release: 0.28.0

feat: map allowed groups to OIDC clients (#202 )
docs: add example for adding Pocket ID to FreshRSS (#200 )
2025-12-06 13:12:58 +03:00 · 2025-02-03 18:41:42 +01:00 · 2025-02-03 18:41:15 +01:00 · 2025-02-03 09:10:10 +01:00 · 2025-02-03 09:08:20 +01:00 · 2025-02-03 08:58:35 +01:00
142 changed files with 24951 additions and 5992 deletions
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -34,4 +34,23 @@ body:
  - type: markdown
    attributes:
      value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: extra-information
+    validations:
+      required: true
+    attributes:
+      label: "Version and Environment"
+      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occured to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -0,0 +1,51 @@
+name: Deploy Docs
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "docs/**"
+
+jobs:
+  build:
+    name: Build Docusaurus
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: "npm"
+          cache-dependency-path: docs/package-lock.json
+
+      - name: Install dependencies
+        run: npm install
+        working-directory: ./docs
+
+      - name: Build website
+        run: npm run build
+        working-directory: ./docs
+
+      - name: Upload Build Artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs/build
+
+  deploy:
+    name: Deploy to GitHub Pages
+    needs: build
+
+    permissions:
+      pages: write
+      id-token: write
+
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -2,8 +2,17 @@ name: E2E Tests
 on:
  push:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
  pull_request:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
  build:
    timeout-minutes: 20
--- a/.gitignore
+++ b/.gitignore
@@ -36,4 +36,20 @@ data
 /frontend/tests/.auth
 /frontend/tests/.report
 pocket-id-backend
-/backend/GeoLite2-City.mmdb
+/backend/GeoLite2-City.mmdb
+
+# Generated files
+docs/build
+docs/.docusaurus
+docs/.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.25.0
+0.28.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,67 @@
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)
+
+
+### Features
+
+* allow LDAP users and groups to be deleted if LDAP gets disabled ([9ab1787](https://github.com/stonith404/pocket-id/commit/9ab178712aa3cc71546a89226e67b7ba91245251))
+* map allowed groups to OIDC clients ([#202](https://github.com/stonith404/pocket-id/issues/202)) ([13b02a0](https://github.com/stonith404/pocket-id/commit/13b02a072f20ce10e12fd8b897cbf42a908f3291))
+
+
+### Bug Fixes
+
+* **caddy:** trusted_proxies for IPv6 enabled hosts ([#189](https://github.com/stonith404/pocket-id/issues/189)) ([37a835b](https://github.com/stonith404/pocket-id/commit/37a835b44e308622f6862de494738dd2bfb58ef0))
+* missing user service dependency ([61e71ad](https://github.com/stonith404/pocket-id/commit/61e71ad43b8f0f498133d3eb2381382e7bc642b9))
+* non LDAP user group can't be updated after update ([ecd74b7](https://github.com/stonith404/pocket-id/commit/ecd74b794f1ffb7da05bce0046fb8d096b039409))
+* use cursor pointer on clickable elements ([7798580](https://github.com/stonith404/pocket-id/commit/77985800ae9628104e03e7f2e803b7ed9eaaf4e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.1...v) (2025-01-27)
+
+
+### Bug Fixes
+
+* smtp hello for tls connections ([#180](https://github.com/stonith404/pocket-id/issues/180)) ([781ff7a](https://github.com/stonith404/pocket-id/commit/781ff7ae7b84b13892e7a565b7a78f20c52ee2c9))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
+
+
+### Bug Fixes
+
+* add `__HOST` prefix to cookies ([#175](https://github.com/stonith404/pocket-id/issues/175)) ([164ce6a](https://github.com/stonith404/pocket-id/commit/164ce6a3d7fa8ae5275c94302952cf318e3b3113))
+* send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command ([397544c](https://github.com/stonith404/pocket-id/commit/397544c0f3f2b49f1f34ae53e6b9daf194d1ae28))
+* use OS hostname for SMTP EHLO message ([47c39f6](https://github.com/stonith404/pocket-id/commit/47c39f6d382c496cb964262adcf76cc8dbb96da3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.26.0...v) (2025-01-22)
+
+
+### Features
+
+* display private IP ranges correctly in audit log ([#139](https://github.com/stonith404/pocket-id/issues/139)) ([72923bb](https://github.com/stonith404/pocket-id/commit/72923bb86dc5d07d56aea98cf03320667944b553))
+
+
+### Bug Fixes
+
+* add save changes dialog before sending test email ([#165](https://github.com/stonith404/pocket-id/issues/165)) ([d02f475](https://github.com/stonith404/pocket-id/commit/d02f4753f3fbda75cd415ebbfe0702765c38c144))
+* ensure the downloaded GeoLite2 DB is not corrupted & prevent RW race condition ([#138](https://github.com/stonith404/pocket-id/issues/138)) ([f7710f2](https://github.com/stonith404/pocket-id/commit/f7710f298898d322885c1c83680e26faaa0bb800))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.1...v) (2025-01-20)
+
+
+### Features
+
+* support wildcard callback URLs ([8a1db0c](https://github.com/stonith404/pocket-id/commit/8a1db0cb4a5d4b32b4fdc19d41fff688a7c71a56))
+
+
+### Bug Fixes
+
+* non LDAP users get created with a empty LDAP ID string ([3f02d08](https://github.com/stonith404/pocket-id/commit/3f02d081098ad2caaa60a56eea4705639f80d01f))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.0...v) (2025-01-19)
+
+
+### Bug Fixes
+
+* disable account details inputs if user is imported from LDAP ([a8b9d60](https://github.com/stonith404/pocket-id/commit/a8b9d60a86e80c10d6fba07072b1d32cec400ecb))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.24.1...v) (2025-01-19)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -55,19 +55,19 @@ The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in Ty
 3. Install the dependencies with `npm install`
 4. Start the frontend with `npm run dev`

-You're all set!
-
 ### Reverse Proxy
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.

 #### Setup
 Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.

+You're all set!
+
 ### Testing

 We are using [Playwright](https://playwright.dev) for end-to-end testing.

 The tests can be run like this:
 1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
+2. Start the frontend in production mode with `npm run build && node --env-file=.env build/index.js`
 3. Run the tests with `npm run test`
--- a/6
+++ b/6
@@ -1,5 +1,5 @@
 # Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
+FROM node:22-alpine AS frontend-builder
 WORKDIR /app/frontend
 COPY ./frontend/package*.json ./
 RUN npm ci
@@ -20,8 +20,8 @@ WORKDIR /app/backend/cmd
 RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .

 # Stage 3: Production Image
-FROM node:20-alpine
-# Delete default node user
+FROM node:22-alpine
+# Delete default node user
 RUN deluser --remove-home node

 RUN apk add --no-cache caddy curl su-exec
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.

-→ Try out the [Demo](https://pocket-id.eliasschneider.com)
+→ Try out the [Demo](https://demo.pocket-id.org)

 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>

@@ -10,181 +10,11 @@ The goal of Pocket ID is to be a simple and easy-to-use. There are other self-ho

 Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.

-## Table of Contents
-
- [ Pocket ID](#-pocket-id)
-  - [Table of Contents](#table-of-contents)
-  - [Setup](#setup)
-    - [Before you start](#before-you-start)
-    - [Installation with Docker (recommended)](#installation-with-docker-recommended)
-    - [Unraid](#unraid)
-    - [Stand-alone Installation](#stand-alone-installation)
-    - [Nginx Reverse Proxy](#nginx-reverse-proxy)
-  - [Proxy Services with Pocket ID](#proxy-services-with-pocket-id)
-  - [Update](#update)
-      - [Docker](#docker)
-      - [Stand-alone](#stand-alone)
-  - [Environment variables](#environment-variables)
-  - [Account recovery](#account-recovery)
-  - [Contribute](#contribute)
-
 ## Setup

-> [!WARNING]
-> Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue.
+Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.

-### Before you start
-
-Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
-
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](#environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Unraid
-
-Pocket ID is available as a template on the Community Apps store.
-
-### Stand-alone Installation
-
-Required tools:
-
- [Node.js](https://nodejs.org/en/download/) >= 20
- [Go](https://golang.org/doc/install) >= 1.23
- [Git](https://git-scm.com/downloads)
- [PM2](https://pm2.keymetrics.io/)
- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-
-2. Run the following commands:
-
-   ```bash
-   git clone https://github.com/stonith404/pocket-id
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start --name pocket-id-caddy caddy -- run --config reverse-proxy/Caddyfile
-   ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Nginx Reverse Proxy
-
-To use Nginx as a reverse proxy for Pocket ID, update the configuration to increase the header buffer size. This adjustment is necessary because SvelteKit generates larger headers, which may exceed the default buffer limits.
-
-```nginx
-proxy_busy_buffers_size   512k;
-proxy_buffers   4 512k;
-proxy_buffer_size   256k;
-```
-
-## Proxy Services with Pocket ID
-
-The goal of Pocket ID is to function exclusively as an OIDC provider. As such, we don't have a built-in proxy provider. However, you can use other tools that act as a middleware to protect your services and support OIDC as an authentication provider.
-
-See the [guide](docs/proxy-services.md) for more information.
-
-## Update
-
-#### Docker
-
-```bash
-docker compose pull
-docker compose up -d
-```
-
-#### Stand-alone
-
-1. Stop the running services:
-   ```bash
-   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
-   ```
-2. Run the following commands:
-
-   ```bash
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start build/index.js --name pocket-id-frontend
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start caddy --name pocket-id-caddy -- run --config reverse-proxy/Caddyfile
-   ```
-
-## Environment variables
-
-| Variable                     | Default Value             | Recommended to change | Description                                                                                                                                                                                                                                                                                                                                                               |
-| ---------------------------- | ------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `PUBLIC_APP_URL`             | `http://localhost`        | yes                   | The URL where you will access the app.                                                                                                                                                                                                                                                                                                                                    |
-| `TRUST_PROXY`                | `false`                   | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                                                                                                                                                                                                                |
-| `MAXMIND_LICENSE_KEY`        | `-`                       | yes                   | License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).                                                                |
-| `PUID` and `PGID`            | `1000`                    | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
-| `DB_PROVIDER`                | `sqlite`                  | no                    | The database provider you want to use. Currently `sqlite` and `postgres` are supported.                                                                                                                                                                                                                                                                                   |
-| `SQLITE_DB_PATH`             | `data/pocket-id.db`       | no                    | The path to the SQLite database. This gets ignored if you didn't set `DB_PROVIDER` to `sqlite`.                                                                                                                                                                                                                                                                           |
-| `POSTGRES_CONNECTION_STRING` | `-`                       | no                    | The connection string to your Postgres database. This gets ignored if you didn't set `DB_PROVIDER` to `postgres`. A connection string can look like this: `postgresql://user:password@host:5432/pocket-id`.                                                                                                                                                               |
-| `UPLOAD_PATH`                | `data/uploads`            | no                    | The path where the uploaded files are stored.                                                                                                                                                                                                                                                                                                                             |
-| `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
-| `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
-| `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
-| `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
-| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen.                                                                                                                                                                                                                                                                                                                              |
-
-
-## Account recovery
-
-There are two ways to create a one-time access link for a user:
-
-1. **UI**: An admin can create a one-time access link for the user in the admin panel under the "Users" tab by clicking on the three dots next to the user's name and selecting "One-time link".
-2. **Terminal**: You can create a one-time access link for a user by running the `scripts/create-one-time-access-token.sh` script. To execute this script with Docker you have to run the following command:
-   ```bash
-   docker compose exec pocket-id sh "sh scripts/create-one-time-access-token.sh <username or email>"
-   ```
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.

 ## Contribute

--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,6 +1,8 @@
 APP_ENV=production
 PUBLIC_APP_URL=http://localhost
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
 DB_PROVIDER=sqlite
+# MAXMIND_LICENSE_KEY=fixme # needed for IP geolocation in the audit log
 SQLITE_DB_PATH=data/pocket-id.db
 POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -3,56 +3,55 @@ module github.com/stonith404/pocket-id/backend
 go 1.23.1

 require (
-	github.com/caarlos0/env/v11 v11.2.2
+	github.com/caarlos0/env/v11 v11.3.1
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.12.1
-	github.com/go-playground/validator/v10 v10.22.1
+	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-playground/validator/v10 v10.24.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.18.1
+	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	github.com/mileusna/useragent v1.3.5
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
-	golang.org/x/crypto v0.31.0
-	golang.org/x/time v0.6.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	golang.org/x/crypto v0.32.0
+	golang.org/x/time v0.9.0
 	gorm.io/driver/postgres v1.5.11
-	gorm.io/driver/sqlite v1.5.6
+	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.12.3 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.23 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -62,12 +61,12 @@ require (
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.10.0 // indirect
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/arch v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -4,24 +4,24 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/bytedance/sonic v1.12.3 h1:W2MGa7RCU1QTeYRTPE3+88mVC0yXmsRQRChiyVocVjU=
-github.com/bytedance/sonic v1.12.3/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
+github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
-github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dhui/dktest v0.4.3 h1:wquqUxAFdcUgabAVLvSCOKOlag5cIZuaOjYIBOWdsR0=
-github.com/dhui/dktest v0.4.3/go.mod h1:zNK8IwktWzQRm6I/l2Wjp7MakiyaFWv4G1hjmodmMTs=
+github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
@@ -34,16 +34,16 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.12.1 h1:dCIIBFbzhWKdgXeEifBjHPzgQ1hoWhjS4289Hjjy1uw=
-github.com/go-co-op/gocron/v2 v2.12.1/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@@ -56,24 +56,24 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
-github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
+github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
-github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
-github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
+github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -85,20 +85,27 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
 github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
@@ -106,13 +113,13 @@ github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -124,8 +131,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.23 h1:gbShiuAP1W5j9UOksQ06aiiqPMxYecovVGwmTxWtuw0=
-github.com/mattn/go-sqlite3 v1.14.23/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -145,8 +152,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1 h1:UihPOz+oIJ5X0JsO7wEkL50fheCODsoZ9r86mJWfNMc=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1/go.mod h1:vPpFrres6g9B5+meBwAd9xnp335KFcLEFW7EqJxBHy0=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -162,14 +169,16 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
@@ -189,20 +198,19 @@ go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.10.0 h1:S3huipmSclq3PJMNe76NGwkBR504WFkQ5dhzWzP8ZW8=
-golang.org/x/arch v0.10.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
+golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -218,18 +226,15 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -243,10 +248,9 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -264,12 +268,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -277,8 +279,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -288,8 +290,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
 gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -6,9 +6,10 @@ import (
 )

 func Bootstrap() {
+	initApplicationImages()
+
 	db := newDatabase()
 	appConfigService := service.NewAppConfigService(db)

-	initApplicationImages()
 	initRouter(db, appConfigService)
 }
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -38,11 +38,11 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService, auditLogService, emailService)
+	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	testService := service.NewTestService(db, appConfigService)
-	userGroupService := service.NewUserGroupService(db)
+	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)

 	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -176,3 +176,11 @@ func (e *LdapUserGroupUpdateError) Error() string {
 	return "LDAP user groups can't be updated"
 }
 func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -14,7 +14,8 @@ func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt
 	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}

 	group.POST("/oidc/authorize", jwtAuthMiddleware.Add(false), oc.authorizeHandler)
-	group.POST("/oidc/authorize/new-client", jwtAuthMiddleware.Add(false), oc.authorizeNewClientHandler)
+	group.POST("/oidc/authorization-required", jwtAuthMiddleware.Add(false), oc.authorizationConfirmationRequiredHandler)
+
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)

@@ -24,6 +25,7 @@ func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt
 	group.PUT("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.updateClientHandler)
 	group.DELETE("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.deleteClientHandler)

+	group.PUT("/oidc/clients/:id/allowed-user-groups", jwtAuthMiddleware.Add(true), oc.updateAllowedUserGroupsHandler)
 	group.POST("/oidc/clients/:id/secret", jwtAuthMiddleware.Add(true), oc.createClientSecretHandler)

 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
@@ -57,25 +59,20 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }

-func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
-	var input dto.AuthorizeOidcClientRequestDto
+func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Context) {
+	var input dto.AuthorizationRequiredDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		c.Error(err)
 		return
 	}

-	code, callbackURL, err := oc.oidcService.AuthorizeNewClient(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(input.ClientID, c.GetString("userID"), input.Scope)
 	if err != nil {
 		c.Error(err)
 		return
 	}

-	response := dto.AuthorizeOidcClientResponseDto{
-		Code:        code,
-		CallbackURL: callbackURL,
-	}
-
-	c.JSON(http.StatusOK, response)
+	c.JSON(http.StatusOK, gin.H{"authorizationRequired": !hasAuthorizedClient})
 }

 func (oc *OidcController) createTokensHandler(c *gin.Context) {
@@ -134,7 +131,7 @@ func (oc *OidcController) getClientHandler(c *gin.Context) {

 	// Return a different DTO based on the user's role
 	if c.GetBool("userIsAdmin") {
-		clientDto := dto.OidcClientDto{}
+		clientDto := dto.OidcClientWithAllowedUserGroupsDto{}
 		err = dto.MapStruct(client, &clientDto)
 		if err == nil {
 			c.JSON(http.StatusOK, clientDto)
@@ -191,7 +188,7 @@ func (oc *OidcController) createClientHandler(c *gin.Context) {
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
 		c.Error(err)
 		return
@@ -223,7 +220,7 @@ func (oc *OidcController) updateClientHandler(c *gin.Context) {
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
 		c.Error(err)
 		return
@@ -278,3 +275,25 @@ func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {

 	c.Status(http.StatusNoContent)
 }
+
+func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
+	var input dto.OidcUpdateAllowedUserGroupsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Param("id"), input)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	var oidcClientDto dto.OidcClientDto
+	if err := dto.MapStruct(oidcClient, &oidcClientDto); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, oidcClientDto)
+}
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -1,7 +1,9 @@
 package controller

 import (
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
+	"strconv"
 	"time"

 	"github.com/gin-gonic/gin"
@@ -184,7 +186,10 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 		return
 	}

-	utils.AddAccessTokenCookie(c, uc.appConfigService.DbConfig.SessionDuration.Value, token)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

@@ -201,7 +206,10 @@ func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
 		return
 	}

-	utils.AddAccessTokenCookie(c, uc.appConfigService.DbConfig.SessionDuration.Value, token)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -5,8 +5,9 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
+	"strconv"
 	"time"

 	"github.com/gin-gonic/gin"
@@ -42,12 +43,12 @@ func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
 		c.Error(&common.MissingSessionIdError{})
 		return
@@ -76,12 +77,12 @@ func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
 		c.Error(&common.MissingSessionIdError{})
 		return
@@ -105,7 +106,10 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 		return
 	}

-	utils.AddAccessTokenCookie(c, wc.appConfigService.DbConfig.SessionDuration.Value, token)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(wc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

@@ -165,6 +169,6 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }

 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
-	utils.AddAccessTokenCookie(c, "0", "")
+	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -37,6 +37,6 @@ type AppConfigUpdateDto struct {
 	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
 	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
 	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
-	EmailOneTimeAccessEnabled     string `json:"emailOneTimeAccessEnabled" binding:"required"`
-	EmailLoginNotificationEnabled string `json:"emailLoginNotificationEnabled" binding:"required"`
+	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
+	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -11,12 +11,19 @@ type OidcClientDto struct {
 	CallbackURLs []string `json:"callbackURLs"`
 	IsPublic     bool     `json:"isPublic"`
 	PkceEnabled  bool     `json:"pkceEnabled"`
-	CreatedBy    UserDto  `json:"createdBy"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	PublicOidcClientDto
+	CallbackURLs      []string                    `json:"callbackURLs"`
+	IsPublic          bool                        `json:"isPublic"`
+	PkceEnabled       bool                        `json:"pkceEnabled"`
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
 }

 type OidcClientCreateDto struct {
 	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+	CallbackURLs []string `json:"callbackURLs" binding:"required"`
 	IsPublic     bool     `json:"isPublic"`
 	PkceEnabled  bool     `json:"pkceEnabled"`
 }
@@ -35,6 +42,11 @@ type AuthorizeOidcClientResponseDto struct {
 	CallbackURL string `json:"callbackURL"`
 }

+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
 type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
 	Code         string `form:"code" binding:"required"`
@@ -42,3 +54,7 @@ type OidcCreateTokensDto struct {
 	ClientSecret string `form:"client_secret"`
 	CodeVerifier string `form:"code_verifier"`
 }
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -33,7 +33,3 @@ type UserGroupCreateDto struct {
 type UserGroupUpdateUsersDto struct {
 	UserIDs []string `json:"userIds" binding:"required"`
 }
-
-type AssignUserToGroupDto struct {
-	UserID string `json:"userId" binding:"required"`
-}
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -4,21 +4,9 @@ import (
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
 	"log"
-	"net/url"
 	"regexp"
 )

-var validateUrlList validator.Func = func(fl validator.FieldLevel) bool {
-	urls := fl.Field().Interface().([]string)
-	for _, u := range urls {
-		_, err := url.ParseRequestURI(u)
-		if err != nil {
-			return false
-		}
-	}
-	return true
-}
-
 var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
 	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
@@ -36,11 +24,6 @@ var validateClaimKey validator.Func = func(fl validator.FieldLevel) bool {
 }

 func init() {
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("urlList", validateUrlList); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
 	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
 		if err := v.RegisterValidation("username", validateUsername); err != nil {
 			log.Fatalf("Failed to register custom validation: %v", err)
--- a/backend/internal/middleware/error_handler.go
+++ b/backend/internal/middleware/error_handler.go
@@ -83,8 +83,6 @@ func handleValidationError(validationErrors validator.ValidationErrors) string {
 			errorMessage = fmt.Sprintf("%s must be at least %s characters long", fieldName, ve.Param())
 		case "max":
 			errorMessage = fmt.Sprintf("%s must be at most %s characters long", fieldName, ve.Param())
-		case "urlList":
-			errorMessage = fmt.Sprintf("%s must be a list of valid URLs", fieldName)
 		default:
 			errorMessage = fmt.Sprintf("%s is invalid", fieldName)
 		}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -4,6 +4,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"strings"
 )

@@ -19,7 +20,7 @@ func NewJwtAuthMiddleware(jwtService *service.JwtService, ignoreUnauthenticated
 func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Extract the token from the cookie or the Authorization header
-		token, err := c.Cookie("access_token")
+		token, err := c.Cookie(cookie.AccessTokenCookieName)
 		if err != nil {
 			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
 			if len(authorizationHeaderSplitted) == 2 {
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -20,14 +20,14 @@ type AppConfig struct {
 	LogoLightImageType  AppConfigVariable
 	LogoDarkImageType   AppConfigVariable
 	// Email
-	SmtpHost           AppConfigVariable
-	SmtpPort           AppConfigVariable
-	SmtpFrom           AppConfigVariable
-	SmtpUser           AppConfigVariable
-	SmtpPassword       AppConfigVariable
-	SmtpTls            AppConfigVariable
-	SmtpSkipCertVerify AppConfigVariable
-    EmailLoginNotificationEnabled AppConfigVariable
+	SmtpHost                      AppConfigVariable
+	SmtpPort                      AppConfigVariable
+	SmtpFrom                      AppConfigVariable
+	SmtpUser                      AppConfigVariable
+	SmtpPassword                  AppConfigVariable
+	SmtpTls                       AppConfigVariable
+	SmtpSkipCertVerify            AppConfigVariable
+	EmailLoginNotificationEnabled AppConfigVariable
 	EmailOneTimeAccessEnabled     AppConfigVariable
 	// LDAP
 	LdapEnabled                        AppConfigVariable
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -44,8 +44,9 @@ type OidcClient struct {
 	IsPublic     bool
 	PkceEnabled  bool

-	CreatedByID string
-	CreatedBy   User
+	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	CreatedByID       string
+	CreatedBy         User
 }

 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -73,7 +73,7 @@ var defaultDbConfig = model.AppConfig{
 		IsInternal:   true,
 		DefaultValue: "svg",
 	},
-    // Email
+	// Email
 	SmtpHost: model.AppConfigVariable{
 		Key:  "smtpHost",
 		Type: "string",
@@ -104,7 +104,7 @@ var defaultDbConfig = model.AppConfig{
 		Type:         "bool",
 		DefaultValue: "false",
 	},
-    EmailLoginNotificationEnabled: model.AppConfigVariable{
+	EmailLoginNotificationEnabled: model.AppConfigVariable{
 		Key:          "emailLoginNotificationEnabled",
 		Type:         "bool",
 		DefaultValue: "false",
@@ -119,6 +119,7 @@ var defaultDbConfig = model.AppConfig{
 	LdapEnabled: model.AppConfigVariable{
 		Key:          "ldapEnabled",
 		Type:         "bool",
+		IsPublic:     true,
 		DefaultValue: "false",
 	},
 	LdapUrl: model.AppConfigVariable{
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -4,18 +4,20 @@ import (
 	"bytes"
 	"crypto/tls"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	htemplate "html/template"
 	"mime/multipart"
 	"mime/quotedprintable"
 	"net"
 	"net/smtp"
 	"net/textproto"
+	"os"
 	ttemplate "text/template"
 	"time"
+
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )

 var netDialer = &net.Dialer{
@@ -88,18 +90,33 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	)
 	c.Body(body)

-	// Set up the TLS configuration
+	// Connect to the SMTP server
+	client, err := srv.getSmtpClient()
+	if err != nil {
+		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	defer client.Close()
+
+	// Send the email
+	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+		return fmt.Errorf("send email content: %w", err)
+	}
+
+	return nil
+}
+
+func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
+	port := srv.appConfigService.DbConfig.SmtpPort.Value
+	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
+
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.Value == "true",
 		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
 	}

 	// Connect to the SMTP server
-	port := srv.appConfigService.DbConfig.SmtpPort.Value
-	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
-	var client *smtp.Client
 	if srv.appConfigService.DbConfig.SmtpTls.Value == "false" {
-		client, err = smtp.Dial(smtpAddress)
+		client, err = srv.connectToSmtpServer(smtpAddress)
 	} else if port == "465" {
 		client, err = srv.connectToSmtpServerUsingImplicitTLS(
 			smtpAddress,
@@ -111,17 +128,14 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 			tlsConfig,
 		)
 	}
-
 	if err != nil {
-		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}

-	defer client.Close()
-
+	// Set up the authentication if user or password are set
 	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
 	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value

-	// Set up the authentication if user or password are set
 	if smtpUser != "" || smtpPassword != "" {
 		auth := smtp.PlainAuth("",
 			srv.appConfigService.DbConfig.SmtpUser.Value,
@@ -129,16 +143,29 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 			srv.appConfigService.DbConfig.SmtpHost.Value,
 		)
 		if err := client.Auth(auth); err != nil {
-			return fmt.Errorf("failed to authenticate SMTP client: %w", err)
+			return nil, fmt.Errorf("failed to authenticate SMTP client: %w", err)
 		}
 	}

-	// Send the email
-	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
-		return fmt.Errorf("send email content: %w", err)
+	return client, err
+}
+
+func (srv *EmailService) connectToSmtpServer(serverAddr string) (*smtp.Client, error) {
+	conn, err := netDialer.Dial("tcp", serverAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
 	}

-	return nil
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
+	return client, err
 }

 func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
@@ -157,6 +184,10 @@ func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string,
 		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
 	}

+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
 	return client, nil
 }

@@ -172,12 +203,26 @@ func (srv *EmailService) connectToSmtpServerUsingStartTLS(serverAddr string, tls
 		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
 	}

+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to say hello to SMTP server: %w", err)
+	}
+
 	if err := client.StartTLS(tlsConfig); err != nil {
 		return nil, fmt.Errorf("failed to start TLS: %w", err)
 	}
 	return client, nil
 }

+func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
 	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value); err != nil {
 		return fmt.Errorf("failed to set sender: %w", err)
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"sync"
 	"time"

 	"github.com/oschwald/maxminddb-golang/v2"
@@ -19,7 +20,24 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/common"
 )

-type GeoLiteService struct{}
+type GeoLiteService struct {
+	mutex sync.Mutex
+}
+
+var localhostIPNets = []*net.IPNet{
+	{IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 127.0.0.0/8
+	{IP: net.IPv6loopback, Mask: net.CIDRMask(128, 128)},    // ::1/128
+}
+
+var privateLanIPNets = []*net.IPNet{
+	{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},     // 10.0.0.0/8
+	{IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)},  // 172.16.0.0/12
+	{IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)}, // 192.168.0.0/16
+}
+
+var tailscaleIPNets = []*net.IPNet{
+	{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}, // 100.64.0.0/10
+}

 // NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
 func NewGeoLiteService() *GeoLiteService {
@@ -36,13 +54,29 @@ func NewGeoLiteService() *GeoLiteService {

 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
-	// Check if IP is in Tailscale's CGNAT range (100.64.0.0/10)
+	// Check the IP address against known private IP ranges
 	if ip := net.ParseIP(ipAddress); ip != nil {
-		if ip.To4() != nil && ip.To4()[0] == 100 && ip.To4()[1] >= 64 && ip.To4()[1] <= 127 {
-			return "Internal Network", "Tailscale", nil
+		for _, ipNet := range tailscaleIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "Tailscale", nil
+			}
+		}
+		for _, ipNet := range privateLanIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "LAN/Docker/k8s", nil
+			}
+		}
+		for _, ipNet := range localhostIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "localhost", nil
+			}
 		}
 	}

+	// Race condition between reading and writing the database.
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
 	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
 	if err != nil {
 		return "", "", err
@@ -134,16 +168,44 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {

 		// Check if the file is the GeoLite2-City.mmdb file
 		if header.Typeflag == tar.TypeReg && filepath.Base(header.Name) == "GeoLite2-City.mmdb" {
-			outFile, err := os.Create(common.EnvConfig.GeoLiteDBPath)
+			// extract to a temporary file to avoid having a corrupted db in case of write failure.
+			baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
+			tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
 			if err != nil {
-				return fmt.Errorf("failed to create target database file: %w", err)
+				return fmt.Errorf("failed to create temporary database file: %w", err)
 			}
-			defer outFile.Close()
+			tempName := tmpFile.Name()

 			// Write the file contents directly to the target location
-			if _, err := io.Copy(outFile, tarReader); err != nil {
+			if _, err := io.Copy(tmpFile, tarReader); err != nil {
+				// if fails to write, then cleanup and throw an error
+				tmpFile.Close()
+				os.Remove(tempName)
 				return fmt.Errorf("failed to write database file: %w", err)
 			}
+			tmpFile.Close()
+
+			// ensure the database is not corrupted
+			db, err := maxminddb.Open(tempName)
+			if err != nil {
+				// if fails to write, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to open downloaded database file: %w", err)
+			}
+			db.Close()
+
+			// ensure we lock the structure before we overwrite the database
+			// to prevent race conditions between reading and writing the mmdb.
+			s.mutex.Lock()
+			// replace the old file with the new file
+			err = os.Rename(tempName, common.EnvConfig.GeoLiteDBPath)
+			s.mutex.Unlock()
+
+			if err != nil {
+				// if cannot overwrite via rename, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to replace database file: %w", err)
+			}
 			return nil
 		}
 	}
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -14,7 +14,7 @@ import (
 	"gorm.io/gorm"
 	"mime/multipart"
 	"os"
-	"slices"
+	"regexp"
 	"strings"
 	"time"
 )
@@ -38,71 +38,111 @@ func NewOidcService(db *gorm.DB, jwtService *JwtService, appConfigService *AppCo
 }

 func (s *OidcService) Authorize(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
-	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
-	s.db.Preload("Client").First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", input.ClientID, userID)
-
-	if userAuthorizedOIDCClient.Client.IsPublic && input.CodeChallenge == "" {
-		return "", "", &common.OidcMissingCodeChallengeError{}
-	}
-
-	if userAuthorizedOIDCClient.Scope != input.Scope {
-		return "", "", &common.OidcMissingAuthorizationError{}
-	}
-
-	callbackURL, err := s.getCallbackURL(userAuthorizedOIDCClient.Client, input.CallbackURL)
-	if err != nil {
-		return "", "", err
-	}
-
-	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
-	if err != nil {
-		return "", "", err
-	}
-
-	s.auditLogService.Create(model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": userAuthorizedOIDCClient.Client.Name})
-
-	return code, callbackURL, nil
-}
-
-func (s *OidcService) AuthorizeNewClient(input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
 	var client model.OidcClient
-	if err := s.db.First(&client, "id = ?", input.ClientID).Error; err != nil {
+	if err := s.db.Preload("AllowedUserGroups").First(&client, "id = ?", input.ClientID).Error; err != nil {
 		return "", "", err
 	}

+	// If the client is not public, the code challenge must be provided
 	if client.IsPublic && input.CodeChallenge == "" {
 		return "", "", &common.OidcMissingCodeChallengeError{}
 	}

+	// Get the callback URL of the client. Return an error if the provided callback URL is not allowed
 	callbackURL, err := s.getCallbackURL(client, input.CallbackURL)
 	if err != nil {
 		return "", "", err
 	}

-	userAuthorizedClient := model.UserAuthorizedOidcClient{
-		UserID:   userID,
-		ClientID: input.ClientID,
-		Scope:    input.Scope,
+	// Check if the user group is allowed to authorize the client
+	var user model.User
+	if err := s.db.Preload("UserGroups").First(&user, "id = ?", userID).Error; err != nil {
+		return "", "", err
 	}

-	if err := s.db.Create(&userAuthorizedClient).Error; err != nil {
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
-			err = s.db.Model(&userAuthorizedClient).Update("scope", input.Scope).Error
-		} else {
-			return "", "", err
+	if !s.IsUserGroupAllowedToAuthorize(user, client) {
+		return "", "", &common.OidcAccessDeniedError{}
+	}
+
+	// Check if the user has already authorized the client with the given scope
+	hasAuthorizedClient, err := s.HasAuthorizedClient(input.ClientID, userID, input.Scope)
+	if err != nil {
+		return "", "", err
+	}
+
+	// If the user has not authorized the client, create a new authorization in the database
+	if !hasAuthorizedClient {
+		userAuthorizedClient := model.UserAuthorizedOidcClient{
+			UserID:   userID,
+			ClientID: input.ClientID,
+			Scope:    input.Scope,
+		}
+
+		if err := s.db.Create(&userAuthorizedClient).Error; err != nil {
+			if errors.Is(err, gorm.ErrDuplicatedKey) {
+				// The client has already been authorized but with a different scope so we need to update the scope
+				if err := s.db.Model(&userAuthorizedClient).Update("scope", input.Scope).Error; err != nil {
+					return "", "", err
+				}
+			} else {
+				return "", "", err
+			}
 		}
 	}

+	// Create the authorization code
 	code, err := s.createAuthorizationCode(input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod)
 	if err != nil {
 		return "", "", err
 	}

-	s.auditLogService.Create(model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+	// Log the authorization event
+	if hasAuthorizedClient {
+		s.auditLogService.Create(model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+	} else {
+		s.auditLogService.Create(model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name})
+
+	}

 	return code, callbackURL, nil
 }

+// HasAuthorizedClient checks if the user has already authorized the client with the given scope
+func (s *OidcService) HasAuthorizedClient(clientID, userID, scope string) (bool, error) {
+	var userAuthorizedOidcClient model.UserAuthorizedOidcClient
+	if err := s.db.First(&userAuthorizedOidcClient, "client_id = ? AND user_id = ?", clientID, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return false, nil
+		}
+		return false, err
+	}
+
+	if userAuthorizedOidcClient.Scope != scope {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// IsUserGroupAllowedToAuthorize checks if the user group of the user is allowed to authorize the client
+func (s *OidcService) IsUserGroupAllowedToAuthorize(user model.User, client model.OidcClient) bool {
+	if len(client.AllowedUserGroups) == 0 {
+		return true
+	}
+
+	isAllowedToAuthorize := false
+	for _, userGroup := range client.AllowedUserGroups {
+		for _, userGroupUser := range user.UserGroups {
+			if userGroup.ID == userGroupUser.ID {
+				isAllowedToAuthorize = true
+				break
+			}
+		}
+	}
+
+	return isAllowedToAuthorize
+}
+
 func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret, codeVerifier string) (string, string, error) {
 	if grantType != "authorization_code" {
 		return "", "", &common.OidcGrantTypeNotSupportedError{}
@@ -161,7 +201,7 @@ func (s *OidcService) CreateTokens(code, grantType, clientID, clientSecret, code

 func (s *OidcService) GetClient(clientID string) (model.OidcClient, error) {
 	var client model.OidcClient
-	if err := s.db.Preload("CreatedBy").First(&client, "id = ?", clientID).Error; err != nil {
+	if err := s.db.Preload("CreatedBy").Preload("AllowedUserGroups").First(&client, "id = ?", clientID).Error; err != nil {
 		return model.OidcClient{}, err
 	}
 	return client, nil
@@ -382,6 +422,33 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 	return claims, nil
 }

+func (s *OidcService) UpdateAllowedUserGroups(id string, input dto.OidcUpdateAllowedUserGroupsDto) (client model.OidcClient, err error) {
+	client, err = s.GetClient(id)
+	if err != nil {
+		return model.OidcClient{}, err
+	}
+
+	// Fetch the user groups based on UserGroupIDs in input
+	var groups []model.UserGroup
+	if len(input.UserGroupIDs) > 0 {
+		if err := s.db.Where("id IN (?)", input.UserGroupIDs).Find(&groups).Error; err != nil {
+			return model.OidcClient{}, err
+		}
+	}
+
+	// Replace the current user groups with the new set of user groups
+	if err := s.db.Model(&client).Association("AllowedUserGroups").Replace(groups); err != nil {
+		return model.OidcClient{}, err
+	}
+
+	// Save the updated client
+	if err := s.db.Save(&client).Error; err != nil {
+		return model.OidcClient{}, err
+	}
+
+	return client, nil
+}
+
 func (s *OidcService) createAuthorizationCode(clientID string, userID string, scope string, nonce string, codeChallenge string, codeChallengeMethod string) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {
@@ -432,8 +499,16 @@ func (s *OidcService) getCallbackURL(client model.OidcClient, inputCallbackURL s
 	if inputCallbackURL == "" {
 		return client.CallbackURLs[0], nil
 	}
-	if slices.Contains(client.CallbackURLs, inputCallbackURL) {
-		return inputCallbackURL, nil
+
+	for _, callbackPattern := range client.CallbackURLs {
+		regexPattern := strings.ReplaceAll(regexp.QuoteMeta(callbackPattern), `\*`, ".*") + "$"
+		matched, err := regexp.MatchString(regexPattern, inputCallbackURL)
+		if err != nil {
+			return "", err
+		}
+		if matched {
+			return inputCallbackURL, nil
+		}
 	}

 	return "", &common.OidcInvalidCallbackURLError{}
--- a/backend/internal/service/test_service.go
+++ b/backend/internal/service/test_service.go
@@ -124,7 +124,10 @@ func (s *TestService) SeedDatabase() error {
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs: model.CallbackURLs{"http://immich/auth/callback"},
-				CreatedByID:  users[0].ID,
+				CreatedByID:  users[1].ID,
+				AllowedUserGroups: []model.UserGroup{
+					userGroups[1],
+				},
 			},
 		}
 		for _, client := range oidcClients {
@@ -163,27 +166,31 @@ func (s *TestService) SeedDatabase() error {
 			return err
 		}

-		publicKey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
-		publicKey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESq/wR8QbBu3dKnpaw/v0mDxFFDwnJ/L5XHSg2tAmq5x1BpSMmIr3+DxCbybVvGRmWGh8kKhy7SMnK91M6rFHTA==")
+		// To generate a new key pair, run the following command:
+		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
+		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
+
+		publicKeyPasskey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
+		publicKeyPasskey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
 		if err != nil {
 			return err
 		}
 		webauthnCredentials := []model.WebauthnCredential{
 			{
 				Name:            "Passkey 1",
-				CredentialID:    []byte("test-credential-1"),
-				PublicKey:       publicKey1,
+				CredentialID:    []byte("test-credential-tim"),
+				PublicKey:       publicKeyPasskey1,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
 				UserID:          users[0].ID,
 			},
 			{
 				Name:            "Passkey 2",
-				CredentialID:    []byte("test-credential-2"),
-				PublicKey:       publicKey2,
+				CredentialID:    []byte("test-credential-craig"),
+				PublicKey:       publicKeyPasskey2,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
-				UserID:          users[0].ID,
+				UserID:          users[1].ID,
 			},
 		}
 		for _, credential := range webauthnCredentials {
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -10,11 +10,12 @@ import (
 )

 type UserGroupService struct {
-	db *gorm.DB
+	db               *gorm.DB
+	appConfigService *AppConfigService
 }

-func NewUserGroupService(db *gorm.DB) *UserGroupService {
-	return &UserGroupService{db: db}
+func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService) *UserGroupService {
+	return &UserGroupService{db: db, appConfigService: appConfigService}
 }

 func (s *UserGroupService) List(name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
@@ -51,7 +52,8 @@ func (s *UserGroupService) Delete(id string) error {
 		return err
 	}

-	if group.LdapID != nil {
+	// Disallow deleting the group if it is an LDAP group and LDAP is enabled
+	if group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return &common.LdapUserGroupUpdateError{}
 	}

@@ -62,7 +64,10 @@ func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.Use
 	group = model.UserGroup{
 		FriendlyName: input.FriendlyName,
 		Name:         input.Name,
-		LdapID:       &input.LdapID,
+	}
+
+	if input.LdapID != "" {
+		group.LdapID = &input.LdapID
 	}

 	if err := s.db.Preload("Users").Create(&group).Error; err != nil {
@@ -80,13 +85,13 @@ func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto, allow
 		return model.UserGroup{}, err
 	}

-	if group.LdapID != nil && !allowLdapUpdate {
+	// Disallow updating the group if it is an LDAP group and LDAP is enabled
+	if !allowLdapUpdate && group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return model.UserGroup{}, &common.LdapUserGroupUpdateError{}
 	}

 	group.Name = input.Name
 	group.FriendlyName = input.FriendlyName
-	group.LdapID = &input.LdapID

 	if err := s.db.Preload("Users").Save(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -17,14 +17,15 @@ import (
 )

 type UserService struct {
-	db              *gorm.DB
-	jwtService      *JwtService
-	auditLogService *AuditLogService
-	emailService    *EmailService
+	db               *gorm.DB
+	jwtService       *JwtService
+	auditLogService  *AuditLogService
+	emailService     *EmailService
+	appConfigService *AppConfigService
 }

-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService) *UserService {
-	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService}
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService) *UserService {
+	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService, appConfigService: appConfigService}
 }

 func (s *UserService) ListUsers(searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
@@ -52,7 +53,8 @@ func (s *UserService) DeleteUser(userID string) error {
 		return err
 	}

-	if user.LdapID != nil {
+	// Disallow deleting the user if it is an LDAP user and LDAP is enabled
+	if user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return &common.LdapUserUpdateError{}
 	}

@@ -66,8 +68,11 @@ func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
 		Email:     input.Email,
 		Username:  input.Username,
 		IsAdmin:   input.IsAdmin,
-		LdapID:    &input.LdapID,
 	}
+	if input.LdapID != "" {
+		user.LdapID = &input.LdapID
+	}
+
 	if err := s.db.Create(&user).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			return model.User{}, s.checkDuplicatedFields(user)
@@ -83,7 +88,8 @@ func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, u
 		return model.User{}, err
 	}

-	if user.LdapID != nil && !allowLdapUpdate {
+	// Disallow updating the user if it is an LDAP group and LDAP is enabled
+	if !allowLdapUpdate && user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.Value == "true" {
 		return model.User{}, &common.LdapUserUpdateError{}
 	}

--- a/backend/internal/utils/cookie/add_cookie.go
+++ b/backend/internal/utils/cookie/add_cookie.go
@@ -0,0 +1,13 @@
+package cookie
+
+import (
+	"github.com/gin-gonic/gin"
+)
+
+func AddAccessTokenCookie(c *gin.Context, maxAgeInSeconds int, token string) {
+	c.SetCookie(AccessTokenCookieName, token, maxAgeInSeconds, "/", "", true, true)
+}
+
+func AddSessionIdCookie(c *gin.Context, maxAgeInSeconds int, sessionID string) {
+	c.SetCookie(SessionIdCookieName, sessionID, maxAgeInSeconds, "/", "", true, true)
+}
--- a/backend/internal/utils/cookie/cookie_names.go
+++ b/backend/internal/utils/cookie/cookie_names.go
@@ -0,0 +1,16 @@
+package cookie
+
+import (
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"strings"
+)
+
+var AccessTokenCookieName = "__Host-access_token"
+var SessionIdCookieName = "__Host-session"
+
+func init() {
+	if strings.HasPrefix(common.EnvConfig.AppURL, "http://") {
+		AccessTokenCookieName = "access_token"
+		SessionIdCookieName = "session"
+	}
+}
--- a/backend/internal/utils/cookie_util.go
+++ b/backend/internal/utils/cookie_util.go
@@ -1,12 +0,0 @@
-package utils
-
-import (
-	"github.com/gin-gonic/gin"
-	"strconv"
-)
-
-func AddAccessTokenCookie(c *gin.Context, sessionDurationInMinutes string, token string) {
-	sessionDurationInMinutesParsed, _ := strconv.Atoi(sessionDurationInMinutes)
-	maxAge := sessionDurationInMinutesParsed * 60
-	c.SetCookie("access_token", token, maxAge, "/", "", true, true)
-}
--- a/backend/resources/images/logoDark.svg
+++ b/backend/resources/images/logoDark.svg
@@ -1,3 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="white" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015"><path fill="#fff" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/></svg>
--- a/backend/resources/images/logoLight.svg
+++ b/backend/resources/images/logoLight.svg
@@ -1,3 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="black" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015"><path fill="#000" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/></svg>
--- a/backend/resources/migrations/postgres/20250120102531_fix_empty_ldap_id_string.down.sql
+++ b/backend/resources/migrations/postgres/20250120102531_fix_empty_ldap_id_string.down.sql
@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
--- a/backend/resources/migrations/postgres/20250120102531_fix_empty_ldap_id_string.up.sql
+++ b/backend/resources/migrations/postgres/20250120102531_fix_empty_ldap_id_string.up.sql
@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
--- a/backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.down.sql
+++ b/backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.down.sql
@@ -0,0 +1 @@
+DROP TABLE oidc_clients_allowed_user_groups;
--- a/backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.up.sql
+++ b/backend/resources/migrations/postgres/20250131154719_oidc_user_group_restriction.up.sql
@@ -0,0 +1,8 @@
+CREATE TABLE oidc_clients_allowed_user_groups
+(
+    user_group_id  UUID NOT NULL REFERENCES user_groups ON DELETE CASCADE,
+    oidc_client_id UUID NOT NULL REFERENCES oidc_clients ON DELETE CASCADE,
+    PRIMARY KEY (oidc_client_id, user_group_id)
+);
+
+
--- a/backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
+++ b/backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
--- a/backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
+++ b/backend/resources/migrations/postgres/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
--- a/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql
+++ b/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql
@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
--- a/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql
+++ b/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql
@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
--- a/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql
+++ b/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql
@@ -0,0 +1 @@
+DROP TABLE oidc_clients_allowed_user_groups;
--- a/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql
+++ b/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql
@@ -0,0 +1,8 @@
+CREATE TABLE oidc_clients_allowed_user_groups
+(
+    user_group_id  TEXT NOT NULL,
+    oidc_client_id TEXT NOT NULL,
+    PRIMARY KEY (oidc_client_id, user_group_id),
+    FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE,
+    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
+);
--- a/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
+++ b/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
--- a/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
+++ b/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
@@ -0,0 +1 @@
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
--- a/docs/docs/client-examples/cloudflare-zero-trust.md
+++ b/docs/docs/client-examples/cloudflare-zero-trust.md
@@ -0,0 +1,26 @@
+---
+id: cloudflare-zero-trust
+---
+# Cloudflare Zero Trust
+
+**Note: Cloudflare will need to be able to reach your Pocket ID instance and vice versa for this to work correctly**
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Cloudflare Zero Trust`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
+4. Copy the Client ID, Client Secret, Authorization URL, Token URL, and Certificate URL for the next steps.
+
+## Cloudflare Zero Trust Setup
+
+1. Login to Cloudflare Zero Trust [Dashboard](https://one.dash.cloudflare.com/).
+2. Navigate to Settings > Authentication > Login Methods.
+3. Click `Add New` under login methods.
+4. Create a name for the new login method.
+5. Paste in the `Client ID` from Pocket ID into the `App ID` field.
+6. Paste the `Client Secret` from Pocket ID into the `Client Secret` field.
+7. Paste the `Authorization URL` from Pocket ID into the `Auth URL` field.
+8. Paste the `Token URL` from Pocket ID into the `Token URL` field.
+9. Paste the `Certificate URL` from Pocket ID into the `Certificate URL` field.
+10. Save the new login method and test to make sure it works with cloudflare.
--- a/docs/docs/client-examples/freshrss.md
+++ b/docs/docs/client-examples/freshrss.md
@@ -0,0 +1,63 @@
+---
+id: freshrss
+---
+
+# FreshRSS
+
+The following example variables are used, and should be replaced with your actual URLs.
+
+- `freshrss.example.com` (The URL of your Proxmox instance.)
+- `id.example.com` (The URL of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket ID create a new OIDC Client, name it, for example, `FreshRSS`.
+2. Set a logo for this OIDC Client if you would like to.
+3. Set the callback URL to: `https://freshrss.example.com`.
+4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for use in the next steps.
+
+## FreshRSS Setup
+
+See [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md) for general OIDC settings.
+
+This is an example docker-compose file for FreshRSS with OIDC enabled.
+
+```yaml
+services:
+  freshrss:
+    image: freshrss/freshrss:1.25.0
+    container_name: freshrss
+    ports:
+      - 8080:80
+    volumes:
+      - /freshrss_data:/var/www/FreshRSS/data
+      - /freshrss_extensions:/var/www/FreshRSS/extensions
+    environment:
+      CRON_MIN: 1,31
+      TZ: Etc/UTC
+      OIDC_ENABLED: 1
+      OIDC_CLIENT_ID: <POCKET_ID_CLIENT_ID>
+      OIDC_CLIENT_SECRET: <POCKET_ID_SECRET>
+      OIDC_PROVIDER_METADATA_URL: https://id.example.com/.well-known/openid-configuration
+      OIDC_SCOPES: openid email profile
+      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Proto X-Forwarded-Host
+      OIDC_REMOTE_USER_CLAIM: preferred_username
+    restart: unless-stopped
+    networks:
+      - freshrss
+networks:
+  freshrss:
+    name: freshrss
+```
+
+:::important
+The Username used in Pocket ID must match the Username used in FreshRSS **exactly**. This also applies to case sensitivity. As of version `0.24` of Pocket ID all Usernames are required to be entirely lowercase. FreshRSS allows for uppercase. If a Pocket ID Username is `amanda` and your FreshRSS Username is `Amanda`, you will get a 403 error in FreshRSS and be unable to login. As of version `1.25` of FreshRSS, you are unable to change your username in the GUI. To change your FreshRSS username to lowercase or to match your Pocket ID username, you must nagivate to your FreshRSS volume location. Go to `data/users/` and change the folder for your user to the matching username in Pocket ID, then restart the FreshRSS container to apply the changes.
+:::
+
+## Complete OIDC Setup
+
+If you are setting up a new instance of FreshRSS, simply start the container with the OIDC variables and navigate to your FreshRSS URL.
+
+If you are adding OIDC to an existing FreshRSS instance, recreate the container with the docker-compose file with the OIDC variables in it and navigate to your FreshRSS URL. Go to `Settings > Authentication` and change the Authentication method to **HTTP** and hit Submit. Logout to test your OIDC connection.
+
+If you have an error with Pocket ID or are unable to login to your FreshRSS account, you can revert to password login by editing your `config.php` file for FreshRSS. Find the value for `auth_type` and change from `http_auth` to `form`. Restart the FreshRSS container to revert to password login.
--- a/docs/docs/client-examples/gitea.md
+++ b/docs/docs/client-examples/gitea.md
@@ -0,0 +1,30 @@
+---
+id: gitea
+---
+
+# Gitea
+
+## Pocket ID Setup
+
+1. In Pocket ID, create a new OIDC client named `Gitea` (or any name you prefer).  
+2. (Optional) Set a logo for the OIDC client.  
+3. Set the callback URL to: `https://<Gitea Host>/user/oauth2/PocketID/callback`  
+4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for the next steps.  
+
+## Gitea Setup
+
+1. Log in to Gitea as an admin.  
+2. Go to **Site Administration → Identity & Access → Authentication Sources**.  
+3. Click **Add Authentication Source**.  
+4. Set **Authentication Type** to `OAuth2`.  
+5. Set **Authentication Name** to `PocketID`.  
+   :::important  
+   If you change this name, update the callback URL in Pocket ID to match.  
+   :::  
+6. Set **OAuth2 Provider** to `OpenID Connect`.  
+7. Enter the `Client ID` into the **Client ID (Key)** field.  
+8. Enter the `Client Secret` into the **Client Secret** field.  
+9. Enter the `OIDC Discovery URL` into the **OpenID Connect Auto Discovery URL** field.  
+10. Enable **Skip local 2FA**.  
+11. Set **Additional Scopes** to `openid email profile`.  
+12. Save the settings and test the OAuth login.  
--- a/docs/docs/client-examples/grist.md
+++ b/docs/docs/client-examples/grist.md
@@ -0,0 +1,22 @@
+---
+id: grist
+---
+
+# Grist
+
+## Pocket ID Setup
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Grist`
+2. Set the callback url to: `https://<Grist Host>/oauth2/callback`
+3. In Grist (Docker/Docker Compose/etc), set these environment variables:
+
+```ini
+GRIST_OIDC_IDP_ISSUER="https://<Pocket ID Host>/.well-known/openid-configuration"
+GRIST_OIDC_IDP_CLIENT_ID="<Client ID from the OIDC Client created in Pocket ID>"
+GRIST_OIDC_IDP_CLIENT_SECRET="<Client Secret from the OIDC Client created in Pocket ID>"
+GRIST_OIDC_SP_HOST="https://<Grist Host>"
+GRIST_OIDC_IDP_SCOPES="openid email profile"  # Default
+GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true  # Default=false, needs to be true for Pocket Id b/c end_session_endpoint is not implemented
+GRIST_OIDC_IDP_END_SESSION_ENDPOINT="https://<Pocket ID Host>/api/webauthn/logout" # Only set this if GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=false and you need to define a custom endpoint
+```
+4. Also ensure that the `GRIST_DEFAULT_EMAIL` env variable is set to the same email address as your user profile within Pocket ID
+5. Start/Restart Grist
--- a/docs/docs/client-examples/headscale.md
+++ b/docs/docs/client-examples/headscale.md
@@ -0,0 +1,34 @@
+---
+id: headscale
+---
+# Headscale
+
+## Create OIDC Client in Pocket ID
+1. Create a new OIDC Client in Pocket ID (e.g., `Headscale`).
+2. Set the callback URL:  `https://<HEADSCALE-DOMAIN>/oidc/callback`
+3. Enable `PKCE`.
+4. Copy the **Client ID** and **Client Secret**.
+
+## Configure Headscale
+> Refer to the example [`config.yaml`](https://github.com/juanfont/headscale/blob/main/config-example.yaml) for full OIDC configuration options.
+
+Add the following to `config.yaml`:
+
+```yaml
+oidc:
+  issuer: "https://<POCKET-ID-DOMAIN>"
+  client_id: "<CLIENT-ID>"
+  client_secret: "<CLIENT-SECRET>"
+  pkce:
+    enabled: true
+    method: S256
+```
+
+### (Optional) Restrict Access to Certain Groups
+To allow only specific groups, add:
+
+```yaml
+  scope: ["openid", "profile", "email", "groups"]
+  allowed_groups:
+    - <POCKET-ID-GROUP-NAME> #example: headscale 
+```
--- a/docs/docs/client-examples/hoarder.md
+++ b/docs/docs/client-examples/hoarder.md
@@ -0,0 +1,25 @@
+---
+id: hoarder
+---
+
+# Hoarder
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Hoarder`
+2. Set the callback url to: `https://<your-hoarder-subdomain>.<your-domain>/api/auth/callback/custom`
+3. Open your `.env` file from your Hoarder compose and add these lines:
+
+```ini
+  OAUTH_WELLKNOWN_URL = https://<your-pocket-id-subdomain>.<your-domain>/.well-known/openid-configuration
+  OAUTH_CLIENT_SECRET = <client secret from the created OIDC client>
+  OAUTH_CLIENT_ID = <client id from the created OIDC client>
+  OAUTH_PROVIDER_NAME = Pocket-Id
+  NEXTAUTH_URL = https:///<your-hoarder-subdomain>.<your-domain>
+
+```
+
+4. Optional: If you like to disable password authentication and link your existing hoarder account with your pocket-id identity
+
+```ini
+  DISABLE_PASSWORD_AUTH	= true
+  OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = true
+```
--- a/docs/docs/client-examples/imgs/jellyfin_img.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img.png
--- a/docs/docs/client-examples/imgs/jellyfin_img2.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img2.png
--- a/docs/docs/client-examples/imgs/jellyfin_img3.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img3.png
--- a/docs/docs/client-examples/immich.md
+++ b/docs/docs/client-examples/immich.md
@@ -0,0 +1,26 @@
+---
+id: immich
+---
+# Immich
+
+## Create OIDC Client in Pocket ID
+1. Create a new OIDC Client in Pocket ID (e.g., `immich`).
+2. Set the callback URLs:  
+    ```
+    https://<IMMICH-DOMAIN>/auth/login
+    https://<IMMICH-DOMAIN>/user-settings
+    app.immich:///oauth-callback
+    ```
+4. Copy the **Client ID**, **Client Secret**, and **OIDC Discovery URL**.
+
+## Configure Immich
+1. Open Immich and navigate to:
+   **`Administration > Settings > Authentication Settings > OAuth`**
+2. Enable **Login with OAuth**.
+3. Fill in the required fields:
+   - **Issuer URL**: Paste the `Authorization URL` from Pocket ID.
+   - **Client ID**: Paste the `Client ID` from Pocket ID.
+   - **Client Secret**: Paste the `Client Secret` from Pocket ID.
+4. *(Optional)* Change `Button Text` to `Login with Pocket ID`.
+5. Save the settings.
+6. Test the OAuth login to ensure it works.
--- a/docs/docs/client-examples/jellyfin.md
+++ b/docs/docs/client-examples/jellyfin.md
@@ -1,15 +1,21 @@
-# Jellyfin SSO Integration Guide
+---
+id: jellyfin
+---
+
+# Jellyfin

 > Due to the current limitations of the Jellyfin SSO plugin, this integration will only work in a browser. When tested, the Jellyfin app did not work and displayed an error, even when custom menu buttons were created.

 > To view the original references and a full list of capabilities, please visit the [Jellyfin SSO OpenID Section](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#openid).

-### Requirements
+## Requirements
+
 - [Jellyfin Server](https://jellyfin.org/downloads/server)
 - [Jellyfin SSO Plugin](https://github.com/9p4/jellyfin-plugin-sso)
 - HTTPS connection to your Jellyfin server

-### OIDC - Pocket ID Setup
+## OIDC - Pocket ID Setup
+
 To start, we need to create a new SSO resource in our Jellyfin application.

 > Replace the `JELLYFINDOMAIN` and `PROVIDER` elements in the URL.
@@ -20,32 +26,34 @@ To start, we need to create a new SSO resource in our Jellyfin application.
 4. For this example, we’ll be using the provider named "test_resource."
 5. Click **Save**. Keep the page open, as we will need the OID client ID and OID secret.

-### OIDC Client - Jellyfin SSO Resource
+## OIDC Client - Jellyfin SSO Resource

 1. Visit the plugin page (<i>Administration Dashboard -> My Plugins -> SSO-Auth</i>).
 2. Enter the <i>OID Provider Name (we used "test_resource" as our name in the callback URL), Open ID, OID Secret, and mark it as enabled.</i>
 3. The following steps are optional based on your needs. In this guide, we’ll be managing only regular users, not admins.

-![img.png](imgs/jelly_fin_img.png)
+![img.png](imgs/jellyfin_img.png)

 > To manage user access through groups, follow steps **4, 5, and 6**. Otherwise, leave it blank and skip to step 7.

-![img2.png](imgs/jelly_fin_img2.png)
+![img2.png](imgs/jellyfin_img2.png)

 4. Under <i>Roles</i>, type the name of the group you want to use. **Note:** This must be the group name, not the label. Double-check in Pocket ID, as an incorrect name will lock users out.
 5. Skip every field until you reach the **Role Claim** field, and type `groups`.
   > This step is crucial if you want to manage users through groups.
 6. Repeat the above step under **Request Additional Scopes**. This will pull the group scope during the sign-in process; otherwise, the previous steps won’t work.

-![img3.png](imgs/jelly_fin_img3.png)
+![img3.png](imgs/jellyfin_img3.png)

 7. Skip the remaining fields until you reach **Scheme Override**. Enter `https` here. If omitted, it will attempt to use HTTP first, which will break as WebAuthn requires an HTTPS connection.
 8. Click **Save** and restart Jellyfin.

-### Optional Step - Custom Home Button
+## Optional Step - Custom Home Button
+
 Follow the [guide to create a login button on the login page](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#creating-a-login-button-on-the-main-page) to add a custom button on your sign-in page. This step is optional, as you could also provide the sign-in URL via a bookmark or other means.

-### Signing into Your Jellyfin Instance
+## Signing into Your Jellyfin Instance
+
 Done! You have successfully set up SSO for your Jellyfin instance using Pocket ID.

 > **Note:** Sometimes there may be a brief delay when using the custom menu option. This is related to the Jellyfin plugin and not Pocket ID.
--- a/docs/docs/client-examples/memos.md
+++ b/docs/docs/client-examples/memos.md
@@ -0,0 +1,28 @@
+---
+id: memos
+---
+
+# Memos
+
+## Pocket ID Setup
+
+1. In Pocket ID, create a new OIDC client named `Memos` (or any name you prefer).  
+2. (Optional) Set a logo for the OIDC client.  
+3. Set the callback URL to: `https://< Memos Host >/auth/callback`  
+4. Copy the `Client ID`, `Client Secret`, `Authorization endpoint`, `Token endpoint`, and `User endpoint` for the next steps.  
+
+## Gitea Setup
+
+1. Log in to Memos as an admin.
+2. Go to **Settings → SSO → Create**.  
+3. Set **Template** to `Custom`.   
+4. Enter the `Client ID` into the **Client ID** field.  
+5. Enter the `Client Secret` into the **Client secret** field.  
+6. Enter the `Authorization URL` into the **Authorization endpoint** field.
+7. Enter the `Token URL` into the **Token endpoint** field.
+8. Enter the `Userinfo URL` into the **User endpoint** field.
+11. Set **Scopes** to `openid email profile`.
+12. Set **Identifier** to `preferred_username`
+13. Set **Display Name** to `profile`.
+14. Set **Email** to `email`.
+15. Save the settings and test the OAuth login.  
--- a/docs/docs/client-examples/netbox.md
+++ b/docs/docs/client-examples/netbox.md
@@ -0,0 +1,46 @@
+---
+id: netbox
+---
+
+# Netbox
+
+**This guide does not currently show how to map groups in netbox from OIDC claims**
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- netbox.example.com (The url of your netbox instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Netbox`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://netbox.example.com/oauth/complete/oidc/`.
+4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
+
+## Netbox Setup
+
+This guide assumes you are using the git based install of netbox.
+
+1. On your netbox server navigate to `/opt/netbox/netbox/netbox`
+2. Add the following to your `configuration.py` file:
+
+```python
+# Remote authentication support
+REMOTE_AUTH_ENABLED = True
+REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
+REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
+REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+SOCIAL_AUTH_OIDC_ENDPOINT = 'https://id.example.com'
+SOCIAL_AUTH_OIDC_KEY = '<client id from the first part of this guide>'
+SOCIAL_AUTH_OIDC_SECRET = '<client id from the first part of this guide>'
+LOGOUT_REDIRECT_URL = 'https://netbox.example.com'
+```
+
+3. Save the file and restart netbox: `sudo systemctl start netbox netbox-rq`
--- a/docs/docs/client-examples/open-webui.md
+++ b/docs/docs/client-examples/open-webui.md
@@ -0,0 +1,17 @@
+---
+id: open-webui
+---
+
+# Open WebUI
+
+1. In Pocket-ID, create a new OIDC Client, name it i.e. `Open WebUI`.
+2. Set the callback URL to: `https://openwebui.domain/oauth/oidc/callback`
+3. Add the following to your docker `.env` file for Open WebUI:
+
+```ini
+  ENABLE_OAUTH_SIGNUP=true
+  OAUTH_CLIENT_ID=<client id from pocket ID>
+  OAUTH_CLIENT_SECRET=<client secret from pocket ID>
+  OAUTH_PROVIDER_NAME=Pocket ID
+  OPENID_PROVIDER_URL=https://<your pocket id url>/.well-known/openid-configuration
+```
--- a/docs/docs/client-examples/pgadmin.md
+++ b/docs/docs/client-examples/pgadmin.md
@@ -0,0 +1,42 @@
+---
+id: pgadmin
+---
+
+# pgAdmin
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- pgadmin.example.com (The url of your pgAdmin instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `pgAdmin`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://pgadmin.example.com/oauth2/authorize`.
+4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, `Token URL`, and `OIDC Discovery URL` for use in the next steps.
+
+# pgAdmin Setup
+
+1. Add the following to the `config_local.py` file for pgAdmin:
+
+**Make sure to replace https://id.example.com with your actual Pocket ID URL**
+
+```python
+AUTHENTICATION_SOURCES = ['oauth2', 'internal'] # This keeps internal authentication enabled as well as oauth2
+OAUTH2_AUTO_CREATE_USER = True
+OAUTH2_CONFIG = [{
+        'OAUTH2_NAME' : 'pocketid',
+        'OAUTH2_DISPLAY_NAME' : 'Pocket ID',
+        'OAUTH2_CLIENT_ID' : '<client id from the earlier step>',
+        'OAUTH2_CLIENT_SECRET' : '<client secret from the earlier step>',
+        'OAUTH2_TOKEN_URL' : 'https://id.example.com/api/oidc/token',
+        'OAUTH2_AUTHORIZATION_URL' : 'https://id.example/authorize',
+        'OAUTH2_API_BASE_URL' : 'https://id.example.com',
+        'OAUTH2_USERINFO_ENDPOINT' : 'https://id.example.com/api/oidc/userinfo',
+        'OAUTH2_SERVER_METADATA_URL' : 'https://id.example.com/.well-known/openid-configuration',
+        'OAUTH2_SCOPE' : 'openid email profile',
+        'OAUTH2_ICON' : 'fa-openid',
+        'OAUTH2_BUTTON_COLOR' : '#fd4b2d' # Can select any color you would like here.
+}]
+```
--- a/docs/docs/client-examples/portainer.md
+++ b/docs/docs/client-examples/portainer.md
@@ -0,0 +1,38 @@
+---
+id: portainer
+---
+
+# Portainer
+
+**This requires Portainers Business Edition**
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- portainer.example.com (The url of your Portainer instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Portainer`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://portainer.example.com/`.
+4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, and `Token URL` for use in the next steps.
+
+# Portainer Setup
+
+- While initally setting up OAuth in Portainer, its recommended to keep the `Hide internal authentication prompt` set to `Off` incase you need a fallback login
+- This guide does **NOT** cover how to setup group claims in Portainer.
+
+1. Open the Portainer web interface and navigate to: `Settings > Authentication`
+2. Select `Custom OAuth Provider`
+3. Paste the `Client ID` from Pocket ID into the `Client ID` field in Portainer.
+4. Paste the `Client Secret` from Pocket ID into the `Client Secret` field in Portainer.
+5. Paste the `Authorization URL` from Pocket ID into the `Authorization URL` field in Portainer.
+6. Paste the `Token URL` from Pocket ID into the `Access token URL` field in Portainer.
+7. Paste the `Userinfo URL` from Pocket ID into the `Resource URL` field in Portainer.
+8. Set the `Redirect URL` to `https://portainer.example.com`
+9. Set the `Logout URL` to `https://portainer.example.com`
+10. Set the `User identifier` field to `preferred_username`. (This will use the users username vs the email)
+11. Set the `Scopes` field to: `email openid profile`
+12. Set `Auth Style` to `Auto detect`
+13. Save the settings and test the new OAuth Login.
--- a/docs/docs/client-examples/proxmox.md
+++ b/docs/docs/client-examples/proxmox.md
@@ -0,0 +1,30 @@
+---
+id: proxmox
+---
+
+# Proxmox
+
+The following example variables are used, and should be replaced with your actual URLs.
+
+- `proxmox.example.com` (The URL of your Proxmox instance.)
+- `id.example.com` (The URL of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket ID create a new OIDC Client, name it, for example, `Proxmox`.
+2. Set a logo for this OIDC Client if you would like to.
+3. Set the callback URL to: `https://proxmox.example.com`.
+4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
+
+## Proxmox Setup
+
+1. Open the Proxmox console and navigate to: `Datacenter` -> `Permissions` -> `Realms`.
+2. Add a new `OpenID Connect Server` Realm.
+3. Enter `https://id.example.com` for the `Issuer URL`.
+4. Enter a name for the realm of your choice, for example, `PocketID`.
+5. Paste the `Client ID` from Pocket ID into the `Client ID` field in Proxmox.
+6. Paste the `Client Secret` from Pocket ID into the `Client Key` field in Proxmox.
+7. You can check the `Default` box if you want this to be the default realm Proxmox uses when signing in.
+8. Check the `Autocreate Users` checkbox. (This will automatically create users in Proxmox if they don't exist).
+9. Select `username` for the `Username Claim` dropdown. (This is a personal preference and controls how the username is shown, for example: `username = username@PocketID` or `email = username@example@PocketID`).
+10. Leave the rest as defaults and click `OK` to save the new realm.
--- a/docs/docs/client-examples/semaphore-ui.md
+++ b/docs/docs/client-examples/semaphore-ui.md
@@ -0,0 +1,28 @@
+---
+id: semaphore-ui
+---
+
+# Semaphore UI
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Semaphore UI`.
+2. Set the callback URL to: `https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/`.
+3. Add the following to your `config.json` file for Semaphore UI:
+
+```json
+"oidc_providers": {
+    "pocketid": {
+        "display_name": "Sign in with PocketID",
+        "provider_url": "https://<your-pocket-id-url>",
+        "client_id": "<client-id-from-pocket-id>",
+        "client_secret": "<client-secret-from-pocket-id>",
+        "redirect_url": "https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/",
+        "scopes": [
+            "openid",
+            "profile",
+            "email"
+        ],
+        "username_claim": "email",
+        "name_claim": "given_name"
+    }
+}
+```
--- a/docs/docs/client-examples/vikunja.md
+++ b/docs/docs/client-examples/vikunja.md
@@ -0,0 +1,22 @@
+---
+id: vikunja
+---
+
+# Vikunja
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Vikunja`
+2. Set the callback url to: `https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid`
+3. In `Vikunja` ensure to map a config file to your container, see [here](https://vikunja.io/docs/config-options/#using-a-config-file-with-docker-compose)
+4. Add or set the following content to the `config.yml` file:
+
+```yml
+auth:
+  openid:
+    enabled: true
+    redirecturl: https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid
+    providers:
+      - name: Pocket-Id
+        authurl: https://<your-pocket-id-subdomain>.<your-domain>
+        clientid: <client id from the created OIDC client>
+        clientsecret: <client secret from the created OIDC client>
+```
--- a/docs/docs/configuration/environment-variables.md
+++ b/docs/docs/configuration/environment-variables.md
@@ -0,0 +1,25 @@
+---
+id: environment-variables
+---
+
+# Environment Variables
+
+Below are all the environment variables supported by Pocket ID. These should be configured in your `.env ` file. 
+
+Be cautious when modifying environment variables that are not recommended to change.
+
+| Variable                     | Default Value             | Recommended to change | Description                                                                                                                                                                                                                                                                                                                                                               |
+| ---------------------------- | ------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `PUBLIC_APP_URL`             | `http://localhost`        | yes                   | The URL where you will access the app.                                                                                                                                                                                                                                                                                                                                    |
+| `TRUST_PROXY`                | `false`                   | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                                                                                                                                                                                                                |
+| `MAXMIND_LICENSE_KEY`        | `-`                       | yes                   | License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).                                                                |
+| `PUID` and `PGID`            | `1000`                    | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
+| `DB_PROVIDER`                | `sqlite`                  | no                    | The database provider you want to use. Currently `sqlite` and `postgres` are supported.                                                                                                                                                                                                                                                                                   |
+| `SQLITE_DB_PATH`             | `data/pocket-id.db`       | no                    | The path to the SQLite database. This gets ignored if you didn't set `DB_PROVIDER` to `sqlite`.                                                                                                                                                                                                                                                                           |
+| `POSTGRES_CONNECTION_STRING` | `-`                       | no                    | The connection string to your Postgres database. This gets ignored if you didn't set `DB_PROVIDER` to `postgres`. A connection string can look like this: `postgresql://user:password@host:5432/pocket-id`.                                                                                                                                                               |
+| `UPLOAD_PATH`                | `data/uploads`            | no                    | The path where the uploaded files are stored.                                                                                                                                                                                                                                                                                                                             |
+| `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
+| `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
+| `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
+| `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
+| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                            |
--- a/docs/docs/configuration/ldap.md
+++ b/docs/docs/configuration/ldap.md
@@ -0,0 +1,40 @@
+---
+id: ldap
+---
+
+# LDAP Synchronization
+
+Pocket ID can sync users and groups from an LDAP Source (lldap, OpenLDAP, Active Directory, etc.).
+
+### LDAP Sync
+
+- The LDAP Service will sync on Pocket ID startup and every hour once enabled from the Web UI.
+- Users or groups synced from LDAP can **NOT** be edited from the Pocket ID Web UI.
+
+### Generic LDAP Setup
+
+1. Follow the installation guide [here](/setup/installation).
+2. Once you have signed in with the initial admin account, navigate to the Application Configuration section at `https://pocket.id/settings/admin/application-configuration`.
+3. Client Configuration Setup
+
+| LDAP Variable      | Example Value                      | Description                                                   |
+| ------------------ | ---------------------------------- | ------------------------------------------------------------- |
+| LDAP URL           | ldaps://ldap.mydomain.com:636      | The URL with port to connect to LDAP                          |
+| LDAP Bind DN       | cn=admin,ou=users,dc=domain,dc=com | The full DN value for the user with search privileges in LDAP |
+| LDAP Bind Password | securepassword                     | The password for the Bind DN account                          |
+| LDAP Search Base   | dc=domain,dc=com                   | The top-level path to search for users and groups             |
+
+<br />
+
+4. LDAP Attribute Configuration Setup
+
+| LDAP Variable                     | Example Value      | Description                                                                      |
+| --------------------------------- | ------------------ | -------------------------------------------------------------------------------- |
+| User Unique Identifier Attribute  | uuid               | The LDAP attribute to uniquely identify the user, **this should never change**   |
+| Username Attribute                | uid                | The LDAP attribute to use as the username of users                               |
+| User Mail Attribute               | mail               | The LDAP attribute to use for the email of users                                 |
+| User First Name Attribute         | givenName          | The LDAP attribute to use for the first name of users                            |
+| User Last Name Attribute          | sn                 | The LDAP attribute to use for the last name of users                             |
+| Group Unique Identifier Attribute | uuid               | The LDAP attribute to uniquely identify the groups, **this should never change** |
+| Group Name Attribute              | uid                | The LDAP attribute to use as the name of synced groups                           |
+| Admin Group Name                  | \_pocket_id_admins | The group name to use for admin permissions for LDAP users                       |
--- a/docs/docs/guides/proxy-services.md
+++ b/docs/docs/guides/proxy-services.md
@@ -1,4 +1,8 @@
-# Proxy Services through Pocket ID
+---
+id: proxy-services
+---
+
+# Proxy Services

 The goal of Pocket ID is to function exclusively as an OIDC provider. As such, we don't have a built-in proxy provider. However, you can use other tools that act as a middleware to protect your services and support OIDC as an authentication provider.

@@ -33,13 +37,14 @@ caddy add-package github.com/greenpau/caddy-security

 ```bash
 {
-  # Port to listen on
+  	# Port to listen on
 	http_port 443

-  # Configure caddy-security.
+  	# Configure caddy-security.
 	order authenticate before respond
 	security {
 		oauth identity provider generic {
+			delay_start 3
 			realm generic
 			driver generic
 			client_id client-id-from-pocket-id # Replace with your own client ID
--- a/docs/docs/introduction.md
+++ b/docs/docs/introduction.md
@@ -0,0 +1,24 @@
+---
+id: introduction
+---
+
+# Introduction
+
+Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
+
+The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
+
+Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.
+
+**_Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue_** [here](https://github.com/stonith404/pocket-id/issues/new?template=bug.yml).
+
+## Get to know Pocket ID
+
+→ [Try the Demo of Pocket ID](https://demo.pocket-id.org)
+
+<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="700"/>
+
+## Useful Links
+- [Installation](/setup/installation)
+- [Proxy Services](/guides/proxy-services)
+- [Client Examples](/client-examples)
--- a/docs/docs/setup/installation.md
+++ b/docs/docs/setup/installation.md
@@ -0,0 +1,85 @@
+---
+id: installation
+---
+
+# Installation
+
+# Before you start
+
+Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
+
+### Installation with Docker (recommended)
+
+1. Download the `docker-compose.yml` and `.env` file:
+
+   ```bash
+    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
+
+    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
+   ```
+
+2. Edit the `.env` file so that it fits your needs. See the [environment variables](/configuration/environment-variables) section for more information.
+3. Run `docker compose up -d`
+
+You can now sign in with the admin account on `http://localhost/login/setup`.
+
+### Proxmox
+
+Run the [helper script](https://community-scripts.github.io/ProxmoxVE/scripts?id=pocketid) as root in your Proxmox shell. 
+
+**Configuration Paths**
+- /opt/pocket-id/backend/.env
+- /opt/pocket-id/frontend/.env
+
+```bash
+bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)"
+```
+
+### Unraid
+
+Pocket ID is available as a template on the Community Apps store.
+
+### Stand-alone Installation
+
+Required tools:
+
+- [Node.js](https://nodejs.org/en/download/) >= 22
+- [Go](https://golang.org/doc/install) >= 1.23
+- [Git](https://git-scm.com/downloads)
+- [PM2](https://pm2.keymetrics.io/)
+- [Caddy](https://caddyserver.com/docs/install) (optional)
+
+1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
+
+   ```bash
+   cp frontend/.env.example frontend/.env
+   cp backend/.env.example backend/.env
+   ```
+
+2. Run the following commands:
+
+   ```bash
+   git clone https://github.com/stonith404/pocket-id
+   cd pocket-id
+
+   # Checkout the latest version
+   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
+
+   # Start the backend
+   cd backend/cmd
+   go build -o ../pocket-id-backend
+   cd ..
+   pm2 start pocket-id-backend --name pocket-id-backend
+
+   # Start the frontend
+   cd ../frontend
+   npm install
+   npm run build
+   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
+
+   # Optional: Start Caddy (You can use any other reverse proxy)
+   cd ..
+   pm2 start --name pocket-id-caddy caddy -- run --config reverse-proxy/Caddyfile
+   ```
+
+You can now sign in with the admin account on `http://localhost/login/setup`.
--- a/docs/docs/setup/nginx-reverse-proxy.md
+++ b/docs/docs/setup/nginx-reverse-proxy.md
@@ -0,0 +1,13 @@
+---
+id: nginx-reverse-proxy
+---
+
+# Nginx Reverse Proxy
+
+To use Nginx as a reverse proxy for Pocket ID, update the configuration to increase the header buffer size. This adjustment is necessary because SvelteKit generates larger headers, which may exceed the default buffer limits.
+
+```nginx
+proxy_busy_buffers_size   512k;
+proxy_buffers   4 512k;
+proxy_buffer_size   256k;
+```
--- a/docs/docs/setup/upgrading.md
+++ b/docs/docs/setup/upgrading.md
@@ -0,0 +1,45 @@
+---
+id: upgrading
+---
+
+# Upgrading
+
+Updating to a New Version
+
+#### Docker
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+#### Stand-alone
+
+1. Stop the running services:
+   ```bash
+   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
+   ```
+2. Run the following commands:
+
+   ```bash
+   cd pocket-id
+
+   # Checkout the latest version
+   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
+
+   # Start the backend
+   cd backend/cmd
+   go build -o ../pocket-id-backend
+   cd ..
+   pm2 start pocket-id-backend --name pocket-id-backend
+
+   # Start the frontend
+   cd ../frontend
+   npm install
+   npm run build
+   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
+
+   # Optional: Start Caddy (You can use any other reverse proxy)
+   cd ..
+   pm2 start caddy --name pocket-id-caddy -- run --config reverse-proxy/Caddyfile
+   ```
--- a/docs/docs/troubleshooting/account-recovery.md
+++ b/docs/docs/troubleshooting/account-recovery.md
@@ -0,0 +1,13 @@
+---
+id: account-recovery
+---
+
+# Account recovery
+
+There are two ways to create a one-time access link for a user:
+
+1. **UI**: An admin can create a one-time access link for the user in the admin panel under the "Users" tab by clicking on the three dots next to the user's name and selecting "One-time link".
+2. **Terminal**: You can create a one-time access link for a user by running the `scripts/create-one-time-access-token.sh` script. To execute this script with Docker you have to run the following command:
+   ```bash
+   docker compose exec pocket-id sh "sh scripts/create-one-time-access-token.sh <username or email>"
+   ```
--- a/docs/docusaurus.config.ts
+++ b/docs/docusaurus.config.ts
@@ -0,0 +1,71 @@
+import type * as Preset from "@docusaurus/preset-classic";
+import type { Config } from "@docusaurus/types";
+import { themes as prismThemes } from "prism-react-renderer";
+
+const config: Config = {
+  title: "Pocket ID",
+  tagline:
+    "Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.",
+  favicon: "img/pocket-id.png",
+
+  url: "https://docs.pocket-id.org",
+  baseUrl: "/",
+  organizationName: "stonith404",
+  projectName: "pocket-id",
+
+  onBrokenLinks: "warn",
+  onBrokenMarkdownLinks: "warn",
+
+  i18n: {
+    defaultLocale: "en",
+    locales: ["en"],
+  },
+
+  presets: [
+    [
+      "classic",
+      {
+        docs: {
+          routeBasePath: "/",
+          sidebarPath: "./sidebars.ts",
+          editUrl: "https://github.com/stonith404/pocket-id/edit/main/docs",
+        },
+        blog: false,
+      } satisfies Preset.Options,
+    ],
+  ],
+
+  themeConfig: {
+    image: "img/pocket-id.png",
+    colorMode: {
+      respectPrefersColorScheme: true,
+    },
+    navbar: {
+      title: "Pocket ID",
+      logo: {
+        alt: "Pocket ID Share Logo",
+        src: "img/pocket-id.png",
+      },
+      items: [
+        // Version gets replaced by the version-label.ts script
+        {
+          to: "#version",
+          label: " ",
+          position: "right",
+        },
+        {
+          href: "https://github.com/stonith404/pocket-id",
+          label: "GitHub",
+          position: "right",
+        },
+      ],
+    },
+    prism: {
+      theme: prismThemes.github,
+      darkTheme: prismThemes.dracula,
+    },
+  } satisfies Preset.ThemeConfig,
+
+  clientModules: [require.resolve("./src/version-label.ts")],
+};
+export default config;
--- a/docs/imgs/jelly_fin_img.png
+++ b/docs/imgs/jelly_fin_img.png
--- a/docs/imgs/jelly_fin_img2.png
+++ b/docs/imgs/jelly_fin_img2.png
--- a/docs/imgs/jelly_fin_img3.png
+++ b/docs/imgs/jelly_fin_img3.png
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
--- a/docs/package.json
+++ b/docs/package.json
@@ -0,0 +1,47 @@
+{
+  "name": "pocket-id-docs",
+  "version": "0.0.0",
+  "private": true,
+  "scripts": {
+    "docusaurus": "docusaurus",
+    "start": "docusaurus start",
+    "build": "docusaurus build",
+    "swizzle": "docusaurus swizzle",
+    "deploy": "GIT_USER=stonith404 docusaurus deploy",
+    "clear": "docusaurus clear",
+    "serve": "docusaurus serve",
+    "write-translations": "docusaurus write-translations",
+    "write-heading-ids": "docusaurus write-heading-ids",
+    "typecheck": "tsc"
+  },
+  "dependencies": {
+    "@docusaurus/core": "3.7.0",
+    "@docusaurus/preset-classic": "3.7.0",
+    "@mdx-js/react": "^3.0.0",
+    "clsx": "^2.0.0",
+    "prism-react-renderer": "^2.3.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
+  },
+  "devDependencies": {
+    "@docusaurus/module-type-aliases": "3.7.0",
+    "@docusaurus/tsconfig": "3.7.0",
+    "@docusaurus/types": "3.7.0",
+    "typescript": "~5.6.2"
+  },
+  "browserslist": {
+    "production": [
+      ">0.5%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 3 chrome version",
+      "last 3 firefox version",
+      "last 5 safari version"
+    ]
+  },
+  "engines": {
+    "node": ">=18.0"
+  }
+}
--- a/docs/sidebars.ts
+++ b/docs/sidebars.ts
@@ -0,0 +1,109 @@
+import type { SidebarsConfig } from "@docusaurus/plugin-content-docs";
+
+const sidebars: SidebarsConfig = {
+  docsSidebar: [
+    {
+      type: "doc",
+      id: "introduction",
+    },
+    {
+      type: "category",
+      label: "Getting Started",
+      items: [
+        {
+          type: "doc",
+          id: "setup/installation",
+        },
+        {
+          type: "doc",
+          id: "setup/nginx-reverse-proxy",
+        },
+        {
+          type: "doc",
+          id: "setup/upgrading",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Configuration",
+      items: [
+        {
+          type: "doc",
+          id: "configuration/environment-variables",
+        },
+        {
+          type: "doc",
+          id: "configuration/ldap",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Guides",
+      items: [
+        {
+          type: "doc",
+          id: "guides/proxy-services",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Client Examples",
+      link: {
+        type: "generated-index",
+        title: "Client Examples",
+        description:
+          "Examples of how to setup Pocket ID with different clients",
+        slug: "client-examples",
+      },
+      items: [
+        "client-examples/cloudflare-zero-trust",
+        "client-examples/freshrss",
+        "client-examples/grist",
+        "client-examples/headscale",
+        "client-examples/hoarder",
+        "client-examples/immich",
+        "client-examples/jellyfin",
+        "client-examples/netbox",
+        "client-examples/open-webui",
+        "client-examples/pgadmin",
+        "client-examples/portainer",
+        "client-examples/proxmox",
+        "client-examples/semaphore-ui",
+        "client-examples/vikunja",
+        "client-examples/gitea",
+        "client-examples/memos",
+      ],
+    },
+    {
+      type: "category",
+      label: "Troubleshooting",
+      items: [
+        {
+          type: "doc",
+          id: "troubleshooting/account-recovery",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Helping Out",
+      items: [
+        {
+          type: "link",
+          label: "Contributing",
+          href: "https://github.com/stonith404/pocket-id/blob/main/CONTRIBUTING.md",
+        },
+      ],
+    },
+    {
+      type: "link",
+      label: "Demo",
+      href: "https://demo.pocket-id.org",
+    },
+  ],
+};
+
+export default sidebars;
--- a/docs/src/pages/index.tsx
+++ b/docs/src/pages/index.tsx
@@ -0,0 +1,5 @@
+import { Redirect } from "react-router-dom";
+
+export default function Home() {
+  return <Redirect to="/introduction" />;
+}
--- a/docs/src/version-label.ts
+++ b/docs/src/version-label.ts
@@ -0,0 +1,23 @@
+import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
+
+if (ExecutionEnvironment.canUseDOM) {
+  function readVersionFile() {
+    return fetch(
+      "https://raw.githubusercontent.com/stonith404/pocket-id/refs/heads/main/.version"
+    )
+      .then((response) => response.text())
+      .catch((error) => `Error reading version file: ${error}`);
+  }
+
+  function getVersion() {
+    readVersionFile()
+      .then((version) => {
+        const versionLabels = document.querySelectorAll('[href="#version"]');
+        versionLabels.forEach((label) => {
+          (label as HTMLElement).innerText = `v${version}`;
+        });
+      })
+      .catch((error) => console.error("Error fetching version:", error));
+  }
+  window.addEventListener("load", getVersion);
+}
--- a/docs/static/.nojekyll
+++ b/docs/static/.nojekyll
--- a/docs/static/CNAME
+++ b/docs/static/CNAME
@@ -0,0 +1 @@
+docs.pocket-id.org
--- a/docs/static/img/pocket-id.png
+++ b/docs/static/img/pocket-id.png
--- a/docs/tsconfig.json
+++ b/docs/tsconfig.json
@@ -0,0 +1,8 @@
+{
+  // This file is not used in compilation. It is here just for a nice editor experience.
+  "extends": "@docusaurus/tsconfig",
+  "compilerOptions": {
+    "baseUrl": "."
+  },
+  "exclude": [".docusaurus", "build"]
+}
--- a/frontend/.env.example
+++ b/frontend/.env.example
@@ -1,2 +1,3 @@
 PUBLIC_APP_URL=http://localhost
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
 INTERNAL_BACKEND_URL=http://localhost:8080
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,7 +1,8 @@
 {
  "name": "pocket-id-frontend",
-  "version": "0.25.0",
+  "version": "0.28.0",
  "private": true,
+  "type": "module",
  "scripts": {
    "dev": "vite dev --port 3000",
    "build": "vite build",
@@ -11,48 +12,44 @@
    "lint": "prettier --check . && eslint .",
    "format": "prettier --write ."
  },
-  "devDependencies": {
-    "@playwright/test": "^1.48.1",
-    "@sveltejs/adapter-auto": "^3.3.0",
-    "@sveltejs/adapter-node": "^5.2.8",
-    "@sveltejs/kit": "^2.7.2",
-    "@sveltejs/vite-plugin-svelte": "^4.0.0",
-    "@types/eslint": "^9.6.1",
-    "@types/jsonwebtoken": "^9.0.7",
-    "@types/node": "^22.7.9",
-    "autoprefixer": "^10.4.20",
-    "cbor-js": "^0.1.0",
-    "eslint": "^9.13.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-svelte": "^2.46.0",
-    "globals": "^15.11.0",
-    "postcss": "^8.4.47",
-    "prettier": "^3.3.3",
-    "prettier-plugin-svelte": "^3.2.7",
-    "prettier-plugin-tailwindcss": "^0.6.8",
-    "svelte": "^5.0.5",
-    "svelte-check": "^4.0.5",
-    "tailwindcss": "^3.4.14",
-    "tslib": "^2.8.0",
-    "typescript": "^5.6.3",
-    "typescript-eslint": "^8.11.0",
-    "vite": "^5.4.10"
-  },
-  "type": "module",
  "dependencies": {
-    "@simplewebauthn/browser": "^10.0.0",
-    "axios": "^1.7.7",
-    "bits-ui": "^0.21.16",
+    "@simplewebauthn/browser": "^13.1.0",
+    "@tailwindcss/vite": "^4.0.0",
+    "axios": "^1.7.9",
+    "bits-ui": "^0.22.0",
    "clsx": "^2.1.1",
    "crypto": "^1.0.1",
    "formsnap": "^1.0.1",
-    "jsonwebtoken": "^9.0.2",
-    "lucide-svelte": "^0.453.0",
-    "mode-watcher": "^0.4.1",
+    "jose": "^5.9.6",
+    "lucide-svelte": "^0.474.0",
+    "mode-watcher": "^0.5.1",
    "svelte-sonner": "^0.3.28",
-    "sveltekit-superforms": "^2.20.0",
-    "tailwind-merge": "^2.5.4",
-    "tailwind-variants": "^0.2.1",
-    "zod": "^3.23.8"
+    "sveltekit-superforms": "^2.23.1",
+    "tailwind-merge": "^2.6.0",
+    "tailwind-variants": "^0.3.1",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.50.0",
+    "@sveltejs/adapter-auto": "^4.0.0",
+    "@sveltejs/adapter-node": "^5.2.12",
+    "@sveltejs/kit": "^2.16.1",
+    "@sveltejs/vite-plugin-svelte": "^5.0.3",
+    "@types/eslint": "^9.6.1",
+    "@types/node": "^22.10.10",
+    "eslint": "^9.19.0",
+    "eslint-config-prettier": "^10.0.1",
+    "eslint-plugin-svelte": "^2.46.1",
+    "globals": "^15.14.0",
+    "prettier": "^3.4.2",
+    "prettier-plugin-svelte": "^3.3.3",
+    "prettier-plugin-tailwindcss": "^0.6.11",
+    "svelte": "^5.19.3",
+    "svelte-check": "^4.1.4",
+    "tailwindcss": "^4.0.0",
+    "tslib": "^2.8.1",
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.21.0",
+    "vite": "^6.0.11"
  }
 }
--- a/frontend/postcss.config.js
+++ b/frontend/postcss.config.js
@@ -1,6 +0,0 @@
-export default {
-	plugins: {
-		tailwindcss: {},
-		autoprefixer: {}
-	}
-};
--- a/frontend/src/app.css
+++ b/frontend/src/app.css
@@ -1,6 +1,6 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
+@import "tailwindcss";
+
+@config '../tailwind.config.ts';

@layer base {
 	:root {
@@ -77,6 +77,10 @@
 		@apply bg-background text-foreground;
 	}

+	button{
+		@apply cursor-pointer;
+	}
+
 	@font-face {
 		font-family: 'Playfair Display';
 		font-weight: 400;
--- a/frontend/src/hooks.server.ts
+++ b/frontend/src/hooks.server.ts
@@ -1,7 +1,8 @@
 import { env } from '$env/dynamic/private';
+import { ACCESS_TOKEN_COOKIE_NAME } from '$lib/constants';
 import type { Handle, HandleServerError } from '@sveltejs/kit';
 import { AxiosError } from 'axios';
-import jwt from 'jsonwebtoken';
+import { decodeJwt } from 'jose';

 // Workaround so that we can also import this environment variable into client-side code
 // If we would directly import $env/dynamic/private into the api-service.ts file, it would throw an error
@@ -9,18 +10,7 @@ import jwt from 'jsonwebtoken';
 process.env.INTERNAL_BACKEND_URL = env.INTERNAL_BACKEND_URL ?? 'http://localhost:8080';

 export const handle: Handle = async ({ event, resolve }) => {
-	const accessToken = event.cookies.get('access_token');
-
-	let isSignedIn: boolean = false;
-	let isAdmin: boolean = false;
-
-	if (accessToken) {
-		const jwtPayload = jwt.decode(accessToken, { json: true });
-		if (jwtPayload?.exp && jwtPayload.exp * 1000 > Date.now()) {
-			isSignedIn = true;
-			isAdmin = jwtPayload?.isAdmin || false;
-		}
-	}
+	const { isSignedIn, isAdmin } = verifyJwt(event.cookies.get(ACCESS_TOKEN_COOKIE_NAME));

 	if (event.url.pathname.startsWith('/settings') && !event.url.pathname.startsWith('/login')) {
 		if (!isSignedIn) {
@@ -65,3 +55,18 @@ export const handleError: HandleServerError = async ({ error, message, status })
 		status
 	};
 };
+
+function verifyJwt(accessToken: string | undefined) {
+	let isSignedIn = false;
+	let isAdmin = false;
+
+	if (accessToken) {
+		const jwtPayload = decodeJwt<{ isAdmin: boolean }>(accessToken);
+		if (jwtPayload?.exp && jwtPayload.exp * 1000 > Date.now()) {
+			isSignedIn = true;
+			isAdmin = jwtPayload?.isAdmin || false;
+		}
+	}
+
+	return { isSignedIn, isAdmin };
+}
--- a/frontend/src/lib/components/collapsible-card.svelte
+++ b/frontend/src/lib/components/collapsible-card.svelte
@@ -0,0 +1,75 @@
+<script lang="ts">
+	import { cn } from '$lib/utils/style';
+	import { LucideChevronDown } from 'lucide-svelte';
+	import { onMount, type Snippet } from 'svelte';
+	import { slide } from 'svelte/transition';
+	import { Button } from './ui/button';
+	import * as Card from './ui/card';
+
+	let {
+		id,
+		title,
+		description,
+		defaultExpanded = false,
+		children
+	}: {
+		id: string;
+		title: string;
+		description?: string;
+		defaultExpanded?: boolean;
+		children: Snippet;
+	} = $props();
+
+	let expanded = $state(defaultExpanded);
+
+	function loadExpandedState() {
+		const state = JSON.parse(localStorage.getItem('collapsible-cards-expanded') || '{}');
+		expanded = state[id] || false;
+	}
+
+	function saveExpandedState() {
+		const state = JSON.parse(localStorage.getItem('collapsible-cards-expanded') || '{}');
+		state[id] = expanded;
+		localStorage.setItem('collapsible-cards-expanded', JSON.stringify(state));
+	}
+
+	function toggleExpanded() {
+		expanded = !expanded;
+		saveExpandedState();
+	}
+
+	onMount(() => {
+		if (defaultExpanded) {
+			saveExpandedState();
+		}
+		loadExpandedState();
+	});
+</script>
+
+<Card.Root>
+	<Card.Header class="cursor-pointer" onclick={toggleExpanded}>
+		<div class="flex items-center justify-between">
+			<div>
+				<Card.Title>{title}</Card.Title>
+				{#if description}
+					<Card.Description>{description}</Card.Description>
+				{/if}
+			</div>
+			<Button class="ml-10 h-8 p-3" variant="ghost" aria-label="Expand card">
+				<LucideChevronDown
+					class={cn(
+						'h-5 w-5 transition-transform duration-200',
+						expanded && 'rotate-180 transform'
+					)}
+				/>
+			</Button>
+		</div>
+	</Card.Header>
+	{#if expanded}
+		<div transition:slide={{ duration: 200 }}>
+			<Card.Content>
+				{@render children()}
+			</Card.Content>
+		</div>
+	{/if}
+</Card.Root>
--- a/frontend/src/lib/components/ui/card/card-description.svelte
+++ b/frontend/src/lib/components/ui/card/card-description.svelte
@@ -8,6 +8,6 @@
 	export { className as class };
 </script>

-<p class={cn('text-sm text-muted-foreground', className)} {...$$restProps}>
+<p class={cn('text-sm text-muted-foreground mt-1', className)} {...$$restProps}>
 	<slot />
 </p>
--- a/frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte
+++ b/frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-item.svelte
@@ -14,7 +14,7 @@

 <DropdownMenuPrimitive.Item
 	class={cn(
-		'relative flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[highlighted]:bg-accent data-[highlighted]:text-accent-foreground data-[disabled]:opacity-50',
+		'relative flex select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[disabled]:pointer-events-none data-[highlighted]:bg-accent data-[highlighted]:text-accent-foreground data-[disabled]:opacity-50',
 		inset && 'pl-8',
 		className
 	)}
--- a/frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte
+++ b/frontend/src/lib/components/ui/dropdown-menu/dropdown-menu-sub-trigger.svelte
@@ -15,7 +15,7 @@

 <DropdownMenuPrimitive.SubTrigger
 	class={cn(
-		'flex cursor-default select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[highlighted]:bg-accent data-[state=open]:bg-accent data-[highlighted]:text-accent-foreground data-[state=open]:text-accent-foreground',
+		'flex select-none items-center rounded-sm px-2 py-1.5 text-sm outline-none data-[highlighted]:bg-accent data-[state=open]:bg-accent data-[highlighted]:text-accent-foreground data-[state=open]:text-accent-foreground',
 		inset && 'pl-8',
 		className
 	)}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	e2c38138be	release: 0.28.0	2025-02-03 18:41:42 +01:00
Elias Schneider	13b02a072f	feat: map allowed groups to OIDC clients (#202 )	2025-02-03 18:41:15 +01:00
Logan	430421e98b	docs: add example for adding Pocket ID to FreshRSS (#200 )	2025-02-03 09:10:10 +01:00
Elias Schneider	61e71ad43b	fix: missing user service dependency	2025-02-03 09:08:20 +01:00
Elias Schneider	4db44e4818	Merge remote-tracking branch 'origin/main'	2025-02-03 08:58:35 +01:00
Elias Schneider	9ab178712a	feat: allow LDAP users and groups to be deleted if LDAP gets disabled	2025-02-03 08:58:20 +01:00
Elias Schneider	ecd74b794f	fix: non LDAP user group can't be updated after update	2025-02-03 08:37:46 +01:00
Kyle Mendell	5afd651434	docs: add helper scripts install for proxmox (#197 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-02 18:59:04 +01:00
Elias Schneider	2d3cba6308	docs: add new `demo.pocket-id.org` domain to the README	2025-02-01 19:40:44 +01:00
Elias Schneider	e607fe424a	docs: add custom `pocket-id.org` domain	2025-02-01 19:31:01 +01:00
PrtmPhlp	8ae446322a	docs: Added Gitea and Memos example (#194 )	2025-02-01 16:26:59 +01:00
Andrew Pearson	37a835b44e	fix(caddy): trusted_proxies for IPv6 enabled hosts (#189 )	2025-02-01 01:02:34 +01:00
Jeffrey Garcia	75f531fbc6	docs: Add Immich and Headscale client examples (#191 )	2025-02-01 01:00:54 +01:00
Elias Schneider	28346da731	refactor: run formatter	2025-01-28 22:27:50 +01:00
Elias Schneider	a1b20f0e74	ci/cd: ignore irrelevant paths for e2e tests	2025-01-28 22:27:07 +01:00
Elias Schneider	7497f4ad40	ci/cd: add auto deployment for docs website	2025-01-28 22:25:16 +01:00
Kyle Mendell	b530d646ac	docs: add version label to navbar (#186 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-28 22:19:16 +01:00
Elias Schneider	77985800ae	fix: use cursor pointer on clickable elements	2025-01-28 19:22:29 +01:00
Elias Schneider	ea21eba281	release: 0.27.2	2025-01-27 17:30:13 +01:00
Elias Schneider	66edb18f2c	Merge branch 'main' of https://github.com/stonith404/pocket-id	2025-01-27 12:01:16 +01:00
Elias Schneider	dab37c5967	chore: downgrade formsnap	2025-01-27 12:01:07 +01:00
Kyle Mendell	781ff7ae7b	fix: smtp hello for tls connections (#180 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-27 11:37:50 +01:00
Elias Schneider	04c7f180de	chore: upgrade frontend and backend dependencies	2025-01-27 11:01:48 +01:00
Elias Schneider	5c452ceef0	chore: upgrade to Tailwind 4	2025-01-27 10:21:11 +01:00
Elias Schneider	8cd834a503	chore: upgrade to Nodejs 22	2025-01-27 09:48:20 +01:00
Elias Schneider	a65ce56b42	docs: add missing env file flag to frontend start command	2025-01-27 09:43:43 +01:00
Daniel Breedeveld	4a97986f52	docs: fix typos and improve clarity in proxmox.md (#183 )	2025-01-27 09:02:55 +01:00
Elias Schneider	a879bfa418	release: 0.27.1	2025-01-24 12:07:10 +01:00
Elias Schneider	164ce6a3d7	fix: add `__HOST` prefix to cookies (#175 )	2025-01-24 12:01:27 +01:00
Chris Danis	ef1aeb7152	docs: make CONTRIBUTING instructions work & fix example envs (#152 )	2025-01-24 10:51:26 +01:00
Elias Schneider	47c39f6d38	fix: use OS hostname for SMTP EHLO message	2025-01-24 10:36:16 +01:00
Elias Schneider	2884021055	chore: remove duplicate text from issue template	2025-01-23 19:57:50 +01:00
Kyle Mendell	def39b8703	chore: bug template update (#133 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-23 19:10:48 +01:00
Elias Schneider	d071641890	docs: remove duplicate `contribute.md`	2025-01-23 18:10:28 +01:00
Elias Schneider	397544c0f3	fix: send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command	2025-01-23 17:55:36 +01:00
Kyle Mendell	1fb99e5d52	docs: add more client-examples (#166 )	2025-01-23 11:37:41 +01:00
Elias Schneider	7b403552ba	chore: add GitHub release creation to `create-release.sh` script	2025-01-23 08:56:28 +01:00
Elias Schneider	440a9f1ba0	release: 0.27.0	2025-01-22 18:51:06 +01:00
Kyle Mendell	d02f4753f3	fix: add save changes dialog before sending test email (#165 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-22 18:49:25 +01:00
Kyle Mendell	ede7d8fc15	docs: fix open-webui docs page (#162 )	2025-01-21 19:07:12 +01:00
imgbot[bot]	e4e6c9b680	refactor: optimize images (#161 ) Signed-off-by: ImgBotApp <ImgBotHelp@gmail.com> Co-authored-by: ImgBotApp <ImgBotHelp@gmail.com>	2025-01-21 18:59:16 +01:00
Kyle Mendell	c12bf2955b	docs: add docusaurus docs (#118 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-21 18:46:42 +01:00
Elias Schneider	c211d3fc67	docs: add `delay_start` to caddy security	2025-01-20 17:54:38 +01:00
Kamil Kosek	d87eb416cd	docs: create sample-configurations.md (#142 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-01-20 11:54:35 +01:00
Giovanni	f7710f2988	fix: ensure the downloaded GeoLite2 DB is not corrupted & prevent RW race condition (#138 )	2025-01-20 11:50:58 +01:00
Chris Danis	72923bb86d	feat: display private IP ranges correctly in audit log (#139 )	2025-01-20 11:36:12 +01:00
Elias Schneider	6e44b5e367	release: 0.26.0	2025-01-20 11:23:52 +01:00
Elias Schneider	8a1db0cb4a	feat: support wildcard callback URLs	2025-01-20 11:19:23 +01:00
Elias Schneider	3f02d08109	fix: non LDAP users get created with a empty LDAP ID string	2025-01-20 10:41:01 +01:00
Elias Schneider	715040ba04	release: 0.25.1	2025-01-19 22:14:29 +01:00
Elias Schneider	a8b9d60a86	fix: disable account details inputs if user is imported from LDAP	2025-01-19 22:14:20 +01:00
@@ -1 +1 @@
 .25.0
 .28.0
				`@@ -0,0 +1 @@`
				`DROP TABLE oidc_clients_allowed_user_groups;`
				`@@ -0,0 +1 @@`
				`UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;`
				`@@ -0,0 +1 @@`
				`UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';`