Merge branch 'main' into i18n_crowdin

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.devcontainer/devcontainer.json

@@ -2,7 +2,9 @@
   "name": "pocket-id",
   "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
   "features": {
-    "ghcr.io/devcontainers/features/go:1": {}
+    "ghcr.io/devcontainers/features/go:1": {
+      "version": "1.26"
+    }
   },
   "customizations": {
     "vscode": {

.github/workflows/backend-linter.yml

@@ -17,14 +17,15 @@ permissions:
   pull-requests: read
   # Optional: allow write access to checks to allow the action to annotate code in the PR.
   checks: write
+  id-token: write
 
 jobs:
   golangci-lint:
     name: Run Golangci-lint
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -32,9 +33,9 @@ jobs:
           go-version-file: backend/go.mod
 
       - name: Run Golangci-lint
-        uses: golangci/golangci-lint-action@v8.0.0
+        uses: golangci/golangci-lint-action@v9.0.0
         with:
-          version: v2.4.0
+          version: v2.11.4
           args: --build-tags=exclude_frontend
           working-directory: backend
           only-new-issues: ${{ github.event_name == 'pull_request' }}

.github/workflows/build-next.yml

@@ -9,43 +9,40 @@ concurrency:
   group: build-next-image
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+
 jobs:
   build-next:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
+    runs-on: depot-ubuntu-latest
+
+    env:
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
+          cache: "pnpm"
 
       - name: Setup Go
         uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
@@ -54,6 +51,40 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Container Image Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
+      - name: Container Image Metadata
+        id: distroless-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE_NAME }}
+          tags: |
+            type=raw,value=next-distroless
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm install --frozen-lockfile
 
@@ -66,31 +97,40 @@ jobs:
 
       - name: Build and push container image
         id: build-push-image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next
-          file: docker/Dockerfile-prebuilt
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          sbom: false
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
-          file: docker/Dockerfile-distroless
+          tags: ${{ steps.distroless-meta.outputs.tags }}
+          labels: ${{ steps.distroless-meta.outputs.labels }}
+          sbom: false
+          provenance: true
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.build-push-image.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true

.github/workflows/e2e-tests.yml

@@ -1,59 +1,27 @@
 name: E2E Tests
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths-ignore:
       - "docs/**"
       - "**.md"
       - ".github/**"
   pull_request:
-    branches: [main, breaking/**]
+    branches: [ main, breaking/** ]
     paths-ignore:
       - "docs/**"
       - "**.md"
       - ".github/**"
 
+permissions:
+  contents: read
+  actions: write
+  id-token: write
+
 jobs:
-  build:
-    if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    timeout-minutes: 20
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build and export
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/Dockerfile
-          push: false
-          load: false
-          tags: pocket-id:test
-          outputs: type=docker,dest=/tmp/docker-image.tar
-          build-args: BUILD_TAGS=e2etest
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp/docker-image.tar
-          retention-days: 1
-
   test:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    needs: build
+    runs-on: depot-ubuntu-24.04-32
     strategy:
       fail-fast: false
       matrix:
@@ -70,25 +38,33 @@ jobs:
             storage: database
 
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout code
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
+          cache: "pnpm"
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+
+      - name: Set up Depot Docker builder
+        run: depot configure-docker
 
       - name: Cache Playwright Browsers
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: playwright-cache
         with:
           path: ~/.cache/ms-playwright
           key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
 
       - name: Cache PostgreSQL Docker image
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: postgres-cache
         with:
           path: /tmp/postgres-image.tar
@@ -102,23 +78,8 @@ jobs:
         if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/postgres-image.tar
 
-      - name: Cache LLDAP Docker image
-        uses: actions/cache@v4
-        id: lldap-cache
-        with:
-          path: /tmp/lldap-image.tar
-          key: lldap-stable-${{ runner.os }}
-      - name: Pull and save LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull lldap/lldap:2025-05-19
-          docker save lldap/lldap:2025-05-19 > /tmp/lldap-image.tar
-      - name: Load LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/lldap-image.tar
-
       - name: Cache SCIM Test Server Docker image
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: scim-cache
         with:
           path: /tmp/scim-test-server-image.tar
@@ -134,45 +95,20 @@ jobs:
 
       - name: Cache Localstack S3 Docker image
         if: matrix.storage == 's3'
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: s3-cache
         with:
           path: /tmp/localstack-s3-image.tar
-          key: localstack-s3-latest-${{ runner.os }}
+          key: localstack-4.14.0-${{ runner.os }}
       - name: Pull and save Localstack S3 image
         if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit != 'true'
         run: |
-          docker pull localstack/localstack:s3-latest
-          docker save localstack/localstack:s3-latest > /tmp/localstack-s3-image.tar
+          docker pull localstack/localstack:4.14.0
+          docker save localstack/localstack:4.14.0 > /tmp/localstack-s3-image.tar
       - name: Load Localstack S3 image
         if: matrix.storage == 's3' && steps.s3-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/localstack-s3-image.tar
 
-      - name: Cache AWS CLI Docker image
-        if: matrix.storage == 's3'
-        uses: actions/cache@v4
-        id: aws-cli-cache
-        with:
-          path: /tmp/aws-cli-image.tar
-          key: aws-cli-latest-${{ runner.os }}
-      - name: Pull and save AWS CLI image
-        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull amazon/aws-cli:latest
-          docker save amazon/aws-cli:latest > /tmp/aws-cli-image.tar
-      - name: Load AWS CLI image
-        if: matrix.storage == 's3' && steps.aws-cli-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/aws-cli-image.tar
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp
-
-      - name: Load Docker image
-        run: docker load -i /tmp/docker-image.tar
-
       - name: Install test dependencies
         run: pnpm --filter pocket-id-tests install --frozen-lockfile
 
@@ -198,7 +134,7 @@ jobs:
             DOCKER_COMPOSE_FILE=docker-compose-s3.yml
           fi
 
-          docker compose -f "$DOCKER_COMPOSE_FILE" up -d
+          docker compose -f "$DOCKER_COMPOSE_FILE" up -d --build
 
           {
             LOG_FILE="/tmp/backend.log"
@@ -219,7 +155,7 @@ jobs:
         run: pnpm exec playwright test
 
       - name: Upload Test Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
           name: playwright-report-${{ matrix.db }}-${{ matrix.storage }}
@@ -228,7 +164,7 @@ jobs:
           retention-days: 15
 
       - name: Upload Backend Test Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
           name: backend-${{ matrix.db }}-${{ matrix.storage }}

.github/workflows/pr-quality.yml

@@ -0,0 +1,106 @@
+name: PR Quality
+
+permissions:
+    contents: read
+    issues: read
+    pull-requests: write
+
+on:
+    pull_request_target:
+        types: [opened, reopened]
+
+jobs:
+    pr-quality:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: peakoss/anti-slop@v0
+              with:
+                  # General Settings
+                  max-failures: 4
+
+                  # PR Branch Checks
+                  allowed-target-branches: "main"
+                  blocked-target-branches: ""
+                  allowed-source-branches: ""
+                  blocked-source-branches: ""
+
+                  # PR Quality Checks
+                  max-negative-reactions: 0
+                  require-maintainer-can-modify: true
+
+                  # PR Title Checks
+                  require-conventional-title: true
+
+                  # PR Description Checks
+                  require-description: true
+                  max-description-length: 2500
+                  max-emoji-count: 0
+                  max-code-references: 0
+                  require-linked-issue: false
+                  blocked-terms: ""
+                  blocked-issue-numbers: ""
+
+                  # PR Template Checks
+                  require-pr-template: true
+                  strict-pr-template-sections: ""
+                  optional-pr-template-sections: "Issues"
+                  max-additional-pr-template-sections: 3
+
+                  # Commit Message Checks
+                  max-commit-message-length: 500
+                  require-conventional-commits: false
+                  require-commit-author-match: true
+                  blocked-commit-authors: ""
+
+                  # File Checks
+                  allowed-file-extensions: ""
+                  allowed-paths: ""
+                  blocked-paths: |
+                      SECURITY.md
+                      LICENSE
+                  require-final-newline: false
+                  max-added-comments: 0
+
+                  # User Checks
+                  detect-spam-usernames: true
+                  min-account-age: 30
+                  max-daily-forks: 7
+                  min-profile-completeness: 4
+
+                  # Merge Checks
+                  min-repo-merged-prs: 0
+                  min-repo-merge-ratio: 0
+                  min-global-merge-ratio: 30
+                  global-merge-ratio-exclude-own: false
+
+                  # Exemptions
+                  exempt-draft-prs: false
+                  exempt-bots: |
+                      actions-user
+                      dependabot[bot]
+                      renovate[bot]
+                      github-actions[bot]
+                  exempt-users: ""
+                  exempt-author-association: "OWNER,MEMBER,COLLABORATOR"
+                  exempt-label: "quality/exempt"
+                  exempt-pr-label: ""
+                  exempt-all-milestones: false
+                  exempt-all-pr-milestones: false
+                  exempt-milestones: ""
+                  exempt-pr-milestones: ""
+
+                  # PR Success Actions
+                  success-add-pr-labels: "quality/verified"
+
+                  # PR Failure Actions
+                  failure-remove-pr-labels: ""
+                  failure-remove-all-pr-labels: true
+                  failure-add-pr-labels: "quality/rejected"
+                  failure-pr-message: |
+                      This PR did not pass quality checks so it will be closed.
+                      See the [workflow run](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}) for details on which checks failed.
+
+                      If you believe this is a mistake please let us know.
+
+                  close-pr: true
+                  lock-pr: false

.github/workflows/release.yml

@@ -5,42 +5,47 @@ on:
     tags:
       - "v*.*.*"
 
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+  artifact-metadata: write
+
 jobs:
   build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      packages: write
-      attestations: write
-      id-token: write
+    runs-on: depot-ubuntu-24.04-16
+
+    env:
+      CONTAINER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/pocket-id
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
+          cache: "pnpm"
+
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Set DOCKER_IMAGE_NAME
-        run: |
-          # Lowercase REPO_OWNER which is required for containers
-          REPO_OWNER=${{ github.repository_owner }}
-          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
-          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{github.repository_owner}}
           password: ${{secrets.GITHUB_TOKEN}}
+
       - name: Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -51,59 +56,89 @@ jobs:
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Docker metadata (distroless)
         id: meta-distroless
         uses: docker/metadata-action@v5
         with:
           images: |
-            ${{ env.DOCKER_IMAGE_NAME }}
+            ${{ env.CONTAINER_IMAGE_NAME }}
           flavor: |
             suffix=-distroless,onlatest=true
           tags: |
             type=semver,pattern={{version}},prefix=v
             type=semver,pattern={{major}}.{{minor}},prefix=v
             type=semver,pattern={{major}},prefix=v
+          labels: |
+            org.opencontainers.image.authors=Pocket ID
+            org.opencontainers.image.url=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.documentation=https://github.com/pocket-id/pocket-id/blob/main/README.md
+            org.opencontainers.image.source=https://github.com/pocket-id/pocket-id
+            org.opencontainers.image.version=next-distroless
+            org.opencontainers.image.licenses=BSD-2-Clause
+            org.opencontainers.image.ref.name=pocket-id
+            org.opencontainers.image.title=Pocket ID
+
       - name: Install frontend dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile
+
       - name: Build frontend
         run: pnpm --filter pocket-id-frontend build
 
       - name: Build binaries
         run: sh scripts/development/build-binaries.sh
+
       - name: Build and push container image
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push
         with:
           context: .
+          file: docker/Dockerfile-prebuilt
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          file: docker/Dockerfile-prebuilt
+          sbom: false
+          provenance: true
+
       - name: Build and push container image (distroless)
-        uses: docker/build-push-action@v6
+        uses: depot/build-push-action@v1
         id: container-build-push-distroless
         with:
           context: .
+          file: docker/Dockerfile-distroless
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta-distroless.outputs.tags }}
           labels: ${{ steps.meta-distroless.outputs.labels }}
-          file: docker/Dockerfile-distroless
+          sbom: false
+          provenance: true
+
       - name: Binary attestation
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: "backend/.bin/pocket-id-**"
+
       - name: Container image attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push.outputs.digest }}
           push-to-registry: true
+
       - name: Container image attestation (distroless)
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: "${{ env.CONTAINER_IMAGE_NAME }}"
           subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
           push-to-registry: true
       - name: Upload binaries to release
@@ -112,14 +147,12 @@ jobs:
         run: gh release upload ${{ github.ref_name }} backend/.bin/*
 
   publish-release:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     needs: [build]
-    permissions:
-      contents: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Mark release as published
         run: gh release edit ${{ github.ref_name }} --draft=false

.github/workflows/svelte-check.yml

@@ -21,28 +21,31 @@ on:
       - "frontend/svelte.config.js"
   workflow_dispatch:
 
+permissions:
+  contents: read
+  checks: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   type-check:
     name: Run Svelte Check
     # Don't run on dependabot branches
     if: github.actor != 'dependabot[bot]'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      checks: write
-      pull-requests: write
+    runs-on: depot-ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
+          cache: "pnpm"
 
       - name: Install dependencies
         run: pnpm --filter pocket-id-frontend install --frozen-lockfile

.github/workflows/unit-tests.yml

@@ -1,22 +1,24 @@
 name: Unit Tests
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
       - "backend/**"
   pull_request:
-    branches: [main]
+    branches: [ main ]
     paths:
       - "backend/**"
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write
+
 jobs:
   test-backend:
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: "backend/go.mod"
@@ -30,7 +32,7 @@ jobs:
         run: |
           set -e -o pipefail
           go test -tags=exclude_frontend -v ./... | tee /tmp/TestResults.log
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: backend-unit-tests

.github/workflows/update-aaguids.yml

@@ -8,14 +8,15 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 
 jobs:
   update-aaguids:
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Fetch JSON data
         run: |

.version

@@ -1 +1 @@
-2.0.2
+2.6.2

CHANGELOG.md

@@ -1,3 +1,208 @@
+## v2.6.2
+
+### Bug Fixes
+
+- return correct byte count in HEAD request writer ([#1443](https://github.com/pocket-id/pocket-id/pull/1443) by @ahampal)
+- improve keyboard navigation and screen-reader labels ([#1445](https://github.com/pocket-id/pocket-id/pull/1445) by @bjoernch)
+
+### Other
+
+- upgrade to vite 8.0 and pnpm 10.33.0 ([#1446](https://github.com/pocket-id/pocket-id/pull/1446) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.6.1...v2.6.2
+
+## v2.6.1
+
+### Bug Fixes
+
+- restore login screen background from not showing up ([975d3c7](https://github.com/pocket-id/pocket-id/commit/975d3c79c6a882291c69b31d25bfcd8b7896528c) by @kmendell)
+
+### Other
+
+- ignore webauthn type for swagger generation ([ce4b89d](https://github.com/pocket-id/pocket-id/commit/ce4b89da650f025747fd0dd45eab5cebe29f5a93) by @kmendell)
+- update golangci-lint ([#1440](https://github.com/pocket-id/pocket-id/pull/1440) by @ItalyPaleAle)
+- Add catalan language ([#1436](https://github.com/pocket-id/pocket-id/pull/1436) by @mcasellas)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.6.0...v2.6.1
+
+## v2.6.0
+
+### Bug Fixes
+
+- disable callback URLs with protocols "javascript" and "data" ([#1397](https://github.com/pocket-id/pocket-id/pull/1397) by @ItalyPaleAle)
+- strip Root prefix from S3 List() returned paths ([#1413](https://github.com/pocket-id/pocket-id/pull/1413) by @vtmocanu)
+- use valid Tailwind v4 transition class for auth animation squares ([#1415](https://github.com/pocket-id/pocket-id/pull/1415) by @CoolShades)
+- resolve posixGroup memberUid as bare usernames ([#1422](https://github.com/pocket-id/pocket-id/pull/1422) by @gucong3000)
+- prevent flickering if no background image is set on login page ([027e6f0](https://github.com/pocket-id/pocket-id/commit/027e6f078da0eec712ae22a04b37c86110cb262b) by @stonith404)
+- improve form input layout if description next to it is multi col ([9ec4683](https://github.com/pocket-id/pocket-id/commit/9ec4683d18036ba1945bffd4bce14ec4c2dff7f9) by @stonith404)
+- access token renewal bypasses important checks ([978ac87](https://github.com/pocket-id/pocket-id/commit/978ac87deffec58beaccd15aead975e91b94c8a5) by @stonith404)
+
+### Features
+
+- add ability to revoke passkeys of users as admin ([#1386](https://github.com/pocket-id/pocket-id/pull/1386) by @jose-d)
+- add auth method claim (`amr`) to tokens ([#1433](https://github.com/pocket-id/pocket-id/pull/1433) by @stonith404)
+- add TLS support for HTTP/2 server ([#1429](https://github.com/pocket-id/pocket-id/pull/1429) by @IngmarStein)
+- add OpenID Connect `prompt` Parameter Handling ([#1299](https://github.com/pocket-id/pocket-id/pull/1299) by @rjaakke)
+- return not found. on `/setup` if already completed ([444f7ff](https://github.com/pocket-id/pocket-id/commit/444f7ff2b0269c12f1dba334a37d7db2007e172f) by @stonith404)
+
+### Other
+
+- update AAGUIDs ([#1403](https://github.com/pocket-id/pocket-id/pull/1403) by @github-actions[bot])
+- upgrade dependencies ([f8f7222](https://github.com/pocket-id/pocket-id/commit/f8f7222468dad90f630ae18f7c3fd78e37ba3f77) by @stonith404)
+- combobox not closed in e2e test ([fbdb93f](https://github.com/pocket-id/pocket-id/commit/fbdb93f1a768a05e6e3f2c6fd32b5de50a745bc6) by @stonith404)
+- Security upgrade alpine from latest to 3.23.4 ([#1431](https://github.com/pocket-id/pocket-id/pull/1431) by @stonith404)
+- security upgrade alpine from latest to 3.23.4 ([#1432](https://github.com/pocket-id/pocket-id/pull/1432) by @stonith404)
+- add Catalan language files ([4f09de2](https://github.com/pocket-id/pocket-id/commit/4f09de2cfc7d1e92632116821493a670fc7ee80d) by @stonith404)
+- reduce complexity of `ValidateEnvConfig` and `initRouter` ([a0cb574](https://github.com/pocket-id/pocket-id/commit/a0cb57431372c2bcc59904342597845e92a42a93) by @stonith404)
+- pass context to `shutdownServer` ([ff26c42](https://github.com/pocket-id/pocket-id/commit/ff26c4273a061b7d2c84e7b74f1e0f9e0acc6eb0) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.5.0...v2.6.0
+
+## v2.5.0
+
+### Bug Fixes
+
+- better error messages when there's another instance of Pocket ID running ([#1370](https://github.com/pocket-id/pocket-id/pull/1370) by @ItalyPaleAle)
+- move tooltip inside of form input to prevent shifting ([#1369](https://github.com/pocket-id/pocket-id/pull/1369) by @GameTec-live)
+- derive LDAP admin access from group membership ([#1374](https://github.com/pocket-id/pocket-id/pull/1374) by @kmendell)
+- avoid fmt.Sprintf on custom GeoLiteDBUrl without %s placeholder ([#1384](https://github.com/pocket-id/pocket-id/pull/1384) by @choyri)
+- show a warning when SQLite DB is stored on NFS/SMB/FUSE ([#1381](https://github.com/pocket-id/pocket-id/pull/1381) by @ItalyPaleAle)
+- empty background restore after reboot ([#1379](https://github.com/pocket-id/pocket-id/pull/1379) by @taoso)
+- allow one-char username on signup ([#1378](https://github.com/pocket-id/pocket-id/pull/1378) by @taoso)
+
+### Features
+
+- allow use of svg, png, and ico images types for favicon ([#1289](https://github.com/pocket-id/pocket-id/pull/1289) by @taoso)
+- allow clearing background image ([#1290](https://github.com/pocket-id/pocket-id/pull/1290) by @taoso)
+- add `token_endpoint_auth_methods_supported` to `.well-known` ([#1388](https://github.com/pocket-id/pocket-id/pull/1388) by @owenvoke)
+- add TRUSTED_PLATFORM environment variable for gin ([#1372](https://github.com/pocket-id/pocket-id/pull/1372) by @choyri)
+
+### Other
+
+- add pr quality action ([e3905cf](https://github.com/pocket-id/pocket-id/commit/e3905cf3159fe0370778b0d7d3be64b4246d19be) by @stonith404)
+- separate querying LDAP and updating DB during sync ([#1371](https://github.com/pocket-id/pocket-id/pull/1371) by @ItalyPaleAle)
+- bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /backend in the go_modules group across 1 directory ([#1391](https://github.com/pocket-id/pocket-id/pull/1391) by @dependabot[bot])
+- Improve Latvian translations in lv.json ([#1382](https://github.com/pocket-id/pocket-id/pull/1382) by @Raito00)
+- ignore linter on app image bootstrap ([5251cd9](https://github.com/pocket-id/pocket-id/commit/5251cd97994177c96cb6f9ab3f88ca31367b5b55) by @kmendell)
+- upgrade dependencies ([e7e0176](https://github.com/pocket-id/pocket-id/commit/e7e0176316857186b9683e2f0cb0686189f86cfb) by @kmendell)
+- upgrade dependencies ([3c42a71](https://github.com/pocket-id/pocket-id/commit/3c42a713ce91b4061ffcf86d92cbb19294359ff8) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.4.0...v2.5.0
+
+## v2.4.0
+
+### Bug Fixes
+
+- improve wildcard matching by using `go-urlpattern` ([#1332](https://github.com/pocket-id/pocket-id/pull/1332) by @stonith404)
+- federated client credentials not working if sub ≠ client_id ([#1342](https://github.com/pocket-id/pocket-id/pull/1342) by @ItalyPaleAle)
+- handle IPv6 addresses in callback URLs ([#1355](https://github.com/pocket-id/pocket-id/pull/1355) by @ItalyPaleAle)
+- wildcard callback URLs blocked by browser-native URL validation ([#1359](https://github.com/pocket-id/pocket-id/pull/1359) by @Copilot)
+- one-time-access-token route should get user ID from URL only ([#1358](https://github.com/pocket-id/pocket-id/pull/1358) by @ItalyPaleAle)
+- various fixes in background jobs ([#1362](https://github.com/pocket-id/pocket-id/pull/1362) by @ItalyPaleAle)
+- use URL keyboard type for callback URL inputs ([a675d07](https://github.com/pocket-id/pocket-id/commit/a675d075d1ab9b7ff8160f1cfc35bc0ea1f1980a) by @stonith404)
+
+### Features
+
+- allow first name and display name to be optional ([#1288](https://github.com/pocket-id/pocket-id/pull/1288) by @taoso)
+
+### Other
+
+- bump svelte from 5.53.2 to 5.53.5 in the npm_and_yarn group across 1 directory ([#1348](https://github.com/pocket-id/pocket-id/pull/1348) by @dependabot[bot])
+- bump @sveltejs/kit from 2.53.0 to 2.53.3 in the npm_and_yarn group across 1 directory ([#1349](https://github.com/pocket-id/pocket-id/pull/1349) by @dependabot[bot])
+- update AAGUIDs ([#1354](https://github.com/pocket-id/pocket-id/pull/1354) by @github-actions[bot])
+- add Português files ([01141b8](https://github.com/pocket-id/pocket-id/commit/01141b8c0f2e96a40fd876d3206e49a694fd12c4) by @kmendell)
+- add Latvian files ([e0fc4cc](https://github.com/pocket-id/pocket-id/commit/e0fc4cc01bd51e5a97e46aad78a493a668049220) by @kmendell)
+- fix wrong seed data ([e7bd66d](https://github.com/pocket-id/pocket-id/commit/e7bd66d1a77c89dde542b4385ba01dc0d432e434) by @stonith404)
+- fix wrong seed data in `database.json` ([f4eb8db](https://github.com/pocket-id/pocket-id/commit/f4eb8db50993edacd90e919b39a5c6d9dd4924c7) by @stonith404)
+
+### Performance Improvements
+
+- frontend performance optimizations ([#1344](https://github.com/pocket-id/pocket-id/pull/1344) by @ItalyPaleAle)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.3.0...v2.4.0
+
+## v2.3.0
+
+### Bug Fixes
+
+- ENCRYPTION_KEY needed for version and help commands ([#1256](https://github.com/pocket-id/pocket-id/pull/1256) by @kmendell)
+- prevent deletion of OIDC provider logo for non admin/anonymous users ([#1267](https://github.com/pocket-id/pocket-id/pull/1267) by @HiMoritz)
+- add `type="url"` to url inputs ([bb7b0d5](https://github.com/pocket-id/pocket-id/commit/bb7b0d56084df49b6a003cc3eaf076884e2cbf60) by @stonith404)
+- increase rate limit for frontend and api requests ([aab7e36](https://github.com/pocket-id/pocket-id/commit/aab7e364e85f1ce13950da93cc50324328cdd96d) by @stonith404)
+- decode URL-encoded client ID and secret in Basic auth ([#1263](https://github.com/pocket-id/pocket-id/pull/1263) by @ypomortsev)
+- token endpoint must not accept params as query string args ([#1321](https://github.com/pocket-id/pocket-id/pull/1321) by @ItalyPaleAle)
+- left align input error messages ([b3fe143](https://github.com/pocket-id/pocket-id/commit/b3fe14313684f9d8c389ed93ea8e479e3681b5c6) by @stonith404)
+- disallow API key renewal and creation with API key authentication ([#1334](https://github.com/pocket-id/pocket-id/pull/1334) by @stonith404)
+
+### Features
+
+- add VERSION_CHECK_DISABLED environment variable ([#1254](https://github.com/pocket-id/pocket-id/pull/1254) by @dihmandrake)
+- add support for HTTP/2 ([56afebc](https://github.com/pocket-id/pocket-id/commit/56afebc242be7ed14b58185425d6445bf18f640a) by @stonith404)
+- manageability of uncompressed geolite db file ([#1234](https://github.com/pocket-id/pocket-id/pull/1234) by @gucheen)
+- add JWT ID for generated tokens ([#1322](https://github.com/pocket-id/pocket-id/pull/1322) by @imnotjames)
+- current version api endpoint ([#1310](https://github.com/pocket-id/pocket-id/pull/1310) by @kmendell)
+
+### Other
+
+- bump @sveltejs/kit from 2.49.2 to 2.49.5 in the npm_and_yarn group across 1 directory ([#1240](https://github.com/pocket-id/pocket-id/pull/1240) by @dependabot[bot])
+- bump svelte from 5.46.1 to 5.46.4 in the npm_and_yarn group across 1 directory ([#1242](https://github.com/pocket-id/pocket-id/pull/1242) by @dependabot[bot])
+- bump devalue to 5.6.2 ([9dbc02e](https://github.com/pocket-id/pocket-id/commit/9dbc02e56871b2de6a39c443e1455efc26a949f7) by @kmendell)
+- upgrade deps ([4811625](https://github.com/pocket-id/pocket-id/commit/4811625cdd64b47ea67b7a9b03396e455896ccd6) by @kmendell)
+- add Estonian files ([53ef61a](https://github.com/pocket-id/pocket-id/commit/53ef61a3e5c4b77edec49d41ab94302bfec84269) by @kmendell)
+- update AAGUIDs ([#1257](https://github.com/pocket-id/pocket-id/pull/1257) by @github-actions[bot])
+- add Norwegian language files ([80558c5](https://github.com/pocket-id/pocket-id/commit/80558c562533e7b4d658d5baa4221d8cd209b47d) by @stonith404)
+- run formatter ([60825c5](https://github.com/pocket-id/pocket-id/commit/60825c5743b0e233ab622fd4d0ea04eb7ab59529) by @kmendell)
+- bump axios from 1.13.2 to 1.13.5 in the npm_and_yarn group across 1 directory ([#1309](https://github.com/pocket-id/pocket-id/pull/1309) by @dependabot[bot])
+- update dependenicies ([94a4897](https://github.com/pocket-id/pocket-id/commit/94a48977ba24e099b6221838d620c365eb1d4bf4) by @kmendell)
+- update AAGUIDs ([#1316](https://github.com/pocket-id/pocket-id/pull/1316) by @github-actions[bot])
+- bump svelte from 5.46.4 to 5.51.5 in the npm_and_yarn group across 1 directory ([#1324](https://github.com/pocket-id/pocket-id/pull/1324) by @dependabot[bot])
+- bump @sveltejs/kit from 2.49.5 to 2.52.2 in the npm_and_yarn group across 1 directory ([#1327](https://github.com/pocket-id/pocket-id/pull/1327) by @dependabot[bot])
+- upgrade dependencies ([0678699](https://github.com/pocket-id/pocket-id/commit/0678699d0cce5448c425b2c16bedab5fc242cbf0) by @stonith404)
+- upgrade to node 24 and go 1.26.0 ([#1328](https://github.com/pocket-id/pocket-id/pull/1328) by @kmendell)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.2.0...v2.3.0
+
+## v2.2.0
+
+### Bug Fixes
+
+- allow changing "require email address" if no SMTP credentials present ([8c68b08](https://github.com/pocket-id/pocket-id/commit/8c68b08c12ba371deda61662e3d048d63d07c56f) by @stonith404)
+- data import from sqlite to postgres fails because of wrong datatype ([1a032a8](https://github.com/pocket-id/pocket-id/commit/1a032a812ef78b250a898d14bec73a8ef7a7859a) by @stonith404)
+- user can't update account if email is empty ([5828fa5](https://github.com/pocket-id/pocket-id/commit/5828fa57791314594625d52475733dce23cc2fcc) by @stonith404)
+- login codes sent by an admin incorrectly requires a device token ([03f9be0](https://github.com/pocket-id/pocket-id/commit/03f9be0d125732e02a8e2c5390d9e6d0c74ce957) by @stonith404)
+- allow exchanging logic code if already authenticated ([0e2cdc3](https://github.com/pocket-id/pocket-id/commit/0e2cdc393e34276bb3b8ea318cdc7261de3f2dec) by @stonith404)
+- db version downgrades don't downgrade db schema ([4df4bcb](https://github.com/pocket-id/pocket-id/commit/4df4bcb6451b4bf88093e04f3222c8737f2c7be3) by @stonith404)
+- use user specific email verified claim instead of global one ([2a11c3e](https://github.com/pocket-id/pocket-id/commit/2a11c3e60942d45c2e5b422d99945bce65a622a2) by @stonith404)
+
+### Features
+
+- add CLI command for encryption key rotation ([#1209](https://github.com/pocket-id/pocket-id/pull/1209) by @stonith404)
+- improve passkey error messages ([2f25861](https://github.com/pocket-id/pocket-id/commit/2f25861d15aefa868042e70d3e21b7b38a6ae679) by @stonith404)
+- make home page URL configurable ([#1215](https://github.com/pocket-id/pocket-id/pull/1215) by @stonith404)
+- add option to renew API key ([#1214](https://github.com/pocket-id/pocket-id/pull/1214) by @stonith404)
+- add support for email verification ([#1223](https://github.com/pocket-id/pocket-id/pull/1223) by @stonith404)
+- add environment variable to disable built-in rate limiting ([9ca3d33](https://github.com/pocket-id/pocket-id/commit/9ca3d33c8897cf49a871783058205bb180529cd2) by @stonith404)
+- add static api key env variable ([#1229](https://github.com/pocket-id/pocket-id/pull/1229) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.1.0...v2.2.0
+
+## v2.1.0
+
+### Bug Fixes
+
+- invalid cookie name for email login code device token ([d6a7b50](https://github.com/pocket-id/pocket-id/commit/d6a7b503ff4571b1291a55a569add3374f5e2d5b) by @stonith404)
+
+### Features
+
+- add issuer url to oidc client details list ([#1197](https://github.com/pocket-id/pocket-id/pull/1197) by @kmendell)
+- process nonce within device authorization flow ([#1185](https://github.com/pocket-id/pocket-id/pull/1185) by @justincmoy)
+
+### Other
+
+- run SCIM jobs in context of gocron instead of custom implementation ([4881130](https://github.com/pocket-id/pocket-id/commit/4881130eadcef0642f8a87650b7c36fda453b51b) by @stonith404)
+
+**Full Changelog**: https://github.com/pocket-id/pocket-id/compare/v2.0.2...v2.1.0
+
 ## v2.0.2
 
 ### Bug Fixes

CONTRIBUTING.md

@@ -21,7 +21,6 @@ Before you submit the pull request for review please ensure that
   ```
 
   Where `TYPE` can be:
-
   - **feat** - is a new feature
   - **doc** - documentation only changes
   - **fix** - a bug fix
@@ -51,8 +50,8 @@ If you use [Dev Containers](https://code.visualstudio.com/docs/remote/containers
 
 If you don't use Dev Containers, you need to install the following tools manually:
 
-- [Node.js](https://nodejs.org/en/download/) >= 22
-- [Go](https://golang.org/doc/install) >= 1.25
+- [Node.js](https://nodejs.org/en/download/) >= 24
+- [Go](https://golang.org/doc/install) >= 1.26
 - [Git](https://git-scm.com/downloads)
 
 ### 2. Setup

backend/frontend/frontend_excluded.go

@@ -2,8 +2,11 @@
 
 package frontend
 
-import "github.com/gin-gonic/gin"
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
 
-func RegisterFrontend(router *gin.Engine) error {
+func RegisterFrontend(router *gin.Engine, oidcService *service.OidcService) error {
 	return ErrFrontendNotIncluded
 }

backend/frontend/frontend_included.go

@@ -8,13 +8,16 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"mime"
 	"net/http"
-	"os"
+	"path"
 	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"golang.org/x/time/rate"
 )
 
 //go:embed all:dist/*
@@ -52,16 +55,23 @@ func init() {
 	}
 }
 
-func RegisterFrontend(router *gin.Engine) error {
+func RegisterFrontend(router *gin.Engine, oidcService *service.OidcService) error {
 	distFS, err := fs.Sub(frontendFS, "dist")
 	if err != nil {
 		return fmt.Errorf("failed to create sub FS: %w", err)
 	}
 
-	cacheMaxAge := time.Hour * 24
-	fileServer := NewFileServerWithCaching(http.FS(distFS), int(cacheMaxAge.Seconds()))
+	// Load a map of all files to see which ones are available pre-compressed
+	preCompressed, err := listPreCompressedAssets(distFS)
+	if err != nil {
+		return fmt.Errorf("failed to index pre-compressed frontend assets: %w", err)
+	}
 
-	router.NoRoute(func(c *gin.Context) {
+	// Init the file server
+	fileServer := NewFileServerWithCaching(http.FS(distFS), preCompressed)
+
+	// Handler for Gin
+	handler := func(c *gin.Context) {
 		path := strings.TrimPrefix(c.Request.URL.Path, "/")
 
 		if strings.HasSuffix(path, "/") {
@@ -74,16 +84,19 @@ func RegisterFrontend(router *gin.Engine) error {
 			return
 		}
 
-		// If path is / or does not exist, serve index.html
-		if path == "" {
-			path = "index.html"
-		} else if _, err := fs.Stat(distFS, path); os.IsNotExist(err) {
-			path = "index.html"
-		}
-
-		if path == "index.html" {
+		if isSPARequest(path, distFS) {
 			nonce := middleware.GetCSPNonce(c)
 
+			if isOAuth2AuthorizationPostRequest(c) {
+				// In that case, we need to validate and allow form submissions to the redirect_uri
+				redirectURI := c.Query("redirect_uri")
+				clientID := c.Query("client_id")
+				validatedRedirectURI, err := oidcService.ResolveAllowedCallbackURL(c.Request.Context(), clientID, redirectURI)
+				if err == nil {
+					c.Header("Content-Security-Policy", middleware.BuildCSP(nonce, validatedRedirectURI))
+				}
+			}
+
 			// Do not cache the HTML shell, as it embeds a per-request nonce
 			c.Header("Content-Type", "text/html; charset=utf-8")
 			c.Header("Cache-Control", "no-store")
@@ -97,43 +110,184 @@ func RegisterFrontend(router *gin.Engine) error {
 		// Serve other static assets with caching
 		c.Request.URL.Path = "/" + path
 		fileServer.ServeHTTP(c.Writer, c.Request)
-	})
+	}
+
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(300*time.Millisecond), 50)
+	router.NoRoute(rateLimitOnlyForOAuth2AuthorizationPostRequest(rateLimitMiddleware, distFS), handler)
 
 	return nil
 }
 
+func rateLimitOnlyForOAuth2AuthorizationPostRequest(rateLimitMiddleware gin.HandlerFunc, distFS fs.FS) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		path := strings.TrimPrefix(c.Request.URL.Path, "/")
+		if isSPARequest(path, distFS) && isOAuth2AuthorizationPostRequest(c) {
+			rateLimitMiddleware(c)
+			return
+		}
+
+		c.Next()
+	}
+}
+
+// isOAuth2AuthorizationRequest checks if this is an OAuth2 authorization request with response_mode=form_post
+// In that case, we need to validate and allow form submissions to the redirect_uri
+func isOAuth2AuthorizationPostRequest(c *gin.Context) bool {
+	responseMode := c.Query("response_mode")
+	redirectURI := c.Query("redirect_uri")
+	clientID := c.Query("client_id")
+
+	return responseMode == "form_post" && redirectURI != "" && clientID != ""
+}
+
+func isSPARequest(path string, distFS fs.FS) bool {
+	if path == "" {
+		return true
+	}
+
+	if _, err := fs.Stat(distFS, path); err != nil {
+		return true
+	}
+
+	return false
+}
+
 // FileServerWithCaching wraps http.FileServer to add caching headers
 type FileServerWithCaching struct {
 	root                    http.FileSystem
 	lastModified            time.Time
-	cacheMaxAge             int
 	lastModifiedHeaderValue string
-	cacheControlHeaderValue string
+	preCompressed           preCompressedMap
 }
 
-func NewFileServerWithCaching(root http.FileSystem, maxAge int) *FileServerWithCaching {
+func NewFileServerWithCaching(root http.FileSystem, preCompressed preCompressedMap) *FileServerWithCaching {
 	return &FileServerWithCaching{
 		root:                    root,
 		lastModified:            time.Now(),
-		cacheMaxAge:             maxAge,
 		lastModifiedHeaderValue: time.Now().UTC().Format(http.TimeFormat),
-		cacheControlHeaderValue: fmt.Sprintf("public, max-age=%d", maxAge),
+		preCompressed:           preCompressed,
 	}
 }
 
 func (f *FileServerWithCaching) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// Check if the client has a cached version
-	if ifModifiedSince := r.Header.Get("If-Modified-Since"); ifModifiedSince != "" {
-		ifModifiedSinceTime, err := time.Parse(http.TimeFormat, ifModifiedSince)
-		if err == nil && f.lastModified.Before(ifModifiedSinceTime.Add(1*time.Second)) {
-			// Client's cached version is up to date
-			w.WriteHeader(http.StatusNotModified)
-			return
+	// First, set cache headers
+	// Check if the request is for an immutable asset
+	if isImmutableAsset(r) {
+		// Set the cache control header as immutable with a long expiration
+		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+	} else {
+		// Check if the client has a cached version
+		ifModifiedSince := r.Header.Get("If-Modified-Since")
+		if ifModifiedSince != "" {
+			ifModifiedSinceTime, err := time.Parse(http.TimeFormat, ifModifiedSince)
+			if err == nil && f.lastModified.Before(ifModifiedSinceTime.Add(1*time.Second)) {
+				// Client's cached version is up to date
+				w.WriteHeader(http.StatusNotModified)
+				return
+			}
+		}
+
+		// Cache other assets for up to 24 hours, but set Last-Modified too
+		w.Header().Set("Last-Modified", f.lastModifiedHeaderValue)
+		w.Header().Set("Cache-Control", "public, max-age=86400")
+	}
+
+	// Check if the asset is available pre-compressed
+	_, ok := f.preCompressed[r.URL.Path]
+	if ok {
+		// Add a "Vary" with "Accept-Encoding" so CDNs are aware that content is pre-compressed
+		w.Header().Add("Vary", "Accept-Encoding")
+
+		// Select the encoding if any
+		ext, ce := f.selectEncoding(r)
+		if ext != "" {
+			// Set the content type explicitly before changing the path
+			ct := mime.TypeByExtension(path.Ext(r.URL.Path))
+			if ct != "" {
+				w.Header().Set("Content-Type", ct)
+			}
+
+			// Make the serve return the encoded content
+			w.Header().Set("Content-Encoding", ce)
+			r.URL.Path += "." + ext
 		}
 	}
 
-	w.Header().Set("Last-Modified", f.lastModifiedHeaderValue)
-	w.Header().Set("Cache-Control", f.cacheControlHeaderValue)
-
 	http.FileServer(f.root).ServeHTTP(w, r)
 }
+
+func (f *FileServerWithCaching) selectEncoding(r *http.Request) (ext string, contentEnc string) {
+	available, ok := f.preCompressed[r.URL.Path]
+	if !ok {
+		return "", ""
+	}
+
+	// Check if the client accepts compressed files
+	acceptEncoding := strings.TrimSpace(strings.ToLower(r.Header.Get("Accept-Encoding")))
+	if acceptEncoding == "" {
+		return "", ""
+	}
+
+	// Prefer brotli over gzip when both are accepted.
+	if available.br && (acceptEncoding == "*" || acceptEncoding == "br" || strings.Contains(acceptEncoding, "br")) {
+		return "br", "br"
+	}
+	if available.gz && (acceptEncoding == "gzip" || strings.Contains(acceptEncoding, "gzip")) {
+		return "gz", "gzip"
+	}
+
+	return "", ""
+}
+
+func isImmutableAsset(r *http.Request) bool {
+	switch {
+	// Fonts
+	case strings.HasPrefix(r.URL.Path, "/fonts/"):
+		return true
+
+	// Compiled SvelteKit assets
+	case strings.HasPrefix(r.URL.Path, "/_app/immutable/"):
+		return true
+
+	default:
+		return false
+	}
+}
+
+type preCompressedMap map[string]struct {
+	br bool
+	gz bool
+}
+
+func listPreCompressedAssets(distFS fs.FS) (preCompressedMap, error) {
+	preCompressed := make(preCompressedMap, 0)
+	err := fs.WalkDir(distFS, ".", func(path string, d fs.DirEntry, walkErr error) error {
+		if walkErr != nil {
+			return walkErr
+		}
+
+		if d.IsDir() {
+			return nil
+		}
+
+		switch {
+		case strings.HasSuffix(path, ".br"):
+			originalPath := "/" + strings.TrimSuffix(path, ".br")
+			entry := preCompressed[originalPath]
+			entry.br = true
+			preCompressed[originalPath] = entry
+		case strings.HasSuffix(path, ".gz"):
+			originalPath := "/" + strings.TrimSuffix(path, ".gz")
+			entry := preCompressed[originalPath]
+			entry.gz = true
+			preCompressed[originalPath] = entry
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return preCompressed, nil
+}

backend/frontend/frontend_included_test.go

@@ -0,0 +1,111 @@
+//go:build !exclude_frontend
+
+package frontend
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"testing/fstest"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSPARequest(t *testing.T) {
+	distFS := fstest.MapFS{
+		"assets/app.js": &fstest.MapFile{Data: []byte("console.log('test')")},
+	}
+
+	t.Run("root path is spa request", func(t *testing.T) {
+		assert.True(t, isSPARequest("", distFS))
+	})
+
+	t.Run("existing bundled asset is not spa request", func(t *testing.T) {
+		assert.False(t, isSPARequest("assets/app.js", distFS))
+	})
+
+	t.Run("unknown path is spa request", func(t *testing.T) {
+		assert.True(t, isSPARequest("authorize", distFS))
+	})
+}
+
+func TestRateLimitOnlyForOAuth2AuthorizationPostRequest(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	distFS := fstest.MapFS{
+		"assets/app.js": &fstest.MapFile{Data: []byte("console.log('test')")},
+	}
+
+	t.Run("rate limits spa form_post request", func(t *testing.T) {
+		rateLimited := false
+		nextCalled := false
+		middleware := rateLimitOnlyForOAuth2AuthorizationPostRequest(func(c *gin.Context) {
+			rateLimited = true
+			c.Abort()
+		}, distFS)
+
+		router := gin.New()
+		router.NoRoute(
+			middleware,
+			func(c *gin.Context) {
+				nextCalled = true
+			},
+		)
+
+		recorder := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/authorize?response_mode=form_post&client_id=test&redirect_uri=https://example.com/callback", nil)
+		router.ServeHTTP(recorder, req)
+
+		assert.True(t, rateLimited)
+		assert.False(t, nextCalled)
+	})
+
+	t.Run("does not rate limit page request with no form_post params", func(t *testing.T) {
+		rateLimited := false
+		nextCalled := false
+		middleware := rateLimitOnlyForOAuth2AuthorizationPostRequest(func(c *gin.Context) {
+			rateLimited = true
+			c.Abort()
+		}, distFS)
+
+		router := gin.New()
+		router.NoRoute(
+			middleware,
+			func(c *gin.Context) {
+				nextCalled = true
+			},
+		)
+
+		recorder := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/authorize", nil)
+		router.ServeHTTP(recorder, req)
+
+		assert.False(t, rateLimited)
+		assert.True(t, nextCalled)
+	})
+
+	t.Run("does not rate limit static asset request with form_post params", func(t *testing.T) {
+		rateLimited := false
+		nextCalled := false
+		middleware := rateLimitOnlyForOAuth2AuthorizationPostRequest(func(c *gin.Context) {
+			rateLimited = true
+			c.Abort()
+		}, distFS)
+
+		router := gin.New()
+		router.NoRoute(
+			middleware,
+			func(c *gin.Context) {
+				nextCalled = true
+			},
+		)
+
+		recorder := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/assets/app.js?response_mode=form_post&client_id=test&redirect_uri=https://example.com/callback", nil)
+		router.ServeHTTP(recorder, req)
+
+		assert.False(t, rateLimited)
+		assert.True(t, nextCalled)
+	})
+}

backend/go.mod

@@ -1,109 +1,112 @@
 module github.com/pocket-id/pocket-id/backend
 
-go 1.25
+go 1.26.0
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.41.0
-	github.com/aws/aws-sdk-go-v2/config v1.32.6
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.6
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0
-	github.com/aws/smithy-go v1.24.0
-	github.com/caarlos0/env/v11 v11.3.1
+	github.com/aws/aws-sdk-go-v2 v1.41.6
+	github.com/aws/aws-sdk-go-v2/config v1.32.16
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.15
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.1
+	github.com/aws/smithy-go v1.25.0
+	github.com/caarlos0/env/v11 v11.4.0
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
 	github.com/disintegration/imaging v1.6.2
+	github.com/dunglas/go-urlpattern v0.0.0-20241020164140-716dfa1c80b1
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
 	github.com/emersion/go-smtp v0.24.0
-	github.com/gin-contrib/slog v1.2.0
-	github.com/gin-gonic/gin v1.11.0
+	github.com/fsnotify/fsnotify v1.9.0
+	github.com/gin-contrib/slog v1.2.1
+	github.com/gin-gonic/gin v1.12.0
 	github.com/glebarez/go-sqlite v1.22.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-co-op/gocron/v2 v2.19.0
-	github.com/go-ldap/ldap/v3 v3.4.12
-	github.com/go-playground/validator/v10 v10.30.1
-	github.com/go-webauthn/webauthn v0.15.0
+	github.com/go-co-op/gocron/v2 v2.21.0
+	github.com/go-ldap/ldap/v3 v3.4.13
+	github.com/go-playground/validator/v10 v10.30.2
+	github.com/go-webauthn/webauthn v0.16.5
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/jinzhu/copier v0.4.0
 	github.com/joho/godotenv v1.5.1
-	github.com/lestrrat-go/httprc/v3 v3.0.3
-	github.com/lestrrat-go/jwx/v3 v3.0.12
-	github.com/lmittmann/tint v1.1.2
-	github.com/mattn/go-isatty v0.0.20
+	github.com/lestrrat-go/httprc/v3 v3.0.5
+	github.com/lestrrat-go/jwx/v3 v3.1.0
+	github.com/lmittmann/tint v1.1.3
+	github.com/mattn/go-isatty v0.0.21
 	github.com/mileusna/useragent v1.3.5
 	github.com/orandin/slog-gorm v1.4.0
 	github.com/oschwald/maxminddb-golang/v2 v2.1.1
 	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
-	go.opentelemetry.io/contrib/bridges/otelslog v0.14.0
-	go.opentelemetry.io/contrib/exporters/autoexport v0.64.0
-	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.64.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
-	go.opentelemetry.io/otel v1.39.0
-	go.opentelemetry.io/otel/log v0.15.0
-	go.opentelemetry.io/otel/metric v1.39.0
-	go.opentelemetry.io/otel/sdk v1.39.0
-	go.opentelemetry.io/otel/sdk/log v0.15.0
-	go.opentelemetry.io/otel/sdk/metric v1.39.0
-	go.opentelemetry.io/otel/trace v1.39.0
-	golang.org/x/crypto v0.46.0
-	golang.org/x/image v0.34.0
-	golang.org/x/sync v0.19.0
-	golang.org/x/text v0.32.0
-	golang.org/x/time v0.14.0
+	go.opentelemetry.io/contrib/bridges/otelslog v0.18.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.68.0
+	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.68.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0
+	go.opentelemetry.io/otel v1.43.0
+	go.opentelemetry.io/otel/log v0.19.0
+	go.opentelemetry.io/otel/metric v1.43.0
+	go.opentelemetry.io/otel/sdk v1.43.0
+	go.opentelemetry.io/otel/sdk/log v0.19.0
+	go.opentelemetry.io/otel/sdk/metric v1.43.0
+	go.opentelemetry.io/otel/trace v1.43.0
+	golang.org/x/crypto v0.50.0
+	golang.org/x/image v0.39.0
+	golang.org/x/net v0.53.0
+	golang.org/x/sync v0.20.0
+	golang.org/x/text v0.36.0
+	golang.org/x/time v0.15.0
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.31.1
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.1.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.9 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.42.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic v1.14.2 // indirect
-	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/bits-and-blooms/bitset v1.24.4 // indirect
+	github.com/bytedance/gopkg v0.1.4 // indirect
+	github.com/bytedance/sonic v1.15.0 // indirect
+	github.com/bytedance/sonic/loader v0.5.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 // indirect
 	github.com/disintegration/gift v1.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
-	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
+	github.com/gin-contrib/sse v1.1.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/go-webauthn/x v0.1.27 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/goccy/go-yaml v1.19.1 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
+	github.com/go-webauthn/x v0.2.3 // indirect
+	github.com/goccy/go-json v0.10.6 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/go-github/v39 v39.2.0 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
 	github.com/google/go-tpm v0.9.8 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.8.0 // indirect
+	github.com/jackc/pgx/v5 v5.9.1 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -112,60 +115,63 @@ require (
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
-	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig v1.2.1 // indirect
 	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
-	github.com/mattn/go-sqlite3 v1.14.33 // indirect
+	github.com/lib/pq v1.12.3 // indirect
+	github.com/mattn/go-sqlite3 v1.14.42 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/nlnwa/whatwg-url v0.6.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.0 // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
-	github.com/quic-go/quic-go v0.58.0 // indirect
+	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/tinylib/msgp v1.6.4 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
-	github.com/valyala/fastjson v1.6.7 // indirect
+	github.com/valyala/fastjson v1.6.10 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/bridges/prometheus v0.64.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.15.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.15.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/prometheus v0.61.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.15.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/arch v0.23.0 // indirect
-	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 // indirect
-	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.68.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.65.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.4 // indirect
+	golang.org/x/arch v0.26.0 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d // indirect
+	google.golang.org/grpc v1.80.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.67.4 // indirect
+	modernc.org/libc v1.71.0 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.42.2 // indirect
+	modernc.org/sqlite v1.48.2 // indirect
 )

backend/go.sum

@@ -6,54 +6,55 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4=
-github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
-github.com/aws/aws-sdk-go-v2/config v1.32.6 h1:hFLBGUKjmLAekvi1evLi5hVvFQtSo3GYwi+Bx4lpJf8=
-github.com/aws/aws-sdk-go-v2/config v1.32.6/go.mod h1:lcUL/gcd8WyjCrMnxez5OXkO3/rwcNmvfno62tnXNcI=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.6 h1:F9vWao2TwjV2MyiyVS+duza0NIRtAslgLUM0vTA1ZaE=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.6/go.mod h1:SgHzKjEVsdQr6Opor0ihgWtkWdfRAIwxYzSJ8O85VHY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 h1:80+uETIWS1BqjnN9uJ0dBUaETh+P1XwFy5vwHwK5r9k=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16/go.mod h1:wOOsYuxYuB/7FlnVtzeBYRcjSRtQpAW0hCP7tIULMwo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 h1:rgGwPzb82iBYSvHMHXc8h9mRoOUBZIGFgKb9qniaZZc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16/go.mod h1:L/UxsGeKpGoIj6DxfhOWHWQ/kGKcd4I1VncE4++IyKA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx2F0xmJcOw5374L7N6juGW6x6U=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 h1:CjMzUs78RDDv4ROu3JnJn/Ig1r6ZD7/T2DXLLRpejic=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16/go.mod h1:uVW4OLBqbJXSHJYA9svT9BluSvvwbzLQ2Crf6UPzR3c=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 h1:DIBqIrJ7hv+e4CmIk2z3pyKT+3B6qVMgRsawHiR3qso=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7/go.mod h1:vLm00xmBke75UmpNvOcZQ/Q30ZFjbczeLFqGx5urmGo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 h1:NSbvS17MlI2lurYgXnCOLvCFX38sBW4eiVER7+kkgsU=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16/go.mod h1:SwT8Tmqd4sA6G1qaGdzWCJN99bUmPGHfRwwq3G5Qb+A=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0 h1:MIWra+MSq53CFaXXAywB2qg9YvVZifkk6vEGl/1Qor0=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.95.0/go.mod h1:79S2BdqCJpScXZA2y+cpZuocWsjGjJINyXnOsf5DTz8=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 h1:HpI7aMmJ+mm1wkSHIA2t5EaFFv5EFYXePW30p1EIrbQ=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.4/go.mod h1:C5RdGMYGlfM0gYq/tifqgn4EbyX99V15P2V3R+VHbQU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.8 h1:aM/Q24rIlS3bRAhTyFurowU8A0SMyGDtEOY/l/s/1Uw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.8/go.mod h1:+fWt2UHSb4kS7Pu8y+BMBvJF0EWx+4H0hzNwtDNRTrg=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 h1:AHDr0DaHIAo8c9t1emrzAlVDFp+iMMKnPdYy6XO4MCE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12/go.mod h1:GQ73XawFFiWxyWXMHWfhiomvP3tXtdNar/fi8z18sx0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 h1:SciGFVNZ4mHdm7gpD1dgZYnCuVdX1s+lFTg4+4DOy70=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.5/go.mod h1:iW40X4QBmUxdP+fZNOpfmkdMZqsovezbAeO+Ubiv2pk=
-github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
-github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/aws-sdk-go-v2 v1.41.6 h1:1AX0AthnBQzMx1vbmir3Y4WsnJgiydmnJjiLu+LvXOg=
+github.com/aws/aws-sdk-go-v2 v1.41.6/go.mod h1:dy0UzBIfwSeot4grGvY1AqFWN5zgziMmWGzysDnHFcQ=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.9 h1:adBsCIIpLbLmYnkQU+nAChU5yhVTvu5PerROm+/Kq2A=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.9/go.mod h1:uOYhgfgThm/ZyAuJGNQ5YgNyOlYfqnGpTHXvk3cpykg=
+github.com/aws/aws-sdk-go-v2/config v1.32.16 h1:Q0iQ7quUgJP0F/SCRTieScnaMdXr9h/2+wze1u3cNeM=
+github.com/aws/aws-sdk-go-v2/config v1.32.16/go.mod h1:duCCnJEFqpt2RC6no1iK6q+8HpwOAkiUua0pY507dQc=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.15 h1:fyvgWTszojq8hEnMi8PPBTvZdTtEVmAVyo+NFLHBhH4=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.15/go.mod h1:gJiYyMOjNg8OEdRWOf3CrFQxM2a98qmrtjx1zuiQfB8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22 h1:IOGsJ1xVWhsi+ZO7/NW8OuZZBtMJLZbk4P5HDjJO0jQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22/go.mod h1:b+hYdbU+jGKfXE8kKM6g1+h+L/Go3vMvzlxBsiuGsxg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 h1:GmLa5Kw1ESqtFpXsx5MmC84QWa/ZrLZvlJGa2y+4kcQ=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22/go.mod h1:6sW9iWm9DK9YRpRGga/qzrzNLgKpT2cIxb7Vo2eNOp0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 h1:dY4kWZiSaXIzxnKlj17nHnBcXXBfac6UlsAx2qL6XrU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22/go.mod h1:KIpEUx0JuRZLO7U6cbV204cWAEco2iC3l061IxlwLtI=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23 h1:FPXsW9+gMuIeKmz7j6ENWcWtBGTe1kH8r9thNt5Uxx4=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23/go.mod h1:7J8iGMdRKk6lw2C+cMIphgAnT8uTwBwNOsGkyOCm80U=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8 h1:HtOTYcbVcGABLOVuPYaIihj6IlkqubBwFj10K5fxRek=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8/go.mod h1:VsK9abqQeGlzPgUr+isNWzPlK2vKe9INMLWnY65f5Xs=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.14 h1:xnvDEnw+pnj5mctWiYuFbigrEzSm35x7k4KS/ZkCANg=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.14/go.mod h1:yS5rNogD8e0Wu9+l3MUwr6eENBzEeGejvINpN5PAYfY=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22 h1:PUmZeJU6Y1Lbvt9WFuJ0ugUK2xn6hIWUBBbKuOWF30s=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22/go.mod h1:nO6egFBoAaoXze24a2C0NjQCvdpk8OueRoYimvEB9jo=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.22 h1:SE+aQ4DEqG53RRCAIHlCf//B2ycxGH7jFkpnAh/kKPM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.22/go.mod h1:ES3ynECd7fYeJIL6+oax+uIEljmfps0S70BaQzbMd/o=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.99.1 h1:kU/eBN5+MWNo/LcbNa4hWDdN76hdcd7hocU5kvu7IsU=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.99.1/go.mod h1:Fw9aqhJicIVee1VytBBjH+l+5ov6/PhbtIK/u3rt/ls=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.10 h1:a1Fq/KXn75wSzoJaPQTgZO0wHGqE9mjFnylnqEPTchA=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.10/go.mod h1:p6+MXNxW7IA6dMgHfTAzljuwSKD0NCm/4lbS4t6+7vI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.16 h1:x6bKbmDhsgSZwv6q19wY/u3rLk/3FGjJWyqKcIRufpE=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.16/go.mod h1:CudnEVKRtLn0+3uMV0yEXZ+YZOKnAtUJ5DmDhilVnIw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20 h1:oK/njaL8GtyEihkWMD4k3VgHCT64RQKkZwh0DG5j8ak=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20/go.mod h1:JHs8/y1f3zY7U5WcuzoJ/yAYGYtNIVPKLIbp61euvmg=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.0 h1:ks8KBcZPh3PYISr5dAiXCM5/Thcuxk8l+PG4+A0exds=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.0/go.mod h1:pFw33T0WLvXU3rw1WBkpMlkgIn54eCB5FYLhjDc9Foo=
+github.com/aws/smithy-go v1.25.0 h1:Sz/XJ64rwuiKtB6j98nDIPyYrV1nVNJ4YU74gttcl5U=
+github.com/aws/smithy-go v1.25.0/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
-github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
-github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
-github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
-github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
-github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
-github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/bits-and-blooms/bitset v1.20.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bits-and-blooms/bitset v1.24.4 h1:95H15Og1clikBrKr/DuzMXkQzECs1M6hhoGXLwLQOZE=
+github.com/bits-and-blooms/bitset v1.24.4/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/bytedance/gopkg v0.1.4 h1:oZnQwnX82KAIWb7033bEwtxvTqXcYMxDBaQxo5JJHWM=
+github.com/bytedance/gopkg v0.1.4/go.mod h1:v1zWfPm21Fb+OsyXN2VAHdL6TBb2L88anLQgdyje6R4=
+github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
+github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
+github.com/bytedance/sonic/loader v0.5.1 h1:Ygpfa9zwRCCKSlrp5bBP/b/Xzc3VxsAW+5NIYXrOOpI=
+github.com/bytedance/sonic/loader v0.5.1/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/caarlos0/env/v11 v11.4.0 h1:Kcb6t5kIIr4XkoQC9AF2j+8E1Jsrl3Wz/hhm1LtoGAc=
+github.com/caarlos0/env/v11 v11.4.0/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -69,8 +70,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 h1:5RVFMOWjMyRy8cARdy79nAmgYw3hK/4HUq48LQ6Wwqo=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
 github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
 github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
@@ -88,6 +89,8 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dunglas/go-urlpattern v0.0.0-20241020164140-716dfa1c80b1 h1:RW22Y3QjGrb97NUA8yupdFcaqg//+hMI2fZrETBvQ4s=
+github.com/dunglas/go-urlpattern v0.0.0-20241020164140-716dfa1c80b1/go.mod h1:mnVcdqOeYg0HvT6veRo7wINa1mJ+lC/R4ig2lWcapSI=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3DfFi4EXdT+B+gTtzx8GC9xsc26Znk=
@@ -96,26 +99,28 @@ github.com/emersion/go-smtp v0.24.0 h1:g6AfoF140mvW0vLNPD/LuCBLEAdlxOjIXqbIkJIS6
 github.com/emersion/go-smtp v0.24.0/go.mod h1:ZtRRkbTyp2XTHCA+BmyTFTrj8xY4I+b4McvHxCU2gsQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
-github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gin-contrib/slog v1.2.0 h1:vAxZfr7knD1ZYK5+pMJLP52sZXIkJXkcRPa/0dx9hSk=
-github.com/gin-contrib/slog v1.2.0/go.mod h1:vYK6YltmpsEFkO0zfRMLTKHrWS3DwUSn0TMpT+kMagI=
-github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
-github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
+github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/slog v1.2.1 h1:tQbsmllW/PNgtvHRdVlI38jLfpN4IFLS7Pb4HgTeiYw=
+github.com/gin-contrib/slog v1.2.1/go.mod h1:f/Ke0A3h4DUh0cQnjR2b/l+i0EmVJ+6VY6GIw3RKtxA=
+github.com/gin-contrib/sse v1.1.1 h1:uGYpNwTacv5R68bSGMapo62iLTRa9l5zxGCps4hK6ko=
+github.com/gin-contrib/sse v1.1.1/go.mod h1:QXzuVkA0YO7o/gun03UI1Q+FTI8ZV/n5t03kIQAI89s=
+github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
+github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.19.0 h1:OKf2y6LXPs/BgBI2fl8PxUpNAI1DA9Mg+hSeGOS38OU=
-github.com/go-co-op/gocron/v2 v2.19.0/go.mod h1:5lEiCKk1oVJV39Zg7/YG10OnaVrDAV5GGR6O0663k6U=
-github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
-github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-co-op/gocron/v2 v2.21.0 h1:e1nt9AEFglarRH9/9y9q0V5sblwxlknpHPjttEajrwQ=
+github.com/go-co-op/gocron/v2 v2.21.0/go.mod h1:5lEiCKk1oVJV39Zg7/YG10OnaVrDAV5GGR6O0663k6U=
+github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
+github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -127,22 +132,22 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
-github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.15.0 h1:LR1vPv62E0/6+sTenX35QrCmpMCzLeVAcnXeH4MrbJY=
-github.com/go-webauthn/webauthn v0.15.0/go.mod h1:hcAOhVChPRG7oqG7Xj6XKN1mb+8eXTGP/B7zBLzkX5A=
-github.com/go-webauthn/x v0.1.27 h1:CLyuB8JGn9xvw0etBl4fnclcbPTwhKpN4Xg32zaSYnI=
-github.com/go-webauthn/x v0.1.27/go.mod h1:KGYJQAPPgbpDKi4N7zKMGL+Iz6WgxKg3OlhVbPtuJXI=
-github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE=
-github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK2xqPNk8vgvu5JQ=
+github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
+github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
+github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-webauthn/webauthn v0.16.5 h1:x+vADHlaiIjta23kGhtwyCIlB5mayKx6SBlpwQ5NF9A=
+github.com/go-webauthn/webauthn v0.16.5/go.mod h1:mQC6L0lZ5Kiu35G70zeB2WnrW4+vbHjR8Koq4HdVaMg=
+github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
+github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
+github.com/goccy/go-json v0.10.6 h1:p8HrPJzOakx/mn/bQtjgNjdTcN+/S6FcG2CTtQOrHVU=
+github.com/goccy/go-json v0.10.6/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
+github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -161,13 +166,15 @@ github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfh
 github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
 github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
+github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 h1:kEISI/Gx67NzH3nJxAmY/dGac80kKZgZt134u7Y/k1s=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4/go.mod h1:6Nz966r3vQYCqIzWsuEl9d7cf7mRhtDmm++sOxlnfxI=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -178,8 +185,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
-github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
+github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -220,26 +227,26 @@ github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
 github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
-github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
-github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
+github.com/lestrrat-go/dsig v1.2.1 h1:MwxzZhE4+4fguHi+uDALKVlC3Cn+O1QU1Q/F8D7hVIc=
+github.com/lestrrat-go/dsig v1.2.1/go.mod h1:RD2eOaidyPvpc7IJQoO3Qq52RWdy8ZcJs8lrOnoa1Kc=
 github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
 github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc/v3 v3.0.3 h1:WjLHWkDkgWXeIUrKi/7lS/sGq2DjkSAwdTbH5RHXAKs=
-github.com/lestrrat-go/httprc/v3 v3.0.3/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
-github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
-github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
+github.com/lestrrat-go/httprc/v3 v3.0.5 h1:S+Mb4L2I+bM6JGTibLmxExhyTOqnXjqx+zi9MoXw/TM=
+github.com/lestrrat-go/httprc/v3 v3.0.5/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
+github.com/lestrrat-go/jwx/v3 v3.1.0 h1:AyyLtxc0QM75F75JroWgt1phwC7X+wOb3XKhH7XBZWw=
+github.com/lestrrat-go/jwx/v3 v3.1.0/go.mod h1:uw/MN2M/Xiu4FhwcIwH11Zsh9JWx9SWzgALl7/uIEkU=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
 github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w=
-github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.33 h1:A5blZ5ulQo2AtayQ9/limgHEkFreKj1Dv226a1K73s0=
-github.com/mattn/go-sqlite3 v1.14.33/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/lib/pq v1.12.3 h1:tTWxr2YLKwIvK90ZXEw8GP7UFHtcbTtty8zsI+YjrfQ=
+github.com/lib/pq v1.12.3/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
+github.com/lmittmann/tint v1.1.3 h1:Hv4EaHWXQr+GTFnOU4VKf8UvAtZgn0VuKT+G0wFlO3I=
+github.com/lmittmann/tint v1.1.3/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-sqlite3 v1.14.42 h1:MigqEP4ZmHw3aIdIT7T+9TLa90Z6smwcthx+Azv4Cgo=
+github.com/mattn/go-sqlite3 v1.14.42/go.mod h1:pjEuOr8IwzLJP2MfGeTb0A35jauH+C2kbHKBr7yXKVQ=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -257,6 +264,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/nlnwa/whatwg-url v0.6.2 h1:jU61lU2ig4LANydbEJmA2nPrtCGiKdtgT0rmMd2VZ/Q=
+github.com/nlnwa/whatwg-url v0.6.2/go.mod h1:x0FPXJzzOEieQtsBT/AKvbiBbQ46YlL6Xa7m02M1ECk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -265,8 +274,10 @@ github.com/orandin/slog-gorm v1.4.0 h1:FgA8hJufF9/jeNSYoEXmHPPBwET2gwlF3B85JdpsT
 github.com/orandin/slog-gorm v1.4.0/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=
 github.com/oschwald/maxminddb-golang/v2 v2.1.1 h1:lA8FH0oOrM4u7mLvowq8IT6a3Q/qEnqRzLQn9eH5ojc=
 github.com/oschwald/maxminddb-golang/v2 v2.1.1/go.mod h1:PLdx6PR+siSIoXqqy7C7r3SB3KZnhxWr1Dp6g0Hacl8=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.3.0 h1:k59bC/lIZREW0/iVaQR8nDHxVq8OVlIzYCOJf421CaM=
+github.com/pelletier/go-toml/v2 v2.3.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
+github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -276,16 +287,16 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
-github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
 github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
 github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.58.0 h1:ggY2pvZaVdB9EyojxL1p+5mptkuHyX5MOSv4dgWF4Ug=
-github.com/quic-go/quic-go v0.58.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
+github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
@@ -312,124 +323,182 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ=
+github.com/tinylib/msgp v1.6.4/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM=
-github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
+github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
+github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
+go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/bridges/otelslog v0.14.0 h1:eypSOd+0txRKCXPNyqLPsbSfA0jULgJcGmSAdFAnrCM=
-go.opentelemetry.io/contrib/bridges/otelslog v0.14.0/go.mod h1:CRGvIBL/aAxpQU34ZxyQVFlovVcp67s4cAmQu8Jh9mc=
-go.opentelemetry.io/contrib/bridges/prometheus v0.64.0 h1:7TYhBCu6Xz6vDJGNtEslWZLuuX2IJ/aH50hBY4MVeUg=
-go.opentelemetry.io/contrib/bridges/prometheus v0.64.0/go.mod h1:tHQctZfAe7e4PBPGyt3kae6mQFXNpj+iiDJa3ithM50=
-go.opentelemetry.io/contrib/exporters/autoexport v0.64.0 h1:9pzPj3RFyKOxBAMkM2w84LpT+rdHam1XoFA+QhARiRw=
-go.opentelemetry.io/contrib/exporters/autoexport v0.64.0/go.mod h1:hlVZx1btWH0XTfXpuGX9dsquB50s+tc3fYFOO5elo2M=
-go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.64.0 h1:7IKZbAYwlwLXAdu7SVPhzTjDjogWZxP4MIa7rovY+PU=
-go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.64.0/go.mod h1:+TF5nf3NIv2X8PGxqfYOaRnAoMM43rUA2C3XsN2DoWA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/contrib/propagators/b3 v1.39.0 h1:PI7pt9pkSnimWcp5sQhUA9OzLbc3Ba4sL+VEUTNsxrk=
-go.opentelemetry.io/contrib/propagators/b3 v1.39.0/go.mod h1:5gV/EzPnfYIwjzj+6y8tbGW2PKWhcsz5e/7twptRVQY=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.15.0 h1:W+m0g+/6v3pa5PgVf2xoFMi5YtNR06WtS7ve5pcvLtM=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.15.0/go.mod h1:JM31r0GGZ/GU94mX8hN4D8v6e40aFlUECSQ48HaLgHM=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.15.0 h1:EKpiGphOYq3CYnIe2eX9ftUkyU+Y8Dtte8OaWyHJ4+I=
-go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.15.0/go.mod h1:nWFP7C+T8TygkTjJ7mAyEaFaE7wNfms3nV/vexZ6qt0=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0 h1:nKP4Z2ejtHn3yShBb+2KawiXgpn8In5cT7aO2wXuOTE=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.39.0/go.mod h1:NwjeBbNigsO4Aj9WgM0C+cKIrxsZUaRmZUO7A8I7u8o=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0 h1:Ckwye2FpXkYgiHX7fyVrN1uA/UYd9ounqqTuSNAv0k4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.39.0/go.mod h1:teIFJh5pW2y+AN7riv6IBPX2DuesS3HgP39mwOspKwU=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.15.0 h1:0BSddrtQqLEylcErkeFrJBmwFzcqfQq9+/uxfTZq+HE=
-go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.15.0/go.mod h1:87sjYuAPzaRCtdd09GU5gM1U9wQLrrcYrm77mh5EBoc=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0 h1:5gn2urDL/FBnK8OkCfD1j3/ER79rUuTYmCvlXBKeYL8=
-go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.39.0/go.mod h1:0fBG6ZJxhqByfFZDwSwpZGzJU671HkwpWaNe2t4VUPI=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 h1:8UPA4IbVZxpsD76ihGOQiFml99GPAEZLohDXvqHdi6U=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0/go.mod h1:MZ1T/+51uIVKlRzGw1Fo46KEWThjlCBZKl2LzY5nv4g=
-go.opentelemetry.io/otel/log v0.15.0 h1:0VqVnc3MgyYd7QqNVIldC3dsLFKgazR6P3P3+ypkyDY=
-go.opentelemetry.io/otel/log v0.15.0/go.mod h1:9c/G1zbyZfgu1HmQD7Qj84QMmwTp2QCQsZH1aeoWDE4=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/log v0.15.0 h1:WgMEHOUt5gjJE93yqfqJOkRflApNif84kxoHWS9VVHE=
-go.opentelemetry.io/otel/sdk/log v0.15.0/go.mod h1:qDC/FlKQCXfH5hokGsNg9aUBGMJQsrUyeOiW5u+dKBQ=
-go.opentelemetry.io/otel/sdk/log/logtest v0.14.0 h1:Ijbtz+JKXl8T2MngiwqBlPaHqc4YCaP/i13Qrow6gAM=
-go.opentelemetry.io/otel/sdk/log/logtest v0.14.0/go.mod h1:dCU8aEL6q+L9cYTqcVOk8rM9Tp8WdnHOPLiBgp0SGOA=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
-go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
-go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
+go.opentelemetry.io/contrib/bridges/otelslog v0.18.0 h1:hhPGP3zvvy1xWT9RTy970wlniSxFttBIsAK1gvMguJM=
+go.opentelemetry.io/contrib/bridges/otelslog v0.18.0/go.mod h1:twJF7inoMza6kxMcF8JOdL3mPmtOZu7GEr34CUNE6Dg=
+go.opentelemetry.io/contrib/bridges/prometheus v0.68.0 h1:w3zlHYETbDwXyWHZlyyR58ZC39XGi8rAhkBgUgJ9d5w=
+go.opentelemetry.io/contrib/bridges/prometheus v0.68.0/go.mod h1:GR/mClR2nn7vE8RLwxKjoBNg+QtgdDhRzxVa93koy5o=
+go.opentelemetry.io/contrib/exporters/autoexport v0.68.0 h1:0D3GFvELGIwQGfC6agLsbrEYSGWZTRTxIXxcQUqrOuk=
+go.opentelemetry.io/contrib/exporters/autoexport v0.68.0/go.mod h1:DM2NV7Zb8CcGeVPt6glouY0FAiwZQ/iqgcWExhgWeN8=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.68.0 h1:5FXSL2s6afUC1bzNzl1iedZZ8yqR7GOhbCoEXtyeK6Q=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.68.0/go.mod h1:MdHW7tLtkeGJnR4TyOrnd5D0zUGZQB1l84uHCe8hRpE=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/contrib/propagators/b3 v1.43.0 h1:CETqV3QLLPTy5yNrqyMr41VnAOOD4lsRved7n4QG00A=
+go.opentelemetry.io/contrib/propagators/b3 v1.43.0/go.mod h1:Q4mCiCdziYzpNR0g+6UqVotAlCDZdzz6L8jwY4knOrw=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0 h1:Dn8rkudDzY6KV9dr/D/bTUuWgqDf9xe0rr4G2elrn0Y=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0/go.mod h1:gMk9F0xDgyN9M/3Ed5Y1wKcx/9mlU91NXY2SNq7RQuU=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0 h1:HIBTQ3VO5aupLKjC90JgMqpezVXwFuq6Ryjn0/izoag=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0/go.mod h1:ji9vId85hMxqfvICA0Jt8JqEdrXaAkcpkI9HPXya0ro=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0 h1:8UQVDcZxOJLtX6gxtDt3vY2WTgvZqMQRzjsqiIHQdkc=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0/go.mod h1:2lmweYCiHYpEjQ/lSJBYhj9jP1zvCvQW4BqL9dnT7FQ=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0 h1:w1K+pCJoPpQifuVpsKamUdn9U0zM3xUziVOqsGksUrY=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0/go.mod h1:HBy4BjzgVE8139ieRI75oXm3EcDN+6GhD88JT1Kjvxg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak=
+go.opentelemetry.io/otel/exporters/prometheus v0.65.0 h1:jOveH/b4lU9HT7y+Gfamf18BqlOuz2PWEvs8yM7Q6XE=
+go.opentelemetry.io/otel/exporters/prometheus v0.65.0/go.mod h1:i1P8pcumauPtUI4YNopea1dhzEMuEqWP1xoUZDylLHo=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.19.0 h1:GJkybS+crDMdExT/BUNCEgfrmfboztcS6PhvSo88HKM=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.19.0/go.mod h1:NuAyxRYIG2lKX3YQkB+83StTxM7s52PUUkRRiC0wnYI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0 h1:TC+BewnDpeiAmcscXbGMfxkO+mwYUwE/VySwvw88PfA=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.43.0/go.mod h1:J/ZyF4vfPwsSr9xJSPyQ4LqtcTPULFR64KwTikGLe+A=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0 h1:mS47AX77OtFfKG4vtp+84kuGSFZHTyxtXIN269vChY0=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.43.0/go.mod h1:PJnsC41lAGncJlPUniSwM81gc80GkgWJWr3cu2nKEtU=
+go.opentelemetry.io/otel/log v0.19.0 h1:KUZs/GOsw79TBBMfDWsXS+KZ4g2Ckzksd1ymzsIEbo4=
+go.opentelemetry.io/otel/log v0.19.0/go.mod h1:5DQYeGmxVIr4n0/BcJvF4upsraHjg6vudJJpnkL6Ipk=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/log v0.19.0 h1:scYVLqT22D2gqXItnWiocLUKGH9yvkkeql5dBDiXyko=
+go.opentelemetry.io/otel/sdk/log v0.19.0/go.mod h1:vFBowwXGLlW9AvpuF7bMgnNI95LiW10szrOdvzBHlAg=
+go.opentelemetry.io/otel/sdk/log/logtest v0.19.0 h1:BEbF7ZBB6qQloV/Ub1+3NQoOUnVtcGkU3XX4Ws3GQfk=
+go.opentelemetry.io/otel/sdk/log/logtest v0.19.0/go.mod h1:Lua81/3yM0wOmoHTokLj9y9ADeA02v1naRrVrkAZuKk=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
+go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
-golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/arch v0.26.0 h1:jZ6dpec5haP/fUv1kLCbuJy6dnRrfX6iVK08lZBFpk4=
+golang.org/x/arch v0.26.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
-golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 h1:fQsdNF2N+/YewlRZiricy4P1iimyPKZ/xwniHj8Q2a0=
-golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.34.0 h1:33gCkyw9hmwbZJeZkct8XyR11yH889EQt/QH4VmXMn8=
-golang.org/x/image v0.34.0/go.mod h1:2RNFBZRB+vnwwFil8GkMdRvrJOFd1AzdZI6vOY+eJVU=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
+golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b h1:uA40e2M6fYRBf0+8uN5mLlqUtV192iiksiICIBkYJ1E=
-google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:Xa7le7qx2vmqB/SzWUBa7KdMjpdpAHlh5QCSnjessQk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
-google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
-google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d h1:/aDRtSZJjyLQzm75d+a1wOJaqyKBMvIAfeQmoa3ORiI=
+google.golang.org/genproto/googleapis/api v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:etfGUgejTiadZAUaEP14NP97xi1RGeawqkjDARA/UOs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d h1:wT2n40TBqFY6wiwazVK9/iTWbsQrgk5ZfCSVFLO9LQA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260406210006-6f92a3bedf2d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -442,20 +511,20 @@ gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
 gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
-modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
-modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
-modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
-modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
+modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
+modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
-modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.67.4 h1:zZGmCMUVPORtKv95c2ReQN5VDjvkoRm9GWPTEPuvlWg=
-modernc.org/libc v1.67.4/go.mod h1:QvvnnJ5P7aitu0ReNpVIEyesuhmDLQ8kaEoyMjIFZJA=
+modernc.org/libc v1.71.0 h1:bu0djXJGhqed3DnBzyzu3sY0fv432lesyz99ecEahyA=
+modernc.org/libc v1.71.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -464,8 +533,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.42.2 h1:7hkZUNJvJFN2PgfUdjni9Kbvd4ef4mNLOu0B9FGxM74=
-modernc.org/sqlite v1.42.2/go.mod h1:+VkC6v3pLOAE0A0uVucQEcbVW0I5nHCeDaBf+DpsQT8=
+modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
+modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=

backend/internal/bootstrap/app_images_bootstrap.go

@@ -12,6 +12,7 @@ import (
 	"log/slog"
 	"os"
 	"path"
+	"strings"
 
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
@@ -20,6 +21,8 @@ import (
 
 // initApplicationImages copies the images from the embedded directory to the storage backend
 // and returns a map containing the detected file extensions in the application-images directory.
+//
+//nolint:gocognit
 func initApplicationImages(ctx context.Context, fileStorage storage.FileStorage) (map[string]string, error) {
 	// Previous versions of images
 	// If these are found, they are deleted
@@ -76,6 +79,18 @@ func initApplicationImages(ctx context.Context, fileStorage storage.FileStorage)
 		dstNameToExt[nameWithoutExt] = ext
 	}
 
+	initedPath := path.Join("application-images", ".inited")
+	if _, _, err := fileStorage.Open(ctx, initedPath); err == nil {
+		return dstNameToExt, nil
+	} else if !os.IsNotExist(err) {
+		return nil, fmt.Errorf("failed to read .inited: %w", err)
+	} else {
+		err := fileStorage.Save(ctx, initedPath, strings.NewReader(""))
+		if err != nil {
+			return nil, fmt.Errorf("failed to store .inited: %w", err)
+		}
+	}
+
 	// Copy images from the images directory to the application-images directory if they don't already exist
 	for _, sourceFile := range sourceFiles {
 		if sourceFile.IsDir() {

backend/internal/bootstrap/bootstrap.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 	"time"
@@ -11,6 +12,7 @@ import (
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
@@ -48,14 +50,21 @@ func Bootstrap(ctx context.Context) error {
 		return fmt.Errorf("failed to initialize application images: %w", err)
 	}
 
+	scheduler, err := job.NewScheduler()
+	if err != nil {
+		return fmt.Errorf("failed to create job scheduler: %w", err)
+	}
+
 	// Create all services
-	svc, err := initServices(ctx, db, httpClient, imageExtensions, fileStorage)
+	svc, err := initServices(ctx, db, httpClient, imageExtensions, fileStorage, scheduler)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 
 	waitUntil, err := svc.appLockService.Acquire(ctx, false)
-	if err != nil {
+	if errors.Is(err, service.ErrLockUnavailable) {
+		return errors.New("it appears that there's already one instance of Pocket ID running; running multiple replicas of Pocket ID is currently not supported")
+	} else if err != nil {
 		return fmt.Errorf("failed to acquire application lock: %w", err)
 	}
 
@@ -74,11 +83,7 @@ func Bootstrap(ctx context.Context) error {
 	}
 	shutdownFns = append(shutdownFns, shutdownFn)
 
-	// Init the job scheduler
-	scheduler, err := job.NewScheduler()
-	if err != nil {
-		return fmt.Errorf("failed to create job scheduler: %w", err)
-	}
+	// Register scheduled jobs
 	err = registerScheduledJobs(ctx, db, svc, httpClient, scheduler)
 	if err != nil {
 		return fmt.Errorf("failed to register scheduled jobs: %w", err)

backend/internal/bootstrap/db_bootstrap.go

@@ -34,7 +34,8 @@ func NewDatabase() (db *gorm.DB, err error) {
 	}
 
 	// Run migrations
-	if err := utils.MigrateDatabase(sqlDb); err != nil {
+	err = utils.MigrateDatabase(sqlDb)
+	if err != nil {
 		return nil, fmt.Errorf("failed to run migrations: %w", err)
 	}
 
@@ -42,7 +43,10 @@ func NewDatabase() (db *gorm.DB, err error) {
 }
 
 func ConnectDatabase() (db *gorm.DB, err error) {
-	var dialector gorm.Dialector
+	var (
+		dialector               gorm.Dialector
+		sqliteNetworkFilesystem bool
+	)
 
 	// Choose the correct database provider
 	var onConnFn func(conn *sql.DB)
@@ -63,6 +67,14 @@ func ConnectDatabase() (db *gorm.DB, err error) {
 			if err := ensureSqliteDatabaseDir(dbPath); err != nil {
 				return nil, err
 			}
+
+			sqliteNetworkFilesystem, err = utils.IsNetworkedFileSystem(filepath.Dir(dbPath))
+			if err != nil {
+				// Log the error only
+				slog.Warn("Failed to detect filesystem type for the SQLite database directory", slog.String("path", filepath.Dir(dbPath)), slog.Any("error", err))
+			} else if sqliteNetworkFilesystem {
+				slog.Warn("⚠️⚠️⚠️ SQLite databases should not be stored on a networked file system like NFS, SMB, or FUSE, as there's a risk of crashes and even database corruption", slog.String("path", filepath.Dir(dbPath)))
+			}
 		}
 
 		// Before we connect, also make sure that there's a temporary folder for SQLite to write its data

backend/internal/bootstrap/observability_boostrap.go

@@ -118,11 +118,10 @@ func initOtelLogging(ctx context.Context, resource *resource.Resource) error {
 	// Set the logger provider globally
 	globallog.SetLoggerProvider(provider)
 
-	// Wrap the handler in a "fanout" one
-	handler = utils.LogFanoutHandler{
+	handler = slog.NewMultiHandler(
 		handler,
 		otelslog.NewHandler(common.Name, otelslog.WithLoggerProvider(provider)),
-	}
+	)
 
 	// Set the default slog to send logs to OTel and add the app name
 	log := slog.New(handler).

backend/internal/bootstrap/router_bootstrap.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -10,11 +11,16 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
 
+	"github.com/fsnotify/fsnotify"
 	sloggin "github.com/gin-contrib/slog"
 	"github.com/gin-gonic/gin"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 
@@ -30,6 +36,47 @@ import (
 var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
 
 func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
+	r, err := initEngine()
+	if err != nil {
+		return nil, err
+	}
+	err = registerRoutes(r, db, svc)
+	if err != nil {
+		return nil, err
+	}
+
+	serverConfig, err := initServer(r)
+	if err != nil {
+		return nil, err
+	}
+
+	runFn := func(ctx context.Context) error {
+		return runServer(ctx, serverConfig)
+	}
+
+	return runFn, nil
+}
+
+type serverConfig struct {
+	addr         string
+	certProvider *tlsCertProvider
+	listener     net.Listener
+	server       *http.Server
+	tlsConfig    *tls.Config
+}
+
+func initEngine() (*gin.Engine, error) {
+	setGinMode()
+
+	r := gin.New()
+	initLogger(r)
+	configureEngine(r)
+	registerGlobalMiddleware(r)
+
+	return r, nil
+}
+
+func setGinMode() {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case common.AppEnvProduction:
@@ -39,72 +86,136 @@ func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
 	case common.AppEnvTest:
 		gin.SetMode(gin.TestMode)
 	}
+}
 
-	r := gin.New()
-	initLogger(r)
-
+func configureEngine(r *gin.Engine) {
 	if !common.EnvConfig.TrustProxy {
 		_ = r.SetTrustedProxies(nil)
 	}
 
+	if common.EnvConfig.TrustedPlatform != "" {
+		r.TrustedPlatform = common.EnvConfig.TrustedPlatform
+	}
+
 	if common.EnvConfig.TracingEnabled {
 		r.Use(otelgin.Middleware(common.Name))
 	}
+}
 
-	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)
-
-	// Setup global middleware
+func registerGlobalMiddleware(r *gin.Engine) {
 	r.Use(middleware.HeadMiddleware())
 	r.Use(middleware.NewCacheControlMiddleware().Add())
 	r.Use(middleware.NewCorsMiddleware().Add())
 	r.Use(middleware.NewCspMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
+}
 
-	err := frontend.RegisterFrontend(r)
+func registerRoutes(r *gin.Engine, db *gorm.DB, svc *services) error {
+
+	err := frontend.RegisterFrontend(r, svc.oidcService)
 	if errors.Is(err, frontend.ErrFrontendNotIncluded) {
 		slog.Warn("Frontend is not included in the build. Skipping frontend registration.")
 	} else if err != nil {
-		return nil, fmt.Errorf("failed to register frontend: %w", err)
+		return fmt.Errorf("failed to register frontend: %w", err)
 	}
 
 	// Initialize middleware for specific routes
 	authMiddleware := middleware.NewAuthMiddleware(svc.apiKeyService, svc.userService, svc.jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
+	apiRateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 100)
 
-	// Set up API routes
-	apiGroup := r.Group("/api", rateLimitMiddleware)
+	apiGroup := r.Group("/api", apiRateLimitMiddleware)
 	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
 	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
 	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
-	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.appConfigService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.oneTimeAccessService, svc.webauthnService, svc.appConfigService)
 	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
 	controller.NewAppImagesController(apiGroup, authMiddleware, svc.appImagesService)
 	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
 	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
 	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
-	controller.NewVersionController(apiGroup, svc.versionService)
+	controller.NewVersionController(apiGroup, authMiddleware, svc.versionService)
 	controller.NewScimController(apiGroup, authMiddleware, svc.scimService)
+	controller.NewUserSignupController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userSignUpService, svc.appConfigService)
 
-	// Add test controller in non-production environments
-	if !common.EnvConfig.AppEnv.IsProduction() {
-		for _, f := range registerTestControllers {
-			f(apiGroup, db, svc)
-		}
-	}
+	registerTestRoutes(apiGroup, db, svc)
 
-	// Set up base routes
-	baseGroup := r.Group("/", rateLimitMiddleware)
+	baseGroup := r.Group("/", apiRateLimitMiddleware)
 	controller.NewWellKnownController(baseGroup, svc.jwtService)
 
-	// Set up healthcheck routes
-	// These are not rate-limited
+	// These are not rate-limited.
 	controller.NewHealthzController(r)
 
-	// Set up the server
-	srv := &http.Server{
+	return nil
+}
+
+func registerTestRoutes(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
+	if common.EnvConfig.AppEnv.IsProduction() {
+		return
+	}
+
+	for _, f := range registerTestControllers {
+		f(apiGroup, db, svc)
+	}
+}
+
+func initServer(r *gin.Engine) (*serverConfig, error) {
+	protocols, tlsConfig, certProvider, err := initServerProtocols()
+	if err != nil {
+		return nil, err
+	}
+
+	network, addr := listenerNetworkAndAddr()
+	listener, err := net.Listen(network, addr) //nolint:noctx
+	if err != nil {
+		return nil, fmt.Errorf("failed to create %s listener: %w", network, err)
+	}
+
+	if err := setUnixSocketMode(network, addr); err != nil {
+		listener.Close()
+		return nil, err
+	}
+
+	return &serverConfig{
+		addr:         addr,
+		certProvider: certProvider,
+		listener:     listener,
+		server:       newHTTPServer(r, protocols),
+		tlsConfig:    tlsConfig,
+	}, nil
+}
+
+func initServerProtocols() (*http.Protocols, *tls.Config, *tlsCertProvider, error) {
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+
+	if common.EnvConfig.TLSCertFile == "" || common.EnvConfig.TLSKeyFile == "" {
+		protocols.SetUnencryptedHTTP2(true)
+		return protocols, nil, nil, nil
+	}
+
+	protocols.SetHTTP2(true)
+	certProvider, err := newCertProvider(common.EnvConfig.TLSCertFile, common.EnvConfig.TLSKeyFile)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("failed to load TLS certificate: %w", err)
+	}
+
+	tlsConfig := &tls.Config{
+		GetCertificate: certProvider.GetCertificate,
+		MinVersion:     tls.VersionTLS13,
+		NextProtos:     []string{"h2"},
+	}
+
+	slog.Info("TLS enabled")
+	return protocols, tlsConfig, certProvider, nil
+}
+
+func newHTTPServer(r *gin.Engine, protocols *http.Protocols) *http.Server {
+	return &http.Server{
 		MaxHeaderBytes:    1 << 20,
 		ReadHeaderTimeout: 10 * time.Second,
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		Protocols:         protocols,
+		Handler: h2c.NewHandler(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			// HEAD requests don't get matched by Gin routes, so we convert them to GET
 			// middleware.HeadMiddleware will convert them back to HEAD later
 			if req.Method == http.MethodHead {
@@ -114,75 +225,121 @@ func initRouter(db *gorm.DB, svc *services) (utils.Service, error) {
 			}
 
 			r.ServeHTTP(w, req)
-		}),
+		}), &http2.Server{}),
+	}
+}
+
+func listenerNetworkAndAddr() (string, string) {
+	if common.EnvConfig.UnixSocket == "" {
+		return "tcp", net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port)
 	}
 
-	// Set up the listener
-	network := "tcp"
-	addr := net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port)
-	if common.EnvConfig.UnixSocket != "" {
-		network = "unix"
-		addr = common.EnvConfig.UnixSocket
-		os.Remove(addr) // remove dangling the socket file to avoid file-exist error
-	}
-
-	listener, err := net.Listen(network, addr) //nolint:noctx
-	if err != nil {
-		return nil, fmt.Errorf("failed to create %s listener: %w", network, err)
-	}
-
-	// Set the socket mode if using a Unix socket
-	if network == "unix" && common.EnvConfig.UnixSocketMode != "" {
-		mode, err := strconv.ParseUint(common.EnvConfig.UnixSocketMode, 8, 32)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
-		}
-
-		if err := os.Chmod(addr, os.FileMode(mode)); err != nil {
-			return nil, fmt.Errorf("failed to set UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
-		}
-	}
-
-	// Service runner function
-	runFn := func(ctx context.Context) error {
-		slog.Info("Server listening", slog.String("addr", addr))
-
-		// Start the server in a background goroutine
-		go func() {
-			defer listener.Close()
-
-			// Next call blocks until the server is shut down
-			srvErr := srv.Serve(listener)
-			if srvErr != http.ErrServerClosed {
-				slog.Error("Error starting app server", "error", srvErr)
-				os.Exit(1)
-			}
-		}()
-
-		// Notify systemd that we are ready
-		err = systemd.SdNotifyReady()
-		if err != nil {
-			// Log the error only
-			slog.Warn("Unable to notify systemd that the service is ready", "error", err)
-		}
-
-		// Block until the context is canceled
-		<-ctx.Done()
-
-		// Handle graceful shutdown
-		// Note we use the background context here as ctx has been canceled already
-		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
-		shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
-		shutdownCancel()
-		if shutdownErr != nil {
-			// Log the error only (could be context canceled)
-			slog.Warn("App server shutdown error", "error", shutdownErr)
-		}
+	addr := common.EnvConfig.UnixSocket
+	os.Remove(addr) // remove dangling the socket file to avoid file-exist error
+	return "unix", addr
+}
 
+func setUnixSocketMode(network, addr string) error {
+	if network != "unix" || common.EnvConfig.UnixSocketMode == "" {
 		return nil
 	}
 
-	return runFn, nil
+	mode, err := strconv.ParseUint(common.EnvConfig.UnixSocketMode, 8, 32)
+	if err != nil {
+		return fmt.Errorf("failed to parse UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
+	}
+
+	if err := os.Chmod(addr, os.FileMode(mode)); err != nil {
+		return fmt.Errorf("failed to set UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
+	}
+
+	return nil
+}
+
+func runServer(ctx context.Context, config *serverConfig) error {
+	slog.Info("Server listening", slog.String("addr", config.addr), slog.Bool("tls", config.tlsConfig != nil))
+
+	certWatcher, err := startCertWatcher(ctx, config.certProvider)
+	if err != nil {
+		return err
+	}
+	defer closeCertWatcher(certWatcher)
+
+	startHTTPServer(config)
+	notifySystemdReady()
+
+	<-ctx.Done()
+
+	// We do not pass the context because it's already been canceled
+	//nolint:contextcheck
+	return shutdownServer(config.server)
+}
+
+func startCertWatcher(ctx context.Context, certProvider *tlsCertProvider) (*fsnotify.Watcher, error) {
+	if certProvider == nil {
+		return nil, nil
+	}
+
+	certWatcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate watcher: %w", err)
+	}
+
+	if err := certWatcher.Add(common.EnvConfig.TLSCertFile); err != nil {
+		certWatcher.Close()
+		return nil, fmt.Errorf("failed to watch TLS certificate: %w", err)
+	}
+	if err := certWatcher.Add(common.EnvConfig.TLSKeyFile); err != nil {
+		certWatcher.Close()
+		return nil, fmt.Errorf("failed to watch TLS key: %w", err)
+	}
+
+	go certProvider.StartWatching(ctx, certWatcher)
+	return certWatcher, nil
+}
+
+func closeCertWatcher(certWatcher *fsnotify.Watcher) {
+	if certWatcher != nil {
+		certWatcher.Close()
+	}
+}
+
+func startHTTPServer(config *serverConfig) {
+	go func() {
+		defer config.listener.Close()
+
+		listener := config.listener
+		if config.tlsConfig != nil {
+			listener = tls.NewListener(config.listener, config.tlsConfig)
+		}
+		srvErr := config.server.Serve(listener)
+
+		if srvErr != http.ErrServerClosed {
+			slog.Error("Error starting app server", "error", srvErr)
+			os.Exit(1)
+		}
+	}()
+}
+
+func notifySystemdReady() {
+	err := systemd.SdNotifyReady()
+	if err != nil {
+		// Log the error only
+		slog.Warn("Unable to notify systemd that the service is ready", "error", err)
+	}
+}
+
+func shutdownServer(srv *http.Server) error {
+	// Note we use the background context here as ctx has been canceled already
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
+	shutdownCancel()
+	if shutdownErr != nil {
+		// Log the error only (could be context canceled)
+		slog.Warn("App server shutdown error", "error", shutdownErr)
+	}
+
+	return nil
 }
 
 func initLogger(r *gin.Engine) {
@@ -211,3 +368,99 @@ func initLogger(r *gin.Engine) {
 		}),
 	))
 }
+
+// tlsCertProvider holds certificates that can be dynamically reloaded
+type tlsCertProvider struct {
+	certMutex   sync.RWMutex
+	cert        *tls.Certificate
+	certFile    string
+	keyFile     string
+	forceReload atomic.Bool
+}
+
+// GetCertificate implements tls.GetCertificate interface for dynamic certificate loading
+func (p *tlsCertProvider) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if p.forceReload.Load() {
+		p.certMutex.Lock()
+		p.forceReload.Store(false)
+		p.certMutex.Unlock()
+	}
+
+	p.certMutex.RLock()
+	defer p.certMutex.RUnlock()
+	return p.cert, nil
+}
+
+// newCertProvider creates a new certificate provider with initial certificates loaded
+func newCertProvider(certFile, keyFile string) (*tlsCertProvider, error) {
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tlsCertProvider{
+		cert:     &cert,
+		certFile: certFile,
+		keyFile:  keyFile,
+	}, nil
+}
+
+// reloadCertificate reloads the certificate from disk
+func (p *tlsCertProvider) reloadCertificate() error {
+	cert, err := tls.LoadX509KeyPair(p.certFile, p.keyFile)
+	if err != nil {
+		return fmt.Errorf("failed to reload TLS certificate: %w", err)
+	}
+
+	p.certMutex.Lock()
+	p.cert = &cert
+	p.certMutex.Unlock()
+
+	return nil
+}
+
+// StartWatching begins monitoring the certificate files for changes with debouncing
+func (p *tlsCertProvider) StartWatching(ctx context.Context, watcher *fsnotify.Watcher) {
+	debounceDuration := 1 * time.Second
+	reloadTimer := time.NewTimer(debounceDuration)
+	reloadTimer.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case event, ok := <-watcher.Events:
+			if !ok {
+				return
+			}
+			// Only process write/rename events for certificate/key files
+			if event.Has(fsnotify.Write | fsnotify.Rename) {
+				// Reset the debounce timer whenever we get a relevant event
+				reloadTimer.Stop()
+				// Drain the channel if there's a pending value
+				select {
+				case <-reloadTimer.C:
+				default:
+				}
+				reloadTimer.Reset(debounceDuration)
+				slog.Debug("TLS file change detected, debouncing", slog.String("path", event.Name))
+			}
+		case <-reloadTimer.C:
+			// Timer fired - no more events in 500ms, so reload
+			slog.Info("Reloading TLS certificate")
+
+			if err := p.reloadCertificate(); err != nil {
+				slog.Error("Failed to reload TLS certificate", "error", err)
+				continue
+			}
+
+			p.forceReload.Store(true)
+			slog.Info("TLS certificate reloaded successfully")
+		case err, ok := <-watcher.Errors:
+			if !ok {
+				return
+			}
+			slog.Error("Certificate watcher error", "error", err)
+		}
+	}
+}

backend/internal/bootstrap/scheduler_bootstrap.go

@@ -35,6 +35,10 @@ func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, http
 	if err != nil {
 		return fmt.Errorf("failed to register analytics job in scheduler: %w", err)
 	}
+	err = scheduler.RegisterScimJobs(ctx, svc.scimService)
+	if err != nil {
+		return fmt.Errorf("failed to register SCIM scheduler job: %w", err)
+	}
 
 	return nil
 }

backend/internal/bootstrap/services_bootstrap.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"gorm.io/gorm"
 
 	"github.com/pocket-id/pocket-id/backend/internal/service"
@@ -20,7 +21,6 @@ type services struct {
 	jwtService           *service.JwtService
 	webauthnService      *service.WebAuthnService
 	scimService          *service.ScimService
-	scimSchedulerService *service.ScimSchedulerService
 	userService          *service.UserService
 	customClaimService   *service.CustomClaimService
 	oidcService          *service.OidcService
@@ -30,10 +30,12 @@ type services struct {
 	versionService       *service.VersionService
 	fileStorage          storage.FileStorage
 	appLockService       *service.AppLockService
+	userSignUpService    *service.UserSignUpService
+	oneTimeAccessService *service.OneTimeAccessService
 }
 
 // Initializes all services
-func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, imageExtensions map[string]string, fileStorage storage.FileStorage) (svc *services, err error) {
+func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, imageExtensions map[string]string, fileStorage storage.FileStorage, scheduler *job.Scheduler) (svc *services, err error) {
 	svc = &services{}
 
 	svc.appConfigService, err = service.NewAppConfigService(ctx, db)
@@ -52,7 +54,7 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 
 	svc.geoLiteService = service.NewGeoLiteService(httpClient)
 	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
-	svc.jwtService, err = service.NewJwtService(db, svc.appConfigService)
+	svc.jwtService, err = service.NewJwtService(ctx, db, svc.appConfigService)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create JWT service: %w", err)
 	}
@@ -63,21 +65,25 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client, ima
 		return nil, fmt.Errorf("failed to create WebAuthn service: %w", err)
 	}
 
-	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService, httpClient, fileStorage)
+	svc.scimService = service.NewScimService(db, scheduler, httpClient)
+
+	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService, svc.scimService, httpClient, fileStorage)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create OIDC service: %w", err)
 	}
 
-	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
-	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService, svc.appImagesService, fileStorage)
+	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService, svc.scimService)
+	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService, svc.appImagesService, svc.scimService, fileStorage)
 	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService, fileStorage)
-	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
-	svc.scimService = service.NewScimService(db, httpClient)
-	svc.scimSchedulerService, err = service.NewScimSchedulerService(ctx, svc.scimService)
+
+	svc.apiKeyService, err = service.NewApiKeyService(ctx, db, svc.emailService)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create SCIM scheduler service: %w", err)
+		return nil, fmt.Errorf("failed to create API key service: %w", err)
 	}
 
+	svc.userSignUpService = service.NewUserSignupService(db, svc.jwtService, svc.auditLogService, svc.appConfigService, svc.userService)
+	svc.oneTimeAccessService = service.NewOneTimeAccessService(db, svc.userService, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService)
+
 	svc.versionService = service.NewVersionService(httpClient)
 
 	return svc, nil

backend/internal/cmds/encryption_key_rotate.go

@@ -0,0 +1,187 @@
+package cmds
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/spf13/cobra"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
+)
+
+type encryptionKeyRotateFlags struct {
+	NewKey string
+	Yes    bool
+}
+
+func init() {
+	var flags encryptionKeyRotateFlags
+
+	encryptionKeyRotateCmd := &cobra.Command{
+		Use:   "encryption-key-rotate",
+		Short: "Re-encrypts data using a new encryption key",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			db, err := bootstrap.NewDatabase()
+			if err != nil {
+				return err
+			}
+
+			return encryptionKeyRotate(cmd.Context(), flags, db, &common.EnvConfig)
+		},
+	}
+
+	encryptionKeyRotateCmd.Flags().StringVar(&flags.NewKey, "new-key", "", "New encryption key to re-encrypt data with")
+	encryptionKeyRotateCmd.Flags().BoolVarP(&flags.Yes, "yes", "y", false, "Do not prompt for confirmation")
+
+	rootCmd.AddCommand(encryptionKeyRotateCmd)
+}
+
+func encryptionKeyRotate(ctx context.Context, flags encryptionKeyRotateFlags, db *gorm.DB, envConfig *common.EnvConfigSchema) error {
+	oldKey := envConfig.EncryptionKey
+	newKey := []byte(flags.NewKey)
+	if len(newKey) == 0 {
+		return errors.New("new encryption key is required (--new-key)")
+	}
+	if len(newKey) < 16 {
+		return errors.New("new encryption key must be at least 16 bytes long")
+	}
+
+	if !flags.Yes {
+		fmt.Println("WARNING: Rotating the encryption key will re-encrypt secrets in the database. Pocket-ID must be restarted with the new ENCRYPTION_KEY after rotation is complete.")
+		ok, err := utils.PromptForConfirmation("Continue")
+		if err != nil {
+			return err
+		}
+		if !ok {
+			fmt.Println("Aborted")
+			os.Exit(1)
+		}
+	}
+
+	appConfigService, err := service.NewAppConfigService(ctx, db)
+	if err != nil {
+		return fmt.Errorf("failed to create app config service: %w", err)
+	}
+	instanceID := appConfigService.GetDbConfig().InstanceID.Value
+
+	// Derive the encryption keys used for the JWK encryption
+	oldKek, err := jwkutils.LoadKeyEncryptionKey(&common.EnvConfigSchema{EncryptionKey: oldKey}, instanceID)
+	if err != nil {
+		return fmt.Errorf("failed to derive old key encryption key: %w", err)
+	}
+	newKek, err := jwkutils.LoadKeyEncryptionKey(&common.EnvConfigSchema{EncryptionKey: newKey}, instanceID)
+	if err != nil {
+		return fmt.Errorf("failed to derive new key encryption key: %w", err)
+	}
+
+	// Derive the encryption keys used for EncryptedString fields
+	oldEncKey, err := datatype.DeriveEncryptedStringKey(oldKey)
+	if err != nil {
+		return fmt.Errorf("failed to derive old encrypted string key: %w", err)
+	}
+	newEncKey, err := datatype.DeriveEncryptedStringKey(newKey)
+	if err != nil {
+		return fmt.Errorf("failed to derive new encrypted string key: %w", err)
+	}
+
+	err = db.Transaction(func(tx *gorm.DB) error {
+		err = rotateSigningKeyEncryption(ctx, tx, oldKek, newKek)
+		if err != nil {
+			return err
+		}
+
+		err = rotateScimTokens(tx, oldEncKey, newEncKey)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Encryption key rotation completed successfully.")
+	fmt.Println("Restart pocket-id with the new ENCRYPTION_KEY to use the rotated data.")
+
+	return nil
+}
+
+func rotateSigningKeyEncryption(ctx context.Context, db *gorm.DB, oldKek []byte, newKek []byte) error {
+	oldProvider := &jwkutils.KeyProviderDatabase{}
+	err := oldProvider.Init(jwkutils.KeyProviderOpts{
+		DB:  db,
+		Kek: oldKek,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to init key provider with old encryption key: %w", err)
+	}
+
+	key, err := oldProvider.LoadKey(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load signing key using old encryption key: %w", err)
+	}
+	if key == nil {
+		return nil
+	}
+
+	newProvider := &jwkutils.KeyProviderDatabase{}
+	err = newProvider.Init(jwkutils.KeyProviderOpts{
+		DB:  db,
+		Kek: newKek,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to init key provider with new encryption key: %w", err)
+	}
+
+	if err := newProvider.SaveKey(ctx, key); err != nil {
+		return fmt.Errorf("failed to store signing key with new encryption key: %w", err)
+	}
+
+	return nil
+}
+
+type scimTokenRow struct {
+	ID    string
+	Token string
+}
+
+func rotateScimTokens(db *gorm.DB, oldEncKey []byte, newEncKey []byte) error {
+	var rows []scimTokenRow
+	err := db.Model(&model.ScimServiceProvider{}).Select("id, token").Scan(&rows).Error
+	if err != nil {
+		return fmt.Errorf("failed to list SCIM service providers: %w", err)
+	}
+
+	for _, row := range rows {
+		if row.Token == "" {
+			continue
+		}
+
+		decBytes, err := datatype.DecryptEncryptedStringWithKey(oldEncKey, row.Token)
+		if err != nil {
+			return fmt.Errorf("failed to decrypt SCIM token for provider %s: %w", row.ID, err)
+		}
+
+		encValue, err := datatype.EncryptEncryptedStringWithKey(newEncKey, decBytes)
+		if err != nil {
+			return fmt.Errorf("failed to encrypt SCIM token for provider %s: %w", row.ID, err)
+		}
+
+		err = db.Model(&model.ScimServiceProvider{}).Where("id = ?", row.ID).Update("token", encValue).Error
+		if err != nil {
+			return fmt.Errorf("failed to update SCIM token for provider %s: %w", row.ID, err)
+		}
+	}
+
+	return nil
+}

backend/internal/cmds/encryption_key_rotate_test.go

@@ -0,0 +1,89 @@
+package cmds
+
+import (
+	"testing"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
+	testingutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
+)
+
+func TestEncryptionKeyRotate(t *testing.T) {
+	oldKey := []byte("old-encryption-key-123456")
+	newKey := []byte("new-encryption-key-654321")
+
+	envConfig := &common.EnvConfigSchema{
+		EncryptionKey: oldKey,
+	}
+
+	db := testingutils.NewDatabaseForTest(t)
+
+	appConfigService, err := service.NewAppConfigService(t.Context(), db)
+	require.NoError(t, err)
+	instanceID := appConfigService.GetDbConfig().InstanceID.Value
+
+	oldKek, err := jwkutils.LoadKeyEncryptionKey(envConfig, instanceID)
+	require.NoError(t, err)
+
+	oldProvider := &jwkutils.KeyProviderDatabase{}
+	require.NoError(t, oldProvider.Init(jwkutils.KeyProviderOpts{
+		DB:  db,
+		Kek: oldKek,
+	}))
+
+	signingKey, err := jwkutils.GenerateKey("RS256", "")
+	require.NoError(t, err)
+	require.NoError(t, oldProvider.SaveKey(t.Context(), signingKey))
+
+	oldEncKey, err := datatype.DeriveEncryptedStringKey(oldKey)
+	require.NoError(t, err)
+	encToken, err := datatype.EncryptEncryptedStringWithKey(oldEncKey, []byte("scim-token-123"))
+	require.NoError(t, err)
+
+	err = db.Exec(
+		`INSERT INTO scim_service_providers (id, created_at, endpoint, token, oidc_client_id) VALUES (?, ?, ?, ?, ?)`,
+		"scim-1",
+		time.Now(),
+		"https://example.com/scim",
+		encToken,
+		"client-1",
+	).Error
+	require.NoError(t, err)
+
+	flags := encryptionKeyRotateFlags{
+		NewKey: string(newKey),
+		Yes:    true,
+	}
+	require.NoError(t, encryptionKeyRotate(t.Context(), flags, db, envConfig))
+
+	newKek, err := jwkutils.LoadKeyEncryptionKey(&common.EnvConfigSchema{EncryptionKey: newKey}, instanceID)
+	require.NoError(t, err)
+
+	newProvider := &jwkutils.KeyProviderDatabase{}
+	require.NoError(t, newProvider.Init(jwkutils.KeyProviderOpts{
+		DB:  db,
+		Kek: newKek,
+	}))
+
+	rotatedKey, err := newProvider.LoadKey(t.Context())
+	require.NoError(t, err)
+	require.NotNil(t, rotatedKey)
+
+	var storedToken string
+	err = db.Model(&model.ScimServiceProvider{}).Where("id = ?", "scim-1").Pluck("token", &storedToken).Error
+	require.NoError(t, err)
+
+	newEncKey, err := datatype.DeriveEncryptedStringKey(newKey)
+	require.NoError(t, err)
+
+	decBytes, err := datatype.DecryptEncryptedStringWithKey(newEncKey, storedToken)
+	require.NoError(t, err)
+	assert.Equal(t, "scim-token-123", string(decBytes))
+}

backend/internal/cmds/import.go

@@ -119,11 +119,10 @@ func acquireImportLock(ctx context.Context, db *gorm.DB, force bool) error {
 	defer cancel()
 
 	waitUntil, err := appLockService.Acquire(opCtx, force)
-	if err != nil {
-		if errors.Is(err, service.ErrLockUnavailable) {
-			//nolint:staticcheck
-			return errors.New("Pocket ID must be stopped before importing data; please stop the running instance or run with --forcefully-acquire-lock to terminate the other instance")
-		}
+	if errors.Is(err, service.ErrLockUnavailable) {
+		//nolint:staticcheck
+		return errors.New("Pocket ID must be stopped before importing data; please stop the running instance or run with --forcefully-acquire-lock to terminate the other instance")
+	} else if err != nil {
 		return fmt.Errorf("failed to acquire application lock: %w", err)
 	}
 

backend/internal/cmds/key_rotate.go

@@ -102,7 +102,7 @@ func keyRotate(ctx context.Context, flags keyRotateFlags, db *gorm.DB, envConfig
 	}
 
 	// Save the key
-	err = keyProvider.SaveKey(key)
+	err = keyProvider.SaveKey(ctx, key)
 	if err != nil {
 		return fmt.Errorf("failed to store new key: %w", err)
 	}

backend/internal/cmds/key_rotate_test.go

@@ -104,7 +104,7 @@ func testKeyRotateWithDatabaseStorage(t *testing.T, flags keyRotateFlags, wantEr
 	require.NoError(t, err)
 
 	// Verify key was created
-	key, err := keyProvider.LoadKey()
+	key, err := keyProvider.LoadKey(t.Context())
 	require.NoError(t, err)
 	require.NotNil(t, key)
 

backend/internal/common/env_config.go

@@ -44,11 +44,15 @@ type EnvConfigSchema struct {
 	DbProvider            DbProvider
 	DbConnectionString    string `env:"DB_CONNECTION_STRING" options:"file"`
 	TrustProxy            bool   `env:"TRUST_PROXY"`
+	TrustedPlatform       string `env:"TRUSTED_PLATFORM"`
 	AuditLogRetentionDays int    `env:"AUDIT_LOG_RETENTION_DAYS"`
 	AnalyticsDisabled     bool   `env:"ANALYTICS_DISABLED"`
 	AllowDowngrade        bool   `env:"ALLOW_DOWNGRADE"`
 	InternalAppURL        string `env:"INTERNAL_APP_URL"`
 	UiConfigDisabled      bool   `env:"UI_CONFIG_DISABLED"`
+	DisableRateLimiting   bool   `env:"DISABLE_RATE_LIMITING"`
+	VersionCheckDisabled  bool   `env:"VERSION_CHECK_DISABLED"`
+	StaticApiKey          string `env:"STATIC_API_KEY" options:"file"`
 
 	FileBackend                     string `env:"FILE_BACKEND" options:"toLower"`
 	UploadPath                      string `env:"UPLOAD_PATH"`
@@ -56,7 +60,7 @@ type EnvConfigSchema struct {
 	S3Region                        string `env:"S3_REGION"`
 	S3Endpoint                      string `env:"S3_ENDPOINT"`
 	S3AccessKeyID                   string `env:"S3_ACCESS_KEY_ID"`
-	S3SecretAccessKey               string `env:"S3_SECRET_ACCESS_KEY"`
+	S3SecretAccessKey               string `env:"S3_SECRET_ACCESS_KEY" options:"file"`
 	S3ForcePathStyle                bool   `env:"S3_FORCE_PATH_STYLE"`
 	S3DisableDefaultIntegrityChecks bool   `env:"S3_DISABLE_DEFAULT_INTEGRITY_CHECKS"`
 
@@ -66,6 +70,9 @@ type EnvConfigSchema struct {
 	UnixSocketMode  string `env:"UNIX_SOCKET_MODE"`
 	LocalIPv6Ranges string `env:"LOCAL_IPV6_RANGES"`
 
+	TLSCertFile string `env:"TLS_CERT" options:"file"`
+	TLSKeyFile  string `env:"TLS_KEY" options:"file"`
+
 	MaxMindLicenseKey string `env:"MAXMIND_LICENSE_KEY" options:"file"`
 	GeoLiteDBPath     string `env:"GEOLITE_DB_PATH"`
 	GeoLiteDBUrl      string `env:"GEOLITE_DB_URL"`
@@ -103,7 +110,7 @@ func defaultConfig() EnvConfigSchema {
 
 func parseEnvConfig() error {
 	parsers := map[reflect.Type]env.ParserFunc{
-		reflect.TypeOf([]byte{}): func(value string) (interface{}, error) {
+		reflect.TypeFor[[]byte](): func(value string) (any, error) {
 			return []byte(value), nil
 		},
 	}
@@ -126,6 +133,10 @@ func parseEnvConfig() error {
 
 // ValidateEnvConfig checks the EnvConfig for required fields and valid values
 func ValidateEnvConfig(config *EnvConfigSchema) error {
+	if shouldSkipEnvValidation(os.Args) {
+		return nil
+	}
+
 	if _, err := sloggin.ParseLevel(config.LogLevel); err != nil {
 		return errors.New("invalid LOG_LEVEL value. Must be 'debug', 'info', 'warn' or 'error'")
 	}
@@ -134,6 +145,31 @@ func ValidateEnvConfig(config *EnvConfigSchema) error {
 		return errors.New("ENCRYPTION_KEY must be at least 16 bytes long")
 	}
 
+	prepareDbConfig(config)
+
+	if err := validateAppURLs(config); err != nil {
+		return err
+	}
+	if err := validateFileBackend(config); err != nil {
+		return err
+	}
+	if err := validateLocalIPv6Ranges(config.LocalIPv6Ranges); err != nil {
+		return err
+	}
+
+	if config.AuditLogRetentionDays <= 0 {
+		return errors.New("AUDIT_LOG_RETENTION_DAYS must be greater than 0")
+	}
+
+	if config.StaticApiKey != "" && len(config.StaticApiKey) < 16 {
+		return errors.New("STATIC_API_KEY must be at least 16 characters long")
+	}
+
+	return validateTLSConfig(config)
+
+}
+
+func prepareDbConfig(config *EnvConfigSchema) {
 	switch {
 	case config.DbConnectionString == "":
 		config.DbProvider = DbProviderSqlite
@@ -143,66 +179,112 @@ func ValidateEnvConfig(config *EnvConfigSchema) error {
 	default:
 		config.DbProvider = DbProviderSqlite
 	}
+}
 
-	parsedAppUrl, err := url.Parse(config.AppURL)
-	if err != nil {
-		return errors.New("APP_URL is not a valid URL")
-	}
-	if parsedAppUrl.Path != "" {
-		return errors.New("APP_URL must not contain a path")
+func validateAppURLs(config *EnvConfigSchema) error {
+	if err := validateURLWithoutPath(config.AppURL, "APP_URL"); err != nil {
+		return err
 	}
 
 	// Derive INTERNAL_APP_URL from APP_URL if not set; validate only when provided
 	if config.InternalAppURL == "" {
 		config.InternalAppURL = config.AppURL
-	} else {
-		parsedInternalAppUrl, err := url.Parse(config.InternalAppURL)
-		if err != nil {
-			return errors.New("INTERNAL_APP_URL is not a valid URL")
-		}
-		if parsedInternalAppUrl.Path != "" {
-			return errors.New("INTERNAL_APP_URL must not contain a path")
-		}
+		return nil
 	}
 
+	return validateURLWithoutPath(config.InternalAppURL, "INTERNAL_APP_URL")
+}
+
+func validateURLWithoutPath(rawURL, envName string) error {
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil {
+		return fmt.Errorf("%s is not a valid URL", envName)
+	}
+	if parsedURL.Path != "" {
+		return fmt.Errorf("%s must not contain a path", envName)
+	}
+
+	return nil
+}
+
+func validateFileBackend(config *EnvConfigSchema) error {
 	switch config.FileBackend {
 	case "s3", "database":
-		// All good, these are valid values
+		return nil
 	case "", "filesystem":
 		if config.UploadPath == "" {
 			config.UploadPath = defaultFsUploadPath
 		}
+		return nil
 	default:
 		return errors.New("invalid FILE_BACKEND value. Must be 'filesystem', 'database', or 's3'")
 	}
+}
 
-	// Validate LOCAL_IPV6_RANGES
-	ranges := strings.Split(config.LocalIPv6Ranges, ",")
-	for _, rangeStr := range ranges {
+func validateLocalIPv6Ranges(localIPv6Ranges string) error {
+	ranges := strings.SplitSeq(localIPv6Ranges, ",")
+	for rangeStr := range ranges {
 		rangeStr = strings.TrimSpace(rangeStr)
 		if rangeStr == "" {
 			continue
 		}
 
-		_, ipNet, err := net.ParseCIDR(rangeStr)
-		if err != nil {
-			return fmt.Errorf("invalid LOCAL_IPV6_RANGES '%s': %w", rangeStr, err)
+		if err := validateLocalIPv6Range(rangeStr); err != nil {
+			return err
 		}
-
-		if ipNet.IP.To4() != nil {
-			return fmt.Errorf("range '%s' is not a valid IPv6 range", rangeStr)
-		}
-
 	}
 
-	if config.AuditLogRetentionDays <= 0 {
-		return errors.New("AUDIT_LOG_RETENTION_DAYS must be greater than 0")
+	return nil
+}
+
+func validateLocalIPv6Range(rangeStr string) error {
+	_, ipNet, err := net.ParseCIDR(rangeStr)
+	if err != nil {
+		return fmt.Errorf("invalid LOCAL_IPV6_RANGES '%s': %w", rangeStr, err)
+	}
+
+	if ipNet.IP.To4() != nil {
+		return fmt.Errorf("range '%s' is not a valid IPv6 range", rangeStr)
+	}
+
+	return nil
+}
+
+func validateTLSConfig(config *EnvConfigSchema) error {
+	switch {
+	case config.TLSCertFile != "" && config.TLSKeyFile == "":
+		return errors.New("TLS_KEY_FILE must be set when TLS_CERT_FILE is set")
+	case config.TLSCertFile == "" && config.TLSKeyFile != "":
+		return errors.New("TLS_CERT_FILE must be set when TLS_KEY_FILE is set")
+	}
+
+	if config.TLSCertFile != "" && config.TLSKeyFile != "" {
+		if _, err := os.Stat(config.TLSCertFile); err != nil {
+			return fmt.Errorf("TLS_CERT_FILE not found: %w", err)
+		}
+	}
+
+	if config.TLSCertFile != "" && config.TLSKeyFile != "" {
+		if _, err := os.Stat(config.TLSKeyFile); err != nil {
+			return fmt.Errorf("TLS_KEY_FILE not found: %w", err)
+		}
 	}
 
 	return nil
 
 }
 
+func shouldSkipEnvValidation(args []string) bool {
+	for _, arg := range args[1:] {
+		switch arg {
+		case "-h", "--help", "help", "version":
+			return true
+		}
+	}
+
+	return false
+}
+
 // prepareEnvConfig processes special options for EnvConfig fields
 func prepareEnvConfig(config *EnvConfigSchema) error {
 	val := reflect.ValueOf(config).Elem()
@@ -213,9 +295,9 @@ func prepareEnvConfig(config *EnvConfigSchema) error {
 		fieldType := typ.Field(i)
 
 		optionsTag := fieldType.Tag.Get("options")
-		options := strings.Split(optionsTag, ",")
+		options := strings.SplitSeq(optionsTag, ",")
 
-		for _, option := range options {
+		for option := range options {
 			switch option {
 			case "toLower":
 				if field.Kind() == reflect.String {
@@ -265,6 +347,7 @@ func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructFi
 		return nil
 	}
 
+	// #nosec G703 - Path is passed by the admin
 	fileContent, err := os.ReadFile(envVarFileValue)
 	if err != nil {
 		return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)

backend/internal/common/env_config_test.go

@@ -207,6 +207,58 @@ func TestParseEnvConfig(t *testing.T) {
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "invalid FILE_BACKEND value")
 	})
+
+	t.Run("should fail when TLS cert is set without key", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("TLS_CERT", "/path/to/cert.pem")
+
+		err := parseAndValidateEnvConfig(t)
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "TLS_KEY_FILE must be set when TLS_CERT_FILE is set")
+	})
+
+	t.Run("should fail when TLS key is set without cert", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("TLS_KEY", "/path/to/key.pem")
+
+		err := parseAndValidateEnvConfig(t)
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "TLS_CERT_FILE must be set when TLS_KEY_FILE is set")
+	})
+
+	t.Run("should fail when TLS cert file does not exist", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+		t.Setenv("TLS_CERT", "/nonexistent/cert.pem")
+
+		keyFile := t.TempDir() + "/key.pem"
+		require.NoError(t, os.WriteFile(keyFile, []byte("key"), 0600))
+		t.Setenv("TLS_KEY", keyFile)
+
+		err := parseAndValidateEnvConfig(t)
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "TLS_CERT_FILE not found")
+	})
+
+	t.Run("should fail when TLS key file does not exist", func(t *testing.T) {
+		EnvConfig = defaultConfig()
+		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
+		t.Setenv("APP_URL", "http://localhost:3000")
+
+		certFile := t.TempDir() + "/cert.pem"
+		require.NoError(t, os.WriteFile(certFile, []byte("cert"), 0600))
+		t.Setenv("TLS_CERT", certFile)
+		t.Setenv("TLS_KEY", "/nonexistent/key.pem")
+
+		err := parseAndValidateEnvConfig(t)
+		require.Error(t, err)
+		assert.ErrorContains(t, err, "TLS_KEY_FILE not found")
+	})
 }
 
 func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
@@ -220,7 +272,7 @@ func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 	require.NoError(t, err)
 
 	dbConnFile := tempDir + "/db_connection.txt"
-	dbConnContent := "postgres://user:pass@localhost/testdb"
+	dbConnContent := "postgres://user:pass@localhost/testdb" // #nosec G101 - test credential
 	err = os.WriteFile(dbConnFile, []byte(dbConnContent), 0600)
 	require.NoError(t, err)
 
@@ -254,4 +306,26 @@ func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, binaryKeyContent, config.EncryptionKey)
 	})
+
+	t.Run("should load TLS cert and key file contents", func(t *testing.T) {
+		config := defaultConfig()
+
+		certFile := tempDir + "/cert.pem"
+		certContent := "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----"
+		err := os.WriteFile(certFile, []byte(certContent), 0600)
+		require.NoError(t, err)
+
+		keyFile := tempDir + "/key.pem"
+		keyContent := "-----BEGIN PRIVATE KEY-----\ntest\n-----END PRIVATE KEY-----"
+		err = os.WriteFile(keyFile, []byte(keyContent), 0600)
+		require.NoError(t, err)
+
+		t.Setenv("TLS_CERT_FILE", certFile)
+		t.Setenv("TLS_KEY_FILE", keyFile)
+
+		err = prepareEnvConfig(&config)
+		require.NoError(t, err)
+		assert.Equal(t, certContent, config.TLSCertFile)
+		assert.Equal(t, keyContent, config.TLSKeyFile)
+	})
 }

backend/internal/common/errors.go

@@ -8,400 +8,386 @@ import (
 
 type AppError interface {
 	error
+
 	HttpStatusCode() int
 }
 
+type AppErrorDescription interface {
+	AppError
+
+	Description() string
+}
+
 // Custom error types for various conditions
 
 type AlreadyInUseError struct {
 	Property string
 }
 
-func (e *AlreadyInUseError) Error() string {
+func (e AlreadyInUseError) Error() string {
 	return e.Property + " is already in use"
 }
-func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
+func (e AlreadyInUseError) HttpStatusCode() int { return http.StatusBadRequest }
 
-func (e *AlreadyInUseError) Is(target error) bool {
+func (e AlreadyInUseError) Is(target error) bool {
 	// Ignore the field property when checking if an error is of the type AlreadyInUseError
 	x := &AlreadyInUseError{}
 	return errors.As(target, &x)
 }
 
-type SetupAlreadyCompletedError struct{}
+type SetupNotAvailableError struct{}
 
-func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
-func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 }
+func (e SetupNotAvailableError) Error() string       { return "not found" }
+func (e SetupNotAvailableError) HttpStatusCode() int { return http.StatusNotFound }
 
 type TokenInvalidOrExpiredError struct{}
 
-func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
-func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }
+func (e TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
+func (e TokenInvalidOrExpiredError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type DeviceCodeInvalid struct{}
 
-func (e *DeviceCodeInvalid) Error() string {
+func (e DeviceCodeInvalid) Error() string {
 	return "one time access code must be used on the device it was generated for"
 }
-func (e *DeviceCodeInvalid) HttpStatusCode() int { return 400 }
+func (e DeviceCodeInvalid) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type TokenInvalidError struct{}
 
-func (e *TokenInvalidError) Error() string {
-	return "Token is invalid"
-}
-func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+func (e TokenInvalidError) Error() string       { return "Token is invalid" }
+func (e TokenInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type OidcMissingAuthorizationError struct{}
 
-func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
-func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.StatusForbidden }
+func (e OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
+func (e OidcMissingAuthorizationError) HttpStatusCode() int { return http.StatusForbidden }
 
 type OidcGrantTypeNotSupportedError struct{}
 
-func (e *OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
-func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 }
+func (e OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
+func (e OidcGrantTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcMissingClientCredentialsError struct{}
 
-func (e *OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
-func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 }
+func (e OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
+func (e OidcMissingClientCredentialsError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcClientSecretInvalidError struct{}
 
-func (e *OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
-func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 }
+func (e OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
+func (e OidcClientSecretInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type OidcClientAssertionInvalidError struct{}
 
-func (e *OidcClientAssertionInvalidError) Error() string       { return "invalid client assertion" }
-func (e *OidcClientAssertionInvalidError) HttpStatusCode() int { return 400 }
+func (e OidcClientAssertionInvalidError) Error() string       { return "invalid client assertion" }
+func (e OidcClientAssertionInvalidError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type OidcInvalidAuthorizationCodeError struct{}
 
-func (e *OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
-func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
+func (e OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
+func (e OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcClientNotFoundError struct{}
+
+func (e OidcClientNotFoundError) Error() string       { return "client not found" }
+func (e OidcClientNotFoundError) HttpStatusCode() int { return http.StatusNotFound }
 
 type OidcMissingCallbackURLError struct{}
 
-func (e *OidcMissingCallbackURLError) Error() string {
+func (e OidcMissingCallbackURLError) Error() string {
 	return "unable to detect callback url, it might be necessary for an admin to fix this"
 }
-func (e *OidcMissingCallbackURLError) HttpStatusCode() int { return 400 }
+func (e OidcMissingCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcInvalidCallbackURLError struct{}
 
-func (e *OidcInvalidCallbackURLError) Error() string {
+func (e OidcInvalidCallbackURLError) Error() string {
 	return "invalid callback URL, it might be necessary for an admin to fix this"
 }
-func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
+func (e OidcInvalidCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type FileTypeNotSupportedError struct{}
 
-func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
-func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
+func (e FileTypeNotSupportedError) Error() string       { return "file type not supported" }
+func (e FileTypeNotSupportedError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type FileTooLargeError struct {
 	MaxSize string
 }
 
-func (e *FileTooLargeError) Error() string {
+func (e FileTooLargeError) Error() string {
 	return fmt.Sprintf("The file can't be larger than %s", e.MaxSize)
 }
-func (e *FileTooLargeError) HttpStatusCode() int { return http.StatusRequestEntityTooLarge }
+func (e FileTooLargeError) HttpStatusCode() int { return http.StatusRequestEntityTooLarge }
 
 type NotSignedInError struct{}
 
-func (e *NotSignedInError) Error() string       { return "You are not signed in" }
-func (e *NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }
+func (e NotSignedInError) Error() string       { return "You are not signed in" }
+func (e NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type MissingAccessToken struct{}
 
-func (e *MissingAccessToken) Error() string       { return "Missing access token" }
-func (e *MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
+func (e MissingAccessToken) Error() string       { return "Missing access token" }
+func (e MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type MissingPermissionError struct{}
 
-func (e *MissingPermissionError) Error() string {
+func (e MissingPermissionError) Error() string {
 	return "You don't have permission to perform this action"
 }
-func (e *MissingPermissionError) HttpStatusCode() int { return http.StatusForbidden }
+func (e MissingPermissionError) HttpStatusCode() int { return http.StatusForbidden }
 
 type TooManyRequestsError struct{}
 
-func (e *TooManyRequestsError) Error() string {
-	return "Too many requests"
-}
-func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
+func (e TooManyRequestsError) Error() string       { return "Too many requests" }
+func (e TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
+
+type UserIdNotProvidedError struct{}
+
+func (e UserIdNotProvidedError) Error() string       { return "User id not provided" }
+func (e UserIdNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UserNotFoundError struct{}
+
+func (e UserNotFoundError) Error() string       { return "User not found" }
+func (e UserNotFoundError) HttpStatusCode() int { return http.StatusNotFound }
 
 type ClientIdOrSecretNotProvidedError struct{}
 
-func (e *ClientIdOrSecretNotProvidedError) Error() string {
-	return "Client id or secret not provided"
-}
-func (e *ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e ClientIdOrSecretNotProvidedError) Error() string       { return "Client id or secret not provided" }
+func (e ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type WrongFileTypeError struct {
 	ExpectedFileType string
 }
 
-func (e *WrongFileTypeError) Error() string {
+func (e WrongFileTypeError) Error() string {
 	return fmt.Sprintf("File must be of type %s", e.ExpectedFileType)
 }
-func (e *WrongFileTypeError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e WrongFileTypeError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type MissingSessionIdError struct{}
 
-func (e *MissingSessionIdError) Error() string {
-	return "Missing session id"
-}
-func (e *MissingSessionIdError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e MissingSessionIdError) Error() string       { return "Missing session id" }
+func (e MissingSessionIdError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type ReservedClaimError struct {
 	Key string
 }
 
-func (e *ReservedClaimError) Error() string {
+func (e ReservedClaimError) Error() string {
 	return fmt.Sprintf("Claim %s is reserved and can't be used", e.Key)
 }
-func (e *ReservedClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e ReservedClaimError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type DuplicateClaimError struct {
 	Key string
 }
 
-func (e *DuplicateClaimError) Error() string {
+func (e DuplicateClaimError) Error() string {
 	return fmt.Sprintf("Claim %s is already defined", e.Key)
 }
-func (e *DuplicateClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e DuplicateClaimError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcInvalidCodeVerifierError struct{}
 
-func (e *OidcInvalidCodeVerifierError) Error() string {
-	return "Invalid code verifier"
-}
-func (e *OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OidcInvalidCodeVerifierError) Error() string       { return "Invalid code verifier" }
+func (e OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcMissingCodeChallengeError struct{}
 
-func (e *OidcMissingCodeChallengeError) Error() string {
-	return "Missing code challenge"
-}
-func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OidcMissingCodeChallengeError) Error() string       { return "Missing code challenge" }
+func (e OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type LdapUserUpdateError struct{}
 
-func (e *LdapUserUpdateError) Error() string {
-	return "LDAP users can't be updated"
-}
-func (e *LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+func (e LdapUserUpdateError) Error() string       { return "LDAP users can't be updated" }
+func (e LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
 
 type LdapUserGroupUpdateError struct{}
 
-func (e *LdapUserGroupUpdateError) Error() string {
-	return "LDAP user groups can't be updated"
-}
-func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+func (e LdapUserGroupUpdateError) Error() string       { return "LDAP user groups can't be updated" }
+func (e LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
 
 type OidcAccessDeniedError struct{}
 
-func (e *OidcAccessDeniedError) Error() string {
-	return "You're not allowed to access this service"
-}
-func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+func (e OidcAccessDeniedError) Error() string       { return "You're not allowed to access this service" }
+func (e OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
 
 type OidcClientIdNotMatchingError struct{}
 
-func (e *OidcClientIdNotMatchingError) Error() string {
+func (e OidcClientIdNotMatchingError) Error() string {
 	return "Client id in request doesn't match client id in token"
 }
-func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcNoCallbackURLError struct{}
 
-func (e *OidcNoCallbackURLError) Error() string {
+func (e OidcNoCallbackURLError) Error() string {
 	return "No callback URL provided"
 }
-func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type UiConfigDisabledError struct{}
 
-func (e *UiConfigDisabledError) Error() string {
+func (e UiConfigDisabledError) Error() string {
 	return "The configuration can't be changed since the UI configuration is disabled"
 }
-func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+func (e UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
 
 type InvalidUUIDError struct{}
 
-func (e *InvalidUUIDError) Error() string {
-	return "Invalid UUID"
-}
-func (e *InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e InvalidUUIDError) Error() string       { return "Invalid UUID" }
+func (e InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OneTimeAccessDisabledError struct{}
 
-func (e *OneTimeAccessDisabledError) Error() string {
-	return "One-time access is disabled"
-}
-func (e *OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OneTimeAccessDisabledError) Error() string       { return "One-time access is disabled" }
+func (e OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type InvalidAPIKeyError struct{}
 
-func (e *InvalidAPIKeyError) Error() string {
-	return "Invalid Api Key"
-}
-func (e *InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }
+func (e InvalidAPIKeyError) Error() string       { return "Invalid Api Key" }
+func (e InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type NoAPIKeyProvidedError struct{}
 
-func (e *NoAPIKeyProvidedError) Error() string {
-	return "No API Key Provided"
-}
-func (e *NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }
+func (e NoAPIKeyProvidedError) Error() string       { return "No API Key Provided" }
+func (e NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type APIKeyNotFoundError struct{}
 
-func (e *APIKeyNotFoundError) Error() string {
-	return "API Key Not Found"
-}
-func (e *APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }
+func (e APIKeyNotFoundError) Error() string       { return "API Key Not Found" }
+func (e APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type APIKeyNotExpiredError struct{}
+
+func (e APIKeyNotExpiredError) Error() string       { return "API Key is not expired yet" }
+func (e APIKeyNotExpiredError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type APIKeyExpirationDateError struct{}
 
-func (e *APIKeyExpirationDateError) Error() string {
+func (e APIKeyExpirationDateError) Error() string {
 	return "API Key expiration time must be in the future"
 }
-func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type APIKeyAuthNotAllowedError struct{}
+
+func (e APIKeyAuthNotAllowedError) Error() string {
+	return "API key authentication is not allowed for this endpoint"
+}
+func (e APIKeyAuthNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
 
 type OidcInvalidRefreshTokenError struct{}
 
-func (e *OidcInvalidRefreshTokenError) Error() string {
-	return "refresh token is invalid or expired"
-}
-func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcInvalidRefreshTokenError) Error() string       { return "refresh token is invalid or expired" }
+func (e OidcInvalidRefreshTokenError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcMissingRefreshTokenError struct{}
 
-func (e *OidcMissingRefreshTokenError) Error() string {
-	return "refresh token is required"
-}
-func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcMissingRefreshTokenError) Error() string       { return "refresh token is required" }
+func (e OidcMissingRefreshTokenError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcMissingAuthorizationCodeError struct{}
 
-func (e *OidcMissingAuthorizationCodeError) Error() string {
-	return "authorization code is required"
-}
-func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcMissingAuthorizationCodeError) Error() string       { return "authorization code is required" }
+func (e OidcMissingAuthorizationCodeError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type UserDisabledError struct{}
 
-func (e *UserDisabledError) Error() string {
-	return "User account is disabled"
-}
-func (e *UserDisabledError) HttpStatusCode() int {
-	return http.StatusForbidden
-}
+func (e UserDisabledError) Error() string       { return "User account is disabled" }
+func (e UserDisabledError) HttpStatusCode() int { return http.StatusForbidden }
 
-type ValidationError struct {
-	Message string
-}
+type ValidationError struct{ Message string }
 
-func (e *ValidationError) Error() string {
-	return e.Message
-}
+func (e ValidationError) Error() string { return e.Message }
 
-func (e *ValidationError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e ValidationError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcDeviceCodeExpiredError struct{}
 
-func (e *OidcDeviceCodeExpiredError) Error() string {
-	return "device code has expired"
-}
-func (e *OidcDeviceCodeExpiredError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcDeviceCodeExpiredError) Error() string       { return "device code has expired" }
+func (e OidcDeviceCodeExpiredError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcInvalidDeviceCodeError struct{}
 
-func (e *OidcInvalidDeviceCodeError) Error() string {
-	return "invalid device code"
-}
-func (e *OidcInvalidDeviceCodeError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcInvalidDeviceCodeError) Error() string       { return "invalid device code" }
+func (e OidcInvalidDeviceCodeError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type OidcSlowDownError struct{}
 
-func (e *OidcSlowDownError) Error() string {
-	return "polling too frequently"
-}
-func (e *OidcSlowDownError) HttpStatusCode() int {
-	return http.StatusTooManyRequests
-}
+func (e OidcSlowDownError) Error() string       { return "polling too frequently" }
+func (e OidcSlowDownError) HttpStatusCode() int { return http.StatusTooManyRequests }
 
 type OidcAuthorizationPendingError struct{}
 
-func (e *OidcAuthorizationPendingError) Error() string {
-	return "authorization is still pending"
-}
-func (e *OidcAuthorizationPendingError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e OidcAuthorizationPendingError) Error() string       { return "authorization is still pending" }
+func (e OidcAuthorizationPendingError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type ReauthenticationRequiredError struct{}
 
-func (e *ReauthenticationRequiredError) Error() string {
-	return "reauthentication required"
-}
-func (e *ReauthenticationRequiredError) HttpStatusCode() int {
-	return http.StatusUnauthorized
-}
+func (e ReauthenticationRequiredError) Error() string       { return "reauthentication required" }
+func (e ReauthenticationRequiredError) HttpStatusCode() int { return http.StatusUnauthorized }
 
 type OpenSignupDisabledError struct{}
 
-func (e *OpenSignupDisabledError) Error() string {
-	return "Open user signup is not enabled"
-}
+func (e OpenSignupDisabledError) Error() string { return "Open user signup is not enabled" }
 
-func (e *OpenSignupDisabledError) HttpStatusCode() int {
-	return http.StatusForbidden
-}
+func (e OpenSignupDisabledError) HttpStatusCode() int { return http.StatusForbidden }
 
 type ClientIdAlreadyExistsError struct{}
 
-func (e *ClientIdAlreadyExistsError) Error() string {
-	return "Client ID already in use"
-}
+func (e ClientIdAlreadyExistsError) Error() string { return "Client ID already in use" }
 
-func (e *ClientIdAlreadyExistsError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e ClientIdAlreadyExistsError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type UserEmailNotSetError struct{}
 
-func (e *UserEmailNotSetError) Error() string {
-	return "The user does not have an email address set"
-}
+func (e UserEmailNotSetError) Error() string { return "The user does not have an email address set" }
 
-func (e *UserEmailNotSetError) HttpStatusCode() int {
-	return http.StatusBadRequest
-}
+func (e UserEmailNotSetError) HttpStatusCode() int { return http.StatusBadRequest }
 
 type ImageNotFoundError struct{}
 
-func (e *ImageNotFoundError) Error() string {
-	return "Image not found"
+func (e ImageNotFoundError) Error() string { return "Image not found" }
+
+func (e ImageNotFoundError) HttpStatusCode() int { return http.StatusNotFound }
+
+type InvalidEmailVerificationTokenError struct{}
+
+func (e InvalidEmailVerificationTokenError) Error() string { return "Invalid email verification token" }
+
+func (e InvalidEmailVerificationTokenError) HttpStatusCode() int { return http.StatusBadRequest }
+
+// OIDC prompt parameter errors - used for redirect error responses
+
+type OidcLoginRequiredError struct{}
+
+func (e OidcLoginRequiredError) Error() string       { return "login_required" }
+func (e OidcLoginRequiredError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcConsentRequiredError struct{}
+
+func (e OidcConsentRequiredError) Error() string       { return "consent_required" }
+func (e OidcConsentRequiredError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcInteractionRequiredError struct{}
+
+func (e OidcInteractionRequiredError) Error() string       { return "interaction_required" }
+func (e OidcInteractionRequiredError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcInvalidRequestError struct{ description string }
+
+func NewOidcInvalidRequestError(description string) *OidcInvalidRequestError {
+	return &OidcInvalidRequestError{description: description}
 }
 
-func (e *ImageNotFoundError) HttpStatusCode() int {
-	return http.StatusNotFound
-}
+func (e OidcInvalidRequestError) Error() string       { return "invalid_request" }
+func (e OidcInvalidRequestError) HttpStatusCode() int { return http.StatusBadRequest }
+func (e OidcInvalidRequestError) Description() string { return e.description }
+
+type OidcAccountSelectionRequiredError struct{}
+
+func (e OidcAccountSelectionRequiredError) Error() string       { return "account_selection_required" }
+func (e OidcAccountSelectionRequiredError) HttpStatusCode() int { return http.StatusBadRequest }

backend/internal/controller/api_key_controller.go

@@ -26,11 +26,11 @@ func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.Auth
 	uc := &ApiKeyController{apiKeyService: apiKeyService}
 
 	apiKeyGroup := group.Group("/api-keys")
-	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
 	{
-		apiKeyGroup.GET("", uc.listApiKeysHandler)
-		apiKeyGroup.POST("", uc.createApiKeyHandler)
-		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+		apiKeyGroup.GET("", authMiddleware.WithAdminNotRequired().Add(), uc.listApiKeysHandler)
+		apiKeyGroup.POST("", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.createApiKeyHandler)
+		apiKeyGroup.POST("/:id/renew", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), uc.renewApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", authMiddleware.WithAdminNotRequired().Add(), uc.revokeApiKeyHandler)
 	}
 }
 
@@ -101,6 +101,41 @@ func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
 	})
 }
 
+// renewApiKeyHandler godoc
+// @Summary Renew API key
+// @Description Renew an existing API key by ID
+// @Tags API Keys
+// @Param id path string true "API Key ID"
+// @Success 200 {object} dto.ApiKeyResponseDto "Renewed API key with new token"
+// @Router /api/api-keys/{id}/renew [post]
+func (c *ApiKeyController) renewApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+	apiKeyID := ctx.Param("id")
+
+	var input dto.ApiKeyRenewDto
+	if err := dto.ShouldBindWithNormalizedJSON(ctx, &input); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKey, token, err := c.apiKeyService.RenewApiKey(ctx.Request.Context(), userID, apiKeyID, input.ExpiresAt.ToTime())
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeyDto dto.ApiKeyDto
+	if err := dto.MapStruct(apiKey, &apiKeyDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, dto.ApiKeyResponseDto{
+		ApiKey: apiKeyDto,
+		Token:  token,
+	})
+}
+
 // revokeApiKeyHandler godoc
 // @Summary Revoke API key
 // @Description Revoke (delete) an existing API key by ID

backend/internal/controller/app_config_controller.go

@@ -49,7 +49,7 @@ type AppConfigController struct {
 // @Accept json
 // @Produce json
 // @Success 200 {array} dto.PublicAppConfigVariableDto
-// @Router /application-configuration [get]
+// @Router /api/application-configuration [get]
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
 	configuration := acc.appConfigService.ListAppConfig(false)
 
@@ -76,7 +76,7 @@ func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
 // @Accept json
 // @Produce json
 // @Success 200 {array} dto.AppConfigVariableDto
-// @Router /application-configuration/all [get]
+// @Router /api/application-configuration/all [get]
 func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
 	configuration := acc.appConfigService.ListAppConfig(true)
 

backend/internal/controller/app_images_controller.go

@@ -2,7 +2,9 @@ package controller
 
 import (
 	"net/http"
+	"slices"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -34,6 +36,7 @@ func NewAppImagesController(
 	group.PUT("/application-images/favicon", authMiddleware.Add(), controller.updateFaviconHandler)
 	group.PUT("/application-images/default-profile-picture", authMiddleware.Add(), controller.updateDefaultProfilePicture)
 
+	group.DELETE("/application-images/background", authMiddleware.Add(), controller.deleteBackgroundImageHandler)
 	group.DELETE("/application-images/default-profile-picture", authMiddleware.Add(), controller.deleteDefaultProfilePicture)
 }
 
@@ -192,12 +195,27 @@ func (c *AppImagesController) updateBackgroundImageHandler(ctx *gin.Context) {
 	ctx.Status(http.StatusNoContent)
 }
 
+// deleteBackgroundImageHandler godoc
+// @Summary Delete background image
+// @Description Delete the application background image
+// @Tags Application Images
+// @Success 204 "No Content"
+// @Router /api/application-images/background [delete]
+func (c *AppImagesController) deleteBackgroundImageHandler(ctx *gin.Context) {
+	if err := c.appImagesService.DeleteImage(ctx.Request.Context(), "background"); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
+
 // updateFaviconHandler godoc
 // @Summary Update favicon
 // @Description Update the application favicon
 // @Tags Application Images
 // @Accept multipart/form-data
-// @Param file formData file true "Favicon file (.ico)"
+// @Param file formData file true "Favicon file (.svg/.png/.ico)"
 // @Success 204 "No Content"
 // @Router /api/application-images/favicon [put]
 func (c *AppImagesController) updateFaviconHandler(ctx *gin.Context) {
@@ -208,8 +226,9 @@ func (c *AppImagesController) updateFaviconHandler(ctx *gin.Context) {
 	}
 
 	fileType := utils.GetFileExtension(file.Filename)
-	if fileType != "ico" {
-		_ = ctx.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
+	mimeType := utils.GetImageMimeType(strings.ToLower(fileType))
+	if !slices.Contains([]string{"image/svg+xml", "image/png", "image/x-icon"}, mimeType) {
+		_ = ctx.Error(&common.WrongFileTypeError{ExpectedFileType: ".svg or .png or .ico"})
 		return
 	}
 

backend/internal/controller/audit_log_controller.go

@@ -63,6 +63,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	// Add device information to the logs
 	for i, logsDto := range logsDtos {
 		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDto.ActorUsername = logsDto.Data["actorUsername"]
 		logsDtos[i] = logsDto
 	}
 
@@ -101,6 +102,7 @@ func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
 	for i, logsDto := range logsDtos {
 		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
 		logsDto.Username = logs[i].User.Username
+		logsDto.ActorUsername = logsDto.Data["actorUsername"]
 		logsDtos[i] = logsDto
 	}
 

backend/internal/controller/oidc_controller.go

@@ -1,6 +1,7 @@
 package controller
 
 import (
+	"context"
 	"errors"
 	"log/slog"
 	"net/http"
@@ -24,7 +25,11 @@ import (
 // @Description Initializes all OIDC-related API endpoints for authentication and client management
 // @Tags OIDC
 func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
-	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}
+	oc := &OidcController{
+		oidcService:  oidcService,
+		jwtService:   jwtService,
+		createTokens: oidcService.CreateTokens,
+	}
 
 	group.POST("/oidc/authorize", authMiddleware.WithAdminNotRequired().Add(), oc.authorizeHandler)
 	group.POST("/oidc/authorization-required", authMiddleware.WithAdminNotRequired().Add(), oc.authorizationConfirmationRequiredHandler)
@@ -47,7 +52,7 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/oidc/clients/:id/secret", authMiddleware.Add(), oc.createClientSecretHandler)
 
 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
-	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
+	group.DELETE("/oidc/clients/:id/logo", authMiddleware.Add(), oc.deleteClientLogoHandler)
 	group.POST("/oidc/clients/:id/logo", authMiddleware.Add(), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
 
 	group.GET("/oidc/clients/:id/preview/:userId", authMiddleware.Add(), oc.getClientPreviewHandler)
@@ -68,8 +73,9 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 }
 
 type OidcController struct {
-	oidcService *service.OidcService
-	jwtService  *service.JwtService
+	oidcService  *service.OidcService
+	jwtService   *service.JwtService
+	createTokens func(context.Context, dto.OidcCreateTokensDto) (service.CreatedTokens, error)
 }
 
 // authorizeHandler godoc
@@ -83,13 +89,29 @@ type OidcController struct {
 // @Router /api/oidc/authorize [post]
 func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	var input dto.AuthorizeOidcClientRequestDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 
-	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	code, callbackURL, err := oc.oidcService.Authorize(
+		c.Request.Context(),
+		input,
+		c.GetString("userID"),
+		c.GetString("authenticationMethod"),
+		c.ClientIP(),
+		c.Request.UserAgent(),
+	)
 	if err != nil {
+		// Check if this is a prompt-related error that should be returned as a redirect error
+		if isOidcPromptError(err) {
+			c.JSON(http.StatusOK, gin.H{
+				"error":            err.Error(),
+				"requiresRedirect": true,
+			})
+			return
+		}
 		_ = c.Error(err)
 		return
 	}
@@ -103,6 +125,19 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 
+// isOidcPromptError checks if an error is a prompt-related OIDC error that should trigger a redirect
+func isOidcPromptError(err error) bool {
+	var loginReq *common.OidcLoginRequiredError
+	var consentReq *common.OidcConsentRequiredError
+	var interactionReq *common.OidcInteractionRequiredError
+	var accountSelectionReq *common.OidcAccountSelectionRequiredError
+
+	return errors.As(err, &loginReq) ||
+		errors.As(err, &consentReq) ||
+		errors.As(err, &interactionReq) ||
+		errors.As(err, &accountSelectionReq)
+}
+
 // authorizationConfirmationRequiredHandler godoc
 // @Summary Check if authorization confirmation is required
 // @Description Check if the user needs to confirm authorization for the client
@@ -144,8 +179,13 @@ func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Contex
 // @Success 200 {object} dto.OidcTokenResponseDto "Token response with access_token and optional id_token and refresh_token"
 // @Router /api/oidc/token [post]
 func (oc *OidcController) createTokensHandler(c *gin.Context) {
+	// Per RFC-6749, parameters passed to the /token endpoint MUST be passed in the body of the request
+	// Gin's "ShouldBind" by default reads from the query string too, so we need to reset all query string args before invoking ShouldBind
+	c.Request.URL.RawQuery = ""
+
 	var input dto.OidcCreateTokensDto
-	if err := c.ShouldBind(&input); err != nil {
+	err := c.ShouldBind(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -164,10 +204,10 @@ func (oc *OidcController) createTokensHandler(c *gin.Context) {
 
 	// Client id and secret can also be passed over the Authorization header
 	if input.ClientID == "" && input.ClientSecret == "" {
-		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
+		input.ClientID, input.ClientSecret, _ = utils.OAuthClientBasicAuth(c.Request)
 	}
 
-	tokens, err := oc.oidcService.CreateTokens(c.Request.Context(), input)
+	tokens, err := oc.createTokens(c.Request.Context(), input)
 
 	switch {
 	case errors.Is(err, &common.OidcAuthorizationPendingError{}):
@@ -322,13 +362,15 @@ func (oc *OidcController) introspectTokenHandler(c *gin.Context) {
 		creds service.ClientAuthCredentials
 		ok    bool
 	)
-	creds.ClientID, creds.ClientSecret, ok = c.Request.BasicAuth()
+	creds.ClientID, creds.ClientSecret, ok = utils.OAuthClientBasicAuth(c.Request)
 	if !ok {
-		// If there's no basic auth, check if we have a bearer token
+		// If there's no basic auth, check if we have a bearer token (used as client assertion)
 		bearer, ok := utils.BearerAuth(c.Request)
 		if ok {
 			creds.ClientAssertionType = service.ClientAssertionTypeJWTBearer
 			creds.ClientAssertion = bearer
+			// When using client assertions, client_id can be passed as a form field
+			creds.ClientID = input.ClientID
 		}
 	}
 
@@ -651,15 +693,20 @@ func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
 }
 
 func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) {
+	// Per RFC 8628 (OAuth 2.0 Device Authorization Grant), parameters for the device authorization request MUST be sent in the body of the POST request
+	// Gin's "ShouldBind" by default reads from the query string too, so we need to reset all query string args before invoking ShouldBind
+	c.Request.URL.RawQuery = ""
+
 	var input dto.OidcDeviceAuthorizationRequestDto
-	if err := c.ShouldBind(&input); err != nil {
+	err := c.ShouldBind(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 
 	// Client id and secret can also be passed over the Authorization header
 	if input.ClientID == "" && input.ClientSecret == "" {
-		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
+		input.ClientID, input.ClientSecret, _ = utils.OAuthClientBasicAuth(c.Request)
 	}
 
 	response, err := oc.oidcService.CreateDeviceAuthorization(c.Request.Context(), input)
@@ -783,7 +830,14 @@ func (oc *OidcController) verifyDeviceCodeHandler(c *gin.Context) {
 	ipAddress := c.ClientIP()
 	userAgent := c.Request.UserAgent()
 
-	err := oc.oidcService.VerifyDeviceCode(c.Request.Context(), userCode, c.GetString("userID"), ipAddress, userAgent)
+	err := oc.oidcService.VerifyDeviceCode(
+		c.Request.Context(),
+		userCode,
+		c.GetString("userID"),
+		c.GetString("authenticationMethod"),
+		ipAddress,
+		userAgent)
+
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -839,7 +893,13 @@ func (oc *OidcController) getClientPreviewHandler(c *gin.Context) {
 		return
 	}
 
-	preview, err := oc.oidcService.GetClientPreview(c.Request.Context(), clientID, userID, strings.Split(scopes, " "))
+	preview, err := oc.oidcService.GetClientPreview(
+		c.Request.Context(),
+		clientID,
+		userID,
+		strings.Split(scopes, " "),
+		c.GetString("authenticationMethod"))
+
 	if err != nil {
 		_ = c.Error(err)
 		return

backend/internal/controller/oidc_controller_test.go

@@ -0,0 +1,227 @@
+package controller
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+func TestCreateTokensHandler(t *testing.T) {
+	createTestContext := func(t *testing.T, rawURL string, form url.Values, authHeader string, noCT bool) (*gin.Context, *httptest.ResponseRecorder) {
+		t.Helper()
+
+		mode := gin.Mode()
+		gin.SetMode(gin.TestMode)
+		t.Cleanup(func() { gin.SetMode(mode) })
+
+		recorder := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(recorder)
+
+		req, err := http.NewRequestWithContext(t.Context(), http.MethodPost, rawURL, strings.NewReader(form.Encode()))
+		require.NoError(t, err)
+
+		if !noCT {
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		}
+		if authHeader != "" {
+			req.Header.Set("Authorization", authHeader)
+		}
+
+		c.Request = req
+		return c, recorder
+	}
+
+	t.Run("Ignores Query String Parameters For Binding", func(t *testing.T) {
+		oc := &OidcController{}
+
+		c, _ := createTestContext(
+			t,
+			"http://example.com/oidc/token?grant_type=refresh_token&refresh_token=query-value",
+			url.Values{},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Len(t, c.Errors, 1)
+		assert.Contains(t, c.Errors[0].Err.Error(), "GrantType")
+	})
+
+	t.Run("Missing Authorization Code", func(t *testing.T) {
+		oc := &OidcController{}
+
+		c, _ := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type": {service.GrantTypeAuthorizationCode},
+			},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Len(t, c.Errors, 1)
+		var missingCodeErr *common.OidcMissingAuthorizationCodeError
+		require.ErrorAs(t, c.Errors[0].Err, &missingCodeErr)
+	})
+
+	t.Run("Missing Refresh Token", func(t *testing.T) {
+		oc := &OidcController{}
+
+		c, _ := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type": {service.GrantTypeRefreshToken},
+			},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Len(t, c.Errors, 1)
+		var missingRefreshErr *common.OidcMissingRefreshTokenError
+		require.ErrorAs(t, c.Errors[0].Err, &missingRefreshErr)
+	})
+
+	t.Run("Uses Basic Auth Credentials When Body Credentials Missing", func(t *testing.T) {
+		var capturedInput dto.OidcCreateTokensDto
+		oc := &OidcController{
+			createTokens: func(_ context.Context, input dto.OidcCreateTokensDto) (service.CreatedTokens, error) {
+				capturedInput = input
+				return service.CreatedTokens{
+					AccessToken:  "access-token",
+					IdToken:      "id-token",
+					RefreshToken: "refresh-token",
+					ExpiresIn:    2 * time.Minute,
+				}, nil
+			},
+		}
+
+		basicAuth := "Basic " + base64.StdEncoding.EncodeToString([]byte("client-id:client-secret"))
+		c, recorder := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type":    {service.GrantTypeRefreshToken},
+				"refresh_token": {"input-refresh-token"},
+			},
+			basicAuth,
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Empty(t, c.Errors)
+		assert.Equal(t, "client-id", capturedInput.ClientID)
+		assert.Equal(t, "client-secret", capturedInput.ClientSecret)
+		assert.Equal(t, "input-refresh-token", capturedInput.RefreshToken)
+
+		require.Equal(t, http.StatusOK, recorder.Code)
+		var response dto.OidcTokenResponseDto
+		require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &response))
+		assert.Equal(t, "access-token", response.AccessToken)
+		assert.Equal(t, "Bearer", response.TokenType)
+		assert.Equal(t, "id-token", response.IdToken)
+		assert.Equal(t, "refresh-token", response.RefreshToken)
+		assert.Equal(t, 120, response.ExpiresIn)
+	})
+
+	t.Run("Maps Authorization Pending Error", func(t *testing.T) {
+		oc := &OidcController{
+			createTokens: func(context.Context, dto.OidcCreateTokensDto) (service.CreatedTokens, error) {
+				return service.CreatedTokens{}, &common.OidcAuthorizationPendingError{}
+			},
+		}
+
+		c, recorder := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type":    {service.GrantTypeRefreshToken},
+				"refresh_token": {"input-refresh-token"},
+			},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Empty(t, c.Errors)
+		require.Equal(t, http.StatusBadRequest, recorder.Code)
+		var response map[string]string
+		require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &response))
+		assert.Equal(t, "authorization_pending", response["error"])
+	})
+
+	t.Run("Maps Slow Down Error", func(t *testing.T) {
+		oc := &OidcController{
+			createTokens: func(context.Context, dto.OidcCreateTokensDto) (service.CreatedTokens, error) {
+				return service.CreatedTokens{}, &common.OidcSlowDownError{}
+			},
+		}
+
+		c, recorder := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type":    {service.GrantTypeRefreshToken},
+				"refresh_token": {"input-refresh-token"},
+			},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Empty(t, c.Errors)
+		require.Equal(t, http.StatusBadRequest, recorder.Code)
+		var response map[string]string
+		require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &response))
+		assert.Equal(t, "slow_down", response["error"])
+	})
+
+	t.Run("Returns Generic Service Error In Context", func(t *testing.T) {
+		expectedErr := errors.New("boom")
+		oc := &OidcController{
+			createTokens: func(context.Context, dto.OidcCreateTokensDto) (service.CreatedTokens, error) {
+				return service.CreatedTokens{}, expectedErr
+			},
+		}
+
+		c, _ := createTestContext(
+			t,
+			"http://example.com/oidc/token",
+			url.Values{
+				"grant_type":    {service.GrantTypeRefreshToken},
+				"refresh_token": {"input-refresh-token"},
+			},
+			"",
+			false,
+		)
+
+		oc.createTokensHandler(c)
+
+		require.Len(t, c.Errors, 1)
+		assert.ErrorIs(t, c.Errors[0].Err, expectedErr)
+	})
+}

backend/internal/controller/user_controller.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 
 	"github.com/gin-gonic/gin"
@@ -14,19 +15,18 @@ import (
 	"golang.org/x/time/rate"
 )
 
-const (
-	defaultOneTimeAccessTokenDuration = 15 * time.Minute
-	defaultSignupTokenDuration        = time.Hour
-)
+const defaultOneTimeAccessTokenDuration = 15 * time.Minute
 
 // NewUserController creates a new controller for user management endpoints
 // @Summary User management controller
 // @Description Initializes all user-related API endpoints
 // @Tags Users
-func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, oneTimeAccessService *service.OneTimeAccessService, webAuthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
 	uc := UserController{
-		userService:      userService,
-		appConfigService: appConfigService,
+		userService:          userService,
+		oneTimeAccessService: oneTimeAccessService,
+		webAuthnService:      webAuthnService,
+		appConfigService:     appConfigService,
 	}
 
 	group.GET("/users", authMiddleware.Add(), uc.listUsersHandler)
@@ -35,8 +35,10 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
 	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
 	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.GET("/users/:id/webauthn-credentials", authMiddleware.Add(), uc.listUserWebauthnCredentialsHandler)
 	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
 	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)
+	group.DELETE("/users/:id/webauthn-credentials/:credentialId", authMiddleware.Add(), uc.deleteUserWebauthnCredentialHandler)
 
 	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)
 
@@ -54,17 +56,15 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
 	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
 
-	group.POST("/signup-tokens", authMiddleware.Add(), uc.createSignupTokenHandler)
-	group.GET("/signup-tokens", authMiddleware.Add(), uc.listSignupTokensHandler)
-	group.DELETE("/signup-tokens/:id", authMiddleware.Add(), uc.deleteSignupTokenHandler)
-	group.POST("/signup", rateLimitMiddleware.Add(rate.Every(1*time.Minute), 10), uc.signupHandler)
-	group.POST("/signup/setup", uc.signUpInitialAdmin)
-
+	group.POST("/users/me/send-email-verification", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), authMiddleware.WithAdminNotRequired().Add(), uc.sendEmailVerificationHandler)
+	group.POST("/users/me/verify-email", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), authMiddleware.WithAdminNotRequired().Add(), uc.verifyEmailHandler)
 }
 
 type UserController struct {
-	userService      *service.UserService
-	appConfigService *service.AppConfigService
+	userService          *service.UserService
+	oneTimeAccessService *service.OneTimeAccessService
+	webAuthnService      *service.WebAuthnService
+	appConfigService     *service.AppConfigService
 }
 
 // getUserGroupsHandler godoc
@@ -91,6 +91,36 @@ func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, groupsDto)
 }
 
+// listUserWebauthnCredentialsHandler godoc
+// @Summary List user passkeys
+// @Description Retrieve all WebAuthn credentials for a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.WebauthnCredentialDto
+// @Router /api/users/{id}/webauthn-credentials [get]
+func (uc *UserController) listUserWebauthnCredentialsHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if _, err := uc.userService.GetUser(c.Request.Context(), userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	credentials, err := uc.webAuthnService.ListCredentials(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var credentialDtos []dto.WebauthnCredentialDto
+	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentialDtos)
+}
+
 // listUsersHandler godoc
 // @Summary List users
 // @Description Get a paginated list of users with optional search and sorting
@@ -185,6 +215,31 @@ func (uc *UserController) deleteUserHandler(c *gin.Context) {
 	c.Status(http.StatusNoContent)
 }
 
+// deleteUserWebauthnCredentialHandler godoc
+// @Summary Delete user passkey
+// @Description Delete a specific WebAuthn credential for a user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param credentialId path string true "Credential ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/webauthn-credentials/{credentialId} [delete]
+func (uc *UserController) deleteUserWebauthnCredentialHandler(c *gin.Context) {
+	err := uc.webAuthnService.DeleteCredential(
+		c.Request.Context(),
+		c.Param("id"),
+		c.Param("credentialId"),
+		c.ClientIP(),
+		c.Request.UserAgent(),
+		c.GetString("userID"),
+	)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
 // createUserHandler godoc
 // @Summary Create user
 // @Description Create a new user
@@ -327,22 +382,34 @@ func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context)
 
 func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
 	var input dto.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 
-	var ttl time.Duration
+	var (
+		userID string
+		ttl    time.Duration
+	)
 	if own {
-		input.UserID = c.GetString("userID")
+		// Get user ID from context and force the default TTL
+		userID = c.GetString("userID")
 		ttl = defaultOneTimeAccessTokenDuration
 	} else {
+		// Get user ID from URL parameter, and optional TTL from body
+		userID = c.Param("id")
 		ttl = input.TTL.Duration
 		if ttl <= 0 {
 			ttl = defaultOneTimeAccessTokenDuration
 		}
 	}
-	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, ttl)
+	if userID == "" {
+		_ = c.Error(&common.UserIdNotProvidedError{})
+		return
+	}
+
+	token, err := uc.oneTimeAccessService.CreateOneTimeAccessToken(c.Request.Context(), userID, ttl)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -391,7 +458,7 @@ func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(
 		return
 	}
 
-	deviceToken, err := uc.userService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
+	deviceToken, err := uc.oneTimeAccessService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -424,7 +491,7 @@ func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context
 	if ttl <= 0 {
 		ttl = defaultOneTimeAccessTokenDuration
 	}
-	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, ttl)
+	err := uc.oneTimeAccessService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, ttl)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -442,41 +509,7 @@ func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context
 // @Router /api/one-time-access-token/{token} [post]
 func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 	deviceToken, _ := c.Cookie(cookie.DeviceTokenCookieName)
-	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), deviceToken, c.ClientIP(), c.Request.UserAgent())
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	var userDto dto.UserDto
-	if err := dto.MapStruct(user, &userDto); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
-	cookie.AddAccessTokenCookie(c, maxAge, token)
-
-	c.JSON(http.StatusOK, userDto)
-}
-
-// signUpInitialAdmin godoc
-// @Summary Sign up initial admin user
-// @Description Sign up and generate setup access token for initial admin user
-// @Tags Users
-// @Accept json
-// @Produce json
-// @Param body body dto.SignUpDto true "User information"
-// @Success 200 {object} dto.UserDto
-// @Router /api/signup/setup [post]
-func (uc *UserController) signUpInitialAdmin(c *gin.Context) {
-	var input dto.SignUpDto
-	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	user, token, err := uc.userService.SignUpInitialAdmin(c.Request.Context(), input)
+	user, token, err := uc.oneTimeAccessService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), deviceToken, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -524,130 +557,6 @@ func (uc *UserController) updateUserGroups(c *gin.Context) {
 	c.JSON(http.StatusOK, userDto)
 }
 
-// createSignupTokenHandler godoc
-// @Summary Create signup token
-// @Description Create a new signup token that allows user registration
-// @Tags Users
-// @Accept json
-// @Produce json
-// @Param token body dto.SignupTokenCreateDto true "Signup token information"
-// @Success 201 {object} dto.SignupTokenDto
-// @Router /api/signup-tokens [post]
-func (uc *UserController) createSignupTokenHandler(c *gin.Context) {
-	var input dto.SignupTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	ttl := input.TTL.Duration
-	if ttl <= 0 {
-		ttl = defaultSignupTokenDuration
-	}
-
-	signupToken, err := uc.userService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit, input.UserGroupIDs)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	var tokenDto dto.SignupTokenDto
-	err = dto.MapStruct(signupToken, &tokenDto)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	c.JSON(http.StatusCreated, tokenDto)
-}
-
-// listSignupTokensHandler godoc
-// @Summary List signup tokens
-// @Description Get a paginated list of signup tokens
-// @Tags Users
-// @Param pagination[page] query int false "Page number for pagination" default(1)
-// @Param pagination[limit] query int false "Number of items per page" default(20)
-// @Param sort[column] query string false "Column to sort by"
-// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
-// @Success 200 {object} dto.Paginated[dto.SignupTokenDto]
-// @Router /api/signup-tokens [get]
-func (uc *UserController) listSignupTokensHandler(c *gin.Context) {
-	listRequestOptions := utils.ParseListRequestOptions(c)
-
-	tokens, pagination, err := uc.userService.ListSignupTokens(c.Request.Context(), listRequestOptions)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	var tokensDto []dto.SignupTokenDto
-	if err := dto.MapStructList(tokens, &tokensDto); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	c.JSON(http.StatusOK, dto.Paginated[dto.SignupTokenDto]{
-		Data:       tokensDto,
-		Pagination: pagination,
-	})
-}
-
-// deleteSignupTokenHandler godoc
-// @Summary Delete signup token
-// @Description Delete a signup token by ID
-// @Tags Users
-// @Param id path string true "Token ID"
-// @Success 204 "No Content"
-// @Router /api/signup-tokens/{id} [delete]
-func (uc *UserController) deleteSignupTokenHandler(c *gin.Context) {
-	tokenID := c.Param("id")
-
-	err := uc.userService.DeleteSignupToken(c.Request.Context(), tokenID)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	c.Status(http.StatusNoContent)
-}
-
-// signupWithTokenHandler godoc
-// @Summary Sign up
-// @Description Create a new user account
-// @Tags Users
-// @Accept json
-// @Produce json
-// @Param user body dto.SignUpDto true "User information"
-// @Success 201 {object} dto.SignUpDto
-// @Router /api/signup [post]
-func (uc *UserController) signupHandler(c *gin.Context) {
-	var input dto.SignUpDto
-	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	ipAddress := c.ClientIP()
-	userAgent := c.GetHeader("User-Agent")
-
-	user, accessToken, err := uc.userService.SignUp(c.Request.Context(), input, ipAddress, userAgent)
-	if err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
-	cookie.AddAccessTokenCookie(c, maxAge, accessToken)
-
-	var userDto dto.UserDto
-	if err := dto.MapStruct(user, &userDto); err != nil {
-		_ = c.Error(err)
-		return
-	}
-
-	c.JSON(http.StatusCreated, userDto)
-}
-
 // updateUser is an internal helper method, not exposed as an API endpoint
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 	var input dto.UserCreateDto
@@ -714,3 +623,44 @@ func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context)
 
 	c.Status(http.StatusNoContent)
 }
+
+// sendEmailVerificationHandler godoc
+// @Summary Send email verification
+// @Description Send an email verification to the currently authenticated user
+// @Tags Users
+// @Produce json
+// @Success 204 "No Content"
+// @Router /api/users/me/send-email-verification [post]
+func (uc *UserController) sendEmailVerificationHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	if err := uc.userService.SendEmailVerification(c.Request.Context(), userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// verifyEmailHandler godoc
+// @Summary Verify email
+// @Description Verify the currently authenticated user's email using a verification token
+// @Tags Users
+// @Param body body dto.EmailVerificationDto true "Email verification token"
+// @Success 204 "No Content"
+// @Router /api/users/me/verify-email [post]
+func (uc *UserController) verifyEmailHandler(c *gin.Context) {
+	var input dto.EmailVerificationDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userID := c.GetString("userID")
+	if err := uc.userService.VerifyEmail(c.Request.Context(), userID, input.Token); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}

backend/internal/controller/user_signup_controller.go

@@ -0,0 +1,215 @@
+package controller
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
+)
+
+const defaultSignupTokenDuration = time.Hour
+
+// NewUserSignupController creates a new controller for user signup and signup token management
+// @Summary User signup and signup token management controller
+// @Description Initializes all user signup-related API endpoints
+// @Tags Users
+func NewUserSignupController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userSignUpService *service.UserSignUpService, appConfigService *service.AppConfigService) {
+	usc := UserSignupController{
+		userSignUpService: userSignUpService,
+		appConfigService:  appConfigService,
+	}
+
+	group.POST("/signup-tokens", authMiddleware.Add(), usc.createSignupTokenHandler)
+	group.GET("/signup-tokens", authMiddleware.Add(), usc.listSignupTokensHandler)
+	group.DELETE("/signup-tokens/:id", authMiddleware.Add(), usc.deleteSignupTokenHandler)
+	group.POST("/signup", rateLimitMiddleware.Add(rate.Every(1*time.Minute), 10), usc.signupHandler)
+	group.GET("/signup/setup", usc.checkInitialAdminSetupAvailable)
+	group.POST("/signup/setup", usc.signUpInitialAdmin)
+
+}
+
+type UserSignupController struct {
+	userSignUpService *service.UserSignUpService
+	appConfigService  *service.AppConfigService
+}
+
+func (usc *UserSignupController) checkInitialAdminSetupAvailable(c *gin.Context) {
+	setupCompleted, err := usc.userSignUpService.IsInitialAdminSetupCompleted(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if setupCompleted {
+		_ = c.Error(&common.SetupNotAvailableError{})
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// signUpInitialAdmin godoc
+// @Summary Sign up initial admin user
+// @Description Sign up and generate setup access token for initial admin user
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param body body dto.SignUpDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/signup/setup [post]
+func (usc *UserSignupController) signUpInitialAdmin(c *gin.Context) {
+	var input dto.SignUpDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	user, token, err := usc.userSignUpService.SignUpInitialAdmin(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	maxAge := int(usc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// createSignupTokenHandler godoc
+// @Summary Create signup token
+// @Description Create a new signup token that allows user registration
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param token body dto.SignupTokenCreateDto true "Signup token information"
+// @Success 201 {object} dto.SignupTokenDto
+// @Router /api/signup-tokens [post]
+func (usc *UserSignupController) createSignupTokenHandler(c *gin.Context) {
+	var input dto.SignupTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	ttl := input.TTL.Duration
+	if ttl <= 0 {
+		ttl = defaultSignupTokenDuration
+	}
+
+	signupToken, err := usc.userSignUpService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit, input.UserGroupIDs)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var tokenDto dto.SignupTokenDto
+	err = dto.MapStruct(signupToken, &tokenDto)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, tokenDto)
+}
+
+// listSignupTokensHandler godoc
+// @Summary List signup tokens
+// @Description Get a paginated list of signup tokens
+// @Tags Users
+// @Param pagination[page] query int false "Page number for pagination" default(1)
+// @Param pagination[limit] query int false "Number of items per page" default(20)
+// @Param sort[column] query string false "Column to sort by"
+// @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.SignupTokenDto]
+// @Router /api/signup-tokens [get]
+func (usc *UserSignupController) listSignupTokensHandler(c *gin.Context) {
+	listRequestOptions := utils.ParseListRequestOptions(c)
+
+	tokens, pagination, err := usc.userSignUpService.ListSignupTokens(c.Request.Context(), listRequestOptions)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var tokensDto []dto.SignupTokenDto
+	if err := dto.MapStructList(tokens, &tokensDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.SignupTokenDto]{
+		Data:       tokensDto,
+		Pagination: pagination,
+	})
+}
+
+// deleteSignupTokenHandler godoc
+// @Summary Delete signup token
+// @Description Delete a signup token by ID
+// @Tags Users
+// @Param id path string true "Token ID"
+// @Success 204 "No Content"
+// @Router /api/signup-tokens/{id} [delete]
+func (usc *UserSignupController) deleteSignupTokenHandler(c *gin.Context) {
+	tokenID := c.Param("id")
+
+	err := usc.userSignUpService.DeleteSignupToken(c.Request.Context(), tokenID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// signupWithTokenHandler godoc
+// @Summary Sign up
+// @Description Create a new user account
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param user body dto.SignUpDto true "User information"
+// @Success 201 {object} dto.SignUpDto
+// @Router /api/signup [post]
+func (usc *UserSignupController) signupHandler(c *gin.Context) {
+	var input dto.SignUpDto
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	ipAddress := c.ClientIP()
+	userAgent := c.GetHeader("User-Agent")
+
+	user, accessToken, err := usc.userSignUpService.SignUp(c.Request.Context(), input, ipAddress, userAgent)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	maxAge := int(usc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, accessToken)
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, userDto)
+}

backend/internal/controller/version_controller.go

@@ -5,14 +5,17 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 // NewVersionController registers version-related routes.
-func NewVersionController(group *gin.RouterGroup, versionService *service.VersionService) {
+func NewVersionController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, versionService *service.VersionService) {
 	vc := &VersionController{versionService: versionService}
 	group.GET("/version/latest", vc.getLatestVersionHandler)
+	group.GET("/version/current", authMiddleware.WithAdminNotRequired().Add(), vc.getCurrentVersionHandler)
 }
 
 type VersionController struct {
@@ -38,3 +41,16 @@ func (vc *VersionController) getLatestVersionHandler(c *gin.Context) {
 		"latestVersion": tag,
 	})
 }
+
+// getCurrentVersionHandler godoc
+// @Summary Get current deployed version of Pocket ID
+// @Tags Version
+// @Produce json
+// @Success 200 {object} map[string]string "Current version information"
+// @Router /api/version/current [get]
+func (vc *VersionController) getCurrentVersionHandler(c *gin.Context) {
+
+	c.JSON(http.StatusOK, gin.H{
+		"currentVersion": common.Version,
+	})
+}

backend/internal/controller/webauthn_controller.go

@@ -137,7 +137,7 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	clientIP := c.ClientIP()
 	userAgent := c.Request.UserAgent()
 
-	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID, clientIP, userAgent, userID)
 	if err != nil {
 		_ = c.Error(err)
 		return

backend/internal/controller/well_known_controller.go

@@ -91,6 +91,8 @@ func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 		"id_token_signing_alg_values_supported":          []string{alg.String()},
 		"authorization_response_iss_parameter_supported": true,
 		"code_challenge_methods_supported":               []string{"plain", "S256"},
+		"prompt_values_supported":                        []string{"none", "login", "consent", "select_account"},
+		"token_endpoint_auth_methods_supported":          []string{"client_secret_basic", "client_secret_post", "none"},
 	}
 	return json.Marshal(config)
 }

backend/internal/dto/api_key_dto.go

@@ -10,6 +10,10 @@ type ApiKeyCreateDto struct {
 	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
 }
 
+type ApiKeyRenewDto struct {
+	ExpiresAt datatype.DateTime `json:"expiresAt" binding:"required"`
+}
+
 type ApiKeyDto struct {
 	ID                  string             `json:"id"`
 	Name                string             `json:"name"`

backend/internal/dto/app_config_dto.go

@@ -14,6 +14,7 @@ type AppConfigVariableDto struct {
 type AppConfigUpdateDto struct {
 	AppName                                    string `json:"appName" binding:"required,min=1,max=30" unorm:"nfc"`
 	SessionDuration                            string `json:"sessionDuration" binding:"required"`
+	HomePageURL                                string `json:"homePageUrl" binding:"required"`
 	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
 	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
 	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
@@ -53,4 +54,5 @@ type AppConfigUpdateDto struct {
 	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
 	EmailLoginNotificationEnabled              string `json:"emailLoginNotificationEnabled" binding:"required"`
 	EmailApiKeyExpirationEnabled               string `json:"emailApiKeyExpirationEnabled" binding:"required"`
+	EmailVerificationEnabled                   string `json:"emailVerificationEnabled" binding:"required"`
 }

backend/internal/dto/audit_log_dto.go

@@ -8,12 +8,13 @@ type AuditLogDto struct {
 	ID        string            `json:"id"`
 	CreatedAt datatype.DateTime `json:"createdAt"`
 
-	Event     string            `json:"event"`
-	IpAddress string            `json:"ipAddress"`
-	Country   string            `json:"country"`
-	City      string            `json:"city"`
-	Device    string            `json:"device"`
-	UserID    string            `json:"userID"`
-	Username  string            `json:"username"`
-	Data      map[string]string `json:"data"`
+	Event         string            `json:"event"`
+	IpAddress     string            `json:"ipAddress"`
+	Country       string            `json:"country"`
+	City          string            `json:"city"`
+	Device        string            `json:"device"`
+	UserID        string            `json:"userID"`
+	Username      string            `json:"username"`
+	ActorUsername string            `json:"actorUsername"`
+	Data          map[string]string `json:"data"`
 }

backend/internal/dto/dto_mapper_test.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 type sourceStruct struct {
@@ -60,11 +59,11 @@ type embeddedStruct struct {
 func TestMapStruct(t *testing.T) {
 	src := sourceStruct{
 		AString:            "abcd",
-		AStringPtr:         utils.Ptr("xyz"),
+		AStringPtr:         new("xyz"),
 		ABool:              true,
-		ABoolPtr:           utils.Ptr(false),
+		ABoolPtr:           new(false),
 		ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
-		ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+		ACustomDateTimePtr: new(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 		ANilStringPtr:      nil,
 		ASlice:             []string{"a", "b", "c"},
 		AMap: map[string]int{
@@ -80,8 +79,8 @@ func TestMapStruct(t *testing.T) {
 			Bar: 111,
 		},
 
-		StringPtrToString:      utils.Ptr("foobar"),
-		EmptyStringPtrToString: utils.Ptr(""),
+		StringPtrToString:      new("foobar"),
+		EmptyStringPtrToString: new(""),
 		NilStringPtrToString:   nil,
 		IntToInt64:             99,
 		AuditLogEventToString:  model.AuditLogEventAccountCreated,
@@ -118,11 +117,11 @@ func TestMapStructList(t *testing.T) {
 	sources := []sourceStruct{
 		{
 			AString:            "first",
-			AStringPtr:         utils.Ptr("one"),
+			AStringPtr:         new("one"),
 			ABool:              true,
-			ABoolPtr:           utils.Ptr(false),
+			ABoolPtr:           new(false),
 			ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
-			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
+			ACustomDateTimePtr: new(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 			ASlice:             []string{"a", "b"},
 			AMap: map[string]int{
 				"a": 1,
@@ -136,11 +135,11 @@ func TestMapStructList(t *testing.T) {
 		},
 		{
 			AString:            "second",
-			AStringPtr:         utils.Ptr("two"),
+			AStringPtr:         new("two"),
 			ABool:              false,
-			ABoolPtr:           utils.Ptr(true),
+			ABoolPtr:           new(true),
 			ACustomDateTime:    datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)),
-			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
+			ACustomDateTimePtr: new(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
 			ASlice:             []string{"c", "d", "e"},
 			AMap: map[string]int{
 				"c": 3,

backend/internal/dto/dto_normalize.go

@@ -12,7 +12,7 @@ import (
 // Normalize iterates through an object and performs Unicode normalization on all string fields with the `unorm` tag.
 func Normalize(obj any) {
 	v := reflect.ValueOf(obj)
-	if v.Kind() != reflect.Ptr || v.IsNil() {
+	if v.Kind() != reflect.Pointer || v.IsNil() {
 		return
 	}
 	v = v.Elem()
@@ -21,7 +21,7 @@ func Normalize(obj any) {
 	if v.Kind() == reflect.Slice {
 		for i := 0; i < v.Len(); i++ {
 			elem := v.Index(i)
-			if elem.Kind() == reflect.Ptr && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
+			if elem.Kind() == reflect.Pointer && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
 				Normalize(elem.Interface())
 			} else if elem.Kind() == reflect.Struct && elem.CanAddr() {
 				Normalize(elem.Addr().Interface())

backend/internal/dto/oidc_dto.go

@@ -33,8 +33,8 @@ type OidcClientWithAllowedGroupsCountDto struct {
 
 type OidcClientUpdateDto struct {
 	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
-	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url"`
-	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url"`
+	CallbackURLs             []string                 `json:"callbackURLs" binding:"omitempty,dive,callback_url_pattern"`
+	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs" binding:"omitempty,dive,callback_url_pattern"`
 	IsPublic                 bool                     `json:"isPublic"`
 	PkceEnabled              bool                     `json:"pkceEnabled"`
 	RequiresReauthentication bool                     `json:"requiresReauthentication"`
@@ -66,11 +66,13 @@ type OidcClientFederatedIdentityDto struct {
 type AuthorizeOidcClientRequestDto struct {
 	ClientID              string `json:"clientID" binding:"required"`
 	Scope                 string `json:"scope" binding:"required"`
-	CallbackURL           string `json:"callbackURL"`
+	CallbackURL           string `json:"callbackURL" binding:"omitempty,callback_url"`
 	Nonce                 string `json:"nonce"`
 	CodeChallenge         string `json:"codeChallenge"`
 	CodeChallengeMethod   string `json:"codeChallengeMethod"`
 	ReauthenticationToken string `json:"reauthenticationToken"`
+	Prompt                string `json:"prompt"`
+	ResponseMode          string `json:"responseMode" binding:"omitempty,response_mode"`
 }
 
 type AuthorizeOidcClientResponseDto struct {
@@ -98,7 +100,8 @@ type OidcCreateTokensDto struct {
 }
 
 type OidcIntrospectDto struct {
-	Token string `form:"token" binding:"required"`
+	Token    string `form:"token" binding:"required"`
+	ClientID string `form:"client_id"`
 }
 
 type OidcUpdateAllowedUserGroupsDto struct {
@@ -139,6 +142,7 @@ type OidcDeviceAuthorizationRequestDto struct {
 	ClientSecret        string `form:"client_secret"`
 	ClientAssertion     string `form:"client_assertion"`
 	ClientAssertionType string `form:"client_assertion_type"`
+	Nonce               string `form:"nonce"`
 }
 
 type OidcDeviceAuthorizationResponseDto struct {

backend/internal/dto/one_time_access_dto.go

@@ -0,0 +1,16 @@
+package dto
+
+import "github.com/pocket-id/pocket-id/backend/internal/utils"
+
+type OneTimeAccessTokenCreateDto struct {
+	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
+}
+
+type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
+	Email        string `json:"email" binding:"required,email" unorm:"nfc"`
+	RedirectPath string `json:"redirectPath"`
+}
+
+type OneTimeAccessEmailAsAdminDto struct {
+	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
+}

backend/internal/dto/scim_dto.go

@@ -67,7 +67,7 @@ type ScimResourceData struct {
 type ScimResourceMeta struct {
 	Location     string    `json:"location,omitempty"`
 	ResourceType string    `json:"resourceType,omitempty"`
-	Created      time.Time `json:"created,omitempty"`
+	Created      time.Time `json:"created"`
 	LastModified time.Time `json:"lastModified,omitempty"`
 	Version      string    `json:"version,omitempty"`
 }

backend/internal/dto/signup_dto.go

@@ -0,0 +1,9 @@
+package dto
+
+type SignUpDto struct {
+	Username  string  `json:"username" binding:"required,username,min=1,max=50" unorm:"nfc"`
+	Email     *string `json:"email" binding:"omitempty,email" unorm:"nfc"`
+	FirstName string  `json:"firstName" binding:"max=50" unorm:"nfc"`
+	LastName  string  `json:"lastName" binding:"max=50" unorm:"nfc"`
+	Token     string  `json:"token"`
+}

backend/internal/dto/user_dto.go

@@ -4,35 +4,36 @@ import (
 	"errors"
 
 	"github.com/gin-gonic/gin/binding"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 
 type UserDto struct {
-	ID           string                `json:"id"`
-	Username     string                `json:"username"`
-	Email        *string               `json:"email" `
-	FirstName    string                `json:"firstName"`
-	LastName     *string               `json:"lastName"`
-	DisplayName  string                `json:"displayName"`
-	IsAdmin      bool                  `json:"isAdmin"`
-	Locale       *string               `json:"locale"`
-	CustomClaims []CustomClaimDto      `json:"customClaims"`
-	UserGroups   []UserGroupMinimalDto `json:"userGroups"`
-	LdapID       *string               `json:"ldapId"`
-	Disabled     bool                  `json:"disabled"`
+	ID            string                `json:"id"`
+	Username      string                `json:"username"`
+	Email         *string               `json:"email"`
+	EmailVerified bool                  `json:"emailVerified"`
+	FirstName     string                `json:"firstName"`
+	LastName      *string               `json:"lastName"`
+	DisplayName   string                `json:"displayName"`
+	IsAdmin       bool                  `json:"isAdmin"`
+	Locale        *string               `json:"locale"`
+	CustomClaims  []CustomClaimDto      `json:"customClaims"`
+	UserGroups    []UserGroupMinimalDto `json:"userGroups"`
+	LdapID        *string               `json:"ldapId"`
+	Disabled      bool                  `json:"disabled"`
 }
 
 type UserCreateDto struct {
-	Username     string   `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
-	Email        *string  `json:"email" binding:"omitempty,email" unorm:"nfc"`
-	FirstName    string   `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
-	LastName     string   `json:"lastName" binding:"max=50" unorm:"nfc"`
-	DisplayName  string   `json:"displayName" binding:"required,min=1,max=100" unorm:"nfc"`
-	IsAdmin      bool     `json:"isAdmin"`
-	Locale       *string  `json:"locale"`
-	Disabled     bool     `json:"disabled"`
-	UserGroupIds []string `json:"userGroupIds"`
-	LdapID       string   `json:"-"`
+	Username      string   `json:"username" binding:"required,username,min=1,max=50" unorm:"nfc"`
+	Email         *string  `json:"email" binding:"omitempty,email" unorm:"nfc"`
+	EmailVerified bool     `json:"emailVerified"`
+	FirstName     string   `json:"firstName" binding:"max=50" unorm:"nfc"`
+	LastName      string   `json:"lastName" binding:"max=50" unorm:"nfc"`
+	DisplayName   string   `json:"displayName" binding:"max=100" unorm:"nfc"`
+	IsAdmin       bool     `json:"isAdmin"`
+	Locale        *string  `json:"locale"`
+	Disabled      bool     `json:"disabled"`
+	UserGroupIds  []string `json:"userGroupIds"`
+	LdapID        string   `json:"-"`
 }
 
 func (u UserCreateDto) Validate() error {
@@ -46,28 +47,10 @@ func (u UserCreateDto) Validate() error {
 	return e.Struct(u)
 }
 
-type OneTimeAccessTokenCreateDto struct {
-	UserID string             `json:"userId"`
-	TTL    utils.JSONDuration `json:"ttl" binding:"ttl"`
-}
-
-type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
-	Email        string `json:"email" binding:"required,email" unorm:"nfc"`
-	RedirectPath string `json:"redirectPath"`
-}
-
-type OneTimeAccessEmailAsAdminDto struct {
-	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
+type EmailVerificationDto struct {
+	Token string `json:"token" binding:"required"`
 }
 
 type UserUpdateUserGroupDto struct {
 	UserGroupIds []string `json:"userGroupIds" binding:"required"`
 }
-
-type SignUpDto struct {
-	Username  string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
-	Email     *string `json:"email" binding:"omitempty,email" unorm:"nfc"`
-	FirstName string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
-	LastName  string  `json:"lastName" binding:"max=50" unorm:"nfc"`
-	Token     string  `json:"token"`
-}

backend/internal/dto/user_dto_test.go

@@ -3,7 +3,6 @@ package dto
 import (
 	"testing"
 
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/stretchr/testify/require"
 )
 
@@ -17,7 +16,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "valid input",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -27,27 +26,37 @@ func TestUserCreateDto_Validate(t *testing.T) {
 		{
 			name: "missing username",
 			input: UserCreateDto{
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
 			},
 			wantErr: "Field validation for 'Username' failed on the 'required' tag",
 		},
+		{
+			name: "missing first name",
+			input: UserCreateDto{
+				Username: "testuser",
+				Email:    new("test@example.com"),
+				LastName: "Doe",
+			},
+			wantErr: "",
+		},
 		{
 			name: "missing display name",
 			input: UserCreateDto{
-				Email:     utils.Ptr("test@example.com"),
+				Username:  "testuser",
+				Email:     new("test@example.com"),
 				FirstName: "John",
 				LastName:  "Doe",
 			},
-			wantErr: "Field validation for 'DisplayName' failed on the 'required' tag",
+			wantErr: "",
 		},
 		{
 			name: "username contains invalid characters",
 			input: UserCreateDto{
 				Username:    "test/ser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -58,7 +67,7 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "invalid email",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("not-an-email"),
+				Email:       new("not-an-email"),
 				FirstName:   "John",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
@@ -69,18 +78,18 @@ func TestUserCreateDto_Validate(t *testing.T) {
 			name: "first name too short",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "",
 				LastName:    "Doe",
 				DisplayName: "John Doe",
 			},
-			wantErr: "Field validation for 'FirstName' failed on the 'required' tag",
+			wantErr: "",
 		},
 		{
 			name: "last name too long",
 			input: UserCreateDto{
 				Username:    "testuser",
-				Email:       utils.Ptr("test@example.com"),
+				Email:       new("test@example.com"),
 				FirstName:   "John",
 				LastName:    "abcdfghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz",
 				DisplayName: "John Doe",

backend/internal/dto/validations.go

@@ -15,43 +15,47 @@ import (
 // [a-zA-Z0-9]      : The username must start with an alphanumeric character
 // [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
 // [a-zA-Z0-9]$     : The username must end with an alphanumeric character
-var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
+// (...)?           : This allows single-character usernames (just one alphanumeric character)
+var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9]([a-zA-Z0-9_.@-]*[a-zA-Z0-9])?$")
 
 var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
 
 func init() {
-	v := binding.Validator.Engine().(*validator.Validate)
+	engine := binding.Validator.Engine().(*validator.Validate)
 
 	// Maximum allowed value for TTLs
 	const maxTTL = 31 * 24 * time.Hour
 
-	if err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
-		return ValidateUsername(fl.Field().String())
-	}); err != nil {
-		panic("Failed to register custom validation for username: " + err.Error())
+	validators := map[string]validator.Func{
+		"username": func(fl validator.FieldLevel) bool {
+			return ValidateUsername(fl.Field().String())
+		},
+		"client_id": func(fl validator.FieldLevel) bool {
+			return ValidateClientID(fl.Field().String())
+		},
+		"ttl": func(fl validator.FieldLevel) bool {
+			ttl, ok := fl.Field().Interface().(utils.JSONDuration)
+			if !ok {
+				return false
+			}
+			// Allow zero, which means the field wasn't set
+			return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
+		},
+		"callback_url": func(fl validator.FieldLevel) bool {
+			return ValidateCallbackURL(fl.Field().String())
+		},
+		"callback_url_pattern": func(fl validator.FieldLevel) bool {
+			return ValidateCallbackURLPattern(fl.Field().String())
+		},
+		"response_mode": func(fl validator.FieldLevel) bool {
+			return ValidateResponseMode(fl.Field().String())
+		},
 	}
-
-	if err := v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
-		return ValidateClientID(fl.Field().String())
-	}); err != nil {
-		panic("Failed to register custom validation for client_id: " + err.Error())
-	}
-
-	if err := v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
-		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
-		if !ok {
-			return false
+	for k, v := range validators {
+		err := engine.RegisterValidation(k, v)
+		if err != nil {
+			panic("Failed to register custom validation for " + k + ": " + err.Error())
 		}
-		// Allow zero, which means the field wasn't set
-		return ttl.Duration == 0 || (ttl.Duration > time.Second && ttl.Duration <= maxTTL)
-	}); err != nil {
-		panic("Failed to register custom validation for ttl: " + err.Error())
-	}
-
-	if err := v.RegisterValidation("callback_url", func(fl validator.FieldLevel) bool {
-		return ValidateCallbackURL(fl.Field().String())
-	}); err != nil {
-		panic("Failed to register custom validation for callback_url: " + err.Error())
 	}
 }
 
@@ -65,21 +69,38 @@ func ValidateClientID(clientID string) bool {
 	return validateClientIDRegex.MatchString(clientID)
 }
 
-// ValidateCallbackURL validates callback URLs with support for wildcards
-func ValidateCallbackURL(raw string) bool {
-	// Don't validate if it contains a wildcard
-	if strings.Contains(raw, "*") {
-		return true
-	}
-
-	u, err := url.Parse(raw)
+// ValidateCallbackURL validates the input callback URL
+func ValidateCallbackURL(str string) bool {
+	// Ensure the URL is a valid one and that the protocol is not "javascript:" or "data:"
+	u, err := url.Parse(str)
 	if err != nil {
 		return false
 	}
 
-	if !u.IsAbs() {
+	switch strings.ToLower(u.Scheme) {
+	case "javascript", "data":
+		return false
+	default:
+		return true
+	}
+}
+
+// ValidateCallbackURLPattern validates callback URL patterns, with support for wildcards
+func ValidateCallbackURLPattern(raw string) bool {
+	err := utils.ValidateCallbackURLPattern(raw)
+	return err == nil
+}
+
+// ValidateResponseMode validates response_mode parameter
+// If responseMode is present, it must be "form_post" or "query"
+// Empty responseMode is allowed (field not provided, use default)
+func ValidateResponseMode(responseMode string) bool {
+	switch responseMode {
+	case "form_post", "query":
+		return true
+	case "":
+		return true
+	default:
 		return false
 	}
-
-	return true
 }

backend/internal/dto/validations_test.go

@@ -20,6 +20,7 @@ func TestValidateUsername(t *testing.T) {
 		{"starts with symbol", ".username", false},
 		{"ends with non-alphanumeric", "username-", false},
 		{"contains space", "user name", false},
+		{"valid single char", "a", true},
 		{"empty", "", false},
 		{"only special chars", "-._@", false},
 		{"valid long", "a1234567890_b.c-d@e", true},
@@ -56,3 +57,47 @@ func TestValidateClientID(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateResponseMode(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid form_post", "form_post", true},
+		{"valid query", "query", true},
+		{"valid empty", "", true},
+		{"invalid fragment", "fragment", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateResponseMode(tt.input))
+		})
+	}
+}
+
+func TestValidateCallbackURL(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"valid https URL", "https://example.com/callback", true},
+		{"valid loopback URL", "http://127.0.0.1:49813/callback", true},
+		{"empty scheme", "//127.0.0.1:49813/callback", true},
+		{"valid custom scheme", "pocketid://callback", true},
+		{"invalid malformed URL", "http://[::1", false},
+		{"invalid missing scheme separator", "://example.com/callback", false},
+		{"rejects javascript scheme", "javascript:alert(1)", false},
+		{"rejects mixed case javascript scheme", "JavaScript:alert(1)", false},
+		{"rejects data scheme", "data:text/html;base64,PGgxPkhlbGxvPC9oMT4=", false},
+		{"rejects mixed case data scheme", "DaTa:text/html;base64,PGgxPkhlbGxvPC9oMT4=", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, ValidateCallbackURL(tt.input))
+		})
+	}
+}

backend/internal/dto/webauthn_dto.go

@@ -10,7 +10,7 @@ type WebauthnCredentialDto struct {
 	Name            string                            `json:"name"`
 	CredentialID    string                            `json:"credentialID"`
 	AttestationType string                            `json:"attestationType"`
-	Transport       []protocol.AuthenticatorTransport `json:"transport"`
+	Transport       []protocol.AuthenticatorTransport `json:"transport" swaggertype:"array,string"`
 
 	BackupEligible bool `json:"backupEligible"`
 	BackupState    bool `json:"backupState"`

backend/internal/job/analytics_job.go

@@ -28,7 +28,7 @@ func (s *Scheduler) RegisterAnalyticsJob(ctx context.Context, appConfig *service
 		appConfig:  appConfig,
 		httpClient: httpClient,
 	}
-	return s.registerJob(ctx, "SendHeartbeat", gocron.DurationJob(24*time.Hour), jobs.sendHeartbeat, true)
+	return s.RegisterJob(ctx, "SendHeartbeat", gocron.DurationJob(24*time.Hour), jobs.sendHeartbeat, service.RegisterJobOpts{RunImmediately: true})
 }
 
 type AnalyticsJob struct {

backend/internal/job/api_key_expiry_job.go

@@ -22,7 +22,7 @@ func (s *Scheduler) RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *
 	}
 
 	// Send every day at midnight
-	return s.registerJob(ctx, "ExpiredApiKeyEmailJob", gocron.CronJob("0 0 * * *", false), jobs.checkAndNotifyExpiringApiKeys, false)
+	return s.RegisterJob(ctx, "ExpiredApiKeyEmailJob", gocron.CronJob("0 0 * * *", false), jobs.checkAndNotifyExpiringApiKeys, service.RegisterJobOpts{})
 }
 
 func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
@@ -42,7 +42,11 @@ func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) err
 		}
 		err = j.apiKeyService.SendApiKeyExpiringSoonEmail(ctx, key)
 		if err != nil {
-			slog.ErrorContext(ctx, "Failed to send expiring API key notification email", slog.String("key", key.ID), slog.Any("error", err))
+			slog.ErrorContext(ctx, "Failed to send expiring API key notification email",
+				slog.String("key", key.ID),
+				slog.String("user", key.User.ID),
+				slog.Any("error", err),
+			)
 		}
 	}
 	return nil

backend/internal/job/db_cleanup_job.go

@@ -7,27 +7,37 @@ import (
 	"log/slog"
 	"time"
 
-	"github.com/go-co-op/gocron/v2"
+	backoff "github.com/cenkalti/backoff/v5"
 	"gorm.io/gorm"
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 func (s *Scheduler) RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) error {
 	jobs := &DbCleanupJobs{db: db}
 
-	// Run every 24 hours (but with some jitter so they don't run at the exact same time), and now
-	def := gocron.DurationRandomJob(24*time.Hour-2*time.Minute, 24*time.Hour+2*time.Minute)
+	newBackOff := func() *backoff.ExponentialBackOff {
+		bo := backoff.NewExponentialBackOff()
+		bo.Multiplier = 4
+		bo.RandomizationFactor = 0.1
+		bo.InitialInterval = time.Second
+		bo.MaxInterval = 45 * time.Second
+		return bo
+	}
+
+	// Use exponential backoff for each DB cleanup job so transient query failures are retried automatically rather than causing an immediate job failure
 	return errors.Join(
-		s.registerJob(ctx, "ClearWebauthnSessions", def, jobs.clearWebauthnSessions, true),
-		s.registerJob(ctx, "ClearOneTimeAccessTokens", def, jobs.clearOneTimeAccessTokens, true),
-		s.registerJob(ctx, "ClearSignupTokens", def, jobs.clearSignupTokens, true),
-		s.registerJob(ctx, "ClearOidcAuthorizationCodes", def, jobs.clearOidcAuthorizationCodes, true),
-		s.registerJob(ctx, "ClearOidcRefreshTokens", def, jobs.clearOidcRefreshTokens, true),
-		s.registerJob(ctx, "ClearReauthenticationTokens", def, jobs.clearReauthenticationTokens, true),
-		s.registerJob(ctx, "ClearAuditLogs", def, jobs.clearAuditLogs, true),
+		s.RegisterJob(ctx, "ClearWebauthnSessions", jobDefWithJitter(24*time.Hour), jobs.clearWebauthnSessions, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearOneTimeAccessTokens", jobDefWithJitter(24*time.Hour), jobs.clearOneTimeAccessTokens, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearSignupTokens", jobDefWithJitter(24*time.Hour), jobs.clearSignupTokens, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearEmailVerificationTokens", jobDefWithJitter(24*time.Hour), jobs.clearEmailVerificationTokens, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearOidcAuthorizationCodes", jobDefWithJitter(24*time.Hour), jobs.clearOidcAuthorizationCodes, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearOidcRefreshTokens", jobDefWithJitter(24*time.Hour), jobs.clearOidcRefreshTokens, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearReauthenticationTokens", jobDefWithJitter(24*time.Hour), jobs.clearReauthenticationTokens, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
+		s.RegisterJob(ctx, "ClearAuditLogs", jobDefWithJitter(24*time.Hour), jobs.clearAuditLogs, service.RegisterJobOpts{RunImmediately: true, BackOff: newBackOff()}),
 	)
 }
 
@@ -135,3 +145,16 @@ func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
 
 	return nil
 }
+
+// ClearEmailVerificationTokens deletes email verification tokens that have expired
+func (j *DbCleanupJobs) clearEmailVerificationTokens(ctx context.Context) error {
+	st := j.db.
+		WithContext(ctx).
+		Delete(&model.EmailVerificationToken{}, "expires_at < ?", datatype.DateTime(time.Now()))
+	if st.Error != nil {
+		return fmt.Errorf("failed to clean expired email verification tokens: %w", st.Error)
+	}
+
+	slog.InfoContext(ctx, "Cleaned expired email verification tokens", slog.Int64("count", st.RowsAffected))
+	return nil
+}

backend/internal/job/file_cleanup_job.go

@@ -13,20 +13,26 @@ import (
 	"gorm.io/gorm"
 
 	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/storage"
 )
 
 func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB, fileStorage storage.FileStorage) error {
 	jobs := &FileCleanupJobs{db: db, fileStorage: fileStorage}
 
-	err := s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", gocron.DurationJob(24*time.Hour), jobs.clearUnusedDefaultProfilePictures, false)
+	var errs []error
+	errs = append(errs,
+		s.RegisterJob(ctx, "ClearUnusedDefaultProfilePictures", gocron.DurationJob(24*time.Hour), jobs.clearUnusedDefaultProfilePictures, service.RegisterJobOpts{}),
+	)
 
 	// Only necessary for file system storage
 	if fileStorage.Type() == storage.TypeFileSystem {
-		err = errors.Join(err, s.registerJob(ctx, "ClearOrphanedTempFiles", gocron.DurationJob(12*time.Hour), jobs.clearOrphanedTempFiles, true))
+		errs = append(errs,
+			s.RegisterJob(ctx, "ClearOrphanedTempFiles", gocron.DurationJob(12*time.Hour), jobs.clearOrphanedTempFiles, service.RegisterJobOpts{RunImmediately: true}),
+		)
 	}
 
-	return err
+	return errors.Join(errs...)
 }
 
 type FileCleanupJobs struct {
@@ -68,7 +74,8 @@ func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context)
 		// If these initials aren't used by any user, delete the file
 		if _, ok := initialsInUse[initials]; !ok {
 			filePath := path.Join(defaultPicturesDir, filename)
-			if err := j.fileStorage.Delete(ctx, filePath); err != nil {
+			err = j.fileStorage.Delete(ctx, filePath)
+			if err != nil {
 				slog.ErrorContext(ctx, "Failed to delete unused default profile picture", slog.String("path", filePath), slog.Any("error", err))
 			} else {
 				filesDeleted++
@@ -95,8 +102,9 @@ func (j *FileCleanupJobs) clearOrphanedTempFiles(ctx context.Context) error {
 			return nil
 		}
 
-		if err := j.fileStorage.Delete(ctx, p.Path); err != nil {
-			slog.ErrorContext(ctx, "Failed to delete temp file", slog.String("path", p.Path), slog.Any("error", err))
+		rErr := j.fileStorage.Delete(ctx, p.Path)
+		if rErr != nil {
+			slog.ErrorContext(ctx, "Failed to delete temp file", slog.String("path", p.Path), slog.Any("error", rErr))
 			return nil
 		}
 		deleted++

backend/internal/job/geoloite_update_job.go

@@ -23,7 +23,7 @@ func (s *Scheduler) RegisterGeoLiteUpdateJobs(ctx context.Context, geoLiteServic
 	jobs := &GeoLiteUpdateJobs{geoLiteService: geoLiteService}
 
 	// Run every 24 hours (and right away)
-	return s.registerJob(ctx, "UpdateGeoLiteDB", gocron.DurationJob(24*time.Hour), jobs.updateGoeLiteDB, true)
+	return s.RegisterJob(ctx, "UpdateGeoLiteDB", gocron.DurationJob(24*time.Hour), jobs.updateGoeLiteDB, service.RegisterJobOpts{RunImmediately: true})
 }
 
 func (j *GeoLiteUpdateJobs) updateGoeLiteDB(ctx context.Context) error {

backend/internal/job/ldap_job.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"time"
 
-	"github.com/go-co-op/gocron/v2"
-
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
@@ -17,8 +15,8 @@ type LdapJobs struct {
 func (s *Scheduler) RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) error {
 	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
 
-	// Register the job to run every hour
-	return s.registerJob(ctx, "SyncLdap", gocron.DurationJob(time.Hour), jobs.syncLdap, true)
+	// Register the job to run every hour (with some jitter)
+	return s.RegisterJob(ctx, "SyncLdap", jobDefWithJitter(time.Hour), jobs.syncLdap, service.RegisterJobOpts{RunImmediately: true})
 }
 
 func (j *LdapJobs) syncLdap(ctx context.Context) error {

backend/internal/job/scheduler.go

@@ -2,11 +2,16 @@ package job
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
+	"time"
 
+	backoff "github.com/cenkalti/backoff/v5"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/google/uuid"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 
 type Scheduler struct {
@@ -24,6 +29,22 @@ func NewScheduler() (*Scheduler, error) {
 	}, nil
 }
 
+func (s *Scheduler) RemoveJob(name string) error {
+	jobs := s.scheduler.Jobs()
+
+	var errs []error
+	for _, job := range jobs {
+		if job.Name() == name {
+			err := s.scheduler.RemoveJob(job.ID())
+			if err != nil {
+				errs = append(errs, fmt.Errorf("failed to dequeue job %q with ID %q: %w", name, job.ID().String(), err))
+			}
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
 // Run the scheduler.
 // This function blocks until the context is canceled.
 func (s *Scheduler) Run(ctx context.Context) error {
@@ -43,9 +64,32 @@ func (s *Scheduler) Run(ctx context.Context) error {
 	return nil
 }
 
-func (s *Scheduler) registerJob(ctx context.Context, name string, def gocron.JobDefinition, job func(ctx context.Context) error, runImmediately bool) error {
+func (s *Scheduler) RegisterJob(ctx context.Context, name string, def gocron.JobDefinition, jobFn func(ctx context.Context) error, opts service.RegisterJobOpts) error {
+	// If a BackOff strategy is provided, wrap the job with retry logic
+	if opts.BackOff != nil {
+		origJob := jobFn
+		jobFn = func(ctx context.Context) error {
+			_, err := backoff.Retry(
+				ctx,
+				func() (struct{}, error) {
+					return struct{}{}, origJob(ctx)
+				},
+				backoff.WithBackOff(opts.BackOff),
+				backoff.WithNotify(func(err error, d time.Duration) {
+					slog.WarnContext(ctx, "Job failed, retrying",
+						slog.String("name", name),
+						slog.Any("error", err),
+						slog.Duration("retryIn", d),
+					)
+				}),
+			)
+			return err
+		}
+	}
+
 	jobOptions := []gocron.JobOption{
 		gocron.WithContext(ctx),
+		gocron.WithName(name),
 		gocron.WithEventListeners(
 			gocron.BeforeJobRuns(func(jobID uuid.UUID, jobName string) {
 				slog.Info("Starting job",
@@ -69,11 +113,13 @@ func (s *Scheduler) registerJob(ctx context.Context, name string, def gocron.Job
 		),
 	}
 
-	if runImmediately {
+	if opts.RunImmediately {
 		jobOptions = append(jobOptions, gocron.JobOption(gocron.WithStartImmediately()))
 	}
 
-	_, err := s.scheduler.NewJob(def, gocron.NewTask(job), jobOptions...)
+	jobOptions = append(jobOptions, opts.ExtraOptions...)
+
+	_, err := s.scheduler.NewJob(def, gocron.NewTask(jobFn), jobOptions...)
 
 	if err != nil {
 		return fmt.Errorf("failed to register job %q: %w", name, err)
@@ -81,3 +127,9 @@ func (s *Scheduler) registerJob(ctx context.Context, name string, def gocron.Job
 
 	return nil
 }
+
+func jobDefWithJitter(interval time.Duration) gocron.JobDefinition {
+	const jitter = 5 * time.Minute
+
+	return gocron.DurationRandomJob(interval-jitter, interval+jitter)
+}

backend/internal/job/scim_job.go

@@ -0,0 +1,25 @@
+package job
+
+import (
+	"context"
+	"time"
+
+	"github.com/go-co-op/gocron/v2"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ScimJobs struct {
+	scimService *service.ScimService
+}
+
+func (s *Scheduler) RegisterScimJobs(ctx context.Context, scimService *service.ScimService) error {
+	jobs := &ScimJobs{scimService: scimService}
+
+	// Register the job to run every hour (with some jitter)
+	return s.RegisterJob(ctx, "SyncScim", gocron.DurationJob(time.Hour), jobs.SyncScim, service.RegisterJobOpts{RunImmediately: true})
+}
+
+func (j *ScimJobs) SyncScim(ctx context.Context) error {
+	return j.scimService.SyncAll(ctx)
+}

backend/internal/middleware/api_key_auth.go

@@ -34,7 +34,7 @@ func (m *ApiKeyAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 }
 
 func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
-	apiKey := c.GetHeader("X-API-KEY")
+	apiKey := c.GetHeader("X-API-Key")
 
 	user, err := m.apiKeyService.ValidateApiKey(c.Request.Context(), apiKey)
 	if err != nil {

backend/internal/middleware/auth_middleware.go

@@ -18,6 +18,7 @@ type AuthMiddleware struct {
 type AuthOptions struct {
 	AdminRequired   bool
 	SuccessOptional bool
+	AllowApiKeyAuth bool
 }
 
 func NewAuthMiddleware(
@@ -31,6 +32,7 @@ func NewAuthMiddleware(
 		options: AuthOptions{
 			AdminRequired:   true,
 			SuccessOptional: false,
+			AllowApiKeyAuth: true,
 		},
 	}
 }
@@ -59,12 +61,24 @@ func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
 	return clone
 }
 
+// WithApiKeyAuthDisabled disables API key authentication fallback and requires JWT auth.
+func (m *AuthMiddleware) WithApiKeyAuthDisabled() *AuthMiddleware {
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.AllowApiKeyAuth = false
+	return clone
+}
+
 func (m *AuthMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
+		userID, isAdmin, authenticationMethod, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
 			c.Set("userID", userID)
 			c.Set("userIsAdmin", isAdmin)
+			c.Set("authenticationMethod", authenticationMethod)
 			if c.IsAborted() {
 				return
 			}
@@ -79,6 +93,21 @@ func (m *AuthMiddleware) Add() gin.HandlerFunc {
 			return
 		}
 
+		if !m.options.AllowApiKeyAuth {
+			if m.options.SuccessOptional {
+				c.Next()
+				return
+			}
+
+			c.Abort()
+			if c.GetHeader("X-API-Key") != "" {
+				_ = c.Error(&common.APIKeyAuthNotAllowedError{})
+				return
+			}
+			_ = c.Error(err)
+			return
+		}
+
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {

backend/internal/middleware/auth_middleware_test.go

@@ -0,0 +1,104 @@
+package middleware
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
+)
+
+func TestWithApiKeyAuthDisabled(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	originalEnvConfig := common.EnvConfig
+	defer func() {
+		common.EnvConfig = originalEnvConfig
+	}()
+	common.EnvConfig.AppURL = "https://test.example.com"
+	common.EnvConfig.EncryptionKey = []byte("0123456789abcdef0123456789abcdef")
+
+	db := testutils.NewDatabaseForTest(t)
+
+	appConfigService, err := service.NewAppConfigService(t.Context(), db)
+	require.NoError(t, err)
+
+	jwtService, err := service.NewJwtService(t.Context(), db, appConfigService)
+	require.NoError(t, err)
+
+	userService := service.NewUserService(db, jwtService, nil, nil, appConfigService, nil, nil, nil, nil)
+	apiKeyService, err := service.NewApiKeyService(t.Context(), db, nil)
+	require.NoError(t, err)
+
+	authMiddleware := NewAuthMiddleware(apiKeyService, userService, jwtService)
+
+	user := createUserForAuthMiddlewareTest(t, db)
+	jwtToken, err := jwtService.GenerateAccessToken(user, "")
+	require.NoError(t, err)
+
+	_, apiKeyToken, err := apiKeyService.CreateApiKey(t.Context(), user.ID, dto.ApiKeyCreateDto{
+		Name:      "Middleware API Key",
+		ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
+	})
+	require.NoError(t, err)
+
+	router := gin.New()
+	router.Use(NewErrorHandlerMiddleware().Add())
+	router.GET("/api/protected", authMiddleware.WithAdminNotRequired().WithApiKeyAuthDisabled().Add(), func(c *gin.Context) {
+		c.Status(http.StatusNoContent)
+	})
+
+	t.Run("rejects API key auth when API key auth is disabled", func(t *testing.T) {
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/protected", nil)
+		req.Header.Set("X-API-Key", apiKeyToken)
+		recorder := httptest.NewRecorder()
+
+		router.ServeHTTP(recorder, req)
+
+		require.Equal(t, http.StatusForbidden, recorder.Code)
+
+		var body map[string]string
+		err := json.Unmarshal(recorder.Body.Bytes(), &body)
+		require.NoError(t, err)
+		require.Equal(t, "API key authentication is not allowed for this endpoint", body["error"])
+	})
+
+	t.Run("allows JWT auth when API key auth is disabled", func(t *testing.T) {
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/protected", nil)
+		req.Header.Set("Authorization", "Bearer "+jwtToken)
+		recorder := httptest.NewRecorder()
+
+		router.ServeHTTP(recorder, req)
+
+		require.Equal(t, http.StatusNoContent, recorder.Code)
+	})
+}
+
+func createUserForAuthMiddlewareTest(t *testing.T, db *gorm.DB) model.User {
+	t.Helper()
+
+	email := "auth@example.com"
+	user := model.User{
+		Username:    "auth-user",
+		Email:       &email,
+		FirstName:   "Auth",
+		LastName:    "User",
+		DisplayName: "Auth User",
+	}
+
+	err := db.Create(&user).Error
+	require.NoError(t, err)
+
+	return user
+}

backend/internal/middleware/cache_control_test.go

@@ -18,7 +18,7 @@ func TestCacheControlMiddlewareSetsDefault(t *testing.T) {
 		c.Status(http.StatusOK)
 	})
 
-	req := httptest.NewRequest(http.MethodGet, "/test", http.NoBody)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/test", http.NoBody)
 	w := httptest.NewRecorder()
 
 	router.ServeHTTP(w, req)
@@ -36,7 +36,7 @@ func TestCacheControlMiddlewarePreservesExistingHeader(t *testing.T) {
 		c.Status(http.StatusOK)
 	})
 
-	req := httptest.NewRequest(http.MethodGet, "/custom", http.NoBody)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/custom", http.NoBody)
 	w := httptest.NewRecorder()
 
 	router.ServeHTTP(w, req)

backend/internal/middleware/csp_middleware.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 )
@@ -28,22 +29,39 @@ func (m *CspMiddleware) Add() gin.HandlerFunc {
 		// Generate a random base64 nonce for this request
 		nonce := generateNonce()
 		c.Set("csp_nonce", nonce)
+		c.Writer.Header().Set("Content-Security-Policy", BuildCSP(nonce))
 
-		csp := "default-src 'self'; " +
-			"base-uri 'self'; " +
-			"object-src 'none'; " +
-			"frame-ancestors 'none'; " +
-			"form-action 'self'; " +
-			"img-src * blob:;" +
-			"font-src 'self'; " +
-			"style-src 'self' 'unsafe-inline'; " +
-			"script-src 'self' 'nonce-" + nonce + "'"
-
-		c.Writer.Header().Set("Content-Security-Policy", csp)
 		c.Next()
 	}
 }
 
+func BuildCSP(nonce string, formActionExtra ...string) string {
+	formAction := "'self'"
+
+	if len(formActionExtra) > 0 {
+		b := strings.Builder{}
+
+		for _, extra := range formActionExtra {
+			if extra != "" {
+				b.WriteByte(' ')
+				b.WriteString(extra)
+			}
+		}
+
+		formAction += b.String()
+	}
+
+	return "default-src 'self'; " +
+		"base-uri 'self'; " +
+		"object-src 'none'; " +
+		"frame-ancestors 'none'; " +
+		"form-action " + formAction + "; " +
+		"img-src * blob:;" +
+		"font-src 'self'; " +
+		"style-src 'self' 'unsafe-inline'; " +
+		"script-src 'self' 'nonce-" + nonce + "'"
+}
+
 func generateNonce() string {
 	b := make([]byte, 16)
 	if _, err := rand.Read(b); err != nil {

backend/internal/middleware/csp_middleware_test.go

@@ -0,0 +1,24 @@
+package middleware
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBuildCSP(t *testing.T) {
+	t.Run("uses self form action by default", func(t *testing.T) {
+		csp := BuildCSP("test-nonce")
+
+		assert.Contains(t, csp, "form-action 'self';")
+		assert.Contains(t, csp, "script-src 'self' 'nonce-test-nonce'")
+	})
+
+	t.Run("adds validated form action targets", func(t *testing.T) {
+		csp := BuildCSP("test-nonce", "https://example.com/callback")
+
+		assert.Contains(t, csp, "form-action 'self' https://example.com/callback;")
+		assert.Equal(t, 1, strings.Count(csp, "form-action"))
+	})
+}

backend/internal/middleware/error_handler.go

@@ -23,7 +23,6 @@ func (m *ErrorHandlerMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Next()
 		for _, err := range c.Errors {
-
 			// Check for record not found errors
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				errorResponse(c, http.StatusNotFound, "Record not found")
@@ -39,30 +38,56 @@ func (m *ErrorHandlerMiddleware) Add() gin.HandlerFunc {
 			}
 
 			// Check for slice validation errors
-			var sliceValidationErrors binding.SliceValidationError
-			if errors.As(err, &sliceValidationErrors) {
-				if errors.As(sliceValidationErrors[0], &validationErrors) {
+			svErr, ok := errors.AsType[binding.SliceValidationError](err)
+			if ok {
+				if errors.As(svErr[0], &validationErrors) {
 					message := handleValidationError(validationErrors)
 					errorResponse(c, http.StatusBadRequest, message)
 					return
 				}
 			}
 
-			var appErr common.AppError
-			if errors.As(err, &appErr) {
+			// AppError with description
+			appDescErr, ok := errors.AsType[common.AppErrorDescription](err)
+			if ok {
+				errorResponseWithDescription(c, appDescErr.HttpStatusCode(), appDescErr.Error(), appDescErr.Description())
+				return
+			}
+
+			// AppError (without description)
+			appErr, ok := errors.AsType[common.AppError](err)
+			if ok {
 				errorResponse(c, appErr.HttpStatusCode(), appErr.Error())
 				return
 			}
 
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
+			c.JSON(http.StatusInternalServerError, errorResponseBody{
+				Error: "Something went wrong",
+			})
 		}
 	}
 }
 
+type errorResponseBody struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description,omitempty"`
+}
+
 func errorResponse(c *gin.Context, statusCode int, message string) {
 	// Capitalize the first letter of the message
 	message = strings.ToUpper(message[:1]) + message[1:]
-	c.JSON(statusCode, gin.H{"error": message})
+	c.JSON(statusCode, errorResponseBody{
+		Error: message,
+	})
+}
+
+func errorResponseWithDescription(c *gin.Context, statusCode int, message string, description string) {
+	// Capitalize the first letter of the message
+	message = strings.ToUpper(message[:1]) + message[1:]
+	c.JSON(statusCode, errorResponseBody{
+		Error:            message,
+		ErrorDescription: description,
+	})
 }
 
 func handleValidationError(validationErrors validator.ValidationErrors) string {

backend/internal/middleware/head_middleware.go

@@ -16,7 +16,7 @@ type headWriter struct {
 
 func (w *headWriter) Write(b []byte) (int, error) {
 	w.size += len(b)
-	return w.size, nil
+	return len(b), nil
 }
 
 func HeadMiddleware() gin.HandlerFunc {

backend/internal/middleware/jwt_auth.go

@@ -20,7 +20,7 @@ func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.U
 
 func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		userID, isAdmin, err := m.Verify(c, adminRequired)
+		userID, isAdmin, authenticationMethod, err := m.Verify(c, adminRequired)
 		if err != nil {
 			c.Abort()
 			_ = c.Error(err)
@@ -29,11 +29,12 @@ func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 
 		c.Set("userID", userID)
 		c.Set("userIsAdmin", isAdmin)
+		c.Set("authenticationMethod", authenticationMethod)
 		c.Next()
 	}
 }
 
-func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {
+func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, authenticationMethod string, err error) {
 	// Extract the token from the cookie
 	accessToken, err := c.Cookie(cookie.AccessTokenCookieName)
 	if err != nil {
@@ -41,33 +42,37 @@ func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject
 		var ok bool
 		_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")
 		if !ok || accessToken == "" {
-			return "", false, &common.NotSignedInError{}
+			return "", false, "", &common.NotSignedInError{}
 		}
 	}
 
 	token, err := m.jwtService.VerifyAccessToken(accessToken)
 	if err != nil {
-		return "", false, &common.NotSignedInError{}
+		return "", false, "", &common.NotSignedInError{}
+	}
+	authenticationMethod, err = service.GetAuthenticationMethod(token)
+	if err != nil {
+		return "", false, "", &common.NotSignedInError{}
 	}
 
 	subject, ok := token.Subject()
 	if !ok {
 		_ = c.Error(&common.TokenInvalidError{})
-		return
+		return "", false, "", &common.TokenInvalidError{}
 	}
 
 	user, err := m.userService.GetUser(c, subject)
 	if err != nil {
-		return "", false, &common.NotSignedInError{}
+		return "", false, "", &common.NotSignedInError{}
 	}
 
 	if user.Disabled {
-		return "", false, &common.UserDisabledError{}
+		return "", false, "", &common.UserDisabledError{}
 	}
 
 	if adminRequired && !user.IsAdmin {
-		return "", false, &common.MissingPermissionError{}
+		return "", false, "", &common.MissingPermissionError{}
 	}
 
-	return subject, isAdmin, nil
+	return subject, user.IsAdmin, authenticationMethod, nil
 }

backend/internal/middleware/rate_limit.go

@@ -17,6 +17,12 @@ func NewRateLimitMiddleware() *RateLimitMiddleware {
 }
 
 func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
+	if common.EnvConfig.DisableRateLimiting {
+		return func(c *gin.Context) {
+			c.Next()
+		}
+	}
+
 	// Map to store the rate limiters per IP
 	var clients = make(map[string]*client)
 	var mu sync.Mutex

backend/internal/model/app_config.go

@@ -36,6 +36,7 @@ type AppConfig struct {
 	// General
 	AppName                   AppConfigVariable `key:"appName,public"` // Public
 	SessionDuration           AppConfigVariable `key:"sessionDuration"`
+	HomePageURL               AppConfigVariable `key:"homePageUrl,public"` // Public
 	EmailsVerified            AppConfigVariable `key:"emailsVerified"`
 	AccentColor               AppConfigVariable `key:"accentColor,public"`         // Public
 	DisableAnimations         AppConfigVariable `key:"disableAnimations,public"`   // Public
@@ -58,6 +59,7 @@ type AppConfig struct {
 	EmailOneTimeAccessAsUnauthenticatedEnabled AppConfigVariable `key:"emailOneTimeAccessAsUnauthenticatedEnabled,public"` // Public
 	EmailOneTimeAccessAsAdminEnabled           AppConfigVariable `key:"emailOneTimeAccessAsAdminEnabled,public"`           // Public
 	EmailApiKeyExpirationEnabled               AppConfigVariable `key:"emailApiKeyExpirationEnabled"`
+	EmailVerificationEnabled                   AppConfigVariable `key:"emailVerificationEnabled,public"` // Public
 	// LDAP
 	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
 	LdapUrl                            AppConfigVariable `key:"ldapUrl"`

backend/internal/model/app_config_test.go

@@ -70,13 +70,12 @@ func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
 // - dto.AppConfigDto should not include "internal" fields from model.AppConfig
 // This test is primarily meant to catch discrepancies between the two structs as fields are added or removed over time
 func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
-	appConfigType := reflect.TypeOf(model.AppConfig{})
-	updateDtoType := reflect.TypeOf(dto.AppConfigUpdateDto{})
+	appConfigType := reflect.TypeFor[model.AppConfig]()
+	updateDtoType := reflect.TypeFor[dto.AppConfigUpdateDto]()
 
 	// Process AppConfig fields
 	appConfigFields := make(map[string]string)
-	for i := 0; i < appConfigType.NumField(); i++ {
-		field := appConfigType.Field(i)
+	for field := range appConfigType.Fields() {
 		if field.Tag.Get("key") == "" {
 			// Skip internal fields
 			continue
@@ -91,9 +90,7 @@ func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
 
 	// Process AppConfigUpdateDto fields
 	dtoFields := make(map[string]string)
-	for i := 0; i < updateDtoType.NumField(); i++ {
-		field := updateDtoType.Field(i)
-
+	for field := range updateDtoType.Fields() {
 		// Extract the json name from the tag (takes the part before any binding constraints)
 		jsonTag := field.Tag.Get("json")
 		jsonName, _, _ := strings.Cut(jsonTag, ",")

backend/internal/model/email_verification_token.go

@@ -0,0 +1,13 @@
+package model
+
+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+type EmailVerificationToken struct {
+	Base
+
+	Token     string
+	ExpiresAt datatype.DateTime
+
+	UserID string
+	User   User
+}

backend/internal/model/oidc.go

@@ -33,6 +33,7 @@ type OidcAuthorizationCode struct {
 
 	Code                      string
 	Scope                     string
+	AuthenticationMethod      string
 	Nonce                     string
 	CodeChallenge             *string
 	CodeChallengeMethodSha256 *bool
@@ -77,9 +78,10 @@ func (c OidcClient) HasDarkLogo() bool {
 type OidcRefreshToken struct {
 	Base
 
-	Token     string
-	ExpiresAt datatype.DateTime
-	Scope     string
+	Token                string
+	ExpiresAt            datatype.DateTime
+	Scope                string
+	AuthenticationMethod string
 
 	UserID string
 	User   User
@@ -141,11 +143,13 @@ func (cu UrlList) Value() (driver.Value, error) {
 
 type OidcDeviceCode struct {
 	Base
-	DeviceCode   string
-	UserCode     string
-	Scope        string
-	ExpiresAt    datatype.DateTime
-	IsAuthorized bool
+	DeviceCode           string
+	UserCode             string
+	Scope                string
+	AuthenticationMethod string
+	Nonce                string
+	ExpiresAt            datatype.DateTime
+	IsAuthorized         bool
 
 	UserID   *string
 	User     User

backend/internal/model/one_time_access_token.go

@@ -0,0 +1,13 @@
+package model
+
+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+type OneTimeAccessToken struct {
+	Base
+	Token       string
+	DeviceToken *string
+	ExpiresAt   datatype.DateTime
+
+	UserID string
+	User   User
+}

backend/internal/model/types/encrypted_string.go

@@ -40,14 +40,9 @@ func (e *EncryptedString) Scan(value any) error {
 		return nil
 	}
 
-	encBytes, err := base64.StdEncoding.DecodeString(raw)
+	decBytes, err := DecryptEncryptedStringWithKey(encStringKey, raw)
 	if err != nil {
-		return fmt.Errorf("failed to decode encrypted string: %w", err)
-	}
-
-	decBytes, err := cryptoutils.Decrypt(encStringKey, encBytes, []byte(encryptedStringAAD))
-	if err != nil {
-		return fmt.Errorf("failed to decrypt encrypted string: %w", err)
+		return err
 	}
 
 	*e = EncryptedString(decBytes)
@@ -59,19 +54,20 @@ func (e EncryptedString) Value() (driver.Value, error) {
 		return "", nil
 	}
 
-	encBytes, err := cryptoutils.Encrypt(encStringKey, []byte(e), []byte(encryptedStringAAD))
+	encValue, err := EncryptEncryptedStringWithKey(encStringKey, []byte(e))
 	if err != nil {
-		return nil, fmt.Errorf("failed to encrypt string: %w", err)
+		return nil, err
 	}
 
-	return base64.StdEncoding.EncodeToString(encBytes), nil
+	return encValue, nil
 }
 
 func (e EncryptedString) String() string {
 	return string(e)
 }
 
-func deriveEncryptedStringKey(master []byte) ([]byte, error) {
+// DeriveEncryptedStringKey derives a key for encrypting EncryptedString values from the master key.
+func DeriveEncryptedStringKey(master []byte) ([]byte, error) {
 	const info = "pocketid/encrypted_string"
 	r := hkdf.New(sha256.New, master, nil, []byte(info))
 
@@ -82,8 +78,33 @@ func deriveEncryptedStringKey(master []byte) ([]byte, error) {
 	return key, nil
 }
 
+// DecryptEncryptedStringWithKey decrypts an EncryptedString value using the derived key.
+func DecryptEncryptedStringWithKey(key []byte, encoded string) ([]byte, error) {
+	encBytes, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode encrypted string: %w", err)
+	}
+
+	decBytes, err := cryptoutils.Decrypt(key, encBytes, []byte(encryptedStringAAD))
+	if err != nil {
+		return nil, fmt.Errorf("failed to decrypt encrypted string: %w", err)
+	}
+
+	return decBytes, nil
+}
+
+// EncryptEncryptedStringWithKey encrypts an EncryptedString value using the derived key.
+func EncryptEncryptedStringWithKey(key []byte, plaintext []byte) (string, error) {
+	encBytes, err := cryptoutils.Encrypt(key, plaintext, []byte(encryptedStringAAD))
+	if err != nil {
+		return "", fmt.Errorf("failed to encrypt string: %w", err)
+	}
+
+	return base64.StdEncoding.EncodeToString(encBytes), nil
+}
+
 func init() {
-	key, err := deriveEncryptedStringKey(common.EnvConfig.EncryptionKey)
+	key, err := DeriveEncryptedStringKey(common.EnvConfig.EncryptionKey)
 	if err != nil {
 		panic(fmt.Sprintf("failed to derive encrypted string key: %v", err))
 	}

backend/internal/model/user.go

@@ -14,16 +14,17 @@ import (
 type User struct {
 	Base
 
-	Username    string  `sortable:"true"`
-	Email       *string `sortable:"true"`
-	FirstName   string  `sortable:"true"`
-	LastName    string  `sortable:"true"`
-	DisplayName string  `sortable:"true"`
-	IsAdmin     bool    `sortable:"true" filterable:"true"`
-	Locale      *string
-	LdapID      *string
-	Disabled    bool `sortable:"true" filterable:"true"`
-	UpdatedAt   *datatype.DateTime
+	Username      string  `sortable:"true"`
+	Email         *string `sortable:"true"`
+	EmailVerified bool    `sortable:"true" filterable:"true"`
+	FirstName     string  `sortable:"true"`
+	LastName      string  `sortable:"true"`
+	DisplayName   string  `sortable:"true"`
+	IsAdmin       bool    `sortable:"true" filterable:"true"`
+	Locale        *string
+	LdapID        *string
+	Disabled      bool `sortable:"true" filterable:"true"`
+	UpdatedAt     *datatype.DateTime
 
 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
@@ -38,7 +39,7 @@ func (u User) WebAuthnDisplayName() string {
 	if u.DisplayName != "" {
 		return u.DisplayName
 	}
-	return u.FirstName + " " + u.LastName
+	return u.FullName()
 }
 
 func (u User) WebAuthnIcon() string { return "" }
@@ -75,7 +76,16 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 }
 
 func (u User) FullName() string {
-	return u.FirstName + " " + u.LastName
+	fullname := strings.TrimSpace(u.FirstName + " " + u.LastName)
+	if fullname != "" {
+		return fullname
+	}
+
+	if u.DisplayName != "" {
+		return u.DisplayName
+	}
+
+	return u.Username
 }
 
 func (u User) Initials() string {
@@ -93,13 +103,3 @@ func (u User) LastModified() time.Time {
 	}
 	return u.CreatedAt.ToTime()
 }
-
-type OneTimeAccessToken struct {
-	Base
-	Token       string
-	DeviceToken *string
-	ExpiresAt   datatype.DateTime
-
-	UserID string
-	User   User
-}

backend/internal/model/webauthn.go

@@ -58,7 +58,7 @@ type ReauthenticationToken struct {
 type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvcheck
 
 // Scan and Value methods for GORM to handle the custom type
-func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
+func (atl *AuthenticatorTransportList) Scan(value any) error {
 	return utils.UnmarshalJSONFromDatabase(atl, value)
 }
 
@@ -69,7 +69,7 @@ func (atl AuthenticatorTransportList) Value() (driver.Value, error) {
 type CredentialParameters []protocol.CredentialParameter //nolint:recvcheck
 
 // Scan and Value methods for GORM to handle the custom type
-func (cp *CredentialParameters) Scan(value interface{}) error {
+func (cp *CredentialParameters) Scan(value any) error {
 	return utils.UnmarshalJSONFromDatabase(cp, value)
 }
 

backend/internal/service/api_key_service.go

@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
@@ -16,13 +17,25 @@ import (
 	"gorm.io/gorm/clause"
 )
 
+const staticApiKeyUserID = "00000000-0000-0000-0000-000000000000"
+
 type ApiKeyService struct {
 	db           *gorm.DB
 	emailService *EmailService
 }
 
-func NewApiKeyService(db *gorm.DB, emailService *EmailService) *ApiKeyService {
-	return &ApiKeyService{db: db, emailService: emailService}
+func NewApiKeyService(ctx context.Context, db *gorm.DB, emailService *EmailService) (*ApiKeyService, error) {
+	s := &ApiKeyService{db: db, emailService: emailService}
+
+	if common.EnvConfig.StaticApiKey == "" {
+		err := s.deleteStaticApiKeyUser(ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return s, nil
+
 }
 
 func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, listRequestOptions utils.ListRequestOptions) ([]model.ApiKey, utils.PaginationResponse, error) {
@@ -65,6 +78,9 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 		Create(&apiKey).
 		Error
 	if err != nil {
+		if errors.Is(err, gorm.ErrDuplicatedKey) {
+			return model.ApiKey{}, "", &common.AlreadyInUseError{Property: "API key name"}
+		}
 		return model.ApiKey{}, "", err
 	}
 
@@ -72,6 +88,56 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 	return apiKey, token, nil
 }
 
+func (s *ApiKeyService) RenewApiKey(ctx context.Context, userID, apiKeyID string, expiration time.Time) (model.ApiKey, string, error) {
+	// Check if expiration is in the future
+	if !expiration.After(time.Now()) {
+		return model.ApiKey{}, "", &common.APIKeyExpirationDateError{}
+	}
+
+	tx := s.db.Begin()
+	defer tx.Rollback()
+
+	var apiKey model.ApiKey
+	err := tx.
+		WithContext(ctx).
+		Model(&model.ApiKey{}).
+		Where("id = ? AND user_id = ?", apiKeyID, userID).
+		First(&apiKey).
+		Error
+
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return model.ApiKey{}, "", &common.APIKeyNotFoundError{}
+		}
+		return model.ApiKey{}, "", err
+	}
+
+	// Only allow renewal if the key has already expired
+	if apiKey.ExpiresAt.ToTime().After(time.Now()) {
+		return model.ApiKey{}, "", &common.APIKeyNotExpiredError{}
+	}
+
+	// Generate a secure random API key
+	token, err := utils.GenerateRandomAlphanumericString(32)
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	apiKey.Key = utils.CreateSha256Hash(token)
+	apiKey.ExpiresAt = datatype.DateTime(expiration)
+
+	err = tx.WithContext(ctx).Save(&apiKey).Error
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	if err := tx.Commit().Error; err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	return apiKey, token, nil
+}
+
 func (s *ApiKeyService) RevokeApiKey(ctx context.Context, userID, apiKeyID string) error {
 	var apiKey model.ApiKey
 	err := s.db.
@@ -94,6 +160,10 @@ func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (mode
 		return model.User{}, &common.NoAPIKeyProvidedError{}
 	}
 
+	if common.EnvConfig.StaticApiKey != "" && apiKey == common.EnvConfig.StaticApiKey {
+		return s.initStaticApiKeyUser(ctx)
+	}
+
 	now := time.Now()
 	hashedKey := utils.CreateSha256Hash(apiKey)
 
@@ -104,7 +174,7 @@ func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (mode
 		Clauses(clause.Returning{}).
 		Where("key = ? AND expires_at > ?", hashedKey, datatype.DateTime(now)).
 		Updates(&model.ApiKey{
-			LastUsedAt: utils.Ptr(datatype.DateTime(now)),
+			LastUsedAt: new(datatype.DateTime(now)),
 		}).
 		Preload("User").
 		First(&key).
@@ -136,34 +206,75 @@ func (s *ApiKeyService) ListExpiringApiKeys(ctx context.Context, daysAhead int)
 }
 
 func (s *ApiKeyService) SendApiKeyExpiringSoonEmail(ctx context.Context, apiKey model.ApiKey) error {
-	user := apiKey.User
-
-	if user.ID == "" {
-		if err := s.db.WithContext(ctx).First(&user, "id = ?", apiKey.UserID).Error; err != nil {
-			return err
-		}
-	}
-
-	if user.Email == nil {
+	if apiKey.User.Email == nil {
 		return &common.UserEmailNotSetError{}
 	}
 
 	err := SendEmail(ctx, s.emailService, email.Address{
-		Name:  user.FullName(),
-		Email: *user.Email,
+		Name:  apiKey.User.FullName(),
+		Email: *apiKey.User.Email,
 	}, ApiKeyExpiringSoonTemplate, &ApiKeyExpiringSoonTemplateData{
 		ApiKeyName: apiKey.Name,
 		ExpiresAt:  apiKey.ExpiresAt.ToTime(),
-		Name:       user.FirstName,
+		Name:       apiKey.User.FirstName,
 	})
 	if err != nil {
-		return err
+		return fmt.Errorf("error sending notification email: %w", err)
 	}
 
 	// Mark the API key as having had an expiration email sent
-	return s.db.WithContext(ctx).
+	err = s.db.WithContext(ctx).
 		Model(&model.ApiKey{}).
 		Where("id = ?", apiKey.ID).
 		Update("expiration_email_sent", true).
 		Error
+	if err != nil {
+		return fmt.Errorf("error recording expiration sent email in database: %w", err)
+	}
+
+	return nil
+}
+
+func (s *ApiKeyService) initStaticApiKeyUser(ctx context.Context) (user model.User, err error) {
+	err = s.db.
+		WithContext(ctx).
+		First(&user, "id = ?", staticApiKeyUserID).
+		Error
+
+	if err == nil {
+		return user, nil
+	}
+
+	if !errors.Is(err, gorm.ErrRecordNotFound) {
+		return model.User{}, err
+	}
+
+	usernameSuffix, err := utils.GenerateRandomAlphanumericString(6)
+	if err != nil {
+		return model.User{}, err
+	}
+
+	user = model.User{
+		Base: model.Base{
+			ID: staticApiKeyUserID,
+		},
+		FirstName:   "Static API User",
+		Username:    "static-api-user-" + usernameSuffix,
+		DisplayName: "Static API User",
+		IsAdmin:     true,
+	}
+
+	err = s.db.
+		WithContext(ctx).
+		Create(&user).
+		Error
+
+	return user, err
+}
+
+func (s *ApiKeyService) deleteStaticApiKeyUser(ctx context.Context) error {
+	return s.db.
+		WithContext(ctx).
+		Delete(&model.User{}, "id = ?", staticApiKeyUserID).
+		Error
 }

backend/internal/service/app_config_service.go

@@ -61,6 +61,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		// General
 		AppName:                   model.AppConfigVariable{Value: "Pocket ID"},
 		SessionDuration:           model.AppConfigVariable{Value: "60"},
+		HomePageURL:               model.AppConfigVariable{Value: "/settings/account"},
 		EmailsVerified:            model.AppConfigVariable{Value: "false"},
 		DisableAnimations:         model.AppConfigVariable{Value: "false"},
 		AllowOwnAccountEdit:       model.AppConfigVariable{Value: "true"},
@@ -83,6 +84,7 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 		EmailOneTimeAccessAsUnauthenticatedEnabled: model.AppConfigVariable{Value: "false"},
 		EmailOneTimeAccessAsAdminEnabled:           model.AppConfigVariable{Value: "false"},
 		EmailApiKeyExpirationEnabled:               model.AppConfigVariable{Value: "false"},
+		EmailVerificationEnabled:                   model.AppConfigVariable{Value: "false"},
 		// LDAP
 		LdapEnabled:                        model.AppConfigVariable{Value: "false"},
 		LdapUrl:                            model.AppConfigVariable{},
@@ -184,8 +186,7 @@ func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppCon
 	rt := reflect.ValueOf(input).Type()
 	rv := reflect.ValueOf(input)
 	dbUpdate := make([]model.AppConfigVariable, 0, rt.NumField())
-	for i := range rt.NumField() {
-		field := rt.Field(i)
+	for field := range rt.Fields() {
 		value := rv.FieldByName(field.Name).String()
 
 		// Get the value of the json tag, taking only what's before the comma
@@ -264,9 +265,9 @@ func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndVal
 	// We update the in-memory data (in the cfg struct) and collect values to update in the database
 	// (Note the += 2, as we are iterating through key-value pairs)
 	dbUpdate := make([]model.AppConfigVariable, 0, len(keysAndValues)/2)
-	for i := 0; i < len(keysAndValues); i += 2 {
-		key := keysAndValues[i]
-		value := keysAndValues[i+1]
+	for i := 1; i < len(keysAndValues); i += 2 {
+		key := keysAndValues[i-1]
+		value := keysAndValues[i]
 
 		// Ensure that the field is valid
 		// We do this by grabbing the default value
@@ -407,6 +408,7 @@ func (s *AppConfigService) loadDbConfigFromEnv(ctx context.Context, tx *gorm.DB)
 		if attrs == "sensitive" {
 			fileName := os.Getenv(envVarName + "_FILE")
 			if fileName != "" {
+				// #nosec G703 - Value is provided by admin
 				b, err := os.ReadFile(fileName)
 				if err != nil {
 					return nil, fmt.Errorf("failed to read secret '%s' from file '%s': %w", envVarName, fileName, err)

backend/internal/service/app_images_service_test.go

@@ -104,7 +104,7 @@ func newFileHeader(t *testing.T, filename string, content []byte) *multipart.Fil
 
 	require.NoError(t, writer.Close())
 
-	req := httptest.NewRequest(http.MethodPost, "/", body)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/", body)
 	req.Header.Set("Content-Type", writer.FormDataContentType())
 
 	_, fileHeader, err := req.FormFile("file")

backend/internal/service/app_lock_service.go

@@ -73,7 +73,10 @@ func (lv *lockValue) Unmarshal(raw string) error {
 // Acquire obtains the lock. When force is true, the lock is stolen from any existing owner.
 // If the lock is forcefully acquired, it blocks until the previous lock has expired.
 func (s *AppLockService) Acquire(ctx context.Context, force bool) (waitUntil time.Time, err error) {
-	tx := s.db.Begin()
+	tx := s.db.WithContext(ctx).Begin()
+	if tx.Error != nil {
+		return time.Time{}, fmt.Errorf("begin lock transaction: %w", tx.Error)
+	}
 	defer func() {
 		tx.Rollback()
 	}()
@@ -93,7 +96,8 @@ func (s *AppLockService) Acquire(ctx context.Context, force bool) (waitUntil tim
 
 	var prevLock lockValue
 	if prevLockRaw != "" {
-		if err := prevLock.Unmarshal(prevLockRaw); err != nil {
+		err = prevLock.Unmarshal(prevLockRaw)
+		if err != nil {
 			return time.Time{}, fmt.Errorf("decode existing lock value: %w", err)
 		}
 	}
@@ -139,7 +143,8 @@ func (s *AppLockService) Acquire(ctx context.Context, force bool) (waitUntil tim
 		return time.Time{}, fmt.Errorf("lock acquisition failed: %w", res.Error)
 	}
 
-	if err := tx.Commit().Error; err != nil {
+	err = tx.Commit().Error
+	if err != nil {
 		return time.Time{}, fmt.Errorf("commit lock acquisition: %w", err)
 	}
 
@@ -174,7 +179,8 @@ func (s *AppLockService) RunRenewal(ctx context.Context) error {
 		case <-ctx.Done():
 			return nil
 		case <-ticker.C:
-			if err := s.renew(ctx); err != nil {
+			err := s.renew(ctx)
+			if err != nil {
 				return fmt.Errorf("renew lock: %w", err)
 			}
 		}
@@ -183,33 +189,43 @@ func (s *AppLockService) RunRenewal(ctx context.Context) error {
 
 // Release releases the lock if it is held by this process.
 func (s *AppLockService) Release(ctx context.Context) error {
-	opCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
-	defer cancel()
+	db, err := s.db.DB()
+	if err != nil {
+		return fmt.Errorf("failed to get DB connection: %w", err)
+	}
 
 	var query string
 	switch s.db.Name() {
 	case "sqlite":
 		query = `
-		DELETE FROM kv
-		WHERE key = ?
-		  AND json_extract(value, '$.lock_id') = ?
-	`
+DELETE FROM kv
+WHERE key = ?
+  AND json_extract(value, '$.lock_id') = ?
+`
 	case "postgres":
 		query = `
-		DELETE FROM kv
-		WHERE key = $1
-		  AND value::json->>'lock_id' = $2
-	`
+DELETE FROM kv
+WHERE key = $1
+  AND value::json->>'lock_id' = $2
+`
 	default:
 		return fmt.Errorf("unsupported database dialect: %s", s.db.Name())
 	}
 
-	res := s.db.WithContext(opCtx).Exec(query, lockKey, s.lockID)
-	if res.Error != nil {
-		return fmt.Errorf("release lock failed: %w", res.Error)
+	opCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+
+	res, err := db.ExecContext(opCtx, query, lockKey, s.lockID)
+	if err != nil {
+		return fmt.Errorf("release lock failed: %w", err)
 	}
 
-	if res.RowsAffected == 0 {
+	count, err := res.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to count affected rows: %w", err)
+	}
+
+	if count == 0 {
 		slog.Warn("Application lock not held by this process, cannot release",
 			slog.Int64("process_id", s.processID),
 			slog.String("host_id", s.hostID),
@@ -225,6 +241,11 @@ func (s *AppLockService) Release(ctx context.Context) error {
 
 // renew tries to renew the lock, retrying up to renewRetries times (sleeping 1s between attempts).
 func (s *AppLockService) renew(ctx context.Context) error {
+	db, err := s.db.DB()
+	if err != nil {
+		return fmt.Errorf("failed to get DB connection: %w", err)
+	}
+
 	var lastErr error
 	for attempt := 1; attempt <= renewRetries; attempt++ {
 		now := time.Now()
@@ -246,42 +267,56 @@ func (s *AppLockService) renew(ctx context.Context) error {
 		switch s.db.Name() {
 		case "sqlite":
 			query = `
-				UPDATE kv
-				SET value = ?
-				WHERE key = ?
-				  AND json_extract(value, '$.lock_id') = ?
-				  AND json_extract(value, '$.expires_at') > ?
-			`
+UPDATE kv
+SET value = ?
+WHERE key = ?
+  AND json_extract(value, '$.lock_id') = ?
+  AND json_extract(value, '$.expires_at') > ?
+`
 		case "postgres":
 			query = `
-				UPDATE kv
-				SET value = $1
-				WHERE key = $2
-				  AND value::json->>'lock_id' = $3
-				  AND ((value::json->>'expires_at')::bigint > $4)
-			`
+UPDATE kv
+SET value = $1
+WHERE key = $2
+  AND value::json->>'lock_id' = $3
+  AND ((value::json->>'expires_at')::bigint > $4)
+`
 		default:
 			return fmt.Errorf("unsupported database dialect: %s", s.db.Name())
 		}
 
 		opCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
-		res := s.db.WithContext(opCtx).Exec(query, raw, lockKey, s.lockID, nowUnix)
+		res, err := db.ExecContext(opCtx, query, raw, lockKey, s.lockID, nowUnix)
 		cancel()
 
-		switch {
-		case res.Error != nil:
-			lastErr = fmt.Errorf("lock renewal failed: %w", res.Error)
-		case res.RowsAffected == 0:
-			// Must be after checking res.Error
-			return ErrLockLost
-		default:
+		// Query succeeded, but may have updated 0 rows
+		if err == nil {
+			count, err := res.RowsAffected()
+			if err != nil {
+				return fmt.Errorf("failed to count affected rows: %w", err)
+			}
+
+			// If no rows were updated, we lost the lock
+			if count == 0 {
+				return ErrLockLost
+			}
+
+			// All good
 			slog.Debug("Renewed application lock",
 				slog.Int64("process_id", s.processID),
 				slog.String("host_id", s.hostID),
+				slog.Duration("duration", time.Since(now)),
 			)
 			return nil
 		}
 
+		// If we're here, we have an error that can be retried
+		slog.Debug("Application lock renewal attempt failed",
+			slog.Any("error", err),
+			slog.Duration("duration", time.Since(now)),
+		)
+		lastErr = fmt.Errorf("lock renewal failed: %w", err)
+
 		// Wait before next attempt or cancel if context is done
 		if attempt < renewRetries {
 			select {

backend/internal/service/app_lock_service_test.go

@@ -49,6 +49,23 @@ func readLockValue(t *testing.T, db *gorm.DB) lockValue {
 	return value
 }
 
+func lockDatabaseForWrite(t *testing.T, db *gorm.DB) *gorm.DB {
+	t.Helper()
+
+	tx := db.Begin()
+	require.NoError(t, tx.Error)
+
+	// Keep a write transaction open to block other queries.
+	err := tx.Exec(
+		`INSERT INTO kv (key, value) VALUES (?, ?) ON CONFLICT(key) DO NOTHING`,
+		lockKey,
+		`{"expires_at":0}`,
+	).Error
+	require.NoError(t, err)
+
+	return tx
+}
+
 func TestAppLockServiceAcquire(t *testing.T) {
 	t.Run("creates new lock when none exists", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
@@ -99,6 +116,66 @@ func TestAppLockServiceAcquire(t *testing.T) {
 		require.Equal(t, service.hostID, stored.HostID)
 		require.Greater(t, stored.ExpiresAt, time.Now().Unix())
 	})
+
+	t.Run("force acquisition returns wait duration when stealing active lock", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		existing := lockValue{
+			ProcessID: 99,
+			HostID:    "other-host",
+			LockID:    "other-lock-id",
+			ExpiresAt: time.Now().Add(ttl).Unix(),
+		}
+		insertLock(t, db, existing)
+
+		waitUntil, err := service.Acquire(context.Background(), true)
+		require.NoError(t, err)
+		require.WithinDuration(t, time.Unix(existing.ExpiresAt, 0), waitUntil, time.Second)
+	})
+
+	t.Run("force acquisition does not wait when lock id is unchanged", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		insertLock(t, db, lockValue{
+			ProcessID: 99,
+			HostID:    "other-host",
+			LockID:    service.lockID,
+			ExpiresAt: time.Now().Add(ttl).Unix(),
+		})
+
+		waitUntil, err := service.Acquire(context.Background(), true)
+		require.NoError(t, err)
+		require.True(t, waitUntil.IsZero())
+	})
+
+	t.Run("returns error when existing lock value is invalid JSON", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		raw := "this-is-not-json"
+		err := db.Create(&model.KV{Key: lockKey, Value: &raw}).Error
+		require.NoError(t, err)
+
+		_, err = service.Acquire(context.Background(), false)
+		require.ErrorContains(t, err, "decode existing lock value")
+	})
+
+	t.Run("returns context deadline exceeded when database is locked", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		tx := lockDatabaseForWrite(t, db)
+		defer tx.Rollback()
+
+		ctx, cancel := context.WithTimeout(context.Background(), 150*time.Millisecond)
+		defer cancel()
+
+		_, err := service.Acquire(ctx, false)
+		require.ErrorIs(t, err, context.DeadlineExceeded)
+		require.ErrorContains(t, err, "begin lock transaction")
+	})
 }
 
 func TestAppLockServiceRelease(t *testing.T) {
@@ -134,6 +211,24 @@ func TestAppLockServiceRelease(t *testing.T) {
 		stored := readLockValue(t, db)
 		require.Equal(t, existing, stored)
 	})
+
+	t.Run("returns context deadline exceeded when database is locked", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		_, err := service.Acquire(context.Background(), false)
+		require.NoError(t, err)
+
+		tx := lockDatabaseForWrite(t, db)
+		defer tx.Rollback()
+
+		ctx, cancel := context.WithTimeout(context.Background(), 150*time.Millisecond)
+		defer cancel()
+
+		err = service.Release(ctx)
+		require.ErrorIs(t, err, context.DeadlineExceeded)
+		require.ErrorContains(t, err, "release lock failed")
+	})
 }
 
 func TestAppLockServiceRenew(t *testing.T) {
@@ -186,4 +281,21 @@ func TestAppLockServiceRenew(t *testing.T) {
 		err = service.renew(context.Background())
 		require.ErrorIs(t, err, ErrLockLost)
 	})
+
+	t.Run("returns context deadline exceeded when database is locked", func(t *testing.T) {
+		db := testutils.NewDatabaseForTest(t)
+		service := newTestAppLockService(t, db)
+
+		_, err := service.Acquire(context.Background(), false)
+		require.NoError(t, err)
+
+		tx := lockDatabaseForWrite(t, db)
+		defer tx.Rollback()
+
+		ctx, cancel := context.WithTimeout(context.Background(), 150*time.Millisecond)
+		defer cancel()
+
+		err = service.renew(ctx)
+		require.ErrorIs(t, err, context.DeadlineExceeded)
+	})
 }

backend/internal/service/audit_log_service.go

@@ -92,7 +92,7 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 
 	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
 	if s.appConfigService.GetDbConfig().EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
-		// We use a background context here as this is running in a goroutine
+		// #nosec G118 - We use a background context here as this is running in a goroutine
 		//nolint:contextcheck
 		go func() {
 			span := trace.SpanFromContext(ctx)

backend/internal/service/e2etest_service.go

@@ -80,30 +80,32 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Base: model.Base{
 					ID: "f4b89dc2-62fb-46bf-9f5f-c34f4eafe93e",
 				},
-				Username:    "tim",
-				Email:       utils.Ptr("tim.cook@test.com"),
-				FirstName:   "Tim",
-				LastName:    "Cook",
-				DisplayName: "Tim Cook",
-				IsAdmin:     true,
+				Username:      "tim",
+				Email:         new("tim.cook@test.com"),
+				EmailVerified: true,
+				FirstName:     "Tim",
+				LastName:      "Cook",
+				DisplayName:   "Tim Cook",
+				IsAdmin:       true,
 			},
 			{
 				Base: model.Base{
 					ID: "1cd19686-f9a6-43f4-a41f-14a0bf5b4036",
 				},
-				Username:    "craig",
-				Email:       utils.Ptr("craig.federighi@test.com"),
-				FirstName:   "Craig",
-				LastName:    "Federighi",
-				DisplayName: "Craig Federighi",
-				IsAdmin:     false,
+				Username:      "craig",
+				Email:         new("craig.federighi@test.com"),
+				EmailVerified: false,
+				FirstName:     "Craig",
+				LastName:      "Federighi",
+				DisplayName:   "Craig Federighi",
+				IsAdmin:       false,
 			},
 			{
 				Base: model.Base{
 					ID: "d9256384-98ad-49a7-bc58-99ad0b4dc23c",
 				},
 				Username:    "eddy",
-				Email:       utils.Ptr("eddy.cue@test.com"),
+				Email:       new("eddy.cue@test.com"),
 				FirstName:   "Eddy",
 				LastName:    "Cue",
 				DisplayName: "Eddy Cue",
@@ -169,12 +171,12 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
 				Name:               "Nextcloud",
-				LaunchURL:          utils.Ptr("https://nextcloud.local"),
+				LaunchURL:          new("https://nextcloud.local"),
 				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
 				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
-				ImageType:          utils.StringPointer("png"),
-				CreatedByID:        utils.Ptr(users[0].ID),
+				ImageType:          new("png"),
+				CreatedByID:        new(users[0].ID),
 			},
 			{
 				Base: model.Base{
@@ -183,7 +185,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "Immich",
 				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs:      model.UrlList{"http://immich/auth/callback"},
-				CreatedByID:       utils.Ptr(users[1].ID),
+				CreatedByID:       new(users[1].ID),
 				IsGroupRestricted: true,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[1],
@@ -198,7 +200,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				CallbackURLs:       model.UrlList{"http://tailscale/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://tailscale/auth/logout/callback"},
 				IsGroupRestricted:  true,
-				CreatedByID:        utils.Ptr(users[0].ID),
+				CreatedByID:        new(users[0].ID),
 			},
 			{
 				Base: model.Base{
@@ -207,7 +209,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "Federated",
 				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs:      model.UrlList{"http://federated/auth/callback"},
-				CreatedByID:       utils.Ptr(users[1].ID),
+				CreatedByID:       new(users[1].ID),
 				AllowedUserGroups: []model.UserGroup{},
 				Credentials: model.OidcClientCredentials{
 					FederatedIdentities: []model.OidcClientFederatedIdentity{
@@ -227,7 +229,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "SCIM Client",
 				Secret:            "$2a$10$h4wfa8gI7zavDAxwzSq1sOwYU4e8DwK1XZ8ZweNnY5KzlJ3Iz.qdK", // nQbiuMRG7FpdK2EnDd5MBivWQeKFXohn
 				CallbackURLs:      model.UrlList{"http://scimclient/auth/callback"},
-				CreatedByID:       utils.Ptr(users[0].ID),
+				CreatedByID:       new(users[0].ID),
 				IsGroupRestricted: true,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[0],
@@ -243,20 +245,22 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 
 		authCodes := []model.OidcAuthorizationCode{
 			{
-				Code:      "auth-code",
-				Scope:     "openid profile",
-				Nonce:     "nonce",
-				ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
-				UserID:    users[0].ID,
-				ClientID:  oidcClients[0].ID,
+				Code:                 "auth-code",
+				Scope:                "openid profile",
+				Nonce:                "nonce",
+				AuthenticationMethod: AuthenticationMethodPhishingResistant,
+				ExpiresAt:            datatype.DateTime(time.Now().Add(1 * time.Hour)),
+				UserID:               users[0].ID,
+				ClientID:             oidcClients[0].ID,
 			},
 			{
-				Code:      "federated",
-				Scope:     "openid profile",
-				Nonce:     "nonce",
-				ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
-				UserID:    users[1].ID,
-				ClientID:  oidcClients[2].ID,
+				Code:                 "federated",
+				Scope:                "openid profile",
+				Nonce:                "nonce",
+				AuthenticationMethod: AuthenticationMethodPhishingResistant,
+				ExpiresAt:            datatype.DateTime(time.Now().Add(1 * time.Hour)),
+				UserID:               users[1].ID,
+				ClientID:             oidcClients[3].ID,
 			},
 		}
 		for _, authCode := range authCodes {
@@ -266,11 +270,12 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 		}
 
 		refreshToken := model.OidcRefreshToken{
-			Token:     utils.CreateSha256Hash("ou87UDg249r1StBLYkMEqy9TXDbV5HmGuDpMcZDo"),
-			ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
-			Scope:     "openid profile email",
-			UserID:    users[0].ID,
-			ClientID:  oidcClients[0].ID,
+			Token:                utils.CreateSha256Hash("ou87UDg249r1StBLYkMEqy9TXDbV5HmGuDpMcZDo"),
+			AuthenticationMethod: AuthenticationMethodPhishingResistant,
+			ExpiresAt:            datatype.DateTime(time.Now().Add(24 * time.Hour)),
+			Scope:                "openid profile email",
+			UserID:               users[0].ID,
+			ClientID:             oidcClients[0].ID,
 		}
 		if err := tx.Create(&refreshToken).Error; err != nil {
 			return err
@@ -354,17 +359,30 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			return err
 		}
 
-		apiKey := model.ApiKey{
-			Base: model.Base{
-				ID: "5f1fa856-c164-4295-961e-175a0d22d725",
+		apiKeys := []model.ApiKey{
+			{
+				Base: model.Base{
+					ID: "5f1fa856-c164-4295-961e-175a0d22d725",
+				},
+				Name:      "Test API Key",
+				Key:       "6c34966f57ef2bb7857649aff0e7ab3ad67af93c846342ced3f5a07be8706c20",
+				UserID:    users[0].ID,
+				ExpiresAt: datatype.DateTime(time.Now().Add(30 * 24 * time.Hour)),
+			},
+			{
+				Base: model.Base{
+					ID: "98900330-7a7b-48fe-881b-2cc6ad049976",
+				},
+				Name:      "Expired API Key",
+				Key:       "141ff8ac9db640ba93630099de83d0ead8e7ac673e3a7d31b4fd7ff2252e6389",
+				UserID:    users[0].ID,
+				ExpiresAt: datatype.DateTime(time.Now().Add(-20 * 24 * time.Hour)),
 			},
-			Name:      "Test API Key",
-			Key:       "6c34966f57ef2bb7857649aff0e7ab3ad67af93c846342ced3f5a07be8706c20",
-			UserID:    users[0].ID,
-			ExpiresAt: datatype.DateTime(time.Now().Add(30 * 24 * time.Hour)),
 		}
-		if err := tx.Create(&apiKey).Error; err != nil {
-			return err
+		for _, apiKey := range apiKeys {
+			if err := tx.Create(&apiKey).Error; err != nil {
+				return err
+			}
 		}
 
 		signupTokens := []model.SignupToken{
@@ -414,11 +432,36 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			}
 		}
 
+		emailVerificationTokens := []model.EmailVerificationToken{
+			{
+				Base: model.Base{
+					ID: "ef9ca469-b178-4857-bd39-26639dca45de",
+				},
+				Token:     "2FZFSoupBdHyqIL65bWTsgCgHIhxlXup",
+				ExpiresAt: datatype.DateTime(time.Now().Add(2 * time.Hour)),
+				UserID:    users[1].ID,
+			},
+			{
+				Base: model.Base{
+					ID: "a3dcb4d2-7f3c-4e8a-9f4d-5b6c7d8e9f00",
+				},
+				Token:     "EXPIRED1234567890ABCDE",
+				ExpiresAt: datatype.DateTime(time.Now().Add(-1 * time.Hour)),
+				UserID:    users[1].ID,
+			},
+		}
+
+		for _, token := range emailVerificationTokens {
+			if err := tx.Create(&token).Error; err != nil {
+				return err
+			}
+		}
+
 		keyValues := []model.KV{
 			{
 				Key: jwkutils.PrivateKeyDBKey,
 				// {"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}
-				Value: utils.Ptr("7d/5hl7diJ2rnFL14hEAQf9tzpu29aqXQ8jpJ2iqqKUNFZpdOkEpud0CmRv4H3r8yyk2u/Gqqj9klSy58DJkYXGF5PAYgLyoBIb7L3JXWRbxg4cQ3QJCug13l2OTmpAKoVc+rmX8c3j3h1sNqyJ+7Ql5sS0jSeyiYgIsFNCdnK5alBDyvtcpe/QDpklmP4JCeVpvmf2rLGplk3g5UO5ydJ8UiDXxfDmi+gF6NKJvrGnnah8Ar3G/x88z+tTJtp0DIQFwxXwUM2XZqzEVGm8K2r0w5o9/Keh6bBBaiuH2C78ZOaijGV3DovhR+e9J0cYUYGwT42MZMx9fSWQ/lvWGGnf+Uq3MXJfjWSREfhkp8KTQwR9F7+dnVJWswOEk7jPR8I7hCWTMxJyvaFX3wgAXIVmhrgXZQQbYOqTt56IoqUl0xOJku8dA8opg2UcLlmmuOh6+hfkXKsiiS/H/9c1BVIGj1fCOiT6IePh4wKKSTbwJnPD5EKmdJpgTsUpjcDnXQKY4ReO0UpdRdKxwRDDLeQuG6j+ljGxR9GPudCU9Nmci6rFVI6n5LWYkQxBA1O73RpmXRZPDzntDfpXMEonkmSvOoxaCK2Id7CRKMdqvR0kEouwnhk5WSFtsfi3sA0pkXzPFxwZeWM8vFtbffZOZzXaOhxCOfcj1NClZohlZhyc4jvkxmrpY7PSaAzih0AmHI7y0LYFi6fZu/K4EheVa1+KF55nWZ8ARikHMWKAKkyExkTak7xyN884TDmzURRaPlQg4jzQte5WMNjAG/hlHibdMBNvgwiYd49ZxteJ8ABdbiXVRl+2JGbdjl2ubpQZwOn7bJKlqO56bIwsZ+e4+pXsuOGdBahkHrUjtMEmH3DZbGc6CJLbcmdhdpApLQRRcLAazxJhzAwJ47FRYsHsj57LnYNvmcKdIxw8rxCdLUuzz95uw0T3ankEO5J9sjem+HMEuKdwXK1UcuOn2rjR8Sd/BuvQmeso27dFbPXqXYNS90Ml45YyTvcKSiopD181oZR703TFUSpR7dsiqROMr+p/2jN9h6a8WbQ8xpksyclaQByY/M77AssbXnG6wfhRsntNIINCZLbBnjXOyz6ZHIC5K4tSTdcnWaiYPeRPQmnw9UUvHAcNU2yMWsy0eU377yDS0WstTxOdQutTdkczl8kv5Lo26JiEK7mSIuRK19ffF9Zz8FG8+eKv5zdyIPjyQRDYBysUoDv5huKe2eoxJu/MWS2Pql/ZtUGeD6Ozm3mCvh0vQ9ceagBkY6Ocm3du0ziAKP29Ri0mjg4DizVorbLzsh+EQH/s2Pi9MnjUZDlEmuLl2Xfp7/w4j/8u0N0tVR70VDFuGdKpTjFY3vS8EJrPtyMTM51x1D9rb8gIql8aR/rJw4YF+huxg1mv5n6+tGVqg5msbPmF12eJijP4lkmaRwIpLW5pJTtaDkUj7uOeu1mm4k+Dt5nh0/0jPHzrv6bcTCcbV7UjMHDoTXXqEpFAAJ66rHR7zdAJu+YKsnTIZyLmOpcowq7LL8G9qTvV0OSpyQWUIavRSgbDHFqEqRs+JU94jAzkq8nCY5MTd9m5sIv9InfdT3k+pwpsE/FKge8nghFLtbUrafGkzTky8SE2druvVcIvbfXMfLIKRUYjJgnWc0gQzF5J6pzXM7D2r/RG6JDzASqjlbURq6v9bhNerlOVdMujWKEEVcKWIzlbt4RkihRjM8AUqIZQOyicGQ+4yfIjAHw5viuABONYs3OIWULnFqJxdvS9rNKhfxSjIq9cfqyzevq2xrRoMXEonobh6M3bD2Vang8OAeVeD1OXWPERi4pepCYFS9RJ/Xa/UWxptsqSNuGcb3fAzQSmLpXLGdWRoKXvSe7EYgc0bGcLOjSTu5RURKo+EF9i4KT9EJauf6VXw5dTf/CCIJRXE1bWzXhSCFYntohYhX2ldOCDYpi/jFBC6Vtkw0ud3/xq8Nmhd5gUk+SpngByCZH3Pm3H+jvlbMpiqkDkm1v74hDX13Xhrcw2eWyuqKBVoRCCniUvwpYNbGvBfjC6Hcizv0Aybciwj+4nybt5EPoEUm6S6Gs7fG7QpPdvrzpAxX70MlmdkF/gwyuhbEeJhLK+WL7qAsN5CvHPzVbsIf90x+nGTtMJPgpxVr0tJMj+vprXV4WxutfARBiOnqe58MhA857sd+MzKBgKnoLOBRTiC3qc/0/ULwbG2HCCD7nmwzz7M4nUuMvo8rgS7z0BF68OClT8X3JwSXbL5Wg=="),
+				Value: new("7d/5hl7diJ2rnFL14hEAQf9tzpu29aqXQ8jpJ2iqqKUNFZpdOkEpud0CmRv4H3r8yyk2u/Gqqj9klSy58DJkYXGF5PAYgLyoBIb7L3JXWRbxg4cQ3QJCug13l2OTmpAKoVc+rmX8c3j3h1sNqyJ+7Ql5sS0jSeyiYgIsFNCdnK5alBDyvtcpe/QDpklmP4JCeVpvmf2rLGplk3g5UO5ydJ8UiDXxfDmi+gF6NKJvrGnnah8Ar3G/x88z+tTJtp0DIQFwxXwUM2XZqzEVGm8K2r0w5o9/Keh6bBBaiuH2C78ZOaijGV3DovhR+e9J0cYUYGwT42MZMx9fSWQ/lvWGGnf+Uq3MXJfjWSREfhkp8KTQwR9F7+dnVJWswOEk7jPR8I7hCWTMxJyvaFX3wgAXIVmhrgXZQQbYOqTt56IoqUl0xOJku8dA8opg2UcLlmmuOh6+hfkXKsiiS/H/9c1BVIGj1fCOiT6IePh4wKKSTbwJnPD5EKmdJpgTsUpjcDnXQKY4ReO0UpdRdKxwRDDLeQuG6j+ljGxR9GPudCU9Nmci6rFVI6n5LWYkQxBA1O73RpmXRZPDzntDfpXMEonkmSvOoxaCK2Id7CRKMdqvR0kEouwnhk5WSFtsfi3sA0pkXzPFxwZeWM8vFtbffZOZzXaOhxCOfcj1NClZohlZhyc4jvkxmrpY7PSaAzih0AmHI7y0LYFi6fZu/K4EheVa1+KF55nWZ8ARikHMWKAKkyExkTak7xyN884TDmzURRaPlQg4jzQte5WMNjAG/hlHibdMBNvgwiYd49ZxteJ8ABdbiXVRl+2JGbdjl2ubpQZwOn7bJKlqO56bIwsZ+e4+pXsuOGdBahkHrUjtMEmH3DZbGc6CJLbcmdhdpApLQRRcLAazxJhzAwJ47FRYsHsj57LnYNvmcKdIxw8rxCdLUuzz95uw0T3ankEO5J9sjem+HMEuKdwXK1UcuOn2rjR8Sd/BuvQmeso27dFbPXqXYNS90Ml45YyTvcKSiopD181oZR703TFUSpR7dsiqROMr+p/2jN9h6a8WbQ8xpksyclaQByY/M77AssbXnG6wfhRsntNIINCZLbBnjXOyz6ZHIC5K4tSTdcnWaiYPeRPQmnw9UUvHAcNU2yMWsy0eU377yDS0WstTxOdQutTdkczl8kv5Lo26JiEK7mSIuRK19ffF9Zz8FG8+eKv5zdyIPjyQRDYBysUoDv5huKe2eoxJu/MWS2Pql/ZtUGeD6Ozm3mCvh0vQ9ceagBkY6Ocm3du0ziAKP29Ri0mjg4DizVorbLzsh+EQH/s2Pi9MnjUZDlEmuLl2Xfp7/w4j/8u0N0tVR70VDFuGdKpTjFY3vS8EJrPtyMTM51x1D9rb8gIql8aR/rJw4YF+huxg1mv5n6+tGVqg5msbPmF12eJijP4lkmaRwIpLW5pJTtaDkUj7uOeu1mm4k+Dt5nh0/0jPHzrv6bcTCcbV7UjMHDoTXXqEpFAAJ66rHR7zdAJu+YKsnTIZyLmOpcowq7LL8G9qTvV0OSpyQWUIavRSgbDHFqEqRs+JU94jAzkq8nCY5MTd9m5sIv9InfdT3k+pwpsE/FKge8nghFLtbUrafGkzTky8SE2druvVcIvbfXMfLIKRUYjJgnWc0gQzF5J6pzXM7D2r/RG6JDzASqjlbURq6v9bhNerlOVdMujWKEEVcKWIzlbt4RkihRjM8AUqIZQOyicGQ+4yfIjAHw5viuABONYs3OIWULnFqJxdvS9rNKhfxSjIq9cfqyzevq2xrRoMXEonobh6M3bD2Vang8OAeVeD1OXWPERi4pepCYFS9RJ/Xa/UWxptsqSNuGcb3fAzQSmLpXLGdWRoKXvSe7EYgc0bGcLOjSTu5RURKo+EF9i4KT9EJauf6VXw5dTf/CCIJRXE1bWzXhSCFYntohYhX2ldOCDYpi/jFBC6Vtkw0ud3/xq8Nmhd5gUk+SpngByCZH3Pm3H+jvlbMpiqkDkm1v74hDX13Xhrcw2eWyuqKBVoRCCniUvwpYNbGvBfjC6Hcizv0Aybciwj+4nybt5EPoEUm6S6Gs7fG7QpPdvrzpAxX70MlmdkF/gwyuhbEeJhLK+WL7qAsN5CvHPzVbsIf90x+nGTtMJPgpxVr0tJMj+vprXV4WxutfARBiOnqe58MhA857sd+MzKBgKnoLOBRTiC3qc/0/ULwbG2HCCD7nmwzz7M4nUuMvo8rgS7z0BF68OClT8X3JwSXbL5Wg=="),
 			},
 		}
 
@@ -526,7 +569,7 @@ func (s *TestService) ResetAppConfig(ctx context.Context) error {
 	}
 
 	// Reload the JWK
-	if err := s.jwtService.LoadOrGenerateKey(); err != nil {
+	if err := s.jwtService.LoadOrGenerateKey(ctx); err != nil {
 		return err
 	}
 

backend/internal/service/email_service.go

@@ -150,7 +150,8 @@ func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Addr
 	}
 
 	// Send the email
-	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+	err = srv.sendEmailContent(client, toEmail, c)
+	if err != nil {
 		return fmt.Errorf("send email content: %w", err)
 	}
 

backend/internal/service/email_service_templates.go

@@ -49,6 +49,13 @@ var ApiKeyExpiringSoonTemplate = email.Template[ApiKeyExpiringSoonTemplateData]{
 	},
 }
 
+var EmailVerificationTemplate = email.Template[EmailVerificationTemplateData]{
+	Path: "email-verification",
+	Title: func(data *email.TemplateData[EmailVerificationTemplateData]) string {
+		return "Verify your " + data.AppName + " email address"
+	},
+}
+
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -70,5 +77,10 @@ type ApiKeyExpiringSoonTemplateData struct {
 	ExpiresAt  time.Time
 }
 
+type EmailVerificationTemplateData struct {
+	UserFullName     string
+	VerificationLink string
+}
+
 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path, ApiKeyExpiringSoonTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path, ApiKeyExpiringSoonTemplate.Path, EmailVerificationTemplate.Path}

backend/internal/service/export_service.go

@@ -129,39 +129,39 @@ func (s *ExportService) getScanValuesForTable(cols []string, types utils.DBSchem
 		case "boolean", "bool":
 			var x bool
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "blob", "bytea", "jsonb":
 			// Treat jsonb columns as binary too
 			var x []byte
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "timestamp", "timestamptz", "timestamp with time zone", "datetime":
 			var x datatype.DateTime
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		case "integer", "int", "bigint":
 			var x int64
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		default:
 			// Treat everything else as a string (including the "numeric" type)
 			var x string
 			if types[col].Nullable {
-				res[i] = utils.Ptr(utils.Ptr(x))
+				res[i] = new(new(x))
 			} else {
-				res[i] = utils.Ptr(x)
+				res[i] = new(x)
 			}
 		}
 	}

backend/internal/service/geolite_service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"archive/tar"
+	"bytes"
 	"compress/gzip"
 	"context"
 	"errors"
@@ -13,6 +14,7 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -22,6 +24,8 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 
+const maxTotalSize = 300 * 1024 * 1024 // 300 MB limit for total decompressed size
+
 type GeoLiteService struct {
 	httpClient     *http.Client
 	disableUpdater bool
@@ -109,7 +113,11 @@ func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 	}
 
 	slog.Info("Updating GeoLite2 City database")
-	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
+
+	downloadUrl := common.EnvConfig.GeoLiteDBUrl
+	if strings.Contains(downloadUrl, "%s") {
+		downloadUrl = fmt.Sprintf(downloadUrl, common.EnvConfig.MaxMindLicenseKey)
+	}
 
 	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
 	defer cancel()
@@ -151,7 +159,24 @@ func (s *GeoLiteService) isDatabaseUpToDate() bool {
 
 // extractDatabase extracts the database file from the tar.gz archive directly to the target location.
 func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
-	gzr, err := gzip.NewReader(reader)
+	// Check for gzip magic number
+	buf := make([]byte, 2)
+	_, err := io.ReadFull(reader, buf)
+	if err != nil {
+		return fmt.Errorf("failed to read magic number: %w", err)
+	}
+
+	// Check if the file starts with the gzip magic number
+	// Gosec returns false positive for "G602: slice index out of range"
+	//nolint:gosec
+	isGzip := buf[0] == 0x1f && buf[1] == 0x8b
+
+	if !isGzip {
+		// If not gzip, assume it's a regular database file
+		return s.writeDatabaseFile(io.MultiReader(bytes.NewReader(buf), reader))
+	}
+
+	gzr, err := gzip.NewReader(io.MultiReader(bytes.NewReader(buf), reader))
 	if err != nil {
 		return fmt.Errorf("failed to create gzip reader: %w", err)
 	}
@@ -160,7 +185,6 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 	tarReader := tar.NewReader(gzr)
 
 	var totalSize int64
-	const maxTotalSize = 300 * 1024 * 1024 // 300 MB limit for total decompressed size
 
 	// Iterate over the files in the tar archive
 	for {
@@ -222,3 +246,47 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 
 	return errors.New("GeoLite2-City.mmdb not found in archive")
 }
+
+func (s *GeoLiteService) writeDatabaseFile(reader io.Reader) error {
+	baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
+	tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
+	if err != nil {
+		return fmt.Errorf("failed to create temporary database file: %w", err)
+	}
+	defer tmpFile.Close()
+
+	// Limit the amount we read to maxTotalSize.
+	// We read one extra byte to detect if the source is larger than the limit.
+	limitReader := io.LimitReader(reader, maxTotalSize+1)
+
+	// Write the file contents directly to the temporary file
+	written, err := io.Copy(tmpFile, limitReader)
+	if err != nil {
+		os.Remove(tmpFile.Name())
+		return fmt.Errorf("failed to write database file: %w", err)
+	}
+
+	if written > maxTotalSize {
+		os.Remove(tmpFile.Name())
+		return errors.New("total database size exceeds maximum allowed limit")
+	}
+
+	// Validate the downloaded database file
+	if db, err := maxminddb.Open(tmpFile.Name()); err == nil {
+		db.Close()
+	} else {
+		os.Remove(tmpFile.Name())
+		return fmt.Errorf("failed to open downloaded database file: %w", err)
+	}
+
+	// Ensure atomic replacement of the old database file
+	s.mutex.Lock()
+	err = os.Rename(tmpFile.Name(), common.EnvConfig.GeoLiteDBPath)
+	s.mutex.Unlock()
+
+	if err != nil {
+		os.Remove(tmpFile.Name())
+		return fmt.Errorf("failed to replace database file: %w", err)
+	}
+	return nil
+}

backend/internal/service/jwt_service.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/lestrrat-go/jwx/v3/jwt"
@@ -31,6 +32,15 @@ const (
 	// RefreshTokenClaim is the claim used for the refresh token's value
 	RefreshTokenClaim = "rt"
 
+	// AuthenticationMethodsClaim is the claim used to identify how the user authenticated
+	AuthenticationMethodsClaim = "amr"
+
+	// AuthenticationMethodPhishingResistant identifies phishing-resistant authentication, such as passkeys
+	AuthenticationMethodPhishingResistant = "phr"
+
+	// AuthenticationMethodOneTimePassword identifies one-time password/code authentication
+	AuthenticationMethodOneTimePassword = "otp"
+
 	// OAuthAccessTokenJWTType identifies a JWT as an OAuth access token
 	OAuthAccessTokenJWTType = "oauth-access-token" //nolint:gosec
 
@@ -56,10 +66,10 @@ type JwtService struct {
 	jwksEncoded      []byte
 }
 
-func NewJwtService(db *gorm.DB, appConfigService *AppConfigService) (*JwtService, error) {
+func NewJwtService(ctx context.Context, db *gorm.DB, appConfigService *AppConfigService) (*JwtService, error) {
 	service := &JwtService{}
 
-	err := service.init(db, appConfigService, &common.EnvConfig)
+	err := service.init(ctx, db, appConfigService, &common.EnvConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -67,16 +77,16 @@ func NewJwtService(db *gorm.DB, appConfigService *AppConfigService) (*JwtService
 	return service, nil
 }
 
-func (s *JwtService) init(db *gorm.DB, appConfigService *AppConfigService, envConfig *common.EnvConfigSchema) (err error) {
+func (s *JwtService) init(ctx context.Context, db *gorm.DB, appConfigService *AppConfigService, envConfig *common.EnvConfigSchema) (err error) {
 	s.appConfigService = appConfigService
 	s.envConfig = envConfig
 	s.db = db
 
 	// Ensure keys are generated or loaded
-	return s.LoadOrGenerateKey()
+	return s.LoadOrGenerateKey(ctx)
 }
 
-func (s *JwtService) LoadOrGenerateKey() error {
+func (s *JwtService) LoadOrGenerateKey(ctx context.Context) error {
 	// Get the key provider
 	keyProvider, err := jwkutils.GetKeyProvider(s.db, s.envConfig, s.appConfigService.GetDbConfig().InstanceID.Value)
 	if err != nil {
@@ -84,7 +94,7 @@ func (s *JwtService) LoadOrGenerateKey() error {
 	}
 
 	// Try loading a key
-	key, err := keyProvider.LoadKey()
+	key, err := keyProvider.LoadKey(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to load key: %w", err)
 	}
@@ -105,7 +115,7 @@ func (s *JwtService) LoadOrGenerateKey() error {
 	}
 
 	// Save the newly-generated key
-	err = keyProvider.SaveKey(s.privateKey)
+	err = keyProvider.SaveKey(ctx, s.privateKey)
 	if err != nil {
 		return fmt.Errorf("failed to save private key: %w", err)
 	}
@@ -186,13 +196,15 @@ func (s *JwtService) SetKey(privateKey jwk.Key) error {
 	return nil
 }
 
-func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
+func (s *JwtService) GenerateAccessToken(user model.User, authenticationMethod string) (string, error) {
+
 	now := time.Now()
 	token, err := jwt.NewBuilder().
 		Subject(user.ID).
 		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return "", fmt.Errorf("failed to build token: %w", err)
@@ -213,6 +225,11 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 		return "", fmt.Errorf("failed to set 'isAdmin' claim in token: %w", err)
 	}
 
+	err = SetAuthenticationMethods(token, authenticationMethod)
+	if err != nil {
+		return "", fmt.Errorf("failed to set '%s' claim in token: %w", AuthenticationMethodsClaim, err)
+	}
+
 	alg, _ := s.privateKey.Algorithm()
 	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
 	if err != nil {
@@ -241,12 +258,13 @@ func (s *JwtService) VerifyAccessToken(tokenString string) (jwt.Token, error) {
 }
 
 // BuildIDToken creates an ID token with all claims
-func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, nonce string) (jwt.Token, error) {
+func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, nonce string, authenticationMethod string) (jwt.Token, error) {
 	now := time.Now()
 	token, err := jwt.NewBuilder().
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
@@ -262,6 +280,11 @@ func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, no
 		return nil, fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}
 
+	err = SetAuthenticationMethods(token, authenticationMethod)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set '%s' claim in token: %w", AuthenticationMethodsClaim, err)
+	}
+
 	for k, v := range userClaims {
 		err = token.Set(k, v)
 		if err != nil {
@@ -280,8 +303,8 @@ func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, no
 }
 
 // GenerateIDToken creates and signs an ID token
-func (s *JwtService) GenerateIDToken(userClaims map[string]any, clientID string, nonce string) (string, error) {
-	token, err := s.BuildIDToken(userClaims, clientID, nonce)
+func (s *JwtService) GenerateIDToken(userClaims map[string]any, clientID string, nonce string, authenticationMethod string) (string, error) {
+	token, err := s.BuildIDToken(userClaims, clientID, nonce, authenticationMethod)
 	if err != nil {
 		return "", err
 	}
@@ -329,13 +352,14 @@ func (s *JwtService) VerifyIdToken(tokenString string, acceptExpiredTokens bool)
 }
 
 // BuildOAuthAccessToken creates an OAuth access token with all claims
-func (s *JwtService) BuildOAuthAccessToken(user model.User, clientID string) (jwt.Token, error) {
+func (s *JwtService) BuildOAuthAccessToken(user model.User, clientID string, authenticationMethod string) (jwt.Token, error) {
 	now := time.Now()
 	token, err := jwt.NewBuilder().
 		Subject(user.ID).
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
 		Issuer(s.envConfig.AppURL).
+		JwtID(uuid.New().String()).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
@@ -351,12 +375,17 @@ func (s *JwtService) BuildOAuthAccessToken(user model.User, clientID string) (jw
 		return nil, fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}
 
+	err = SetAuthenticationMethods(token, authenticationMethod)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set '%s' claim in token: %w", AuthenticationMethodsClaim, err)
+	}
+
 	return token, nil
 }
 
 // GenerateOAuthAccessToken creates and signs an OAuth access token
-func (s *JwtService) GenerateOAuthAccessToken(user model.User, clientID string) (string, error) {
-	token, err := s.BuildOAuthAccessToken(user, clientID)
+func (s *JwtService) GenerateOAuthAccessToken(user model.User, clientID string, authenticationMethod string) (string, error) {
+	token, err := s.BuildOAuthAccessToken(user, clientID, authenticationMethod)
 	if err != nil {
 		return "", err
 	}
@@ -530,6 +559,27 @@ func GetIsAdmin(token jwt.Token) (bool, error) {
 	return isAdmin, nil
 }
 
+// GetAuthenticationMethod returns the first authentication method in the "amr" claim in the token
+func GetAuthenticationMethod(token jwt.Token) (string, error) {
+	if !token.Has(AuthenticationMethodsClaim) {
+		return "", nil
+	}
+	var rawAuthenticationMethods []any
+	err := token.Get(AuthenticationMethodsClaim, &rawAuthenticationMethods)
+	if err != nil {
+		return "", fmt.Errorf("failed to get '%s' claim from token: %w", AuthenticationMethodsClaim, err)
+	}
+
+	if len(rawAuthenticationMethods) == 0 {
+		return "", nil
+	}
+	authenticationMethod, ok := rawAuthenticationMethods[0].(string)
+	if !ok {
+		return "", fmt.Errorf("invalid '%s' claim in token: expected array of strings", AuthenticationMethodsClaim)
+	}
+	return authenticationMethod, nil
+}
+
 // SetTokenType sets the "type" claim in the token
 func SetTokenType(token jwt.Token, tokenType string) error {
 	if tokenType == "" {
@@ -547,6 +597,14 @@ func SetIsAdmin(token jwt.Token, isAdmin bool) error {
 	return token.Set(IsAdminClaim, isAdmin)
 }
 
+// SetAuthenticationMethods sets the authentication method references claim in the token
+func SetAuthenticationMethods(token jwt.Token, authenticationMethod string) error {
+	if authenticationMethod == "" {
+		return nil
+	}
+	return token.Set(AuthenticationMethodsClaim, []string{authenticationMethod})
+}
+
 // SetAudienceString sets the "aud" claim with a value that is a string, and not an array
 // This is permitted by RFC 7519, and it's done here for backwards-compatibility
 func SetAudienceString(token jwt.Token, audience string) error {

backend/internal/service/jwt_service_test.go

@@ -20,13 +20,14 @@ import (
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 
 const testEncryptionKey = "0123456789abcdef0123456789abcdef"
 
+const uuidRegexPattern = "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
+
 func newTestEnvConfig() *common.EnvConfigSchema {
 	return &common.EnvConfigSchema{
 		AppURL:        "https://test.example.com",
@@ -38,7 +39,7 @@ func initJwtService(t *testing.T, db *gorm.DB, appConfig *AppConfigService, envC
 	t.Helper()
 
 	service := &JwtService{}
-	err := service.init(db, appConfig, envConfig)
+	err := service.init(t.Context(), db, appConfig, envConfig)
 	require.NoError(t, err, "Failed to initialize JWT service")
 
 	return service
@@ -65,7 +66,7 @@ func saveKeyToDatabase(t *testing.T, db *gorm.DB, envConfig *common.EnvConfigSch
 	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, appConfig.GetDbConfig().InstanceID.Value)
 	require.NoError(t, err, "Failed to init key provider")
 
-	err = keyProvider.SaveKey(key)
+	err = keyProvider.SaveKey(t.Context(), key)
 	require.NoError(t, err, "Failed to save key")
 
 	kid, ok := key.KeyID()
@@ -93,7 +94,7 @@ func TestJwtService_Init(t *testing.T) {
 		// Verify the key has been persisted in the database
 		keyProvider, err := jwkutils.GetKeyProvider(db, mockEnvConfig, mockConfig.GetDbConfig().InstanceID.Value)
 		require.NoError(t, err, "Failed to init key provider")
-		key, err := keyProvider.LoadKey()
+		key, err := keyProvider.LoadKey(t.Context())
 		require.NoError(t, err, "Failed to load key from provider")
 		require.NotNil(t, key, "Key should be present in the database")
 
@@ -173,6 +174,7 @@ func TestJwtService_Init(t *testing.T) {
 		_ = assert.True(t, ok) &&
 			assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
 	})
+
 }
 
 func TestJwtService_GetPublicJWK(t *testing.T) {
@@ -303,11 +305,11 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:    model.Base{ID: "user123"},
-			Email:   utils.Ptr("user@example.com"),
+			Email:   new("user@example.com"),
 			IsAdmin: false,
 		}
 
-		tokenString, err := service.GenerateAccessToken(user)
+		tokenString, err := service.GenerateAccessToken(user, "")
 		require.NoError(t, err, "Failed to generate access token")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -320,9 +322,15 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		isAdmin, err := GetIsAdmin(claims)
 		_ = assert.NoError(t, err, "Failed to get isAdmin claim") &&
 			assert.False(t, isAdmin, "isAdmin should be false")
+		authenticationMethod, err := GetAuthenticationMethod(claims)
+		_ = assert.NoError(t, err, "Failed to get amr claim") &&
+			assert.Empty(t, authenticationMethod, "amr should be empty when not specified")
 		audience, ok := claims.Audience()
 		_ = assert.True(t, ok, "Audience not found in token") &&
 			assert.Equal(t, []string{service.envConfig.AppURL}, audience, "Audience should contain the app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")
 
 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -336,11 +344,11 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 
 		adminUser := model.User{
 			Base:    model.Base{ID: "admin123"},
-			Email:   utils.Ptr("admin@example.com"),
+			Email:   new("admin@example.com"),
 			IsAdmin: true,
 		}
 
-		tokenString, err := service.GenerateAccessToken(adminUser)
+		tokenString, err := service.GenerateAccessToken(adminUser, "")
 		require.NoError(t, err, "Failed to generate access token")
 
 		claims, err := service.VerifyAccessToken(tokenString)
@@ -354,6 +362,24 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 			assert.Equal(t, adminUser.ID, subject, "Token subject should match user ID")
 	})
 
+	t.Run("sets authentication method references claim when provided", func(t *testing.T) {
+		service, _, _ := setupJwtService(t, mockConfig)
+
+		user := model.User{
+			Base: model.Base{ID: "user-with-auth-method"},
+		}
+
+		tokenString, err := service.GenerateAccessToken(user, AuthenticationMethodPhishingResistant)
+		require.NoError(t, err, "Failed to generate access token")
+
+		claims, err := service.VerifyAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated token")
+
+		authenticationMethod, err := GetAuthenticationMethod(claims)
+		_ = assert.NoError(t, err, "Failed to get amr claim") &&
+			assert.Equal(t, AuthenticationMethodPhishingResistant, authenticationMethod, "amr should match")
+	})
+
 	t.Run("uses session duration from config", func(t *testing.T) {
 		customMockConfig := NewTestAppConfigService(&model.AppConfig{
 			SessionDuration: model.AppConfigVariable{Value: "30"}, // 30 minutes
@@ -364,7 +390,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 			Base: model.Base{ID: "user456"},
 		}
 
-		tokenString, err := service.GenerateAccessToken(user)
+		tokenString, err := service.GenerateAccessToken(user, "")
 		require.NoError(t, err, "Failed to generate access token")
 
 		claims, err := service.VerifyAccessToken(tokenString)
@@ -388,11 +414,11 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:    model.Base{ID: "eddsauser123"},
-			Email:   utils.Ptr("eddsauser@example.com"),
+			Email:   new("eddsauser@example.com"),
 			IsAdmin: true,
 		}
 
-		tokenString, err := service.GenerateAccessToken(user)
+		tokenString, err := service.GenerateAccessToken(user, "")
 		require.NoError(t, err, "Failed to generate access token with Ed25519 key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -425,11 +451,11 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:    model.Base{ID: "ecdsauser123"},
-			Email:   utils.Ptr("ecdsauser@example.com"),
+			Email:   new("ecdsauser@example.com"),
 			IsAdmin: true,
 		}
 
-		tokenString, err := service.GenerateAccessToken(user)
+		tokenString, err := service.GenerateAccessToken(user, "")
 		require.NoError(t, err, "Failed to generate access token with ECDSA key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -462,11 +488,11 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:    model.Base{ID: "rsauser123"},
-			Email:   utils.Ptr("rsauser@example.com"),
+			Email:   new("rsauser@example.com"),
 			IsAdmin: true,
 		}
 
-		tokenString, err := service.GenerateAccessToken(user)
+		tokenString, err := service.GenerateAccessToken(user, "")
 		require.NoError(t, err, "Failed to generate access token with RSA key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -497,14 +523,14 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("generates and verifies ID token with standard claims", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "user123",
 			"name":  "Test User",
 			"email": "user@example.com",
 		}
 		const clientID = "test-client-123"
 
-		tokenString, err := service.GenerateIDToken(userClaims, clientID, "")
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, "", "")
 		require.NoError(t, err, "Failed to generate ID token")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -520,6 +546,9 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
 			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")
 
 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -531,7 +560,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("can accept expired tokens if told so", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "user123",
 			"name":  "Test User",
 			"email": "user@example.com",
@@ -579,14 +608,14 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("generates and verifies ID token with nonce", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":  "user456",
 			"name": "Another User",
 		}
 		const clientID = "test-client-456"
 		nonce := "random-nonce-value"
 
-		tokenString, err := service.GenerateIDToken(userClaims, clientID, nonce)
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, nonce, "")
 		require.NoError(t, err, "Failed to generate ID token with nonce")
 
 		publicKey, err := service.GetPublicJWK()
@@ -604,10 +633,10 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("fails verification with incorrect issuer", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub": "user789",
 		}
-		tokenString, err := service.GenerateIDToken(userClaims, "client-789", "")
+		tokenString, err := service.GenerateIDToken(userClaims, "client-789", "", "")
 		require.NoError(t, err, "Failed to generate ID token")
 
 		service.envConfig.AppURL = "https://wrong-issuer.com"
@@ -626,14 +655,14 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "eddsauser456",
 			"name":  "EdDSA User",
 			"email": "eddsauser@example.com",
 		}
 		const clientID = "eddsa-client-123"
 
-		tokenString, err := service.GenerateIDToken(userClaims, clientID, "")
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, "", "")
 		require.NoError(t, err, "Failed to generate ID token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -664,13 +693,13 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "ecdsauser456",
 			"email": "ecdsauser@example.com",
 		}
 		const clientID = "ecdsa-client-123"
 
-		tokenString, err := service.GenerateIDToken(userClaims, clientID, "")
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, "", "")
 		require.NoError(t, err, "Failed to generate ID token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -701,14 +730,14 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.True(t, ok)
 		assert.Equal(t, origKeyID, loadedKeyID, "Loaded key should have the same ID as the original")
 
-		userClaims := map[string]interface{}{
+		userClaims := map[string]any{
 			"sub":   "rsauser456",
 			"name":  "RSA User",
 			"email": "rsauser@example.com",
 		}
 		const clientID = "rsa-client-123"
 
-		tokenString, err := service.GenerateIDToken(userClaims, clientID, "")
+		tokenString, err := service.GenerateIDToken(userClaims, clientID, "", "")
 		require.NoError(t, err, "Failed to generate ID token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -734,11 +763,11 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:  model.Base{ID: "user123"},
-			Email: utils.Ptr("user@example.com"),
+			Email: new("user@example.com"),
 		}
 		const clientID = "test-client-123"
 
-		tokenString, err := service.GenerateOAuthAccessToken(user, clientID)
+		tokenString, err := service.GenerateOAuthAccessToken(user, clientID, "")
 		require.NoError(t, err, "Failed to generate OAuth access token")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -754,6 +783,9 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
 			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
+		jwtID, ok := claims.JwtID()
+		_ = assert.True(t, ok, "JWT ID not found in token") &&
+			assert.Regexp(t, uuidRegexPattern, jwtID, "JWT ID is not a UUID")
 
 		expectedExp := time.Now().Add(1 * time.Hour)
 		expiration, ok := claims.Expiration()
@@ -762,6 +794,25 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		assert.InDelta(t, 0, timeDiff, 1.0, "Token should expire in approximately 1 hour")
 	})
 
+	t.Run("sets authentication method references claim when provided", func(t *testing.T) {
+		service, _, _ := setupJwtService(t, mockConfig)
+
+		user := model.User{
+			Base: model.Base{ID: "oauth-amr-user"},
+		}
+		const clientID = "test-client-amr"
+
+		tokenString, err := service.GenerateOAuthAccessToken(user, clientID, AuthenticationMethodPhishingResistant)
+		require.NoError(t, err, "Failed to generate OAuth access token")
+
+		claims, err := service.VerifyOAuthAccessToken(tokenString)
+		require.NoError(t, err, "Failed to verify generated OAuth access token")
+
+		authenticationMethod, err := GetAuthenticationMethod(claims)
+		_ = assert.NoError(t, err, "Failed to get amr claim") &&
+			assert.Equal(t, AuthenticationMethodPhishingResistant, authenticationMethod, "amr should match")
+	})
+
 	t.Run("fails verification for expired token", func(t *testing.T) {
 		service, _, _ := setupJwtService(t, mockConfig)
 
@@ -795,7 +846,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		user := model.User{Base: model.Base{ID: "user789"}}
 		const clientID = "test-client-789"
 
-		tokenString, err := service1.GenerateOAuthAccessToken(user, clientID)
+		tokenString, err := service1.GenerateOAuthAccessToken(user, clientID, "")
 		require.NoError(t, err, "Failed to generate OAuth access token")
 
 		_, err = service2.VerifyOAuthAccessToken(tokenString)
@@ -814,11 +865,11 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:  model.Base{ID: "eddsauser789"},
-			Email: utils.Ptr("eddsaoauth@example.com"),
+			Email: new("eddsaoauth@example.com"),
 		}
 		const clientID = "eddsa-oauth-client"
 
-		tokenString, err := service.GenerateOAuthAccessToken(user, clientID)
+		tokenString, err := service.GenerateOAuthAccessToken(user, clientID, "")
 		require.NoError(t, err, "Failed to generate OAuth access token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -851,11 +902,11 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:  model.Base{ID: "ecdsauser789"},
-			Email: utils.Ptr("ecdsaoauth@example.com"),
+			Email: new("ecdsaoauth@example.com"),
 		}
 		const clientID = "ecdsa-oauth-client"
 
-		tokenString, err := service.GenerateOAuthAccessToken(user, clientID)
+		tokenString, err := service.GenerateOAuthAccessToken(user, clientID, "")
 		require.NoError(t, err, "Failed to generate OAuth access token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 
@@ -888,11 +939,11 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 
 		user := model.User{
 			Base:  model.Base{ID: "rsauser789"},
-			Email: utils.Ptr("rsaoauth@example.com"),
+			Email: new("rsaoauth@example.com"),
 		}
 		const clientID = "rsa-oauth-client"
 
-		tokenString, err := service.GenerateOAuthAccessToken(user, clientID)
+		tokenString, err := service.GenerateOAuthAccessToken(user, clientID, "")
 		require.NoError(t, err, "Failed to generate OAuth access token with key")
 		assert.NotEmpty(t, tokenString, "Token should not be empty")
 

backend/internal/service/ldap_service.go

@@ -35,6 +35,7 @@ type LdapService struct {
 	userService      *UserService
 	groupService     *UserGroupService
 	fileStorage      storage.FileStorage
+	clientFactory    func() (ldapClient, error)
 }
 
 type savePicture struct {
@@ -43,8 +44,33 @@ type savePicture struct {
 	picture  string
 }
 
+type ldapDesiredUser struct {
+	ldapID  string
+	input   dto.UserCreateDto
+	picture string
+}
+
+type ldapDesiredGroup struct {
+	ldapID          string
+	input           dto.UserGroupCreateDto
+	memberUsernames []string
+}
+
+type ldapDesiredState struct {
+	users    []ldapDesiredUser
+	userIDs  map[string]struct{}
+	groups   []ldapDesiredGroup
+	groupIDs map[string]struct{}
+}
+
+type ldapClient interface {
+	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
+	Bind(username, password string) error
+	Close() error
+}
+
 func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService, fileStorage storage.FileStorage) *LdapService {
-	return &LdapService{
+	service := &LdapService{
 		db:               db,
 		httpClient:       httpClient,
 		appConfigService: appConfigService,
@@ -52,9 +78,12 @@ func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppC
 		groupService:     groupService,
 		fileStorage:      fileStorage,
 	}
+
+	service.clientFactory = service.createClient
+	return service
 }
 
-func (s *LdapService) createClient() (*ldap.Conn, error) {
+func (s *LdapService) createClient() (ldapClient, error) {
 	dbConfig := s.appConfigService.GetDbConfig()
 
 	if !dbConfig.LdapEnabled.IsTrue() {
@@ -79,24 +108,33 @@ func (s *LdapService) createClient() (*ldap.Conn, error) {
 
 func (s *LdapService) SyncAll(ctx context.Context) error {
 	// Setup LDAP connection
-	client, err := s.createClient()
+	client, err := s.clientFactory()
 	if err != nil {
 		return fmt.Errorf("failed to create LDAP client: %w", err)
 	}
 	defer client.Close()
 
-	// Start a transaction
-	tx := s.db.Begin()
-	defer func() {
-		tx.Rollback()
-	}()
+	// First, we fetch all users and group from LDAP, which is our "desired state"
+	desiredState, err := s.fetchDesiredState(ctx, client)
+	if err != nil {
+		return fmt.Errorf("failed to fetch LDAP state: %w", err)
+	}
 
-	savePictures, deleteFiles, err := s.SyncUsers(ctx, tx, client)
+	// Start a transaction
+	tx := s.db.WithContext(ctx).Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("failed to begin database transaction: %w", tx.Error)
+	}
+	defer tx.Rollback()
+
+	// Reconcile users
+	savePictures, deleteFiles, err := s.reconcileUsers(ctx, tx, desiredState.users, desiredState.userIDs)
 	if err != nil {
 		return fmt.Errorf("failed to sync users: %w", err)
 	}
 
-	err = s.SyncGroups(ctx, tx, client)
+	// Reconcile groups
+	err = s.reconcileGroups(ctx, tx, desiredState.groups, desiredState.groupIDs)
 	if err != nil {
 		return fmt.Errorf("failed to sync groups: %w", err)
 	}
@@ -129,10 +167,59 @@ func (s *LdapService) SyncAll(ctx context.Context) error {
 	return nil
 }
 
-//nolint:gocognit
-func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+func (s *LdapService) fetchDesiredState(ctx context.Context, client ldapClient) (ldapDesiredState, error) {
+	// Fetch users first so we can use their DNs when resolving group members
+	users, userIDs, usernamesByDN, err := s.fetchUsersFromLDAP(ctx, client)
+	if err != nil {
+		return ldapDesiredState{}, err
+	}
+
+	// Then fetch groups to complete the desired LDAP state snapshot
+	groups, groupIDs, err := s.fetchGroupsFromLDAP(ctx, client, usernamesByDN)
+	if err != nil {
+		return ldapDesiredState{}, err
+	}
+
+	// Apply user admin flags from the desired group membership snapshot.
+	// This intentionally uses the configured group member attribute rather than
+	// relying on a user-side reverse-membership attribute such as memberOf.
+	s.applyAdminGroupMembership(users, groups)
+
+	return ldapDesiredState{
+		users:    users,
+		userIDs:  userIDs,
+		groups:   groups,
+		groupIDs: groupIDs,
+	}, nil
+}
+
+func (s *LdapService) applyAdminGroupMembership(desiredUsers []ldapDesiredUser, desiredGroups []ldapDesiredGroup) {
+	dbConfig := s.appConfigService.GetDbConfig()
+	if dbConfig.LdapAdminGroupName.Value == "" {
+		return
+	}
+
+	adminUsernames := make(map[string]struct{})
+	for _, group := range desiredGroups {
+		if group.input.Name != dbConfig.LdapAdminGroupName.Value {
+			continue
+		}
+
+		for _, username := range group.memberUsernames {
+			adminUsernames[username] = struct{}{}
+		}
+	}
+
+	for i := range desiredUsers {
+		_, isAdmin := adminUsernames[desiredUsers[i].input.Username]
+		desiredUsers[i].input.IsAdmin = desiredUsers[i].input.IsAdmin || isAdmin
+	}
+}
+
+func (s *LdapService) fetchGroupsFromLDAP(ctx context.Context, client ldapClient, usernamesByDN map[string]string) (desiredGroups []ldapDesiredGroup, ldapGroupIDs map[string]struct{}, err error) {
 	dbConfig := s.appConfigService.GetDbConfig()
 
+	// Query LDAP for all groups we want to manage
 	searchAttrs := []string{
 		dbConfig.LdapAttributeGroupName.Value,
 		dbConfig.LdapAttributeGroupUniqueIdentifier.Value,
@@ -149,90 +236,42 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 	)
 	result, err := client.Search(searchReq)
 	if err != nil {
-		return fmt.Errorf("failed to query LDAP: %w", err)
+		return nil, nil, fmt.Errorf("failed to query LDAP groups: %w", err)
 	}
 
-	// Create a mapping for groups that exist
-	ldapGroupIDs := make(map[string]struct{}, len(result.Entries))
+	// Build the in-memory desired state for groups
+	ldapGroupIDs = make(map[string]struct{}, len(result.Entries))
+	desiredGroups = make([]ldapDesiredGroup, 0, len(result.Entries))
 
 	for _, value := range result.Entries {
-		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value))
+		ldapID := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value))
 
 		// Skip groups without a valid LDAP ID
-		if ldapId == "" {
+		if ldapID == "" {
 			slog.Warn("Skipping LDAP group without a valid unique identifier", slog.String("attribute", dbConfig.LdapAttributeGroupUniqueIdentifier.Value))
 			continue
 		}
 
-		ldapGroupIDs[ldapId] = struct{}{}
-
-		// Try to find the group in the database
-		var databaseGroup model.UserGroup
-		err = tx.
-			WithContext(ctx).
-			Where("ldap_id = ?", ldapId).
-			First(&databaseGroup).
-			Error
-		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
-			// This could error with ErrRecordNotFound and we want to ignore that here
-			return fmt.Errorf("failed to query for LDAP group ID '%s': %w", ldapId, err)
-		}
+		ldapGroupIDs[ldapID] = struct{}{}
 
 		// Get group members and add to the correct Group
 		groupMembers := value.GetAttributeValues(dbConfig.LdapAttributeGroupMember.Value)
-		membersUserId := make([]string, 0, len(groupMembers))
+		memberUsernames := make([]string, 0, len(groupMembers))
 		for _, member := range groupMembers {
-			username := getDNProperty(dbConfig.LdapAttributeUserUsername.Value, member)
-
-			// If username extraction fails, try to query LDAP directly for the user
+			username := s.resolveGroupMemberUsername(ctx, client, member, usernamesByDN)
 			if username == "" {
-				// Query LDAP to get the user by their DN
-				userSearchReq := ldap.NewSearchRequest(
-					member,
-					ldap.ScopeBaseObject,
-					0, 0, 0, false,
-					"(objectClass=*)",
-					[]string{dbConfig.LdapAttributeUserUsername.Value, dbConfig.LdapAttributeUserUniqueIdentifier.Value},
-					[]ldap.Control{},
-				)
-
-				userResult, err := client.Search(userSearchReq)
-				if err != nil || len(userResult.Entries) == 0 {
-					slog.WarnContext(ctx, "Could not resolve group member DN", slog.String("member", member), slog.Any("error", err))
-					continue
-				}
-
-				username = userResult.Entries[0].GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value)
-				if username == "" {
-					slog.WarnContext(ctx, "Could not extract username from group member DN", slog.String("member", member))
-					continue
-				}
-			}
-
-			username = norm.NFC.String(username)
-
-			var databaseUser model.User
-			err = tx.
-				WithContext(ctx).
-				Where("username = ? AND ldap_id IS NOT NULL", username).
-				First(&databaseUser).
-				Error
-			if errors.Is(err, gorm.ErrRecordNotFound) {
-				// The user collides with a non-LDAP user, so we skip it
 				continue
-			} else if err != nil {
-				return fmt.Errorf("failed to query for existing user '%s': %w", username, err)
 			}
 
-			membersUserId = append(membersUserId, databaseUser.ID)
+			memberUsernames = append(memberUsernames, username)
 		}
 
 		syncGroup := dto.UserGroupCreateDto{
 			Name:         value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
 			FriendlyName: value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
-			LdapID:       ldapId,
+			LdapID:       ldapID,
 		}
-		dto.Normalize(syncGroup)
+		dto.Normalize(&syncGroup)
 
 		err = syncGroup.Validate()
 		if err != nil {
@@ -240,66 +279,21 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 			continue
 		}
 
-		if databaseGroup.ID == "" {
-			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
-			if err != nil {
-				return fmt.Errorf("failed to create group '%s': %w", syncGroup.Name, err)
-			}
-
-			_, err = s.groupService.updateUsersInternal(ctx, newGroup.ID, membersUserId, tx)
-			if err != nil {
-				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
-			}
-		} else {
-			_, err = s.groupService.updateInternal(ctx, databaseGroup.ID, syncGroup, true, tx)
-			if err != nil {
-				return fmt.Errorf("failed to update group '%s': %w", syncGroup.Name, err)
-			}
-
-			_, err = s.groupService.updateUsersInternal(ctx, databaseGroup.ID, membersUserId, tx)
-			if err != nil {
-				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
-			}
-		}
+		desiredGroups = append(desiredGroups, ldapDesiredGroup{
+			ldapID:          ldapID,
+			input:           syncGroup,
+			memberUsernames: memberUsernames,
+		})
 	}
 
-	// Get all LDAP groups from the database
-	var ldapGroupsInDb []model.UserGroup
-	err = tx.
-		WithContext(ctx).
-		Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").
-		Select("ldap_id").
-		Error
-	if err != nil {
-		return fmt.Errorf("failed to fetch groups from database: %w", err)
-	}
-
-	// Delete groups that no longer exist in LDAP
-	for _, group := range ldapGroupsInDb {
-		if _, exists := ldapGroupIDs[*group.LdapID]; exists {
-			continue
-		}
-
-		err = tx.
-			WithContext(ctx).
-			Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).
-			Error
-		if err != nil {
-			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
-		}
-
-		slog.Info("Deleted group", slog.String("group", group.Name))
-	}
-
-	return nil
+	return desiredGroups, ldapGroupIDs, nil
 }
 
-//nolint:gocognit
-func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) (savePictures []savePicture, deleteFiles []string, err error) {
+func (s *LdapService) fetchUsersFromLDAP(ctx context.Context, client ldapClient) (desiredUsers []ldapDesiredUser, ldapUserIDs map[string]struct{}, usernamesByDN map[string]string, err error) {
 	dbConfig := s.appConfigService.GetDbConfig()
 
+	// Query LDAP for all users we want to manage
 	searchAttrs := []string{
-		"memberOf",
 		"sn",
 		"cn",
 		dbConfig.LdapAttributeUserUniqueIdentifier.Value,
@@ -323,75 +317,48 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 
 	result, err := client.Search(searchReq)
 	if err != nil {
-		return nil, nil, fmt.Errorf("failed to query LDAP: %w", err)
+		return nil, nil, nil, fmt.Errorf("failed to query LDAP users: %w", err)
 	}
 
-	// Create a mapping for users that exist
-	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
-	savePictures = make([]savePicture, 0, len(result.Entries))
+	// Build the in-memory desired state for users and a DN lookup for group membership resolution
+	ldapUserIDs = make(map[string]struct{}, len(result.Entries))
+	usernamesByDN = make(map[string]string, len(result.Entries))
+	desiredUsers = make([]ldapDesiredUser, 0, len(result.Entries))
 
 	for _, value := range result.Entries {
-		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value))
+		username := norm.NFC.String(value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value))
+		if normalizedDN := normalizeLDAPDN(value.DN); normalizedDN != "" && username != "" {
+			usernamesByDN[normalizedDN] = username
+		}
+
+		ldapID := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value))
 
 		// Skip users without a valid LDAP ID
-		if ldapId == "" {
+		if ldapID == "" {
 			slog.Warn("Skipping LDAP user without a valid unique identifier", slog.String("attribute", dbConfig.LdapAttributeUserUniqueIdentifier.Value))
 			continue
 		}
 
-		ldapUserIDs[ldapId] = struct{}{}
-
-		// Get the user from the database
-		var databaseUser model.User
-		err = tx.
-			WithContext(ctx).
-			Where("ldap_id = ?", ldapId).
-			First(&databaseUser).
-			Error
-
-		// If a user is found (even if disabled), enable them since they're now back in LDAP
-		if databaseUser.ID != "" && databaseUser.Disabled {
-			err = tx.
-				WithContext(ctx).
-				Model(&model.User{}).
-				Where("id = ?", databaseUser.ID).
-				Update("disabled", false).
-				Error
-
-			if err != nil {
-				return nil, nil, fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
-			}
-		}
-
-		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
-			// This could error with ErrRecordNotFound and we want to ignore that here
-			return nil, nil, fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
-		}
-
-		// Check if user is admin by checking if they are in the admin group
-		isAdmin := false
-		for _, group := range value.GetAttributeValues("memberOf") {
-			if getDNProperty(dbConfig.LdapAttributeGroupName.Value, group) == dbConfig.LdapAdminGroupName.Value {
-				isAdmin = true
-				break
-			}
-		}
+		ldapUserIDs[ldapID] = struct{}{}
 
 		newUser := dto.UserCreateDto{
-			Username:    value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
-			Email:       utils.PtrOrNil(value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value)),
-			FirstName:   value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
-			LastName:    value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
-			DisplayName: value.GetAttributeValue(dbConfig.LdapAttributeUserDisplayName.Value),
-			IsAdmin:     isAdmin,
-			LdapID:      ldapId,
+			Username:      value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
+			Email:         utils.PtrOrNil(value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value)),
+			EmailVerified: true,
+			FirstName:     value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
+			LastName:      value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
+			DisplayName:   value.GetAttributeValue(dbConfig.LdapAttributeUserDisplayName.Value),
+			// Admin status is computed after groups are loaded so it can use the
+			// configured group member attribute instead of a hard-coded memberOf.
+			IsAdmin: false,
+			LdapID:  ldapID,
 		}
 
 		if newUser.DisplayName == "" {
 			newUser.DisplayName = strings.TrimSpace(newUser.FirstName + " " + newUser.LastName)
 		}
 
-		dto.Normalize(newUser)
+		dto.Normalize(&newUser)
 
 		err = newUser.Validate()
 		if err != nil {
@@ -399,53 +366,207 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			continue
 		}
 
-		userID := databaseUser.ID
-		if databaseUser.ID == "" {
-			createdUser, err := s.userService.createUserInternal(ctx, newUser, true, tx)
-			if errors.Is(err, &common.AlreadyInUseError{}) {
-				slog.Warn("Skipping creating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
+		desiredUsers = append(desiredUsers, ldapDesiredUser{
+			ldapID:  ldapID,
+			input:   newUser,
+			picture: value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value),
+		})
+	}
+
+	return desiredUsers, ldapUserIDs, usernamesByDN, nil
+}
+
+func (s *LdapService) resolveGroupMemberUsername(ctx context.Context, client ldapClient, member string, usernamesByDN map[string]string) string {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	// First try the DN cache we built while loading users
+	username, exists := usernamesByDN[normalizeLDAPDN(member)]
+	if exists && username != "" {
+		return username
+	}
+
+	// Then try to extract the username directly from the DN
+	username = getDNProperty(dbConfig.LdapAttributeUserUsername.Value, member)
+	if username != "" {
+		return norm.NFC.String(username)
+	}
+
+	// posixGroup (and similar) stores bare usernames in memberUid, not DNs. Treat any value
+	// that is not a valid DN as the username directly — see https://github.com/pocket-id/pocket-id/issues/1408
+	if _, err := ldap.ParseDN(member); err != nil {
+		return norm.NFC.String(member)
+	}
+
+	// As a fallback, query LDAP for the referenced entry
+	userSearchReq := ldap.NewSearchRequest(
+		member,
+		ldap.ScopeBaseObject,
+		0, 0, 0, false,
+		"(objectClass=*)",
+		[]string{dbConfig.LdapAttributeUserUsername.Value},
+		[]ldap.Control{},
+	)
+
+	userResult, err := client.Search(userSearchReq)
+	if err != nil || len(userResult.Entries) == 0 {
+		slog.WarnContext(ctx, "Could not resolve group member DN", slog.String("member", member), slog.Any("error", err))
+		return ""
+	}
+
+	username = userResult.Entries[0].GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value)
+	if username == "" {
+		slog.WarnContext(ctx, "Could not extract username from group member DN", slog.String("member", member))
+		return ""
+	}
+
+	return norm.NFC.String(username)
+}
+
+func (s *LdapService) reconcileGroups(ctx context.Context, tx *gorm.DB, desiredGroups []ldapDesiredGroup, ldapGroupIDs map[string]struct{}) error {
+	// Load the current LDAP-managed state from the database
+	ldapGroupsInDB, ldapGroupsByID, err := s.loadLDAPGroupsInDB(ctx, tx)
+	if err != nil {
+		return fmt.Errorf("failed to fetch groups from database: %w", err)
+	}
+
+	_, _, ldapUsersByUsername, err := s.loadLDAPUsersInDB(ctx, tx)
+	if err != nil {
+		return fmt.Errorf("failed to fetch users from database: %w", err)
+	}
+
+	// Apply creates and updates to match the desired LDAP group state
+	for _, desiredGroup := range desiredGroups {
+		memberUserIDs := make([]string, 0, len(desiredGroup.memberUsernames))
+		for _, username := range desiredGroup.memberUsernames {
+			databaseUser, exists := ldapUsersByUsername[username]
+			if !exists {
+				// The user collides with a non-LDAP user or was skipped during user sync, so we ignore it
 				continue
-			} else if err != nil {
-				return nil, nil, fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
-			}
-			userID = createdUser.ID
-		} else {
-			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
-			if errors.Is(err, &common.AlreadyInUseError{}) {
-				slog.Warn("Skipping updating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
-				continue
-			} else if err != nil {
-				return nil, nil, fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
 			}
+
+			memberUserIDs = append(memberUserIDs, databaseUser.ID)
 		}
 
-		// Save profile picture
-		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
-		if pictureString != "" {
-			// Storage operations must be executed outside of a transaction
-			savePictures = append(savePictures, savePicture{
-				userID:   databaseUser.ID,
-				username: userID,
-				picture:  pictureString,
-			})
+		databaseGroup := ldapGroupsByID[desiredGroup.ldapID]
+		if databaseGroup.ID == "" {
+			newGroup, err := s.groupService.createInternal(ctx, desiredGroup.input, tx)
+			if err != nil {
+				return fmt.Errorf("failed to create group '%s': %w", desiredGroup.input.Name, err)
+			}
+			ldapGroupsByID[desiredGroup.ldapID] = newGroup
+
+			_, err = s.groupService.updateUsersInternal(ctx, newGroup.ID, memberUserIDs, tx)
+			if err != nil {
+				return fmt.Errorf("failed to sync users for group '%s': %w", desiredGroup.input.Name, err)
+			}
+			continue
+		}
+
+		_, err = s.groupService.updateInternal(ctx, databaseGroup.ID, desiredGroup.input, true, tx)
+		if err != nil {
+			return fmt.Errorf("failed to update group '%s': %w", desiredGroup.input.Name, err)
+		}
+
+		_, err = s.groupService.updateUsersInternal(ctx, databaseGroup.ID, memberUserIDs, tx)
+		if err != nil {
+			return fmt.Errorf("failed to sync users for group '%s': %w", desiredGroup.input.Name, err)
 		}
 	}
 
-	// Get all LDAP users from the database
-	var ldapUsersInDb []model.User
-	err = tx.
-		WithContext(ctx).
-		Find(&ldapUsersInDb, "ldap_id IS NOT NULL").
-		Select("id, username, ldap_id, disabled").
-		Error
+	// Delete groups that are no longer present in LDAP
+	for _, group := range ldapGroupsInDB {
+		if group.LdapID == nil {
+			continue
+		}
+
+		if _, exists := ldapGroupIDs[*group.LdapID]; exists {
+			continue
+		}
+
+		err = tx.
+			WithContext(ctx).
+			Delete(&model.UserGroup{}, "ldap_id = ?", *group.LdapID).
+			Error
+		if err != nil {
+			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
+		}
+
+		slog.Info("Deleted group", slog.String("group", group.Name))
+	}
+
+	return nil
+}
+
+//nolint:gocognit
+func (s *LdapService) reconcileUsers(ctx context.Context, tx *gorm.DB, desiredUsers []ldapDesiredUser, ldapUserIDs map[string]struct{}) (savePictures []savePicture, deleteFiles []string, err error) {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	// Load the current LDAP-managed state from the database
+	ldapUsersInDB, ldapUsersByID, _, err := s.loadLDAPUsersInDB(ctx, tx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to fetch users from database: %w", err)
 	}
 
-	// Mark users as disabled or delete users that no longer exist in LDAP
-	deleteFiles = make([]string, 0, len(ldapUserIDs))
-	for _, user := range ldapUsersInDb {
-		// Skip if the user ID exists in the fetched LDAP results
+	// Apply creates and updates to match the desired LDAP user state
+	savePictures = make([]savePicture, 0, len(desiredUsers))
+
+	for _, desiredUser := range desiredUsers {
+		databaseUser := ldapUsersByID[desiredUser.ldapID]
+
+		// If a user is found (even if disabled), enable them since they're now back in LDAP.
+		if databaseUser.ID != "" && databaseUser.Disabled {
+			err = tx.
+				WithContext(ctx).
+				Model(&model.User{}).
+				Where("id = ?", databaseUser.ID).
+				Update("disabled", false).
+				Error
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
+			}
+
+			databaseUser.Disabled = false
+			ldapUsersByID[desiredUser.ldapID] = databaseUser
+		}
+
+		userID := databaseUser.ID
+		if databaseUser.ID == "" {
+			createdUser, err := s.userService.createUserInternal(ctx, desiredUser.input, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				slog.Warn("Skipping creating LDAP user", slog.String("username", desiredUser.input.Username), slog.Any("error", err))
+				continue
+			} else if err != nil {
+				return nil, nil, fmt.Errorf("error creating user '%s': %w", desiredUser.input.Username, err)
+			}
+
+			userID = createdUser.ID
+			ldapUsersByID[desiredUser.ldapID] = createdUser
+		} else {
+			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, desiredUser.input, false, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				slog.Warn("Skipping updating LDAP user", slog.String("username", desiredUser.input.Username), slog.Any("error", err))
+				continue
+			} else if err != nil {
+				return nil, nil, fmt.Errorf("error updating user '%s': %w", desiredUser.input.Username, err)
+			}
+		}
+
+		if desiredUser.picture != "" {
+			savePictures = append(savePictures, savePicture{
+				userID:   userID,
+				username: desiredUser.input.Username,
+				picture:  desiredUser.picture,
+			})
+		}
+	}
+
+	// Disable or delete users that are no longer present in LDAP
+	deleteFiles = make([]string, 0, len(ldapUsersInDB))
+	for _, user := range ldapUsersInDB {
+		if user.LdapID == nil {
+			continue
+		}
+
 		if _, exists := ldapUserIDs[*user.LdapID]; exists {
 			continue
 		}
@@ -457,29 +578,73 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			}
 
 			slog.Info("Disabled user", slog.String("username", user.Username))
-		} else {
-			err = s.userService.deleteUserInternal(ctx, tx, user.ID, true)
-			if err != nil {
-				target := &common.LdapUserUpdateError{}
-				if errors.As(err, &target) {
-					return nil, nil, fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
-				}
-				return nil, nil, fmt.Errorf("failed to delete user %s: %w", user.Username, err)
-			}
-
-			slog.Info("Deleted user", slog.String("username", user.Username))
-
-			// Storage operations must be executed outside of a transaction
-			deleteFiles = append(deleteFiles, path.Join("profile-pictures", user.ID+".png"))
+			continue
 		}
+
+		err = s.userService.deleteUserInternal(ctx, tx, user.ID, true)
+		if err != nil {
+			target := &common.LdapUserUpdateError{}
+			if errors.As(err, &target) {
+				return nil, nil, fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
+			}
+			return nil, nil, fmt.Errorf("failed to delete user %s: %w", user.Username, err)
+		}
+
+		slog.Info("Deleted user", slog.String("username", user.Username))
+		deleteFiles = append(deleteFiles, path.Join("profile-pictures", user.ID+".png"))
 	}
 
 	return savePictures, deleteFiles, nil
 }
 
+func (s *LdapService) loadLDAPUsersInDB(ctx context.Context, tx *gorm.DB) (users []model.User, byLdapID map[string]model.User, byUsername map[string]model.User, err error) {
+	// Load all LDAP-managed users and index them by LDAP ID and by username
+	err = tx.
+		WithContext(ctx).
+		Select("id, username, ldap_id, disabled").
+		Where("ldap_id IS NOT NULL").
+		Find(&users).
+		Error
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	byLdapID = make(map[string]model.User, len(users))
+	byUsername = make(map[string]model.User, len(users))
+	for _, user := range users {
+		byLdapID[*user.LdapID] = user
+		byUsername[user.Username] = user
+	}
+
+	return users, byLdapID, byUsername, nil
+}
+
+func (s *LdapService) loadLDAPGroupsInDB(ctx context.Context, tx *gorm.DB) ([]model.UserGroup, map[string]model.UserGroup, error) {
+	var groups []model.UserGroup
+
+	// Load all LDAP-managed groups and index them by LDAP ID
+	err := tx.
+		WithContext(ctx).
+		Select("id, name, ldap_id").
+		Where("ldap_id IS NOT NULL").
+		Find(&groups).
+		Error
+	if err != nil {
+		return nil, nil, err
+	}
+
+	groupsByID := make(map[string]model.UserGroup, len(groups))
+	for _, group := range groups {
+		groupsByID[*group.LdapID] = group
+	}
+
+	return groups, groupsByID, nil
+}
+
 func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
 	var reader io.ReadSeeker
 
+	// Accept either a URL, a base64-encoded payload, or raw binary data
 	_, err := url.ParseRequestURI(pictureString)
 	if err == nil {
 		ctx, cancel := context.WithTimeout(parentCtx, 15*time.Second)
@@ -521,6 +686,31 @@ func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId strin
 	return nil
 }
 
+// normalizeLDAPDN returns a canonical lowercase form of a DN for use as a map key.
+// Different LDAP servers may format the same DN with varying attribute type casing (e.g. "CN=" vs "cn=") or extra whitespace (e.g. "dc=example, dc=com").
+// Without normalization, cache lookups in usernamesByDN would miss when a member attribute value uses a different format than the DN returned in the search entry
+//
+// ldap.ParseDN is used instead of simple lowercasing because it correctly handles multi-valued RDNs (joined with "+") and strips inter-component whitespace.
+// If parsing fails for any reason, we fall back to a simple lowercase+trim.
+func normalizeLDAPDN(dn string) string {
+	parsed, err := ldap.ParseDN(dn)
+	if err != nil {
+		return strings.ToLower(strings.TrimSpace(dn))
+	}
+
+	// Reconstruct the DN in a canonical form: lowercase type=lowercase value, with RDN components separated by "," and multi-value attributes by "+"
+	parts := make([]string, 0, len(parsed.RDNs))
+	for _, rdn := range parsed.RDNs {
+		attrs := make([]string, 0, len(rdn.Attributes))
+		for _, attr := range rdn.Attributes {
+			attrs = append(attrs, strings.ToLower(attr.Type)+"="+strings.ToLower(attr.Value))
+		}
+		parts = append(parts, strings.Join(attrs, "+"))
+	}
+
+	return strings.Join(parts, ",")
+}
+
 // getDNProperty returns the value of a property from a LDAP identifier
 // See: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
 func getDNProperty(property string, str string) string {
@@ -528,7 +718,7 @@ func getDNProperty(property string, str string) string {
 	// First we split at the comma
 	property = strings.ToLower(property)
 	l := len(property) + 1
-	for _, v := range strings.Split(str, ",") {
+	for v := range strings.SplitSeq(str, ",") {
 		v = strings.TrimSpace(v)
 		if len(v) > l && strings.ToLower(v)[0:l] == property+"=" {
 			return v[l:]

backend/internal/service/ldap_service_test.go

@@ -1,9 +1,410 @@
 package service
 
 import (
+	"net/http"
 	"testing"
+
+	"github.com/go-ldap/ldap/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/storage"
+	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 
+type fakeLDAPClient struct {
+	searchFn func(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)
+}
+
+func (c *fakeLDAPClient) Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error) {
+	if c.searchFn == nil {
+		return nil, nil
+	}
+
+	return c.searchFn(searchRequest)
+}
+
+func (c *fakeLDAPClient) Bind(_, _ string) error {
+	return nil
+}
+
+func (c *fakeLDAPClient) Close() error {
+	return nil
+}
+
+func TestLdapServiceSyncAllReconcilesUsersAndGroups(t *testing.T) {
+	service, db := newTestLdapService(t, newFakeLDAPClient(
+		ldapSearchResult(
+			ldapEntry("uid=alice,ou=people,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-alice"},
+				"uid":         {"alice"},
+				"mail":        {"alice@example.com"},
+				"givenName":   {"Alice"},
+				"sn":          {"Jones"},
+				"displayName": {""},
+			}),
+			ldapEntry("uid=bob,ou=people,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-bob"},
+				"uid":         {"bob"},
+				"mail":        {"bob@example.com"},
+				"givenName":   {"Bob"},
+				"sn":          {"Brown"},
+				"displayName": {""},
+			}),
+		),
+		ldapSearchResult(
+			ldapEntry("cn=admins,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-admins"},
+				"cn":        {"admins"},
+				"member":    {"uid=alice,ou=people,dc=example,dc=com"},
+			}),
+			ldapEntry("cn=team,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-team"},
+				"cn":        {"team"},
+				"member": {
+					"UID=Alice, OU=People, DC=example, DC=com",
+					"uid=bob, ou=people, dc=example, dc=com",
+				},
+			}),
+		),
+	))
+
+	aliceLdapID := "u-alice"
+	missingLdapID := "u-missing"
+	teamLdapID := "g-team"
+	oldGroupLdapID := "g-old"
+
+	require.NoError(t, db.Create(&model.User{
+		Username:      "alice-old",
+		Email:         new("alice-old@example.com"),
+		EmailVerified: true,
+		FirstName:     "Old",
+		LastName:      "Name",
+		DisplayName:   "Old Name",
+		LdapID:        &aliceLdapID,
+		Disabled:      true,
+	}).Error)
+
+	require.NoError(t, db.Create(&model.User{
+		Username:      "missing",
+		Email:         new("missing@example.com"),
+		EmailVerified: true,
+		FirstName:     "Missing",
+		LastName:      "User",
+		DisplayName:   "Missing User",
+		LdapID:        &missingLdapID,
+	}).Error)
+
+	require.NoError(t, db.Create(&model.UserGroup{
+		Name:         "team-old",
+		FriendlyName: "team-old",
+		LdapID:       &teamLdapID,
+	}).Error)
+
+	require.NoError(t, db.Create(&model.UserGroup{
+		Name:         "old-group",
+		FriendlyName: "old-group",
+		LdapID:       &oldGroupLdapID,
+	}).Error)
+
+	require.NoError(t, service.SyncAll(t.Context()))
+
+	var alice model.User
+	require.NoError(t, db.First(&alice, "ldap_id = ?", aliceLdapID).Error)
+	assert.Equal(t, "alice", alice.Username)
+	assert.Equal(t, new("alice@example.com"), alice.Email)
+	assert.Equal(t, "Alice", alice.FirstName)
+	assert.Equal(t, "Jones", alice.LastName)
+	assert.Equal(t, "Alice Jones", alice.DisplayName)
+	assert.True(t, alice.IsAdmin)
+	assert.False(t, alice.Disabled)
+
+	var bob model.User
+	require.NoError(t, db.First(&bob, "ldap_id = ?", "u-bob").Error)
+	assert.Equal(t, "bob", bob.Username)
+	assert.Equal(t, "Bob Brown", bob.DisplayName)
+
+	var missing model.User
+	require.NoError(t, db.First(&missing, "ldap_id = ?", missingLdapID).Error)
+	assert.True(t, missing.Disabled)
+
+	var oldGroupCount int64
+	require.NoError(t, db.Model(&model.UserGroup{}).Where("ldap_id = ?", oldGroupLdapID).Count(&oldGroupCount).Error)
+	assert.Zero(t, oldGroupCount)
+
+	var team model.UserGroup
+	require.NoError(t, db.Preload("Users").First(&team, "ldap_id = ?", teamLdapID).Error)
+	assert.Equal(t, "team", team.Name)
+	assert.Equal(t, "team", team.FriendlyName)
+	assert.ElementsMatch(t, []string{"alice", "bob"}, usernames(team.Users))
+}
+
+// Regression: posixGroup uses memberUid (bare uid values), not member DNs — issue #1408.
+func TestLdapServiceSyncAllMapsPosixGroupMemberUid(t *testing.T) {
+	appCfg := defaultTestLDAPAppConfig()
+	appCfg.LdapUserGroupSearchFilter = model.AppConfigVariable{Value: "(objectClass=posixGroup)"}
+	appCfg.LdapAttributeGroupMember = model.AppConfigVariable{Value: "memberUid"}
+
+	service, db := newTestLdapServiceWithAppConfig(t, appCfg, newFakeLDAPClient(
+		ldapSearchResult(
+			ldapEntry("uid=alice,ou=users,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-alice"},
+				"uid":         {"alice"},
+				"mail":        {"alice@example.com"},
+				"givenName":   {"Alice"},
+				"sn":          {"Jones"},
+				"displayName": {""},
+			}),
+			ldapEntry("uid=bob,ou=users,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-bob"},
+				"uid":         {"bob"},
+				"mail":        {"bob@example.com"},
+				"givenName":   {"Bob"},
+				"sn":          {"Brown"},
+				"displayName": {""},
+			}),
+		),
+		ldapSearchResult(
+			ldapEntry("cn=users,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-users"},
+				"cn":        {"users"},
+				"memberUid": {"alice", "bob", "unknown"},
+			}),
+		),
+	))
+
+	require.NoError(t, service.SyncAll(t.Context()))
+
+	var group model.UserGroup
+	require.NoError(t, db.Preload("Users").First(&group, "ldap_id = ?", "g-users").Error)
+	assert.Equal(t, "users", group.Name)
+	assert.ElementsMatch(t, []string{"alice", "bob"}, usernames(group.Users))
+}
+
+func TestLdapServiceSyncAllHandlesDuplicateLDAPIDsInSingleRun(t *testing.T) {
+	service, db := newTestLdapService(t, newFakeLDAPClient(
+		ldapSearchResult(
+			ldapEntry("uid=alice,ou=people,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-dup"},
+				"uid":         {"alice"},
+				"mail":        {"alice@example.com"},
+				"givenName":   {"Alice"},
+				"sn":          {"Doe"},
+				"displayName": {"Alice Doe"},
+			}),
+			ldapEntry("uid=alice,ou=people,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"u-dup"},
+				"uid":         {"alice"},
+				"mail":        {"alice@example.com"},
+				"givenName":   {"Alicia"},
+				"sn":          {"Doe"},
+				"displayName": {"Alicia Doe"},
+			}),
+		),
+		ldapSearchResult(
+			ldapEntry("cn=team,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-dup"},
+				"cn":        {"team"},
+				"member":    {"uid=alice,ou=people,dc=example,dc=com"},
+			}),
+			ldapEntry("cn=team,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-dup"},
+				"cn":        {"team-renamed"},
+				"member":    {"uid=alice,ou=people,dc=example,dc=com"},
+			}),
+		),
+	))
+
+	require.NoError(t, service.SyncAll(t.Context()))
+
+	var users []model.User
+	require.NoError(t, db.Find(&users, "ldap_id = ?", "u-dup").Error)
+	require.Len(t, users, 1)
+	assert.Equal(t, "alice", users[0].Username)
+	assert.Equal(t, "Alicia", users[0].FirstName)
+	assert.Equal(t, "Alicia Doe", users[0].DisplayName)
+
+	var groups []model.UserGroup
+	require.NoError(t, db.Preload("Users").Find(&groups, "ldap_id = ?", "g-dup").Error)
+	require.Len(t, groups, 1)
+	assert.Equal(t, "team-renamed", groups[0].Name)
+	assert.Equal(t, "team-renamed", groups[0].FriendlyName)
+	assert.ElementsMatch(t, []string{"alice"}, usernames(groups[0].Users))
+}
+
+func TestLdapServiceSyncAllSetsAdminFromGroupMembership(t *testing.T) {
+	tests := []struct {
+		name        string
+		appConfig   *model.AppConfig
+		groupEntry  *ldap.Entry
+		groupName   string
+		groupLookup string
+	}{
+		{
+			name:      "memberOf missing on user",
+			appConfig: defaultTestLDAPAppConfig(),
+			groupEntry: ldapEntry("cn=admins,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID": {"g-admins"},
+				"cn":        {"admins"},
+				"member":    {"uid=testadmin,ou=people,dc=example,dc=com"},
+			}),
+			groupName:   "admins",
+			groupLookup: "g-admins",
+		},
+		{
+			name: "configured group name attribute differs from DN RDN",
+			appConfig: func() *model.AppConfig {
+				cfg := defaultTestLDAPAppConfig()
+				cfg.LdapAttributeGroupName = model.AppConfigVariable{Value: "displayName"}
+				cfg.LdapAdminGroupName = model.AppConfigVariable{Value: "pocketid.admin"}
+				return cfg
+			}(),
+			groupEntry: ldapEntry("cn=admins,ou=groups,dc=example,dc=com", map[string][]string{
+				"entryUUID":   {"g-display-admins"},
+				"cn":          {"admins"},
+				"displayName": {"pocketid.admin"},
+				"member":      {"uid=testadmin,ou=people,dc=example,dc=com"},
+			}),
+			groupName:   "pocketid.admin",
+			groupLookup: "g-display-admins",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			service, db := newTestLdapServiceWithAppConfig(t, tt.appConfig, newFakeLDAPClient(
+				ldapSearchResult(
+					ldapEntry("uid=testadmin,ou=people,dc=example,dc=com", map[string][]string{
+						"entryUUID":   {"u-testadmin"},
+						"uid":         {"testadmin"},
+						"mail":        {"testadmin@example.com"},
+						"givenName":   {"Test"},
+						"sn":          {"Admin"},
+						"displayName": {""},
+					}),
+				),
+				ldapSearchResult(tt.groupEntry),
+			))
+
+			require.NoError(t, service.SyncAll(t.Context()))
+
+			var user model.User
+			require.NoError(t, db.First(&user, "ldap_id = ?", "u-testadmin").Error)
+			assert.True(t, user.IsAdmin)
+
+			var group model.UserGroup
+			require.NoError(t, db.Preload("Users").First(&group, "ldap_id = ?", tt.groupLookup).Error)
+			assert.Equal(t, tt.groupName, group.Name)
+			assert.ElementsMatch(t, []string{"testadmin"}, usernames(group.Users))
+		})
+	}
+}
+
+func newTestLdapService(t *testing.T, client ldapClient) (*LdapService, *gorm.DB) {
+	t.Helper()
+
+	return newTestLdapServiceWithAppConfig(t, defaultTestLDAPAppConfig(), client)
+}
+
+func newTestLdapServiceWithAppConfig(t *testing.T, appConfigModel *model.AppConfig, client ldapClient) (*LdapService, *gorm.DB) {
+	t.Helper()
+
+	db := testutils.NewDatabaseForTest(t)
+
+	fileStorage, err := storage.NewDatabaseStorage(db)
+	require.NoError(t, err)
+
+	appConfig := NewTestAppConfigService(appConfigModel)
+
+	groupService := NewUserGroupService(db, appConfig, nil)
+	userService := NewUserService(
+		db,
+		nil,
+		nil,
+		nil,
+		appConfig,
+		NewCustomClaimService(db),
+		NewAppImagesService(map[string]string{}, fileStorage),
+		nil,
+		fileStorage,
+	)
+
+	service := NewLdapService(db, &http.Client{}, appConfig, userService, groupService, fileStorage)
+	service.clientFactory = func() (ldapClient, error) {
+		return client, nil
+	}
+
+	return service, db
+}
+
+func defaultTestLDAPAppConfig() *model.AppConfig {
+	return &model.AppConfig{
+		RequireUserEmail:                   model.AppConfigVariable{Value: "false"},
+		LdapEnabled:                        model.AppConfigVariable{Value: "true"},
+		LdapBase:                           model.AppConfigVariable{Value: "dc=example,dc=com"},
+		LdapUserSearchFilter:               model.AppConfigVariable{Value: "(objectClass=person)"},
+		LdapUserGroupSearchFilter:          model.AppConfigVariable{Value: "(objectClass=groupOfNames)"},
+		LdapAttributeUserUniqueIdentifier:  model.AppConfigVariable{Value: "entryUUID"},
+		LdapAttributeUserUsername:          model.AppConfigVariable{Value: "uid"},
+		LdapAttributeUserEmail:             model.AppConfigVariable{Value: "mail"},
+		LdapAttributeUserFirstName:         model.AppConfigVariable{Value: "givenName"},
+		LdapAttributeUserLastName:          model.AppConfigVariable{Value: "sn"},
+		LdapAttributeUserDisplayName:       model.AppConfigVariable{Value: "displayName"},
+		LdapAttributeUserProfilePicture:    model.AppConfigVariable{Value: "jpegPhoto"},
+		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
+		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{Value: "entryUUID"},
+		LdapAttributeGroupName:             model.AppConfigVariable{Value: "cn"},
+		LdapAdminGroupName:                 model.AppConfigVariable{Value: "admins"},
+		LdapSoftDeleteUsers:                model.AppConfigVariable{Value: "true"},
+	}
+}
+
+func newFakeLDAPClient(userResult, groupResult *ldap.SearchResult) ldapClient {
+	return &fakeLDAPClient{
+		searchFn: func(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error) {
+			switch searchRequest.Filter {
+			case "(objectClass=person)":
+				return userResult, nil
+			case "(objectClass=groupOfNames)", "(objectClass=posixGroup)":
+				return groupResult, nil
+			default:
+				return &ldap.SearchResult{}, nil
+			}
+		},
+	}
+}
+
+func ldapSearchResult(entries ...*ldap.Entry) *ldap.SearchResult {
+	return &ldap.SearchResult{Entries: entries}
+}
+
+func ldapEntry(dn string, attrs map[string][]string) *ldap.Entry {
+	entry := &ldap.Entry{
+		DN:         dn,
+		Attributes: make([]*ldap.EntryAttribute, 0, len(attrs)),
+	}
+
+	for name, values := range attrs {
+		entry.Attributes = append(entry.Attributes, &ldap.EntryAttribute{
+			Name:   name,
+			Values: values,
+		})
+	}
+
+	return entry
+}
+
+func usernames(users []model.User) []string {
+	result := make([]string, 0, len(users))
+	for _, user := range users {
+		result = append(result, user.Username)
+	}
+
+	return result
+}
+
 func TestGetDNProperty(t *testing.T) {
 	tests := []struct {
 		name           string
@@ -64,10 +465,58 @@ func TestGetDNProperty(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := getDNProperty(tt.property, tt.dn)
-			if result != tt.expectedResult {
-				t.Errorf("getDNProperty(%q, %q) = %q, want %q",
-					tt.property, tt.dn, result, tt.expectedResult)
-			}
+			assert.Equalf(t, tt.expectedResult, result, "getDNProperty(%q, %q)", tt.property, tt.dn)
+		})
+	}
+}
+
+func TestNormalizeLDAPDN(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "already normalized",
+			input:    "cn=alice,dc=example,dc=com",
+			expected: "cn=alice,dc=example,dc=com",
+		},
+		{
+			name:     "uppercase attribute types",
+			input:    "CN=Alice,DC=example,DC=com",
+			expected: "cn=alice,dc=example,dc=com",
+		},
+		{
+			name:     "spaces after commas",
+			input:    "cn=alice, dc=example, dc=com",
+			expected: "cn=alice,dc=example,dc=com",
+		},
+		{
+			name:     "uppercase types and spaces",
+			input:    "CN=Alice, DC=example, DC=com",
+			expected: "cn=alice,dc=example,dc=com",
+		},
+		{
+			name:     "multi-valued RDN",
+			input:    "cn=alice+uid=a123,dc=example,dc=com",
+			expected: "cn=alice+uid=a123,dc=example,dc=com",
+		},
+		{
+			name:     "invalid DN falls back to lowercase+trim",
+			input:    "  NOT A VALID DN  ",
+			expected: "not a valid dn",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := normalizeLDAPDN(tt.input)
+			assert.Equalf(t, tt.expected, result, "normalizeLDAPDN(%q)", tt.input)
 		})
 	}
 }
@@ -98,9 +547,7 @@ func TestConvertLdapIdToString(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := convertLdapIdToString(tt.input)
-			if got != tt.expected {
-				t.Errorf("Expected %q, got %q", tt.expected, got)
-			}
+			assert.Equal(t, tt.expected, got)
 		})
 	}
 }

backend/internal/service/oidc_service.go

@@ -56,6 +56,7 @@ type OidcService struct {
 	auditLogService    *AuditLogService
 	customClaimService *CustomClaimService
 	webAuthnService    *WebAuthnService
+	scimService        *ScimService
 
 	httpClient  *http.Client
 	jwkCache    *jwk.Cache
@@ -70,6 +71,7 @@ func NewOidcService(
 	auditLogService *AuditLogService,
 	customClaimService *CustomClaimService,
 	webAuthnService *WebAuthnService,
+	scimService *ScimService,
 	httpClient *http.Client,
 	fileStorage storage.FileStorage,
 ) (s *OidcService, err error) {
@@ -80,6 +82,7 @@ func NewOidcService(
 		auditLogService:    auditLogService,
 		customClaimService: customClaimService,
 		webAuthnService:    webAuthnService,
+		scimService:        scimService,
 		httpClient:         httpClient,
 		fileStorage:        fileStorage,
 	}
@@ -120,11 +123,9 @@ func (s *OidcService) getJWKCache(ctx context.Context) (*jwk.Cache, error) {
 	)
 }
 
-func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClientRequestDto, userID, ipAddress, userAgent string) (string, string, error) {
+func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClientRequestDto, userID string, authenticationMethod string, ipAddress, userAgent string) (string, string, error) {
 	tx := s.db.Begin()
-	defer func() {
-		tx.Rollback()
-	}()
+	defer tx.Rollback()
 
 	var client model.OidcClient
 	err := tx.
@@ -136,27 +137,47 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", err
 	}
 
-	if client.RequiresReauthentication {
-		if input.ReauthenticationToken == "" {
-			return "", "", &common.ReauthenticationRequiredError{}
-		}
-		err = s.webAuthnService.ConsumeReauthenticationToken(ctx, tx, input.ReauthenticationToken, userID)
-		if err != nil {
-			return "", "", err
-		}
-	}
-
 	// If the client is not public, the code challenge must be provided
 	if client.IsPublic && input.CodeChallenge == "" {
 		return "", "", &common.OidcMissingCodeChallengeError{}
 	}
 
-	// Get the callback URL of the client. Return an error if the provided callback URL is not allowed
+	// Validate the callback URL before any prompt checks, so that prompt-related
+	// error responses never contain an unvalidated redirect target
 	callbackURL, err := s.getCallbackURL(&client, input.CallbackURL, tx, ctx)
 	if err != nil {
 		return "", "", err
 	}
 
+	// Parse prompt parameter (space-delimited list per OIDC spec)
+	promptValues := parsePromptParameter(input.Prompt)
+	hasPromptNone := slices.Contains(promptValues, "none")
+	hasPromptLogin := slices.Contains(promptValues, "login")
+	hasPromptConsent := slices.Contains(promptValues, "consent")
+	hasPromptSelectAccount := slices.Contains(promptValues, "select_account")
+
+	// Validate prompt parameter conflicts early.
+	// Per OIDC Core §3.1.2.6, prompt=none must not be combined with any
+	// value that requires user interaction.
+	if hasPromptNone && (hasPromptConsent || hasPromptLogin || hasPromptSelectAccount) {
+		return "", "", common.NewOidcInvalidRequestError("prompt type 'none' cannot be combined with others")
+	}
+
+	// prompt=select_account is handled entirely in the UI
+	// Pocket ID holds one session per browser, so the frontend renders the current user as the sole selectable account and then calls Authorize normally.
+
+	// If prompt=login is specified or the client requires reauthentication, check the reauthentication token
+	if hasPromptLogin || client.RequiresReauthentication {
+		if input.ReauthenticationToken == "" {
+			return "", "", &common.ReauthenticationRequiredError{}
+		}
+
+		err = s.webAuthnService.ConsumeReauthenticationToken(ctx, tx, input.ReauthenticationToken, userID)
+		if err != nil {
+			return "", "", err
+		}
+	}
+
 	// Check if the user group is allowed to authorize the client
 	var user model.User
 	err = tx.
@@ -172,27 +193,48 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", &common.OidcAccessDeniedError{}
 	}
 
+	// Handle prompt=none - if consent would be required, we can't show UI
+	if hasPromptNone {
+		hasAlreadyAuthorized, err := s.hasAuthorizedClientInternal(ctx, input.ClientID, userID, input.Scope, tx)
+		if err != nil {
+			return "", "", err
+		}
+		if !hasAlreadyAuthorized {
+			return "", "", &common.OidcConsentRequiredError{}
+		}
+	}
+
 	hasAlreadyAuthorizedClient, err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
 	if err != nil {
 		return "", "", err
 	}
 
 	// Create the authorization code
-	code, err := s.createAuthorizationCode(ctx, input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod, tx)
+	code, err := s.createAuthorizationCode(ctx, input.ClientID, userID, input.Scope, authenticationMethod, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod, tx)
 	if err != nil {
 		return "", "", err
 	}
 
 	// Log the authorization event
 	if hasAlreadyAuthorizedClient {
-		s.auditLogService.Create(ctx, model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
+		s.auditLogService.Create(
+			ctx, model.AuditLogEventClientAuthorization,
+			ipAddress, userAgent, userID,
+			model.AuditLogData{"clientName": client.Name},
+			tx,
+		)
 	} else {
-		s.auditLogService.Create(ctx, model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
+		s.auditLogService.Create(
+			ctx, model.AuditLogEventNewClientAuthorization,
+			ipAddress, userAgent, userID,
+			model.AuditLogData{"clientName": client.Name},
+			tx,
+		)
 	}
 
 	err = tx.Commit().Error
 	if err != nil {
-		return "", "", err
+		return "", "", fmt.Errorf("failed to commit transaction: %w", err)
 	}
 
 	return code, callbackURL, nil
@@ -311,17 +353,17 @@ func (s *OidcService) createTokenFromDeviceCode(ctx context.Context, input dto.O
 	}
 
 	// Explicitly use the input clientID for the audience claim to ensure consistency
-	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, "")
+	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, deviceAuth.Nonce, deviceAuth.AuthenticationMethod)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
 
-	refreshToken, err := s.createRefreshToken(ctx, input.ClientID, *deviceAuth.UserID, deviceAuth.Scope, tx)
+	refreshToken, err := s.createRefreshToken(ctx, input.ClientID, *deviceAuth.UserID, deviceAuth.Scope, deviceAuth.AuthenticationMethod, tx)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
 
-	accessToken, err := s.jwtService.GenerateOAuthAccessToken(deviceAuth.User, input.ClientID)
+	accessToken, err := s.jwtService.GenerateOAuthAccessToken(deviceAuth.User, input.ClientID, deviceAuth.AuthenticationMethod)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -362,7 +404,7 @@ func (s *OidcService) createTokenFromClientCredentials(ctx context.Context, inpu
 		audClaim = input.Resource
 	}
 
-	accessToken, err := s.jwtService.GenerateOAuthAccessToken(dummyUser, audClaim)
+	accessToken, err := s.jwtService.GenerateOAuthAccessToken(dummyUser, audClaim, "")
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -401,7 +443,7 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, inpu
 		}
 	}
 
-	if authorizationCodeMetaData.ClientID != input.ClientID && authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {
+	if authorizationCodeMetaData.ClientID != input.ClientID || authorizationCodeMetaData.ExpiresAt.ToTime().Before(time.Now()) {
 		return CreatedTokens{}, &common.OidcInvalidAuthorizationCodeError{}
 	}
 
@@ -410,18 +452,20 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, inpu
 		return CreatedTokens{}, err
 	}
 
-	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, authorizationCodeMetaData.Nonce)
+	authenticationMethod := authorizationCodeMetaData.AuthenticationMethod
+
+	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, authorizationCodeMetaData.Nonce, authenticationMethod)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
 
 	// Generate a refresh token
-	refreshToken, err := s.createRefreshToken(ctx, input.ClientID, authorizationCodeMetaData.UserID, authorizationCodeMetaData.Scope, tx)
+	refreshToken, err := s.createRefreshToken(ctx, input.ClientID, authorizationCodeMetaData.UserID, authorizationCodeMetaData.Scope, authenticationMethod, tx)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
 
-	accessToken, err := s.jwtService.GenerateOAuthAccessToken(authorizationCodeMetaData.User, input.ClientID)
+	accessToken, err := s.jwtService.GenerateOAuthAccessToken(authorizationCodeMetaData.User, input.ClientID, authenticationMethod)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -498,8 +542,46 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
 	}
 
+	if storedRefreshToken.User.Disabled {
+		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
+	}
+
+	var authorizedClient model.UserAuthorizedOidcClient
+	err = tx.
+		WithContext(ctx).
+		Where("user_id = ? AND client_id = ?", storedRefreshToken.UserID, input.ClientID).
+		First(&authorizedClient).
+		Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		err = tx.WithContext(ctx).Delete(&storedRefreshToken).Error
+		if err != nil {
+			return CreatedTokens{}, err
+		}
+
+		err = tx.Commit().Error
+		if err != nil {
+			return CreatedTokens{}, err
+		}
+
+		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
+	} else if err != nil {
+		return CreatedTokens{}, err
+	}
+
+	if client.IsGroupRestricted {
+		err = tx.WithContext(ctx).Model(client).Association("AllowedUserGroups").Find(&client.AllowedUserGroups)
+		if err != nil {
+			return CreatedTokens{}, err
+		}
+	}
+
+	if !IsUserGroupAllowedToAuthorize(storedRefreshToken.User, *client) {
+		return CreatedTokens{}, &common.OidcAccessDeniedError{}
+	}
+
 	// Generate a new access token
-	accessToken, err := s.jwtService.GenerateOAuthAccessToken(storedRefreshToken.User, input.ClientID)
+	authenticationMethods := storedRefreshToken.AuthenticationMethod
+	accessToken, err := s.jwtService.GenerateOAuthAccessToken(storedRefreshToken.User, input.ClientID, authenticationMethods)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -512,13 +594,13 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 
 	// Generate a new ID token
 	// There's no nonce here because we don't have one with the refresh token, but that's not required
-	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, "")
+	idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, "", authenticationMethods)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
 
 	// Generate a new refresh token and invalidate the old one
-	newRefreshToken, err := s.createRefreshToken(ctx, input.ClientID, storedRefreshToken.UserID, storedRefreshToken.Scope, tx)
+	newRefreshToken, err := s.createRefreshToken(ctx, input.ClientID, storedRefreshToken.UserID, storedRefreshToken.Scope, authenticationMethods, tx)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -680,6 +762,27 @@ func (s *OidcService) GetClient(ctx context.Context, clientID string) (model.Oid
 	return s.getClientInternal(ctx, clientID, s.db, false)
 }
 
+func (s *OidcService) ResolveAllowedCallbackURL(ctx context.Context, clientID, inputCallbackURL string) (string, error) {
+	client, err := s.GetClient(ctx, clientID)
+	if err != nil {
+		return "", err
+	}
+
+	if inputCallbackURL == "" || len(client.CallbackURLs) == 0 {
+		return "", &common.OidcMissingCallbackURLError{}
+	}
+
+	matched, err := utils.GetCallbackURLFromList(client.CallbackURLs, inputCallbackURL)
+	if err != nil {
+		return "", err
+	}
+	if matched == "" {
+		return "", &common.OidcInvalidCallbackURLError{}
+	}
+
+	return matched, nil
+}
+
 func (s *OidcService) getClientInternal(ctx context.Context, clientID string, tx *gorm.DB, forUpdate bool) (model.OidcClient, error) {
 	var client model.OidcClient
 	q := tx.
@@ -728,7 +831,7 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 		Base: model.Base{
 			ID: input.ID,
 		},
-		CreatedByID: utils.Ptr(userID),
+		CreatedByID: new(userID),
 	}
 	updateOIDCClientModelFromDto(&client, &input.OidcClientUpdateDto)
 
@@ -1088,6 +1191,7 @@ func (s *OidcService) UpdateAllowedUserGroups(ctx context.Context, id string, in
 		return model.OidcClient{}, err
 	}
 
+	s.scimService.ScheduleSync()
 	return client, nil
 }
 
@@ -1138,7 +1242,7 @@ func (s *OidcService) ValidateEndSession(ctx context.Context, input dto.OidcLogo
 	return callbackURL, nil
 }
 
-func (s *OidcService) createAuthorizationCode(ctx context.Context, clientID string, userID string, scope string, nonce string, codeChallenge string, codeChallengeMethod string, tx *gorm.DB) (string, error) {
+func (s *OidcService) createAuthorizationCode(ctx context.Context, clientID string, userID string, scope string, authenticationMethod string, nonce string, codeChallenge string, codeChallengeMethod string, tx *gorm.DB) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {
 		return "", err
@@ -1152,6 +1256,7 @@ func (s *OidcService) createAuthorizationCode(ctx context.Context, clientID stri
 		ClientID:                  clientID,
 		UserID:                    userID,
 		Scope:                     scope,
+		AuthenticationMethod:      authenticationMethod,
 		Nonce:                     nonce,
 		CodeChallenge:             &codeChallenge,
 		CodeChallengeMethodSha256: &codeChallengeMethodSha256,
@@ -1278,6 +1383,7 @@ func (s *OidcService) CreateDeviceAuthorization(ctx context.Context, input dto.O
 		ExpiresAt:    datatype.DateTime(time.Now().Add(DeviceCodeDuration)),
 		IsAuthorized: false,
 		ClientID:     client.ID,
+		Nonce:        input.Nonce,
 	}
 
 	if err := s.db.Create(deviceAuth).Error; err != nil {
@@ -1294,7 +1400,7 @@ func (s *OidcService) CreateDeviceAuthorization(ctx context.Context, input dto.O
 	}, nil
 }
 
-func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, userID string, ipAddress string, userAgent string) error {
+func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, userID string, authenticationMethod string, ipAddress string, userAgent string) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -1343,6 +1449,7 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 	}
 
 	deviceAuth.UserID = &userID
+	deviceAuth.AuthenticationMethod = authenticationMethod
 	deviceAuth.IsAuthorized = true
 
 	err = tx.
@@ -1459,6 +1566,15 @@ func (s *OidcService) RevokeAuthorizedClient(ctx context.Context, userID string,
 		return err
 	}
 
+	err = tx.
+		WithContext(ctx).
+		Where("user_id = ? AND client_id = ?", userID, clientID).
+		Delete(&model.OidcRefreshToken{}).
+		Error
+	if err != nil {
+		return err
+	}
+
 	err = tx.Commit().Error
 	if err != nil {
 		return err
@@ -1546,7 +1662,7 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 	return dtos, response, err
 }
 
-func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, userID string, scope string, tx *gorm.DB) (string, error) {
+func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, userID string, scope string, authenticationMethod string, tx *gorm.DB) (string, error) {
 	refreshToken, err := utils.GenerateRandomAlphanumericString(40)
 	if err != nil {
 		return "", err
@@ -1557,11 +1673,12 @@ func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, u
 	refreshTokenHash := utils.CreateSha256Hash(refreshToken)
 
 	m := model.OidcRefreshToken{
-		ExpiresAt: datatype.DateTime(time.Now().Add(RefreshTokenDuration)),
-		Token:     refreshTokenHash,
-		ClientID:  clientID,
-		UserID:    userID,
-		Scope:     scope,
+		ExpiresAt:            datatype.DateTime(time.Now().Add(RefreshTokenDuration)),
+		Token:                refreshTokenHash,
+		ClientID:             clientID,
+		UserID:               userID,
+		Scope:                scope,
+		AuthenticationMethod: authenticationMethod,
 	}
 
 	err = tx.
@@ -1639,34 +1756,19 @@ func clientAuthCredentialsFromCreateTokensDto(d *dto.OidcCreateTokensDto) Client
 }
 
 func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *gorm.DB, input ClientAuthCredentials, allowPublicClientsWithoutAuth bool) (client *model.OidcClient, err error) {
-	isClientAssertion := input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != ""
-
-	// Determine the client ID based on the authentication method
-	var clientID string
-	switch {
-	case isClientAssertion:
-		// Extract client ID from the JWT assertion's 'sub' claim
-		clientID, err = s.extractClientIDFromAssertion(input.ClientAssertion)
-		if err != nil {
-			slog.Error("Failed to extract client ID from assertion", "error", err)
-			return nil, &common.OidcClientAssertionInvalidError{}
-		}
-	case input.ClientID != "":
-		// Use the provided client ID for other authentication methods
-		clientID = input.ClientID
-	default:
+	if input.ClientID == "" {
 		return nil, &common.OidcMissingClientCredentialsError{}
 	}
 
 	// Load the OIDC client's configuration
 	err = tx.
 		WithContext(ctx).
-		First(&client, "id = ?", clientID).
+		First(&client, "id = ?", input.ClientID).
 		Error
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) && isClientAssertion {
-			return nil, &common.OidcClientAssertionInvalidError{}
-		}
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		slog.WarnContext(ctx, "Client not found", slog.String("client", input.ClientID))
+		return nil, &common.OidcClientNotFoundError{}
+	} else if err != nil {
 		return nil, err
 	}
 
@@ -1681,7 +1783,7 @@ func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *g
 		return client, nil
 
 	// Next, check if we want to use client assertions from federated identities
-	case isClientAssertion:
+	case input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != "":
 		err = s.verifyClientAssertionFromFederatedIdentities(ctx, client, input)
 		if err != nil {
 			slog.WarnContext(ctx, "Invalid assertion for client", slog.String("client", client.ID), slog.Any("error", err))
@@ -1706,14 +1808,18 @@ func (s *OidcService) jwkSetForURL(ctx context.Context, url string) (set jwk.Set
 		// We set a timeout because otherwise Register will keep trying in case of errors
 		registerCtx, registerCancel := context.WithTimeout(ctx, 15*time.Second)
 		defer registerCancel()
-		// We need to register the URL
-		err = s.jwkCache.Register(
-			registerCtx,
-			url,
-			jwk.WithMaxInterval(24*time.Hour),
-			jwk.WithMinInterval(15*time.Minute),
+
+		registerOptions := []jwk.RegisterOption{
+			jwk.WithMaxInterval(24 * time.Hour),
+			jwk.WithMinInterval(15 * time.Minute),
 			jwk.WithWaitReady(true),
-		)
+		}
+		if s.httpClient != nil {
+			registerOptions = append(registerOptions, jwk.WithHTTPClient(s.httpClient))
+		}
+
+		// We need to register the URL
+		err = s.jwkCache.Register(registerCtx, url, registerOptions...)
 		// In case of race conditions (two goroutines calling jwkCache.Register at the same time), it's possible we can get a conflict anyways, so we ignore that error
 		if err != nil && !errors.Is(err, httprc.ErrResourceAlreadyExists()) {
 			return nil, fmt.Errorf("failed to register JWK set: %w", err)
@@ -1778,37 +1884,21 @@ func (s *OidcService) verifyClientAssertionFromFederatedIdentities(ctx context.C
 	// (Note: we don't use jwt.WithIssuer() because that would be redundant)
 	_, err = jwt.Parse(assertion,
 		jwt.WithValidate(true),
+
 		jwt.WithAcceptableSkew(clockSkew),
 		jwt.WithKeySet(jwks, jws.WithInferAlgorithmFromKey(true), jws.WithUseDefault(true)),
 		jwt.WithAudience(audience),
 		jwt.WithSubject(subject),
 	)
 	if err != nil {
-		return fmt.Errorf("client assertion is not valid: %w", err)
+		return fmt.Errorf("client assertion could not be verified: %w", err)
 	}
 
 	// If we're here, the assertion is valid
 	return nil
 }
 
-// extractClientIDFromAssertion extracts the client_id from the JWT assertion's 'sub' claim
-func (s *OidcService) extractClientIDFromAssertion(assertion string) (string, error) {
-	// Parse the JWT without verification first to get the claims
-	insecureToken, err := jwt.ParseInsecure([]byte(assertion))
-	if err != nil {
-		return "", fmt.Errorf("failed to parse JWT assertion: %w", err)
-	}
-
-	// Extract the subject claim which must be the client_id according to RFC 7523
-	sub, ok := insecureToken.Subject()
-	if !ok || sub == "" {
-		return "", fmt.Errorf("missing or invalid 'sub' claim in JWT assertion")
-	}
-
-	return sub, nil
-}
-
-func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes []string) (*dto.OidcClientPreviewDto, error) {
+func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes []string, authenticationMethod string) (*dto.OidcClientPreviewDto, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -1844,12 +1934,12 @@ func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, use
 		return nil, err
 	}
 
-	idToken, err := s.jwtService.BuildIDToken(userClaims, clientID, "")
+	idToken, err := s.jwtService.BuildIDToken(userClaims, clientID, "", authenticationMethod)
 	if err != nil {
 		return nil, err
 	}
 
-	accessToken, err := s.jwtService.BuildOAuthAccessToken(user, clientID)
+	accessToken, err := s.jwtService.BuildOAuthAccessToken(user, clientID, authenticationMethod)
 	if err != nil {
 		return nil, err
 	}
@@ -1895,7 +1985,7 @@ func (s *OidcService) getUserClaims(ctx context.Context, user *model.User, scope
 	claims["sub"] = user.ID
 	if slices.Contains(scopes, "email") {
 		claims["email"] = user.Email
-		claims["email_verified"] = s.appConfigService.GetDbConfig().EmailsVerified.IsTrue()
+		claims["email_verified"] = user.EmailVerified
 	}
 
 	if slices.Contains(scopes, "groups") {
@@ -2129,3 +2219,11 @@ func (s *OidcService) GetClientScimServiceProvider(ctx context.Context, clientID
 
 	return provider, nil
 }
+
+// parsePromptParameter parses the OIDC prompt parameter which is a space-delimited list of values
+func parsePromptParameter(prompt string) []string {
+	if prompt == "" {
+		return []string{}
+	}
+	return strings.Fields(prompt)
+}

backend/internal/service/oidc_service_test.go

@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"
 	"testing"
@@ -20,6 +21,7 @@ import (
 	"github.com/lestrrat-go/jwx/v3/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
@@ -160,7 +162,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	mockConfig := NewTestAppConfigService(&model.AppConfig{
 		SessionDuration: model.AppConfigVariable{Value: "60"}, // 60 minutes
 	})
-	mockJwtService, err := NewJwtService(db, mockConfig)
+	mockJwtService, err := NewJwtService(t.Context(), db, mockConfig)
 	require.NoError(t, err)
 
 	// Create a mock HTTP client with custom transport to return the JWKS
@@ -229,6 +231,12 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 					Subject:  federatedClient.ID,
 					JWKS:     federatedClientIssuer + "/jwks.json",
 				},
+				{
+					Issuer:   "federated-issuer-2",
+					Audience: federatedClientAudience,
+					Subject:  "my-federated-client",
+					JWKS:     federatedClientIssuer + "/jwks.json",
+				},
 				{Issuer: federatedClientIssuerDefaults},
 			},
 		},
@@ -461,6 +469,43 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 
 				// Generate a token
 				input := dto.OidcCreateTokensDto{
+					ClientID:            federatedClient.ID,
+					ClientAssertion:     string(signedToken),
+					ClientAssertionType: ClientAssertionTypeJWTBearer,
+				}
+				createdToken, err := s.createTokenFromClientCredentials(t.Context(), input)
+				require.NoError(t, err)
+				require.NotNil(t, token)
+
+				// Verify the token
+				claims, err := s.jwtService.VerifyOAuthAccessToken(createdToken.AccessToken)
+				require.NoError(t, err, "Failed to verify generated token")
+
+				// Check the claims
+				subject, ok := claims.Subject()
+				_ = assert.True(t, ok, "User ID not found in token") &&
+					assert.Equal(t, "client-"+federatedClient.ID, subject, "Token subject should match federated client ID with prefix")
+				audience, ok := claims.Audience()
+				_ = assert.True(t, ok, "Audience not found in token") &&
+					assert.Equal(t, []string{federatedClient.ID}, audience, "Audience should contain the federated client ID")
+			})
+
+			t.Run("Succeeds with valid assertion and custom subject", func(t *testing.T) {
+				// Create JWT for federated identity
+				token, err := jwt.NewBuilder().
+					Issuer("federated-issuer-2").
+					Audience([]string{federatedClientAudience}).
+					Subject("my-federated-client").
+					IssuedAt(time.Now()).
+					Expiration(time.Now().Add(10 * time.Minute)).
+					Build()
+				require.NoError(t, err)
+				signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.ES256(), privateJWK))
+				require.NoError(t, err)
+
+				// Generate a token
+				input := dto.OidcCreateTokensDto{
+					ClientID:            federatedClient.ID,
 					ClientAssertion:     string(signedToken),
 					ClientAssertionType: ClientAssertionTypeJWTBearer,
 				}
@@ -483,6 +528,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 
 			t.Run("Fails with invalid assertion", func(t *testing.T) {
 				input := dto.OidcCreateTokensDto{
+					ClientID:            confidentialClient.ID,
 					ClientAssertion:     "invalid.jwt.token",
 					ClientAssertionType: ClientAssertionTypeJWTBearer,
 				}
@@ -518,6 +564,180 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	})
 }
 
+func TestOidcServiceRefreshTokenAuthorizationState(t *testing.T) {
+	newFixture := func(t *testing.T, isGroupRestricted bool) (*OidcService, *gorm.DB, model.User, model.OidcClient, string, string, *model.UserGroup) {
+		t.Helper()
+
+		db := testutils.NewDatabaseForTest(t)
+		common.EnvConfig.EncryptionKey = []byte("0123456789abcdef0123456789abcdef")
+
+		mockConfig := NewTestAppConfigService(&model.AppConfig{
+			SessionDuration: model.AppConfigVariable{Value: "60"},
+		})
+		jwtService, err := NewJwtService(t.Context(), db, mockConfig)
+		require.NoError(t, err)
+
+		service := &OidcService{
+			db:               db,
+			jwtService:       jwtService,
+			appConfigService: mockConfig,
+		}
+
+		email := "refresh-token-user@example.com"
+		user := model.User{
+			Username:      "refresh-token-user",
+			Email:         &email,
+			EmailVerified: true,
+			FirstName:     "Refresh",
+			LastName:      "User",
+		}
+		require.NoError(t, db.Create(&user).Error)
+
+		client, err := service.CreateClient(t.Context(), dto.OidcClientCreateDto{
+			OidcClientUpdateDto: dto.OidcClientUpdateDto{
+				Name:              "Refresh Token Client",
+				CallbackURLs:      []string{"https://example.com/callback"},
+				IsGroupRestricted: isGroupRestricted,
+			},
+		}, user.ID)
+		require.NoError(t, err)
+
+		clientSecret, err := service.CreateClientSecret(t.Context(), client.ID)
+		require.NoError(t, err)
+
+		var userGroup *model.UserGroup
+		if isGroupRestricted {
+			group := model.UserGroup{
+				FriendlyName: "Allowed Group",
+				Name:         "allowed-group",
+			}
+			require.NoError(t, db.Create(&group).Error)
+			require.NoError(t, db.Model(&user).Association("UserGroups").Append(&group))
+			require.NoError(t, db.Model(&client).Association("AllowedUserGroups").Append(&group))
+			userGroup = &group
+		}
+
+		scope := "openid profile email groups"
+		require.NoError(t, db.Create(&model.UserAuthorizedOidcClient{
+			UserID:   user.ID,
+			ClientID: client.ID,
+			Scope:    scope,
+		}).Error)
+
+		refreshToken, err := service.createRefreshToken(t.Context(), client.ID, user.ID, scope, AuthenticationMethodPhishingResistant, db)
+		require.NoError(t, err)
+
+		return service, db, user, client, clientSecret, refreshToken, userGroup
+	}
+
+	refreshInput := func(client model.OidcClient, clientSecret string, refreshToken string) dto.OidcCreateTokensDto {
+		return dto.OidcCreateTokensDto{
+			GrantType:    GrantTypeRefreshToken,
+			RefreshToken: refreshToken,
+			ClientID:     client.ID,
+			ClientSecret: clientSecret,
+		}
+	}
+
+	t.Run("rejects refresh token after authorization revocation", func(t *testing.T) {
+		service, db, user, client, clientSecret, refreshToken, _ := newFixture(t, false)
+
+		err := service.RevokeAuthorizedClient(t.Context(), user.ID, client.ID)
+		require.NoError(t, err)
+
+		var refreshTokenCount int64
+		require.NoError(t, db.Model(&model.OidcRefreshToken{}).
+			Where("user_id = ? AND client_id = ?", user.ID, client.ID).
+			Count(&refreshTokenCount).Error)
+		assert.Zero(t, refreshTokenCount)
+
+		_, err = service.createTokenFromRefreshToken(t.Context(), refreshInput(client, clientSecret, refreshToken))
+		require.Error(t, err)
+		require.ErrorIs(t, err, &common.OidcInvalidRefreshTokenError{})
+	})
+
+	t.Run("rejects and deletes stale refresh token without authorization record", func(t *testing.T) {
+		service, db, user, client, clientSecret, refreshToken, _ := newFixture(t, false)
+
+		require.NoError(t, db.
+			Where("user_id = ? AND client_id = ?", user.ID, client.ID).
+			Delete(&model.UserAuthorizedOidcClient{}).Error)
+
+		_, err := service.createTokenFromRefreshToken(t.Context(), refreshInput(client, clientSecret, refreshToken))
+		require.Error(t, err)
+		require.ErrorIs(t, err, &common.OidcInvalidRefreshTokenError{})
+
+		var refreshTokenCount int64
+		require.NoError(t, db.Model(&model.OidcRefreshToken{}).
+			Where("user_id = ? AND client_id = ?", user.ID, client.ID).
+			Count(&refreshTokenCount).Error)
+		assert.Zero(t, refreshTokenCount)
+	})
+
+	t.Run("rejects refresh token for disabled user", func(t *testing.T) {
+		service, db, user, client, clientSecret, refreshToken, _ := newFixture(t, false)
+
+		require.NoError(t, db.Model(&model.User{}).
+			Where("id = ?", user.ID).
+			Update("disabled", true).Error)
+
+		_, err := service.createTokenFromRefreshToken(t.Context(), refreshInput(client, clientSecret, refreshToken))
+		require.Error(t, err)
+		require.ErrorIs(t, err, &common.OidcInvalidRefreshTokenError{})
+	})
+
+	t.Run("rejects refresh token after user leaves allowed group", func(t *testing.T) {
+		service, db, user, client, clientSecret, refreshToken, userGroup := newFixture(t, true)
+		require.NotNil(t, userGroup)
+
+		require.NoError(t, db.Model(&user).Association("UserGroups").Delete(userGroup))
+
+		_, err := service.createTokenFromRefreshToken(t.Context(), refreshInput(client, clientSecret, refreshToken))
+		require.Error(t, err)
+		require.ErrorIs(t, err, &common.OidcAccessDeniedError{})
+	})
+}
+
+func TestOidcServiceAuthenticationMethodsPersistence(t *testing.T) {
+	mockConfig := NewTestAppConfigService(&model.AppConfig{
+		SessionDuration: model.AppConfigVariable{Value: "60"},
+	})
+	jwtService, db, _ := setupJwtService(t, mockConfig)
+	service := &OidcService{
+		db:         db,
+		jwtService: jwtService,
+	}
+	authenticationMethod := AuthenticationMethodPhishingResistant
+
+	t.Run("stores authentication method on authorization codes", func(t *testing.T) {
+		code, err := service.createAuthorizationCode(
+			t.Context(),
+			"amr-client",
+			"amr-user",
+			"openid profile",
+			authenticationMethod,
+			"",
+			"",
+			"",
+			db,
+		)
+		require.NoError(t, err)
+
+		var authorizationCode model.OidcAuthorizationCode
+		require.NoError(t, db.First(&authorizationCode, "code = ?", code).Error)
+		assert.Equal(t, authenticationMethod, authorizationCode.AuthenticationMethod)
+	})
+
+	t.Run("stores authentication methods on refresh tokens", func(t *testing.T) {
+		_, err := service.createRefreshToken(t.Context(), "amr-client", "amr-user", "openid profile", authenticationMethod, db)
+		require.NoError(t, err)
+
+		var refreshToken model.OidcRefreshToken
+		require.NoError(t, db.First(&refreshToken, "client_id = ? AND user_id = ?", "amr-client", "amr-user").Error)
+		assert.Equal(t, authenticationMethod, refreshToken.AuthenticationMethod)
+	})
+}
+
 func TestValidateCodeVerifier_Plain(t *testing.T) {
 	require.False(t, validateCodeVerifier("", "", false))
 	require.False(t, validateCodeVerifier("", "", true))
@@ -676,6 +896,8 @@ func TestOidcService_updateClientLogoType(t *testing.T) {
 }
 
 func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
+	const publicLogoHost = "https://8.8.8.8"
+
 	// Create a test database
 	db := testutils.NewDatabaseForTest(t)
 
@@ -721,7 +943,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 		// Create a mock HTTP client with responses
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/logo.png": pngResponse,
+			publicLogoHost + "/logo.png": pngResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -737,7 +959,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 		}
 
 		// Download and save the logo
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo.png", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/logo.png", true)
 		require.NoError(t, err)
 
 		// Verify the file was saved
@@ -766,7 +988,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/dark-logo.webp": webpResponse,
+			publicLogoHost + "/dark-logo.webp": webpResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -781,7 +1003,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 		}
 
 		// Download and save the dark logo
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/dark-logo.webp", false)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/dark-logo.webp", false)
 		require.NoError(t, err)
 
 		// Verify the dark logo file was saved
@@ -805,7 +1027,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/icon.svg": testutils.NewMockResponse(http.StatusOK, string(svgContent)),
+			publicLogoHost + "/icon.svg": testutils.NewMockResponse(http.StatusOK, string(svgContent)),
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -819,7 +1041,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/icon.svg", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/icon.svg", true)
 		require.NoError(t, err)
 
 		// Verify SVG file was saved
@@ -836,7 +1058,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/logo": jpgResponse,
+			publicLogoHost + "/logo": jpgResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -850,7 +1072,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/logo", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/logo", true)
 		require.NoError(t, err)
 
 		// Verify JPG file was saved (jpeg extension is normalized to jpg)
@@ -872,7 +1094,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 	t.Run("Returns error for non-200 status code", func(t *testing.T) {
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/not-found.png": testutils.NewMockResponse(http.StatusNotFound, "Not Found"),
+			publicLogoHost + "/not-found.png": testutils.NewMockResponse(http.StatusNotFound, "Not Found"),
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -886,7 +1108,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/not-found.png", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/not-found.png", true)
 		require.Error(t, err)
 		require.ErrorContains(t, err, "failed to fetch logo")
 	})
@@ -902,7 +1124,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/large.png": largeResponse,
+			publicLogoHost + "/large.png": largeResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -916,7 +1138,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/large.png", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/large.png", true)
 		require.Error(t, err)
 		require.ErrorIs(t, err, errLogoTooLarge)
 	})
@@ -928,7 +1150,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/file.txt": textResponse,
+			publicLogoHost + "/file.txt": textResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -942,7 +1164,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, "https://example.com/file.txt", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), client.ID, publicLogoHost+"/file.txt", true)
 		require.Error(t, err)
 		var fileTypeErr *common.FileTypeNotSupportedError
 		require.ErrorAs(t, err, &fileTypeErr)
@@ -955,7 +1177,7 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 
 		mockResponses := map[string]*http.Response{
 			//nolint:bodyclose
-			"https://example.com/logo.png": pngResponse,
+			publicLogoHost + "/logo.png": pngResponse,
 		}
 		httpClient := &http.Client{
 			Transport: &testutils.MockRoundTripper{
@@ -969,8 +1191,61 @@ func TestOidcService_downloadAndSaveLogoFromURL(t *testing.T) {
 			httpClient:  httpClient,
 		}
 
-		err := s.downloadAndSaveLogoFromURL(t.Context(), "non-existent-client-id", "https://example.com/logo.png", true)
+		err := s.downloadAndSaveLogoFromURL(t.Context(), "non-existent-client-id", publicLogoHost+"/logo.png", true)
 		require.Error(t, err)
 		require.ErrorContains(t, err, "failed to look up client")
 	})
 }
+
+// Tests for prompt parameter parsing and handling
+func TestParsePromptParameter(t *testing.T) {
+	t.Run("empty prompt returns empty slice", func(t *testing.T) {
+		result := parsePromptParameter("")
+		assert.Equal(t, []string{}, result)
+	})
+
+	t.Run("single prompt value", func(t *testing.T) {
+		result := parsePromptParameter("none")
+		assert.Equal(t, []string{"none"}, result)
+	})
+
+	t.Run("multiple prompt values space-delimited", func(t *testing.T) {
+		result := parsePromptParameter("login consent")
+		assert.Equal(t, []string{"login", "consent"}, result)
+	})
+
+	t.Run("multiple prompt values with extra spaces", func(t *testing.T) {
+		result := parsePromptParameter("  none   login  ")
+		assert.Equal(t, []string{"none", "login"}, result)
+	})
+}
+
+func TestPromptParameterConflicts(t *testing.T) {
+	tests := []struct {
+		name           string
+		prompt         string
+		expectConflict bool
+	}{
+		{"none alone is valid", "none", false},
+		{"login alone is valid", "login", false},
+		{"consent alone is valid", "consent", false},
+		{"login consent is valid", "login consent", false},
+		{"none consent conflicts", "none consent", true},
+		{"none login conflicts", "none login", true},
+		{"none select_account conflicts", "none select_account", true},
+		{"none consent login conflicts", "none consent login", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			values := parsePromptParameter(tt.prompt)
+			hasNone := slices.Contains(values, "none")
+			hasConsent := slices.Contains(values, "consent")
+			hasLogin := slices.Contains(values, "login")
+			hasSelectAccount := slices.Contains(values, "select_account")
+
+			conflict := hasNone && (hasConsent || hasLogin || hasSelectAccount)
+			assert.Equal(t, tt.expectConflict, conflict)
+		})
+	}
+}