release: 1.10.0

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.github/ISSUE_TEMPLATE/bug.yml

@@ -36,13 +36,29 @@ body:
       value: |
         ### Additional Information
   - type: textarea
-    id: extra-information
+    id: version
     validations:
       required: true
     attributes:
-      label: "Version and Environment"
-      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      label: "Pocket ID Version"
+      description: "Please specify the version of Pocket ID."
       placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: database
+    validations:
+      required: true
+    attributes:
+      label: "Database"
+      description: "Please specify the database in use: SQLite or Postgres (including version)."
+      placeholder: "e.g., SQLite or Postgres 17"
+  - type: textarea
+    id: environment
+    validations:
+      required: true
+    attributes:
+      label: "OS and Environment"
+      description: "Please include the OS, whether you're using containers (Docker, Podman, etc) along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., Docker on Ubuntu 24.04, served using Traefik"
   - type: textarea
     id: log-files
     validations:

.github/workflows/e2e-tests.yml

@@ -3,15 +3,15 @@ on:
   push:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
-      - '**.md'
-      - '.github/**'
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
   pull_request:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
-      - '**.md'
-      - '.github/**'
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
 
 jobs:
   build:
@@ -45,23 +45,29 @@ jobs:
           path: /tmp/docker-image.tar
           retention-days: 1
 
-  test-sqlite:
+  test:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
     permissions:
       contents: read
       actions: write
     runs-on: ubuntu-latest
     needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        db: [sqlite, postgres]
     steps:
       - uses: actions/checkout@v4
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
         with:
           version: 10
+
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-          cache: 'pnpm'
+          cache: "pnpm"
           cache-dependency-path: pnpm-lock.yaml
 
       - name: Cache Playwright Browsers
@@ -70,100 +76,8 @@ jobs:
         with:
           path: ~/.cache/ms-playwright
           key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp
-
-      - name: Load Docker image
-        run: docker load -i /tmp/docker-image.tar
-
-      - name: Cache LLDAP Docker image
-        uses: actions/cache@v3
-        id: lldap-cache
-        with:
-          path: /tmp/lldap-image.tar
-          key: lldap-stable-${{ runner.os }}
-
-      - name: Pull and save LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull nitnelave/lldap:stable
-          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
-
-      - name: Load LLDAP image from cache
-        if: steps.lldap-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/lldap-image.tar
-
-      - name: Install test dependencies
-        run: pnpm --filter pocket-id-tests install --frozen-lockfile
-
-      - name: Install Playwright Browsers
-        working-directory: ./tests
-        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm dlx playwright install --with-deps chromium
-
-      - name: Run Docker Container with Sqlite DB and LDAP
-        working-directory: ./tests/setup
-        run: |
-          docker compose up -d
-          docker compose logs -f pocket-id &> /tmp/backend.log &
-
-      - name: Run Playwright tests
-        working-directory: tests
-        run: pnpm exec playwright test
-
-      - name: Upload Test Report
-        uses: actions/upload-artifact@v4
-        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
-        with:
-          name: playwright-report-sqlite
-          path: tests/.report
-          include-hidden-files: true
-          retention-days: 15
-
-      - name: Upload Backend Test Report
-        uses: actions/upload-artifact@v4
-        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
-        with:
-          name: backend-sqlite
-          path: /tmp/backend.log
-          include-hidden-files: true
-          retention-days: 15
-
-  test-postgres:
-    if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: 'pnpm'
-          cache-dependency-path: pnpm-lock.yaml
-
-      - name: Cache Playwright Browsers
-        uses: actions/cache@v3
-        id: playwright-cache
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
       - name: Cache PostgreSQL Docker image
+        if: matrix.db == 'postgres'
         uses: actions/cache@v3
         id: postgres-cache
         with:
@@ -171,15 +85,14 @@ jobs:
           key: postgres-17-${{ runner.os }}
 
       - name: Pull and save PostgreSQL image
-        if: steps.postgres-cache.outputs.cache-hit != 'true'
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit != 'true'
         run: |
           docker pull postgres:17
           docker save postgres:17 > /tmp/postgres-image.tar
 
       - name: Load PostgreSQL image from cache
-        if: steps.postgres-cache.outputs.cache-hit == 'true'
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/postgres-image.tar
-
       - name: Cache LLDAP Docker image
         uses: actions/cache@v3
         id: lldap-cache
@@ -196,7 +109,6 @@ jobs:
       - name: Load LLDAP image from cache
         if: steps.lldap-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/lldap-image.tar
-
       - name: Download Docker image artifact
         uses: actions/download-artifact@v4
         with:
@@ -207,14 +119,21 @@ jobs:
         run: docker load -i /tmp/docker-image.tar
 
       - name: Install test dependencies
-        run: pnpm --filter pocket-id-tests install
+        run: pnpm --filter pocket-id-tests install --frozen-lockfile
 
       - name: Install Playwright Browsers
         working-directory: ./tests
         if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm dlx playwright install --with-deps chromium
+        run: pnpm exec playwright install --with-deps chromium
+      - name: Run Docker Container (sqlite) with LDAP
+        if: matrix.db == 'sqlite'
+        working-directory: ./tests/setup
+        run: |
+          docker compose up -d
+          docker compose logs -f pocket-id &> /tmp/backend.log &
 
-      - name: Run Docker Container with Postgres DB and LDAP
+      - name: Run Docker Container (postgres) with LDAP
+        if: matrix.db == 'postgres'
         working-directory: ./tests/setup
         run: |
           docker compose -f docker-compose-postgres.yml up -d
@@ -228,8 +147,8 @@ jobs:
         uses: actions/upload-artifact@v4
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
-          name: playwright-report-postgres
-          path: frontend/tests/.report
+          name: playwright-report-${{ matrix.db }}
+          path: tests/.report
           include-hidden-files: true
           retention-days: 15
 
@@ -237,7 +156,7 @@ jobs:
         uses: actions/upload-artifact@v4
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
-          name: backend-postgres
+          name: backend-${{ matrix.db }}
           path: /tmp/backend.log
           include-hidden-files: true
           retention-days: 15

.version

@@ -1 +1 @@
-1.8.0
+1.10.0

CHANGELOG.md

@@ -1,3 +1,41 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v1.9.1...v) (2025-08-27)
+
+### Features
+
+* redesigned sidebar with administrative dropdown ([#881](https://github.com/pocket-id/pocket-id/issues/881)) ([096d214](https://github.com/pocket-id/pocket-id/commit/096d214a88808848dae726b0ef4c9a9987185836))
+
+### Bug Fixes
+
+* apps showed multiple times if user is in multiple groups ([641bbc9](https://github.com/pocket-id/pocket-id/commit/641bbc935191bad8afbfec90943fc3e9de7a0cb6))
+## [](https://github.com/pocket-id/pocket-id/compare/v1.9.0...v) (2025-08-24)
+
+
+### Bug Fixes
+
+* sqlite migration drops allowed user groups ([d6d1a4c](https://github.com/pocket-id/pocket-id/commit/d6d1a4ced23886f255a9c2048d19ad3599a17f26))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v1.8.1...v) (2025-08-24)
+
+
+### Features
+
+* support automatic db migration rollbacks ([#874](https://github.com/pocket-id/pocket-id/issues/874)) ([c114a2e](https://github.com/pocket-id/pocket-id/commit/c114a2edaae4c007c75c34c02e8b0bb011845cae))
+
+
+### Bug Fixes
+
+* don't force uuid for client id in postgres ([2ffc6ba](https://github.com/pocket-id/pocket-id/commit/2ffc6ba42af4742a13b77543142b66b3e826ab88))
+* ensure SQLite has a writable temporary directory ([#876](https://github.com/pocket-id/pocket-id/issues/876)) ([1f3550c](https://github.com/pocket-id/pocket-id/commit/1f3550c9bd3aafd3bd2272ef47f3ed8736037d81))
+* sort order incorrect for apps when using postgres ([d0392d2](https://github.com/pocket-id/pocket-id/commit/d0392d25edcaa5f3c7da2aad70febf63b47763fa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v1.8.0...v) (2025-08-24)
+
+
+### Bug Fixes
+
+* migration clears allowed users groups ([5971bfb](https://github.com/pocket-id/pocket-id/commit/5971bfbfa66ecfebf2b1c08d34fcbd8c18cdc046))
+* wrong column type for reauthentication tokens in Postgres ([#869](https://github.com/pocket-id/pocket-id/issues/869)) ([1283314](https://github.com/pocket-id/pocket-id/commit/1283314f776a0ba43be7d796e7e2243e31f860de))
+
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.7.0...v) (2025-08-23)
 
 

backend/go.mod

@@ -74,6 +74,8 @@ require (
 	github.com/go-webauthn/x v0.1.23 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
+	github.com/google/go-github/v39 v39.2.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.5 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -132,6 +134,7 @@ require (
 	golang.org/x/arch v0.20.0 // indirect
 	golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
 	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect

backend/go.sum

@@ -95,11 +95,19 @@ github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJD
 github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.18.3 h1:EYGkoOsvgHHfm5U/naS1RP/6PL/Xv3S4B/swMiAmDLs=
 github.com/golang-migrate/migrate/v4 v4.18.3/go.mod h1:99BKpIi6ruaaXRM1A77eqZ+FWPQ3cfRa+ZVy5bmWMaY=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ=
+github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
 github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -319,6 +327,7 @@ go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
 golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
@@ -339,6 +348,7 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
 golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -352,6 +362,9 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
 golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -385,6 +398,7 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
@@ -406,6 +420,8 @@ golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxb
 golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
 golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=

backend/internal/bootstrap/db_bootstrap.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"log/slog"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -13,6 +15,7 @@ import (
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
+	_ "github.com/golang-migrate/migrate/v4/source/github"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	slogGorm "github.com/orandin/slog-gorm"
 	"gorm.io/driver/postgres"
@@ -20,6 +23,7 @@ import (
 	gormLogger "gorm.io/gorm/logger"
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	sqliteutil "github.com/pocket-id/pocket-id/backend/internal/utils/sqlite"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
@@ -38,7 +42,9 @@ func NewDatabase() (db *gorm.DB, err error) {
 	var driver database.Driver
 	switch common.EnvConfig.DbProvider {
 	case common.DbProviderSqlite:
-		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{})
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
+			NoTxWrap: true,
+		})
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
@@ -58,8 +64,9 @@ func NewDatabase() (db *gorm.DB, err error) {
 }
 
 func migrateDatabase(driver database.Driver) error {
-	// Use the embedded migrations
-	source, err := iofs.New(resources.FS, "migrations/"+string(common.EnvConfig.DbProvider))
+	// Embedded migrations via iofs
+	path := "migrations/" + string(common.EnvConfig.DbProvider)
+	source, err := iofs.New(resources.FS, path)
 	if err != nil {
 		return fmt.Errorf("failed to create embedded migration source: %w", err)
 	}
@@ -69,14 +76,66 @@ func migrateDatabase(driver database.Driver) error {
 		return fmt.Errorf("failed to create migration instance: %w", err)
 	}
 
-	err = m.Up()
-	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
-		return fmt.Errorf("failed to apply migrations: %w", err)
+	requiredVersion, err := getRequiredMigrationVersion(path)
+	if err != nil {
+		return fmt.Errorf("failed to get last migration version: %w", err)
 	}
 
+	currentVersion, _, _ := m.Version()
+	if currentVersion > requiredVersion {
+		slog.Warn("Database version is newer than the application supports, possible downgrade detected", slog.Uint64("db_version", uint64(currentVersion)), slog.Uint64("app_version", uint64(requiredVersion)))
+		if !common.EnvConfig.AllowDowngrade {
+			return fmt.Errorf("database version (%d) is newer than application version (%d), downgrades are not allowed (set ALLOW_DOWNGRADE=true to enable)", currentVersion, requiredVersion)
+		}
+		slog.Info("Fetching migrations from GitHub to handle possible downgrades")
+		return migrateDatabaseFromGitHub(driver, requiredVersion)
+	}
+
+	if err := m.Migrate(requiredVersion); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply embedded migrations: %w", err)
+	}
 	return nil
 }
 
+func migrateDatabaseFromGitHub(driver database.Driver, version uint) error {
+	srcURL := "github://pocket-id/pocket-id/backend/resources/migrations/" + string(common.EnvConfig.DbProvider)
+
+	m, err := migrate.NewWithDatabaseInstance(srcURL, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create GitHub migration instance: %w", err)
+	}
+
+	if err := m.Migrate(version); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply GitHub migrations: %w", err)
+	}
+	return nil
+}
+
+// getRequiredMigrationVersion reads the embedded migration files and returns the highest version number found.
+func getRequiredMigrationVersion(path string) (uint, error) {
+	entries, err := resources.FS.ReadDir(path)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read migration directory: %w", err)
+	}
+
+	var maxVersion uint
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		name := entry.Name()
+		var version uint
+		n, err := fmt.Sscanf(name, "%d_", &version)
+		if err == nil && n == 1 {
+			if version > maxVersion {
+				maxVersion = version
+			}
+		}
+	}
+
+	return maxVersion, nil
+}
+
 func connectDatabase() (db *gorm.DB, err error) {
 	var dialector gorm.Dialector
 
@@ -86,11 +145,20 @@ func connectDatabase() (db *gorm.DB, err error) {
 		if common.EnvConfig.DbConnectionString == "" {
 			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
 		}
+
 		sqliteutil.RegisterSqliteFunctions()
-		connString, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
+
+		connString, dbPath, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
 		if err != nil {
 			return nil, err
 		}
+
+		// Before we connect, also make sure that there's a temporary folder for SQLite to write its data
+		err = ensureSqliteTempDir(filepath.Dir(dbPath))
+		if err != nil {
+			return nil, err
+		}
+
 		dialector = sqlite.Open(connString)
 	case common.DbProviderPostgres:
 		if common.EnvConfig.DbConnectionString == "" {
@@ -120,7 +188,7 @@ func connectDatabase() (db *gorm.DB, err error) {
 	return nil, err
 }
 
-func parseSqliteConnectionString(connString string) (string, error) {
+func parseSqliteConnectionString(connString string) (parsedConnString string, dbPath string, err error) {
 	if !strings.HasPrefix(connString, "file:") {
 		connString = "file:" + connString
 	}
@@ -131,7 +199,7 @@ func parseSqliteConnectionString(connString string) (string, error) {
 	// Parse the connection string
 	connStringUrl, err := url.Parse(connString)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
+		return "", "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
 	}
 
 	// Convert options for the old SQLite driver to the new one
@@ -140,10 +208,19 @@ func parseSqliteConnectionString(connString string) (string, error) {
 	// Add the default and required params
 	err = addSqliteDefaultParameters(connStringUrl, isMemoryDB)
 	if err != nil {
-		return "", fmt.Errorf("invalid SQLite connection string: %w", err)
+		return "", "", fmt.Errorf("invalid SQLite connection string: %w", err)
 	}
 
-	return connStringUrl.String(), nil
+	// Get the absolute path to the database
+	// Here, we know for a fact that the ? is present
+	parsedConnString = connStringUrl.String()
+	idx := strings.IndexRune(parsedConnString, '?')
+	dbPath, err = filepath.Abs(parsedConnString[len("file:"):idx])
+	if err != nil {
+		return "", "", fmt.Errorf("failed to determine absolute path to the database: %w", err)
+	}
+
+	return parsedConnString, dbPath, nil
 }
 
 // The official C implementation of SQLite allows some additional properties in the connection string
@@ -296,6 +373,48 @@ func isSqliteInMemory(connString string) bool {
 	return len(qs["mode"]) > 0 && qs["mode"][0] == "memory"
 }
 
+// ensureSqliteTempDir ensures that SQLite has a directory where it can write temporary files if needed
+// The default directory may not be writable when using a container with a read-only root file system
+// See: https://www.sqlite.org/tempfiles.html
+func ensureSqliteTempDir(dbPath string) error {
+	// Per docs, SQLite tries these folders in order (excluding those that aren't applicable to us):
+	//
+	// - The SQLITE_TMPDIR environment variable
+	// - The TMPDIR environment variable
+	// - /var/tmp
+	// - /usr/tmp
+	// - /tmp
+	//
+	// Source: https://www.sqlite.org/tempfiles.html#temporary_file_storage_locations
+	//
+	// First, let's check if SQLITE_TMPDIR or TMPDIR are set, in which case we trust the user has taken care of the problem already
+	if os.Getenv("SQLITE_TMPDIR") != "" || os.Getenv("TMPDIR") != "" {
+		return nil
+	}
+
+	// Now, let's check if /var/tmp, /usr/tmp, or /tmp exist and are writable
+	for _, dir := range []string{"/var/tmp", "/usr/tmp", "/tmp"} {
+		ok, err := utils.IsWritableDir(dir)
+		if err != nil {
+			return fmt.Errorf("failed to check if %s is writable: %w", dir, err)
+		}
+		if ok {
+			// We found a folder that's writable
+			return nil
+		}
+	}
+
+	// If we're here, there's no temporary directory that's writable (not unusual for containers with a read-only root file system), so we set SQLITE_TMPDIR to the folder where the SQLite database is set
+	err := os.Setenv("SQLITE_TMPDIR", dbPath)
+	if err != nil {
+		return fmt.Errorf("failed to set SQLITE_TMPDIR environmental variable: %w", err)
+	}
+
+	slog.Debug("Set SQLITE_TMPDIR to the database directory", "path", dbPath)
+
+	return nil
+}
+
 func getGormLogger() gormLogger.Interface {
 	loggerOpts := make([]slogGorm.Option, 0, 5)
 	loggerOpts = append(loggerOpts,

backend/internal/common/env_config.go

@@ -52,6 +52,7 @@ type EnvConfigSchema struct {
 	LogJSON            bool       `env:"LOG_JSON"`
 	TrustProxy         bool       `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
+	AllowDowngrade     bool       `env:"ALLOW_DOWNGRADE"`
 }
 
 var EnvConfig = defaultConfig()
@@ -87,6 +88,7 @@ func defaultConfig() EnvConfigSchema {
 		TracingEnabled:     false,
 		TrustProxy:         false,
 		AnalyticsDisabled:  false,
+		AllowDowngrade:     false,
 	}
 }
 

backend/internal/service/e2etest_service.go

@@ -343,7 +343,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "b2c3d4e5-f6g7-8901-bcde-f12345678901",
+					ID: "dc3c9c96-714e-48eb-926e-2d7c7858e6cf",
 				},
 				Token:      "PARTIAL567890ABC",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(7 * 24 * time.Hour)),
@@ -352,7 +352,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "c3d4e5f6-g7h8-9012-cdef-123456789012",
+					ID: "44de1863-ffa5-4db1-9507-4887cd7a1e3f",
 				},
 				Token:      "EXPIRED34567890B",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(-24 * time.Hour)), // Expired
@@ -361,7 +361,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "d4e5f6g7-h8i9-0123-def0-234567890123",
+					ID: "f1b1678b-7720-4d8b-8f91-1dbff1e2d02b",
 				},
 				Token:      "FULLYUSED567890C",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(24 * time.Hour)),

backend/internal/service/oidc_service.go

@@ -1379,19 +1379,22 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 	query := tx.
 		WithContext(ctx).
 		Model(&model.OidcClient{}).
-		Preload("UserAuthorizedOidcClients", "user_id = ?", userID).
-		Distinct()
+		Preload("UserAuthorizedOidcClients", "user_id = ?", userID)
 
 	// If user has no groups, only return clients with no allowed user groups
 	if len(userGroupIDs) == 0 {
-		query = query.
-			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
-			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL")
+		query = query.Where(`NOT EXISTS (
+        SELECT 1 FROM oidc_clients_allowed_user_groups 
+        WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id)`)
 	} else {
-		// Return clients with no allowed user groups OR clients where user is in allowed groups
-		query = query.
-			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
-			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL OR oidc_clients_allowed_user_groups.user_group_id IN (?)", userGroupIDs)
+		query = query.Where(`
+        NOT EXISTS (
+            SELECT 1 FROM oidc_clients_allowed_user_groups 
+            WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id
+        ) OR EXISTS (
+            SELECT 1 FROM oidc_clients_allowed_user_groups 
+            WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id 
+            AND oidc_clients_allowed_user_groups.user_group_id IN (?))`, userGroupIDs)
 	}
 
 	var clients []model.OidcClient
@@ -1401,7 +1404,7 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 	if sortedPaginationRequest.Sort.Column == "lastUsedAt" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
 		query = query.
 			Joins("LEFT JOIN user_authorized_oidc_clients ON oidc_clients.id = user_authorized_oidc_clients.client_id AND user_authorized_oidc_clients.user_id = ?", userID).
-			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction)
+			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction + " NULLS LAST")
 	}
 
 	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &clients)

backend/internal/utils/file_util.go

@@ -1,12 +1,15 @@
 package utils
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"os"
 	"path/filepath"
+	"syscall"
 
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/resources"
@@ -136,3 +139,41 @@ func FileExists(path string) (bool, error) {
 	}
 	return !s.IsDir(), nil
 }
+
+// IsWritableDir checks if a directory exists and is writable
+func IsWritableDir(dir string) (bool, error) {
+	// Check if directory exists and it's actually a directory
+	info, err := os.Stat(dir)
+	if os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, fmt.Errorf("failed to stat '%s': %w", dir, err)
+	}
+	if !info.IsDir() {
+		return false, nil
+	}
+
+	// Generate a random suffix for the test file to avoid conflicts
+	randomBytes := make([]byte, 8)
+	_, err = io.ReadFull(rand.Reader, randomBytes)
+	if err != nil {
+		return false, fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+
+	// Check if directory is writable by trying to create a temporary file
+	testFile := filepath.Join(dir, ".pocketid_test_write_"+hex.EncodeToString(randomBytes))
+	defer os.Remove(testFile)
+
+	file, err := os.Create(testFile)
+	if err != nil {
+		if os.IsPermission(err) || errors.Is(err, syscall.EROFS) {
+			return false, nil
+		}
+
+		return false, fmt.Errorf("failed to create test file: %w", err)
+	}
+
+	_ = file.Close()
+
+	return true, nil
+}

backend/internal/utils/testing/database.go

@@ -55,7 +55,9 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	// Perform migrations with the embedded migrations
 	sqlDB, err := db.DB()
 	require.NoError(t, err, "Failed to get sql.DB")
-	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{})
+	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{
+		NoTxWrap: true,
+	})
 	require.NoError(t, err, "Failed to create migration driver")
 	source, err := iofs.New(resources.FS, "migrations/sqlite")
 	require.NoError(t, err, "Failed to create embedded migration source")
@@ -63,6 +65,8 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	require.NoError(t, err, "Failed to create migration instance")
 	err = m.Up()
 	require.NoError(t, err, "Failed to perform migrations")
+	_, err = sqlDB.Exec("PRAGMA foreign_keys = OFF;")
+	require.NoError(t, err, "Failed to disable foreign keys")
 
 	return db
 }

backend/resources/migrations/postgres/20250814121300_requires_reauthentication.up.sql

@@ -5,7 +5,7 @@ CREATE TABLE reauthentication_tokens (
     created_at TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
     token TEXT NOT NULL UNIQUE,
     expires_at TIMESTAMPTZ NOT NULL,
-    user_id TEXT NOT NULL REFERENCES users ON DELETE CASCADE
+    user_id uuid NOT NULL REFERENCES users ON DELETE CASCADE
 );
 
 CREATE INDEX idx_reauthentication_tokens_token ON reauthentication_tokens(token);

backend/resources/migrations/postgres/20250822000000_foreign_keys_improvements.down.sql

@@ -1 +1,7 @@
--- No-op
+ALTER TABLE public.audit_logs
+    DROP CONSTRAINT IF EXISTS audit_logs_user_id_fkey,
+    ADD CONSTRAINT audit_logs_user_id_fkey
+        FOREIGN KEY (user_id) REFERENCES public.users (id);
+
+ALTER TABLE public.oidc_authorization_codes
+    DROP CONSTRAINT IF EXISTS oidc_authorization_codes_client_fk;

backend/resources/migrations/postgres/20250824164821_client_id_type.down.sql

@@ -0,0 +1 @@
+-- No-op because strings can't be converted to UUIDs

backend/resources/migrations/postgres/20250824164821_client_id_type.up.sql

@@ -0,0 +1,57 @@
+-- Drop foreign keys that reference oidc_clients(id)
+ALTER TABLE oidc_authorization_codes
+    DROP CONSTRAINT IF EXISTS oidc_authorization_codes_client_fk;
+ALTER TABLE user_authorized_oidc_clients
+    DROP CONSTRAINT IF EXISTS user_authorized_oidc_clients_client_id_fkey;
+ALTER TABLE oidc_refresh_tokens
+    DROP CONSTRAINT IF EXISTS oidc_refresh_tokens_client_id_fkey;
+ALTER TABLE oidc_device_codes
+    DROP CONSTRAINT IF EXISTS oidc_device_codes_client_id_fkey;
+ALTER TABLE oidc_clients_allowed_user_groups
+    DROP CONSTRAINT IF EXISTS oidc_clients_allowed_user_groups_oidc_client_id_fkey;
+
+-- Alter child columns to TEXT
+ALTER TABLE oidc_authorization_codes
+    ALTER COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE user_authorized_oidc_clients
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_refresh_tokens
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_device_codes
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_clients_allowed_user_groups
+    ALTER
+        COLUMN oidc_client_id TYPE TEXT USING oidc_client_id::text;
+
+-- Alter parent primary key column to TEXT
+ALTER TABLE oidc_clients
+    ALTER
+        COLUMN id TYPE TEXT USING id::text;
+
+-- Recreate foreign keys with the new type
+ALTER TABLE oidc_authorization_codes
+    ADD CONSTRAINT oidc_authorization_codes_client_fk
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE user_authorized_oidc_clients
+    ADD CONSTRAINT user_authorized_oidc_clients_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_refresh_tokens
+    ADD CONSTRAINT oidc_refresh_tokens_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_device_codes
+    ADD CONSTRAINT oidc_device_codes_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_clients_allowed_user_groups
+    ADD CONSTRAINT oidc_clients_allowed_user_groups_oidc_client_id_fkey
+        FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;

backend/resources/migrations/sqlite/20240731203656_init.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE users
 (
     id         TEXT                  NOT NULL PRIMARY KEY,
@@ -77,4 +79,6 @@ CREATE TABLE application_configuration_variables
     type        TEXT                  NOT NULL,
     is_public   NUMERIC DEFAULT FALSE NOT NULL,
     is_internal NUMERIC DEFAULT FALSE NOT NULL
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags..up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials ADD COLUMN backup_eligible BOOLEAN NOT NULL DEFAULT FALSE;
-ALTER TABLE webauthn_credentials ADD COLUMN backup_state BOOLEAN NOT NULL DEFAULT FALSE;
+ALTER TABLE webauthn_credentials ADD COLUMN backup_state BOOLEAN NOT NULL DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials DROP COLUMN backup_eligible;
-ALTER TABLE webauthn_credentials DROP COLUMN backup_state;
+ALTER TABLE webauthn_credentials DROP COLUMN backup_state;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240817191051_rename_config_table.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables
-    RENAME TO application_configuration_variables;
+    RENAME TO application_configuration_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240817191051_rename_config_table.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE application_configuration_variables
-    RENAME TO app_config_variables;
+    RENAME TO app_config_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients
 (
     id            TEXT not null primary key,
@@ -20,4 +22,6 @@ select id,
        created_by_id
 from oidc_clients_dg_tmp;
 
-drop table oidc_clients_dg_tmp;
+drop table oidc_clients_dg_tmp;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients_dg_tmp
 (
     id            TEXT not null primary key,
@@ -23,4 +25,6 @@ from oidc_clients;
 drop table oidc_clients;
 
 alter table oidc_clients_dg_tmp
-    rename to oidc_clients;
+    rename to oidc_clients;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240908123031_audit_log.down.sql

@@ -1 +1,5 @@
-DROP TABLE audit_logs;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE audit_logs;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240908123031_audit_log.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE audit_logs
 (
     id               TEXT NOT NULL PRIMARY KEY,
@@ -7,4 +9,6 @@ CREATE TABLE audit_logs
     user_agent       TEXT NOT NULL,
     data             BLOB NOT NULL,
     user_id          TEXT REFERENCES users
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240924202721_user_groups.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE user_groups;
-DROP TABLE user_groups_users;
+DROP TABLE user_groups_users;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240924202721_user_groups.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE user_groups
 (
     id           TEXT NOT NULL PRIMARY KEY,
@@ -13,4 +15,6 @@ CREATE TABLE user_groups_users
     PRIMARY KEY (user_id, user_group_id),
     FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
     FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241004092030_audit_log_location.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs DROP COLUMN country;
-ALTER TABLE audit_logs DROP COLUMN city;
+ALTER TABLE audit_logs DROP COLUMN city;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241004092030_audit_log_location.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs ADD COLUMN country TEXT;
-ALTER TABLE audit_logs ADD COLUMN city TEXT;
+ALTER TABLE audit_logs ADD COLUMN city TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241023072742_unix-timestamps.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the Unix timestamps back to DATETIME format
 
 UPDATE user_groups
@@ -25,4 +27,6 @@ SET created_at = datetime(created_at, 'unixepoch');
 
 UPDATE webauthn_sessions
 SET created_at = datetime(created_at, 'unixepoch'),
-    expires_at = datetime(expires_at, 'unixepoch');
+    expires_at = datetime(expires_at, 'unixepoch');
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241023072742_unix-timestamps.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the DATETIME fields to Unix timestamps (in seconds)
 UPDATE user_groups
 SET created_at = strftime('%s', created_at);
@@ -24,4 +26,6 @@ SET created_at = strftime('%s', created_at);
 
 UPDATE webauthn_sessions
 SET created_at = strftime('%s', created_at),
-    expires_at = strftime('%s', expires_at);
+    expires_at = strftime('%s', expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241025214824_app_config_default_value.down.sql

@@ -1 +1,5 @@
-ALTER TABLE app_config_variables DROP COLUMN default_value;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE app_config_variables DROP COLUMN default_value;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241025214824_app_config_default_value.up.sql

@@ -1 +1,5 @@
-ALTER TABLE app_config_variables ADD COLUMN default_value TEXT;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE app_config_variables ADD COLUMN default_value TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241028064959_custom_claims.down.sql

@@ -1 +1,5 @@
-DROP TABLE custom_claims;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE custom_claims;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241028064959_custom_claims.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE custom_claims
 (
     id            TEXT NOT NULL PRIMARY KEY,
@@ -12,4 +14,6 @@ CREATE TABLE custom_claims
 
     CONSTRAINT custom_claims_unique UNIQUE (key, user_id, user_group_id),
     CHECK (user_id IS NOT NULL OR user_group_id IS NOT NULL)
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241115131129_pkce.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge_method_sha256;
-ALTER TABLE oidc_clients DROP COLUMN is_public;
+ALTER TABLE oidc_clients DROP COLUMN is_public;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241115131129_pkce.up.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge TEXT;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge_method_sha256 NUMERIC;
-ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;
+ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250103145821_pkce_column.down.sql

@@ -1 +1,5 @@
-ALTER TABLE oidc_clients DROP COLUMN pkce_enabled;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients DROP COLUMN pkce_enabled;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250103145821_pkce_column.up.sql

@@ -1 +1,5 @@
-ALTER TABLE oidc_clients ADD COLUMN pkce_enabled BOOLEAN DEFAULT FALSE;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients ADD COLUMN pkce_enabled BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250115155817_ldap.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users DROP COLUMN ldap_id;
-ALTER TABLE user_groups DROP COLUMN ldap_id;
+ALTER TABLE user_groups DROP COLUMN ldap_id;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250115155817_ldap.up.sql

@@ -1,5 +1,9 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users ADD COLUMN ldap_id TEXT;
 ALTER TABLE user_groups ADD COLUMN ldap_id TEXT;
 
 CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
-CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
+CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.down.sql

@@ -1 +1,5 @@
-UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.up.sql

@@ -1 +1,5 @@
-UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
-UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = null WHERE ldap_id = '';
-UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql

@@ -1 +1,5 @@
-DROP TABLE oidc_clients_allowed_user_groups;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE oidc_clients_allowed_user_groups;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_clients_allowed_user_groups
 (
     user_group_id  TEXT NOT NULL,
@@ -5,4 +7,6 @@ CREATE TABLE oidc_clients_allowed_user_groups
     PRIMARY KEY (oidc_client_id, user_group_id),
     FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE,
     FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql

@@ -1 +1,5 @@
-UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql

@@ -1 +1,5 @@
-UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql

@@ -1 +1,5 @@
-ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250210152631_post_logout_url.up.sql

@@ -1 +1,5 @@
-ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls BLOB;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls BLOB;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.down.sql

@@ -1 +1,5 @@
-UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.up.sql

@@ -1,7 +1,11 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE app_config_variables
 SET value = CASE
                 WHEN value = 'true' AND (SELECT value FROM app_config_variables WHERE key = 'smtpPort' LIMIT 1) = '587' THEN 'starttls'
                 WHEN value = 'true' THEN 'tls'
                 ELSE 'none'
     END
-WHERE key = 'smtpTls';
+WHERE key = 'smtpTls';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250302220732_api_key_auth.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_api_keys_key;
-DROP TABLE IF EXISTS api_keys;
+DROP TABLE IF EXISTS api_keys;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250302220732_api_key_auth.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE api_keys (
     id TEXT PRIMARY KEY,
     name TEXT NOT NULL,
@@ -9,4 +11,6 @@ CREATE TABLE api_keys (
     user_id TEXT REFERENCES users(id) ON DELETE CASCADE
 );
 
-CREATE INDEX idx_api_keys_key ON api_keys(key);
+CREATE INDEX idx_api_keys_key ON api_keys(key);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250320171311_user_locale.down.sql

@@ -1 +1,5 @@
-ALTER TABLE users DROP COLUMN locale;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE users DROP COLUMN locale;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250320171311_user_locale.up.sql

@@ -1 +1,5 @@
-ALTER TABLE users ADD COLUMN locale TEXT;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE users ADD COLUMN locale TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250323184520_oidc_refresh_tokens.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_oidc_refresh_tokens_token;
-DROP TABLE IF EXISTS oidc_refresh_tokens;
+DROP TABLE IF EXISTS oidc_refresh_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250323184520_oidc_refresh_tokens.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_refresh_tokens (
     id TEXT NOT NULL PRIMARY KEY,
     created_at DATETIME,
@@ -8,4 +10,6 @@ CREATE TABLE oidc_refresh_tokens (
     client_id TEXT NOT NULL REFERENCES oidc_clients(id) ON DELETE CASCADE
 );
 
-CREATE INDEX idx_oidc_refresh_tokens_token ON oidc_refresh_tokens(token);
+CREATE INDEX idx_oidc_refresh_tokens_token ON oidc_refresh_tokens(token);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250403082322_audit_logs_indexes.down.sql

@@ -1,3 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_audit_logs_event;
 DROP INDEX IF EXISTS idx_audit_logs_user_id;
 DROP INDEX IF EXISTS idx_audit_logs_client_name;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250403082322_audit_logs_indexes.up.sql

@@ -1,3 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE INDEX idx_audit_logs_event ON audit_logs(event);
 CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250408120918_app_config_cols.down.sql

@@ -1,4 +1,9 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables ADD type VARCHAR(20) NOT NULL,;
 ALTER TABLE app_config_variables ADD is_public BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD is_internal BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD default_value TEXT;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250408120918_app_config_cols.up.sql

@@ -1,4 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables DROP type;
 ALTER TABLE app_config_variables DROP is_public;
 ALTER TABLE app_config_variables DROP is_internal;
-ALTER TABLE app_config_variables DROP default_value;
+ALTER TABLE app_config_variables DROP default_value;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.down.sql

@@ -1,4 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX idx_users_disabled;
 
 ALTER TABLE users
-DROP COLUMN disabled;
+DROP COLUMN disabled;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users
-ADD COLUMN disabled NUMERIC DEFAULT FALSE NOT NULL;
+ADD COLUMN disabled NUMERIC DEFAULT FALSE NOT NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE api_keys
-DROP COLUMN expiration_email_sent;
+DROP COLUMN expiration_email_sent;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE api_keys
-ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT 0;
+ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT 0;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250421221059_add_device_codes.down.sql

@@ -1 +1,5 @@
-DROP TABLE oidc_device_codes;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE oidc_device_codes;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250421221059_add_device_codes.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_device_codes
 (
     id             TEXT     NOT NULL PRIMARY KEY,
@@ -9,4 +11,6 @@ CREATE TABLE oidc_device_codes
     is_authorized  BOOLEAN  NOT NULL DEFAULT FALSE,
     user_id        TEXT REFERENCES users ON DELETE CASCADE,
     client_id      TEXT     NOT NULL REFERENCES oidc_clients ON DELETE CASCADE
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250601204251_clear_default_app_config_variables.down.sql

@@ -1 +1 @@
--- No rollback is needed for this migration.
+-- No-op

backend/resources/migrations/sqlite/20250601204251_clear_default_app_config_variables.up.sql

@@ -1 +1,5 @@
-DELETE FROM app_config_variables WHERE value = '';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DELETE FROM app_config_variables WHERE value = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250609202611_client_credentials.down.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN credentials;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250609202611_client_credentials.up.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN credentials TEXT NULL;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250619115053_add_country_index.down.sql

@@ -1 +1,5 @@
-DROP INDEX idx_audit_logs_country;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP INDEX idx_audit_logs_country;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250619115053_add_country_index.up.sql

@@ -1 +1,5 @@
-CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+PRAGMA foreign_keys=OFF;
+BEGIN;
+CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250622151258_add_signup_tokens.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_signup_tokens_expires_at;
 DROP INDEX IF EXISTS idx_signup_tokens_token;
-DROP TABLE IF EXISTS signup_tokens;
+DROP TABLE IF EXISTS signup_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250622151258_add_signup_tokens.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE signup_tokens (
     id TEXT NOT NULL PRIMARY KEY,
     created_at DATETIME NOT NULL,
@@ -8,4 +10,6 @@ CREATE TABLE signup_tokens (
 );
 
 CREATE INDEX idx_signup_tokens_token ON signup_tokens(token);
-CREATE INDEX idx_signup_tokens_expires_at ON signup_tokens(expires_at);
+CREATE INDEX idx_signup_tokens_expires_at ON signup_tokens(expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250628000000_audit_logs_ip_null.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Re-create the table with non-nullable ip_address
 -- We then move the data and rename the table
 CREATE TABLE audit_logs_new
@@ -28,3 +30,6 @@ CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_user_agent ON audit_logs(user_agent);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
 CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250628000000_audit_logs_ip_null.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Re-create the table with nullable ip_address
 -- We then move the data and rename the table
 CREATE TABLE audit_logs_new
@@ -28,3 +30,6 @@ CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_user_agent ON audit_logs(user_agent);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
 CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250630000000_kv_table.down.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE kv;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250630000000_kv_table.up.sql

@@ -1,6 +1,11 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- The "kv" tables contains miscellaneous key-value pairs
 CREATE TABLE kv
 (
     "key"  TEXT NOT NULL PRIMARY KEY,
     "value" TEXT NOT NULL
 );
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250705000000_normalize.down.sql

@@ -1 +1 @@
--- No-op
+-- No-op

backend/resources/migrations/sqlite/20250705000000_normalize.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Normalize (form NFC) all existing values in the database
 UPDATE api_keys SET
     name = normalize(name, 'nfc'),
@@ -23,3 +25,6 @@ UPDATE users SET
 UPDATE user_groups SET
     friendly_name = normalize(friendly_name, 'nfc'),
     "name" = normalize("name", 'nfc');
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250810144214_apps_dashboard.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN launch_url;
 
-ALTER TABLE user_authorized_oidc_clients DROP COLUMN created_at;
+ALTER TABLE user_authorized_oidc_clients DROP COLUMN created_at;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250810144214_apps_dashboard.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN launch_url TEXT;
 
 CREATE TABLE user_authorized_oidc_clients_new
@@ -14,3 +16,6 @@ SELECT scope, user_id, client_id, unixepoch() FROM user_authorized_oidc_clients;
 
 DROP TABLE user_authorized_oidc_clients;
 ALTER TABLE user_authorized_oidc_clients_new RENAME TO user_authorized_oidc_clients;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN requires_reauthentication;
 DROP INDEX IF EXISTS idx_reauthentication_tokens_token;
-DROP TABLE IF EXISTS reauthentication_tokens;
+DROP TABLE IF EXISTS reauthentication_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN requires_reauthentication BOOLEAN NOT NULL DEFAULT FALSE;
 
 CREATE TABLE reauthentication_tokens (
@@ -8,4 +10,6 @@ CREATE TABLE reauthentication_tokens (
     user_id TEXT NOT NULL REFERENCES users ON DELETE CASCADE
 );
 
-CREATE INDEX idx_reauthentication_tokens_token ON reauthentication_tokens(token);
+CREATE INDEX idx_reauthentication_tokens_token ON reauthentication_tokens(token);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250822000000_foreign_keys_improvements.up.sql

@@ -1,3 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+PRAGMA foreign_keys=OFF;
 ---------------------------
 -- Delete all orphaned rows
 ---------------------------
@@ -170,4 +173,9 @@ SELECT id, created_at, name, credential_id, public_key, attestation_type,
        transport, user_id, backup_eligible, backup_state
 FROM webauthn_credentials;
 DROP TABLE webauthn_credentials;
-ALTER TABLE webauthn_credentials_new RENAME TO webauthn_credentials;
+ALTER TABLE webauthn_credentials_new RENAME TO webauthn_credentials;
+
+PRAGMA foreign_keys=ON;
+PRAGMA foreign_key_check;
+COMMIT;
+PRAGMA foreign_keys=ON;

frontend/messages/cs.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Kliknutím zkopírujete",
 	"something_went_wrong": "Něco se pokazilo",
 	"go_back_to_home": "Přejít zpět domů",
-	"dont_have_access_to_your_passkey": "Nemáte přístup k Vašemu přístupovému klíči?",
+	"alternative_sign_in_methods": "Alternativní způsoby přihlášení",
 	"login_background": "Pozadí přihlašovací stránky",
 	"logo": "Logo",
 	"login_code": "Přihlašovací kód",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Veřejní klienti nemají client secret a místo toho používají PKCE. Povolte to, pokud je váš klient SPA nebo mobilní aplikace.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Exchange je bezpečnostní funkce, která zabraňuje útokům CSRF a narušení autorizačních kódů.",
+	"requires_reauthentication": "Vyžaduje opětovné ověření",
+	"requires_users_to_authenticate_again_on_each_authorization": "Vyžaduje, aby se uživatelé při každém autorizačním pokusu znovu ověřili, i když jsou již přihlášeni.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Změnit logo",
 	"upload_logo": "Nahrát logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Kolikrát lze použít registrační token.",
 	"expires": "Vyprší",
 	"signup": "Zaregistrovat se",
+	"user_creation": "Vytvoření uživatele",
+	"configure_user_creation": "Spravujte nastavení vytváření uživatelů, včetně metod registrace a výchozích oprávnění pro nové uživatele.",
+	"user_creation_groups_description": "Při registraci automaticky přiřaďte tyto skupiny novým uživatelům.",
+	"user_creation_claims_description": "Při registraci automaticky přiřaďte tyto vlastní nároky novým uživatelům.",
+	"user_creation_updated_successfully": "Nastavení pro vytváření uživatelů bylo úspěšně aktualizováno.",
+	"signup_disabled_description": "Registrace uživatelů jsou kompletně zakázány. Nové uživatelské účty mohou vytvářet pouze správci.",
 	"signup_requires_valid_token": "Pro vytvoření účtu je vyžadován platný registrační token",
 	"validating_signup_token": "Ověřování registračního tokenu",
 	"go_to_login": "Přejít na přihlášení",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Prozatím přeskočit",
 	"account_created": "Účet vytvořen",
 	"enable_user_signups": "Povolit registraci uživatelů",
-	"enable_user_signups_description": "Určuje, zda by měla být funkce registrace uživatele povolena.",
+	"enable_user_signups_description": "Rozhodněte, jak se uživatelé mohou registrovat pro nové účty v Pocket ID.",
 	"user_signups_are_disabled": "Registrace uživatelů jsou v současné době zakázány",
 	"create_signup_token": "Vytvořit registrační token",
 	"view_active_signup_tokens": "Zobrazit aktivní registrační tokeny",
@@ -412,7 +420,6 @@
 	"loading": "Načítání",
 	"delete_signup_token": "Odstranit registrační token",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Jste si jisti, že chcete odstranit tento registrační token? Tuto akci nelze vrátit zpět.",
-	"signup_disabled_description": "Registrace uživatelů jsou kompletně zakázány. Nové uživatelské účty mohou vytvářet pouze správci.",
 	"signup_with_token": "Zaregistrovat se s tokenem",
 	"signup_with_token_description": "Uživatelé se mohou zaregistrovat pouze pomocí platného registračního tokenu který byl vytvořen správcem.",
 	"signup_open": "Otevřená registrace",
@@ -430,5 +437,8 @@
 	"revoke_access": "Zrušit přístup",
 	"revoke_access_description": "Zrušit přístup k <b>{clientName}</b>. <b>{clientName}</b> už nebude mít přístup k informacím o vašem účtu.",
 	"revoke_access_successful": "Přístup k {clientName} byl úspěšně zrušen.",
-	"last_signed_in_ago": "Naposledy přihlášen {time} před"
+	"last_signed_in_ago": "Naposledy přihlášen {time} před",
+	"invalid_client_id": "ID klienta může obsahovat pouze písmena, číslice, podtržítka a pomlčky.",
+	"custom_client_id_description": "Nastavte vlastní ID klienta, pokud to vyžaduje vaše aplikace. V opačném případě pole nechte prázdné, aby bylo vygenerováno náhodné ID.",
+	"generated": "Vygenerováno"
 }

frontend/messages/da.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Klik for at kopiere",
 	"something_went_wrong": "Noget gik galt",
 	"go_back_to_home": "Gå tilbage til hjem",
-	"dont_have_access_to_your_passkey": "Har du ikke adgang til din adgangsnøgle?",
+	"alternative_sign_in_methods": "Alternative login-metoder",
 	"login_background": "Log ind baggrund",
 	"logo": "Logo",
 	"login_code": "Loginkode",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public-klienter har ikke en klienthemmelighed. De er designet til mobil-, web- og native-apps, hvor hemmeligheder ikke kan opbevares sikkert.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange er en sikkerhedsfunktion, der beskytter mod CSRF- og authorization code-angreb.",
+	"requires_reauthentication": "Kræver genbekræftelse",
+	"requires_users_to_authenticate_again_on_each_authorization": "Kræver, at brugerne skal godkende igen ved hver autorisation, selvom de allerede er logget ind.",
 	"name_logo": "Logo for {name}",
 	"change_logo": "Skift logo",
 	"upload_logo": "Upload logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Antal gange, som tilmeldingstokenet kan bruges.",
 	"expires": "Udløber",
 	"signup": "Tilmeld",
+	"user_creation": "Oprettelse af bruger",
+	"configure_user_creation": "Administrer indstillinger for brugeroprettelse, herunder tilmeldingsmetoder og standardtilladelser for nye brugere.",
+	"user_creation_groups_description": "Tildel disse grupper automatisk til nye brugere ved tilmelding.",
+	"user_creation_claims_description": "Tildel disse brugerdefinerede krav automatisk til nye brugere ved tilmelding.",
+	"user_creation_updated_successfully": "Indstillinger for brugeroprettelse opdateret.",
+	"signup_disabled_description": "Brugerregistreringer er fuldstændigt deaktiveret. Kun administratorer kan oprette nye brugerkonti.",
 	"signup_requires_valid_token": "Der kræves en gyldig tilmeldingstoken for at oprette en konto.",
 	"validating_signup_token": "Validering af tilmeldingstoken",
 	"go_to_login": "Gå til login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Spring over for nu",
 	"account_created": "Konto oprettet",
 	"enable_user_signups": "Aktiver brugerregistrering",
-	"enable_user_signups_description": "Om brugerregistreringsfunktionen skal være aktiveret.",
+	"enable_user_signups_description": "Bestem, hvordan brugere kan oprette nye konti i Pocket ID.",
 	"user_signups_are_disabled": "Brugerregistrering er i øjeblikket deaktiveret.",
 	"create_signup_token": "Opret tilmeldingstoken",
 	"view_active_signup_tokens": "Vis aktive tilmeldingstokener",
@@ -412,7 +420,6 @@
 	"loading": "Indlæsning",
 	"delete_signup_token": "Slet tilmeldingstoken",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Er du sikker på, at du vil slette denne tilmeldingstoken? Denne handling kan ikke fortrydes.",
-	"signup_disabled_description": "Brugerregistreringer er fuldstændigt deaktiveret. Kun administratorer kan oprette nye brugerkonti.",
 	"signup_with_token": "Tilmeld dig med token",
 	"signup_with_token_description": "Brugere kan kun tilmelde sig ved hjælp af en gyldig tilmeldingstoken, der er oprettet af en administrator.",
 	"signup_open": "Åben tilmelding",
@@ -430,5 +437,8 @@
 	"revoke_access": "Tilbagekald adgang",
 	"revoke_access_description": "Tilbagekald adgang til <b>{clientName}</b>. <b>{clientName}</b> vil ikke længere kunne få adgang til dine kontooplysninger.",
 	"revoke_access_successful": "Adgangen til {clientName} er blevet ophævet.",
-	"last_signed_in_ago": "Sidst logget ind {time} siden"
+	"last_signed_in_ago": "Sidst logget ind {time} siden",
+	"invalid_client_id": "Kunde-ID må kun indeholde bogstaver, tal, understregninger og bindestreger.",
+	"custom_client_id_description": "Indstil et brugerdefineret klient-id, hvis dette kræves af din applikation. Ellers skal du lade feltet være tomt for at generere et tilfældigt id.",
+	"generated": "Genereret"
 }

frontend/messages/de.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Zum Kopieren klicken",
 	"something_went_wrong": "Etwas ist schiefgelaufen",
 	"go_back_to_home": "Zurück zur Startseite",
-	"dont_have_access_to_your_passkey": "Du hast keinen Zugriff auf deinen Passkey?",
+	"alternative_sign_in_methods": "Andere Anmeldemöglichkeiten",
 	"login_background": "Login Hintergrund",
 	"logo": "Logo",
 	"login_code": "Anmeldecode",
@@ -387,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Wie oft der Anmeldetoken benutzt werden kann.",
 	"expires": "Läuft ab",
 	"signup": "Anmelden",
+	"user_creation": "Benutzererstellung",
+	"configure_user_creation": "Verwalte die Einstellungen für die Benutzererstellung, einschließlich der Anmeldemethoden und Standardberechtigungen für neue Benutzer.",
+	"user_creation_groups_description": "Weise diese Gruppen neuen Benutzern bei der Anmeldung automatisch zu.",
+	"user_creation_claims_description": "Weise diese benutzerdefinierten Ansprüche neuen Benutzern bei der Anmeldung automatisch zu.",
+	"user_creation_updated_successfully": "Einstellungen für die Benutzererstellung erfolgreich aktualisiert.",
+	"signup_disabled_description": "Benutzeranmeldungen sind komplett deaktiviert. Nur Admins können neue Benutzerkonten erstellen.",
 	"signup_requires_valid_token": "Zum Erstellen eines Kontos brauchst du einen gültigen Anmeldetoken.",
 	"validating_signup_token": "Anmeldungstoken bestätigen",
 	"go_to_login": "Zum Login gehen",
@@ -398,7 +404,7 @@
 	"skip_for_now": "Jetzt überspringen",
 	"account_created": "Konto erstellt",
 	"enable_user_signups": "Benutzeranmeldungen aktivieren",
-	"enable_user_signups_description": "Ob die Funktion zur Benutzeranmeldung aktiviert werden soll.",
+	"enable_user_signups_description": "Entscheide, wie sich Leute für neue Konten in Pocket ID anmelden können.",
 	"user_signups_are_disabled": "Benutzeranmeldungen sind im Moment deaktiviert.",
 	"create_signup_token": "Anmeldungstoken erstellen",
 	"view_active_signup_tokens": "Aktive Anmeldetoken anzeigen",
@@ -414,7 +420,6 @@
 	"loading": "Laden",
 	"delete_signup_token": "Anmeldungstoken löschen",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Willst du diesen Anmeldetoken wirklich löschen? Das kannst du nicht rückgängig machen.",
-	"signup_disabled_description": "Benutzeranmeldungen sind komplett deaktiviert. Nur Admins können neue Benutzerkonten erstellen.",
 	"signup_with_token": "Mit Token anmelden",
 	"signup_with_token_description": "Benutzer können sich nur mit einem gültigen Anmeldetoken anmelden, das von einem Administrator erstellt wurde.",
 	"signup_open": "Anmeldung offen",
@@ -432,5 +437,8 @@
 	"revoke_access": "Zugriff widerrufen",
 	"revoke_access_description": "Zugriff widerrufen <b>{clientName}</b>. <b>{clientName}</b> kann nicht mehr auf deine Kontoinfos zugreifen.",
 	"revoke_access_successful": "Der Zugriff auf „ {clientName} “ wurde erfolgreich gesperrt.",
-	"last_signed_in_ago": "Zuletzt angemeldet vor {time} Stunden"
+	"last_signed_in_ago": "Zuletzt angemeldet vor {time} Stunden",
+	"invalid_client_id": "Die Kunden-ID darf nur Buchstaben, Zahlen, Unterstriche und Bindestriche haben.",
+	"custom_client_id_description": "Gib eine eigene Client-ID ein, wenn deine App das braucht. Ansonsten lass das Feld leer, damit eine zufällige ID generiert wird.",
+	"generated": "Generiert"
 }

frontend/messages/en.json

@@ -17,6 +17,7 @@
 	"image_should_be_in_format": "The image should be in PNG or JPEG format.",
 	"items_per_page": "Items per page",
 	"no_items_found": "No items found",
+	"select_items": "Select items...",
 	"search": "Search...",
 	"expand_card": "Expand card",
 	"copied": "Copied",
@@ -440,5 +441,7 @@
 	"last_signed_in_ago": "Last signed in {time} ago",
 	"invalid_client_id": "Client ID can only contain letters, numbers, underscores, and hyphens",
 	"custom_client_id_description": "Set a custom client ID if this is required by your application. Otherwise, leave it blank to generate a random one.",
-	"generated": "Generated"
+	"generated": "Generated",
+  "administration": "Administration"
+
 }

frontend/messages/es.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Haz clic para copiar",
 	"something_went_wrong": "Algo ha salido mal",
 	"go_back_to_home": "Volver al Inicio",
-	"dont_have_access_to_your_passkey": "¿No tiene acceso a su Passkey?",
+	"alternative_sign_in_methods": "Métodos alternativos de inicio de sesión",
 	"login_background": "Fondo de página de acceso",
 	"logo": "Logotipo",
 	"login_code": "Código de inicio de sesión",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "El intercambio de claves públicas es una función de seguridad que evita los ataques CSRF y la interceptación de códigos de autorización.",
+	"requires_reauthentication": "Requiere reautenticación",
+	"requires_users_to_authenticate_again_on_each_authorization": "Requiere que los usuarios se autentiquen de nuevo en cada autorización, incluso si ya han iniciado sesión.",
 	"name_logo": "{name} logotipo",
 	"change_logo": "Cambiar logotipo",
 	"upload_logo": "Subir Logo",
@@ -435,5 +437,8 @@
 	"revoke_access": "Revocar acceso",
 	"revoke_access_description": "Revocar el acceso a <b>{clientName}</b>. <b>{clientName}</b> ya no podrás acceder a la información de tu cuenta.",
 	"revoke_access_successful": "El acceso a {clientName} ha sido revocado correctamente.",
-	"last_signed_in_ago": "Último inicio de sesión en {time} hace"
+	"last_signed_in_ago": "Último inicio de sesión en {time} hace",
+	"invalid_client_id": "El ID de cliente solo puede contener letras, números, guiones bajos y guiones.",
+	"custom_client_id_description": "Establece un ID de cliente personalizado si tu aplicación lo requiere. De lo contrario, déjalo en blanco para generar uno aleatorio.",
+	"generated": "Generado"
 }

frontend/messages/fr.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Cliquer pour copier",
 	"something_went_wrong": "Quelque chose n'a pas fonctionné",
 	"go_back_to_home": "Retourner à l'accueil",
-	"dont_have_access_to_your_passkey": "Vous n'avez pas accès à votre clé d'accès ?",
+	"alternative_sign_in_methods": "Autres façons de se connecter",
 	"login_background": "Arrière-plan de connexion",
 	"logo": "Logo",
 	"login_code": "Code de connexion",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Les clients publics n'ont pas de secret client et utilisent PKCE à la place. Activez cette option si votre client est une application SPA ou une application mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Le Public Key Code Exchange est une fonctionnalité de sécurité conçue pour prévenir les attaques CSRF et l’interception de code d’autorisation.",
+	"requires_reauthentication": "Nécessite une nouvelle authentification",
+	"requires_users_to_authenticate_again_on_each_authorization": "Demande aux utilisateurs de se connecter à nouveau à chaque autorisation, même s'ils sont déjà connectés.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Changer le logo",
 	"upload_logo": "Télécharger un logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Nombre de fois que le jeton d'inscription peut être utilisé.",
 	"expires": "Expire",
 	"signup": "S'inscrire",
+	"user_creation": "Création d'un utilisateur",
+	"configure_user_creation": "Gère les paramètres de création des utilisateurs, comme les méthodes d'inscription et les autorisations par défaut pour les nouveaux utilisateurs.",
+	"user_creation_groups_description": "Attribuez automatiquement ces groupes aux nouveaux utilisateurs lors de leur inscription.",
+	"user_creation_claims_description": "Attribuez automatiquement ces revendications personnalisées aux nouveaux utilisateurs lors de leur inscription.",
+	"user_creation_updated_successfully": "Les paramètres de création d'utilisateur ont été mis à jour.",
+	"signup_disabled_description": "Les inscriptions utilisateur sont complètement désactivées. Seuls les administrateurs peuvent créer de nouveaux comptes utilisateur.",
 	"signup_requires_valid_token": "Un jeton d'inscription valide est requis pour créer un compte.",
 	"validating_signup_token": "Validation du jeton d'inscription",
 	"go_to_login": "Aller à la connexion",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Ignorer pour le moment",
 	"account_created": "Compte créé",
 	"enable_user_signups": "Activer les inscriptions utilisateur",
-	"enable_user_signups_description": "Détermine si la fonctionnalité d'inscription des utilisateurs doit être activée.",
+	"enable_user_signups_description": "Décide comment les utilisateurs peuvent créer de nouveaux comptes dans Pocket ID.",
 	"user_signups_are_disabled": "Les inscriptions utilisateur sont actuellement désactivées",
 	"create_signup_token": "Créer un jeton d'inscription",
 	"view_active_signup_tokens": "Voir les jetons d'inscription actifs",
@@ -412,7 +420,6 @@
 	"loading": "Chargement",
 	"delete_signup_token": "Supprimer le jeton d'inscription",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Êtes-vous sûr de vouloir supprimer ce jeton d'inscription ? Cette action est irréversible.",
-	"signup_disabled_description": "Les inscriptions utilisateur sont complètement désactivées. Seuls les administrateurs peuvent créer de nouveaux comptes utilisateur.",
 	"signup_with_token": "Inscription avec jeton",
 	"signup_with_token_description": "Les utilisateurs ne peuvent s'inscrire qu'en utilisant un jeton d'inscription valide créé par un administrateur.",
 	"signup_open": "Inscription ouverte",
@@ -430,5 +437,8 @@
 	"revoke_access": "Supprimer l'accès",
 	"revoke_access_description": "Supprimer l'accès à <b>{clientName}</b>. <b>{clientName}</b> ne pourra plus accéder aux infos de ton compte.",
 	"revoke_access_successful": "L'accès à {clientName} a été supprimé.",
-	"last_signed_in_ago": "Dernière connexion il y a {time} il y a"
+	"last_signed_in_ago": "Dernière connexion il y a {time} il y a",
+	"invalid_client_id": "L'ID client ne peut contenir que des lettres, des chiffres, des traits de soulignement et des tirets.",
+	"custom_client_id_description": "Définissez un identifiant client personnalisé si votre application l'exige. Sinon, laissez ce champ vide pour qu'un identifiant aléatoire soit généré.",
+	"generated": "Généré"
 }

frontend/messages/it.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Clicca per copiare",
 	"something_went_wrong": "Qualcosa è andato storto",
 	"go_back_to_home": "Torna alla home",
-	"dont_have_access_to_your_passkey": "Non hai accesso alla tua passkey?",
+	"alternative_sign_in_methods": "Metodi di accesso alternativi",
 	"login_background": "Sfondo di accesso",
 	"logo": "Logo",
 	"login_code": "Codice di accesso",
@@ -276,6 +276,8 @@
 	"public_clients_description": "I client pubblici non hanno un client secret e utilizzano PKCE. Abilita questa opzione se il tuo client è una SPA o un'app mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Il Public Key Code Exchange è una funzionalità di sicurezza per prevenire attacchi CSRF e intercettazione del codice di autorizzazione.",
+	"requires_reauthentication": "È necessario effettuare nuovamente l'autenticazione",
+	"requires_users_to_authenticate_again_on_each_authorization": "Chiede agli utenti di fare di nuovo l'autenticazione ogni volta che autorizzano qualcosa, anche se hanno già fatto l'accesso.",
 	"name_logo": "Logo di {name}",
 	"change_logo": "Cambia Logo",
 	"upload_logo": "Carica Logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Numero di volte che il codice d'iscrizione può essere usato.",
 	"expires": "Scadenza",
 	"signup": "Registrati",
+	"user_creation": "Creazione utente",
+	"configure_user_creation": "Gestisci le impostazioni per creare nuovi utenti, come i metodi di registrazione e i permessi di default per quelli nuovi.",
+	"user_creation_groups_description": "Assegna automaticamente questi gruppi ai nuovi utenti al momento della registrazione.",
+	"user_creation_claims_description": "Assegna automaticamente queste richieste personalizzate ai nuovi utenti al momento della registrazione.",
+	"user_creation_updated_successfully": "Le impostazioni per creare un utente sono state aggiornate.",
+	"signup_disabled_description": "Le iscrizioni utente sono completamente disabilitate. Solo gli amministratori possono creare nuovi account utente.",
 	"signup_requires_valid_token": "È necessario un codice d'iscrizione valido per creare un account",
 	"validating_signup_token": "Convalida codice d'iscrizione",
 	"go_to_login": "Vai alla login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Salta per ora",
 	"account_created": "Account creato",
 	"enable_user_signups": "Abilita Iscrizioni Utente",
-	"enable_user_signups_description": "Indica se la funzionalità di registrazione utente deve essere abilitata.",
+	"enable_user_signups_description": "Decidi come gli utenti possono registrarsi per creare nuovi account in Pocket ID.",
 	"user_signups_are_disabled": "Le iscrizioni utente sono attualmente disattivate",
 	"create_signup_token": "Crea Codice d'iscrizione",
 	"view_active_signup_tokens": "Visualizza codici d'iscrizione attivi",
@@ -412,7 +420,6 @@
 	"loading": "Caricamento",
 	"delete_signup_token": "Elimina Codice d'iscrizione",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Sei sicuro di voler eliminare questo codice d'iscrizione? Questa azione non può essere annullata.",
-	"signup_disabled_description": "Le iscrizioni utente sono completamente disabilitate. Solo gli amministratori possono creare nuovi account utente.",
 	"signup_with_token": "Registrati con codice",
 	"signup_with_token_description": "Gli utenti possono registrarsi solo usando un codice d'iscrizione valido, creato da un amministratore.",
 	"signup_open": "Apri Registrazione",
@@ -430,5 +437,8 @@
 	"revoke_access": "Revoca accesso",
 	"revoke_access_description": "Revoca l'accesso a <b>{clientName}</b>. <b>{clientName}</b> non potrà più accedere alle informazioni del tuo account.",
 	"revoke_access_successful": "L'accesso a {clientName} è stato revocato con successo.",
-	"last_signed_in_ago": "Ultimo accesso {time} fa"
+	"last_signed_in_ago": "Ultimo accesso {time} fa",
+	"invalid_client_id": "L'ID cliente può contenere solo lettere, numeri, trattini bassi e trattini.",
+	"custom_client_id_description": "Imposta un ID cliente personalizzato se la tua app lo richiede. Altrimenti, lascia vuoto per generarne uno casuale.",
+	"generated": "Generato"
 }

frontend/messages/ko.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "클릭하여 복사",
 	"something_went_wrong": "문제가 발생했습니다",
 	"go_back_to_home": "홈으로 돌아가기",
-	"dont_have_access_to_your_passkey": "패스키에 접근할 수 없나요?",
+	"alternative_sign_in_methods": "대체 로그인 방법",
 	"login_background": "로그인 배경",
 	"logo": "로고",
 	"login_code": "로그인 코드",
@@ -276,6 +276,8 @@
 	"public_clients_description": "공개 클라이언트는 클라이언트 시크릿이 없습니다. 이들은 시크릿을 안전하게 보관할 수 없는 모바일, 웹, 네이티브 애플리케이션을 위해 설계되었습니다.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "공개 키 코드 교환은 CSRF 및 승인 코드 가로채기 공격을 방지하기 위한 보안 기능입니다.",
+	"requires_reauthentication": "재인증 요구",
+	"requires_users_to_authenticate_again_on_each_authorization": "사용자가 이미 로그인한 상태에서도 승인할 때마다 다시 인증을 요구합니다.",
 	"name_logo": "{name} 로고",
 	"change_logo": "로고 변경",
 	"upload_logo": "로고 업로드",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "계정 생성 토큰을 사용할 수 있는 횟수.",
 	"expires": "만료일",
 	"signup": "계정 생성",
+	"user_creation": "사용자 생성",
+	"configure_user_creation": "사용자 생성 설정을 관리합니다. 이에는 신규 사용자 등록 방법 및 신규 사용자의 기본 권한이 포함됩니다.",
+	"user_creation_groups_description": "새 사용자가 가입할 때 이 그룹을 자동으로 할당합니다.",
+	"user_creation_claims_description": "새 사용자가 가입할 때 이 사용자 정의 클레임을 자동으로 할당합니다.",
+	"user_creation_updated_successfully": "사용자 생성 설정 업데이트가 성공적으로 완료되었습니다.",
+	"signup_disabled_description": "계정 생성이 완전히 비활성화됩니다. 새로운 사용자 계정은 관리자만 생성할 수 있습니다.",
 	"signup_requires_valid_token": "계정을 생성하려면 유효한 계정 생성 토큰이 필요합니다",
 	"validating_signup_token": "계정 생성 토큰 검증",
 	"go_to_login": "로그인으로 이동",
@@ -396,7 +404,7 @@
 	"skip_for_now": "지금은 건너뛰기",
 	"account_created": "계정 생성됨",
 	"enable_user_signups": "계정 생성 활성화",
-	"enable_user_signups_description": "계정 생성 기능이 활성화됩니다.",
+	"enable_user_signups_description": "Pocket ID에서 사용자가 새로운 계정을 생성하는 방법을 결정하세요.",
 	"user_signups_are_disabled": "계정 생성이 현재 비활성화되었습니다",
 	"create_signup_token": "계정 생성 토큰 생성",
 	"view_active_signup_tokens": "활성 계정 생성 토큰 보기",
@@ -412,7 +420,6 @@
 	"loading": "불러오는 중",
 	"delete_signup_token": "계정 생성 토큰 삭제",
 	"are_you_sure_you_want_to_delete_this_signup_token": "이 계정 생성 토큰을 정말로 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
-	"signup_disabled_description": "계정 생성이 완전히 비활성화됩니다. 새로운 사용자 계정은 관리자만 생성할 수 있습니다.",
 	"signup_with_token": "토큰으로 계정 생성",
 	"signup_with_token_description": "사용자는 관리자가 생성한 유효한 계정 생성 토큰을 사용해야 가입할 수 있습니다.",
 	"signup_open": "계정 생성 허용",
@@ -430,5 +437,8 @@
 	"revoke_access": "접근 권한 취소",
 	"revoke_access_description": "<b>{clientName}</b>의 접근 권한을 취소합니다. <b>{clientName}</b>은 더 이상 계정 정보에 접근할 수 없습니다.",
 	"revoke_access_successful": "{clientName}의 접근이 성공적으로 취소되었습니다.",
-	"last_signed_in_ago": "{time} 전에 로그인함"
+	"last_signed_in_ago": "{time} 전에 로그인함",
+	"invalid_client_id": "고객 ID에는 영문자, 숫자, 밑줄, 하이픈만 포함될 수 있습니다.",
+	"custom_client_id_description": "애플리케이션에서 사용자 정의 클라이언트 ID가 요구되는 경우 설정하세요. 그렇지 않으면 빈 상태로 두어서 무작위로 생성할 수 있습니다.",
+	"generated": "생성됨"
 }

frontend/messages/nl.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Klik om te kopiëren",
 	"something_went_wrong": "Er is iets misgegaan",
 	"go_back_to_home": "Terug naar beginpagina",
-	"dont_have_access_to_your_passkey": "Heb je geen toegang tot je passkey?",
+	"alternative_sign_in_methods": "Andere manieren om in te loggen",
 	"login_background": "Inlogachtergrond",
 	"logo": "Logo",
 	"login_code": "Inlogcode",
@@ -43,7 +43,7 @@
 	"error_occurred_with_authenticator": "Er is een fout opgetreden met de authenticator",
 	"authenticator_does_not_support_discoverable_credentials": "De authenticator ondersteunt geen vindbare referenties",
 	"authenticator_does_not_support_resident_keys": "De authenticator ondersteunt geen vaste sleutels",
-	"passkey_was_previously_registered": "Deze toegangscode is eerder geregistreerd",
+	"passkey_was_previously_registered": "Deze passkey is eerder geregistreerd",
 	"authenticator_does_not_support_any_of_the_requested_algorithms": "De authenticator ondersteunt geen van de gevraagde algoritmen",
 	"authenticator_timed_out": "De authenticator is verlopen",
 	"critical_error_occurred_contact_administrator": "Er is een kritieke fout opgetreden. Neem contact op met de beheerder.",
@@ -70,8 +70,8 @@
 	"please_try_again": "Probeer het opnieuw.",
 	"continue": "Doorgaan",
 	"alternative_sign_in": "Alternatieve aanmelding",
-	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Als je geen toegang hebt tot je passkeys, kun je je op een van de volgende manieren aanmelden.",
-	"use_your_passkey_instead": "Wil je in plaats daarvan je toegangscode gebruiken?",
+	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Als je geen toegang hebt tot je passkey, kun je je op een van de volgende manieren aanmelden.",
+	"use_your_passkey_instead": "Wil je in plaats daarvan je passkey gebruiken?",
 	"email_login": "E-mail inloggen",
 	"enter_a_login_code_to_sign_in": "Voer een inlogcode in om in te loggen.",
 	"request_a_login_code_via_email": "Vraag een inlogcode aan via e-mail.",
@@ -84,7 +84,7 @@
 	"enter_the_code_you_received_to_sign_in": "Voer de code in die je hebt ontvangen om in te loggen.",
 	"code": "Code",
 	"invalid_redirect_url": "Ongeldige omleidings-URL",
-	"audit_log": "Audit logboek",
+	"audit_log": "Activiteitenlogboek",
 	"users": "Gebruikers",
 	"user_groups": "Gebruikersgroepen",
 	"oidc_clients": "OIDC-clients",
@@ -95,7 +95,7 @@
 	"powered_by": "Aangedreven door",
 	"see_your_account_activities_from_the_last_3_months": "Bekijk je accountactiviteiten van de afgelopen 3 maanden.",
 	"time": "Tijd",
-	"event": "Evenement",
+	"event": "Activiteit",
 	"approximate_location": "Geschatte locatie",
 	"ip_address": "IP-adres",
 	"device": "Apparaat",
@@ -106,11 +106,11 @@
 	"account_settings": "Accountinstellingen",
 	"passkey_missing": "Passkey ontbreekt",
 	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Voeg een passkey toe om te voorkomen dat je de toegang tot je account verliest.",
-	"single_passkey_configured": "Eén enkele toegangscode geconfigureerd",
-	"it_is_recommended_to_add_more_than_one_passkey": "Het is raadzaam om meer dan één toegangscode toe te voegen om te voorkomen dat je de toegang tot uw account verliest.",
+	"single_passkey_configured": "Eén enkele passkey geconfigureerd",
+	"it_is_recommended_to_add_more_than_one_passkey": "Het is raadzaam om meer dan één passkey toe te voegen om te voorkomen dat je de toegang tot uw account verliest.",
 	"account_details": "Accountgegevens",
-	"passkeys": "Toegangscodes",
-	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Beheer de toegangscodes waarmee je jezelf kunt verifiëren.",
+	"passkeys": "Passkeys",
+	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Beheer de passkeys waarmee je jezelf kunt verifiëren.",
 	"add_passkey": "Passkey toevoegen",
 	"create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey": "Maak een eenmalige inlogcode aan om in te loggen vanaf een ander apparaat zonder passkey.",
 	"create": "Aanmaken",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Publieke clients hebben geen client secret en gebruiken in plaats daarvan PKCE. Schakel dit in als je client een SPA of mobiele app is.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is een beveiligingsfunctie om CSRF- en autorisatiecode-onderscheppingsaanvallen te voorkomen.",
+	"requires_reauthentication": "Je moet opnieuw inloggen",
+	"requires_users_to_authenticate_again_on_each_authorization": "Gebruikers moeten bij elke autorisatie opnieuw inloggen, zelfs als ze al ingelogd zijn.",
 	"name_logo": "{name} logo",
 	"change_logo": "Logo wijzigen",
 	"upload_logo": "Logo uploaden",
@@ -320,7 +322,7 @@
 	"all_events": "Alle activiteiten",
 	"all_clients": "Alle clients",
 	"all_locations": "Alle locaties",
-	"global_audit_log": "Algemeen audit logboek",
+	"global_audit_log": "Globaal activiteitenlogboek",
 	"see_all_account_activities_from_the_last_3_months": "Bekijk alle gebruikersactiviteit van de afgelopen 3 maanden.",
 	"token_sign_in": "Inloggen met token",
 	"client_authorization": "Client autorisatie",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Hoe vaak het aanmeldingstoken gebruikt kan worden.",
 	"expires": "Verloopt",
 	"signup": "Aanmelden",
+	"user_creation": "Gebruikers aanmaken",
+	"configure_user_creation": "Beheer de instellingen voor het aanmaken van gebruikers, zoals hoe mensen zich kunnen aanmelden en wat nieuwe gebruikers standaard kunnen doen.",
+	"user_creation_groups_description": "Wijs deze groepen automatisch toe aan nieuwe gebruikers bij aanmelding.",
+	"user_creation_claims_description": "Wijs deze aangepaste claims automatisch toe aan nieuwe gebruikers bij aanmelding.",
+	"user_creation_updated_successfully": "Instellingen voor het aanmaken van gebruikers zijn bijgewerkt.",
+	"signup_disabled_description": "Gebruikersregistraties zijn helemaal uitgeschakeld. Alleen beheerders kunnen nieuwe gebruikersaccounts aanmaken.",
 	"signup_requires_valid_token": "U heeft een geldige registratietoken nodig om een account aan te maken.",
 	"validating_signup_token": "Inlogtoken checken",
 	"go_to_login": "Ga naar inloggen",
@@ -392,11 +400,11 @@
 	"create_your_account_to_get_started": "Om te beginnen moet u een account aanmaken.",
 	"initial_account_creation_description": "Maak een account aan om te beginnen. U kunt later een wachtwoord instellen.",
 	"setup_your_passkey": "Stel uw passkey in",
-	"create_a_passkey_to_securely_access_your_account": "Maak een toegangscode aan om veilig toegang te krijgen tot je account. Dit is je primaire manier om in te loggen.",
+	"create_a_passkey_to_securely_access_your_account": "Maak een passkey aan om veilig toegang te krijgen tot je account. Dit is je primaire manier om in te loggen.",
 	"skip_for_now": "Voor nu even overslaan",
 	"account_created": "Account aangemaakt",
 	"enable_user_signups": "Gebruikersregistratie inschakelen",
-	"enable_user_signups_description": "Of de functie voor gebruikersregistratie moet worden ingeschakeld.",
+	"enable_user_signups_description": "Bepaal hoe mensen zich kunnen aanmelden voor nieuwe accounts in Pocket ID.",
 	"user_signups_are_disabled": "Gebruikersregistraties zijn nu uitgeschakeld.",
 	"create_signup_token": "Aanmeldingstoken maken",
 	"view_active_signup_tokens": "Actieve aanmeldingstokens bekijken",
@@ -412,7 +420,6 @@
 	"loading": "Bezig met laden",
 	"delete_signup_token": "Registratietoken verwijderen",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Weet u zeker dat u dit aanmeldingstoken wilt verwijderen? Deze actie kan niet ongedaan worden gemaakt.",
-	"signup_disabled_description": "Gebruikersregistraties zijn helemaal uitgeschakeld. Alleen beheerders kunnen nieuwe gebruikersaccounts aanmaken.",
 	"signup_with_token": "Aanmelden met token",
 	"signup_with_token_description": "U kunt zich alleen aanmelden met een geldige aanmeldtoken die door een beheerder is aangemaakt.",
 	"signup_open": "Open inschrijving",
@@ -429,6 +436,9 @@
 	"client_name_description": "De naam van de client die wordt getoond in de Pocket ID UI.",
 	"revoke_access": "Toegang intrekken",
 	"revoke_access_description": "Toegang intrekken tot <b>{clientName}</b>. <b>{clientName}</b> kun je accountgegevens niet meer gebruiken.",
-	"revoke_access_successful": "De toegang tot {clientName} is nu echt geblokkeerd.",
-	"last_signed_in_ago": "Laatst ingelogd {time} geleden"
+	"revoke_access_successful": "De toegang tot {clientName} is nu succesvol geblokkeerd.",
+	"last_signed_in_ago": "Laatst ingelogd {time} geleden",
+	"invalid_client_id": "De klant-ID mag alleen letters, cijfers, onderstrepingstekens en koppeltekens bevatten.",
+	"custom_client_id_description": "Stel een aangepaste client-ID in als je app dit nodig heeft. Anders laat je het gewoon leeg en wordt er een willekeurige ID gegenereerd.",
+	"generated": "Gemaakt"
 }

frontend/messages/pl.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Kliknij, aby skopiować",
 	"something_went_wrong": "Coś poszło nie tak",
 	"go_back_to_home": "Wróć do strony głównej",
-	"dont_have_access_to_your_passkey": "Nie masz dostępu do swojego klucza?",
+	"alternative_sign_in_methods": "Alternatywne metody logowania",
 	"login_background": "Tło logowania",
 	"logo": "Logo",
 	"login_code": "Kod logowania",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Klienci publiczni nie mają tajnego klucza. Są zaprojektowane dla aplikacji mobilnych, webowych i natywnych, gdzie tajne klucze nie mogą być bezpiecznie przechowywane.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Wymiana kodu publicznego klucza to funkcja zabezpieczająca, która zapobiega atakom CSRF i przechwytywaniu kodu autoryzacyjnego.",
+	"requires_reauthentication": "Wymagane ponowne uwierzytelnienie",
+	"requires_users_to_authenticate_again_on_each_authorization": "Wymaga od użytkowników ponownego uwierzytelniania przy każdej autoryzacji, nawet jeśli są już zalogowani.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Zmień logo",
 	"upload_logo": "Prześlij logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Liczba przypadków, w których można użyć tokenu rejestracji.",
 	"expires": "Wygasają",
 	"signup": "Zarejestruj się",
+	"user_creation": "Tworzenie użytkowników",
+	"configure_user_creation": "Zarządzaj ustawieniami tworzenia użytkowników, w tym metodami rejestracji i domyślnymi uprawnieniami dla nowych użytkowników.",
+	"user_creation_groups_description": "Przypisz te grupy automatycznie nowym użytkownikom podczas rejestracji.",
+	"user_creation_claims_description": "Przypisuj te niestandardowe oświadczenia automatycznie nowym użytkownikom podczas rejestracji.",
+	"user_creation_updated_successfully": "Ustawienia tworzenia użytkowników zostały pomyślnie zaktualizowane.",
+	"signup_disabled_description": "Rejestracja użytkowników jest całkowicie wyłączona. Tylko administratorzy mogą tworzyć nowe konta użytkowników.",
 	"signup_requires_valid_token": "Aby utworzyć konto, wymagany jest ważny token rejestracyjny.",
 	"validating_signup_token": "Weryfikacja tokenu rejestracji",
 	"go_to_login": "Przejdź do logowania",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Pomiń na razie",
 	"account_created": "Konto utworzone",
 	"enable_user_signups": "Włącz rejestrację użytkowników",
-	"enable_user_signups_description": "Czy funkcja rejestracji użytkowników powinna być włączona.",
+	"enable_user_signups_description": "Zdecyduj, w jaki sposób użytkownicy mogą rejestrować nowe konta w Pocket ID.",
 	"user_signups_are_disabled": "Rejestracja użytkowników jest obecnie wyłączona.",
 	"create_signup_token": "Utwórz token rejestracji",
 	"view_active_signup_tokens": "Wyświetl aktywne tokeny rejestracji",
@@ -412,7 +420,6 @@
 	"loading": "Ładowanie",
 	"delete_signup_token": "Usuń token rejestracji",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Czy na pewno chcesz usunąć ten token rejestracji? Tego działania nie można cofnąć.",
-	"signup_disabled_description": "Rejestracja użytkowników jest całkowicie wyłączona. Tylko administratorzy mogą tworzyć nowe konta użytkowników.",
 	"signup_with_token": "Zarejestruj się za pomocą tokenu",
 	"signup_with_token_description": "Użytkownicy mogą zarejestrować się wyłącznie przy użyciu ważnego tokenu rejestracyjnego utworzonego przez administratora.",
 	"signup_open": "Otwórz rejestrację",
@@ -430,5 +437,8 @@
 	"revoke_access": "Cofnij dostęp",
 	"revoke_access_description": "Cofnij dostęp do <b>{clientName}</b>. <b>{clientName}</b> nie będzie już mógł uzyskać dostępu do informacji o Twoim koncie.",
 	"revoke_access_successful": "Dostęp do strony {clientName} został pomyślnie cofnięty.",
-	"last_signed_in_ago": "Ostatnio zalogowany {time} temu"
+	"last_signed_in_ago": "Ostatnio zalogowany {time} temu",
+	"invalid_client_id": "Identyfikator klienta może zawierać wyłącznie litery, cyfry, znaki podkreślenia i łączniki.",
+	"custom_client_id_description": "Ustaw niestandardowy identyfikator klienta, jeśli jest to wymagane przez twoją aplikację. W przeciwnym razie pozostaw to pole puste, aby wygenerować losowy identyfikator.",
+	"generated": "Wygenerowano"
 }

frontend/messages/pt-BR.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Clique para copiar",
 	"something_went_wrong": "Algo deu errado",
 	"go_back_to_home": "Voltar para o início",
-	"dont_have_access_to_your_passkey": "Não tem acesso à sua chave de acesso?",
+	"alternative_sign_in_methods": "Outras formas de entrar",
 	"login_background": "Histórico de login",
 	"logo": "Logotipo",
 	"login_code": "Código de Login:",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "A troca de chaves públicas é um recurso de segurança que evita ataques CSRF e interceptação de códigos de autorização.",
+	"requires_reauthentication": "Precisa autenticar de novo",
+	"requires_users_to_authenticate_again_on_each_authorization": "Pede que os usuários se autentiquem de novo em cada autorização, mesmo que já estejam conectados.",
 	"name_logo": "{name} logotipo",
 	"change_logo": "Alterar logotipo",
 	"upload_logo": "Carregar logotipo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Número de vezes que o token de inscrição pode ser usado.",
 	"expires": "Vence",
 	"signup": "Cadastre-se",
+	"user_creation": "Criação de usuário",
+	"configure_user_creation": "Gerencie as configurações de criação de usuários, incluindo métodos de inscrição e permissões padrão para novos usuários.",
+	"user_creation_groups_description": "Atribuir esses grupos automaticamente aos novos usuários quando eles se cadastrarem.",
+	"user_creation_claims_description": "Atribua essas reivindicações personalizadas automaticamente aos novos usuários no momento da inscrição.",
+	"user_creation_updated_successfully": "As configurações de criação do usuário foram atualizadas com sucesso.",
+	"signup_disabled_description": "As inscrições de usuários estão totalmente desativadas. Só os administradores podem criar novas contas de usuário.",
 	"signup_requires_valid_token": "É preciso um token de inscrição válido pra criar uma conta.",
 	"validating_signup_token": "Validando o token de inscrição",
 	"go_to_login": "Vá para o login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Pular por enquanto",
 	"account_created": "Conta criada",
 	"enable_user_signups": "Ativar inscrições de usuários",
-	"enable_user_signups_description": "Se a funcionalidade de cadastro de usuários deve ser ativada.",
+	"enable_user_signups_description": "Decida como os usuários podem se cadastrar para novas contas no Pocket ID.",
 	"user_signups_are_disabled": "As inscrições de usuários estão desativadas no momento.",
 	"create_signup_token": "Criar token de inscrição",
 	"view_active_signup_tokens": "Ver tokens de inscrição ativos",
@@ -412,7 +420,6 @@
 	"loading": "Carregando",
 	"delete_signup_token": "Apagar token de inscrição",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Tem certeza que quer apagar esse token de inscrição? Não dá pra voltar atrás.",
-	"signup_disabled_description": "As inscrições de usuários estão totalmente desativadas. Só os administradores podem criar novas contas de usuário.",
 	"signup_with_token": "Cadastre-se com token",
 	"signup_with_token_description": "Os usuários só podem se cadastrar usando um token de cadastro válido criado por um administrador.",
 	"signup_open": "Inscrição aberta",
@@ -430,5 +437,8 @@
 	"revoke_access": "Revogar acesso",
 	"revoke_access_description": "Revogar acesso a <b>{clientName}</b>. <b>{clientName}</b> não vai mais conseguir acessar as informações da sua conta.",
 	"revoke_access_successful": "O acesso a {clientName} foi revogado com sucesso.",
-	"last_signed_in_ago": "Último login em {time} atrás"
+	"last_signed_in_ago": "Último login em {time} atrás",
+	"invalid_client_id": "A ID do cliente só pode ter letras, números, sublinhados e hífens.",
+	"custom_client_id_description": "Defina um ID de cliente personalizado se for necessário para o seu aplicativo. Caso contrário, deixe em branco para gerar um aleatório.",
+	"generated": "Gerado"
 }