release: 0.52.0

feat: add healthz endpoint (#494 )
fix: correctly set script permissions inside Docker container
2025-12-15 01:11:07 +03:00 · 2025-05-06 22:14:39 +02:00 · 2025-05-06 22:14:18 +02:00 · 2025-05-06 21:18:45 +02:00 · 2025-05-05 15:59:44 +02:00 · 2025-05-05 15:38:26 +02:00
228 changed files with 9431 additions and 2320 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,2 +1,2 @@
 # These are supported funding model platforms
-github: stonith404
+github: [stonith404, kmendell]
--- a/.github/svelte-check-matcher.json
+++ b/.github/svelte-check-matcher.json
@@ -0,0 +1,21 @@
 {
  "problemMatcher": [
    {
      "owner": "svelte-check",
      "pattern": [
        {
          "regexp": "^([^\\s].*):(\\d+):(\\d+)$",
          "file": 1,
          "line": 2,
          "column": 3
        },
        {
          "regexp": "^\\s*(Error|Warning):\\s*(.*)\\s+\\((?:ts|js|svelte)\\)$",
          "severity": 1,
          "message": 2,
          "loop": false
        }
      ]
    }
  ]
 }
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -27,7 +27,7 @@ jobs:
        uses: actions/checkout@v4
      - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
        with:
          go-version-file: backend/go.mod
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -19,21 +19,28 @@ jobs:
    timeout-minutes: 20
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and export
        uses: docker/build-push-action@v6
        with:
-          tags: pocket-id/pocket-id:test
+          push: false
          load: false
          tags: pocket-id:test
          outputs: type=docker,dest=/tmp/docker-image.tar
          build-args: BUILD_TAGS=e2etest
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Upload Docker image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/docker-image.tar
          retention-days: 1
  test-sqlite:
    if: github.event.pull_request.head.ref != 'i18n_crowdin'
@@ -47,13 +54,22 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Cache Playwright Browsers
        uses: actions/cache@v3
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
-      - name: Load Docker Image
+      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar
      - name: Install frontend dependencies
@@ -62,6 +78,7 @@ jobs:
      - name: Install Playwright Browsers
        working-directory: ./frontend
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium
      - name: Run Docker Container with Sqlite DB
@@ -69,7 +86,7 @@ jobs:
          docker run -d --name pocket-id-sqlite \
          -p 80:80 \
          -e APP_ENV=test \
-          pocket-id/pocket-id:test
+          pocket-id:test
          docker logs -f pocket-id-sqlite &> /tmp/backend.log &
@@ -77,16 +94,18 @@ jobs:
        working-directory: ./frontend
        run: npx playwright test
-      - uses: actions/upload-artifact@v4
+      - name: Upload Frontend Test Report
-        if: always()
+        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-sqlite
          path: frontend/tests/.report
          include-hidden-files: true
          retention-days: 15
-      - uses: actions/upload-artifact@v4
+      - name: Upload Backend Test Report
-        if: always()
+        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: backend-sqlite
          path: /tmp/backend.log
@@ -105,12 +124,39 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Cache Playwright Browsers
        uses: actions/cache@v3
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
      - name: Cache PostgreSQL Docker image
        uses: actions/cache@v3
        id: postgres-cache
        with:
          path: /tmp/postgres-image.tar
          key: postgres-17-${{ runner.os }}
      - name: Pull and save PostgreSQL image
        if: steps.postgres-cache.outputs.cache-hit != 'true'
        run: |
          docker pull postgres:17
          docker save postgres:17 > /tmp/postgres-image.tar
      - name: Load PostgreSQL image from cache
        if: steps.postgres-cache.outputs.cache-hit == 'true'
        run: docker load < /tmp/postgres-image.tar
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
-      - name: Load Docker Image
+
      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar
      - name: Install frontend dependencies
@@ -119,6 +165,7 @@ jobs:
      - name: Install Playwright Browsers
        working-directory: ./frontend
        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium
      - name: Create Docker network
@@ -153,7 +200,7 @@ jobs:
          -e APP_ENV=test \
          -e DB_PROVIDER=postgres \
          -e DB_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
-          pocket-id/pocket-id:test
+          pocket-id:test
          docker logs -f pocket-id-postgres &> /tmp/backend.log &
@@ -161,7 +208,8 @@ jobs:
        working-directory: ./frontend
        run: npx playwright test
-      - uses: actions/upload-artifact@v4
+      - name: Upload Frontend Test Report
        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-postgres
@@ -169,8 +217,9 @@ jobs:
          include-hidden-files: true
          retention-days: 15
-      - uses: actions/upload-artifact@v4
+      - name: Upload Backend Test Report
-        if: always()
+        uses: actions/upload-artifact@v4
        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: backend-postgres
          path: /tmp/backend.log
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -0,0 +1,59 @@
 name: Svelte Check
 on:
  push:
    branches: [main]
    paths:
      - "frontend/src/**"
      - ".github/svelte-check-matcher.json"
      - "frontend/package.json"
      - "frontend/package-lock.json"
      - "frontend/tsconfig.json"
      - "frontend/svelte.config.js"
  pull_request:
    branches: [main]
    paths:
      - "frontend/src/**"
      - ".github/svelte-check-matcher.json"
      - "frontend/package.json"
      - "frontend/package-lock.json"
      - "frontend/tsconfig.json"
      - "frontend/svelte.config.js"
  workflow_dispatch:
 jobs:
  type-check:
    name: Run Svelte Check
    # Don't run on dependabot branches
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "lts/*"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Install dependencies
        working-directory: frontend
        run: npm ci
      - name: Build Pocket ID Frontend
        working-directory: frontend
        run: npm run build
      - name: Add svelte-check problem matcher
        run: echo "::add-matcher::.github/svelte-check-matcher.json"
      - name: Run svelte-check
        working-directory: frontend
        run: npm run check
--- a/.github/workflows/update-aaguids.yml
+++ b/.github/workflows/update-aaguids.yml
@@ -5,9 +5,10 @@ on:
    - cron: "0 0 * * 1" # Runs every Monday at midnight
  workflow_dispatch: # Allows manual triggering of the workflow
-permissions: 
+permissions:
-    contents: write
+  contents: write
-    
+  pull-requests: write
 jobs:
  update-aaguids:
    runs-on: ubuntu-latest
@@ -25,10 +26,13 @@ jobs:
          mkdir -p backend/resources
          jq -c 'map_values(.name)' data.json > backend/resources/aaguids.json
-      - name: Commit changes
+      - name: Create Pull Request
-        run: |
+        uses: peter-evans/create-pull-request@v7
-          git config --local user.email "action@github.com"
+        with:
-          git config --local user.name "GitHub Action"
+          commit-message: "chore: update AAGUIDs"
-          git add backend/resources/aaguids.json
+          title: "chore: update AAGUIDs"
-          git diff --staged --quiet || git commit -m "chore: update AAGUIDs"
+          body: |
-          git push
+            This PR updates the AAGUIDs file with the latest data from the [passkey-aaguids](https://github.com/pocket-id/passkey-aaguids) repository.
          branch: update-aaguids
          base: main
          delete-branch: true
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.45.0
+0.52.0
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -5,7 +5,7 @@
      "name": "Backend",
      "type": "go",
      "request": "launch",
-      "envFile": "${workspaceFolder}/backend/.env.example",
+      "envFile": "${workspaceFolder}/backend/cmd/.env",
      "env": {
        "APP_ENV": "development"
      },
@@ -16,7 +16,7 @@
      "name": "Frontend",
      "type": "node",
      "request": "launch",
-      "envFile": "${workspaceFolder}/frontend/.env.example",
+      "envFile": "${workspaceFolder}/frontend/.env",
      "cwd": "${workspaceFolder}/frontend",
      "runtimeExecutable": "npm",
      "runtimeArgs": [
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,130 @@
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.51.1...v) (2025-05-06)
 ### Features
 * add healthz endpoint ([#494](https://github.com/pocket-id/pocket-id/issues/494)) ([3c87e4e](https://github.com/pocket-id/pocket-id/commit/3c87e4ec1468c314ac7f8fe831e97b5eead88112))
 * OpenTelemetry tracing and metrics ([#262](https://github.com/pocket-id/pocket-id/issues/262)) ([#495](https://github.com/pocket-id/pocket-id/issues/495)) ([6f54ee5](https://github.com/pocket-id/pocket-id/commit/6f54ee5d668d7a26911db10f2402daf6a1f75f68))
 ### Bug Fixes
 * correctly set script permissions inside Docker container ([c55fef0](https://github.com/pocket-id/pocket-id/commit/c55fef057cdcec867af91b29968541983cd80ec0))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.51.0...v) (2025-05-03)
 ### Bug Fixes
 * allow LDAP users to update their locale ([0b9cbf4](https://github.com/pocket-id/pocket-id/commit/0b9cbf47e36a332cfd854aa92e761264fb3e4795))
 * last name still showing as required on account form ([#492](https://github.com/pocket-id/pocket-id/issues/492)) ([cf3fe0b](https://github.com/pocket-id/pocket-id/commit/cf3fe0be84f6365f5d4eb08c1b47905962a48a0d))
 * non admin users weren't able to call the end session endpoint ([6bd6cef](https://github.com/pocket-id/pocket-id/commit/6bd6cefaa6dc571a319a6a1c2b2facc2404eadd3))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.50.0...v) (2025-04-28)
 ### Features
 * new login code card position for mobile devices ([#452](https://github.com/pocket-id/pocket-id/issues/452)) ([02cacba](https://github.com/pocket-id/pocket-id/commit/02cacba5c5524481684cb0e1790811df113a9481))
 ### Bug Fixes
 * do not require PKCE for public clients ([ce24372](https://github.com/pocket-id/pocket-id/commit/ce24372c571cc3b277095dc6a4107663d64f45b3))
 * hide global audit log switch for non admin users ([1efd1d1](https://github.com/pocket-id/pocket-id/commit/1efd1d182dbb6190d3c7e27034426c9e48781b4a))
 * return correct error message if user isn't authorized ([86d2b5f](https://github.com/pocket-id/pocket-id/commit/86d2b5f59f26cb944017826cbd8df915cdc986f1))
 * updating scopes of an authorized client fails with Postgres ([0a24ab8](https://github.com/pocket-id/pocket-id/commit/0a24ab80010eb5a15d99915802c6698274a5c57c))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.49.0...v) (2025-04-27)
 ### Features
 * device authorization endpoint ([#270](https://github.com/pocket-id/pocket-id/issues/270)) ([22f7d64](https://github.com/pocket-id/pocket-id/commit/22f7d64bf08a5a1ecbe5eee0052453b730f5c360))
 * make family name optional ([#476](https://github.com/pocket-id/pocket-id/issues/476)) ([630327c](https://github.com/pocket-id/pocket-id/commit/630327c979de2f931b9d1f0ba0b4a4de1af3fc7c))
 ### Bug Fixes
 * do not override XDG_DATA_HOME/XDG_CONFIG_HOME if they are already set ([#472](https://github.com/pocket-id/pocket-id/issues/472)) ([22725d3](https://github.com/pocket-id/pocket-id/commit/22725d30f4115ffe17625379f56affedfe116778))
 * pass context to methods that were missing it ([#487](https://github.com/pocket-id/pocket-id/issues/487)) ([4c33793](https://github.com/pocket-id/pocket-id/commit/4c33793678709eb4981be2c1fd5803bace5f5939))
 * prevent deadlock when trying to delete LDAP users ([#471](https://github.com/pocket-id/pocket-id/issues/471)) ([270c303](https://github.com/pocket-id/pocket-id/commit/270c30334dc36f215a67f873283a9d6fcd14d065))
 * rootless Caddy data and configuration ([#470](https://github.com/pocket-id/pocket-id/issues/470)) ([76b753f](https://github.com/pocket-id/pocket-id/commit/76b753f9f2a6a4f1af09359530e30844b03ac39b))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.48.0...v) (2025-04-20)
 ### Features
 * add ability to disable API key expiration email ([9122e75](https://github.com/pocket-id/pocket-id/commit/9122e75101ad39a40135ccf931eb2bfd351b5db6))
 * add ability to send login code via email ([#457](https://github.com/pocket-id/pocket-id/issues/457)) ([fe1c4b1](https://github.com/pocket-id/pocket-id/commit/fe1c4b18cdcc46a4256e0c111b34f1ce00f8e0e1))
 * add description to callback URL inputs ([eb689eb](https://github.com/pocket-id/pocket-id/commit/eb689eb56ec9eaf8b0fb1485040e26f841b9225d))
 * send email to user when api key expires within 7 days ([#451](https://github.com/pocket-id/pocket-id/issues/451)) ([26f01f2](https://github.com/pocket-id/pocket-id/commit/26f01f205be01fb8abd8c2e564c90c0fc4480ea5))
 ### Bug Fixes
 * disable animations not respected on authorize and logout page ([e571996](https://github.com/pocket-id/pocket-id/commit/e571996cb57d04232c1f47ab337ad656f48bb3cb))
 * hide alternative sign in button if user is already authenticated ([4e05b82](https://github.com/pocket-id/pocket-id/commit/4e05b82f02740a4bae07cec6c6a64acd34ca0fc3))
 * locale change in dropdown doesn't work on first try ([60bad9e](https://github.com/pocket-id/pocket-id/commit/60bad9e9859d81c9967e6939e1ed10a65145a936))
 * remove limit of 20 callback URLs ([c37a3e0](https://github.com/pocket-id/pocket-id/commit/c37a3e0ed177c3bd2b9a618d1f4b0709004478b0))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.47.0...v) (2025-04-18)
 ### Features
 * add gif support for logo and background image ([56a8b5d](https://github.com/pocket-id/pocket-id/commit/56a8b5d0c02643f869b77cf8475ddf2f9473880b))
 * disable/enable users ([#437](https://github.com/pocket-id/pocket-id/issues/437)) ([c843a60](https://github.com/pocket-id/pocket-id/commit/c843a60131b813177b1e270c4f5d97613c700efa))
 ### Bug Fixes
 * add "type" as reserved claim ([0111a58](https://github.com/pocket-id/pocket-id/commit/0111a58dac0342c5ac2fa25a050e8773810d2b0a))
 * callback URL doesn't get rejected if it starts with a different string ([f0dce41](https://github.com/pocket-id/pocket-id/commit/f0dce41fbc5649b3a8fe65de36ca20efa521b880))
 * profile picture empty for users without first or last name ([#449](https://github.com/pocket-id/pocket-id/issues/449)) ([5a6dfd9](https://github.com/pocket-id/pocket-id/commit/5a6dfd9e505f4c84e91b4b378b082fab10e8a8a8))
 * user querying fails on global audit log page with Postgres ([84f1d5c](https://github.com/pocket-id/pocket-id/commit/84f1d5c906ec3f9a74ad3d2f36526eea847af5dd))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.46.0...v) (2025-04-16)
 ### Features
 * add qrcode representation of one time link ([#424](https://github.com/pocket-id/pocket-id/issues/424)) ([#436](https://github.com/pocket-id/pocket-id/issues/436)) ([abf17f6](https://github.com/pocket-id/pocket-id/commit/abf17f62114a2de549b62cec462b9b0659ee23a7))
 * disable animations setting toggle ([#442](https://github.com/pocket-id/pocket-id/issues/442)) ([b45cf68](https://github.com/pocket-id/pocket-id/commit/b45cf68295975f51777dab95950b98b8db0a9ae5))
 ### Bug Fixes
 * define token type as claim for better client compatibility ([adf7458](https://github.com/pocket-id/pocket-id/commit/adf74586afb6ef9a00fb122c150b0248c5bc23f0))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.45.0...v) (2025-04-13)
 ### Features
 * global audit log ([#320](https://github.com/pocket-id/pocket-id/issues/320)) ([b65e693](https://github.com/pocket-id/pocket-id/commit/b65e693e12be2e7e4cb75a74d6fd43bacb3f6a94))
 * implement token introspection ([#405](https://github.com/pocket-id/pocket-id/issues/405)) ([7e5d16b](https://github.com/pocket-id/pocket-id/commit/7e5d16be9bdfccfa113924547e313886681d11bb))
 * modernize ui ([#381](https://github.com/pocket-id/pocket-id/issues/381)) ([9881a1d](https://github.com/pocket-id/pocket-id/commit/9881a1df9efe32608ab116db71c0e4f66dae171c))
 * **onboarding:** Added button when you don't have a passkey added. ([#426](https://github.com/pocket-id/pocket-id/issues/426)) ([72061ba](https://github.com/pocket-id/pocket-id/commit/72061ba4278a007437cee3a205c3076d58bde644))
 ### Bug Fixes
 * add missing rollback for LDAP sync ([658a9ca](https://github.com/pocket-id/pocket-id/commit/658a9ca6dd8d2304ff3639a000bab02e91ff68a6))
 * create reusable default profile pictures ([#406](https://github.com/pocket-id/pocket-id/issues/406)) ([734c681](https://github.com/pocket-id/pocket-id/commit/734c6813eaef166235ae801747e3652d17ae0e2a))
 * ensure file descriptors are closed + other bugs ([#413](https://github.com/pocket-id/pocket-id/issues/413)) ([2f76461](https://github.com/pocket-id/pocket-id/commit/2f7646105e26423f47cbe49dae97e40c4a01a025))
 * ensure indexes on audit_logs table ([#415](https://github.com/pocket-id/pocket-id/issues/415)) ([9e88926](https://github.com/pocket-id/pocket-id/commit/9e88926283a7a663bfc7fd4f4aa16bd02f614176))
 * ignore profile picture cache after profile picture gets updated ([4ba6893](https://github.com/pocket-id/pocket-id/commit/4ba68938dd2a631c633fcb65d8c35cb039d3f59c))
 * improve LDAP error handling ([#425](https://github.com/pocket-id/pocket-id/issues/425)) ([796bc7e](https://github.com/pocket-id/pocket-id/commit/796bc7ed3453839b1dc8d846b71fe9fac9a2d646))
 * use transactions when operations involve multiple database queries ([#392](https://github.com/pocket-id/pocket-id/issues/392)) ([ec626ee](https://github.com/pocket-id/pocket-id/commit/ec626ee7977306539fd1d70cc9091590f0a54af6))
 * use UUID for temporary file names ([ccc18d7](https://github.com/pocket-id/pocket-id/commit/ccc18d716f16a7ef1775d30982e2ba7b5ff159a6))
 ### Performance Improvements
 * run async operations in parallel in server load functions ([1762629](https://github.com/pocket-id/pocket-id/commit/17626295964244c5582806bd0f413da2c799d5ad))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.44.0...v) (2025-03-29)
--- a/6
+++ b/6
@@ -1,5 +1,6 @@
 # Tags passed to "go build"
 ARG BUILD_TAGS=""
 ARG VERSION="unknown"
 # Stage 1: Build Frontend
 FROM node:22-alpine AS frontend-builder
@@ -11,7 +12,7 @@ RUN npm run build
 RUN npm prune --production
 # Stage 2: Build Backend
-FROM golang:1.23-alpine AS backend-builder
+FROM golang:1.24-alpine AS backend-builder
 ARG BUILD_TAGS
 WORKDIR /app/backend
 COPY ./backend/go.mod ./backend/go.sum ./
@@ -25,6 +26,7 @@ RUN CGO_ENABLED=1 \
  GOOS=linux \
  go build \
  -tags "${BUILD_TAGS}" \
  -ldflags="-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${VERSION}" \
  -o /app/backend/pocket-id-backend \
  .
@@ -44,7 +46,7 @@ COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json
 COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend
 COPY ./scripts ./scripts
-RUN chmod +x ./scripts/**/*.sh
+RUN find ./scripts -name "*.sh" -exec chmod +x {} \;
 EXPOSE 80
 ENV APP_ENV=production
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,9 +1,18 @@
 package main
 import (
 	"log"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )
 // @title Pocket ID API
 // @version 1.0
 // @description.markdown
 func main() {
-	bootstrap.Bootstrap()
+	err := bootstrap.Bootstrap()
 	if err != nil {
 		log.Fatal(err.Error())
 	}
 }
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module github.com/pocket-id/pocket-id/backend
-go 1.23.7
+go 1.24.0
 require (
 	github.com/caarlos0/env/v11 v11.3.1
@@ -12,7 +12,7 @@ require (
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-co-op/gocron/v2 v2.15.0
 	github.com/go-ldap/ldap/v3 v3.4.10
-	github.com/go-playground/validator/v10 v10.24.0
+	github.com/go-playground/validator/v10 v10.25.0
 	github.com/go-webauthn/webauthn v0.11.2
 	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
@@ -20,7 +20,16 @@ require (
 	github.com/lestrrat-go/jwx/v3 v3.0.0-beta1
 	github.com/mileusna/useragent v1.3.5
 	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
 	github.com/prometheus/client_golang v1.22.0
 	github.com/stretchr/testify v1.10.0
 	go.opentelemetry.io/contrib/exporters/autoexport v0.59.0
 	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
 	go.opentelemetry.io/otel v1.35.0
 	go.opentelemetry.io/otel/metric v1.35.0
 	go.opentelemetry.io/otel/sdk v1.35.0
 	go.opentelemetry.io/otel/sdk/metric v1.35.0
 	go.opentelemetry.io/otel/trace v1.35.0
 	golang.org/x/crypto v0.36.0
 	golang.org/x/image v0.24.0
 	golang.org/x/time v0.9.0
@@ -31,21 +40,28 @@ require (
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/sonic v1.12.10 // indirect
 	github.com/bytedance/sonic/loader v0.2.3 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/disintegration/gift v1.1.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-webauthn/x v0.1.16 // indirect
-	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -56,8 +72,7 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
@@ -69,20 +84,43 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/prometheus v0.57.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/log v0.10.0 // indirect
 	go.opentelemetry.io/otel/sdk/log v0.10.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.13.0 // indirect
+	golang.org/x/arch v0.14.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/protobuf v1.36.4 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/grpc v1.71.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -6,17 +6,22 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bytedance/sonic v1.12.10 h1:uVCQr6oS5669E9ZVW0HyksTLfNS7Q/9hV6IVS4nEMsI=
 github.com/bytedance/sonic v1.12.10/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
 github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -58,6 +63,7 @@ github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawr
 github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -68,22 +74,25 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
+github.com/go-playground/validator/v10 v10.25.0 h1:5Dh7cjvzR7BRZadnsVOzPhWsrwUr0nmsZJxEAnFLNO8=
-github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.25.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
 github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
 github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
-github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
 github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
 github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -91,6 +100,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -129,14 +140,18 @@ github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbd
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
@@ -170,6 +185,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -178,16 +195,22 @@ github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3
 github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
 github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -211,20 +234,60 @@ github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZ
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 h1:HY2hJ7yn3KuEBBBsKxvF3ViSmzLwsgeNvD+0utRMgzc=
 go.opentelemetry.io/contrib/bridges/prometheus v0.59.0/go.mod h1:H4H7vs8766kwFnOZVEGMJFVF+phpBSmTckvvNRdJeDI=
 go.opentelemetry.io/contrib/exporters/autoexport v0.59.0 h1:dKhAFwh7SSoOw+gwMtSv+XLkUGTFAwAGMT3X3XSE4FA=
 go.opentelemetry.io/contrib/exporters/autoexport v0.59.0/go.mod h1:fPl+qlrhRdRntIpPs9JoQ0iBKAsnH5VkgppU1f9kyF4=
 go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0 h1:jj/B7eX95/mOxim9g9laNZkOHKz/XCHG0G410SntRy4=
 go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0/go.mod h1:ZvRTVaYYGypytG0zRp2A60lpj//cMq3ZnxYdZaljVBM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 h1:5dTKu4I5Dn4P2hxyW3l3jTaZx9ACgg0ECos1eAVrheY=
-go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0/go.mod h1:P5HcUI8obLrCCmM3sbVBohZFH34iszk/+CPWuakZWL8=
-go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 h1:q/heq5Zh8xV1+7GoMGJpTxM2Lhq5+bFxB29tshuRuw0=
-go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0/go.mod h1:leO2CSTg0Y+LyvmR7Wm4pUxE8KAmaM2GCVx7O+RATLA=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 h1:QcFwRrZLc82r8wODjvyCbP7Ifp3UANaBSmhDSFjnqSc=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0/go.mod h1:CXIWhUomyWBG/oY2/r/kLp6K/cmx9e/7DLpBuuGdLCA=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 h1:0NIXxOCFx+SKbhCVxwl3ETG8ClLPAa0KuKV6p3yhxP8=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0/go.mod h1:ChZSJbbfbl/DcRZNc9Gqh6DYGlfjw4PvO1pEOZH1ZsE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
 go.opentelemetry.io/otel/exporters/prometheus v0.57.0 h1:AHh/lAP1BHrY5gBwk8ncc25FXWm/gmmY3BX258z5nuk=
 go.opentelemetry.io/otel/exporters/prometheus v0.57.0/go.mod h1:QpFWz1QxqevfjwzYdbMb4Y1NnlJvqSGwyuU0B4iuc9c=
 go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 h1:GKCEAZLEpEf78cUvudQdTg0aET2ObOZRB2HtXA0qPAI=
 go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0/go.mod h1:9/zqSWLCmHT/9Jo6fYeUDRRogOLL60ABLsHWS99lF8s=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 h1:PB3Zrjs1sG1GBX51SXyTSoOTqcDglmsk7nT6tkKPb/k=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0/go.mod h1:U2R3XyVPzn0WX7wOIypPuptulsMcPDPs/oiSVOMVnHY=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg=
 go.opentelemetry.io/otel/log v0.10.0 h1:1CXmspaRITvFcjA4kyVszuG4HjA61fPDxMb7q3BuyF0=
 go.opentelemetry.io/otel/log v0.10.0/go.mod h1:PbVdm9bXKku/gL0oFfUF4wwsQsOPlpo4VEqjvxih+FM=
 go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
 go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
 go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
 go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
 go.opentelemetry.io/otel/sdk/log v0.10.0 h1:lR4teQGWfeDVGoute6l0Ou+RpFqQ9vaPdrNJlST0bvw=
 go.opentelemetry.io/otel/sdk/log v0.10.0/go.mod h1:A+V1UTWREhWAittaQEG4bYm4gAZa6xnvVu+xKrIRkzo=
 go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
+golang.org/x/arch v0.14.0 h1:z9JUEZWr8x4rR0OU6c4/4t6E6jOZ8/QBS2bBYBm4tx4=
-golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/arch v0.14.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
@@ -255,8 +318,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -309,8 +372,14 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
 google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -38,7 +38,6 @@ func initApplicationImages() {
 			log.Fatalf("Error copying file: %v", err)
 		}
 	}
 }
 func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
@@ -55,6 +54,11 @@ func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
 }
 func getImageNameWithoutExtension(fileName string) string {
-	splitted := strings.Split(fileName, ".")
+	idx := strings.LastIndexByte(fileName, '.')
-	return strings.Join(splitted[:len(splitted)-1], ".")
+	if idx < 1 {
 		// No dot found, or fileName starts with a dot
 		return fileName
 	}
 	return fileName[:idx]
 }
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -1,19 +1,76 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"log"
 	"time"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/pocket-id/pocket-id/backend/internal/service"
+
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )
-func Bootstrap() {
+func Bootstrap() error {
 	// Get a context that is canceled when the application is stopping
 	ctx := signals.SignalContext(context.Background())
 	initApplicationImages()
 	// Perform migrations for changes
 	migrateConfigDBConnstring()
 	db := newDatabase()
 	appConfigService := service.NewAppConfigService(db)
 	migrateKey()
-	initRouter(db, appConfigService)
+	// Initialize the tracer and metrics exporter
 	shutdownFns, httpClient, err := initOtel(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
 	if err != nil {
 		return fmt.Errorf("failed to initialize OpenTelemetry: %w", err)
 	}
 	// Connect to the database
 	db := newDatabase()
 	// Create all services
 	svc, err := initServices(ctx, db, httpClient)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 	// Init the job scheduler
 	scheduler, err := job.NewScheduler()
 	if err != nil {
 		return fmt.Errorf("failed to create job scheduler: %w", err)
 	}
 	err = registerScheduledJobs(ctx, db, svc, scheduler)
 	if err != nil {
 		return fmt.Errorf("failed to register scheduled jobs: %w", err)
 	}
 	// Init the router
 	router := initRouter(db, svc)
 	// Run all background serivces
 	// This call blocks until the context is canceled
 	err = utils.
 		NewServiceRunner(router, scheduler.Run).
 		Run(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to run services: %w", err)
 	}
 	// Invoke all shutdown functions
 	// We give these a timeout of 5s
 	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer shutdownCancel()
 	err = utils.
 		NewServiceRunner(shutdownFns...).
 		Run(shutdownCtx)
 	if err != nil {
 		log.Printf("Error shutting down services: %v", err)
 	}
 	return nil
 }
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -12,9 +12,9 @@ import (
 // When building for E2E tests, add the e2etest controller
 func init() {
-	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService){
+	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
-		func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService) {
+		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
-			testService := service.NewTestService(db, appConfigService, jwtService)
+			testService := service.NewTestService(db, svc.appConfigService, svc.jwtService)
 			controller.NewTestController(apiGroup, testService)
 		},
 	}
--- a/backend/internal/bootstrap/otel_boostrap.go
+++ b/backend/internal/bootstrap/otel_boostrap.go
@@ -0,0 +1,107 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"go.opentelemetry.io/contrib/exporters/autoexport"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.opentelemetry.io/otel"
 	metricnoop "go.opentelemetry.io/otel/metric/noop"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/sdk/metric"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	semconv "go.opentelemetry.io/otel/semconv/v1.30.0"
 	tracenoop "go.opentelemetry.io/otel/trace/noop"
 )
 func defaultResource() (*resource.Resource, error) {
 	return resource.Merge(
 		resource.Default(),
 		resource.NewSchemaless(
 			semconv.ServiceName("pocket-id-backend"),
 			semconv.ServiceVersion(common.Version),
 		),
 	)
 }
 func initOtel(ctx context.Context, metrics, traces bool) (shutdownFns []utils.Service, httpClient *http.Client, err error) {
 	resource, err := defaultResource()
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create OpenTelemetry resource: %w", err)
 	}
 	shutdownFns = make([]utils.Service, 0, 2)
 	httpClient = &http.Client{}
 	defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 	if !ok {
 		// Indicates a development-time error
 		panic("Default transport is not of type *http.Transport")
 	}
 	httpClient.Transport = defaultTransport.Clone()
 	if traces {
 		tr, err := autoexport.NewSpanExporter(ctx)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry span exporter: %w", err)
 		}
 		tp := sdktrace.NewTracerProvider(
 			sdktrace.WithResource(resource),
 			sdktrace.WithBatcher(tr),
 		)
 		otel.SetTracerProvider(tp)
 		otel.SetTextMapPropagator(
 			propagation.NewCompositeTextMapPropagator(
 				propagation.TraceContext{},
 				propagation.Baggage{},
 			),
 		)
 		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
 			tpCtx, tpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 			defer tpCancel()
 			shutdownErr := tp.Shutdown(tpCtx)
 			if shutdownErr != nil {
 				return fmt.Errorf("failed to gracefully shut down traces exporter: %w", shutdownErr)
 			}
 			return nil
 		})
 		httpClient.Transport = otelhttp.NewTransport(httpClient.Transport)
 	} else {
 		otel.SetTracerProvider(tracenoop.NewTracerProvider())
 	}
 	if metrics {
 		mr, err := autoexport.NewMetricReader(ctx)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry metric reader: %w", err)
 		}
 		mp := metric.NewMeterProvider(
 			metric.WithResource(resource),
 			metric.WithReader(mr),
 		)
 		otel.SetMeterProvider(mp)
 		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
 			mpCtx, mpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 			defer mpCancel()
 			shutdownErr := mp.Shutdown(mpCtx)
 			if shutdownErr != nil {
 				return fmt.Errorf("failed to gracefully shut down metrics exporter: %w", shutdownErr)
 			}
 			return nil
 		})
 	} else {
 		otel.SetMeterProvider(metricnoop.NewMeterProvider())
 	}
 	return shutdownFns, httpClient, nil
 }
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -1,28 +1,37 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"time"
 	"github.com/gin-gonic/gin"
-	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
 	"github.com/pocket-id/pocket-id/backend/internal/controller"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/controller"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 )
 // This is used to register additional controllers for tests
-var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService)
+var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
-// @title Pocket ID API
+func initRouter(db *gorm.DB, svc *services) utils.Service {
-// @version 1
+	runner, err := initRouterInternal(db, svc)
-// @description API for Pocket ID
+	if err != nil {
-func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
+		log.Fatalf("failed to init router: %v", err)
 	}
 	return runner
 }
 func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case "production":
@@ -36,73 +45,97 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	r := gin.Default()
 	r.Use(gin.Logger())
-	// Initialize services
+	if common.EnvConfig.TracingEnabled {
-	emailService, err := service.NewEmailService(appConfigService, db)
+		r.Use(otelgin.Middleware("pocket-id-backend"))
 	if err != nil {
 		log.Fatalf("Unable to create email service: %s", err)
 	}
-	geoLiteService := service.NewGeoLiteService()
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
 	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
 	apiKeyService := service.NewApiKeyService(db)
 	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
 	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
 	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))
 	job.RegisterLdapJobs(ldapService, appConfigService)
 	job.RegisterDbCleanupJobs(db)
 	// Initialize middleware for specific routes
-	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, jwtService)
+	authMiddleware := middleware.NewAuthMiddleware(svc.apiKeyService, svc.userService, svc.jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
 	// Set up API routes
-	apiGroup := r.Group("/api")
+	apiGroup := r.Group("/api", rateLimitMiddleware)
-	controller.NewApiKeyController(apiGroup, authMiddleware, apiKeyService)
+	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
-	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
-	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
-	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.appConfigService)
-	controller.NewAppConfigController(apiGroup, authMiddleware, appConfigService, emailService, ldapService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
-	controller.NewAuditLogController(apiGroup, auditLogService, authMiddleware)
+	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
-	controller.NewUserGroupController(apiGroup, authMiddleware, userGroupService)
+	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
-	controller.NewCustomClaimController(apiGroup, authMiddleware, customClaimService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
 		for _, f := range registerTestControllers {
-			f(apiGroup, db, appConfigService, jwtService)
+			f(apiGroup, db, svc)
 		}
 	}
 	// Set up base routes
-	baseGroup := r.Group("/")
+	baseGroup := r.Group("/", rateLimitMiddleware)
-	controller.NewWellKnownController(baseGroup, jwtService)
+	controller.NewWellKnownController(baseGroup, svc.jwtService)
-	// Get the listener
+	// Set up healthcheck routes
-	l, err := net.Listen("tcp", common.EnvConfig.Host+":"+common.EnvConfig.Port)
+	// These are not rate-limited
 	controller.NewHealthzController(r)
 	// Set up the server
 	srv := &http.Server{
 		Addr:              net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port),
 		MaxHeaderBytes:    1 << 20,
 		ReadHeaderTimeout: 10 * time.Second,
 		Handler:           r,
 	}
 	// Set up the listener
 	listener, err := net.Listen("tcp", srv.Addr)
 	if err != nil {
-		log.Fatal(err)
+		return nil, fmt.Errorf("failed to create TCP listener: %w", err)
 	}
-	// Notify systemd that we are ready
+	// Service runner function
-	if err := systemd.SdNotifyReady(); err != nil {
+	runFn := func(ctx context.Context) error {
-		log.Println("Unable to notify systemd that the service is ready: ", err)
+		log.Printf("Server listening on %s", srv.Addr)
-		// continue to serve anyway since it's not that important
+
 		// Start the server in a background goroutine
 		go func() {
 			defer listener.Close()
 			// Next call blocks until the server is shut down
 			srvErr := srv.Serve(listener)
 			if srvErr != http.ErrServerClosed {
 				log.Fatalf("Error starting app server: %v", srvErr)
 			}
 		}()
 		// Notify systemd that we are ready
 		err = systemd.SdNotifyReady()
 		if err != nil {
 			// Log the error only
 			log.Printf("[WARN] Unable to notify systemd that the service is ready: %v", err)
 		}
 		// Block until the context is canceled
 		<-ctx.Done()
 		// Handle graceful shutdown
 		// Note we use the background context here as ctx has been canceled already
 		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 		shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
 		shutdownCancel()
 		if shutdownErr != nil {
 			// Log the error only (could be context canceled)
 			log.Printf("[WARN] App server shutdown error: %v", shutdownErr)
 		}
 		return nil
 	}
-	// Serve requests
+	return runFn, nil
 	if err := r.RunListener(l); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/backend/internal/bootstrap/scheduler_bootstrap.go
+++ b/backend/internal/bootstrap/scheduler_bootstrap.go
@@ -0,0 +1,35 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 )
 func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, scheduler *job.Scheduler) error {
 	err := scheduler.RegisterLdapJobs(ctx, svc.ldapService, svc.appConfigService)
 	if err != nil {
 		return fmt.Errorf("failed to register LDAP jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterGeoLiteUpdateJobs(ctx, svc.geoLiteService)
 	if err != nil {
 		return fmt.Errorf("failed to register GeoLite DB update service: %w", err)
 	}
 	err = scheduler.RegisterDbCleanupJobs(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to register DB cleanup jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterFileCleanupJobs(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to register file cleanup jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterApiKeyExpiryJob(ctx, svc.apiKeyService, svc.appConfigService)
 	if err != nil {
 		return fmt.Errorf("failed to register API key expiration jobs in scheduler: %w", err)
 	}
 	return nil
 }
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -0,0 +1,52 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 type services struct {
 	appConfigService   *service.AppConfigService
 	emailService       *service.EmailService
 	geoLiteService     *service.GeoLiteService
 	auditLogService    *service.AuditLogService
 	jwtService         *service.JwtService
 	webauthnService    *service.WebAuthnService
 	userService        *service.UserService
 	customClaimService *service.CustomClaimService
 	oidcService        *service.OidcService
 	userGroupService   *service.UserGroupService
 	ldapService        *service.LdapService
 	apiKeyService      *service.ApiKeyService
 }
 // Initializes all services
 // The context should be used by services only for initialization, and not for running
 func initServices(initCtx context.Context, db *gorm.DB, httpClient *http.Client) (svc *services, err error) {
 	svc = &services{}
 	svc.appConfigService = service.NewAppConfigService(initCtx, db)
 	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create email service: %w", err)
 	}
 	svc.geoLiteService = service.NewGeoLiteService(httpClient)
 	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
 	svc.jwtService = service.NewJwtService(svc.appConfigService)
 	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService)
 	svc.customClaimService = service.NewCustomClaimService(db)
 	svc.oidcService = service.NewOidcService(db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService)
 	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
 	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
 	svc.webauthnService = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
 	return svc, nil
 }
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -10,6 +10,13 @@ import (
 type DbProvider string
 const (
 	// TracerName should be passed to otel.Tracer, trace.SpanFromContext when creating custom spans.
 	TracerName = "github.com/pocket-id/pocket-id/backend/tracing"
 	// MeterName should be passed to otel.Meter when create custom metrics.
 	MeterName = "github.com/pocket-id/pocket-id/backend/metrics"
 )
 const (
 	DbProviderSqlite      DbProvider = "sqlite"
 	DbProviderPostgres    DbProvider = "postgres"
@@ -31,6 +38,8 @@ type EnvConfigSchema struct {
 	GeoLiteDBPath            string     `env:"GEOLITE_DB_PATH"`
 	GeoLiteDBUrl             string     `env:"GEOLITE_DB_URL"`
 	UiConfigDisabled         bool       `env:"PUBLIC_UI_CONFIG_DISABLED"`
 	MetricsEnabled           bool       `env:"METRICS_ENABLED"`
 	TracingEnabled           bool       `env:"TRACING_ENABLED"`
 }
 var EnvConfig = &EnvConfigSchema{
@@ -48,6 +57,8 @@ var EnvConfig = &EnvConfigSchema{
 	GeoLiteDBPath:            "data/GeoLite2-City.mmdb",
 	GeoLiteDBUrl:             MaxMindGeoLiteCityUrl,
 	UiConfigDisabled:         false,
 	MetricsEnabled:           false,
 	TracingEnabled:           false,
 }
 func init() {
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -1,6 +1,7 @@
 package common
 import (
 	"errors"
 	"fmt"
 	"net/http"
 )
@@ -17,10 +18,16 @@ type AlreadyInUseError struct {
 }
 func (e *AlreadyInUseError) Error() string {
-	return fmt.Sprintf("%s is already in use", e.Property)
+	return e.Property + " is already in use"
 }
 func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
 func (e *AlreadyInUseError) Is(target error) bool {
 	// Ignore the field property when checking if an error is of the type AlreadyInUseError
 	x := &AlreadyInUseError{}
 	return errors.As(target, &x)
 }
 type SetupAlreadyCompletedError struct{}
 func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
@@ -75,11 +82,6 @@ type FileTypeNotSupportedError struct{}
 func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
 func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
 type InvalidCredentialsError struct{}
 func (e *InvalidCredentialsError) Error() string       { return "no user found with provided credentials" }
 func (e *InvalidCredentialsError) HttpStatusCode() int { return 400 }
 type FileTooLargeError struct {
 	MaxSize string
 }
@@ -222,8 +224,7 @@ type InvalidUUIDError struct{}
 func (e *InvalidUUIDError) Error() string {
 	return "Invalid UUID"
 }
-
+func (e *InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }
 type InvalidEmailError struct{}
 type OneTimeAccessDisabledError struct{}
@@ -237,31 +238,34 @@ type InvalidAPIKeyError struct{}
 func (e *InvalidAPIKeyError) Error() string {
 	return "Invalid Api Key"
 }
 func (e *InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }
 type NoAPIKeyProvidedError struct{}
 func (e *NoAPIKeyProvidedError) Error() string {
 	return "No API Key Provided"
 }
 func (e *NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }
 type APIKeyNotFoundError struct{}
 func (e *APIKeyNotFoundError) Error() string {
 	return "API Key Not Found"
 }
 func (e *APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }
 type APIKeyExpirationDateError struct{}
 func (e *APIKeyExpirationDateError) Error() string {
 	return "API Key expiration time must be in the future"
 }
 func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
 type OidcInvalidRefreshTokenError struct{}
 func (e *OidcInvalidRefreshTokenError) Error() string {
 	return "refresh token is invalid or expired"
 }
 func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
@@ -271,7 +275,6 @@ type OidcMissingRefreshTokenError struct{}
 func (e *OidcMissingRefreshTokenError) Error() string {
 	return "refresh token is required"
 }
 func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
@@ -281,7 +284,63 @@ type OidcMissingAuthorizationCodeError struct{}
 func (e *OidcMissingAuthorizationCodeError) Error() string {
 	return "authorization code is required"
 }
 func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
 type UserDisabledError struct{}
 func (e *UserDisabledError) Error() string {
 	return "User account is disabled"
 }
 func (e *UserDisabledError) HttpStatusCode() int {
 	return http.StatusForbidden
 }
 type ValidationError struct {
 	Message string
 }
 func (e *ValidationError) Error() string {
 	return e.Message
 }
 func (e *ValidationError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
 type OidcDeviceCodeExpiredError struct{}
 func (e *OidcDeviceCodeExpiredError) Error() string {
 	return "device code has expired"
 }
 func (e *OidcDeviceCodeExpiredError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
 type OidcInvalidDeviceCodeError struct{}
 func (e *OidcInvalidDeviceCodeError) Error() string {
 	return "invalid device code"
 }
 func (e *OidcInvalidDeviceCodeError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
 type OidcSlowDownError struct{}
 func (e *OidcSlowDownError) Error() string {
 	return "polling too frequently"
 }
 func (e *OidcSlowDownError) HttpStatusCode() int {
 	return http.StatusTooManyRequests
 }
 type OidcAuthorizationPendingError struct{}
 func (e *OidcAuthorizationPendingError) Error() string {
 	return "authorization is still pending"
 }
 func (e *OidcAuthorizationPendingError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
--- a/backend/internal/common/version.go
+++ b/backend/internal/common/version.go
@@ -0,0 +1,6 @@
 package common
 // Version contains the Pocket ID version.
 //
 // It can be set at build time using -ldflags.
 var Version = "unknown"
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -53,7 +53,7 @@ func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
 		return
 	}
-	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(userID, sortedPaginationRequest)
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, sortedPaginationRequest)
 	if err != nil {
 		_ = ctx.Error(err)
 		return
@@ -87,7 +87,7 @@ func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
 		return
 	}
-	apiKey, token, err := c.apiKeyService.CreateApiKey(userID, input)
+	apiKey, token, err := c.apiKeyService.CreateApiKey(ctx.Request.Context(), userID, input)
 	if err != nil {
 		_ = ctx.Error(err)
 		return
@@ -116,7 +116,7 @@ func (c *ApiKeyController) revokeApiKeyHandler(ctx *gin.Context) {
 	userID := ctx.GetString("userID")
 	apiKeyID := ctx.Param("id")
-	if err := c.apiKeyService.RevokeApiKey(userID, apiKeyID); err != nil {
+	if err := c.apiKeyService.RevokeApiKey(ctx.Request.Context(), userID, apiKeyID); err != nil {
 		_ = ctx.Error(err)
 		return
 	}
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -1,7 +1,6 @@
 package controller
 import (
 	"fmt"
 	"net/http"
 	"strconv"
@@ -61,11 +60,7 @@ type AppConfigController struct {
 // @Failure 500 {object} object "{"error": "error message"}"
 // @Router /application-configuration [get]
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(false)
+	configuration := acc.appConfigService.ListAppConfig(false)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var configVariablesDto []dto.PublicAppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
@@ -73,7 +68,7 @@ func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
 		return
 	}
-	c.JSON(200, configVariablesDto)
+	c.JSON(http.StatusOK, configVariablesDto)
 }
 // listAllAppConfigHandler godoc
@@ -86,11 +81,7 @@ func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /application-configuration/all [get]
 func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(true)
+	configuration := acc.appConfigService.ListAppConfig(true)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var configVariablesDto []dto.AppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
@@ -98,7 +89,7 @@ func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
 		return
 	}
-	c.JSON(200, configVariablesDto)
+	c.JSON(http.StatusOK, configVariablesDto)
 }
 // updateAppConfigHandler godoc
@@ -118,7 +109,7 @@ func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
 		return
 	}
-	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(c.Request.Context(), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -144,17 +135,17 @@ func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
 // @Success 200 {file} binary "Logo image"
 // @Router /api/application-configuration/logo [get]
 func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
 	dbConfig := acc.appConfigService.GetDbConfig()
 	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))
-	var imageName string
+	var imageName, imageType string
 	var imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}
 	acc.getImage(c, imageName, imageType)
@@ -182,7 +173,7 @@ func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
 // @Failure 404 {object} object "{"error": "File not found"}"
 // @Router /api/application-configuration/background-image [get]
 func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.getImage(c, "background", imageType)
 }
@@ -197,17 +188,17 @@ func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/application-configuration/logo [put]
 func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
 	dbConfig := acc.appConfigService.GetDbConfig()
 	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))
-	var imageName string
+	var imageName, imageType string
 	var imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}
 	acc.updateImage(c, imageName, imageType)
@@ -247,13 +238,13 @@ func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/application-configuration/background-image [put]
 func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.updateImage(c, "background", imageType)
 }
 // getImage is a helper function to serve image files
 func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
+	imagePath := common.EnvConfig.UploadPath + "/application-images/" + name + "." + imageType
 	mimeType := utils.GetImageMimeType(imageType)
 	c.Header("Content-Type", mimeType)
@@ -268,7 +259,7 @@ func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, ol
 		return
 	}
-	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	err = acc.appConfigService.UpdateImage(c.Request.Context(), file, imageName, oldImageType)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -285,7 +276,7 @@ func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, ol
 // @Security BearerAuth
 // @Router /api/application-configuration/sync-ldap [post]
 func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
-	err := acc.ldapService.SyncAll()
+	err := acc.ldapService.SyncAll(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -304,7 +295,7 @@ func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
 func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	err := acc.emailService.SendTestEmail(userID)
+	err := acc.emailService.SendTestEmail(c.Request.Context(), userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -20,7 +20,10 @@ func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.Audi
 		auditLogService: auditLogService,
 	}
 	group.GET("/audit-logs/all", authMiddleware.Add(), alc.listAllAuditLogsHandler)
 	group.GET("/audit-logs", authMiddleware.WithAdminNotRequired().Add(), alc.listAuditLogsForUserHandler)
 	group.GET("/audit-logs/filters/client-names", authMiddleware.Add(), alc.listClientNamesHandler)
 	group.GET("/audit-logs/filters/users", authMiddleware.Add(), alc.listUserNamesWithIdsHandler)
 }
 type AuditLogController struct {
@@ -39,7 +42,9 @@ type AuditLogController struct {
 // @Router /api/audit-logs [get]
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+
 	err := c.ShouldBindQuery(&sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -47,7 +52,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, sortedPaginationRequest)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -72,3 +77,86 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 		Pagination: pagination,
 	})
 }
 // listAllAuditLogsHandler godoc
 // @Summary List all audit logs
 // @Description Get a paginated list of all audit logs (admin only)
 // @Tags Audit Logs
 // @Param page query int false "Page number, starting from 1" default(1)
 // @Param limit query int false "Number of items per page" default(10)
 // @Param sort_column query string false "Column to sort by" default("created_at")
 // @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
 // @Param user_id query string false "Filter by user ID"
 // @Param event query string false "Filter by event type"
 // @Param client_name query string false "Filter by client name"
 // @Success 200 {object} dto.Paginated[dto.AuditLogDto]
 // @Router /api/audit-logs/all [get]
 func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var filters dto.AuditLogFilterDto
 	if err := c.ShouldBindQuery(&filters); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), sortedPaginationRequest, filters)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var logsDtos []dto.AuditLogDto
 	err = dto.MapStructList(logs, &logsDtos)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	for i, logsDto := range logsDtos {
 		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
 		logsDto.Username = logs[i].User.Username
 		logsDtos[i] = logsDto
 	}
 	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
 		Data:       logsDtos,
 		Pagination: pagination,
 	})
 }
 // listClientNamesHandler godoc
 // @Summary List client names
 // @Description Get a list of all client names for audit log filtering
 // @Tags Audit Logs
 // @Success 200 {array} string "List of client names"
 // @Router /api/audit-logs/filters/client-names [get]
 func (alc *AuditLogController) listClientNamesHandler(c *gin.Context) {
 	names, err := alc.auditLogService.ListClientNames(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, names)
 }
 // listUserNamesWithIdsHandler godoc
 // @Summary List users with IDs
 // @Description Get a list of all usernames with their IDs for audit log filtering
 // @Tags Audit Logs
 // @Success 200 {object} map[string]string "Map of user IDs to usernames"
 // @Router /api/audit-logs/filters/users [get]
 func (alc *AuditLogController) listUserNamesWithIdsHandler(c *gin.Context) {
 	users, err := alc.auditLogService.ListUsernamesWithIds(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, users)
 }
--- a/backend/internal/controller/custom_claim_controller.go
+++ b/backend/internal/controller/custom_claim_controller.go
@@ -41,7 +41,7 @@ type CustomClaimController struct {
 // @Security BearerAuth
 // @Router /api/custom-claims/suggestions [get]
 func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
-	claims, err := ccc.customClaimService.GetSuggestions()
+	claims, err := ccc.customClaimService.GetSuggestions(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -69,7 +69,7 @@ func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Contex
 	}
 	userId := c.Param("userId")
-	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(userId, input)
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(c.Request.Context(), userId, input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -104,7 +104,7 @@ func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.C
 	}
 	userGroupId := c.Param("userGroupId")
-	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(userGroupId, input)
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(c.Request.Context(), userGroupId, input)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/e2etest_controller.go
+++ b/backend/internal/controller/e2etest_controller.go
@@ -36,7 +36,7 @@ func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 		return
 	}
-	if err := tc.TestService.ResetAppConfig(); err != nil {
+	if err := tc.TestService.ResetAppConfig(c.Request.Context()); err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/healthz_controller.go
+++ b/backend/internal/controller/healthz_controller.go
@@ -0,0 +1,29 @@
 package controller
 import (
 	"net/http"
 	"github.com/gin-gonic/gin"
 )
 // NewHealthzController creates a new controller for the healthcheck endpoints
 // @Summary Healthcheck controller
 // @Description Initializes healthcheck endpoints
 // @Tags Health
 func NewHealthzController(r *gin.Engine) {
 	hc := &HealthzController{}
 	r.GET("/healthz", hc.healthzHandler)
 }
 type HealthzController struct{}
 // healthzHandler godoc
 // @Summary Responds to healthchecks
 // @Description Responds with a successful status code to healthcheck requests
 // @Tags Health
 // @Success 204 ""
 // @Router /healthz [get]
 func (hc *HealthzController) healthzHandler(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -1,6 +1,7 @@
 package controller
 import (
 	"errors"
 	"log"
 	"net/http"
 	"net/url"
@@ -29,8 +30,9 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
 	group.POST("/oidc/userinfo", oc.userInfoHandler)
-	group.POST("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.POST("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
-	group.GET("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.GET("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
 	group.POST("/oidc/introspect", oc.introspectTokenHandler)
 	group.GET("/oidc/clients", authMiddleware.Add(), oc.listClientsHandler)
 	group.POST("/oidc/clients", authMiddleware.Add(), oc.createClientHandler)
@@ -45,6 +47,10 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
 	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
 	group.POST("/oidc/clients/:id/logo", authMiddleware.Add(), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
 	group.POST("/oidc/device/authorize", oc.deviceAuthorizationHandler)
 	group.POST("/oidc/device/verify", authMiddleware.WithAdminNotRequired().Add(), oc.verifyDeviceCodeHandler)
 	group.GET("/oidc/device/info", authMiddleware.WithAdminNotRequired().Add(), oc.getDeviceCodeInfoHandler)
 }
 type OidcController struct {
@@ -69,7 +75,7 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 		return
 	}
-	code, callbackURL, err := oc.oidcService.Authorize(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -100,7 +106,7 @@ func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Contex
 		return
 	}
-	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(input.ClientID, c.GetString("userID"), input.Scope)
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(c.Request.Context(), input.ClientID, c.GetString("userID"), input.Scope)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -144,24 +150,26 @@ func (oc *OidcController) createTokensHandler(c *gin.Context) {
 		return
 	}
 	clientID := input.ClientID
 	clientSecret := input.ClientSecret
 	// Client id and secret can also be passed over the Authorization header
-	if clientID == "" && clientSecret == "" {
+	if input.ClientID == "" && input.ClientSecret == "" {
-		clientID, clientSecret, _ = c.Request.BasicAuth()
+		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
 	}
-	idToken, accessToken, refreshToken, expiresIn, err := oc.oidcService.CreateTokens(
+	idToken, accessToken, refreshToken, expiresIn, err :=
-		input.Code,
+		oc.oidcService.CreateTokens(c.Request.Context(), input)
 		input.GrantType,
 		clientID,
 		clientSecret,
 		input.CodeVerifier,
 		input.RefreshToken,
 	)
-	if err != nil {
+	switch {
 	case errors.Is(err, &common.OidcAuthorizationPendingError{}):
 		c.JSON(http.StatusBadRequest, gin.H{
 			"error": "authorization_pending",
 		})
 		return
 	case errors.Is(err, &common.OidcSlowDownError{}):
 		c.JSON(http.StatusBadRequest, gin.H{
 			"error": "slow_down",
 		})
 		return
 	case err != nil:
 		_ = c.Error(err)
 		return
 	}
@@ -216,7 +224,7 @@ func (oc *OidcController) userInfoHandler(c *gin.Context) {
 		_ = c.Error(&common.TokenInvalidError{})
 		return
 	}
-	claims, err := oc.oidcService.GetUserClaimsForClient(userID, clientID[0])
+	claims, err := oc.oidcService.GetUserClaimsForClient(c.Request.Context(), userID, clientID[0])
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -254,7 +262,7 @@ func (oc *OidcController) EndSessionHandler(c *gin.Context) {
 		}
 	}
-	callbackURL, err := oc.oidcService.ValidateEndSession(input, c.GetString("userID"))
+	callbackURL, err := oc.oidcService.ValidateEndSession(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
 		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
 		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
@@ -290,6 +298,37 @@ func (oc *OidcController) EndSessionHandlerPost(c *gin.Context) {
 	// Implementation is the same as GET
 }
 // introspectToken godoc
 // @Summary Introspect OIDC tokens
 // @Description Pass an access_token to verify if it is considered valid.
 // @Tags OIDC
 // @Produce json
 // @Param token formData string true "The token to be introspected."
 // @Success 200 {object} dto.OidcIntrospectionResponseDto "Response with the introspection result."
 // @Router /api/oidc/introspect [post]
 func (oc *OidcController) introspectTokenHandler(c *gin.Context) {
 	var input dto.OidcIntrospectDto
 	if err := c.ShouldBind(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	// Client id and secret have to be passed over the Authorization header. This kind of
 	// authentication allows us to keep the endpoint protected (since it could be used to
 	// find valid tokens) while still allowing it to be used by an application that is
 	// supposed to interact with our IdP (since that needs to have a client_id
 	// and client_secret anyway).
 	clientID, clientSecret, _ := c.Request.BasicAuth()
 	response, err := oc.oidcService.IntrospectToken(c.Request.Context(), clientID, clientSecret, input.Token)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, response)
 }
 // getClientMetaDataHandler godoc
 // @Summary Get client metadata
 // @Description Get OIDC client metadata for discovery and configuration
@@ -300,7 +339,7 @@ func (oc *OidcController) EndSessionHandlerPost(c *gin.Context) {
 // @Router /api/oidc/clients/{id}/meta [get]
 func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
 	clientId := c.Param("id")
-	client, err := oc.oidcService.GetClient(clientId)
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -327,7 +366,7 @@ func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
 // @Router /api/oidc/clients/{id} [get]
 func (oc *OidcController) getClientHandler(c *gin.Context) {
 	clientId := c.Param("id")
-	client, err := oc.oidcService.GetClient(clientId)
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -363,7 +402,7 @@ func (oc *OidcController) listClientsHandler(c *gin.Context) {
 		return
 	}
-	clients, pagination, err := oc.oidcService.ListClients(searchTerm, sortedPaginationRequest)
+	clients, pagination, err := oc.oidcService.ListClients(c.Request.Context(), searchTerm, sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -398,7 +437,7 @@ func (oc *OidcController) createClientHandler(c *gin.Context) {
 		return
 	}
-	client, err := oc.oidcService.CreateClient(input, c.GetString("userID"))
+	client, err := oc.oidcService.CreateClient(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -422,7 +461,7 @@ func (oc *OidcController) createClientHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/oidc/clients/{id} [delete]
 func (oc *OidcController) deleteClientHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClient(c.Param("id"))
+	err := oc.oidcService.DeleteClient(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -449,7 +488,7 @@ func (oc *OidcController) updateClientHandler(c *gin.Context) {
 		return
 	}
-	client, err := oc.oidcService.UpdateClient(c.Param("id"), input)
+	client, err := oc.oidcService.UpdateClient(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -474,7 +513,7 @@ func (oc *OidcController) updateClientHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/oidc/clients/{id}/secret [post]
 func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
-	secret, err := oc.oidcService.CreateClientSecret(c.Param("id"))
+	secret, err := oc.oidcService.CreateClientSecret(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -494,7 +533,7 @@ func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
 // @Success 200 {file} binary "Logo image"
 // @Router /api/oidc/clients/{id}/logo [get]
 func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
-	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Param("id"))
+	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -521,7 +560,7 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 		return
 	}
-	err = oc.oidcService.UpdateClientLogo(c.Param("id"), file)
+	err = oc.oidcService.UpdateClientLogo(c.Request.Context(), c.Param("id"), file)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -539,7 +578,7 @@ func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/oidc/clients/{id}/logo [delete]
 func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClientLogo(c.Param("id"))
+	err := oc.oidcService.DeleteClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -566,7 +605,7 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
 		return
 	}
-	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Param("id"), input)
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -580,3 +619,60 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, oidcClientDto)
 }
 func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) {
 	var input dto.OidcDeviceAuthorizationRequestDto
 	if err := c.ShouldBind(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	// Client id and secret can also be passed over the Authorization header
 	if input.ClientID == "" && input.ClientSecret == "" {
 		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
 	}
 	response, err := oc.oidcService.CreateDeviceAuthorization(c.Request.Context(), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, response)
 }
 func (oc *OidcController) verifyDeviceCodeHandler(c *gin.Context) {
 	userCode := c.Query("code")
 	if userCode == "" {
 		_ = c.Error(&common.ValidationError{Message: "code is required"})
 		return
 	}
 	// Get IP address and user agent from the request context
 	ipAddress := c.ClientIP()
 	userAgent := c.Request.UserAgent()
 	err := oc.oidcService.VerifyDeviceCode(c.Request.Context(), userCode, c.GetString("userID"), ipAddress, userAgent)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.Status(http.StatusNoContent)
 }
 func (oc *OidcController) getDeviceCodeInfoHandler(c *gin.Context) {
 	userCode := c.Query("code")
 	if userCode == "" {
 		_ = c.Error(&common.ValidationError{Message: "code is required"})
 		return
 	}
 	deviceCodeInfo, err := oc.oidcService.GetDeviceCodeInfo(c.Request.Context(), userCode, c.GetString("userID"))
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, deviceCodeInfo)
 }
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -43,9 +43,10 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
 	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
 	group.POST("/users/:id/one-time-access-email", authMiddleware.Add(), uc.RequestOneTimeAccessEmailAsAdminHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
-	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.RequestOneTimeAccessEmailAsUnauthenticatedUserHandler)
 	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
 	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
@@ -65,7 +66,7 @@ type UserController struct {
 // @Router /api/users/{id}/groups [get]
 func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 	userID := c.Param("id")
-	groups, err := uc.userService.GetUserGroups(userID)
+	groups, err := uc.userService.GetUserGroups(c.Request.Context(), userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -99,7 +100,7 @@ func (uc *UserController) listUsersHandler(c *gin.Context) {
 		return
 	}
-	users, pagination, err := uc.userService.ListUsers(searchTerm, sortedPaginationRequest)
+	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -125,7 +126,7 @@ func (uc *UserController) listUsersHandler(c *gin.Context) {
 // @Success 200 {object} dto.UserDto
 // @Router /api/users/{id} [get]
 func (uc *UserController) getUserHandler(c *gin.Context) {
-	user, err := uc.userService.GetUser(c.Param("id"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -147,7 +148,7 @@ func (uc *UserController) getUserHandler(c *gin.Context) {
 // @Success 200 {object} dto.UserDto
 // @Router /api/users/me [get]
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
-	user, err := uc.userService.GetUser(c.GetString("userID"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.GetString("userID"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -170,7 +171,7 @@ func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
 // @Success 204 "No Content"
 // @Router /api/users/{id} [delete]
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
-	if err := uc.userService.DeleteUser(c.Param("id"), false); err != nil {
+	if err := uc.userService.DeleteUser(c.Request.Context(), c.Param("id"), false); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -192,7 +193,7 @@ func (uc *UserController) createUserHandler(c *gin.Context) {
 		return
 	}
-	user, err := uc.userService.CreateUser(input)
+	user, err := uc.userService.CreateUser(c.Request.Context(), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -227,7 +228,7 @@ func (uc *UserController) updateUserHandler(c *gin.Context) {
 // @Success 200 {object} dto.UserDto
 // @Router /api/users/me [put]
 func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
-	if !uc.appConfigService.DbConfig.AllowOwnAccountEdit.IsTrue() {
+	if !uc.appConfigService.GetDbConfig().AllowOwnAccountEdit.IsTrue() {
 		_ = c.Error(&common.AccountEditNotAllowedError{})
 		return
 	}
@@ -245,13 +246,19 @@ func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
 func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
 	userID := c.Param("id")
-	picture, size, err := uc.userService.GetProfilePicture(userID)
+	picture, size, err := uc.userService.GetProfilePicture(c.Request.Context(), userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	if picture != nil {
 		defer picture.Close()
 	}
-	c.Header("Cache-Control", "public, max-age=300")
+	_, ok := c.GetQuery("skipCache")
 	if !ok {
 		c.Header("Cache-Control", "public, max-age=900")
 	}
 	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
 }
@@ -329,7 +336,7 @@ func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bo
 	if own {
 		input.UserID = c.GetString("userID")
 	}
-	token, err := uc.userService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, input.ExpiresAt)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -350,18 +357,63 @@ func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
 	uc.createOneTimeAccessTokenHandler(c, true)
 }
 // createAdminOneTimeAccessTokenHandler godoc
 // @Summary Create one-time access token for user (admin)
 // @Description Generate a one-time access token for a specific user (admin only)
 // @Tags Users
 // @Param id path string true "User ID"
 // @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
 // @Success 201 {object} object "{ \"token\": \"string\" }"
 // @Router /api/users/{id}/one-time-access-token [post]
 func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
 	uc.createOneTimeAccessTokenHandler(c, false)
 }
-func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
+// RequestOneTimeAccessEmailAsUnauthenticatedUserHandler godoc
-	var input dto.OneTimeAccessEmailDto
+// @Summary Request one-time access email
 // @Description Request a one-time access email for unauthenticated users
 // @Tags Users
 // @Accept json
 // @Produce json
 // @Param body body dto.OneTimeAccessEmailAsUnauthenticatedUserDto true "Email request information"
 // @Success 204 "No Content"
 // @Router /api/one-time-access-email [post]
 func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(c *gin.Context) {
 	var input dto.OneTimeAccessEmailAsUnauthenticatedUserDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}
-	err := uc.userService.RequestOneTimeAccessEmail(input.Email, input.RedirectPath)
+	err := uc.userService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.Status(http.StatusNoContent)
 }
 // RequestOneTimeAccessEmailAsAdminHandler godoc
 // @Summary Request one-time access email (admin)
 // @Description Request a one-time access email for a specific user (admin only)
 // @Tags Users
 // @Accept json
 // @Produce json
 // @Param id path string true "User ID"
 // @Param body body dto.OneTimeAccessEmailAsAdminDto true "Email request options"
 // @Success 204 "No Content"
 // @Router /api/users/{id}/one-time-access-email [post]
 func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context) {
 	var input dto.OneTimeAccessEmailAsAdminDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	userID := c.Param("id")
 	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, input.ExpiresAt)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -378,7 +430,7 @@ func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
 // @Success 200 {object} dto.UserDto
 // @Router /api/one-time-access-token/{token} [post]
 func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Param("token"), c.ClientIP(), c.Request.UserAgent())
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -390,7 +442,7 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 		return
 	}
-	maxAge := int(uc.appConfigService.DbConfig.SessionDuration.AsDurationMinutes().Seconds())
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
 	cookie.AddAccessTokenCookie(c, maxAge, token)
 	c.JSON(http.StatusOK, userDto)
@@ -403,7 +455,7 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 // @Success 200 {object} dto.UserDto
 // @Router /api/one-time-access-token/setup [post]
 func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.userService.SetupInitialAdmin()
+	user, token, err := uc.userService.SetupInitialAdmin(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -415,7 +467,7 @@ func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
 		return
 	}
-	maxAge := int(uc.appConfigService.DbConfig.SessionDuration.AsDurationMinutes().Seconds())
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
 	cookie.AddAccessTokenCookie(c, maxAge, token)
 	c.JSON(http.StatusOK, userDto)
@@ -436,7 +488,7 @@ func (uc *UserController) updateUserGroups(c *gin.Context) {
 		return
 	}
-	user, err := uc.userService.UpdateUserGroups(c.Param("id"), input.UserGroupIds)
+	user, err := uc.userService.UpdateUserGroups(c.Request.Context(), c.Param("id"), input.UserGroupIds)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -466,7 +518,7 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}
-	user, err := uc.userService.UpdateUser(userID, input, updateOwnUser, false)
+	user, err := uc.userService.UpdateUser(c.Request.Context(), userID, input, updateOwnUser, false)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -47,6 +47,8 @@ type UserGroupController struct {
 // @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
 // @Router /api/user-groups [get]
 func (ugc *UserGroupController) list(c *gin.Context) {
 	ctx := c.Request.Context()
 	searchTerm := c.Query("search")
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
@@ -54,7 +56,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 		return
 	}
-	groups, pagination, err := ugc.UserGroupService.List(searchTerm, sortedPaginationRequest)
+	groups, pagination, err := ugc.UserGroupService.List(ctx, searchTerm, sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -68,7 +70,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 			_ = c.Error(err)
 			return
 		}
-		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(group.ID)
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(ctx, group.ID)
 		if err != nil {
 			_ = c.Error(err)
 			return
@@ -93,7 +95,7 @@ func (ugc *UserGroupController) list(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/user-groups/{id} [get]
 func (ugc *UserGroupController) get(c *gin.Context) {
-	group, err := ugc.UserGroupService.Get(c.Param("id"))
+	group, err := ugc.UserGroupService.Get(c.Request.Context(), c.Param("id"))
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -125,7 +127,7 @@ func (ugc *UserGroupController) create(c *gin.Context) {
 		return
 	}
-	group, err := ugc.UserGroupService.Create(input)
+	group, err := ugc.UserGroupService.Create(c.Request.Context(), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -158,7 +160,7 @@ func (ugc *UserGroupController) update(c *gin.Context) {
 		return
 	}
-	group, err := ugc.UserGroupService.Update(c.Param("id"), input, false)
+	group, err := ugc.UserGroupService.Update(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -184,7 +186,7 @@ func (ugc *UserGroupController) update(c *gin.Context) {
 // @Security BearerAuth
 // @Router /api/user-groups/{id} [delete]
 func (ugc *UserGroupController) delete(c *gin.Context) {
-	if err := ugc.UserGroupService.Delete(c.Param("id")); err != nil {
+	if err := ugc.UserGroupService.Delete(c.Request.Context(), c.Param("id")); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -210,7 +212,7 @@ func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 		return
 	}
-	group, err := ugc.UserGroupService.UpdateUsers(c.Param("id"), input.UserIDs)
+	group, err := ugc.UserGroupService.UpdateUsers(c.Request.Context(), c.Param("id"), input.UserIDs)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -37,7 +37,7 @@ type WebauthnController struct {
 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	options, err := wc.webAuthnService.BeginRegistration(userID)
+	options, err := wc.webAuthnService.BeginRegistration(c.Request.Context(), userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -55,7 +55,7 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 	}
 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -71,7 +71,7 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 }
 func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
-	options, err := wc.webAuthnService.BeginLogin()
+	options, err := wc.webAuthnService.BeginLogin(c.Request.Context())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -94,7 +94,7 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 		return
 	}
-	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
+	user, token, err := wc.webAuthnService.VerifyLogin(c.Request.Context(), sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -106,7 +106,7 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 		return
 	}
-	maxAge := int(wc.appConfigService.DbConfig.SessionDuration.AsDurationMinutes().Seconds())
+	maxAge := int(wc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
 	cookie.AddAccessTokenCookie(c, maxAge, token)
 	c.JSON(http.StatusOK, userDto)
@@ -114,7 +114,7 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	credentials, err := wc.webAuthnService.ListCredentials(c.Request.Context(), userID)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -133,7 +133,7 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")
-	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -152,7 +152,7 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 		return
 	}
-	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	credential, err := wc.webAuthnService.UpdateCredential(c.Request.Context(), userID, credentialID, input.Name)
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -74,8 +74,10 @@ func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 		"token_endpoint":                        appUrl + "/api/oidc/token",
 		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
 		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
 		"introspection_endpoint":                appUrl + "/api/oidc/introspect",
 		"device_authorization_endpoint":         appUrl + "/api/oidc/device/authorize",
 		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
-		"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
+		"grant_types_supported":                 []string{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"},
 		"scopes_supported":                      []string{"openid", "profile", "email", "groups"},
 		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
 		"response_types_supported":              []string{"code", "id_token"},
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -11,12 +11,13 @@ type ApiKeyCreateDto struct {
 }
 type ApiKeyDto struct {
-	ID          string             `json:"id"`
+	ID                  string             `json:"id"`
-	Name        string             `json:"name"`
+	Name                string             `json:"name"`
-	Description string             `json:"description"`
+	Description         string             `json:"description"`
-	ExpiresAt   datatype.DateTime  `json:"expiresAt"`
+	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
-	LastUsedAt  *datatype.DateTime `json:"lastUsedAt"`
+	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
-	CreatedAt   datatype.DateTime  `json:"createdAt"`
+	CreatedAt           datatype.DateTime  `json:"createdAt"`
 	ExpirationEmailSent bool               `json:"expirationEmailSent"`
 }
 type ApiKeyResponseDto struct {
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -12,35 +12,39 @@ type AppConfigVariableDto struct {
 }
 type AppConfigUpdateDto struct {
-	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
+	AppName                                    string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration                    string `json:"sessionDuration" binding:"required"`
+	SessionDuration                            string `json:"sessionDuration" binding:"required"`
-	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
+	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
-	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
+	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
-	SmtHost                            string `json:"smtpHost"`
+	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
-	SmtpPort                           string `json:"smtpPort"`
+	SmtpHost                                   string `json:"smtpHost"`
-	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpPort                                   string `json:"smtpPort"`
-	SmtpUser                           string `json:"smtpUser"`
+	SmtpFrom                                   string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpPassword                       string `json:"smtpPassword"`
+	SmtpUser                                   string `json:"smtpUser"`
-	SmtpTls                            string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpPassword                               string `json:"smtpPassword"`
-	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
+	SmtpTls                                    string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
-	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
+	SmtpSkipCertVerify                         string `json:"smtpSkipCertVerify"`
-	LdapUrl                            string `json:"ldapUrl"`
+	LdapEnabled                                string `json:"ldapEnabled" binding:"required"`
-	LdapBindDn                         string `json:"ldapBindDn"`
+	LdapUrl                                    string `json:"ldapUrl"`
-	LdapBindPassword                   string `json:"ldapBindPassword"`
+	LdapBindDn                                 string `json:"ldapBindDn"`
-	LdapBase                           string `json:"ldapBase"`
+	LdapBindPassword                           string `json:"ldapBindPassword"`
-	LdapUserSearchFilter               string `json:"ldapUserSearchFilter"`
+	LdapBase                                   string `json:"ldapBase"`
-	LdapUserGroupSearchFilter          string `json:"ldapUserGroupSearchFilter"`
+	LdapUserSearchFilter                       string `json:"ldapUserSearchFilter"`
-	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
+	LdapUserGroupSearchFilter                  string `json:"ldapUserGroupSearchFilter"`
-	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapSkipCertVerify                         string `json:"ldapSkipCertVerify"`
-	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserUniqueIdentifier          string `json:"ldapAttributeUserUniqueIdentifier"`
-	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserUsername                  string `json:"ldapAttributeUserUsername"`
-	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserEmail                     string `json:"ldapAttributeUserEmail"`
-	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserFirstName                 string `json:"ldapAttributeUserFirstName"`
-	LdapAttributeUserProfilePicture    string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeUserLastName                  string `json:"ldapAttributeUserLastName"`
-	LdapAttributeGroupMember           string `json:"ldapAttributeGroupMember"`
+	LdapAttributeUserProfilePicture            string `json:"ldapAttributeUserProfilePicture"`
-	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
-	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
+	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
-	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
+	LdapAttributeGroupName                     string `json:"ldapAttributeGroupName"`
-	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
+	LdapAttributeAdminGroup                    string `json:"ldapAttributeAdminGroup"`
-	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
+	LdapSoftDeleteUsers                        string `json:"ldapSoftDeleteUsers"`
 	EmailOneTimeAccessAsAdminEnabled           string `json:"emailOneTimeAccessAsAdminEnabled" binding:"required"`
 	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
 	EmailLoginNotificationEnabled              string `json:"emailLoginNotificationEnabled" binding:"required"`
 	EmailApiKeyExpirationEnabled               string `json:"emailApiKeyExpirationEnabled" binding:"required"`
 }
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -15,5 +15,12 @@ type AuditLogDto struct {
 	City      string              `json:"city"`
 	Device    string              `json:"device"`
 	UserID    string              `json:"userID"`
 	Username  string              `json:"username"`
 	Data      model.AuditLogData  `json:"data"`
 }
 type AuditLogFilterDto struct {
 	UserID     string `form:"filters[userId]"`
 	Event      string `form:"filters[event]"`
 	ClientName string `form:"filters[clientName]"`
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -49,12 +49,17 @@ type AuthorizationRequiredDto struct {
 type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
 	Code         string `form:"code"`
 	DeviceCode   string `form:"device_code"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
 	CodeVerifier string `form:"code_verifier"`
 	RefreshToken string `form:"refresh_token"`
 }
 type OidcIntrospectDto struct {
 	Token string `form:"token" binding:"required"`
 }
 type OidcUpdateAllowedUserGroupsDto struct {
 	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
 }
@@ -73,3 +78,45 @@ type OidcTokenResponseDto struct {
 	RefreshToken string `json:"refresh_token,omitempty"`
 	ExpiresIn    int    `json:"expires_in"`
 }
 type OidcIntrospectionResponseDto struct {
 	Active     bool     `json:"active"`
 	TokenType  string   `json:"token_type,omitempty"`
 	Scope      string   `json:"scope,omitempty"`
 	Expiration int64    `json:"exp,omitempty"`
 	IssuedAt   int64    `json:"iat,omitempty"`
 	NotBefore  int64    `json:"nbf,omitempty"`
 	Subject    string   `json:"sub,omitempty"`
 	Audience   []string `json:"aud,omitempty"`
 	Issuer     string   `json:"iss,omitempty"`
 	Identifier string   `json:"jti,omitempty"`
 }
 type OidcDeviceAuthorizationRequestDto struct {
 	ClientID     string `form:"client_id" binding:"required"`
 	Scope        string `form:"scope" binding:"required"`
 	ClientSecret string `form:"client_secret"`
 }
 type OidcDeviceAuthorizationResponseDto struct {
 	DeviceCode              string `json:"device_code"`
 	UserCode                string `json:"user_code"`
 	VerificationURI         string `json:"verification_uri"`
 	VerificationURIComplete string `json:"verification_uri_complete"`
 	ExpiresIn               int    `json:"expires_in"`
 	Interval                int    `json:"interval"`
 	RequiresAuthorization   bool   `json:"requires_authorization"`
 }
 type OidcDeviceTokenRequestDto struct {
 	GrantType    string `form:"grant_type" binding:"required,eq=urn:ietf:params:oauth:grant-type:device_code"`
 	DeviceCode   string `form:"device_code" binding:"required"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
 }
 type DeviceCodeInfoDto struct {
 	Scope                 string                `json:"scope"`
 	AuthorizationRequired bool                  `json:"authorizationRequired"`
 	Client                OidcClientMetaDataDto `json:"client"`
 }
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -13,15 +13,17 @@ type UserDto struct {
 	CustomClaims []CustomClaimDto `json:"customClaims"`
 	UserGroups   []UserGroupDto   `json:"userGroups"`
 	LdapID       *string          `json:"ldapId"`
 	Disabled     bool             `json:"disabled"`
 }
 type UserCreateDto struct {
 	Username  string  `json:"username" binding:"required,username,min=2,max=50"`
 	Email     string  `json:"email" binding:"required,email"`
 	FirstName string  `json:"firstName" binding:"required,min=1,max=50"`
-	LastName  string  `json:"lastName" binding:"required,min=1,max=50"`
+	LastName  string  `json:"lastName" binding:"max=50"`
 	IsAdmin   bool    `json:"isAdmin"`
 	Locale    *string `json:"locale"`
 	Disabled  bool    `json:"disabled"`
 	LdapID    string  `json:"-"`
 }
@@ -30,11 +32,15 @@ type OneTimeAccessTokenCreateDto struct {
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }
-type OneTimeAccessEmailDto struct {
+type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
 	Email        string `json:"email" binding:"required,email"`
 	RedirectPath string `json:"redirectPath"`
 }
 type OneTimeAccessEmailAsAdminDto struct {
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }
 type UserUpdateUserGroupDto struct {
 	UserGroupIds []string `json:"userGroupIds" binding:"required"`
 }
--- a/backend/internal/job/api_key_expiry_job.go
+++ b/backend/internal/job/api_key_expiry_job.go
@@ -0,0 +1,45 @@
 package job
 import (
 	"context"
 	"log"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 type ApiKeyEmailJobs struct {
 	apiKeyService    *service.ApiKeyService
 	appConfigService *service.AppConfigService
 }
 func (s *Scheduler) RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) error {
 	jobs := &ApiKeyEmailJobs{
 		apiKeyService:    apiKeyService,
 		appConfigService: appConfigService,
 	}
 	return s.registerJob(ctx, "ExpiredApiKeyEmailJob", "0 0 * * *", jobs.checkAndNotifyExpiringApiKeys)
 }
 func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
 	// Skip if the feature is disabled
 	if !j.appConfigService.GetDbConfig().EmailApiKeyExpirationEnabled.IsTrue() {
 		return nil
 	}
 	apiKeys, err := j.apiKeyService.ListExpiringApiKeys(ctx, 7)
 	if err != nil {
 		log.Printf("Failed to list expiring API keys: %v", err)
 		return err
 	}
 	for _, key := range apiKeys {
 		if key.User.Email == "" {
 			continue
 		}
 		if err := j.apiKeyService.SendApiKeyExpiringSoonEmail(ctx, key); err != nil {
 			log.Printf("Failed to send email for key %s: %v", key.ID, err)
 		}
 	}
 	return nil
 }
--- a/backend/internal/job/db_cleanup.go
+++ b/backend/internal/job/db_cleanup.go
@@ -1,76 +0,0 @@
 package job
 import (
 	"log"
 	"time"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 )
 func RegisterDbCleanupJobs(db *gorm.DB) {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)
 	}
 	jobs := &Jobs{db: db}
 	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
 	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
 	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
 	registerJob(scheduler, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens)
 	registerJob(scheduler, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs)
 	scheduler.Start()
 }
 type Jobs struct {
 	db *gorm.DB
 }
 // ClearWebauthnSessions deletes WebAuthn sessions that have expired
 func (j *Jobs) clearWebauthnSessions() error {
 	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
 }
 // ClearOneTimeAccessTokens deletes one-time access tokens that have expired
 func (j *Jobs) clearOneTimeAccessTokens() error {
 	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
 }
 // ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *Jobs) clearOidcAuthorizationCodes() error {
 	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
 }
 // ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *Jobs) clearOidcRefreshTokens() error {
 	return j.db.Delete(&model.OidcRefreshToken{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
 }
 // ClearAuditLogs deletes audit logs older than 90 days
 func (j *Jobs) clearAuditLogs() error {
 	return j.db.Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).Error
 }
 func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
 	_, err := scheduler.NewJob(
 		gocron.CronJob(interval, false),
 		gocron.NewTask(job),
 		gocron.WithEventListeners(
 			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
 				log.Printf("Job %q run successfully", name)
 			}),
 			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
 				log.Printf("Job %q failed with error: %v", name, err)
 			}),
 		),
 	)
 	if err != nil {
 		log.Fatalf("Failed to register job %q: %v", name, err)
 	}
 }
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -0,0 +1,68 @@
 package job
 import (
 	"context"
 	"errors"
 	"time"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 func (s *Scheduler) RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) error {
 	jobs := &DbCleanupJobs{db: db}
 	return errors.Join(
 		s.registerJob(ctx, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions),
 		s.registerJob(ctx, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens),
 		s.registerJob(ctx, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes),
 		s.registerJob(ctx, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens),
 		s.registerJob(ctx, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs),
 	)
 }
 type DbCleanupJobs struct {
 	db *gorm.DB
 }
 // ClearWebauthnSessions deletes WebAuthn sessions that have expired
 func (j *DbCleanupJobs) clearWebauthnSessions(ctx context.Context) error {
 	return j.db.
 		WithContext(ctx).
 		Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).
 		Error
 }
 // ClearOneTimeAccessTokens deletes one-time access tokens that have expired
 func (j *DbCleanupJobs) clearOneTimeAccessTokens(ctx context.Context) error {
 	return j.db.
 		WithContext(ctx).
 		Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
 		Error
 }
 // ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *DbCleanupJobs) clearOidcAuthorizationCodes(ctx context.Context) error {
 	return j.db.
 		WithContext(ctx).
 		Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).
 		Error
 }
 // ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *DbCleanupJobs) clearOidcRefreshTokens(ctx context.Context) error {
 	return j.db.
 		WithContext(ctx).
 		Delete(&model.OidcRefreshToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
 		Error
 }
 // ClearAuditLogs deletes audit logs older than 90 days
 func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
 	return j.db.
 		WithContext(ctx).
 		Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).
 		Error
 }
--- a/backend/internal/job/file_cleanup_job.go
+++ b/backend/internal/job/file_cleanup_job.go
@@ -0,0 +1,76 @@
 package job
 import (
 	"context"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"strings"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 )
 func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) error {
 	jobs := &FileCleanupJobs{db: db}
 	return s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", "0 2 * * 0", jobs.clearUnusedDefaultProfilePictures)
 }
 type FileCleanupJobs struct {
 	db *gorm.DB
 }
 // ClearUnusedDefaultProfilePictures deletes default profile pictures that don't match any user's initials
 func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context) error {
 	var users []model.User
 	err := j.db.
 		WithContext(ctx).
 		Find(&users).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to fetch users: %w", err)
 	}
 	// Create a map to track which initials are in use
 	initialsInUse := make(map[string]struct{})
 	for _, user := range users {
 		initialsInUse[user.Initials()] = struct{}{}
 	}
 	defaultPicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults"
 	if _, err := os.Stat(defaultPicturesDir); os.IsNotExist(err) {
 		return nil
 	}
 	files, err := os.ReadDir(defaultPicturesDir)
 	if err != nil {
 		return fmt.Errorf("failed to read default profile pictures directory: %w", err)
 	}
 	filesDeleted := 0
 	for _, file := range files {
 		if file.IsDir() {
 			continue // Skip directories
 		}
 		filename := file.Name()
 		initials := strings.TrimSuffix(filename, ".png")
 		// If these initials aren't used by any user, delete the file
 		if _, ok := initialsInUse[initials]; !ok {
 			filePath := filepath.Join(defaultPicturesDir, filename)
 			if err := os.Remove(filePath); err != nil {
 				log.Printf("Failed to delete unused default profile picture %s: %v", filePath, err)
 			} else {
 				filesDeleted++
 			}
 		}
 	}
 	log.Printf("Deleted %d unused default profile pictures", filesDeleted)
 	return nil
 }
--- a/backend/internal/job/geoloite_update_job.go
+++ b/backend/internal/job/geoloite_update_job.go
@@ -0,0 +1,45 @@
 package job
 import (
 	"context"
 	"log"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 type GeoLiteUpdateJobs struct {
 	geoLiteService *service.GeoLiteService
 }
 func (s *Scheduler) RegisterGeoLiteUpdateJobs(ctx context.Context, geoLiteService *service.GeoLiteService) error {
 	// Check if the service needs periodic updating
 	if geoLiteService.DisableUpdater() {
 		// Nothing to do
 		return nil
 	}
 	jobs := &GeoLiteUpdateJobs{geoLiteService: geoLiteService}
 	// Register the job to run every day, at 5 minutes past midnight
 	err := s.registerJob(ctx, "UpdateGeoLiteDB", "5 * */1 * *", jobs.updateGoeLiteDB)
 	if err != nil {
 		return err
 	}
 	// Run the job immediately on startup, with a 1s delay
 	go func() {
 		time.Sleep(time.Second)
 		err = jobs.updateGoeLiteDB(ctx)
 		if err != nil {
 			// Log the error only, but don't return it
 			log.Printf("Failed to Update GeoLite database: %v", err)
 		}
 	}()
 	return nil
 }
 func (j *GeoLiteUpdateJobs) updateGoeLiteDB(ctx context.Context) error {
 	return j.geoLiteService.UpdateDatabase(ctx)
 }
--- a/backend/internal/job/ldap_job.go
+++ b/backend/internal/job/ldap_job.go
@@ -1,9 +1,9 @@
 package job
 import (
 	"context"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
@@ -12,28 +12,29 @@ type LdapJobs struct {
 	appConfigService *service.AppConfigService
 }
-func RegisterLdapJobs(ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+func (s *Scheduler) RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) error {
 	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)
 	}
 	// Register the job to run every hour
-	registerJob(scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+	err := s.registerJob(ctx, "SyncLdap", "0 * * * *", jobs.syncLdap)
 	if err != nil {
 		return err
 	}
 	// Run the job immediately on startup
-	if err := jobs.syncLdap(); err != nil {
+	err = jobs.syncLdap(ctx)
-		log.Printf("Failed to sync LDAP: %s", err)
+	if err != nil {
 		// Log the error only, but don't return it
 		log.Printf("Failed to sync LDAP: %v", err)
 	}
 	scheduler.Start()
 }
 func (j *LdapJobs) syncLdap() error {
 	if j.appConfigService.DbConfig.LdapEnabled.IsTrue() {
 		return j.ldapService.SyncAll()
 	}
 	return nil
 }
 func (j *LdapJobs) syncLdap(ctx context.Context) error {
 	if !j.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
 		return nil
 	}
 	return j.ldapService.SyncAll(ctx)
 }
--- a/backend/internal/job/scheduler.go
+++ b/backend/internal/job/scheduler.go
@@ -0,0 +1,66 @@
 package job
 import (
 	"context"
 	"fmt"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/google/uuid"
 )
 type Scheduler struct {
 	scheduler gocron.Scheduler
 }
 func NewScheduler() (*Scheduler, error) {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create a new scheduler: %w", err)
 	}
 	return &Scheduler{
 		scheduler: scheduler,
 	}, nil
 }
 // Run the scheduler.
 // This function blocks until the context is canceled.
 func (s *Scheduler) Run(ctx context.Context) error {
 	log.Println("Starting job scheduler")
 	s.scheduler.Start()
 	// Block until context is canceled
 	<-ctx.Done()
 	err := s.scheduler.Shutdown()
 	if err != nil {
 		log.Printf("[WARN] Error shutting down job scheduler: %v", err)
 	} else {
 		log.Println("Job scheduler shut down")
 	}
 	return nil
 }
 func (s *Scheduler) registerJob(ctx context.Context, name string, interval string, job func(ctx context.Context) error) error {
 	_, err := s.scheduler.NewJob(
 		gocron.CronJob(interval, false),
 		gocron.NewTask(job),
 		gocron.WithContext(ctx),
 		gocron.WithEventListeners(
 			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
 				log.Printf("Job %q run successfully", name)
 			}),
 			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
 				log.Printf("Job %q failed with error: %v", name, err)
 			}),
 		),
 	)
 	if err != nil {
 		return fmt.Errorf("failed to register job %q: %w", name, err)
 	}
 	return nil
 }
--- a/backend/internal/middleware/api_key_auth.go
+++ b/backend/internal/middleware/api_key_auth.go
@@ -36,12 +36,15 @@ func (m *ApiKeyAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
 	apiKey := c.GetHeader("X-API-KEY")
-	user, err := m.apiKeyService.ValidateApiKey(apiKey)
+	user, err := m.apiKeyService.ValidateApiKey(c.Request.Context(), apiKey)
 	if err != nil {
 		return "", false, &common.NotSignedInError{}
 	}
-	// Check if the user is an admin
+	if user.Disabled {
 		return "", false, &common.UserDisabledError{}
 	}
 	if adminRequired && !user.IsAdmin {
 		return "", false, &common.MissingPermissionError{}
 	}
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -1,7 +1,10 @@
 package middleware
 import (
 	"errors"
 	"github.com/gin-gonic/gin"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
@@ -19,11 +22,12 @@ type AuthOptions struct {
 func NewAuthMiddleware(
 	apiKeyService *service.ApiKeyService,
 	userService *service.UserService,
 	jwtService *service.JwtService,
 ) *AuthMiddleware {
 	return &AuthMiddleware{
 		apiKeyMiddleware: NewApiKeyAuthMiddleware(apiKeyService, jwtService),
-		jwtMiddleware:    NewJwtAuthMiddleware(jwtService),
+		jwtMiddleware:    NewJwtAuthMiddleware(jwtService, userService),
 		options: AuthOptions{
 			AdminRequired:   true,
 			SuccessOptional: false,
@@ -57,22 +61,32 @@ func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// First try JWT auth
 		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
 			// JWT auth succeeded, continue with the request
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
 			if c.IsAborted() {
 				return
 			}
 			c.Next()
 			return
 		}
 		// If JWT auth failed and the error is not a NotSignedInError, abort the request
 		if !errors.Is(err, &common.NotSignedInError{}) {
 			c.Abort()
 			_ = c.Error(err)
 			return
 		}
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
 			// API key auth succeeded, continue with the request
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
 			if c.IsAborted() {
 				return
 			}
 			c.Next()
 			return
 		}
--- a/backend/internal/middleware/cors.go
+++ b/backend/internal/middleware/cors.go
@@ -16,9 +16,10 @@ func NewCorsMiddleware() *CorsMiddleware {
 func (m *CorsMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Allow all origins for the token endpoint
-		if c.FullPath() == "/api/oidc/token" {
+		switch c.FullPath() {
 		case "/api/oidc/token", "/api/oidc/introspect":
 			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
-		} else {
+		default:
 			c.Writer.Header().Set("Access-Control-Allow-Origin", common.EnvConfig.AppURL)
 		}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -10,11 +10,12 @@ import (
 )
 type JwtAuthMiddleware struct {
-	jwtService *service.JwtService
+	userService *service.UserService
 	jwtService  *service.JwtService
 }
-func NewJwtAuthMiddleware(jwtService *service.JwtService) *JwtAuthMiddleware {
+func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.UserService) *JwtAuthMiddleware {
-	return &JwtAuthMiddleware{jwtService: jwtService}
+	return &JwtAuthMiddleware{jwtService: jwtService, userService: userService}
 }
 func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
@@ -55,12 +56,16 @@ func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject
 		return
 	}
-	// Check if the user is an admin
+	user, err := m.userService.GetUser(c, subject)
 	isAdmin, err = service.GetIsAdmin(token)
 	if err != nil {
-		return "", false, &common.TokenInvalidError{}
+		return "", false, &common.NotSignedInError{}
 	}
-	if adminRequired && !isAdmin {
+
 	if user.Disabled {
 		return "", false, &common.UserDisabledError{}
 	}
 	if adminRequired && !user.IsAdmin {
 		return "", false, &common.MissingPermissionError{}
 	}
--- a/backend/internal/model/api_key.go
+++ b/backend/internal/model/api_key.go
@@ -5,11 +5,12 @@ import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 type ApiKey struct {
 	Base
-	Name        string `sortable:"true"`
+	Name                string `sortable:"true"`
-	Key         string
+	Key                 string
-	Description *string
+	Description         *string
-	ExpiresAt   datatype.DateTime  `sortable:"true"`
+	ExpiresAt           datatype.DateTime  `sortable:"true"`
-	LastUsedAt  *datatype.DateTime `sortable:"true"`
+	LastUsedAt          *datatype.DateTime `sortable:"true"`
 	ExpirationEmailSent bool
 	UserID string
 	User   User
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -1,17 +1,17 @@
 package model
 import (
 	"errors"
 	"fmt"
 	"reflect"
 	"strconv"
 	"strings"
 	"time"
 )
 type AppConfigVariable struct {
-	Key          string `gorm:"primaryKey;not null"`
+	Key   string `gorm:"primaryKey;not null"`
-	Type         string
+	Value string
 	IsPublic     bool
 	IsInternal   bool
 	Value        string
 	DefaultValue string
 }
 // IsTrue returns true if the value is a truthy string, such as "true", "t", "yes", "1", etc.
@@ -31,41 +31,159 @@ func (a *AppConfigVariable) AsDurationMinutes() time.Duration {
 type AppConfig struct {
 	// General
-	AppName             AppConfigVariable
+	AppName             AppConfigVariable `key:"appName,public"` // Public
-	SessionDuration     AppConfigVariable
+	SessionDuration     AppConfigVariable `key:"sessionDuration"`
-	EmailsVerified      AppConfigVariable
+	EmailsVerified      AppConfigVariable `key:"emailsVerified"`
-	AllowOwnAccountEdit AppConfigVariable
+	DisableAnimations   AppConfigVariable `key:"disableAnimations,public"`   // Public
 	AllowOwnAccountEdit AppConfigVariable `key:"allowOwnAccountEdit,public"` // Public
 	// Internal
-	BackgroundImageType AppConfigVariable
+	BackgroundImageType AppConfigVariable `key:"backgroundImageType,internal"` // Internal
-	LogoLightImageType  AppConfigVariable
+	LogoLightImageType  AppConfigVariable `key:"logoLightImageType,internal"`  // Internal
-	LogoDarkImageType   AppConfigVariable
+	LogoDarkImageType   AppConfigVariable `key:"logoDarkImageType,internal"`   // Internal
 	// Email
-	SmtpHost                      AppConfigVariable
+	SmtpHost                                   AppConfigVariable `key:"smtpHost"`
-	SmtpPort                      AppConfigVariable
+	SmtpPort                                   AppConfigVariable `key:"smtpPort"`
-	SmtpFrom                      AppConfigVariable
+	SmtpFrom                                   AppConfigVariable `key:"smtpFrom"`
-	SmtpUser                      AppConfigVariable
+	SmtpUser                                   AppConfigVariable `key:"smtpUser"`
-	SmtpPassword                  AppConfigVariable
+	SmtpPassword                               AppConfigVariable `key:"smtpPassword"`
-	SmtpTls                       AppConfigVariable
+	SmtpTls                                    AppConfigVariable `key:"smtpTls"`
-	SmtpSkipCertVerify            AppConfigVariable
+	SmtpSkipCertVerify                         AppConfigVariable `key:"smtpSkipCertVerify"`
-	EmailLoginNotificationEnabled AppConfigVariable
+	EmailLoginNotificationEnabled              AppConfigVariable `key:"emailLoginNotificationEnabled"`
-	EmailOneTimeAccessEnabled     AppConfigVariable
+	EmailOneTimeAccessAsUnauthenticatedEnabled AppConfigVariable `key:"emailOneTimeAccessAsUnauthenticatedEnabled,public"` // Public
 	EmailOneTimeAccessAsAdminEnabled           AppConfigVariable `key:"emailOneTimeAccessAsAdminEnabled,public"`           // Public
 	EmailApiKeyExpirationEnabled               AppConfigVariable `key:"emailApiKeyExpirationEnabled"`
 	// LDAP
-	LdapEnabled                        AppConfigVariable
+	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
-	LdapUrl                            AppConfigVariable
+	LdapUrl                            AppConfigVariable `key:"ldapUrl"`
-	LdapBindDn                         AppConfigVariable
+	LdapBindDn                         AppConfigVariable `key:"ldapBindDn"`
-	LdapBindPassword                   AppConfigVariable
+	LdapBindPassword                   AppConfigVariable `key:"ldapBindPassword"`
-	LdapBase                           AppConfigVariable
+	LdapBase                           AppConfigVariable `key:"ldapBase"`
-	LdapUserSearchFilter               AppConfigVariable
+	LdapUserSearchFilter               AppConfigVariable `key:"ldapUserSearchFilter"`
-	LdapUserGroupSearchFilter          AppConfigVariable
+	LdapUserGroupSearchFilter          AppConfigVariable `key:"ldapUserGroupSearchFilter"`
-	LdapSkipCertVerify                 AppConfigVariable
+	LdapSkipCertVerify                 AppConfigVariable `key:"ldapSkipCertVerify"`
-	LdapAttributeUserUniqueIdentifier  AppConfigVariable
+	LdapAttributeUserUniqueIdentifier  AppConfigVariable `key:"ldapAttributeUserUniqueIdentifier"`
-	LdapAttributeUserUsername          AppConfigVariable
+	LdapAttributeUserUsername          AppConfigVariable `key:"ldapAttributeUserUsername"`
-	LdapAttributeUserEmail             AppConfigVariable
+	LdapAttributeUserEmail             AppConfigVariable `key:"ldapAttributeUserEmail"`
-	LdapAttributeUserFirstName         AppConfigVariable
+	LdapAttributeUserFirstName         AppConfigVariable `key:"ldapAttributeUserFirstName"`
-	LdapAttributeUserLastName          AppConfigVariable
+	LdapAttributeUserLastName          AppConfigVariable `key:"ldapAttributeUserLastName"`
-	LdapAttributeUserProfilePicture    AppConfigVariable
+	LdapAttributeUserProfilePicture    AppConfigVariable `key:"ldapAttributeUserProfilePicture"`
-	LdapAttributeGroupMember           AppConfigVariable
+	LdapAttributeGroupMember           AppConfigVariable `key:"ldapAttributeGroupMember"`
-	LdapAttributeGroupUniqueIdentifier AppConfigVariable
+	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
-	LdapAttributeGroupName             AppConfigVariable
+	LdapAttributeGroupName             AppConfigVariable `key:"ldapAttributeGroupName"`
-	LdapAttributeAdminGroup            AppConfigVariable
+	LdapAttributeAdminGroup            AppConfigVariable `key:"ldapAttributeAdminGroup"`
 	LdapSoftDeleteUsers                AppConfigVariable `key:"ldapSoftDeleteUsers"`
 }
 func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
 	// Use reflection to iterate through all fields
 	cfgValue := reflect.ValueOf(c).Elem()
 	cfgType := cfgValue.Type()
 	var res []AppConfigVariable
 	for i := range cfgType.NumField() {
 		field := cfgType.Field(i)
 		key, attrs, _ := strings.Cut(field.Tag.Get("key"), ",")
 		if key == "" {
 			continue
 		}
 		// If we're only showing public variables and this is not public, skip it
 		if !showAll && attrs != "public" {
 			continue
 		}
 		fieldValue := cfgValue.Field(i)
 		appConfigVariable := AppConfigVariable{
 			Key:   key,
 			Value: fieldValue.FieldByName("Value").String(),
 		}
 		res = append(res, appConfigVariable)
 	}
 	return res
 }
 func (c *AppConfig) FieldByKey(key string) (string, error) {
 	rv := reflect.ValueOf(c).Elem()
 	rt := rv.Type()
 	// Find the field in the struct whose "key" tag matches
 	for i := range rt.NumField() {
 		// Grab only the first part of the key, if there's a comma with additional properties
 		tagValue, _, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
 		if tagValue != key {
 			continue
 		}
 		valueField := rv.Field(i).FieldByName("Value")
 		return valueField.String(), nil
 	}
 	// If we are here, the config key was not found
 	return "", AppConfigKeyNotFoundError{field: key}
 }
 func (c *AppConfig) UpdateField(key string, value string, noInternal bool) error {
 	rv := reflect.ValueOf(c).Elem()
 	rt := rv.Type()
 	// Find the field in the struct whose "key" tag matches, then update that
 	for i := range rt.NumField() {
 		// Separate the key (before the comma) from any optional attributes after
 		tagValue, attrs, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
 		if tagValue != key {
 			continue
 		}
 		// If the field is internal and noInternal is true, we skip that
 		if noInternal && attrs == "internal" {
 			return AppConfigInternalForbiddenError{field: key}
 		}
 		valueField := rv.Field(i).FieldByName("Value")
 		if !valueField.CanSet() {
 			return fmt.Errorf("field Value in AppConfigVariable is not settable for config key '%s'", key)
 		}
 		// Update the value
 		valueField.SetString(value)
 		// Return once updated
 		return nil
 	}
 	// If we're here, we have not found the right field to update
 	return AppConfigKeyNotFoundError{field: key}
 }
 type AppConfigKeyNotFoundError struct {
 	field string
 }
 func (e AppConfigKeyNotFoundError) Error() string {
 	return fmt.Sprintf("cannot find config key '%s'", e.field)
 }
 func (e AppConfigKeyNotFoundError) Is(target error) bool {
 	// Ignore the field property when checking if an error is of the type AppConfigKeyNotFoundError
 	x := AppConfigKeyNotFoundError{}
 	return errors.As(target, &x)
 }
 type AppConfigInternalForbiddenError struct {
 	field string
 }
 func (e AppConfigInternalForbiddenError) Error() string {
 	return fmt.Sprintf("field '%s' is internal and can't be updated", e.field)
 }
 func (e AppConfigInternalForbiddenError) Is(target error) bool {
 	// Ignore the field property when checking if an error is of the type AppConfigInternalForbiddenError
 	x := AppConfigInternalForbiddenError{}
 	return errors.As(target, &x)
 }
--- a/backend/internal/model/app_config_test.go
+++ b/backend/internal/model/app_config_test.go
@@ -1,10 +1,16 @@
-package model
+// We use model_test here to avoid an import cycle
 package model_test
 import (
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 )
 func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
@@ -48,7 +54,7 @@ func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			configVar := AppConfigVariable{
+			configVar := model.AppConfigVariable{
 				Value: tt.value,
 			}
@@ -58,3 +64,66 @@ func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
 		})
 	}
 }
 // This test ensures that the model.AppConfig and dto.AppConfigUpdateDto structs match:
 // - They should have the same properties, where the "json" tag of dto.AppConfigUpdateDto should match the "key" tag in model.AppConfig
 // - dto.AppConfigDto should not include "internal" fields from model.AppConfig
 // This test is primarily meant to catch discrepancies between the two structs as fields are added or removed over time
 func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
 	appConfigType := reflect.TypeOf(model.AppConfig{})
 	updateDtoType := reflect.TypeOf(dto.AppConfigUpdateDto{})
 	// Process AppConfig fields
 	appConfigFields := make(map[string]string)
 	for i := 0; i < appConfigType.NumField(); i++ {
 		field := appConfigType.Field(i)
 		if field.Tag.Get("key") == "" {
 			// Skip internal fields
 			continue
 		}
 		// Extract the key name from the tag (takes the part before any comma)
 		keyTag := field.Tag.Get("key")
 		keyName, _, _ := strings.Cut(keyTag, ",")
 		appConfigFields[field.Name] = keyName
 	}
 	// Process AppConfigUpdateDto fields
 	dtoFields := make(map[string]string)
 	for i := 0; i < updateDtoType.NumField(); i++ {
 		field := updateDtoType.Field(i)
 		// Extract the json name from the tag (takes the part before any binding constraints)
 		jsonTag := field.Tag.Get("json")
 		jsonName, _, _ := strings.Cut(jsonTag, ",")
 		dtoFields[jsonName] = field.Name
 	}
 	// Verify every AppConfig field has a matching DTO field with the same name
 	for fieldName, keyName := range appConfigFields {
 		if strings.HasSuffix(fieldName, "ImageType") {
 			// Skip internal fields that shouldn't be in the DTO
 			continue
 		}
 		// Check if there's a DTO field with a matching JSON tag
 		_, exists := dtoFields[keyName]
 		assert.True(t, exists, "Field %s with key '%s' in AppConfig has no matching field in AppConfigUpdateDto", fieldName, keyName)
 	}
 	// Verify every DTO field has a matching AppConfig field
 	for jsonName, fieldName := range dtoFields {
 		// Find a matching field in AppConfig by key tag
 		found := false
 		for _, keyName := range appConfigFields {
 			if keyName == jsonName {
 				found = true
 				break
 			}
 		}
 		assert.True(t, found, "Field %s with json tag '%s' in AppConfigUpdateDto has no matching field in AppConfig", fieldName, jsonName)
 	}
 }
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -3,7 +3,7 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
+	"fmt"
 )
 type AuditLog struct {
@@ -14,8 +14,11 @@ type AuditLog struct {
 	Country   string        `sortable:"true"`
 	City      string        `sortable:"true"`
 	UserAgent string        `sortable:"true"`
-	UserID    string
+	Username  string        `gorm:"-"`
 	Data      AuditLogData
 	UserID string
 	User   User
 }
 type AuditLogData map[string]string //nolint:recvcheck
@@ -23,15 +26,17 @@ type AuditLogData map[string]string //nolint:recvcheck
 type AuditLogEvent string //nolint:recvcheck
 const (
-	AuditLogEventSignIn                   AuditLogEvent = "SIGN_IN"
+	AuditLogEventSignIn                     AuditLogEvent = "SIGN_IN"
-	AuditLogEventOneTimeAccessTokenSignIn AuditLogEvent = "TOKEN_SIGN_IN"
+	AuditLogEventOneTimeAccessTokenSignIn   AuditLogEvent = "TOKEN_SIGN_IN"
-	AuditLogEventClientAuthorization      AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventClientAuthorization        AuditLogEvent = "CLIENT_AUTHORIZATION"
-	AuditLogEventNewClientAuthorization   AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization     AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 	AuditLogEventDeviceCodeAuthorization    AuditLogEvent = "DEVICE_CODE_AUTHORIZATION"
 	AuditLogEventNewDeviceCodeAuthorization AuditLogEvent = "NEW_DEVICE_CODE_AUTHORIZATION"
 )
 // Scan and Value methods for GORM to handle the custom type
-func (e *AuditLogEvent) Scan(value interface{}) error {
+func (e *AuditLogEvent) Scan(value any) error {
 	*e = AuditLogEvent(value.(string))
 	return nil
 }
@@ -40,11 +45,14 @@ func (e AuditLogEvent) Value() (driver.Value, error) {
 	return string(e), nil
 }
-func (d *AuditLogData) Scan(value interface{}) error {
+func (d *AuditLogData) Scan(value any) error {
-	if v, ok := value.([]byte); ok {
+	switch v := value.(type) {
 	case []byte:
 		return json.Unmarshal(v, d)
-	} else {
+	case string:
-		return errors.New("type assertion to []byte failed")
+		return json.Unmarshal([]byte(v), d)
 	default:
 		return fmt.Errorf("unsupported type: %T", value)
 	}
 }
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -3,7 +3,7 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
+	"fmt"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
@@ -74,13 +74,30 @@ func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 type UrlList []string //nolint:recvcheck
 func (cu *UrlList) Scan(value interface{}) error {
-	if v, ok := value.([]byte); ok {
+	switch v := value.(type) {
 	case []byte:
 		return json.Unmarshal(v, cu)
-	} else {
+	case string:
-		return errors.New("type assertion to []byte failed")
+		return json.Unmarshal([]byte(v), cu)
 	default:
 		return fmt.Errorf("unsupported type: %T", value)
 	}
 }
 func (cu UrlList) Value() (driver.Value, error) {
 	return json.Marshal(cu)
 }
 type OidcDeviceCode struct {
 	Base
 	DeviceCode   string
 	UserCode     string
 	Scope        string
 	ExpiresAt    datatype.DateTime
 	IsAuthorized bool
 	UserID   *string
 	User     User
 	ClientID string
 	Client   OidcClient
 }
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -1,9 +1,12 @@
 package model
 import (
 	"strings"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 type User struct {
@@ -16,6 +19,7 @@ type User struct {
 	IsAdmin   bool   `sortable:"true"`
 	Locale    *string
 	LdapID    *string
 	Disabled  bool `sortable:"true"`
 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
@@ -63,6 +67,15 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 func (u User) FullName() string { return u.FirstName + " " + u.LastName }
 func (u User) Initials() string {
 	first := utils.GetFirstCharacter(u.FirstName)
 	last := utils.GetFirstCharacter(u.LastName)
 	if first == "" && last == "" && len(u.Username) >= 2 {
 		return strings.ToUpper(u.Username[:2])
 	}
 	return strings.ToUpper(first + last)
 }
 type OneTimeAccessToken struct {
 	Base
 	Token     string
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -3,7 +3,7 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
+	"fmt"
 	"time"
 	"github.com/go-webauthn/webauthn/protocol"
@@ -49,11 +49,13 @@ type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvc
 // Scan and Value methods for GORM to handle the custom type
 func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
-
+	switch v := value.(type) {
-	if v, ok := value.([]byte); ok {
+	case []byte:
 		return json.Unmarshal(v, atl)
-	} else {
+	case string:
-		return errors.New("type assertion to []byte failed")
+		return json.Unmarshal([]byte(v), atl)
 	default:
 		return fmt.Errorf("unsupported type: %T", value)
 	}
 }
--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -1,29 +1,35 @@
 package service
 import (
 	"context"
 	"errors"
 	"log"
 	"time"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 )
 type ApiKeyService struct {
-	db *gorm.DB
+	db           *gorm.DB
 	emailService *EmailService
 }
-func NewApiKeyService(db *gorm.DB) *ApiKeyService {
+func NewApiKeyService(db *gorm.DB, emailService *EmailService) *ApiKeyService {
-	return &ApiKeyService{db: db}
+	return &ApiKeyService{db: db, emailService: emailService}
 }
-func (s *ApiKeyService) ListApiKeys(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
+func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
-	query := s.db.Where("user_id = ?", userID).Model(&model.ApiKey{})
+	query := s.db.
 		WithContext(ctx).
 		Where("user_id = ?", userID).
 		Model(&model.ApiKey{})
 	var apiKeys []model.ApiKey
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &apiKeys)
@@ -34,7 +40,7 @@ func (s *ApiKeyService) ListApiKeys(userID string, sortedPaginationRequest utils
 	return apiKeys, pagination, nil
 }
-func (s *ApiKeyService) CreateApiKey(userID string, input dto.ApiKeyCreateDto) (model.ApiKey, string, error) {
+func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input dto.ApiKeyCreateDto) (model.ApiKey, string, error) {
 	// Check if expiration is in the future
 	if !input.ExpiresAt.ToTime().After(time.Now()) {
 		return model.ApiKey{}, "", &common.APIKeyExpirationDateError{}
@@ -54,7 +60,11 @@ func (s *ApiKeyService) CreateApiKey(userID string, input dto.ApiKeyCreateDto) (
 		UserID:      userID,
 	}
-	if err := s.db.Create(&apiKey).Error; err != nil {
+	err = s.db.
 		WithContext(ctx).
 		Create(&apiKey).
 		Error
 	if err != nil {
 		return model.ApiKey{}, "", err
 	}
@@ -62,29 +72,44 @@ func (s *ApiKeyService) CreateApiKey(userID string, input dto.ApiKeyCreateDto) (
 	return apiKey, token, nil
 }
-func (s *ApiKeyService) RevokeApiKey(userID, apiKeyID string) error {
+func (s *ApiKeyService) RevokeApiKey(ctx context.Context, userID, apiKeyID string) error {
 	var apiKey model.ApiKey
-	if err := s.db.Where("id = ? AND user_id = ?", apiKeyID, userID).First(&apiKey).Error; err != nil {
+	err := s.db.
 		WithContext(ctx).
 		Where("id = ? AND user_id = ?", apiKeyID, userID).
 		Delete(&apiKey).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return &common.APIKeyNotFoundError{}
 		}
 		return err
 	}
-	return s.db.Delete(&apiKey).Error
+	return nil
 }
-func (s *ApiKeyService) ValidateApiKey(apiKey string) (model.User, error) {
+func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (model.User, error) {
 	if apiKey == "" {
 		return model.User{}, &common.NoAPIKeyProvidedError{}
 	}
-	var key model.ApiKey
+	now := time.Now()
 	hashedKey := utils.CreateSha256Hash(apiKey)
-	if err := s.db.Preload("User").Where("key = ? AND expires_at > ?",
+	var key model.ApiKey
-		hashedKey, datatype.DateTime(time.Now())).Preload("User").First(&key).Error; err != nil {
+	err := s.db.
-
+		WithContext(ctx).
 		Model(&model.ApiKey{}).
 		Clauses(clause.Returning{}).
 		Where("key = ? AND expires_at > ?", hashedKey, datatype.DateTime(now)).
 		Updates(&model.ApiKey{
 			LastUsedAt: utils.Ptr(datatype.DateTime(now)),
 		}).
 		Preload("User").
 		First(&key).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return model.User{}, &common.InvalidAPIKeyError{}
 		}
@@ -92,12 +117,49 @@ func (s *ApiKeyService) ValidateApiKey(apiKey string) (model.User, error) {
 		return model.User{}, err
 	}
 	// Update last used time
 	now := datatype.DateTime(time.Now())
 	key.LastUsedAt = &now
 	if err := s.db.Save(&key).Error; err != nil {
 		log.Printf("Failed to update last used time: %v", err)
 	}
 	return key.User, nil
 }
 func (s *ApiKeyService) ListExpiringApiKeys(ctx context.Context, daysAhead int) ([]model.ApiKey, error) {
 	var keys []model.ApiKey
 	now := time.Now()
 	cutoff := now.AddDate(0, 0, daysAhead)
 	err := s.db.
 		WithContext(ctx).
 		Preload("User").
 		Where("expires_at > ? AND expires_at <= ? AND expiration_email_sent = ?", datatype.DateTime(now), datatype.DateTime(cutoff), false).
 		Find(&keys).
 		Error
 	return keys, err
 }
 func (s *ApiKeyService) SendApiKeyExpiringSoonEmail(ctx context.Context, apiKey model.ApiKey) error {
 	user := apiKey.User
 	if user.ID == "" {
 		if err := s.db.WithContext(ctx).First(&user, "id = ?", apiKey.UserID).Error; err != nil {
 			return err
 		}
 	}
 	err := SendEmail(ctx, s.emailService, email.Address{
 		Name:  user.FullName(),
 		Email: user.Email,
 	}, ApiKeyExpiringSoonTemplate, &ApiKeyExpiringSoonTemplateData{
 		ApiKeyName: apiKey.Name,
 		ExpiresAt:  apiKey.ExpiresAt.ToTime(),
 		Name:       user.FirstName,
 	})
 	if err != nil {
 		return err
 	}
 	// Mark the API key as having had an expiration email sent
 	return s.db.WithContext(ctx).
 		Model(&model.ApiKey{}).
 		Where("id = ?", apiKey.ID).
 		Update("expiration_email_sent", true).
 		Error
 }
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -1,396 +1,426 @@
 package service
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
 	"mime/multipart"
 	"os"
 	"reflect"
 	"strings"
 	"sync/atomic"
 	"time"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 type AppConfigService struct {
-	DbConfig *model.AppConfig
+	dbConfig atomic.Pointer[model.AppConfig]
 	db       *gorm.DB
 }
-func NewAppConfigService(db *gorm.DB) *AppConfigService {
+func NewAppConfigService(initCtx context.Context, db *gorm.DB) *AppConfigService {
 	service := &AppConfigService{
-		DbConfig: &defaultDbConfig,
+		db: db,
 		db:       db,
 	}
-	if err := service.InitDbConfig(); err != nil {
+
 	err := service.LoadDbConfig(initCtx)
 	if err != nil {
 		log.Fatalf("Failed to initialize app config service: %v", err)
 	}
 	return service
 }
-var defaultDbConfig = model.AppConfig{
+// GetDbConfig returns the application configuration.
-	// General
+// Important: Treat the object as read-only: do not modify its properties directly!
-	AppName: model.AppConfigVariable{
+func (s *AppConfigService) GetDbConfig() *model.AppConfig {
-		Key:          "appName",
+	v := s.dbConfig.Load()
-		Type:         "string",
+	if v == nil {
-		IsPublic:     true,
+		// This indicates a development-time error
-		DefaultValue: "Pocket ID",
+		panic("called GetDbConfig before DbConfig is loaded")
-	},
+	}
-	SessionDuration: model.AppConfigVariable{
+
-		Key:          "sessionDuration",
+	return v
 		Type:         "number",
 		DefaultValue: "60",
 	},
 	EmailsVerified: model.AppConfigVariable{
 		Key:          "emailsVerified",
 		Type:         "bool",
 		DefaultValue: "false",
 	},
 	AllowOwnAccountEdit: model.AppConfigVariable{
 		Key:          "allowOwnAccountEdit",
 		Type:         "bool",
 		IsPublic:     true,
 		DefaultValue: "true",
 	},
 	// Internal
 	BackgroundImageType: model.AppConfigVariable{
 		Key:          "backgroundImageType",
 		Type:         "string",
 		IsInternal:   true,
 		DefaultValue: "jpg",
 	},
 	LogoLightImageType: model.AppConfigVariable{
 		Key:          "logoLightImageType",
 		Type:         "string",
 		IsInternal:   true,
 		DefaultValue: "svg",
 	},
 	LogoDarkImageType: model.AppConfigVariable{
 		Key:          "logoDarkImageType",
 		Type:         "string",
 		IsInternal:   true,
 		DefaultValue: "svg",
 	},
 	// Email
 	SmtpHost: model.AppConfigVariable{
 		Key:  "smtpHost",
 		Type: "string",
 	},
 	SmtpPort: model.AppConfigVariable{
 		Key:  "smtpPort",
 		Type: "number",
 	},
 	SmtpFrom: model.AppConfigVariable{
 		Key:  "smtpFrom",
 		Type: "string",
 	},
 	SmtpUser: model.AppConfigVariable{
 		Key:  "smtpUser",
 		Type: "string",
 	},
 	SmtpPassword: model.AppConfigVariable{
 		Key:  "smtpPassword",
 		Type: "string",
 	},
 	SmtpTls: model.AppConfigVariable{
 		Key:          "smtpTls",
 		Type:         "string",
 		DefaultValue: "none",
 	},
 	SmtpSkipCertVerify: model.AppConfigVariable{
 		Key:          "smtpSkipCertVerify",
 		Type:         "bool",
 		DefaultValue: "false",
 	},
 	EmailLoginNotificationEnabled: model.AppConfigVariable{
 		Key:          "emailLoginNotificationEnabled",
 		Type:         "bool",
 		DefaultValue: "false",
 	},
 	EmailOneTimeAccessEnabled: model.AppConfigVariable{
 		Key:          "emailOneTimeAccessEnabled",
 		Type:         "bool",
 		IsPublic:     true,
 		DefaultValue: "false",
 	},
 	// LDAP
 	LdapEnabled: model.AppConfigVariable{
 		Key:          "ldapEnabled",
 		Type:         "bool",
 		IsPublic:     true,
 		DefaultValue: "false",
 	},
 	LdapUrl: model.AppConfigVariable{
 		Key:  "ldapUrl",
 		Type: "string",
 	},
 	LdapBindDn: model.AppConfigVariable{
 		Key:  "ldapBindDn",
 		Type: "string",
 	},
 	LdapBindPassword: model.AppConfigVariable{
 		Key:  "ldapBindPassword",
 		Type: "string",
 	},
 	LdapBase: model.AppConfigVariable{
 		Key:  "ldapBase",
 		Type: "string",
 	},
 	LdapUserSearchFilter: model.AppConfigVariable{
 		Key:          "ldapUserSearchFilter",
 		Type:         "string",
 		DefaultValue: "(objectClass=person)",
 	},
 	LdapUserGroupSearchFilter: model.AppConfigVariable{
 		Key:          "ldapUserGroupSearchFilter",
 		Type:         "string",
 		DefaultValue: "(objectClass=groupOfNames)",
 	},
 	LdapSkipCertVerify: model.AppConfigVariable{
 		Key:          "ldapSkipCertVerify",
 		Type:         "bool",
 		DefaultValue: "false",
 	},
 	LdapAttributeUserUniqueIdentifier: model.AppConfigVariable{
 		Key:  "ldapAttributeUserUniqueIdentifier",
 		Type: "string",
 	},
 	LdapAttributeUserUsername: model.AppConfigVariable{
 		Key:  "ldapAttributeUserUsername",
 		Type: "string",
 	},
 	LdapAttributeUserEmail: model.AppConfigVariable{
 		Key:  "ldapAttributeUserEmail",
 		Type: "string",
 	},
 	LdapAttributeUserFirstName: model.AppConfigVariable{
 		Key:  "ldapAttributeUserFirstName",
 		Type: "string",
 	},
 	LdapAttributeUserLastName: model.AppConfigVariable{
 		Key:  "ldapAttributeUserLastName",
 		Type: "string",
 	},
 	LdapAttributeUserProfilePicture: model.AppConfigVariable{
 		Key:  "ldapAttributeUserProfilePicture",
 		Type: "string",
 	},
 	LdapAttributeGroupMember: model.AppConfigVariable{
 		Key:          "ldapAttributeGroupMember",
 		Type:         "string",
 		DefaultValue: "member",
 	},
 	LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
 		Key:  "ldapAttributeGroupUniqueIdentifier",
 		Type: "string",
 	},
 	LdapAttributeGroupName: model.AppConfigVariable{
 		Key:  "ldapAttributeGroupName",
 		Type: "string",
 	},
 	LdapAttributeAdminGroup: model.AppConfigVariable{
 		Key:  "ldapAttributeAdminGroup",
 		Type: "string",
 	},
 }
-func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
+func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 	// Values are the default ones
 	return &model.AppConfig{
 		// General
 		AppName:             model.AppConfigVariable{Value: "Pocket ID"},
 		SessionDuration:     model.AppConfigVariable{Value: "60"},
 		EmailsVerified:      model.AppConfigVariable{Value: "false"},
 		DisableAnimations:   model.AppConfigVariable{Value: "false"},
 		AllowOwnAccountEdit: model.AppConfigVariable{Value: "true"},
 		// Internal
 		BackgroundImageType: model.AppConfigVariable{Value: "jpg"},
 		LogoLightImageType:  model.AppConfigVariable{Value: "svg"},
 		LogoDarkImageType:   model.AppConfigVariable{Value: "svg"},
 		// Email
 		SmtpHost:                      model.AppConfigVariable{},
 		SmtpPort:                      model.AppConfigVariable{},
 		SmtpFrom:                      model.AppConfigVariable{},
 		SmtpUser:                      model.AppConfigVariable{},
 		SmtpPassword:                  model.AppConfigVariable{},
 		SmtpTls:                       model.AppConfigVariable{Value: "none"},
 		SmtpSkipCertVerify:            model.AppConfigVariable{Value: "false"},
 		EmailLoginNotificationEnabled: model.AppConfigVariable{Value: "false"},
 		EmailOneTimeAccessAsUnauthenticatedEnabled: model.AppConfigVariable{Value: "false"},
 		EmailOneTimeAccessAsAdminEnabled:           model.AppConfigVariable{Value: "false"},
 		EmailApiKeyExpirationEnabled:               model.AppConfigVariable{Value: "false"},
 		// LDAP
 		LdapEnabled:                        model.AppConfigVariable{Value: "false"},
 		LdapUrl:                            model.AppConfigVariable{},
 		LdapBindDn:                         model.AppConfigVariable{},
 		LdapBindPassword:                   model.AppConfigVariable{},
 		LdapBase:                           model.AppConfigVariable{},
 		LdapUserSearchFilter:               model.AppConfigVariable{Value: "(objectClass=person)"},
 		LdapUserGroupSearchFilter:          model.AppConfigVariable{Value: "(objectClass=groupOfNames)"},
 		LdapSkipCertVerify:                 model.AppConfigVariable{Value: "false"},
 		LdapAttributeUserUniqueIdentifier:  model.AppConfigVariable{},
 		LdapAttributeUserUsername:          model.AppConfigVariable{},
 		LdapAttributeUserEmail:             model.AppConfigVariable{},
 		LdapAttributeUserFirstName:         model.AppConfigVariable{},
 		LdapAttributeUserLastName:          model.AppConfigVariable{},
 		LdapAttributeUserProfilePicture:    model.AppConfigVariable{},
 		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
 		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
 		LdapAttributeGroupName:             model.AppConfigVariable{},
 		LdapAttributeAdminGroup:            model.AppConfigVariable{},
 		LdapSoftDeleteUsers:                model.AppConfigVariable{Value: "true"},
 	}
 }
 func (s *AppConfigService) updateAppConfigStartTransaction(ctx context.Context) (tx *gorm.DB, err error) {
 	// We start a transaction before doing any work, to ensure that we are the only ones updating the data in the database
 	// This works across multiple processes too
 	tx = s.db.Begin()
 	err = tx.Error
 	if err != nil {
 		return nil, fmt.Errorf("failed to begin database transaction: %w", err)
 	}
 	// With SQLite there's nothing else we need to do, because a transaction blocks the entire database
 	// However, with Postgres we need to manually lock the table to prevent others from doing the same
 	switch s.db.Name() {
 	case "postgres":
 		// We do not use "NOWAIT" so this blocks until the database is available, or the context is canceled
 		// Here we use a context with a 10s timeout in case the database is blocked for longer
 		lockCtx, lockCancel := context.WithTimeout(ctx, 10*time.Second)
 		defer lockCancel()
 		err = tx.
 			WithContext(lockCtx).
 			Exec("LOCK TABLE app_config_variables IN ACCESS EXCLUSIVE MODE").
 			Error
 		if err != nil {
 			tx.Rollback()
 			return nil, fmt.Errorf("failed to acquire lock on app_config_variables table: %w", err)
 		}
 	default:
 		// Nothing to do here
 	}
 	return tx, nil
 }
 func (s *AppConfigService) updateAppConfigUpdateDatabase(ctx context.Context, tx *gorm.DB, dbUpdate *[]model.AppConfigVariable) error {
 	err := tx.
 		WithContext(ctx).
 		Clauses(clause.OnConflict{
 			// Perform an "upsert" if the key already exists, replacing the value
 			Columns:   []clause.Column{{Name: "key"}},
 			DoUpdates: clause.AssignmentColumns([]string{"value"}),
 		}).
 		Create(&dbUpdate).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to update config in database: %w", err)
 	}
 	return nil
 }
 func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
 	if common.EnvConfig.UiConfigDisabled {
 		return nil, &common.UiConfigDisabledError{}
 	}
-	tx := s.db.Begin()
+	// Start the transaction
-	rt := reflect.ValueOf(input).Type()
+	tx, err := s.updateAppConfigStartTransaction(ctx)
-	rv := reflect.ValueOf(input)
+	if err != nil {
 		return nil, err
 	}
 	defer func() {
 		tx.Rollback()
 	}()
-	var savedConfigVariables []model.AppConfigVariable
+	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
-	for i := 0; i < rt.NumField(); i++ {
+	// Re-load the config from the database to be sure we have the correct data
-		field := rt.Field(i)
+	cfg, err := s.loadDbConfigInternal(ctx, tx)
-		key := field.Tag.Get("json")
+	if err != nil {
-		value := rv.FieldByName(field.Name).String()
+		return nil, fmt.Errorf("failed to reload config from database: %w", err)
 		// If the emailEnabled is set to false, disable the emailOneTimeAccessEnabled
 		if key == s.DbConfig.EmailOneTimeAccessEnabled.Key {
 			if rv.FieldByName("EmailEnabled").String() == "false" {
 				value = "false"
 			}
 		}
 		var appConfigVariable model.AppConfigVariable
 		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
 			tx.Rollback()
 			return nil, err
 		}
 		appConfigVariable.Value = value
 		if err := tx.Save(&appConfigVariable).Error; err != nil {
 			tx.Rollback()
 			return nil, err
 		}
 		savedConfigVariables = append(savedConfigVariables, appConfigVariable)
 	}
-	tx.Commit()
+	defaultCfg := s.getDefaultDbConfig()
-	if err := s.LoadDbConfigFromDb(); err != nil {
+	// Iterate through all the fields to update
 	// We update the in-memory data (in the cfg struct) and collect values to update in the database
 	rt := reflect.ValueOf(input).Type()
 	rv := reflect.ValueOf(input)
 	dbUpdate := make([]model.AppConfigVariable, 0, rt.NumField())
 	for i := range rt.NumField() {
 		field := rt.Field(i)
 		value := rv.FieldByName(field.Name).String()
 		// Get the value of the json tag, taking only what's before the comma
 		key, _, _ := strings.Cut(field.Tag.Get("json"), ",")
 		// Update the in-memory config value
 		// If the new value is an empty string, then we set the in-memory value to the default one
 		// Skip values that are internal only and can't be updated
 		if value == "" {
 			// Ignore errors here as we know the key exists
 			defaultValue, _ := defaultCfg.FieldByKey(key)
 			err = cfg.UpdateField(key, defaultValue, true)
 		} else {
 			err = cfg.UpdateField(key, value, true)
 		}
 		// If we tried to update an internal field, ignore the error (and do not update in the DB)
 		if errors.Is(err, model.AppConfigInternalForbiddenError{}) {
 			continue
 		} else if err != nil {
 			return nil, fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
 		}
 		// We always save "value" which can be an empty string
 		dbUpdate = append(dbUpdate, model.AppConfigVariable{
 			Key:   key,
 			Value: value,
 		})
 	}
 	// Update the values in the database
 	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
 	if err != nil {
 		return nil, err
 	}
-	return savedConfigVariables, nil
+	// Commit the changes to the DB, then finally save the updated config in the object
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, fmt.Errorf("failed to commit transaction: %w", err)
 	}
 	s.dbConfig.Store(cfg)
 	// Return the updated config
 	res := cfg.ToAppConfigVariableSlice(true)
 	return res, nil
 }
-func (s *AppConfigService) UpdateImageType(imageName string, fileType string) error {
+// UpdateAppConfigValues
-	key := fmt.Sprintf("%sImageType", imageName)
+func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndValues ...string) error {
-	err := s.db.Model(&model.AppConfigVariable{}).Where("key = ?", key).Update("value", fileType).Error
+	if common.EnvConfig.UiConfigDisabled {
 		return &common.UiConfigDisabledError{}
 	}
 	// Count of keysAndValues must be even
 	if len(keysAndValues)%2 != 0 {
 		return errors.New("invalid number of arguments received")
 	}
 	// Start the transaction
 	tx, err := s.updateAppConfigStartTransaction(ctx)
 	if err != nil {
 		return err
 	}
 	defer func() {
 		tx.Rollback()
 	}()
 	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
 	// Re-load the config from the database to be sure we have the correct data
 	cfg, err := s.loadDbConfigInternal(ctx, tx)
 	if err != nil {
 		return fmt.Errorf("failed to reload config from database: %w", err)
 	}
 	defaultCfg := s.getDefaultDbConfig()
 	// Iterate through all the fields to update
 	// We update the in-memory data (in the cfg struct) and collect values to update in the database
 	// (Note the += 2, as we are iterating through key-value pairs)
 	dbUpdate := make([]model.AppConfigVariable, 0, len(keysAndValues)/2)
 	for i := 0; i < len(keysAndValues); i += 2 {
 		key := keysAndValues[i]
 		value := keysAndValues[i+1]
 		// Ensure that the field is valid
 		// We do this by grabbing the default value
 		var defaultValue string
 		defaultValue, err = defaultCfg.FieldByKey(key)
 		if err != nil {
 			return fmt.Errorf("invalid configuration key '%s': %w", key, err)
 		}
 		// Update the in-memory config value
 		// If the new value is an empty string, then we set the in-memory value to the default one
 		// Skip values that are internal only and can't be updated
 		if value == "" {
 			err = cfg.UpdateField(key, defaultValue, false)
 		} else {
 			err = cfg.UpdateField(key, value, false)
 		}
 		if err != nil {
 			return fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
 		}
 		// We always save "value" which can be an empty string
 		dbUpdate = append(dbUpdate, model.AppConfigVariable{
 			Key:   key,
 			Value: value,
 		})
 	}
 	// Update the values in the database
 	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
 	if err != nil {
 		return err
 	}
-	return s.LoadDbConfigFromDb()
+	// Commit the changes to the DB, then finally save the updated config in the object
-}
+	err = tx.Commit().Error
 func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariable, error) {
 	var configuration []model.AppConfigVariable
 	var err error
 	if showAll {
 		err = s.db.Find(&configuration).Error
 	} else {
 		err = s.db.Find(&configuration, "is_public = true").Error
 	}
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to commit transaction: %w", err)
 	}
-	for i := range configuration {
+	s.dbConfig.Store(cfg)
 		if common.EnvConfig.UiConfigDisabled {
 			// Set the value to the environment variable if the UI config is disabled
 			configuration[i].Value = s.getConfigVariableFromEnvironmentVariable(configuration[i].Key, configuration[i].DefaultValue)
-		} else if configuration[i].Value == "" && configuration[i].DefaultValue != "" {
+	return nil
 			// Set the value to the default value if it is empty
 			configuration[i].Value = configuration[i].DefaultValue
 		}
 	}
 	return configuration, nil
 }
-func (s *AppConfigService) UpdateImage(uploadedFile *multipart.FileHeader, imageName string, oldImageType string) error {
+func (s *AppConfigService) ListAppConfig(showAll bool) []model.AppConfigVariable {
 	return s.GetDbConfig().ToAppConfigVariableSlice(showAll)
 }
 func (s *AppConfigService) UpdateImage(ctx context.Context, uploadedFile *multipart.FileHeader, imageName string, oldImageType string) (err error) {
 	fileType := utils.GetFileExtension(uploadedFile.Filename)
 	mimeType := utils.GetImageMimeType(fileType)
 	if mimeType == "" {
 		return &common.FileTypeNotSupportedError{}
 	}
-	// Delete the old image if it has a different file type
+	// Save the updated image
 	imagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + fileType
 	err = utils.SaveFile(uploadedFile, imagePath)
 	if err != nil {
 		return err
 	}
 	// Delete the old image if it has a different file type, then update the type in the database
 	if fileType != oldImageType {
-		oldImagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, oldImageType)
+		oldImagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + oldImageType
-		if err := os.Remove(oldImagePath); err != nil {
+		err = os.Remove(oldImagePath)
 		if err != nil {
 			return err
 		}
 	}
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, fileType)
+		// Update the file type in the database
-	if err := utils.SaveFile(uploadedFile, imagePath); err != nil {
+		err = s.UpdateAppConfigValues(ctx, imageName+"ImageType", fileType)
-		return err
+		if err != nil {
-	}
+			return err
 		}
 	// Update the file type in the database
 	if err := s.UpdateImageType(imageName, fileType); err != nil {
 		return err
 	}
 	return nil
 }
-// InitDbConfig creates the default configuration values in the database if they do not exist,
+// LoadDbConfig loads the configuration values from the database into the DbConfig struct.
-// updates existing configurations if they differ from the default, and deletes any configurations
+func (s *AppConfigService) LoadDbConfig(ctx context.Context) (err error) {
-// that are not in the default configuration.
+	var dest *model.AppConfig
 func (s *AppConfigService) InitDbConfig() error {
 	// Reflect to get the underlying value of DbConfig and its default configuration
 	defaultConfigReflectValue := reflect.ValueOf(defaultDbConfig)
 	defaultKeys := make(map[string]struct{})
-	// Iterate over the fields of DbConfig
+	// If the UI config is disabled, only load from the env
-	for i := 0; i < defaultConfigReflectValue.NumField(); i++ {
+	if common.EnvConfig.UiConfigDisabled {
-		defaultConfigVar := defaultConfigReflectValue.Field(i).Interface().(model.AppConfigVariable)
+		dest, err = s.loadDbConfigFromEnv()
 	} else {
 		dest, err = s.loadDbConfigInternal(ctx, s.db)
 	}
 	if err != nil {
 		return err
 	}
-		defaultKeys[defaultConfigVar.Key] = struct{}{}
+	// Update the value in the object
 	s.dbConfig.Store(dest)
-		var storedConfigVar model.AppConfigVariable
+	return nil
-		if err := s.db.First(&storedConfigVar, "key = ?", defaultConfigVar.Key).Error; err != nil {
+}
-			// If the configuration does not exist, create it
+
-			if err := s.db.Create(&defaultConfigVar).Error; err != nil {
+func (s *AppConfigService) loadDbConfigFromEnv() (*model.AppConfig, error) {
-				return err
+	// First, start from the default configuration
-			}
+	dest := s.getDefaultDbConfig()
 	// Iterate through each field
 	rt := reflect.ValueOf(dest).Elem().Type()
 	rv := reflect.ValueOf(dest).Elem()
 	for i := range rt.NumField() {
 		field := rt.Field(i)
 		// Get the value of the key tag, taking only what's before the comma
 		// The env var name is the key converted to SCREAMING_SNAKE_CASE
 		key, _, _ := strings.Cut(field.Tag.Get("key"), ",")
 		envVarName := utils.CamelCaseToScreamingSnakeCase(key)
 		// Set the value if it's set
 		value, ok := os.LookupEnv(envVarName)
 		if ok {
 			rv.Field(i).FieldByName("Value").SetString(value)
 		}
 	}
 	return dest, nil
 }
 func (s *AppConfigService) loadDbConfigInternal(ctx context.Context, tx *gorm.DB) (*model.AppConfig, error) {
 	// First, start from the default configuration
 	dest := s.getDefaultDbConfig()
 	// Load all configuration values from the database
 	// This loads all values in a single shot
 	loaded := []model.AppConfigVariable{}
 	queryCtx, queryCancel := context.WithTimeout(ctx, 10*time.Second)
 	defer queryCancel()
 	err := tx.
 		WithContext(queryCtx).
 		Find(&loaded).Error
 	if err != nil {
 		return nil, fmt.Errorf("failed to load configuration from the database: %w", err)
 	}
 	// Iterate through all values loaded from the database
 	for _, v := range loaded {
 		// If the value is empty, it means we are using the default value
 		if v.Value == "" {
 			continue
 		}
-		// Update existing configuration if it differs from the default
+		// Find the field in the struct whose "key" tag matches, then update that
-		if storedConfigVar.Type != defaultConfigVar.Type || storedConfigVar.IsPublic != defaultConfigVar.IsPublic || storedConfigVar.IsInternal != defaultConfigVar.IsInternal || storedConfigVar.DefaultValue != defaultConfigVar.DefaultValue {
+		err = dest.UpdateField(v.Key, v.Value, false)
-			storedConfigVar.Type = defaultConfigVar.Type
+
-			storedConfigVar.IsPublic = defaultConfigVar.IsPublic
+		// We ignore the case of fields that don't exist, as there may be leftover data in the database
-			storedConfigVar.IsInternal = defaultConfigVar.IsInternal
+		if err != nil && !errors.Is(err, model.AppConfigKeyNotFoundError{}) {
-			storedConfigVar.DefaultValue = defaultConfigVar.DefaultValue
+			return nil, fmt.Errorf("failed to process config for key '%s': %w", v.Key, err)
 			if err := s.db.Save(&storedConfigVar).Error; err != nil {
 				return err
 			}
 		}
 	}
-	// Delete any configurations not in the default keys
+	return dest, nil
 	var allConfigVars []model.AppConfigVariable
 	if err := s.db.Find(&allConfigVars).Error; err != nil {
 		return err
 	}
 	for _, config := range allConfigVars {
 		if _, exists := defaultKeys[config.Key]; !exists {
 			if err := s.db.Delete(&config).Error; err != nil {
 				return err
 			}
 		}
 	}
 	return s.LoadDbConfigFromDb()
 }
 // LoadDbConfigFromDb loads the configuration values from the database into the DbConfig struct.
 func (s *AppConfigService) LoadDbConfigFromDb() error {
 	dbConfigReflectValue := reflect.ValueOf(s.DbConfig).Elem()
 	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
 		dbConfigField := dbConfigReflectValue.Field(i)
 		currentConfigVar := dbConfigField.Interface().(model.AppConfigVariable)
 		var storedConfigVar model.AppConfigVariable
 		if err := s.db.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
 			return err
 		}
 		if common.EnvConfig.UiConfigDisabled {
 			storedConfigVar.Value = s.getConfigVariableFromEnvironmentVariable(currentConfigVar.Key, storedConfigVar.DefaultValue)
 		} else if storedConfigVar.Value == "" && storedConfigVar.DefaultValue != "" {
 			storedConfigVar.Value = storedConfigVar.DefaultValue
 		}
 		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
 	}
 	return nil
 }
 func (s *AppConfigService) getConfigVariableFromEnvironmentVariable(key, fallbackValue string) string {
 	environmentVariableName := utils.CamelCaseToScreamingSnakeCase(key)
 	if value, exists := os.LookupEnv(environmentVariableName); exists {
 		return value
 	}
 	return fallbackValue
 }
--- a/backend/internal/service/app_config_service_test.go
+++ b/backend/internal/service/app_config_service_test.go
@@ -0,0 +1,523 @@
 package service
 import (
 	"sync/atomic"
 	"testing"
 	"time"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/stretchr/testify/require"
 )
 // NewTestAppConfigService is a function used by tests to create AppConfigService objects with pre-defined configuration values
 func NewTestAppConfigService(config *model.AppConfig) *AppConfigService {
 	service := &AppConfigService{
 		dbConfig: atomic.Pointer[model.AppConfig]{},
 	}
 	service.dbConfig.Store(config)
 	return service
 }
 func TestLoadDbConfig(t *testing.T) {
 	t.Run("empty config table", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		service := &AppConfigService{
 			db: db,
 		}
 		// Load the config
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Config should be equal to default config
 		require.Equal(t, service.GetDbConfig(), service.getDefaultDbConfig())
 	})
 	t.Run("loads value from config table", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Populate the config table with some initial values
 		err := db.
 			Create([]model.AppConfigVariable{
 				// Should be set to the default value because it's an empty string
 				{Key: "appName", Value: ""},
 				// Overrides default value
 				{Key: "sessionDuration", Value: "5"},
 				// Does not have a default value
 				{Key: "smtpHost", Value: "example"},
 			}).
 			Error
 		require.NoError(t, err)
 		// Load the config
 		service := &AppConfigService{
 			db: db,
 		}
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Values should match expected ones
 		expect := service.getDefaultDbConfig()
 		expect.SessionDuration.Value = "5"
 		expect.SmtpHost.Value = "example"
 		require.Equal(t, service.GetDbConfig(), expect)
 	})
 	t.Run("ignores unknown config keys", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Add an entry with a key that doesn't exist in the config struct
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "__nonExistentKey", Value: "some value"},
 			{Key: "appName", Value: "TestApp"}, // This one should still be loaded
 		}).Error
 		require.NoError(t, err)
 		service := &AppConfigService{
 			db: db,
 		}
 		// This should not fail, just ignore the unknown key
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		config := service.GetDbConfig()
 		require.Equal(t, "TestApp", config.AppName.Value)
 	})
 	t.Run("loading config multiple times", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Initial state
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "appName", Value: "InitialApp"},
 		}).Error
 		require.NoError(t, err)
 		service := &AppConfigService{
 			db: db,
 		}
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		require.Equal(t, "InitialApp", service.GetDbConfig().AppName.Value)
 		// Update the database value
 		err = db.Model(&model.AppConfigVariable{}).
 			Where("key = ?", "appName").
 			Update("value", "UpdatedApp").Error
 		require.NoError(t, err)
 		// Load the config again, it should reflect the updated value
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		require.Equal(t, "UpdatedApp", service.GetDbConfig().AppName.Value)
 	})
 	t.Run("loads config from env when UiConfigDisabled is true", func(t *testing.T) {
 		// Save the original state and restore it after the test
 		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
 		defer func() {
 			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
 		}()
 		// Set environment variables for testing
 		t.Setenv("APP_NAME", "EnvTest App")
 		t.Setenv("SESSION_DURATION", "45")
 		// Enable UiConfigDisabled to load from env
 		common.EnvConfig.UiConfigDisabled = true
 		// Create database with config that should be ignored
 		db := newAppConfigTestDatabaseForTest(t)
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "appName", Value: "DB App"},
 			{Key: "sessionDuration", Value: "120"},
 		}).Error
 		require.NoError(t, err)
 		service := &AppConfigService{
 			db: db,
 		}
 		// Load the config
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Config should be loaded from env, not DB
 		config := service.GetDbConfig()
 		require.Equal(t, "EnvTest App", config.AppName.Value, "Should load appName from env")
 		require.Equal(t, "45", config.SessionDuration.Value, "Should load sessionDuration from env")
 	})
 	t.Run("ignores env vars when UiConfigDisabled is false", func(t *testing.T) {
 		// Save the original state and restore it after the test
 		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
 		defer func() {
 			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
 		}()
 		// Set environment variables that should be ignored
 		t.Setenv("APP_NAME", "EnvTest App")
 		t.Setenv("SESSION_DURATION", "45")
 		// Make sure UiConfigDisabled is false to load from DB
 		common.EnvConfig.UiConfigDisabled = false
 		// Create database with config values that should take precedence
 		db := newAppConfigTestDatabaseForTest(t)
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "appName", Value: "DB App"},
 			{Key: "sessionDuration", Value: "120"},
 		}).Error
 		require.NoError(t, err)
 		service := &AppConfigService{
 			db: db,
 		}
 		// Load the config
 		err = service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Config should be loaded from DB, not env
 		config := service.GetDbConfig()
 		require.Equal(t, "DB App", config.AppName.Value, "Should load appName from DB, not env")
 		require.Equal(t, "120", config.SessionDuration.Value, "Should load sessionDuration from DB, not env")
 	})
 }
 func TestUpdateAppConfigValues(t *testing.T) {
 	t.Run("update single value", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Update a single config value
 		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App")
 		require.NoError(t, err)
 		// Verify in-memory config was updated
 		config := service.GetDbConfig()
 		require.Equal(t, "Test App", config.AppName.Value)
 		// Verify database was updated
 		var dbValue model.AppConfigVariable
 		err = db.Where("key = ?", "appName").First(&dbValue).Error
 		require.NoError(t, err)
 		require.Equal(t, "Test App", dbValue.Value)
 	})
 	t.Run("update multiple values", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Update multiple config values
 		err = service.UpdateAppConfigValues(
 			t.Context(),
 			"appName", "Test App",
 			"sessionDuration", "30",
 			"smtpHost", "mail.example.com",
 		)
 		require.NoError(t, err)
 		// Verify in-memory config was updated
 		config := service.GetDbConfig()
 		require.Equal(t, "Test App", config.AppName.Value)
 		require.Equal(t, "30", config.SessionDuration.Value)
 		require.Equal(t, "mail.example.com", config.SmtpHost.Value)
 		// Verify database was updated
 		var count int64
 		db.Model(&model.AppConfigVariable{}).Count(&count)
 		require.Equal(t, int64(3), count)
 		var appName, sessionDuration, smtpHost model.AppConfigVariable
 		err = db.Where("key = ?", "appName").First(&appName).Error
 		require.NoError(t, err)
 		require.Equal(t, "Test App", appName.Value)
 		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
 		require.NoError(t, err)
 		require.Equal(t, "30", sessionDuration.Value)
 		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
 		require.NoError(t, err)
 		require.Equal(t, "mail.example.com", smtpHost.Value)
 	})
 	t.Run("empty value resets to default", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// First change the value
 		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "30")
 		require.NoError(t, err)
 		require.Equal(t, "30", service.GetDbConfig().SessionDuration.Value)
 		// Now set it to empty which should use default value
 		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "")
 		require.NoError(t, err)
 		require.Equal(t, "60", service.GetDbConfig().SessionDuration.Value) // Default value from getDefaultDbConfig
 	})
 	t.Run("error with odd number of arguments", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Try to update with odd number of arguments
 		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App", "sessionDuration")
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "invalid number of arguments")
 	})
 	t.Run("error with invalid key", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Try to update with invalid key
 		err = service.UpdateAppConfigValues(t.Context(), "nonExistentKey", "some value")
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "invalid configuration key")
 	})
 }
 func TestUpdateAppConfig(t *testing.T) {
 	t.Run("updates configuration values from DTO", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Create update DTO
 		input := dto.AppConfigUpdateDto{
 			AppName:         "Updated App Name",
 			SessionDuration: "120",
 			SmtpHost:        "smtp.example.com",
 			SmtpPort:        "587",
 		}
 		// Update config
 		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
 		require.NoError(t, err)
 		// Verify returned updated variables
 		require.NotEmpty(t, updatedVars)
 		var foundAppName, foundSessionDuration, foundSmtpHost, foundSmtpPort bool
 		for _, v := range updatedVars {
 			switch v.Key {
 			case "appName":
 				require.Equal(t, "Updated App Name", v.Value)
 				foundAppName = true
 			case "sessionDuration":
 				require.Equal(t, "120", v.Value)
 				foundSessionDuration = true
 			case "smtpHost":
 				require.Equal(t, "smtp.example.com", v.Value)
 				foundSmtpHost = true
 			case "smtpPort":
 				require.Equal(t, "587", v.Value)
 				foundSmtpPort = true
 			}
 		}
 		require.True(t, foundAppName)
 		require.True(t, foundSessionDuration)
 		require.True(t, foundSmtpHost)
 		require.True(t, foundSmtpPort)
 		// Verify in-memory config was updated
 		config := service.GetDbConfig()
 		require.Equal(t, "Updated App Name", config.AppName.Value)
 		require.Equal(t, "120", config.SessionDuration.Value)
 		require.Equal(t, "smtp.example.com", config.SmtpHost.Value)
 		require.Equal(t, "587", config.SmtpPort.Value)
 		// Verify database was updated
 		var appName, sessionDuration, smtpHost, smtpPort model.AppConfigVariable
 		err = db.Where("key = ?", "appName").First(&appName).Error
 		require.NoError(t, err)
 		require.Equal(t, "Updated App Name", appName.Value)
 		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
 		require.NoError(t, err)
 		require.Equal(t, "120", sessionDuration.Value)
 		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
 		require.NoError(t, err)
 		require.Equal(t, "smtp.example.com", smtpHost.Value)
 		err = db.Where("key = ?", "smtpPort").First(&smtpPort).Error
 		require.NoError(t, err)
 		require.Equal(t, "587", smtpPort.Value)
 	})
 	t.Run("empty values reset to defaults", func(t *testing.T) {
 		db := newAppConfigTestDatabaseForTest(t)
 		// Create a service with default config and modify some values
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// First set some non-default values
 		err = service.UpdateAppConfigValues(t.Context(),
 			"appName", "Custom App",
 			"sessionDuration", "120",
 		)
 		require.NoError(t, err)
 		// Create update DTO with empty values to reset to defaults
 		input := dto.AppConfigUpdateDto{
 			AppName:         "", // Should reset to default "Pocket ID"
 			SessionDuration: "", // Should reset to default "60"
 		}
 		// Update config
 		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
 		require.NoError(t, err)
 		// Verify returned updated variables (they should be empty strings in DB)
 		var foundAppName, foundSessionDuration bool
 		for _, v := range updatedVars {
 			switch v.Key {
 			case "appName":
 				require.Equal(t, "Pocket ID", v.Value) // Returns the default value
 				foundAppName = true
 			case "sessionDuration":
 				require.Equal(t, "60", v.Value) // Returns the default value
 				foundSessionDuration = true
 			}
 		}
 		require.True(t, foundAppName)
 		require.True(t, foundSessionDuration)
 		// Verify in-memory config was reset to defaults
 		config := service.GetDbConfig()
 		require.Equal(t, "Pocket ID", config.AppName.Value)  // Default value
 		require.Equal(t, "60", config.SessionDuration.Value) // Default value
 		// Verify database was updated with empty values
 		for _, key := range []string{"appName", "sessionDuration"} {
 			var loaded model.AppConfigVariable
 			err = db.Where("key = ?", key).First(&loaded).Error
 			require.NoErrorf(t, err, "Failed to load DB value for key '%s'", key)
 			require.Emptyf(t, loaded.Value, "Loaded value for key '%s' is not empty", key)
 		}
 	})
 	t.Run("cannot update when UiConfigDisabled is true", func(t *testing.T) {
 		// Save the original state and restore it after the test
 		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
 		defer func() {
 			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
 		}()
 		// Disable UI config
 		common.EnvConfig.UiConfigDisabled = true
 		db := newAppConfigTestDatabaseForTest(t)
 		service := &AppConfigService{
 			db: db,
 		}
 		err := service.LoadDbConfig(t.Context())
 		require.NoError(t, err)
 		// Try to update config
 		_, err = service.UpdateAppConfig(t.Context(), dto.AppConfigUpdateDto{
 			AppName: "Should Not Update",
 		})
 		// Should get a UiConfigDisabledError
 		require.Error(t, err)
 		var uiConfigDisabledErr *common.UiConfigDisabledError
 		require.ErrorAs(t, err, &uiConfigDisabledErr)
 	})
 }
 // Implements gorm's logger.Writer interface
 type testLoggerAdapter struct {
 	t *testing.T
 }
 func (l testLoggerAdapter) Printf(format string, args ...any) {
 	l.t.Logf(format, args...)
 }
 func newAppConfigTestDatabaseForTest(t *testing.T) *gorm.DB {
 	t.Helper()
 	// Get a name for this in-memory database that is specific to the test
 	dbName := utils.CreateSha256Hash(t.Name())
 	// Connect to a new in-memory SQL database
 	db, err := gorm.Open(
 		sqlite.Open("file:"+dbName+"?mode=memory&cache=shared"),
 		&gorm.Config{
 			TranslateError: true,
 			Logger: logger.New(
 				testLoggerAdapter{t: t},
 				logger.Config{
 					SlowThreshold:             200 * time.Millisecond,
 					LogLevel:                  logger.Info,
 					IgnoreRecordNotFoundError: false,
 					ParameterizedQueries:      false,
 					Colorful:                  false,
 				},
 			),
 		})
 	require.NoError(t, err, "Failed to connect to test database")
 	// Create the app_config_variables table
 	err = db.Exec(`
 CREATE TABLE app_config_variables
 (
    key           VARCHAR(100) NOT NULL PRIMARY KEY,
    value         TEXT NOT NULL
 )
 `).Error
 	require.NoError(t, err, "Failed to create test config table")
 	return db
 }
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -1,9 +1,12 @@
 package service
 import (
 	"context"
 	"fmt"
 	"log"
 	userAgentParser "github.com/mileusna/useragent"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
@@ -22,10 +25,10 @@ func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailSe
 }
 // Create creates a new audit log entry in the database
-func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
+func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData, tx *gorm.DB) model.AuditLog {
 	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
-		log.Printf("Failed to get IP location: %v\n", err)
+		log.Printf("Failed to get IP location: %v", err)
 	}
 	auditLog := model.AuditLog{
@@ -39,8 +42,12 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 	}
 	// Save the audit log in the database
-	if err := s.db.Create(&auditLog).Error; err != nil {
+	err = tx.
-		log.Printf("Failed to create audit log: %v\n", err)
+		WithContext(ctx).
 		Create(&auditLog).
 		Error
 	if err != nil {
 		log.Printf("Failed to create audit log: %v", err)
 		return model.AuditLog{}
 	}
@@ -48,25 +55,42 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 }
 // CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
-func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string) model.AuditLog {
+func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddress, userAgent, userID string, tx *gorm.DB) model.AuditLog {
-	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
+	createdAuditLog := s.Create(ctx, model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{}, tx)
 	// Count the number of times the user has logged in from the same device
 	var count int64
-	err := s.db.Model(&model.AuditLog{}).Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).Count(&count).Error
+	err := tx.
 		WithContext(ctx).
 		Model(&model.AuditLog{}).
 		Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).
 		Count(&count).
 		Error
 	if err != nil {
 		log.Printf("Failed to count audit logs: %v\n", err)
 		return createdAuditLog
 	}
 	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
-	if s.appConfigService.DbConfig.EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
+	if s.appConfigService.GetDbConfig().EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
 		// We use a background context here as this is running in a goroutine
 		//nolint:contextcheck
 		go func() {
-			var user model.User
+			innerCtx := context.Background()
 			s.db.Where("id = ?", userID).First(&user)
-			err := SendEmail(s.emailService, email.Address{
+			// Note we don't use the transaction here because this is running in background
-				Name:  user.Username,
+			var user model.User
 			innerErr := s.db.
 				WithContext(innerCtx).
 				Where("id = ?", userID).
 				First(&user).
 				Error
 			if innerErr != nil {
 				log.Printf("Failed to load user: %v", innerErr)
 			}
 			innerErr = SendEmail(innerCtx, s.emailService, email.Address{
 				Name:  user.FullName(),
 				Email: user.Email,
 			}, NewLoginTemplate, &NewLoginTemplateData{
 				IPAddress: ipAddress,
@@ -75,8 +99,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 				Device:    s.DeviceStringFromUserAgent(userAgent),
 				DateTime:  createdAuditLog.CreatedAt.UTC(),
 			})
-			if err != nil {
+			if innerErr != nil {
-				log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+				log.Printf("Failed to send email to '%s': %v", user.Email, innerErr)
 			}
 		}()
 	}
@@ -85,9 +109,12 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 }
 // ListAuditLogsForUser retrieves all audit logs for a given user ID
-func (s *AuditLogService) ListAuditLogsForUser(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAuditLogsForUser(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
-	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID)
+	query := s.db.
 		WithContext(ctx).
 		Model(&model.AuditLog{}).
 		Where("user_id = ?", userID)
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	return logs, pagination, err
@@ -97,3 +124,99 @@ func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
 	ua := userAgentParser.Parse(userAgent)
 	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
 }
 func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest, filters dto.AuditLogFilterDto) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
 	query := s.db.
 		WithContext(ctx).
 		Preload("User").
 		Model(&model.AuditLog{})
 	if filters.UserID != "" {
 		query = query.Where("user_id = ?", filters.UserID)
 	}
 	if filters.Event != "" {
 		query = query.Where("event = ?", filters.Event)
 	}
 	if filters.ClientName != "" {
 		dialect := s.db.Name()
 		switch dialect {
 		case "sqlite":
 			query = query.Where("json_extract(data, '$.clientName') = ?", filters.ClientName)
 		case "postgres":
 			query = query.Where("data->>'clientName' = ?", filters.ClientName)
 		default:
 			return nil, utils.PaginationResponse{}, fmt.Errorf("unsupported database dialect: %s", dialect)
 		}
 	}
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	if err != nil {
 		return nil, pagination, err
 	}
 	return logs, pagination, nil
 }
 func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[string]string, err error) {
 	query := s.db.
 		WithContext(ctx).
 		Joins("User").
 		Model(&model.AuditLog{}).
 		Select("DISTINCT \"User\".id, \"User\".username").
 		Where("\"User\".username IS NOT NULL")
 	type Result struct {
 		ID       string `gorm:"column:id"`
 		Username string `gorm:"column:username"`
 	}
 	var results []Result
 	if err := query.Find(&results).Error; err != nil {
 		return nil, fmt.Errorf("failed to query user IDs: %w", err)
 	}
 	users = make(map[string]string, len(results))
 	for _, result := range results {
 		users[result.ID] = result.Username
 	}
 	return users, nil
 }
 func (s *AuditLogService) ListClientNames(ctx context.Context) (clientNames []string, err error) {
 	dialect := s.db.Name()
 	query := s.db.
 		WithContext(ctx).
 		Model(&model.AuditLog{})
 	switch dialect {
 	case "sqlite":
 		query = query.
 			Select("DISTINCT json_extract(data, '$.clientName') AS client_name").
 			Where("json_extract(data, '$.clientName') IS NOT NULL")
 	case "postgres":
 		query = query.
 			Select("DISTINCT data->>'clientName' AS client_name").
 			Where("data->>'clientName' IS NOT NULL")
 	default:
 		return nil, fmt.Errorf("unsupported database dialect: %s", dialect)
 	}
 	type Result struct {
 		ClientName string `gorm:"column:client_name"`
 	}
 	var results []Result
 	if err := query.Find(&results).Error; err != nil {
 		return nil, fmt.Errorf("failed to query client IDs: %w", err)
 	}
 	clientNames = make([]string, len(results))
 	for i, result := range results {
 		clientNames[i] = result.ClientName
 	}
 	return clientNames, nil
 }
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -1,34 +1,14 @@
 package service
 import (
 	"context"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )
 // Reserved claims
 var reservedClaims = map[string]struct{}{
 	"given_name":         {},
 	"family_name":        {},
 	"name":               {},
 	"email":              {},
 	"preferred_username": {},
 	"groups":             {},
 	"sub":                {},
 	"iss":                {},
 	"aud":                {},
 	"exp":                {},
 	"iat":                {},
 	"auth_time":          {},
 	"nonce":              {},
 	"acr":                {},
 	"amr":                {},
 	"azp":                {},
 	"nbf":                {},
 	"jti":                {},
 }
 type CustomClaimService struct {
 	db *gorm.DB
 }
@@ -39,8 +19,30 @@ func NewCustomClaimService(db *gorm.DB) *CustomClaimService {
 // isReservedClaim checks if a claim key is reserved e.g. email, preferred_username
 func isReservedClaim(key string) bool {
-	_, ok := reservedClaims[key]
+	switch key {
-	return ok
+	case "given_name",
 		"family_name",
 		"name",
 		"email",
 		"preferred_username",
 		"groups",
 		TokenTypeClaim,
 		"sub",
 		"iss",
 		"aud",
 		"exp",
 		"iat",
 		"auth_time",
 		"nonce",
 		"acr",
 		"amr",
 		"azp",
 		"nbf",
 		"jti":
 		return true
 	default:
 		return false
 	}
 }
 // idType is the type of the id used to identify the user or user group
@@ -52,28 +54,37 @@ const (
 )
 // UpdateCustomClaimsForUser updates the custom claims for a user
-func (s *CustomClaimService) UpdateCustomClaimsForUser(userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) UpdateCustomClaimsForUser(ctx context.Context, userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(UserID, userID, claims)
+	return s.updateCustomClaims(ctx, UserID, userID, claims)
 }
 // UpdateCustomClaimsForUserGroup updates the custom claims for a user group
-func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(ctx context.Context, userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(UserGroupID, userGroupID, claims)
+	return s.updateCustomClaims(ctx, UserGroupID, userGroupID, claims)
 }
 // updateCustomClaims updates the custom claims for a user or user group
-func (s *CustomClaimService) updateCustomClaims(idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
 	// Check for duplicate keys in the claims slice
-	seenKeys := make(map[string]bool)
+	seenKeys := make(map[string]struct{})
 	for _, claim := range claims {
-		if seenKeys[claim.Key] {
+		if _, ok := seenKeys[claim.Key]; ok {
 			return nil, &common.DuplicateClaimError{Key: claim.Key}
 		}
-		seenKeys[claim.Key] = true
+		seenKeys[claim.Key] = struct{}{}
 	}
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var existingClaims []model.CustomClaim
-	err := s.db.Where(string(idType), value).Find(&existingClaims).Error
+	err := tx.
 		WithContext(ctx).
 		Where(string(idType), value).
 		Find(&existingClaims).
 		Error
 	if err != nil {
 		return nil, err
 	}
@@ -87,8 +98,12 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 				break
 			}
 		}
 		if !found {
-			err = s.db.Delete(&existingClaim).Error
+			err = tx.
 				WithContext(ctx).
 				Delete(&existingClaim).
 				Error
 			if err != nil {
 				return nil, err
 			}
@@ -113,7 +128,12 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 		}
 		// Update the claim if it already exists or create a new one
-		err = s.db.Where(string(idType)+" = ? AND key = ?", value, claim.Key).Assign(&customClaim).FirstOrCreate(&model.CustomClaim{}).Error
+		err = tx.
 			WithContext(ctx).
 			Where(string(idType)+" = ? AND key = ?", value, claim.Key).
 			Assign(&customClaim).
 			FirstOrCreate(&model.CustomClaim{}).
 			Error
 		if err != nil {
 			return nil, err
 		}
@@ -121,7 +141,16 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 	// Get the updated claims
 	var updatedClaims []model.CustomClaim
-	err = s.db.Where(string(idType)+" = ?", value).Find(&updatedClaims).Error
+	err = tx.
 		WithContext(ctx).
 		Where(string(idType)+" = ?", value).
 		Find(&updatedClaims).
 		Error
 	if err != nil {
 		return nil, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
@@ -129,23 +158,31 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 	return updatedClaims, nil
 }
-func (s *CustomClaimService) GetCustomClaimsForUser(userID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUser(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	var customClaims []model.CustomClaim
-	err := s.db.Where("user_id = ?", userID).Find(&customClaims).Error
+	err := tx.
 		WithContext(ctx).
 		Where("user_id = ?", userID).
 		Find(&customClaims).
 		Error
 	return customClaims, err
 }
-func (s *CustomClaimService) GetCustomClaimsForUserGroup(userGroupID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUserGroup(ctx context.Context, userGroupID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	var customClaims []model.CustomClaim
-	err := s.db.Where("user_group_id = ?", userGroupID).Find(&customClaims).Error
+	err := tx.
 		WithContext(ctx).
 		Where("user_group_id = ?", userGroupID).
 		Find(&customClaims).
 		Error
 	return customClaims, err
 }
 // GetCustomClaimsForUserWithUserGroups returns the custom claims of a user and all user groups the user is a member of,
 // prioritizing the user's claims over user group claims with the same key.
-func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	// Get the custom claims of the user
-	customClaims, err := s.GetCustomClaimsForUser(userID)
+	customClaims, err := s.GetCustomClaimsForUser(ctx, userID, tx)
 	if err != nil {
 		return nil, err
 	}
@@ -158,7 +195,9 @@ func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string)
 	// Get all user groups of the user
 	var userGroupsOfUser []model.UserGroup
-	err = s.db.Preload("CustomClaims").
+	err = tx.
 		WithContext(ctx).
 		Preload("CustomClaims").
 		Joins("JOIN user_groups_users ON user_groups_users.user_group_id = user_groups.id").
 		Where("user_groups_users.user_id = ?", userID).
 		Find(&userGroupsOfUser).Error
@@ -186,10 +225,12 @@ func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string)
 }
 // GetSuggestions returns a list of custom claim keys that have been used before
-func (s *CustomClaimService) GetSuggestions() ([]string, error) {
+func (s *CustomClaimService) GetSuggestions(ctx context.Context) ([]string, error) {
 	var customClaimsKeys []string
-	err := s.db.Model(&model.CustomClaim{}).
+	err := s.db.
 		WithContext(ctx).
 		Model(&model.CustomClaim{}).
 		Group("key").
 		Order("COUNT(*) DESC").
 		Pluck("key", &customClaimsKeys).Error
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -3,6 +3,7 @@
 package service
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/x509"
 	"encoding/base64"
@@ -34,6 +35,7 @@ func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService
 	return &TestService{db: db, appConfigService: appConfigService, jwtService: jwtService}
 }
 //nolint:gocognit
 func (s *TestService) SeedDatabase() error {
 	return s.db.Transaction(func(tx *gorm.DB) error {
 		users := []model.User{
@@ -187,11 +189,8 @@ func (s *TestService) SeedDatabase() error {
 		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
 		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
-		publicKeyPasskey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
+		publicKeyPasskey1, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
-		publicKeyPasskey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
+		publicKeyPasskey2, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
 		if err != nil {
 			return err
 		}
 		webauthnCredentials := []model.WebauthnCredential{
 			{
 				Name:            "Passkey 1",
@@ -301,26 +300,22 @@ func (s *TestService) ResetApplicationImages() error {
 	return nil
 }
-func (s *TestService) ResetAppConfig() error {
+func (s *TestService) ResetAppConfig(ctx context.Context) error {
-	// Reseed the config variables
+	// Reset all app config variables to their default values in the database
-	if err := s.appConfigService.InitDbConfig(); err != nil {
+	err := s.db.Session(&gorm.Session{AllowGlobalUpdate: true}).Model(&model.AppConfigVariable{}).Update("value", "").Error
-		return err
+	if err != nil {
 	}
 	// Reset all app config variables to their default values
 	if err := s.db.Session(&gorm.Session{AllowGlobalUpdate: true}).Model(&model.AppConfigVariable{}).Update("value", "").Error; err != nil {
 		return err
 	}
 	// Reload the app config from the database after resetting the values
-	return s.appConfigService.LoadDbConfigFromDb()
+	return s.appConfigService.LoadDbConfig(ctx)
 }
 func (s *TestService) SetJWTKeys() {
 	const privateKeyString = `{"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}`
 	privateKey, _ := jwk.ParseKey([]byte(privateKeyString))
-	s.jwtService.SetKey(privateKey)
+	_ = s.jwtService.SetKey(privateKey)
 }
 // getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -2,10 +2,12 @@ package service
 import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
 	htemplate "html/template"
 	"io"
 	"mime/multipart"
 	"mime/quotedprintable"
 	"net/textproto"
@@ -17,10 +19,11 @@ import (
 	"github.com/emersion/go-sasl"
 	"github.com/emersion/go-smtp"
 	"github.com/google/uuid"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 	"gorm.io/gorm"
 )
 type EmailService struct {
@@ -30,7 +33,7 @@ type EmailService struct {
 	textTemplates    map[string]*ttemplate.Template
 }
-func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailService, error) {
+func NewEmailService(db *gorm.DB, appConfigService *AppConfigService) (*EmailService, error) {
 	htmlTemplates, err := email.PrepareHTMLTemplates(emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
@@ -49,22 +52,28 @@ func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailSer
 	}, nil
 }
-func (srv *EmailService) SendTestEmail(recipientUserId string) error {
+func (srv *EmailService) SendTestEmail(ctx context.Context, recipientUserId string) error {
 	var user model.User
-	if err := srv.db.First(&user, "id = ?", recipientUserId).Error; err != nil {
+	err := srv.db.
 		WithContext(ctx).
 		First(&user, "id = ?", recipientUserId).
 		Error
 	if err != nil {
 		return err
 	}
-	return SendEmail(srv,
+	return SendEmail(ctx, srv,
 		email.Address{
 			Email: user.Email,
 			Name:  user.FullName(),
 		}, TestTemplate, nil)
 }
-func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
 	dbConfig := srv.appConfigService.GetDbConfig()
 	data := &email.TemplateData[V]{
-		AppName: srv.appConfigService.DbConfig.AppName.Value,
+		AppName: dbConfig.AppName.Value,
 		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
 		Data:    tData,
 	}
@@ -79,8 +88,8 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	c.AddHeader("Subject", template.Title(data))
 	c.AddAddressHeader("From", []email.Address{
 		{
-			Email: srv.appConfigService.DbConfig.SmtpFrom.Value,
+			Email: dbConfig.SmtpFrom.Value,
-			Name:  srv.appConfigService.DbConfig.AppName.Value,
+			Name:  dbConfig.AppName.Value,
 		},
 	})
 	c.AddAddressHeader("To", []email.Address{toEmail})
@@ -95,10 +104,10 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	// so we use the domain of the from address instead (the same as Thunderbird does)
 	// if the address does not have an @ (which would be unusual), we use hostname
-	from_address := srv.appConfigService.DbConfig.SmtpFrom.Value
+	fromAddress := dbConfig.SmtpFrom.Value
 	domain := ""
-	if strings.Contains(from_address, "@") {
+	if strings.Contains(fromAddress, "@") {
-		domain = strings.Split(from_address, "@")[1]
+		domain = strings.Split(fromAddress, "@")[1]
 	} else {
 		hostname, err := os.Hostname()
 		if err != nil {
@@ -112,6 +121,15 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	c.Body(body)
 	// Check if the context is still valid before attemtping to connect
 	// We need to do this because the smtp library doesn't have context support
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
 	default:
 		// All good
 	}
 	// Connect to the SMTP server
 	client, err := srv.getSmtpClient()
 	if err != nil {
@@ -119,6 +137,14 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	}
 	defer client.Close()
 	// Check if the context is still valid before sending the email
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
 	default:
 		// All good
 	}
 	// Send the email
 	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
 		return fmt.Errorf("send email content: %w", err)
@@ -128,16 +154,18 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 }
 func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
-	port := srv.appConfigService.DbConfig.SmtpPort.Value
+	dbConfig := srv.appConfigService.GetDbConfig()
-	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
+
 	port := dbConfig.SmtpPort.Value
 	smtpAddress := dbConfig.SmtpHost.Value + ":" + port
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.IsTrue(), //nolint:gosec
+		InsecureSkipVerify: dbConfig.SmtpSkipCertVerify.IsTrue(), //nolint:gosec
-		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
+		ServerName:         dbConfig.SmtpHost.Value,
 	}
 	// Connect to the SMTP server based on TLS setting
-	switch srv.appConfigService.DbConfig.SmtpTls.Value {
+	switch dbConfig.SmtpTls.Value {
 	case "none":
 		client, err = smtp.Dial(smtpAddress)
 	case "tls":
@@ -148,7 +176,7 @@ func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
 			tlsConfig,
 		)
 	default:
-		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", srv.appConfigService.DbConfig.SmtpTls.Value)
+		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", dbConfig.SmtpTls.Value)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
@@ -162,8 +190,8 @@ func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
 	}
 	// Set up the authentication if user or password are set
-	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
+	smtpUser := dbConfig.SmtpUser.Value
-	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value
+	smtpPassword := dbConfig.SmtpPassword.Value
 	if smtpUser != "" || smtpPassword != "" {
 		// Authenticate with plain auth
@@ -199,7 +227,7 @@ func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
 func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
 	// Set the sender
-	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value, nil); err != nil {
+	if err := client.Mail(srv.appConfigService.GetDbConfig().SmtpFrom.Value, nil); err != nil {
 		return fmt.Errorf("failed to set sender: %w", err)
 	}
@@ -215,7 +243,7 @@ func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Add
 	}
 	// Write the email content
-	_, err = w.Write([]byte(c.String()))
+	_, err = io.Copy(w, strings.NewReader(c.String()))
 	if err != nil {
 		return fmt.Errorf("failed to write email data: %w", err)
 	}
--- a/backend/internal/service/email_service_templates.go
+++ b/backend/internal/service/email_service_templates.go
@@ -42,6 +42,13 @@ var TestTemplate = email.Template[struct{}]{
 	},
 }
 var ApiKeyExpiringSoonTemplate = email.Template[ApiKeyExpiringSoonTemplateData]{
 	Path: "api-key-expiring-soon",
 	Title: func(data *email.TemplateData[ApiKeyExpiringSoonTemplateData]) string {
 		return fmt.Sprintf("API Key \"%s\" Expiring Soon", data.Data.ApiKeyName)
 	},
 }
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -54,7 +61,14 @@ type OneTimeAccessTemplateData = struct {
 	Code              string
 	LoginLink         string
 	LoginLinkWithCode string
 	ExpirationString  string
 }
 type ApiKeyExpiringSoonTemplateData struct {
 	Name       string
 	ApiKeyName string
 	ExpiresAt  time.Time
 }
 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path, ApiKeyExpiringSoonTemplate.Path}
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -22,8 +22,9 @@ import (
 )
 type GeoLiteService struct {
 	httpClient     *http.Client
 	disableUpdater bool
-	mutex          sync.Mutex
+	mutex          sync.RWMutex
 }
 var localhostIPNets = []*net.IPNet{
@@ -42,24 +43,24 @@ var tailscaleIPNets = []*net.IPNet{
 }
 // NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
-func NewGeoLiteService() *GeoLiteService {
+func NewGeoLiteService(httpClient *http.Client) *GeoLiteService {
-	service := &GeoLiteService{}
+	service := &GeoLiteService{
 		httpClient: httpClient,
 	}
 	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
-		// Warn the user, and disable the updater.
+		// Warn the user, and disable the periodic updater
 		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
 		service.disableUpdater = true
 	}
 	go func() {
 		if err := service.updateDatabase(); err != nil {
 			log.Printf("Failed to update GeoLite2 City database: %v\n", err)
 		}
 	}()
 	return service
 }
 func (s *GeoLiteService) DisableUpdater() bool {
 	return s.disableUpdater
 }
 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
 	// Check the IP address against known private IP ranges
@@ -82,8 +83,8 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	// Race condition between reading and writing the database.
-	s.mutex.Lock()
+	s.mutex.RLock()
-	defer s.mutex.Unlock()
+	defer s.mutex.RUnlock()
 	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
 	if err != nil {
@@ -91,7 +92,10 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	defer db.Close()
-	addr := netip.MustParseAddr(ipAddress)
+	addr, err := netip.ParseAddr(ipAddress)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse IP address: %w", err)
 	}
 	var record struct {
 		City struct {
@@ -111,21 +115,16 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 }
 // UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
-func (s *GeoLiteService) updateDatabase() error {
+func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 	if s.disableUpdater {
 		// Avoid updating the GeoLite2 City database.
 		return nil
 	}
 	if s.isDatabaseUpToDate() {
-		log.Println("GeoLite2 City database is up-to-date.")
+		log.Println("GeoLite2 City database is up-to-date")
 		return nil
 	}
-	log.Println("Updating GeoLite2 City database...")
+	log.Println("Updating GeoLite2 City database")
 	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
 	defer cancel()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, downloadUrl, nil)
@@ -133,7 +132,7 @@ func (s *GeoLiteService) updateDatabase() error {
 		return fmt.Errorf("failed to create request: %w", err)
 	}
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := s.httpClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to download database: %w", err)
 	}
@@ -144,7 +143,8 @@ func (s *GeoLiteService) updateDatabase() error {
 	}
 	// Extract the database file directly to the target path
-	if err := s.extractDatabase(resp.Body); err != nil {
+	err = s.extractDatabase(resp.Body)
 	if err != nil {
 		return fmt.Errorf("failed to extract database: %w", err)
 	}
@@ -178,10 +178,9 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 	// Iterate over the files in the tar archive
 	for {
 		header, err := tarReader.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
-		}
+		} else if err != nil {
 		if err != nil {
 			return fmt.Errorf("failed to read tar archive: %w", err)
 		}
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -1,6 +1,7 @@
 package service
 import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
@@ -37,6 +38,18 @@ const (
 	// This may be omitted on non-admin tokens
 	IsAdminClaim = "isAdmin"
 	// TokenTypeClaim is the claim used to identify the type of token
 	TokenTypeClaim = "type"
 	// OAuthAccessTokenJWTType identifies a JWT as an OAuth access token
 	OAuthAccessTokenJWTType = "oauth-access-token" //nolint:gosec
 	// AccessTokenJWTType identifies a JWT as an access token used by Pocket ID
 	AccessTokenJWTType = "access-token"
 	// IDTokenJWTType identifies a JWT as an ID token used by Pocket ID
 	IDTokenJWTType = "id-token"
 	// Acceptable clock skew for verifying tokens
 	clockSkew = time.Minute
 )
@@ -173,7 +186,7 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 	now := time.Now()
 	token, err := jwt.NewBuilder().
 		Subject(user.ID).
-		Expiration(now.Add(s.appConfigService.DbConfig.SessionDuration.AsDurationMinutes())).
+		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
 		IssuedAt(now).
 		Issuer(common.EnvConfig.AppURL).
 		Build()
@@ -186,6 +199,11 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
 	}
 	err = SetTokenType(token, AccessTokenJWTType)
 	if err != nil {
 		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}
 	err = SetIsAdmin(token, user.IsAdmin)
 	if err != nil {
 		return "", fmt.Errorf("failed to set 'isAdmin' claim in token: %w", err)
@@ -209,6 +227,7 @@ func (s *JwtService) VerifyAccessToken(tokenString string) (jwt.Token, error) {
 		jwt.WithAcceptableSkew(clockSkew),
 		jwt.WithAudience(common.EnvConfig.AppURL),
 		jwt.WithIssuer(common.EnvConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(AccessTokenJWTType)),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse token: %w", err)
@@ -233,6 +252,11 @@ func (s *JwtService) GenerateIDToken(userClaims map[string]any, clientID string,
 		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
 	}
 	err = SetTokenType(token, IDTokenJWTType)
 	if err != nil {
 		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}
 	for k, v := range userClaims {
 		err = token.Set(k, v)
 		if err != nil {
@@ -267,6 +291,7 @@ func (s *JwtService) VerifyIdToken(tokenString string, acceptExpiredTokens bool)
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
 		jwt.WithIssuer(common.EnvConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(IDTokenJWTType)),
 	)
 	// By default, jwt.Parse includes 3 default validators for "nbf", "iat", and "exp"
@@ -305,6 +330,11 @@ func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string)
 		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
 	}
 	err = SetTokenType(token, OAuthAccessTokenJWTType)
 	if err != nil {
 		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}
 	alg, _ := s.privateKey.Algorithm()
 	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
 	if err != nil {
@@ -322,6 +352,7 @@ func (s *JwtService) VerifyOauthAccessToken(tokenString string) (jwt.Token, erro
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
 		jwt.WithIssuer(common.EnvConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(OAuthAccessTokenJWTType)),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse token: %w", err)
@@ -481,6 +512,14 @@ func GetIsAdmin(token jwt.Token) (bool, error) {
 	return isAdmin, err
 }
 // SetTokenType sets the "type" claim in the token
 func SetTokenType(token jwt.Token, tokenType string) error {
 	if tokenType == "" {
 		return nil
 	}
 	return token.Set(TokenTypeClaim, tokenType)
 }
 // SetIsAdmin sets the "isAdmin" claim in the token
 func SetIsAdmin(token jwt.Token, isAdmin bool) error {
 	// Only set if true
@@ -495,3 +534,18 @@ func SetIsAdmin(token jwt.Token, isAdmin bool) error {
 func SetAudienceString(token jwt.Token, audience string) error {
 	return token.Set(jwt.AudienceKey, audience)
 }
 // TokenTypeValidator is a validator function that checks the "type" claim in the token
 func TokenTypeValidator(expectedTokenType string) jwt.ValidatorFunc {
 	return func(_ context.Context, t jwt.Token) error {
 		var tokenType string
 		err := t.Get(TokenTypeClaim, &tokenType)
 		if err != nil {
 			return fmt.Errorf("failed to get token type claim: %w", err)
 		}
 		if tokenType != expectedTokenType {
 			return fmt.Errorf("invalid token type: expected %s, got %s", expectedTokenType, tokenType)
 		}
 		return nil
 	}
 }
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
@@ -1,6 +1,7 @@
 package service
 import (
 	"context"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@@ -23,11 +24,9 @@ import (
 )
 func TestJwtService_Init(t *testing.T) {
-	mockConfig := &AppConfigService{
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
-		DbConfig: &model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
-			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
 		},
 	}
 	t.Run("should generate new key when none exists", func(t *testing.T) {
 		// Create a temporary directory for the test
@@ -139,11 +138,9 @@ func TestJwtService_Init(t *testing.T) {
 }
 func TestJwtService_GetPublicJWK(t *testing.T) {
-	mockConfig := &AppConfigService{
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
-		DbConfig: &model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
-			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
 		},
 	}
 	t.Run("returns public key when private key is initialized", func(t *testing.T) {
 		// Create a temporary directory for the test
@@ -273,11 +270,9 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 	tempDir := t.TempDir()
 	// Initialize the JWT service with a mock AppConfigService
-	mockConfig := &AppConfigService{
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
-		DbConfig: &model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
-			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
 		},
 	}
 	// Setup the environment variable required by the token verification
 	originalAppURL := common.EnvConfig.AppURL
@@ -363,11 +358,9 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 	t.Run("uses session duration from config", func(t *testing.T) {
 		// Create a JWT service with a different session duration
-		customMockConfig := &AppConfigService{
+		customMockConfig := NewTestAppConfigService(&model.AppConfig{
-			DbConfig: &model.AppConfig{
+			SessionDuration: model.AppConfigVariable{Value: "30"}, // 30 minutes
-				SessionDuration: model.AppConfigVariable{Value: "30"}, // 30 minutes
+		})
 			},
 		}
 		service := &JwtService{}
 		err := service.init(customMockConfig, tempDir)
@@ -564,11 +557,9 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	tempDir := t.TempDir()
 	// Initialize the JWT service with a mock AppConfigService
-	mockConfig := &AppConfigService{
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
-		DbConfig: &model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
-			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
 		},
 	}
 	// Setup the environment variable required by the token verification
 	originalAppURL := common.EnvConfig.AppURL
@@ -643,6 +634,9 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			Build()
 		require.NoError(t, err, "Failed to build token")
 		err = SetTokenType(token, IDTokenJWTType)
 		require.NoError(t, err, "Failed to set token type")
 		// Add custom claims
 		for k, v := range userClaims {
 			if k != "sub" { // Already set above
@@ -892,11 +886,9 @@ func TestGenerateVerifyOauthAccessToken(t *testing.T) {
 	tempDir := t.TempDir()
 	// Initialize the JWT service with a mock AppConfigService
-	mockConfig := &AppConfigService{
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
-		DbConfig: &model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
-			SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
 		},
 	}
 	// Setup the environment variable required by the token verification
 	originalAppURL := common.EnvConfig.AppURL
@@ -972,6 +964,9 @@ func TestGenerateVerifyOauthAccessToken(t *testing.T) {
 			Build()
 		require.NoError(t, err, "Failed to build token")
 		err = SetTokenType(token, OAuthAccessTokenJWTType)
 		require.NoError(t, err, "Failed to set token type")
 		signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256(), service.privateKey))
 		require.NoError(t, err, "Failed to sign token")
@@ -1172,6 +1167,54 @@ func TestGenerateVerifyOauthAccessToken(t *testing.T) {
 	})
 }
 func TestTokenTypeValidator(t *testing.T) {
 	// Create a context for the validator function
 	ctx := context.Background()
 	t.Run("succeeds when token type matches expected type", func(t *testing.T) {
 		// Create a token with the expected type
 		token := jwt.New()
 		err := token.Set(TokenTypeClaim, AccessTokenJWTType)
 		require.NoError(t, err, "Failed to set token type claim")
 		// Create a validator function for the expected type
 		validator := TokenTypeValidator(AccessTokenJWTType)
 		// Validate the token
 		err = validator(ctx, token)
 		assert.NoError(t, err, "Validator should accept token with matching type")
 	})
 	t.Run("fails when token type doesn't match expected type", func(t *testing.T) {
 		// Create a token with a different type
 		token := jwt.New()
 		err := token.Set(TokenTypeClaim, OAuthAccessTokenJWTType)
 		require.NoError(t, err, "Failed to set token type claim")
 		// Create a validator function for a different expected type
 		validator := TokenTypeValidator(IDTokenJWTType)
 		// Validate the token
 		err = validator(ctx, token)
 		require.Error(t, err, "Validator should reject token with non-matching type")
 		assert.Contains(t, err.Error(), "invalid token type: expected id-token, got oauth-access-token")
 	})
 	t.Run("fails when token type claim is missing", func(t *testing.T) {
 		// Create a token without a type claim
 		token := jwt.New()
 		// Create a validator function
 		validator := TokenTypeValidator(AccessTokenJWTType)
 		// Validate the token
 		err := validator(ctx, token)
 		require.Error(t, err, "Validator should reject token without type claim")
 		assert.Contains(t, err.Error(), "failed to get token type claim")
 	})
 }
 func importKey(t *testing.T, privateKeyRaw any, path string) string {
 	t.Helper()
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -15,6 +15,7 @@ import (
 	"time"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
@@ -22,53 +23,52 @@ import (
 type LdapService struct {
 	db               *gorm.DB
 	httpClient       *http.Client
 	appConfigService *AppConfigService
 	userService      *UserService
 	groupService     *UserGroupService
 }
-func NewLdapService(db *gorm.DB, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
+func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
-	return &LdapService{db: db, appConfigService: appConfigService, userService: userService, groupService: groupService}
+	return &LdapService{
 		db:               db,
 		httpClient:       httpClient,
 		appConfigService: appConfigService,
 		userService:      userService,
 		groupService:     groupService,
 	}
 }
 func (s *LdapService) createClient() (*ldap.Conn, error) {
-	if !s.appConfigService.DbConfig.LdapEnabled.IsTrue() {
+	dbConfig := s.appConfigService.GetDbConfig()
 	if !dbConfig.LdapEnabled.IsTrue() {
 		return nil, fmt.Errorf("LDAP is not enabled")
 	}
 	// Setup LDAP connection
-	ldapURL := s.appConfigService.DbConfig.LdapUrl.Value
+	client, err := ldap.DialURL(dbConfig.LdapUrl.Value, ldap.DialWithTLSConfig(&tls.Config{
-	skipTLSVerify := s.appConfigService.DbConfig.LdapSkipCertVerify.IsTrue()
+		InsecureSkipVerify: dbConfig.LdapSkipCertVerify.IsTrue(), //nolint:gosec
-	client, err := ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: skipTLSVerify})) //nolint:gosec
+	}))
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to LDAP: %w", err)
 	}
 	// Bind as service account
-	bindDn := s.appConfigService.DbConfig.LdapBindDn.Value
+	err = client.Bind(dbConfig.LdapBindDn.Value, dbConfig.LdapBindPassword.Value)
 	bindPassword := s.appConfigService.DbConfig.LdapBindPassword.Value
 	err = client.Bind(bindDn, bindPassword)
 	if err != nil {
 		return nil, fmt.Errorf("failed to bind to LDAP: %w", err)
 	}
 	return client, nil
 }
-func (s *LdapService) SyncAll() error {
+func (s *LdapService) SyncAll(ctx context.Context) error {
-	err := s.SyncUsers()
+	// Start a transaction
-	if err != nil {
+	tx := s.db.Begin()
-		return fmt.Errorf("failed to sync users: %w", err)
+	defer func() {
-	}
+		tx.Rollback()
 	}()
 	err = s.SyncGroups()
 	if err != nil {
 		return fmt.Errorf("failed to sync groups: %w", err)
 	}
 	return nil
 }
 //nolint:gocognit
 func (s *LdapService) SyncGroups() error {
 	// Setup LDAP connection
 	client, err := s.createClient()
 	if err != nil {
@@ -76,262 +76,373 @@ func (s *LdapService) SyncGroups() error {
 	}
 	defer client.Close()
-	baseDN := s.appConfigService.DbConfig.LdapBase.Value
+	err = s.SyncUsers(ctx, tx, client)
-	nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
+	if err != nil {
-	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
+		return fmt.Errorf("failed to sync users: %w", err)
 	groupMemberOfAttribute := s.appConfigService.DbConfig.LdapAttributeGroupMember.Value
 	filter := s.appConfigService.DbConfig.LdapUserGroupSearchFilter.Value
 	searchAttrs := []string{
 		nameAttribute,
 		uniqueIdentifierAttribute,
 		groupMemberOfAttribute,
 	}
-	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+	err = s.SyncGroups(ctx, tx, client)
 	if err != nil {
 		return fmt.Errorf("failed to sync groups: %w", err)
 	}
 	// Commit the changes
 	err = tx.Commit().Error
 	if err != nil {
 		return fmt.Errorf("failed to commit changes to database: %w", err)
 	}
 	return nil
 }
 //nolint:gocognit
 func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
 	dbConfig := s.appConfigService.GetDbConfig()
 	searchAttrs := []string{
 		dbConfig.LdapAttributeGroupName.Value,
 		dbConfig.LdapAttributeGroupUniqueIdentifier.Value,
 		dbConfig.LdapAttributeGroupMember.Value,
 	}
 	searchReq := ldap.NewSearchRequest(
 		dbConfig.LdapBase.Value,
 		ldap.ScopeWholeSubtree,
 		0, 0, 0, false,
 		dbConfig.LdapUserGroupSearchFilter.Value,
 		searchAttrs,
 		[]ldap.Control{},
 	)
 	result, err := client.Search(searchReq)
 	if err != nil {
 		return fmt.Errorf("failed to query LDAP: %w", err)
 	}
 	// Create a mapping for groups that exist
-	ldapGroupIDs := make(map[string]bool)
+	ldapGroupIDs := make(map[string]struct{}, len(result.Entries))
 	for _, value := range result.Entries {
-		var membersUserId []string
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
 		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
 		// Skip groups without a valid LDAP ID
 		if ldapId == "" {
-			log.Printf("Skipping LDAP group without a valid unique identifier (attribute: %s)", uniqueIdentifierAttribute)
+			log.Printf("Skipping LDAP group without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
 			continue
 		}
-		ldapGroupIDs[ldapId] = true
+		ldapGroupIDs[ldapId] = struct{}{}
 		// Try to find the group in the database
 		var databaseGroup model.UserGroup
-		s.db.Where("ldap_id = ?", ldapId).First(&databaseGroup)
+		err = tx.
 			WithContext(ctx).
 			Where("ldap_id = ?", ldapId).
 			First(&databaseGroup).
 			Error
 		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 			// This could error with ErrRecordNotFound and we want to ignore that here
 			return fmt.Errorf("failed to query for LDAP group ID '%s': %w", ldapId, err)
 		}
 		// Get group members and add to the correct Group
-		groupMembers := value.GetAttributeValues(groupMemberOfAttribute)
+		groupMembers := value.GetAttributeValues(dbConfig.LdapAttributeGroupMember.Value)
 		membersUserId := make([]string, 0, len(groupMembers))
 		for _, member := range groupMembers {
-			// Normal output of this would be CN=username,ou=people,dc=example,dc=com
+			ldapId := getDNProperty("uid", member)
-			// Splitting at the "=" and "," then just grabbing the username for that string
+			if ldapId == "" {
-			singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0]
+				continue
 			}
 			var databaseUser model.User
-			err := s.db.Where("username = ? AND ldap_id IS NOT NULL", singleMember).First(&databaseUser).Error
+			err = tx.
-			if err != nil {
+				WithContext(ctx).
-				if errors.Is(err, gorm.ErrRecordNotFound) {
+				Where("username = ? AND ldap_id IS NOT NULL", ldapId).
-					// The user collides with a non-LDAP user, so we skip it
+				First(&databaseUser).
-					continue
+				Error
-				} else {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
-					return err
+				// The user collides with a non-LDAP user, so we skip it
-				}
+				continue
-
+			} else if err != nil {
 				return fmt.Errorf("failed to query for existing user '%s': %w", ldapId, err)
 			}
 			membersUserId = append(membersUserId, databaseUser.ID)
 		}
 		syncGroup := dto.UserGroupCreateDto{
-			Name:         value.GetAttributeValue(nameAttribute),
+			Name:         value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
-			FriendlyName: value.GetAttributeValue(nameAttribute),
+			FriendlyName: value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
-			LdapID:       value.GetAttributeValue(uniqueIdentifierAttribute),
+			LdapID:       value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value),
 		}
 		if databaseGroup.ID == "" {
-			newGroup, err := s.groupService.Create(syncGroup)
+			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
 			if err != nil {
-				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+				return fmt.Errorf("failed to create group '%s': %w", syncGroup.Name, err)
-			} else {
+			}
-				if _, err = s.groupService.UpdateUsers(newGroup.ID, membersUserId); err != nil {
+
-					log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+			_, err = s.groupService.updateUsersInternal(ctx, newGroup.ID, membersUserId, tx)
-				}
+			if err != nil {
 				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
 			}
 		} else {
-			_, err = s.groupService.Update(databaseGroup.ID, syncGroup, true)
+			_, err = s.groupService.updateInternal(ctx, databaseGroup.ID, syncGroup, true, tx)
 			if err != nil {
-				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
+				return fmt.Errorf("failed to update group '%s': %w", syncGroup.Name, err)
 			}
 			_, err = s.groupService.UpdateUsers(databaseGroup.ID, membersUserId)
 			if err != nil {
 				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
 				return err
 			}
 			_, err = s.groupService.updateUsersInternal(ctx, databaseGroup.ID, membersUserId, tx)
 			if err != nil {
 				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
 			}
 		}
 	}
 	// Get all LDAP groups from the database
 	var ldapGroupsInDb []model.UserGroup
-	if err := s.db.Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
+	err = tx.
-		fmt.Println(fmt.Errorf("failed to fetch groups from database: %w", err))
+		WithContext(ctx).
 		Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").
 		Select("ldap_id").
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to fetch groups from database: %w", err)
 	}
 	// Delete groups that no longer exist in LDAP
 	for _, group := range ldapGroupsInDb {
-		if _, exists := ldapGroupIDs[*group.LdapID]; !exists {
+		if _, exists := ldapGroupIDs[*group.LdapID]; exists {
-			if err := s.db.Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).Error; err != nil {
+			continue
 				log.Printf("Failed to delete group %s with: %v", group.Name, err)
 			} else {
 				log.Printf("Deleted group %s", group.Name)
 			}
 		}
 		err = tx.
 			WithContext(ctx).
 			Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).
 			Error
 		if err != nil {
 			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
 		}
 		log.Printf("Deleted group '%s'", group.Name)
 	}
 	return nil
 }
 //nolint:gocognit
-func (s *LdapService) SyncUsers() error {
+func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
-	// Setup LDAP connection
+	dbConfig := s.appConfigService.GetDbConfig()
 	client, err := s.createClient()
 	if err != nil {
 		return fmt.Errorf("failed to create LDAP client: %w", err)
 	}
 	defer client.Close()
 	baseDN := s.appConfigService.DbConfig.LdapBase.Value
 	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeUserUniqueIdentifier.Value
 	usernameAttribute := s.appConfigService.DbConfig.LdapAttributeUserUsername.Value
 	emailAttribute := s.appConfigService.DbConfig.LdapAttributeUserEmail.Value
 	firstNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserFirstName.Value
 	lastNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserLastName.Value
 	profilePictureAttribute := s.appConfigService.DbConfig.LdapAttributeUserProfilePicture.Value
 	adminGroupAttribute := s.appConfigService.DbConfig.LdapAttributeAdminGroup.Value
 	filter := s.appConfigService.DbConfig.LdapUserSearchFilter.Value
 	searchAttrs := []string{
 		"memberOf",
 		"sn",
 		"cn",
-		uniqueIdentifierAttribute,
+		dbConfig.LdapAttributeUserUniqueIdentifier.Value,
-		usernameAttribute,
+		dbConfig.LdapAttributeUserUsername.Value,
-		emailAttribute,
+		dbConfig.LdapAttributeUserEmail.Value,
-		firstNameAttribute,
+		dbConfig.LdapAttributeUserFirstName.Value,
-		lastNameAttribute,
+		dbConfig.LdapAttributeUserLastName.Value,
-		profilePictureAttribute,
+		dbConfig.LdapAttributeUserProfilePicture.Value,
 	}
 	// Filters must start and finish with ()!
-	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+	searchReq := ldap.NewSearchRequest(
 		dbConfig.LdapBase.Value,
 		ldap.ScopeWholeSubtree,
 		0, 0, 0, false,
 		dbConfig.LdapUserSearchFilter.Value,
 		searchAttrs,
 		[]ldap.Control{},
 	)
 	result, err := client.Search(searchReq)
 	if err != nil {
-		fmt.Println(fmt.Errorf("failed to query LDAP: %w", err))
+		return fmt.Errorf("failed to query LDAP: %w", err)
 	}
 	// Create a mapping for users that exist
-	ldapUserIDs := make(map[string]bool)
+	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
 	for _, value := range result.Entries {
-		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value)
 		// Skip users without a valid LDAP ID
 		if ldapId == "" {
-			log.Printf("Skipping LDAP user without a valid unique identifier (attribute: %s)", uniqueIdentifierAttribute)
+			log.Printf("Skipping LDAP user without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeUserUniqueIdentifier.Value)
 			continue
 		}
-		ldapUserIDs[ldapId] = true
+		ldapUserIDs[ldapId] = struct{}{}
 		// Get the user from the database
 		var databaseUser model.User
-		s.db.Where("ldap_id = ?", ldapId).First(&databaseUser)
+		err = tx.
 			WithContext(ctx).
 			Where("ldap_id = ?", ldapId).
 			First(&databaseUser).
 			Error
 		// If a user is found (even if disabled), enable them since they're now back in LDAP
 		if databaseUser.ID != "" && databaseUser.Disabled {
 			// Use the transaction instead of the direct context
 			err = tx.
 				WithContext(ctx).
 				Model(&model.User{}).
 				Where("id = ?", databaseUser.ID).
 				Update("disabled", false).
 				Error
 			if err != nil {
 				log.Printf("Failed to enable user %s: %v", databaseUser.Username, err)
 			}
 		}
 		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 			// This could error with ErrRecordNotFound and we want to ignore that here
 			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
 		}
 		// Check if user is admin by checking if they are in the admin group
 		isAdmin := false
 		for _, group := range value.GetAttributeValues("memberOf") {
-			if strings.Contains(group, adminGroupAttribute) {
+			if getDNProperty("cn", group) == dbConfig.LdapAttributeAdminGroup.Value {
 				isAdmin = true
 				break
 			}
 		}
 		newUser := dto.UserCreateDto{
-			Username:  value.GetAttributeValue(usernameAttribute),
+			Username:  value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
-			Email:     value.GetAttributeValue(emailAttribute),
+			Email:     value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value),
-			FirstName: value.GetAttributeValue(firstNameAttribute),
+			FirstName: value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
-			LastName:  value.GetAttributeValue(lastNameAttribute),
+			LastName:  value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
 			IsAdmin:   isAdmin,
 			LdapID:    ldapId,
 		}
 		if databaseUser.ID == "" {
-			_, err = s.userService.CreateUser(newUser)
+			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
-			if err != nil {
+			if errors.Is(err, &common.AlreadyInUseError{}) {
-				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+				log.Printf("Skipping creating LDAP user '%s': %v", newUser.Username, err)
 				continue
 			} else if err != nil {
 				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
 			}
 		} else {
-			_, err = s.userService.UpdateUser(databaseUser.ID, newUser, false, true)
+			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
-			if err != nil {
+			if errors.Is(err, &common.AlreadyInUseError{}) {
-				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+				log.Printf("Skipping updating LDAP user '%s': %v", newUser.Username, err)
 				continue
 			} else if err != nil {
 				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
 			}
 		}
 		// Save profile picture
-		if pictureString := value.GetAttributeValue(profilePictureAttribute); pictureString != "" {
+		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
-			if err := s.SaveProfilePicture(databaseUser.ID, pictureString); err != nil {
+		if pictureString != "" {
-				log.Printf("Error saving profile picture for user %s: %s", newUser.Username, err)
+			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
 			if err != nil {
 				// This is not a fatal error
 				log.Printf("Error saving profile picture for user %s: %v", newUser.Username, err)
 			}
 		}
 	}
 	// Get all LDAP users from the database
 	var ldapUsersInDb []model.User
-	if err := s.db.Find(&ldapUsersInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
+	err = tx.
-		fmt.Println(fmt.Errorf("failed to fetch users from database: %w", err))
+		WithContext(ctx).
 		Find(&ldapUsersInDb, "ldap_id IS NOT NULL").
 		Select("id, username, ldap_id, disabled").
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to fetch users from database: %w", err)
 	}
-	// Delete users that no longer exist in LDAP
+	// Mark users as disabled or delete users that no longer exist in LDAP
 	for _, user := range ldapUsersInDb {
-		if _, exists := ldapUserIDs[*user.LdapID]; !exists {
+		// Skip if the user ID exists in the fetched LDAP results
-			if err := s.userService.DeleteUser(user.ID, true); err != nil {
+		if _, exists := ldapUserIDs[*user.LdapID]; exists {
-				log.Printf("Failed to delete user %s with: %v", user.Username, err)
+			continue
-			} else {
+		}
-				log.Printf("Deleted user %s", user.Username)
+
 		if dbConfig.LdapSoftDeleteUsers.IsTrue() {
 			err = s.userService.disableUserInternal(ctx, user.ID, tx)
 			if err != nil {
 				return fmt.Errorf("failed to disable user %s: %w", user.Username, err)
 			}
 			log.Printf("Disabled user '%s'", user.Username)
 		} else {
 			err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
 			target := &common.LdapUserUpdateError{}
 			if errors.As(err, &target) {
 				return fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
 			} else if err != nil {
 				return fmt.Errorf("failed to delete user %s: %w", user.Username, err)
 			}
 			log.Printf("Deleted user '%s'", user.Username)
 		}
 	}
 	return nil
 }
-func (s *LdapService) SaveProfilePicture(userId string, pictureString string) error {
+func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
 	var reader io.Reader
-	if _, err := url.ParseRequestURI(pictureString); err == nil {
+	_, err := url.ParseRequestURI(pictureString)
-		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	if err == nil {
 		ctx, cancel := context.WithTimeout(parentCtx, 15*time.Second)
 		defer cancel()
-		req, err := http.NewRequestWithContext(ctx, http.MethodGet, pictureString, nil)
+		var req *http.Request
 		req, err = http.NewRequestWithContext(ctx, http.MethodGet, pictureString, nil)
 		if err != nil {
 			return fmt.Errorf("failed to create request: %w", err)
 		}
-		response, err := http.DefaultClient.Do(req)
+		var res *http.Response
 		res, err = s.httpClient.Do(req)
 		if err != nil {
 			return fmt.Errorf("failed to download profile picture: %w", err)
 		}
-		defer response.Body.Close()
+		defer res.Body.Close()
 		reader = response.Body
 		reader = res.Body
 	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
 		// If the photo is a base64 encoded string, decode it
 		reader = bytes.NewReader(decodedPhoto)
 	} else {
 		// If the photo is a string, we assume that it's a binary string
 		reader = bytes.NewReader([]byte(pictureString))
 	}
 	// Update the profile picture
-	if err := s.userService.UpdateProfilePicture(userId, reader); err != nil {
+	err = s.userService.UpdateProfilePicture(userId, reader)
 	if err != nil {
 		return fmt.Errorf("failed to update profile picture: %w", err)
 	}
 	return nil
 }
 // getDNProperty returns the value of a property from a LDAP identifier
 // See: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
 func getDNProperty(property string, str string) string {
 	// Example format is "CN=username,ou=people,dc=example,dc=com"
 	// First we split at the comma
 	property = strings.ToLower(property)
 	l := len(property) + 1
 	for _, v := range strings.Split(str, ",") {
 		v = strings.TrimSpace(v)
 		if len(v) > l && strings.ToLower(v)[0:l] == property+"=" {
 			return v[l:]
 		}
 	}
 	// CN not found, return an empty string
 	return ""
 }
--- a/backend/internal/service/ldap_service_test.go
+++ b/backend/internal/service/ldap_service_test.go
@@ -0,0 +1,73 @@
 package service
 import (
 	"testing"
 )
 func TestGetDNProperty(t *testing.T) {
 	tests := []struct {
 		name           string
 		property       string
 		dn             string
 		expectedResult string
 	}{
 		{
 			name:           "simple case",
 			property:       "cn",
 			dn:             "cn=username,ou=people,dc=example,dc=com",
 			expectedResult: "username",
 		},
 		{
 			name:           "property not found",
 			property:       "uid",
 			dn:             "cn=username,ou=people,dc=example,dc=com",
 			expectedResult: "",
 		},
 		{
 			name:           "mixed case property",
 			property:       "CN",
 			dn:             "cn=username,ou=people,dc=example,dc=com",
 			expectedResult: "username",
 		},
 		{
 			name:           "mixed case DN",
 			property:       "cn",
 			dn:             "CN=username,OU=people,DC=example,DC=com",
 			expectedResult: "username",
 		},
 		{
 			name:           "spaces in DN",
 			property:       "cn",
 			dn:             "cn=username, ou=people, dc=example, dc=com",
 			expectedResult: "username",
 		},
 		{
 			name:           "value with special characters",
 			property:       "cn",
 			dn:             "cn=user.name+123,ou=people,dc=example,dc=com",
 			expectedResult: "user.name+123",
 		},
 		{
 			name:           "empty DN",
 			property:       "cn",
 			dn:             "",
 			expectedResult: "",
 		},
 		{
 			name:           "empty property",
 			property:       "",
 			dn:             "cn=username,ou=people,dc=example,dc=com",
 			expectedResult: "",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := getDNProperty(tt.property, tt.dn)
 			if result != tt.expectedResult {
 				t.Errorf("getDNProperty(%q, %q) = %q, want %q",
 					tt.property, tt.dn, result, tt.expectedResult)
 			}
 		})
 	}
 }
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -1,13 +1,15 @@
 package service
 import (
 	"context"
 	"errors"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 type UserGroupService struct {
@@ -19,8 +21,11 @@ func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService) *UserG
 	return &UserGroupService{db: db, appConfigService: appConfigService}
 }
-func (s *UserGroupService) List(name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
+func (s *UserGroupService) List(ctx context.Context, name string, sortedPaginationRequest utils.SortedPaginationRequest) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
-	query := s.db.Preload("CustomClaims").Model(&model.UserGroup{})
+	query := s.db.
 		WithContext(ctx).
 		Preload("CustomClaims").
 		Model(&model.UserGroup{})
 	if name != "" {
 		query = query.Where("name LIKE ?", "%"+name+"%")
@@ -42,26 +47,58 @@ func (s *UserGroupService) List(name string, sortedPaginationRequest utils.Sorte
 	return groups, response, err
 }
-func (s *UserGroupService) Get(id string) (group model.UserGroup, err error) {
+func (s *UserGroupService) Get(ctx context.Context, id string) (group model.UserGroup, err error) {
-	err = s.db.Where("id = ?", id).Preload("CustomClaims").Preload("Users").First(&group).Error
+	return s.getInternal(ctx, id, s.db)
 }
 func (s *UserGroupService) getInternal(ctx context.Context, id string, tx *gorm.DB) (group model.UserGroup, err error) {
 	err = tx.
 		WithContext(ctx).
 		Where("id = ?", id).
 		Preload("CustomClaims").
 		Preload("Users").
 		First(&group).
 		Error
 	return group, err
 }
-func (s *UserGroupService) Delete(id string) error {
+func (s *UserGroupService) Delete(ctx context.Context, id string) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var group model.UserGroup
-	if err := s.db.Where("id = ?", id).First(&group).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		Where("id = ?", id).
 		First(&group).
 		Error
 	if err != nil {
 		return err
 	}
 	// Disallow deleting the group if it is an LDAP group and LDAP is enabled
-	if group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.IsTrue() {
+	if group.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
 		return &common.LdapUserGroupUpdateError{}
 	}
-	return s.db.Delete(&group).Error
+	err = tx.
 		WithContext(ctx).
 		Delete(&group).
 		Error
 	if err != nil {
 		return err
 	}
 	return tx.Commit().Error
 }
-func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
+func (s *UserGroupService) Create(ctx context.Context, input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
 	return s.createInternal(ctx, input, s.db)
 }
 func (s *UserGroupService) createInternal(ctx context.Context, input dto.UserGroupCreateDto, tx *gorm.DB) (group model.UserGroup, err error) {
 	group = model.UserGroup{
 		FriendlyName: input.FriendlyName,
 		Name:         input.Name,
@@ -71,7 +108,12 @@ func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.Use
 		group.LdapID = &input.LdapID
 	}
-	if err := s.db.Preload("Users").Create(&group).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Preload("Users").
 		Create(&group).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			return model.UserGroup{}, &common.AlreadyInUseError{Property: "name"}
 		}
@@ -80,31 +122,73 @@ func (s *UserGroupService) Create(input dto.UserGroupCreateDto) (group model.Use
 	return group, nil
 }
-func (s *UserGroupService) Update(id string, input dto.UserGroupCreateDto, allowLdapUpdate bool) (group model.UserGroup, err error) {
+func (s *UserGroupService) Update(ctx context.Context, id string, input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
-	group, err = s.Get(id)
+	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	group, err = s.updateInternal(ctx, id, input, false, tx)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	return group, nil
 }
 func (s *UserGroupService) updateInternal(ctx context.Context, id string, input dto.UserGroupCreateDto, isLdapSync bool, tx *gorm.DB) (group model.UserGroup, err error) {
 	group, err = s.getInternal(ctx, id, tx)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	// Disallow updating the group if it is an LDAP group and LDAP is enabled
-	if !allowLdapUpdate && group.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.IsTrue() {
+	if !isLdapSync && group.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
 		return model.UserGroup{}, &common.LdapUserGroupUpdateError{}
 	}
 	group.Name = input.Name
 	group.FriendlyName = input.FriendlyName
-	if err := s.db.Preload("Users").Save(&group).Error; err != nil {
+	err = tx.
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
+		WithContext(ctx).
-			return model.UserGroup{}, &common.AlreadyInUseError{Property: "name"}
+		Preload("Users").
-		}
+		Save(&group).
 		Error
 	if errors.Is(err, gorm.ErrDuplicatedKey) {
 		return model.UserGroup{}, &common.AlreadyInUseError{Property: "name"}
 	} else if err != nil {
 		return model.UserGroup{}, err
 	}
 	return group, nil
 }
-func (s *UserGroupService) UpdateUsers(id string, userIds []string) (group model.UserGroup, err error) {
+func (s *UserGroupService) UpdateUsers(ctx context.Context, id string, userIds []string) (group model.UserGroup, err error) {
-	group, err = s.Get(id)
+	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	group, err = s.updateUsersInternal(ctx, id, userIds, tx)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	return group, nil
 }
 func (s *UserGroupService) updateUsersInternal(ctx context.Context, id string, userIds []string, tx *gorm.DB) (group model.UserGroup, err error) {
 	group, err = s.getInternal(ctx, id, tx)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
@@ -112,28 +196,59 @@ func (s *UserGroupService) UpdateUsers(id string, userIds []string) (group model
 	// Fetch the users based on the userIds
 	var users []model.User
 	if len(userIds) > 0 {
-		if err := s.db.Where("id IN (?)", userIds).Find(&users).Error; err != nil {
+		err := tx.
 			WithContext(ctx).
 			Where("id IN (?)", userIds).
 			Find(&users).
 			Error
 		if err != nil {
 			return model.UserGroup{}, err
 		}
 	}
 	// Replace the current users with the new set of users
-	if err := s.db.Model(&group).Association("Users").Replace(users); err != nil {
+	err = tx.
 		WithContext(ctx).
 		Model(&group).
 		Association("Users").
 		Replace(users)
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	// Save the updated group
-	if err := s.db.Save(&group).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Save(&group).
 		Error
 	if err != nil {
 		return model.UserGroup{}, err
 	}
 	return group, nil
 }
-func (s *UserGroupService) GetUserCountOfGroup(id string) (int64, error) {
+func (s *UserGroupService) GetUserCountOfGroup(ctx context.Context, id string) (int64, error) {
 	// We only perform select queries here, so we can rollback in all cases
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var group model.UserGroup
-	if err := s.db.Preload("Users").Where("id = ?", id).First(&group).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		Preload("Users").
 		Where("id = ?", id).
 		First(&group).
 		Error
 	if err != nil {
 		return 0, err
 	}
-	return s.db.Model(&group).Association("Users").Count(), nil
+	count := tx.
 		WithContext(ctx).
 		Model(&group).
 		Association("Users").
 		Count()
 	return count, nil
 }
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -1,6 +1,8 @@
 package service
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -11,7 +13,7 @@ import (
 	"time"
 	"github.com/google/uuid"
-	profilepicture "github.com/pocket-id/pocket-id/backend/internal/utils/image"
+	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
@@ -19,7 +21,7 @@ import (
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
+	profilepicture "github.com/pocket-id/pocket-id/backend/internal/utils/image"
 )
 type UserService struct {
@@ -34,59 +36,110 @@ func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditL
 	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService, appConfigService: appConfigService}
 }
-func (s *UserService) ListUsers(searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
+func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
 	var users []model.User
-	query := s.db.Model(&model.User{})
+	query := s.db.WithContext(ctx).
 		Model(&model.User{}).
 		Preload("UserGroups").
 		Preload("CustomClaims")
 	if searchTerm != "" {
 		searchPattern := "%" + searchTerm + "%"
-		query = query.Where("email LIKE ? OR first_name LIKE ? OR username LIKE ?", searchPattern, searchPattern, searchPattern)
+		query = query.Where("email LIKE ? OR first_name LIKE ? OR last_name LIKE ? OR username LIKE ?",
 			searchPattern, searchPattern, searchPattern, searchPattern)
 	}
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &users)
 	return users, pagination, err
 }
-func (s *UserService) GetUser(userID string) (model.User, error) {
+func (s *UserService) GetUser(ctx context.Context, userID string) (model.User, error) {
 	return s.getUserInternal(ctx, userID, s.db)
 }
 func (s *UserService) getUserInternal(ctx context.Context, userID string, tx *gorm.DB) (model.User, error) {
 	var user model.User
-	err := s.db.Preload("UserGroups").Preload("CustomClaims").Where("id = ?", userID).First(&user).Error
+	err := tx.
 		WithContext(ctx).
 		Preload("UserGroups").
 		Preload("CustomClaims").
 		Where("id = ?", userID).
 		First(&user).
 		Error
 	return user, err
 }
-func (s *UserService) GetProfilePicture(userID string) (io.Reader, int64, error) {
+func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.ReadCloser, int64, error) {
 	// Validate the user ID to prevent directory traversal
 	if err := uuid.Validate(userID); err != nil {
 		return nil, 0, &common.InvalidUUIDError{}
 	}
 	// First check for a custom uploaded profile picture (userID.png)
 	profilePicturePath := common.EnvConfig.UploadPath + "/profile-pictures/" + userID + ".png"
 	file, err := os.Open(profilePicturePath)
 	if err == nil {
 		// Get the file size
 		fileInfo, err := file.Stat()
 		if err != nil {
 			file.Close()
 			return nil, 0, err
 		}
 		return file, fileInfo.Size(), nil
 	}
-	// If the file does not exist, return the default profile picture
+	// If no custom picture exists, get the user's data for creating initials
-	user, err := s.GetUser(userID)
+	user, err := s.GetUser(ctx, userID)
 	if err != nil {
 		return nil, 0, err
 	}
-	defaultPicture, err := profilepicture.CreateDefaultProfilePicture(user.FirstName, user.LastName)
+	// Check if we have a cached default picture for these initials
 	defaultProfilePicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults/"
 	defaultPicturePath := defaultProfilePicturesDir + user.Initials() + ".png"
 	file, err = os.Open(defaultPicturePath)
 	if err == nil {
 		fileInfo, err := file.Stat()
 		if err != nil {
 			file.Close()
 			return nil, 0, err
 		}
 		return file, fileInfo.Size(), nil
 	}
 	// If no cached default picture exists, create one and save it for future use
 	defaultPicture, err := profilepicture.CreateDefaultProfilePicture(user.Initials())
 	if err != nil {
 		return nil, 0, err
 	}
-	return defaultPicture, int64(defaultPicture.Len()), nil
+	// Save the default picture for future use (in a goroutine to avoid blocking)
 	defaultPictureBytes := defaultPicture.Bytes()
 	go func() {
 		// Ensure the directory exists
 		err = os.MkdirAll(defaultProfilePicturesDir, os.ModePerm)
 		if err != nil {
 			log.Printf("Failed to create directory for default profile picture: %v", err)
 			return
 		}
 		if err := utils.SaveFileStream(bytes.NewReader(defaultPictureBytes), defaultPicturePath); err != nil {
 			log.Printf("Failed to cache default profile picture for initials %s: %v", user.Initials(), err)
 		}
 	}()
 	return io.NopCloser(bytes.NewReader(defaultPictureBytes)), int64(defaultPicture.Len()), nil
 }
-func (s *UserService) GetUserGroups(userID string) ([]model.UserGroup, error) {
+func (s *UserService) GetUserGroups(ctx context.Context, userID string) ([]model.UserGroup, error) {
 	var user model.User
-	if err := s.db.Preload("UserGroups").Where("id = ?", userID).First(&user).Error; err != nil {
+	err := s.db.
 		WithContext(ctx).
 		Preload("UserGroups").
 		Where("id = ?", userID).
 		First(&user).
 		Error
 	if err != nil {
 		return nil, err
 	}
 	return user.UserGroups, nil
@@ -121,27 +174,64 @@ func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error
 	return nil
 }
-func (s *UserService) DeleteUser(userID string, allowLdapDelete bool) error {
+func (s *UserService) DeleteUser(ctx context.Context, userID string, allowLdapDelete bool) error {
 	return s.db.Transaction(func(tx *gorm.DB) error {
 		return s.deleteUserInternal(ctx, userID, allowLdapDelete, tx)
 	})
 }
 func (s *UserService) deleteUserInternal(ctx context.Context, userID string, allowLdapDelete bool, tx *gorm.DB) error {
 	var user model.User
-	if err := s.db.Where("id = ?", userID).First(&user).Error; err != nil {
+
-		return err
+	err := tx.
 		WithContext(ctx).
 		Where("id = ?", userID).
 		First(&user).
 		Error
 	if err != nil {
 		return fmt.Errorf("failed to load user to delete: %w", err)
 	}
-	// Disallow deleting the user if it is an LDAP user and LDAP is enabled
+	// Disallow deleting the user if it is an LDAP user, LDAP is enabled, and the user is not disabled
-	if !allowLdapDelete && user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.IsTrue() {
+	if !allowLdapDelete && !user.Disabled && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
 		return &common.LdapUserUpdateError{}
 	}
 	// Delete the profile picture
 	profilePicturePath := common.EnvConfig.UploadPath + "/profile-pictures/" + userID + ".png"
-	if err := os.Remove(profilePicturePath); err != nil && !os.IsNotExist(err) {
+	err = os.Remove(profilePicturePath)
 	if err != nil && !os.IsNotExist(err) {
 		return err
 	}
-	return s.db.Delete(&user).Error
+	err = tx.WithContext(ctx).Delete(&user).Error
 	if err != nil {
 		return fmt.Errorf("failed to delete user: %w", err)
 	}
 	return nil
 }
-func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
+func (s *UserService) CreateUser(ctx context.Context, input dto.UserCreateDto) (model.User, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	user, err := s.createUserInternal(ctx, input, false, tx)
 	if err != nil {
 		return model.User{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, err
 	}
 	return user, nil
 }
 func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCreateDto, isLdapSync bool, tx *gorm.DB) (model.User, error) {
 	user := model.User{
 		FirstName: input.FirstName,
 		LastName:  input.LastName,
@@ -154,53 +244,113 @@ func (s *UserService) CreateUser(input dto.UserCreateDto) (model.User, error) {
 		user.LdapID = &input.LdapID
 	}
-	if err := s.db.Create(&user).Error; err != nil {
+	err := tx.WithContext(ctx).Create(&user).Error
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
+	if errors.Is(err, gorm.ErrDuplicatedKey) {
-			return model.User{}, s.checkDuplicatedFields(user)
+		// Do not follow this path if we're using LDAP, as we don't want to roll-back the transaction here
 		if !isLdapSync {
 			tx.Rollback()
 			// If we are here, the transaction is already aborted due to an error, so we pass s.db
 			err = s.checkDuplicatedFields(ctx, user, s.db)
 		} else {
 			err = s.checkDuplicatedFields(ctx, user, tx)
 		}
 		return model.User{}, err
 	} else if err != nil {
 		return model.User{}, err
 	}
 	return user, nil
 }
-func (s *UserService) UpdateUser(userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, allowLdapUpdate bool) (model.User, error) {
+func (s *UserService) UpdateUser(ctx context.Context, userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, isLdapSync bool) (model.User, error) {
-	var user model.User
+	tx := s.db.Begin()
-	if err := s.db.Where("id = ?", userID).First(&user).Error; err != nil {
+	defer func() {
 		tx.Rollback()
 	}()
 	user, err := s.updateUserInternal(ctx, userID, updatedUser, updateOwnUser, isLdapSync, tx)
 	if err != nil {
 		return model.User{}, err
 	}
-	// Disallow updating the user if it is an LDAP group and LDAP is enabled
+	err = tx.Commit().Error
-	if !allowLdapUpdate && user.LdapID != nil && s.appConfigService.DbConfig.LdapEnabled.IsTrue() {
+	if err != nil {
-		return model.User{}, &common.LdapUserUpdateError{}
+		return model.User{}, err
 	}
-	user.FirstName = updatedUser.FirstName
+	return user, nil
-	user.LastName = updatedUser.LastName
+}
-	user.Email = updatedUser.Email
+
-	user.Username = updatedUser.Username
+func (s *UserService) updateUserInternal(ctx context.Context, userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, isLdapSync bool, tx *gorm.DB) (model.User, error) {
-	user.Locale = updatedUser.Locale
+	var user model.User
-	if !updateOwnUser {
+	err := tx.
-		user.IsAdmin = updatedUser.IsAdmin
+		WithContext(ctx).
 		Where("id = ?", userID).
 		First(&user).
 		Error
 	if err != nil {
 		return model.User{}, err
 	}
-	if err := s.db.Save(&user).Error; err != nil {
+	// Check if this is an LDAP user and LDAP is enabled
-		if errors.Is(err, gorm.ErrDuplicatedKey) {
+	isLdapUser := user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue()
-			return user, s.checkDuplicatedFields(user)
+
 	// For LDAP users, only allow updating the locale unless it's an LDAP sync
 	if !isLdapSync && isLdapUser {
 		// Only update the locale for LDAP users
 		user.Locale = updatedUser.Locale
 	} else {
 		user.FirstName = updatedUser.FirstName
 		user.LastName = updatedUser.LastName
 		user.Email = updatedUser.Email
 		user.Username = updatedUser.Username
 		user.Locale = updatedUser.Locale
 		if !updateOwnUser {
 			user.IsAdmin = updatedUser.IsAdmin
 			user.Disabled = updatedUser.Disabled
 		}
 	}
 	err = tx.
 		WithContext(ctx).
 		Save(&user).
 		Error
 	if errors.Is(err, gorm.ErrDuplicatedKey) {
 		// Do not follow this path if we're using LDAP, as we don't want to roll-back the transaction here
 		if !isLdapSync {
 			tx.Rollback()
 			// If we are here, the transaction is already aborted due to an error, so we pass s.db
 			err = s.checkDuplicatedFields(ctx, user, s.db)
 		} else {
 			err = s.checkDuplicatedFields(ctx, user, tx)
 		}
 		return user, err
 	} else if err != nil {
 		return user, err
 	}
 	return user, nil
 }
-func (s *UserService) RequestOneTimeAccessEmail(emailAddress, redirectPath string) error {
+func (s *UserService) RequestOneTimeAccessEmailAsAdmin(ctx context.Context, userID string, expiration time.Time) error {
-	isDisabled := !s.appConfigService.DbConfig.EmailOneTimeAccessEnabled.IsTrue()
+	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessAsAdminEnabled.IsTrue()
 	if isDisabled {
 		return &common.OneTimeAccessDisabledError{}
 	}
-	var user model.User
+	return s.requestOneTimeAccessEmailInternal(ctx, userID, "", expiration)
-	if err := s.db.Where("email = ?", emailAddress).First(&user).Error; err != nil {
+}
 func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context.Context, userID, redirectPath string) error {
 	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessAsUnauthenticatedEnabled.IsTrue()
 	if isDisabled {
 		return &common.OneTimeAccessDisabledError{}
 	}
 	var userId string
 	err := s.db.Model(&model.User{}).Select("id").Where("email = ?", userID).First(&userId).Error
 	if err != nil {
 		// Do not return error if user not found to prevent email enumeration
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return nil
@@ -209,41 +359,69 @@ func (s *UserService) RequestOneTimeAccessEmail(emailAddress, redirectPath strin
 		}
 	}
-	oneTimeAccessToken, err := s.CreateOneTimeAccessToken(user.ID, time.Now().Add(15*time.Minute))
+	expiration := time.Now().Add(15 * time.Minute)
 	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, expiration)
 }
 func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, userID, redirectPath string, expiration time.Time) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	user, err := s.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}
-	link := fmt.Sprintf("%s/lc", common.EnvConfig.AppURL)
+	oneTimeAccessToken, err := s.createOneTimeAccessTokenInternal(ctx, user.ID, expiration, tx)
-	linkWithCode := fmt.Sprintf("%s/%s", link, oneTimeAccessToken)
+	if err != nil {
-
+		return err
 	// Add redirect path to the link
 	if strings.HasPrefix(redirectPath, "/") {
 		encodedRedirectPath := url.QueryEscape(redirectPath)
 		linkWithCode = fmt.Sprintf("%s?redirect=%s", linkWithCode, encodedRedirectPath)
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return err
 	}
 	// We use a background context here as this is running in a goroutine
 	//nolint:contextcheck
 	go func() {
-		err := SendEmail(s.emailService, email.Address{
+		innerCtx := context.Background()
-			Name:  user.Username,
+
 		link := common.EnvConfig.AppURL + "/lc"
 		linkWithCode := link + "/" + oneTimeAccessToken
 		// Add redirect path to the link
 		if strings.HasPrefix(redirectPath, "/") {
 			encodedRedirectPath := url.QueryEscape(redirectPath)
 			linkWithCode = linkWithCode + "?redirect=" + encodedRedirectPath
 		}
 		errInternal := SendEmail(innerCtx, s.emailService, email.Address{
 			Name:  user.FullName(),
 			Email: user.Email,
 		}, OneTimeAccessTemplate, &OneTimeAccessTemplateData{
 			Code:              oneTimeAccessToken,
 			LoginLink:         link,
 			LoginLinkWithCode: linkWithCode,
 			ExpirationString:  utils.DurationToString(time.Until(expiration).Round(time.Second)),
 		})
-		if err != nil {
+		if errInternal != nil {
-			log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+			log.Printf("Failed to send email to '%s': %v\n", user.Email, errInternal)
 		}
 	}()
 	return nil
 }
-func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Time) (string, error) {
+func (s *UserService) CreateOneTimeAccessToken(ctx context.Context, userID string, expiresAt time.Time) (string, error) {
-	tokenLength := 16
+	return s.createOneTimeAccessTokenInternal(ctx, userID, expiresAt, s.db)
 }
 func (s *UserService) createOneTimeAccessTokenInternal(ctx context.Context, userID string, expiresAt time.Time, tx *gorm.DB) (string, error) {
 	// If expires at is less than 15 minutes, use an 6 character token instead of 16
 	tokenLength := 16
 	if time.Until(expiresAt) <= 15*time.Minute {
 		tokenLength = 6
 	}
@@ -259,16 +437,26 @@ func (s *UserService) CreateOneTimeAccessToken(userID string, expiresAt time.Tim
 		Token:     randomString,
 	}
-	if err := s.db.Create(&oneTimeAccessToken).Error; err != nil {
+	if err := tx.WithContext(ctx).Create(&oneTimeAccessToken).Error; err != nil {
 		return "", err
 	}
 	return oneTimeAccessToken.Token, nil
 }
-func (s *UserService) ExchangeOneTimeAccessToken(token string, ipAddress, userAgent string) (model.User, string, error) {
+func (s *UserService) ExchangeOneTimeAccessToken(ctx context.Context, token string, ipAddress, userAgent string) (model.User, string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var oneTimeAccessToken model.OneTimeAccessToken
-	if err := s.db.Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).Preload("User").First(&oneTimeAccessToken).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		Where("token = ? AND expires_at > ?", token, datatype.DateTime(time.Now())).Preload("User").
 		First(&oneTimeAccessToken).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return model.User{}, "", &common.TokenInvalidOrExpiredError{}
 		}
@@ -279,19 +467,33 @@ func (s *UserService) ExchangeOneTimeAccessToken(token string, ipAddress, userAg
 		return model.User{}, "", err
 	}
-	if err := s.db.Delete(&oneTimeAccessToken).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Delete(&oneTimeAccessToken).
 		Error
 	if err != nil {
 		return model.User{}, "", err
 	}
 	if ipAddress != "" && userAgent != "" {
-		s.auditLogService.Create(model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, oneTimeAccessToken.User.ID, model.AuditLogData{})
+		s.auditLogService.Create(ctx, model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, oneTimeAccessToken.User.ID, model.AuditLogData{}, tx)
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, "", err
 	}
 	return oneTimeAccessToken.User, accessToken, nil
 }
-func (s *UserService) UpdateUserGroups(id string, userGroupIds []string) (user model.User, err error) {
+func (s *UserService) UpdateUserGroups(ctx context.Context, id string, userGroupIds []string) (user model.User, err error) {
-	user, err = s.GetUser(id)
+	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	user, err = s.getUserInternal(ctx, id, tx)
 	if err != nil {
 		return model.User{}, err
 	}
@@ -299,27 +501,48 @@ func (s *UserService) UpdateUserGroups(id string, userGroupIds []string) (user m
 	// Fetch the groups based on userGroupIds
 	var groups []model.UserGroup
 	if len(userGroupIds) > 0 {
-		if err := s.db.Where("id IN (?)", userGroupIds).Find(&groups).Error; err != nil {
+		err = tx.
 			WithContext(ctx).
 			Where("id IN (?)", userGroupIds).
 			Find(&groups).
 			Error
 		if err != nil {
 			return model.User{}, err
 		}
 	}
 	// Replace the current groups with the new set of groups
-	if err := s.db.Model(&user).Association("UserGroups").Replace(groups); err != nil {
+	err = tx.
 		WithContext(ctx).
 		Model(&user).
 		Association("UserGroups").
 		Replace(groups)
 	if err != nil {
 		return model.User{}, err
 	}
 	// Save the updated user
-	if err := s.db.Save(&user).Error; err != nil {
+	err = tx.WithContext(ctx).Save(&user).Error
 	if err != nil {
 		return model.User{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, err
 	}
 	return user, nil
 }
-func (s *UserService) SetupInitialAdmin() (model.User, string, error) {
+func (s *UserService) SetupInitialAdmin(ctx context.Context) (model.User, string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var userCount int64
-	if err := s.db.Model(&model.User{}).Count(&userCount).Error; err != nil {
+	if err := tx.WithContext(ctx).Model(&model.User{}).Count(&userCount).Error; err != nil {
 		return model.User{}, "", err
 	}
 	if userCount > 1 {
@@ -334,7 +557,7 @@ func (s *UserService) SetupInitialAdmin() (model.User, string, error) {
 		IsAdmin:   true,
 	}
-	if err := s.db.Model(&model.User{}).Preload("Credentials").FirstOrCreate(&user).Error; err != nil {
+	if err := tx.WithContext(ctx).Model(&model.User{}).Preload("Credentials").FirstOrCreate(&user).Error; err != nil {
 		return model.User{}, "", err
 	}
@@ -347,16 +570,39 @@ func (s *UserService) SetupInitialAdmin() (model.User, string, error) {
 		return model.User{}, "", err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, "", err
 	}
 	return user, token, nil
 }
-func (s *UserService) checkDuplicatedFields(user model.User) error {
+func (s *UserService) checkDuplicatedFields(ctx context.Context, user model.User, tx *gorm.DB) error {
-	var existingUser model.User
+	var result struct {
-	if s.db.Where("id != ? AND email = ?", user.ID, user.Email).First(&existingUser).Error == nil {
+		Found bool
 	}
 	err := tx.
 		WithContext(ctx).
 		Raw(`SELECT EXISTS(SELECT 1 FROM users WHERE id != ? AND email = ?) AS found`, user.ID, user.Email).
 		First(&result).
 		Error
 	if err != nil {
 		return err
 	}
 	if result.Found {
 		return &common.AlreadyInUseError{Property: "email"}
 	}
-	if s.db.Where("id != ? AND username = ?", user.ID, user.Username).First(&existingUser).Error == nil {
+	err = tx.
 		WithContext(ctx).
 		Raw(`SELECT EXISTS(SELECT 1 FROM users WHERE id != ? AND username = ?) AS found`, user.ID, user.Username).
 		First(&result).
 		Error
 	if err != nil {
 		return err
 	}
 	if result.Found {
 		return &common.AlreadyInUseError{Property: "username"}
 	}
@@ -386,3 +632,12 @@ func (s *UserService) ResetProfilePicture(userID string) error {
 	return nil
 }
 func (s *UserService) disableUserInternal(ctx context.Context, userID string, tx *gorm.DB) error {
 	return tx.
 		WithContext(ctx).
 		Model(&model.User{}).
 		Where("id = ?", userID).
 		Update("disabled", true).
 		Error
 }
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -1,16 +1,19 @@
 package service
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )
 type WebAuthnService struct {
@@ -23,7 +26,7 @@ type WebAuthnService struct {
 func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, appConfigService *AppConfigService) *WebAuthnService {
 	webauthnConfig := &webauthn.Config{
-		RPDisplayName: appConfigService.DbConfig.AppName.Value,
+		RPDisplayName: appConfigService.GetDbConfig().AppName.Value,
 		RPID:          utils.GetHostnameFromURL(common.EnvConfig.AppURL),
 		RPOrigins:     []string{common.EnvConfig.AppURL},
 		Timeouts: webauthn.TimeoutsConfig{
@@ -40,18 +43,39 @@ func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *Au
 		},
 	}
 	wa, _ := webauthn.New(webauthnConfig)
-	return &WebAuthnService{db: db, webAuthn: wa, jwtService: jwtService, auditLogService: auditLogService, appConfigService: appConfigService}
+	return &WebAuthnService{
 		db:               db,
 		webAuthn:         wa,
 		jwtService:       jwtService,
 		auditLogService:  auditLogService,
 		appConfigService: appConfigService,
 	}
 }
-func (s *WebAuthnService) BeginRegistration(userID string) (*model.PublicKeyCredentialCreationOptions, error) {
+func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string) (*model.PublicKeyCredentialCreationOptions, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	s.updateWebAuthnConfig()
 	var user model.User
-	if err := s.db.Preload("Credentials").Find(&user, "id = ?", userID).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		Preload("Credentials").
 		Find(&user, "id = ?", userID).
 		Error
 	if err != nil {
 		tx.Rollback()
 		return nil, err
 	}
-	options, session, err := s.webAuthn.BeginRegistration(&user, webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired), webauthn.WithExclusions(user.WebAuthnCredentialDescriptors()))
+	options, session, err := s.webAuthn.BeginRegistration(
 		&user,
 		webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired),
 		webauthn.WithExclusions(user.WebAuthnCredentialDescriptors()),
 	)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +86,16 @@ func (s *WebAuthnService) BeginRegistration(userID string) (*model.PublicKeyCred
 		UserVerification: string(session.UserVerification),
 	}
-	if err := s.db.Create(&sessionToStore).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Create(&sessionToStore).
 		Error
 	if err != nil {
 		return nil, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
@@ -73,9 +106,18 @@ func (s *WebAuthnService) BeginRegistration(userID string) (*model.PublicKeyCred
 	}, nil
 }
-func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.Request) (model.WebauthnCredential, error) {
+func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, userID string, r *http.Request) (model.WebauthnCredential, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var storedSession model.WebauthnSession
-	if err := s.db.First(&storedSession, "id = ?", sessionID).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		First(&storedSession, "id = ?", sessionID).
 		Error
 	if err != nil {
 		return model.WebauthnCredential{}, err
 	}
@@ -86,7 +128,11 @@ func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.R
 	}
 	var user model.User
-	if err := s.db.Find(&user, "id = ?", userID).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Find(&user, "id = ?", userID).
 		Error
 	if err != nil {
 		return model.WebauthnCredential{}, err
 	}
@@ -108,7 +154,16 @@ func (s *WebAuthnService) VerifyRegistration(sessionID, userID string, r *http.R
 		BackupEligible:  credential.Flags.BackupEligible,
 		BackupState:     credential.Flags.BackupState,
 	}
-	if err := s.db.Create(&credentialToStore).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Create(&credentialToStore).
 		Error
 	if err != nil {
 		return model.WebauthnCredential{}, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.WebauthnCredential{}, err
 	}
@@ -125,7 +180,7 @@ func (s *WebAuthnService) determinePasskeyName(aaguid []byte) string {
 	return "New Passkey" // Default fallback
 }
-func (s *WebAuthnService) BeginLogin() (*model.PublicKeyCredentialRequestOptions, error) {
+func (s *WebAuthnService) BeginLogin(ctx context.Context) (*model.PublicKeyCredentialRequestOptions, error) {
 	options, session, err := s.webAuthn.BeginDiscoverableLogin()
 	if err != nil {
 		return nil, err
@@ -137,7 +192,11 @@ func (s *WebAuthnService) BeginLogin() (*model.PublicKeyCredentialRequestOptions
 		UserVerification: string(session.UserVerification),
 	}
-	if err := s.db.Create(&sessionToStore).Error; err != nil {
+	err = s.db.
 		WithContext(ctx).
 		Create(&sessionToStore).
 		Error
 	if err != nil {
 		return nil, err
 	}
@@ -148,9 +207,18 @@ func (s *WebAuthnService) BeginLogin() (*model.PublicKeyCredentialRequestOptions
 	}, nil
 }
-func (s *WebAuthnService) VerifyLogin(sessionID string, credentialAssertionData *protocol.ParsedCredentialAssertionData, ipAddress, userAgent string) (model.User, string, error) {
+func (s *WebAuthnService) VerifyLogin(ctx context.Context, sessionID string, credentialAssertionData *protocol.ParsedCredentialAssertionData, ipAddress, userAgent string) (model.User, string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var storedSession model.WebauthnSession
-	if err := s.db.First(&storedSession, "id = ?", sessionID).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		First(&storedSession, "id = ?", sessionID).
 		Error
 	if err != nil {
 		return model.User{}, "", err
 	}
@@ -160,9 +228,14 @@ func (s *WebAuthnService) VerifyLogin(sessionID string, credentialAssertionData
 	}
 	var user *model.User
-	_, err := s.webAuthn.ValidateDiscoverableLogin(func(_, userHandle []byte) (webauthn.User, error) {
+	_, err = s.webAuthn.ValidateDiscoverableLogin(func(_, userHandle []byte) (webauthn.User, error) {
-		if err := s.db.Preload("Credentials").First(&user, "id = ?", string(userHandle)).Error; err != nil {
+		innerErr := tx.
-			return nil, err
+			WithContext(ctx).
 			Preload("Credentials").
 			First(&user, "id = ?", string(userHandle)).
 			Error
 		if innerErr != nil {
 			return nil, innerErr
 		}
 		return user, nil
 	}, session, credentialAssertionData)
@@ -171,46 +244,78 @@ func (s *WebAuthnService) VerifyLogin(sessionID string, credentialAssertionData
 		return model.User{}, "", err
 	}
 	if user.Disabled {
 		return model.User{}, "", &common.UserDisabledError{}
 	}
 	token, err := s.jwtService.GenerateAccessToken(*user)
 	if err != nil {
 		return model.User{}, "", err
 	}
-	s.auditLogService.CreateNewSignInWithEmail(ipAddress, userAgent, user.ID)
+	s.auditLogService.CreateNewSignInWithEmail(ctx, ipAddress, userAgent, user.ID, tx)
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, "", err
 	}
 	return *user, token, nil
 }
-func (s *WebAuthnService) ListCredentials(userID string) ([]model.WebauthnCredential, error) {
+func (s *WebAuthnService) ListCredentials(ctx context.Context, userID string) ([]model.WebauthnCredential, error) {
 	var credentials []model.WebauthnCredential
-	if err := s.db.Find(&credentials, "user_id = ?", userID).Error; err != nil {
+	err := s.db.
 		WithContext(ctx).
 		Find(&credentials, "user_id = ?", userID).
 		Error
 	if err != nil {
 		return nil, err
 	}
 	return credentials, nil
 }
-func (s *WebAuthnService) DeleteCredential(userID, credentialID string) error {
+func (s *WebAuthnService) DeleteCredential(ctx context.Context, userID, credentialID string) error {
-	var credential model.WebauthnCredential
+	err := s.db.
-	if err := s.db.First(&credential, "id = ? AND user_id = ?", credentialID, userID).Error; err != nil {
+		WithContext(ctx).
-		return err
+		Where("id = ? AND user_id = ?", credentialID, userID).
-	}
+		Delete(&model.WebauthnCredential{}).
-
+		Error
-	if err := s.db.Delete(&credential).Error; err != nil {
+	if err != nil {
-		return err
+		return fmt.Errorf("failed to delete record: %w", err)
 	}
 	return nil
 }
-func (s *WebAuthnService) UpdateCredential(userID, credentialID, name string) (model.WebauthnCredential, error) {
+func (s *WebAuthnService) UpdateCredential(ctx context.Context, userID, credentialID, name string) (model.WebauthnCredential, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var credential model.WebauthnCredential
-	if err := s.db.Where("id = ? AND user_id = ?", credentialID, userID).First(&credential).Error; err != nil {
+	err := tx.
 		WithContext(ctx).
 		Where("id = ? AND user_id = ?", credentialID, userID).
 		First(&credential).
 		Error
 	if err != nil {
 		return credential, err
 	}
 	credential.Name = name
-	if err := s.db.Save(&credential).Error; err != nil {
+	err = tx.
 		WithContext(ctx).
 		Save(&credential).
 		Error
 	if err != nil {
 		return credential, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return credential, err
 	}
@@ -219,5 +324,5 @@ func (s *WebAuthnService) UpdateCredential(userID, credentialID, name string) (m
 // updateWebAuthnConfig updates the WebAuthn configuration with the app name as it can change during runtime
 func (s *WebAuthnService) updateWebAuthnConfig() {
-	s.webAuthn.Config.RPDisplayName = s.appConfigService.DbConfig.AppName.Value
+	s.webAuthn.Config.RPDisplayName = s.appConfigService.GetDbConfig().AppName.Value
 }
--- a/backend/internal/utils/aaguid_util.go
+++ b/backend/internal/utils/aaguid_util.go
@@ -12,9 +12,13 @@ import (
 var (
 	aaguidMap     map[string]string
-	aaguidMapOnce sync.Once
+	aaguidMapOnce *sync.Once
 )
 func init() {
 	aaguidMapOnce = &sync.Once{}
 }
 // FormatAAGUID converts an AAGUID byte slice to UUID string format
 func FormatAAGUID(aaguid []byte) string {
 	if len(aaguid) == 0 {
--- a/backend/internal/utils/aaguid_util_test.go
+++ b/backend/internal/utils/aaguid_util_test.go
@@ -47,8 +47,10 @@ func TestFormatAAGUID(t *testing.T) {
 func TestGetAuthenticatorName(t *testing.T) {
 	// Reset the aaguidMap for testing
 	originalMap := aaguidMap
 	originalOnce := aaguidMapOnce
 	defer func() {
 		aaguidMap = originalMap
 		aaguidMapOnce = originalOnce
 	}()
 	// Inject a test AAGUID map
@@ -56,7 +58,7 @@ func TestGetAuthenticatorName(t *testing.T) {
 		"adce0002-35bc-c60a-648b-0b25f1f05503": "Test Authenticator",
 		"00000000-0000-0000-0000-000000000000": "Zero Authenticator",
 	}
-	aaguidMapOnce = sync.Once{}
+	aaguidMapOnce = &sync.Once{}
 	aaguidMapOnce.Do(func() {}) // Mark as done to avoid loading from file
 	tests := []struct {
@@ -99,7 +101,7 @@ func TestGetAuthenticatorName(t *testing.T) {
 func TestLoadAAGUIDsFromFile(t *testing.T) {
 	// Reset the map and once flag for clean testing
 	aaguidMap = nil
-	aaguidMapOnce = sync.Once{}
+	aaguidMapOnce = &sync.Once{}
 	// Trigger loading of AAGUIDs by calling GetAuthenticatorName
 	GetAuthenticatorName([]byte{0x01, 0x02, 0x03, 0x04})
--- a/backend/internal/utils/date_time_util.go
+++ b/backend/internal/utils/date_time_util.go
@@ -0,0 +1,52 @@
 package utils
 import (
 	"fmt"
 	"time"
 )
 // DurationToString converts a time.Duration to a human-readable string. Respects minutes, hours and days.
 func DurationToString(duration time.Duration) string {
 	// For a duration less than a day
 	if duration < 24*time.Hour {
 		hours := int(duration.Hours())
 		mins := int(duration.Minutes()) % 60
 		switch hours {
 		case 0:
 			return fmt.Sprintf("%d minutes", mins)
 		case 1:
 			if mins == 0 {
 				return "1 hour"
 			}
 			return fmt.Sprintf("1 hour and %d minutes", mins)
 		default:
 			if mins == 0 {
 				return fmt.Sprintf("%d hours", hours)
 			}
 			return fmt.Sprintf("%d hours and %d minutes", hours, mins)
 		}
 	} else {
 		// For durations of a day or more
 		days := int(duration.Hours() / 24)
 		hours := int(duration.Hours()) % 24
 		switch hours {
 		case 0:
 			if days == 1 {
 				return "1 day"
 			}
 			return fmt.Sprintf("%d days", days)
 		case 1:
 			if days == 1 {
 				return "1 day and 1 hour"
 			}
 			return fmt.Sprintf("%d days and 1 hour", days)
 		default:
 			if days == 1 {
 				return fmt.Sprintf("1 day and %d hours", hours)
 			}
 			return fmt.Sprintf("%d days and %d hours", days, hours)
 		}
 	}
 }
--- a/backend/internal/utils/file_util.go
+++ b/backend/internal/utils/file_util.go
@@ -3,14 +3,12 @@ package utils
 import (
 	"errors"
 	"fmt"
 	"hash/crc64"
 	"io"
 	"mime/multipart"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
@@ -32,6 +30,8 @@ func GetImageMimeType(ext string) string {
 		return "image/svg+xml"
 	case "ico":
 		return "image/x-icon"
 	case "gif":
 		return "image/gif"
 	default:
 		return ""
 	}
@@ -80,22 +80,7 @@ func SaveFile(file *multipart.FileHeader, dst string) error {
 // SaveFileStream saves a stream to a file.
 func SaveFileStream(r io.Reader, dstFileName string) error {
 	// Our strategy is to save to a separate file and then rename it to override the original file
-	// First, get a temp file name that doesn't exist already
+	tmpFileName := dstFileName + "." + uuid.NewString() + "-tmp"
 	var tmpFileName string
 	var i int64
 	for {
 		seed := strconv.FormatInt(time.Now().UnixNano()+i, 10)
 		suffix := crc64.Checksum([]byte(dstFileName+seed), crc64.MakeTable(crc64.ISO))
 		tmpFileName = dstFileName + "." + strconv.FormatUint(suffix, 10)
 		exists, err := FileExists(tmpFileName)
 		if err != nil {
 			return fmt.Errorf("failed to check if file '%s' exists: %w", tmpFileName, err)
 		}
 		if !exists {
 			break
 		}
 		i++
 	}
 	// Write to the temporary file
 	tmpFile, err := os.Create(tmpFileName)
--- a/backend/internal/utils/image/profile_picture.go
+++ b/backend/internal/utils/image/profile_picture.go
@@ -6,7 +6,6 @@ import (
 	"image"
 	"image/color"
 	"io"
 	"strings"
 	"github.com/disintegration/imageorient"
 	"github.com/disintegration/imaging"
@@ -42,17 +41,7 @@ func CreateProfilePicture(file io.Reader) (io.Reader, error) {
 }
 // CreateDefaultProfilePicture creates a profile picture with the initials
-func CreateDefaultProfilePicture(firstName, lastName string) (*bytes.Buffer, error) {
+func CreateDefaultProfilePicture(initials string) (*bytes.Buffer, error) {
 	// Get the initials
 	initials := ""
 	if len(firstName) > 0 {
 		initials += string(firstName[0])
 	}
 	if len(lastName) > 0 {
 		initials += string(lastName[0])
 	}
 	initials = strings.ToUpper(initials)
 	// Create a blank image with a white background
 	img := imaging.New(profilePictureSize, profilePictureSize, color.RGBA{R: 255, G: 255, B: 255, A: 255})
--- a/backend/internal/utils/paging_util.go
+++ b/backend/internal/utils/paging_util.go
@@ -5,6 +5,7 @@ import (
 	"strconv"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 )
 type PaginationResponse struct {
@@ -36,11 +37,15 @@ func PaginateAndSort(sortedPaginationRequest SortedPaginationRequest, query *gor
 	isValidSortOrder := sort.Direction == "asc" || sort.Direction == "desc"
 	if sortFieldFound && isSortable && isValidSortOrder {
-		query = query.Order(CamelCaseToSnakeCase(sort.Column) + " " + sort.Direction)
+		columnName := CamelCaseToSnakeCase(sort.Column)
 		query = query.Clauses(clause.OrderBy{
 			Columns: []clause.OrderByColumn{
 				{Column: clause.Column{Name: columnName}, Desc: sort.Direction == "desc"},
 			},
 		})
 	}
 	return Paginate(pagination.Page, pagination.Limit, query, result)
 }
 func Paginate(page int, pageSize int, query *gorm.DB, result interface{}) (PaginationResponse, error) {
--- a/backend/internal/utils/ptr_util.go
+++ b/backend/internal/utils/ptr_util.go
@@ -0,0 +1,5 @@
 package utils
 func Ptr[T any](v T) *T {
 	return &v
 }
--- a/backend/internal/utils/servicerunner.go
+++ b/backend/internal/utils/servicerunner.go
@@ -0,0 +1,58 @@
 package utils
 import (
 	"context"
 	"errors"
 )
 // Source:
 // https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/pkg/utils/servicerunner.go
 // Copyright (c) 2018, Thom Seddon & Contributors Copyright (c) 2023, Alessandro Segala & Contributors
 // License: MIT (https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/LICENSE.md)
 // Service is a background service
 type Service func(ctx context.Context) error
 // ServiceRunner oversees a number of services running in background
 type ServiceRunner struct {
 	services []Service
 }
 // NewServiceRunner creates a new ServiceRunner
 func NewServiceRunner(services ...Service) *ServiceRunner {
 	return &ServiceRunner{
 		services: services,
 	}
 }
 // Run all background services
 func (r *ServiceRunner) Run(ctx context.Context) error {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	errCh := make(chan error)
 	for _, service := range r.services {
 		go func(service Service) {
 			// Run the service
 			rErr := service(ctx)
 			// Ignore context canceled errors here as they generally indicate that the service is stopping
 			if rErr != nil && !errors.Is(rErr, context.Canceled) {
 				errCh <- rErr
 				return
 			}
 			errCh <- nil
 		}(service)
 	}
 	// Wait for all services to return
 	errs := make([]error, 0)
 	for range len(r.services) {
 		err := <-errCh
 		if err != nil {
 			errs = append(errs, err)
 		}
 	}
 	return errors.Join(errs...)
 }
--- a/backend/internal/utils/servicerunner_test.go
+++ b/backend/internal/utils/servicerunner_test.go
@@ -0,0 +1,125 @@
 package utils
 import (
 	"context"
 	"errors"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 )
 // Source:
 // https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/pkg/utils/servicerunner.go
 // Copyright (c) 2018, Thom Seddon & Contributors Copyright (c) 2023, Alessandro Segala & Contributors
 // License: MIT (https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/LICENSE.md)
 func TestServiceRunner_Run(t *testing.T) {
 	t.Run("successful services", func(t *testing.T) {
 		// Create a service that just returns no error after 0.2s
 		successService := func(ctx context.Context) error {
 			time.Sleep(200 * time.Millisecond)
 			return nil
 		}
 		// Create a service runner with two success services
 		runner := NewServiceRunner(successService, successService)
 		// Run the services with a timeout to avoid hanging if something goes wrong
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should return nil when all services succeed
 		err := runner.Run(ctx)
 		require.NoError(t, err)
 	})
 	t.Run("service with error", func(t *testing.T) {
 		// Create a service that returns an error
 		expectedErr := errors.New("service failed")
 		errorService := func(ctx context.Context) error {
 			return expectedErr
 		}
 		// Create a service runner with one error service and one success service
 		successService := func(ctx context.Context) error {
 			time.Sleep(200 * time.Millisecond)
 			return nil
 		}
 		runner := NewServiceRunner(errorService, successService)
 		// Run the services with a timeout
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should return the error
 		err := runner.Run(ctx)
 		require.Error(t, err)
 		// The error should contain our expected error
 		require.ErrorIs(t, err, expectedErr)
 	})
 	t.Run("context canceled", func(t *testing.T) {
 		// Create a service that waits until context is canceled
 		waitingService := func(ctx context.Context) error {
 			<-ctx.Done()
 			return ctx.Err()
 		}
 		// Create another service that returns no error quickly
 		quickService := func(ctx context.Context) error {
 			return nil
 		}
 		runner := NewServiceRunner(waitingService, quickService)
 		// Create a context that we can cancel
 		ctx, cancel := context.WithCancel(t.Context())
 		// Run the runner in a goroutine
 		errCh := make(chan error)
 		go func() {
 			errCh <- runner.Run(ctx)
 		}()
 		// Cancel the context to trigger service shutdown
 		cancel()
 		// Wait for the runner to finish with a timeout
 		select {
 		case err := <-errCh:
 			require.NoError(t, err, "expected nil error (context.Canceled should be ignored)")
 		case <-time.After(5 * time.Second):
 			t.Fatal("test timed out waiting for runner to finish")
 		}
 	})
 	t.Run("multiple errors", func(t *testing.T) {
 		// Create two services that return different errors
 		err1 := errors.New("error 1")
 		err2 := errors.New("error 2")
 		service1 := func(ctx context.Context) error {
 			return err1
 		}
 		service2 := func(ctx context.Context) error {
 			return err2
 		}
 		runner := NewServiceRunner(service1, service2)
 		// Run the services
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should join all errors
 		err := runner.Run(ctx)
 		require.Error(t, err)
 		// Check that both errors are included
 		require.ErrorIs(t, err, err1)
 		require.ErrorIs(t, err, err2)
 	})
 }
--- a/backend/internal/utils/signals/signal.go
+++ b/backend/internal/utils/signals/signal.go
@@ -0,0 +1,40 @@
 package signals
 import (
 	"context"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
 )
 /*
 This code is adapted from:
 https://github.com/kubernetes-sigs/controller-runtime/blob/8499b67e316a03b260c73f92d0380de8cd2e97a1/pkg/manager/signals/signal.go
 Copyright 2017 The Kubernetes Authors.
 License: Apache2 (https://github.com/kubernetes-sigs/controller-runtime/blob/8499b67e316a03b260c73f92d0380de8cd2e97a1/LICENSE)
 */
 var onlyOneSignalHandler = make(chan struct{})
 // SignalContext returns a context that is canceled when the application receives an interrupt signal.
 // A second signal forces an immediate shutdown.
 func SignalContext(parentCtx context.Context) context.Context {
 	close(onlyOneSignalHandler) // Panics when called twice
 	ctx, cancel := context.WithCancel(parentCtx)
 	sigCh := make(chan os.Signal, 2)
 	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		<-sigCh
 		log.Println("Received interrupt signal. Shutting down…")
 		cancel()
 		<-sigCh
 		log.Println("Received a second interrupt signal. Forcing an immediate shutdown.")
 		os.Exit(1)
 	}()
 	return ctx
 }
--- a/backend/internal/utils/string_util.go
+++ b/backend/internal/utils/string_util.go
@@ -102,3 +102,16 @@ func CamelCaseToScreamingSnakeCase(s string) string {
 	// Convert to uppercase
 	return strings.ToUpper(snake)
 }
 // GetFirstCharacter returns the first non-whitespace character of the string, correctly handling Unicode
 func GetFirstCharacter(str string) string {
 	for _, c := range str {
 		if unicode.IsSpace(c) {
 			continue
 		}
 		return string(c)
 	}
 	// Empty string case
 	return ""
 }
--- a/backend/internal/utils/string_util_test.go
+++ b/backend/internal/utils/string_util_test.go
@@ -103,3 +103,28 @@ func TestCamelCaseToSnakeCase(t *testing.T) {
 		})
 	}
 }
 func TestGetFirstCharacter(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{"empty string", "", ""},
 		{"single character", "a", "a"},
 		{"multiple characters", "hello", "h"},
 		{"unicode character", "étoile", "é"},
 		{"special character", "!test", "!"},
 		{"number as first character", "123abc", "1"},
 		{"whitespace as first character", " hello", "h"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := GetFirstCharacter(tt.input)
 			if result != tt.expected {
 				t.Errorf("GetFirstCharacter(%q) = %q, want %q", tt.input, result, tt.expected)
 			}
 		})
 	}
 }
--- a/backend/main
+++ b/backend/main
--- a/backend/resources/aaguids.json
+++ b/backend/resources/aaguids.json
--- a/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
@@ -0,0 +1,17 @@
 {{ define "base" }}
    <div class="header">
        <div class="logo">
            <img src="{{ .LogoURL }}" alt="{{ .AppName }}" width="32" height="32" style="width: 32px; height: 32px; max-width: 32px;"/>
            <h1>{{ .AppName }}</h1>
        </div>
        <div class="warning">Warning</div>
    </div>
    <div class="content">
        <h2>API Key Expiring Soon</h2>
        <p>
            Hello {{ .Data.Name }},<br/><br/>
            This is a reminder that your API key <strong>{{ .Data.ApiKeyName }}</strong> will expire on <strong>{{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}</strong>.<br/><br/>
            Please generate a new API key if you need continued access.
        </p>
    </div>
 {{ end }}
--- a/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
@@ -0,0 +1,10 @@
 {{ define "base" -}}
 API Key Expiring Soon
 ====================
 Hello {{ .Data.Name }},
 This is a reminder that your API key "{{ .Data.ApiKeyName }}" will expire on {{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}.
 Please generate a new API key if you need continued access.
 {{ end -}}
--- a/backend/resources/email-templates/one-time-access_html.tmpl
+++ b/backend/resources/email-templates/one-time-access_html.tmpl
@@ -8,7 +8,7 @@
    <div class="content">
        <h2>Login Code</h2>
        <p class="message">
-            Click the button below to sign in to {{ .AppName }} with a login code.</br>Or visit <a href="{{ .Data.LoginLink }}">{{ .Data.LoginLink }}</a> and enter the code <strong>{{ .Data.Code }}</strong>.</br></br>This code expires in 15 minutes.
+            Click the button below to sign in to {{ .AppName }} with a login code.</br>Or visit <a href="{{ .Data.LoginLink }}">{{ .Data.LoginLink }}</a> and enter the code <strong>{{ .Data.Code }}</strong>.</br></br>This code expires in {{.Data.ExpirationString}}.
        </p>
        <div class="button-container">
            <a class="button" href="{{ .Data.LoginLinkWithCode }}" class="button">Sign In</a>
--- a/backend/resources/email-templates/one-time-access_text.tmpl
+++ b/backend/resources/email-templates/one-time-access_text.tmpl
@@ -2,7 +2,7 @@
 Login Code
 ====================
-Click the link below to sign in to {{ .AppName }} with a login code. This code expires in 15 minutes.
+Click the link below to sign in to {{ .AppName }} with a login code. This code expires in {{.Data.ExpirationString}}.
 {{ .Data.LoginLinkWithCode }}
--- a/backend/resources/migrations/postgres/20250403082322_audit_logs_indexes.down.sql
+++ b/backend/resources/migrations/postgres/20250403082322_audit_logs_indexes.down.sql
@@ -0,0 +1,3 @@
 DROP INDEX IF EXISTS idx_audit_logs_event;
 DROP INDEX IF EXISTS idx_audit_logs_user_id;
 DROP INDEX IF EXISTS idx_audit_logs_client_name;
--- a/backend/resources/migrations/postgres/20250403082322_audit_logs_indexes.up.sql
+++ b/backend/resources/migrations/postgres/20250403082322_audit_logs_indexes.up.sql
@@ -0,0 +1,3 @@
 CREATE INDEX idx_audit_logs_event ON audit_logs(event);
 CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs(("data"->>'clientName'));
--- a/backend/resources/migrations/postgres/20250408120918_app_config_cols.down.sql
+++ b/backend/resources/migrations/postgres/20250408120918_app_config_cols.down.sql
@@ -0,0 +1,4 @@
 ALTER TABLE app_config_variables ADD type VARCHAR(20) NOT NULL,;
 ALTER TABLE app_config_variables ADD is_public BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD is_internal BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD default_value TEXT;
--- a/backend/resources/migrations/postgres/20250408120918_app_config_cols.up.sql
+++ b/backend/resources/migrations/postgres/20250408120918_app_config_cols.up.sql
@@ -0,0 +1,4 @@
 ALTER TABLE app_config_variables DROP type;
 ALTER TABLE app_config_variables DROP is_public;
 ALTER TABLE app_config_variables DROP is_internal;
 ALTER TABLE app_config_variables DROP default_value;
--- a/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.down.sql
+++ b/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.down.sql
@@ -0,0 +1,4 @@
 DROP INDEX idx_users_disabled;
 ALTER TABLE users
 DROP COLUMN disabled;
--- a/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.up.sql
+++ b/backend/resources/migrations/postgres/20250412000000_add_user_disabled_field.up.sql
@@ -0,0 +1,2 @@
 ALTER TABLE users
 ADD COLUMN IF NOT EXISTS disabled BOOLEAN DEFAULT FALSE NOT NULL;
--- a/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
+++ b/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.down.sql
@@ -0,0 +1,2 @@
 ALTER TABLE api_keys
 DROP COLUMN IF EXISTS expiration_email_sent;
--- a/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
+++ b/backend/resources/migrations/postgres/20250417120000_add_expiration_email_sent_to_api_keys.up.sql
@@ -0,0 +1,2 @@
 ALTER TABLE api_keys
 ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT FALSE;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	f4281e4f69	release: 0.52.0	2025-05-06 22:14:39 +02:00
Alessandro (Ale) Segala	3c87e4ec14	feat: add healthz endpoint (#494 )	2025-05-06 22:14:18 +02:00
Elias Schneider	c55fef057c	fix: correctly set script permissions inside Docker container	2025-05-06 21:18:45 +02:00
Daenney	6f54ee5d66	feat: OpenTelemetry tracing and metrics (#262 ) (#495 ) Co-authored-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>	2025-05-05 15:59:44 +02:00
github-actions[bot]	9efab5f3e8	chore: update AAGUIDs (#507 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-05-05 15:38:26 +02:00
Elias Schneider	364f5b38b9	ci/cd: create a PR instead of commiting for update aaguids workflow	2025-05-05 09:38:55 +02:00
Kyle Mendell	5d78445501	ci/cd: build frontend to include paraglide before running svelte-check	2025-05-04 10:08:01 -05:00
Kyle Mendell	8ec2388269	ci/cd: add svelte-check workflow for the frontend	2025-05-03 21:48:25 -05:00
Elias Schneider	dbacdb5bf0	release: 0.51.1	2025-05-03 23:42:47 +02:00
Elias Schneider	f4c6cff461	refactor: fix type errors	2025-05-03 23:42:17 +02:00
Elias Schneider	0b9cbf47e3	fix: allow LDAP users to update their locale	2025-05-03 23:32:56 +02:00
Alessandro (Ale) Segala	bda178c2bb	refactor: complete graceful shutdown implementation and add service runner (#493 )	2025-05-03 23:25:22 +02:00
Elias Schneider	6bd6cefaa6	fix: non admin users weren't able to call the end session endpoint	2025-05-03 22:53:55 +02:00
dependabot[bot]	83be1e0b49	chore(deps-dev): bump vite from 6.2.6 to 6.3.4 in /frontend in the npm_and_yarn group across 1 directory (#496 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-30 14:53:30 -05:00
Kyle Mendell	cf3fe0be84	fix: last name still showing as required on account form (#492 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-29 20:24:16 +02:00
Elias Schneider	ec76e1c111	chore(translations): update translations via Crowdin (#491 )	2025-04-29 00:04:12 -05:00
Elias Schneider	6004f84845	release: 0.51.0	2025-04-28 11:15:52 +02:00
Alessandro (Ale) Segala	3ec98736cf	refactor: graceful shutdown for server (#482 )	2025-04-28 11:13:50 +02:00
Elias Schneider	ce24372c57	fix: do not require PKCE for public clients	2025-04-28 11:02:35 +02:00
Elias Schneider	4614769b84	refactor: reorganize imports	2025-04-28 10:49:54 +02:00
Elias Schneider	86d2b5f59f	fix: return correct error message if user isn't authorized	2025-04-28 10:39:17 +02:00
Elias Schneider	1efd1d182d	fix: hide global audit log switch for non admin users	2025-04-28 10:38:53 +02:00
Elias Schneider	0a24ab8001	fix: updating scopes of an authorized client fails with Postgres	2025-04-28 09:29:18 +02:00
James18232	02cacba5c5	feat: new login code card position for mobile devices (#452 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-28 04:04:48 +00:00
Elias Schneider	38653e2aa4	chore(translations): update translations via Crowdin (#485 )	2025-04-27 23:00:37 -05:00
Elias Schneider	8cc9b159a5	release: 0.50.0	2025-04-27 21:58:28 +02:00
James Baker	990c8af3d1	Fix incorrectly swapped refreshToken and accessToken (#490 )	2025-04-27 14:09:07 -05:00
Alessandro (Ale) Segala	4c33793678	fix: pass context to methods that were missing it (#487 )	2025-04-26 12:32:42 -05:00
Elias Schneider	9e06f70380	chore(translations): update translations via Crowdin (#479 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-25 12:21:59 -05:00
Kyle Mendell	22f7d64bf0	feat: device authorization endpoint (#270 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-25 12:14:51 -05:00
Kyle Mendell	630327c979	feat: make family name optional (#476 )	2025-04-25 09:52:09 -05:00
Alessandro (Ale) Segala	662506260e	refactor: do not force redirects to happen on the server (#481 )	2025-04-24 21:09:52 +02:00
Star_caorui	8e66af627a	chore(translations): Add Simplified Chinese translation. (#473 )	2025-04-23 18:39:37 +00:00
Alessandro (Ale) Segala	270c30334d	fix: prevent deadlock when trying to delete LDAP users (#471 )	2025-04-22 15:16:44 +02:00
Elias Schneider	c73c3ceb5e	chore(translations): update translations via Crowdin (#468 )	2025-04-21 23:02:10 -05:00
Alessandro (Ale) Segala	22725d30f4	fix: do not override XDG_DATA_HOME/XDG_CONFIG_HOME if they are already set (#472 )	2025-04-21 22:58:32 -05:00
eiqnepm	76b753f9f2	fix: rootless Caddy data and configuration (#470 )	2025-04-21 13:15:51 +02:00
Elias Schneider	453a765107	release: 0.49.0	2025-04-20 20:00:09 +02:00
Elias Schneider	f03645d545	chore(translations): update translations via Crowdin (#467 )	2025-04-20 17:59:49 +00:00
Elias Schneider	55273d68c9	chore(translations): fix typo in key	2025-04-20 19:51:12 +02:00
Elias Schneider	4e05b82f02	fix: hide alternative sign in button if user is already authenticated	2025-04-20 19:03:58 +02:00
Elias Schneider	2597907578	refactor: fix type errors	2025-04-20 18:54:45 +02:00
Kyle Mendell	debef9a66b	ci/cd: setup caching and improve ci job performance (#465 )	2025-04-20 11:48:46 -05:00
Elias Schneider	9122e75101	feat: add ability to disable API key expiration email	2025-04-20 18:41:03 +02:00
Elias Schneider	fe1c4b18cd	feat: add ability to send login code via email (#457 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-20 18:32:40 +02:00
Elias Schneider	e571996cb5	fix: disable animations not respected on authorize and logout page	2025-04-20 17:04:00 +02:00
Elias Schneider	fb862d3ec3	chore(translations): update translations via Crowdin (#459 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-20 09:43:27 -05:00
Kyle Mendell	26f01f205b	feat: send email to user when api key expires within 7 days (#451 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-20 14:40:20 +00:00
Elias Schneider	c37a3e0ed1	fix: remove limit of 20 callback URLs	2025-04-20 16:32:11 +02:00
Elias Schneider	eb689eb56e	feat: add description to callback URL inputs	2025-04-20 00:32:27 +02:00
Elias Schneider	60bad9e985	fix: locale change in dropdown doesn't work on first try	2025-04-20 00:31:33 +02:00
Elias Schneider	e21ee8a871	chore: add kmendell to `FUNDING.yml`	2025-04-19 18:51:01 +02:00
Elias Schneider	04006eb5cc	release: 0.48.0	2025-04-18 18:34:52 +02:00
Elias Schneider	84f1d5c906	fix: user querying fails on global audit log page with Postgres	2025-04-18 18:33:14 +02:00
Elias Schneider	983e989be1	chore(translations): update translations via Crowdin (#456 )	2025-04-18 18:21:04 +02:00
Kyle Mendell	c843a60131	feat: disable/enable users (#437 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-18 15:38:50 +00:00
Elias Schneider	56a8b5d0c0	feat: add gif support for logo and background image	2025-04-18 17:31:04 +02:00
Elias Schneider	f0dce41fbc	fix: callback URL doesn't get rejected if it starts with a different string	2025-04-17 20:52:58 +02:00
Elias Schneider	0111a58dac	fix: add "type" as reserved claim	2025-04-17 20:41:21 +02:00
Elias Schneider	50e4c5c314	chore(translations): update translations via Crowdin (#444 )	2025-04-17 20:19:50 +02:00
Kyle Mendell	5a6dfd9e50	fix: profile picture empty for users without first or last name (#449 )	2025-04-17 20:19:10 +02:00
Elias Schneider	75fbfee4d8	chore(translations): add Italian	2025-04-17 19:13:47 +02:00
dependabot[bot]	65ee500ef3	chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 in /backend in the go_modules group across 1 directory (#450 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-16 18:26:55 -05:00
Elias Schneider	80f108e5d6	release: 0.47.0	2025-04-16 16:32:27 +02:00
Elias Schneider	9b2d622990	tests: adapt JWTs in e2e tests	2025-04-16 16:30:38 +02:00
Elias Schneider	adf74586af	fix: define token type as claim for better client compatibility	2025-04-16 15:58:38 +02:00
Kyle Mendell	b45cf68295	feat: disable animations setting toggle (#442 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-15 19:28:10 +00:00
dependabot[bot]	d9dd67c51f	chore(deps-dev): bump @sveltejs/kit from 2.16.1 to 2.20.6 in /frontend in the npm_and_yarn group across 1 directory (#443 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-15 20:38:03 +02:00
Grégory Paul	abf17f6211	feat: add qrcode representation of one time link (#424 ) (#436 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Kyle Mendell <kmendell@outlook.com> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-14 13:16:46 +00:00
Elias Schneider	57cb8f8795	release: 0.46.0	2025-04-13 20:31:09 +02:00
Elias Schneider	fcb18b8c3c	chore(translations): update translations via Crowdin (#427 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-13 20:30:43 +02:00
Alessandro (Ale) Segala	796bc7ed34	fix: improve LDAP error handling (#425 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-12 18:38:19 -04:00
Arne Skaar Fismen	72061ba427	feat(onboarding): Added button when you don't have a passkey added. (#426 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-12 02:27:01 +00:00
dependabot[bot]	d04167cada	chore(deps-dev): bump vite from 6.2.5 to 6.2.6 in /frontend in the npm_and_yarn group across 1 directory (#433 )	2025-04-11 20:07:40 -05:00
Alessandro (Ale) Segala	f83bab9e17	refactor: simplify app_config service and fix race conditions (#423 )	2025-04-10 13:41:22 +02:00
Elias Schneider	4ba68938dd	fix: ignore profile picture cache after profile picture gets updated	2025-04-09 15:51:58 +02:00
Elias Schneider	658a9ca6dd	fix: add missing rollback for LDAP sync	2025-04-09 14:05:53 +02:00
Andreas Schneider	7e5d16be9b	feat: implement token introspection (#405 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-09 07:18:03 +00:00
Elias Schneider	8d6c1e5c08	chore(translations): update translations via Crowdin (#420 )	2025-04-09 02:09:01 -05:00
Elias Schneider	ce6e27d0ff	refactor: rollback db changes with `defer` everywhere	2025-04-06 23:40:56 +02:00
Elias Schneider	3ebff09d63	chore(translations): update translations via Crowdin (#416 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-06 22:15:05 +02:00
Elias Schneider	ccc18d716f	fix: use UUID for temporary file names	2025-04-06 15:11:19 +02:00
Alessandro (Ale) Segala	ec626ee797	fix: use transactions when operations involve multiple database queries (#392 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-06 15:04:08 +02:00
Kyle Mendell	c810fec8c4	docs: update swagger description to use markdown (#418 )	2025-04-05 16:07:56 +02:00
Alessandro (Ale) Segala	9e88926283	fix: ensure indexes on audit_logs table (#415 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-04 17:05:32 +00:00
dependabot[bot]	731113183e	chore(deps-dev): bump vite from 6.2.4 to 6.2.5 in /frontend in the npm_and_yarn group across 1 directory (#417 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-04 16:15:37 +00:00
Elias Schneider	4627f365a2	chore(translations): fix mistakes in source strings	2025-04-04 13:55:15 +02:00
Elias Schneider	1762629596	perf: run async operations in parallel in server load functions	2025-04-04 11:39:13 +02:00
Alessandro (Ale) Segala	2f7646105e	fix: ensure file descriptors are closed + other bugs (#413 )	2025-04-04 10:04:36 +02:00
Elias Schneider	980780e48b	chore(translations): update translations via Crowdin (#414 )	2025-04-04 09:06:44 +02:00
Kyle Mendell	b65e693e12	feat: global audit log (#320 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-03 10:11:49 -05:00
Kyle Mendell	734c6813ea	fix: create reusable default profile pictures (#406 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-04-03 08:06:56 -05:00
dependabot[bot]	0d31c0ec6c	chore(deps-dev): bump vite from 6.2.3 to 6.2.4 in /frontend in the npm_and_yarn group across 1 directory (#410 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-03-31 14:04:02 -05:00
jose_d	4806c1e09b	chore(translations): improve czech translation strings (#408 )	2025-03-31 08:22:06 -05:00
Elias Schneider	cf3084cfa8	refactor: remove cors exception from middleware as this is handled by the handler	2025-03-30 22:30:22 +02:00
Kyle Mendell	9881a1df9e	feat: modernize ui (#381 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-03-30 13:19:14 -05:00
`@@ -1,2 +1,2 @@`
	`# These are supported funding model platforms`	`# These are supported funding model platforms`
	`github: stonith404`	`github: [stonith404, kmendell]`
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE users`
							`ADD COLUMN IF NOT EXISTS disabled BOOLEAN DEFAULT FALSE NOT NULL;`
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE api_keys`
							`DROP COLUMN IF EXISTS expiration_email_sent;`
		`@@ -0,0 +1,2 @@`
							`ALTER TABLE api_keys`
							`ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT FALSE;`