuration_updated_successfully": "Email configuration updated successfully",
 	"save_changes_question": "Save changes?",
 	"you_have_to_save_the_changes_before_sending_a_test_email_do_you_want_to_save_now": "You have to save the changes before sending a test email. Do you want to save now?",
 	"save_and_send": "Save and send",
 	"test_email_sent_successfully": "Test email sent successfully to your email address.",
 	"failed_to_send_test_email": "Failed to send test email. Check the server logs for more information.",
 	"smtp_configuration": "SMTP Configuration",
 	"smtp_host": "SMTP Host",
 	"smtp_port": "SMTP Port",
 	"smtp_user": "SMTP User",
 	"smtp_password": "SMTP Password",
 	"smtp_from": "SMTP From",
 	"smtp_tls_option": "SMTP TLS Option",
 	"email_tls_option": "Email TLS Option",
 	"skip_certificate_verification": "Skip Certificate Verification",
 	"this_can_be_useful_for_selfsigned_certificates": "This can be useful for self-signed certificates.",
 	"enabled_emails": "Enabled Emails",
 	"email_login_notification": "Email Login Notification",
 	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Send an email to the user when they log in from a new device.",
 	"emai_login_code_requested_by_user": "Email Login Code Requested by User",
 	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Allows users to bypass passkeys by requesting a login code sent to their email. This significantly reduces security as anyone with access to the user's email can gain entry.",
 	"email_login_code_from_admin": "Email Login Code from Admin",
 	"allows_an_admin_to_send_a_login_code_to_the_user": "Allows an admin to send a login code to the user via email.",
 	"send_test_email": "Send test email",
 	"application_configuration_updated_successfully": "Application configuration updated successfully",
 	"application_name": "Application Name",
 	"session_duration": "Session Duration",
 	"the_duration_of_a_session_in_minutes_before_the_user_has_to_sign_in_again": "The duration of a session in minutes before the user has to sign in again.",
 	"enable_self_account_editing": "Enable Self-Account Editing",
 	"whether_the_users_should_be_able_to_edit_their_own_account_details": "Whether the users should be able to edit their own account details.",
 	"emails_verified": "Emails Verified",
 	"whether_the_users_email_should_be_marked_as_verified_for_the_oidc_clients": "Whether the user's email should be marked as verified for the OIDC clients.",
 	"ldap_configuration_updated_successfully": "LDAP configuration updated successfully",
 	"ldap_disabled_successfully": "LDAP disabled successfully",
 	"ldap_sync_finished": "LDAP sync finished",
 	"client_configuration": "Client Configuration",
 	"ldap_url": "LDAP URL",
 	"ldap_bind_dn": "LDAP Bind DN",
 	"ldap_bind_password": "LDAP Bind Password",
 	"ldap_base_dn": "LDAP Base DN",
 	"user_search_filter": "User Search Filter",
 	"the_search_filter_to_use_to_search_or_sync_users": "The Search filter to use to search/sync users.",
 	"groups_search_filter": "Groups Search Filter",
 	"the_search_filter_to_use_to_search_or_sync_groups": "The Search filter to use to search/sync groups.",
 	"attribute_mapping": "Attribute Mapping",
 	"user_unique_identifier_attribute": "User Unique Identifier Attribute",
 	"the_value_of_this_attribute_should_never_change": "The value of this attribute should never change.",
 	"username_attribute": "Username Attribute",
 	"user_mail_attribute": "User Mail Attribute",
 	"user_first_name_attribute": "User First Name Attribute",
 	"user_last_name_attribute": "User Last Name Attribute",
 	"user_profile_picture_attribute": "User Profile Picture Attribute",
 	"the_value_of_this_attribute_can_either_be_a_url_binary_or_base64_encoded_image": "The value of this attribute can either be a URL, a binary or a base64 encoded image.",
 	"group_members_attribute": "Group Members Attribute",
 	"the_attribute_to_use_for_querying_members_of_a_group": "The attribute to use for querying members of a group.",
 	"group_unique_identifier_attribute": "Group Unique Identifier Attribute",
 	"group_rdn_attribute": "Group RDN Attribute (in DN)",
 	"admin_group_name": "Admin Group Name",
 	"members_of_this_group_will_have_admin_privileges_in_pocketid": "Members of this group will have Admin Privileges in Pocket ID.",
 	"disable": "Disable",
 	"sync_now": "Sync now",
 	"enable": "Enable",
 	"user_created_successfully": "User created successfully",
 	"create_user": "Create User",
 	"add_a_new_user_to_appname": "Add a new user to {appName}",
 	"add_user": "Add User",
 	"manage_users": "Manage Users",
 	"admin_privileges": "Admin Privileges",
 	"admins_have_full_access_to_the_admin_panel": "Admins have full access to the admin panel.",
 	"delete_firstname_lastname": "Delete {firstName} {lastName}",
 	"are_you_sure_you_want_to_delete_this_user": "Are you sure you want to delete this user?",
 	"user_deleted_successfully": "User deleted successfully",
 	"role": "Role",
 	"source": "Source",
 	"admin": "Admin",
 	"user": "User",
 	"local": "Local",
 	"toggle_menu": "Toggle menu",
 	"edit": "Edit",
 	"user_groups_updated_successfully": "User groups updated successfully",
 	"user_updated_successfully": "User updated successfully",
 	"custom_claims_updated_successfully": "Custom claims updated successfully",
 	"back": "Back",
 	"user_details_firstname_lastname": "User Details {firstName} {lastName}",
 	"manage_which_groups_this_user_belongs_to": "Manage which groups this user belongs to.",
 	"custom_claims": "Custom Claims",
 	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user": "Custom claims are key-value pairs that can be used to store additional information about a user. These claims will be included in the ID token if the scope 'profile' is requested.",
 	"user_group_created_successfully": "User group created successfully",
 	"create_user_group": "Create User Group",
 	"create_a_new_group_that_can_be_assigned_to_users": "Create a new group that can be assigned to users.",
 	"add_group": "Add Group",
 	"manage_user_groups": "Manage User Groups",
 	"friendly_name": "Friendly Name",
 	"name_that_will_be_displayed_in_the_ui": "Name that will be displayed in the UI",
 	"name_that_will_be_in_the_groups_claim": "Name that will be in the \"groups\" claim",
 	"delete_name": "Delete {name}",
 	"are_you_sure_you_want_to_delete_this_user_group": "Are you sure you want to delete this user group?",
 	"user_group_deleted_successfully": "User group deleted successfully",
 	"user_count": "User Count",
 	"user_group_updated_successfully": "User group updated successfully",
 	"users_updated_successfully": "Users updated successfully",
 	"user_group_details_name": "User Group Details {name}",
 	"assign_users_to_this_group": "Assign users to this group.",
 	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user_prioritized": "Custom claims are key-value pairs that can be used to store additional information about a user. These claims will be included in the ID token if the scope 'profile' is requested. Custom claims defined on the user will be prioritized if there are conflicts.",
 	"oidc_client_created_successfully": "OIDC client created successfully",
 	"create_oidc_client": "Create OIDC Client",
 	"add_a_new_oidc_client_to_appname": "Add a new OIDC client to {appName}.",
 	"add_oidc_client": "Add OIDC Client",
 	"manage_oidc_clients": "Manage OIDC Clients",
 	"one_time_link": "One Time Link",
 	"use_this_link_to_sign_in_once": "Use this link to sign in once. This is needed for users who haven't added a passkey yet or have lost it.",
 	"add": "Add",
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Public Client",
 	"public_clients_description": "Public clients do not have a client secret. They are designed for mobile, web, and native applications where secrets cannot be securely stored.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is a security feature to prevent CSRF and authorization code interception attacks.",
 	"requires_reauthentication": "Requires Re-Authentication",
 	"requires_users_to_authenticate_again_on_each_authorization": "Requires users to authenticate again on each authorization, even if already signed in",
 	"name_logo": "{name} logo",
 	"change_logo": "Change Logo",
 	"upload_logo": "Upload Logo",
 	"remove_logo": "Remove Logo",
 	"are_you_sure_you_want_to_delete_this_oidc_client": "Are you sure you want to delete this OIDC client?",
 	"oidc_client_deleted_successfully": "OIDC client deleted successfully",
 	"authorization_url": "Authorization URL",
 	"oidc_discovery_url": "OIDC Discovery URL",
 	"token_url": "Token URL",
 	"userinfo_url": "Userinfo URL",
 	"logout_url": "Logout URL",
 	"certificate_url": "Certificate URL",
 	"enabled": "Enabled",
 	"disabled": "Disabled",
 	"oidc_client_updated_successfully": "OIDC client updated successfully",
 	"create_new_client_secret": "Create new client secret",
 	"are_you_sure_you_want_to_create_a_new_client_secret": "Are you sure you want to create a new client secret? The old one will be invalidated.",
 	"generate": "Generate",
 	"new_client_secret_created_successfully": "New client secret created successfully",
 	"allowed_user_groups_updated_successfully": "Allowed user groups updated successfully",
 	"oidc_client_name": "OIDC Client {name}",
 	"client_id": "Client ID",
 	"client_secret": "Client secret",
 	"show_more_details": "Show more details",
 	"allowed_user_groups": "Allowed User Groups",
 	"add_user_groups_to_this_client_to_restrict_access_to_users_in_these_groups": "Add user groups to this client to restrict access to users in these groups. If no user groups are selected, all users will have access to this client.",
 	"favicon": "Favicon",
 	"light_mode_logo": "Light Mode Logo",
 	"dark_mode_logo": "Dark Mode Logo",
 	"background_image": "Background Image",
 	"language": "Language",
 	"reset_profile_picture_question": "Reset profile picture?",
 	"this_will_remove_the_uploaded_image_and_reset_the_profile_picture_to_default": "This will remove the uploaded image and reset the profile picture to default. Do you want to continue?",
 	"reset": "Reset",
 	"reset_to_default": "Reset to default",
 	"profile_picture_has_been_reset": "Profile picture has been reset. It may take a few minutes to update.",
 	"select_the_language_you_want_to_use": "Select the language you want to use. Please note that some text may be automatically translated and could be inaccurate.",
 	"contribute_to_translation": "If you find an issue you're welcome to contribute to the translation on <link href='https://crowdin.com/project/pocket-id'>Crowdin</link>.",
 	"personal": "Personal",
 	"global": "Global",
 	"all_users": "All Users",
 	"all_events": "All Events",
 	"all_clients": "All Clients",
 	"all_locations": "All Locations",
 	"global_audit_log": "Global Audit Log",
 	"see_all_account_activities_from_the_last_3_months": "See all user activity for the last 3 months.",
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
 	"device_code_authorization": "Device Code Authorization",
 	"new_device_code_authorization": "New Device Code Authorization",
 	"passkey_added": "Passkey Added",
 	"passkey_removed": "Passkey Removed",
 	"disable_animations": "Disable Animations",
 	"turn_off_ui_animations": "Turn off animations throughout the UI.",
 	"user_disabled": "Account Disabled",
 	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
 	"user_disabled_successfully": "User has been disabled successfully.",
 	"user_enabled_successfully": "User has been enabled successfully.",
 	"status": "Status",
 	"disable_firstname_lastname": "Disable {firstName} {lastName}",
 	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
 	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
 	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
 	"login_code_email_success": "The login code has been sent to the user.",
 	"send_email": "Send Email",
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Will be automatically added if left blank. Wildcards (*) are supported, but best avoided for better security.",
 	"logout_callback_url_description": "URL(s) provided by your client for logout. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
 	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize",
 	"federated_client_credentials": "Federated Client Credentials",
 	"federated_client_credentials_description": "Using federated client credentials, you can authenticate OIDC clients using JWT tokens issued by third-party authorities.",
 	"add_federated_client_credential": "Add Federated Client Credential",
 	"add_another_federated_client_credential": "Add another federated client credential",
 	"oidc_allowed_group_count": "Allowed Group Count",
 	"unrestricted": "Unrestricted",
 	"show_advanced_options": "Show Advanced Options",
 	"hide_advanced_options": "Hide Advanced Options",
 	"oidc_data_preview": "OIDC Data Preview",
 	"preview_the_oidc_data_that_would_be_sent_for_different_users": "Preview the OIDC data that would be sent for different users",
 	"id_token": "ID Token",
 	"access_token": "Access Token",
 	"userinfo": "Userinfo",
 	"id_token_payload": "ID Token Payload",
 	"access_token_payload": "Access Token Payload",
 	"userinfo_endpoint_response": "Userinfo Endpoint Response",
 	"copy": "Copy",
 	"no_preview_data_available": "No preview data available",
 	"copy_all": "Copy All",
 	"preview": "Preview",
 	"preview_for_user": "Preview for {name}",
 	"preview_the_oidc_data_that_would_be_sent_for_this_user": "Preview the OIDC data that would be sent for this user",
 	"show": "Show",
 	"select_an_option": "Select an option",
 	"select_user": "Select User",
 	"error": "Error",
 	"select_an_accent_color_to_customize_the_appearance_of_pocket_id": "Select an accent color to customize the appearance of Pocket ID.",
 	"accent_color": "Accent Color",
 	"custom_accent_color": "Custom Accent Color",
 	"custom_accent_color_description": "Enter a custom color using valid CSS color formats (e.g., hex, rgb, hsl).",
 	"color_value": "Color Value",
 	"apply": "Apply",
 	"signup_token": "Signup Token",
 	"create_a_signup_token_to_allow_new_user_registration": "Create a signup token to allow new user registration.",
 	"usage_limit": "Usage Limit",
 	"number_of_times_token_can_be_used": "Number of times the signup token can be used.",
 	"expires": "Expires",
 	"signup": "Sign Up",
 	"user_creation": "User Creation",
 	"configure_user_creation": "Manage user creation settings, including signup methods and default permissions for new users.",
 	"user_creation_groups_description": "Assign these groups automatically to new users upon signup.",
 	"user_creation_claims_description": "Assign these custom claims automatically to new users upon signup.",
 	"user_creation_updated_successfully": "User creation settings updated successfully.",
 	"signup_disabled_description": "User signups are completely disabled. Only administrators can create new user accounts.",
 	"signup_requires_valid_token": "A valid signup token is required to create an account",
 	"validating_signup_token": "Validating signup token",
 	"go_to_login": "Go to login",
 	"signup_to_appname": "Sign Up to {appName}",
 	"create_your_account_to_get_started": "Create your account to get started.",
 	"initial_account_creation_description": "Please create your account to get started. You will be able to set up a passkey later.",
 	"setup_your_passkey": "Set up your passkey",
 	"create_a_passkey_to_securely_access_your_account": "Create a passkey to securely access your account. This will be your primary way to sign in.",
 	"skip_for_now": "Skip for now",
 	"account_created": "Account Created",
 	"enable_user_signups": "Enable User Signups",
 	"enable_user_signups_description": "Decide how users can sign up for new accounts in Pocket ID.",
 	"user_signups_are_disabled": "User signups are currently disabled",
 	"create_signup_token": "Create Signup Token",
 	"view_active_signup_tokens": "View Active Signup Tokens",
 	"manage_signup_tokens": "Manage Signup Tokens",
 	"view_and_manage_active_signup_tokens": "View and manage active signup tokens.",
 	"signup_token_deleted_successfully": "Signup token deleted successfully.",
 	"expired": "Expired",
 	"used_up": "Used Up",
 	"active": "Active",
 	"usage": "Usage",
 	"created": "Created",
 	"token": "Token",
 	"loading": "Loading",
 	"delete_signup_token": "Delete Signup Token",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Are you sure you want to delete this signup token? This action cannot be undone.",
 	"signup_with_token": "Signup with token",
 	"signup_with_token_description": "Users can only sign up using a valid signup token created by an administrator.",
 	"signup_open": "Open Signup",
 	"signup_open_description": "Anyone can create a new account without restrictions.",
 	"of": "of",
 	"skip_passkey_setup": "Skip Passkey Setup",
 	"skip_passkey_setup_description": "It's highly recommended to set up a passkey because without one, you will be locked out of your account as soon as the session expires.",
 	"my_apps": "My Apps",
 	"no_apps_available": "No apps available",
 	"contact_your_administrator_for_app_access": "Contact your administrator to get access to applications.",
 	"launch": "Launch",
 	"client_launch_url": "Client Launch URL",
 	"client_launch_url_description": "The URL that will be opened when a user launches the app from the My Apps page.",
 	"client_name_description": "The name of the client that shows in the Pocket ID UI.",
 	"revoke_access": "Revoke Access",
 	"revoke_access_description": "Revoke access to <b>{clientName}</b>. <b>{clientName}</b> will no longer be able to access your account information.",
 	"revoke_access_successful": "The access to {clientName} has been successfully revoked.",
 	"last_signed_in_ago": "Last signed in {time} ago",
 	"invalid_client_id": "Client ID can only contain letters, numbers, underscores, and hyphens",
 	"custom_client_id_description": "Set a custom client ID if this is required by your application. Otherwise, leave it blank to generate a random one.",
 	"generated": "Generated",
 	"administration": "Administration",
 	"group_rdn_attribute_description": "The attribute used in the groups distinguished name (DN).",
 	"display_name_attribute": "Display Name Attribute",
 	"display_name": "Display Name",
 	"configure_application_images": "Configure Application Images",
 	"ui_config_disabled_info_title": "UI Configuration Disabled",
 	"ui_config_disabled_info_description": "The UI configuration is disabled because the application configuration settings are managed through environment variables. Some settings may not be editable.",
 	"logo_from_url_description": "Paste a direct image URL (svg, png, webp). Find icons at <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> or <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Invalid URL",
 	"require_user_email": "Require Email Address",
 	"require_user_email_description": "Requires users to have an email address. If disabled, the users without an email address won't be able to use features that require an email address.",
 	"view": "View",
 	"toggle_columns": "Toggle columns",
 	"locale": "Locale",
 	"ldap_id": "LDAP ID",
 	"reauthentication": "Re-authentication",
 	"clear_filters": "Clear Filters",
 	"default_profile_picture": "Default Profile Picture",
 	"light": "Light",
 	"dark": "Dark",
 	"system": "System"
 }
--- a/frontend/messages/fr.json
+++ b/frontend/messages/fr.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Connexion par jeton",
 	"client_authorization": "Autorisation client",
 	"new_client_authorization": "Nouvelle autorisation client",
 	"device_code_authorization": "Autorisation du code de l'appareil",
 	"new_device_code_authorization": "Autorisation du code du nouvel appareil",
 	"passkey_added": "Clé d'accès ajoutée",
 	"passkey_removed": "Clé d'accès supprimée",
 	"disable_animations": "Désactiver les animations",
 	"turn_off_ui_animations": "Désactiver les animations dans toute l'interface.",
 	"user_disabled": "Compte désactivé",
--- a/frontend/messages/it.json
+++ b/frontend/messages/it.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Accesso con token",
 	"client_authorization": "Autorizzazione client",
 	"new_client_authorization": "Nuova autorizzazione client",
 	"device_code_authorization": "Autorizzazione codice dispositivo",
 	"new_device_code_authorization": "Autorizzazione codice nuovo dispositivo",
 	"passkey_added": "Passkey aggiunto",
 	"passkey_removed": "Passkey rimosso",
 	"disable_animations": "Disabilita animazioni",
 	"turn_off_ui_animations": "Disattiva tutte le animazioni della UI.",
 	"user_disabled": "Account disabilitato",
--- a/frontend/messages/ja.json
+++ b/frontend/messages/ja.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "トークンサインイン",
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
 	"device_code_authorization": "デバイスコード認証",
 	"new_device_code_authorization": "新規デバイス認証コード",
 	"passkey_added": "パスキー追加",
 	"passkey_removed": "パスキー削除済み",
 	"disable_animations": "アニメーションの無効化",
 	"turn_off_ui_animations": "Turn off animations throughout the UI.",
 	"user_disabled": "アカウントの無効化",
--- a/frontend/messages/ko.json
+++ b/frontend/messages/ko.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "토큰 로그인",
 	"client_authorization": "클라이언트 승인",
 	"new_client_authorization": "새로운 클라이언트 승인",
 	"device_code_authorization": "기기 코드 인증",
 	"new_device_code_authorization": "신규 장치 코드 인증",
 	"passkey_added": "패스키 추가됨",
 	"passkey_removed": "패스키 제거됨",
 	"disable_animations": "애니메이션 비활성화",
 	"turn_off_ui_animations": "UI 전체의 애니메이션을 비활성화합니다.",
 	"user_disabled": "계정 비활성화",
@@ -467,7 +463,7 @@
 	"reauthentication": "재인증",
 	"clear_filters": "필터 지우기",
 	"default_profile_picture": "기본 프로필 사진",
-	"light": "라이트",
+	"light": "빛",
-	"dark": "다크",
+	"dark": "어둠",
 	"system": "시스템"
 }
--- a/frontend/messages/nl.json
+++ b/frontend/messages/nl.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Inloggen met token",
 	"client_authorization": "Client autorisatie",
 	"new_client_authorization": "Nieuwe clientautorisatie",
 	"device_code_authorization": "Autorisatie van apparaatcode",
 	"new_device_code_authorization": "Nieuwe apparaatcode autoriseren",
 	"passkey_added": "Toegangscode toegevoegd",
 	"passkey_removed": "Toegangssleutel verwijderd",
 	"disable_animations": "Animaties uitzetten",
 	"turn_off_ui_animations": "Zet alle animaties in de gebruikersinterface uit.",
 	"user_disabled": "Account uitgeschakeld",
--- a/frontend/messages/pl.json
+++ b/frontend/messages/pl.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Logowanie za pomocą tokena",
 	"client_authorization": "Autoryzacja klienta",
 	"new_client_authorization": "Nowa autoryzacja klienta",
 	"device_code_authorization": "Autoryzacja kodu urządzenia",
 	"new_device_code_authorization": "Autoryzacja nowego kodu urządzenia",
 	"passkey_added": "Dodano klucz dostępu",
 	"passkey_removed": "Klucz dostępu usunięty",
 	"disable_animations": "Wyłącz animacje",
 	"turn_off_ui_animations": "Wyłącz animacje w całym interfejsie użytkownika.",
 	"user_disabled": "Konto wyłączone",
--- a/frontend/messages/pt-BR.json
+++ b/frontend/messages/pt-BR.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Entrar com token",
 	"client_authorization": "Autorização do cliente",
 	"new_client_authorization": "Autorização de novo cliente",
 	"device_code_authorization": "Autorização do código do dispositivo",
 	"new_device_code_authorization": "Autorização de novo código de dispositivo",
 	"passkey_added": "Chave de acesso adicionada",
 	"passkey_removed": "Chave de acesso removida",
 	"disable_animations": "Desativar animações",
 	"turn_off_ui_animations": "Desligue as animações em toda a interface do usuário.",
 	"user_disabled": "Conta desativada",
--- a/frontend/messages/ru.json
+++ b/frontend/messages/ru.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Вход с помощью токена",
 	"client_authorization": "Авторизация клиента",
 	"new_client_authorization": "Авторизация нового клиента",
 	"device_code_authorization": "Авторизация кода устройства",
 	"new_device_code_authorization": "Авторизация нового кода устройства",
 	"passkey_added": "Добавлен пароль",
 	"passkey_removed": "Удален ключ доступа",
 	"disable_animations": "Отключить анимации",
 	"turn_off_ui_animations": "Отключить все анимации в интерфейсе.",
 	"user_disabled": "Учетная запись отключена",
--- a/frontend/messages/sv.json
+++ b/frontend/messages/sv.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token-inloggning",
 	"client_authorization": "Godkännande av klient",
 	"new_client_authorization": "Ny klientauktorisation",
 	"device_code_authorization": "Enhetskodsgodkännande",
 	"new_device_code_authorization": "Auktorisering av ny enhetskod",
 	"passkey_added": "Passord tillagt",
 	"passkey_removed": "Passord borttaget",
 	"disable_animations": "Stäng av animationer",
 	"turn_off_ui_animations": "Stäng av animationer i hela användargränssnittet.",
 	"user_disabled": "Konto inaktiverat",
--- a/frontend/messages/tr.json
+++ b/frontend/messages/tr.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token ile Giriş",
 	"client_authorization": "İstemci Yetkilendirmesi",
 	"new_client_authorization": "Yeni İstemci Yetkilendirmesi",
 	"device_code_authorization": "Cihaz Kodu Yetkilendirme",
 	"new_device_code_authorization": "Yeni Cihaz Kodu Yetkilendirmesi",
 	"passkey_added": "Anahtar Eklendi",
 	"passkey_removed": "Geçiş Anahtarı Kaldırıldı",
 	"disable_animations": "Animasyonları Devre Dışı Bırak",
 	"turn_off_ui_animations": "Kullanıcı arayüzü animasyonlarını kapatın.",
 	"user_disabled": "Hesap Devre Dışı",
--- a/frontend/messages/uk.json
+++ b/frontend/messages/uk.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Вхід за допомогою токена",
 	"client_authorization": "Авторизація клієнта",
 	"new_client_authorization": "Нова авторизація клієнта",
 	"device_code_authorization": "Авторизація коду пристрою",
 	"new_device_code_authorization": "Авторизація нового коду пристрою",
 	"passkey_added": "Додано пароль",
 	"passkey_removed": "Ключ доступу видалено",
 	"disable_animations": "Вимкнути анімацію",
 	"turn_off_ui_animations": "Вимкнути анімації у всьому інтерфейсі.",
 	"user_disabled": "Обліковий запис вимкнено",
--- a/frontend/messages/vi.json
+++ b/frontend/messages/vi.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Đăng nhập bằng token",
 	"client_authorization": "Xác thực client",
 	"new_client_authorization": "Xác thực client mới",
 	"device_code_authorization": "Xác thực mã thiết bị",
 	"new_device_code_authorization": "Xác thực mã thiết bị mới",
 	"passkey_added": "Thêm khóa truy cập",
 	"passkey_removed": "Khóa truy cập đã bị xóa",
 	"disable_animations": "Tắt hiệu ứng động",
 	"turn_off_ui_animations": "Tắt các hiệu ứng động trong giao diện người dùng.",
 	"user_disabled": "Tài khoản bị vô hiệu hóa",
--- a/frontend/messages/zh-CN.json
+++ b/frontend/messages/zh-CN.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token 登录",
 	"client_authorization": "客户端授权",
 	"new_client_authorization": "首次客户端授权",
 	"device_code_authorization": "设备代码授权",
 	"new_device_code_authorization": "新设备代码授权",
 	"passkey_added": "密钥已添加",
 	"passkey_removed": "密钥已移除",
 	"disable_animations": "关闭动画",
 	"turn_off_ui_animations": "关闭界面中的所有动画效果。",
 	"user_disabled": "账户已禁用",
--- a/frontend/messages/zh-TW.json
+++ b/frontend/messages/zh-TW.json
@@ -331,10 +331,6 @@
 	"token_sign_in": "Token 登入",
 	"client_authorization": "客戶端授權",
 	"new_client_authorization": "新客戶端授權",
 	"device_code_authorization": "裝置代碼授權",
 	"new_device_code_authorization": "新裝置代碼授權",
 	"passkey_added": "通行密鑰已添加",
 	"passkey_removed": "通行密鑰已移除",
 	"disable_animations": "停用動畫",
 	"turn_off_ui_animations": "關閉整個 UI 的動畫。",
 	"user_disabled": "帳號已停用",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -15,49 +15,49 @@
  },
  "dependencies": {
    "@simplewebauthn/browser": "^13.2.2",
-    "@tailwindcss/vite": "^4.1.17",
+    "@tailwindcss/vite": "^4.1.16",
-    "axios": "^1.13.2",
+    "axios": "^1.12.2",
    "clsx": "^2.1.1",
    "date-fns": "^4.1.0",
-    "jose": "^6.1.2",
+    "jose": "^5.10.0",
    "qrcode": "^1.5.4",
-    "runed": "^0.36.0",
+    "runed": "^0.31.1",
-    "sveltekit-superforms": "^2.28.1",
+    "sveltekit-superforms": "^2.28.0",
-    "tailwind-merge": "^3.4.0",
+    "tailwind-merge": "^3.3.1",
-    "zod": "^4.1.13"
+    "zod": "^4.1.12"
  },
  "devDependencies": {
-    "@inlang/paraglide-js": "^2.5.0",
+    "@inlang/paraglide-js": "^2.4.0",
    "@inlang/plugin-m-function-matcher": "^2.1.0",
    "@inlang/plugin-message-format": "^4.0.0",
    "@internationalized/date": "^3.10.0",
-    "@lucide/svelte": "^0.554.0",
+    "@lucide/svelte": "^0.525.0",
    "@sveltejs/adapter-static": "^3.0.10",
-    "@sveltejs/kit": "^2.49.0",
+    "@sveltejs/kit": "^2.47.3",
    "@sveltejs/vite-plugin-svelte": "^6.2.1",
    "@types/eslint": "^9.6.1",
-    "@types/node": "^24.10.1",
+    "@types/node": "^22.18.12",
    "@types/qrcode": "^1.5.6",
-    "bits-ui": "^2.14.4",
+    "bits-ui": "^2.14.1",
-    "eslint": "^9.39.1",
+    "eslint": "^9.38.0",
    "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-svelte": "^3.13.0",
+    "eslint-plugin-svelte": "^3.12.5",
    "formsnap": "^2.0.1",
-    "globals": "^16.5.0",
+    "globals": "^16.4.0",
    "mode-watcher": "^1.1.0",
    "prettier": "^3.6.2",
    "prettier-plugin-svelte": "^3.4.0",
-    "prettier-plugin-tailwindcss": "^0.7.1",
+    "prettier-plugin-tailwindcss": "^0.6.14",
-    "rollup": "^4.53.3",
+    "rollup": "^4.52.5",
-    "svelte": "^5.44.0",
+    "svelte": "^5.41.3",
-    "svelte-check": "^4.3.4",
+    "svelte-check": "^4.3.3",
-    "svelte-sonner": "^1.0.6",
+    "svelte-sonner": "^1.0.5",
-    "tailwind-variants": "^3.2.2",
+    "tailwind-variants": "^1.0.0",
-    "tailwindcss": "^4.1.17",
+    "tailwindcss": "^4.1.16",
    "tslib": "^2.8.1",
    "tw-animate-css": "^1.4.0",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.48.0",
+    "typescript-eslint": "^8.46.2",
-    "vite": "^7.2.4"
+    "vite": "^7.1.12"
  }
 }
--- a/frontend/project.inlang/settings.json
+++ b/frontend/project.inlang/settings.json
@@ -7,7 +7,6 @@
 		"de",
 		"en",
 		"es",
 		"fi",
 		"fr",
 		"it",
 		"ko",
--- a/frontend/src/lib/components/form/checkbox-with-label.svelte
+++ b/frontend/src/lib/components/form/checkbox-with-label.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { Checkbox } from '$lib/components/ui/checkbox';
-	import * as Field from '$lib/components/ui/field';
+	import { Label } from '$lib/components/ui/label';
 	let {
 		id,
@@ -26,10 +26,14 @@
 		onCheckedChange={(v) => onCheckedChange && onCheckedChange(v == true)}
 		bind:checked
 	/>
-	<Field.Field class="gap-0">
+	<div class="grid gap-1.5 leading-none">
-		<Field.Label for={id}>{label}</Field.Label>
+		<Label for={id} class="mb-0 text-sm leading-none font-medium">
 			{label}
 		</Label>
 		{#if description}
-			<Field.Description>{description}</Field.Description>
+			<p class="text-muted-foreground text-[0.8rem]">
 				{description}
 			</p>
 		{/if}
-	</Field.Field>
+	</div>
 </div>
--- a/frontend/src/lib/components/form/form-input.svelte
+++ b/frontend/src/lib/components/form/form-input.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
 	import DatePicker from '$lib/components/form/date-picker.svelte';
 	import * as Field from '$lib/components/ui/field';
 	import { Input, type FormInputEvent } from '$lib/components/ui/input';
 	import { Label } from '$lib/components/ui/label';
 	import { m } from '$lib/paraglide/messages';
 	import type { FormInput } from '$lib/utils/form-util';
 	import { LucideExternalLink } from '@lucide/svelte';
@@ -34,12 +34,12 @@
 	const id = label?.toLowerCase().replace(/ /g, '-');
 </script>
-<Field.Field data-disabled={disabled} {...restProps}>
+<div {...restProps}>
 	{#if label}
-		<Field.Label required={input?.required} for={id}>{label}</Field.Label>
+		<Label required={input?.required} class="mb-0" for={id}>{label}</Label>
 	{/if}
 	{#if description}
-		<Field.Description>
+		<p class="text-muted-foreground mt-1 text-xs">
 			{description}
 			{#if docsLink}
 				<a
@@ -51,8 +51,9 @@
 					<LucideExternalLink class="inline size-3 align-text-top" />
 				</a>
 			{/if}
-		</Field.Description>
+		</p>
 	{/if}
 	<div class={label || description ? 'mt-2' : ''}>
 		{#if children}
 			{@render children()}
 		{:else if input}
@@ -71,6 +72,7 @@
 			{/if}
 		{/if}
 		{#if input?.error}
-		<Field.Error>{input.error}</Field.Error>
+			<p class="text-destructive mt-1 text-start text-xs">{input.error}</p>
 		{/if}
-</Field.Field>
+	</div>
 </div>
--- a/frontend/src/lib/components/form/profile-picture-settings.svelte
+++ b/frontend/src/lib/components/form/profile-picture-settings.svelte
@@ -5,8 +5,7 @@
 	import { m } from '$lib/paraglide/messages';
 	import appConfigStore from '$lib/stores/application-configuration-store';
 	import { cachedProfilePicture } from '$lib/utils/cached-image-util';
-	import { LucideRefreshCw, LucideUpload } from '@lucide/svelte';
+	import { LucideLoader, LucideRefreshCw, LucideUpload } from '@lucide/svelte';
 	import { Spinner } from '$lib/components/ui/spinner';
 	import { onMount } from 'svelte';
 	import { openConfirmDialog } from '../confirm-dialog';
@@ -89,7 +88,7 @@
 					</Avatar.Root>
 					<div class="absolute inset-0 flex items-center justify-center">
 						{#if isLoading}
-							<Spinner class="size-5" />
+							<LucideLoader class="size-5 animate-spin" />
 						{:else}
 							<LucideUpload class="size-5 opacity-0 transition-opacity group-hover:opacity-100" />
 						{/if}
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);`