release: 1.11.1

chore(translations): update translations via Crowdin (#957 )
release: 1.11.0
2026-02-25 06:23:51 +00:00 · 2025-09-18 22:33:22 +02:00 · 2025-09-18 22:26:38 +02:00 · 2025-09-18 22:16:32 +02:00 · 2025-09-18 21:55:43 +02:00 · 2025-09-17 14:43:12 -05:00
214 changed files with 8515 additions and 1241 deletions
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -23,8 +23,6 @@ jobs:

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
-        with:
-          version: 10

      - name: Setup Node.js
        uses: actions/setup-node@v4
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -3,15 +3,15 @@ on:
  push:
    branches: [main]
    paths-ignore:
-      - "docs/**"
-      - "**.md"
-      - ".github/**"
+      - 'docs/**'
+      - '**.md'
+      - '.github/**'
  pull_request:
    branches: [main]
    paths-ignore:
-      - "docs/**"
-      - "**.md"
-      - ".github/**"
+      - 'docs/**'
+      - '**.md'
+      - '.github/**'

 jobs:
  build:
@@ -61,13 +61,11 @@ jobs:

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
-        with:
-          version: 10

      - uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "pnpm"
+          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml

      - name: Cache Playwright Browsers
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,8 +18,6 @@ jobs:
        uses: actions/checkout@v3
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
-        with:
-          version: 10
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
@@ -71,6 +69,7 @@ jobs:
        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
      - name: Build frontend
        run: pnpm --filter pocket-id-frontend build
+
      - name: Build binaries
        run: sh scripts/development/build-binaries.sh
      - name: Build and push container image
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -38,8 +38,6 @@ jobs:

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
-        with:
-          version: 10

      - name: Setup Node.js
        uses: actions/setup-node@v4
--- a/.version
+++ b/.version
@@ -1 +1 @@
-1.9.0
+1.11.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,52 @@
+## [1.11.1](https://github.com/pocket-id/pocket-id/compare/v1.10.0...v1.11.1) (2025-09-18)
+
+### Bug Fixes
+
+- add missing translations ([8c9cac2](https://github.com/pocket-id/pocket-id/commit/8c9cac2655ddbe4872234a1b55fdd51d2f3ac31c))
+
+## [1.11.0](https://github.com/pocket-id/pocket-id/compare/v1.10.0...v1.11.0) (2025-09-18)
+
+
+### Features
+
+* add CSP header ([#908](https://github.com/pocket-id/pocket-id/issues/908)) ([6215e1a](https://github.com/pocket-id/pocket-id/commit/6215e1ac01c03866f8b2e89ac084ddd6a3c3ac9e))
+* add custom base url ([#858](https://github.com/pocket-id/pocket-id/issues/858)) ([a3979f6](https://github.com/pocket-id/pocket-id/commit/a3979f63e07d418ee9eb1cb1abc37aede5799fc8))
+* add info box to app settings if UI config is disabled ([a1d8538](https://github.com/pocket-id/pocket-id/commit/a1d8538c64beb4d7e8559934985772fba27623ca))
+* add PWA support ([#938](https://github.com/pocket-id/pocket-id/issues/938)) ([5367463](https://github.com/pocket-id/pocket-id/commit/5367463239b354640fd65390bc409e4a0ac13fd1))
+* add support for `LOG_LEVEL` env variable ([#942](https://github.com/pocket-id/pocket-id/issues/942)) ([2d6d5df](https://github.com/pocket-id/pocket-id/commit/2d6d5df0e7f104a148fb4eeac89a2fbb7db8047a))
+* add user display name field ([#898](https://github.com/pocket-id/pocket-id/issues/898)) ([6837360](https://github.com/pocket-id/pocket-id/commit/68373604dd30065947226922233bc1e19e778b01))
+* allow uppercase usernames ([#958](https://github.com/pocket-id/pocket-id/issues/958)) ([0224949](https://github.com/pocket-id/pocket-id/commit/02249491f86c289adf596d9d9922dfa04779edee))
+* client_credentials flow support ([#901](https://github.com/pocket-id/pocket-id/issues/901)) ([901333f](https://github.com/pocket-id/pocket-id/commit/901333f7e43b4e925ed6dfd890dee2caa1947934))
+* return new id_token when using refresh token ([#925](https://github.com/pocket-id/pocket-id/issues/925)) ([307caaa](https://github.com/pocket-id/pocket-id/commit/307caaa3efbc966341b95ee4b5ff18c81ed98e54))
+
+
+### Bug Fixes
+
+* add validation for callback URLs ([#929](https://github.com/pocket-id/pocket-id/issues/929)) ([6c91474](https://github.com/pocket-id/pocket-id/commit/6c9147483c0a370e2b5011d13898279d2acc445d))
+* disable sign up options in UI if `UI_CONFIG_DISABLED` ([1d7cbc2](https://github.com/pocket-id/pocket-id/commit/1d7cbc2a4ecf352d46087f30b477f6bbaa23adf5))
+* ensure users imported from LDAP have fields validated ([#923](https://github.com/pocket-id/pocket-id/issues/923)) ([4215523](https://github.com/pocket-id/pocket-id/commit/42155238b750b015b0547294f397e1e285594e3e))
+* key-rotate doesn't work with database storage ([#940](https://github.com/pocket-id/pocket-id/issues/940)) ([c018f29](https://github.com/pocket-id/pocket-id/commit/c018f29ad7c61a3ef1b235b0d404a3a2024a26ca))
+* list items on previous page get unselected if other items selected on next page ([6c696b4](https://github.com/pocket-id/pocket-id/commit/6c696b46c8b60b3dc4af35c9c6cf1b8e1322f4cd))
+* make environment variables case insensitive where necessary ([#954](https://github.com/pocket-id/pocket-id/issues/954)) ([99f31a7](https://github.com/pocket-id/pocket-id/commit/99f31a7c26c63dec76682ddf450d88e6ee40876f)), closes [#935](https://github.com/pocket-id/pocket-id/issues/935)
+* my apps card shouldn't take full width if only one item exists ([e7e53a8](https://github.com/pocket-id/pocket-id/commit/e7e53a8b8c87bee922167d24556aef3ea219b1a2))
+* update localized name and description of ldap group name attribute ([#892](https://github.com/pocket-id/pocket-id/issues/892)) ([e88be7e](https://github.com/pocket-id/pocket-id/commit/e88be7e61a8aafabcae70adf9265023c50626705))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v1.9.1...v) (2025-08-27)
+
+### Features
+
+* redesigned sidebar with administrative dropdown ([#881](https://github.com/pocket-id/pocket-id/issues/881)) ([096d214](https://github.com/pocket-id/pocket-id/commit/096d214a88808848dae726b0ef4c9a9987185836))
+
+### Bug Fixes
+
+* apps showed multiple times if user is in multiple groups ([641bbc9](https://github.com/pocket-id/pocket-id/commit/641bbc935191bad8afbfec90943fc3e9de7a0cb6))
+## [](https://github.com/pocket-id/pocket-id/compare/v1.9.0...v) (2025-08-24)
+
+
+### Bug Fixes
+
+* sqlite migration drops allowed user groups ([d6d1a4c](https://github.com/pocket-id/pocket-id/commit/d6d1a4ced23886f255a9c2048d19ad3599a17f26))
+
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.8.1...v) (2025-08-24)


--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -61,4 +61,4 @@ formatters:
    paths:
      - third_party$
      - builtin$
-      - examples$
+      - examples$
--- a/backend/frontend/frontend_included.go
+++ b/backend/frontend/frontend_included.go
@@ -3,8 +3,10 @@
 package frontend

 import (
+	"bytes"
 	"embed"
 	"fmt"
+	"io"
 	"io/fs"
 	"net/http"
 	"os"
@@ -12,11 +14,55 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 )

 //go:embed all:dist/*
 var frontendFS embed.FS

+// This function, created by the init() method, writes to "w" the index.html page, populating the nonce
+var writeIndexFn func(w io.Writer, nonce string) error
+
+func init() {
+	const scriptTag = "<script>"
+
+	// Read the index.html from the bundle
+	index, iErr := fs.ReadFile(frontendFS, "dist/index.html")
+	if iErr != nil {
+		panic(fmt.Errorf("failed to read index.html: %w", iErr))
+	}
+
+	// Get the position of the first <script> tag
+	idx := bytes.Index(index, []byte(scriptTag))
+
+	// Create writeIndexFn, which adds the CSP tag to the script tag if needed
+	writeIndexFn = func(w io.Writer, nonce string) (err error) {
+		// If there's no nonce, write the index as-is
+		if nonce == "" {
+			_, err = w.Write(index)
+			return err
+		}
+
+		// We have a nonce, so first write the index until the <script> tag
+		// Then we write the modified script tag
+		// Finally, the rest of the index
+		_, err = w.Write(index[0:idx])
+		if err != nil {
+			return err
+		}
+		_, err = w.Write([]byte(`<script nonce="` + nonce + `">`))
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(index[(idx + len(scriptTag)):])
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
 func RegisterFrontend(router *gin.Engine) error {
 	distFS, err := fs.Sub(frontendFS, "dist")
 	if err != nil {
@@ -27,13 +73,39 @@ func RegisterFrontend(router *gin.Engine) error {
 	fileServer := NewFileServerWithCaching(http.FS(distFS), int(cacheMaxAge.Seconds()))

 	router.NoRoute(func(c *gin.Context) {
-		// Try to serve the requested file
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
-		if _, err := fs.Stat(distFS, path); os.IsNotExist(err) {
-			// File doesn't exist, serve index.html instead
-			c.Request.URL.Path = "/"
+
+		if strings.HasPrefix(path, "api/") {
+			c.JSON(http.StatusNotFound, gin.H{"error": "API endpoint not found"})
+			return
 		}

+		// If path is / or does not exist, serve index.html
+		if path == "" {
+			path = "index.html"
+		} else if _, err := fs.Stat(distFS, path); os.IsNotExist(err) {
+			path = "index.html"
+		}
+
+		if path == "index.html" {
+			nonce := middleware.GetCSPNonce(c)
+
+			// Do not cache the HTML shell, as it embeds a per-request nonce
+			c.Header("Content-Type", "text/html; charset=utf-8")
+			c.Header("Cache-Control", "no-store")
+			c.Status(http.StatusOK)
+
+			err = writeIndexFn(c.Writer, nonce)
+			if err != nil {
+				_ = c.Error(fmt.Errorf("failed to write index.html file: %w", err))
+				return
+			}
+
+			return
+		}
+
+		// Serve other static assets with caching
+		c.Request.URL.Path = "/" + path
 		fileServer.ServeHTTP(c.Writer, c.Request)
 	})

--- a/backend/go.mod
+++ b/backend/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
 	github.com/emersion/go-smtp v0.21.3
 	github.com/fxamacker/cbor/v2 v2.9.0
+	github.com/gin-contrib/slog v1.1.0
 	github.com/gin-gonic/gin v1.10.1
 	github.com/glebarez/go-sqlite v1.22.0
 	github.com/glebarez/sqlite v1.11.0
@@ -29,7 +30,6 @@ require (
 	github.com/mileusna/useragent v1.3.5
 	github.com/orandin/slog-gorm v1.4.0
 	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8
-	github.com/samber/slog-gin v1.15.1
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	go.opentelemetry.io/contrib/bridges/otelslog v0.12.0
@@ -45,6 +45,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0
 	golang.org/x/crypto v0.41.0
 	golang.org/x/image v0.30.0
+	golang.org/x/sync v0.16.0
 	golang.org/x/text v0.28.0
 	golang.org/x/time v0.12.0
 	gorm.io/driver/postgres v1.6.0
@@ -135,7 +136,6 @@ require (
 	golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -56,6 +56,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
 github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
+github.com/gin-contrib/slog v1.1.0 h1:K9MVNrETT6r/C3u2Aheer/gxwVeVqrGL0hXlsmv3fm4=
+github.com/gin-contrib/slog v1.1.0/go.mod h1:PvNXQVXcVOAaaiJR84LV1/xlQHIaXi9ygEXyBkmjdkY=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
@@ -241,8 +243,6 @@ github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzG
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/samber/slog-gin v1.15.1 h1:jsnfr+S5HQPlz9pFPA3tOmKW7wN/znyZiE6hncucrTM=
-github.com/samber/slog-gin v1.15.1/go.mod h1:mPAEinK/g2jPLauuWO11m3Q0Ca7aG4k9XjXjXY8IhMQ=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -1,9 +1,13 @@
 package bootstrap

 import (
+	"bytes"
+	"encoding/hex"
 	"fmt"
+	"io/fs"
+	"log/slog"
 	"os"
-	"path"
+	"path/filepath"
 	"strings"

 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -13,6 +17,15 @@ import (

 // initApplicationImages copies the images from the images directory to the application-images directory
 func initApplicationImages() error {
+	// Images that are built into the Pocket ID binary
+	builtInImageHashes := getBuiltInImageHashes()
+
+	// Previous versions of images
+	// If these are found, they are deleted
+	legacyImageHashes := imageHashMap{
+		"background.jpg": mustDecodeHex("138d510030ed845d1d74de34658acabff562d306476454369a60ab8ade31933f"),
+	}
+
 	dirPath := common.EnvConfig.UploadPath + "/application-images"

 	sourceFiles, err := resources.FS.ReadDir("images")
@@ -24,15 +37,48 @@ func initApplicationImages() error {
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("failed to read directory: %w", err)
 	}
+	destinationFilesMap := make(map[string]bool, len(destinationFiles))
+	for _, f := range destinationFiles {
+		name := f.Name()
+		destFilePath := filepath.Join(dirPath, name)
+
+		h, err := utils.CreateSha256FileHash(destFilePath)
+		if err != nil {
+			return fmt.Errorf("failed to get hash for file '%s': %w", name, err)
+		}
+
+		// Check if the file is a legacy one - if so, delete it
+		if legacyImageHashes.Contains(h) {
+			slog.Info("Found legacy application image that will be removed", slog.String("name", name))
+			err = os.Remove(destFilePath)
+			if err != nil {
+				return fmt.Errorf("failed to remove legacy file '%s': %w", name, err)
+			}
+			continue
+		}
+
+		// Check if the file is a built-in one and save it in the map
+		destinationFilesMap[getImageNameWithoutExtension(name)] = builtInImageHashes.Contains(h)
+	}

 	// Copy images from the images directory to the application-images directory if they don't already exist
 	for _, sourceFile := range sourceFiles {
-		if sourceFile.IsDir() || imageAlreadyExists(sourceFile.Name(), destinationFiles) {
+		// Skip if it's a directory
+		if sourceFile.IsDir() {
 			continue
 		}
-		srcFilePath := path.Join("images", sourceFile.Name())
-		destFilePath := path.Join(dirPath, sourceFile.Name())

+		name := sourceFile.Name()
+		srcFilePath := filepath.Join("images", name)
+		destFilePath := filepath.Join(dirPath, name)
+
+		// Skip if there's already an image at the path
+		// We do not check the extension because users could have uploaded a different one
+		if imageAlreadyExists(sourceFile, destinationFilesMap) {
+			continue
+		}
+
+		slog.Info("Writing new application image", slog.String("name", name))
 		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
 		if err != nil {
 			return fmt.Errorf("failed to copy file: %w", err)
@@ -42,25 +88,49 @@ func initApplicationImages() error {
 	return nil
 }

-func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
-	for _, destinationFile := range destinationFiles {
-		sourceFileWithoutExtension := getImageNameWithoutExtension(fileName)
-		destinationFileWithoutExtension := getImageNameWithoutExtension(destinationFile.Name())
+func getBuiltInImageHashes() imageHashMap {
+	return imageHashMap{
+		"background.webp": mustDecodeHex("3fc436a66d6b872b01d96a4e75046c46b5c3e2daccd51e98ecdf98fd445599ab"),
+		"favicon.ico":     mustDecodeHex("70f9c4b6bd4781ade5fc96958b1267511751e91957f83c2354fb880b35ec890a"),
+		"logo.svg":        mustDecodeHex("f1e60707df9784152ce0847e3eb59cb68b9015f918ff160376c27ebff1eda796"),
+		"logoDark.svg":    mustDecodeHex("0421a8d93714bacf54c78430f1db378fd0d29565f6de59b6a89090d44a82eb16"),
+		"logoLight.svg":   mustDecodeHex("6d42c88cf6668f7e57c4f2a505e71ecc8a1e0a27534632aa6adec87b812d0bb0"),
+	}
+}

-		if sourceFileWithoutExtension == destinationFileWithoutExtension {
+type imageHashMap map[string][]byte
+
+func (m imageHashMap) Contains(target []byte) bool {
+	if len(target) == 0 {
+		return false
+	}
+	for _, h := range m {
+		if bytes.Equal(h, target) {
 			return true
 		}
 	}
-
 	return false
 }

+func imageAlreadyExists(sourceFile fs.DirEntry, destinationFiles map[string]bool) bool {
+	sourceFileWithoutExtension := getImageNameWithoutExtension(sourceFile.Name())
+	_, ok := destinationFiles[sourceFileWithoutExtension]
+	return ok
+}
+
 func getImageNameWithoutExtension(fileName string) string {
 	idx := strings.LastIndexByte(fileName, '.')
 	if idx < 1 {
 		// No dot found, or fileName starts with a dot
 		return fileName
 	}
-
 	return fileName[:idx]
 }
+
+func mustDecodeHex(str string) []byte {
+	b, err := hex.DecodeString(str)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
--- a/backend/internal/bootstrap/application_images_bootstrap_test.go
+++ b/backend/internal/bootstrap/application_images_bootstrap_test.go
@@ -0,0 +1,61 @@
+package bootstrap
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func TestGetBuiltInImageData(t *testing.T) {
+	// Get the built-in image data map
+	builtInImages := getBuiltInImageHashes()
+
+	// Read the actual images directory from disk
+	imagesDir := filepath.Join("..", "..", "resources", "images")
+	actualFiles, err := os.ReadDir(imagesDir)
+	require.NoError(t, err, "Failed to read images directory")
+
+	// Create a map of actual files for comparison
+	actualFilesMap := make(map[string]struct{})
+
+	// Validate each actual file exists in the built-in data with correct hash
+	for _, file := range actualFiles {
+		fileName := file.Name()
+		if file.IsDir() || strings.HasPrefix(fileName, ".") {
+			continue
+		}
+
+		actualFilesMap[fileName] = struct{}{}
+
+		// Check if the file exists in the built-in data
+		builtInHash, exists := builtInImages[fileName]
+		assert.True(t, exists, "File %s exists in images directory but not in getBuiltInImageData map", fileName)
+
+		if !exists {
+			continue
+		}
+
+		filePath := filepath.Join(imagesDir, fileName)
+
+		// Validate SHA256 hash
+		actualHash, err := utils.CreateSha256FileHash(filePath)
+		require.NoError(t, err, "Failed to compute hash for %s", fileName)
+		assert.Equal(t, actualHash, builtInHash, "SHA256 hash mismatch for file %s", fileName)
+	}
+
+	// Ensure the built-in data doesn't have extra files that don't exist in the directory
+	for fileName := range builtInImages {
+		_, exists := actualFilesMap[fileName]
+		assert.True(t, exists, "File %s exists in getBuiltInImageData map but not in images directory", fileName)
+	}
+
+	// Ensure we have at least some files (sanity check)
+	assert.NotEmpty(t, actualFilesMap, "Images directory should contain at least one file")
+	assert.Len(t, actualFilesMap, len(builtInImages), "Number of files in directory should match number in built-in data map")
+}
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -42,7 +42,9 @@ func NewDatabase() (db *gorm.DB, err error) {
 	var driver database.Driver
 	switch common.EnvConfig.DbProvider {
 	case common.DbProviderSqlite:
-		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{})
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
+			NoTxWrap: true,
+		})
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
@@ -420,17 +422,18 @@ func getGormLogger() gormLogger.Interface {
 		slogGorm.WithErrorField("error"),
 	)

-	if common.EnvConfig.AppEnv == "production" {
-		loggerOpts = append(loggerOpts,
-			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelWarn),
-			slogGorm.WithIgnoreTrace(),
-		)
-	} else {
+	if common.EnvConfig.LogLevel == "debug" {
 		loggerOpts = append(loggerOpts,
 			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelDebug),
 			slogGorm.WithRecordNotFoundError(),
 			slogGorm.WithTraceAll(),
 		)
+
+	} else {
+		loggerOpts = append(loggerOpts,
+			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelWarn),
+			slogGorm.WithIgnoreTrace(),
+		)
 	}

 	return slogGorm.New(loggerOpts...)
--- a/backend/internal/bootstrap/observability_boostrap.go
+++ b/backend/internal/bootstrap/observability_boostrap.go
@@ -8,6 +8,8 @@ import (
 	"os"
 	"time"

+	sloggin "github.com/gin-contrib/slog"
+
 	"github.com/lmittmann/tint"
 	"github.com/mattn/go-isatty"
 	"go.opentelemetry.io/contrib/bridges/otelslog"
@@ -89,28 +91,19 @@ func initOtelLogging(ctx context.Context, resource *resource.Resource) error {
 		return fmt.Errorf("failed to initialize OpenTelemetry log exporter: %w", err)
 	}

-	level := slog.LevelDebug
-	if common.EnvConfig.AppEnv == "production" {
-		level = slog.LevelInfo
-	}
+	level, _ := sloggin.ParseLevel(common.EnvConfig.LogLevel)

 	// Create the handler
 	var handler slog.Handler
-	switch {
-	case common.EnvConfig.LogJSON:
-		// Log as JSON if configured
+	if common.EnvConfig.LogJSON {
 		handler = slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
 			Level: level,
 		})
-	case isatty.IsTerminal(os.Stdout.Fd()):
-		// Enable colors if we have a TTY
+	} else {
 		handler = tint.NewHandler(os.Stdout, &tint.Options{
-			TimeFormat: time.StampMilli,
+			TimeFormat: time.Stamp,
 			Level:      level,
-		})
-	default:
-		handler = slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
-			Level: level,
+			NoColor:    !isatty.IsTerminal(os.Stdout.Fd()),
 		})
 	}

--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -12,8 +12,8 @@ import (
 	"strings"
 	"time"

+	sloggin "github.com/gin-contrib/slog"
 	"github.com/gin-gonic/gin"
-	sloggin "github.com/samber/slog-gin"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
@@ -49,30 +49,8 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 		gin.SetMode(gin.TestMode)
 	}

-	// do not log these URLs
-	loggerSkipPathsPrefix := []string{
-		"GET /application-configuration/logo",
-		"GET /application-configuration/background-image",
-		"GET /application-configuration/favicon",
-		"GET /_app",
-		"GET /fonts",
-		"GET /healthz",
-		"HEAD /healthz",
-	}
-
 	r := gin.New()
-	r.Use(sloggin.NewWithConfig(slog.Default(), sloggin.Config{
-		Filters: []sloggin.Filter{
-			func(c *gin.Context) bool {
-				for _, prefix := range loggerSkipPathsPrefix {
-					if strings.HasPrefix(c.Request.Method+" "+c.Request.URL.String(), prefix) {
-						return false
-					}
-				}
-				return true
-			},
-		},
-	}))
+	initLogger(r)

 	if !common.EnvConfig.TrustProxy {
 		_ = r.SetTrustedProxies(nil)
@@ -86,6 +64,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {

 	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
+	r.Use(middleware.NewCspMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())

 	err := frontend.RegisterFrontend(r)
@@ -109,6 +88,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
 	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
 	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
+	controller.NewVersionController(apiGroup, svc.versionService)

 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
@@ -198,3 +178,29 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {

 	return runFn, nil
 }
+
+func initLogger(r *gin.Engine) {
+	loggerSkipPathsPrefix := []string{
+		"GET /api/application-configuration/logo",
+		"GET /api/application-configuration/background-image",
+		"GET /api/application-configuration/favicon",
+		"GET /_app",
+		"GET /fonts",
+		"GET /healthz",
+		"HEAD /healthz",
+	}
+
+	r.Use(sloggin.SetLogger(
+		sloggin.WithLogger(func(_ *gin.Context, _ *slog.Logger) *slog.Logger {
+			return slog.Default()
+		}),
+		sloggin.WithSkipper(func(c *gin.Context) bool {
+			for _, prefix := range loggerSkipPathsPrefix {
+				if strings.HasPrefix(c.Request.Method+" "+c.Request.URL.String(), prefix) {
+					return true
+				}
+			}
+			return false
+		}),
+	))
+}
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -23,6 +23,7 @@ type services struct {
 	userGroupService   *service.UserGroupService
 	ldapService        *service.LdapService
 	apiKeyService      *service.ApiKeyService
+	versionService     *service.VersionService
 }

 // Initializes all services
@@ -62,5 +63,7 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client) (sv
 	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)

+	svc.versionService = service.NewVersionService(httpClient)
+
 	return svc, nil
 }
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/caarlos0/env/v11"
+	sloggin "github.com/gin-contrib/slog"
 	_ "github.com/joho/godotenv/autoload"
 )

@@ -27,19 +28,21 @@ const (
 	DbProviderPostgres      DbProvider = "postgres"
 	MaxMindGeoLiteCityUrl   string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 	defaultSqliteConnString string     = "data/pocket-id.db"
+	AppUrl                  string     = "http://localhost:1411"
 )

 type EnvConfigSchema struct {
-	AppEnv             string     `env:"APP_ENV"`
-	AppURL             string     `env:"APP_URL"`
-	DbProvider         DbProvider `env:"DB_PROVIDER"`
+	AppEnv             string     `env:"APP_ENV" options:"toLower"`
+	LogLevel           string     `env:"LOG_LEVEL" options:"toLower"`
+	AppURL             string     `env:"APP_URL" options:"toLower"`
+	DbProvider         DbProvider `env:"DB_PROVIDER" options:"toLower"`
 	DbConnectionString string     `env:"DB_CONNECTION_STRING" options:"file"`
 	UploadPath         string     `env:"UPLOAD_PATH"`
 	KeysPath           string     `env:"KEYS_PATH"`
 	KeysStorage        string     `env:"KEYS_STORAGE"`
 	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
 	Port               string     `env:"PORT"`
-	Host               string     `env:"HOST"`
+	Host               string     `env:"HOST" options:"toLower"`
 	UnixSocket         string     `env:"UNIX_SOCKET"`
 	UnixSocketMode     string     `env:"UNIX_SOCKET_MODE"`
 	MaxMindLicenseKey  string     `env:"MAXMIND_LICENSE_KEY" options:"file"`
@@ -53,6 +56,7 @@ type EnvConfigSchema struct {
 	TrustProxy         bool       `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
 	AllowDowngrade     bool       `env:"ALLOW_DOWNGRADE"`
+	InternalAppURL     string     `env:"INTERNAL_APP_URL"`
 }

 var EnvConfig = defaultConfig()
@@ -68,13 +72,14 @@ func init() {
 func defaultConfig() EnvConfigSchema {
 	return EnvConfigSchema{
 		AppEnv:             "production",
+		LogLevel:           "info",
 		DbProvider:         "sqlite",
 		DbConnectionString: "",
 		UploadPath:         "data/uploads",
 		KeysPath:           "data/keys",
 		KeysStorage:        "", // "database" or "file"
 		EncryptionKey:      nil,
-		AppURL:             "http://localhost:1411",
+		AppURL:             AppUrl,
 		Port:               "1411",
 		Host:               "0.0.0.0",
 		UnixSocket:         "",
@@ -89,6 +94,7 @@ func defaultConfig() EnvConfigSchema {
 		TrustProxy:         false,
 		AnalyticsDisabled:  false,
 		AllowDowngrade:     false,
+		InternalAppURL:     "",
 	}
 }

@@ -106,26 +112,40 @@ func parseEnvConfig() error {
 		return fmt.Errorf("error parsing env config: %w", err)
 	}

-	err = resolveFileBasedEnvVariables(&EnvConfig)
+	err = prepareEnvConfig(&EnvConfig)
+	if err != nil {
+		return fmt.Errorf("error preparing env config: %w", err)
+	}
+
+	err = validateEnvConfig(&EnvConfig)
 	if err != nil {
 		return err
 	}

-	// Validate the environment variables
-	switch EnvConfig.DbProvider {
+	return nil
+
+}
+
+// validateEnvConfig checks the EnvConfig for required fields and valid values
+func validateEnvConfig(config *EnvConfigSchema) error {
+	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
+		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
+	}
+
+	switch config.DbProvider {
 	case DbProviderSqlite:
-		if EnvConfig.DbConnectionString == "" {
-			EnvConfig.DbConnectionString = defaultSqliteConnString
+		if config.DbConnectionString == "" {
+			config.DbConnectionString = defaultSqliteConnString
 		}
 	case DbProviderPostgres:
-		if EnvConfig.DbConnectionString == "" {
+		if config.DbConnectionString == "" {
 			return errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
 		}
 	default:
 		return errors.New("invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
 	}

-	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
+	parsedAppUrl, err := url.Parse(config.AppURL)
 	if err != nil {
 		return errors.New("APP_URL is not a valid URL")
 	}
@@ -133,25 +153,39 @@ func parseEnvConfig() error {
 		return errors.New("APP_URL must not contain a path")
 	}

-	switch EnvConfig.KeysStorage {
+	// Derive INTERNAL_APP_URL from APP_URL if not set; validate only when provided
+	if config.InternalAppURL == "" {
+		config.InternalAppURL = config.AppURL
+	} else {
+		parsedInternalAppUrl, err := url.Parse(config.InternalAppURL)
+		if err != nil {
+			return errors.New("INTERNAL_APP_URL is not a valid URL")
+		}
+		if parsedInternalAppUrl.Path != "" {
+			return errors.New("INTERNAL_APP_URL must not contain a path")
+		}
+	}
+
+	switch config.KeysStorage {
 	// KeysStorage defaults to "file" if empty
 	case "":
-		EnvConfig.KeysStorage = "file"
+		config.KeysStorage = "file"
 	case "database":
-		if EnvConfig.EncryptionKey == nil {
+		if config.EncryptionKey == nil {
 			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
 		}
 	case "file":
 		// All good, these are valid values
 	default:
-		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", EnvConfig.KeysStorage)
+		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", config.KeysStorage)
 	}

 	return nil
+
 }

-// resolveFileBasedEnvVariables uses reflection to automatically resolve file-based secrets
-func resolveFileBasedEnvVariables(config *EnvConfigSchema) error {
+// prepareEnvConfig processes special options for EnvConfig fields
+func prepareEnvConfig(config *EnvConfigSchema) error {
 	val := reflect.ValueOf(config).Elem()
 	typ := val.Type()

@@ -159,48 +193,65 @@ func resolveFileBasedEnvVariables(config *EnvConfigSchema) error {
 		field := val.Field(i)
 		fieldType := typ.Field(i)

-		// Only process string and []byte fields
-		isString := field.Kind() == reflect.String
-		isByteSlice := field.Kind() == reflect.Slice && field.Type().Elem().Kind() == reflect.Uint8
-		if !isString && !isByteSlice {
-			continue
-		}
-
-		// Only process fields with the "options" tag set to "file"
 		optionsTag := fieldType.Tag.Get("options")
-		if optionsTag != "file" {
-			continue
-		}
+		options := strings.Split(optionsTag, ",")

-		// Only process fields with the "env" tag
-		envTag := fieldType.Tag.Get("env")
-		if envTag == "" {
-			continue
-		}
-
-		envVarName := envTag
-		if commaIndex := len(envTag); commaIndex > 0 {
-			envVarName = envTag[:commaIndex]
-		}
-
-		// If the file environment variable is not set, skip
-		envVarFileName := envVarName + "_FILE"
-		envVarFileValue := os.Getenv(envVarFileName)
-		if envVarFileValue == "" {
-			continue
-		}
-
-		fileContent, err := os.ReadFile(envVarFileValue)
-		if err != nil {
-			return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)
-		}
-
-		if isString {
-			field.SetString(strings.TrimSpace(string(fileContent)))
-		} else {
-			field.SetBytes(fileContent)
+		for _, option := range options {
+			switch option {
+			case "toLower":
+				if field.Kind() == reflect.String {
+					field.SetString(strings.ToLower(field.String()))
+				}
+			case "file":
+				err := resolveFileBasedEnvVariable(field, fieldType)
+				if err != nil {
+					return err
+				}
+			}
 		}
 	}

 	return nil
 }
+
+// resolveFileBasedEnvVariable checks if an environment variable with the suffix "_FILE" is set,
+// reads the content of the file specified by that variable, and sets the corresponding field's value.
+func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructField) error {
+	// Only process string and []byte fields
+	isString := field.Kind() == reflect.String
+	isByteSlice := field.Kind() == reflect.Slice && field.Type().Elem().Kind() == reflect.Uint8
+	if !isString && !isByteSlice {
+		return nil
+	}
+
+	// Only process fields with the "env" tag
+	envTag := fieldType.Tag.Get("env")
+	if envTag == "" {
+		return nil
+	}
+
+	envVarName := envTag
+	if commaIndex := len(envTag); commaIndex > 0 {
+		envVarName = envTag[:commaIndex]
+	}
+
+	// If the file environment variable is not set, skip
+	envVarFileName := envVarName + "_FILE"
+	envVarFileValue := os.Getenv(envVarFileName)
+	if envVarFileValue == "" {
+		return nil
+	}
+
+	fileContent, err := os.ReadFile(envVarFileValue)
+	if err != nil {
+		return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)
+	}
+
+	if isString {
+		field.SetString(strings.TrimSpace(string(fileContent)))
+	} else {
+		field.SetBytes(fileContent)
+	}
+
+	return nil
+}
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -17,18 +17,19 @@ func TestParseEnvConfig(t *testing.T) {

 	t.Run("should parse valid SQLite config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
-		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_PROVIDER", "SQLITE") // should be lowercased automatically
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
-		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("APP_URL", "HTTP://LOCALHOST:3000")

 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, DbProviderSqlite, EnvConfig.DbProvider)
+		assert.Equal(t, "http://localhost:3000", EnvConfig.AppURL)
 	})

 	t.Run("should parse valid Postgres config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
-		t.Setenv("DB_PROVIDER", "postgres")
+		t.Setenv("DB_PROVIDER", "POSTGRES")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://user:pass@localhost/db")
 		t.Setenv("APP_URL", "https://example.com")

@@ -51,7 +52,6 @@ func TestParseEnvConfig(t *testing.T) {
 	t.Run("should set default SQLite connection string when DB_CONNECTION_STRING is empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
-		t.Setenv("DB_CONNECTION_STRING", "") // Explicitly empty
 		t.Setenv("APP_URL", "http://localhost:3000")

 		err := parseEnvConfig()
@@ -91,6 +91,28 @@ func TestParseEnvConfig(t *testing.T) {
 		assert.ErrorContains(t, err, "APP_URL must not contain a path")
 	})

+	t.Run("should fail with invalid INTERNAL_APP_URL", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("INTERNAL_APP_URL", "€://not-a-valid-url")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "INTERNAL_APP_URL is not a valid URL")
+	})
+
+	t.Run("should fail when INTERNAL_APP_URL contains path", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_PROVIDER", "sqlite")
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("INTERNAL_APP_URL", "http://localhost:3000/path")
+
+		err := parseEnvConfig()
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "INTERNAL_APP_URL must not contain a path")
+	})
+
 	t.Run("should default KEYS_STORAGE to 'file' when empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
@@ -170,25 +192,25 @@ func TestParseEnvConfig(t *testing.T) {
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
 		t.Setenv("APP_URL", "https://prod.example.com")
-		t.Setenv("APP_ENV", "staging")
+		t.Setenv("APP_ENV", "STAGING")
 		t.Setenv("UPLOAD_PATH", "/custom/uploads")
 		t.Setenv("KEYS_PATH", "/custom/keys")
 		t.Setenv("PORT", "8080")
-		t.Setenv("HOST", "127.0.0.1")
+		t.Setenv("HOST", "LOCALHOST")
 		t.Setenv("UNIX_SOCKET", "/tmp/app.sock")
 		t.Setenv("MAXMIND_LICENSE_KEY", "test-license")
 		t.Setenv("GEOLITE_DB_PATH", "/custom/geolite.mmdb")

 		err := parseEnvConfig()
 		require.NoError(t, err)
-		assert.Equal(t, "staging", EnvConfig.AppEnv)
+		assert.Equal(t, "staging", EnvConfig.AppEnv) // lowercased
 		assert.Equal(t, "/custom/uploads", EnvConfig.UploadPath)
 		assert.Equal(t, "8080", EnvConfig.Port)
-		assert.Equal(t, "127.0.0.1", EnvConfig.Host)
+		assert.Equal(t, "localhost", EnvConfig.Host) // lowercased
 	})
 }

-func TestResolveFileBasedEnvVariables(t *testing.T) {
+func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 	// Create temporary directory for test files
 	tempDir := t.TempDir()

@@ -203,103 +225,34 @@ func TestResolveFileBasedEnvVariables(t *testing.T) {
 	err = os.WriteFile(dbConnFile, []byte(dbConnContent), 0600)
 	require.NoError(t, err)

-	// Create a binary file for testing binary data handling
 	binaryKeyFile := tempDir + "/binary_key.bin"
-	binaryKeyContent := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10}
+	binaryKeyContent := []byte{0x01, 0x02, 0x03, 0x04}
 	err = os.WriteFile(binaryKeyFile, binaryKeyContent, 0600)
 	require.NoError(t, err)

-	t.Run("should read file content for fields with options:file tag", func(t *testing.T) {
+	t.Run("should process toLower and file options", func(t *testing.T) {
 		config := defaultConfig()
+		config.AppEnv = "STAGING"
+		config.Host = "LOCALHOST"

-		// Set environment variables pointing to files
 		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
 		t.Setenv("DB_CONNECTION_STRING_FILE", dbConnFile)

-		err := resolveFileBasedEnvVariables(&config)
+		err := prepareEnvConfig(&config)
 		require.NoError(t, err)

-		// Verify file contents were read correctly
+		assert.Equal(t, "staging", config.AppEnv)
+		assert.Equal(t, "localhost", config.Host)
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, dbConnContent, config.DbConnectionString)
 	})

-	t.Run("should skip fields without options:file tag", func(t *testing.T) {
-		config := defaultConfig()
-		originalAppURL := config.AppURL
-
-		// Set a file for a field that doesn't have options:file tag
-		t.Setenv("APP_URL_FILE", "/tmp/nonexistent.txt")
-
-		err := resolveFileBasedEnvVariables(&config)
-		require.NoError(t, err)
-
-		// AppURL should remain unchanged
-		assert.Equal(t, originalAppURL, config.AppURL)
-	})
-
-	t.Run("should skip non-string fields", func(t *testing.T) {
-		// This test verifies that non-string fields are skipped
-		// We test this indirectly by ensuring the function doesn't error
-		// when processing the actual EnvConfigSchema which has bool fields
-		config := defaultConfig()
-
-		err := resolveFileBasedEnvVariables(&config)
-		require.NoError(t, err)
-	})
-
-	t.Run("should skip when _FILE environment variable is not set", func(t *testing.T) {
-		config := defaultConfig()
-		originalEncryptionKey := config.EncryptionKey
-
-		// Don't set ENCRYPTION_KEY_FILE environment variable
-
-		err := resolveFileBasedEnvVariables(&config)
-		require.NoError(t, err)
-
-		// EncryptionKey should remain unchanged
-		assert.Equal(t, originalEncryptionKey, config.EncryptionKey)
-	})
-
-	t.Run("should handle multiple file-based variables simultaneously", func(t *testing.T) {
-		config := defaultConfig()
-
-		// Set multiple file environment variables
-		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
-		t.Setenv("DB_CONNECTION_STRING_FILE", dbConnFile)
-
-		err := resolveFileBasedEnvVariables(&config)
-		require.NoError(t, err)
-
-		// All should be resolved correctly
-		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
-		assert.Equal(t, dbConnContent, config.DbConnectionString)
-	})
-
-	t.Run("should handle mixed file and non-file environment variables", func(t *testing.T) {
-		config := defaultConfig()
-
-		// Set both file and non-file environment variables
-		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
-
-		err := resolveFileBasedEnvVariables(&config)
-		require.NoError(t, err)
-
-		// File-based should be resolved, others should remain as set by env parser
-		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
-		assert.Equal(t, "http://localhost:1411", config.AppURL)
-	})
-
 	t.Run("should handle binary data correctly", func(t *testing.T) {
 		config := defaultConfig()
-
-		// Set environment variable pointing to binary file
 		t.Setenv("ENCRYPTION_KEY_FILE", binaryKeyFile)

-		err := resolveFileBasedEnvVariables(&config)
+		err := prepareEnvConfig(&config)
 		require.NoError(t, err)
-
-		// Verify binary data was read correctly without corruption
 		assert.Equal(t, binaryKeyContent, config.EncryptionKey)
 	})
 }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -828,7 +828,7 @@ func (oc *OidcController) getClientPreviewHandler(c *gin.Context) {
 		return
 	}

-	preview, err := oc.oidcService.GetClientPreview(c.Request.Context(), clientID, userID, scopes)
+	preview, err := oc.oidcService.GetClientPreview(c.Request.Context(), clientID, userID, strings.Split(scopes, " "))
 	if err != nil {
 		_ = c.Error(err)
 		return
--- a/backend/internal/controller/version_controller.go
+++ b/backend/internal/controller/version_controller.go
@@ -0,0 +1,40 @@
+package controller
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewVersionController registers version-related routes.
+func NewVersionController(group *gin.RouterGroup, versionService *service.VersionService) {
+	vc := &VersionController{versionService: versionService}
+	group.GET("/version/latest", vc.getLatestVersionHandler)
+}
+
+type VersionController struct {
+	versionService *service.VersionService
+}
+
+// getLatestVersionHandler godoc
+// @Summary Get latest available version of Pocket ID
+// @Tags Version
+// @Produce json
+// @Success 200 {object} map[string]string "Latest version information"
+// @Router /api/version/latest [get]
+func (vc *VersionController) getLatestVersionHandler(c *gin.Context) {
+	tag, err := vc.versionService.GetLatestVersion(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	utils.SetCacheControlHeader(c, 5*time.Minute, 15*time.Minute)
+
+	c.JSON(http.StatusOK, gin.H{
+		"latestVersion": tag,
+	})
+}
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -67,6 +67,9 @@ func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {

 func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 	appUrl := common.EnvConfig.AppURL
+
+	internalAppUrl := common.EnvConfig.InternalAppURL
+
 	alg, err := wkc.jwtService.GetKeyAlg()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get key algorithm: %w", err)
@@ -74,13 +77,13 @@ func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 	config := map[string]any{
 		"issuer":                                         appUrl,
 		"authorization_endpoint":                         appUrl + "/authorize",
-		"token_endpoint":                                 appUrl + "/api/oidc/token",
-		"userinfo_endpoint":                              appUrl + "/api/oidc/userinfo",
+		"token_endpoint":                                 internalAppUrl + "/api/oidc/token",
+		"userinfo_endpoint":                              internalAppUrl + "/api/oidc/userinfo",
 		"end_session_endpoint":                           appUrl + "/api/oidc/end-session",
-		"introspection_endpoint":                         appUrl + "/api/oidc/introspect",
+		"introspection_endpoint":                         internalAppUrl + "/api/oidc/introspect",
 		"device_authorization_endpoint":                  appUrl + "/api/oidc/device/authorize",
-		"jwks_uri":                                       appUrl + "/.well-known/jwks.json",
-		"grant_types_supported":                          []string{service.GrantTypeAuthorizationCode, service.GrantTypeRefreshToken, service.GrantTypeDeviceCode},
+		"jwks_uri":                                       internalAppUrl + "/.well-known/jwks.json",
+		"grant_types_supported":                          []string{service.GrantTypeAuthorizationCode, service.GrantTypeRefreshToken, service.GrantTypeDeviceCode, service.GrantTypeClientCredentials},
 		"scopes_supported":                               []string{"openid", "profile", "email", "groups"},
 		"claims_supported":                               []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
 		"response_types_supported":                       []string{"code", "id_token"},
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -41,6 +41,7 @@ type AppConfigUpdateDto struct {
 	LdapAttributeUserEmail                     string `json:"ldapAttributeUserEmail"`
 	LdapAttributeUserFirstName                 string `json:"ldapAttributeUserFirstName"`
 	LdapAttributeUserLastName                  string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserDisplayName               string `json:"ldapAttributeUserDisplayName"`
 	LdapAttributeUserProfilePicture            string `json:"ldapAttributeUserProfilePicture"`
 	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
 	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -31,8 +31,8 @@ type OidcClientWithAllowedGroupsCountDto struct {

 type OidcClientUpdateDto struct {
 	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
-	CallbackURLs             []string                 `json:"callbackURLs"`
-	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs"`
+	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url"`
 	IsPublic                 bool                     `json:"isPublic"`
 	PkceEnabled              bool                     `json:"pkceEnabled"`
 	RequiresReauthentication bool                     `json:"requiresReauthentication"`
@@ -87,6 +87,7 @@ type OidcCreateTokensDto struct {
 	RefreshToken        string `form:"refresh_token"`
 	ClientAssertion     string `form:"client_assertion"`
 	ClientAssertionType string `form:"client_assertion_type"`
+	Resource            string `form:"resource"`
 }

 type OidcIntrospectDto struct {
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -1,6 +1,9 @@
 package dto

 import (
+	"errors"
+
+	"github.com/gin-gonic/gin/binding"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

@@ -9,7 +12,8 @@ type UserDto struct {
 	Username     string           `json:"username"`
 	Email        string           `json:"email" `
 	FirstName    string           `json:"firstName"`
-	LastName     string           `json:"lastName"`
+	LastName     *string          `json:"lastName"`
+	DisplayName  string           `json:"displayName"`
 	IsAdmin      bool             `json:"isAdmin"`
 	Locale       *string          `json:"locale"`
 	CustomClaims []CustomClaimDto `json:"customClaims"`
@@ -19,14 +23,26 @@ type UserDto struct {
 }

 type UserCreateDto struct {
-	Username  string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
-	Email     string  `json:"email" binding:"required,email" unorm:"nfc"`
-	FirstName string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
-	LastName  string  `json:"lastName" binding:"max=50" unorm:"nfc"`
-	IsAdmin   bool    `json:"isAdmin"`
-	Locale    *string `json:"locale"`
-	Disabled  bool    `json:"disabled"`
-	LdapID    string  `json:"-"`
+	Username    string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
+	Email       string  `json:"email" binding:"required,email" unorm:"nfc"`
+	FirstName   string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
+	LastName    string  `json:"lastName" binding:"max=50" unorm:"nfc"`
+	DisplayName string  `json:"displayName" binding:"required,max=100" unorm:"nfc"`
+	IsAdmin     bool    `json:"isAdmin"`
+	Locale      *string `json:"locale"`
+	Disabled    bool    `json:"disabled"`
+	LdapID      string  `json:"-"`
+}
+
+func (u UserCreateDto) Validate() error {
+	e, ok := binding.Validator.Engine().(interface {
+		Struct(s any) error
+	})
+	if !ok {
+		return errors.New("validator does not implement the expected interface")
+	}
+
+	return e.Struct(u)
 }

 type OneTimeAccessTokenCreateDto struct {
--- a/backend/internal/dto/user_dto_test.go
+++ b/backend/internal/dto/user_dto_test.go
@@ -0,0 +1,104 @@
+package dto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserCreateDto_Validate(t *testing.T) {
+	testCases := []struct {
+		name    string
+		input   UserCreateDto
+		wantErr string
+	}{
+		{
+			name: "valid input",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       "test@example.com",
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "",
+		},
+		{
+			name: "missing username",
+			input: UserCreateDto{
+				Email:       "test@example.com",
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Username' failed on the 'required' tag",
+		},
+		{
+			name: "missing display name",
+			input: UserCreateDto{
+				Email:     "test@example.com",
+				FirstName: "John",
+				LastName:  "Doe",
+			},
+			wantErr: "Field validation for 'DisplayName' failed on the 'required' tag",
+		},
+		{
+			name: "username contains invalid characters",
+			input: UserCreateDto{
+				Username:    "test/ser",
+				Email:       "test@example.com",
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Username' failed on the 'username' tag",
+		},
+		{
+			name: "invalid email",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       "not-an-email",
+				FirstName:   "John",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'Email' failed on the 'email' tag",
+		},
+		{
+			name: "first name too short",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       "test@example.com",
+				FirstName:   "",
+				LastName:    "Doe",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'FirstName' failed on the 'required' tag",
+		},
+		{
+			name: "last name too long",
+			input: UserCreateDto{
+				Username:    "testuser",
+				Email:       "test@example.com",
+				FirstName:   "John",
+				LastName:    "abcdfghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz",
+				DisplayName: "John Doe",
+			},
+			wantErr: "Field validation for 'LastName' failed on the 'max' tag",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := tc.input.Validate()
+
+			if tc.wantErr == "" {
+				require.NoError(t, err)
+				return
+			}
+
+			require.Error(t, err)
+			require.ErrorContains(t, err, tc.wantErr)
+		})
+	}
+}
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -1,6 +1,9 @@
 package dto

 import (
+	"errors"
+
+	"github.com/gin-gonic/gin/binding"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

@@ -39,6 +42,17 @@ type UserGroupCreateDto struct {
 	LdapID       string `json:"-"`
 }

+func (g UserGroupCreateDto) Validate() error {
+	e, ok := binding.Validator.Engine().(interface {
+		Struct(s any) error
+	})
+	if !ok {
+		return errors.New("validator does not implement the expected interface")
+	}
+
+	return e.Struct(g)
+}
+
 type UserGroupUpdateUsersDto struct {
 	UserIDs []string `json:"userIds" binding:"required"`
 }
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,7 +1,9 @@
 package dto

 import (
+	"net/url"
 	"regexp"
+	"strings"
 	"time"

 	"github.com/pocket-id/pocket-id/backend/internal/utils"
@@ -10,43 +12,76 @@ import (
 	"github.com/go-playground/validator/v10"
 )

+// [a-zA-Z0-9]      : The username must start with an alphanumeric character
+// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
+// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
+var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
+
+var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
+
 func init() {
 	v := binding.Validator.Engine().(*validator.Validate)

-	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
-	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
-	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
-	var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
-
-	var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
-
 	// Maximum allowed value for TTLs
 	const maxTTL = 31 * 24 * time.Hour

-	// Errors here are development-time ones
-	err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
-		return validateUsernameRegex.MatchString(fl.Field().String())
-	})
-	if err != nil {
+	if err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
+		return ValidateUsername(fl.Field().String())
+	}); err != nil {
 		panic("Failed to register custom validation for username: " + err.Error())
 	}

-	err = v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
-		return validateClientIDRegex.MatchString(fl.Field().String())
-	})
-	if err != nil {
+	if err := v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
+		return ValidateClientID(fl.Field().String())
+	}); err != nil {
 		panic("Failed to register custom validation for client_id: " + err.Error())
 	}

-	err = v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
+	if err := v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
 		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
 		if !ok {
 			return false
 		}
 		// Allow zero, which means the field wasn't set
-		return ttl.Duration == 0 || ttl.Duration > time.Second && ttl.Duration <= maxTTL
-	})
-	if err != nil {
+		return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
+	}); err != nil {
 		panic("Failed to register custom validation for ttl: " + err.Error())
 	}
+
+	if err := v.RegisterValidation("callback_url", func(fl validator.FieldLevel) bool {
+		return ValidateCallbackURL(fl.Field().String())
+	}); err != nil {
+		panic("Failed to register custom validation for callback_url: " + err.Error())
+	}
+}
+
+// ValidateUsername validates username inputs
+func ValidateUsername(username string) bool {
+	return validateUsernameRegex.MatchString(username)
+}
+
+// ValidateClientID validates client ID inputs
+func ValidateClientID(clientID string) bool {
+	return validateClientIDRegex.MatchString(clientID)
+}
+
+// ValidateCallbackURL validates callback URLs with support for wildcards
+func ValidateCallbackURL(raw string) bool {
+	if raw == "*" {
+		return true
+	}
+
+	// Replace all '*' with 'x' to check if the rest is still a valid URI
+	test := strings.ReplaceAll(raw, "*", "x")
+
+	u, err := url.Parse(test)
+	if err != nil {
+		return false
+	}
+
+	if !u.IsAbs() {
+		return false
+	}
+
+	return true
 }
--- a/backend/internal/dto/validations_test.go
+++ b/backend/internal/dto/validations_test.go
@@ -0,0 +1,58 @@
+package dto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateUsername(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid simple", "user123", true},
+		{"valid with dot", "user.name", true},
+		{"valid with underscore", "user_name", true},
+		{"valid with hyphen", "user-name", true},
+		{"valid with at", "user@name", true},
+		{"starts with symbol", ".username", false},
+		{"ends with non-alphanumeric", "username-", false},
+		{"contains space", "user name", false},
+		{"empty", "", false},
+		{"only special chars", "-._@", false},
+		{"valid long", "a1234567890_b.c-d@e", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateUsername(tt.input))
+		})
+	}
+}
+
+func TestValidateClientID(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid simple", "client123", true},
+		{"valid with dot", "client.id", true},
+		{"valid with underscore", "client_id", true},
+		{"valid with hyphen", "client-id", true},
+		{"valid with all", "client.id-123_abc", true},
+		{"contains space", "client id", false},
+		{"contains at", "client@id", false},
+		{"empty", "", false},
+		{"only special chars", "-._", true},
+		{"invalid char", "client!id", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateClientID(tt.input))
+		})
+	}
+}
--- a/backend/internal/middleware/csp_middleware.go
+++ b/backend/internal/middleware/csp_middleware.go
@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+
+	"github.com/gin-gonic/gin"
+)
+
+// CspMiddleware sets a Content Security Policy header and, when possible,
+// includes a per-request nonce for inline scripts.
+type CspMiddleware struct{}
+
+func NewCspMiddleware() *CspMiddleware { return &CspMiddleware{} }
+
+// GetCSPNonce returns the CSP nonce generated for this request, if any.
+func GetCSPNonce(c *gin.Context) string {
+	if v, ok := c.Get("csp_nonce"); ok {
+		if s, ok := v.(string); ok {
+			return s
+		}
+	}
+	return ""
+}
+
+func (m *CspMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Generate a random base64 nonce for this request
+		nonce := generateNonce()
+		c.Set("csp_nonce", nonce)
+
+		csp := "default-src 'self'; " +
+			"base-uri 'self'; " +
+			"object-src 'none'; " +
+			"frame-ancestors 'none'; " +
+			"form-action 'self'; " +
+			"img-src 'self' data: blob:; " +
+			"font-src 'self'; " +
+			"style-src 'self' 'unsafe-inline'; " +
+			"script-src 'self' 'nonce-" + nonce + "'"
+
+		c.Writer.Header().Set("Content-Security-Policy", csp)
+		c.Next()
+	}
+}
+
+func generateNonce() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "" // if generation fails, return empty; policy will omit nonce
+	}
+	return base64.RawURLEncoding.EncodeToString(b)
+}
--- a/backend/internal/middleware/error_handler.go
+++ b/backend/internal/middleware/error_handler.go
@@ -77,7 +77,7 @@ func handleValidationError(validationErrors validator.ValidationErrors) string {
 		case "email":
 			errorMessage = fmt.Sprintf("%s must be a valid email address", fieldName)
 		case "username":
-			errorMessage = fmt.Sprintf("%s must only contain lowercase letters, numbers, underscores, dots, hyphens, and '@' symbols and not start or end with a special character", fieldName)
+			errorMessage = fmt.Sprintf("%s must only contain letters, numbers, underscores, dots, hyphens, and '@' symbols and not start or end with a special character", fieldName)
 		case "url":
 			errorMessage = fmt.Sprintf("%s must be a valid URL", fieldName)
 		case "min":
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -74,6 +74,7 @@ type AppConfig struct {
 	LdapAttributeUserEmail             AppConfigVariable `key:"ldapAttributeUserEmail"`
 	LdapAttributeUserFirstName         AppConfigVariable `key:"ldapAttributeUserFirstName"`
 	LdapAttributeUserLastName          AppConfigVariable `key:"ldapAttributeUserLastName"`
+	LdapAttributeUserDisplayName       AppConfigVariable `key:"ldapAttributeUserDisplayName"`
 	LdapAttributeUserProfilePicture    AppConfigVariable `key:"ldapAttributeUserProfilePicture"`
 	LdapAttributeGroupMember           AppConfigVariable `key:"ldapAttributeGroupMember"`
 	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -4,6 +4,7 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"fmt"
+	"strings"

 	"gorm.io/gorm"

@@ -21,6 +22,14 @@ type UserAuthorizedOidcClient struct {
 	Client   OidcClient
 }

+func (c UserAuthorizedOidcClient) Scopes() []string {
+	if len(c.Scope) == 0 {
+		return []string{}
+	}
+
+	return strings.Split(c.Scope, " ")
+}
+
 type OidcAuthorizationCode struct {
 	Base

@@ -72,6 +81,14 @@ type OidcRefreshToken struct {
 	Client   OidcClient
 }

+func (c OidcRefreshToken) Scopes() []string {
+	if len(c.Scope) == 0 {
+		return []string{}
+	}
+
+	return strings.Split(c.Scope, " ")
+}
+
 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 	// Compute HasLogo field
 	c.HasLogo = c.ImageType != nil && *c.ImageType != ""
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -13,14 +13,15 @@ import (
 type User struct {
 	Base

-	Username  string `sortable:"true"`
-	Email     string `sortable:"true"`
-	FirstName string `sortable:"true"`
-	LastName  string `sortable:"true"`
-	IsAdmin   bool   `sortable:"true"`
-	Locale    *string
-	LdapID    *string
-	Disabled  bool `sortable:"true"`
+	Username    string `sortable:"true"`
+	Email       string `sortable:"true"`
+	FirstName   string `sortable:"true"`
+	LastName    string `sortable:"true"`
+	DisplayName string `sortable:"true"`
+	IsAdmin     bool   `sortable:"true"`
+	Locale      *string
+	LdapID      *string
+	Disabled    bool `sortable:"true"`

 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
@@ -31,7 +32,12 @@ func (u User) WebAuthnID() []byte { return []byte(u.ID) }

 func (u User) WebAuthnName() string { return u.Username }

-func (u User) WebAuthnDisplayName() string { return u.FirstName + " " + u.LastName }
+func (u User) WebAuthnDisplayName() string {
+	if u.DisplayName != "" {
+		return u.DisplayName
+	}
+	return u.FirstName + " " + u.LastName
+}

 func (u User) WebAuthnIcon() string { return "" }

@@ -66,7 +72,9 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 	return descriptors
 }

-func (u User) FullName() string { return u.FirstName + " " + u.LastName }
+func (u User) FullName() string {
+	return u.FirstName + " " + u.LastName
+}

 func (u User) Initials() string {
 	first := utils.GetFirstCharacter(u.FirstName)
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -70,7 +70,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		SignupDefaultCustomClaims: model.AppConfigVariable{Value: "[]"},
 		AccentColor:               model.AppConfigVariable{Value: "default"},
 		// Internal
-		BackgroundImageType: model.AppConfigVariable{Value: "jpg"},
+		BackgroundImageType: model.AppConfigVariable{Value: "webp"},
 		LogoLightImageType:  model.AppConfigVariable{Value: "svg"},
 		LogoDarkImageType:   model.AppConfigVariable{Value: "svg"},
 		InstanceID:          model.AppConfigVariable{Value: ""},
@@ -100,6 +100,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		LdapAttributeUserEmail:             model.AppConfigVariable{},
 		LdapAttributeUserFirstName:         model.AppConfigVariable{},
 		LdapAttributeUserLastName:          model.AppConfigVariable{},
+		LdapAttributeUserDisplayName:       model.AppConfigVariable{Value: "cn"},
 		LdapAttributeUserProfilePicture:    model.AppConfigVariable{},
 		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
 		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -25,6 +25,7 @@ func isReservedClaim(key string) bool {
 		"name",
 		"email",
 		"preferred_username",
+		"display_name",
 		"groups",
 		TokenTypeClaim,
 		"sub",
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -78,21 +78,23 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Base: model.Base{
 					ID: "f4b89dc2-62fb-46bf-9f5f-c34f4eafe93e",
 				},
-				Username:  "tim",
-				Email:     "tim.cook@test.com",
-				FirstName: "Tim",
-				LastName:  "Cook",
-				IsAdmin:   true,
+				Username:    "tim",
+				Email:       "tim.cook@test.com",
+				FirstName:   "Tim",
+				LastName:    "Cook",
+				DisplayName: "Tim Cook",
+				IsAdmin:     true,
 			},
 			{
 				Base: model.Base{
 					ID: "1cd19686-f9a6-43f4-a41f-14a0bf5b4036",
 				},
-				Username:  "craig",
-				Email:     "craig.federighi@test.com",
-				FirstName: "Craig",
-				LastName:  "Federighi",
-				IsAdmin:   false,
+				Username:    "craig",
+				Email:       "craig.federighi@test.com",
+				FirstName:   "Craig",
+				LastName:    "Federighi",
+				DisplayName: "Craig Federighi",
+				IsAdmin:     false,
 			},
 		}
 		for _, user := range users {
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -262,7 +262,7 @@ func prepareBody[V any](srv *EmailService, template email.Template[V], data *ema

 	// prepare text part
 	var textHeader = textproto.MIMEHeader{}
-	textHeader.Add("Content-Type", "text/plain;\n charset=UTF-8")
+	textHeader.Add("Content-Type", "text/plain; charset=UTF-8")
 	textHeader.Add("Content-Transfer-Encoding", "quoted-printable")
 	textPart, err := mpart.CreatePart(textHeader)
 	if err != nil {
@@ -274,18 +274,17 @@ func prepareBody[V any](srv *EmailService, template email.Template[V], data *ema
 	if err != nil {
 		return "", "", fmt.Errorf("execute text template: %w", err)
 	}
+	textQp.Close()

-	// prepare html part
 	var htmlHeader = textproto.MIMEHeader{}
-	htmlHeader.Add("Content-Type", "text/html;\n charset=UTF-8")
-	htmlHeader.Add("Content-Transfer-Encoding", "quoted-printable")
+	htmlHeader.Add("Content-Type", "text/html; charset=UTF-8")
+	htmlHeader.Add("Content-Transfer-Encoding", "8bit")
 	htmlPart, err := mpart.CreatePart(htmlHeader)
 	if err != nil {
 		return "", "", fmt.Errorf("create html part: %w", err)
 	}

-	htmlQp := quotedprintable.NewWriter(htmlPart)
-	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlQp, "root", data)
+	err = email.GetTemplate(srv.htmlTemplates, template).ExecuteTemplate(htmlPart, "root", data)
 	if err != nil {
 		return "", "", fmt.Errorf("execute html template: %w", err)
 	}
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -179,10 +179,12 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 				}
 			}

+			username = norm.NFC.String(username)
+
 			var databaseUser model.User
 			err = tx.
 				WithContext(ctx).
-				Where("username = ? AND ldap_id IS NOT NULL", norm.NFC.String(username)).
+				Where("username = ? AND ldap_id IS NOT NULL", username).
 				First(&databaseUser).
 				Error
 			if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -202,6 +204,12 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 		}
 		dto.Normalize(syncGroup)

+		err = syncGroup.Validate()
+		if err != nil {
+			slog.WarnContext(ctx, "LDAP user group object is not valid", slog.Any("error", err))
+			continue
+		}
+
 		if databaseGroup.ID == "" {
 			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
 			if err != nil {
@@ -270,6 +278,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		dbConfig.LdapAttributeUserFirstName.Value,
 		dbConfig.LdapAttributeUserLastName.Value,
 		dbConfig.LdapAttributeUserProfilePicture.Value,
+		dbConfig.LdapAttributeUserDisplayName.Value,
 	}

 	// Filters must start and finish with ()!
@@ -338,15 +347,22 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		}

 		newUser := dto.UserCreateDto{
-			Username:  value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
-			Email:     value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value),
-			FirstName: value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
-			LastName:  value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
-			IsAdmin:   isAdmin,
-			LdapID:    ldapId,
+			Username:    value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
+			Email:       value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value),
+			FirstName:   value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
+			LastName:    value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
+			DisplayName: value.GetAttributeValue(dbConfig.LdapAttributeUserDisplayName.Value),
+			IsAdmin:     isAdmin,
+			LdapID:      ldapId,
 		}
 		dto.Normalize(newUser)

+		err = newUser.Validate()
+		if err != nil {
+			slog.WarnContext(ctx, "LDAP user object is not valid", slog.Any("error", err))
+			continue
+		}
+
 		if databaseUser.ID == "" {
 			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -37,9 +37,11 @@ const (
 	GrantTypeAuthorizationCode = "authorization_code"
 	GrantTypeRefreshToken      = "refresh_token"
 	GrantTypeDeviceCode        = "urn:ietf:params:oauth:grant-type:device_code"
+	GrantTypeClientCredentials = "client_credentials"

 	ClientAssertionTypeJWTBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" //nolint:gosec

+	AccessTokenDuration  = time.Hour
 	RefreshTokenDuration = 30 * 24 * time.Hour // 30 days
 	DeviceCodeDuration   = 15 * time.Minute
 )
@@ -247,6 +249,8 @@ func (s *OidcService) CreateTokens(ctx context.Context, input dto.OidcCreateToke
 		return s.createTokenFromRefreshToken(ctx, input)
 	case GrantTypeDeviceCode:
 		return s.createTokenFromDeviceCode(ctx, input)
+	case GrantTypeClientCredentials:
+		return s.createTokenFromClientCredentials(ctx, input)
 	default:
 		return CreatedTokens{}, &common.OidcGrantTypeNotSupportedError{}
 	}
@@ -329,7 +333,35 @@ func (s *OidcService) createTokenFromDeviceCode(ctx context.Context, input dto.O
 		IdToken:      idToken,
 		AccessToken:  accessToken,
 		RefreshToken: refreshToken,
-		ExpiresIn:    time.Hour,
+		ExpiresIn:    AccessTokenDuration,
+	}, nil
+}
+
+func (s *OidcService) createTokenFromClientCredentials(ctx context.Context, input dto.OidcCreateTokensDto) (CreatedTokens, error) {
+	client, err := s.verifyClientCredentialsInternal(ctx, s.db, clientAuthCredentialsFromCreateTokensDto(&input), false)
+	if err != nil {
+		return CreatedTokens{}, err
+	}
+
+	// GenerateOAuthAccessToken uses user.ID as a "sub" claim. Prefix is used to take those security considerations
+	// into account: https://datatracker.ietf.org/doc/html/rfc9068#name-security-considerations
+	dummyUser := model.User{
+		Base: model.Base{ID: "client-" + client.ID},
+	}
+
+	audClaim := client.ID
+	if input.Resource != "" {
+		audClaim = input.Resource
+	}
+
+	accessToken, err := s.jwtService.GenerateOAuthAccessToken(dummyUser, audClaim)
+	if err != nil {
+		return CreatedTokens{}, err
+	}
+
+	return CreatedTokens{
+		AccessToken: accessToken,
+		ExpiresIn:   AccessTokenDuration,
 	}, nil
 }

@@ -403,7 +435,7 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, inpu
 		IdToken:      idToken,
 		AccessToken:  accessToken,
 		RefreshToken: refreshToken,
-		ExpiresIn:    time.Hour,
+		ExpiresIn:    AccessTokenDuration,
 	}, nil
 }

@@ -447,10 +479,9 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 		).
 		First(&storedRefreshToken).
 		Error
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
-		}
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
+	} else if err != nil {
 		return CreatedTokens{}, err
 	}

@@ -465,6 +496,19 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 		return CreatedTokens{}, err
 	}

+	// Load the profile, which we need for the ID token
+	userClaims, err := s.getUserClaims(ctx, &storedRefreshToken.User, storedRefreshToken.Scopes(), tx)
+	if err != nil {
+		return CreatedTokens{}, err
+	}
+
+	// Generate a new ID token
+	// There's no nonce here because we don't have one with the refresh token, but that's not required
+	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, "")
+	if err != nil {
+		return CreatedTokens{}, err
+	}
+
 	// Generate a new refresh token and invalidate the old one
 	newRefreshToken, err := s.createRefreshToken(ctx, input.ClientID, storedRefreshToken.UserID, storedRefreshToken.Scope, tx)
 	if err != nil {
@@ -488,7 +532,8 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 	return CreatedTokens{
 		AccessToken:  accessToken,
 		RefreshToken: newRefreshToken,
-		ExpiresIn:    time.Hour,
+		IdToken:      idToken,
+		ExpiresIn:    AccessTokenDuration,
 	}, nil
 }

@@ -1383,14 +1428,18 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri

 	// If user has no groups, only return clients with no allowed user groups
 	if len(userGroupIDs) == 0 {
-		query = query.
-			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
-			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL")
+		query = query.Where(`NOT EXISTS (
+        SELECT 1 FROM oidc_clients_allowed_user_groups 
+        WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id)`)
 	} else {
-		// Return clients with no allowed user groups OR clients where user is in allowed groups
-		query = query.
-			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
-			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL OR oidc_clients_allowed_user_groups.user_group_id IN (?)", userGroupIDs)
+		query = query.Where(`
+        NOT EXISTS (
+            SELECT 1 FROM oidc_clients_allowed_user_groups 
+            WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id
+        ) OR EXISTS (
+            SELECT 1 FROM oidc_clients_allowed_user_groups 
+            WHERE oidc_clients_allowed_user_groups.oidc_client_id = oidc_clients.id 
+            AND oidc_clients_allowed_user_groups.user_group_id IN (?))`, userGroupIDs)
 	}

 	var clients []model.OidcClient
@@ -1690,7 +1739,7 @@ func (s *OidcService) extractClientIDFromAssertion(assertion string) (string, er
 	return sub, nil
 }

-func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes string) (*dto.OidcClientPreviewDto, error) {
+func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes []string) (*dto.OidcClientPreviewDto, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -1715,14 +1764,7 @@ func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, use
 		return nil, &common.OidcAccessDeniedError{}
 	}

-	dummyAuthorizedClient := model.UserAuthorizedOidcClient{
-		UserID:   userID,
-		ClientID: clientID,
-		Scope:    scopes,
-		User:     user,
-	}
-
-	userClaims, err := s.getUserClaimsFromAuthorizedClient(ctx, &dummyAuthorizedClient, tx)
+	userClaims, err := s.getUserClaims(ctx, &user, scopes, tx)
 	if err != nil {
 		return nil, err
 	}
@@ -1775,14 +1817,10 @@ func (s *OidcService) getUserClaimsForClientInternal(ctx context.Context, userID
 		return nil, err
 	}

-	return s.getUserClaimsFromAuthorizedClient(ctx, &authorizedOidcClient, tx)
-
+	return s.getUserClaims(ctx, &authorizedOidcClient.User, authorizedOidcClient.Scopes(), tx)
 }

-func (s *OidcService) getUserClaimsFromAuthorizedClient(ctx context.Context, authorizedClient *model.UserAuthorizedOidcClient, tx *gorm.DB) (map[string]any, error) {
-	user := authorizedClient.User
-	scopes := strings.Split(authorizedClient.Scope, " ")
-
+func (s *OidcService) getUserClaims(ctx context.Context, user *model.User, scopes []string, tx *gorm.DB) (map[string]any, error) {
 	claims := make(map[string]any, 10)

 	claims["sub"] = user.ID
@@ -1800,13 +1838,6 @@ func (s *OidcService) getUserClaimsFromAuthorizedClient(ctx context.Context, aut
 	}

 	if slices.Contains(scopes, "profile") {
-		// Add profile claims
-		claims["given_name"] = user.FirstName
-		claims["family_name"] = user.LastName
-		claims["name"] = user.FullName()
-		claims["preferred_username"] = user.Username
-		claims["picture"] = common.EnvConfig.AppURL + "/api/users/" + user.ID + "/profile-picture.png"
-
 		// Add custom claims
 		customClaims, err := s.customClaimService.GetCustomClaimsForUserWithUserGroups(ctx, user.ID, tx)
 		if err != nil {
@@ -1825,6 +1856,15 @@ func (s *OidcService) getUserClaimsFromAuthorizedClient(ctx context.Context, aut
 				claims[customClaim.Key] = customClaim.Value
 			}
 		}
+
+		// Add profile claims
+		claims["given_name"] = user.FirstName
+		claims["family_name"] = user.LastName
+		claims["name"] = user.FullName()
+		claims["display_name"] = user.DisplayName
+
+		claims["preferred_username"] = user.Username
+		claims["picture"] = common.EnvConfig.AppURL + "/api/users/" + user.ID + "/profile-picture.png"
 	}

 	if slices.Contains(scopes, "email") {
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -18,6 +18,7 @@ import (

 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )

@@ -148,6 +149,13 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	privateJWKDefaults, jwkSetJSONDefaults := generateTestECDSAKey(t)
 	require.NoError(t, err)

+	// Create a mock config and JwtService to test complete a token creation process
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
+	})
+	mockJwtService, err := NewJwtService(db, mockConfig)
+	require.NoError(t, err)
+
 	// Create a mock HTTP client with custom transport to return the JWKS
 	httpClient := &http.Client{
 		Transport: &testutils.MockRoundTripper{
@@ -162,8 +170,10 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {

 	// Init the OidcService
 	s := &OidcService{
-		db:         db,
-		httpClient: httpClient,
+		db:               db,
+		jwtService:       mockJwtService,
+		appConfigService: mockConfig,
+		httpClient:       httpClient,
 	}
 	s.jwkCache, err = s.getJWKCache(t.Context())
 	require.NoError(t, err)
@@ -384,4 +394,119 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			assert.Equal(t, federatedClient.ID, client.ID)
 		})
 	})
+
+	t.Run("Complete token creation flow", func(t *testing.T) {
+		t.Run("Client Credentials flow", func(t *testing.T) {
+			t.Run("Succeeds with valid secret", func(t *testing.T) {
+				// Generate a token
+				input := dto.OidcCreateTokensDto{
+					ClientID:     confidentialClient.ID,
+					ClientSecret: confidentialSecret,
+				}
+				token, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.NoError(t, err)
+				require.NotNil(t, token)
+
+				// Verify the token
+				claims, err := s.jwtService.VerifyOAuthAccessToken(token.AccessToken)
+				require.NoError(t, err, "Failed to verify generated token")
+
+				// Check the claims
+				subject, ok := claims.Subject()
+				_ = assert.True(t, ok, "User ID not found in token") &&
+					assert.Equal(t, "client-"+confidentialClient.ID, subject, "Token subject should match confidential client ID with prefix")
+				audience, ok := claims.Audience()
+				_ = assert.True(t, ok, "Audience not found in token") &&
+					assert.Equal(t, []string{confidentialClient.ID}, audience, "Audience should contain confidential client ID")
+			})
+
+			t.Run("Fails with invalid secret", func(t *testing.T) {
+				input := dto.OidcCreateTokensDto{
+					ClientID:     confidentialClient.ID,
+					ClientSecret: "invalid-secret",
+				}
+				_, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.Error(t, err)
+				require.ErrorIs(t, err, &common.OidcClientSecretInvalidError{})
+			})
+
+			t.Run("Fails without client secret for public clients", func(t *testing.T) {
+				input := dto.OidcCreateTokensDto{
+					ClientID: publicClient.ID,
+				}
+				_, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.Error(t, err)
+				require.ErrorIs(t, err, &common.OidcMissingClientCredentialsError{})
+			})
+
+			t.Run("Succeeds with valid assertion", func(t *testing.T) {
+				// Create JWT for federated identity
+				token, err := jwt.NewBuilder().
+					Issuer(federatedClientIssuer).
+					Audience([]string{federatedClientAudience}).
+					Subject(federatedClient.ID).
+					IssuedAt(time.Now()).
+					Expiration(time.Now().Add(10 * time.Minute)).
+					Build()
+				require.NoError(t, err)
+				signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.ES256(), privateJWK))
+				require.NoError(t, err)
+
+				// Generate a token
+				input := dto.OidcCreateTokensDto{
+					ClientAssertion:     string(signedToken),
+					ClientAssertionType: ClientAssertionTypeJWTBearer,
+				}
+				createdToken, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.NoError(t, err)
+				require.NotNil(t, token)
+
+				// Verify the token
+				claims, err := s.jwtService.VerifyOAuthAccessToken(createdToken.AccessToken)
+				require.NoError(t, err, "Failed to verify generated token")
+
+				// Check the claims
+				subject, ok := claims.Subject()
+				_ = assert.True(t, ok, "User ID not found in token") &&
+					assert.Equal(t, "client-"+federatedClient.ID, subject, "Token subject should match federated client ID with prefix")
+				audience, ok := claims.Audience()
+				_ = assert.True(t, ok, "Audience not found in token") &&
+					assert.Equal(t, []string{federatedClient.ID}, audience, "Audience should contain the federated client ID")
+			})
+
+			t.Run("Fails with invalid assertion", func(t *testing.T) {
+				input := dto.OidcCreateTokensDto{
+					ClientAssertion:     "invalid.jwt.token",
+					ClientAssertionType: ClientAssertionTypeJWTBearer,
+				}
+				_, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.Error(t, err)
+				require.ErrorIs(t, err, &common.OidcClientAssertionInvalidError{})
+			})
+
+			t.Run("Succeeds with custom resource", func(t *testing.T) {
+				// Generate a token
+				input := dto.OidcCreateTokensDto{
+					ClientID:     confidentialClient.ID,
+					ClientSecret: confidentialSecret,
+					Resource:     "https://example.com/",
+				}
+				token, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.NoError(t, err)
+				require.NotNil(t, token)
+
+				// Verify the token
+				claims, err := s.jwtService.VerifyOAuthAccessToken(token.AccessToken)
+				require.NoError(t, err, "Failed to verify generated token")
+
+				// Check the claims
+				subject, ok := claims.Subject()
+				_ = assert.True(t, ok, "User ID not found in token") &&
+					assert.Equal(t, "client-"+confidentialClient.ID, subject, "Token subject should match confidential client ID with prefix")
+				audience, ok := claims.Audience()
+				_ = assert.True(t, ok, "Audience not found in token") &&
+					assert.Equal(t, []string{input.Resource}, audience, "Audience should contain the resource provided in request")
+			})
+		})
+	})
 }
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -245,12 +245,13 @@ func (s *UserService) CreateUser(ctx context.Context, input dto.UserCreateDto) (

 func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCreateDto, isLdapSync bool, tx *gorm.DB) (model.User, error) {
 	user := model.User{
-		FirstName: input.FirstName,
-		LastName:  input.LastName,
-		Email:     input.Email,
-		Username:  input.Username,
-		IsAdmin:   input.IsAdmin,
-		Locale:    input.Locale,
+		FirstName:   input.FirstName,
+		LastName:    input.LastName,
+		DisplayName: input.DisplayName,
+		Email:       input.Email,
+		Username:    input.Username,
+		IsAdmin:     input.IsAdmin,
+		Locale:      input.Locale,
 	}
 	if input.LdapID != "" {
 		user.LdapID = &input.LdapID
@@ -362,6 +363,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 		// Full update: Allow updating all personal fields
 		user.FirstName = updatedUser.FirstName
 		user.LastName = updatedUser.LastName
+		user.DisplayName = updatedUser.DisplayName
 		user.Email = updatedUser.Email
 		user.Username = updatedUser.Username
 		user.Locale = updatedUser.Locale
@@ -600,11 +602,12 @@ func (s *UserService) SignUpInitialAdmin(ctx context.Context, signUpData dto.Sig
 	}

 	userToCreate := dto.UserCreateDto{
-		FirstName: signUpData.FirstName,
-		LastName:  signUpData.LastName,
-		Username:  signUpData.Username,
-		Email:     signUpData.Email,
-		IsAdmin:   true,
+		FirstName:   signUpData.FirstName,
+		LastName:    signUpData.LastName,
+		DisplayName: strings.TrimSpace(signUpData.FirstName + " " + signUpData.LastName),
+		Username:    signUpData.Username,
+		Email:       signUpData.Email,
+		IsAdmin:     true,
 	}

 	user, err := s.createUserInternal(ctx, userToCreate, false, tx)
@@ -736,10 +739,11 @@ func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAd
 	}

 	userToCreate := dto.UserCreateDto{
-		Username:  signupData.Username,
-		Email:     signupData.Email,
-		FirstName: signupData.FirstName,
-		LastName:  signupData.LastName,
+		Username:    signupData.Username,
+		Email:       signupData.Email,
+		FirstName:   signupData.FirstName,
+		LastName:    signupData.LastName,
+		DisplayName: strings.TrimSpace(signupData.FirstName + " " + signupData.LastName),
 	}

 	user, err := s.createUserInternal(ctx, userToCreate, false, tx)
--- a/backend/internal/service/version_service.go
+++ b/backend/internal/service/version_service.go
@@ -0,0 +1,74 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	versionTTL      = 15 * time.Minute
+	versionCheckURL = "https://api.github.com/repos/pocket-id/pocket-id/releases/latest"
+)
+
+type VersionService struct {
+	httpClient *http.Client
+	cache      *utils.Cache[string]
+}
+
+func NewVersionService(httpClient *http.Client) *VersionService {
+	return &VersionService{
+		httpClient: httpClient,
+		cache:      utils.New[string](versionTTL),
+	}
+}
+
+func (s *VersionService) GetLatestVersion(ctx context.Context) (string, error) {
+	version, err := s.cache.GetOrFetch(ctx, func(ctx context.Context) (string, error) {
+		reqCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+		defer cancel()
+
+		req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, versionCheckURL, nil)
+		if err != nil {
+			return "", fmt.Errorf("create GitHub request: %w", err)
+		}
+
+		resp, err := s.httpClient.Do(req)
+		if err != nil {
+			return "", fmt.Errorf("get latest tag: %w", err)
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return "", fmt.Errorf("GitHub API returned status %d", resp.StatusCode)
+		}
+
+		var payload struct {
+			TagName string `json:"tag_name"`
+		}
+		if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+			return "", fmt.Errorf("decode payload: %w", err)
+		}
+
+		if payload.TagName == "" {
+			return "", fmt.Errorf("GitHub API returned empty tag name")
+		}
+
+		return strings.TrimPrefix(payload.TagName, "v"), nil
+	})
+
+	var staleErr *utils.ErrStale
+	if errors.As(err, &staleErr) {
+		slog.Warn("Failed to fetch latest version, returning stale cache", "error", staleErr.Err)
+		return version, nil
+	}
+
+	return version, err
+}
--- a/backend/internal/utils/cache_util.go
+++ b/backend/internal/utils/cache_util.go
@@ -0,0 +1,78 @@
+package utils
+
+import (
+	"context"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/sync/singleflight"
+)
+
+type CacheEntry[T any] struct {
+	Value     T
+	FetchedAt time.Time
+}
+
+type ErrStale struct {
+	Err error
+}
+
+func (e *ErrStale) Error() string { return "returned stale cache: " + e.Err.Error() }
+func (e *ErrStale) Unwrap() error { return e.Err }
+
+type Cache[T any] struct {
+	ttl   time.Duration
+	entry atomic.Pointer[CacheEntry[T]]
+	sf    singleflight.Group
+}
+
+func New[T any](ttl time.Duration) *Cache[T] {
+	return &Cache[T]{ttl: ttl}
+}
+
+// Get returns the cached value if it's still fresh.
+func (c *Cache[T]) Get() (T, bool) {
+	entry := c.entry.Load()
+	if entry == nil {
+		var zero T
+		return zero, false
+	}
+	if time.Since(entry.FetchedAt) < c.ttl {
+		return entry.Value, true
+	}
+	var zero T
+	return zero, false
+}
+
+// GetOrFetch returns the cached value if it's still fresh, otherwise calls fetch to get a new value.
+func (c *Cache[T]) GetOrFetch(ctx context.Context, fetch func(context.Context) (T, error)) (T, error) {
+	// If fresh, serve immediately
+	if v, ok := c.Get(); ok {
+		return v, nil
+	}
+
+	// Fetch with singleflight to prevent multiple concurrent fetches
+	vAny, err, _ := c.sf.Do("singleton", func() (any, error) {
+		if v2, ok := c.Get(); ok {
+			return v2, nil
+		}
+		val, fetchErr := fetch(ctx)
+		if fetchErr != nil {
+			return nil, fetchErr
+		}
+		c.entry.Store(&CacheEntry[T]{Value: val, FetchedAt: time.Now()})
+		return val, nil
+	})
+
+	if err == nil {
+		return vAny.(T), nil
+	}
+
+	// Fetch failed. Return stale if possible.
+	if e := c.entry.Load(); e != nil {
+		return e.Value, &ErrStale{Err: err}
+	}
+
+	var zero T
+	return zero, err
+}
--- a/backend/internal/utils/email/email_service_templates.go
+++ b/backend/internal/utils/email/email_service_templates.go
@@ -3,8 +3,7 @@ package email
 import (
 	"fmt"
 	htemplate "html/template"
-	"io/fs"
-	"path"
+	"path/filepath"
 	ttemplate "text/template"

 	"github.com/pocket-id/pocket-id/backend/resources"
@@ -27,71 +26,35 @@ func GetTemplate[U any, V any](templateMap TemplateMap[U], template Template[V])
 	return templateMap[template.Path]
 }

-type cloneable[V pareseable[V]] interface {
-	Clone() (V, error)
-}
-
-type pareseable[V any] interface {
-	ParseFS(fs.FS, ...string) (V, error)
-}
-
-func prepareTemplate[V pareseable[V]](templateFS fs.FS, template string, rootTemplate cloneable[V], suffix string) (V, error) {
-	tmpl, err := rootTemplate.Clone()
-	if err != nil {
-		return *new(V), fmt.Errorf("clone root template: %w", err)
-	}
-
-	filename := fmt.Sprintf("%s%s", template, suffix)
-	templatePath := path.Join("email-templates", filename)
-	_, err = tmpl.ParseFS(templateFS, templatePath)
-	if err != nil {
-		return *new(V), fmt.Errorf("parsing template '%s': %w", template, err)
-	}
-
-	return tmpl, nil
-}
-
 func PrepareTextTemplates(templates []string) (map[string]*ttemplate.Template, error) {
-	components := path.Join("email-templates", "components", "*_text.tmpl")
-	rootTmpl, err := ttemplate.ParseFS(resources.FS, components)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse templates '%s': %w", components, err)
-	}
-
 	textTemplates := make(map[string]*ttemplate.Template, len(templates))
 	for _, tmpl := range templates {
-		rootTmplClone, err := rootTmpl.Clone()
+		filename := tmpl + "_text.tmpl"
+		templatePath := filepath.Join("email-templates", filename)
+
+		parsedTemplate, err := ttemplate.ParseFS(resources.FS, templatePath)
 		if err != nil {
-			return nil, fmt.Errorf("clone root template: %w", err)
+			return nil, fmt.Errorf("parsing template '%s': %w", tmpl, err)
 		}

-		textTemplates[tmpl], err = prepareTemplate[*ttemplate.Template](resources.FS, tmpl, rootTmplClone, "_text.tmpl")
-		if err != nil {
-			return nil, fmt.Errorf("parse '%s': %w", tmpl, err)
-		}
+		textTemplates[tmpl] = parsedTemplate
 	}

 	return textTemplates, nil
 }

 func PrepareHTMLTemplates(templates []string) (map[string]*htemplate.Template, error) {
-	components := path.Join("email-templates", "components", "*_html.tmpl")
-	rootTmpl, err := htemplate.ParseFS(resources.FS, components)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse templates '%s': %w", components, err)
-	}
-
 	htmlTemplates := make(map[string]*htemplate.Template, len(templates))
 	for _, tmpl := range templates {
-		rootTmplClone, err := rootTmpl.Clone()
+		filename := tmpl + "_html.tmpl"
+		templatePath := filepath.Join("email-templates", filename)
+
+		parsedTemplate, err := htemplate.ParseFS(resources.FS, templatePath)
 		if err != nil {
-			return nil, fmt.Errorf("clone root template: %w", err)
+			return nil, fmt.Errorf("parsing template '%s': %w", tmpl, err)
 		}

-		htmlTemplates[tmpl], err = prepareTemplate[*htemplate.Template](resources.FS, tmpl, rootTmplClone, "_html.tmpl")
-		if err != nil {
-			return nil, fmt.Errorf("parse '%s': %w", tmpl, err)
-		}
+		htmlTemplates[tmpl] = parsedTemplate
 	}

 	return htmlTemplates, nil
--- a/backend/internal/utils/file_util.go
+++ b/backend/internal/utils/file_util.go
@@ -2,6 +2,7 @@ package utils

 import (
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -35,6 +36,12 @@ func GetImageMimeType(ext string) string {
 		return "image/x-icon"
 	case "gif":
 		return "image/gif"
+	case "webp":
+		return "image/webp"
+	case "avif":
+		return "image/avif"
+	case "heic":
+		return "image/heic"
 	default:
 		return ""
 	}
@@ -43,29 +50,45 @@ func GetImageMimeType(ext string) string {
 func CopyEmbeddedFileToDisk(srcFilePath, destFilePath string) error {
 	srcFile, err := resources.FS.Open(srcFilePath)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to open embedded file: %w", err)
 	}
 	defer srcFile.Close()

 	err = os.MkdirAll(filepath.Dir(destFilePath), os.ModePerm)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create destination directory: %w", err)
 	}

 	destFile, err := os.Create(destFilePath)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to open destination file: %w", err)
 	}
 	defer destFile.Close()

 	_, err = io.Copy(destFile, srcFile)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to write to destination file: %w", err)
 	}

 	return nil
 }

+func EmbeddedFileSha256(filePath string) ([]byte, error) {
+	f, err := resources.FS.Open(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open embedded file: %w", err)
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	_, err = io.Copy(h, f)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read embedded file: %w", err)
+	}
+
+	return h.Sum(nil), nil
+}
+
 func SaveFile(file *multipart.FileHeader, dst string) error {
 	src, err := file.Open()
 	if err != nil {
--- a/backend/internal/utils/hash_util.go
+++ b/backend/internal/utils/hash_util.go
@@ -3,9 +3,28 @@ package utils
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
 )

 func CreateSha256Hash(input string) string {
 	hash := sha256.Sum256([]byte(input))
 	return hex.EncodeToString(hash[:])
 }
+
+func CreateSha256FileHash(filePath string) ([]byte, error) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %w", err)
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	_, err = io.Copy(h, f)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read file: %w", err)
+	}
+
+	return h.Sum(nil), nil
+}
--- a/backend/internal/utils/jwk/key_provider_database.go
+++ b/backend/internal/utils/jwk/key_provider_database.go
@@ -9,6 +9,7 @@ import (

 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"

 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
@@ -95,7 +96,14 @@ func (f *KeyProviderDatabase) SaveKey(key jwk.Key) error {

 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	err = f.db.WithContext(ctx).Create(&row).Error
+	err = f.db.
+		WithContext(ctx).
+		Clauses(clause.OnConflict{
+			Columns:   []clause.Column{{Name: "key"}},
+			DoUpdates: clause.AssignmentColumns([]string{"value"}),
+		}).
+		Create(&row).
+		Error
 	if err != nil {
 		// There's one scenario where if Pocket ID is started fresh with more than 1 replica, they both could be trying to create the private key in the database at the same time
 		// In this case, only one of the replicas will succeed; the other one(s) will return an error here, which will cascade down and cause the replica(s) to crash and be restarted (at that point they'll load the then-existing key from the database)
--- a/backend/internal/utils/ptr_util.go
+++ b/backend/internal/utils/ptr_util.go
@@ -3,3 +3,11 @@ package utils
 func Ptr[T any](v T) *T {
 	return &v
 }
+
+func PtrValueOrZero[T any](ptr *T) T {
+	if ptr == nil {
+		var zero T
+		return zero
+	}
+	return *ptr
+}
--- a/backend/internal/utils/testing/database.go
+++ b/backend/internal/utils/testing/database.go
@@ -55,7 +55,9 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	// Perform migrations with the embedded migrations
 	sqlDB, err := db.DB()
 	require.NoError(t, err, "Failed to get sql.DB")
-	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{})
+	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{
+		NoTxWrap: true,
+	})
 	require.NoError(t, err, "Failed to create migration driver")
 	source, err := iofs.New(resources.FS, "migrations/sqlite")
 	require.NoError(t, err, "Failed to create embedded migration source")
@@ -63,6 +65,8 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	require.NoError(t, err, "Failed to create migration instance")
 	err = m.Up()
 	require.NoError(t, err, "Failed to perform migrations")
+	_, err = sqlDB.Exec("PRAGMA foreign_keys = OFF;")
+	require.NoError(t, err, "Failed to disable foreign keys")

 	return db
 }
--- a/backend/resources/aaguids.json
+++ b/backend/resources/aaguids.json
--- a/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_html.tmpl
@@ -1,17 +1,3 @@
-{{ define "base" }}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="{{ .AppName }}" width="32" height="32" style="width: 32px; height: 32px; max-width: 32px;"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-        <div class="warning">Warning</div>
-    </div>
-    <div class="content">
-        <h2>API Key Expiring Soon</h2>
-        <p>
-            Hello {{ .Data.Name }},<br/><br/>
-            This is a reminder that your API key <strong>{{ .Data.ApiKeyName }}</strong> will expire on <strong>{{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}</strong>.<br/><br/>
-            Please generate a new API key if you need continued access.
-        </p>
-    </div>
-{{ end }}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="width:210px;margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column">
+<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle;margin-right:8px" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">API Key Expiring Soon</h1></td><td align="right" data-id="__react-email-column">
+<p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Hello <!-- -->{{.Data.Name}}<!-- -->, <br/>This is a reminder that your API key <strong>{{.Data.APIKeyName}}</strong> <!-- -->will expire on <strong>{{.Data.ExpiresAt.Format "2006-01-02 15:04:05 MST"}}</strong>.</p><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Please generate a new API key if you need continued access.</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
+++ b/backend/resources/email-templates/api-key-expiring-soon_text.tmpl
@@ -1,10 +1,12 @@
-{{ define "base" -}}
-API Key Expiring Soon
-====================
+{{define "root"}}{{.AppName}}

-Hello {{ .Data.Name }},

-This is a reminder that your API key "{{ .Data.ApiKeyName }}" will expire on {{ .Data.ExpiresAt.Format "2006-01-02 15:04:05 MST" }}.
+API KEY EXPIRING SOON

-Please generate a new API key if you need continued access.
-{{ end -}}
+Warning
+
+Hello {{.Data.Name}},
+This is a reminder that your API key {{.Data.APIKeyName}} will expire on
+{{.Data.ExpiresAt.Format "2006-01-02 15:04:05 MST"}}.
+
+Please generate a new API key if you need continued access.{{end}}
--- a/backend/resources/email-templates/components/email_html.tmpl
+++ b/backend/resources/email-templates/components/email_html.tmpl
@@ -1,14 +0,0 @@
-{{ define "root" }}
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    {{ template "style" . }}
-</head>
-<body>
-    <div class="container">
-        {{ template "base" . }}
-    </div>
-</body>
-</html>
-{{ end }}
--- a/backend/resources/email-templates/components/email_text.tmpl
+++ b/backend/resources/email-templates/components/email_text.tmpl
@@ -1,7 +0,0 @@
-{{- define "root" -}}
-{{- template "base" . -}}
-{{- end }}
-
-
--
-This is automatically sent email from {{.AppName}}.
--- a/backend/resources/email-templates/components/style_html.tmpl
+++ b/backend/resources/email-templates/components/style_html.tmpl
@@ -1,92 +0,0 @@
-{{ define "style" }}
-<style>
-/* Reset styles for email clients */
- body, table, td, p, a {
-     margin: 0;
-     padding: 0;
-     border: 0;
-     font-size: 100%;
-     font-family: Arial, sans-serif;
-     line-height: 1.5;
-}
- body {
-     background-color: #f0f0f0;
-     color: #333;
-}
- .container {
-     width: 100%;
-     max-width: 600px;
-     margin: 40px auto;
-     background-color: #fff;
-     border-radius: 10px;
-     box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-     padding: 32px;
-}
- .header {
-     display: flex;
-     margin-bottom: 24px;
-}
- .header .logo img {
-     width: 32px;
-     height: 32px;
-     vertical-align: middle;
-}
- .header h1 {
-     font-size: 1.5rem;
-     font-weight: bold;
-     display: inline-block;
-     vertical-align: middle;
-     margin-left: 8px;
-}
- .warning {
-     background-color: #ffd966;
-     color: #7f6000;
-     padding: 4px 12px;
-     border-radius: 50px;
-     font-size: 0.875rem;
-     margin: auto 0 auto auto;
-}
- .content {
-     background-color: #fafafa;
-     padding: 24px;
-     border-radius: 10px;
-}
- .content h2 {
-     font-size: 1.25rem;
-     font-weight: bold;
-     margin-bottom: 16px;
-}
- .grid {
-     width: 100%;
-     margin-bottom: 16px;
-}
- .grid td {
-     width: 50%;
-     padding-bottom: 8px;
-     vertical-align: top;
-}
- .label {
-     color: #888;
-     font-size: 0.875rem;
-}
- .message {
-     font-size: 1rem;
-     line-height: 1.5;
-     margin-top: 16px;
-}
- .button {
-     background-color: #000000;
-     color: #ffffff;
-     padding: 0.7rem 1.5rem;
-     text-decoration: none;
-     border-radius: 4px;
-     font-size: 1rem;
-     font-weight: 500;
-     display: inline-block;
-     margin-top: 24px;
-}
- .button-container {
-     text-align: center;
-}
-</style>
-{{ end }}
--- a/backend/resources/email-templates/login-with-new-device_html.tmpl
+++ b/backend/resources/email-templates/login-with-new-device_html.tmpl
@@ -1,40 +1,5 @@
-{{ define "base" }}
-<div class="header">
-   <div class="logo">
-      <img src="{{ .LogoURL }}" alt="{{ .AppName }}" width="32" height="32" style="width: 32px; height: 32px; max-width: 32px;"/>
-      <h1>{{ .AppName }}</h1>
-   </div>
-   <div class="warning">Warning</div>
-</div>
-<div class="content">
-   <h2>New Sign-In Detected</h2>
-   <table class="grid">
-      <tr>
-         {{ if and .Data.City .Data.Country }}
-         <td>
-            <p class="label">Approximate Location</p>
-            <p>{{ .Data.City }}, {{ .Data.Country }}</p>
-         </td>
-         {{ end }}
-         <td>
-            <p class="label">IP Address</p>
-            <p>{{ .Data.IPAddress }}</p>
-         </td>
-      </tr>
-      <tr>
-         <td>
-            <p class="label">Device</p>
-            <p>{{ .Data.Device }}</p>
-         </td>
-         <td>
-            <p class="label">Sign-In Time</p>
-            <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC" }}</p>
-         </td>
-      </tr>
-   </table>
-   <p class="message">
-      This sign-in was detected from a new device or location. If you recognize this activity, you can
-      safely ignore this message. If not, please review your account and security settings.
-   </p>
-</div>
-{{ end -}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="width:210px;margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column">
+<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle;margin-right:8px" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">New Sign-In Detected</h1></td><td align="right" data-id="__react-email-column">
+<p style="font-size:12px;line-height:24px;background-color:#ffd966;color:#7f6000;padding:1px 12px;border-radius:50px;display:inline-block;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Warning</p></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">Your <!-- -->{{.AppName}}<!-- --> account was recently accessed from a new IP address or browser. If you recognize this activity, no further action is required.</p><h4 style="font-size:1rem;font-weight:bold;margin:30px 0 10px 0">Details</h4><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Approximate Location</p>
+<p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.City}}<!-- -->, <!-- -->{{.Data.Country}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">IP Address</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.IPAddress}}</p></td></tr></tbody></table><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="margin-top:10px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Device</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">
+{{.Data.Device}}</p></td><td data-id="__react-email-column" style="width:225px"><p style="font-size:12px;line-height:24px;margin:0;color:gray;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">Sign-In Time</p><p style="font-size:14px;line-height:24px;margin:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.Data.DateTime.Format "January 2, 2006 at 3:04 PM MST"}}</p></td></tr></tbody></table></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/login-with-new-device_text.tmpl
+++ b/backend/resources/email-templates/login-with-new-device_text.tmpl
@@ -1,15 +1,27 @@
-{{ define "base" -}}
-New Sign-In Detected
-====================
+{{define "root"}}{{.AppName}}

-{{ if and .Data.City .Data.Country }}
-Approximate Location: {{ .Data.City }}, {{ .Data.Country }}
-{{ end }}
-IP Address: {{ .Data.IPAddress }}
-Device:     {{ .Data.Device }}
-Time:       {{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC"}}

-This sign-in was detected from a new device or location. If you recognize
-this activity, you can safely ignore this message. If not, please review
-your account and security settings.
-{{ end -}}
+NEW SIGN-IN DETECTED
+
+Warning
+
+Your {{.AppName}} account was recently accessed from a new IP address or
+browser. If you recognize this activity, no further action is required.
+
+DETAILS
+
+Approximate Location
+
+{{.Data.City}}, {{.Data.Country}}
+
+IP Address
+
+{{.Data.IPAddress}}
+
+Device
+
+{{.Data.Device}}
+
+Sign-In Time
+
+{{.Data.DateTime.Format "January 2, 2006 at 3:04 PM MST"}}{{end}}
--- a/backend/resources/email-templates/one-time-access_html.tmpl
+++ b/backend/resources/email-templates/one-time-access_html.tmpl
@@ -1,17 +1,4 @@
-{{ define "base" }}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="{{ .AppName }}" width="32" height="32" style="width: 32px; height: 32px; max-width: 32px;"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-    </div>
-    <div class="content">
-        <h2>Login Code</h2>
-        <p class="message">
-            Click the button below to sign in to {{ .AppName }} with a login code.</br>Or visit <a href="{{ .Data.LoginLink }}">{{ .Data.LoginLink }}</a> and enter the code <strong>{{ .Data.Code }}</strong>.</br></br>This code expires in {{.Data.ExpirationString}}.
-        </p>
-        <div class="button-container">
-            <a class="button" href="{{ .Data.LoginLinkWithCode }}" class="button">Sign In</a>
-        </div>
-    </div>
-{{ end -}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="width:210px;margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column">
+<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle;margin-right:8px" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Your Login Code</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">
+Click the button below to sign in to <!-- -->{{.AppName}}<!-- --> with a login code.<br/>Or visit<!-- --> <a href="{{.Data.LoginLink}}" style="color:#000;text-decoration-line:none;text-decoration:underline;font-family:Arial, sans-serif" target="_blank">{{.Data.LoginLink}}</a> <!-- -->and enter the code <strong>{{.Data.Code}}</strong>.<br/><br/>This code expires in <!-- -->{{.Data.ExpirationString}}<!-- -->.</p><div style="text-align:center"><a href="{{.Data.LoginLinkWithCode}}" style="line-height:100%;text-decoration:none;display:inline-block;max-width:100%;mso-padding-alt:0px;background-color:#000000;color:#ffffff;padding:12px 24px;border-radius:4px;font-size:15px;font-weight:500;cursor:pointer;margin-top:10px;padding-top:12px;padding-right:24px;padding-bottom:12px;padding-left:24px" target="_blank"><span><!--[if mso]><i style="mso-font-width:400%;mso-text-raise:18" hidden>&#8202;&#8202;&#8202;</i><![endif]--></span>
+<span style="max-width:100%;display:inline-block;line-height:120%;mso-padding-alt:0px;mso-text-raise:9px">Sign In</span><span><!--[if mso]><i style="mso-font-width:400%" hidden>&#8202;&#8202;&#8202;&#8203;</i><![endif]--></span></a></div></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/one-time-access_text.tmpl
+++ b/backend/resources/email-templates/one-time-access_text.tmpl
@@ -1,10 +1,12 @@
-{{ define "base" -}}
-Login Code
-====================
+{{define "root"}}{{.AppName}}

-Click the link below to sign in to {{ .AppName }} with a login code. This code expires in {{.Data.ExpirationString}}.

-{{ .Data.LoginLinkWithCode }}
+YOUR LOGIN CODE

-Or visit {{ .Data.LoginLink }} and enter the the code "{{ .Data.Code }}".
-{{ end -}}
+Click the button below to sign in to {{.AppName}} with a login code.
+Or visit {{.Data.LoginLink}} {{.Data.LoginLink}} and enter the code
+{{.Data.Code}}.
+
+This code expires in {{.Data.ExpirationString}}.
+
+Sign In {{.Data.LoginLinkWithCode}}{{end}}
--- a/backend/resources/email-templates/test_html.tmpl
+++ b/backend/resources/email-templates/test_html.tmpl
@@ -1,11 +1,3 @@
-{{ define "base" -}}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-    </div>
-    <div class="content">
-        <p>This is a test email.</p>
-    </div>
-{{ end -}}
+{{define "root"}}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr" lang="en"><head><link rel="preload" as="image" href="{{.LogoURL}}"/><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/><meta name="x-apple-disable-message-reformatting"/></head><body style="padding:50px;background-color:#FBFBFB;font-family:Arial, sans-serif"><!--$--><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="max-width:37.5em;width:500px;margin:0 auto"><tbody><tr style="width:100%"><td><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody><tr><td><table align="left" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation" style="width:210px;margin-bottom:16px"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column">
+<img alt="{{.AppName}}" height="32" src="{{.LogoURL}}" style="display:block;outline:none;border:none;text-decoration:none;width:32px;height:32px;vertical-align:middle;margin-right:8px" width="32"/></td><td data-id="__react-email-column"><p style="font-size:23px;line-height:24px;font-weight:bold;margin:0;padding:0;margin-top:0;margin-bottom:0;margin-left:0;margin-right:0">{{.AppName}}</p></td></tr></tbody></table></td></tr></tbody></table><div style="background-color:white;padding:24px;border-radius:10px;box-shadow:0 1px 4px 0px rgba(0, 0, 0, 0.1)"><table align="center" width="100%" border="0" cellPadding="0" cellSpacing="0" role="presentation"><tbody style="width:100%"><tr style="width:100%"><td data-id="__react-email-column"><h1 style="font-size:20px;font-weight:bold;margin:0">Test Email</h1></td><td align="right" data-id="__react-email-column"></td></tr></tbody></table><p style="font-size:14px;line-height:24px;margin-top:16px;margin-bottom:16px">
+Your email setup is working correctly!</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>{{end}}
--- a/backend/resources/email-templates/test_text.tmpl
+++ b/backend/resources/email-templates/test_text.tmpl
@@ -1,3 +1,6 @@
-{{ define "base" -}}
-This is a test email.
-{{ end -}}
+{{define "root"}}{{.AppName}}
+
+
+TEST EMAIL
+
+Your email setup is working correctly!{{end}}
--- a/backend/resources/files.go
+++ b/backend/resources/files.go
@@ -4,5 +4,5 @@ import "embed"

 // Embedded file systems for the project

-//go:embed email-templates images migrations fonts aaguids.json
+//go:embed email-templates/*.tmpl images migrations fonts aaguids.json
 var FS embed.FS
--- a/backend/resources/images/background.jpg
+++ b/backend/resources/images/background.jpg
--- a/backend/resources/images/background.webp
+++ b/backend/resources/images/background.webp
--- a/backend/resources/migrations/postgres/20250917170000_user_display_name_and_username.down.sql
+++ b/backend/resources/migrations/postgres/20250917170000_user_display_name_and_username.down.sql
@@ -0,0 +1,3 @@
+ALTER TABLE users DROP COLUMN display_name;
+
+ALTER TABLE users ALTER COLUMN username TYPE TEXT;
--- a/backend/resources/migrations/postgres/20250917170000_user_display_name_and_username.up.sql
+++ b/backend/resources/migrations/postgres/20250917170000_user_display_name_and_username.up.sql
@@ -0,0 +1,6 @@
+ALTER TABLE users ADD COLUMN display_name TEXT;
+UPDATE users SET display_name = trim(coalesce(first_name,'') || ' ' || coalesce(last_name,''));
+ALTER TABLE users ALTER COLUMN display_name SET NOT NULL;
+
+CREATE EXTENSION IF NOT EXISTS citext;
+ALTER TABLE users ALTER COLUMN username TYPE CITEXT COLLATE "C";
--- a/backend/resources/migrations/sqlite/20240731203656_init.up.sql
+++ b/backend/resources/migrations/sqlite/20240731203656_init.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE users
 (
    id         TEXT                  NOT NULL PRIMARY KEY,
@@ -77,4 +79,6 @@ CREATE TABLE application_configuration_variables
    type        TEXT                  NOT NULL,
    is_public   NUMERIC DEFAULT FALSE NOT NULL,
    is_internal NUMERIC DEFAULT FALSE NOT NULL
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags..up.sql
+++ b/backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags..up.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials ADD COLUMN backup_eligible BOOLEAN NOT NULL DEFAULT FALSE;
-ALTER TABLE webauthn_credentials ADD COLUMN backup_state BOOLEAN NOT NULL DEFAULT FALSE;
+ALTER TABLE webauthn_credentials ADD COLUMN backup_state BOOLEAN NOT NULL DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags.down.sql
+++ b/backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials DROP COLUMN backup_eligible;
-ALTER TABLE webauthn_credentials DROP COLUMN backup_state;
+ALTER TABLE webauthn_credentials DROP COLUMN backup_state;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240817191051_rename_config_table.down.sql
+++ b/backend/resources/migrations/sqlite/20240817191051_rename_config_table.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables
-    RENAME TO application_configuration_variables;
+    RENAME TO application_configuration_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240817191051_rename_config_table.up.sql
+++ b/backend/resources/migrations/sqlite/20240817191051_rename_config_table.up.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE application_configuration_variables
-    RENAME TO app_config_variables;
+    RENAME TO app_config_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.down.sql
+++ b/backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.down.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients
 (
    id            TEXT not null primary key,
@@ -20,4 +22,6 @@ select id,
       created_by_id
 from oidc_clients_dg_tmp;

-drop table oidc_clients_dg_tmp;
+drop table oidc_clients_dg_tmp;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.up.sql
+++ b/backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients_dg_tmp
 (
    id            TEXT not null primary key,
@@ -23,4 +25,6 @@ from oidc_clients;
 drop table oidc_clients;

 alter table oidc_clients_dg_tmp
-    rename to oidc_clients;
+    rename to oidc_clients;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240908123031_audit_log.down.sql
+++ b/backend/resources/migrations/sqlite/20240908123031_audit_log.down.sql
@@ -1 +1,5 @@
-DROP TABLE audit_logs;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE audit_logs;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240908123031_audit_log.up.sql
+++ b/backend/resources/migrations/sqlite/20240908123031_audit_log.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE audit_logs
 (
    id               TEXT NOT NULL PRIMARY KEY,
@@ -7,4 +9,6 @@ CREATE TABLE audit_logs
    user_agent       TEXT NOT NULL,
    data             BLOB NOT NULL,
    user_id          TEXT REFERENCES users
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240924202721_user_groups.down.sql
+++ b/backend/resources/migrations/sqlite/20240924202721_user_groups.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE user_groups;
-DROP TABLE user_groups_users;
+DROP TABLE user_groups_users;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20240924202721_user_groups.up.sql
+++ b/backend/resources/migrations/sqlite/20240924202721_user_groups.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE user_groups
 (
    id           TEXT NOT NULL PRIMARY KEY,
@@ -13,4 +15,6 @@ CREATE TABLE user_groups_users
    PRIMARY KEY (user_id, user_group_id),
    FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241004092030_audit_log_location.down.sql
+++ b/backend/resources/migrations/sqlite/20241004092030_audit_log_location.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs DROP COLUMN country;
-ALTER TABLE audit_logs DROP COLUMN city;
+ALTER TABLE audit_logs DROP COLUMN city;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241004092030_audit_log_location.up.sql
+++ b/backend/resources/migrations/sqlite/20241004092030_audit_log_location.up.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs ADD COLUMN country TEXT;
-ALTER TABLE audit_logs ADD COLUMN city TEXT;
+ALTER TABLE audit_logs ADD COLUMN city TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241023072742_unix-timestamps.down.sql
+++ b/backend/resources/migrations/sqlite/20241023072742_unix-timestamps.down.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the Unix timestamps back to DATETIME format

 UPDATE user_groups
@@ -25,4 +27,6 @@ SET created_at = datetime(created_at, 'unixepoch');

 UPDATE webauthn_sessions
 SET created_at = datetime(created_at, 'unixepoch'),
-    expires_at = datetime(expires_at, 'unixepoch');
+    expires_at = datetime(expires_at, 'unixepoch');
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241023072742_unix-timestamps.up.sql
+++ b/backend/resources/migrations/sqlite/20241023072742_unix-timestamps.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the DATETIME fields to Unix timestamps (in seconds)
 UPDATE user_groups
 SET created_at = strftime('%s', created_at);
@@ -24,4 +26,6 @@ SET created_at = strftime('%s', created_at);

 UPDATE webauthn_sessions
 SET created_at = strftime('%s', created_at),
-    expires_at = strftime('%s', expires_at);
+    expires_at = strftime('%s', expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241025214824_app_config_default_value.down.sql
+++ b/backend/resources/migrations/sqlite/20241025214824_app_config_default_value.down.sql
@@ -1 +1,5 @@
-ALTER TABLE app_config_variables DROP COLUMN default_value;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE app_config_variables DROP COLUMN default_value;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241025214824_app_config_default_value.up.sql
+++ b/backend/resources/migrations/sqlite/20241025214824_app_config_default_value.up.sql
@@ -1 +1,5 @@
-ALTER TABLE app_config_variables ADD COLUMN default_value TEXT;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE app_config_variables ADD COLUMN default_value TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241028064959_custom_claims.down.sql
+++ b/backend/resources/migrations/sqlite/20241028064959_custom_claims.down.sql
@@ -1 +1,5 @@
-DROP TABLE custom_claims;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE custom_claims;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241028064959_custom_claims.up.sql
+++ b/backend/resources/migrations/sqlite/20241028064959_custom_claims.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE custom_claims
 (
    id            TEXT NOT NULL PRIMARY KEY,
@@ -12,4 +14,6 @@ CREATE TABLE custom_claims

    CONSTRAINT custom_claims_unique UNIQUE (key, user_id, user_group_id),
    CHECK (user_id IS NOT NULL OR user_group_id IS NOT NULL)
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241115131129_pkce.down.sql
+++ b/backend/resources/migrations/sqlite/20241115131129_pkce.down.sql
@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge_method_sha256;
-ALTER TABLE oidc_clients DROP COLUMN is_public;
+ALTER TABLE oidc_clients DROP COLUMN is_public;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20241115131129_pkce.up.sql
+++ b/backend/resources/migrations/sqlite/20241115131129_pkce.up.sql
@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge TEXT;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge_method_sha256 NUMERIC;
-ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;
+ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250103145821_pkce_column.down.sql
+++ b/backend/resources/migrations/sqlite/20250103145821_pkce_column.down.sql
@@ -1 +1,5 @@
-ALTER TABLE oidc_clients DROP COLUMN pkce_enabled;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients DROP COLUMN pkce_enabled;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250103145821_pkce_column.up.sql
+++ b/backend/resources/migrations/sqlite/20250103145821_pkce_column.up.sql
@@ -1 +1,5 @@
-ALTER TABLE oidc_clients ADD COLUMN pkce_enabled BOOLEAN DEFAULT FALSE;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients ADD COLUMN pkce_enabled BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250115155817_ldap.down.sql
+++ b/backend/resources/migrations/sqlite/20250115155817_ldap.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users DROP COLUMN ldap_id;
-ALTER TABLE user_groups DROP COLUMN ldap_id;
+ALTER TABLE user_groups DROP COLUMN ldap_id;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250115155817_ldap.up.sql
+++ b/backend/resources/migrations/sqlite/20250115155817_ldap.up.sql
@@ -1,5 +1,9 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users ADD COLUMN ldap_id TEXT;
 ALTER TABLE user_groups ADD COLUMN ldap_id TEXT;

 CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
-CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
+CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.down.sql
+++ b/backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.down.sql
@@ -1 +1,5 @@
-UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.up.sql
+++ b/backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.up.sql
@@ -1 +1,5 @@
-UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql
+++ b/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
-UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql
+++ b/backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql
@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = null WHERE ldap_id = '';
-UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql
+++ b/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql
@@ -1 +1,5 @@
-DROP TABLE oidc_clients_allowed_user_groups;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+DROP TABLE oidc_clients_allowed_user_groups;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql
+++ b/backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql
@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_clients_allowed_user_groups
 (
    user_group_id  TEXT NOT NULL,
@@ -5,4 +7,6 @@ CREATE TABLE oidc_clients_allowed_user_groups
    PRIMARY KEY (oidc_client_id, user_group_id),
    FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE,
    FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
-);
+);
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
+++ b/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql
@@ -1 +1,5 @@
-UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
+++ b/backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql
@@ -1 +1,5 @@
-UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+PRAGMA foreign_keys=OFF;
+BEGIN;
+UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql
+++ b/backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql
@@ -1 +1,5 @@
-ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
+PRAGMA foreign_keys=OFF;
+BEGIN;
+ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
+COMMIT;
+PRAGMA foreign_keys=ON;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	8973e93cb6	release: 1.11.1	2025-09-18 22:33:22 +02:00
Elias Schneider	8c9cac2655	chore(translations): update translations via Crowdin (#957 )	2025-09-18 22:26:38 +02:00
Elias Schneider	ed8547ccc1	release: 1.11.0	2025-09-18 22:16:32 +02:00
Elias Schneider	e7e53a8b8c	fix: my apps card shouldn't take full width if only one item exists	2025-09-18 21:55:43 +02:00
Elias Schneider	02249491f8	feat: allow uppercase usernames (#958 )	2025-09-17 14:43:12 -05:00
Elias Schneider	cf0892922b	chore: include version in changelog	2025-09-17 18:00:04 +02:00
Elias Schneider	99f31a7c26	fix: make environment variables case insensitive where necessary (#954 ) fix #935	2025-09-17 08:21:54 -07:00
Kyle Mendell	68373604dd	feat: add user display name field (#898 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-09-17 17:18:27 +02:00
Elias Schneider	2d6d5df0e7	feat: add support for `LOG_LEVEL` env variable (#942 )	2025-09-14 08:26:21 -07:00
Alessandro (Ale) Segala	a897b31166	chore: minify background image (#933 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-09-14 08:24:28 -07:00
dependabot[bot]	fb92906c3a	chore(deps): bump axios from 1.11.0 to 1.12.0 in the npm_and_yarn group across 1 directory (#943 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-13 12:20:18 -05:00
Alessandro (Ale) Segala	c018f29ad7	fix: key-rotate doesn't work with database storage (#940 )	2025-09-12 20:04:45 -05:00
Elias Schneider	5367463239	feat: add PWA support (#938 )	2025-09-12 10:17:35 -05:00
Elias Schneider	6c9147483c	fix: add validation for callback URLs (#929 )	2025-09-10 10:14:54 -07:00
Elias Schneider	d123d7f335	chore(translations): update translations via Crowdin (#931 )	2025-09-10 07:57:58 -05:00
dependabot[bot]	da8ca08c36	chore(deps-dev): bump vite from 7.0.6 to 7.0.7 in the npm_and_yarn group across 1 directory (#932 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-09-09 17:32:14 -05:00
Alessandro (Ale) Segala	307caaa3ef	feat: return new id_token when using refresh token (#925 )	2025-09-09 11:31:50 +02:00
Elias Schneider	6c696b46c8	fix: list items on previous page get unselected if other items selected on next page	2025-09-09 10:02:59 +02:00
Alessandro (Ale) Segala	42155238b7	fix: ensure users imported from LDAP have fields validated (#923 )	2025-09-09 09:31:49 +02:00
Elias Schneider	92edc26a30	chore(translations): update translations via Crowdin (#924 )	2025-09-08 08:12:21 -05:00
github-actions[bot]	e36499c483	chore: update AAGUIDs (#926 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-09-08 00:14:56 -05:00
Elias Schneider	6215e1ac01	feat: add CSP header (#908 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>	2025-09-07 11:45:06 -07:00
Elias Schneider	74b39e16f9	chore(translations): update translations via Crowdin (#915 )	2025-09-07 20:31:30 +02:00
Elias Schneider	a1d8538c64	feat: add info box to app settings if UI config is disabled	2025-09-07 19:49:07 +02:00
Elias Schneider	1d7cbc2a4e	fix: disable sign up options in UI if `UI_CONFIG_DISABLED`	2025-09-07 19:42:20 +02:00
Kyle Mendell	954fb4f0c8	chore(translations): add Swedish files	2025-09-05 19:57:54 -05:00
Savely Krasovsky	901333f7e4	feat: client_credentials flow support (#901 )	2025-09-02 18:33:01 -05:00
Elias Schneider	0b381467ca	chore(translations): update translations via Crowdin (#904 )	2025-09-02 09:57:31 -05:00
github-actions[bot]	6188dc6fb7	chore: update AAGUIDs (#903 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-08-31 19:40:23 -05:00
Kyle Mendell	802754c24c	refactor: use react email for email templates (#734 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-31 16:54:13 +00:00
Elias Schneider	6c843228eb	chore(translations): update translations via Crowdin (#893 )	2025-08-30 13:20:35 -05:00
Stephan H.	a3979f63e0	feat: add custom base url (#858 ) Co-authored-by: Stephan Höhn <me@steph.ovh> Co-authored-by: Kyle Mendell <ksm@ofkm.us>	2025-08-30 13:13:57 -05:00
Elias Schneider	52c560c30d	chore(translations): update translations via Crowdin (#887 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-08-27 16:44:26 -05:00
Kyle Mendell	e88be7e61a	fix: update localized name and description of ldap group name attribute (#892 )	2025-08-27 15:52:50 -05:00
Kyle Mendell	a4e965434f	release: 1.10.0	2025-08-27 15:24:57 -05:00
Kyle Mendell	096d214a88	feat: redesigned sidebar with administrative dropdown (#881 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-27 16:39:22 +00:00
Savely Krasovsky	afb7fc32e7	chore(translations): add missing translations (#884 )	2025-08-27 18:13:35 +02:00
Elias Schneider	641bbc9351	fix: apps showed multiple times if user is in multiple groups	2025-08-27 17:53:21 +02:00
Kyle Mendell	136c6082f6	chore(deps): bump sveltekit to 2.36.3 and devalue to 5.3.2 (#889 )	2025-08-26 18:59:35 -05:00
github-actions[bot]	b9a20d2923	chore: update AAGUIDs (#885 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-08-25 08:13:32 +02:00
Elias Schneider	74eb2ac0b9	release: 1.9.1	2025-08-24 23:17:31 +02:00
Elias Schneider	51222f5607	tests: add no tx wrap to unit tests	2025-08-24 23:16:49 +02:00
Elias Schneider	d6d1a4ced2	fix: sqlite migration drops allowed user groups	2025-08-24 23:07:50 +02:00
@@ -1 +1 @@
 .9.0
 .11.1