release: 0.15.0

.github/workflows/build-and-push-docker-image.yml

@@ -11,18 +11,36 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v3
 
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+            ${{ github.repository }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker registry
-        uses: docker/login-action@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3
+        with:
+            registry: ghcr.io
+            username: ${{github.repository_owner}}
+            password: ${{secrets.GITHUB_TOKEN}}    
+
       - name: Download GeoLite2 City database
         run: MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }} sh scripts/download-ip-database.sh
     
@@ -32,6 +50,7 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: stonith404/pocket-id:latest,stonith404/pocket-id:${{  github.ref_name }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

.version

@@ -1 +1 @@
-0.13.1
+0.15.0

CHANGELOG.md

@@ -1,3 +1,29 @@
+## [](https://github.com/stonith404/pocket-id/compare/v0.14.0...v) (2024-11-21)
+
+
+### Features
+
+* add option to skip TLS certificate check and ability to send test email ([653d948](https://github.com/stonith404/pocket-id/commit/653d948f73b61e6d1fd3484398fef1a2a37e6d92))
+* add PKCE support ([3613ac2](https://github.com/stonith404/pocket-id/commit/3613ac261cf65a2db0620ff16dc6df239f6e5ecd))
+
+
+### Bug Fixes
+
+* mobile layout overflow on application configuration page ([e784093](https://github.com/stonith404/pocket-id/commit/e784093342f9977ea08cac65ff0c3de4d2644872))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.13.1...v) (2024-11-11)
+
+
+### Features
+
+* add audit log event for one time access token sign in ([aca2240](https://github.com/stonith404/pocket-id/commit/aca2240a50a12e849cfb6e1aa56390b000aebae0))
+
+
+### Bug Fixes
+
+* overflow of pagination control on mobile ([de45398](https://github.com/stonith404/pocket-id/commit/de4539890349153c467013c24c4d6b30feb8fed8))
+* time displayed incorrectly in audit log ([3d3fb4d](https://github.com/stonith404/pocket-id/commit/3d3fb4d855ef510f2292e98fcaaaf83debb5d3e0))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.13.0...v) (2024-11-01)
 
 

Dockerfile

@@ -21,7 +21,10 @@ RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 
 # Stage 3: Production Image
 FROM node:20-alpine
-RUN apk add --no-cache caddy
+# Delete default node user
+RUN deluser --remove-home node
+
+RUN apk add --no-cache caddy su-exec
 COPY ./reverse-proxy /etc/caddy/
 
 WORKDIR /app
@@ -41,5 +44,5 @@ RUN chmod +x ./scripts/*.sh
 EXPOSE 80
 ENV APP_ENV=production
 
-# Use a shell form to run both the frontend and backend
-CMD ["sh", "./scripts/docker-entrypoint.sh"]
+ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]

README.md

@@ -11,7 +11,7 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht
 ## Setup
 
 > [!WARNING]  
-> Pocket ID is in its early stages and may contain bugs.
+> Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue.
 
 ### Before you start
 
@@ -150,6 +150,7 @@ docker compose up -d
 | ---------------------- | ----------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `PUBLIC_APP_URL`       | `http://localhost`      | yes                   | The URL where you will access the app.                                                                                                                                                |
 | `TRUST_PROXY`          | `false`                 | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                            |
+| `PUID`                  and `PGID` | `1000`                  | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables).                                                                                                                       |
 | `DB_PATH`              | `data/pocket-id.db`     | no                    | The path to the SQLite database.                                                                                                                                                      |
 | `UPLOAD_PATH`          | `data/uploads`          | no                    | The path where the uploaded files are stored.                                                                                                                                         |
 | `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no                    | The URL where the backend is accessible.                                                                                                                                              |

backend/email-templates/test_html.tmpl

@@ -0,0 +1,11 @@
+{{ define "base" -}}
+    <div class="header">
+        <div class="logo">
+            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
+            <h1>{{ .AppName }}</h1>
+        </div>
+    </div>
+    <div class="content">
+        <p>This is a test email.</p>
+    </div>
+{{ end -}}

backend/email-templates/test_text.tmpl

@@ -0,0 +1,3 @@
+{{ define "base" -}}
+This is a test email.
+{{ end -}}

backend/internal/bootstrap/router_bootstrap.go

@@ -30,7 +30,7 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 
 	// Initialize services
 	templateDir := os.DirFS(common.EnvConfig.EmailTemplatesPath)
-	emailService, err := service.NewEmailService(appConfigService, templateDir)
+	emailService, err := service.NewEmailService(appConfigService, db, templateDir)
 	if err != nil {
 		log.Fatalf("Unable to create email service: %s", err)
 	}
@@ -38,7 +38,7 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService)
+	userService := service.NewUserService(db, jwtService, auditLogService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	testService := service.NewTestService(db, appConfigService)
@@ -58,7 +58,7 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService)
 	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
 	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
-	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService)
+	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService, emailService)
 	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
 	controller.NewUserGroupController(apiGroup, jwtAuthMiddleware, userGroupService)
 	controller.NewCustomClaimController(apiGroup, jwtAuthMiddleware, customClaimService)

backend/internal/common/errors.go

@@ -102,7 +102,7 @@ func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyR
 type ClientIdOrSecretNotProvidedError struct{}
 
 func (e *ClientIdOrSecretNotProvidedError) Error() string {
-	return "Client id and secret not provided"
+	return "Client id or secret not provided"
 }
 func (e *ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
 
@@ -146,3 +146,17 @@ func (e *AccountEditNotAllowedError) Error() string {
 	return "You are not allowed to edit your account"
 }
 func (e *AccountEditNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcInvalidCodeVerifierError struct{}
+
+func (e *OidcInvalidCodeVerifierError) Error() string {
+	return "Invalid code verifier"
+}
+func (e *OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcMissingCodeChallengeError struct{}
+
+func (e *OidcMissingCodeChallengeError) Error() string {
+	return "Missing code challenge"
+}
+func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }

backend/internal/controller/app_config_controller.go

@@ -14,10 +14,13 @@ import (
 func NewAppConfigController(
 	group *gin.RouterGroup,
 	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
-	appConfigService *service.AppConfigService) {
+	appConfigService *service.AppConfigService,
+	emailService *service.EmailService,
+) {
 
 	acc := &AppConfigController{
 		appConfigService: appConfigService,
+		emailService:     emailService,
 	}
 	group.GET("/application-configuration", acc.listAppConfigHandler)
 	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
@@ -29,10 +32,13 @@ func NewAppConfigController(
 	group.PUT("/application-configuration/logo", jwtAuthMiddleware.Add(true), acc.updateLogoHandler)
 	group.PUT("/application-configuration/favicon", jwtAuthMiddleware.Add(true), acc.updateFaviconHandler)
 	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
+
+	group.POST("/application-configuration/test-email", jwtAuthMiddleware.Add(true), acc.testEmailHandler)
 }
 
 type AppConfigController struct {
 	appConfigService *service.AppConfigService
+	emailService     *service.EmailService
 }
 
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
@@ -175,3 +181,13 @@ func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, ol
 
 	c.Status(http.StatusNoContent)
 }
+
+func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
+	err := acc.emailService.SendTestEmail()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/oidc_controller.go

@@ -2,7 +2,6 @@ package controller
 
 import (
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"github.com/stonith404/pocket-id/backend/internal/service"
@@ -80,7 +79,10 @@ func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
 }
 
 func (oc *OidcController) createTokensHandler(c *gin.Context) {
-	var input dto.OidcIdTokenDto
+	// Disable cors for this endpoint
+	c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+
+	var input dto.OidcCreateTokensDto
 
 	if err := c.ShouldBind(&input); err != nil {
 		c.Error(err)
@@ -91,16 +93,11 @@ func (oc *OidcController) createTokensHandler(c *gin.Context) {
 	clientSecret := input.ClientSecret
 
 	// Client id and secret can also be passed over the Authorization header
-	if clientID == "" || clientSecret == "" {
-		var ok bool
-		clientID, clientSecret, ok = c.Request.BasicAuth()
-		if !ok {
-			c.Error(&common.ClientIdOrSecretNotProvidedError{})
-			return
-		}
+	if clientID == "" && clientSecret == "" {
+		clientID, clientSecret, _ = c.Request.BasicAuth()
 	}
 
-	idToken, accessToken, err := oc.oidcService.CreateTokens(input.Code, input.GrantType, clientID, clientSecret)
+	idToken, accessToken, err := oc.oidcService.CreateTokens(input.Code, input.GrantType, clientID, clientSecret, input.CodeVerifier)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/user_controller.go

@@ -141,7 +141,7 @@ func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
 		return
 	}
 
-	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/dto/app_config_dto.go

@@ -22,4 +22,5 @@ type AppConfigUpdateDto struct {
 	SmtpFrom            string `json:"smtpFrom" binding:"omitempty,email"`
 	SmtpUser            string `json:"smtpUser"`
 	SmtpPassword        string `json:"smtpPassword"`
+	SmtpSkipCertVerify  string `json:"smtpSkipCertVerify"`
 }

backend/internal/dto/audit_log_dto.go

@@ -2,12 +2,12 @@ package dto
 
 import (
 	"github.com/stonith404/pocket-id/backend/internal/model"
-	"time"
+	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
 )
 
 type AuditLogDto struct {
-	ID        string    `json:"id"`
-	CreatedAt time.Time `json:"createdAt"`
+	ID        string            `json:"id"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
 
 	Event     model.AuditLogEvent `json:"event"`
 	IpAddress string              `json:"ipAddress"`

backend/internal/dto/oidc_dto.go

@@ -9,19 +9,23 @@ type PublicOidcClientDto struct {
 type OidcClientDto struct {
 	PublicOidcClientDto
 	CallbackURLs []string `json:"callbackURLs"`
+	IsPublic     bool     `json:"isPublic"`
 	CreatedBy    UserDto  `json:"createdBy"`
 }
 
 type OidcClientCreateDto struct {
 	Name         string   `json:"name" binding:"required,max=50"`
 	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+	IsPublic     bool     `json:"isPublic"`
 }
 
 type AuthorizeOidcClientRequestDto struct {
-	ClientID    string `json:"clientID" binding:"required"`
-	Scope       string `json:"scope" binding:"required"`
-	CallbackURL string `json:"callbackURL"`
-	Nonce       string `json:"nonce"`
+	ClientID            string `json:"clientID" binding:"required"`
+	Scope               string `json:"scope" binding:"required"`
+	CallbackURL         string `json:"callbackURL"`
+	Nonce               string `json:"nonce"`
+	CodeChallenge       string `json:"codeChallenge"`
+	CodeChallengeMethod string `json:"codeChallengeMethod"`
 }
 
 type AuthorizeOidcClientResponseDto struct {
@@ -29,9 +33,10 @@ type AuthorizeOidcClientResponseDto struct {
 	CallbackURL string `json:"callbackURL"`
 }
 
-type OidcIdTokenDto struct {
+type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
 	Code         string `form:"code" binding:"required"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
+	CodeVerifier string `form:"code_verifier"`
 }

backend/internal/dto/user_group_dto.go

@@ -1,23 +1,25 @@
 package dto
 
-import "time"
+import (
+	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+)
 
 type UserGroupDtoWithUsers struct {
-	ID           string           `json:"id"`
-	FriendlyName string           `json:"friendlyName"`
-	Name         string           `json:"name"`
-	CustomClaims []CustomClaimDto `json:"customClaims"`
-	Users        []UserDto        `json:"users"`
-	CreatedAt    time.Time        `json:"createdAt"`
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	Users        []UserDto         `json:"users"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
 }
 
 type UserGroupDtoWithUserCount struct {
-	ID           string           `json:"id"`
-	FriendlyName string           `json:"friendlyName"`
-	Name         string           `json:"name"`
-	CustomClaims []CustomClaimDto `json:"customClaims"`
-	UserCount    int64            `json:"userCount"`
-	CreatedAt    time.Time        `json:"createdAt"`
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	UserCount    int64             `json:"userCount"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
 }
 
 type UserGroupCreateDto struct {

backend/internal/dto/webauthn_dto.go

@@ -2,7 +2,7 @@ package dto
 
 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	"time"
+	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
 )
 
 type WebauthnCredentialDto struct {
@@ -15,7 +15,7 @@ type WebauthnCredentialDto struct {
 	BackupEligible bool `json:"backupEligible"`
 	BackupState    bool `json:"backupState"`
 
-	CreatedAt time.Time `json:"createdAt"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
 }
 
 type WebauthnCredentialUpdateDto struct {

backend/internal/middleware/cors.go

@@ -1,11 +1,8 @@
 package middleware
 
 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"time"
-
-	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
 )
 
 type CorsMiddleware struct{}
@@ -15,10 +12,22 @@ func NewCorsMiddleware() *CorsMiddleware {
 }
 
 func (m *CorsMiddleware) Add() gin.HandlerFunc {
-	return cors.New(cors.Config{
-		AllowOrigins: []string{common.EnvConfig.AppURL},
-		AllowMethods: []string{"*"},
-		AllowHeaders: []string{"*"},
-		MaxAge:       12 * time.Hour,
-	})
+	return func(c *gin.Context) {
+		// Allow all origins for the token endpoint
+		if c.FullPath() == "/api/oidc/token" {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		} else {
+			c.Writer.Header().Set("Access-Control-Allow-Origin", common.EnvConfig.AppURL)
+		}
+
+		c.Writer.Header().Set("Access-Control-Allow-Headers", "*")
+		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")
+
+		if c.Request.Method == "OPTIONS" {
+			c.AbortWithStatus(204)
+			return
+		}
+
+		c.Next()
+	}
 }

backend/internal/model/app_config.go

@@ -19,10 +19,11 @@ type AppConfig struct {
 	LogoLightImageType  AppConfigVariable
 	LogoDarkImageType   AppConfigVariable
 
-	EmailEnabled AppConfigVariable
-	SmtpHost     AppConfigVariable
-	SmtpPort     AppConfigVariable
-	SmtpFrom     AppConfigVariable
-	SmtpUser     AppConfigVariable
-	SmtpPassword AppConfigVariable
+	EmailEnabled       AppConfigVariable
+	SmtpHost           AppConfigVariable
+	SmtpPort           AppConfigVariable
+	SmtpFrom           AppConfigVariable
+	SmtpUser           AppConfigVariable
+	SmtpPassword       AppConfigVariable
+	SmtpSkipCertVerify AppConfigVariable
 }

backend/internal/model/audit_log.go

@@ -23,9 +23,10 @@ type AuditLogData map[string]string
 type AuditLogEvent string
 
 const (
-	AuditLogEventSignIn                 AuditLogEvent = "SIGN_IN"
-	AuditLogEventClientAuthorization    AuditLogEvent = "CLIENT_AUTHORIZATION"
-	AuditLogEventNewClientAuthorization AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+	AuditLogEventSignIn                   AuditLogEvent = "SIGN_IN"
+	AuditLogEventOneTimeAccessTokenSignIn AuditLogEvent = "TOKEN_SIGN_IN"
+	AuditLogEventClientAuthorization      AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization   AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 )
 
 // Scan and Value methods for GORM to handle the custom type

backend/internal/model/oidc.go

@@ -20,10 +20,12 @@ type UserAuthorizedOidcClient struct {
 type OidcAuthorizationCode struct {
 	Base
 
-	Code      string
-	Scope     string
-	Nonce     string
-	ExpiresAt datatype.DateTime
+	Code                      string
+	Scope                     string
+	Nonce                     string
+	CodeChallenge             *string
+	CodeChallengeMethodSha256 *bool
+	ExpiresAt                 datatype.DateTime
 
 	UserID string
 	User   User
@@ -39,6 +41,7 @@ type OidcClient struct {
 	CallbackURLs CallbackURLs
 	ImageType    *string
 	HasLogo      bool `gorm:"-"`
+	IsPublic     bool
 
 	CreatedByID string
 	CreatedBy   User

backend/internal/model/user.go

@@ -59,6 +59,8 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 	return descriptors
 }
 
+func (u User) FullName() string { return u.FirstName + " " + u.LastName }
+
 type OneTimeAccessToken struct {
 	Base
 	Token     string

backend/internal/service/app_config_service.go

@@ -95,6 +95,11 @@ var defaultDbConfig = model.AppConfig{
 		Key:  "smtpPassword",
 		Type: "string",
 	},
+	SmtpSkipCertVerify: model.AppConfigVariable{
+		Key:          "smtpSkipCertVerify",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
 }
 
 func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {

backend/internal/service/audit_log_service.go

@@ -48,8 +48,8 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 }
 
 // CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
-func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
-	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, data)
+func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string) model.AuditLog {
+	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
 
 	// Count the number of times the user has logged in from the same device
 	var count int64

backend/internal/service/email_service.go

@@ -2,14 +2,18 @@ package service
 
 import (
 	"bytes"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 	htemplate "html/template"
 	"io/fs"
 	"mime/multipart"
 	"mime/quotedprintable"
+	"net"
 	"net/smtp"
 	"net/textproto"
 	ttemplate "text/template"
@@ -17,11 +21,12 @@ import (
 
 type EmailService struct {
 	appConfigService *AppConfigService
+	db               *gorm.DB
 	htmlTemplates    map[string]*htemplate.Template
 	textTemplates    map[string]*ttemplate.Template
 }
 
-func NewEmailService(appConfigService *AppConfigService, templateDir fs.FS) (*EmailService, error) {
+func NewEmailService(appConfigService *AppConfigService, db *gorm.DB, templateDir fs.FS) (*EmailService, error) {
 	htmlTemplates, err := email.PrepareHTMLTemplates(templateDir, emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
@@ -34,11 +39,25 @@ func NewEmailService(appConfigService *AppConfigService, templateDir fs.FS) (*Em
 
 	return &EmailService{
 		appConfigService: appConfigService,
+		db:               db,
 		htmlTemplates:    htmlTemplates,
 		textTemplates:    textTemplates,
 	}, nil
 }
 
+func (srv *EmailService) SendTestEmail() error {
+	var user model.User
+	if err := srv.db.First(&user).Error; err != nil {
+		return err
+	}
+
+	return SendEmail(srv,
+		email.Address{
+			Email: user.Email,
+			Name:  user.FullName(),
+		}, TestTemplate, nil)
+}
+
 func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
 	// Check if SMTP settings are set
 	if srv.appConfigService.DbConfig.EmailEnabled.Value != "true" {
@@ -71,26 +90,100 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	)
 	c.Body(body)
 
-	// Set up the authentication information.
+	// Set up the TLS configuration
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.Value == "true",
+		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
+	}
+
+	// Connect to the SMTP server
+	port := srv.appConfigService.DbConfig.SmtpPort.Value
+	var client *smtp.Client
+	if port == "465" {
+		client, err = srv.connectToSmtpServerUsingImplicitTLS(
+			srv.appConfigService.DbConfig.SmtpHost.Value+":"+port,
+			tlsConfig,
+		)
+	} else {
+		client, err = srv.connectToSmtpServerUsingStartTLS(
+			srv.appConfigService.DbConfig.SmtpHost.Value+":"+port,
+			tlsConfig,
+		)
+	}
+	defer client.Quit()
+	if err != nil {
+		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	// Set up the authentication
 	auth := smtp.PlainAuth("",
 		srv.appConfigService.DbConfig.SmtpUser.Value,
 		srv.appConfigService.DbConfig.SmtpPassword.Value,
 		srv.appConfigService.DbConfig.SmtpHost.Value,
 	)
-
-	// Send the email
-	err = smtp.SendMail(
-		srv.appConfigService.DbConfig.SmtpHost.Value+":"+srv.appConfigService.DbConfig.SmtpPort.Value,
-		auth,
-		srv.appConfigService.DbConfig.SmtpFrom.Value,
-		[]string{toEmail.Email},
-		[]byte(c.String()),
-	)
-
-	if err != nil {
-		return fmt.Errorf("failed to send email: %w", err)
+	if err := client.Auth(auth); err != nil {
+		return fmt.Errorf("failed to authenticate SMTP client: %w", err)
 	}
 
+	// Send the email
+	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+		return fmt.Errorf("send email content: %w", err)
+	}
+
+	return nil
+}
+
+func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
+	conn, err := tls.Dial("tcp", serverAddr, tlsConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	return client, nil
+}
+
+func (srv *EmailService) connectToSmtpServerUsingStartTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
+	conn, err := net.Dial("tcp", serverAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	}
+
+	if err := client.StartTLS(tlsConfig); err != nil {
+		return nil, fmt.Errorf("failed to start TLS: %w", err)
+	}
+	return client, nil
+}
+
+func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
+	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value); err != nil {
+		return fmt.Errorf("failed to set sender: %w", err)
+	}
+	if err := client.Rcpt(toEmail.Email); err != nil {
+		return fmt.Errorf("failed to set recipient: %w", err)
+	}
+	w, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("failed to start data: %w", err)
+	}
+	_, err = w.Write([]byte(c.String()))
+	if err != nil {
+		return fmt.Errorf("failed to write email data: %w", err)
+	}
+	if err := w.Close(); err != nil {
+		return fmt.Errorf("failed to close data writer: %w", err)
+	}
 	return nil
 }
 

backend/internal/service/email_service_templates.go

@@ -27,6 +27,13 @@ var NewLoginTemplate = email.Template[NewLoginTemplateData]{
 	},
 }
 
+var TestTemplate = email.Template[struct{}]{
+	Path: "test",
+	Title: func(data *email.TemplateData[struct{}]) string {
+		return "Test email"
+	},
+}
+
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -36,4 +43,4 @@ type NewLoginTemplateData struct {
 }
 
 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, TestTemplate.Path}

backend/internal/service/oidc_service.go

@@ -1,6 +1,8 @@
 package service
 
 import (
+	"crypto/sha256"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
@@ -39,16 +41,20 @@ func (s *OidcService) Authorize(input dto.AuthorizeOidcClientRequestDto, userID,
 	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
 	s.db.Preload("Client").First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", input.ClientID, userID)
 
+	if userAuthorizedOIDCClient.Client.IsPublic && input.CodeChallenge == "" {
+		return "", "", &common.OidcMissingCodeChallengeError{}
+	}
+
 	if userAuthorizedOIDCClient.Scope != input.Scope {
 		return "", "", &common.OidcMissingAuthorizationError{}
 	}
 
-	callbackURL, err := getCallbackURL(userAuthorizedOIDCClient.Client, input.CallbackURL)
+	callbackURL, err := s.getCallbackURL(userAuthorizedOIDCClient.Client, input.CallbackURL)
 	if err != nil {
 		return "", "", err
 	}
 
-	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce)
+	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
 	if err != nil {
 		return "", "", err
 	}
@@ -64,7 +70,11 @@ func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto
 		return "", "", err
 	}
 
-	callbackURL, err := getCallbackURL(client, input.CallbackURL)
+	if client.IsPublic && input.CodeChallenge == "" {
+		return "", "", &common.OidcMissingCodeChallengeError{}
+	}
+
+	callbackURL, err := s.getCallbackURL(client, input.CallbackURL)
 	if err != nil {
 		return "", "", err
 	}
@@ -83,7 +93,7 @@ func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto
 		}
 	}
 
-	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce)
+	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
 	if err != nil {
 		return "", "", err
 	}
@@ -93,31 +103,41 @@ func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto
 	return code, callbackURL, nil
 }
 
-func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret string) (string, string, error) {
+func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret, codeVerifier string) (string, string, error) {
 	if grantType != "authorization_code" {
 		return "", "", &common.OidcGrantTypeNotSupportedError{}
 	}
 
-	if clientID == "" || clientSecret == "" {
-		return "", "", &common.OidcMissingClientCredentialsError{}
-	}
-
 	var client model.OidcClient
 	if err := s.db.First(&client, "id = ?", clientID).Error; err != nil {
 		return "", "", err
 	}
 
-	err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret))
-	if err != nil {
-		return "", "", &common.OidcClientSecretInvalidError{}
+	// Verify the client secret if the client is not public
+	if !client.IsPublic {
+		if clientID == "" || clientSecret == "" {
+			return "", "", &common.OidcMissingClientCredentialsError{}
+		}
+
+		err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret))
+		if err != nil {
+			return "", "", &common.OidcClientSecretInvalidError{}
+		}
 	}
 
 	var authorizationCodeMetaData model.OidcAuthorizationCode
-	err = s.db.Preload("User").First(&authorizationCodeMetaData, "code = ?", code).Error
+	err := s.db.Preload("User").First(&authorizationCodeMetaData, "code = ?", code).Error
 	if err != nil {
 		return "", "", &common.OidcInvalidAuthorizationCodeError{}
 	}
 
+	// If the client is public, the code verifier must match the code challenge
+	if client.IsPublic {
+		if !s.validateCodeVerifier(codeVerifier, *authorizationCodeMetaData.CodeChallenge, *authorizationCodeMetaData.CodeChallengeMethodSha256) {
+			return "", "", &common.OidcInvalidCodeVerifierError{}
+		}
+	}
+
 	if authorizationCodeMetaData.ClientID != clientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {
 		return "", "", &common.OidcInvalidAuthorizationCodeError{}
 	}
@@ -186,6 +206,7 @@ func (s *OidcService) UpdateClient(clientID string, input dto.OidcClientCreateDt
 
 	client.Name = input.Name
 	client.CallbackURLs = input.CallbackURLs
+	client.IsPublic = input.IsPublic
 
 	if err := s.db.Save(&client).Error; err != nil {
 		return model.OidcClient{}, err
@@ -331,7 +352,7 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 	profileClaims := map[string]interface{}{
 		"given_name":         user.FirstName,
 		"family_name":        user.LastName,
-		"name":               user.FirstName + " " + user.LastName,
+		"name":               user.FullName(),
 		"preferred_username": user.Username,
 	}
 
@@ -358,19 +379,23 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 	return claims, nil
 }
 
-func (s *OidcService) createAuthorizationCode(clientID string, userID string, scope string, nonce string) (string, error) {
+func (s *OidcService) createAuthorizationCode(clientID string, userID string, scope string, nonce string, codeChallenge string, codeChallengeMethod string) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {
 		return "", err
 	}
 
+	codeChallengeMethodSha256 := strings.ToUpper(codeChallengeMethod) == "S256"
+
 	oidcAuthorizationCode := model.OidcAuthorizationCode{
-		ExpiresAt: datatype.DateTime(time.Now().Add(15 * time.Minute)),
-		Code:      randomString,
-		ClientID:  clientID,
-		UserID:    userID,
-		Scope:     scope,
-		Nonce:     nonce,
+		ExpiresAt:                 datatype.DateTime(time.Now().Add(15 * time.Minute)),
+		Code:                      randomString,
+		ClientID:                  clientID,
+		UserID:                    userID,
+		Scope:                     scope,
+		Nonce:                     nonce,
+		CodeChallenge:             &codeChallenge,
+		CodeChallengeMethodSha256: &codeChallengeMethodSha256,
 	}
 
 	if err := s.db.Create(&oidcAuthorizationCode).Error; err != nil {
@@ -380,7 +405,23 @@ func (s *OidcService) createAuthorizationCode(clientID string, userID string, sc
 	return randomString, nil
 }
 
-func getCallbackURL(client model.OidcClient, inputCallbackURL string) (callbackURL string, err error) {
+func (s *OidcService) validateCodeVerifier(codeVerifier, codeChallenge string, codeChallengeMethodSha256 bool) bool {
+	if !codeChallengeMethodSha256 {
+		return codeVerifier == codeChallenge
+	}
+
+	// Compute SHA-256 hash of the codeVerifier
+	h := sha256.New()
+	h.Write([]byte(codeVerifier))
+	codeVerifierHash := h.Sum(nil)
+
+	// Base64 URL encode the verifier hash
+	encodedVerifierHash := base64.RawURLEncoding.EncodeToString(codeVerifierHash)
+
+	return encodedVerifierHash == codeChallenge
+}
+
+func (s *OidcService) getCallbackURL(client model.OidcClient, inputCallbackURL string) (callbackURL string, err error) {
 	if inputCallbackURL == "" {
 		return client.CallbackURLs[0], nil
 	}

backend/internal/service/user_service.go

@@ -12,12 +12,13 @@ import (
 )
 
 type UserService struct {
-	db         *gorm.DB
-	jwtService *JwtService
+	db              *gorm.DB
+	jwtService      *JwtService
+	auditLogService *AuditLogService
 }
 
-func NewUserService(db *gorm.DB, jwtService *JwtService) *UserService {
-	return &UserService{db: db, jwtService: jwtService}
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService) *UserService {
+	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService}
 }
 
 func (s *UserService) ListUsers(searchTerm string, page int, pageSize int) ([]model.User, utils.PaginationResponse, error) {
@@ -88,7 +89,7 @@ func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, u
 	return user, nil
 }
 
-func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Time) (string, error) {
+func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Time, ipAddress, userAgent string) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(16)
 	if err != nil {
 		return "", err
@@ -104,6 +105,8 @@ func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Tim
 		return "", err
 	}
 
+	s.auditLogService.Create(model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
+
 	return oneTimeAccessToken.Token, nil
 }
 

backend/internal/service/webauthn_service.go

@@ -165,7 +165,7 @@ func (s *WebAuthnService) VerifyLogin(sessionID, userID string, credentialAssert
 		return model.User{}, "", err
 	}
 
-	s.auditLogService.CreateNewSignInWithEmail(ipAddress, userAgent, user.ID, model.AuditLogData{})
+	s.auditLogService.CreateNewSignInWithEmail(ipAddress, userAgent, user.ID)
 
 	return *user, token, nil
 }

backend/migrations/20241115131129_pkce.down.sql

@@ -0,0 +1,3 @@
+ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge;
+ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge_method_sha256;
+ALTER TABLE oidc_clients DROP COLUMN is_public;

backend/migrations/20241115131129_pkce.up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge TEXT;
+ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge_method_sha256 NUMERIC;
+ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pocket-id-frontend",
-  "version": "0.13.1",
+  "version": "0.15.0",
   "private": true,
   "scripts": {
     "dev": "vite dev --port 3000",

frontend/src/lib/components/advanced-table.svelte

@@ -117,7 +117,9 @@
 			</Table.Body>
 		</Table.Root>
 
-		<div class="mt-5 flex items-center justify-between space-x-2">
+		<div
+			class="mt-5 flex flex-col-reverse items-center justify-between gap-3 space-x-2 sm:flex-row"
+		>
 			<div class="flex items-center space-x-2">
 				<p class="text-sm font-medium">Items per page</p>
 				<Select.Root

frontend/src/lib/components/checkbox-with-label.svelte

@@ -0,0 +1,25 @@
+<script lang="ts">
+	import { Checkbox } from './ui/checkbox';
+	import { Label } from './ui/label';
+
+	let {
+		id,
+		checked = $bindable(),
+		label,
+		description
+	}: { id: string; checked: boolean; label: string; description?: string } = $props();
+</script>
+
+<div class="items-top mt-5 flex space-x-2">
+	<Checkbox {id} bind:checked />
+	<div class="grid gap-1.5 leading-none">
+		<Label for={id} class="mb-0 text-sm font-medium leading-none">
+			{label}
+		</Label>
+		{#if description}
+			<p class="text-muted-foreground text-[0.8rem]">
+				{description}
+			</p>
+		{/if}
+	</div>
+</div>

frontend/src/lib/components/ui/badge/index.ts

@@ -2,7 +2,7 @@ import { type VariantProps, tv } from "tailwind-variants";
 export { default as Badge } from "./badge.svelte";
 
 export const badgeVariants = tv({
-	base: "inline-flex select-none items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2",
+	base: "inline-flex select-none items-center rounded-full border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 break-keep whitespace-nowrap",
 	variants: {
 		variant: {
 			default: "border-transparent bg-primary text-primary-foreground hover:bg-primary/80",

frontend/src/lib/components/ui/pagination/pagination-ellipsis.svelte

@@ -10,7 +10,7 @@
 </script>
 
 <span
-	aria-hidden
+	aria-hidden="true"
 	class={cn("flex h-9 w-9 items-center justify-center", className)}
 	{...$$restProps}
 >

frontend/src/lib/services/app-config-service.ts

@@ -53,6 +53,10 @@ export default class AppConfigService extends APIService {
 		await this.api.put(`/application-configuration/background-image`, formData);
 	}
 
+	async sendTestEmail() {
+		await this.api.post('/application-configuration/test-email');
+	}
+
 	async getVersionInformation() {
 		const response = (
 			await axios.get('https://api.github.com/repos/stonith404/pocket-id/releases/latest')

frontend/src/lib/services/oidc-service.ts

@@ -3,23 +3,27 @@ import type { Paginated, PaginationRequest } from '$lib/types/pagination.type';
 import APIService from './api-service';
 
 class OidcService extends APIService {
-	async authorize(clientId: string, scope: string, callbackURL: string, nonce?: string) {
+	async authorize(clientId: string, scope: string, callbackURL: string, nonce?: string, codeChallenge?: string, codeChallengeMethod?: string) {
 		const res = await this.api.post('/oidc/authorize', {
 			scope,
 			nonce,
 			callbackURL,
-			clientId
+			clientId,
+			codeChallenge,
+			codeChallengeMethod
 		});
 
 		return res.data as AuthorizeResponse;
 	}
 
-	async authorizeNewClient(clientId: string, scope: string, callbackURL: string, nonce?: string) {
+	async authorizeNewClient(clientId: string, scope: string, callbackURL: string, nonce?: string, codeChallenge?: string, codeChallengeMethod?: string) {
 		const res = await this.api.post('/oidc/authorize/new-client', {
 			scope,
 			nonce,
 			callbackURL,
-			clientId
+			clientId,
+			codeChallenge,
+			codeChallengeMethod
 		});
 
 		return res.data as AuthorizeResponse;

frontend/src/lib/types/application-configuration.ts

@@ -12,6 +12,7 @@ export type AllAppConfig = AppConfig & {
 	smtpFrom: string;
 	smtpUser: string;
 	smtpPassword: string;
+	smtpSkipCertVerify: boolean;
 };
 
 export type AppConfigRawResponse = {

frontend/src/lib/types/oidc.type.ts

@@ -4,6 +4,7 @@ export type OidcClient = {
 	logoURL: string;
 	callbackURLs: [string, ...string[]];
 	hasLogo: boolean;
+	isPublic: boolean;
 };
 
 export type OidcClientCreate = Omit<OidcClient, 'id' | 'logoURL' | 'hasLogo'>;

frontend/src/routes/authorize/+page.server.ts

@@ -12,6 +12,8 @@ export const load: PageServerLoad = async ({ url, cookies }) => {
 		nonce: url.searchParams.get('nonce') || undefined,
 		state: url.searchParams.get('state')!,
 		callbackURL: url.searchParams.get('redirect_uri')!,
-		client
+		client,
+		codeChallenge: url.searchParams.get('code_challenge')!,
+		codeChallengeMethod: url.searchParams.get('code_challenge_method')!
 	};
 };

frontend/src/routes/authorize/+page.svelte

@@ -24,7 +24,7 @@
 	let authorizationRequired = false;
 
 	export let data: PageData;
-	let { scope, nonce, client, state, callbackURL } = data;
+	let { scope, nonce, client, state, callbackURL, codeChallenge, codeChallengeMethod  } = data;
 
 	async function authorize() {
 		isLoading = true;
@@ -37,7 +37,7 @@
 			}
 
 			await oidService
-				.authorize(client!.id, scope, callbackURL, nonce)
+				.authorize(client!.id, scope, callbackURL, nonce, codeChallenge, codeChallengeMethod)
 				.then(async ({ code, callbackURL }) => {
 					onSuccess(code, callbackURL);
 				});
@@ -55,7 +55,7 @@
 		isLoading = true;
 		try {
 			await oidService
-				.authorizeNewClient(client!.id, scope, callbackURL, nonce)
+				.authorizeNewClient(client!.id, scope, callbackURL, nonce, codeChallenge, codeChallengeMethod)
 				.then(async ({ code, callbackURL }) => {
 					onSuccess(code, callbackURL);
 				});

frontend/src/routes/settings/+layout.svelte

@@ -22,6 +22,7 @@
 
 	if ($userStore?.isAdmin) {
 		links = [
+			// svelte-ignore state_referenced_locally
 			...links,
 			{ href: '/settings/admin/users', label: 'Users' },
 			{ href: '/settings/admin/user-groups', label: 'User Groups' },

frontend/src/routes/settings/admin/application-configuration/forms/app-config-email-form.svelte

@@ -1,6 +1,8 @@
 <script lang="ts">
+	import CheckboxWithLabel from '$lib/components/checkbox-with-label.svelte';
 	import FormInput from '$lib/components/form-input.svelte';
 	import { Button } from '$lib/components/ui/button';
+	import AppConfigService from '$lib/services/app-config-service';
 	import type { AllAppConfig } from '$lib/types/application-configuration';
 	import { createForm } from '$lib/utils/form-util';
 	import { toast } from 'svelte-sonner';
@@ -14,7 +16,9 @@
 		callback: (appConfig: Partial<AllAppConfig>) => Promise<void>;
 	} = $props();
 
-	let isLoading = $state(false);
+	const appConfigService = new AppConfigService();
+
+	let isSendingTestEmail = $state(false);
 	let emailEnabled = $state(appConfig.emailEnabled);
 
 	const updatedAppConfig = {
@@ -23,7 +27,8 @@
 		smtpPort: appConfig.smtpPort,
 		smtpUser: appConfig.smtpUser,
 		smtpPassword: appConfig.smtpPassword,
-		smtpFrom: appConfig.smtpFrom
+		smtpFrom: appConfig.smtpFrom,
+		smtpSkipCertVerify: appConfig.smtpSkipCertVerify
 	};
 
 	const formSchema = z.object({
@@ -31,19 +36,20 @@
 		smtpPort: z.number().min(1),
 		smtpUser: z.string().min(1),
 		smtpPassword: z.string().min(1),
-		smtpFrom: z.string().email()
+		smtpFrom: z.string().email(),
+		smtpSkipCertVerify: z.boolean()
 	});
 
 	const { inputs, ...form } = createForm<typeof formSchema>(formSchema, updatedAppConfig);
 
 	async function onSubmit() {
+		console.log('submit');
 		const data = form.validate();
 		if (!data) return false;
-		isLoading = true;
 		await callback({
 			...data,
 			emailEnabled: true
-		}).finally(() => (isLoading = false));
+		});
 		toast.success('Email configuration updated successfully');
 		return true;
 	}
@@ -59,22 +65,43 @@
 			emailEnabled = true;
 		}
 	}
+
+	async function onTestEmail() {
+		isSendingTestEmail = true;
+		await appConfigService
+			.sendTestEmail()
+			.then(() => toast.success('Test email sent successfully to your Email address.'))
+			.catch(() =>
+				toast.error('Failed to send test email. Check the server logs for more information.')
+			)
+			.finally(() => (isSendingTestEmail = false));
+	}
 </script>
 
 <form onsubmit={onSubmit}>
-	<div class="mt-5 grid grid-cols-2 gap-5">
+	<div class="mt-5 grid grid-cols-1 gap-5 md:grid-cols-2">
 		<FormInput label="SMTP Host" bind:input={$inputs.smtpHost} />
 		<FormInput label="SMTP Port" type="number" bind:input={$inputs.smtpPort} />
 		<FormInput label="SMTP User" bind:input={$inputs.smtpUser} />
 		<FormInput label="SMTP Password" type="password" bind:input={$inputs.smtpPassword} />
 		<FormInput label="SMTP From" bind:input={$inputs.smtpFrom} />
+		<CheckboxWithLabel
+			id="skip-cert-verify"
+			label="Skip Certificate Verification"
+			description="This can be useful for self-signed certificates."
+			bind:checked={$inputs.smtpSkipCertVerify.value}
+		/>
 	</div>
-	<div class="mt-5 flex justify-end gap-3">
+	<div class="mt-8 flex flex-wrap justify-end gap-3">
 		{#if emailEnabled}
 			<Button variant="secondary" onclick={onDisable}>Disable</Button>
-			<Button {isLoading} onclick={onSubmit} type="submit">Save</Button>
+			<Button isLoading={isSendingTestEmail} variant="secondary" onclick={onTestEmail}
+				>Send Test Email</Button
+			>
+
+			<Button onclick={onSubmit} type="submit">Save</Button>
 		{:else}
-			<Button {isLoading} onclick={onEnable} type="submit">Enable</Button>
+			<Button onclick={onEnable}>Enable</Button>
 		{/if}
 	</div>
 </form>

frontend/src/routes/settings/admin/application-configuration/forms/app-config-general-form.svelte

@@ -1,4 +1,5 @@
 <script lang="ts">
+	import CheckboxWithLabel from '$lib/components/checkbox-with-label.svelte';
 	import FormInput from '$lib/components/form-input.svelte';
 	import { Button } from '$lib/components/ui/button';
 	import { Checkbox } from '$lib/components/ui/checkbox';
@@ -51,28 +52,18 @@
 			description="The duration of a session in minutes before the user has to sign in again."
 			bind:input={$inputs.sessionDuration}
 		/>
-		<div class="items-top mt-5 flex space-x-2">
-			<Checkbox id="admin-privileges" bind:checked={$inputs.allowOwnAccountEdit.value} />
-			<div class="grid gap-1.5 leading-none">
-				<Label for="admin-privileges" class="mb-0 text-sm font-medium leading-none">
-					Enable Self-Account Editing
-				</Label>
-				<p class="text-muted-foreground text-[0.8rem]">
-					Whether the users should be able to edit their own account details.
-				</p>
-			</div>
-		</div>
-		<div class="items-top mt-5 flex space-x-2">
-			<Checkbox id="admin-privileges" bind:checked={$inputs.emailsVerified.value} />
-			<div class="grid gap-1.5 leading-none">
-				<Label for="admin-privileges" class="mb-0 text-sm font-medium leading-none">
-					Emails Verified
-				</Label>
-				<p class="text-muted-foreground text-[0.8rem]">
-					Whether the user's email should be marked as verified for the OIDC clients.
-				</p>
-			</div>
-		</div>
+		<CheckboxWithLabel
+			id="self-account-editing"
+			label="Enable Self-Account Editing"
+			description="Whether the users should be able to edit their own account details."
+			bind:checked={$inputs.allowOwnAccountEdit.value}
+		/>
+		<CheckboxWithLabel
+			id="emails-verified"
+			label="Emails Verified"
+			description="Whether the user's email should be marked as verified for the OIDC clients."
+			bind:checked={$inputs.emailsVerified.value}
+		/>
 	</div>
 	<div class="mt-5 flex justify-end">
 		<Button {isLoading} type="submit">Save</Button>

frontend/src/routes/settings/admin/oidc-clients/[id]/+page.svelte

@@ -26,7 +26,8 @@
 		'OIDC Discovery URL': `https://${$page.url.hostname}/.well-known/openid-configuration`,
 		'Token URL': `https://${$page.url.hostname}/api/oidc/token`,
 		'Userinfo URL': `https://${$page.url.hostname}/api/oidc/userinfo`,
-		'Certificate URL': `https://${$page.url.hostname}/.well-known/jwks.json`
+		'Certificate URL': `https://${$page.url.hostname}/.well-known/jwks.json`,
+		PKCE: client.isPublic ? 'Enabled' : 'Disabled'
 	};
 
 	async function updateClient(updatedClient: OidcClientCreateWithLogo) {
@@ -34,6 +35,8 @@
 		const dataPromise = oidcService.updateClient(client.id, updatedClient);
 		const imagePromise = oidcService.updateClientLogo(client, updatedClient.logo);
 
+		client.isPublic = updatedClient.isPublic;
+
 		await Promise.all([dataPromise, imagePromise])
 			.then(() => {
 				toast.success('OIDC client updated successfully');
@@ -93,27 +96,29 @@
 					<span class="text-muted-foreground text-sm" data-testid="client-id"> {client.id}</span>
 				</CopyToClipboard>
 			</div>
-			<div class="mb-2 mt-1 flex items-center">
-				<Label class="w-44">Client secret</Label>
-				{#if $clientSecretStore}
-					<CopyToClipboard value={$clientSecretStore}>
-						<span class="text-muted-foreground text-sm" data-testid="client-secret">
-							{$clientSecretStore}
-						</span>
-					</CopyToClipboard>
-				{:else}
-					<span class="text-muted-foreground text-sm" data-testid="client-secret"
-						>••••••••••••••••••••••••••••••••</span
-					>
-					<Button
-						class="ml-2"
-						onclick={createClientSecret}
-						size="sm"
-						variant="ghost"
-						aria-label="Create new client secret"><LucideRefreshCcw class="h-3 w-3" /></Button
-					>
-				{/if}
-			</div>
+			{#if !client.isPublic}
+				<div class="mb-2 mt-1 flex items-center">
+					<Label class="w-44">Client secret</Label>
+					{#if $clientSecretStore}
+						<CopyToClipboard value={$clientSecretStore}>
+							<span class="text-muted-foreground text-sm" data-testid="client-secret">
+								{$clientSecretStore}
+							</span>
+						</CopyToClipboard>
+					{:else}
+						<span class="text-muted-foreground text-sm" data-testid="client-secret"
+							>••••••••••••••••••••••••••••••••</span
+						>
+						<Button
+							class="ml-2"
+							onclick={createClientSecret}
+							size="sm"
+							variant="ghost"
+							aria-label="Create new client secret"><LucideRefreshCcw class="h-3 w-3" /></Button
+						>
+					{/if}
+				</div>
+			{/if}
 			{#if showAllDetails}
 				<div transition:slide>
 					{#each Object.entries(setupDetails) as [key, value]}

frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte

@@ -1,4 +1,5 @@
 <script lang="ts">
+	import CheckboxWithLabel from '$lib/components/checkbox-with-label.svelte';
 	import FileInput from '$lib/components/file-input.svelte';
 	import FormInput from '$lib/components/form-input.svelte';
 	import { Button } from '$lib/components/ui/button';
@@ -28,12 +29,14 @@
 
 	const client: OidcClientCreate = {
 		name: existingClient?.name || '',
-		callbackURLs: existingClient?.callbackURLs || [""]
+		callbackURLs: existingClient?.callbackURLs || [''],
+		isPublic: existingClient?.isPublic || false
 	};
 
 	const formSchema = z.object({
 		name: z.string().min(2).max(50),
-		callbackURLs: z.array(z.string().url()).nonempty()
+		callbackURLs: z.array(z.string().url()).nonempty(),
+		isPublic: z.boolean()
 	});
 
 	type FormSchema = typeof formSchema;
@@ -71,15 +74,21 @@
 </script>
 
 <form onsubmit={onSubmit}>
-	<div class="flex flex-col gap-3 sm:flex-row">
+	<div class="grid grid-cols-2 gap-3 sm:flex-row">
 		<FormInput label="Name" class="w-full" bind:input={$inputs.name} />
 		<OidcCallbackUrlInput
 			class="w-full"
 			bind:callbackURLs={$inputs.callbackURLs.value}
 			bind:error={$inputs.callbackURLs.error}
 		/>
+		<CheckboxWithLabel
+			id="public-client"
+			label="Public Client"
+			description="Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app."
+			bind:checked={$inputs.isPublic.value}
+		/>
 	</div>
-	<div class="mt-3">
+	<div class="mt-8">
 		<Label for="logo">Logo</Label>
 		<div class="mt-2 flex items-end gap-3">
 			{#if logoDataURL}

frontend/src/routes/settings/admin/users/user-form.svelte

@@ -1,8 +1,7 @@
 <script lang="ts">
+	import CheckboxWithLabel from '$lib/components/checkbox-with-label.svelte';
 	import FormInput from '$lib/components/form-input.svelte';
 	import { Button } from '$lib/components/ui/button';
-	import { Checkbox } from '$lib/components/ui/checkbox';
-	import { Label } from '$lib/components/ui/label';
 	import type { UserCreate } from '$lib/types/user.type';
 	import { createForm } from '$lib/utils/form-util';
 	import { z } from 'zod';
@@ -70,15 +69,12 @@
 			<FormInput label="Username" bind:input={$inputs.username} />
 		</div>
 	</div>
-	<div class="items-top mt-5 flex space-x-2">
-		<Checkbox id="admin-privileges" bind:checked={$inputs.isAdmin.value} />
-		<div class="grid gap-1.5 leading-none">
-			<Label for="admin-privileges" class="mb-0 text-sm font-medium leading-none">
-				Admin Privileges
-			</Label>
-			<p class="text-muted-foreground text-[0.8rem]">Admins have full access to the admin panel.</p>
-		</div>
-	</div>
+	<CheckboxWithLabel
+		id="admin-privileges"
+		label="Admin Privileges"
+		description="Admins have full access to the admin panel."
+		bind:checked={$inputs.isAdmin.value}
+	/>
 	<div class="mt-5 flex justify-end">
 		<Button {isLoading} type="submit">Save</Button>
 	</div>

scripts/docker/create-user.sh

@@ -0,0 +1,28 @@
+
+echo "Creating user and group..."
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Check if the group with PGID exists; if not, create it
+if ! getent group pocket-id-group > /dev/null 2>&1; then
+    addgroup -g "$PGID" pocket-id-group
+fi
+
+# Check if a user with PUID exists; if not, create it
+if ! id -u pocket-id > /dev/null 2>&1; then
+    if ! getent passwd "$PUID" > /dev/null 2>&1; then
+        adduser -u "$PUID" -G pocket-id-group pocket-id
+    else
+        # If a user with the PUID already exists, use that user
+        existing_user=$(getent passwd "$PUID" | cut -d: -f1)
+        echo "Using existing user: $existing_user"
+    fi
+fi
+
+# Change ownership of the /app directory
+mkdir -p /app/backend/data
+find /app/backend/data \( ! -group "${PGID}" -o ! -user "${PUID}" \) -exec chown "${PUID}:${PGID}" {} +
+
+# Switch to the non-root user
+exec su-exec "$PUID:$PGID" "$@"