New translations en.json (Finnish)

2025-12-06 13:22:57 +03:00 · 2025-11-29 21:57:09 +01:00 · 2025-11-29 20:48:33 +01:00 · 2025-11-29 19:02:16 +01:00 · 2025-11-29 17:53:49 +01:00 · 2025-11-29 16:55:54 +01:00
204 changed files with 9032 additions and 4539 deletions
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -2,11 +2,11 @@ name: Run Backend Linter

 on:
  push:
-    branches: [main]
+    branches: [main, breaking/**]
    paths:
      - "backend/**"
  pull_request:
-    branches: [main]
+    branches: [main, breaking/**]
    paths:
      - "backend/**"

--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -1,13 +1,13 @@
 name: E2E Tests
 on:
  push:
-    branches: [main]
+    branches: [main, breaking/**]
    paths-ignore:
      - "docs/**"
      - "**.md"
      - ".github/**"
  pull_request:
-    branches: [main]
+    branches: [main, breaking/**]
    paths-ignore:
      - "docs/**"
      - "**.md"
@@ -57,7 +57,18 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        db: [sqlite, postgres]
+        include:
+          - db: sqlite
+            storage: fs
+          - db: postgres
+            storage: fs
+          - db: sqlite
+            storage: s3
+          - db: sqlite
+            storage: database
+          - db: postgres
+            storage: database
+
    steps:
      - uses: actions/checkout@v5

@@ -70,44 +81,74 @@ jobs:
          node-version: 22

      - name: Cache Playwright Browsers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
+
      - name: Cache PostgreSQL Docker image
-        if: matrix.db == 'postgres'
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        id: postgres-cache
        with:
          path: /tmp/postgres-image.tar
          key: postgres-17-${{ runner.os }}
-
      - name: Pull and save PostgreSQL image
        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit != 'true'
        run: |
          docker pull postgres:17
          docker save postgres:17 > /tmp/postgres-image.tar
-
-      - name: Load PostgreSQL image from cache
+      - name: Load PostgreSQL image
        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/postgres-image.tar
+
      - name: Cache LLDAP Docker image
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        id: lldap-cache
        with:
          path: /tmp/lldap-image.tar
          key: lldap-stable-${{ runner.os }}
-
      - name: Pull and save LLDAP image
        if: steps.lldap-cache.outputs.cache-hit != 'true'
        run: |
-          docker pull nitnelave/lldap:stable
-          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
-
-      - name: Load LLDAP image from cache
+          docker pull lldap/lldap:2025-05-19
+          docker save lldap/lldap:2025-05-19 > /tmp/lldap-image.tar
+      - name: Load LLDAP image
        if: steps.lldap-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/lldap-image.tar
+
+      - name: Cache Localstack S3 Docker image
+        if: matrix.storage == 's3'
+        uses: actions/cache@v4
+        id: s3-cache
+        with:
+          path: /tmp/localstack-s3-image.tar
+          key: localstack-s3-latest-${{ runner.os }}
+      - name: Pull and save Localstack S3 image
+        if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull localstack/localstack:s3-latest
+          docker save localstack/localstack:s3-latest > /tmp/localstack-s3-image.tar
+      - name: Load Localstack S3 image
+        if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/localstack-s3-image.tar
+
+      - name: Cache AWS CLI Docker image
+        if: matrix.storage == 's3'
+        uses: actions/cache@v4
+        id: aws-cli-cache
+        with:
+          path: /tmp/aws-cli-image.tar
+          key: aws-cli-latest-${{ runner.os }}
+      - name: Pull and save AWS CLI image
+        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull amazon/aws-cli:latest
+          docker save amazon/aws-cli:latest > /tmp/aws-cli-image.tar
+      - name: Load AWS CLI image
+        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/aws-cli-image.tar
+
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
@@ -124,19 +165,21 @@ jobs:
        working-directory: ./tests
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: pnpm exec playwright install --with-deps chromium
-      - name: Run Docker Container (sqlite) with LDAP
-        if: matrix.db == 'sqlite'
-        working-directory: ./tests/setup
-        run: |
-          docker compose up -d
-          docker compose logs -f pocket-id &> /tmp/backend.log &

-      - name: Run Docker Container (postgres) with LDAP
-        if: matrix.db == 'postgres'
+      - name: Run Docker containers
        working-directory: ./tests/setup
        run: |
-          docker compose -f docker-compose-postgres.yml up -d
-          docker compose -f docker-compose-postgres.yml logs -f pocket-id &> /tmp/backend.log &
+          DOCKER_COMPOSE_FILE=docker-compose.yml
+
+          export FILE_BACKEND="${{ matrix.storage }}"
+          if [ "${{ matrix.db }}" = "postgres" ]; then
+            DOCKER_COMPOSE_FILE=docker-compose-postgres.yml
+          elif [ "${{ matrix.storage }}" = "s3" ]; then
+            DOCKER_COMPOSE_FILE=docker-compose-s3.yml
+          fi
+
+          docker compose -f "$DOCKER_COMPOSE_FILE" up -d
+          docker compose -f "$DOCKER_COMPOSE_FILE" logs -f pocket-id &> /tmp/backend.log &

      - name: Run Playwright tests
        working-directory: ./tests
@@ -146,7 +189,7 @@ jobs:
        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
-          name: playwright-report-${{ matrix.db }}
+          name: playwright-report-${{ matrix.db }}-${{ matrix.storage }}
          path: tests/.report
          include-hidden-files: true
          retention-days: 15
@@ -155,7 +198,7 @@ jobs:
        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
-          name: backend-${{ matrix.db }}
+          name: backend-${{ matrix.db }}-${{ matrix.storage }}
          path: /tmp/backend.log
          include-hidden-files: true
          retention-days: 15
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -2,7 +2,7 @@ name: Svelte Check

 on:
  push:
-    branches: [main]
+    branches: [main, breaking/**]
    paths:
      - "frontend/src/**"
      - ".github/svelte-check-matcher.json"
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,7 +1,7 @@
 name: Unit Tests
 on:
  push:
-    branches: [main]
+    branches: [main, breaking/**]
    paths:
      - "backend/**"
  pull_request:
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,12 @@
 # JetBrains
 **/.idea

+# Node
 node_modules

+# PNPM
+.pnpm-store/
+
 # Output
 .output
 .vercel
--- a/.version
+++ b/.version
@@ -1 +1 @@
-1.13.1
+1.15.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,70 @@
+## v1.15.0
+
+### Bug Fixes
+
+- sorting by PKCE and re-auth of OIDC clients ([e03270e](https://github.com/pocket-id/pocket-id/commit/e03270eb9d474735ff4a1b4d8c90f1857b8cd52b) by @stonith404)
+- replace %lang% placeholder in html lang ([#1071](https://github.com/pocket-id/pocket-id/pull/1071) by @daimond113)
+- disabled property gets ignored when creating an user ([76e0192](https://github.com/pocket-id/pocket-id/commit/76e0192ceec339b6ddb4ad3424057d2bb48fae8f) by @stonith404)
+- remove redundant indexes in Postgres ([6a038fc](https://github.com/pocket-id/pocket-id/commit/6a038fcf9afabbf00c45e42071e9bbe62ecab403) by @stonith404)
+
+### Features
+
+- open edit page on table row click ([f184120](https://github.com/pocket-id/pocket-id/commit/f184120890c32f1e75a918c171084878a10e8b42) by @stonith404)
+- add ability to set default profile picture ([#1061](https://github.com/pocket-id/pocket-id/pull/1061) by @stonith404)
+
+### Other
+
+- add support for OpenBSD binaries ([d683d18](https://github.com/pocket-id/pocket-id/commit/d683d18d9109ca2850e278b78f7bf3e5aca1d34d) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.14.2...v1.15.0
+
+## v1.14.2
+
+### Bug Fixes
+
+- dark oidc client icons not saved on client creation ([#1057](https://github.com/pocket-id/pocket-id/pull/1057) by @mufeedali)
+
+### Other
+
+- add Turkish language files ([a190529](https://github.com/pocket-id/pocket-id/commit/a190529117fe20b5b836d452b382da69abba9458) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.14.1...v1.14.2
+
+## v1.14.1
+
+### Bug Fixes
+
+- Prevent blinding FOUC in dark mode ([#1054](https://github.com/pocket-id/pocket-id/pull/1054) by @mufeedali)
+- use credProps to save passkey on firefox android ([#1055](https://github.com/pocket-id/pocket-id/pull/1055) by @lhoursquentin)
+- ignore trailing slashes in `APP_URL` ([65616f6](https://github.com/pocket-id/pocket-id/commit/65616f65e53f3e62d18a8209929e68ddc8d2b9b8) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.14.0...v1.14.1
+
+## v1.14.0
+
+### Bug Fixes
+
+- ignore trailing slash in URL ([9f0aa55](https://github.com/pocket-id/pocket-id/commit/9f0aa55be67b7a09810569250563bb388b40590a) by @stonith404)
+- use constant time comparisons when validating PKCE challenges ([#1047](https://github.com/pocket-id/pocket-id/pull/1047) by @ItalyPaleAle)
+- only animate login background on initial page load ([b356cef](https://github.com/pocket-id/pocket-id/commit/b356cef766697c621157235ae1d2743f3fe6720d) by @stonith404)
+- make pkce requirement visible in the oidc form if client is public ([47927d1](https://github.com/pocket-id/pocket-id/commit/47927d157470daa5b5a5b30e61a2ba69110eeff9) by @stonith404)
+- prevent page flickering on redirection based on auth state ([10d6403](https://github.com/pocket-id/pocket-id/commit/10d640385ff2078299a07f05e5ca3f0d392eecf7) by @stonith404)
+
+### Features
+
+- add various improvements to the table component ([#961](https://github.com/pocket-id/pocket-id/pull/961) by @stonith404)
+- add support for dark mode oidc client icons ([#1039](https://github.com/pocket-id/pocket-id/pull/1039) by @kmendell)
+
+### Other
+
+- add Japanese files ([068fcc6](https://github.com/pocket-id/pocket-id/commit/068fcc65a62c76f55c9636f830fc769bd59220c4) by @kmendell)
+- bump sveltekit-superforms from 2.27.1 to 2.27.4 in the npm_and_yarn group across 1 directory ([#1031](https://github.com/pocket-id/pocket-id/pull/1031) by @dependabot[bot])
+- update AAGUIDs ([#1041](https://github.com/pocket-id/pocket-id/pull/1041) by @github-actions[bot])
+- bump vite from 7.0.7 to 7.0.8 in the npm_and_yarn group across 1 directory ([#1042](https://github.com/pocket-id/pocket-id/pull/1042) by @dependabot[bot])
+- upgrade dependencies ([6362ff9](https://github.com/pocket-id/pocket-id/commit/6362ff986124d056cc07d214855f198eab9cb97d) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v1.13.1...v1.14.0
+
 ## v1.13.1

 ### Bug Fixes
--- a/backend/frontend/frontend_included.go
+++ b/backend/frontend/frontend_included.go
@@ -32,10 +32,6 @@ func init() {
 		panic(fmt.Errorf("failed to read index.html: %w", iErr))
 	}

-	// Get the position of the first <script> tag
-	idx := bytes.Index(index, []byte(scriptTag))
-
-	// Create writeIndexFn, which adds the CSP tag to the script tag if needed
 	writeIndexFn = func(w io.Writer, nonce string) (err error) {
 		// If there's no nonce, write the index as-is
 		if nonce == "" {
@@ -43,23 +39,16 @@ func init() {
 			return err
 		}

-		// We have a nonce, so first write the index until the <script> tag
-		// Then we write the modified script tag
-		// Finally, the rest of the index
-		_, err = w.Write(index[0:idx])
-		if err != nil {
-			return err
-		}
-		_, err = w.Write([]byte(`<script nonce="` + nonce + `">`))
-		if err != nil {
-			return err
-		}
-		_, err = w.Write(index[(idx + len(scriptTag)):])
-		if err != nil {
-			return err
-		}
+		// Add nonce to all <script> tags
+		// We replace "<script" with `<script nonce="..."` everywhere it appears
+		modified := bytes.ReplaceAll(
+			index,
+			[]byte(scriptTag),
+			[]byte(`<script nonce="`+nonce+`">`),
+		)

-		return nil
+		_, err = w.Write(modified)
+		return err
 	}
 }

@@ -75,6 +64,11 @@ func RegisterFrontend(router *gin.Engine) error {
 	router.NoRoute(func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")

+		if strings.HasSuffix(path, "/") {
+			c.Redirect(http.StatusMovedPermanently, strings.TrimRight(c.Request.URL.String(), "/"))
+			return
+		}
+
 		if strings.HasPrefix(path, "api/") {
 			c.JSON(http.StatusNotFound, gin.H{"error": "API endpoint not found"})
 			return
@@ -94,13 +88,9 @@ func RegisterFrontend(router *gin.Engine) error {
 			c.Header("Content-Type", "text/html; charset=utf-8")
 			c.Header("Cache-Control", "no-store")
 			c.Status(http.StatusOK)
-
-			err = writeIndexFn(c.Writer, nonce)
-			if err != nil {
+			if err := writeIndexFn(c.Writer, nonce); err != nil {
 				_ = c.Error(fmt.Errorf("failed to write index.html file: %w", err))
-				return
 			}
-
 			return
 		}

--- a/backend/go.mod
+++ b/backend/go.mod
@@ -3,88 +3,107 @@ module github.com/pocket-id/pocket-id/backend
 go 1.25

 require (
+	github.com/aws/aws-sdk-go-v2 v1.39.6
+	github.com/aws/aws-sdk-go-v2/config v1.31.17
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.21
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0
+	github.com/aws/smithy-go v1.23.2
 	github.com/caarlos0/env/v11 v11.3.1
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
 	github.com/disintegration/imaging v1.6.2
-	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
-	github.com/emersion/go-smtp v0.21.3
+	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
+	github.com/emersion/go-smtp v0.24.0
 	github.com/fxamacker/cbor/v2 v2.9.0
 	github.com/gin-contrib/slog v1.1.0
-	github.com/gin-gonic/gin v1.10.1
+	github.com/gin-gonic/gin v1.11.0
 	github.com/glebarez/go-sqlite v1.22.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-co-op/gocron/v2 v2.16.3
-	github.com/go-ldap/ldap/v3 v3.4.10
-	github.com/go-playground/validator/v10 v10.27.0
-	github.com/go-webauthn/webauthn v0.11.2
-	github.com/golang-migrate/migrate/v4 v4.18.3
+	github.com/go-co-op/gocron/v2 v2.17.0
+	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-webauthn/webauthn v0.14.0
+	github.com/golang-migrate/migrate/v4 v4.19.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/jinzhu/copier v0.4.0
 	github.com/joho/godotenv v1.5.1
-	github.com/lestrrat-go/httprc/v3 v3.0.0
-	github.com/lestrrat-go/jwx/v3 v3.0.10
+	github.com/lestrrat-go/httprc/v3 v3.0.1
+	github.com/lestrrat-go/jwx/v3 v3.0.12
 	github.com/lmittmann/tint v1.1.2
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mileusna/useragent v1.3.5
 	github.com/orandin/slog-gorm v1.4.0
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8
-	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
-	go.opentelemetry.io/contrib/bridges/otelslog v0.12.0
-	go.opentelemetry.io/contrib/exporters/autoexport v0.59.0
-	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
-	go.opentelemetry.io/otel v1.37.0
-	go.opentelemetry.io/otel/log v0.13.0
-	go.opentelemetry.io/otel/metric v1.37.0
-	go.opentelemetry.io/otel/sdk v1.35.0
-	go.opentelemetry.io/otel/sdk/log v0.10.0
-	go.opentelemetry.io/otel/sdk/metric v1.35.0
-	go.opentelemetry.io/otel/trace v1.37.0
-	golang.org/x/crypto v0.41.0
-	golang.org/x/image v0.30.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/text v0.28.0
-	golang.org/x/time v0.12.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0
+	github.com/spf13/cobra v1.10.1
+	github.com/stretchr/testify v1.11.1
+	go.opentelemetry.io/contrib/bridges/otelslog v0.13.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
+	go.opentelemetry.io/otel v1.38.0
+	go.opentelemetry.io/otel/log v0.14.0
+	go.opentelemetry.io/otel/metric v1.38.0
+	go.opentelemetry.io/otel/sdk v1.38.0
+	go.opentelemetry.io/otel/sdk/log v0.14.0
+	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	go.opentelemetry.io/otel/trace v1.38.0
+	golang.org/x/crypto v0.45.0
+	golang.org/x/image v0.32.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/text v0.31.0
+	golang.org/x/time v0.14.0
 	gorm.io/driver/postgres v1.6.0
-	gorm.io/gorm v1.30.1
+	gorm.io/gorm v1.31.0
 )

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.14.0 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic v1.14.1 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
-	github.com/disintegration/gift v1.1.2 // indirect
+	github.com/disintegration/gift v1.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.23 // indirect
+	github.com/go-webauthn/x v0.1.25 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/go-github/v39 v39.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/go-tpm v0.9.5 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	github.com/google/go-tpm v0.9.6 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.5 // indirect
+	github.com/jackc/pgx/v5 v5.7.6 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -93,57 +112,64 @@ require (
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
-	github.com/mattn/go-sqlite3 v1.14.24 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.1 // indirect
+	github.com/prometheus/otlptranslator v1.0.0 // indirect
+	github.com/prometheus/procfs v0.18.0 // indirect
+	github.com/quic-go/qpack v0.5.1 // indirect
+	github.com/quic-go/quic-go v0.55.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/segmentio/asm v1.2.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/prometheus v0.57.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
-	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
-	google.golang.org/grpc v1.71.0 // indirect
-	google.golang.org/protobuf v1.36.7 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.60.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/arch v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.66.7 // indirect
+	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.38.2 // indirect
+	modernc.org/sqlite v1.39.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -4,74 +4,115 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
+github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
+github.com/aws/aws-sdk-go-v2/config v1.31.17 h1:QFl8lL6RgakNK86vusim14P2k8BFSxjvUkcWLDjgz9Y=
+github.com/aws/aws-sdk-go-v2/config v1.31.17/go.mod h1:V8P7ILjp/Uef/aX8TjGk6OHZN6IKPM5YW6S78QnRD5c=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21 h1:56HGpsgnmD+2/KpG0ikvvR8+3v3COCwaF4r+oWwOeNA=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.21/go.mod h1:3YELwedmQbw7cXNaII2Wywd+YY58AmLPwX4LzARgmmA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 h1:eg/WYAa12vqTphzIdWMzqYRVKKnCboVPRlvaybNCqPA=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13/go.mod h1:/FDdxWhz1486obGrKKC1HONd7krpk38LBt+dutLcN9k=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 h1:NvMjwvv8hpGUILarKw7Z4Q0w1H9anXKsesMxtw++MA4=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4/go.mod h1:455WPHSwaGj2waRSpQp7TsnpOnBfw8iDfPfbwl7KPJE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 h1:zhBJXdhWIFZ1acfDYIhu4+LCzdUS2Vbcum7D01dXlHQ=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13/go.mod h1:JaaOeCE368qn2Hzi3sEzY6FgAZVCIYcC2nwbro2QCh8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0 h1:ef6gIJR+xv/JQWwpa5FYirzoQctfSJm7tuDe3SZsUf8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1 h1:mLlUgHn02ue8whiR4BmxxGJLR2gwU6s6ZzJ5wDamBUs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
+github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
+github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.1 h1:FBMC0zVz5XUmE4z9wF4Jey0An5FueFvOsTKKKtwIl7w=
+github.com/bytedance/sonic v1.14.1/go.mod h1:gi6uhQLMbTdeP0muCnrjHLeCUPyb70ujhnNlhOylAFc=
 github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
 github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
-github.com/dhui/dktest v0.4.5 h1:uUfYBIVREmj/Rw6MvgmqNAYzTiKOHJak+enB5Di73MM=
-github.com/dhui/dktest v0.4.5/go.mod h1:tmcyeHDKagvlDrz7gDKq4UAJOLIfVZYkfD5OnHDwcCo=
-github.com/disintegration/gift v1.1.2 h1:9ZyHJr+kPamiH10FX3Pynt1AxFUob812bU9Wt4GMzhs=
+github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
+github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
 github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/gift v1.2.1 h1:Y005a1X4Z7Uc+0gLpSAsKhWi4qLtsdEcMIbbdvdZ6pc=
+github.com/disintegration/gift v1.2.1/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
 github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
 github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec/go.mod h1:K0KBFIr1gWu/C1Gp10nFAcAE4hsB7JxE6OgLijrJ8Sk=
 github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
 github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
-github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
-github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
-github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGVMY=
-github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
+github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3DfFi4EXdT+B+gTtzx8GC9xsc26Znk=
+github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.24.0 h1:g6AfoF140mvW0vLNPD/LuCBLEAdlxOjIXqbIkJIS6Wk=
+github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4McvHxCU2gsQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
-github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/slog v1.1.0 h1:K9MVNrETT6r/C3u2Aheer/gxwVeVqrGL0hXlsmv3fm4=
 github.com/gin-contrib/slog v1.1.0/go.mod h1:PvNXQVXcVOAaaiJR84LV1/xlQHIaXi9ygEXyBkmjdkY=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
-github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
-github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
-github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.16.3 h1:kYqukZqBa8RC2+AFAHnunmKcs9GRTjwBo8WRF3I6cbI=
-github.com/go-co-op/gocron/v2 v2.16.3/go.mod h1:aTf7/+5Jo2E+cyAqq625UQ6DzpkV96b22VHIUAt6l3c=
-github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
-github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-co-op/gocron/v2 v2.17.0 h1:e/oj6fcAM8vOOKZxv2Cgfmjo+s8AXC46po5ZPtaSea4=
+github.com/go-co-op/gocron/v2 v2.17.0/go.mod h1:Zii6he+Zfgy5W9B+JKk/KwejFOW0kZTFvHtwIpR4aBI=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -83,50 +124,48 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
-github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
-github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.23 h1:9lEO0s+g8iTyz5Vszlg/rXTGrx3CjcD0RZQ1GPZCaxI=
-github.com/go-webauthn/x v0.1.23/go.mod h1:AJd3hI7NfEp/4fI6T4CHD753u91l510lglU7/NMN6+E=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-webauthn/webauthn v0.14.0 h1:ZLNPUgPcDlAeoxe+5umWG/tEeCoQIDr7gE2Zx2QnhL0=
+github.com/go-webauthn/webauthn v0.14.0/go.mod h1:QZzPFH3LJ48u5uEPAu+8/nWJImoLBWM7iAH/kSVSo6k=
+github.com/go-webauthn/x v0.1.25 h1:g/0noooIGcz/yCVqebcFgNnGIgBlJIccS+LYAa+0Z88=
+github.com/go-webauthn/x v0.1.25/go.mod h1:ieblaPY1/BVCV0oQTsA/VAo08/TWayQuJuo5Q+XxmTY=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
-github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.3 h1:EYGkoOsvgHHfm5U/naS1RP/6PL/Xv3S4B/swMiAmDLs=
-github.com/golang-migrate/migrate/v4 v4.18.3/go.mod h1:99BKpIi6ruaaXRM1A77eqZ+FWPQ3cfRa+ZVy5bmWMaY=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-migrate/migrate/v4 v4.19.0 h1:RcjOnCGz3Or6HQYEJ/EEVLfWnmw9KnoigPSjzhCuaSE=
+github.com/golang-migrate/migrate/v4 v4.19.0/go.mod h1:9dyEcu+hO+G9hPSw8AIg50yg622pXJsoHItQnDGZkI0=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ=
 github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
-github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
-github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
+github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -135,8 +174,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs=
-github.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
+github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -177,12 +216,16 @@ github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
 github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
+github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
+github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc=
-github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q=
-github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw=
-github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk=
+github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
+github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
+github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -193,8 +236,8 @@ github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w=
 github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
-github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -212,55 +255,61 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
-github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/orandin/slog-gorm v1.4.0 h1:FgA8hJufF9/jeNSYoEXmHPPBwET2gwlF3B85JdpsTUU=
 github.com/orandin/slog-gorm v1.4.0/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8 h1:aM1/rO6p+XV+l+seD7UCtFZgsOefDTrFVLvPoZWjXZs=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8/go.mod h1:Jts8ztuE0PkUwY7VCJyp6B68ujQfr6G9P5Dn3Yx9u6w=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0 h1:Gyljxck1kHbBxDgLM++NfDWBqvu1pWWfT8XbosSo0bo=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0/go.mod h1:gG4V88LsawPEqtbL1Veh1WRh+nVSYwXzJ1P5Fcn77g0=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
+github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
+github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
+github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
+github.com/prometheus/procfs v0.18.0 h1:2QTA9cKdznfYJz7EDaa7IiJobHuV7E1WzeBwcrhk0ao=
+github.com/prometheus/procfs v0.18.0/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
-github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
@@ -269,190 +318,139 @@ github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXV
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/bridges/otelslog v0.12.0 h1:lFM7SZo8Ce01RzRfnUFQZEYeWRf/MtOA3A5MobOqk2g=
-go.opentelemetry.io/contrib/bridges/otelslog v0.12.0/go.mod h1:Dw05mhFtrKAYu72Tkb3YBYeQpRUJ4quDgo2DQw3No5A=
-go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 h1:HY2hJ7yn3KuEBBBsKxvF3ViSmzLwsgeNvD+0utRMgzc=
-go.opentelemetry.io/contrib/bridges/prometheus v0.59.0/go.mod h1:H4H7vs8766kwFnOZVEGMJFVF+phpBSmTckvvNRdJeDI=
-go.opentelemetry.io/contrib/exporters/autoexport v0.59.0 h1:dKhAFwh7SSoOw+gwMtSv+XLkUGTFAwAGMT3X3XSE4FA=
-go.opentelemetry.io/contrib/exporters/autoexport v0.59.0/go.mod h1:fPl+qlrhRdRntIpPs9JoQ0iBKAsnH5VkgppU1f9kyF4=
-go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0 h1:jj/B7eX95/mOxim9g9laNZkOHKz/XCHG0G410SntRy4=
-go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0/go.mod h1:ZvRTVaYYGypytG0zRp2A60lpj//cMq3ZnxYdZaljVBM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 h1:5dTKu4I5Dn4P2hxyW3l3jTaZx9ACgg0ECos1eAVrheY=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0/go.mod h1:P5HcUI8obLrCCmM3sbVBohZFH34iszk/+CPWuakZWL8=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 h1:q/heq5Zh8xV1+7GoMGJpTxM2Lhq5+bFxB29tshuRuw0=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0/go.mod h1:leO2CSTg0Y+LyvmR7Wm4pUxE8KAmaM2GCVx7O+RATLA=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 h1:QcFwRrZLc82r8wODjvyCbP7Ifp3UANaBSmhDSFjnqSc=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0/go.mod h1:CXIWhUomyWBG/oY2/r/kLp6K/cmx9e/7DLpBuuGdLCA=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 h1:0NIXxOCFx+SKbhCVxwl3ETG8ClLPAa0KuKV6p3yhxP8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0/go.mod h1:ChZSJbbfbl/DcRZNc9Gqh6DYGlfjw4PvO1pEOZH1ZsE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
-go.opentelemetry.io/otel/exporters/prometheus v0.57.0 h1:AHh/lAP1BHrY5gBwk8ncc25FXWm/gmmY3BX258z5nuk=
-go.opentelemetry.io/otel/exporters/prometheus v0.57.0/go.mod h1:QpFWz1QxqevfjwzYdbMb4Y1NnlJvqSGwyuU0B4iuc9c=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 h1:GKCEAZLEpEf78cUvudQdTg0aET2ObOZRB2HtXA0qPAI=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0/go.mod h1:9/zqSWLCmHT/9Jo6fYeUDRRogOLL60ABLsHWS99lF8s=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 h1:PB3Zrjs1sG1GBX51SXyTSoOTqcDglmsk7nT6tkKPb/k=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0/go.mod h1:U2R3XyVPzn0WX7wOIypPuptulsMcPDPs/oiSVOMVnHY=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg=
-go.opentelemetry.io/otel/log v0.13.0 h1:yoxRoIZcohB6Xf0lNv9QIyCzQvrtGZklVbdCoyb7dls=
-go.opentelemetry.io/otel/log v0.13.0/go.mod h1:INKfG4k1O9CL25BaM1qLe0zIedOpvlS5Z7XgSbmN83E=
-go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/log v0.10.0 h1:lR4teQGWfeDVGoute6l0Ou+RpFqQ9vaPdrNJlST0bvw=
-go.opentelemetry.io/otel/sdk/log v0.10.0/go.mod h1:A+V1UTWREhWAittaQEG4bYm4gAZa6xnvVu+xKrIRkzo=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/bridges/otelslog v0.13.0 h1:bwnLpizECbPr1RrQ27waeY2SPIPeccCx/xLuoYADZ9s=
+go.opentelemetry.io/contrib/bridges/otelslog v0.13.0/go.mod h1:3nWlOiiqA9UtUnrcNk82mYasNxD8ehOspL0gOfEo6Y4=
+go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 h1:/Rij/t18Y7rUayNg7Id6rPrEnHgorxYabm2E6wUdPP4=
+go.opentelemetry.io/contrib/bridges/prometheus v0.63.0/go.mod h1:AdyDPn6pkbkt2w01n3BubRVk7xAsCRq1Yg1mpfyA/0E=
+go.opentelemetry.io/contrib/exporters/autoexport v0.63.0 h1:NLnZybb9KkfMXPwZhd5diBYJoVxiO9Qa06dacEA7ySY=
+go.opentelemetry.io/contrib/exporters/autoexport v0.63.0/go.mod h1:OvRg7gm5WRSCtxzGSsrFHbDLToYlStHNZQ+iPNIyD6g=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0 h1:5kSIJ0y8ckZZKoDhZHdVtcyjVi6rXyAwyaR8mp4zLbg=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.63.0/go.mod h1:i+fIMHvcSQtsIY82/xgiVWRklrNt/O6QriHLjzGeY+s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
+go.opentelemetry.io/contrib/propagators/b3 v1.38.0 h1:uHsCCOSKl0kLrV2dLkFK+8Ywk9iKa/fptkytc6aFFEo=
+go.opentelemetry.io/contrib/propagators/b3 v1.38.0/go.mod h1:wMRSZJZcY8ya9mApLLhwIMjqmApy2o/Ml+62lhvxyHU=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 h1:OMqPldHt79PqWKOMYIAQs3CxAi7RLgPxwfFSwr4ZxtM=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0/go.mod h1:1biG4qiqTxKiUCtoWDPpL3fB3KxVwCiGw81j3nKMuHE=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 h1:QQqYw3lkrzwVsoEX0w//EhH/TCnpRdEenKBOOEIMjWc=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0/go.mod h1:gSVQcr17jk2ig4jqJ2DX30IdWH251JcNAecvrqTxH1s=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 h1:Oe2z/BCg5q7k4iXC3cqJxKYg0ieRiOqF0cecFYdPTwk=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0/go.mod h1:ZQM5lAJpOsKnYagGg/zV2krVqTtaVdYdDkhMoX6Oalg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
+go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 h1:B/g+qde6Mkzxbry5ZZag0l7QrQBCtVm7lVjaLgmpje8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0/go.mod h1:mOJK8eMmgW6ocDJn6Bn11CcZ05gi3P8GylBXEkZtbgA=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE=
+go.opentelemetry.io/otel/log v0.14.0 h1:2rzJ+pOAZ8qmZ3DDHg73NEKzSZkhkGIua9gXtxNGgrM=
+go.opentelemetry.io/otel/log v0.14.0/go.mod h1:5jRG92fEAgx0SU/vFPxmJvhIuDU9E1SUnEQrMlJpOno=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/log v0.14.0 h1:JU/U3O7N6fsAXj0+CXz21Czg532dW2V4gG1HE/e8Zrg=
+go.opentelemetry.io/otel/sdk/log v0.14.0/go.mod h1:imQvII+0ZylXfKU7/wtOND8Hn4OpT3YUoIgqJVksUkM=
+go.opentelemetry.io/otel/sdk/log/logtest v0.14.0 h1:Ijbtz+JKXl8T2MngiwqBlPaHqc4YCaP/i13Qrow6gAM=
+go.opentelemetry.io/otel/sdk/log/logtest v0.14.0/go.mod h1:dCU8aEL6q+L9cYTqcVOk8rM9Tp8WdnHOPLiBgp0SGOA=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
+go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
+golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 h1:SbTAbRFnd5kjQXbczszQ0hdk3ctwYf3qBNH9jIsGclE=
-golang.org/x/exp v0.0.0-20250813145105-42675adae3e6/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.30.0 h1:jD5RhkmVAnjqaCUXfbGBrn3lpxbknfN9w2UhHHU+5B4=
-golang.org/x/image v0.30.0/go.mod h1:SAEUTxCCMWSrJcCy/4HwavEsfZZJlYxeHLc6tTiAe/c=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/image v0.32.0 h1:6lZQWq75h7L5IWNk0r+SCpUJ6tUVd3v4ZHnbRKLkUDQ=
+golang.org/x/image v0.32.0/go.mod h1:/R37rrQmKXtO6tYXAjtDLwQgFLHmhW+V6ayXlxzP2Pc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
+golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
-google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
-google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
-google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
+google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
-gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
-modernc.org/cc/v4 v4.26.3 h1:yEN8dzrkRFnn4PUUKXLYIqVf2PJYAEjMTFjO3BDGc3I=
-modernc.org/cc/v4 v4.26.3/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=
-modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=
-modernc.org/fileutil v1.3.15 h1:rJAXTP6ilMW/1+kzDiqmBlHLWszheUFXIyGQIAvjJpY=
-modernc.org/fileutil v1.3.15/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+gorm.io/gorm v1.31.0 h1:0VlycGreVhK7RF/Bwt51Fk8v0xLiiiFdbGDPIZQ7mJY=
+gorm.io/gorm v1.31.0/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
+modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
+modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.66.7 h1:rjhZ8OSCybKWxS1CJr0hikpEi6Vg+944Ouyrd+bQsoY=
-modernc.org/libc v1.66.7/go.mod h1:ln6tbWX0NH+mzApEoDRvilBvAWFt1HX7AUA4VDdVDPM=
+modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
+modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -461,8 +459,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek=
-modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
+modernc.org/sqlite v1.39.1 h1:H+/wGFzuSCIEVCvXYVHX5RQglwhMOvtHSv+VtidL2r4=
+modernc.org/sqlite v1.39.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/backend/internal/bootstrap/app_images_bootstrap.go
+++ b/backend/internal/bootstrap/app_images_bootstrap.go
@@ -2,68 +2,76 @@ package bootstrap

 import (
 	"bytes"
+	"context"
+	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
+	"io"
+	"io/fs"
 	"log/slog"
 	"os"
 	"path"

-	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )

-// initApplicationImages copies the images from the images directory to the application-images directory
+// initApplicationImages copies the images from the embedded directory to the storage backend
 // and returns a map containing the detected file extensions in the application-images directory.
-func initApplicationImages() (map[string]string, error) {
+func initApplicationImages(ctx context.Context, fileStorage storage.FileStorage) (map[string]string, error) {
 	// Previous versions of images
 	// If these are found, they are deleted
 	legacyImageHashes := imageHashMap{
 		"background.jpg": mustDecodeHex("138d510030ed845d1d74de34658acabff562d306476454369a60ab8ade31933f"),
 	}

-	dirPath := common.EnvConfig.UploadPath + "/application-images"
-
 	sourceFiles, err := resources.FS.ReadDir("images")
 	if err != nil && !os.IsNotExist(err) {
 		return nil, fmt.Errorf("failed to read directory: %w", err)
 	}

-	destinationFiles, err := os.ReadDir(dirPath)
-	if err != nil && !os.IsNotExist(err) {
-		return nil, fmt.Errorf("failed to read directory: %w", err)
+	destinationFiles, err := fileStorage.List(ctx, "application-images")
+	if err != nil {
+		if storage.IsNotExist(err) {
+			destinationFiles = []storage.ObjectInfo{}
+		} else {
+			return nil, fmt.Errorf("failed to list application images: %w", err)
+		}
+
 	}
 	dstNameToExt := make(map[string]string, len(destinationFiles))
 	for _, f := range destinationFiles {
-		if f.IsDir() {
-			continue
-		}
-		name := f.Name()
-		nameWithoutExt, ext := utils.SplitFileName(name)
-		destFilePath := path.Join(dirPath, name)
-
 		// Skip directories
-		if f.IsDir() {
+		_, name := path.Split(f.Path)
+		if name == "" {
 			continue
 		}
-
-		h, err := utils.CreateSha256FileHash(destFilePath)
+		nameWithoutExt, ext := utils.SplitFileName(name)
+		reader, _, err := fileStorage.Open(ctx, f.Path)
 		if err != nil {
-			slog.Warn("Failed to get hash for file", slog.String("name", name), slog.Any("error", err))
+			if errors.Is(err, fs.ErrNotExist) {
+				continue
+			}
+			slog.Warn("Failed to open application image for hashing", slog.String("name", name), slog.Any("error", err))
+			continue
+		}
+		hash, err := hashStream(reader)
+		reader.Close()
+		if err != nil {
+			slog.Warn("Failed to hash application image", slog.String("name", name), slog.Any("error", err))
 			continue
 		}

 		// Check if the file is a legacy one - if so, delete it
-		if legacyImageHashes.Contains(h) {
+		if legacyImageHashes.Contains(hash) {
 			slog.Info("Found legacy application image that will be removed", slog.String("name", name))
-			err = os.Remove(destFilePath)
-			if err != nil {
+			if err := fileStorage.Delete(ctx, f.Path); err != nil {
 				return nil, fmt.Errorf("failed to remove legacy file '%s': %w", name, err)
 			}
 			continue
 		}
-
-		// Track existing files
 		dstNameToExt[nameWithoutExt] = ext
 	}

@@ -76,21 +84,21 @@ func initApplicationImages() (map[string]string, error) {
 		name := sourceFile.Name()
 		nameWithoutExt, ext := utils.SplitFileName(name)
 		srcFilePath := path.Join("images", name)
-		destFilePath := path.Join(dirPath, name)

-		// Skip if there's already an image at the path
-		// We do not check the extension because users could have uploaded a different one
 		if _, exists := dstNameToExt[nameWithoutExt]; exists {
 			continue
 		}

 		slog.Info("Writing new application image", slog.String("name", name))
-		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
+		srcFile, err := resources.FS.Open(srcFilePath)
 		if err != nil {
-			return nil, fmt.Errorf("failed to copy file: %w", err)
+			return nil, fmt.Errorf("failed to open embedded file '%s': %w", name, err)
 		}
-
-		// Track the newly copied file so it can be included in the extensions map later
+		if err := fileStorage.Save(ctx, path.Join("application-images", name), srcFile); err != nil {
+			srcFile.Close()
+			return nil, fmt.Errorf("failed to store application image '%s': %w", name, err)
+		}
+		srcFile.Close()
 		dstNameToExt[nameWithoutExt] = ext
 	}

@@ -118,3 +126,11 @@ func mustDecodeHex(str string) []byte {
 	}
 	return b
 }
+
+func hashStream(r io.Reader) ([]byte, error) {
+	h := sha256.New()
+	if _, err := io.Copy(h, r); err != nil {
+		return nil, err
+	}
+	return h.Sum(nil), nil
+}
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -10,6 +10,7 @@ import (

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

@@ -21,19 +22,45 @@ func Bootstrap(ctx context.Context) error {
 	}
 	slog.InfoContext(ctx, "Pocket ID is starting")

-	imageExtensions, err := initApplicationImages()
-	if err != nil {
-		return fmt.Errorf("failed to initialize application images: %w", err)
-	}
-
 	// Connect to the database
 	db, err := NewDatabase()
 	if err != nil {
 		return fmt.Errorf("failed to initialize database: %w", err)
 	}

+	// Initialize the file storage backend
+	var fileStorage storage.FileStorage
+
+	switch common.EnvConfig.FileBackend {
+	case storage.TypeFileSystem:
+		fileStorage, err = storage.NewFilesystemStorage(common.EnvConfig.UploadPath)
+	case storage.TypeDatabase:
+		fileStorage, err = storage.NewDatabaseStorage(db)
+	case storage.TypeS3:
+		s3Cfg := storage.S3Config{
+			Bucket:          common.EnvConfig.S3Bucket,
+			Region:          common.EnvConfig.S3Region,
+			Endpoint:        common.EnvConfig.S3Endpoint,
+			AccessKeyID:     common.EnvConfig.S3AccessKeyID,
+			SecretAccessKey: common.EnvConfig.S3SecretAccessKey,
+			ForcePathStyle:  common.EnvConfig.S3ForcePathStyle,
+			Root:            common.EnvConfig.UploadPath,
+		}
+		fileStorage, err = storage.NewS3Storage(ctx, s3Cfg)
+	default:
+		err = fmt.Errorf("unknown file storage backend: %s", common.EnvConfig.FileBackend)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to initialize file storage (backend: %s): %w", common.EnvConfig.FileBackend, err)
+	}
+
+	imageExtensions, err := initApplicationImages(ctx, fileStorage)
+	if err != nil {
+		return fmt.Errorf("failed to initialize application images: %w", err)
+	}
+
 	// Create all services
-	svc, err := initServices(ctx, db, httpClient, imageExtensions)
+	svc, err := initServices(ctx, db, httpClient, imageExtensions, fileStorage)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -17,7 +17,7 @@ import (
 func init() {
 	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
 		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
-			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService)
+			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService, svc.fileStorage)
 			if err != nil {
 				slog.Error("Failed to initialize test service", slog.Any("error", err))
 				os.Exit(1)
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -41,11 +41,11 @@ func initRouter(db *gorm.DB, svc *services) utils.Service {
 func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
-	case "production":
+	case common.AppEnvProduction:
 		gin.SetMode(gin.ReleaseMode)
-	case "development":
+	case common.AppEnvDevelopment:
 		gin.SetMode(gin.DebugMode)
-	case "test":
+	case common.AppEnvTest:
 		gin.SetMode(gin.TestMode)
 	}

@@ -92,7 +92,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewVersionController(apiGroup, svc.versionService)

 	// Add test controller in non-production environments
-	if common.EnvConfig.AppEnv != "production" {
+	if !common.EnvConfig.AppEnv.IsProduction() {
 		for _, f := range registerTestControllers {
 			f(apiGroup, db, svc)
 		}
--- a/backend/internal/bootstrap/scheduler_bootstrap.go
+++ b/backend/internal/bootstrap/scheduler_bootstrap.go
@@ -23,7 +23,7 @@ func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, http
 	if err != nil {
 		return fmt.Errorf("failed to register DB cleanup jobs in scheduler: %w", err)
 	}
-	err = scheduler.RegisterFileCleanupJobs(ctx, db)
+	err = scheduler.RegisterFileCleanupJobs(ctx, db, svc.fileStorage)
 	if err != nil {
 		return fmt.Errorf("failed to register file cleanup jobs in scheduler: %w", err)
 	}
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -8,6 +8,7 @@ import (
 	"gorm.io/gorm"

 	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 )

 type services struct {
@@ -25,10 +26,11 @@ type services struct {
 	ldapService        *service.LdapService
 	apiKeyService      *service.ApiKeyService
 	versionService     *service.VersionService
+	fileStorage        storage.FileStorage
 }

 // Initializes all services
-func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, imageExtensions map[string]string) (svc *services, err error) {
+func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, imageExtensions map[string]string, fileStorage storage.FileStorage) (svc *services, err error) {
 	svc = &services{}

 	svc.appConfigService, err = service.NewAppConfigService(ctx, db)
@@ -36,7 +38,8 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 		return nil, fmt.Errorf("failed to create app config service: %w", err)
 	}

-	svc.appImagesService = service.NewAppImagesService(imageExtensions)
+	svc.fileStorage = fileStorage
+	svc.appImagesService = service.NewAppImagesService(imageExtensions, fileStorage)

 	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
 	if err != nil {
@@ -56,14 +59,14 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 		return nil, fmt.Errorf("failed to create WebAuthn service: %w", err)
 	}

-	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService, httpClient)
+	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService, httpClient, fileStorage)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create OIDC service: %w", err)
 	}

 	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
-	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService)
-	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
+	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService, svc.appImagesService, fileStorage)
+	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService, fileStorage)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)

 	svc.versionService = service.NewVersionService(httpClient)
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -15,6 +15,7 @@ import (
 	_ "github.com/joho/godotenv/autoload"
 )

+type AppEnv string
 type DbProvider string

 const (
@@ -25,20 +26,31 @@ const (
 )

 const (
+	AppEnvProduction        AppEnv     = "production"
+	AppEnvDevelopment       AppEnv     = "development"
+	AppEnvTest              AppEnv     = "test"
 	DbProviderSqlite        DbProvider = "sqlite"
 	DbProviderPostgres      DbProvider = "postgres"
 	MaxMindGeoLiteCityUrl   string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 	defaultSqliteConnString string     = "data/pocket-id.db"
+	defaultFsUploadPath     string     = "data/uploads"
 	AppUrl                  string     = "http://localhost:1411"
 )

 type EnvConfigSchema struct {
-	AppEnv             string     `env:"APP_ENV" options:"toLower"`
+	AppEnv             AppEnv     `env:"APP_ENV" options:"toLower"`
 	LogLevel           string     `env:"LOG_LEVEL" options:"toLower"`
-	AppURL             string     `env:"APP_URL" options:"toLower"`
+	AppURL             string     `env:"APP_URL" options:"toLower,trimTrailingSlash"`
 	DbProvider         DbProvider `env:"DB_PROVIDER" options:"toLower"`
 	DbConnectionString string     `env:"DB_CONNECTION_STRING" options:"file"`
+	FileBackend        string     `env:"FILE_BACKEND" options:"toLower"`
 	UploadPath         string     `env:"UPLOAD_PATH"`
+	S3Bucket           string     `env:"S3_BUCKET"`
+	S3Region           string     `env:"S3_REGION"`
+	S3Endpoint         string     `env:"S3_ENDPOINT"`
+	S3AccessKeyID      string     `env:"S3_ACCESS_KEY_ID"`
+	S3SecretAccessKey  string     `env:"S3_SECRET_ACCESS_KEY"`
+	S3ForcePathStyle   bool       `env:"S3_FORCE_PATH_STYLE"`
 	KeysPath           string     `env:"KEYS_PATH"`
 	KeysStorage        string     `env:"KEYS_STORAGE"`
 	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
@@ -72,30 +84,16 @@ func init() {

 func defaultConfig() EnvConfigSchema {
 	return EnvConfigSchema{
-		AppEnv:             "production",
-		LogLevel:           "info",
-		DbProvider:         "sqlite",
-		DbConnectionString: "",
-		UploadPath:         "data/uploads",
-		KeysPath:           "data/keys",
-		KeysStorage:        "", // "database" or "file"
-		EncryptionKey:      nil,
-		AppURL:             AppUrl,
-		Port:               "1411",
-		Host:               "0.0.0.0",
-		UnixSocket:         "",
-		UnixSocketMode:     "",
-		MaxMindLicenseKey:  "",
-		GeoLiteDBPath:      "data/GeoLite2-City.mmdb",
-		GeoLiteDBUrl:       MaxMindGeoLiteCityUrl,
-		LocalIPv6Ranges:    "",
-		UiConfigDisabled:   false,
-		MetricsEnabled:     false,
-		TracingEnabled:     false,
-		TrustProxy:         false,
-		AnalyticsDisabled:  false,
-		AllowDowngrade:     false,
-		InternalAppURL:     "",
+		AppEnv:        AppEnvProduction,
+		LogLevel:      "info",
+		DbProvider:    "sqlite",
+		FileBackend:   "fs",
+		KeysPath:      "data/keys",
+		AppURL:        AppUrl,
+		Port:          "1411",
+		Host:          "0.0.0.0",
+		GeoLiteDBPath: "data/GeoLite2-City.mmdb",
+		GeoLiteDBUrl:  MaxMindGeoLiteCityUrl,
 	}
 }

@@ -181,6 +179,21 @@ func validateEnvConfig(config *EnvConfigSchema) error {
 		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
 	}

+	switch config.FileBackend {
+	case "s3":
+		if config.KeysStorage == "file" {
+			return errors.New("KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
+		}
+	case "database":
+		// All good, these are valid values
+	case "", "fs":
+		if config.UploadPath == "" {
+			config.UploadPath = defaultFsUploadPath
+		}
+	default:
+		return errors.New("invalid FILE_BACKEND value. Must be 'fs', 'database', or 's3'")
+	}
+
 	// Validate LOCAL_IPV6_RANGES
 	ranges := strings.Split(config.LocalIPv6Ranges, ",")
 	for _, rangeStr := range ranges {
@@ -227,6 +240,10 @@ func prepareEnvConfig(config *EnvConfigSchema) error {
 				if err != nil {
 					return err
 				}
+			case "trimTrailingSlash":
+				if field.Kind() == reflect.String {
+					field.SetString(strings.TrimRight(field.String(), "/"))
+				}
 			}
 		}
 	}
@@ -275,3 +292,11 @@ func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructFi

 	return nil
 }
+
+func (a AppEnv) IsProduction() bool {
+	return a == AppEnvProduction
+}
+
+func (a AppEnv) IsTest() bool {
+	return a == AppEnvTest
+}
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -192,7 +192,7 @@ func TestParseEnvConfig(t *testing.T) {
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
 		t.Setenv("APP_URL", "https://prod.example.com")
-		t.Setenv("APP_ENV", "STAGING")
+		t.Setenv("APP_ENV", "PRODUCTION")
 		t.Setenv("UPLOAD_PATH", "/custom/uploads")
 		t.Setenv("KEYS_PATH", "/custom/keys")
 		t.Setenv("PORT", "8080")
@@ -203,11 +203,49 @@ func TestParseEnvConfig(t *testing.T) {

 		err := parseEnvConfig()
 		require.NoError(t, err)
-		assert.Equal(t, "staging", EnvConfig.AppEnv) // lowercased
+		assert.Equal(t, AppEnvProduction, EnvConfig.AppEnv) // lowercased
 		assert.Equal(t, "/custom/uploads", EnvConfig.UploadPath)
 		assert.Equal(t, "8080", EnvConfig.Port)
 		assert.Equal(t, "localhost", EnvConfig.Host) // lowercased
 	})
+
+	t.Run("should normalize file backend and default upload path", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "FS")
+		t.Setenv("UPLOAD_PATH", "")
+
+		err := parseEnvConfig()
+		require.NoError(t, err)
+		assert.Equal(t, "fs", EnvConfig.FileBackend)
+		assert.Equal(t, defaultFsUploadPath, EnvConfig.UploadPath)
+	})
+
+	t.Run("should fail when FILE_BACKEND is s3 but keys are stored on filesystem", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "s3")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "KEYS_STORAGE cannot be 'file' when FILE_BACKEND is 's3'")
+	})
+
+	t.Run("should fail with invalid FILE_BACKEND value", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("FILE_BACKEND", "invalid")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "invalid FILE_BACKEND value")
+	})
 }

 func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
@@ -241,7 +279,7 @@ func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 		err := prepareEnvConfig(&config)
 		require.NoError(t, err)

-		assert.Equal(t, "staging", config.AppEnv)
+		assert.Equal(t, AppEnv("staging"), config.AppEnv)
 		assert.Equal(t, "localhost", config.Host)
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, dbConnContent, config.DbConnectionString)
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -388,3 +388,13 @@ func (e *UserEmailNotSetError) Error() string {
 func (e *UserEmailNotSetError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
+
+type ImageNotFoundError struct{}
+
+func (e *ImageNotFoundError) Error() string {
+	return "Image not found"
+}
+
+func (e *ImageNotFoundError) HttpStatusCode() int {
+	return http.StatusNotFound
+}
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -45,15 +45,11 @@ func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.Auth
 // @Success 200 {object} dto.Paginated[dto.ApiKeyDto]
 // @Router /api/api-keys [get]
 func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(ctx)
+
 	userID := ctx.GetString("userID")

-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := ctx.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = ctx.Error(err)
-		return
-	}
-
-	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, sortedPaginationRequest)
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, listRequestOptions)
 	if err != nil {
 		_ = ctx.Error(err)
 		return
--- a/backend/internal/controller/app_images_controller.go
+++ b/backend/internal/controller/app_images_controller.go
@@ -25,10 +25,14 @@ func NewAppImagesController(
 	group.GET("/application-images/logo", controller.getLogoHandler)
 	group.GET("/application-images/background", controller.getBackgroundImageHandler)
 	group.GET("/application-images/favicon", controller.getFaviconHandler)
+	group.GET("/application-images/default-profile-picture", authMiddleware.Add(), controller.getDefaultProfilePicture)

 	group.PUT("/application-images/logo", authMiddleware.Add(), controller.updateLogoHandler)
 	group.PUT("/application-images/background", authMiddleware.Add(), controller.updateBackgroundImageHandler)
 	group.PUT("/application-images/favicon", authMiddleware.Add(), controller.updateFaviconHandler)
+	group.PUT("/application-images/default-profile-picture", authMiddleware.Add(), controller.updateDefaultProfilePicture)
+
+	group.DELETE("/application-images/default-profile-picture", authMiddleware.Add(), controller.deleteDefaultProfilePicture)
 }

 type AppImagesController struct {
@@ -78,6 +82,18 @@ func (c *AppImagesController) getFaviconHandler(ctx *gin.Context) {
 	c.getImage(ctx, "favicon")
 }

+// getDefaultProfilePicture godoc
+// @Summary Get default profile picture image
+// @Description Get the default profile picture image for the application
+// @Tags Application Images
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Default profile picture image"
+// @Router /api/application-images/default-profile-picture [get]
+func (c *AppImagesController) getDefaultProfilePicture(ctx *gin.Context) {
+	c.getImage(ctx, "default-profile-picture")
+}
+
 // updateLogoHandler godoc
 // @Summary Update logo
 // @Description Update the application logo
@@ -100,7 +116,7 @@ func (c *AppImagesController) updateLogoHandler(ctx *gin.Context) {
 		imageName = "logoDark"
 	}

-	if err := c.appImagesService.UpdateImage(file, imageName); err != nil {
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, imageName); err != nil {
 		_ = ctx.Error(err)
 		return
 	}
@@ -123,7 +139,7 @@ func (c *AppImagesController) updateBackgroundImageHandler(ctx *gin.Context) {
 		return
 	}

-	if err := c.appImagesService.UpdateImage(file, "background"); err != nil {
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "background"); err != nil {
 		_ = ctx.Error(err)
 		return
 	}
@@ -152,7 +168,7 @@ func (c *AppImagesController) updateFaviconHandler(ctx *gin.Context) {
 		return
 	}

-	if err := c.appImagesService.UpdateImage(file, "favicon"); err != nil {
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "favicon"); err != nil {
 		_ = ctx.Error(err)
 		return
 	}
@@ -161,13 +177,52 @@ func (c *AppImagesController) updateFaviconHandler(ctx *gin.Context) {
 }

 func (c *AppImagesController) getImage(ctx *gin.Context, name string) {
-	imagePath, mimeType, err := c.appImagesService.GetImage(name)
+	reader, size, mimeType, err := c.appImagesService.GetImage(ctx.Request.Context(), name)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+	defer reader.Close()
+
+	ctx.Header("Content-Type", mimeType)
+	utils.SetCacheControlHeader(ctx, 15*time.Minute, 24*time.Hour)
+	ctx.DataFromReader(http.StatusOK, size, mimeType, reader, nil)
+}
+
+// updateDefaultProfilePicture godoc
+// @Summary Update default profile picture image
+// @Description Update the default profile picture image
+// @Tags Application Images
+// @Accept multipart/form-data
+// @Param file formData file true "Profile picture image file"
+// @Success 204 "No Content"
+// @Router /api/application-images/default-profile-picture [put]
+func (c *AppImagesController) updateDefaultProfilePicture(ctx *gin.Context) {
+	file, err := ctx.FormFile("file")
 	if err != nil {
 		_ = ctx.Error(err)
 		return
 	}

-	ctx.Header("Content-Type", mimeType)
-	utils.SetCacheControlHeader(ctx, 15*time.Minute, 24*time.Hour)
-	ctx.File(imagePath)
+	if err := c.appImagesService.UpdateImage(ctx.Request.Context(), file, "default-profile-picture"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
+// deleteDefaultProfilePicture godoc
+// @Summary Delete default profile picture image
+// @Description Delete the default profile picture image
+// @Tags Application Images
+// @Success 204 "No Content"
+// @Router /api/application-images/default-profile-picture [delete]
+func (c *AppImagesController) deleteDefaultProfilePicture(ctx *gin.Context) {
+	if err := c.appImagesService.DeleteImage(ctx.Request.Context(), "default-profile-picture"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -41,18 +41,12 @@ type AuditLogController struct {
 // @Success 200 {object} dto.Paginated[dto.AuditLogDto]
 // @Router /api/audit-logs [get]
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
-	var sortedPaginationRequest utils.SortedPaginationRequest
-
-	err := c.ShouldBindQuery(&sortedPaginationRequest)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

 	userID := c.GetString("userID")

 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, sortedPaginationRequest)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -86,26 +80,12 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 // @Param pagination[limit] query int false "Number of items per page" default(20)
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
-// @Param filters[userId] query string false "Filter by user ID"
-// @Param filters[event] query string false "Filter by event type"
-// @Param filters[clientName] query string false "Filter by client name"
-// @Param filters[location] query string false "Filter by location type (external or internal)"
 // @Success 200 {object} dto.Paginated[dto.AuditLogDto]
 // @Router /api/audit-logs/all [get]
 func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

-	var filters dto.AuditLogFilterDto
-	if err := c.ShouldBindQuery(&filters); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), sortedPaginationRequest, filters)
+	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"

@@ -357,6 +358,7 @@ func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
 	clientDto := dto.OidcClientMetaDataDto{}
 	err = dto.MapStruct(client, &clientDto)
 	if err == nil {
+		clientDto.HasDarkLogo = client.HasDarkLogo()
 		c.JSON(http.StatusOK, clientDto)
 		return
 	}
@@ -403,13 +405,9 @@ func (oc *OidcController) getClientHandler(c *gin.Context) {
 // @Router /api/oidc/clients [get]
 func (oc *OidcController) listClientsHandler(c *gin.Context) {
 	searchTerm := c.Query("search")
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

-	clients, pagination, err := oc.oidcService.ListClients(c.Request.Context(), searchTerm, sortedPaginationRequest)
+	clients, pagination, err := oc.oidcService.ListClients(c.Request.Context(), searchTerm, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -423,6 +421,7 @@ func (oc *OidcController) listClientsHandler(c *gin.Context) {
 			_ = c.Error(err)
 			return
 		}
+		clientDto.HasDarkLogo = client.HasDarkLogo()
 		clientDto.AllowedUserGroupsCount, err = oc.oidcService.GetAllowedGroupsCountOfClient(c, client.ID)
 		if err != nil {
 			_ = c.Error(err)
@@ -543,19 +542,23 @@ func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
 // @Produce image/jpeg
 // @Produce image/svg+xml
 // @Param id path string true "Client ID"
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
 // @Success 200 {file} binary "Logo image"
 // @Router /api/oidc/clients/{id}/logo [get]
 func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
-	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Request.Context(), c.Param("id"))
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))
+
+	reader, size, mimeType, err := oc.oidcService.GetClientLogo(c.Request.Context(), c.Param("id"), lightLogo)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
+	defer reader.Close()

 	utils.SetCacheControlHeader(c, 15*time.Minute, 12*time.Hour)

 	c.Header("Content-Type", mimeType)
-	c.File(imagePath)
+	c.DataFromReader(http.StatusOK, size, mimeType, reader, nil)
 }

 // updateClientLogoHandler godoc
@@ -565,6 +568,7 @@ func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 // @Accept multipart/form-data
 // @Param id path string true "Client ID"
 // @Param file formData file true "Logo image file (PNG, JPG, or SVG)"
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
 // @Success 204 "No Content"
 // @Router /api/oidc/clients/{id}/logo [post]
 func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
@@ -574,7 +578,9 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 		return
 	}

-	err = oc.oidcService.UpdateClientLogo(c.Request.Context(), c.Param("id"), file)
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))
+
+	err = oc.oidcService.UpdateClientLogo(c.Request.Context(), c.Param("id"), file, lightLogo)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -588,10 +594,19 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 // @Description Delete the logo for an OIDC client
 // @Tags OIDC
 // @Param id path string true "Client ID"
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
 // @Success 204 "No Content"
 // @Router /api/oidc/clients/{id}/logo [delete]
 func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClientLogo(c.Request.Context(), c.Param("id"))
+	var err error
+
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))
+	if lightLogo {
+		err = oc.oidcService.DeleteClientLogo(c.Request.Context(), c.Param("id"))
+	} else {
+		err = oc.oidcService.DeleteClientDarkLogo(c.Request.Context(), c.Param("id"))
+	}
+
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -628,6 +643,7 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
 		_ = c.Error(err)
 		return
 	}
+	oidcClientDto.HasDarkLogo = oidcClient.HasDarkLogo()

 	c.JSON(http.StatusOK, oidcClientDto)
 }
@@ -685,12 +701,9 @@ func (oc *OidcController) listAuthorizedClientsHandler(c *gin.Context) {
 }

 func (oc *OidcController) listAuthorizedClients(c *gin.Context, userID string) {
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
-	authorizedClients, pagination, err := oc.oidcService.ListAuthorizedClients(c.Request.Context(), userID, sortedPaginationRequest)
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	authorizedClients, pagination, err := oc.oidcService.ListAuthorizedClients(c.Request.Context(), userID, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -741,15 +754,11 @@ func (oc *OidcController) revokeOwnClientAuthorizationHandler(c *gin.Context) {
 // @Success 200 {object} dto.Paginated[dto.AccessibleOidcClientDto]
 // @Router /api/oidc/users/me/clients [get]
 func (oc *OidcController) listOwnAccessibleClientsHandler(c *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
 	userID := c.GetString("userID")

-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	clients, pagination, err := oc.oidcService.ListAccessibleOidcClients(c.Request.Context(), userID, sortedPaginationRequest)
+	clients, pagination, err := oc.oidcService.ListAccessibleOidcClients(c.Request.Context(), userID, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -104,13 +104,9 @@ func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 // @Router /api/users [get]
 func (uc *UserController) listUsersHandler(c *gin.Context) {
 	searchTerm := c.Query("search")
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

-	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, sortedPaginationRequest)
+	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -290,7 +286,7 @@ func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
 	}
 	defer file.Close()

-	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+	if err := uc.userService.UpdateProfilePicture(c.Request.Context(), userID, file); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -321,7 +317,7 @@ func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context)
 	}
 	defer file.Close()

-	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+	if err := uc.userService.UpdateProfilePicture(c.Request.Context(), userID, file); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -574,13 +570,9 @@ func (uc *UserController) createSignupTokenHandler(c *gin.Context) {
 // @Success 200 {object} dto.Paginated[dto.SignupTokenDto]
 // @Router /api/signup-tokens [get]
 func (uc *UserController) listSignupTokensHandler(c *gin.Context) {
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

-	tokens, pagination, err := uc.userService.ListSignupTokens(c.Request.Context(), sortedPaginationRequest)
+	tokens, pagination, err := uc.userService.ListSignupTokens(c.Request.Context(), listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -695,7 +687,7 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
 	userID := c.Param("id")

-	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+	if err := uc.userService.ResetProfilePicture(c.Request.Context(), userID); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -713,7 +705,7 @@ func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
 func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context) {
 	userID := c.GetString("userID")

-	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+	if err := uc.userService.ResetProfilePicture(c.Request.Context(), userID); err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -47,16 +47,10 @@ type UserGroupController struct {
 // @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
 // @Router /api/user-groups [get]
 func (ugc *UserGroupController) list(c *gin.Context) {
-	ctx := c.Request.Context()
-
 	searchTerm := c.Query("search")
-	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		_ = c.Error(err)
-		return
-	}
+	listRequestOptions := utils.ParseListRequestOptions(c)

-	groups, pagination, err := ugc.UserGroupService.List(ctx, searchTerm, sortedPaginationRequest)
+	groups, pagination, err := ugc.UserGroupService.List(c, searchTerm, listRequestOptions)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -70,7 +64,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 			_ = c.Error(err)
 			return
 		}
-		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(ctx, group.ID)
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(c.Request.Context(), group.ID)
 		if err != nil {
 			_ = c.Error(err)
 			return
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -57,7 +57,7 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 	}

 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request, c.ClientIP())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -134,8 +134,10 @@ func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")
+	clientIP := c.ClientIP()
+	userAgent := c.Request.UserAgent()

-	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -17,10 +17,3 @@ type AuditLogDto struct {
 	Username  string            `json:"username"`
 	Data      map[string]string `json:"data"`
 }
-
-type AuditLogFilterDto struct {
-	UserID     string `form:"filters[userId]"`
-	Event      string `form:"filters[event]"`
-	ClientName string `form:"filters[clientName]"`
-	Location   string `form:"filters[location]"`
-}
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -6,6 +6,7 @@ type OidcClientMetaDataDto struct {
 	ID                       string  `json:"id"`
 	Name                     string  `json:"name"`
 	HasLogo                  bool    `json:"hasLogo"`
+	HasDarkLogo              bool    `json:"hasDarkLogo"`
 	LaunchURL                *string `json:"launchURL"`
 	RequiresReauthentication bool    `json:"requiresReauthentication"`
 }
@@ -39,7 +40,9 @@ type OidcClientUpdateDto struct {
 	Credentials              OidcClientCredentialsDto `json:"credentials"`
 	LaunchURL                *string                  `json:"launchURL" binding:"omitempty,url"`
 	HasLogo                  bool                     `json:"hasLogo"`
+	HasDarkLogo              bool                     `json:"hasDarkLogo"`
 	LogoURL                  *string                  `json:"logoUrl"`
+	DarkLogoURL              *string                  `json:"darkLogoUrl"`
 }

 type OidcClientCreateDto struct {
--- a/backend/internal/job/analytics_job.go
+++ b/backend/internal/job/analytics_job.go
@@ -19,7 +19,7 @@ const heartbeatUrl = "https://analytics.pocket-id.org/heartbeat"

 func (s *Scheduler) RegisterAnalyticsJob(ctx context.Context, appConfig *service.AppConfigService, httpClient *http.Client) error {
 	// Skip if analytics are disabled or not in production environment
-	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
+	if common.EnvConfig.AnalyticsDisabled || !common.EnvConfig.AppEnv.IsProduction() {
 		return nil
 	}

@@ -39,7 +39,7 @@ type AnalyticsJob struct {
 // sendHeartbeat sends a heartbeat to the analytics service
 func (j *AnalyticsJob) sendHeartbeat(parentCtx context.Context) error {
 	// Skip if analytics are disabled or not in production environment
-	if common.EnvConfig.AnalyticsDisabled || common.EnvConfig.AppEnv != "production" {
+	if common.EnvConfig.AnalyticsDisabled || !common.EnvConfig.AppEnv.IsProduction() {
 		return nil
 	}

--- a/backend/internal/job/file_cleanup_job.go
+++ b/backend/internal/job/file_cleanup_job.go
@@ -2,29 +2,36 @@ package job

 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
-	"os"
-	"path/filepath"
+	"path"
 	"strings"
 	"time"

 	"github.com/go-co-op/gocron/v2"
 	"gorm.io/gorm"

-	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 )

-func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) error {
-	jobs := &FileCleanupJobs{db: db}
+func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB, fileStorage storage.FileStorage) error {
+	jobs := &FileCleanupJobs{db: db, fileStorage: fileStorage}

-	// Run every 24 hours
-	return s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", gocron.DurationJob(24*time.Hour), jobs.clearUnusedDefaultProfilePictures, false)
+	err := s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", gocron.DurationJob(24*time.Hour), jobs.clearUnusedDefaultProfilePictures, false)
+
+	// Only necessary for file system storage
+	if fileStorage.Type() == storage.TypeFileSystem {
+		err = errors.Join(err, s.registerJob(ctx, "ClearOrphanedTempFiles", gocron.DurationJob(12*time.Hour), jobs.clearOrphanedTempFiles, true))
+	}
+
+	return err
 }

 type FileCleanupJobs struct {
-	db *gorm.DB
+	db          *gorm.DB
+	fileStorage storage.FileStorage
 }

 // ClearUnusedDefaultProfilePictures deletes default profile pictures that don't match any user's initials
@@ -44,29 +51,24 @@ func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context)
 		initialsInUse[user.Initials()] = struct{}{}
 	}

-	defaultPicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults"
-	if _, err := os.Stat(defaultPicturesDir); os.IsNotExist(err) {
-		return nil
-	}
-
-	files, err := os.ReadDir(defaultPicturesDir)
+	defaultPicturesDir := path.Join("profile-pictures", "defaults")
+	files, err := j.fileStorage.List(ctx, defaultPicturesDir)
 	if err != nil {
-		return fmt.Errorf("failed to read default profile pictures directory: %w", err)
+		return fmt.Errorf("failed to list default profile pictures: %w", err)
 	}

 	filesDeleted := 0
 	for _, file := range files {
-		if file.IsDir() {
-			continue // Skip directories
+		_, filename := path.Split(file.Path)
+		if filename == "" {
+			continue
 		}
-
-		filename := file.Name()
 		initials := strings.TrimSuffix(filename, ".png")

 		// If these initials aren't used by any user, delete the file
 		if _, ok := initialsInUse[initials]; !ok {
-			filePath := filepath.Join(defaultPicturesDir, filename)
-			if err := os.Remove(filePath); err != nil {
+			filePath := path.Join(defaultPicturesDir, filename)
+			if err := j.fileStorage.Delete(ctx, filePath); err != nil {
 				slog.ErrorContext(ctx, "Failed to delete unused default profile picture", slog.String("path", filePath), slog.Any("error", err))
 			} else {
 				filesDeleted++
@@ -77,3 +79,34 @@ func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context)
 	slog.Info("Done deleting unused default profile pictures", slog.Int("count", filesDeleted))
 	return nil
 }
+
+// clearOrphanedTempFiles deletes temporary files that are produced by failed atomic writes
+func (j *FileCleanupJobs) clearOrphanedTempFiles(ctx context.Context) error {
+	const minAge = 10 * time.Minute
+
+	var deleted int
+	err := j.fileStorage.Walk(ctx, "/", func(p storage.ObjectInfo) error {
+		// Only temp files
+		if !strings.HasSuffix(p.Path, "-tmp") {
+			return nil
+		}
+
+		if time.Since(p.ModTime) < minAge {
+			return nil
+		}
+
+		if err := j.fileStorage.Delete(ctx, p.Path); err != nil {
+			slog.ErrorContext(ctx, "Failed to delete temp file", slog.String("path", p.Path), slog.Any("error", err))
+			return nil
+		}
+		deleted++
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to scan storage: %w", err)
+	}
+
+	slog.Info("Done cleaning orphaned temp files", slog.Int("count", deleted))
+	return nil
+}
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -29,7 +29,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {

 		// Skip rate limiting for localhost and test environment
 		// If the client ip is localhost the request comes from the frontend
-		if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv == "test" {
+		if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv.IsTest() {
 			c.Next()
 			return
 		}
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -3,13 +3,14 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"fmt"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type AuditLog struct {
 	Base

-	Event     AuditLogEvent `sortable:"true"`
+	Event     AuditLogEvent `sortable:"true" filterable:"true"`
 	IpAddress *string       `sortable:"true"`
 	Country   string        `sortable:"true"`
 	City      string        `sortable:"true"`
@@ -17,7 +18,7 @@ type AuditLog struct {
 	Username  string        `gorm:"-"`
 	Data      AuditLogData

-	UserID string
+	UserID string `filterable:"true"`
 	User   User
 }

@@ -33,6 +34,8 @@ const (
 	AuditLogEventNewClientAuthorization     AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 	AuditLogEventDeviceCodeAuthorization    AuditLogEvent = "DEVICE_CODE_AUTHORIZATION"
 	AuditLogEventNewDeviceCodeAuthorization AuditLogEvent = "NEW_DEVICE_CODE_AUTHORIZATION"
+	AuditLogEventPasskeyAdded               AuditLogEvent = "PASSKEY_ADDED"
+	AuditLogEventPasskeyRemoved             AuditLogEvent = "PASSKEY_REMOVED"
 )

 // Scan and Value methods for GORM to handle the custom type
@@ -47,14 +50,7 @@ func (e AuditLogEvent) Value() (driver.Value, error) {
 }

 func (d *AuditLogData) Scan(value any) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, d)
-	case string:
-		return json.Unmarshal([]byte(v), d)
-	default:
-		return fmt.Errorf("unsupported type: %T", value)
-	}
+	return utils.UnmarshalJSONFromDatabase(d, value)
 }

 func (d AuditLogData) Value() (driver.Value, error) {
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -3,10 +3,10 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"fmt"
 	"strings"

 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type UserAuthorizedOidcClient struct {
@@ -52,9 +52,10 @@ type OidcClient struct {
 	CallbackURLs             UrlList
 	LogoutCallbackURLs       UrlList
 	ImageType                *string
+	DarkImageType            *string
 	IsPublic                 bool
-	PkceEnabled              bool
-	RequiresReauthentication bool
+	PkceEnabled              bool `sortable:"true" filterable:"true"`
+	RequiresReauthentication bool `sortable:"true" filterable:"true"`
 	Credentials              OidcClientCredentials
 	LaunchURL                *string

@@ -68,6 +69,10 @@ func (c OidcClient) HasLogo() bool {
 	return c.ImageType != nil && *c.ImageType != ""
 }

+func (c OidcClient) HasDarkLogo() bool {
+	return c.DarkImageType != nil && *c.DarkImageType != ""
+}
+
 type OidcRefreshToken struct {
 	Base

@@ -116,14 +121,7 @@ func (occ OidcClientCredentials) FederatedIdentityForIssuer(issuer string) (Oidc
 }

 func (occ *OidcClientCredentials) Scan(value any) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, occ)
-	case string:
-		return json.Unmarshal([]byte(v), occ)
-	default:
-		return fmt.Errorf("unsupported type: %T", value)
-	}
+	return utils.UnmarshalJSONFromDatabase(occ, value)
 }

 func (occ OidcClientCredentials) Value() (driver.Value, error) {
@@ -133,14 +131,7 @@ func (occ OidcClientCredentials) Value() (driver.Value, error) {
 type UrlList []string //nolint:recvcheck

 func (cu *UrlList) Scan(value any) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, cu)
-	case string:
-		return json.Unmarshal([]byte(v), cu)
-	default:
-		return fmt.Errorf("unsupported type: %T", value)
-	}
+	return utils.UnmarshalJSONFromDatabase(cu, value)
 }

 func (cu UrlList) Value() (driver.Value, error) {
--- a/backend/internal/model/storage.go
+++ b/backend/internal/model/storage.go
@@ -0,0 +1,17 @@
+package model
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type Storage struct {
+	Path      string `gorm:"primaryKey"`
+	Data      []byte
+	Size      int64
+	ModTime   datatype.DateTime
+	CreatedAt datatype.DateTime
+}
+
+func (Storage) TableName() string {
+	return "storage"
+}
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -18,10 +18,10 @@ type User struct {
 	FirstName   string  `sortable:"true"`
 	LastName    string  `sortable:"true"`
 	DisplayName string  `sortable:"true"`
-	IsAdmin     bool    `sortable:"true"`
+	IsAdmin     bool    `sortable:"true" filterable:"true"`
 	Locale      *string
 	LdapID      *string
-	Disabled    bool `sortable:"true"`
+	Disabled    bool `sortable:"true" filterable:"true"`

 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -3,11 +3,11 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"fmt"
 	"time"

 	"github.com/go-webauthn/webauthn/protocol"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type WebauthnSession struct {
@@ -16,6 +16,7 @@ type WebauthnSession struct {
 	Challenge        string
 	ExpiresAt        datatype.DateTime
 	UserVerification string
+	CredentialParams CredentialParameters
 }

 type WebauthnCredential struct {
@@ -58,16 +59,20 @@ type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvc

 // Scan and Value methods for GORM to handle the custom type
 func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
-	switch v := value.(type) {
-	case []byte:
-		return json.Unmarshal(v, atl)
-	case string:
-		return json.Unmarshal([]byte(v), atl)
-	default:
-		return fmt.Errorf("unsupported type: %T", value)
-	}
+	return utils.UnmarshalJSONFromDatabase(atl, value)
 }

 func (atl AuthenticatorTransportList) Value() (driver.Value, error) {
 	return json.Marshal(atl)
 }
+
+type CredentialParameters []protocol.CredentialParameter //nolint:recvcheck
+
+// Scan and Value methods for GORM to handle the custom type
+func (cp *CredentialParameters) Scan(value interface{}) error {
+	return utils.UnmarshalJSONFromDatabase(cp, value)
+}
+
+func (cp CredentialParameters) Value() (driver.Value, error) {
+	return json.Marshal(cp)
+}
--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -25,14 +25,14 @@ func NewApiKeyService(db *gorm.DB, emailService *EmailService) *ApiKeyService {
 	return &ApiKeyService{db: db, emailService: emailService}
 }

-func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
+func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, listRequestOptions utils.ListRequestOptions) ([]model.ApiKey, utils.PaginationResponse, error) {
 	query := s.db.
 		WithContext(ctx).
 		Where("user_id = ?", userID).
 		Model(&model.ApiKey{})

 	var apiKeys []model.ApiKey
-	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &apiKeys)
+	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &apiKeys)
 	if err != nil {
 		return nil, utils.PaginationResponse{}, err
 	}
--- a/backend/internal/service/app_images_service.go
+++ b/backend/internal/service/app_images_service.go
@@ -1,42 +1,52 @@
 package service

 import (
+	"context"
 	"fmt"
+	"io"
 	"mime/multipart"
-	"os"
-	"path/filepath"
+	"path"
 	"strings"
 	"sync"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type AppImagesService struct {
 	mu         sync.RWMutex
 	extensions map[string]string
+	storage    storage.FileStorage
 }

-func NewAppImagesService(extensions map[string]string) *AppImagesService {
-	return &AppImagesService{extensions: extensions}
+func NewAppImagesService(extensions map[string]string, storage storage.FileStorage) *AppImagesService {
+	return &AppImagesService{extensions: extensions, storage: storage}
 }

-func (s *AppImagesService) GetImage(name string) (string, string, error) {
+func (s *AppImagesService) GetImage(ctx context.Context, name string) (io.ReadCloser, int64, string, error) {
 	ext, err := s.getExtension(name)
 	if err != nil {
-		return "", "", err
+		return nil, 0, "", err
 	}

 	mimeType := utils.GetImageMimeType(ext)
 	if mimeType == "" {
-		return "", "", fmt.Errorf("unsupported image type '%s'", ext)
+		return nil, 0, "", fmt.Errorf("unsupported image type '%s'", ext)
 	}

-	imagePath := filepath.Join(common.EnvConfig.UploadPath, "application-images", fmt.Sprintf("%s.%s", name, ext))
-	return imagePath, mimeType, nil
+	imagePath := path.Join("application-images", name+"."+ext)
+	reader, size, err := s.storage.Open(ctx, imagePath)
+	if err != nil {
+		if storage.IsNotExist(err) {
+			return nil, 0, "", &common.ImageNotFoundError{}
+		}
+		return nil, 0, "", err
+	}
+	return reader, size, mimeType, nil
 }

-func (s *AppImagesService) UpdateImage(file *multipart.FileHeader, imageName string) error {
+func (s *AppImagesService) UpdateImage(ctx context.Context, file *multipart.FileHeader, imageName string) error {
 	fileType := strings.ToLower(utils.GetFileExtension(file.Filename))
 	mimeType := utils.GetImageMimeType(fileType)
 	if mimeType == "" {
@@ -48,18 +58,23 @@ func (s *AppImagesService) UpdateImage(file *multipart.FileHeader, imageName str

 	currentExt, ok := s.extensions[imageName]
 	if !ok {
-		return fmt.Errorf("unknown application image '%s'", imageName)
+		s.extensions[imageName] = fileType
 	}

-	imagePath := filepath.Join(common.EnvConfig.UploadPath, "application-images", fmt.Sprintf("%s.%s", imageName, fileType))
+	imagePath := path.Join("application-images", imageName+"."+fileType)
+	fileReader, err := file.Open()
+	if err != nil {
+		return err
+	}
+	defer fileReader.Close()

-	if err := utils.SaveFile(file, imagePath); err != nil {
+	if err := s.storage.Save(ctx, imagePath, fileReader); err != nil {
 		return err
 	}

 	if currentExt != "" && currentExt != fileType {
-		oldImagePath := filepath.Join(common.EnvConfig.UploadPath, "application-images", fmt.Sprintf("%s.%s", imageName, currentExt))
-		if err := os.Remove(oldImagePath); err != nil && !os.IsNotExist(err) {
+		oldImagePath := path.Join("application-images", imageName+"."+currentExt)
+		if err := s.storage.Delete(ctx, oldImagePath); err != nil {
 			return err
 		}
 	}
@@ -69,13 +84,39 @@ func (s *AppImagesService) UpdateImage(file *multipart.FileHeader, imageName str
 	return nil
 }

+func (s *AppImagesService) DeleteImage(ctx context.Context, imageName string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	ext, ok := s.extensions[imageName]
+	if !ok || ext == "" {
+		return &common.ImageNotFoundError{}
+	}
+
+	imagePath := path.Join("application-images", imageName+"."+ext)
+	if err := s.storage.Delete(ctx, imagePath); err != nil {
+		return err
+	}
+
+	delete(s.extensions, imageName)
+	return nil
+}
+
+func (s *AppImagesService) IsDefaultProfilePictureSet() bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	_, ok := s.extensions["default-profile-picture"]
+	return ok
+}
+
 func (s *AppImagesService) getExtension(name string) (string, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()

 	ext, ok := s.extensions[name]
 	if !ok || ext == "" {
-		return "", fmt.Errorf("unknown application image '%s'", name)
+		return "", &common.ImageNotFoundError{}
 	}

 	return strings.ToLower(ext), nil
--- a/backend/internal/service/app_images_service_test.go
+++ b/backend/internal/service/app_images_service_test.go
@@ -2,66 +2,92 @@ package service

 import (
 	"bytes"
+	"context"
+	"io"
 	"io/fs"
 	"mime/multipart"
 	"net/http"
 	"net/http/httptest"
-	"os"
-	"path/filepath"
+	"path"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 )

 func TestAppImagesService_GetImage(t *testing.T) {
-	tempDir := t.TempDir()
-	originalUploadPath := common.EnvConfig.UploadPath
-	common.EnvConfig.UploadPath = tempDir
-	t.Cleanup(func() {
-		common.EnvConfig.UploadPath = originalUploadPath
-	})
-
-	imagesDir := filepath.Join(tempDir, "application-images")
-	require.NoError(t, os.MkdirAll(imagesDir, 0o755))
-
-	filePath := filepath.Join(imagesDir, "background.webp")
-	require.NoError(t, os.WriteFile(filePath, []byte("data"), fs.FileMode(0o644)))
-
-	service := NewAppImagesService(map[string]string{"background": "webp"})
-
-	path, mimeType, err := service.GetImage("background")
+	store, err := storage.NewFilesystemStorage(t.TempDir())
 	require.NoError(t, err)
-	require.Equal(t, filePath, path)
+
+	require.NoError(t, store.Save(context.Background(), path.Join("application-images", "background.webp"), bytes.NewReader([]byte("data"))))
+
+	service := NewAppImagesService(map[string]string{"background": "webp"}, store)
+
+	reader, size, mimeType, err := service.GetImage(context.Background(), "background")
+	require.NoError(t, err)
+	defer reader.Close()
+	payload, err := io.ReadAll(reader)
+	require.NoError(t, err)
+	require.Equal(t, []byte("data"), payload)
+	require.Equal(t, int64(len(payload)), size)
 	require.Equal(t, "image/webp", mimeType)
 }

 func TestAppImagesService_UpdateImage(t *testing.T) {
-	tempDir := t.TempDir()
-	originalUploadPath := common.EnvConfig.UploadPath
-	common.EnvConfig.UploadPath = tempDir
-	t.Cleanup(func() {
-		common.EnvConfig.UploadPath = originalUploadPath
-	})
+	store, err := storage.NewFilesystemStorage(t.TempDir())
+	require.NoError(t, err)

-	imagesDir := filepath.Join(tempDir, "application-images")
-	require.NoError(t, os.MkdirAll(imagesDir, 0o755))
+	require.NoError(t, store.Save(context.Background(), path.Join("application-images", "logoLight.svg"), bytes.NewReader([]byte("old"))))

-	oldPath := filepath.Join(imagesDir, "logoLight.svg")
-	require.NoError(t, os.WriteFile(oldPath, []byte("old"), fs.FileMode(0o644)))
-
-	service := NewAppImagesService(map[string]string{"logoLight": "svg"})
+	service := NewAppImagesService(map[string]string{"logoLight": "svg"}, store)

 	fileHeader := newFileHeader(t, "logoLight.png", []byte("new"))

-	require.NoError(t, service.UpdateImage(fileHeader, "logoLight"))
+	require.NoError(t, service.UpdateImage(context.Background(), fileHeader, "logoLight"))

-	_, err := os.Stat(filepath.Join(imagesDir, "logoLight.png"))
+	reader, _, err := store.Open(context.Background(), path.Join("application-images", "logoLight.png"))
+	require.NoError(t, err)
+	_ = reader.Close()
+
+	_, _, err = store.Open(context.Background(), path.Join("application-images", "logoLight.svg"))
+	require.ErrorIs(t, err, fs.ErrNotExist)
+}
+
+func TestAppImagesService_ErrorsAndFlags(t *testing.T) {
+	store, err := storage.NewFilesystemStorage(t.TempDir())
 	require.NoError(t, err)

-	_, err = os.Stat(oldPath)
-	require.ErrorIs(t, err, os.ErrNotExist)
+	service := NewAppImagesService(map[string]string{}, store)
+
+	t.Run("get missing image returns not found", func(t *testing.T) {
+		_, _, _, err := service.GetImage(context.Background(), "missing")
+		require.Error(t, err)
+		var imageErr *common.ImageNotFoundError
+		assert.ErrorAs(t, err, &imageErr)
+	})
+
+	t.Run("reject unsupported file types", func(t *testing.T) {
+		err := service.UpdateImage(context.Background(), newFileHeader(t, "logo.txt", []byte("nope")), "logo")
+		require.Error(t, err)
+		var fileTypeErr *common.FileTypeNotSupportedError
+		assert.ErrorAs(t, err, &fileTypeErr)
+	})
+
+	t.Run("delete and extension tracking", func(t *testing.T) {
+		require.NoError(t, store.Save(context.Background(), path.Join("application-images", "default-profile-picture.png"), bytes.NewReader([]byte("img"))))
+		service.extensions["default-profile-picture"] = "png"
+
+		require.NoError(t, service.DeleteImage(context.Background(), "default-profile-picture"))
+		assert.False(t, service.IsDefaultProfilePictureSet())
+
+		err := service.DeleteImage(context.Background(), "default-profile-picture")
+		require.Error(t, err)
+		var imageErr *common.ImageNotFoundError
+		assert.ErrorAs(t, err, &imageErr)
+	})
 }

 func newFileHeader(t *testing.T, filename string, content []byte) *multipart.FileHeader {
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -6,7 +6,6 @@ import (
 	"log/slog"

 	userAgentParser "github.com/mileusna/useragent"
-	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
@@ -35,7 +34,7 @@ func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent,
 	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
 		// Log the error but don't interrupt the operation
-		slog.Warn("Failed to get IP location", "error", err)
+		slog.Warn("Failed to get IP location", slog.String("ip", ipAddress), slog.Any("error", err))
 	}

 	auditLog := model.AuditLog{
@@ -136,14 +135,14 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 }

 // ListAuditLogsForUser retrieves all audit logs for a given user ID
-func (s *AuditLogService) ListAuditLogsForUser(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAuditLogsForUser(ctx context.Context, userID string, listRequestOptions utils.ListRequestOptions) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
 	query := s.db.
 		WithContext(ctx).
 		Model(&model.AuditLog{}).
 		Where("user_id = ?", userID)

-	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
+	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &logs)
 	return logs, pagination, err
 }

@@ -152,7 +151,7 @@ func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
 	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
 }

-func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest, filters dto.AuditLogFilterDto) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, listRequestOptions utils.ListRequestOptions) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog

 	query := s.db.
@@ -160,33 +159,36 @@ func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPagination
 		Preload("User").
 		Model(&model.AuditLog{})

-	if filters.UserID != "" {
-		query = query.Where("user_id = ?", filters.UserID)
-	}
-	if filters.Event != "" {
-		query = query.Where("event = ?", filters.Event)
-	}
-	if filters.ClientName != "" {
+	if clientName, ok := listRequestOptions.Filters["clientName"]; ok {
 		dialect := s.db.Name()
 		switch dialect {
 		case "sqlite":
-			query = query.Where("json_extract(data, '$.clientName') = ?", filters.ClientName)
+			query = query.Where("json_extract(data, '$.clientName') IN ?", clientName)
 		case "postgres":
-			query = query.Where("data->>'clientName' = ?", filters.ClientName)
+			query = query.Where("data->>'clientName' IN ?", clientName)
 		default:
 			return nil, utils.PaginationResponse{}, fmt.Errorf("unsupported database dialect: %s", dialect)
 		}
 	}
-	if filters.Location != "" {
-		switch filters.Location {
-		case "external":
-			query = query.Where("country != 'Internal Network'")
-		case "internal":
-			query = query.Where("country = 'Internal Network'")
+
+	if locations, ok := listRequestOptions.Filters["location"]; ok {
+		mapped := make([]string, 0, len(locations))
+		for _, v := range locations {
+			if s, ok := v.(string); ok {
+				switch s {
+				case "internal":
+					mapped = append(mapped, "Internal Network")
+				case "external":
+					mapped = append(mapped, "External Network")
+				}
+			}
+		}
+		if len(mapped) > 0 {
+			query = query.Where("country IN ?", mapped)
 		}
 	}

-	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
+	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &logs)
 	if err != nil {
 		return nil, pagination, err
 	}
@@ -199,8 +201,8 @@ func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[s
 		WithContext(ctx).
 		Joins("User").
 		Model(&model.AuditLog{}).
-		Select("DISTINCT \"User\".id, \"User\".username").
-		Where("\"User\".username IS NOT NULL")
+		Select(`DISTINCT "User".id, "User".username`).
+		Where(`"User".username IS NOT NULL`)

 	type Result struct {
 		ID       string `gorm:"column:id"`
@@ -208,7 +210,8 @@ func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[s
 	}

 	var results []Result
-	if err := query.Find(&results).Error; err != nil {
+	err = query.Find(&results).Error
+	if err != nil {
 		return nil, fmt.Errorf("failed to query user IDs: %w", err)
 	}

@@ -244,7 +247,8 @@ func (s *AuditLogService) ListClientNames(ctx context.Context) (clientNames []st
 	}

 	var results []Result
-	if err := query.Find(&results).Error; err != nil {
+	err = query.Find(&results).Error
+	if err != nil {
 		return nil, fmt.Errorf("failed to query client IDs: %w", err)
 	}

--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -11,8 +11,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"log/slog"
-	"os"
-	"path/filepath"
+	"path"
 	"time"

 	"github.com/fxamacker/cbor/v2"
@@ -25,6 +24,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 	"github.com/pocket-id/pocket-id/backend/resources"
@@ -35,15 +35,17 @@ type TestService struct {
 	jwtService       *JwtService
 	appConfigService *AppConfigService
 	ldapService      *LdapService
+	fileStorage      storage.FileStorage
 	externalIdPKey   jwk.Key
 }

-func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService, ldapService *LdapService) (*TestService, error) {
+func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService, ldapService *LdapService, fileStorage storage.FileStorage) (*TestService, error) {
 	s := &TestService{
 		db:               db,
 		appConfigService: appConfigService,
 		jwtService:       jwtService,
 		ldapService:      ldapService,
+		fileStorage:      fileStorage,
 	}
 	err := s.initExternalIdP()
 	if err != nil {
@@ -424,8 +426,9 @@ func (s *TestService) ResetDatabase() error {
 }

 func (s *TestService) ResetApplicationImages(ctx context.Context) error {
-	if err := os.RemoveAll(common.EnvConfig.UploadPath); err != nil {
-		slog.ErrorContext(ctx, "Error removing directory", slog.Any("error", err))
+	err := s.fileStorage.DeleteAll(ctx, "/")
+	if err != nil {
+		slog.ErrorContext(ctx, "Error removing uploads", slog.Any("error", err))
 		return err
 	}

@@ -435,13 +438,20 @@ func (s *TestService) ResetApplicationImages(ctx context.Context) error {
 	}

 	for _, file := range files {
-		srcFilePath := filepath.Join("images", file.Name())
-		destFilePath := filepath.Join(common.EnvConfig.UploadPath, "application-images", file.Name())
-
-		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
+		if file.IsDir() {
+			continue
+		}
+		srcFilePath := path.Join("images", file.Name())
+		srcFile, err := resources.FS.Open(srcFilePath)
 		if err != nil {
 			return err
 		}
+		err = s.fileStorage.Save(ctx, path.Join("application-images", file.Name()), srcFile)
+		if err != nil {
+			srcFile.Close()
+			return err
+		}
+		srcFile.Close()
 	}

 	return nil
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -282,16 +282,18 @@ func prepareBody[V any](srv *EmailService, template email.Template[V], data *ema

 	var htmlHeader = textproto.MIMEHeader{}
 	htmlHeader.Add("Content-Type", "text/html; charset=UTF-8")
-	htmlHeader.Add("Content-Transfer-Encoding", "8bit")
+	htmlHeader.Add("Content-Transfer-Encoding", "quoted-printable")
 	htmlPart, err := mpart.CreatePart(htmlHeader)
 	if err != nil {
 		return "", "", fmt.Errorf("create html part: %w", err)
 	}

-	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlPart, "root", data)
+	htmlQp := quotedprintable.NewWriter(htmlPart)
+	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlQp, "root", data)
 	if err != nil {
 		return "", "", fmt.Errorf("execute html template: %w", err)
 	}
+	htmlQp.Close()

 	err = mpart.Close()
 	if err != nil {
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -11,12 +11,14 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"path"
 	"strings"
 	"time"
 	"unicode/utf8"

 	"github.com/go-ldap/ldap/v3"
 	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"golang.org/x/text/unicode/norm"
 	"gorm.io/gorm"
@@ -32,15 +34,23 @@ type LdapService struct {
 	appConfigService *AppConfigService
 	userService      *UserService
 	groupService     *UserGroupService
+	fileStorage      storage.FileStorage
 }

-func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
+type savePicture struct {
+	userID   string
+	username string
+	picture  string
+}
+
+func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService, fileStorage storage.FileStorage) *LdapService {
 	return &LdapService{
 		db:               db,
 		httpClient:       httpClient,
 		appConfigService: appConfigService,
 		userService:      userService,
 		groupService:     groupService,
+		fileStorage:      fileStorage,
 	}
 }

@@ -68,12 +78,6 @@ func (s *LdapService) createClient() (*ldap.Conn, error) {
 }

 func (s *LdapService) SyncAll(ctx context.Context) error {
-	// Start a transaction
-	tx := s.db.Begin()
-	defer func() {
-		tx.Rollback()
-	}()
-
 	// Setup LDAP connection
 	client, err := s.createClient()
 	if err != nil {
@@ -81,7 +85,13 @@ func (s *LdapService) SyncAll(ctx context.Context) error {
 	}
 	defer client.Close()

-	err = s.SyncUsers(ctx, tx, client)
+	// Start a transaction
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	savePictures, deleteFiles, err := s.SyncUsers(ctx, tx, client)
 	if err != nil {
 		return fmt.Errorf("failed to sync users: %w", err)
 	}
@@ -97,6 +107,25 @@ func (s *LdapService) SyncAll(ctx context.Context) error {
 		return fmt.Errorf("failed to commit changes to database: %w", err)
 	}

+	// Now that we've committed the transaction, we can perform operations on the storage layer
+	// First, save all new pictures
+	for _, sp := range savePictures {
+		err = s.saveProfilePicture(ctx, sp.userID, sp.picture)
+		if err != nil {
+			// This is not a fatal error
+			slog.Warn("Error saving profile picture for LDAP user", slog.String("username", sp.username), slog.Any("error", err))
+		}
+	}
+
+	// Delete all old files
+	for _, path := range deleteFiles {
+		err = s.fileStorage.Delete(ctx, path)
+		if err != nil {
+			// This is not a fatal error
+			slog.Error("Failed to delete file after LDAP sync", slog.String("path", path), slog.Any("error", err))
+		}
+	}
+
 	return nil
 }

@@ -266,7 +295,7 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 }

 //nolint:gocognit
-func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) (savePictures []savePicture, deleteFiles []string, err error) {
 	dbConfig := s.appConfigService.GetDbConfig()

 	searchAttrs := []string{
@@ -294,11 +323,12 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C

 	result, err := client.Search(searchReq)
 	if err != nil {
-		return fmt.Errorf("failed to query LDAP: %w", err)
+		return nil, nil, fmt.Errorf("failed to query LDAP: %w", err)
 	}

 	// Create a mapping for users that exist
 	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
+	savePictures = make([]savePicture, 0, len(result.Entries))

 	for _, value := range result.Entries {
 		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value))
@@ -329,13 +359,13 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 				Error

 			if err != nil {
-				return fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
+				return nil, nil, fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
 			}
 		}

 		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 			// This could error with ErrRecordNotFound and we want to ignore that here
-			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
+			return nil, nil, fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
 		}

 		// Check if user is admin by checking if they are in the admin group
@@ -369,32 +399,35 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			continue
 		}

+		userID := databaseUser.ID
 		if databaseUser.ID == "" {
-			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
+			createdUser, err := s.userService.createUserInternal(ctx, newUser, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
 				slog.Warn("Skipping creating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
-				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
+				return nil, nil, fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
 			}
+			userID = createdUser.ID
 		} else {
 			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
 				slog.Warn("Skipping updating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
-				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
+				return nil, nil, fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
 			}
 		}

 		// Save profile picture
 		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
 		if pictureString != "" {
-			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
-			if err != nil {
-				// This is not a fatal error
-				slog.Warn("Error saving profile picture for user", slog.String("username", newUser.Username), slog.Any("error", err))
-			}
+			// Storage operations must be executed outside of a transaction
+			savePictures = append(savePictures, savePicture{
+				userID:   databaseUser.ID,
+				username: userID,
+				picture:  pictureString,
+			})
 		}
 	}

@@ -406,10 +439,11 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		Select("id, username, ldap_id, disabled").
 		Error
 	if err != nil {
-		return fmt.Errorf("failed to fetch users from database: %w", err)
+		return nil, nil, fmt.Errorf("failed to fetch users from database: %w", err)
 	}

 	// Mark users as disabled or delete users that no longer exist in LDAP
+	deleteFiles = make([]string, 0, len(ldapUserIDs))
 	for _, user := range ldapUsersInDb {
 		// Skip if the user ID exists in the fetched LDAP results
 		if _, exists := ldapUserIDs[*user.LdapID]; exists {
@@ -417,30 +451,34 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		}

 		if dbConfig.LdapSoftDeleteUsers.IsTrue() {
-			err = s.userService.disableUserInternal(ctx, user.ID, tx)
+			err = s.userService.disableUserInternal(ctx, tx, user.ID)
 			if err != nil {
-				return fmt.Errorf("failed to disable user %s: %w", user.Username, err)
+				return nil, nil, fmt.Errorf("failed to disable user %s: %w", user.Username, err)
 			}

 			slog.Info("Disabled user", slog.String("username", user.Username))
 		} else {
-			err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
-			target := &common.LdapUserUpdateError{}
-			if errors.As(err, &target) {
-				return fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
-			} else if err != nil {
-				return fmt.Errorf("failed to delete user %s: %w", user.Username, err)
+			err = s.userService.deleteUserInternal(ctx, tx, user.ID, true)
+			if err != nil {
+				target := &common.LdapUserUpdateError{}
+				if errors.As(err, &target) {
+					return nil, nil, fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
+				}
+				return nil, nil, fmt.Errorf("failed to delete user %s: %w", user.Username, err)
 			}

 			slog.Info("Deleted user", slog.String("username", user.Username))
+
+			// Storage operations must be executed outside of a transaction
+			deleteFiles = append(deleteFiles, path.Join("profile-pictures", user.ID+".png"))
 		}
 	}

-	return nil
+	return savePictures, deleteFiles, nil
 }

 func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
-	var reader io.Reader
+	var reader io.ReadSeeker

 	_, err := url.ParseRequestURI(pictureString)
 	if err == nil {
@@ -460,7 +498,12 @@ func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId strin
 		}
 		defer res.Body.Close()

-		reader = res.Body
+		data, err := io.ReadAll(res.Body)
+		if err != nil {
+			return fmt.Errorf("failed to read profile picture: %w", err)
+		}
+
+		reader = bytes.NewReader(data)
 	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
 		// If the photo is a base64 encoded string, decode it
 		reader = bytes.NewReader(decodedPhoto)
@@ -470,7 +513,7 @@ func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId strin
 	}

 	// Update the profile picture
-	err = s.userService.UpdateProfilePicture(userId, reader)
+	err = s.userService.UpdateProfilePicture(parentCtx, userId, reader)
 	if err != nil {
 		return fmt.Errorf("failed to update profile picture: %w", err)
 	}
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/subtle"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
@@ -11,11 +12,9 @@ import (
 	"io"
 	"log/slog"
 	"mime/multipart"
-	"net"
 	"net/http"
 	"net/url"
-	"os"
-	"path/filepath"
+	"path"
 	"regexp"
 	"slices"
 	"strings"
@@ -34,6 +33,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

@@ -58,8 +58,9 @@ type OidcService struct {
 	customClaimService *CustomClaimService
 	webAuthnService    *WebAuthnService

-	httpClient *http.Client
-	jwkCache   *jwk.Cache
+	httpClient  *http.Client
+	jwkCache    *jwk.Cache
+	fileStorage storage.FileStorage
 }

 func NewOidcService(
@@ -71,6 +72,7 @@ func NewOidcService(
 	customClaimService *CustomClaimService,
 	webAuthnService *WebAuthnService,
 	httpClient *http.Client,
+	fileStorage storage.FileStorage,
 ) (s *OidcService, err error) {
 	s = &OidcService{
 		db:                 db,
@@ -80,6 +82,7 @@ func NewOidcService(
 		customClaimService: customClaimService,
 		webAuthnService:    webAuthnService,
 		httpClient:         httpClient,
+		fileStorage:        fileStorage,
 	}

 	// Note: we don't pass the HTTP Client with OTel instrumented to this because requests are always made in background and not tied to a specific trace
@@ -394,7 +397,7 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, inpu

 	// If the client is public or PKCE is enabled, the code verifier must match the code challenge
 	if client.IsPublic || client.PkceEnabled {
-		if !s.validateCodeVerifier(input.CodeVerifier, *authorizationCodeMetaData.CodeChallenge, *authorizationCodeMetaData.CodeChallengeMethodSha256) {
+		if !validateCodeVerifier(input.CodeVerifier, *authorizationCodeMetaData.CodeChallenge, *authorizationCodeMetaData.CodeChallengeMethodSha256) {
 			return CreatedTokens{}, &common.OidcInvalidCodeVerifierError{}
 		}
 	}
@@ -675,24 +678,26 @@ func (s *OidcService) introspectRefreshToken(ctx context.Context, clientID strin
 }

 func (s *OidcService) GetClient(ctx context.Context, clientID string) (model.OidcClient, error) {
-	return s.getClientInternal(ctx, clientID, s.db)
+	return s.getClientInternal(ctx, clientID, s.db, false)
 }

-func (s *OidcService) getClientInternal(ctx context.Context, clientID string, tx *gorm.DB) (model.OidcClient, error) {
+func (s *OidcService) getClientInternal(ctx context.Context, clientID string, tx *gorm.DB, forUpdate bool) (model.OidcClient, error) {
 	var client model.OidcClient
-	err := tx.
+	q := tx.
 		WithContext(ctx).
 		Preload("CreatedBy").
-		Preload("AllowedUserGroups").
-		First(&client, "id = ?", clientID).
-		Error
-	if err != nil {
-		return model.OidcClient{}, err
+		Preload("AllowedUserGroups")
+	if forUpdate {
+		q = q.Clauses(clause.Locking{Strength: "UPDATE"})
+	}
+	q = q.First(&client, "id = ?", clientID)
+	if q.Error != nil {
+		return model.OidcClient{}, q.Error
 	}
 	return client, nil
 }

-func (s *OidcService) ListClients(ctx context.Context, name string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.OidcClient, utils.PaginationResponse, error) {
+func (s *OidcService) ListClients(ctx context.Context, name string, listRequestOptions utils.ListRequestOptions) ([]model.OidcClient, utils.PaginationResponse, error) {
 	var clients []model.OidcClient

 	query := s.db.
@@ -705,26 +710,21 @@ func (s *OidcService) ListClients(ctx context.Context, name string, sortedPagina
 	}

 	// As allowedUserGroupsCount is not a column, we need to manually sort it
-	if sortedPaginationRequest.Sort.Column == "allowedUserGroupsCount" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
+	if listRequestOptions.Sort.Column == "allowedUserGroupsCount" && utils.IsValidSortDirection(listRequestOptions.Sort.Direction) {
 		query = query.Select("oidc_clients.*, COUNT(oidc_clients_allowed_user_groups.oidc_client_id)").
 			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
 			Group("oidc_clients.id").
-			Order("COUNT(oidc_clients_allowed_user_groups.oidc_client_id) " + sortedPaginationRequest.Sort.Direction)
+			Order("COUNT(oidc_clients_allowed_user_groups.oidc_client_id) " + listRequestOptions.Sort.Direction)

-		response, err := utils.Paginate(sortedPaginationRequest.Pagination.Page, sortedPaginationRequest.Pagination.Limit, query, &clients)
+		response, err := utils.Paginate(listRequestOptions.Pagination.Page, listRequestOptions.Pagination.Limit, query, &clients)
 		return clients, response, err
 	}

-	response, err := utils.PaginateAndSort(sortedPaginationRequest, query, &clients)
+	response, err := utils.PaginateFilterAndSort(listRequestOptions, query, &clients)
 	return clients, response, err
 }

 func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCreateDto, userID string) (model.OidcClient, error) {
-	tx := s.db.Begin()
-	defer func() {
-		tx.Rollback()
-	}()
-
 	client := model.OidcClient{
 		Base: model.Base{
 			ID: input.ID,
@@ -733,7 +733,7 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 	}
 	updateOIDCClientModelFromDto(&client, &input.OidcClientUpdateDto)

-	err := tx.
+	err := s.db.
 		WithContext(ctx).
 		Create(&client).
 		Error
@@ -744,16 +744,19 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 		return model.OidcClient{}, err
 	}

+	// All storage operations must be executed outside of a transaction
 	if input.LogoURL != nil {
-		err = s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.LogoURL)
+		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.LogoURL, true)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download logo: %w", err)
 		}
 	}

-	err = tx.Commit().Error
-	if err != nil {
-		return model.OidcClient{}, err
+	if input.DarkLogoURL != nil {
+		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.DarkLogoURL, false)
+		if err != nil {
+			return model.OidcClient{}, fmt.Errorf("failed to download dark logo: %w", err)
+		}
 	}

 	return client, nil
@@ -761,31 +764,45 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea

 func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input dto.OidcClientUpdateDto) (model.OidcClient, error) {
 	tx := s.db.Begin()
-	defer func() { tx.Rollback() }()
+	defer func() {
+		tx.Rollback()
+	}()

 	var client model.OidcClient
-	if err := tx.WithContext(ctx).
+	err := tx.WithContext(ctx).
 		Preload("CreatedBy").
-		First(&client, "id = ?", clientID).Error; err != nil {
+		First(&client, "id = ?", clientID).Error
+	if err != nil {
 		return model.OidcClient{}, err
 	}

 	updateOIDCClientModelFromDto(&client, &input)

-	if err := tx.WithContext(ctx).Save(&client).Error; err != nil {
+	err = tx.WithContext(ctx).Save(&client).Error
+	if err != nil {
 		return model.OidcClient{}, err
 	}

+	err = tx.Commit().Error
+	if err != nil {
+		return model.OidcClient{}, err
+	}
+
+	// All storage operations must be executed outside of a transaction
 	if input.LogoURL != nil {
-		err := s.downloadAndSaveLogoFromURL(ctx, tx, client.ID, *input.LogoURL)
+		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.LogoURL, true)
 		if err != nil {
 			return model.OidcClient{}, fmt.Errorf("failed to download logo: %w", err)
 		}
 	}

-	if err := tx.Commit().Error; err != nil {
-		return model.OidcClient{}, err
+	if input.DarkLogoURL != nil {
+		err = s.downloadAndSaveLogoFromURL(ctx, client.ID, *input.DarkLogoURL, false)
+		if err != nil {
+			return model.OidcClient{}, fmt.Errorf("failed to download dark logo: %w", err)
+		}
 	}
+
 	return client, nil
 }

@@ -818,12 +835,24 @@ func (s *OidcService) DeleteClient(ctx context.Context, clientID string) error {
 	err := s.db.
 		WithContext(ctx).
 		Where("id = ?", clientID).
+		Clauses(clause.Returning{}).
 		Delete(&client).
 		Error
 	if err != nil {
 		return err
 	}

+	// Delete images if present
+	// Note that storage operations must be done outside of a transaction
+	if client.ImageType != nil && *client.ImageType != "" {
+		old := path.Join("oidc-client-images", client.ID+"."+*client.ImageType)
+		_ = s.fileStorage.Delete(ctx, old)
+	}
+	if client.DarkImageType != nil && *client.DarkImageType != "" {
+		old := path.Join("oidc-client-images", client.ID+"-dark."+*client.DarkImageType)
+		_ = s.fileStorage.Delete(ctx, old)
+	}
+
 	return nil
 }

@@ -869,50 +898,98 @@ func (s *OidcService) CreateClientSecret(ctx context.Context, clientID string) (
 	return clientSecret, nil
 }

-func (s *OidcService) GetClientLogo(ctx context.Context, clientID string) (string, string, error) {
+func (s *OidcService) GetClientLogo(ctx context.Context, clientID string, light bool) (io.ReadCloser, int64, string, error) {
 	var client model.OidcClient
 	err := s.db.
 		WithContext(ctx).
 		First(&client, "id = ?", clientID).
 		Error
 	if err != nil {
-		return "", "", err
+		return nil, 0, "", err
 	}

-	if client.ImageType == nil {
-		return "", "", errors.New("image not found")
+	var suffix string
+	var ext string
+	switch {
+	case !light && client.DarkImageType != nil:
+		// Dark logo if requested and exists
+		suffix = "-dark"
+		ext = *client.DarkImageType
+	case client.ImageType != nil:
+		// Light logo if requested or no dark logo is available
+		ext = *client.ImageType
+	default:
+		return nil, 0, "", errors.New("image not found")
 	}

-	imagePath := common.EnvConfig.UploadPath + "/oidc-client-images/" + client.ID + "." + *client.ImageType
-	mimeType := utils.GetImageMimeType(*client.ImageType)
+	mimeType := utils.GetImageMimeType(ext)
+	if mimeType == "" {
+		return nil, 0, "", fmt.Errorf("unsupported image type '%s'", ext)
+	}
+	key := path.Join("oidc-client-images", client.ID+suffix+"."+ext)
+	reader, size, err := s.fileStorage.Open(ctx, key)
+	if err != nil {
+		return nil, 0, "", err
+	}

-	return imagePath, mimeType, nil
+	return reader, size, mimeType, nil
 }

-func (s *OidcService) UpdateClientLogo(ctx context.Context, clientID string, file *multipart.FileHeader) error {
+func (s *OidcService) UpdateClientLogo(ctx context.Context, clientID string, file *multipart.FileHeader, light bool) error {
 	fileType := strings.ToLower(utils.GetFileExtension(file.Filename))
 	if mimeType := utils.GetImageMimeType(fileType); mimeType == "" {
 		return &common.FileTypeNotSupportedError{}
 	}

-	imagePath := common.EnvConfig.UploadPath + "/oidc-client-images/" + clientID + "." + fileType
-	err := utils.SaveFile(file, imagePath)
+	var darkSuffix string
+	if !light {
+		darkSuffix = "-dark"
+	}
+
+	imagePath := path.Join("oidc-client-images", clientID+darkSuffix+"."+fileType)
+	reader, err := file.Open()
+	if err != nil {
+		return err
+	}
+	defer reader.Close()
+	err = s.fileStorage.Save(ctx, imagePath, reader)
 	if err != nil {
 		return err
 	}

-	tx := s.db.Begin()
-
-	err = s.updateClientLogoType(ctx, tx, clientID, fileType)
+	err = s.updateClientLogoType(ctx, clientID, fileType, light)
 	if err != nil {
-		tx.Rollback()
 		return err
 	}

-	return tx.Commit().Error
+	return nil
 }

 func (s *OidcService) DeleteClientLogo(ctx context.Context, clientID string) error {
+	return s.deleteClientLogoInternal(ctx, clientID, "", func(client *model.OidcClient) (string, error) {
+		if client.ImageType == nil {
+			return "", errors.New("image not found")
+		}
+
+		oldImageType := *client.ImageType
+		client.ImageType = nil
+		return oldImageType, nil
+	})
+}
+
+func (s *OidcService) DeleteClientDarkLogo(ctx context.Context, clientID string) error {
+	return s.deleteClientLogoInternal(ctx, clientID, "-dark", func(client *model.OidcClient) (string, error) {
+		if client.DarkImageType == nil {
+			return "", errors.New("image not found")
+		}
+
+		oldImageType := *client.DarkImageType
+		client.DarkImageType = nil
+		return oldImageType, nil
+	})
+}
+
+func (s *OidcService) deleteClientLogoInternal(ctx context.Context, clientID string, imagePathSuffix string, setClientImage func(*model.OidcClient) (string, error)) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -927,13 +1004,11 @@ func (s *OidcService) DeleteClientLogo(ctx context.Context, clientID string) err
 		return err
 	}

-	if client.ImageType == nil {
-		return errors.New("image not found")
+	oldImageType, err := setClientImage(&client)
+	if err != nil {
+		return err
 	}

-	oldImageType := *client.ImageType
-	client.ImageType = nil
-
 	err = tx.
 		WithContext(ctx).
 		Save(&client).
@@ -942,12 +1017,14 @@ func (s *OidcService) DeleteClientLogo(ctx context.Context, clientID string) err
 		return err
 	}

-	imagePath := common.EnvConfig.UploadPath + "/oidc-client-images/" + client.ID + "." + oldImageType
-	if err := os.Remove(imagePath); err != nil {
+	err = tx.Commit().Error
+	if err != nil {
 		return err
 	}

-	err = tx.Commit().Error
+	// All storage operations must be performed outside of a database transaction
+	imagePath := path.Join("oidc-client-images", client.ID+imagePathSuffix+"."+oldImageType)
+	err = s.fileStorage.Delete(ctx, imagePath)
 	if err != nil {
 		return err
 	}
@@ -961,7 +1038,7 @@ func (s *OidcService) UpdateAllowedUserGroups(ctx context.Context, id string, in
 		tx.Rollback()
 	}()

-	client, err = s.getClientInternal(ctx, id, tx)
+	client, err = s.getClientInternal(ctx, id, tx, true)
 	if err != nil {
 		return model.OidcClient{}, err
 	}
@@ -1083,13 +1160,20 @@ func (s *OidcService) createAuthorizationCode(ctx context.Context, clientID stri
 	return randomString, nil
 }

-func (s *OidcService) validateCodeVerifier(codeVerifier, codeChallenge string, codeChallengeMethodSha256 bool) bool {
+func validateCodeVerifier(codeVerifier, codeChallenge string, codeChallengeMethodSha256 bool) bool {
 	if codeVerifier == "" || codeChallenge == "" {
 		return false
 	}

 	if !codeChallengeMethodSha256 {
-		return codeVerifier == codeChallenge
+		return subtle.ConstantTimeCompare([]byte(codeVerifier), []byte(codeChallenge)) == 1
+	}
+
+	// Base64 URL decode the challenge
+	// If it's not valid base64url, fail the operation
+	codeChallengeBytes, err := base64.RawURLEncoding.DecodeString(codeChallenge)
+	if err != nil {
+		return false
 	}

 	// Compute SHA-256 hash of the codeVerifier
@@ -1097,10 +1181,7 @@ func (s *OidcService) validateCodeVerifier(codeVerifier, codeChallenge string, c
 	h.Write([]byte(codeVerifier))
 	codeVerifierHash := h.Sum(nil)

-	// Base64 URL encode the verifier hash
-	encodedVerifierHash := base64.RawURLEncoding.EncodeToString(codeVerifierHash)
-
-	return encodedVerifierHash == codeChallenge
+	return subtle.ConstantTimeCompare(codeVerifierHash, codeChallengeBytes) == 1
 }

 func (s *OidcService) getCallbackURL(client *model.OidcClient, inputCallbackURL string, tx *gorm.DB, ctx context.Context) (callbackURL string, err error) {
@@ -1324,9 +1405,10 @@ func (s *OidcService) GetDeviceCodeInfo(ctx context.Context, userCode string, us

 	return &dto.DeviceCodeInfoDto{
 		Client: dto.OidcClientMetaDataDto{
-			ID:      deviceAuth.Client.ID,
-			Name:    deviceAuth.Client.Name,
-			HasLogo: deviceAuth.Client.HasLogo(),
+			ID:          deviceAuth.Client.ID,
+			Name:        deviceAuth.Client.Name,
+			HasLogo:     deviceAuth.Client.HasLogo(),
+			HasDarkLogo: deviceAuth.Client.HasDarkLogo(),
 		},
 		Scope:                 deviceAuth.Scope,
 		AuthorizationRequired: !hasAuthorizedClient,
@@ -1350,7 +1432,7 @@ func (s *OidcService) GetAllowedGroupsCountOfClient(ctx context.Context, id stri
 	return count, nil
 }

-func (s *OidcService) ListAuthorizedClients(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.UserAuthorizedOidcClient, utils.PaginationResponse, error) {
+func (s *OidcService) ListAuthorizedClients(ctx context.Context, userID string, listRequestOptions utils.ListRequestOptions) ([]model.UserAuthorizedOidcClient, utils.PaginationResponse, error) {

 	query := s.db.
 		WithContext(ctx).
@@ -1359,7 +1441,7 @@ func (s *OidcService) ListAuthorizedClients(ctx context.Context, userID string,
 		Where("user_id = ?", userID)

 	var authorizedClients []model.UserAuthorizedOidcClient
-	response, err := utils.PaginateAndSort(sortedPaginationRequest, query, &authorizedClients)
+	response, err := utils.PaginateFilterAndSort(listRequestOptions, query, &authorizedClients)

 	return authorizedClients, response, err
 }
@@ -1392,7 +1474,7 @@ func (s *OidcService) RevokeAuthorizedClient(ctx context.Context, userID string,
 	return nil
 }

-func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]dto.AccessibleOidcClientDto, utils.PaginationResponse, error) {
+func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID string, listRequestOptions utils.ListRequestOptions) ([]dto.AccessibleOidcClientDto, utils.PaginationResponse, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -1439,13 +1521,13 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri

 	// Handle custom sorting for lastUsedAt column
 	var response utils.PaginationResponse
-	if sortedPaginationRequest.Sort.Column == "lastUsedAt" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
+	if listRequestOptions.Sort.Column == "lastUsedAt" && utils.IsValidSortDirection(listRequestOptions.Sort.Direction) {
 		query = query.
 			Joins("LEFT JOIN user_authorized_oidc_clients ON oidc_clients.id = user_authorized_oidc_clients.client_id AND user_authorized_oidc_clients.user_id = ?", userID).
-			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction + " NULLS LAST")
+			Order("user_authorized_oidc_clients.last_used_at " + listRequestOptions.Sort.Direction + " NULLS LAST")
 	}

-	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &clients)
+	response, err = utils.PaginateFilterAndSort(listRequestOptions, query, &clients)
 	if err != nil {
 		return nil, utils.PaginationResponse{}, err
 	}
@@ -1458,10 +1540,11 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 		}
 		dtos[i] = dto.AccessibleOidcClientDto{
 			OidcClientMetaDataDto: dto.OidcClientMetaDataDto{
-				ID:        client.ID,
-				Name:      client.Name,
-				LaunchURL: client.LaunchURL,
-				HasLogo:   client.HasLogo(),
+				ID:          client.ID,
+				Name:        client.Name,
+				LaunchURL:   client.LaunchURL,
+				HasLogo:     client.HasLogo(),
+				HasDarkLogo: client.HasDarkLogo(),
 			},
 			LastUsedAt: lastUsedAt,
 		}
@@ -1738,7 +1821,7 @@ func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, use
 		tx.Rollback()
 	}()

-	client, err := s.getClientInternal(ctx, clientID, tx)
+	client, err := s.getClientInternal(ctx, clientID, tx, false)
 	if err != nil {
 		return nil, err
 	}
@@ -1883,7 +1966,25 @@ func (s *OidcService) IsClientAccessibleToUser(ctx context.Context, clientID str
 	return s.IsUserGroupAllowedToAuthorize(user, client), nil
 }

-func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *gorm.DB, clientID string, raw string) error {
+var errLogoTooLarge = errors.New("logo is too large")
+
+func httpClientWithCheckRedirect(source *http.Client, checkRedirect func(req *http.Request, via []*http.Request) error) *http.Client {
+	if source == nil {
+		source = http.DefaultClient
+	}
+
+	// Create a new client that clones the transport
+	client := &http.Client{
+		Transport: source.Transport,
+	}
+
+	// Assign the CheckRedirect function
+	client.CheckRedirect = checkRedirect
+
+	return client
+}
+
+func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clientID string, raw string, light bool) error {
 	u, err := url.Parse(raw)
 	if err != nil {
 		return err
@@ -1892,18 +1993,29 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *
 	ctx, cancel := context.WithTimeout(parentCtx, 15*time.Second)
 	defer cancel()

-	r := net.Resolver{}
-	ips, err := r.LookupIPAddr(ctx, u.Hostname())
-	if err != nil || len(ips) == 0 {
-		return fmt.Errorf("cannot resolve hostname")
+	// Prevents SSRF by allowing only public IPs
+	ok, err := utils.IsURLPrivate(ctx, u)
+	if err != nil {
+		return err
+	} else if ok {
+		return errors.New("private IP addresses are not allowed")
 	}

-	// Prevents SSRF by allowing only public IPs
-	for _, addr := range ips {
-		if utils.IsPrivateIP(addr.IP) {
-			return fmt.Errorf("private IP addresses are not allowed")
+	// We need to check this on redirects too
+	client := httpClientWithCheckRedirect(s.httpClient, func(r *http.Request, via []*http.Request) error {
+		if len(via) >= 10 {
+			return errors.New("stopped after 10 redirects")
 		}
-	}
+
+		ok, err := utils.IsURLPrivate(r.Context(), r.URL)
+		if err != nil {
+			return err
+		} else if ok {
+			return errors.New("private IP addresses are not allowed")
+		}
+
+		return nil
+	})

 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, raw, nil)
 	if err != nil {
@@ -1912,7 +2024,7 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *
 	req.Header.Set("User-Agent", "pocket-id/oidc-logo-fetcher")
 	req.Header.Set("Accept", "image/*")

-	resp, err := s.httpClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
@@ -1924,7 +2036,7 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *

 	const maxLogoSize int64 = 2 * 1024 * 1024 // 2MB
 	if resp.ContentLength > maxLogoSize {
-		return fmt.Errorf("logo is too large")
+		return errLogoTooLarge
 	}

 	// Prefer extension in path if supported
@@ -1938,37 +2050,76 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, tx *
 		return &common.FileTypeNotSupportedError{}
 	}

-	folderPath := filepath.Join(common.EnvConfig.UploadPath, "oidc-client-images")
-	err = os.MkdirAll(folderPath, os.ModePerm)
-	if err != nil {
+	var darkSuffix string
+	if !light {
+		darkSuffix = "-dark"
+	}
+
+	imagePath := path.Join("oidc-client-images", clientID+darkSuffix+"."+ext)
+	err = s.fileStorage.Save(ctx, imagePath, utils.NewLimitReader(resp.Body, maxLogoSize+1))
+	if errors.Is(err, utils.ErrSizeExceeded) {
+		return errLogoTooLarge
+	} else if err != nil {
 		return err
 	}

-	imagePath := filepath.Join(folderPath, clientID+"."+ext)
-	err = utils.SaveFileStream(io.LimitReader(resp.Body, maxLogoSize+1), imagePath)
+	err = s.updateClientLogoType(ctx, clientID, ext, light)
 	if err != nil {
 		return err
 	}

-	if err := s.updateClientLogoType(ctx, tx, clientID, ext); err != nil {
-		return err
-	}
-
 	return nil
 }

-func (s *OidcService) updateClientLogoType(ctx context.Context, tx *gorm.DB, clientID, ext string) error {
-	uploadsDir := common.EnvConfig.UploadPath + "/oidc-client-images"
+func (s *OidcService) updateClientLogoType(ctx context.Context, clientID string, ext string, light bool) error {
+	var darkSuffix string
+	if !light {
+		darkSuffix = "-dark"
+	}

+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// We need to acquire an update lock for the row to be locked, since we'll update it later
 	var client model.OidcClient
-	if err := tx.WithContext(ctx).First(&client, "id = ?", clientID).Error; err != nil {
-		return err
+	err := tx.
+		WithContext(ctx).
+		Clauses(clause.Locking{Strength: "UPDATE"}).
+		First(&client, "id = ?", clientID).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to look up client: %w", err)
 	}
-	if client.ImageType != nil && *client.ImageType != ext {
-		old := fmt.Sprintf("%s/%s.%s", uploadsDir, client.ID, *client.ImageType)
-		_ = os.Remove(old)
-	}
-	client.ImageType = &ext
-	return tx.WithContext(ctx).Save(&client).Error

+	var currentType *string
+	if light {
+		currentType = client.ImageType
+		client.ImageType = &ext
+	} else {
+		currentType = client.DarkImageType
+		client.DarkImageType = &ext
+	}
+
+	err = tx.
+		WithContext(ctx).
+		Save(&client).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to save updated client: %w", err)
+	}
+
+	err = tx.Commit().Error
+	if err != nil {
+		return fmt.Errorf("failed to commit transaction: %w", err)
+	}
+
+	// Storage operations must be executed outside of a transaction
+	if currentType != nil && *currentType != ext {
+		old := path.Join("oidc-client-images", client.ID+darkSuffix+"."+*currentType)
+		_ = s.fileStorage.Delete(ctx, old)
+	}
+
+	return nil
 }
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -5,8 +5,13 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
+	"io"
 	"net/http"
+	"strconv"
+	"strings"
 	"testing"
 	"time"

@@ -19,6 +24,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )

@@ -510,3 +516,460 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 		})
 	})
 }
+
+func TestValidateCodeVerifier_Plain(t *testing.T) {
+	require.False(t, validateCodeVerifier("", "", false))
+	require.False(t, validateCodeVerifier("", "", true))
+
+	t.Run("plain", func(t *testing.T) {
+		require.False(t, validateCodeVerifier("", "challenge", false))
+		require.False(t, validateCodeVerifier("verifier", "", false))
+		require.True(t, validateCodeVerifier("plainVerifier", "plainVerifier", false))
+		require.False(t, validateCodeVerifier("plainVerifier", "otherVerifier", false))
+	})
+
+	t.Run("SHA 256", func(t *testing.T) {
+		codeVerifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+		hash := sha256.Sum256([]byte(codeVerifier))
+		codeChallenge := base64.RawURLEncoding.EncodeToString(hash[:])
+
+		require.True(t, validateCodeVerifier(codeVerifier, codeChallenge, true))
+		require.False(t, validateCodeVerifier("wrongVerifier", codeChallenge, true))
+		require.False(t, validateCodeVerifier(codeVerifier, "!", true))
+
+		// Invalid base64
+		require.False(t, validateCodeVerifier("NOT!VALID", codeChallenge, true))
+	})
+}
+
+func TestOidcService_updateClientLogoType(t *testing.T) {
+	// Create a test database
+	db := testutils.NewDatabaseForTest(t)
+
+	// Create database storage
+	dbStorage, err := storage.NewDatabaseStorage(db)
+	require.NoError(t, err)
+
+	// Init the OidcService
+	s := &OidcService{
+		db:          db,
+		fileStorage: dbStorage,
+	}
+
+	// Create a test client
+	client := model.OidcClient{
+		Name:         "Test Client",
+		CallbackURLs: model.UrlList{"https://example.com/callback"},
+	}
+	err = db.Create(&client).Error
+	require.NoError(t, err)
+
+	// Helper function to check if a file exists in storage
+	fileExists := func(t *testing.T, path string) bool {
+		t.Helper()
+		_, _, err := dbStorage.Open(t.Context(), path)
+		return err == nil
+	}
+
+	// Helper function to create a dummy file in storage
+	createDummyFile := func(t *testing.T, path string) {
+		t.Helper()
+		err := dbStorage.Save(t.Context(), path, strings.NewReader("dummy content"))
+		require.NoError(t, err)
+	}
+
+	t.Run("Updates light logo type for client without previous logo", func(t *testing.T) {
+		// Update the logo type
+		err := s.updateClientLogoType(t.Context(), client.ID, "png", true)
+		require.NoError(t, err)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.ImageType)
+		assert.Equal(t, "png", *updatedClient.ImageType)
+	})
+
+	t.Run("Updates dark logo type for client without previous dark logo", func(t *testing.T) {
+		// Update the dark logo type
+		err := s.updateClientLogoType(t.Context(), client.ID, "jpg", false)
+		require.NoError(t, err)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.DarkImageType)
+		assert.Equal(t, "jpg", *updatedClient.DarkImageType)
+	})
+
+	t.Run("Updates light logo type and deletes old file when type changes", func(t *testing.T) {
+		// Create the old PNG file in storage
+		oldPath := "oidc-client-images/" + client.ID + ".png"
+		createDummyFile(t, oldPath)
+		require.True(t, fileExists(t, oldPath), "Old file should exist before update")
+
+		// Client currently has a PNG logo, update to WEBP
+		err := s.updateClientLogoType(t.Context(), client.ID, "webp", true)
+		require.NoError(t, err)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.ImageType)
+		assert.Equal(t, "webp", *updatedClient.ImageType)
+
+		// Old PNG file should be deleted
+		assert.False(t, fileExists(t, oldPath), "Old PNG file should have been deleted")
+	})
+
+	t.Run("Updates dark logo type and deletes old file when type changes", func(t *testing.T) {
+		// Create the old JPG dark file in storage
+		oldPath := "oidc-client-images/" + client.ID + "-dark.jpg"
+		createDummyFile(t, oldPath)
+		require.True(t, fileExists(t, oldPath), "Old dark file should exist before update")
+
+		// Client currently has a JPG dark logo, update to WEBP
+		err := s.updateClientLogoType(t.Context(), client.ID, "webp", false)
+		require.NoError(t, err)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.DarkImageType)
+		assert.Equal(t, "webp", *updatedClient.DarkImageType)
+
+		// Old JPG dark file should be deleted
+		assert.False(t, fileExists(t, oldPath), "Old JPG dark file should have been deleted")
+	})
+
+	t.Run("Does not delete file when type remains the same", func(t *testing.T) {
+		// Create the WEBP file in storage
+		webpPath := "oidc-client-images/" + client.ID + ".webp"
+		createDummyFile(t, webpPath)
+		require.True(t, fileExists(t, webpPath), "WEBP file should exist before update")
+
+		// Update to the same type (WEBP)
+		err := s.updateClientLogoType(t.Context(), client.ID, "webp", true)
+		require.NoError(t, err)
+
+		// Verify the client still has WEBP
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.ImageType)
+		assert.Equal(t, "webp", *updatedClient.ImageType)
+
+		// WEBP file should still exist since type didn't change
+		assert.True(t, fileExists(t, webpPath), "WEBP file should still exist")
+	})
+
+	t.Run("Returns error for non-existent client", func(t *testing.T) {
+		err := s.updateClientLogoType(t.Context(), "non-existent-client-id", "png", true)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "failed to look up client")
+	})
+}
+
+func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
+	// Create a test database
+	db := testutils.NewDatabaseForTest(t)
+
+	// Create database storage
+	dbStorage, err := storage.NewDatabaseStorage(db)
+	require.NoError(t, err)
+
+	// Create a test client
+	client := model.OidcClient{
+		Name:         "Test Client",
+		CallbackURLs: model.UrlList{"https://example.com/callback"},
+	}
+	err = db.Create(&client).Error
+	require.NoError(t, err)
+
+	// Helper function to check if a file exists in storage
+	fileExists := func(t *testing.T, path string) bool {
+		t.Helper()
+		_, _, err := dbStorage.Open(t.Context(), path)
+		return err == nil
+	}
+
+	// Helper function to get file content from storage
+	getFileContent := func(t *testing.T, path string) []byte {
+		t.Helper()
+		reader, _, err := dbStorage.Open(t.Context(), path)
+		require.NoError(t, err)
+		defer reader.Close()
+		content, err := io.ReadAll(reader)
+		require.NoError(t, err)
+		return content
+	}
+
+	t.Run("Successfully downloads and saves PNG logo from URL", func(t *testing.T) {
+		// Create mock PNG content
+		pngContent := []byte("fake-png-content")
+
+		// Create a mock HTTP response with headers
+		//nolint:bodyclose
+		pngResponse := testutils.NewMockResponse(http.StatusOK, string(pngContent))
+		pngResponse.Header.Set("Content-Type", "image/png")
+
+		// Create a mock HTTP client with responses
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/logo.png": pngResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		// Init the OidcService with mock HTTP client
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		// Download and save the logo
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo.png", true)
+		require.NoError(t, err)
+
+		// Verify the file was saved
+		logoPath := "oidc-client-images/" + client.ID + ".png"
+		require.True(t, fileExists(t, logoPath), "Logo file should exist in storage")
+
+		// Verify the content
+		savedContent := getFileContent(t, logoPath)
+		assert.Equal(t, pngContent, savedContent)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.ImageType)
+		assert.Equal(t, "png", *updatedClient.ImageType)
+	})
+
+	t.Run("Successfully downloads and saves dark logo", func(t *testing.T) {
+		// Create mock WEBP content
+		webpContent := []byte("fake-webp-content")
+
+		//nolint:bodyclose
+		webpResponse := testutils.NewMockResponse(http.StatusOK, string(webpContent))
+		webpResponse.Header.Set("Content-Type", "image/webp")
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/dark-logo.webp": webpResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		// Download and save the dark logo
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/dark-logo.webp", false)
+		require.NoError(t, err)
+
+		// Verify the dark logo file was saved
+		darkLogoPath := "oidc-client-images/" + client.ID + "-dark.webp"
+		require.True(t, fileExists(t, darkLogoPath), "Dark logo file should exist in storage")
+
+		// Verify the content
+		savedContent := getFileContent(t, darkLogoPath)
+		assert.Equal(t, webpContent, savedContent)
+
+		// Verify the client was updated
+		var updatedClient model.OidcClient
+		err = db.First(&updatedClient, "id = ?", client.ID).Error
+		require.NoError(t, err)
+		require.NotNil(t, updatedClient.DarkImageType)
+		assert.Equal(t, "webp", *updatedClient.DarkImageType)
+	})
+
+	t.Run("Detects extension from URL path", func(t *testing.T) {
+		svgContent := []byte("<svg></svg>")
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/icon.svg": testutils.NewMockResponse(http.StatusOK, string(svgContent)),
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/icon.svg", true)
+		require.NoError(t, err)
+
+		// Verify SVG file was saved
+		logoPath := "oidc-client-images/" + client.ID + ".svg"
+		require.True(t, fileExists(t, logoPath), "SVG logo should exist")
+	})
+
+	t.Run("Detects extension from Content-Type when path has no extension", func(t *testing.T) {
+		jpgContent := []byte("fake-jpg-content")
+
+		//nolint:bodyclose
+		jpgResponse := testutils.NewMockResponse(http.StatusOK, string(jpgContent))
+		jpgResponse.Header.Set("Content-Type", "image/jpeg")
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/logo": jpgResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo", true)
+		require.NoError(t, err)
+
+		// Verify JPG file was saved (jpeg extension is normalized to jpg)
+		logoPath := "oidc-client-images/" + client.ID + ".jpg"
+		require.True(t, fileExists(t, logoPath), "JPG logo should exist")
+	})
+
+	t.Run("Returns error for invalid URL", func(t *testing.T) {
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  &http.Client{},
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "://invalid-url", true)
+		require.Error(t, err)
+	})
+
+	t.Run("Returns error for non-200 status code", func(t *testing.T) {
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/not-found.png": testutils.NewMockResponse(http.StatusNotFound, "Not Found"),
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/not-found.png", true)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "failed to fetch logo")
+	})
+
+	t.Run("Returns error for too large content", func(t *testing.T) {
+		// Create content larger than 2MB (maxLogoSize)
+		largeContent := strings.Repeat("x", 2<<20+100) // 2.1MB
+
+		//nolint:bodyclose
+		largeResponse := testutils.NewMockResponse(http.StatusOK, largeContent)
+		largeResponse.Header.Set("Content-Type", "image/png")
+		largeResponse.Header.Set("Content-Length", strconv.Itoa(len(largeContent)))
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/large.png": largeResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/large.png", true)
+		require.Error(t, err)
+		require.ErrorIs(t, err, errLogoTooLarge)
+	})
+
+	t.Run("Returns error for unsupported file type", func(t *testing.T) {
+		//nolint:bodyclose
+		textResponse := testutils.NewMockResponse(http.StatusOK, "text content")
+		textResponse.Header.Set("Content-Type", "text/plain")
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/file.txt": textResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/file.txt", true)
+		require.Error(t, err)
+		var fileTypeErr *common.FileTypeNotSupportedError
+		require.ErrorAs(t, err, &fileTypeErr)
+	})
+
+	t.Run("Returns error for non-existent client", func(t *testing.T) {
+		//nolint:bodyclose
+		pngResponse := testutils.NewMockResponse(http.StatusOK, "content")
+		pngResponse.Header.Set("Content-Type", "image/png")
+
+		mockResponses := map[string]*http.Response{
+			//nolint:bodyclose
+			"https://example.com/logo.png": pngResponse,
+		}
+		httpClient := &http.Client{
+			Transport: &testutils.MockRoundTripper{
+				Responses: mockResponses,
+			},
+		}
+
+		s := &OidcService{
+			db:          db,
+			fileStorage: dbStorage,
+			httpClient:  httpClient,
+		}
+
+		err := s.downloadAndSaveLogoFromURL(t.Context(), "non-existent-client-id", "https://example.com/logo.png", true)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "failed to look up client")
+	})
+}
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -21,7 +21,7 @@ func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService) *UserG
 	return &UserGroupService{db: db, appConfigService: appConfigService}
 }

-func (s *UserGroupService) List(ctx context.Context, name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
+func (s *UserGroupService) List(ctx context.Context, name string, listRequestOptions utils.ListRequestOptions) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
 	query := s.db.
 		WithContext(ctx).
 		Preload("CustomClaims").
@@ -32,17 +32,14 @@ func (s *UserGroupService) List(ctx context.Context, name string, sortedPaginati
 	}

 	// As userCount is not a column we need to manually sort it
-	if sortedPaginationRequest.Sort.Column == "userCount" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
+	if listRequestOptions.Sort.Column == "userCount" && utils.IsValidSortDirection(listRequestOptions.Sort.Direction) {
 		query = query.Select("user_groups.*, COUNT(user_groups_users.user_id)").
 			Joins("LEFT JOIN user_groups_users ON user_groups.id = user_groups_users.user_group_id").
 			Group("user_groups.id").
-			Order("COUNT(user_groups_users.user_id) " + sortedPaginationRequest.Sort.Direction)
-
-		response, err := utils.Paginate(sortedPaginationRequest.Pagination.Page, sortedPaginationRequest.Pagination.Limit, query, &groups)
-		return groups, response, err
+			Order("COUNT(user_groups_users.user_id) " + listRequestOptions.Sort.Direction)
 	}

-	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &groups)
+	response, err = utils.PaginateFilterAndSort(listRequestOptions, query, &groups)
 	return groups, response, err
 }

--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -7,20 +7,23 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"log/slog"
 	"net/url"
-	"os"
+	"path"
 	"strings"
 	"time"

 	"github.com/google/uuid"
 	"go.opentelemetry.io/otel/trace"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 	profilepicture "github.com/pocket-id/pocket-id/backend/internal/utils/image"
@@ -33,9 +36,11 @@ type UserService struct {
 	emailService       *EmailService
 	appConfigService   *AppConfigService
 	customClaimService *CustomClaimService
+	appImagesService   *AppImagesService
+	fileStorage        storage.FileStorage
 }

-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService, customClaimService *CustomClaimService) *UserService {
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService, customClaimService *CustomClaimService, appImagesService *AppImagesService, fileStorage storage.FileStorage) *UserService {
 	return &UserService{
 		db:                 db,
 		jwtService:         jwtService,
@@ -43,10 +48,12 @@ func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditL
 		emailService:       emailService,
 		appConfigService:   appConfigService,
 		customClaimService: customClaimService,
+		appImagesService:   appImagesService,
+		fileStorage:        fileStorage,
 	}
 }

-func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
+func (s *UserService) ListUsers(ctx context.Context, searchTerm string, listRequestOptions utils.ListRequestOptions) ([]model.User, utils.PaginationResponse, error) {
 	var users []model.User
 	query := s.db.WithContext(ctx).
 		Model(&model.User{}).
@@ -60,7 +67,7 @@ func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPa
 			searchPattern, searchPattern, searchPattern, searchPattern)
 	}

-	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &users)
+	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &users)

 	return users, pagination, err
 }
@@ -87,39 +94,42 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.
 		return nil, 0, &common.InvalidUUIDError{}
 	}

-	// First check for a custom uploaded profile picture (userID.png)
-	profilePicturePath := common.EnvConfig.UploadPath + "/profile-pictures/" + userID + ".png"
-	file, err := os.Open(profilePicturePath)
-	if err == nil {
-		// Get the file size
-		fileInfo, err := file.Stat()
-		if err != nil {
-			file.Close()
-			return nil, 0, err
-		}
-		return file, fileInfo.Size(), nil
-	}
-
-	// If no custom picture exists, get the user's data for creating initials
 	user, err := s.GetUser(ctx, userID)
 	if err != nil {
 		return nil, 0, err
 	}

-	// Check if we have a cached default picture for these initials
-	defaultProfilePicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults/"
-	defaultPicturePath := defaultProfilePicturesDir + user.Initials() + ".png"
-	file, err = os.Open(defaultPicturePath)
+	profilePicturePath := path.Join("profile-pictures", userID+".png")
+
+	// Try custom profile picture
+	file, size, err := s.fileStorage.Open(ctx, profilePicturePath)
 	if err == nil {
-		fileInfo, err := file.Stat()
-		if err != nil {
-			file.Close()
-			return nil, 0, err
-		}
-		return file, fileInfo.Size(), nil
+		return file, size, nil
+	} else if !errors.Is(err, fs.ErrNotExist) {
+		return nil, 0, err
 	}

-	// If no cached default picture exists, create one and save it for future use
+	// Try default global profile picture
+	if s.appImagesService.IsDefaultProfilePictureSet() {
+		reader, size, _, err := s.appImagesService.GetImage(ctx, "default-profile-picture")
+		if err == nil {
+			return reader, size, nil
+		}
+		if !errors.Is(err, &common.ImageNotFoundError{}) {
+			return nil, 0, err
+		}
+	}
+
+	// Try cached default for initials
+	defaultPicturePath := path.Join("profile-pictures", "defaults", user.Initials()+".png")
+	file, size, err = s.fileStorage.Open(ctx, defaultPicturePath)
+	if err == nil {
+		return file, size, nil
+	} else if !errors.Is(err, fs.ErrNotExist) {
+		return nil, 0, err
+	}
+
+	// Create and return generated default with initials
 	defaultPicture, err := profilepicture.CreateDefaultProfilePicture(user.Initials())
 	if err != nil {
 		return nil, 0, err
@@ -127,20 +137,16 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.

 	// Save the default picture for future use (in a goroutine to avoid blocking)
 	defaultPictureBytes := defaultPicture.Bytes()
+	//nolint:contextcheck
 	go func() {
-		// Ensure the directory exists
-		errInternal := os.MkdirAll(defaultProfilePicturesDir, os.ModePerm)
-		if errInternal != nil {
-			slog.Error("Failed to create directory for default profile picture", slog.Any("error", errInternal))
-			return
-		}
-		errInternal = utils.SaveFileStream(bytes.NewReader(defaultPictureBytes), defaultPicturePath)
-		if errInternal != nil {
-			slog.Error("Failed to cache default profile picture for initials", slog.String("initials", user.Initials()), slog.Any("error", errInternal))
+		// Use bytes.NewReader because we need an io.ReadSeeker
+		rErr := s.fileStorage.Save(context.Background(), defaultPicturePath, bytes.NewReader(defaultPictureBytes))
+		if rErr != nil {
+			slog.Error("Failed to cache default profile picture", slog.String("initials", user.Initials()), slog.Any("error", rErr))
 		}
 	}()

-	return io.NopCloser(bytes.NewReader(defaultPictureBytes)), int64(defaultPicture.Len()), nil
+	return io.NopCloser(bytes.NewReader(defaultPictureBytes)), int64(len(defaultPictureBytes)), nil
 }

 func (s *UserService) GetUserGroups(ctx context.Context, userID string) ([]model.UserGroup, error) {
@@ -157,7 +163,7 @@ func (s *UserService) GetUserGroups(ctx context.Context, userID string) ([]model
 	return user.UserGroups, nil
 }

-func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error {
+func (s *UserService) UpdateProfilePicture(ctx context.Context, userID string, file io.ReadSeeker) error {
 	// Validate the user ID to prevent directory traversal
 	err := uuid.Validate(userID)
 	if err != nil {
@@ -170,15 +176,8 @@ func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error
 		return err
 	}

-	// Ensure the directory exists
-	profilePictureDir := common.EnvConfig.UploadPath + "/profile-pictures"
-	err = os.MkdirAll(profilePictureDir, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	// Create the profile picture file
-	err = utils.SaveFileStream(profilePicture, profilePictureDir+"/"+userID+".png")
+	profilePicturePath := path.Join("profile-pictures", userID+".png")
+	err = s.fileStorage.Save(ctx, profilePicturePath, profilePicture)
 	if err != nil {
 		return err
 	}
@@ -187,17 +186,30 @@ func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error
 }

 func (s *UserService) DeleteUser(ctx context.Context, userID string, allowLdapDelete bool) error {
-	return s.db.Transaction(func(tx *gorm.DB) error {
-		return s.deleteUserInternal(ctx, userID, allowLdapDelete, tx)
+	err := s.db.Transaction(func(tx *gorm.DB) error {
+		return s.deleteUserInternal(ctx, tx, userID, allowLdapDelete)
 	})
+	if err != nil {
+		return fmt.Errorf("failed to delete user '%s': %w", userID, err)
+	}
+
+	// Storage operations must be executed outside of a transaction
+	profilePicturePath := path.Join("profile-pictures", userID+".png")
+	err = s.fileStorage.Delete(ctx, profilePicturePath)
+	if err != nil && !storage.IsNotExist(err) {
+		return fmt.Errorf("failed to delete profile picture for user '%s': %w", userID, err)
+	}
+
+	return nil
 }

-func (s *UserService) deleteUserInternal(ctx context.Context, userID string, allowLdapDelete bool, tx *gorm.DB) error {
+func (s *UserService) deleteUserInternal(ctx context.Context, tx *gorm.DB, userID string, allowLdapDelete bool) error {
 	var user model.User

 	err := tx.
 		WithContext(ctx).
 		Where("id = ?", userID).
+		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&user).
 		Error
 	if err != nil {
@@ -209,13 +221,6 @@ func (s *UserService) deleteUserInternal(ctx context.Context, userID string, all
 		return &common.LdapUserUpdateError{}
 	}

-	// Delete the profile picture
-	profilePicturePath := common.EnvConfig.UploadPath + "/profile-pictures/" + userID + ".png"
-	err = os.Remove(profilePicturePath)
-	if err != nil && !os.IsNotExist(err) {
-		return err
-	}
-
 	err = tx.WithContext(ctx).Delete(&user).Error
 	if err != nil {
 		return fmt.Errorf("failed to delete user: %w", err)
@@ -256,6 +261,7 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 		Username:    input.Username,
 		IsAdmin:     input.IsAdmin,
 		Locale:      input.Locale,
+		Disabled:    input.Disabled,
 	}
 	if input.LdapID != "" {
 		user.LdapID = &input.LdapID
@@ -292,16 +298,27 @@ func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User,

 	// Apply default user groups
 	var groupIDs []string
-	if v := config.SignupDefaultUserGroupIDs.Value; v != "" && v != "[]" {
-		if err := json.Unmarshal([]byte(v), &groupIDs); err != nil {
+	v := config.SignupDefaultUserGroupIDs.Value
+	if v != "" && v != "[]" {
+		err := json.Unmarshal([]byte(v), &groupIDs)
+		if err != nil {
 			return fmt.Errorf("invalid SignupDefaultUserGroupIDs JSON: %w", err)
 		}
 		if len(groupIDs) > 0 {
 			var groups []model.UserGroup
-			if err := tx.WithContext(ctx).Where("id IN ?", groupIDs).Find(&groups).Error; err != nil {
+			err = tx.WithContext(ctx).
+				Where("id IN ?", groupIDs).
+				Find(&groups).
+				Error
+			if err != nil {
 				return fmt.Errorf("failed to find default user groups: %w", err)
 			}
-			if err := tx.WithContext(ctx).Model(user).Association("UserGroups").Replace(groups); err != nil {
+
+			err = tx.WithContext(ctx).
+				Model(user).
+				Association("UserGroups").
+				Replace(groups)
+			if err != nil {
 				return fmt.Errorf("failed to associate default user groups: %w", err)
 			}
 		}
@@ -309,12 +326,15 @@ func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User,

 	// Apply default custom claims
 	var claims []dto.CustomClaimCreateDto
-	if v := config.SignupDefaultCustomClaims.Value; v != "" && v != "[]" {
-		if err := json.Unmarshal([]byte(v), &claims); err != nil {
+	v = config.SignupDefaultCustomClaims.Value
+	if v != "" && v != "[]" {
+		err := json.Unmarshal([]byte(v), &claims)
+		if err != nil {
 			return fmt.Errorf("invalid SignupDefaultCustomClaims JSON: %w", err)
 		}
 		if len(claims) > 0 {
-			if _, err := s.customClaimService.updateCustomClaimsInternal(ctx, UserID, user.ID, claims, tx); err != nil {
+			_, err = s.customClaimService.updateCustomClaimsInternal(ctx, UserID, user.ID, claims, tx)
+			if err != nil {
 				return fmt.Errorf("failed to apply default custom claims: %w", err)
 			}
 		}
@@ -351,6 +371,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	err := tx.
 		WithContext(ctx).
 		Where("id = ?", userID).
+		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&user).
 		Error
 	if err != nil {
@@ -422,13 +443,11 @@ func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context

 	var userId string
 	err := s.db.Model(&model.User{}).Select("id").Where("email = ?", userID).First(&userId).Error
-	if err != nil {
+	if errors.Is(err, gorm.ErrRecordNotFound) {
 		// Do not return error if user not found to prevent email enumeration
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil
-		} else {
-			return err
-		}
+		return nil
+	} else if err != nil {
+		return err
 	}

 	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, 15*time.Minute)
@@ -519,7 +538,9 @@ func (s *UserService) ExchangeOneTimeAccessToken(ctx context.Context, token stri
 	var oneTimeAccessToken model.OneTimeAccessToken
 	err := tx.
 		WithContext(ctx).
-		Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).Preload("User").
+		Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).
+		Preload("User").
+		Clauses(clause.Locking{Strength: "UPDATE"}).
 		First(&oneTimeAccessToken).
 		Error
 	if err != nil {
@@ -672,30 +693,20 @@ func (s *UserService) checkDuplicatedFields(ctx context.Context, user model.User
 }

 // ResetProfilePicture deletes a user's custom profile picture
-func (s *UserService) ResetProfilePicture(userID string) error {
+func (s *UserService) ResetProfilePicture(ctx context.Context, userID string) error {
 	// Validate the user ID to prevent directory traversal
 	if err := uuid.Validate(userID); err != nil {
 		return &common.InvalidUUIDError{}
 	}

-	// Build path to profile picture
-	profilePicturePath := common.EnvConfig.UploadPath + "/profile-pictures/" + userID + ".png"
-
-	// Check if file exists and delete it
-	if _, err := os.Stat(profilePicturePath); err == nil {
-		if err := os.Remove(profilePicturePath); err != nil {
-			return fmt.Errorf("failed to delete profile picture: %w", err)
-		}
-	} else if !os.IsNotExist(err) {
-		// If any error other than "file not exists"
-		return fmt.Errorf("failed to check if profile picture exists: %w", err)
+	profilePicturePath := path.Join("profile-pictures", userID+".png")
+	if err := s.fileStorage.Delete(ctx, profilePicturePath); err != nil {
+		return fmt.Errorf("failed to delete profile picture: %w", err)
 	}
-	// It's okay if the file doesn't exist - just means there's no custom picture to delete
-
 	return nil
 }

-func (s *UserService) disableUserInternal(ctx context.Context, userID string, tx *gorm.DB) error {
+func (s *UserService) disableUserInternal(ctx context.Context, tx *gorm.DB, userID string) error {
 	return tx.
 		WithContext(ctx).
 		Model(&model.User{}).
@@ -736,6 +747,7 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 		err := tx.
 			WithContext(ctx).
 			Where("token = ?", signupData.Token).
+			Clauses(clause.Locking{Strength: "UPDATE"}).
 			First(&signupToken).
 			Error
 		if err != nil {
@@ -794,11 +806,11 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 	return user, accessToken, nil
 }

-func (s *UserService) ListSignupTokens(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.SignupToken, utils.PaginationResponse, error) {
+func (s *UserService) ListSignupTokens(ctx context.Context, listRequestOptions utils.ListRequestOptions) ([]model.SignupToken, utils.PaginationResponse, error) {
 	var tokens []model.SignupToken
 	query := s.db.WithContext(ctx).Model(&model.SignupToken{})

-	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &tokens)
+	pagination, err := utils.PaginateFilterAndSort(listRequestOptions, query, &tokens)
 	return tokens, pagination, err
 }

--- a/backend/internal/service/version_service.go
+++ b/backend/internal/service/version_service.go
@@ -58,7 +58,7 @@ func (s *VersionService) GetLatestVersion(ctx context.Context) (string, error) {
 		}

 		if payload.TagName == "" {
-			return "", fmt.Errorf("GitHub API returned empty tag name")
+			return "", errors.New("GitHub API returned empty tag name")
 		}

 		return strings.TrimPrefix(payload.TagName, "v"), nil
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -2,6 +2,8 @@ package service

 import (
 	"context"
+	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -81,6 +83,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 		&user,
 		webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired),
 		webauthn.WithExclusions(user.WebAuthnCredentialDescriptors()),
+		webauthn.WithExtensions(map[string]any{"credProps": true}), // Required for Firefox Android to properly save the key in Google password manager
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to begin WebAuthn registration: %w", err)
@@ -89,6 +92,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 	sessionToStore := &model.WebauthnSession{
 		ExpiresAt:        datatype.DateTime(session.Expires),
 		Challenge:        session.Challenge,
+		CredentialParams: session.CredParams,
 		UserVerification: string(session.UserVerification),
 	}

@@ -112,7 +116,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 	}, nil
 }

-func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, userID string, r *http.Request) (model.WebauthnCredential, error) {
+func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID string, userID string, r *http.Request, ipAddress string) (model.WebauthnCredential, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -130,9 +134,10 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, use
 	}

 	session := webauthn.SessionData{
-		Challenge: storedSession.Challenge,
-		Expires:   storedSession.ExpiresAt.ToTime(),
-		UserID:    []byte(userID),
+		Challenge:  storedSession.Challenge,
+		Expires:    storedSession.ExpiresAt.ToTime(),
+		CredParams: storedSession.CredentialParams,
+		UserID:     []byte(userID),
 	}

 	var user model.User
@@ -170,6 +175,9 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, use
 		return model.WebauthnCredential{}, fmt.Errorf("failed to store WebAuthn credential: %w", err)
 	}

+	auditLogData := model.AuditLogData{"credentialID": hex.EncodeToString(credential.ID), "passkeyName": passkeyName}
+	s.auditLogService.Create(ctx, model.AuditLogEventPasskeyAdded, ipAddress, r.UserAgent(), userID, auditLogData, tx)
+
 	err = tx.Commit().Error
 	if err != nil {
 		return model.WebauthnCredential{}, fmt.Errorf("failed to commit transaction: %w", err)
@@ -285,16 +293,30 @@ func (s *WebAuthnService) ListCredentials(ctx context.Context, userID string) ([
 	return credentials, nil
 }

-func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID, credentialID string) error {
-	err := s.db.
+func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID string, credentialID string, ipAddress string, userAgent string) error {
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	credential := &model.WebauthnCredential{}
+	err := tx.
 		WithContext(ctx).
-		Where("id = ? AND user_id = ?", credentialID, userID).
-		Delete(&model.WebauthnCredential{}).
+		Clauses(clause.Returning{}).
+		Delete(credential, "id = ? AND user_id = ?", credentialID, userID).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to delete record: %w", err)
 	}

+	auditLogData := model.AuditLogData{"credentialID": hex.EncodeToString(credential.CredentialID), "passkeyName": credential.Name}
+	s.auditLogService.Create(ctx, model.AuditLogEventPasskeyRemoved, ipAddress, userAgent, userID, auditLogData, tx)
+
+	err = tx.Commit().Error
+	if err != nil {
+		return fmt.Errorf("failed to commit transaction: %w", err)
+	}
+
 	return nil
 }

@@ -350,7 +372,7 @@ func (s *WebAuthnService) CreateReauthenticationTokenWithAccessToken(ctx context

 	userID, ok := token.Subject()
 	if !ok {
-		return "", fmt.Errorf("access token does not contain user ID")
+		return "", errors.New("access token does not contain user ID")
 	}

 	// Check if token is issued less than a minute ago
--- a/backend/internal/storage/database.go
+++ b/backend/internal/storage/database.go
@@ -0,0 +1,226 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+var TypeDatabase = "database"
+
+type databaseStorage struct {
+	db *gorm.DB
+}
+
+// NewDatabaseStorage creates a new database storage provider
+func NewDatabaseStorage(db *gorm.DB) (FileStorage, error) {
+	if db == nil {
+		return nil, errors.New("database connection is required")
+	}
+	return &databaseStorage{db: db}, nil
+}
+
+func (s *databaseStorage) Type() string {
+	return TypeDatabase
+}
+
+func (s *databaseStorage) Save(ctx context.Context, relativePath string, data io.Reader) error {
+	// Normalize the path
+	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
+
+	// Read all data into memory
+	b, err := io.ReadAll(data)
+	if err != nil {
+		return fmt.Errorf("failed to read data: %w", err)
+	}
+
+	now := datatype.DateTime(time.Now())
+	storage := model.Storage{
+		Path:      relativePath,
+		Data:      b,
+		Size:      int64(len(b)),
+		ModTime:   now,
+		CreatedAt: now,
+	}
+
+	// Use upsert: insert or update on conflict
+	result := s.db.
+		WithContext(ctx).
+		Clauses(clause.OnConflict{
+			Columns:   []clause.Column{{Name: "path"}},
+			DoUpdates: clause.AssignmentColumns([]string{"data", "size", "mod_time"}),
+		}).
+		Create(&storage)
+
+	if result.Error != nil {
+		return fmt.Errorf("failed to save file to database: %w", result.Error)
+	}
+
+	return nil
+}
+
+func (s *databaseStorage) Open(ctx context.Context, relativePath string) (io.ReadCloser, int64, error) {
+	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
+
+	var storage model.Storage
+	result := s.db.
+		WithContext(ctx).
+		Where("path = ?", relativePath).
+		First(&storage)
+
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, 0, os.ErrNotExist
+		}
+		return nil, 0, fmt.Errorf("failed to read file from database: %w", result.Error)
+	}
+
+	reader := io.NopCloser(bytes.NewReader(storage.Data))
+	return reader, storage.Size, nil
+}
+
+func (s *databaseStorage) Delete(ctx context.Context, relativePath string) error {
+	relativePath = filepath.ToSlash(filepath.Clean(relativePath))
+
+	result := s.db.
+		WithContext(ctx).
+		Where("path = ?", relativePath).
+		Delete(&model.Storage{})
+	if result.Error != nil {
+		return fmt.Errorf("failed to delete file from database: %w", result.Error)
+	}
+
+	return nil
+}
+
+func (s *databaseStorage) DeleteAll(ctx context.Context, prefix string) error {
+	prefix = filepath.ToSlash(filepath.Clean(prefix))
+
+	// If empty prefix, delete all
+	if isRootPath(prefix) {
+		result := s.db.
+			WithContext(ctx).
+			Where("1 = 1"). // Delete everything
+			Delete(&model.Storage{})
+		if result.Error != nil {
+			return fmt.Errorf("failed to delete all files from database: %w", result.Error)
+		}
+		return nil
+	}
+
+	// Ensure prefix ends with / for proper prefix matching
+	if !strings.HasSuffix(prefix, "/") {
+		prefix += "/"
+	}
+
+	query := s.db.WithContext(ctx)
+	query = addPathPrefixClause(s.db.Name(), query, prefix)
+	result := query.Delete(&model.Storage{})
+	if result.Error != nil {
+		return fmt.Errorf("failed to delete files with prefix '%s' from database: %w", prefix, result.Error)
+	}
+
+	return nil
+}
+
+func (s *databaseStorage) List(ctx context.Context, prefix string) ([]ObjectInfo, error) {
+	prefix = filepath.ToSlash(filepath.Clean(prefix))
+
+	var storageItems []model.Storage
+	query := s.db.WithContext(ctx)
+
+	if !isRootPath(prefix) {
+		// Ensure prefix matching
+		if !strings.HasSuffix(prefix, "/") {
+			prefix += "/"
+		}
+		query = addPathPrefixClause(s.db.Name(), query, prefix)
+	}
+
+	result := query.
+		Select("path", "size", "mod_time").
+		Find(&storageItems)
+	if result.Error != nil {
+		return nil, fmt.Errorf("failed to list files from database: %w", result.Error)
+	}
+
+	objects := make([]ObjectInfo, 0, len(storageItems))
+	for _, item := range storageItems {
+		// Filter out directory-like paths (those that contain additional slashes after the prefix)
+		relativePath := strings.TrimPrefix(item.Path, prefix)
+		if strings.ContainsRune(relativePath, '/') {
+			continue
+		}
+
+		objects = append(objects, ObjectInfo{
+			Path:    item.Path,
+			Size:    item.Size,
+			ModTime: time.Time(item.ModTime),
+		})
+	}
+
+	return objects, nil
+}
+
+func (s *databaseStorage) Walk(ctx context.Context, root string, fn func(ObjectInfo) error) error {
+	root = filepath.ToSlash(filepath.Clean(root))
+
+	var storageItems []model.Storage
+	query := s.db.WithContext(ctx)
+
+	if !isRootPath(root) {
+		// Ensure root matching
+		if !strings.HasSuffix(root, "/") {
+			root += "/"
+		}
+		query = addPathPrefixClause(s.db.Name(), query, root)
+	}
+
+	result := query.
+		Select("path", "size", "mod_time").
+		Find(&storageItems)
+	if result.Error != nil {
+		return fmt.Errorf("failed to walk files from database: %w", result.Error)
+	}
+
+	for _, item := range storageItems {
+		err := fn(ObjectInfo{
+			Path:    item.Path,
+			Size:    item.Size,
+			ModTime: time.Time(item.ModTime),
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func isRootPath(path string) bool {
+	return path == "" || path == "/" || path == "."
+}
+
+func addPathPrefixClause(dialect string, query *gorm.DB, prefix string) *gorm.DB {
+	// In SQLite, we use "GLOB" which can use the index
+	switch dialect {
+	case "sqlite":
+		return query.Where("path GLOB ?", prefix+"*")
+	case "postgres":
+		return query.Where("path LIKE ?", prefix+"%")
+	default:
+		// Indicates a development-time error
+		panic(fmt.Errorf("unsupported database dialect: %s", dialect))
+	}
+}
--- a/backend/internal/storage/database_test.go
+++ b/backend/internal/storage/database_test.go
@@ -0,0 +1,148 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	testingutil "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
+)
+
+func TestDatabaseStorageOperations(t *testing.T) {
+	ctx := context.Background()
+	db := testingutil.NewDatabaseForTest(t)
+	store, err := NewDatabaseStorage(db)
+	require.NoError(t, err)
+
+	t.Run("type should be database", func(t *testing.T) {
+		assert.Equal(t, TypeDatabase, store.Type())
+	})
+
+	t.Run("save, open and list files", func(t *testing.T) {
+		err := store.Save(ctx, "images/logo.png", bytes.NewBufferString("logo-data"))
+		require.NoError(t, err)
+
+		reader, size, err := store.Open(ctx, "images/logo.png")
+		require.NoError(t, err)
+		defer reader.Close()
+
+		contents, err := io.ReadAll(reader)
+		require.NoError(t, err)
+		assert.Equal(t, []byte("logo-data"), contents)
+		assert.Equal(t, int64(len(contents)), size)
+
+		err = store.Save(ctx, "images/nested/child.txt", bytes.NewBufferString("child"))
+		require.NoError(t, err)
+
+		files, err := store.List(ctx, "images")
+		require.NoError(t, err)
+		require.Len(t, files, 1)
+		assert.Equal(t, "images/logo.png", files[0].Path)
+		assert.Equal(t, int64(len("logo-data")), files[0].Size)
+	})
+
+	t.Run("save should update existing file", func(t *testing.T) {
+		err := store.Save(ctx, "test/update.txt", bytes.NewBufferString("original"))
+		require.NoError(t, err)
+
+		err = store.Save(ctx, "test/update.txt", bytes.NewBufferString("updated"))
+		require.NoError(t, err)
+
+		reader, size, err := store.Open(ctx, "test/update.txt")
+		require.NoError(t, err)
+		defer reader.Close()
+
+		contents, err := io.ReadAll(reader)
+		require.NoError(t, err)
+		assert.Equal(t, []byte("updated"), contents)
+		assert.Equal(t, int64(len("updated")), size)
+	})
+
+	t.Run("delete files individually", func(t *testing.T) {
+		err := store.Save(ctx, "images/delete-me.txt", bytes.NewBufferString("temp"))
+		require.NoError(t, err)
+
+		require.NoError(t, store.Delete(ctx, "images/delete-me.txt"))
+		_, _, err = store.Open(ctx, "images/delete-me.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+	})
+
+	t.Run("delete missing file should not error", func(t *testing.T) {
+		require.NoError(t, store.Delete(ctx, "images/missing.txt"))
+	})
+
+	t.Run("delete all files", func(t *testing.T) {
+		require.NoError(t, store.Save(ctx, "cleanup/a.txt", bytes.NewBufferString("a")))
+		require.NoError(t, store.Save(ctx, "cleanup/b.txt", bytes.NewBufferString("b")))
+		require.NoError(t, store.Save(ctx, "cleanup/nested/c.txt", bytes.NewBufferString("c")))
+		require.NoError(t, store.DeleteAll(ctx, "/"))
+
+		_, _, err := store.Open(ctx, "cleanup/a.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		_, _, err = store.Open(ctx, "cleanup/b.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		_, _, err = store.Open(ctx, "cleanup/nested/c.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+	})
+
+	t.Run("delete all files under a prefix", func(t *testing.T) {
+		require.NoError(t, store.Save(ctx, "cleanup/a.txt", bytes.NewBufferString("a")))
+		require.NoError(t, store.Save(ctx, "cleanup/b.txt", bytes.NewBufferString("b")))
+		require.NoError(t, store.Save(ctx, "cleanup/nested/c.txt", bytes.NewBufferString("c")))
+		require.NoError(t, store.DeleteAll(ctx, "cleanup"))
+
+		_, _, err := store.Open(ctx, "cleanup/a.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		_, _, err = store.Open(ctx, "cleanup/b.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		_, _, err = store.Open(ctx, "cleanup/nested/c.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+	})
+
+	t.Run("walk files", func(t *testing.T) {
+		require.NoError(t, store.Save(ctx, "walk/file1.txt", bytes.NewBufferString("1")))
+		require.NoError(t, store.Save(ctx, "walk/file2.txt", bytes.NewBufferString("2")))
+		require.NoError(t, store.Save(ctx, "walk/nested/file3.txt", bytes.NewBufferString("3")))
+
+		var paths []string
+		err := store.Walk(ctx, "walk", func(info ObjectInfo) error {
+			paths = append(paths, info.Path)
+			return nil
+		})
+		require.NoError(t, err)
+		assert.Len(t, paths, 3)
+		assert.Contains(t, paths, "walk/file1.txt")
+		assert.Contains(t, paths, "walk/file2.txt")
+		assert.Contains(t, paths, "walk/nested/file3.txt")
+	})
+}
+
+func TestNewDatabaseStorage(t *testing.T) {
+	t.Run("should return error with nil database", func(t *testing.T) {
+		_, err := NewDatabaseStorage(nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "database connection is required")
+	})
+
+	t.Run("should create storage with valid database", func(t *testing.T) {
+		db := testingutil.NewDatabaseForTest(t)
+		store, err := NewDatabaseStorage(db)
+		require.NoError(t, err)
+		assert.NotNil(t, store)
+	})
+}
--- a/backend/internal/storage/filesystem.go
+++ b/backend/internal/storage/filesystem.go
@@ -0,0 +1,193 @@
+package storage
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/google/uuid"
+)
+
+type filesystemStorage struct {
+	root             *os.Root
+	absoluteRootPath string
+}
+
+func NewFilesystemStorage(rootPath string) (FileStorage, error) {
+	if err := os.MkdirAll(rootPath, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create root directory '%s': %w", rootPath, err)
+	}
+	root, err := os.OpenRoot(rootPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open root directory '%s': %w", rootPath, err)
+	}
+
+	absoluteRootPath, err := filepath.Abs(rootPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get absolute path of root directory '%s': %w", rootPath, err)
+	}
+
+	return &filesystemStorage{root: root, absoluteRootPath: absoluteRootPath}, err
+}
+
+func (s *filesystemStorage) Type() string {
+	return TypeFileSystem
+}
+
+func (s *filesystemStorage) Save(_ context.Context, path string, data io.Reader) error {
+	path = filepath.FromSlash(path)
+
+	if err := s.root.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return fmt.Errorf("failed to create directories for path '%s': %w", path, err)
+	}
+
+	// Our strategy is to save to a separate file and then rename it to override the original file
+	tmpName := path + "." + uuid.NewString() + "-tmp"
+
+	// Write to the temporary file
+	tmpFile, err := s.root.Create(tmpName)
+	if err != nil {
+		return fmt.Errorf("failed to open file '%s' for writing: %w", tmpName, err)
+	}
+
+	_, err = io.Copy(tmpFile, data)
+	if err != nil {
+		tmpFile.Close()
+		_ = s.root.Remove(tmpName)
+		return fmt.Errorf("failed to write temporary file: %w", err)
+	}
+
+	if err = tmpFile.Close(); err != nil {
+		_ = s.root.Remove(tmpName)
+		return fmt.Errorf("failed to close temporary file: %w", err)
+	}
+
+	// Rename to the final file, which overrides existing files
+	// This is an atomic operation
+	if err = s.root.Rename(tmpName, path); err != nil {
+		_ = s.root.Remove(tmpName)
+		return fmt.Errorf("failed to move temporary file: %w", err)
+	}
+
+	return nil
+}
+
+func (s *filesystemStorage) Open(_ context.Context, path string) (io.ReadCloser, int64, error) {
+	path = filepath.FromSlash(path)
+
+	file, err := s.root.Open(path)
+	if err != nil {
+		return nil, 0, err
+	}
+	info, err := file.Stat()
+	if err != nil {
+		file.Close()
+		return nil, 0, err
+	}
+	return file, info.Size(), nil
+}
+
+func (s *filesystemStorage) Delete(_ context.Context, path string) error {
+	path = filepath.FromSlash(path)
+
+	err := s.root.Remove(path)
+	if err != nil && !errors.Is(err, fs.ErrNotExist) {
+		return err
+	}
+	return nil
+}
+
+func (s *filesystemStorage) DeleteAll(_ context.Context, path string) error {
+	path = filepath.FromSlash(path)
+
+	// If "/", "." or "" is requested, we delete all contents of the root.
+	if path == "" || path == "/" || path == "." {
+		dir, err := s.root.Open(".")
+		if err != nil {
+			return fmt.Errorf("failed to open root directory: %w", err)
+		}
+		defer dir.Close()
+
+		entries, err := dir.ReadDir(-1)
+		if err != nil {
+			return fmt.Errorf("failed to list root directory: %w", err)
+		}
+		for _, entry := range entries {
+			if err := s.root.RemoveAll(entry.Name()); err != nil {
+				return fmt.Errorf("failed to delete '%s': %w", entry.Name(), err)
+			}
+		}
+		return nil
+	}
+
+	return s.root.RemoveAll(path)
+}
+func (s *filesystemStorage) List(_ context.Context, path string) ([]ObjectInfo, error) {
+	path = filepath.FromSlash(path)
+
+	dir, err := s.root.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer dir.Close()
+
+	entries, err := dir.ReadDir(-1)
+	if err != nil {
+		return nil, err
+	}
+
+	objects := make([]ObjectInfo, 0, len(entries))
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		info, err := entry.Info()
+		if err != nil {
+			return nil, err
+		}
+		objects = append(objects, ObjectInfo{
+			Path:    filepath.Join(path, entry.Name()),
+			Size:    info.Size(),
+			ModTime: info.ModTime(),
+		})
+	}
+	return objects, nil
+}
+func (s *filesystemStorage) Walk(_ context.Context, root string, fn func(ObjectInfo) error) error {
+	root = filepath.FromSlash(root)
+
+	fullPath := filepath.Clean(filepath.Join(s.absoluteRootPath, root))
+
+	// As we can't use os.Root here, we manually ensure that the fullPath is within the root directory
+	sep := string(filepath.Separator)
+	if !strings.HasPrefix(fullPath+sep, s.absoluteRootPath+sep) {
+		return fmt.Errorf("invalid root path: %s", root)
+	}
+
+	return filepath.WalkDir(fullPath, func(full string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+		if d.IsDir() {
+			return nil
+		}
+		rel, err := filepath.Rel(s.absoluteRootPath, full)
+		if err != nil {
+			return err
+		}
+		info, err := d.Info()
+		if err != nil {
+			return err
+		}
+		return fn(ObjectInfo{
+			Path:    filepath.ToSlash(rel),
+			Size:    info.Size(),
+			ModTime: info.ModTime(),
+		})
+	})
+}
--- a/backend/internal/storage/filesystem_test.go
+++ b/backend/internal/storage/filesystem_test.go
@@ -0,0 +1,68 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFilesystemStorageOperations(t *testing.T) {
+	ctx := context.Background()
+	store, err := NewFilesystemStorage(t.TempDir())
+	require.NoError(t, err)
+
+	t.Run("save, open and list files", func(t *testing.T) {
+		err := store.Save(ctx, "images/logo.png", bytes.NewBufferString("logo-data"))
+		require.NoError(t, err)
+
+		reader, size, err := store.Open(ctx, "images/logo.png")
+		require.NoError(t, err)
+		defer reader.Close()
+
+		contents, err := io.ReadAll(reader)
+		require.NoError(t, err)
+		assert.Equal(t, []byte("logo-data"), contents)
+		assert.Equal(t, int64(len(contents)), size)
+
+		err = store.Save(ctx, "images/nested/child.txt", bytes.NewBufferString("child"))
+		require.NoError(t, err)
+
+		files, err := store.List(ctx, "images")
+		require.NoError(t, err)
+		require.Len(t, files, 1)
+		assert.Equal(t, filepath.Join("images", "logo.png"), files[0].Path)
+		assert.Equal(t, int64(len("logo-data")), files[0].Size)
+	})
+
+	t.Run("delete files individually and idempotently", func(t *testing.T) {
+		err := store.Save(ctx, "images/delete-me.txt", bytes.NewBufferString("temp"))
+		require.NoError(t, err)
+
+		require.NoError(t, store.Delete(ctx, "images/delete-me.txt"))
+		_, _, err = store.Open(ctx, "images/delete-me.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		// Deleting a missing object should be a no-op.
+		require.NoError(t, store.Delete(ctx, "images/missing.txt"))
+	})
+
+	t.Run("delete all files under a prefix", func(t *testing.T) {
+		require.NoError(t, store.Save(ctx, "images/a.txt", bytes.NewBufferString("a")))
+		require.NoError(t, store.Save(ctx, "images/b.txt", bytes.NewBufferString("b")))
+		require.NoError(t, store.DeleteAll(ctx, "images"))
+
+		_, _, err := store.Open(ctx, "images/a.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+
+		_, _, err = store.Open(ctx, "images/b.txt")
+		require.Error(t, err)
+		assert.True(t, IsNotExist(err))
+	})
+}
--- a/backend/internal/storage/s3.go
+++ b/backend/internal/storage/s3.go
@@ -0,0 +1,185 @@
+package storage
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"path/filepath"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awscfg "github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/aws/smithy-go"
+)
+
+type S3Config struct {
+	Bucket          string
+	Region          string
+	Endpoint        string
+	AccessKeyID     string
+	SecretAccessKey string
+	ForcePathStyle  bool
+	Root            string
+}
+
+type s3Storage struct {
+	client *s3.Client
+	bucket string
+	prefix string
+}
+
+func NewS3Storage(ctx context.Context, cfg S3Config) (FileStorage, error) {
+	creds := credentials.NewStaticCredentialsProvider(cfg.AccessKeyID, cfg.SecretAccessKey, "")
+	awsCfg, err := awscfg.LoadDefaultConfig(ctx, awscfg.WithRegion(cfg.Region), awscfg.WithCredentialsProvider(creds))
+	if err != nil {
+		return nil, fmt.Errorf("failed to load AWS configuration: %w", err)
+	}
+	client := s3.NewFromConfig(awsCfg, func(o *s3.Options) {
+		if cfg.Endpoint != "" {
+			o.BaseEndpoint = aws.String(cfg.Endpoint)
+		}
+		o.UsePathStyle = cfg.ForcePathStyle
+	})
+
+	return &s3Storage{
+		client: client,
+		bucket: cfg.Bucket,
+		prefix: strings.Trim(cfg.Root, "/"),
+	}, nil
+}
+
+func (s *s3Storage) Type() string {
+	return TypeS3
+}
+
+func (s *s3Storage) Save(ctx context.Context, path string, data io.Reader) error {
+	_, err := s.client.PutObject(ctx, &s3.PutObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(s.buildObjectKey(path)),
+		Body:   data,
+	})
+	return err
+}
+
+func (s *s3Storage) Open(ctx context.Context, path string) (io.ReadCloser, int64, error) {
+	resp, err := s.client.GetObject(ctx, &s3.GetObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(s.buildObjectKey(path)),
+	})
+	if err != nil {
+		if isS3NotFound(err) {
+			return nil, 0, fs.ErrNotExist
+		}
+		return nil, 0, err
+	}
+	return resp.Body, aws.ToInt64(resp.ContentLength), nil
+}
+
+func (s *s3Storage) Delete(ctx context.Context, path string) error {
+	_, err := s.client.DeleteObject(ctx, &s3.DeleteObjectInput{
+		Bucket: aws.String(s.bucket),
+		Key:    aws.String(s.buildObjectKey(path)),
+	})
+	return err
+}
+
+func (s *s3Storage) DeleteAll(ctx context.Context, path string) error {
+
+	paginator := s3.NewListObjectsV2Paginator(s.client, &s3.ListObjectsV2Input{
+		Bucket: aws.String(s.bucket),
+		Prefix: aws.String(s.buildObjectKey(path)),
+	})
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return err
+		}
+		if len(page.Contents) == 0 {
+			continue
+		}
+		objects := make([]s3types.ObjectIdentifier, 0, len(page.Contents))
+		for _, obj := range page.Contents {
+			objects = append(objects, s3types.ObjectIdentifier{Key: obj.Key})
+		}
+		_, err = s.client.DeleteObjects(ctx, &s3.DeleteObjectsInput{
+			Bucket: aws.String(s.bucket),
+			Delete: &s3types.Delete{Objects: objects, Quiet: aws.Bool(true)},
+		})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *s3Storage) List(ctx context.Context, path string) ([]ObjectInfo, error) {
+	paginator := s3.NewListObjectsV2Paginator(s.client, &s3.ListObjectsV2Input{
+		Bucket: aws.String(s.bucket),
+		Prefix: aws.String(s.buildObjectKey(path)),
+	})
+	var objects []ObjectInfo
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return nil, err
+		}
+		for _, obj := range page.Contents {
+			if obj.Key == nil {
+				continue
+			}
+			objects = append(objects, ObjectInfo{
+				Path:    aws.ToString(obj.Key),
+				Size:    aws.ToInt64(obj.Size),
+				ModTime: aws.ToTime(obj.LastModified),
+			})
+		}
+	}
+	return objects, nil
+}
+
+func (s *s3Storage) Walk(ctx context.Context, root string, fn func(ObjectInfo) error) error {
+	objects, err := s.List(ctx, root)
+	if err != nil {
+		return err
+	}
+
+	for _, obj := range objects {
+		if err := fn(obj); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *s3Storage) buildObjectKey(p string) string {
+	p = filepath.Clean(p)
+	p = filepath.ToSlash(p)
+	p = strings.Trim(p, "/")
+
+	if p == "" || p == "." {
+		return s.prefix
+	}
+
+	if s.prefix == "" {
+		return p
+	}
+
+	return s.prefix + "/" + p
+}
+
+func isS3NotFound(err error) bool {
+	var apiErr smithy.APIError
+	if errors.As(err, &apiErr) {
+		if apiErr.ErrorCode() == "NotFound" || apiErr.ErrorCode() == "NoSuchKey" {
+			return true
+		}
+	}
+	var missingKey *s3types.NoSuchKey
+	return errors.As(err, &missingKey)
+}
--- a/backend/internal/storage/s3_test.go
+++ b/backend/internal/storage/s3_test.go
@@ -0,0 +1,44 @@
+package storage
+
+import (
+	"errors"
+	"testing"
+
+	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+	"github.com/aws/smithy-go"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestS3Helpers(t *testing.T) {
+	t.Run("buildObjectKey trims and joins prefix", func(t *testing.T) {
+		tests := []struct {
+			name     string
+			prefix   string
+			path     string
+			expected string
+		}{
+			{name: "no prefix no path", prefix: "", path: "", expected: ""},
+			{name: "prefix no path", prefix: "root", path: "", expected: "root"},
+			{name: "prefix with nested path", prefix: "root", path: "foo/bar/baz", expected: "root/foo/bar/baz"},
+			{name: "trimmed path and prefix", prefix: "root", path: "/foo//bar/", expected: "root/foo/bar"},
+			{name: "no prefix path only", prefix: "", path: "./images/logo.png", expected: "images/logo.png"},
+		}
+
+		for _, tc := range tests {
+			t.Run(tc.name, func(t *testing.T) {
+				s := &s3Storage{
+					bucket: "bucket",
+					prefix: tc.prefix,
+				}
+				assert.Equal(t, tc.expected, s.buildObjectKey(tc.path))
+			})
+		}
+	})
+
+	t.Run("isS3NotFound detects expected errors", func(t *testing.T) {
+		assert.True(t, isS3NotFound(&smithy.GenericAPIError{Code: "NoSuchKey"}))
+		assert.True(t, isS3NotFound(&smithy.GenericAPIError{Code: "NotFound"}))
+		assert.True(t, isS3NotFound(&s3types.NoSuchKey{}))
+		assert.False(t, isS3NotFound(errors.New("boom")))
+	})
+}
--- a/backend/internal/storage/storage.go
+++ b/backend/internal/storage/storage.go
@@ -0,0 +1,33 @@
+package storage
+
+import (
+	"context"
+	"io"
+	"os"
+	"time"
+)
+
+var (
+	TypeFileSystem = "fs"
+	TypeS3         = "s3"
+)
+
+type ObjectInfo struct {
+	Path    string
+	Size    int64
+	ModTime time.Time
+}
+
+type FileStorage interface {
+	Save(ctx context.Context, relativePath string, data io.Reader) error
+	Open(ctx context.Context, relativePath string) (io.ReadCloser, int64, error)
+	Delete(ctx context.Context, relativePath string) error
+	DeleteAll(ctx context.Context, prefix string) error
+	List(ctx context.Context, prefix string) ([]ObjectInfo, error)
+	Walk(ctx context.Context, root string, fn func(ObjectInfo) error) error
+	Type() string
+}
+
+func IsNotExist(err error) bool {
+	return os.IsNotExist(err)
+}
--- a/backend/internal/utils/file_util.go
+++ b/backend/internal/utils/file_util.go
@@ -2,20 +2,15 @@ package utils

 import (
 	"crypto/rand"
-	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"mime"
-	"mime/multipart"
 	"os"
 	"path/filepath"
 	"strings"
 	"syscall"
-
-	"github.com/google/uuid"
-	"github.com/pocket-id/pocket-id/backend/resources"
 )

 func GetFileExtension(filename string) string {
@@ -86,110 +81,6 @@ func GetImageExtensionFromMimeType(mimeType string) string {
 	}
 }

-func CopyEmbeddedFileToDisk(srcFilePath, destFilePath string) error {
-	srcFile, err := resources.FS.Open(srcFilePath)
-	if err != nil {
-		return fmt.Errorf("failed to open embedded file: %w", err)
-	}
-	defer srcFile.Close()
-
-	err = os.MkdirAll(filepath.Dir(destFilePath), os.ModePerm)
-	if err != nil {
-		return fmt.Errorf("failed to create destination directory: %w", err)
-	}
-
-	destFile, err := os.Create(destFilePath)
-	if err != nil {
-		return fmt.Errorf("failed to open destination file: %w", err)
-	}
-	defer destFile.Close()
-
-	_, err = io.Copy(destFile, srcFile)
-	if err != nil {
-		return fmt.Errorf("failed to write to destination file: %w", err)
-	}
-
-	return nil
-}
-
-func EmbeddedFileSha256(filePath string) ([]byte, error) {
-	f, err := resources.FS.Open(filePath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open embedded file: %w", err)
-	}
-	defer f.Close()
-
-	h := sha256.New()
-	_, err = io.Copy(h, f)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read embedded file: %w", err)
-	}
-
-	return h.Sum(nil), nil
-}
-
-func SaveFile(file *multipart.FileHeader, dst string) error {
-	src, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer src.Close()
-
-	if err = os.MkdirAll(filepath.Dir(dst), 0o750); err != nil {
-		return err
-	}
-
-	return SaveFileStream(src, dst)
-}
-
-// SaveFileStream saves a stream to a file.
-func SaveFileStream(r io.Reader, dstFileName string) error {
-	// Our strategy is to save to a separate file and then rename it to override the original file
-	tmpFileName := dstFileName + "." + uuid.NewString() + "-tmp"
-
-	// Write to the temporary file
-	tmpFile, err := os.Create(tmpFileName)
-	if err != nil {
-		return fmt.Errorf("failed to open file '%s' for writing: %w", tmpFileName, err)
-	}
-
-	n, err := io.Copy(tmpFile, r)
-	if err != nil {
-		// Delete the temporary file; we ignore errors here
-		_ = tmpFile.Close()
-		_ = os.Remove(tmpFileName)
-
-		return fmt.Errorf("failed to write to file '%s': %w", tmpFileName, err)
-	}
-
-	err = tmpFile.Close()
-	if err != nil {
-		// Delete the temporary file; we ignore errors here
-		_ = os.Remove(tmpFileName)
-
-		return fmt.Errorf("failed to close stream to file '%s': %w", tmpFileName, err)
-	}
-
-	if n == 0 {
-		// Delete the temporary file; we ignore errors here
-		_ = os.Remove(tmpFileName)
-
-		return errors.New("no data written")
-	}
-
-	// Rename to the final file, which overrides existing files
-	// This is an atomic operation
-	err = os.Rename(tmpFileName, dstFileName)
-	if err != nil {
-		// Delete the temporary file; we ignore errors here
-		_ = os.Remove(tmpFileName)
-
-		return fmt.Errorf("failed to rename file '%s': %w", dstFileName, err)
-	}
-
-	return nil
-}
-
 // FileExists returns true if a file exists on disk and is a regular file
 func FileExists(path string) (bool, error) {
 	s, err := os.Stat(path)
--- a/backend/internal/utils/image/profile_picture.go
+++ b/backend/internal/utils/image/profile_picture.go
@@ -12,32 +12,40 @@ import (
 	"golang.org/x/image/font"
 	"golang.org/x/image/font/opentype"
 	"golang.org/x/image/math/fixed"
+	"golang.org/x/image/webp"

 	"github.com/pocket-id/pocket-id/backend/resources"
 )

 const profilePictureSize = 300

-// CreateProfilePicture resizes the profile picture to a square
-func CreateProfilePicture(file io.Reader) (io.Reader, error) {
+// CreateProfilePicture resizes the profile picture to a square and encodes it as PNG
+func CreateProfilePicture(file io.ReadSeeker) (io.ReadSeeker, error) {
+	// Attempt standard formats first
 	img, _, err := imageorient.Decode(file)
 	if err != nil {
-		return nil, fmt.Errorf("failed to decode image: %w", err)
+		if _, seekErr := file.Seek(0, io.SeekStart); seekErr != nil {
+			return nil, fmt.Errorf("failed to seek file: %w", seekErr)
+		}
+		// Try WebP
+		webpImg, webpErr := webp.Decode(file)
+		if webpErr != nil {
+			return nil, fmt.Errorf("failed to decode image: %w", err)
+		}
+
+		img = webpImg
 	}

+	// Resize to square
 	img = imaging.Fill(img, profilePictureSize, profilePictureSize, imaging.Center, imaging.Lanczos)

-	pr, pw := io.Pipe()
-	go func() {
-		innerErr := imaging.Encode(pw, img, imaging.PNG)
-		if innerErr != nil {
-			_ = pw.CloseWithError(fmt.Errorf("failed to encode image: %w", innerErr))
-			return
-		}
-		pw.Close()
-	}()
+	// Encode back to PNG
+	var buf bytes.Buffer
+	if err := imaging.Encode(&buf, img, imaging.PNG); err != nil {
+		return nil, fmt.Errorf("failed to encode image: %w", err)
+	}

-	return pr, nil
+	return bytes.NewReader(buf.Bytes()), nil
 }

 // CreateDefaultProfilePicture creates a profile picture with the initials
--- a/backend/internal/utils/ip_util.go
+++ b/backend/internal/utils/ip_util.go
@@ -1,7 +1,10 @@
 package utils

 import (
+	"context"
+	"errors"
 	"net"
+	"net/url"
 	"strings"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -56,6 +59,23 @@ func IsPrivateIP(ip net.IP) bool {
 	return IsLocalhostIP(ip) || IsPrivateLanIP(ip) || IsTailscaleIP(ip) || IsLocalIPv6(ip)
 }

+func IsURLPrivate(ctx context.Context, u *url.URL) (bool, error) {
+	var r net.Resolver
+	ips, err := r.LookupIPAddr(ctx, u.Hostname())
+	if err != nil || len(ips) == 0 {
+		return false, errors.New("cannot resolve hostname")
+	}
+
+	// Prevents SSRF by allowing only public IPs
+	for _, addr := range ips {
+		if IsPrivateIP(addr.IP) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 func listContainsIP(ipNets []*net.IPNet, ip net.IP) bool {
 	for _, ipNet := range ipNets {
 		if ipNet.Contains(ip) {
--- a/backend/internal/utils/ip_util_test.go
+++ b/backend/internal/utils/ip_util_test.go
@@ -1,8 +1,14 @@
 package utils

 import (
+	"context"
 	"net"
+	"net/url"
 	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
@@ -20,9 +26,8 @@ func TestIsLocalhostIP(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := IsLocalhostIP(ip); got != tt.expected {
-			t.Errorf("IsLocalhostIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+		got := IsLocalhostIP(ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

@@ -40,9 +45,8 @@ func TestIsPrivateLanIP(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := IsPrivateLanIP(ip); got != tt.expected {
-			t.Errorf("IsPrivateLanIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+		got := IsPrivateLanIP(ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

@@ -59,9 +63,9 @@ func TestIsTailscaleIP(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := IsTailscaleIP(ip); got != tt.expected {
-			t.Errorf("IsTailscaleIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+
+		got := IsTailscaleIP(ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

@@ -86,16 +90,17 @@ func TestIsLocalIPv6(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := IsLocalIPv6(ip); got != tt.expected {
-			t.Errorf("IsLocalIPv6(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+		got := IsLocalIPv6(ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

 func TestIsPrivateIP(t *testing.T) {
 	// Save and restore env config
 	origRanges := common.EnvConfig.LocalIPv6Ranges
-	defer func() { common.EnvConfig.LocalIPv6Ranges = origRanges }()
+	t.Cleanup(func() {
+		common.EnvConfig.LocalIPv6Ranges = origRanges
+	})

 	common.EnvConfig.LocalIPv6Ranges = "fd00::/8"
 	localIPv6Ranges = nil // reset
@@ -115,9 +120,8 @@ func TestIsPrivateIP(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := IsPrivateIP(ip); got != tt.expected {
-			t.Errorf("IsPrivateIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+		got := IsPrivateIP(ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

@@ -138,22 +142,202 @@ func TestListContainsIP(t *testing.T) {

 	for _, tt := range tests {
 		ip := net.ParseIP(tt.ip)
-		if got := listContainsIP(list, ip); got != tt.expected {
-			t.Errorf("listContainsIP(%s) = %v, want %v", tt.ip, got, tt.expected)
-		}
+		got := listContainsIP(list, ip)
+		assert.Equal(t, tt.expected, got)
 	}
 }

 func TestInit_LocalIPv6Ranges(t *testing.T) {
 	// Save and restore env config
 	origRanges := common.EnvConfig.LocalIPv6Ranges
-	defer func() { common.EnvConfig.LocalIPv6Ranges = origRanges }()
+	t.Cleanup(func() {
+		common.EnvConfig.LocalIPv6Ranges = origRanges
+	})

 	common.EnvConfig.LocalIPv6Ranges = "fd00::/8, invalidCIDR ,fc00::/7"
 	localIPv6Ranges = nil
 	loadLocalIPv6Ranges()

-	if len(localIPv6Ranges) != 2 {
-		t.Errorf("expected 2 valid IPv6 ranges, got %d", len(localIPv6Ranges))
+	assert.Len(t, localIPv6Ranges, 2)
+}
+
+func TestIsURLPrivate(t *testing.T) {
+	ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
+	defer cancel()
+
+	tests := []struct {
+		name        string
+		urlStr      string
+		expectPriv  bool
+		expectError bool
+	}{
+		{
+			name:        "localhost by name",
+			urlStr:      "http://localhost",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "localhost with port",
+			urlStr:      "http://localhost:8080",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "127.0.0.1 IP",
+			urlStr:      "http://127.0.0.1",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "127.0.0.1 with port",
+			urlStr:      "http://127.0.0.1:3000",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "IPv6 loopback",
+			urlStr:      "http://[::1]",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "IPv6 loopback with port",
+			urlStr:      "http://[::1]:8080",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "private IP 10.x.x.x",
+			urlStr:      "http://10.0.0.1",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "private IP 192.168.x.x",
+			urlStr:      "http://192.168.1.1",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "private IP 172.16.x.x",
+			urlStr:      "http://172.16.0.1",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "Tailscale IP",
+			urlStr:      "http://100.64.0.1",
+			expectPriv:  true,
+			expectError: false,
+		},
+		{
+			name:        "public IP - Google DNS",
+			urlStr:      "http://8.8.8.8",
+			expectPriv:  false,
+			expectError: false,
+		},
+		{
+			name:        "public IP - Cloudflare DNS",
+			urlStr:      "http://1.1.1.1",
+			expectPriv:  false,
+			expectError: false,
+		},
+		{
+			name:        "invalid hostname",
+			urlStr:      "http://this-should-not-resolve-ever-123456789.invalid",
+			expectPriv:  false,
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u, err := url.Parse(tt.urlStr)
+			require.NoError(t, err, "Failed to parse URL %s", tt.urlStr)
+
+			isPriv, err := IsURLPrivate(ctx, u)
+
+			if tt.expectError {
+				require.Error(t, err, "IsURLPrivate(%s) expected error but got none", tt.urlStr)
+			} else {
+				require.NoError(t, err, "IsURLPrivate(%s) unexpected error", tt.urlStr)
+				assert.Equal(t, tt.expectPriv, isPriv, "IsURLPrivate(%s)", tt.urlStr)
+			}
+		})
 	}
 }
+
+func TestIsURLPrivate_WithDomainName(t *testing.T) {
+	// Note: These tests rely on actual DNS resolution
+	// They test real public domains to ensure they are not flagged as private
+	ctx, cancel := context.WithTimeout(t.Context(), 10*time.Second)
+	defer cancel()
+
+	tests := []struct {
+		name       string
+		urlStr     string
+		expectPriv bool
+	}{
+		{
+			name:       "Google public domain",
+			urlStr:     "https://www.google.com",
+			expectPriv: false,
+		},
+		{
+			name:       "GitHub public domain",
+			urlStr:     "https://github.com",
+			expectPriv: false,
+		},
+		{
+			// localhost.localtest.me is a well-known domain that resolves to 127.0.0.1
+			name:       "localhost.localtest.me resolves to 127.0.0.1",
+			urlStr:     "http://localhost.localtest.me",
+			expectPriv: true,
+		},
+		{
+			// 10.0.0.1.nip.io resolves to 10.0.0.1 (private IP)
+			name:       "nip.io domain resolving to private 10.x IP",
+			urlStr:     "http://10.0.0.1.nip.io",
+			expectPriv: true,
+		},
+		{
+			// 192.168.1.1.nip.io resolves to 192.168.1.1 (private IP)
+			name:       "nip.io domain resolving to private 192.168.x IP",
+			urlStr:     "http://192.168.1.1.nip.io",
+			expectPriv: true,
+		},
+		{
+			// 127.0.0.1.nip.io resolves to 127.0.0.1 (localhost)
+			name:       "nip.io domain resolving to localhost",
+			urlStr:     "http://127.0.0.1.nip.io",
+			expectPriv: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u, err := url.Parse(tt.urlStr)
+			require.NoError(t, err, "Failed to parse URL %s", tt.urlStr)
+
+			isPriv, err := IsURLPrivate(ctx, u)
+			if err != nil {
+				t.Skipf("DNS resolution failed for %s (network issue?): %v", tt.urlStr, err)
+				return
+			}
+
+			assert.Equal(t, tt.expectPriv, isPriv, "IsURLPrivate(%s)", tt.urlStr)
+		})
+	}
+}
+
+func TestIsURLPrivate_ContextCancellation(t *testing.T) {
+	ctx, cancel := context.WithCancel(t.Context())
+	cancel() // Cancel immediately
+
+	u, err := url.Parse("http://example.com")
+	require.NoError(t, err, "Failed to parse URL")
+
+	_, err = IsURLPrivate(ctx, u)
+	assert.Error(t, err, "IsURLPrivate with cancelled context expected error but got none")
+}
--- a/backend/internal/utils/json_util.go
+++ b/backend/internal/utils/json_util.go
@@ -3,6 +3,7 @@ package utils
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"time"
 )

@@ -40,3 +41,14 @@ func (d *JSONDuration) UnmarshalJSON(b []byte) error {
 		return errors.New("invalid duration")
 	}
 }
+
+func UnmarshalJSONFromDatabase(data interface{}, value any) error {
+	switch v := value.(type) {
+	case []byte:
+		return json.Unmarshal(v, data)
+	case string:
+		return json.Unmarshal([]byte(v), data)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
+	}
+}
--- a/backend/internal/utils/list_request_util.go
+++ b/backend/internal/utils/list_request_util.go
@@ -0,0 +1,205 @@
+package utils
+
+import (
+	"reflect"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+type PaginationResponse struct {
+	TotalPages   int64 `json:"totalPages"`
+	TotalItems   int64 `json:"totalItems"`
+	CurrentPage  int   `json:"currentPage"`
+	ItemsPerPage int   `json:"itemsPerPage"`
+}
+
+type ListRequestOptions struct {
+	Pagination struct {
+		Page  int `form:"pagination[page]"`
+		Limit int `form:"pagination[limit]"`
+	} `form:"pagination"`
+	Sort struct {
+		Column    string `form:"sort[column]"`
+		Direction string `form:"sort[direction]"`
+	} `form:"sort"`
+	Filters map[string][]any
+}
+
+type FieldMeta struct {
+	ColumnName   string
+	IsSortable   bool
+	IsFilterable bool
+}
+
+func ParseListRequestOptions(ctx *gin.Context) (listRequestOptions ListRequestOptions) {
+	if err := ctx.ShouldBindQuery(&listRequestOptions); err != nil {
+		return listRequestOptions
+	}
+
+	listRequestOptions.Filters = parseNestedFilters(ctx)
+	return listRequestOptions
+}
+
+func PaginateFilterAndSort(params ListRequestOptions, query *gorm.DB, result interface{}) (PaginationResponse, error) {
+	meta := extractModelMetadata(result)
+
+	query = applyFilters(params.Filters, query, meta)
+	query = applySorting(params.Sort.Column, params.Sort.Direction, query, meta)
+
+	return Paginate(params.Pagination.Page, params.Pagination.Limit, query, result)
+}
+
+func Paginate(page int, pageSize int, query *gorm.DB, result interface{}) (PaginationResponse, error) {
+	if page < 1 {
+		page = 1
+	}
+
+	if pageSize < 1 {
+		pageSize = 20
+	} else if pageSize > 100 {
+		pageSize = 100
+	}
+
+	var totalItems int64
+	if err := query.Count(&totalItems).Error; err != nil {
+		return PaginationResponse{}, err
+	}
+
+	totalPages := (totalItems + int64(pageSize) - 1) / int64(pageSize)
+	if totalItems == 0 {
+		totalPages = 1
+	}
+
+	if int64(page) > totalPages {
+		page = int(totalPages)
+	}
+
+	offset := (page - 1) * pageSize
+
+	if err := query.Offset(offset).Limit(pageSize).Find(result).Error; err != nil {
+		return PaginationResponse{}, err
+	}
+
+	return PaginationResponse{
+		TotalPages:   totalPages,
+		TotalItems:   totalItems,
+		CurrentPage:  page,
+		ItemsPerPage: pageSize,
+	}, nil
+}
+
+func NormalizeSortDirection(direction string) string {
+	d := strings.ToLower(strings.TrimSpace(direction))
+	if d != "asc" && d != "desc" {
+		return "asc"
+	}
+	return d
+}
+
+func IsValidSortDirection(direction string) bool {
+	d := strings.ToLower(strings.TrimSpace(direction))
+	return d == "asc" || d == "desc"
+}
+
+// parseNestedFilters handles ?filters[field][0]=val1&filters[field][1]=val2
+func parseNestedFilters(ctx *gin.Context) map[string][]any {
+	result := make(map[string][]any)
+	query := ctx.Request.URL.Query()
+
+	for key, values := range query {
+		if !strings.HasPrefix(key, "filters[") {
+			continue
+		}
+
+		// Keys can be "filters[field]" or "filters[field][0]"
+		raw := strings.TrimPrefix(key, "filters[")
+		// Take everything up to the first closing bracket
+		if idx := strings.IndexByte(raw, ']'); idx != -1 {
+			field := raw[:idx]
+			for _, v := range values {
+				result[field] = append(result[field], ConvertStringToType(v))
+			}
+		}
+	}
+
+	return result
+}
+
+// applyFilters applies filtering to the GORM query based on the provided filters
+func applyFilters(filters map[string][]any, query *gorm.DB, meta map[string]FieldMeta) *gorm.DB {
+	for key, values := range filters {
+		if key == "" || len(values) == 0 {
+			continue
+		}
+
+		fieldName := CapitalizeFirstLetter(key)
+		fieldMeta, ok := meta[fieldName]
+		if !ok || !fieldMeta.IsFilterable {
+			continue
+		}
+
+		query = query.Where(fieldMeta.ColumnName+" IN ?", values)
+	}
+	return query
+}
+
+// applySorting applies sorting to the GORM query based on the provided column and direction
+func applySorting(sortColumn string, sortDirection string, query *gorm.DB, meta map[string]FieldMeta) *gorm.DB {
+	fieldName := CapitalizeFirstLetter(sortColumn)
+	fieldMeta, ok := meta[fieldName]
+	if !ok || !fieldMeta.IsSortable {
+		return query
+	}
+
+	sortDirection = NormalizeSortDirection(sortDirection)
+
+	query = query.Clauses(clause.OrderBy{
+		Columns: []clause.OrderByColumn{
+			{Column: clause.Column{Name: fieldMeta.ColumnName}, Desc: sortDirection == "desc"},
+		},
+	})
+	return query
+}
+
+// extractModelMetadata extracts FieldMeta from the model struct using reflection
+func extractModelMetadata(model interface{}) map[string]FieldMeta {
+	meta := make(map[string]FieldMeta)
+
+	// Unwrap pointers and slices to get the element struct type
+	t := reflect.TypeOf(model)
+	for t.Kind() == reflect.Ptr || t.Kind() == reflect.Slice {
+		t = t.Elem()
+		if t == nil {
+			return meta
+		}
+	}
+
+	// recursive parser that merges fields from embedded structs
+	var parseStruct func(reflect.Type)
+	parseStruct = func(st reflect.Type) {
+		for i := 0; i < st.NumField(); i++ {
+			field := st.Field(i)
+			ft := field.Type
+
+			// If the field is an embedded/anonymous struct, recurse into it
+			if field.Anonymous && ft.Kind() == reflect.Struct {
+				parseStruct(ft)
+				continue
+			}
+
+			// Normal field: record metadata
+			name := field.Name
+			meta[name] = FieldMeta{
+				ColumnName:   CamelCaseToSnakeCase(name),
+				IsSortable:   field.Tag.Get("sortable") == "true",
+				IsFilterable: field.Tag.Get("filterable") == "true",
+			}
+		}
+	}
+
+	parseStruct(t)
+	return meta
+}
--- a/backend/internal/utils/paging_util.go
+++ b/backend/internal/utils/paging_util.go
@@ -1,99 +0,0 @@
-package utils
-
-import (
-	"reflect"
-	"strconv"
-	"strings"
-
-	"gorm.io/gorm"
-	"gorm.io/gorm/clause"
-)
-
-type PaginationResponse struct {
-	TotalPages   int64 `json:"totalPages"`
-	TotalItems   int64 `json:"totalItems"`
-	CurrentPage  int   `json:"currentPage"`
-	ItemsPerPage int   `json:"itemsPerPage"`
-}
-
-type SortedPaginationRequest struct {
-	Pagination struct {
-		Page  int `form:"pagination[page]"`
-		Limit int `form:"pagination[limit]"`
-	} `form:"pagination"`
-	Sort struct {
-		Column    string `form:"sort[column]"`
-		Direction string `form:"sort[direction]"`
-	} `form:"sort"`
-}
-
-func PaginateAndSort(sortedPaginationRequest SortedPaginationRequest, query *gorm.DB, result interface{}) (PaginationResponse, error) {
-	pagination := sortedPaginationRequest.Pagination
-	sort := sortedPaginationRequest.Sort
-
-	capitalizedSortColumn := CapitalizeFirstLetter(sort.Column)
-
-	sortField, sortFieldFound := reflect.TypeOf(result).Elem().Elem().FieldByName(capitalizedSortColumn)
-	isSortable, _ := strconv.ParseBool(sortField.Tag.Get("sortable"))
-
-	sort.Direction = NormalizeSortDirection(sort.Direction)
-
-	if sortFieldFound && isSortable {
-		columnName := CamelCaseToSnakeCase(sort.Column)
-		query = query.Clauses(clause.OrderBy{
-			Columns: []clause.OrderByColumn{
-				{Column: clause.Column{Name: columnName}, Desc: sort.Direction == "desc"},
-			},
-		})
-	}
-
-	return Paginate(pagination.Page, pagination.Limit, query, result)
-}
-
-func Paginate(page int, pageSize int, query *gorm.DB, result interface{}) (PaginationResponse, error) {
-	if page < 1 {
-		page = 1
-	}
-
-	if pageSize < 1 {
-		pageSize = 20
-	} else if pageSize > 100 {
-		pageSize = 100
-	}
-
-	offset := (page - 1) * pageSize
-
-	var totalItems int64
-	if err := query.Count(&totalItems).Error; err != nil {
-		return PaginationResponse{}, err
-	}
-
-	if err := query.Offset(offset).Limit(pageSize).Find(result).Error; err != nil {
-		return PaginationResponse{}, err
-	}
-
-	totalPages := (totalItems + int64(pageSize) - 1) / int64(pageSize)
-	if totalItems == 0 {
-		totalPages = 1
-	}
-
-	return PaginationResponse{
-		TotalPages:   totalPages,
-		TotalItems:   totalItems,
-		CurrentPage:  page,
-		ItemsPerPage: pageSize,
-	}, nil
-}
-
-func NormalizeSortDirection(direction string) string {
-	d := strings.ToLower(strings.TrimSpace(direction))
-	if d != "asc" && d != "desc" {
-		return "asc"
-	}
-	return d
-}
-
-func IsValidSortDirection(direction string) bool {
-	d := strings.ToLower(strings.TrimSpace(direction))
-	return d == "asc" || d == "desc"
-}
--- a/backend/internal/utils/stream_util.go
+++ b/backend/internal/utils/stream_util.go
@@ -0,0 +1,34 @@
+package utils
+
+import (
+	"errors"
+	"io"
+)
+
+var ErrSizeExceeded = errors.New("stream size exceeded")
+
+// LimitReader is like io.LimitReader but throws an error if the stream exceeds the max size
+// io.LimitReader instead just returns io.EOF
+// Adapted from https://github.com/golang/go/issues/51115#issuecomment-1079761212
+type LimitReader struct {
+	io.ReadCloser
+	N int64
+}
+
+func NewLimitReader(r io.ReadCloser, limit int64) *LimitReader {
+	return &LimitReader{r, limit}
+}
+
+func (r *LimitReader) Read(p []byte) (n int, err error) {
+	if r.N <= 0 {
+		return 0, ErrSizeExceeded
+	}
+
+	if int64(len(p)) > r.N {
+		p = p[0:r.N]
+	}
+
+	n, err = r.ReadCloser.Read(p)
+	r.N -= int64(n)
+	return
+}
--- a/backend/internal/utils/string_util.go
+++ b/backend/internal/utils/string_util.go
@@ -81,26 +81,21 @@ func CapitalizeFirstLetter(str string) string {
 	return result.String()
 }

-func CamelCaseToSnakeCase(str string) string {
-	result := strings.Builder{}
-	result.Grow(int(float32(len(str)) * 1.1))
-	for i, r := range str {
-		if unicode.IsUpper(r) && i > 0 {
-			result.WriteByte('_')
-		}
-		result.WriteRune(unicode.ToLower(r))
-	}
-	return result.String()
+var (
+	reAcronymBoundary = regexp.MustCompile(`([A-Z]+)([A-Z][a-z])`) // ABCd -> AB_Cd
+	reLowerToUpper    = regexp.MustCompile(`([a-z0-9])([A-Z])`)    // aB -> a_B
+)
+
+func CamelCaseToSnakeCase(s string) string {
+	s = reAcronymBoundary.ReplaceAllString(s, "${1}_${2}")
+	s = reLowerToUpper.ReplaceAllString(s, "${1}_${2}")
+	return strings.ToLower(s)
 }

-var camelCaseToScreamingSnakeCaseRe = regexp.MustCompile(`([a-z0-9])([A-Z])`)
-
 func CamelCaseToScreamingSnakeCase(s string) string {
-	// Insert underscores before uppercase letters (except the first one)
-	snake := camelCaseToScreamingSnakeCaseRe.ReplaceAllString(s, `${1}_${2}`)
-
-	// Convert to uppercase
-	return strings.ToUpper(snake)
+	s = reAcronymBoundary.ReplaceAllString(s, "${1}_${2}")
+	s = reLowerToUpper.ReplaceAllString(s, "${1}_${2}")
+	return strings.ToUpper(s)
 }

 // GetFirstCharacter returns the first non-whitespace character of the string, correctly handling Unicode
--- a/backend/internal/utils/string_util_test.go
+++ b/backend/internal/utils/string_util_test.go
@@ -86,9 +86,9 @@ func TestCamelCaseToSnakeCase(t *testing.T) {
 		{"simple camelCase", "camelCase", "camel_case"},
 		{"PascalCase", "PascalCase", "pascal_case"},
 		{"multipleWordsInCamelCase", "multipleWordsInCamelCase", "multiple_words_in_camel_case"},
-		{"consecutive uppercase", "HTTPRequest", "h_t_t_p_request"},
+		{"consecutive uppercase", "HTTPRequest", "http_request"},
 		{"single lowercase word", "word", "word"},
-		{"single uppercase word", "WORD", "w_o_r_d"},
+		{"single uppercase word", "WORD", "word"},
 		{"with numbers", "camel123Case", "camel123_case"},
 		{"with numbers in middle", "model2Name", "model2_name"},
 		{"mixed case", "iPhone6sPlus", "i_phone6s_plus"},
@@ -104,6 +104,34 @@ func TestCamelCaseToSnakeCase(t *testing.T) {
 	}
 }

+func TestCamelCaseToScreamingSnakeCase(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"empty string", "", ""},
+		{"simple camelCase", "camelCase", "CAMEL_CASE"},
+		{"PascalCase", "PascalCase", "PASCAL_CASE"},
+		{"multipleWordsInCamelCase", "multipleWordsInCamelCase", "MULTIPLE_WORDS_IN_CAMEL_CASE"},
+		{"consecutive uppercase", "HTTPRequest", "HTTP_REQUEST"},
+		{"single lowercase word", "word", "WORD"},
+		{"single uppercase word", "WORD", "WORD"},
+		{"with numbers", "camel123Case", "CAMEL123_CASE"},
+		{"with numbers in middle", "model2Name", "MODEL2_NAME"},
+		{"mixed case", "iPhone6sPlus", "I_PHONE6S_PLUS"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := CamelCaseToScreamingSnakeCase(tt.input)
+			if result != tt.expected {
+				t.Errorf("CamelCaseToScreamingSnakeCase(%q) = %q, want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestGetFirstCharacter(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/backend/internal/utils/type_util.go
+++ b/backend/internal/utils/type_util.go
@@ -0,0 +1,35 @@
+package utils
+
+import (
+	"strconv"
+	"strings"
+)
+
+// ConvertStringToType attempts to convert a string to bool, int, or float.
+func ConvertStringToType(value string) any {
+	v := strings.TrimSpace(value)
+	if v == "" {
+		return v
+	}
+
+	// Try bool
+	if v == "true" {
+		return true
+	}
+	if v == "false" {
+		return false
+	}
+
+	// Try int
+	if i, err := strconv.Atoi(v); err == nil {
+		return i
+	}
+
+	// Try float
+	if f, err := strconv.ParseFloat(v, 64); err == nil {
+		return f
+	}
+
+	// Default: string
+	return v
+}
--- a/backend/internal/utils/type_util_test.go
+++ b/backend/internal/utils/type_util_test.go
@@ -0,0 +1,37 @@
+package utils
+
+import (
+	"testing"
+)
+
+func TestConvertStringToType(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected any
+	}{
+		{"true", true},
+		{"false", false},
+		{"  true  ", true},
+		{"  false  ", false},
+		{"42", 42},
+		{"  42  ", 42},
+		{"3.14", 3.14},
+		{"  3.14  ", 3.14},
+		{"hello", "hello"},
+		{"  hello  ", "hello"},
+		{"", ""},
+		{"   ", ""},
+	}
+
+	for _, tt := range tests {
+		result := ConvertStringToType(tt.input)
+		if result != tt.expected {
+			if f, ok := tt.expected.(float64); ok {
+				if rf, ok := result.(float64); ok && rf == f {
+					continue
+				}
+			}
+			t.Errorf("ConvertStringToType(%q) = %#v (type %T), want %#v (type %T)", tt.input, result, result, tt.expected, tt.expected)
+		}
+	}
+}
--- a/backend/resources/aaguids.json
+++ b/backend/resources/aaguids.json
--- a/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
@@ -1,3 +1 @@
-{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px">
-<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">API Key Expiring Soon</h1></td><td align="right" data-id="__react-email-column">
-<p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Hello <!-- -->{{.Data.Name}}<!-- -->, <br/>This is a reminder that your API key <strong>{{.Data.APIKeyName}}</strong> <!-- -->will expire on <strong>{{.Data.ExpiresAt.Format "2006-01-02 15:04:05 MST"}}</strong>.</p><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Please generate a new API key if you need continued access.</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><!--html--><!--head--><!--body--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px"><img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">API Key Expiring Soon</h1></td><td align="right" data-id="__react-email-column"><p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Hello <!-- -->{{.Data.Name}}<!-- -->, <br/>This is a reminder that your API key <strong>{{.Data.APIKeyName}}</strong> <!-- -->will expire on <strong>{{.Data.ExpiresAt.Format "2006-01-02 15:04:05 MST"}}</strong>.</p><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Please generate a new API key if you need continued access.</p></div></td></tr></tbody></table><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/login-with-new-device_html.tmpl
+++ b/backend/resources/email-templates/login-with-new-device_html.tmpl
@@ -1,5 +1 @@
-{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px">
-<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">New Sign-In Detected</h1></td><td align="right" data-id="__react-email-column">
-<p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Your <!-- -->{{.AppName}}<!-- --> account was recently accessed from a new IP address or browser. If you recognize this activity, no further action is required.</p><h4 style="font-size:1rem;font-weight:bold;margin:30px 0 10px 0">Details</h4><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Approximate Location</p>
-<p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{if and .Data.City .Data.Country}}{{.Data.City}}, {{.Data.Country}}{{else if .Data.Country}}{{.Data.Country}}{{else}}Unknown{{end}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">IP Address</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.IPAddress}}</p></td></tr></tbody></table><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-top:10px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Device</p>
-<p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.Device}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Sign-In Time</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.DateTime.Format "January 2, 2006 at 3:04 PM MST"}}</p></td></tr></tbody></table></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><!--html--><!--head--><!--body--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px"><img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">New Sign-In Detected</h1></td><td align="right" data-id="__react-email-column"><p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Your <!-- -->{{.AppName}}<!-- --> account was recently accessed from a new IP address or browser. If you recognize this activity, no further action is required.</p><h4 style="font-size:1rem;font-weight:bold;margin:30px 0 10px 0">Details</h4><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Approximate Location</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{if and .Data.City .Data.Country}}{{.Data.City}}, {{.Data.Country}}{{else if .Data.Country}}{{.Data.Country}}{{else}}Unknown{{end}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">IP Address</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.IPAddress}}</p></td></tr></tbody></table><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-top:10px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Device</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.Device}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Sign-In Time</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.DateTime.Format "January 2, 2006 at 3:04 PM MST"}}</p></td></tr></tbody></table></div></td></tr></tbody></table><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/one-time-access_html.tmpl
+++ b/backend/resources/email-templates/one-time-access_html.tmpl
@@ -1,4 +1 @@
-{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px">
-<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Your Login Code</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Click the button below to sign in to <!-- -->
-{{.AppName}}<!-- --> with a login code.<br/>Or visit<!-- --> <a href="{{.Data.LoginLink}}" style="color:#000;text-decoration-line:none;text-decoration:underline;font-family:Arial, sans-serif" target="_blank">{{.Data.LoginLink}}</a> <!-- -->and enter the code <strong>{{.Data.Code}}</strong>.<br/><br/>This code expires in <!-- -->{{.Data.ExpirationString}}<!-- -->.</p><div style="text-align:center"><a href="{{.Data.LoginLinkWithCode}}" style="line-height:100%;text-decoration:none;display:inline-block;max-width:100%;mso-padding-alt:0px;background-color:#000000;color:#ffffff;padding:12px 24px;border-radius:4px;font-size:15px;font-weight:500;cursor:pointer;margin-top:10px;padding-top:12px;padding-right:24px;padding-bottom:12px;padding-left:24px" target="_blank"><span><!--[if mso]><i style="mso-font-width:400%;mso-text-raise:18" hidden>&#8202;&#8202;&#8202;</i><![endif]--></span><span style="max-width:100%;display:inline-block;line-height:120%;mso-padding-alt:0px;mso-text-raise:9px">
-Sign In</span><span><!--[if mso]><i style="mso-font-width:400%" hidden>&#8202;&#8202;&#8202;&#8203;</i><![endif]--></span></a></div></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><!--html--><!--head--><!--body--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px"><img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Your Login Code</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Click the button below to sign in to <!-- -->{{.AppName}}<!-- --> with a login code.<br/>Or visit<!-- --> <a href="{{.Data.LoginLink}}" style="color:#000;text-decoration-line:none;text-decoration:underline;font-family:Arial, sans-serif" target="_blank">{{.Data.LoginLink}}</a> <!-- -->and enter the code <strong>{{.Data.Code}}</strong>.<br/><br/>This code expires in <!-- -->{{.Data.ExpirationString}}<!-- -->.</p><div style="text-align:center"><a href="{{.Data.LoginLinkWithCode}}" style="line-height:100%;text-decoration:none;display:inline-block;max-width:100%;mso-padding-alt:0px;background-color:#000000;color:#ffffff;padding:12px 24px;border-radius:4px;font-size:15px;font-weight:500;cursor:pointer;margin-top:10px;padding-top:12px;padding-right:24px;padding-bottom:12px;padding-left:24px" target="_blank"><span><!--[if mso]><i style="mso-font-width:400%;mso-text-raise:18" hidden>&#8202;&#8202;&#8202;</i><![endif]--></span><span style="max-width:100%;display:inline-block;line-height:120%;mso-padding-alt:0px;mso-text-raise:9px">Sign In</span><span><!--[if mso]><i style="mso-font-width:400%" hidden>&#8202;&#8202;&#8202;&#8203;</i><![endif]--></span></a></div></div></td></tr></tbody></table><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/test_html.tmpl
+++ b/backend/resources/email-templates/test_html.tmpl
@@ -1,3 +1 @@
-{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px">
-<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Test Email</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Your email setup is working correctly!</p></div></td>
-</tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><!--html--><!--head--><!--body--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:50px"><img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Test Email</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Your email setup is working correctly!</p></div></td></tr></tbody></table><!--/$--></body></html>{{end}}
--- a/backend/resources/migrations/postgres/20251018000000_add_dark_logo.down.sql
+++ b/backend/resources/migrations/postgres/20251018000000_add_dark_logo.down.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients DROP COLUMN dark_image_type;
--- a/backend/resources/migrations/postgres/20251018000000_add_dark_logo.up.sql
+++ b/backend/resources/migrations/postgres/20251018000000_add_dark_logo.up.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients ADD COLUMN dark_image_type TEXT;
--- a/backend/resources/migrations/postgres/20251024000000_webauthn_credential_params.down.sql
+++ b/backend/resources/migrations/postgres/20251024000000_webauthn_credential_params.down.sql
@@ -0,0 +1 @@
+ALTER TABLE webauthn_sessions DROP COLUMN credential_params;
--- a/backend/resources/migrations/postgres/20251024000000_webauthn_credential_params.up.sql
+++ b/backend/resources/migrations/postgres/20251024000000_webauthn_credential_params.up.sql
@@ -0,0 +1 @@
+ALTER TABLE webauthn_sessions ADD COLUMN credential_params JSONB NOT NULL DEFAULT '[]';
--- a/backend/resources/migrations/postgres/20251106144600_redundant_indexes.down.sql
+++ b/backend/resources/migrations/postgres/20251106144600_redundant_indexes.down.sql
@@ -0,0 +1 @@
+-- No-op
--- a/backend/resources/migrations/postgres/20251106144600_redundant_indexes.up.sql
+++ b/backend/resources/migrations/postgres/20251106144600_redundant_indexes.up.sql
@@ -0,0 +1,4 @@
+DROP INDEX IF EXISTS idx_api_keys_key;
+DROP INDEX IF EXISTS idx_oidc_refresh_tokens_token;
+DROP INDEX IF EXISTS idx_signup_tokens_token;
+DROP INDEX IF EXISTS idx_reauthentication_tokens_token;
--- a/backend/resources/migrations/postgres/20251110000000_storage_table.down.sql
+++ b/backend/resources/migrations/postgres/20251110000000_storage_table.down.sql
@@ -0,0 +1 @@
+DROP TABLE storage;
--- a/backend/resources/migrations/postgres/20251110000000_storage_table.up.sql
+++ b/backend/resources/migrations/postgres/20251110000000_storage_table.up.sql
@@ -0,0 +1,9 @@
+-- The "storage" table contains file data stored in the database
+CREATE TABLE storage
+(
+    path       TEXT NOT NULL PRIMARY KEY,
+    data       BYTEA NOT NULL,
+    size       BIGINT NOT NULL,
+    mod_time   TIMESTAMPTZ NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL
+);
--- a/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.down.sql
+++ b/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.down.sql
@@ -0,0 +1 @@
+DROP INDEX idx_api_keys_expires_at;
--- a/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.up.sql
+++ b/backend/resources/migrations/postgres/20251115000000_api_keys_expires_at_index.up.sql
@@ -0,0 +1 @@
+CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);
--- a/backend/resources/migrations/sqlite/20251018000000_add_dark_logo.down.sql
+++ b/backend/resources/migrations/sqlite/20251018000000_add_dark_logo.down.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients DROP COLUMN dark_image_type;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251018000000_add_dark_logo.up.sql
+++ b/backend/resources/migrations/sqlite/20251018000000_add_dark_logo.up.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients ADD COLUMN dark_image_type TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251024000000_webauthn_credential_params.down.sql
+++ b/backend/resources/migrations/sqlite/20251024000000_webauthn_credential_params.down.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE webauthn_sessions DROP COLUMN credential_params;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251024000000_webauthn_credential_params.up.sql
+++ b/backend/resources/migrations/sqlite/20251024000000_webauthn_credential_params.up.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE webauthn_sessions ADD COLUMN credential_params TEXT NOT NULL DEFAULT '[]';
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251110000000_storage_table.down.sql
+++ b/backend/resources/migrations/sqlite/20251110000000_storage_table.down.sql
@@ -0,0 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE storage;
+
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251110000000_storage_table.up.sql
+++ b/backend/resources/migrations/sqlite/20251110000000_storage_table.up.sql
@@ -0,0 +1,14 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+-- The "storage" table contains file data stored in the database
+CREATE TABLE storage
+(
+    path       TEXT NOT NULL PRIMARY KEY,
+    data       BLOB NOT NULL,
+    size       INTEGER NOT NULL,
+    mod_time   DATETIME NOT NULL,
+    created_at DATETIME NOT NULL
+);
+
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.down.sql
+++ b/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.down.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP INDEX idx_api_keys_expires_at;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.up.sql
+++ b/backend/resources/migrations/sqlite/20251115000000_api_keys_expires_at_index.up.sql
@@ -0,0 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/email-templates/build.ts
+++ b/email-templates/build.ts
@@ -12,40 +12,6 @@ function getTemplateName(filename: string): string {
  return filename.replace(".tsx", "");
 }

-/**
- * Tag-aware wrapping:
- * - Prefer breaking immediately after the last '>' within maxLen.
- * - Never break at spaces.
- * - If no '>' exists in the window, hard-break at maxLen.
- */
-function tagAwareWrap(input: string, maxLen: number): string {
-  const out: string[] = [];
-
-  for (const originalLine of input.split(/\r?\n/)) {
-    let line = originalLine;
-    while (line.length > maxLen) {
-      let breakPos = line.lastIndexOf(">", maxLen);
-
-      // If '>' happens to be exactly at maxLen, break after it
-      if (breakPos === maxLen) breakPos = maxLen;
-
-      // If we found a '>' before the limit, break right after it
-      if (breakPos > -1 && breakPos < maxLen) {
-        out.push(line.slice(0, breakPos + 1));
-        line = line.slice(breakPos + 1);
-        continue;
-      }
-
-      // No suitable tag end found—hard break
-      out.push(line.slice(0, maxLen));
-      line = line.slice(maxLen);
-    }
-    out.push(line);
-  }
-
-  return out.join("\n");
-}
-
 async function buildTemplateFile(
  Component: any,
  templateName: string,
@@ -58,11 +24,7 @@ async function buildTemplateFile(
  // Normalize quotes
  const normalized = rendered.replace(/&quot;/g, '"');

-  // Enforce line length: prefer tag boundaries, never spaces
-  const maxLen = isPlainText ? 78 : 998; // RFC-safe
-  const safe = tagAwareWrap(normalized, maxLen);
-
-  const goTemplate = `{{define "root"}}${safe}{{end}}`;
+  const goTemplate = `{{define "root"}}${normalized}{{end}}`;
  const suffix = isPlainText ? "_text.tmpl" : "_html.tmpl";
  const templatePath = path.join(outputDir, `${templateName}${suffix}`);

@@ -98,7 +60,7 @@ async function discoverAndBuildTemplates() {
      }

      await buildTemplateFile(Component, templateName, false); // HTML
-      await buildTemplateFile(Component, templateName, true);  // Text
+      await buildTemplateFile(Component, templateName, true); // Text

      console.log(`✓ Built ${templateName}`);
    } catch (error) {
@@ -112,4 +74,4 @@ async function main() {
  console.log("All templates built successfully!");
 }

-main().catch(console.error);
+main().catch(console.error);
--- a/email-templates/package.json
+++ b/email-templates/package.json
@@ -10,16 +10,16 @@
  },
  "dependencies": {
    "@react-email/components": "0.1.1",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
+    "react": "^19.2.0",
+    "react-dom": "^19.2.0",
    "tailwind-merge": "^3.3.1"
  },
  "devDependencies": {
    "@react-email/preview-server": "4.2.8",
-    "@types/node": "^24.0.10",
-    "@types/react": "^19.0.1",
-    "@types/react-dom": "^19.0.1",
+    "@types/node": "^24.9.1",
+    "@types/react": "^19.2.2",
+    "@types/react-dom": "^19.2.2",
    "react-email": "4.2.8",
-    "tsx": "^4.0.0"
+    "tsx": "^4.20.6"
  }
 }
--- a/frontend/messages/cs.json
+++ b/frontend/messages/cs.json
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Jste si jisti, že chcete zrušit klíč API \"{apiKeyName}\"? To naruší všechny integrace pomocí tohoto klíče.",
 	"last_used": "Naposledy použito",
 	"actions": "Akce",
-	"images_updated_successfully": "Obrázky úspěšně aktualizovány",
+	"images_updated_successfully": "Obrázky byly úspěšně aktualizovány. Aktualizace může trvat několik minut.",
 	"general": "Obecné",
 	"configure_smtp_to_send_emails": "Povolte e-mailová oznámení pro upozornění uživatelů, pokud je zjištěno přihlášení z nového zařízení nebo lokace.",
 	"ldap": "LDAP",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Přihlášení tokenem",
 	"client_authorization": "Autorizace klienta",
 	"new_client_authorization": "Nová autorizace klienta",
+	"device_code_authorization": "Autorizace kódu zařízení",
+	"new_device_code_authorization": "Autorizace nového kódu zařízení",
+	"passkey_added": "Přidán přístupový klíč",
+	"passkey_removed": "Heslo odstraněno",
 	"disable_animations": "Zakázat animace",
 	"turn_off_ui_animations": "Vypnout animace v celém uživatelském rozhraní.",
 	"user_disabled": "Účet deaktivován",
@@ -455,5 +459,15 @@
 	"logo_from_url_description": "Vložte přímou URL adresu obrázku (svg, png, webp). Ikony najdete na <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> nebo <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Neplatná adresa URL",
 	"require_user_email": "Vyžadovat e-mailovou adresu",
-	"require_user_email_description": "Vyžaduje, aby uživatelé měli e-mailovou adresu. Pokud je tato možnost deaktivována, uživatelé bez e-mailové adresy nebudou moci používat funkce, které e-mailovou adresu vyžadují."
+	"require_user_email_description": "Vyžaduje, aby uživatelé měli e-mailovou adresu. Pokud je tato možnost deaktivována, uživatelé bez e-mailové adresy nebudou moci používat funkce, které e-mailovou adresu vyžadují.",
+	"view": "Zobrazení",
+	"toggle_columns": "Přepnout sloupce",
+	"locale": "Jazyk",
+	"ldap_id": "LDAP ID",
+	"reauthentication": "Opětovné ověření",
+	"clear_filters": "Vymazat filtry",
+	"default_profile_picture": "Výchozí profilový obrázek",
+	"light": "Světlo",
+	"dark": "Tmavá",
+	"system": "Systém"
 }
--- a/frontend/messages/da.json
+++ b/frontend/messages/da.json
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Er du sikker på, at du vil tilbagekalde API-nøglen \"{apiKeyName}\"? Dette vil afbryde alle integrationer, der bruger nøglen.",
 	"last_used": "Sidst brugt",
 	"actions": "Handlinger",
-	"images_updated_successfully": "Billeder blev opdateret",
+	"images_updated_successfully": "Billeder opdateret. Det kan tage et par minutter at opdatere.",
 	"general": "Generelt",
 	"configure_smtp_to_send_emails": "Aktivér e-mailnotifikationer for at advare brugere, når et login registreres fra en ny enhed eller placering.",
 	"ldap": "LDAP",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Token-login",
 	"client_authorization": "Godkendelse af klient",
 	"new_client_authorization": "Ny klientgodkendelse",
+	"device_code_authorization": "Autorisation af enhedskode",
+	"new_device_code_authorization": "Autorisation af ny enhedskode",
+	"passkey_added": "Passkey tilføjet",
+	"passkey_removed": "Adgangskode fjernet",
 	"disable_animations": "Deaktiver animationer",
 	"turn_off_ui_animations": "Slå animationer fra for hele brugergrænsefladen.",
 	"user_disabled": "Konto deaktiveret",
@@ -455,5 +459,15 @@
 	"logo_from_url_description": "Indsæt en direkte billed-URL (svg, png, webp). Find ikoner på <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> eller <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Ugyldig URL",
 	"require_user_email": "Kræver e-mailadresse",
-	"require_user_email_description": "Kræver, at brugerne har en e-mailadresse. Hvis denne funktion er deaktiveret, kan brugere uden en e-mailadresse ikke bruge funktioner, der kræver en e-mailadresse."
+	"require_user_email_description": "Kræver, at brugerne har en e-mailadresse. Hvis denne funktion er deaktiveret, kan brugere uden en e-mailadresse ikke bruge funktioner, der kræver en e-mailadresse.",
+	"view": "Vis",
+	"toggle_columns": "Skift kolonner",
+	"locale": "Lokale",
+	"ldap_id": "LDAP-id",
+	"reauthentication": "Genbekræftelse",
+	"clear_filters": "Ryd filtre",
+	"default_profile_picture": "Standardprofilbillede",
+	"light": "Lys",
+	"dark": "Mørk",
+	"system": "System"
 }
--- a/frontend/messages/de.json
+++ b/frontend/messages/de.json
@@ -17,7 +17,7 @@
 	"image_should_be_in_format": "Das Bild sollte im PNG- oder JPEG-Format vorliegen.",
 	"items_per_page": "Einträge pro Seite",
 	"no_items_found": "Keine Einträge gefunden",
-	"select_items": "Wähle Artikel aus...",
+	"select_items": "Elemente auswählen...",
 	"search": "Suchen...",
 	"expand_card": "Karte erweitern",
 	"copied": "Kopiert",
@@ -105,7 +105,7 @@
 	"unknown": "unbekannt",
 	"account_details_updated_successfully": "Kontodetails erfolgreich aktualisiert",
 	"profile_picture_updated_successfully": "Profilbild erfolgreich aktualisiert. Die Aktualisierung kann einige Minuten dauern.",
-	"account_settings": "Konto Einstellungen",
+	"account_settings": "Konto-Einstellungen",
 	"passkey_missing": "Passkey fehlt",
 	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Bitte füge einen Passkey hinzu, um zu verhindern, dass du den Zugriff auf dein Konto verlierst.",
 	"single_passkey_configured": "Nur ein Passkey hinterlegt",
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Bist du sicher, dass du den API-Schlüssel \"{apiKeyName}\" widerrufen willst? Das wird jegliche Integrationen, die diesen Schlüssel verwenden, brechen.",
 	"last_used": "Letzte Verwendung",
 	"actions": "Aktionen",
-	"images_updated_successfully": "Bild erfolgreich aktualisiert",
+	"images_updated_successfully": "Bilder erfolgreich aktualisiert. Die Aktualisierung kann ein paar Minuten dauern.",
 	"general": "Allgemein",
 	"configure_smtp_to_send_emails": "Aktiviere E-Mail Benachrichtigungen, um Benutzer zu informieren, wenn ein Login von einem neuen Gerät oder Standort erkannt wird.",
 	"ldap": "LDAP",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Token-Anmeldung",
 	"client_authorization": "Client-Autorisierung",
 	"new_client_authorization": "Neue Client-Autorisierung",
+	"device_code_authorization": "Gerätecode-Autorisierung",
+	"new_device_code_authorization": "Neue Gerätecode-Autorisierung",
+	"passkey_added": "Passwort hinzugefügt",
+	"passkey_removed": "Passwort entfernt",
 	"disable_animations": "Animationen deaktivieren",
 	"turn_off_ui_animations": "Deaktiviert alle Animationen in der Benutzeroberfläche.",
 	"user_disabled": "Account deaktiviert",
@@ -455,5 +459,15 @@
 	"logo_from_url_description": "Füge eine direkte Bild-URL ein (svg, png, webp). Finde Symbole bei <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> oder <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Ungültige URL",
 	"require_user_email": "E-Mail-Adresse erforderlich",
-	"require_user_email_description": "Benutzer müssen eine E-Mail-Adresse haben. Wenn das deaktiviert ist, können Leute ohne E-Mail-Adresse die Funktionen, die eine E-Mail-Adresse brauchen, nicht nutzen."
+	"require_user_email_description": "Benutzer müssen eine E-Mail-Adresse haben. Wenn das deaktiviert ist, können Leute ohne E-Mail-Adresse die Funktionen, die eine E-Mail-Adresse brauchen, nicht nutzen.",
+	"view": "Ansicht",
+	"toggle_columns": "Spalten umschalten",
+	"locale": "Ort",
+	"ldap_id": "LDAP-ID",
+	"reauthentication": "Erneute Authentifizierung",
+	"clear_filters": "Filter löschen",
+	"default_profile_picture": "Standard-Profilbild",
+	"light": "Hell",
+	"dark": "Dunkel",
+	"system": "System"
 }
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Are you sure you want to revoke the API key \"{apiKeyName}\"? This will break any integrations using this key.",
 	"last_used": "Last Used",
 	"actions": "Actions",
-	"images_updated_successfully": "Images updated successfully",
+	"images_updated_successfully": "Images updated successfully. It may take a few minutes to update.",
 	"general": "General",
 	"configure_smtp_to_send_emails": "Enable email notifications to alert users when a login is detected from a new device or location.",
 	"ldap": "LDAP",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Token Sign In",
 	"client_authorization": "Client Authorization",
 	"new_client_authorization": "New Client Authorization",
+	"device_code_authorization": "Device Code Authorization",
+	"new_device_code_authorization": "New Device Code Authorization",
+	"passkey_added": "Passkey Added",
+	"passkey_removed": "Passkey Removed",
 	"disable_animations": "Disable Animations",
 	"turn_off_ui_animations": "Turn off animations throughout the UI.",
 	"user_disabled": "Account Disabled",
@@ -455,5 +459,15 @@
 	"logo_from_url_description": "Paste a direct image URL (svg, png, webp). Find icons at <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> or <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "Invalid URL",
 	"require_user_email": "Require Email Address",
-	"require_user_email_description": "Requires users to have an email address. If disabled, the users without an email address won't be able to use features that require an email address."
+	"require_user_email_description": "Requires users to have an email address. If disabled, the users without an email address won't be able to use features that require an email address.",
+	"view": "View",
+	"toggle_columns": "Toggle columns",
+	"locale": "Locale",
+	"ldap_id": "LDAP ID",
+	"reauthentication": "Re-authentication",
+	"clear_filters": "Clear Filters",
+	"default_profile_picture": "Default Profile Picture",
+	"light": "Light",
+	"dark": "Dark",
+	"system": "System"
 }
--- a/frontend/messages/es.json
+++ b/frontend/messages/es.json
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "¿Estás seguro de que deseas invalidar la API Key \"{apiKeyName}\"? Esto romperá cualquier integración que esté usando esta clave.",
 	"last_used": "Utilizado por última vez",
 	"actions": "Acciones",
-	"images_updated_successfully": "Imágenes actualizadas correctamente",
+	"images_updated_successfully": "Imágenes actualizadas correctamente. La actualización puede tardar unos minutos.",
 	"general": "General",
 	"configure_smtp_to_send_emails": "Habilita las notificaciones por correo electrónico para alertar a los usuarios cuando se detecta un inicio de sesión desde un nuevo dispositivo o ubicación.",
 	"ldap": "LDAP",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Inicio de sesión con token",
 	"client_authorization": "Autorización del cliente",
 	"new_client_authorization": "Autorización de nuevo cliente",
+	"device_code_authorization": "Autorización del código del dispositivo",
+	"new_device_code_authorization": "Autorización de código de nuevo dispositivo",
+	"passkey_added": "Clave de acceso añadida",
+	"passkey_removed": "Clave de acceso eliminada",
 	"disable_animations": "Desactivar animaciones",
 	"turn_off_ui_animations": "Desactiva las animaciones en toda la interfaz de usuario.",
 	"user_disabled": "Cuenta desactivada",
@@ -455,5 +459,15 @@
 	"logo_from_url_description": "Pega una URL de imagen directa (svg, png, webp). Encuentra iconos en <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> o <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
 	"invalid_url": "URL no válida",
 	"require_user_email": "Requerir dirección de correo electrónico",
-	"require_user_email_description": "Requiere que los usuarios tengan una dirección de correo electrónico. Si se desactiva, los usuarios que no tengan una dirección de correo electrónico no podrán utilizar las funciones que la requieran."
+	"require_user_email_description": "Requiere que los usuarios tengan una dirección de correo electrónico. Si se desactiva, los usuarios que no tengan una dirección de correo electrónico no podrán utilizar las funciones que la requieran.",
+	"view": "Ver",
+	"toggle_columns": "Alternar columnas",
+	"locale": "Configuración regional",
+	"ldap_id": "Identificador LDAP",
+	"reauthentication": "Reautenticación",
+	"clear_filters": "Borrar filtros",
+	"default_profile_picture": "Imagen de perfil predeterminada",
+	"light": "Luz",
+	"dark": "Oscuro",
+	"system": "Sistema"
 }
--- a/frontend/messages/fi.json
+++ b/frontend/messages/fi.json
@@ -0,0 +1,473 @@
+{
+	"$schema": "https://inlang.com/schema/inlang-message-format",
+	"my_account": "Oma tIli",
+	"logout": "Kirjaudu ulos",
+	"confirm": "Vahvista",
+	"docs": "Ohjeet",
+	"key": "Avain",
+	"value": "Arvo",
+	"remove_custom_claim": "Poista mukautettu vaatimus",
+	"add_custom_claim": "Lisää mukautettu vaatimus",
+	"add_another": "Lisää toinen",
+	"select_a_date": "Valitse päivämäärä",
+	"select_file": "Valitse tiedosto",
+	"profile_picture": "Profiilikuva",
+	"profile_picture_is_managed_by_ldap_server": "Profiilikuva hallitaan LDAP-palvelimella, eikä sitä voi muuttaa tässä.",
+	"click_profile_picture_to_upload_custom": "Napsauta profiilikuvaa ladataksesi kuvan tiedostoistasi.",
+	"image_should_be_in_format": "Kuvan tulee olla PNG- tai JPEG-muodossa.",
+	"items_per_page": "Kohteita per sivu",
+	"no_items_found": "Kohteita ei löytynyt",
+	"select_items": "Valitse kohteet...",
+	"search": "Hae...",
+	"expand_card": "Laajenna kortti",
+	"copied": "Kopioitu",
+	"click_to_copy": "Klikkaa kopioidaksesi",
+	"something_went_wrong": "Jokin meni pieleen",
+	"go_back_to_home": "Siirry takaisin kotiin",
+	"alternative_sign_in_methods": "Vaihtoehtoiset kirjautumistavat",
+	"login_background": "Kirjautumisen tausta",
+	"logo": "Logo",
+	"login_code": "Kirjautumiskoodi",
+	"create_a_login_code_to_sign_in_without_a_passkey_once": "Luo kirjautumiskoodi, jota käyttäjä voi käyttää kirjautuakseen sisään ilman pääsyavainta kerran.",
+	"one_hour": "1 tunti",
+	"twelve_hours": "12 tuntia",
+	"one_day": "1 päivä",
+	"one_week": "1 viikko",
+	"one_month": "1 kuukausi",
+	"expiration": "Vanhentuminen",
+	"generate_code": "Luo koodi",
+	"name": "Nimi",
+	"browser_unsupported": "Selainta ei tueta",
+	"this_browser_does_not_support_passkeys": "Tämä selain ei tue pääsyavaimia. Käytä vaihtoehtoista kirjautumistapaa.",
+	"an_unknown_error_occurred": "Tapahtui tuntematon virhe",
+	"authentication_process_was_aborted": "Todentamisprosessi keskeytettiin",
+	"error_occurred_with_authenticator": "Todentajan kanssa tapahtui virhe",
+	"authenticator_does_not_support_discoverable_credentials": "Todentaja ei tue löydettäviä käyttäjätietoja",
+	"authenticator_does_not_support_resident_keys": "Todentaja ei tue laiteavaimia",
+	"passkey_was_previously_registered": "Tämä pääsyavain on aiemmin rekisteröity",
+	"authenticator_does_not_support_any_of_the_requested_algorithms": "Todentaja ei tue mitään pyydetyistä algoritmeista",
+	"authenticator_timed_out": "Todentaja aikakatkaistiin",
+	"critical_error_occurred_contact_administrator": "Kriittinen virhe tapahtui. Ota yhteyttä järjestelmänvalvojaan.",
+	"sign_in_to": "Kirjaudu palveluun {name}",
+	"client_not_found": "Asiakasta ei löydy",
+	"client_wants_to_access_the_following_information": "<b>{client}</b> haluaa käyttää seuraavia tietoja:",
+	"do_you_want_to_sign_in_to_client_with_your_app_name_account": "Haluatko kirjautua sisään palveluun <b>{client}</b> {appName} -tililläsi?",
+	"email": "Sähköposti",
+	"view_your_email_address": "Näytä sähköpostiosoitteesi",
+	"profile": "Profiili",
+	"view_your_profile_information": "Tarkastele profiilisi tietoja",
+	"groups": "Ryhmät",
+	"view_the_groups_you_are_a_member_of": "Tarkastele ryhmiä, joiden jäsen olet",
+	"cancel": "Peruuta",
+	"sign_in": "Kirjaudu sisään",
+	"try_again": "Yritä uudelleen",
+	"client_logo": "Asiakasohjelman Logo",
+	"sign_out": "Kirjaudu ulos",
+	"do_you_want_to_sign_out_of_pocketid_with_the_account": "Haluatko kirjautua ulos palvelusta {appName} tilillä <b>{username}</b>?",
+	"sign_in_to_appname": "Kirjaudu palveluun {appName}",
+	"please_try_to_sign_in_again": "Yritä kirjautua sisään uudelleen.",
+	"authenticate_with_passkey_to_access_account": "Tunnistaudu pääsyavaimellasi, jotta pääset tiliisi.",
+	"authenticate": "Tunnistaudu",
+	"please_try_again": "Ole hyvä ja yritä uudelleen.",
+	"continue": "Jatka",
+	"alternative_sign_in": "Vaihtoehtoinen kirjautuminen",
+	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Jos sinulla ei ole pääsyä pääsyavaimeesi, voit kirjautua sisään jollakin seuraavista tavoista.",
+	"use_your_passkey_instead": "Käytä pääsyavainta sittenkin?",
+	"email_login": "Sisäänkirjautuminen sähköpostilla",
+	"enter_a_login_code_to_sign_in": "Syötä kirjautumiskoodi kirjautuaksesi sisään.",
+	"sign_in_with_login_code": "Kirjaudu sisään kirjautumiskoodilla",
+	"request_a_login_code_via_email": "Pyydä kirjautumiskoodi sähköpostitse.",
+	"go_back": "Takaisin",
+	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "Sähköposti on lähetetty annettuun osoitteeseen, jos se on järjestelmässä.",
+	"enter_code": "Syötä koodi",
+	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Syötä sähköpostiosoitteesi saadaksesi kirjautumiskoodin sähköpostitse.",
+	"your_email": "Sähköpostisi",
+	"submit": "Lähetä",
+	"enter_the_code_you_received_to_sign_in": "Syötä saamasi koodi kirjautuaksesi sisään.",
+	"code": "Koodi",
+	"invalid_redirect_url": "Virheellinen uudelleenohjauksen URL",
+	"audit_log": "Tarkastusloki",
+	"users": "Käyttäjät",
+	"user_groups": "Käyttäjäryhmät",
+	"oidc_clients": "OIDC Asiakkaat",
+	"api_keys": "API Avaimet",
+	"application_configuration": "Sovelluksen määritys",
+	"settings": "Asetukset",
+	"update_pocket_id": "Päivitä Pocket ID",
+	"powered_by": "Voimanlähteenä",
+	"see_your_account_activities_from_the_last_3_months": "Katso tilisi tapahtumat viimeisen 3 kuukauden ajalta.",
+	"time": "Aika",
+	"event": "Tapahtuma",
+	"approximate_location": "Arvioitu sijainti",
+	"ip_address": "IP-osoite",
+	"device": "Laite",
+	"client": "Asiakas",
+	"unknown": "Tuntematon",
+	"account_details_updated_successfully": "Tilin tiedot päivitetty onnistuneesti",
+	"profile_picture_updated_successfully": "Profiilikuva päivitetty onnistuneesti. Päivitys voi kestää muutaman minuutin.",
+	"account_settings": "Tilin asetukset",
+	"passkey_missing": "Pääsyavain puuttuu",
+	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Lisää pääsyavain, jotta et menetä pääsyä tiliisi.",
+	"single_passkey_configured": "Yksi avain määritetty",
+	"it_is_recommended_to_add_more_than_one_passkey": "On suositeltavaa lisätä useampi pääsyavain, jottet menetä päsyä tiliisi.",
+	"account_details": "Tilitiedot",
+	"passkeys": "Pääsyavaimet",
+	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Hallitse pääsyavaimiasi, joita voit käyttää tunnistautumiseen.",
+	"add_passkey": "Lisää pääsyavain",
+	"create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey": "Luo kertakäyttöinen kirjautumiskoodi, jotta voit kirjautua sisään toisella laitteella ilman pääsyavainta.",
+	"create": "Luo",
+	"first_name": "Etunimi",
+	"last_name": "Sukunimi",
+	"username": "Käyttäjätunnus",
+	"save": "Tallenna",
+	"username_can_only_contain": "Käyttäjätunnus voi sisältää vain pieniä kirjaimia, numeroita, alaviivoja, pisteitä, tavuviivoja ja @-merkkejä",
+	"username_must_start_with": "Käyttäjätunnuksen on alettava kirjaimella tai numerolla",
+	"username_must_end_with": "Käyttäjätunnuksen tulee päättyä kirjaimeen tai numeroon",
+	"sign_in_using_the_following_code_the_code_will_expire_in_minutes": "Kirjaudu sisään seuraavalla koodilla. Koodi vanhenee 15 minuutin kuluttua.",
+	"or_visit": "tai vieraile",
+	"added_on": "Lisätty",
+	"rename": "Nimeä uudelleen",
+	"delete": "Poista",
+	"are_you_sure_you_want_to_delete_this_passkey": "Haluatko varmasti poistaa tämän pääsyavaimen?",
+	"passkey_deleted_successfully": "Pääsyavaimen poistettu onnistuneesti",
+	"delete_passkey_name": "Poista {passkeyName}",
+	"passkey_name_updated_successfully": "Pääsyavaimen nimi päivitetty onnistuneesti",
+	"name_passkey": "Nimeä pääsyavain",
+	"name_your_passkey_to_easily_identify_it_later": "Nimeä pääsyavaimesi, jotta voit tunnistaa sen helposti myöhemmin.",
+	"create_api_key": "Luo API-avain",
+	"add_a_new_api_key_for_programmatic_access": "Lisää uusi API-avain ohjelmoitua pääsyä varten <link href='https://pocket-id.org/docs/api'>Pocket ID API</link>:iin.",
+	"add_api_key": "Lisää API-avain",
+	"manage_api_keys": "Hallitse API-avaimia",
+	"api_key_created": "API-avain luotu",
+	"for_security_reasons_this_key_will_only_be_shown_once": "Turvallisuussyistä tämä avain näytetään vain kerran. Säilytä se turvallisessa paikassa.",
+	"description": "Kuvaus",
+	"api_key": "API-avain",
+	"close": "Sulje",
+	"name_to_identify_this_api_key": "Nimi tämän API avaimen tunnistamiseksi.",
+	"expires_at": "Vanhenee",
+	"when_this_api_key_will_expire": "Milloin tämä API-avain vanhenee.",
+	"optional_description_to_help_identify_this_keys_purpose": "Valinnainen kuvaus, joka auttaa tunnistamaan tämän avaimen tarkoituksen.",
+	"expiration_date_must_be_in_the_future": "Päättymispäivän on oltava tulevaisuudessa",
+	"revoke_api_key": "Peruuta API-avain",
+	"never": "Ei koskaan",
+	"revoke": "Peru",
+	"api_key_revoked_successfully": "API-avain peruttu onnistuneesti",
+	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Haluatko varmasti perua API-avaimen \"{apiKeyName}\"? Tämä katkaisee kaikki tämän avaimen käyttävät integraatiot.",
+	"last_used": "Viimeksi käytetty",
+	"actions": "Toiminnot",
+	"images_updated_successfully": "Kuvat päivitetty onnistuneesti. Päivitys voi kestää muutaman minuutin.",
+	"general": "Yleiset",
+	"configure_smtp_to_send_emails": "Ota käyttöön sähköposti-ilmoitukset ilmoittaaksesi käyttäjille, kun kirjautuminen havaitaan uudesta laitteesta tai sijainnista.",
+	"ldap": "LDAP",
+	"configure_ldap_settings_to_sync_users_and_groups_from_an_ldap_server": "Määritä LDAP-asetukset käyttäjien ja ryhmien synkronointia varten LDAP-palvelimelta.",
+	"images": "Kuvat",
+	"update": "Päivitä",
+	"email_configuration_updated_successfully": "Sähköpostiasetukset päivitetty onnistuneesti",
+	"save_changes_question": "Tallenna muutokset?",
+	"you_have_to_save_the_changes_before_sending_a_test_email_do_you_want_to_save_now": "Sinun on tallennettava muutokset ennen testisähköpostin lähettämistä. Haluatko tallentaa nyt?",
+	"save_and_send": "Tallenna ja lähetä",
+	"test_email_sent_successfully": "Testiviesti lähetetty onnistuneesti sähköpostiosoitteeseesi.",
+	"failed_to_send_test_email": "Testisähköpostin lähettäminen epäonnistui. Tarkista lisätietoja palvelimen lokitiedostoista.",
+	"smtp_configuration": "SMTP Asetukset",
+	"smtp_host": "SMTP palvelin",
+	"smtp_port": "SMTP portti",
+	"smtp_user": "SMTP käyttäjä",
+	"smtp_password": "SMTP salasana",
+	"smtp_from": "SMTP lähettäjä",
+	"smtp_tls_option": "SMTP TLS -valinta",
+	"email_tls_option": "Sähköpostin TLS-valinta",
+	"skip_certificate_verification": "Ohita varmenteen vahvistus",
+	"this_can_be_useful_for_selfsigned_certificates": "Tämä voi olla hyödyllistä itse-allekirjoitetuille varmenteille.",
+	"enabled_emails": "Käytössä olevat sähköpostit",
+	"email_login_notification": "Sähköposti-ilmoitus kirjautumisesta",
+	"send_an_email_to_the_user_when_they_log_in_from_a_new_device": "Lähetä käyttäjälle sähköposti, kun hän kirjautuu sisään uudelta laitteelta.",
+	"emai_login_code_requested_by_user": "Käyttäjän pyytämä sähköpostin kirjautumiskoodi",
+	"allow_users_to_sign_in_with_a_login_code_sent_to_their_email": "Antaa käyttäjille mahdollisuuden ohittaa pääsyavaimen pyytämällä kirjautumiskoodin, joka lähetetään heidän sähköpostiinsa. Tämä merkittävästi heikentää turvallisuutta, koska kuka tahansa, jolla on pääsy käyttäjän sähköpostiin, voi kirjautua sisään.",
+	"email_login_code_from_admin": "Sähköpostin kirjautumiskoodi järjestelmänvalvojalta",
+	"allows_an_admin_to_send_a_login_code_to_the_user": "Antaa järjestelmänvalvojalle mahdollisuuden lähettää käyttäjälle kirjautumiskoodi sähköpostitse.",
+	"send_test_email": "Lähetä testisähköposti",
+	"application_configuration_updated_successfully": "Sovelluksen määritykset päivitetty onnistuneesti",
+	"application_name": "Sovelluksen nimi",
+	"session_duration": "Istunnon kesto",
+	"the_duration_of_a_session_in_minutes_before_the_user_has_to_sign_in_again": "Istunnon kesto minuutteina ennen kuin käyttäjän on kirjauduttava uudelleen.",
+	"enable_self_account_editing": "Ota käyttöön tilin itsemuokkaus",
+	"whether_the_users_should_be_able_to_edit_their_own_account_details": "Määrittää voiko käyttäjät itse muokata oman tilinsä tietoja.",
+	"emails_verified": "Sähköpostiosoitteet vahvistettu",
+	"whether_the_users_email_should_be_marked_as_verified_for_the_oidc_clients": "Merkitäänkö käyttäjän sähköpostiosoite vahvistetuksi OIDC-asiakkaille.",
+	"ldap_configuration_updated_successfully": "LDAP-määritykset päivitetty onnistuneesti",
+	"ldap_disabled_successfully": "LDAP poistettu käytöstä onnistuneesti",
+	"ldap_sync_finished": "LDAP-synkronointi valmis",
+	"client_configuration": "Asiakkaan määritys",
+	"ldap_url": "LDAP URL",
+	"ldap_bind_dn": "LDAP Bind DN",
+	"ldap_bind_password": "LDAP Bind Salasana",
+	"ldap_base_dn": "LDAP perus DN",
+	"user_search_filter": "Käyttäjän hakusuodatin",
+	"the_search_filter_to_use_to_search_or_sync_users": "Käyttäjien hakuun/synkronointiin käytettävä hakusuodatin.",
+	"groups_search_filter": "Ryhmien hakusuodatin",
+	"the_search_filter_to_use_to_search_or_sync_groups": "Ryhmien hakuun/synkronointiin käytettävä hakusuodatin.",
+	"attribute_mapping": "Attribuuttien yhdistäminen",
+	"user_unique_identifier_attribute": "Käyttäjän yksilöllinen tunnisteattribuutti",
+	"the_value_of_this_attribute_should_never_change": "Tämän attribuutin arvon ei tulisi koskaan muuttua.",
+	"username_attribute": "Käyttäjänimen attribuutti",
+	"user_mail_attribute": "Käyttäjän sähköpostin attribuutti",
+	"user_first_name_attribute": "Käyttäjän etunimi-attribuutti",
+	"user_last_name_attribute": "Käyttäjän sukunimi-attribuutti",
+	"user_profile_picture_attribute": "Käyttäjän profiilikuva-attribuutti",
+	"the_value_of_this_attribute_can_either_be_a_url_binary_or_base64_encoded_image": "Tämän attribuutin arvo voi olla joko URL, binääri tai base64-koodattu kuva.",
+	"group_members_attribute": "Ryhmän jäsenten attribuutti",
+	"the_attribute_to_use_for_querying_members_of_a_group": "Attribuutti, jota käytetään ryhmän jäsenten kyselyä varten.",
+	"group_unique_identifier_attribute": "Ryhmän yksilöllinen tunnisteattribuutti",
+	"group_rdn_attribute": "Ryhmän RDN-attribuutti (DN:ssä)",
+	"admin_group_name": "Järjestelmänvalvojan ryhmän nimi",
+	"members_of_this_group_will_have_admin_privileges_in_pocketid": "Tämän ryhmän jäsenillä on järjestelmänvalvojan oikeudet Pocket ID:ssä.",
+	"disable": "Poista käytöstä",
+	"sync_now": "Synkronoi nyt",
+	"enable": "Ota käyttöön",
+	"user_created_successfully": "Käyttäjä luotu onnistuneesti",
+	"create_user": "Luo käyttäjä",
+	"add_a_new_user_to_appname": "Lisää käyttäjä palveluun {appName}",
+	"add_user": "Lisää käyttäjä",
+	"manage_users": "Käyttäjien hallinta",
+	"admin_privileges": "Järjestelmänvalvojan oikeudet",
+	"admins_have_full_access_to_the_admin_panel": "Järjestelmänvalvojilla on täysi pääsy hallintapaneeliin.",
+	"delete_firstname_lastname": "Poista {firstName} {lastName}",
+	"are_you_sure_you_want_to_delete_this_user": "Haluatko varmasti poistaa tämän käyttäjän?",
+	"user_deleted_successfully": "Käyttäjä poistettu onnistuneesti",
+	"role": "Rooli",
+	"source": "Lähde",
+	"admin": "Järjestelmänvalvoja",
+	"user": "Käyttäjä",
+	"local": "Paikallinen",
+	"toggle_menu": "Avaa valikko",
+	"edit": "Muokkaa",
+	"user_groups_updated_successfully": "Käyttäjäryhmät päivitetty onnistuneesti",
+	"user_updated_successfully": "Käyttäjä päivitetty onnistuneesti",
+	"custom_claims_updated_successfully": "Mukautetut vaatimukset päivitetty onnistuneesti",
+	"back": "Takaisin",
+	"user_details_firstname_lastname": "Käyttäjän tiedot {firstName} {lastName}",
+	"manage_which_groups_this_user_belongs_to": "Hallitse, mihin ryhmiin tämä käyttäjä kuuluu.",
+	"custom_claims": "Mukautetut vaatimukset",
+	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user": "Mukautetut vaatimukset ovat avain-arvo-pareja, joita voidaan käyttää käyttäjää koskevien lisätietojen tallentamiseen. Nämä vaatimukset sisällytetään tunnistustunnukseen, jos pyydetään oikeusaluetta \"profile\".",
+	"user_group_created_successfully": "Käyttäjäryhmä luotu onnistuneesti",
+	"create_user_group": "Luo käyttäjäryhmä",
+	"create_a_new_group_that_can_be_assigned_to_users": "Luo uusi ryhmä, joka voidaan määrittää käyttäjille.",
+	"add_group": "Lisää ryhmä",
+	"manage_user_groups": "Hallitse käyttäjäryhmiä",
+	"friendly_name": "Käyttäjäystävälinen nimi",
+	"name_that_will_be_displayed_in_the_ui": "Nimi, joka näkyy käyttöliittymässä",
+	"name_that_will_be_in_the_groups_claim": "Nimi, joka tulee olemaan \"groups\" -vaatimuksessa",
+	"delete_name": "Poista {name}",
+	"are_you_sure_you_want_to_delete_this_user_group": "Haluatko varmasti poistaa tämän käyttäjäryhmän?",
+	"user_group_deleted_successfully": "Käyttäjäryhmä poistettu onnistuneesti",
+	"user_count": "Käyttäjien määrä",
+	"user_group_updated_successfully": "Käyttäjäryhmä päivitetty onnistuneesti",
+	"users_updated_successfully": "Käyttäjät päivitetty onnistuneesti",
+	"user_group_details_name": "Käyttäjäryhmän tiedot {name}",
+	"assign_users_to_this_group": "Määritä käyttäjät tähän ryhmään.",
+	"custom_claims_are_key_value_pairs_that_can_be_used_to_store_additional_information_about_a_user_prioritized": "Mukautetut vaatimukset ovat avain-arvo-pareja, joita voidaan käyttää käyttäjää koskevien lisätietojen tallentamiseen. Nämä vaatimukset sisällytetään tunnistustunnukseen, jos pyydetään oikeusaluetta \"profiili\". Käyttäjälle määritellyt mukautetut vaatimukset asetetaan etusijalle, jos esiintyy ristiriitoja.",
+	"oidc_client_created_successfully": "OIDC-asiakasohjelma luotu onnistuneesti",
+	"create_oidc_client": "Luo OIDC-asiakas",
+	"add_a_new_oidc_client_to_appname": "Lisää uusi OIDC-asiakasohjelma {appName} palveluun.",
+	"add_oidc_client": "Lisää OIDC-asiakas",
+	"manage_oidc_clients": "Hallitse OIDC-asiakkaita",
+	"one_time_link": "Kertakäyttöinen linkki",
+	"use_this_link_to_sign_in_once": "Käytä tätä linkkiä kirjautuaksesi sisään kerran. Tätä tarvitaan käyttäjille, jotka eivät ole vielä lisänneet pääsyavainta tai ovat kadottaneet sen.",
+	"add": "Lisää",
+	"callback_urls": "Takaisinkutsu-URL",
+	"logout_callback_urls": "Uloskirjautumisen takaisinkutsun URL",
+	"public_client": "Julkinen asiakas",
+	"public_clients_description": "Julkisilla asiakkailla ei ole asiakassalaisuutta. Ne on suunniteltu mobiili-, web- ja natiivisovelluksiin, joissa salaisuuksia ei voida tallentaa turvallisesti.",
+	"pkce": "PKCE",
+	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange on tietoturvatoiminto, joka estää CSRF:n ja valtuutuskoodin sieppaushyökkäykset.",
+	"requires_reauthentication": "Vaatii uudelleentodennuksen",
+	"requires_users_to_authenticate_again_on_each_authorization": "Vaatii käyttäjiltä uuden todennuksen jokaisella valtuutuksella, vaikka he olisivat jo kirjautuneet sisään",
+	"name_logo": "{name} logo",
+	"change_logo": "Vaihda logo",
+	"upload_logo": "Lataa logo",
+	"remove_logo": "Poista logo",
+	"are_you_sure_you_want_to_delete_this_oidc_client": "Haluatko varmasti poistaa tämän OIDC-asiakkaan?",
+	"oidc_client_deleted_successfully": "OIDC-asiakasohjelma poistettu onnistuneesti",
+	"authorization_url": "Valtuutuksen URL",
+	"oidc_discovery_url": "OIDC Discovery URL",
+	"token_url": "Tokenin URL",
+	"userinfo_url": "Käyttäjätietojen URL-osoite",
+	"logout_url": "Uloskirjautumisen URL-osoite",
+	"certificate_url": "Sertifikaatin URL-osoite",
+	"enabled": "Käytössä",
+	"disabled": "Pois käytöstä",
+	"oidc_client_updated_successfully": "OIDC-asiakasohjelma päivitetty onnistuneesti",
+	"create_new_client_secret": "Luo uusi asiakassalaisuus",
+	"are_you_sure_you_want_to_create_a_new_client_secret": "Haluatko varmasti luoda uuden asiakassalaisuuden? Vanha salaisuus mitätöidään.",
+	"generate": "Luo",
+	"new_client_secret_created_successfully": "Uusi asiakassalasana luotu onnistuneesti",
+	"allowed_user_groups_updated_successfully": "Sallitut käyttäjäryhmät päivitetty onnistuneesti",
+	"oidc_client_name": "OIDC-asiakas {name}",
+	"client_id": "Asiakas ID",
+	"client_secret": "Asiakkaan salaisuus",
+	"show_more_details": "Näytä lisätietoja",
+	"allowed_user_groups": "Sallitut käyttäjäryhmät",
+	"add_user_groups_to_this_client_to_restrict_access_to_users_in_these_groups": "Lisää käyttäjäryhmiä tähän asiakkaaseen rajoittaaksesi pääsyn näiden ryhmien käyttäjille. Jos käyttäjäryhmiä ei ole valittu, kaikki käyttäjät pääsevät käyttämään tätä asiakasta.",
+	"favicon": "Sivustokuvake",
+	"light_mode_logo": "Vaalean tilan logo",
+	"dark_mode_logo": "Tumman tilan logo",
+	"background_image": "Taustakuva",
+	"language": "Kieli",
+	"reset_profile_picture_question": "Palautetaanko profiilikuva?",
+	"this_will_remove_the_uploaded_image_and_reset_the_profile_picture_to_default": "Tämä poistaa ladatun kuvan ja palauttaa profiilikuva oletusasetuksiin. Haluatko jatkaa?",
+	"reset": "Palauta",
+	"reset_to_default": "Palauta oletukset",
+	"profile_picture_has_been_reset": "Profiilikuva on nollattu. Päivitys voi kestää muutaman minuutin.",
+	"select_the_language_you_want_to_use": "Valitse haluamasi kieli. Huomaa, että osa tekstistä saatetaan kääntää automaattisesti, jolloin käännös voi olla epätarkka.",
+	"contribute_to_translation": "Jos löydät ongelman, voit osallistua käännöstyöhön <link href='https://crowdin.com/project/pocket-id'>Crowdinissa</link>.",
+	"personal": "Henkilökohtainen",
+	"global": "Globaali",
+	"all_users": "Kaikki käyttäjät",
+	"all_events": "Kaikki tapahtumat",
+	"all_clients": "Kaikki asiakkaat",
+	"all_locations": "Kaikki sijainnit",
+	"global_audit_log": "Globaali tarkastusloki",
+	"see_all_account_activities_from_the_last_3_months": "Katso kaikkien käyttäjien toiminnot viimeisen 3 kuukauden ajalta.",
+	"token_sign_in": "Tunnuksella kirjautuminen",
+	"client_authorization": "Asiakkaan valtuutus",
+	"new_client_authorization": "Uuden asiakkaan valtuutus",
+	"device_code_authorization": "Laitteen koodivaltuutus",
+	"new_device_code_authorization": "Uuden laitteen koodivaltuutus",
+	"passkey_added": "Pääsyavain lisättiin",
+	"passkey_removed": "Pääsyavain poistettiin",
+	"disable_animations": "Poista animaatiot käytöstä",
+	"turn_off_ui_animations": "Poista animaatiot käytöstä koko käyttöliittymässä.",
+	"user_disabled": "Tili poistettu käytöstä",
+	"disabled_users_cannot_log_in_or_use_services": "Käytöstä poistetut käyttäjät eivät voi kirjautua sisään tai käyttää palveluita.",
+	"user_disabled_successfully": "Käyttäjä on poistettu käytöstä onnistuneesti.",
+	"user_enabled_successfully": "Käyttäjä on otettu käyttöön onnistuneesti.",
+	"status": "Tila",
+	"disable_firstname_lastname": "Poista käytöstä {firstName} {lastName}",
+	"are_you_sure_you_want_to_disable_this_user": "Haluatko varmasti poistaa tämän käyttäjän käytöstä? Hän ei voi kirjautua sisään tai käyttää mitään palveluita.",
+	"ldap_soft_delete_users": "Säilytä LDAP:sta käytöstä poistetut käyttäjät.",
+	"ldap_soft_delete_users_description": "Kun tämä toiminto on käytössä, LDAP:sta poistetut käyttäjät merkitään käytöstä poistetuiksi sen sijaan, että ne poistettaisiin järjestelmästä kokonaan.",
+	"login_code_email_success": "Pääsyavain poistettiin",
+	"send_email": "Lähetä sähköposti",
+	"show_code": "Näytä koodi",
+	"callback_url_description": "Asiakkaasi antamat URL-osoitteet. Lisätään automaattisesti, jos kenttä jätetään tyhjäksi. Villikortit (*) ovat tuettuja, mutta niitä on parempi välttää turvallisuussyistä.",
+	"logout_callback_url_description": "Asiakkaasi antamat URL-osoitteet kirjautumiseen. Villikortit (*) ovat tuettuja, mutta niitä on parempi välttää turvallisuuden vuoksi.",
+	"api_key_expiration": "API-avaimen voimassaolon päättyminen",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Lähetä käyttäjälle sähköpostiviesti, kun hänen API-avaimensa on vanhentumassa.",
+	"authorize_device": "Valtuuta laite",
+	"the_device_has_been_authorized": "Laite on valtuutettu.",
+	"enter_code_displayed_in_previous_step": "Syötä edellisessä vaiheessa näkynyt koodi.",
+	"authorize": "Salli",
+	"federated_client_credentials": "Federoidut asiakastunnukset",
+	"federated_client_credentials_description": "Yhdistettyjen asiakastunnistetietojen avulla voit todentaa OIDC-asiakkaat kolmannen osapuolen myöntämillä JWT-tunnuksilla.",
+	"add_federated_client_credential": "Lisää federoitu asiakastunnus",
+	"add_another_federated_client_credential": "Lisää toinen federoitu asiakastunnus",
+	"oidc_allowed_group_count": "Sallittujen ryhmien määrä",
+	"unrestricted": "Rajoittamaton",
+	"show_advanced_options": "Näytä lisäasetukset",
+	"hide_advanced_options": "Piilota lisäasetukset",
+	"oidc_data_preview": "OIDC-tietojen esikatselu",
+	"preview_the_oidc_data_that_would_be_sent_for_different_users": "Esikatsele OIDC-tiedot, jotka lähetetään eri käyttäjille",
+	"id_token": "ID-tunnus",
+	"access_token": "Käyttöoikeustunnus",
+	"userinfo": "Käyttäjätieto",
+	"id_token_payload": "ID tunnuksen data",
+	"access_token_payload": "Pääsytunnuksen data",
+	"userinfo_endpoint_response": "Käyttäjätietojen päätepisteen vastaus",
+	"copy": "Kopioi",
+	"no_preview_data_available": "Esikatselutietoja ei saatavilla",
+	"copy_all": "Kopioi kaikki",
+	"preview": "Esikatsele",
+	"preview_for_user": "Esikatsele käyttäjänä {name}",
+	"preview_the_oidc_data_that_would_be_sent_for_this_user": "Esikatsele OIDC-tiedot, jotka lähetetään tälle käyttäjälle",
+	"show": "Näytä",
+	"select_an_option": "Valitse vaihtoehto",
+	"select_user": "Valitse käyttäjä",
+	"error": "Virhe",
+	"select_an_accent_color_to_customize_the_appearance_of_pocket_id": "Valitse korostusväri Pocket ID:n ulkoasun mukauttamiseksi.",
+	"accent_color": "Korostusväri",
+	"custom_accent_color": "Mukautettu korostusväri",
+	"custom_accent_color_description": "Syötä mukautettu väri käyttämällä CSS-väriformaatteja (esim. hex, rgb, hsl).",
+	"color_value": "Väriarvo",
+	"apply": "Käytä",
+	"signup_token": "Rekisteröitymistunnus",
+	"create_a_signup_token_to_allow_new_user_registration": "Luo rekisteröitymistunnus, jotta uudet käyttäjät voivat rekisteröityä.",
+	"usage_limit": "Käyttöraja",
+	"number_of_times_token_can_be_used": "Kuinka monta kertaa rekisteröitymistunnusta voidaan käyttää.",
+	"expires": "Vanhenee",
+	"signup": "Rekisteröidy",
+	"user_creation": "Käyttäjän luominen",
+	"configure_user_creation": "Hallitse käyttäjien luomisen asetuksia, mukaan lukien rekisteröitymistavat ja uusien käyttäjien oletusluvat.",
+	"user_creation_groups_description": "Määritä nämä ryhmät automaattisesti uusille käyttäjille rekisteröitymisen yhteydessä.",
+	"user_creation_claims_description": "Määritä nämä mukautetut vaatimukset automaattisesti uusille käyttäjille rekisteröitymisen yhteydessä.",
+	"user_creation_updated_successfully": "Käyttäjän luomisen asetukset päivitetty onnistuneesti.",
+	"signup_disabled_description": "Käyttäjien rekisteröityminen on kokonaan estetty. Vain järjestelmänvalvojat voivat luoda uusia käyttäjätilejä.",
+	"signup_requires_valid_token": "Tilisi luomiseen tarvitaan voimassa oleva rekisteröitymistunnus",
+	"validating_signup_token": "Kirjautumistunnuksen validointi",
+	"go_to_login": "Siirry kirjautumiseen",
+	"signup_to_appname": "Rekisteröidy palveluun {appName}",
+	"create_your_account_to_get_started": "Luo käyttäjä alottaaksesi.",
+	"initial_account_creation_description": "Luo tili aloittaaksesi. Voit asettaa pääsyavaimen myöhemmin.",
+	"setup_your_passkey": "Määritä pääsyavain",
+	"create_a_passkey_to_securely_access_your_account": "Luo pääsyavain, jolla voit kirjautua sisään tiliisi turvallisesti. Tämä tulee olemaan ensisijainen tapasi kirjautua sisään.",
+	"skip_for_now": "Ohita toistaiseksi",
+	"account_created": "Tili luotu",
+	"enable_user_signups": "Ota käyttäjien rekisteröityminen käyttöön",
+	"enable_user_signups_description": "Päätä, miten käyttäjät voivat rekisteröidä uusia tilejä Pocket ID:ssä.",
+	"user_signups_are_disabled": "Käyttäjien rekisteröityminen on tällä hetkellä pois käytöstä",
+	"create_signup_token": "Luo rekisteröitymistunnus",
+	"view_active_signup_tokens": "Näytä aktiiviset rekisteröitymistunnukset",
+	"manage_signup_tokens": "Hallitse rekisteröitymistunnuksia",
+	"view_and_manage_active_signup_tokens": "Tarkastele ja hallitse aktiivisia rekisteröitymistunnuksia.",
+	"signup_token_deleted_successfully": "Rekisteröitymistunnus poistettu onnistuneesti.",
+	"expired": "Vanhentunut",
+	"used_up": "Käytetty loppuun",
+	"active": "Aktiivinen",
+	"usage": "Käyttö",
+	"created": "Luotu",
+	"token": "Tunnus",
+	"loading": "Ladataan",
+	"delete_signup_token": "Poista rekisteröitymistunnus",
+	"are_you_sure_you_want_to_delete_this_signup_token": "Haluatko varmasti poistaa tämän rekisteröitymistunnuksen? Tätä toimintoa ei voi peruuttaa.",
+	"signup_with_token": "Rekisteröidy tunnuksella",
+	"signup_with_token_description": "Käyttäjät voivat rekisteröityä vain käyttämällä järjestelmänvalvojan luomaa voimassa olevaa rekisteröitymistunnusta.",
+	"signup_open": "Avoin rekisteröityminen",
+	"signup_open_description": "Kuka tahansa voi luoda uuden tilin ilman rajoituksia.",
+	"of": "/",
+	"skip_passkey_setup": "Ohita pääsyavaimen määritys",
+	"skip_passkey_setup_description": "On erittäin suositeltavaa asettaa pääsyavain, koska ilman sitä tilisi lukkiutuu heti, kun istunto vanhenee.",
+	"my_apps": "Omat sovellukset",
+	"no_apps_available": "Ei sovelluksia saatavilla",
+	"contact_your_administrator_for_app_access": "Ota yhteyttä järjestelmänvalvojaan saadaksesi pääsyn sovelluksiin.",
+	"launch": "Avaa",
+	"client_launch_url": "Asiakkaan käynnistys-URL",
+	"client_launch_url_description": "URL-osoite, joka avautuu, kun käyttäjä käynnistää sovelluksen Omat sovellukset -sivulta.",
+	"client_name_description": "Asiakkaan nimi, joka näkyy Pocket ID käyttöliittymässä.",
+	"revoke_access": "Peru käyttöoikeus",
+	"revoke_access_description": "Peruuta käyttöoikeus palveluun <b>{clientName}</b>. <b>{clientName}</b> palvelu ei voi enää käyttää tilisi tietoja.",
+	"revoke_access_successful": "Pääsy palveluun {clientName} on peruutettu onnistuneesti.",
+	"last_signed_in_ago": "Viimeksi kirjautunut {time} sitten",
+	"invalid_client_id": "Asiakastunnus voi sisältää vain kirjaimia, numeroita, alaviivoja ja väliviivoja",
+	"custom_client_id_description": "Aseta mukautettu asiakastunnus, jos sovelluksesi sitä vaatii. Muussa tapauksessa jätä kenttä tyhjäksi, jotta järjestelmä luo satunnaisen tunnuksen.",
+	"generated": "Luotu",
+	"administration": "Ylläpito",
+	"group_rdn_attribute_description": "Ryhmien erottavassa nimessä (DN) käytetty attribuutti.",
+	"display_name_attribute": "Näytönimien attribuutti",
+	"display_name": "Näyttönimi",
+	"configure_application_images": "Määritä sovelluksen kuvat",
+	"ui_config_disabled_info_title": "UI-asetukset poistettu käytöstä",
+	"ui_config_disabled_info_description": "Käyttöliittymän asetukset on poistettu käytöstä, koska sovelluksen asetuksia hallitaan ympäristömuuttujien avulla. Joitakin asetuksia ei ehkä voi muokata.",
+	"logo_from_url_description": "Liitä suora kuvan URL-osoite (svg, png, webp). Löydät kuvakkeita osoitteesta <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> tai <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
+	"invalid_url": "Virheellinen URL-osoite",
+	"require_user_email": "Vaadi sähköpostiosoite",
+	"require_user_email_description": "Vaatii käyttäjiltä sähköpostiosoitteen. Jos tämä asetus on pois käytöstä, käyttäjät, joilla ei ole sähköpostiosoitetta, eivät voi käyttää ominaisuuksia, jotka edellyttävät sähköpostiosoitetta.",
+	"view": "Näytä",
+	"toggle_columns": "Näytä sarakkeet",
+	"locale": "Kieli",
+	"ldap_id": "LDAP ID",
+	"reauthentication": "Uudelleentodentaminen",
+	"clear_filters": "Tyhjennä suodattimet",
+	"default_profile_picture": "Oletusprofiilikuva",
+	"light": "Vaalea",
+	"dark": "Tumma",
+	"system": "Järjestelmä"
+}
--- a/frontend/messages/fr.json
+++ b/frontend/messages/fr.json
@@ -17,14 +17,14 @@
 	"image_should_be_in_format": "L'image doit être au format PNG ou JPEG.",
 	"items_per_page": "Éléments par page",
 	"no_items_found": "Aucune donnée trouvée",
-	"select_items": "Choisis des trucs...",
+	"select_items": "Sélectionner des éléments...",
 	"search": "Rechercher...",
-	"expand_card": "Carte d'expansion",
+	"expand_card": "Développer la carte",
 	"copied": "Copié",
 	"click_to_copy": "Cliquer pour copier",
 	"something_went_wrong": "Quelque chose n'a pas fonctionné",
 	"go_back_to_home": "Retourner à l'accueil",
-	"alternative_sign_in_methods": "Autres façons de se connecter",
+	"alternative_sign_in_methods": "Méthodes de connexion alternatives",
 	"login_background": "Arrière-plan de connexion",
 	"logo": "Logo",
 	"login_code": "Code de connexion",
@@ -75,10 +75,10 @@
 	"use_your_passkey_instead": "Utiliser votre clé d'accès à la place ?",
 	"email_login": "Connexion par e-mail",
 	"enter_a_login_code_to_sign_in": "Entrez un code de connexion pour vous connecter.",
-	"sign_in_with_login_code": "Connecte-toi avec ton code d'accès",
+	"sign_in_with_login_code": "Connectez-vous avec votre code d'accès",
 	"request_a_login_code_via_email": "Demander un code de connexion par e-mail.",
 	"go_back": "Retour",
-	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "Un e-mail a été envoyé à l'e-mail mentionné, si elle existe dans le système.",
+	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "Un e-mail a été envoyé à l'adresse mentionnée, si celle-ci existe dans le système.",
 	"enter_code": "Entrez le code",
 	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Entrez votre adresse e-mail pour recevoir un email avec un code de connexion.",
 	"your_email": "Votre email",
@@ -90,10 +90,10 @@
 	"users": "Utilisateurs",
 	"user_groups": "Groupes d’utilisateurs",
 	"oidc_clients": "Clients OIDC",
-	"api_keys": "Clés API",
+	"api_keys": "Clés d'API",
 	"application_configuration": "Configuration de l’application",
 	"settings": "Paramètres",
-	"update_pocket_id": "Mise à jour de Pocket ID",
+	"update_pocket_id": "Mettre à jour Pocket ID",
 	"powered_by": "Propulsé par",
 	"see_your_account_activities_from_the_last_3_months": "Consultez les activités de votre compte au cours des 3 derniers mois.",
 	"time": "Date et heure",
@@ -139,7 +139,7 @@
 	"add_api_key": "Crée une clé API",
 	"manage_api_keys": "Gérer les clés API",
 	"api_key_created": "Clé API créée",
-	"for_security_reasons_this_key_will_only_be_shown_once": "Pour des raisons de sécurité, cette clé ne sera affichée qu'une seule fois. Veuillez la conserver en toute sécurité.",
+	"for_security_reasons_this_key_will_only_be_shown_once": "Pour des raisons de sécurité, cette clé ne sera affichée qu'une seule fois. Veuillez la conserver dans un endroit sûr.",
 	"description": "Description",
 	"api_key": "Clé API",
 	"close": "Fermer",
@@ -155,7 +155,7 @@
 	"are_you_sure_you_want_to_revoke_the_api_key_apikeyname": "Êtes-vous sûr de vouloir révoquer la clé API \"{apiKeyName}\" ? Cela va casser toutes les intégrations utilisant cette clé.",
 	"last_used": "Dernière utilisation",
 	"actions": "Actions",
-	"images_updated_successfully": "Image mise à jour avec succès",
+	"images_updated_successfully": "Les images ont été mises à jour sans problème. Ça peut prendre quelques minutes pour que tout se mette à jour.",
 	"general": "Général",
 	"configure_smtp_to_send_emails": "Activer les notifications par e-mail pour alerter les utilisateurs lorsqu'une connexion est détectée à partir d'un nouvel appareil ou d'un nouvel emplacement.",
 	"ldap": "LDAP",
@@ -163,7 +163,7 @@
 	"images": "Images",
 	"update": "Mise à jour",
 	"email_configuration_updated_successfully": "La configuration du serveur mail à été mise à jour avec succès",
-	"save_changes_question": "Enregistrer des changements ?",
+	"save_changes_question": "Enregistrer ces changements ?",
 	"you_have_to_save_the_changes_before_sending_a_test_email_do_you_want_to_save_now": "Vous devez enregistrer les modifications avant d'envoyer un e-mail de test. Voulez-vous enregistrer maintenant ?",
 	"save_and_send": "Enregistrer et envoyer",
 	"test_email_sent_successfully": "L'e-mail de test a été envoyé avec succès à votre adresse e-mail.",
@@ -256,7 +256,7 @@
 	"manage_user_groups": "Gérer les groupes d'utilisateurs",
 	"friendly_name": "Nom d'affichage",
 	"name_that_will_be_displayed_in_the_ui": "Nom qui sera affiché dans l'interface utilisateur",
-	"name_that_will_be_in_the_groups_claim": "Nommez ce qui sera dans le \"groupe\" claim",
+	"name_that_will_be_in_the_groups_claim": "Nom qui sera dans la revendication \"groups\"",
 	"delete_name": "Supprimer {name}",
 	"are_you_sure_you_want_to_delete_this_user_group": "Êtes-vous sûr de vouloir supprimer ce groupe d'utilisateurs?",
 	"user_group_deleted_successfully": "Groupe d'utilisateurs supprimé avec succès",
@@ -272,14 +272,14 @@
 	"add_oidc_client": "Ajouter un client OIDC",
 	"manage_oidc_clients": "Gérer les clients OIDC",
 	"one_time_link": "Lien de connexion unique",
-	"use_this_link_to_sign_in_once": "Utilisez ce lien pour vous connecter. Ceci est nécessaire pour les utilisateurs qui n'ont pas encore ajouté de clé d'accès ou l'ont perdu.",
+	"use_this_link_to_sign_in_once": "Utilisez ce lien pour vous connecter. Ceci est nécessaire pour les utilisateurs qui n'ont pas encore ajouté de clé d'accès ou qui l'ont perdu.",
 	"add": "Ajouter",
 	"callback_urls": "URL de callback",
 	"logout_callback_urls": "URL de callback de déconnexion",
 	"public_client": "Client public",
 	"public_clients_description": "Les clients publics n'ont pas de secret client et utilisent PKCE à la place. Activez cette option si votre client est une application SPA ou une application mobile.",
 	"pkce": "PKCE",
-	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Le Public Key Code Exchange est une fonctionnalité de sécurité conçue pour prévenir les attaques CSRF et l’interception de code d’autorisation.",
+	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Le Public Key Code Exchange est une fonctionnalité de sécurité conçue pour prévenir les attaques CSRF et d’interception de code d’autorisation.",
 	"requires_reauthentication": "Nécessite une nouvelle authentification",
 	"requires_users_to_authenticate_again_on_each_authorization": "Demande aux utilisateurs de se connecter à nouveau à chaque autorisation, même s'ils sont déjà connectés.",
 	"name_logo": "Logo {name}",
@@ -318,7 +318,7 @@
 	"reset": "Réinitialiser",
 	"reset_to_default": "Valeurs par défaut",
 	"profile_picture_has_been_reset": "La photo de profil a été réinitialisée. La mise à jour peut prendre quelques minutes.",
-	"select_the_language_you_want_to_use": "Choisis la langue que tu veux utiliser. Attention, certains textes peuvent être traduits automatiquement et ne pas être tout à fait exacts.",
+	"select_the_language_you_want_to_use": "Choisissez la langue que vous souhaitez utiliser. Attention, certains textes peuvent être traduits automatiquement et ne pas être tout à fait exacts.",
 	"contribute_to_translation": "Si vous trouvez un problème, n'hésitez pas à contribuer à la traduction sur <link href='https://crowdin.com/project/pocket-id'>Crowdin</link>.",
 	"personal": "Personnel",
 	"global": "Global",
@@ -331,6 +331,10 @@
 	"token_sign_in": "Connexion par jeton",
 	"client_authorization": "Autorisation client",
 	"new_client_authorization": "Nouvelle autorisation client",
+	"device_code_authorization": "Autorisation du code de l'appareil",
+	"new_device_code_authorization": "Autorisation du code du nouvel appareil",
+	"passkey_added": "Clé d'accès ajoutée",
+	"passkey_removed": "Clé d'accès supprimée",
 	"disable_animations": "Désactiver les animations",
 	"turn_off_ui_animations": "Désactiver les animations dans toute l'interface.",
 	"user_disabled": "Compte désactivé",
@@ -348,7 +352,7 @@
 	"callback_url_description": "URL(s) fournies par votre client. Sera automatiquement ajoutée si laissée vide. Les jokers (*) sont supportés, mais il est préférable de les éviter pour plus de sécurité.",
 	"logout_callback_url_description": "URL(s) fournies par votre client pour la déconnexion. Les jokers (*) sont supportés, mais il est préférable de les éviter pour plus de sécurité.",
 	"api_key_expiration": "Expiration de la clé API",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Envoyer un email à l'utilisateur lorsque sa clé API est sur le point d'expirer.",
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Envoyer un email à l'utilisateur lorsque sa clé d'API est sur le point d'expirer.",
 	"authorize_device": "Autoriser l'appareil",
 	"the_device_has_been_authorized": "L'appareil a été autorisé.",
 	"enter_code_displayed_in_previous_step": "Entrez le code affiché à l'étape précédente.",
@@ -382,7 +386,7 @@
 	"select_an_accent_color_to_customize_the_appearance_of_pocket_id": "Sélectionnez une couleur d'accent pour personnaliser l'apparence de Pocket ID.",
 	"accent_color": "Couleur d'accent",
 	"custom_accent_color": "Couleur d'accent personnalisée",
-	"custom_accent_color_description": "Entrez une couleur personnalisée en utilisant un format CSS valide (par ex. hex, rgb, hsl).",
+	"custom_accent_color_description": "Entrez une couleur personnalisée en utilisant un format CSS valide (ex. : hex, rgb, hsl).",
 	"color_value": "Valeur de la couleur",
 	"apply": "Appliquer",
 	"signup_token": "Jeton d'inscription",
@@ -429,19 +433,19 @@
 	"signup_open": "Inscription ouverte",
 	"signup_open_description": "Toute personne peut créer un nouveau compte sans restriction.",
 	"of": "sur",
-	"skip_passkey_setup": "Ignorer la configuration de la clé d'accès",
+	"skip_passkey_setup": "Ignorer la configuration d'une clé d'accès",
 	"skip_passkey_setup_description": "Il est fortement recommandé de configurer une clé d'accès, car sans elle, vous serez verrouillé hors de votre compte dès l'expiration de la session.",
 	"my_apps": "Mes applications",
-	"no_apps_available": "Aucune appli disponible",
-	"contact_your_administrator_for_app_access": "Contacte ton administrateur pour avoir accès aux applications.",
+	"no_apps_available": "Aucune app disponible",
+	"contact_your_administrator_for_app_access": "Contactez votre administrateur pour avoir accès aux applications.",
 	"launch": "Lancement",
 	"client_launch_url": "URL de lancement du client",
 	"client_launch_url_description": "L'URL qui s'ouvrira quand quelqu'un lancera l'appli depuis la page Mes applis.",
 	"client_name_description": "Le nom du client qui apparaît dans l'interface utilisateur Pocket ID.",
 	"revoke_access": "Supprimer l'accès",
-	"revoke_access_description": "Supprimer l'accès à <b>{clientName}</b>. <b>{clientName}</b> ne pourra plus accéder aux infos de ton compte.",
+	"revoke_access_description": "Supprimer l'accès à <b>{clientName}</b>. <b>{clientName}</b> ne pourra plus accéder aux infos de votre compte.",
 	"revoke_access_successful": "L'accès à {clientName} a été supprimé.",
-	"last_signed_in_ago": "Dernière connexion il y a {time} il y a",
+	"last_signed_in_ago": "Dernière connexion il y a {time}",
 	"invalid_client_id": "L'ID client ne peut contenir que des lettres, des chiffres, des traits de soulignement et des tirets.",
 	"custom_client_id_description": "Définissez un identifiant client personnalisé si votre application l'exige. Sinon, laissez ce champ vide pour qu'un identifiant aléatoire soit généré.",
 	"generated": "Généré",
@@ -452,8 +456,18 @@
 	"configure_application_images": "Configurer les images d'application",
 	"ui_config_disabled_info_title": "Configuration de l'interface utilisateur désactivée",
 	"ui_config_disabled_info_description": "La configuration de l'interface utilisateur est désactivée parce que les paramètres de configuration de l'application sont gérés par des variables d'environnement. Certains paramètres peuvent ne pas être modifiables.",
-	"logo_from_url_description": "Colle une URL d'image directe (svg, png, webp). Trouve des icônes sur <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> ou <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
-	"invalid_url": "URL pas valide",
-	"require_user_email": "Besoin d'une adresse e-mail",
-	"require_user_email_description": "Les utilisateurs doivent avoir une adresse e-mail. Si cette option est désactivée, ceux qui n'ont pas d'adresse e-mail ne pourront pas utiliser les fonctionnalités qui en ont besoin."
+	"logo_from_url_description": "Collez une URL pointant une image (svg, png, webp). Trouvez des icônes sur <link  href=\"https://selfh.st/icons\">Selfh.st Icons</link> ou <link href=\"https://dashboardicons.com\">Dashboard Icons</link>.",
+	"invalid_url": "URL invalide",
+	"require_user_email": "Adresse e-mail requise",
+	"require_user_email_description": "Les utilisateurs doivent avoir une adresse e-mail. Si cette option est désactivée, ceux qui n'ont pas d'adresse e-mail ne pourront pas utiliser les fonctionnalités nécessitant un e-mail.",
+	"view": "Voir",
+	"toggle_columns": "Basculer les colonnes",
+	"locale": "Paramètres régionaux",
+	"ldap_id": "ID LDAP",
+	"reauthentication": "Réauthentification",
+	"clear_filters": "Effacer les filtres",
+	"default_profile_picture": "Photo de profil par défaut",
+	"light": "Lumière",
+	"dark": "Sombre",
+	"system": "Système"
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	c3735c2ec9	New translations en.json (Finnish)	2025-11-29 21:57:09 +01:00
Elias Schneider	59a66cd408	New translations en.json (Finnish)	2025-11-29 20:48:33 +01:00
Elias Schneider	9401eaa957	New translations en.json (Finnish)	2025-11-29 19:02:16 +01:00
Elias Schneider	4ca7c85f22	New translations en.json (Finnish)	2025-11-29 17:53:49 +01:00
Elias Schneider	5b6c933fd5	New translations en.json (Finnish)	2025-11-29 16:55:54 +01:00
Elias Schneider	ca888b3dd2	chore(translations): add Finish files	2025-11-25 20:46:48 +01:00
Elias Schneider	ce88686c5f	chore(translations): update translations via Crowdin (#1111 )	2025-11-25 20:43:47 +01:00
Elias Schneider	a9b6635126	chore(translations): update translations via Crowdin (#1101 )	2025-11-23 17:10:24 +01:00
dependabot[bot]	e817f042ec	chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /backend in the go_modules group across 1 directory (#1107 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-23 17:10:10 +01:00
Alessandro (Ale) Segala	c56afe016e	feat: adding/removing passkeys creates an entry in audit logs (#1099 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-11-16 14:51:38 -08:00
Alessandro (Ale) Segala	a54b867105	refactor: use constants for AppEnv values (#1098 )	2025-11-16 18:25:06 +01:00
Alessandro (Ale) Segala	29a1d3b778	feat: add database storage backend (#1091 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-11-16 18:23:46 +01:00
Elias Schneider	12125713a2	feat: add support for WEBP profile pictures (#1090 )	2025-11-11 10:56:20 -06:00
Elias Schneider	ab9c0f9ac0	ci/cd: run checks on PR to `breaking/**` branches	2025-11-11 11:21:39 +01:00
Elias Schneider	42b872d6b2	chore(translations): update translations via Crowdin (#1085 )	2025-11-10 14:46:48 +01:00
Elias Schneider	bfd71d090c	feat: add support for S3 storage backend (#1080 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>	2025-11-10 09:02:25 +00:00
Kyle Mendell	d5e0cfd4a6	feat: light/dark/system mode switcher (#1081 )	2025-11-09 13:28:58 -06:00
Kyle Mendell	9981304b4b	chore(deps): update pnpm to 10.20 (#1082 )	2025-11-08 13:09:05 -06:00
Elias Schneider	5cf73e9309	fix: use `quoted-printable` encoding for mails to prevent line limitation	2025-11-08 17:34:43 +01:00
Elias Schneider	f125cf0dad	release: 1.15.0	2025-11-06 15:49:39 +01:00
Elias Schneider	6a038fcf9a	fix: remove redundant indexes in Postgres	2025-11-06 15:02:39 +01:00
Elias Schneider	76e0192cee	fix: disabled property gets ignored when creating an user	2025-11-06 12:28:07 +01:00
Elias Schneider	3ebf94dd84	chore(translations): update translations via Crowdin (#1059 )	2025-11-05 11:28:14 +01:00
dai	7ec57437ac	fix: replace %lang% placeholder in html lang (#1071 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-11-04 13:01:12 +00:00
Elias Schneider	ed2c7b2303	feat: add ability to set default profile picture (#1061 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>	2025-11-04 13:40:00 +01:00
Elias Schneider	e03270eb9d	fix: sorting by PKCE and re-auth of OIDC clients	2025-11-04 13:27:05 +01:00
Elias Schneider	d683d18d91	chore: add support for OpenBSD binaries	2025-11-01 16:26:43 +01:00
Elias Schneider	f184120890	feat: open edit page on table row click	2025-10-29 10:46:03 +01:00
Elias Schneider	04d8500910	release: 1.14.2	2025-10-29 09:25:28 +01:00
Mufeed Ali	93639dddb2	fix: dark oidc client icons not saved on client creation (#1057 )	2025-10-28 12:35:56 +01:00
Elias Schneider	a190529117	chore(translations): add Turkish language files	2025-10-28 09:31:32 +01:00
Elias Schneider	73392b5837	release: 1.14.1	2025-10-27 14:07:34 +01:00
Elias Schneider	65616f65e5	fix: ignore trailing slashes in `APP_URL`	2025-10-27 10:48:27 +01:00
Elias Schneider	98a99fbb0a	chore(translations): update translations via Crowdin (#1048 )	2025-10-27 09:48:39 +01:00
Quentin L'Hours	3f3b6b88fd	fix: use credProps to save passkey on firefox android (#1055 )	2025-10-27 09:48:24 +01:00
Mufeed Ali	8f98d8c0b4	fix: Prevent blinding FOUC in dark mode (#1054 )	2025-10-26 20:40:25 +01:00
Elias Schneider	c9308472a9	release: 1.14.0	2025-10-24 13:47:58 +02:00
Elias Schneider	6362ff9861	chore: upgrade dependencies	2025-10-24 12:18:38 +02:00
Elias Schneider	10d640385f	fix: prevent page flickering on redirection based on auth state	2025-10-24 12:12:42 +02:00
Elias Schneider	47927d1574	fix: make pkce requirement visible in the oidc form if client is public	2025-10-24 10:57:44 +02:00
Elias Schneider	b356cef766	fix: only animate login background on initial page load	2025-10-24 10:53:51 +02:00
Elias Schneider	9fc45930a8	chore(translations): update translations via Crowdin (#1033 )	2025-10-24 09:58:00 +02:00
Kyle Mendell	028d1c858e	feat: add support for dark mode oidc client icons (#1039 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-10-24 09:57:12 +02:00
Alessandro (Ale) Segala	eb3963d0fc	fix: use constant time comparisons when validating PKCE challenges (#1047 )	2025-10-24 08:30:50 +02:00
dependabot[bot]	35d913f905	chore(deps-dev): bump vite from 7.0.7 to 7.0.8 in the npm_and_yarn group across 1 directory (#1042 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-21 18:04:28 -05:00
github-actions[bot]	32485f4c7c	chore: update AAGUIDs (#1041 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-10-20 08:43:27 +02:00
Elias Schneider	ceb38b0825	chore(translations): update translations via Crowdin (#1025 )	2025-10-16 08:28:13 +02:00
dependabot[bot]	c0b6ede5be	chore(deps): bump sveltekit-superforms from 2.27.1 to 2.27.4 in the npm_and_yarn group across 1 directory (#1031 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-10-16 08:27:52 +02:00
Elias Schneider	c20e93b55c	feat: add various improvements to the table component (#961 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-10-13 09:12:55 +00:00
Elias Schneider	24ca6a106d	chore(translations): update translations via Crowdin (#1014 )	2025-10-12 09:58:22 -05:00
Elias Schneider	9f0aa55be6	fix: ignore trailing slash in URL	2025-10-09 20:27:15 +02:00
Kyle Mendell	068fcc65a6	chore(translations): add Japanese files	2025-10-07 18:29:13 -05:00
@@ -1 +1 @@
 .13.1
 .15.0
				`@@ -0,0 +1 @@`
				`ALTER TABLE oidc_clients DROP COLUMN dark_image_type;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE oidc_clients ADD COLUMN dark_image_type TEXT;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE webauthn_sessions DROP COLUMN credential_params;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE webauthn_sessions ADD COLUMN credential_params JSONB NOT NULL DEFAULT '[]';`
				`@@ -0,0 +1 @@`
				`CREATE INDEX idx_api_keys_expires_at ON api_keys(expires_at);`