release: 0.27.1

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.github/ISSUE_TEMPLATE/bug.yml

@@ -34,4 +34,23 @@ body:
   - type: markdown
     attributes:
       value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: extra-information
+    validations:
+      required: true
+    attributes:
+      label: "Version and Environment"
+      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occured to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**

.gitignore

@@ -36,4 +36,20 @@ data
 /frontend/tests/.auth
 /frontend/tests/.report
 pocket-id-backend
-/backend/GeoLite2-City.mmdb
+/backend/GeoLite2-City.mmdb
+
+# Generated files
+docs/build
+docs/.docusaurus
+docs/.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

.version

@@ -1 +1 @@
-0.23.0
+0.27.1

CHANGELOG.md

@@ -1,3 +1,84 @@
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
+
+
+### Bug Fixes
+
+* add `__HOST` prefix to cookies ([#175](https://github.com/stonith404/pocket-id/issues/175)) ([164ce6a](https://github.com/stonith404/pocket-id/commit/164ce6a3d7fa8ae5275c94302952cf318e3b3113))
+* send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command ([397544c](https://github.com/stonith404/pocket-id/commit/397544c0f3f2b49f1f34ae53e6b9daf194d1ae28))
+* use OS hostname for SMTP EHLO message ([47c39f6](https://github.com/stonith404/pocket-id/commit/47c39f6d382c496cb964262adcf76cc8dbb96da3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.26.0...v) (2025-01-22)
+
+
+### Features
+
+* display private IP ranges correctly in audit log ([#139](https://github.com/stonith404/pocket-id/issues/139)) ([72923bb](https://github.com/stonith404/pocket-id/commit/72923bb86dc5d07d56aea98cf03320667944b553))
+
+
+### Bug Fixes
+
+* add save changes dialog before sending test email ([#165](https://github.com/stonith404/pocket-id/issues/165)) ([d02f475](https://github.com/stonith404/pocket-id/commit/d02f4753f3fbda75cd415ebbfe0702765c38c144))
+* ensure the downloaded GeoLite2 DB is not corrupted & prevent RW race condition ([#138](https://github.com/stonith404/pocket-id/issues/138)) ([f7710f2](https://github.com/stonith404/pocket-id/commit/f7710f298898d322885c1c83680e26faaa0bb800))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.1...v) (2025-01-20)
+
+
+### Features
+
+* support wildcard callback URLs ([8a1db0c](https://github.com/stonith404/pocket-id/commit/8a1db0cb4a5d4b32b4fdc19d41fff688a7c71a56))
+
+
+### Bug Fixes
+
+* non LDAP users get created with a empty LDAP ID string ([3f02d08](https://github.com/stonith404/pocket-id/commit/3f02d081098ad2caaa60a56eea4705639f80d01f))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.0...v) (2025-01-19)
+
+
+### Bug Fixes
+
+* disable account details inputs if user is imported from LDAP ([a8b9d60](https://github.com/stonith404/pocket-id/commit/a8b9d60a86e80c10d6fba07072b1d32cec400ecb))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.1...v) (2025-01-19)
+
+
+### Features
+
+* add LDAP sync ([#106](https://github.com/stonith404/pocket-id/issues/106)) ([5101b14](https://github.com/stonith404/pocket-id/commit/5101b14eec68a9507e1730994178d0ebe8185876))
+* allow sign in with email ([#100](https://github.com/stonith404/pocket-id/issues/100)) ([06b90ed](https://github.com/stonith404/pocket-id/commit/06b90eddd645cce57813f2536e4a6a8836548f2b))
+* automatically authorize client if signed in ([d5dd118](https://github.com/stonith404/pocket-id/commit/d5dd118a3f4ad6eed9ca496c458201bb10f148a0))
+
+
+### Bug Fixes
+
+* always set secure on cookie ([#130](https://github.com/stonith404/pocket-id/issues/130)) ([fda08ac](https://github.com/stonith404/pocket-id/commit/fda08ac1cd88842e25dc47395ed1288a5cfac4f8))
+* don't panic if LDAP sync fails on startup ([e284e35](https://github.com/stonith404/pocket-id/commit/e284e352e2b95fac1d098de3d404e8531de4b869))
+* improve spacing of checkboxes on application configuration page ([090eca2](https://github.com/stonith404/pocket-id/commit/090eca202d198852e6fbf4e6bebaf3b5ada13944))
+* search input not displayed if response hasn't any items ([05a98eb](https://github.com/stonith404/pocket-id/commit/05a98ebe87d7a88e8b96b144c53250a40d724ec3))
+* session duration ignored in cookie expiration ([bc8f454](https://github.com/stonith404/pocket-id/commit/bc8f454ea173ecc60e06450a1d22e24207f76714))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.0...v) (2025-01-13)
+
+
+### Bug Fixes
+
+* audit log table overflow if row data is long ([4d337a2](https://github.com/stonith404/pocket-id/commit/4d337a20c5cb92ef80bb7402f9b99b08e3ad0b6b))
+* optional arguments not working with `create-one-time-access-token.sh` ([8885571](https://github.com/stonith404/pocket-id/commit/888557171d61589211b10f70dce405126216ad61))
+* remove restrictive validation for group names ([be6e25a](https://github.com/stonith404/pocket-id/commit/be6e25a167de8bf07075b46f09d9fc1fa6c74426))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.23.0...v) (2025-01-11)
+
+
+### Features
+
+* add sorting for tables ([fd69830](https://github.com/stonith404/pocket-id/commit/fd69830c2681985e4fd3c5336a2b75c9fb7bc5d4))
+
+
+### Bug Fixes
+
+* pkce state not correctly reflected in oidc client info ([61d18a9](https://github.com/stonith404/pocket-id/commit/61d18a9d1b167ff59a59523ff00d00ca8f23258d))
+* send test email to the user that has requested it ([a649c4b](https://github.com/stonith404/pocket-id/commit/a649c4b4a543286123f4d1f3c411fe1a7e2c6d71))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.22.0...v) (2025-01-03)
 
 

CONTRIBUTING.md

@@ -55,14 +55,14 @@ The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in Ty
 3. Install the dependencies with `npm install`
 4. Start the frontend with `npm run dev`
 
-You're all set!
-
 ### Reverse Proxy
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.
 
 #### Setup
 Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.
 
+You're all set!
+
 ### Testing
 
 We are using [Playwright](https://playwright.dev) for end-to-end testing.

Dockerfile

@@ -21,7 +21,7 @@ RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
 
 # Stage 3: Production Image
 FROM node:20-alpine
-# Delete default node user
+# Delete default node user
 RUN deluser --remove-home node
 
 RUN apk add --no-cache caddy curl su-exec

README.md

@@ -12,150 +12,9 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht
 
 ## Setup
 
-> [!WARNING]  
-> Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue.
+Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.
 
-### Before you start
-
-Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
-
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](#environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Unraid
-
-Pocket ID is available as a template on the Community Apps store.
-
-### Stand-alone Installation
-
-Required tools:
-
-- [Node.js](https://nodejs.org/en/download/) >= 20
-- [Go](https://golang.org/doc/install) >= 1.23
-- [Git](https://git-scm.com/downloads)
-- [PM2](https://pm2.keymetrics.io/)
-- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-
-2. Run the following commands:
-
-   ```bash
-   git clone https://github.com/stonith404/pocket-id
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start --name pocket-id-caddy caddy -- run --config reverse-proxy/Caddyfile
-   ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Nginx Reverse Proxy
-
-To use Nginx as a reverse proxy for Pocket ID, update the configuration to increase the header buffer size. This adjustment is necessary because SvelteKit generates larger headers, which may exceed the default buffer limits.
-
-```nginx
-proxy_busy_buffers_size   512k;
-proxy_buffers   4 512k;
-proxy_buffer_size   256k;
-```
-
-## Proxy Services with Pocket ID
-
-As the goal of Pocket ID is to stay simple, it doesn't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy) to add authentication to your services that don't support OIDC.
-
-See the [guide](docs/proxy-services.md) for more information.
-
-## Update
-
-#### Docker
-
-```bash
-docker compose pull
-docker compose up -d
-```
-
-#### Stand-alone
-
-1. Stop the running services:
-   ```bash
-   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
-   ```
-2. Run the following commands:
-
-   ```bash
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start build/index.js --name pocket-id-frontend
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start caddy --name pocket-id-caddy -- run --config reverse-proxy/Caddyfile
-   ```
-
-## Environment variables
-
-| Variable                     | Default Value             | Recommended to change | Description                                                                                                                                                                                                                                                                                                                                                               |
-| ---------------------------- | ------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `PUBLIC_APP_URL`             | `http://localhost`        | yes                   | The URL where you will access the app.                                                                                                                                                                                                                                                                                                                                    |
-| `TRUST_PROXY`                | `false`                   | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                                                                                                                                                                                                                |
-| `MAXMIND_LICENSE_KEY`        | `-`                       | yes                   | License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).                                                                |
-| `PUID` and `PGID`            | `1000`                    | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
-| `DB_PROVIDER`                | `sqlite`                  | no                    | The database provider you want to use. Currently `sqlite` and `postgres` are supported.                                                                                                                                                                                                                                                                                   |
-| `SQLITE_DB_PATH`             | `data/pocket-id.db`       | no                    | The path to the SQLite database. This gets ignored if you didn't set `DB_PROVIDER` to `sqlite`.                                                                                                                                                                                                                                                                           |
-| `POSTGRES_CONNECTION_STRING` | `-`                       | no                    | The connection string to your Postgres database. This gets ignored if you didn't set `DB_PROVIDER` to `postgres`. A connection string can look like this: `postgresql://user:password@host:5432/pocket-id`.                                                                                                                                                               |
-| `UPLOAD_PATH`                | `data/uploads`            | no                    | The path where the uploaded files are stored.                                                                                                                                                                                                                                                                                                                             |
-| `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
-| `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
-| `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
-| `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
-| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen.                                                                                                                                                                                                                                                                                                                              |
+Visit the [documentation](https://stonith404.github.io/pocket-id) for the setup guide and more information.
 
 ## Contribute
 

backend/.env.example

@@ -1,8 +1,10 @@
 APP_ENV=production
 PUBLIC_APP_URL=http://localhost
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
 DB_PROVIDER=sqlite
+# MAXMIND_LICENSE_KEY=fixme # needed for IP geolocation in the audit log
 SQLITE_DB_PATH=data/pocket-id.db
 POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
 PORT=8080
-HOST=localhost
+HOST=localhost

backend/.gitignore

@@ -13,4 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
-./data
+./data
+.env

backend/go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/joho/godotenv v1.5.1
 	github.com/mileusna/useragent v1.3.5
 	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
-	golang.org/x/crypto v0.27.0
+	golang.org/x/crypto v0.31.0
 	golang.org/x/time v0.6.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/driver/sqlite v1.5.6
@@ -23,12 +23,15 @@ require (
 )
 
 require (
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/bytedance/sonic v1.12.3 // indirect
 	github.com/bytedance/sonic/loader v0.2.0 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-webauthn/x v0.1.14 // indirect
@@ -61,10 +64,10 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	golang.org/x/arch v0.10.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

backend/go.sum

@@ -1,7 +1,10 @@
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/bytedance/sonic v1.12.3 h1:W2MGa7RCU1QTeYRTPE3+88mVC0yXmsRQRChiyVocVjU=
 github.com/bytedance/sonic v1.12.3/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
@@ -37,8 +40,12 @@ github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-co-op/gocron/v2 v2.12.1 h1:dCIIBFbzhWKdgXeEifBjHPzgQ1hoWhjS4289Hjjy1uw=
 github.com/go-co-op/gocron/v2 v2.12.1/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -70,11 +77,15 @@ github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
@@ -83,6 +94,12 @@ github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -146,6 +163,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -158,6 +176,7 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
 go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
@@ -172,27 +191,98 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/arch v0.10.0 h1:S3huipmSclq3PJMNe76NGwkBR504WFkQ5dhzWzP8ZW8=
 golang.org/x/arch v0.10.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
 golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
 golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
 golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

backend/internal/bootstrap/bootstrap.go

@@ -2,15 +2,14 @@ package bootstrap
 
 import (
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/job"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 )
 
 func Bootstrap() {
+	initApplicationImages()
+
 	db := newDatabase()
 	appConfigService := service.NewAppConfigService(db)
 
-	initApplicationImages()
-	job.RegisterJobs(db)
 	initRouter(db, appConfigService)
 }

backend/internal/bootstrap/router_bootstrap.go

@@ -7,6 +7,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/controller"
+	"github.com/stonith404/pocket-id/backend/internal/job"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"github.com/stonith404/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
@@ -37,27 +38,34 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService, auditLogService)
+	userService := service.NewUserService(db, jwtService, auditLogService, emailService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	testService := service.NewTestService(db, appConfigService)
 	userGroupService := service.NewUserGroupService(db)
+	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
 
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
+
+	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
-	r.Use(middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60))
+	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))
 	r.Use(middleware.NewJwtAuthMiddleware(jwtService, true).Add(false))
 
-	// Initialize middleware
+	job.RegisterLdapJobs(ldapService, appConfigService)
+	job.RegisterDbCleanupJobs(db)
+
+	// Initialize middleware for specific routes
 	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService, false)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
 
 	// Set up API routes
 	apiGroup := r.Group("/api")
-	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService)
+	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
 	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
 	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
-	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService, emailService)
+	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService, emailService, ldapService)
 	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
 	controller.NewUserGroupController(apiGroup, jwtAuthMiddleware, userGroupService)
 	controller.NewCustomClaimController(apiGroup, jwtAuthMiddleware, customClaimService)

backend/internal/common/env_config.go

@@ -1,9 +1,10 @@
 package common
 
 import (
+	"log"
+
 	"github.com/caarlos0/env/v11"
 	_ "github.com/joho/godotenv/autoload"
-	"log"
 )
 
 type DbProvider string

backend/internal/common/errors.go

@@ -58,7 +58,9 @@ func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
 
 type OidcInvalidCallbackURLError struct{}
 
-func (e *OidcInvalidCallbackURLError) Error() string       { return "invalid callback URL, it might be necessary for an admin to fix this" }
+func (e *OidcInvalidCallbackURLError) Error() string {
+	return "invalid callback URL, it might be necessary for an admin to fix this"
+}
 func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
 
 type FileTypeNotSupportedError struct{}
@@ -95,7 +97,7 @@ func (e *MissingPermissionError) HttpStatusCode() int { return http.StatusForbid
 type TooManyRequestsError struct{}
 
 func (e *TooManyRequestsError) Error() string {
-	return "Too many requests. Please wait a while before trying again."
+	return "Too many requests"
 }
 func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
 
@@ -160,3 +162,17 @@ func (e *OidcMissingCodeChallengeError) Error() string {
 	return "Missing code challenge"
 }
 func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type LdapUserUpdateError struct{}
+
+func (e *LdapUserUpdateError) Error() string {
+	return "LDAP users can't be updated"
+}
+func (e *LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type LdapUserGroupUpdateError struct{}
+
+func (e *LdapUserGroupUpdateError) Error() string {
+	return "LDAP user groups can't be updated"
+}
+func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }

backend/internal/controller/app_config_controller.go

@@ -16,11 +16,13 @@ func NewAppConfigController(
 	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
 	appConfigService *service.AppConfigService,
 	emailService *service.EmailService,
+	ldapService *service.LdapService,
 ) {
 
 	acc := &AppConfigController{
 		appConfigService: appConfigService,
 		emailService:     emailService,
+		ldapService:      ldapService,
 	}
 	group.GET("/application-configuration", acc.listAppConfigHandler)
 	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
@@ -34,11 +36,13 @@ func NewAppConfigController(
 	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
 
 	group.POST("/application-configuration/test-email", jwtAuthMiddleware.Add(true), acc.testEmailHandler)
+	group.POST("/application-configuration/sync-ldap", jwtAuthMiddleware.Add(true), acc.syncLdapHandler)
 }
 
 type AppConfigController struct {
 	appConfigService *service.AppConfigService
 	emailService     *service.EmailService
+	ldapService      *service.LdapService
 }
 
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
@@ -182,8 +186,19 @@ func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, ol
 	c.Status(http.StatusNoContent)
 }
 
-func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
-	err := acc.emailService.SendTestEmail()
+func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
+	err := acc.ldapService.SyncAll()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	err := acc.emailService.SendTestEmail(userID)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/audit_log_controller.go

@@ -3,8 +3,8 @@ package controller
 import (
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
-	"strconv"
 
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/service"
@@ -23,12 +23,16 @@ type AuditLogController struct {
 }
 
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
+
 	userID := c.GetString("userID")
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
 
 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, page, pageSize)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, sortedPaginationRequest)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/oidc_controller.go

@@ -5,8 +5,8 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
-	"strconv"
 	"strings"
 )
 
@@ -153,11 +153,14 @@ func (oc *OidcController) getClientHandler(c *gin.Context) {
 }
 
 func (oc *OidcController) listClientsHandler(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
 	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
 
-	clients, pagination, err := oc.oidcService.ListClients(searchTerm, page, pageSize)
+	clients, pagination, err := oc.oidcService.ListClients(searchTerm, sortedPaginationRequest)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/user_controller.go

@@ -1,21 +1,24 @@
 package controller
 
 import (
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
+	"net/http"
+	"strconv"
+	"time"
+
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"golang.org/x/time/rate"
-	"net/http"
-	"strconv"
-	"time"
 )
 
 func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
 	uc := UserController{
-		UserService:      userService,
-		AppConfigService: appConfigService,
+		userService:      userService,
+		appConfigService: appConfigService,
 	}
 
 	group.GET("/users", jwtAuthMiddleware.Add(true), uc.listUsersHandler)
@@ -29,19 +32,23 @@ func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt
 	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
 }
 
 type UserController struct {
-	UserService      *service.UserService
-	AppConfigService *service.AppConfigService
+	userService      *service.UserService
+	appConfigService *service.AppConfigService
 }
 
 func (uc *UserController) listUsersHandler(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
 	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
 
-	users, pagination, err := uc.UserService.ListUsers(searchTerm, page, pageSize)
+	users, pagination, err := uc.userService.ListUsers(searchTerm, sortedPaginationRequest)
 	if err != nil {
 		c.Error(err)
 		return
@@ -60,7 +67,7 @@ func (uc *UserController) listUsersHandler(c *gin.Context) {
 }
 
 func (uc *UserController) getUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.Param("id"))
+	user, err := uc.userService.GetUser(c.Param("id"))
 	if err != nil {
 		c.Error(err)
 		return
@@ -76,7 +83,7 @@ func (uc *UserController) getUserHandler(c *gin.Context) {
 }
 
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.GetString("userID"))
+	user, err := uc.userService.GetUser(c.GetString("userID"))
 	if err != nil {
 		c.Error(err)
 		return
@@ -92,7 +99,7 @@ func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
 }
 
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
-	if err := uc.UserService.DeleteUser(c.Param("id")); err != nil {
+	if err := uc.userService.DeleteUser(c.Param("id")); err != nil {
 		c.Error(err)
 		return
 	}
@@ -107,7 +114,7 @@ func (uc *UserController) createUserHandler(c *gin.Context) {
 		return
 	}
 
-	user, err := uc.UserService.CreateUser(input)
+	user, err := uc.userService.CreateUser(input)
 	if err != nil {
 		c.Error(err)
 		return
@@ -127,7 +134,7 @@ func (uc *UserController) updateUserHandler(c *gin.Context) {
 }
 
 func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
-	if uc.AppConfigService.DbConfig.AllowOwnAccountEdit.Value != "true" {
+	if uc.appConfigService.DbConfig.AllowOwnAccountEdit.Value != "true" {
 		c.Error(&common.AccountEditNotAllowedError{})
 		return
 	}
@@ -141,7 +148,7 @@ func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
 		return
 	}
 
-	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt, c.ClientIP(), c.Request.UserAgent())
+	token, err := uc.userService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
 	if err != nil {
 		c.Error(err)
 		return
@@ -150,8 +157,24 @@ func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
 	c.JSON(http.StatusCreated, gin.H{"token": token})
 }
 
+func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.Error(err)
+		return
+	}
+
+	err := uc.userService.RequestOneTimeAccessEmail(input.Email, input.RedirectPath)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
 func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.ExchangeOneTimeAccessToken(c.Param("token"))
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Param("token"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		c.Error(err)
 		return
@@ -163,12 +186,15 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }
 
 func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.SetupInitialAdmin()
+	user, token, err := uc.userService.SetupInitialAdmin()
 	if err != nil {
 		c.Error(err)
 		return
@@ -180,7 +206,10 @@ func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(uc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }
 
@@ -198,7 +227,7 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}
 
-	user, err := uc.UserService.UpdateUser(userID, input, updateOwnUser)
+	user, err := uc.userService.UpdateUser(userID, input, updateOwnUser, false)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/user_group_controller.go

@@ -1,13 +1,12 @@
 package controller
 
 import (
-	"net/http"
-	"strconv"
-
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"net/http"
 )
 
 func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {
@@ -28,16 +27,20 @@ type UserGroupController struct {
 }
 
 func (ugc *UserGroupController) list(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
 	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		c.Error(err)
+		return
+	}
 
-	groups, pagination, err := ugc.UserGroupService.List(searchTerm, page, pageSize)
+	groups, pagination, err := ugc.UserGroupService.List(searchTerm, sortedPaginationRequest)
 	if err != nil {
 		c.Error(err)
 		return
 	}
 
+	// Map the user groups to DTOs. The user count can't be mapped directly, so we have to do it manually.
 	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
 	for i, group := range groups {
 		var groupDto dto.UserGroupDtoWithUserCount
@@ -104,7 +107,7 @@ func (ugc *UserGroupController) update(c *gin.Context) {
 		return
 	}
 
-	group, err := ugc.UserGroupService.Update(c.Param("id"), input)
+	group, err := ugc.UserGroupService.Update(c.Param("id"), input, false)
 	if err != nil {
 		c.Error(err)
 		return

backend/internal/controller/webauthn_controller.go

@@ -5,7 +5,9 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -13,8 +15,8 @@ import (
 	"golang.org/x/time/rate"
 )
 
-func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService) {
-	wc := &WebauthnController{webAuthnService: webauthnService}
+func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
+	wc := &WebauthnController{webAuthnService: webauthnService, appConfigService: appConfigService}
 	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
 	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
 
@@ -29,7 +31,8 @@ func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware
 }
 
 type WebauthnController struct {
-	webAuthnService *service.WebAuthnService
+	webAuthnService  *service.WebAuthnService
+	appConfigService *service.AppConfigService
 }
 
 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
@@ -40,12 +43,12 @@ func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }
 
 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
 		c.Error(&common.MissingSessionIdError{})
 		return
@@ -74,12 +77,12 @@ func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }
 
 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
 		c.Error(&common.MissingSessionIdError{})
 		return
@@ -103,7 +106,10 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	sessionDurationInMinutesParsed, _ := strconv.Atoi(wc.appConfigService.DbConfig.SessionDuration.Value)
+	maxAge := sessionDurationInMinutesParsed * 60
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }
 
@@ -163,6 +169,6 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }
 
 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
-	c.SetCookie("access_token", "", 0, "/", "", false, true)
+	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }

backend/internal/dto/app_config_dto.go

@@ -12,16 +12,31 @@ type AppConfigVariableDto struct {
 }
 
 type AppConfigUpdateDto struct {
-	AppName             string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration     string `json:"sessionDuration" binding:"required"`
-	EmailsVerified      string `json:"emailsVerified" binding:"required"`
-	AllowOwnAccountEdit string `json:"allowOwnAccountEdit" binding:"required"`
-	EmailEnabled        string `json:"emailEnabled" binding:"required"`
-	SmtHost             string `json:"smtpHost"`
-	SmtpPort            string `json:"smtpPort"`
-	SmtpFrom            string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpUser            string `json:"smtpUser"`
-	SmtpPassword        string `json:"smtpPassword"`
-	SmtpTls             string `json:"smtpTls"`
-	SmtpSkipCertVerify  string `json:"smtpSkipCertVerify"`
+	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration                    string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
+	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
+	SmtHost                            string `json:"smtpHost"`
+	SmtpPort                           string `json:"smtpPort"`
+	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                           string `json:"smtpUser"`
+	SmtpPassword                       string `json:"smtpPassword"`
+	SmtpTls                            string `json:"smtpTls"`
+	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
+	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                            string `json:"ldapUrl"`
+	LdapBindDn                         string `json:"ldapBindDn"`
+	LdapBindPassword                   string `json:"ldapBindPassword"`
+	LdapBase                           string `json:"ldapBase"`
+	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
+	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
+	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
+	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
 }

backend/internal/dto/oidc_dto.go

@@ -16,7 +16,7 @@ type OidcClientDto struct {
 
 type OidcClientCreateDto struct {
 	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+	CallbackURLs []string `json:"callbackURLs" binding:"required"`
 	IsPublic     bool     `json:"isPublic"`
 	PkceEnabled  bool     `json:"pkceEnabled"`
 }

backend/internal/dto/user_dto.go

@@ -10,6 +10,7 @@ type UserDto struct {
 	LastName     string           `json:"lastName"`
 	IsAdmin      bool             `json:"isAdmin"`
 	CustomClaims []CustomClaimDto `json:"customClaims"`
+	LdapID       *string          `json:"ldapId"`
 }
 
 type UserCreateDto struct {
@@ -18,9 +19,15 @@ type UserCreateDto struct {
 	FirstName string `json:"firstName" binding:"required,min=1,max=50"`
 	LastName  string `json:"lastName" binding:"required,min=1,max=50"`
 	IsAdmin   bool   `json:"isAdmin"`
+	LdapID    string `json:"-"`
 }
 
 type OneTimeAccessTokenCreateDto struct {
 	UserID    string    `json:"userId" binding:"required"`
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }
+
+type OneTimeAccessEmailDto struct {
+	Email        string `json:"email" binding:"required,email"`
+	RedirectPath string `json:"redirectPath"`
+}

backend/internal/dto/user_group_dto.go

@@ -10,6 +10,7 @@ type UserGroupDtoWithUsers struct {
 	Name         string            `json:"name"`
 	CustomClaims []CustomClaimDto  `json:"customClaims"`
 	Users        []UserDto         `json:"users"`
+	LdapID       *string           `json:"ldapId"`
 	CreatedAt    datatype.DateTime `json:"createdAt"`
 }
 
@@ -19,12 +20,14 @@ type UserGroupDtoWithUserCount struct {
 	Name         string            `json:"name"`
 	CustomClaims []CustomClaimDto  `json:"customClaims"`
 	UserCount    int64             `json:"userCount"`
+	LdapID       *string           `json:"ldapId"`
 	CreatedAt    datatype.DateTime `json:"createdAt"`
 }
 
 type UserGroupCreateDto struct {
-	FriendlyName string `json:"friendlyName" binding:"required,min=3,max=30"`
-	Name         string `json:"name" binding:"required,min=3,max=30,userGroupName"`
+	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50"`
+	Name         string `json:"name" binding:"required,min=2,max=255"`
+	LdapID       string `json:"-"`
 }
 
 type UserGroupUpdateUsersDto struct {

backend/internal/dto/validations.go

@@ -4,21 +4,9 @@ import (
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
 	"log"
-	"net/url"
 	"regexp"
 )
 
-var validateUrlList validator.Func = func(fl validator.FieldLevel) bool {
-	urls := fl.Field().Interface().([]string)
-	for _, u := range urls {
-		_, err := url.ParseRequestURI(u)
-		if err != nil {
-			return false
-		}
-	}
-	return true
-}
-
 var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
 	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
@@ -28,13 +16,6 @@ var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	return matched
 }
 
-var validateUserGroupName validator.Func = func(fl validator.FieldLevel) bool {
-	// The string can only contain lowercase letters, numbers, and underscores
-	regex := "^[a-z0-9_]*$"
-	matched, _ := regexp.MatchString(regex, fl.Field().String())
-	return matched
-}
-
 var validateClaimKey validator.Func = func(fl validator.FieldLevel) bool {
 	// The string can only contain letters and numbers
 	regex := "^[A-Za-z0-9]*$"
@@ -43,23 +24,11 @@ var validateClaimKey validator.Func = func(fl validator.FieldLevel) bool {
 }
 
 func init() {
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("urlList", validateUrlList); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
 	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
 		if err := v.RegisterValidation("username", validateUsername); err != nil {
 			log.Fatalf("Failed to register custom validation: %v", err)
 		}
 	}
-
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("userGroupName", validateUserGroupName); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
-
 	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
 		if err := v.RegisterValidation("claimKey", validateClaimKey); err != nil {
 			log.Fatalf("Failed to register custom validation: %v", err)

backend/internal/job/db_cleanup.go

@@ -10,7 +10,7 @@ import (
 	"time"
 )
 
-func RegisterJobs(db *gorm.DB) {
+func RegisterDbCleanupJobs(db *gorm.DB) {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)

backend/internal/job/ldap_job.go

@@ -0,0 +1,39 @@
+package job
+
+import (
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+)
+
+type LdapJobs struct {
+	ldapService      *service.LdapService
+	appConfigService *service.AppConfigService
+}
+
+func RegisterLdapJobs(ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
+
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %s", err)
+	}
+
+	// Register the job to run every hour
+	registerJob(scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+
+	// Run the job immediately on startup
+	if err := jobs.syncLdap(); err != nil {
+		log.Printf("Failed to sync LDAP: %s", err)
+	}
+
+	scheduler.Start()
+}
+
+func (j *LdapJobs) syncLdap() error {
+	if j.appConfigService.DbConfig.LdapEnabled.Value == "true" {
+		return j.ldapService.SyncAll()
+	}
+	return nil
+}

backend/internal/middleware/error_handler.go

@@ -83,8 +83,6 @@ func handleValidationError(validationErrors validator.ValidationErrors) string {
 			errorMessage = fmt.Sprintf("%s must be at least %s characters long", fieldName, ve.Param())
 		case "max":
 			errorMessage = fmt.Sprintf("%s must be at most %s characters long", fieldName, ve.Param())
-		case "urlList":
-			errorMessage = fmt.Sprintf("%s must be a list of valid URLs", fieldName)
 		default:
 			errorMessage = fmt.Sprintf("%s is invalid", fieldName)
 		}

backend/internal/middleware/jwt_auth.go

@@ -4,6 +4,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"strings"
 )
 
@@ -19,7 +20,7 @@ func NewJwtAuthMiddleware(jwtService *service.JwtService, ignoreUnauthenticated
 func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Extract the token from the cookie or the Authorization header
-		token, err := c.Cookie("access_token")
+		token, err := c.Cookie(cookie.AccessTokenCookieName)
 		if err != nil {
 			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
 			if len(authorizationHeaderSplitted) == 2 {

backend/internal/middleware/rate_limit.go

@@ -16,8 +16,12 @@ func NewRateLimitMiddleware() *RateLimitMiddleware {
 }
 
 func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
+	// Map to store the rate limiters per IP
+	var clients = make(map[string]*client)
+	var mu sync.Mutex
+
 	// Start the cleanup routine
-	go cleanupClients()
+	go cleanupClients(&mu, clients)
 
 	return func(c *gin.Context) {
 		ip := c.ClientIP()
@@ -29,7 +33,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
 			return
 		}
 
-		limiter := getLimiter(ip, limit, burst)
+		limiter := getLimiter(ip, limit, burst, &mu, clients)
 		if !limiter.Allow() {
 			c.Error(&common.TooManyRequestsError{})
 			c.Abort()
@@ -45,12 +49,8 @@ type client struct {
 	lastSeen time.Time
 }
 
-// Map to store the rate limiters per IP
-var clients = make(map[string]*client)
-var mu sync.Mutex
-
 // Cleanup routine to remove stale clients that haven't been seen for a while
-func cleanupClients() {
+func cleanupClients(mu *sync.Mutex, clients map[string]*client) {
 	for {
 		time.Sleep(time.Minute)
 		mu.Lock()
@@ -64,7 +64,7 @@ func cleanupClients() {
 }
 
 // getLimiter retrieves the rate limiter for a given IP address, creating one if it doesn't exist
-func getLimiter(ip string, limit rate.Limit, burst int) *rate.Limiter {
+func getLimiter(ip string, limit rate.Limit, burst int, mu *sync.Mutex, clients map[string]*client) *rate.Limiter {
 	mu.Lock()
 	defer mu.Unlock()
 

backend/internal/model/app_config.go

@@ -10,21 +10,38 @@ type AppConfigVariable struct {
 }
 
 type AppConfig struct {
+	// General
 	AppName             AppConfigVariable
 	SessionDuration     AppConfigVariable
 	EmailsVerified      AppConfigVariable
 	AllowOwnAccountEdit AppConfigVariable
-
+	// Internal
 	BackgroundImageType AppConfigVariable
 	LogoLightImageType  AppConfigVariable
 	LogoDarkImageType   AppConfigVariable
-
-	EmailEnabled       AppConfigVariable
-	SmtpHost           AppConfigVariable
-	SmtpPort           AppConfigVariable
-	SmtpFrom           AppConfigVariable
-	SmtpUser           AppConfigVariable
-	SmtpPassword       AppConfigVariable
-	SmtpTls            AppConfigVariable
-	SmtpSkipCertVerify AppConfigVariable
+	// Email
+	SmtpHost                      AppConfigVariable
+	SmtpPort                      AppConfigVariable
+	SmtpFrom                      AppConfigVariable
+	SmtpUser                      AppConfigVariable
+	SmtpPassword                  AppConfigVariable
+	SmtpTls                       AppConfigVariable
+	SmtpSkipCertVerify            AppConfigVariable
+	EmailLoginNotificationEnabled AppConfigVariable
+	EmailOneTimeAccessEnabled     AppConfigVariable
+	// LDAP
+	LdapEnabled                        AppConfigVariable
+	LdapUrl                            AppConfigVariable
+	LdapBindDn                         AppConfigVariable
+	LdapBindPassword                   AppConfigVariable
+	LdapBase                           AppConfigVariable
+	LdapSkipCertVerify                 AppConfigVariable
+	LdapAttributeUserUniqueIdentifier  AppConfigVariable
+	LdapAttributeUserUsername          AppConfigVariable
+	LdapAttributeUserEmail             AppConfigVariable
+	LdapAttributeUserFirstName         AppConfigVariable
+	LdapAttributeUserLastName          AppConfigVariable
+	LdapAttributeGroupUniqueIdentifier AppConfigVariable
+	LdapAttributeGroupName             AppConfigVariable
+	LdapAttributeAdminGroup            AppConfigVariable
 }

backend/internal/model/audit_log.go

@@ -9,11 +9,11 @@ import (
 type AuditLog struct {
 	Base
 
-	Event     AuditLogEvent
-	IpAddress string
-	Country   string
-	City      string
-	UserAgent string
+	Event     AuditLogEvent `sortable:"true"`
+	IpAddress string        `sortable:"true"`
+	Country   string        `sortable:"true"`
+	City      string        `sortable:"true"`
+	UserAgent string        `sortable:"true"`
 	UserID    string
 	Data      AuditLogData
 }

backend/internal/model/base.go

@@ -9,8 +9,8 @@ import (
 
 // Base contains common columns for all tables.
 type Base struct {
-	ID        string `gorm:"primaryKey;not null"`
-	CreatedAt model.DateTime
+	ID        string         `gorm:"primaryKey;not null"`
+	CreatedAt model.DateTime `sortable:"true"`
 }
 
 func (b *Base) BeforeCreate(_ *gorm.DB) (err error) {

backend/internal/model/oidc.go

@@ -36,7 +36,7 @@ type OidcAuthorizationCode struct {
 type OidcClient struct {
 	Base
 
-	Name         string
+	Name         string `sortable:"true"`
 	Secret       string
 	CallbackURLs CallbackURLs
 	ImageType    *string

backend/internal/model/user.go

@@ -9,11 +9,12 @@ import (
 type User struct {
 	Base
 
-	Username  string
-	Email     string
-	FirstName string
-	LastName  string
-	IsAdmin   bool
+	Username  string `sortable:"true"`
+	Email     string `sortable:"true"`
+	FirstName string `sortable:"true"`
+	LastName  string `sortable:"true"`
+	IsAdmin   bool   `sortable:"true"`
+	LdapID    *string
 
 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`

backend/internal/model/user_group.go

@@ -2,8 +2,9 @@ package model
 
 type UserGroup struct {
 	Base
-	FriendlyName string
-	Name         string `gorm:"unique"`
+	FriendlyName string `sortable:"true"`
+	Name         string `sortable:"true"`
+	LdapID       *string
 	Users        []User `gorm:"many2many:user_groups_users;"`
 	CustomClaims []CustomClaim
 }

backend/internal/service/app_config_service.go

@@ -2,15 +2,16 @@ package service
 
 import (
 	"fmt"
+	"log"
+	"mime/multipart"
+	"os"
+	"reflect"
+
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
-	"log"
-	"mime/multipart"
-	"os"
-	"reflect"
 )
 
 type AppConfigService struct {
@@ -30,6 +31,7 @@ func NewAppConfigService(db *gorm.DB) *AppConfigService {
 }
 
 var defaultDbConfig = model.AppConfig{
+	// General
 	AppName: model.AppConfigVariable{
 		Key:          "appName",
 		Type:         "string",
@@ -52,6 +54,7 @@ var defaultDbConfig = model.AppConfig{
 		IsPublic:     true,
 		DefaultValue: "true",
 	},
+	// Internal
 	BackgroundImageType: model.AppConfigVariable{
 		Key:          "backgroundImageType",
 		Type:         "string",
@@ -70,11 +73,7 @@ var defaultDbConfig = model.AppConfig{
 		IsInternal:   true,
 		DefaultValue: "svg",
 	},
-	EmailEnabled: model.AppConfigVariable{
-		Key:          "emailEnabled",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
+	// Email
 	SmtpHost: model.AppConfigVariable{
 		Key:  "smtpHost",
 		Type: "string",
@@ -105,6 +104,76 @@ var defaultDbConfig = model.AppConfig{
 		Type:         "bool",
 		DefaultValue: "false",
 	},
+	EmailLoginNotificationEnabled: model.AppConfigVariable{
+		Key:          "emailLoginNotificationEnabled",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	EmailOneTimeAccessEnabled: model.AppConfigVariable{
+		Key:          "emailOneTimeAccessEnabled",
+		Type:         "bool",
+		IsPublic:     true,
+		DefaultValue: "false",
+	},
+	// LDAP
+	LdapEnabled: model.AppConfigVariable{
+		Key:          "ldapEnabled",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	LdapUrl: model.AppConfigVariable{
+		Key:  "ldapUrl",
+		Type: "string",
+	},
+	LdapBindDn: model.AppConfigVariable{
+		Key:  "ldapBindDn",
+		Type: "string",
+	},
+	LdapBindPassword: model.AppConfigVariable{
+		Key:  "ldapBindPassword",
+		Type: "string",
+	},
+	LdapBase: model.AppConfigVariable{
+		Key:  "ldapBase",
+		Type: "string",
+	},
+	LdapSkipCertVerify: model.AppConfigVariable{
+		Key:          "ldapSkipCertVerify",
+		Type:         "bool",
+		DefaultValue: "false",
+	},
+	LdapAttributeUserUniqueIdentifier: model.AppConfigVariable{
+		Key:  "ldapAttributeUserUniqueIdentifier",
+		Type: "string",
+	},
+	LdapAttributeUserUsername: model.AppConfigVariable{
+		Key:  "ldapAttributeUserUsername",
+		Type: "string",
+	},
+	LdapAttributeUserEmail: model.AppConfigVariable{
+		Key:  "ldapAttributeUserEmail",
+		Type: "string",
+	},
+	LdapAttributeUserFirstName: model.AppConfigVariable{
+		Key:  "ldapAttributeUserFirstName",
+		Type: "string",
+	},
+	LdapAttributeUserLastName: model.AppConfigVariable{
+		Key:  "ldapAttributeUserLastName",
+		Type: "string",
+	},
+	LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
+		Key:  "ldapAttributeGroupUniqueIdentifier",
+		Type: "string",
+	},
+	LdapAttributeGroupName: model.AppConfigVariable{
+		Key:  "ldapAttributeGroupName",
+		Type: "string",
+	},
+	LdapAttributeAdminGroup: model.AppConfigVariable{
+		Key:  "ldapAttributeAdminGroup",
+		Type: "string",
+	},
 }
 
 func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
@@ -119,6 +188,13 @@ func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]mode
 		key := field.Tag.Get("json")
 		value := rv.FieldByName(field.Name).String()
 
+		// If the emailEnabled is set to false, disable the emailOneTimeAccessEnabled
+		if key == s.DbConfig.EmailOneTimeAccessEnabled.Key {
+			if rv.FieldByName("EmailEnabled").String() == "false" {
+				value = "false"
+			}
+		}
+
 		var appConfigVariable model.AppConfigVariable
 		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
 			tx.Rollback()

backend/internal/service/audit_log_service.go

@@ -58,8 +58,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 		return createdAuditLog
 	}
 
-	// If the user hasn't logged in from the same device before, send an email
-	if count <= 1 {
+	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
+	if s.appConfigService.DbConfig.EmailLoginNotificationEnabled.Value == "true" && count <= 1 {
 		go func() {
 			var user model.User
 			s.db.Where("id = ?", userID).First(&user)
@@ -84,11 +84,11 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 }
 
 // ListAuditLogsForUser retrieves all audit logs for a given user ID
-func (s *AuditLogService) ListAuditLogsForUser(userID string, page int, pageSize int) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAuditLogsForUser(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
-	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID).Order("created_at desc")
+	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID)
 
-	pagination, err := utils.Paginate(page, pageSize, query, &logs)
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	return logs, pagination, err
 }
 

backend/internal/service/email_service.go

@@ -3,7 +3,6 @@ package service
 import (
 	"bytes"
 	"crypto/tls"
-	"errors"
 	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/model"
@@ -15,9 +14,15 @@ import (
 	"net"
 	"net/smtp"
 	"net/textproto"
+	"os"
 	ttemplate "text/template"
+	"time"
 )
 
+var netDialer = &net.Dialer{
+	Timeout: 3 * time.Second,
+}
+
 type EmailService struct {
 	appConfigService *AppConfigService
 	db               *gorm.DB
@@ -44,9 +49,9 @@ func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailSer
 	}, nil
 }
 
-func (srv *EmailService) SendTestEmail() error {
+func (srv *EmailService) SendTestEmail(recipientUserId string) error {
 	var user model.User
-	if err := srv.db.First(&user).Error; err != nil {
+	if err := srv.db.First(&user, "id = ?", recipientUserId).Error; err != nil {
 		return err
 	}
 
@@ -58,11 +63,6 @@ func (srv *EmailService) SendTestEmail() error {
 }
 
 func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
-	// Check if SMTP settings are set
-	if srv.appConfigService.DbConfig.EmailEnabled.Value != "true" {
-		return errors.New("email not enabled")
-	}
-
 	data := &email.TemplateData[V]{
 		AppName: srv.appConfigService.DbConfig.AppName.Value,
 		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
@@ -100,7 +100,7 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
 	var client *smtp.Client
 	if srv.appConfigService.DbConfig.SmtpTls.Value == "false" {
-		client, err = smtp.Dial(smtpAddress)
+		client, err = srv.connectToSmtpServer(smtpAddress)
 	} else if port == "465" {
 		client, err = srv.connectToSmtpServerUsingImplicitTLS(
 			smtpAddress,
@@ -112,10 +112,19 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 			tlsConfig,
 		)
 	}
-	defer client.Quit()
+
 	if err != nil {
 		return fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}
+	defer client.Close()
+
+	// Set the hello message manually as for example Google rejects the default "localhost" value
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return fmt.Errorf("failed to say hello to SMTP server: %w", err)
+		}
+	}
 
 	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
 	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value
@@ -140,8 +149,21 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	return nil
 }
 
+func (srv *EmailService) connectToSmtpServer(serverAddr string) (*smtp.Client, error) {
+	conn, err := netDialer.Dial("tcp", serverAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
+	return client, err
+}
+
 func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
-	conn, err := tls.Dial("tcp", serverAddr, tlsConfig)
+	tlsDialer := &tls.Dialer{
+		NetDialer: netDialer,
+		Config:    tlsConfig,
+	}
+	conn, err := tlsDialer.Dial("tcp", serverAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}
@@ -156,7 +178,7 @@ func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string,
 }
 
 func (srv *EmailService) connectToSmtpServerUsingStartTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
-	conn, err := net.Dial("tcp", serverAddr)
+	conn, err := netDialer.Dial("tcp", serverAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}

backend/internal/service/email_service_templates.go

@@ -9,7 +9,7 @@ import (
 /**
 How to add new template:
 - pick unique and descriptive template ${name} (for example "login-with-new-device")
-- in backend/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
+- in backend/resources/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
 - create xxxxTemplate and xxxxTemplateData (for example NewLoginTemplate and NewLoginTemplateData)
   - Path *must* be ${name}
 - add xxxTemplate.Path to "emailTemplatePaths" at the end
@@ -27,6 +27,13 @@ var NewLoginTemplate = email.Template[NewLoginTemplateData]{
 	},
 }
 
+var OneTimeAccessTemplate = email.Template[OneTimeAccessTemplateData]{
+	Path: "one-time-access",
+	Title: func(data *email.TemplateData[OneTimeAccessTemplateData]) string {
+		return "One time access"
+	},
+}
+
 var TestTemplate = email.Template[struct{}]{
 	Path: "test",
 	Title: func(data *email.TemplateData[struct{}]) string {
@@ -42,5 +49,9 @@ type NewLoginTemplateData struct {
 	DateTime  time.Time
 }
 
+type OneTimeAccessTemplateData = struct {
+	Link string
+}
+
 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path, TestTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}

backend/internal/service/geolite_service.go

@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"sync"
 	"time"
 
 	"github.com/oschwald/maxminddb-golang/v2"
@@ -19,7 +20,24 @@ import (
 	"github.com/stonith404/pocket-id/backend/internal/common"
 )
 
-type GeoLiteService struct{}
+type GeoLiteService struct {
+	mutex sync.Mutex
+}
+
+var localhostIPNets = []*net.IPNet{
+	{IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 127.0.0.0/8
+	{IP: net.IPv6loopback, Mask: net.CIDRMask(128, 128)},    // ::1/128
+}
+
+var privateLanIPNets = []*net.IPNet{
+	{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},     // 10.0.0.0/8
+	{IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)},  // 172.16.0.0/12
+	{IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)}, // 192.168.0.0/16
+}
+
+var tailscaleIPNets = []*net.IPNet{
+	{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}, // 100.64.0.0/10
+}
 
 // NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
 func NewGeoLiteService() *GeoLiteService {
@@ -36,13 +54,29 @@ func NewGeoLiteService() *GeoLiteService {
 
 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
-	// Check if IP is in Tailscale's CGNAT range (100.64.0.0/10)
+	// Check the IP address against known private IP ranges
 	if ip := net.ParseIP(ipAddress); ip != nil {
-		if ip.To4() != nil && ip.To4()[0] == 100 && ip.To4()[1] >= 64 && ip.To4()[1] <= 127 {
-			return "Internal Network", "Tailscale", nil
+		for _, ipNet := range tailscaleIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "Tailscale", nil
+			}
+		}
+		for _, ipNet := range privateLanIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "LAN/Docker/k8s", nil
+			}
+		}
+		for _, ipNet := range localhostIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "localhost", nil
+			}
 		}
 	}
 
+	// Race condition between reading and writing the database.
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
 	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
 	if err != nil {
 		return "", "", err
@@ -134,16 +168,44 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 
 		// Check if the file is the GeoLite2-City.mmdb file
 		if header.Typeflag == tar.TypeReg && filepath.Base(header.Name) == "GeoLite2-City.mmdb" {
-			outFile, err := os.Create(common.EnvConfig.GeoLiteDBPath)
+			// extract to a temporary file to avoid having a corrupted db in case of write failure.
+			baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
+			tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
 			if err != nil {
-				return fmt.Errorf("failed to create target database file: %w", err)
+				return fmt.Errorf("failed to create temporary database file: %w", err)
 			}
-			defer outFile.Close()
+			tempName := tmpFile.Name()
 
 			// Write the file contents directly to the target location
-			if _, err := io.Copy(outFile, tarReader); err != nil {
+			if _, err := io.Copy(tmpFile, tarReader); err != nil {
+				// if fails to write, then cleanup and throw an error
+				tmpFile.Close()
+				os.Remove(tempName)
 				return fmt.Errorf("failed to write database file: %w", err)
 			}
+			tmpFile.Close()
+
+			// ensure the database is not corrupted
+			db, err := maxminddb.Open(tempName)
+			if err != nil {
+				// if fails to write, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to open downloaded database file: %w", err)
+			}
+			db.Close()
+
+			// ensure we lock the structure before we overwrite the database
+			// to prevent race conditions between reading and writing the mmdb.
+			s.mutex.Lock()
+			// replace the old file with the new file
+			err = os.Rename(tempName, common.EnvConfig.GeoLiteDBPath)
+			s.mutex.Unlock()
+
+			if err != nil {
+				// if cannot overwrite via rename, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to replace database file: %w", err)
+			}
 			return nil
 		}
 	}

backend/internal/service/ldap_service.go

@@ -0,0 +1,261 @@
+package service
+
+import (
+	"crypto/tls"
+	"fmt"
+	"log"
+	"strings"
+
+	"github.com/go-ldap/ldap/v3"
+	"github.com/stonith404/pocket-id/backend/internal/dto"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"gorm.io/gorm"
+)
+
+type LdapService struct {
+	db               *gorm.DB
+	appConfigService *AppConfigService
+	userService      *UserService
+	groupService     *UserGroupService
+}
+
+func NewLdapService(db *gorm.DB, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
+	return &LdapService{db: db, appConfigService: appConfigService, userService: userService, groupService: groupService}
+}
+
+func (s *LdapService) createClient() (*ldap.Conn, error) {
+	if s.appConfigService.DbConfig.LdapEnabled.Value != "true" {
+		return nil, fmt.Errorf("LDAP is not enabled")
+	}
+	// Setup LDAP connection
+	ldapURL := s.appConfigService.DbConfig.LdapUrl.Value
+	skipTLSVerify := s.appConfigService.DbConfig.LdapSkipCertVerify.Value == "true"
+	client, err := ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: skipTLSVerify}))
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to LDAP: %w", err)
+	}
+
+	// Bind as service account
+	bindDn := s.appConfigService.DbConfig.LdapBindDn.Value
+	bindPassword := s.appConfigService.DbConfig.LdapBindPassword.Value
+	err = client.Bind(bindDn, bindPassword)
+	if err != nil {
+		return nil, fmt.Errorf("failed to bind to LDAP: %w", err)
+	}
+	return client, nil
+}
+
+func (s *LdapService) SyncAll() error {
+	err := s.SyncUsers()
+	if err != nil {
+		return fmt.Errorf("failed to sync users: %w", err)
+	}
+
+	err = s.SyncGroups()
+	if err != nil {
+		return fmt.Errorf("failed to sync groups: %w", err)
+	}
+
+	return nil
+}
+
+func (s *LdapService) SyncGroups() error {
+	// Setup LDAP connection
+	client, err := s.createClient()
+	if err != nil {
+		return fmt.Errorf("failed to create LDAP client: %w", err)
+	}
+	defer client.Close()
+
+	baseDN := s.appConfigService.DbConfig.LdapBase.Value
+	nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
+	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
+	filter := "(objectClass=groupOfUniqueNames)"
+
+	searchAttrs := []string{
+		nameAttribute,
+		uniqueIdentifierAttribute,
+		"member",
+	}
+
+	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+	result, err := client.Search(searchReq)
+	if err != nil {
+		return fmt.Errorf("failed to query LDAP: %w", err)
+	}
+
+	// Create a mapping for groups that exist
+	ldapGroupIDs := make(map[string]bool)
+
+	for _, value := range result.Entries {
+		var usersToAddDto dto.UserGroupUpdateUsersDto
+		var membersUserId []string
+
+		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
+		ldapGroupIDs[ldapId] = true
+
+		// Try to find the group in the database
+		var databaseGroup model.UserGroup
+		s.db.Where("ldap_id = ?", ldapId).First(&databaseGroup)
+
+		// Get group members and add to the correct Group
+		groupMembers := value.GetAttributeValues("member")
+		for _, member := range groupMembers {
+			// Normal output of this would be CN=username,ou=people,dc=example,dc=com
+			// Splitting at the "=" and "," then just grabbing the username for that string
+			singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0]
+
+			var databaseUser model.User
+			s.db.Where("username = ?", singleMember).First(&databaseUser)
+			membersUserId = append(membersUserId, databaseUser.ID)
+		}
+
+		syncGroup := dto.UserGroupCreateDto{
+			Name:         value.GetAttributeValue(nameAttribute),
+			FriendlyName: value.GetAttributeValue(nameAttribute),
+			LdapID:       value.GetAttributeValue(uniqueIdentifierAttribute),
+		}
+
+		usersToAddDto = dto.UserGroupUpdateUsersDto{
+			UserIDs: membersUserId,
+		}
+
+		if databaseGroup.ID == "" {
+			newGroup, err := s.groupService.Create(syncGroup)
+			if err != nil {
+				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+			} else {
+				if _, err = s.groupService.UpdateUsers(newGroup.ID, usersToAddDto); err != nil {
+					log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+				}
+			}
+		} else {
+			_, err = s.groupService.Update(databaseGroup.ID, syncGroup, true)
+			_, err = s.groupService.UpdateUsers(databaseGroup.ID, usersToAddDto)
+			if err != nil {
+				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+				return err
+			}
+
+		}
+
+	}
+
+	// Get all LDAP groups from the database
+	var ldapGroupsInDb []model.UserGroup
+	if err := s.db.Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
+		fmt.Println(fmt.Errorf("failed to fetch groups from database: %v", err))
+	}
+
+	// Delete groups that no longer exist in LDAP
+	for _, group := range ldapGroupsInDb {
+		if _, exists := ldapGroupIDs[*group.LdapID]; !exists {
+			if err := s.db.Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).Error; err != nil {
+				log.Printf("Failed to delete group %s with: %v", group.Name, err)
+			} else {
+				log.Printf("Deleted group %s", group.Name)
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *LdapService) SyncUsers() error {
+	// Setup LDAP connection
+	client, err := s.createClient()
+	if err != nil {
+		return fmt.Errorf("failed to create LDAP client: %w", err)
+	}
+	defer client.Close()
+
+	baseDN := s.appConfigService.DbConfig.LdapBase.Value
+	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeUserUniqueIdentifier.Value
+	usernameAttribute := s.appConfigService.DbConfig.LdapAttributeUserUsername.Value
+	emailAttribute := s.appConfigService.DbConfig.LdapAttributeUserEmail.Value
+	firstNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserFirstName.Value
+	lastNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserLastName.Value
+	adminGroupAttribute := s.appConfigService.DbConfig.LdapAttributeAdminGroup.Value
+
+	filter := "(objectClass=person)"
+
+	searchAttrs := []string{
+		"memberOf",
+		"sn",
+		"cn",
+		uniqueIdentifierAttribute,
+		usernameAttribute,
+		emailAttribute,
+		firstNameAttribute,
+		lastNameAttribute,
+	}
+
+	// Filters must start and finish with ()!
+	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+
+	result, err := client.Search(searchReq)
+	if err != nil {
+		fmt.Println(fmt.Errorf("failed to query LDAP: %w", err))
+	}
+
+	// Create a mapping for users that exist
+	ldapUserIDs := make(map[string]bool)
+
+	for _, value := range result.Entries {
+		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
+		ldapUserIDs[ldapId] = true
+
+		// Get the user from the database
+		var databaseUser model.User
+		s.db.Where("ldap_id = ?", ldapId).First(&databaseUser)
+
+		// Check if user is admin by checking if they are in the admin group
+		isAdmin := false
+		for _, group := range value.GetAttributeValues("memberOf") {
+			if strings.Contains(group, adminGroupAttribute) {
+				isAdmin = true
+			}
+		}
+
+		newUser := dto.UserCreateDto{
+			Username:  value.GetAttributeValue(usernameAttribute),
+			Email:     value.GetAttributeValue(emailAttribute),
+			FirstName: value.GetAttributeValue(firstNameAttribute),
+			LastName:  value.GetAttributeValue(lastNameAttribute),
+			IsAdmin:   isAdmin,
+			LdapID:    ldapId,
+		}
+
+		if databaseUser.ID == "" {
+			_, err = s.userService.CreateUser(newUser)
+			if err != nil {
+				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+			}
+		} else {
+			_, err = s.userService.UpdateUser(databaseUser.ID, newUser, false, true)
+			if err != nil {
+				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+			}
+
+		}
+
+	}
+
+	// Get all LDAP users from the database
+	var ldapUsersInDb []model.User
+	if err := s.db.Find(&ldapUsersInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
+		fmt.Println(fmt.Errorf("failed to fetch users from database: %v", err))
+	}
+
+	// Delete users that no longer exist in LDAP
+	for _, user := range ldapUsersInDb {
+		if _, exists := ldapUserIDs[*user.LdapID]; !exists {
+			if err := s.db.Delete(&model.User{}, "ldap_id = ?", user.LdapID).Error; err != nil {
+				log.Printf("Failed to delete user %s with: %v", user.Username, err)
+			} else {
+				log.Printf("Deleted user %s", user.Username)
+			}
+		}
+	}
+	return nil
+}

backend/internal/service/oidc_service.go

@@ -14,7 +14,7 @@ import (
 	"gorm.io/gorm"
 	"mime/multipart"
 	"os"
-	"slices"
+	"regexp"
 	"strings"
 	"time"
 )
@@ -167,7 +167,7 @@ func (s *OidcService) GetClient(clientID string) (model.OidcClient, error) {
 	return client, nil
 }
 
-func (s *OidcService) ListClients(searchTerm string, page int, pageSize int) ([]model.OidcClient, utils.PaginationResponse, error) {
+func (s *OidcService) ListClients(searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.OidcClient, utils.PaginationResponse, error) {
 	var clients []model.OidcClient
 
 	query := s.db.Preload("CreatedBy").Model(&model.OidcClient{})
@@ -176,7 +176,7 @@ func (s *OidcService) ListClients(searchTerm string, page int, pageSize int) ([]
 		query = query.Where("name LIKE ?", searchPattern)
 	}
 
-	pagination, err := utils.Paginate(page, pageSize, query, &clients)
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &clients)
 	if err != nil {
 		return nil, utils.PaginationResponse{}, err
 	}
@@ -432,8 +432,16 @@ func (s *OidcService) getCallbackURL(client model.OidcClient, inputCallbackURL s
 	if inputCallbackURL == "" {
 		return client.CallbackURLs[0], nil
 	}
-	if slices.Contains(client.CallbackURLs, inputCallbackURL) {
-		return inputCallbackURL, nil
+
+	for _, callbackPattern := range client.CallbackURLs {
+		regexPattern := strings.ReplaceAll(regexp.QuoteMeta(callbackPattern), `\*`, ".*") + "$"
+		matched, err := regexp.MatchString(regexPattern, inputCallbackURL)
+		if err != nil {
+			return "", err
+		}
+		if matched {
+			return inputCallbackURL, nil
+		}
 	}
 
 	return "", &common.OidcInvalidCallbackURLError{}

backend/internal/service/user_group_service.go

@@ -17,14 +17,26 @@ func NewUserGroupService(db *gorm.DB) *UserGroupService {
 	return &UserGroupService{db: db}
 }
 
-func (s *UserGroupService) List(name string, page int, pageSize int) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
+func (s *UserGroupService) List(name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
 	query := s.db.Preload("CustomClaims").Model(&model.UserGroup{})
 
 	if name != "" {
 		query = query.Where("name LIKE ?", "%"+name+"%")
 	}
 
-	response, err = utils.Paginate(page, pageSize, query, &groups)
+	// As userCount is not a column we need to manually sort it
+	isValidSortDirection := sortedPaginationRequest.Sort.Direction == "asc" || sortedPaginationRequest.Sort.Direction == "desc"
+	if sortedPaginationRequest.Sort.Column == "userCount" && isValidSortDirection {
+		query = query.Select("user_groups.*, COUNT(user_groups_users.user_id)").
+			Joins("LEFT JOIN user_groups_users ON user_groups.id = user_groups_users.user_group_id").
+			Group("user_groups.id").
+			Order("COUNT(user_groups_users.user_id) " + sortedPaginationRequest.Sort.Direction)
+
+		response, err := utils.Paginate(sortedPaginationRequest.Pagination.Page, sortedPaginationRequest.Pagination.Limit, query, &groups)
+		return groups, response, err
+	}
+
+	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &groups)
 	return groups, response, err
 }
 
@@ -39,6 +51,10 @@ func (s *UserGroupService) Delete(id string) error {
 		return err
 	}
 
+	if group.LdapID != nil {
+		return &common.LdapUserGroupUpdateError{}
+	}
+
 	return s.db.Delete(&group).Error
 }
 
@@ -48,6 +64,10 @@ func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.Use
 		Name:         input.Name,
 	}
 
+	if input.LdapID != "" {
+		group.LdapID = &input.LdapID
+	}
+
 	if err := s.db.Preload("Users").Create(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			return model.UserGroup{}, &common.AlreadyInUseError{Property: "name"}
@@ -57,14 +77,19 @@ func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.Use
 	return group, nil
 }
 
-func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
+func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto, allowLdapUpdate bool) (group model.UserGroup, err error) {
 	group, err = s.Get(id)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 
+	if group.LdapID != nil && !allowLdapUpdate {
+		return model.UserGroup{}, &common.LdapUserGroupUpdateError{}
+	}
+
 	group.Name = input.Name
 	group.FriendlyName = input.FriendlyName
+	group.LdapID = &input.LdapID
 
 	if err := s.db.Preload("Users").Save(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {

backend/internal/service/user_service.go

@@ -2,12 +2,17 @@ package service
 
 import (
 	"errors"
+	"fmt"
 	"github.com/stonith404/pocket-id/backend/internal/common"
 	"github.com/stonith404/pocket-id/backend/internal/dto"
 	"github.com/stonith404/pocket-id/backend/internal/model"
 	"github.com/stonith404/pocket-id/backend/internal/model/types"
 	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	"gorm.io/gorm"
+	"log"
+	"net/url"
+	"strings"
 	"time"
 )
 
@@ -15,13 +20,14 @@ type UserService struct {
 	db              *gorm.DB
 	jwtService      *JwtService
 	auditLogService *AuditLogService
+	emailService    *EmailService
 }
 
-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService) *UserService {
-	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService}
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService) *UserService {
+	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService}
 }
 
-func (s *UserService) ListUsers(searchTerm string, page int, pageSize int) ([]model.User, utils.PaginationResponse, error) {
+func (s *UserService) ListUsers(searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
 	var users []model.User
 	query := s.db.Model(&model.User{})
 
@@ -30,7 +36,7 @@ func (s *UserService) ListUsers(searchTerm string, page int, pageSize int) ([]mo
 		query = query.Where("email LIKE ? OR first_name LIKE ? OR username LIKE ?", searchPattern, searchPattern, searchPattern)
 	}
 
-	pagination, err := utils.Paginate(page, pageSize, query, &users)
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &users)
 	return users, pagination, err
 }
 
@@ -46,6 +52,10 @@ func (s *UserService) DeleteUser(userID string) error {
 		return err
 	}
 
+	if user.LdapID != nil {
+		return &common.LdapUserUpdateError{}
+	}
+
 	return s.db.Delete(&user).Error
 }
 
@@ -57,6 +67,10 @@ func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
 		Username:  input.Username,
 		IsAdmin:   input.IsAdmin,
 	}
+	if input.LdapID != "" {
+		user.LdapID = &input.LdapID
+	}
+
 	if err := s.db.Create(&user).Error; err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			return model.User{}, s.checkDuplicatedFields(user)
@@ -66,11 +80,16 @@ func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
 	return user, nil
 }
 
-func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, updateOwnUser bool) (model.User, error) {
+func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, allowLdapUpdate bool) (model.User, error) {
 	var user model.User
 	if err := s.db.Where("id = ?", userID).First(&user).Error; err != nil {
 		return model.User{}, err
 	}
+
+	if user.LdapID != nil && !allowLdapUpdate {
+		return model.User{}, &common.LdapUserUpdateError{}
+	}
+
 	user.FirstName = updatedUser.FirstName
 	user.LastName = updatedUser.LastName
 	user.Email = updatedUser.Email
@@ -89,7 +108,46 @@ func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, u
 	return user, nil
 }
 
-func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Time, ipAddress, userAgent string) (string, error) {
+func (s *UserService) RequestOneTimeAccessEmail(emailAddress, redirectPath string) error {
+	var user model.User
+	if err := s.db.Where("email = ?", emailAddress).First(&user).Error; err != nil {
+		// Do not return error if user not found to prevent email enumeration
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil
+		} else {
+			return err
+		}
+	}
+
+	oneTimeAccessToken, err := s.CreateOneTimeAccessToken(user.ID, time.Now().Add(time.Hour))
+	if err != nil {
+		return err
+	}
+
+	link := fmt.Sprintf("%s/login/%s", common.EnvConfig.AppURL, oneTimeAccessToken)
+
+	// Add redirect path to the link
+	if strings.HasPrefix(redirectPath, "/") {
+		encodedRedirectPath := url.QueryEscape(redirectPath)
+		link = fmt.Sprintf("%s?redirect=%s", link, encodedRedirectPath)
+	}
+
+	go func() {
+		err := SendEmail(s.emailService, email.Address{
+			Name:  user.Username,
+			Email: user.Email,
+		}, OneTimeAccessTemplate, &OneTimeAccessTemplateData{
+			Link: link,
+		})
+		if err != nil {
+			log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+		}
+	}()
+
+	return nil
+}
+
+func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Time) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(16)
 	if err != nil {
 		return "", err
@@ -105,12 +163,10 @@ func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Tim
 		return "", err
 	}
 
-	s.auditLogService.Create(model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
-
 	return oneTimeAccessToken.Token, nil
 }
 
-func (s *UserService) ExchangeOneTimeAccessToken(token string) (model.User, string, error) {
+func (s *UserService) ExchangeOneTimeAccessToken(token string, ipAddress, userAgent string) (model.User, string, error) {
 	var oneTimeAccessToken model.OneTimeAccessToken
 	if err := s.db.Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).Preload("User").First(&oneTimeAccessToken).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -127,6 +183,10 @@ func (s *UserService) ExchangeOneTimeAccessToken(token string) (model.User, stri
 		return model.User{}, "", err
 	}
 
+	if ipAddress != "" && userAgent != "" {
+		s.auditLogService.Create(model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, oneTimeAccessToken.User.ID, model.AuditLogData{})
+	}
+
 	return oneTimeAccessToken.User, accessToken, nil
 }
 

backend/internal/utils/cookie/add_cookie.go

@@ -0,0 +1,13 @@
+package cookie
+
+import (
+	"github.com/gin-gonic/gin"
+)
+
+func AddAccessTokenCookie(c *gin.Context, maxAgeInSeconds int, token string) {
+	c.SetCookie(AccessTokenCookieName, token, maxAgeInSeconds, "/", "", true, true)
+}
+
+func AddSessionIdCookie(c *gin.Context, maxAgeInSeconds int, sessionID string) {
+	c.SetCookie(SessionIdCookieName, sessionID, maxAgeInSeconds, "/", "", true, true)
+}

backend/internal/utils/cookie/cookie_names.go

@@ -0,0 +1,16 @@
+package cookie
+
+import (
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"strings"
+)
+
+var AccessTokenCookieName = "__Host-access_token"
+var SessionIdCookieName = "__Host-session"
+
+func init() {
+	if strings.HasPrefix(common.EnvConfig.AppURL, "http://") {
+		AccessTokenCookieName = "access_token"
+		SessionIdCookieName = "session"
+	}
+}

backend/internal/utils/email/email_service_templates.go

@@ -9,8 +9,6 @@ import (
 	ttemplate "text/template"
 )
 
-const templateComponentsDir = "components"
-
 type Template[V any] struct {
 	Path  string
 	Title func(data *TemplateData[V]) string

backend/internal/utils/paging_util.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"gorm.io/gorm"
+	"reflect"
 )
 
 type PaginationResponse struct {
@@ -11,7 +12,36 @@ type PaginationResponse struct {
 	ItemsPerPage int   `json:"itemsPerPage"`
 }
 
-func Paginate(page int, pageSize int, db *gorm.DB, result interface{}) (PaginationResponse, error) {
+type SortedPaginationRequest struct {
+	Pagination struct {
+		Page  int `form:"pagination[page]"`
+		Limit int `form:"pagination[limit]"`
+	} `form:"pagination"`
+	Sort struct {
+		Column    string `form:"sort[column]"`
+		Direction string `form:"sort[direction]"`
+	} `form:"sort"`
+}
+
+func PaginateAndSort(sortedPaginationRequest SortedPaginationRequest, query *gorm.DB, result interface{}) (PaginationResponse, error) {
+	pagination := sortedPaginationRequest.Pagination
+	sort := sortedPaginationRequest.Sort
+
+	capitalizedSortColumn := CapitalizeFirstLetter(sort.Column)
+
+	sortField, sortFieldFound := reflect.TypeOf(result).Elem().Elem().FieldByName(capitalizedSortColumn)
+	isSortable := sortField.Tag.Get("sortable") == "true"
+	isValidSortOrder := sort.Direction == "asc" || sort.Direction == "desc"
+
+	if sortFieldFound && isSortable && isValidSortOrder {
+		query = query.Order(CamelCaseToSnakeCase(sort.Column) + " " + sort.Direction)
+	}
+
+	return Paginate(pagination.Page, pagination.Limit, query, result)
+
+}
+
+func Paginate(page int, pageSize int, query *gorm.DB, result interface{}) (PaginationResponse, error) {
 	if page < 1 {
 		page = 1
 	}
@@ -25,16 +55,21 @@ func Paginate(page int, pageSize int, db *gorm.DB, result interface{}) (Paginati
 	offset := (page - 1) * pageSize
 
 	var totalItems int64
-	if err := db.Count(&totalItems).Error; err != nil {
+	if err := query.Count(&totalItems).Error; err != nil {
 		return PaginationResponse{}, err
 	}
 
-	if err := db.Offset(offset).Limit(pageSize).Find(result).Error; err != nil {
+	if err := query.Offset(offset).Limit(pageSize).Find(result).Error; err != nil {
 		return PaginationResponse{}, err
 	}
 
+	totalPages := (totalItems + int64(pageSize) - 1) / int64(pageSize)
+	if totalItems == 0 {
+		totalPages = 1
+	}
+
 	return PaginationResponse{
-		TotalPages:   (totalItems + int64(pageSize) - 1) / int64(pageSize),
+		TotalPages:   totalPages,
 		TotalItems:   totalItems,
 		CurrentPage:  page,
 		ItemsPerPage: pageSize,

backend/internal/utils/string_util.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"math/big"
 	"net/url"
+	"unicode"
 )
 
 // GenerateRandomAlphanumericString generates a random alphanumeric string of the given length
@@ -41,3 +42,23 @@ func GetHostnameFromURL(rawURL string) string {
 func StringPointer(s string) *string {
 	return &s
 }
+
+func CapitalizeFirstLetter(s string) string {
+	if s == "" {
+		return s
+	}
+	runes := []rune(s)
+	runes[0] = unicode.ToUpper(runes[0])
+	return string(runes)
+}
+
+func CamelCaseToSnakeCase(s string) string {
+	var result []rune
+	for i, r := range s {
+		if unicode.IsUpper(r) && i > 0 {
+			result = append(result, '_')
+		}
+		result = append(result, unicode.ToLower(r))
+	}
+	return string(result)
+}

backend/resources/email-templates/components/style_html.tmpl

@@ -76,5 +76,20 @@
     font-size: 1rem;
     line-height: 1.5;
   }
+  .button {
+      border-radius: 0.375rem;
+      font-size: 1rem;
+      font-weight: 500;
+      background-color: #000000;
+      color: #ffffff;
+      padding: 0.7rem 1.5rem;
+      outline: none;
+      border: none;
+      text-decoration: none;
+  }
+  .button-container {
+    text-align: center;
+    margin-top: 24px;
+  }
 </style>
 {{ end }}

backend/resources/email-templates/login-with-new-device_html.tmpl

@@ -1,7 +1,7 @@
 {{ define "base" }}
     <div class="header">
         <div class="logo">
-            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
+            <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
             <h1>{{ .AppName }}</h1>
         </div>
         <div class="warning">Warning</div>

backend/resources/email-templates/one-time-access_html.tmpl

@@ -0,0 +1,17 @@
+{{ define "base" }}
+    <div class="header">
+        <div class="logo">
+            <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
+            <h1>{{ .AppName }}</h1>
+        </div>
+    </div>
+    <div class="content">
+        <h2>One-Time Access</h2>
+        <p class="message">
+            Click the button below to sign in to {{ .AppName }} with a one-time access link. This link expires in 15 minutes.
+        </p>
+        <div class="button-container">
+            <a class="button" href="{{ .Data.Link }}" class="button">Sign In</a>
+        </div>
+    </div>
+{{ end -}}

backend/resources/email-templates/one-time-access_text.tmpl

@@ -0,0 +1,8 @@
+{{ define "base" -}}
+One-Time Access
+====================
+
+Click the link below to sign in to {{ .AppName }} with a one-time access link. This link expires in 15 minutes.
+
+{{ .Data.Link }}
+{{ end -}}

backend/resources/email-templates/test_html.tmpl

@@ -1,7 +1,7 @@
 {{ define "base" -}}
     <div class="header">
         <div class="logo">
-            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
+            <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
             <h1>{{ .AppName }}</h1>
         </div>
     </div>

backend/resources/images/logoDark.svg

@@ -1,3 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="white" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015"><path fill="#fff" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/></svg>

backend/resources/images/logoLight.svg

@@ -1,3 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="black" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015"><path fill="#000" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/></svg>

backend/resources/migrations/postgres/20250117164229_ldap.down.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users
+DROP COLUMN ldap_id;
+
+ALTER TABLE user_groups
+DROP COLUMN ldap_id;

backend/resources/migrations/postgres/20250117164229_ldap.up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN ldap_id TEXT;
+ALTER TABLE user_groups ADD COLUMN ldap_id TEXT;
+
+CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
+CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);

backend/resources/migrations/postgres/20250118180712_rename_email_config_variable.down.sql

@@ -0,0 +1 @@
+UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';

backend/resources/migrations/postgres/20250118180712_rename_email_config_variable.up.sql

@@ -0,0 +1 @@
+UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';

backend/resources/migrations/postgres/20250120102531_fix_empy_ldap_id_string.down.sql

@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;

backend/resources/migrations/postgres/20250120102531_fix_empy_ldap_id_string.up.sql

@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';

backend/resources/migrations/sqlite/20250115155817_ldap.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users DROP COLUMN ldap_id;
+ALTER TABLE user_groups DROP COLUMN ldap_id;

backend/resources/migrations/sqlite/20250115155817_ldap.up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE users ADD COLUMN ldap_id TEXT;
+ALTER TABLE user_groups ADD COLUMN ldap_id TEXT;
+
+CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
+CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.down.sql

@@ -0,0 +1 @@
+UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.up.sql

@@ -0,0 +1 @@
+UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';

backend/resources/migrations/sqlite/20250120102531_fix_empy_ldap_id_string.down.sql

@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;

backend/resources/migrations/sqlite/20250120102531_fix_empy_ldap_id_string.up.sql

@@ -0,0 +1,2 @@
+UPDATE users SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';

docs/docs/client-examples/cloudflare-zero-trust.md

@@ -0,0 +1,26 @@
+---
+id: cloudflare-zero-trust
+---
+# Cloudflare Zero Trust
+
+**Note: Cloudflare will need to be able to reach your Pocket ID instance and vice versa for this to work correctly**
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Cloudflare Zero Trust`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
+4. Copy the Client ID, Client Secret, Authorization URL, Token URL, and Certificate URL for the next steps.
+
+## Cloudflare Zero Trust Setup
+
+1. Login to Cloudflare Zero Trust [Dashboard](https://one.dash.cloudflare.com/).
+2. Navigate to Settings > Authentication > Login Methods.
+3. Click `Add New` under login methods.
+4. Create a name for the new login method.
+5. Paste in the `Client ID` from Pocket ID into the `App ID` field.
+6. Paste the `Client Secret` from Pocket ID into the `Client Secret` field.
+7. Paste the `Authorization URL` from Pocket ID into the `Auth URL` field.
+8. Paste the `Token URL` from Pocket ID into the `Token URL` field.
+9. Paste the `Certificate URL` from Pocket ID into the `Certificate URL` field.
+10. Save the new login method and test to make sure it works with cloudflare.

docs/docs/client-examples/grist.md

@@ -0,0 +1,22 @@
+---
+id: grist
+---
+
+# Grist
+
+## Pocket ID Setup
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Grist`
+2. Set the callback url to: `https://<Grist Host>/oauth2/callback`
+3. In Grist (Docker/Docker Compose/etc), set these environment variables:
+
+```ini
+GRIST_OIDC_IDP_ISSUER="https://<Pocket ID Host>/.well-known/openid-configuration"
+GRIST_OIDC_IDP_CLIENT_ID="<Client ID from the OIDC Client created in Pocket ID>"
+GRIST_OIDC_IDP_CLIENT_SECRET="<Client Secret from the OIDC Client created in Pocket ID>"
+GRIST_OIDC_SP_HOST="https://<Grist Host>"
+GRIST_OIDC_IDP_SCOPES="openid email profile"  # Default
+GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true  # Default=false, needs to be true for Pocket Id b/c end_session_endpoint is not implemented
+GRIST_OIDC_IDP_END_SESSION_ENDPOINT="https://<Pocket ID Host>/api/webauthn/logout" # Only set this if GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=false and you need to define a custom endpoint
+```
+4. Also ensure that the `GRIST_DEFAULT_EMAIL` env variable is set to the same email address as your user profile within Pocket ID
+5. Start/Restart Grist

docs/docs/client-examples/hoarder.md

@@ -0,0 +1,25 @@
+---
+id: hoarder
+---
+
+# Hoarder
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Hoarder`
+2. Set the callback url to: `https://<your-hoarder-subdomain>.<your-domain>/api/auth/callback/custom`
+3. Open your `.env` file from your Hoarder compose and add these lines:
+
+```ini
+  OAUTH_WELLKNOWN_URL = https://<your-pocket-id-subdomain>.<your-domain>/.well-known/openid-configuration
+  OAUTH_CLIENT_SECRET = <client secret from the created OIDC client>
+  OAUTH_CLIENT_ID = <client id from the created OIDC client>
+  OAUTH_PROVIDER_NAME = Pocket-Id
+  NEXTAUTH_URL = https:///<your-hoarder-subdomain>.<your-domain>
+
+```
+
+4. Optional: If you like to disable password authentication and link your existing hoarder account with your pocket-id identity
+
+```ini
+  DISABLE_PASSWORD_AUTH	= true
+  OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = true
+```

docs/docs/client-examples/jellyfin.md

@@ -1,15 +1,21 @@
-# Jellyfin SSO Integration Guide
+---
+id: jellyfin
+---
+
+# Jellyfin
 
 > Due to the current limitations of the Jellyfin SSO plugin, this integration will only work in a browser. When tested, the Jellyfin app did not work and displayed an error, even when custom menu buttons were created.
 
 > To view the original references and a full list of capabilities, please visit the [Jellyfin SSO OpenID Section](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#openid).
 
-### Requirements
+## Requirements
+
 - [Jellyfin Server](https://jellyfin.org/downloads/server)
 - [Jellyfin SSO Plugin](https://github.com/9p4/jellyfin-plugin-sso)
 - HTTPS connection to your Jellyfin server
 
-### OIDC - Pocket ID Setup
+## OIDC - Pocket ID Setup
+
 To start, we need to create a new SSO resource in our Jellyfin application.
 
 > Replace the `JELLYFINDOMAIN` and `PROVIDER` elements in the URL.
@@ -20,32 +26,34 @@ To start, we need to create a new SSO resource in our Jellyfin application.
 4. For this example, we’ll be using the provider named "test_resource."
 5. Click **Save**. Keep the page open, as we will need the OID client ID and OID secret.
 
-### OIDC Client - Jellyfin SSO Resource
+## OIDC Client - Jellyfin SSO Resource
 
 1. Visit the plugin page (<i>Administration Dashboard -> My Plugins -> SSO-Auth</i>).
 2. Enter the <i>OID Provider Name (we used "test_resource" as our name in the callback URL), Open ID, OID Secret, and mark it as enabled.</i>
 3. The following steps are optional based on your needs. In this guide, we’ll be managing only regular users, not admins.
 
-![img.png](imgs/jelly_fin_img.png)
+![img.png](imgs/jellyfin_img.png)
 
 > To manage user access through groups, follow steps **4, 5, and 6**. Otherwise, leave it blank and skip to step 7.
 
-![img2.png](imgs/jelly_fin_img2.png)
+![img2.png](imgs/jellyfin_img2.png)
 
 4. Under <i>Roles</i>, type the name of the group you want to use. **Note:** This must be the group name, not the label. Double-check in Pocket ID, as an incorrect name will lock users out.
 5. Skip every field until you reach the **Role Claim** field, and type `groups`.
    > This step is crucial if you want to manage users through groups.
 6. Repeat the above step under **Request Additional Scopes**. This will pull the group scope during the sign-in process; otherwise, the previous steps won’t work.
 
-![img3.png](imgs/jelly_fin_img3.png)
+![img3.png](imgs/jellyfin_img3.png)
 
 7. Skip the remaining fields until you reach **Scheme Override**. Enter `https` here. If omitted, it will attempt to use HTTP first, which will break as WebAuthn requires an HTTPS connection.
 8. Click **Save** and restart Jellyfin.
 
-### Optional Step - Custom Home Button
+## Optional Step - Custom Home Button
+
 Follow the [guide to create a login button on the login page](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#creating-a-login-button-on-the-main-page) to add a custom button on your sign-in page. This step is optional, as you could also provide the sign-in URL via a bookmark or other means.
 
-### Signing into Your Jellyfin Instance
+## Signing into Your Jellyfin Instance
+
 Done! You have successfully set up SSO for your Jellyfin instance using Pocket ID.
 
 > **Note:** Sometimes there may be a brief delay when using the custom menu option. This is related to the Jellyfin plugin and not Pocket ID.

docs/docs/client-examples/netbox.md

@@ -0,0 +1,46 @@
+---
+id: netbox
+---
+
+# Netbox
+
+**This guide does not currently show how to map groups in netbox from OIDC claims**
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- netbox.example.com (The url of your netbox instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Netbox`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://netbox.example.com/oauth/complete/oidc/`.
+4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
+
+## Netbox Setup
+
+This guide assumes you are using the git based install of netbox.
+
+1. On your netbox server navigate to `/opt/netbox/netbox/netbox`
+2. Add the following to your `configuration.py` file:
+
+```python
+# Remote authentication support
+REMOTE_AUTH_ENABLED = True
+REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
+REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
+REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+SOCIAL_AUTH_OIDC_ENDPOINT = 'https://id.example.com'
+SOCIAL_AUTH_OIDC_KEY = '<client id from the first part of this guide>'
+SOCIAL_AUTH_OIDC_SECRET = '<client id from the first part of this guide>'
+LOGOUT_REDIRECT_URL = 'https://netbox.example.com'
+```
+
+3. Save the file and restart netbox: `sudo systemctl start netbox netbox-rq`

docs/docs/client-examples/open-webui.md

@@ -0,0 +1,17 @@
+---
+id: open-webui
+---
+
+# Open WebUI
+
+1. In Pocket-ID, create a new OIDC Client, name it i.e. `Open WebUI`.
+2. Set the callback URL to: `https://openwebui.domain/oauth/oidc/callback`
+3. Add the following to your docker `.env` file for Open WebUI:
+
+```ini
+  ENABLE_OAUTH_SIGNUP=true
+  OAUTH_CLIENT_ID=<client id from pocket ID>
+  OAUTH_CLIENT_SECRET=<client secret from pocket ID>
+  OAUTH_PROVIDER_NAME=Pocket ID
+  OPENID_PROVIDER_URL=https://<your pocket id url>/.well-known/openid-configuration
+```

docs/docs/client-examples/pgadmin.md

@@ -0,0 +1,42 @@
+---
+id: pgadmin
+---
+
+# pgAdmin
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- pgadmin.example.com (The url of your pgAdmin instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `pgAdmin`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://pgadmin.example.com/oauth2/authorize`.
+4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, `Token URL`, and `OIDC Discovery URL` for use in the next steps.
+
+# pgAdmin Setup
+
+1. Add the following to the `config_local.py` file for pgAdmin:
+
+**Make sure to replace https://id.example.com with your actual Pocket ID URL**
+
+```python
+AUTHENTICATION_SOURCES = ['oauth2', 'internal'] # This keeps internal authentication enabled as well as oauth2
+OAUTH2_AUTO_CREATE_USER = True
+OAUTH2_CONFIG = [{
+        'OAUTH2_NAME' : 'pocketid',
+        'OAUTH2_DISPLAY_NAME' : 'Pocket ID',
+        'OAUTH2_CLIENT_ID' : '<client id from the earlier step>',
+        'OAUTH2_CLIENT_SECRET' : '<client secret from the earlier step>',
+        'OAUTH2_TOKEN_URL' : 'https://id.example.com/api/oidc/token',
+        'OAUTH2_AUTHORIZATION_URL' : 'https://id.example/authorize',
+        'OAUTH2_API_BASE_URL' : 'https://id.example.com',
+        'OAUTH2_USERINFO_ENDPOINT' : 'https://id.example.com/api/oidc/userinfo',
+        'OAUTH2_SERVER_METADATA_URL' : 'https://id.example.com/.well-known/openid-configuration',
+        'OAUTH2_SCOPE' : 'openid email profile',
+        'OAUTH2_ICON' : 'fa-openid',
+        'OAUTH2_BUTTON_COLOR' : '#fd4b2d' # Can select any color you would like here.
+}]
+```

docs/docs/client-examples/portainer.md

@@ -0,0 +1,38 @@
+---
+id: portainer
+---
+
+# Portainer
+
+**This requires Portainers Business Edition**
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- portainer.example.com (The url of your Portainer instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Portainer`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://portainer.example.com/`.
+4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, and `Token URL` for use in the next steps.
+
+# Portainer Setup
+
+- While initally setting up OAuth in Portainer, its recommended to keep the `Hide internal authentication prompt` set to `Off` incase you need a fallback login
+- This guide does **NOT** cover how to setup group claims in Portainer.
+
+1. Open the Portainer web interface and navigate to: `Settings > Authentication`
+2. Select `Custom OAuth Provider`
+3. Paste the `Client ID` from Pocket ID into the `Client ID` field in Portainer.
+4. Paste the `Client Secret` from Pocket ID into the `Client Secret` field in Portainer.
+5. Paste the `Authorization URL` from Pocket ID into the `Authorization URL` field in Portainer.
+6. Paste the `Token URL` from Pocket ID into the `Access token URL` field in Portainer.
+7. Paste the `Userinfo URL` from Pocket ID into the `Resource URL` field in Portainer.
+8. Set the `Redirect URL` to `https://portainer.example.com`
+9. Set the `Logout URL` to `https://portainer.example.com`
+10. Set the `User identifier` field to `preferred_username`. (This will use the users username vs the email)
+11. Set the `Scopes` field to: `email openid profile`
+12. Set `Auth Style` to `Auto detect`
+13. Save the settings and test the new OAuth Login.

docs/docs/client-examples/proxmox.md

@@ -0,0 +1,30 @@
+---
+id: proxmox
+---
+
+# Proxmox
+
+The following example variables are used, and should be replaced with your actual URLS.
+
+- proxmox.example.com (The url of your proxmox instance.)
+- id.example.com (The url of your Pocket ID instance.)
+
+## Pocket ID Setup
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Proxmox`.
+2. Set a logo for this OIDC Client if you would like too.
+3. Set the callback URL to: `https://proxmox.example.com`.
+4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
+
+## Proxmox Setup
+
+1. Open the Proxmox Console and navigate to: `Datacenter - Realms`
+2. Add a new `Open ID Connect Server` Realm
+3. Enter `https://id.example.com` for the `Issuer URL`
+4. Enter a name for the realm of your choice ie. `PocketID`
+5. Paste the `Client ID` from Pocket ID into the `Client ID` field in Proxmox.
+6. Paste the `Client Secret` from Pocket ID into the `Client Key` field in Proxmox.
+7. You can check the `Default` box if you want this to be the deafult realm proxmox uses when signing in.
+8. Check the `Autocreate Users` checkbox. (This will automaitcally create users in Proxmox if they dont exsist.)
+9. Select `username` for the `Username Claim` dropdown (This is personal preference and controls how the username is shown, ie: `username = username@PocketID` or `email = username@example@PocketID`).
+10. Leave the rest as defaults and click `OK` to save the new realm.

docs/docs/client-examples/semaphore-ui.md

@@ -0,0 +1,28 @@
+---
+id: semaphore-ui
+---
+
+# Semaphore UI
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Semaphore UI`.
+2. Set the callback URL to: `https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/`.
+3. Add the following to your `config.json` file for Semaphore UI:
+
+```json
+"oidc_providers": {
+    "pocketid": {
+        "display_name": "Sign in with PocketID",
+        "provider_url": "https://<your-pocket-id-url>",
+        "client_id": "<client-id-from-pocket-id>",
+        "client_secret": "<client-secret-from-pocket-id>",
+        "redirect_url": "https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/",
+        "scopes": [
+            "openid",
+            "profile",
+            "email"
+        ],
+        "username_claim": "email",
+        "name_claim": "given_name"
+    }
+}
+```

docs/docs/client-examples/vikunja.md

@@ -0,0 +1,22 @@
+---
+id: vikunja
+---
+
+# Vikunja
+
+1. In Pocket-ID create a new OIDC Client, name it i.e. `Vikunja`
+2. Set the callback url to: `https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid`
+3. In `Vikunja` ensure to map a config file to your container, see [here](https://vikunja.io/docs/config-options/#using-a-config-file-with-docker-compose)
+4. Add or set the following content to the `config.yml` file:
+
+```yml
+auth:
+  openid:
+    enabled: true
+    redirecturl: https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid
+    providers:
+      - name: Pocket-Id
+        authurl: https://<your-pocket-id-subdomain>.<your-domain>
+        clientid: <client id from the created OIDC client>
+        clientsecret: <client secret from the created OIDC client>
+```

docs/docs/configuration/environment-variables.md

@@ -0,0 +1,25 @@
+---
+id: environment-variables
+---
+
+# Environment Variables
+
+Below are all the environment variables supported by Pocket ID. These should be configured in your `.env ` file. 
+
+Be cautious when modifying environment variables that are not recommended to change.
+
+| Variable                     | Default Value             | Recommended to change | Description                                                                                                                                                                                                                                                                                                                                                               |
+| ---------------------------- | ------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `PUBLIC_APP_URL`             | `http://localhost`        | yes                   | The URL where you will access the app.                                                                                                                                                                                                                                                                                                                                    |
+| `TRUST_PROXY`                | `false`                   | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                                                                                                                                                                                                                |
+| `MAXMIND_LICENSE_KEY`        | `-`                       | yes                   | License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).                                                                |
+| `PUID` and `PGID`            | `1000`                    | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
+| `DB_PROVIDER`                | `sqlite`                  | no                    | The database provider you want to use. Currently `sqlite` and `postgres` are supported.                                                                                                                                                                                                                                                                                   |
+| `SQLITE_DB_PATH`             | `data/pocket-id.db`       | no                    | The path to the SQLite database. This gets ignored if you didn't set `DB_PROVIDER` to `sqlite`.                                                                                                                                                                                                                                                                           |
+| `POSTGRES_CONNECTION_STRING` | `-`                       | no                    | The connection string to your Postgres database. This gets ignored if you didn't set `DB_PROVIDER` to `postgres`. A connection string can look like this: `postgresql://user:password@host:5432/pocket-id`.                                                                                                                                                               |
+| `UPLOAD_PATH`                | `data/uploads`            | no                    | The path where the uploaded files are stored.                                                                                                                                                                                                                                                                                                                             |
+| `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
+| `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
+| `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
+| `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
+| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                            |

docs/docs/configuration/ldap.md

@@ -0,0 +1,40 @@
+---
+id: ldap
+---
+
+# LDAP Synchronization
+
+Pocket ID can sync users and groups from an LDAP Source (lldap, OpenLDAP, Active Directory, etc.).
+
+### LDAP Sync
+
+- The LDAP Service will sync on Pocket ID startup and every hour once enabled from the Web UI.
+- Users or groups synced from LDAP can **NOT** be edited from the Pocket ID Web UI.
+
+### Generic LDAP Setup
+
+1. Follow the installation guide [here](/pocket-id/setup/installation).
+2. Once you have signed in with the initial admin account, navigate to the Application Configuration section at `https://pocket.id/settings/admin/application-configuration`.
+3. Client Configuration Setup
+
+| LDAP Variable      | Example Value                      | Description                                                   |
+| ------------------ | ---------------------------------- | ------------------------------------------------------------- |
+| LDAP URL           | ldaps://ldap.mydomain.com:636      | The URL with port to connect to LDAP                          |
+| LDAP Bind DN       | cn=admin,ou=users,dc=domain,dc=com | The full DN value for the user with search privileges in LDAP |
+| LDAP Bind Password | securepassword                     | The password for the Bind DN account                          |
+| LDAP Search Base   | dc=domain,dc=com                   | The top-level path to search for users and groups             |
+
+<br />
+
+4. LDAP Attribute Configuration Setup
+
+| LDAP Variable                     | Example Value      | Description                                                                      |
+| --------------------------------- | ------------------ | -------------------------------------------------------------------------------- |
+| User Unique Identifier Attribute  | uuid               | The LDAP attribute to uniquely identify the user, **this should never change**   |
+| Username Attribute                | uid                | The LDAP attribute to use as the username of users                               |
+| User Mail Attribute               | mail               | The LDAP attribute to use for the email of users                                 |
+| User First Name Attribute         | givenName          | The LDAP attribute to use for the first name of users                            |
+| User Last Name Attribute          | sn                 | The LDAP attribute to use for the last name of users                             |
+| Group Unique Identifier Attribute | uuid               | The LDAP attribute to uniquely identify the groups, **this should never change** |
+| Group Name Attribute              | uid                | The LDAP attribute to use as the name of synced groups                           |
+| Admin Group Name                  | \_pocket_id_admins | The group name to use for admin permissions for LDAP users                       |

docs/docs/guides/proxy-services.md

@@ -0,0 +1,183 @@
+---
+id: proxy-services
+---
+
+# Proxy Services
+
+The goal of Pocket ID is to function exclusively as an OIDC provider. As such, we don't have a built-in proxy provider. However, you can use other tools that act as a middleware to protect your services and support OIDC as an authentication provider.
+
+There are two ways to do this:
+
+- Implement OIDC into your reverse proxy
+- Use [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/)
+
+## Reverse Proxy
+
+Almost every reverse proxy somehow supports protecting your services with OIDC. Currently only Caddy is documented but you can search on Google for your reverse proxy and OIDC.
+
+We would really appreciate if you contribute to this documentation by adding your reverse proxy and how to configure it with Pocket ID.
+
+### Caddy
+
+With [caddy-security](https://github.com/greenpau/caddy-security) you can easily protect your services with Pocket ID.
+
+#### 1. Create a new OIDC client in Pocket ID.
+
+Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/auth/oauth2/generic/authorization-code-callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
+
+#### 2. Install caddy-security
+
+Run the following command to install caddy-security:
+
+```bash
+caddy add-package github.com/greenpau/caddy-security
+```
+
+#### 3. Create your Caddyfile
+
+```bash
+{
+  	# Port to listen on
+	http_port 443
+
+  	# Configure caddy-security.
+	order authenticate before respond
+	security {
+		oauth identity provider generic {
+			delay_start 3
+			realm generic
+			driver generic
+			client_id client-id-from-pocket-id # Replace with your own client ID
+			client_secret client-secret-from-pocket-id # Replace with your own client secret
+			scopes openid email profile
+			base_auth_url http://localhost
+			metadata_url http://localhost/.well-known/openid-configuration
+		}
+
+		authentication portal myportal {
+			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
+			enable identity provider generic
+			cookie insecure off # Set to "on" if you're not using HTTPS
+
+			transform user {
+				match realm generic
+				action add role user
+			}
+		}
+
+		authorization policy mypolicy {
+			set auth url /auth/oauth2/generic
+			allow roles user
+			inject headers with claims
+		}
+	}
+}
+
+https://<domain-of-your-service> {
+	@auth {
+		path /auth/oauth2/generic
+		path /auth/oauth2/generic/authorization-code-callback
+    }
+
+	route @auth {
+		authenticate with myportal
+	}
+
+	route /* {
+		authorize with mypolicy
+		reverse_proxy http://<service-to-be-proxied>:<port> # Replace with your own service
+	}
+}
+```
+
+For additional configuration options, refer to the official [caddy-security documentation](https://docs.authcrunch.com/docs/intro).
+
+#### 4. Start Caddy
+
+```bash
+caddy run --config Caddyfile
+```
+
+#### 5. Access the service
+
+Your service should now be protected by Pocket ID.
+
+## OAuth2 Proxy
+
+### Docker Installation
+
+#### 1. Add OAuth2 proxy to the service that should be proxied.
+
+To configure OAuth2 Proxy with Pocket ID, you have to add the following service to the service that should be proxied. E.g., if [Uptime Kuma](https://github.com/louislam/uptime-kuma) should be proxied, you can add the following service to the `docker-compose.yml` of Uptime Kuma:
+
+```yaml
+# Example with Uptime Kuma
+# uptime-kuma:
+#  image: louislam/uptime-kuma
+oauth2-proxy:
+  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+  command: --config /oauth2-proxy.cfg
+  volumes:
+    - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
+  ports:
+    - 4180:4180
+```
+
+#### 2. Create a new OIDC client in Pocket ID.
+
+Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/oauth2/callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
+
+#### 3. Create a configuration file for OAuth2 Proxy.
+
+Create a configuration file named `oauth2-proxy.cfg` in the same directory as your `docker-compose.yml` file of the service that should be proxied (e.g. Uptime Kuma). This file will contain the necessary configurations for OAuth2 Proxy to work with Pocket ID.
+
+Here is the recommend `oauth2-proxy.cfg` configuration:
+
+```cfg
+# Replace with your own credentials
+client_id="client-id-from-pocket-id"
+client_secret="client-secret-from-pocket-id"
+oidc_issuer_url="https://<your-pocket-id-domain>"
+
+# Replace with a secure random string
+cookie_secret="random-string"
+
+# Upstream servers (e.g http://uptime-kuma:3001)
+upstreams="http://<service-to-be-proxied>:<port>"
+
+# Additional Configuration
+provider="oidc"
+scope = "openid email profile groups"
+
+# If you are using a reverse proxy in front of OAuth2 Proxy
+reverse_proxy = true
+
+# Email domains allowed for authentication
+email_domains = ["*"]
+
+# If you are using HTTPS
+cookie_secure="true"
+
+# Listen on all interfaces
+http_address="0.0.0.0:4180"
+```
+
+For additional configuration options, refer to the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview).
+
+#### 4. Start the services.
+
+After creating the configuration file, you can start the services using Docker Compose:
+
+```bash
+docker compose up -d
+```
+
+#### 5. Access the service.
+
+You can now access the service through OAuth2 Proxy by visiting `http://localhost:4180`.
+
+### Standalone Installation
+
+Setting up OAuth2 Proxy with Pocket ID without Docker is similar to the Docker setup. As the setup depends on your environment, you have to adjust the steps accordingly but is should be similar to the Docker setup.
+
+You can visit the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/installation) for more information.

docs/docs/introduction.md

@@ -0,0 +1,24 @@
+---
+id: introduction
+---
+
+# Introduction
+
+Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
+
+The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
+
+Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.
+
+**_Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue_** [here](https://github.com/stonith404/pocket-id/issues/new?template=bug.yml).
+
+## Get to know Pocket ID
+
+→ [Try the Demo of Pocket ID](https://pocket-id.eliasschneider.com/)<br/>
+
+<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="700"/>
+
+## Useful Links
+- [Installation](/pocket-id/setup/installation)
+- [Proxy Services](/pocket-id/guides/proxy-services)
+- [Client Examples](/pocket-id/client-examples)

docs/docs/setup/installation.md

@@ -0,0 +1,73 @@
+---
+id: installation
+---
+
+# Installation
+
+# Before you start
+
+Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
+
+### Installation with Docker (recommended)
+
+1. Download the `docker-compose.yml` and `.env` file:
+
+   ```bash
+    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
+
+    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
+   ```
+
+2. Edit the `.env` file so that it fits your needs. See the [environment variables](/pocket-id/configuration/environment-variables) section for more information.
+3. Run `docker compose up -d`
+
+You can now sign in with the admin account on `http://localhost/login/setup`.
+
+### Unraid
+
+Pocket ID is available as a template on the Community Apps store.
+
+### Stand-alone Installation
+
+Required tools:
+
+- [Node.js](https://nodejs.org/en/download/) >= 20
+- [Go](https://golang.org/doc/install) >= 1.23
+- [Git](https://git-scm.com/downloads)
+- [PM2](https://pm2.keymetrics.io/)
+- [Caddy](https://caddyserver.com/docs/install) (optional)
+
+1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
+
+   ```bash
+   cp frontend/.env.example frontend/.env
+   cp backend/.env.example backend/.env
+   ```
+
+2. Run the following commands:
+
+   ```bash
+   git clone https://github.com/stonith404/pocket-id
+   cd pocket-id
+
+   # Checkout the latest version
+   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
+
+   # Start the backend
+   cd backend/cmd
+   go build -o ../pocket-id-backend
+   cd ..
+   pm2 start pocket-id-backend --name pocket-id-backend
+
+   # Start the frontend
+   cd ../frontend
+   npm install
+   npm run build
+   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
+
+   # Optional: Start Caddy (You can use any other reverse proxy)
+   cd ..
+   pm2 start --name pocket-id-caddy caddy -- run --config reverse-proxy/Caddyfile
+   ```
+
+You can now sign in with the admin account on `http://localhost/login/setup`.

docs/docs/setup/nginx-reverse-proxy.md

@@ -0,0 +1,13 @@
+---
+id: nginx-reverse-proxy
+---
+
+# Nginx Reverse Proxy
+
+To use Nginx as a reverse proxy for Pocket ID, update the configuration to increase the header buffer size. This adjustment is necessary because SvelteKit generates larger headers, which may exceed the default buffer limits.
+
+```nginx
+proxy_busy_buffers_size   512k;
+proxy_buffers   4 512k;
+proxy_buffer_size   256k;
+```

docs/docs/setup/upgrading.md

@@ -0,0 +1,45 @@
+---
+id: upgrading
+---
+
+# Upgrading
+
+Updating to a New Version
+
+#### Docker
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+#### Stand-alone
+
+1. Stop the running services:
+   ```bash
+   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
+   ```
+2. Run the following commands:
+
+   ```bash
+   cd pocket-id
+
+   # Checkout the latest version
+   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
+
+   # Start the backend
+   cd backend/cmd
+   go build -o ../pocket-id-backend
+   cd ..
+   pm2 start pocket-id-backend --name pocket-id-backend
+
+   # Start the frontend
+   cd ../frontend
+   npm install
+   npm run build
+   pm2 start build/index.js --name pocket-id-frontend
+
+   # Optional: Start Caddy (You can use any other reverse proxy)
+   cd ..
+   pm2 start caddy --name pocket-id-caddy -- run --config reverse-proxy/Caddyfile
+   ```

docs/docs/troubleshooting/account-recovery.md

@@ -0,0 +1,13 @@
+---
+id: account-recovery
+---
+
+# Account recovery
+
+There are two ways to create a one-time access link for a user:
+
+1. **UI**: An admin can create a one-time access link for the user in the admin panel under the "Users" tab by clicking on the three dots next to the user's name and selecting "One-time link".
+2. **Terminal**: You can create a one-time access link for a user by running the `scripts/create-one-time-access-token.sh` script. To execute this script with Docker you have to run the following command:
+   ```bash
+   docker compose exec pocket-id sh "sh scripts/create-one-time-access-token.sh <username or email>"
+   ```

docs/docusaurus.config.ts

@@ -0,0 +1,64 @@
+import type * as Preset from "@docusaurus/preset-classic";
+import type { Config } from "@docusaurus/types";
+import { themes as prismThemes } from "prism-react-renderer";
+
+const config: Config = {
+  title: "Pocket ID",
+  tagline:
+    "Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.",
+  favicon: "img/pocket-id.png",
+
+  url: "https://stonith404.github.io",
+  baseUrl: "/pocket-id/",
+  organizationName: "stonith404",
+  projectName: "pocket-id",
+
+  onBrokenLinks: "warn",
+  onBrokenMarkdownLinks: "warn",
+
+  i18n: {
+    defaultLocale: "en",
+    locales: ["en"],
+  },
+
+  presets: [
+    [
+      "classic",
+      {
+        docs: {
+          routeBasePath: "/",
+          sidebarPath: "./sidebars.ts",
+          editUrl: "https://github.com/stonith404/pocket-id/edit/main/docs",
+        },
+        blog: false,
+      } satisfies Preset.Options,
+    ],
+  ],
+
+  themeConfig: {
+    image: "img/pocket-id.png",
+    colorMode: {
+      respectPrefersColorScheme: true,
+    },
+    navbar: {
+      title: "Pocket ID",
+      logo: {
+        alt: "Pocket ID Share Logo",
+        src: "img/pocket-id.png",
+      },
+      items: [
+        {
+          href: "https://github.com/stonith404/pocket-id",
+          label: "GitHub",
+          position: "right",
+        },
+      ],
+    },
+    prism: {
+      theme: prismThemes.github,
+      darkTheme: prismThemes.dracula,
+    },
+  } satisfies Preset.ThemeConfig,
+};
+
+export default config;

docs/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "pocket-id-docs",
+  "version": "0.0.0",
+  "private": true,
+  "scripts": {
+    "docusaurus": "docusaurus",
+    "start": "docusaurus start",
+    "build": "docusaurus build",
+    "swizzle": "docusaurus swizzle",
+    "deploy": "GIT_USER=stonith404 docusaurus deploy",
+    "clear": "docusaurus clear",
+    "serve": "docusaurus serve",
+    "write-translations": "docusaurus write-translations",
+    "write-heading-ids": "docusaurus write-heading-ids",
+    "typecheck": "tsc"
+  },
+  "dependencies": {
+    "@docusaurus/core": "3.7.0",
+    "@docusaurus/preset-classic": "3.7.0",
+    "@mdx-js/react": "^3.0.0",
+    "clsx": "^2.0.0",
+    "prism-react-renderer": "^2.3.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
+  },
+  "devDependencies": {
+    "@docusaurus/module-type-aliases": "3.7.0",
+    "@docusaurus/tsconfig": "3.7.0",
+    "@docusaurus/types": "3.7.0",
+    "typescript": "~5.6.2"
+  },
+  "browserslist": {
+    "production": [
+      ">0.5%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 3 chrome version",
+      "last 3 firefox version",
+      "last 5 safari version"
+    ]
+  },
+  "engines": {
+    "node": ">=18.0"
+  }
+}

docs/proxy-services.md

@@ -1,81 +0,0 @@
-# Proxy Services through Pocket ID
-
-The goal of Pocket ID is to stay simple. Because of that we don't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) to add authentication to your services that don't support OIDC. This guide will show you how to set up OAuth2 Proxy with Pocket ID.
-
-## Docker Setup
-
-#### 1. Add OAuth2 proxy to the service that should be proxied.
-
-To configure OAuth2 Proxy with Pocket ID, you have to add the following service to the service that should be proxied. E.g., if [Uptime Kuma](https://github.com/louislam/uptime-kuma) should be proxied, you can add the following service to the `docker-compose.yml` of Uptime Kuma:
-
-```yaml
-# Example with Uptime Kuma
-# uptime-kuma:
-#  image: louislam/uptime-kuma
-oauth2-proxy:
-  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-  command: --config /oauth2-proxy.cfg
-  volumes:
-    - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
-  ports:
-    - 4180:4180
-```
-
-#### 2. Create a new OIDC client in Pocket ID.
-
-Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/oauth2/callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
-
-#### 3. Create a configuration file for OAuth2 Proxy.
-
-Create a configuration file named `oauth2-proxy.cfg` in the same directory as your `docker-compose.yml` file of the service that should be proxied (e.g. Uptime Kuma). This file will contain the necessary configurations for OAuth2 Proxy to work with Pocket ID.
-
-Here is the recommend `oauth2-proxy.cfg` configuration:
-
-```cfg
-# Replace with your own credentials
-client_id="client-id-from-pocket-id"
-client_secret="client-secret-from-pocket-id"
-oidc_issuer_url="https://<your-pocket-id-domain>"
-
-# Replace with a secure random string
-cookie_secret="random-string"
-
-# Upstream servers (e.g http://uptime-kuma:3001)
-upstreams="http://<service-to-be-proxied>:<port>"
-
-# Additional Configuration
-provider="oidc"
-scope = "openid email profile groups"
-
-# If you are using a reverse proxy in front of OAuth2 Proxy
-reverse_proxy = true
-
-# Email domains allowed for authentication
-email_domains = ["*"]
-
-# If you are using HTTPS
-cookie_secure="true"
-
-# Listen on all interfaces
-http_address="0.0.0.0:4180"
-```
-
-For additional configuration options, refer to the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview).
-
-#### 4. Start the services.
-
-After creating the configuration file, you can start the services using Docker Compose:
-
-```bash
-docker compose up -d
-```
-
-#### 5. Access the service.
-
-You can now access the service through OAuth2 Proxy by visiting `http://localhost:4180`.
-
-## Standalone Installation
-
-Setting up OAuth2 Proxy with Pocket ID without Docker is similar to the Docker setup. As the setup depends on your environment, you have to adjust the steps accordingly but is should be similar to the Docker setup.
-
-You can visit the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/installation) for more information.

docs/sidebars.ts

@@ -0,0 +1,104 @@
+import type { SidebarsConfig } from "@docusaurus/plugin-content-docs";
+
+const sidebars: SidebarsConfig = {
+  docsSidebar: [
+    {
+      type: "doc",
+      id: "introduction",
+    },
+    {
+      type: "category",
+      label: "Getting Started",
+      items: [
+        {
+          type: "doc",
+          id: "setup/installation",
+        },
+        {
+          type: "doc",
+          id: "setup/nginx-reverse-proxy",
+        },
+        {
+          type: "doc",
+          id: "setup/upgrading",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Configuration",
+      items: [
+        {
+          type: "doc",
+          id: "configuration/environment-variables",
+        },
+        {
+          type: "doc",
+          id: "configuration/ldap",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Guides",
+      items: [
+        {
+          type: "doc",
+          id: "guides/proxy-services",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Client Examples",
+      link: {
+        type: "generated-index",
+        title: "Client Examples",
+        description:
+          "Examples of how to setup Pocket ID with different clients",
+        slug: "client-examples",
+      },
+      items: [
+        "client-examples/cloudflare-zero-trust",
+        "client-examples/grist",
+        "client-examples/hoarder",
+        "client-examples/jellyfin",
+        "client-examples/netbox",
+        "client-examples/open-webui",
+        "client-examples/pgadmin",
+        "client-examples/portainer",
+        "client-examples/proxmox",
+        "client-examples/semaphore-ui",
+        "client-examples/vikunja",
+      ],
+    },
+    {
+      type: "category",
+      label: "Troubleshooting",
+      items: [
+        {
+          type: "doc",
+          id: "troubleshooting/account-recovery",
+        },
+      ],
+    },
+    {
+      type: "category",
+      label: "Helping Out",
+      items: [
+        {
+          type: "link",
+          label: "Contributing",
+          href: "https://github.com/stonith404/pocket-id/blob/main/CONTRIBUTING.md",
+        },
+      ],
+    },
+    {
+      type: "link",
+      label: "Demo",
+      href: "https://pocket-id.eliasschneider.com/",
+    },
+  ],
+};
+
+export default sidebars;